ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

Unpacking Yoda's cryptor 1.x/modified


Information

Unpacking yoda's cryptor 1.x / modified

Target

X-Attack

Available

http://www.outwarshop.com/programs/xattacksetup.zip

Tools

OllyDbg 1.10, ImpRec

Protection

Yoda's cryptor 1.x / modified

level

Beginner

Category

Unpacking

Author

Teerayoot - 28 July 2004

Requirements

Windows XP, IE 5.5 and above for best viewing


0. Introduction

Hi all ,this is my first tut on ARTeam.
This tut i will explain how to unpack Yoda's cryptor 1.x (modified) crypted prog, i selected X-Attack as target can be download here

This target is a VB application you can scan with PEiD to identify the target here is the evidence

Ok let's go on unpacking...
 


1. Unpacking Yoda's cryptor 1.x (modified)

Fire up OllyDbg and open the target you will land on EP of the target

 

now go to Modules Window (press Alt+E) you will see the "MSVBVM60" not load yet ,hmm i need to set BP inside that modules .

Hit F9 run OllyDbg now ours modules loaded

 

ok when MSVBVM60 loaded i need to set BP inside that ... Press Ctrl+N to
view name of that module and set BP on ThunRTMain like pic below

Ok all setting done now restart OllyDbg and hit F9 again you will

be land on the ThunRTMain that i previous set .

Now press Alt+K go to Stack Window you will see the caller like
this pic

You see the caller that is a OEP ,you got it ! double click on that call
you will land here

Select on 0040118C address and press Ctrl+* to move origin that address
You should remember this signature when play with VB apps entry point.

Ok we pause on the original entry point of the program ,we are ready to
dump it right ;)

 

Let's go on the Dumping ....

 

 



2. Dumping The Target

As usual ,invoke OllyDump plugin and dump at that OEP



Ok we dumped the target

Let's go on IAT rebuilding....


 



3. Rebuilding the IAT

Fire up Import Recontructor and select ours target

Fill the oep the click "IAT Auto search" like pic below

You see all functions we gets are all valid so let's select Fix Dump to fix ours dumped file.

Congratulation you are Done on manual unpacking yoda's cryptor 1.x / modified


 
4. Conclusion

Lesson Learnt

You learnt how easy to unpack VB apps packed/crypted program.
Just set BP on MSVBVM60.ThunRTMain,when program pause there
just go back to caller and move origin there and dump there.





 
8. Greetingz

[MAIN TEAM]
| Nilrem | Enforcer | Ferrari | Pompeyfan(ex-member) | MaDMAn_H3rCuL3s | EJ12N | Kruger |
Shub-Nigurrath | Jdog45 | Teerayoot |

[TRIAL MEMBERS]
| R@Dier |

*****************************

Exetools | Woodmann | VCT | JMI | Britedream | Hacnho | cl0ud (Mephisto) | Zest | Everyone over at our forums, you make it what it is | Everyone we missed & you
Thanks to the authors of X-attack, Ollydbg, LordPE, Imprec, and X-attack
 

[Teerayoot]

Any comments, suggestion PM me .
Teerayoot@bugsgroup.com