Performing the file unpacking tutorial ...

    I tried everything and still could not get this tutorial to work ...
    Could someone test it and help me get it done ...


    Yoda Protector 1.03.3 - manually unpacking

    Tuesday, January 03 2006 @ 08:26 PM CET
    Contributed by: haggar
    Views: 1616

    Tutorials Level: beginner

    ============================
    Yoda Protector 1.03.3 - manually unpacking
    ============================



    This tutorial will describe manually unpacking the last Yoda Protector version, 1.03.3. The tutorial will focus on the main yP problem: running the protected file under a debugger.





    1. Introduction

    Hi, friends, and welcome to a new unpacking tutorial. As I said, yP 1.03.3 is the last Yoda Protector version and the author has decided to stop the project. He is planning to start a new one. I have already written a tutorial for unpacking the 1.03.2beta version, which is pretty much identical to this one, but that tutorial didn't describe how to run the protected file under a debugger. This tutorial will show how the anti-debug tricks can be easily avoided and bypassed.

    We will need some tools:

    - OllyDbg 1.10
    - LordPE
    - ImpREC
    - Windows XP
    - Target is here http://www.reversing.be/binaries/art...3202404818.rar

    This tutorial will not go into details because there is no need for that. Rebuilding imports is very easy and that is all we need to do after we reach the OEP.

    Yoda Protector is based on the Yoda's Cryptor frame, only new tricks are added from time to time. The old tricks are PE header erasing (which is pointless), CRC checking (code and file), an IsDebuggerPresent check, API redirecting and destroying import information. These old tricks are already described in my tutorial about ExeStealth v2.74a (that protector is just a rip of yoda). The new tricks are terminating Olly and possibly freezing Windows XP.


    Let's see how Olly is killed. The protector uses a combination of APIs to get the PID numbers of all running processes. Then it searches for the process that started it (ollydbg in our case) and terminates it. It compares the PID of that process with its own PID. If those PIDs are not the same (i.e. the exe was started through olly), it will terminate that process.

    The second trick is more annoying. The protector will use the BlockInput API before any other check. That API blocks the input devices (mouse, keyboard, etc.), so we are locked out of our system. Then the protector does the other checks and the decrypting. If in the meantime the protector stops on some exception or Olly is found, our system will wait for us to take action, but we cannot do anything except restart Windows. If everything passes fine, the protector will use the BlockInput API again to unblock the input devices. Pretty smart trick.





    2. Reaching OEP

    OK, time to unpack the target. Grab the crackme and load it in Olly. In Olly, ignore all exceptions, then in Events set "Break on new module (DLL)". We need to break on user32.dll loading in order to intercept the BlockInput API. Then press F9 until you see that User32.dll is loaded:

    Executable modules
    Base Size Entry Name File version Path
    00400000 0001F000 004166ED Crackme0 D:yodayP1.03.3Crackme05.exe
    77D40000 0008C000 77D53A05 User32 5.1.2600.1561 (x C:\WINDOWS\system32\User32.dll
    77E60000 000E6000 77E7ADB3 kernel32 5.1.2600.1560 (x C:\WINDOWS\system32\kernel32.dll
    77F50000 000A7000 ntdll 5.1.2600.1106 (x C:\WINDOWS\System32\ntdll.dll

    After that we can uncheck the option for breaking on new module. Now we just need to patch the BlockInput API so it doesn't block the devices. Simply select "Go to, expression" and enter BlockInput. OK, and we land in user32.dll on that API (this is how it looks on my system):

    77D98A69 > B8 36110000 MOV EAX,1136
    77D98A6E BA 0003FE7F MOV EDX,7FFE0300
    77D98A73 FFD2 CALL EDX
    77D98A75 C2 0400 RETN 4

    To kill the API, just NOP everything up to RETN 4:

    77D98A69 > 90 NOP
    77D98A6A 90 NOP
    77D98A6B 90 NOP
    77D98A6C 90 NOP
    77D98A6D 90 NOP
    77D98A6E 90 NOP
    77D98A6F 90 NOP
    77D98A70 90 NOP
    77D98A71 90 NOP
    77D98A72 90 NOP
    77D98A73 90 NOP
    77D98A74 90 NOP
    77D98A75 C2 0400 RETN 4 <---- Place breakpoint here!

    And place a bp on RETN 4. We will need this later.





    We have killed this API and with that we avoid blocking the devices, but we still need to prevent Olly from being killed. There is a similarly simple solution for that. Yoda uses CreateToolhelp32Snapshot to get all processes and a couple of other APIs to walk through them. But it uses GetCurrentProcessId to get its own PID. Then yoda checks whether the process that started it has the same PID as itself (i.e. whether the protected file was started through some debugger or not) and if not, it terminates that process. We can do the following to prevent Olly being killed:

    - Open LordPE and get the PID of OllyDbg.exe. Mine is 478.
    - "Go to, expression", enter GetCurrentProcessId and click OK. You are in the API:

    77E76914 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
    77E7691A 8B40 20 MOV EAX,DWORD PTR DS:[EAX+20]
    77E7691D C3 RETN

    That API returns the PID of the protected file, but I will patch it to return Olly's PID. Our protected file will then think that it is Olly itself, he he. Check:

    77E76914 > B8 78040000 MOV EAX,478
    77E76919 90 NOP
    77E7691A 90 NOP
    77E7691B 90 NOP
    77E7691C 90 NOP
    77E7691D C3 RETN


    And that's it! Now we need to use a plugin to hide Olly from the IsDebuggerPresent check and run (remember the bp on BlockInput). We will stop two times on the bp on the patched BlockInput API. Then we open the "Memory Map" window, place a memory breakpoint on access on the first section and run. The OEP is reached:

    004079D0 55 PUSH EBP ; Crackme0.00417058
    004079D1 8BEC MOV EBP,ESP
    004079D3 83C4 F4 ADD ESP,-0C
    004079D6 53 PUSH EBX
    004079D7 56 PUSH ESI ; Crackme0.00418370
    004079D8 57 PUSH EDI ; Crackme0.0041837D
    004079D9 B8 98794000 MOV EAX,Crackme0.00407998
    004079DE E8 D1CBFFFF CALL Crackme0.004045B4
    004079E3 BE CC954000 MOV ESI,Crackme0.004095CC
    004079E8 BF E4954000 MOV EDI,Crackme0.004095E4
    004079ED BB A0954000 MOV EBX,Crackme0.004095A0
    004079F2 33C0 XOR EAX,EAX
    004079F4 55 PUSH EBP ; Crackme0.00417058
    004079F5 68 847C4000 PUSH Crackme0.00407C84
    004079FA 64:FF30 PUSH DWORD PTR FS:[EAX]
    004079FD 64:8920 MOV DWORD PTR FS:[EAX],ESP
    00407A00 A1 80824000 MOV EAX,DWORD PTR DS:[408280]
    00407A05 8B00 MOV EAX,DWORD PTR DS:[EAX]
    ...
    ...


    All we need to do now is dump and rebuild the IAT. For dumping you should use OllyDump (LordPE causes loss of the icon) and for rebuilding the IAT, ImpREC.




    3. Final words

    And that is all. Unpacking yoda-protected DLLs is even easier. Sorry for spelling and grammar mistakes.


    Thanks and greets to detten for publishing my tutorials, and to all the BIW crew. Special greets to friends in the artem and crackmes.de community.

    See you in the next tutorial and Happy New Year to all of you.


    [ haggar, somewhere at the beginning of 2006 ]
    Ya Haq ...
    One day I will return again ...

    _..[ستايشگر].._
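The two patches in the tutorial only work because each patched body has exactly the same byte footprint as the original function (12 NOPs plus the untouched RETN 4 in BlockInput; a 5-byte MOV EAX,imm32 plus four NOPs in GetCurrentProcessId). When a listing is copied by hand from a debugger, a dropped or mis-typed line is easy to miss, so the script below, an added example that is not part of haggar's tutorial or of this forum post, parses OllyDbg-style listing lines ("ADDRESS [>] BYTES MNEMONIC", as quoted above), checks that every instruction's byte count lands exactly on the next line's address, re-encodes the few opcode forms the patches use (NOP, RETN imm16, MOV r32,imm32) to confirm bytes and mnemonic agree, and diffs the original body against the patched one while rejecting any patch that would spill past the original span. The listings embedded in it are copied from the tutorial; the column layout it assumes is OllyDbg's as shown there, and the encoder is deliberately limited to those three instruction forms.

```python
"""Consistency checks for OllyDbg listings and the byte patches quoted above.

Added example, not part of haggar's tutorial or the forum post. Assumes the
OllyDbg column layout seen in the post: address, optional ">" marker,
even-length hex byte groups (a "64:" segment prefix allowed), then mnemonic.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass

REG32 = ["EAX", "ECX", "EDX", "EBX", "ESP", "EBP", "ESI", "EDI"]  # B8+index = MOV r32,imm32
HEX = set("0123456789ABCDEFabcdef")


@dataclass
class Insn:
    addr: int
    code: bytes
    text: str  # mnemonic and operands as printed


def _is_byte_group(tok: str) -> bool:
    # Opcode bytes are even-length hex groups, optionally prefixed like "64:".
    # Three-letter mnemonics (ADD, XOR, ...) fail the even-length test; a
    # mnemonic such as FADD would not, so this is tuned to the listings at hand.
    tok = tok.replace(":", "")
    return len(tok) % 2 == 0 and all(c in HEX for c in tok)


def parse_listing(listing: str) -> list[Insn]:
    insns = []
    for raw in listing.strip().splitlines():
        toks = raw.split()
        addr = int(toks.pop(0), 16)
        if toks and toks[0] == ">":
            toks.pop(0)  # Olly's jump-destination marker
        code = b""
        while toks and _is_byte_group(toks[0]):
            code += bytes.fromhex(toks.pop(0).replace(":", ""))
        text = []
        for t in toks:
            if t.startswith(";") or t.startswith("<"):
                break  # Olly's comment column, or the tutorial's "<---- ..." note
            text.append(t)
        insns.append(Insn(addr, code, " ".join(text)))
    return insns


def check_contiguous(insns: list[Insn]) -> list[str]:
    """One message per place where a line's byte count does not reach the next line."""
    problems = []
    for a, b in zip(insns, insns[1:]):
        end = a.addr + len(a.code)
        if end != b.addr:
            problems.append(f"{a.addr:08X}: {len(a.code)} bytes end at {end:08X}, next line is {b.addr:08X}")
    return problems


def encode(text: str) -> bytes | None:
    """Encode NOP, RETN [imm16] and MOV r32,imm32 (hex immediate, as Olly prints); None otherwise."""
    mnem, _, ops = text.partition(" ")
    mnem, ops = mnem.upper(), ops.strip().upper()
    if mnem == "NOP":
        return b"\x90"
    if mnem == "RETN":
        return b"\xC3" if not ops else b"\xC2" + struct.pack("<H", int(ops, 16))
    if mnem == "MOV":
        reg, _, imm = ops.partition(",")
        if reg in REG32 and imm and all(c in HEX for c in imm):
            return bytes([0xB8 + REG32.index(reg)]) + struct.pack("<I", int(imm, 16))
    return None


def verify_encoding(insns: list[Insn]) -> list[str]:
    """Lines whose printed bytes disagree with the re-encoded mnemonic."""
    bad = []
    for i in insns:
        enc = encode(i.text)
        if enc is not None and enc != i.code:
            bad.append(f"{i.addr:08X}: bytes {i.code.hex().upper()} but '{i.text}' encodes to {enc.hex().upper()}")
    return bad


def patch_plan(original: list[Insn], patched: list[Insn]) -> list[tuple[int, int, int]]:
    """(address, old byte, new byte) for every byte the patch changes.

    Both listings must be contiguous and cover the same address range, so a
    patch that would overwrite the next instruction is rejected outright."""
    for name, lst in (("original", original), ("patched", patched)):
        if check_contiguous(lst):
            raise ValueError(f"{name} listing is not contiguous: {check_contiguous(lst)}")

    def span(lst: list[Insn]) -> tuple[int, int]:
        return lst[0].addr, lst[-1].addr + len(lst[-1].code)

    if span(original) != span(patched):
        raise ValueError(f"patch span {span(patched)} differs from original span {span(original)}")
    old = b"".join(i.code for i in original)
    new = b"".join(i.code for i in patched)
    base = original[0].addr
    return [(base + k, old[k], new[k]) for k in range(len(old)) if old[k] != new[k]]


# Listings copied from the tutorial (addresses are from the author's XP box).
BLOCKINPUT_ORIG = """
77D98A69 > B8 36110000 MOV EAX,1136
77D98A6E BA 0003FE7F MOV EDX,7FFE0300
77D98A73 FFD2 CALL EDX
77D98A75 C2 0400 RETN 4
"""
# The tutorial's twelve NOP lines followed by the untouched RETN 4.
BLOCKINPUT_PATCHED = "\n".join(f"{0x77D98A69 + k:08X} 90 NOP" for k in range(12)) + \
    "\n77D98A75 C2 0400 RETN 4 <---- Place breakpoint here!"
GETPID_ORIG = """
77E76914 > 64:A1 18000000 MOV EAX,DWORD PTR FS:[18]
77E7691A 8B40 20 MOV EAX,DWORD PTR DS:[EAX+20]
77E7691D C3 RETN
"""
GETPID_PATCHED = """
77E76914 > B8 78040000 MOV EAX,478
77E76919 90 NOP
77E7691A 90 NOP
77E7691B 90 NOP
77E7691C 90 NOP
77E7691D C3 RETN
"""

if __name__ == "__main__":
    for label, orig, new in (("BlockInput", BLOCKINPUT_ORIG, BLOCKINPUT_PATCHED),
                             ("GetCurrentProcessId", GETPID_ORIG, GETPID_PATCHED)):
        o, p = parse_listing(orig), parse_listing(new)
        print(label, "encoding problems:", verify_encoding(o) + verify_encoding(p))
        for addr, was, now in patch_plan(o, p):
            print(f"  {addr:08X}: {was:02X} -> {now:02X}")
```

Run as-is it reports no encoding problems and prints the 12 changed bytes for BlockInput and the 7 changed bytes for GetCurrentProcessId (the two zero bytes inside the immediate and the final RETN are unchanged). Appending one more NOP line to a patched listing makes `patch_plan` raise, which is the check worth having before touching bytes in a live debugger: a patch that is one byte too long silently corrupts the next instruction.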
