Weird error unpacking yP (Yoda's Protector) 1.03.2

Support forums for OllyDbg 32-bit Assembler-Level Debugger.
Developed by Oleh Yuschuk (http://www.ollydbg.de)
Zumo
Junior Member
Posts: 6
Joined: Sun Mar 18, 2012 9:47 pm

Post by Zumo »

I'm not asking for a complete rundown on unpacking this protector, I'm just wanting to know where I went wrong in the process. This is pretty much my first real attempt at this sort of thing. I've followed around 6 different tutorials for unpacking this packer, but every time I get to the part where I change the PID and NOP GetCurrentProcessId, the second time I press F9 I get an error. I've also attempted to use the yP (1.03.x) unpacking script to no avail. Am I using the IsDebuggerPresent plugin wrong? Sorry if the video is not clear enough, I did my best. I'm just starting to get very serious about learning RE and if I could get just a little guidance with this I'd be eternally grateful.


Thanks a million times!
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

The things you do in this video look pretty weird (imho).
Also, you have 4 or 5 different plugins all for the same purpose. Why???
OllyAdvanced is quite powerful. Markus put a lot of effort into it and it has a lot to offer, but I saw you use only a little of its power.
Anyways, I'm not here to criticize you. Is the program you try to unpack an unpackme or a commercial program? If it's an unpackme or a program of your own, please upload it somewhere. It's best to help you hands-on.

Regards
darkelf
I flout Chuck Norris, Spongebob barbecues underwater!
Zumo
Junior Member
Posts: 6
Joined: Sun Mar 18, 2012 9:47 pm

Post by Zumo »

Hi, Darkelf. Sorry for the late reply. I've gotten very close since yesterday. You wouldn't believe what I had to do to find the OEP... Instead of following the normal routine and checking all Exceptions in Olly, I disabled all but KERNEL32. I screen-recorded myself holding Shift-F2 until the program ran (stack overflowed), then went to the end of the video to see where to stop right before it runs (the section at the bottom-right of Olly went from 0012FFC4 all the way down to 00032???, 1 1/2 minutes of holding...). Anyway, I've successfully dumped the file (doubled in size) from Olly after finding the OEP, but I'm having an issue in ImpREC. After fixing RVA and SIZE as instructed by ImpREC and pressing Get Imports, a message reads "IAT read successfully" and then it freezes.

After first attaching to ImpREC:

OEP = 0081F549 (Real OEP = 00401000)
RVA = 00000000
SIZE = 00001000

After entering correct OEP and searching IAT:

OEP = 00001000
RVA = 00001000
SIZE = 0064F000

After clicking Get Imports, ImpREC freezes.

For what it's worth (probably not much), I've found a neat little app called Quick Unpack 2.2 which is able to force-unpack yP 1.03.2 (and many other packers/protectors) and export a tree for importing into ImpREC. After importing this tree, I see many other functions that ImpREC never revealed by itself (only 1). Every function reports to be valid. But fixing the dump and saving does not make the unpacked app usable.
Zumo
Junior Member
Posts: 6
Joined: Sun Mar 18, 2012 9:47 pm

Post by Zumo »

Video removed
evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Wow, the video is HD and the program name can clearly be seen...
Darkelf
Posts: 222
Joined: Wed Jan 24, 2007 7:20 pm

Post by Darkelf »

I have watched your video now and, apart from the fact that your way of unpacking is somewhat strange, you are making 2 crucial mistakes.
I really have a problem telling you what these mistakes are.
Here's why:

1. what evaluator said - showing the program's name is not really bright.
2. the mistakes you made are so basic, it almost hurts.

Let me say this as a hint: you obviously don't understand the tools you are using. The first mistake you made is with OllyDump, the second one with ImpREC. Familiarize yourself with your tools and all will be well.

If you still don't get what you did wrong, drop me a PM.

Regards
darkelf
I flout Chuck Norris, Spongebob barbecues underwater!
evaluator
Posts: 1539
Joined: Tue Sep 18, 2001 2:00 pm

Post by evaluator »

Well, as for the so-called Yoda's Protector 1.03.2, it is an INCORRECT protector, as it does bad (not nice) things,
such as "User32.BlockInput".
But these bad things are also good for learning basic manual debugging.

On a general level, this protector keeps the original imports encrypted in place; it decrypts/resolves/then deletes them.
So you can override the last step and recover the original imports.
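The following is an added example and is not part of any post in this thread or of the protector, OllyDbg or ImpREC. It walks a dumped import address table the way an import reconstructor has to once the protector has resolved the thunks and wiped the name table (evaluator's "decrypts/resolves/then deletes"), and it converts the VA/RVA values Zumo posted (ImageBase 00400000, OEP 00401000, which ImpREC wants as RVA 00001000). The dump bytes, module bases and export RVAs are all constructed for the example, as are the function names; they are not taken from any real module or from the binary in the video.

```python
"""Resolve a dumped IAT against a module map (constructed example)."""
import struct

IMAGE_BASE = 0x00400000  # image base implied by the thread's addresses (00401000 = base + 0x1000)


def va_to_rva(va, image_base=IMAGE_BASE):
    """ImpREC's OEP and RVA fields are RVAs, i.e. the VA minus the image base."""
    if va < image_base:
        raise ValueError("VA 0x%08X is below image base 0x%08X" % (va, image_base))
    return va - image_base


# Constructed module map (hypothetical load bases and export RVAs, not real ones):
# module name -> (load base, size, {export RVA: export name})
MODULES = {
    "kernel32.dll": (0x7C800000, 0x000F6000, {
        0x0001D7A0: "GetCurrentProcessId",
        0x000A2C50: "ExitProcess",
        0x0001AE40: "GetProcAddress",
    }),
    "user32.dll": (0x7E410000, 0x00091000, {
        0x0002B880: "BlockInput",
        0x00033F20: "MessageBoxA",
    }),
}


def resolve_pointer(value, modules=MODULES):
    """Map an absolute pointer to (module, export) if it hits a known export, else None."""
    for name, (base, size, exports) in modules.items():
        if base <= value < base + size:
            export = exports.get(value - base)
            return (name, export) if export else None
    return None


def walk_iat(image, start_rva, limit):
    """Walk 4-byte thunks from start_rva. A slot is either a resolvable pointer or a
    zero terminator between per-module lists; the table ends at the first slot that is
    neither, or at two zeros in a row. Returns (entries, size_in_bytes)."""
    end = min(len(image), start_rva + limit)
    entries, rva, zeros = [], start_rva, 0
    while rva + 4 <= end:
        value = struct.unpack_from("<I", image, rva)[0]
        if value == 0:
            zeros += 1
            if zeros == 2:
                break
        else:
            hit = resolve_pointer(value)
            if hit is None:
                break
            zeros = 0
            entries.append((rva, value) + hit)  # (rva, pointer, module, export)
        rva += 4
    return entries, rva - start_rva


def iat_autosearch(image):
    """Rough equivalent of an IAT auto-search: try every 4-byte-aligned RVA and keep
    the start that yields the most resolved thunks. Returns (rva, entries, size)."""
    best = (0, [], 0)
    for rva in range(0, len(image) - 3, 4):
        entries, size = walk_iat(image, rva, len(image))
        if len(entries) > len(best[1]):
            best = (rva, entries, size)
    return best


def build_sample_dump():
    """Constructed dump: 0xCC filler, a few code bytes at RVA 0x1000 (the OEP RVA from
    the thread) and a resolved IAT at RVA 0x2000 whose name table is gone, so only the
    pointers themselves identify the imports."""
    image = bytearray(b"\xCC" * 0x3000)
    image[0x1000:0x1006] = b"\x55\x8B\xEC\x83\xEC\x10"  # push ebp / mov ebp,esp / sub esp,10h
    k32 = MODULES["kernel32.dll"][0]
    u32 = MODULES["user32.dll"][0]
    thunks = [k32 + 0x0001D7A0, k32 + 0x000A2C50, k32 + 0x0001AE40, 0,
              u32 + 0x0002B880, u32 + 0x00033F20, 0, 0]
    struct.pack_into("<%dI" % len(thunks), image, 0x2000, *thunks)
    return image


if __name__ == "__main__":
    print("OEP RVA for VA 00401000: %08X" % va_to_rva(0x00401000))
    img = build_sample_dump()
    rva, entries, size = iat_autosearch(img)
    print("IAT found at RVA %08X, SIZE %08X" % (rva, size))
    for slot_rva, ptr, module, export in entries:
        print("  %08X -> %08X  %s!%s" % (slot_rva, ptr, module, export))
    # Starting the walk in the code at RVA 0x1000 finds no thunks at all.
    print("walk from code RVA 1000:", walk_iat(img, 0x1000, 0x64F000))
```

Run it as a script to see the resolved table; imported as a module it prints nothing. Two things it illustrates about the thread: the SIZE that matters is the span of valid thunks, which the walker bounds by itself instead of trusting a number that covers the whole image, and a walk started in code (RVA 0x1000 in this dump) ends immediately because the first slot is not a pointer into any loaded module.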
Zumo
Junior Member
Posts: 6
Joined: Sun Mar 18, 2012 9:47 pm

Post by Zumo »

Yeah, that was pretty stupid on my part; it was a rushed video and has been removed... On that note, over the past few days I like to think I've gotten better. Maybe not by expert standards, but I'm working on it. The reason it looked weird was because I was following tutorials letter by letter, some of them translated from Arabic or Vietnamese (very hard to follow). The steps I take in the video have been changed, such as using OllyAdvanced and telling OllyDump not to rebuild imports.

However, I think I've run into a brick wall. After successfully removing the protection, the app is being identified as VB6. I don't know how much this changes things, but I do know that the tutorials on this protector are (as far as I'm aware) not focused on VB6, which is obviously a problem, as using Olly will be different for me than for the apps used in the tutorials. I've added about a dozen new programs to my cracking arsenal which focus on VB6 apps specifically. To name a few: VB Decompiler, P32Dasm, P-Code Loader 4.3, Semi VB Decompiler, and more. Some of these apps read the program as being compiled to native code, and some to P-Code. So this is where I am.