
OpenRCE Packer Database >> yodaCrypt 1.2

Packer Name: yodaCrypt 1.2
Packer Author: yoda
Classification: Crypter
Analysis By: quig
Last Updated: June 15 2005

Allocation: PE Header
Anti-Debug: yes
Anti-Disassembly: yes
Section Name: yC
Sample: N/A
Notes
Utilizes an API call to IsDebuggerPresent().

Self-decoding blocks.
Zeros out memory.
Uses kernel-mode SEH to get to the OEP, so you can't trace it all from Olly.
Luckily you can see all the offsets to bpx in each step.
The OEP in memory was the same as in the uncompressed exe.
Follow the Transfer Command instructions to get to the OEP.

Transfer Command
Kernel-mode SEH.

Breakpoint on kernel32.IsDebuggerPresent.
Single-step through; after the RET, set EAX=0.

004096A1   FFD0             CALL EAX              ;isdebuggerpresent
004096A3   0BC0             OR EAX,EAX            ;test
004096A5   74 02            JE SHORT 004096A9     ;jmp if eax 0 (no debugger)
004096A7   61               POPAD
004096A8   C3               RETN
004096A9   F785 6C254000 01>TEST DWORD PTR SS:[EBP+40256C],1
004096B3   74 4F            JE SHORT 00409704                   ;jmps for me
004096B5   8DB5 E4264000    LEA ESI,DWORD PTR SS:[EBP+4026E4]
004096BB   8D85 6C244000    LEA EAX,DWORD PTR SS:[EBP+40246C]
004096C1   8946 08          MOV DWORD PTR DS:[ESI+8],EAX
004096C4   33DB             XOR EBX,EBX
004096C6   8D85 33254000    LEA EAX,DWORD PTR SS:[EBP+402533]
004096CC   50               PUSH EAX                            ;4097A6 (err handler routine)
004096CD   64:FF33          PUSH DWORD PTR FS:[EBX]             ;install err handler
004096D0   64:8923          MOV DWORD PTR FS:[EBX],ESP
004096D3   8BFD             MOV EDI,EBP
004096D5   B8 00440000      MOV EAX,4400
004096DA   EB 01            JMP SHORT 004096DD                       
004096DC   C7               ???                                     
004096DD   CD 68            INT 68                  ;throw error

Shift-F7: single-step into the ntdll error handler.
Debug -> Execute till user code.


004097A6   55               PUSH EBP
004097A7   8BEC             MOV EBP,ESP
004097A9   57               PUSH EDI
004097AA   8B45 10          MOV EAX,DWORD PTR SS:[EBP+10]
004097AD   8BB8 9C000000    MOV EDI,DWORD PTR DS:[EAX+9C]
004097B3   FFB7 EC264000    PUSH DWORD PTR DS:[EDI+4026EC]  ;4096DF --bpx
004097B9   8F80 B8000000    POP DWORD PTR DS:[EAX+B8]
004097BF   89B8 B4000000    MOV DWORD PTR DS:[EAX+B4],EDI
004097C5   C780 9C000000 00>MOV DWORD PTR DS:[EAX+9C],0
004097CF   B8 00000000      MOV EAX,0
004097D4   5F               POP EDI
004097D5   C9               LEAVE
004097D6   C3               RETN

Returns back into ntdll; then you lose the trace in kernel mode and the INT 2E call.
You re-emerge here (the address pushed above):

004096DF   33DB             XOR EBX,EBX
004096E1   64:8F03          POP DWORD PTR FS:[EBX]
004096E4   83C4 04          ADD ESP,4
004096E7   66:81FF 9712     CMP DI,1297
004096EC   74 0E            JE SHORT 004096FC                         
004096EE   66:81FF 7712     CMP DI,1277
004096F3   74 07            JE SHORT 004096FC                        
004096F5   66:81FF 3013     CMP DI,1330
004096FA   75 08            JNZ SHORT 00409704                        
004096FC   EB 01            JMP SHORT 004096FF                       
004096FE   FF61 EB          JMP DWORD PTR DS:[ECX-15]
00409701   01E8             ADD EAX,EBP
00409703   C3               RETN
00409704   8D85 CB244000    LEA EAX,DWORD PTR SS:[EBP+4024CB]
0040970A   50               PUSH EAX                           ;40973E change fx ret addr
0040970B   C3               RETN

0040973E   32C0             XOR AL,AL
00409740   8DBD ED1D4000    LEA EDI,DWORD PTR SS:[EBP+401DED]
00409746   B9 AC060000      MOV ECX,6AC
0040974B   AA               STOS BYTE PTR ES:[EDI]
0040974C  ^E2 FD            LOOPD SHORT 0040974B               ;zeroing out memory             
0040974E   8DBD F6244000    LEA EDI,DWORD PTR SS:[EBP+4024F6]
00409754   B9 C0020000      MOV ECX,2C0
00409759   AA               STOS BYTE PTR ES:[EDI]
0040975A  ^E2 FD            LOOPD SHORT 00409759               ;zeroing out memory      
0040975C   61               POPAD                       ;-bpx here and run
0040975D   50               PUSH EAX                    ;40970c (bpx err handler)
0040975E   33C0             XOR EAX,EAX
00409760   64:FF30          PUSH DWORD PTR FS:[EAX]     ;install err handler
00409763   64:8920          MOV DWORD PTR FS:[EAX],ESP
00409766   EB 01            JMP SHORT 00409769                        
00409768   87               db 87
00409769   0000             ADD BYTE PTR DS:[EAX],AL   ;throw error

Shift-F7: single-step into the ntdll error handler.
Debug -> Execute till user code (or better, bpx on the error handler; Olly slips past some of it on "till user code").

0040970C   55               PUSH EBP
0040970D   8BEC             MOV EBP,ESP
0040970F   57               PUSH EDI
00409710   8B45 10          MOV EAX,DWORD PTR SS:[EBP+10]
00409713   8BB8 C4000000    MOV EDI,DWORD PTR DS:[EAX+C4]
00409719   FF37             PUSH DWORD PTR DS:[EDI]
0040971B   33FF             XOR EDI,EDI
0040971D   64:8F07          POP DWORD PTR FS:[EDI]
00409720   8380 C4000000 08 ADD DWORD PTR DS:[EAX+C4],8
00409727   8BB8 A4000000    MOV EDI,DWORD PTR DS:[EAX+A4]
0040972D   C1C7 07          ROL EDI,7                     
00409730   89B8 B8000000    MOV DWORD PTR DS:[EAX+B8],EDI   ; ----- EDI = OEP (401048)   
00409736   B8 00000000      MOV EAX,0
0040973B   5F               POP EDI
0040973C   C9               LEAVE
0040973D   C3               RETN

Back to ntdll, ZwContinue and kernel mode before hitting the OEP.


Entry Point Signature
00409060 > 60               PUSHAD
00409061   E8 00000000      CALL $+5
00409066   5D               POP EBP
00409067   81ED ????????    SUB EBP,offset
0040906D   B9 7B090000      MOV ECX,97B
00409072   8DBD ????????    LEA EDI,DWORD PTR SS:[EBP+offset]
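As an added example (not code from the OpenRCE page, the packer, or the script below), a Python check that walks a PE's headers to the entry point and matches the wildcarded Entry Point Signature and the yC section name listed above; the PE returned by build_sample_pe is constructed for the test, and its SUB/LEA operand bytes are assumed values.

```python
import struct

# Entry Point Signature from the page; ?? marks the bytes that differ per packed file
YODACRYPT_12_EP = (
    "60 E8 00 00 00 00 5D 81 ED ?? ?? ?? ?? "   # PUSHAD / CALL $+5 / POP EBP / SUB EBP,offset
    "B9 7B 09 00 00 8D BD ?? ?? ?? ??"          # MOV ECX,97B / LEA EDI,[EBP+offset]
)

def compile_sig(sig):
    """'60 E8 ??' -> list of byte values, None for a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in sig.split()]

def matches_at(data, offset, pattern):
    """True if the wildcard pattern matches data at offset."""
    if offset < 0 or offset + len(pattern) > len(data):
        return False
    return all(p is None or data[offset + i] == p for i, p in enumerate(pattern))

def entry_point_location(pe):
    """Walk the PE headers: (entry RVA, file offset of entry, name of the section holding it)."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]           # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]      # SizeOfOptionalHeader
    ep_rva = struct.unpack_from("<I", pe, e_lfanew + 24 + 16)[0]   # AddressOfEntryPoint
    sec_table = e_lfanew + 24 + opt_size
    for i in range(nsec):
        off = sec_table + i * 40
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        if va <= ep_rva < va + max(vsize, rawsize):
            return ep_rva, rawptr + (ep_rva - va), name
    raise ValueError("entry point lies outside every section")

def scan_yodacrypt(pe):
    """Does the entry point carry the yodaCrypt 1.2 stub, and does it sit in the 'yC' section?"""
    ep_rva, foff, name = entry_point_location(pe)
    return {"ep_rva": ep_rva, "section": name, "section_match": name == "yC",
            "ep_match": matches_at(pe, foff, compile_sig(YODACRYPT_12_EP))}

def build_sample_pe():
    """Constructed minimal PE32 (not a real sample): one 'yC' section at RVA 0x9000, entry at RVA 0x9060."""
    stub = bytes.fromhex("60E8000000005D81ED66904000B97B0900008DBD6DAF4000")  # constructed operands
    dos = bytearray(0x40); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)          # i386, 1 section, PE32 opt hdr
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B); struct.pack_into("<I", opt, 16, 0x9060)
    sec = b"yC".ljust(8, b"\0") + struct.pack("<IIII", 0x1000, 0x9000, 0x200, 0x200) + bytes(24)
    img = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    return (img + bytes(0x60) + stub).ljust(0x400, b"\0")   # stub lands at file offset 0x260
```

The wildcard positions cover the per-file relocation operands, so the same pattern identifies the stub whatever image base or offsets a given packed file uses.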
Known Unpackers
// Y0da Crypter 1.2 OEP Finder v0.1
// by FEUERRADER [AHTeam]
// http://ahteam.org

var s
var k

eob Break              // on breakpoint, continue at label Break
mov s, esp
sub s, 04              // s = stack slot just below the entry-point ESP
bphws s, "r"           // hardware breakpoint on access to that slot
run

Break:
eob Break2
eoe expp               // on exception, continue at label expp
run

Break2:
eob B21
eoe expp
run

expp:
esto                   // pass the exception on to the program's SEH handler

B21:
eoe expp
bphwc s                // remove the stack hardware breakpoint
eob B3
eoe expp1
mov k, eax             // EAX holds the error handler address about to be pushed (40970C above)
bp k
run

expp1:
esto
esto

B3:
bphwc k
eob Br4
findop eip, #C1C7#     // find ROL EDI,7, the instruction that computes the OEP
bphws $RESULT, "x"
run

Br4:
bphwc $RESULT
sto                    // step over ROL EDI,7
sto                    // step over MOV [EAX+B8],EDI (CONTEXT.Eip = OEP)
eob Br5
mov k, edi             // EDI now holds the OEP
bp k
run

Br5:
bphwc k
cmt eip, "OEP"
ret
