View Full Version : Yoda's Crypter 1.2


penguin0103
August 9th, 2007, 20:20
Hi, I came across a program that I want to unpack. I scanned it with Protection_ID and PEiD and they say this:

PEiD: yoda's cryptor 1.2
Protection_ID: [!] Yoda´s Crypter v1.2 detected !

I tried to unpack this myself, but it won't work! I get a "Debugger Detected - Please close it down and restart!" message. I have Hide Debugger enabled on Olly, I've changed the IsDebuggerPresent API to return false, changed GetCurrentProcessId to return Olly's, done pretty much everything I can think of just to make it to the OEP, and it keeps detecting Olly. I don't understand it! Does anybody know what I can do to get by this?

I know my Hide Debugger is working because I tested it on a different packed file and it gets through.

LLXX
August 10th, 2007, 08:04
1. It may not actually be Yoda.

2. Google "yoda resource leak".

penguin0103
August 10th, 2007, 12:15
Thanks for replying!

I did as you said, and I found this article: http://www.wintellect.com/Articles/Yoda.pdf

I read it, but I understand very little.

I'm really not very good at debugging, and I know almost NO ASM, so seeing the disassembled code tells me (almost) nothing. I don't know what the packer's doing, so tracing through it doesn't really tell me much. The thing is -- I don't really know the best way to learn this type of thing. To be good at debugging, do you need to know assembly to be able to do stuff like this without any help? I really would like to learn, but I just don't know the best way to go about it.

I know a little about it, at least. I did all the crackmes on www.hackthissite.org which weren't really hard, but I have absolutely no idea where I would even start in trying to find out why this packer is detecting Olly. And I know the person who packed this file, and he's not exactly smart, so he's definitely using a publicly released packer. So if it isn't Yoda, what could it be?

Again, thanks for replying!

LLXX
August 11th, 2007, 06:14
Quote:
[Originally Posted by penguin0103;67699]I'm really not very good at debugging, and I know almost NO ASM
Then why are you posting here instead of spending your time LEARNING the prerequisites like you should've done in the first place? There are literally millions of sites out there with the appropriate documentation, and I sure hope you're not going to tell us about how you can't read, because that's YOUR problem.

penguin0103
August 11th, 2007, 10:45
PLEASE don't post like you know what I've done and what I haven't. One of the reasons that keeps me (and probably others) from coming back to this website is because its members are complete pricks, unwilling to help someone who doesn't already know as much as them. I guess I forgot to mention that I HAVE searched for places to learn, and I was simply asking YOUR ADVICE on WHICH PLACE was BEST to LEARN from. I guess that's too hard of a question around here.

JMI
August 11th, 2007, 12:09
penguin0103:

Apparently you are one of those individuals who prefers "instant gratification" and who objects when you are advised what most people who pose questions such as yours are advised. "Reverse engineering" is a "skillset" that requires the "input" of "effort" on the part of its participants.

Also typical of those with low thresholds for the denial of their desire for "instant gratification," you bemoan being advised that YOU should both take the time to learn the basics and that YOU should spend quality time learning the "skill" of finding what YOU want in your quest to achieve reverse engineering skills.

Also, again "typical" of those with low thresholds for the denial of their desire for "instant gratification," when your initial request is met with a suggestion that YOU should spend some personal effort at achieving the answer to your request, you attack the giver of the advice and then attempt to escape criticism by CHANGING THE QUESTION to one hoped to portray yourself in a more favorable light.

Originally, you were bemoaning your lack of skillset at understanding assembly language and understanding the code. You did NOT ask for "ADVICE on WHICH PLACE was BEST to LEARN from." What you reported was that you had simply tried one particular debugger hider, without any real understanding of "how" or "why" it worked or did not work and you made a couple of changes in "IsDebuggerPresent api" and "GetCurrentProcessId" and damn, your target was still detecting the debugger. Imagine that!

So instead of spending any quality time in researching "How Debuggers are Detected" and/or how Olly is "detected," you waltz in here, admitting you really don't understand much that the code is telling you, don't really understand that packer identifiers can, themselves, be fooled and mis-identify what has actually packed a target, and actually asked:

"does anybody know what I can do to get by this?"

So you were given a "clue", which you apparently followed, and then came back admitting that what you found was "beyond" your skillset. So naturally you were advised you should work on that "missing" element, i.e. developing your skillset. Now you whine that you only wanted to know the "best" place to find the answer.

The answer to that question is: "using your brain and spending the time to learn." First, if you "know little about assembly language," your skillset at using a debugger is severely limited. If you don't understand what the debugger is showing you, how do you propose to figure out what it is doing?

How do you learn some basic skills in understanding assembly? You spend the time studying. Where do you go to learn? YOU use YOUR brain. You try something like "learn assembly" (without the quotes) in YOUR favorite search engine and/or the search engine here and YOU "actually read some of what you find!" YOU look through some of the many links at the bottom of these Forums and YOU spend the time reading up on assembly language.

YOU go to your favorite search engine and YOU enter something like "detecting OllyDBG" (again without the quotes) and YOU read some of the hits you will get. I got 21,400.

Then YOU might try researching how packers "fake" signatures to make YOU think they are something else.

But YOU just want SOMEONE ELSE to GIVE you the ANSWER so YOU don't have to actually DO ANY REAL WORK or actually WAIT for the "instant gratification" of solving YOUR target of the moment!

And YOU wonder WHY someone as nice as yourself could be treated so badly?

We call it: "Tough Love!"

There simply is no substitute for actually spending the time to learn what you actually are doing.

Regards,

penguin0103
August 11th, 2007, 14:51
Quote:
[Originally Posted by penguin0103;67699]
I'm really not very good at debugging, and I know almost NO ASM, so seeing the disassembled code tells me (almost) nothing. I don't know what the packer's doing, so tracing through it doesn't really tell me much. The thing is -- I don't really know the best way to learn this type of thing. To be good at debugging, do you need to know assembly to be able to do stuff like this without any help? I really would like to learn, but I just don't know the best way to go about it.


If you would read what I put in my 2nd post, you would see I was asking what the best way was to go about learning. He answered NONE of my questions; his reply was basically "get out of here and go search Google." The first thing I did was search Google. The 'tutorials' on assembly are all different and don't really explain much; they all assume the person learning has a little knowledge of it already. I have absolutely NO experience in assembly, I only know commands like JE/JNZ/JG/JL/Call/Jmp, the very basics. I went through this about 6 years ago when I wanted to learn a bit of Visual Basic. I tried to start off on my own, but the tutorials you find are shit. Finally I found someone who was nice enough to get me started. But 99% of the people on here are unwilling to help people who are starting at ground zero. Pretty much all I asked for was some advice on which website would give me a good start. Is that asking people to solve my problem? NO. It's simply someone asking for a little HELP.

The second paragraph was an explanation of what I could do AFTER I understand a little more. Why would I ask for help in the best way to learn assembly if I was going to ask other people to do it for me?

JMI
August 11th, 2007, 16:01
Obviously, you are still more interested in self-justification than actually getting any real work done and/or actually using YOUR brain to find solutions to YOUR needs.

For example, poor little you can't find ANYTHING useful for the beginner on how to understand assembly language. Now THAT truly is something pathetic! I suggested you check out the links at the bottom of these Forums. Did you do so? It certainly isn't apparent. Did you check out the Krobar Collection, which includes a series on assembly language for beginners? Or is it just "too pathetic" for someone of your oversized sense of self-importance?

What about "SandMan's Tutorials" (+sandman), which is on the RCE-CD and referenced on CrackZ' site, both linked below?

The "best" way to learn assembly language is to get YOUR ass out there and actually start reading information on assembly language structure and/or programming. What you are REALLY asking is guidance on how YOU can do as little actual work yourself in going about learning just enough assembly language to solve your current problem.

So why don't you get your head out of your rectum and go out on the net and actually search for information on assembly language for beginners and then ACTUALLY READ SOME OF IT!!!!

Regards,

penguin0103
August 11th, 2007, 20:21
lol, I love people like you; you're so ignorant that you refuse to see things from other people's sides. You have an "I'm always right" attitude. I told you -- I looked at many tutorials for learning assembly but I was a bit confused on certain aspects of the language in each of them. You were obviously too stupid to put that together from my post, so there, I made it a little more clear for you. Obviously someone who KNOWS the language would be able to teach it to someone who knows nothing about it. That being said, YOU, who knows the language, would be able to look at different assembly and tell me which tutorial is best for someone who is starting at the very beginning. But you're so full of yourself you don't look at it from anyone's side but your own. If you treat people in RL like you do online you'd get your ass kicked, but it's not a big deal. I'll go to a different site and find someone who doesn't have their own head up their ass. You remind me of the guys from that hybrid episode of South Park who love the smell of their own gas, wafting it towards their noses each time they fart. LOL.

Don't bother responding to me because I won't be checking back. You may delete my account.

Bye.

Kayaker
August 11th, 2007, 20:41
'kay, I'm just talking to myself then...

It's a shame when this happens, but if the time wasted arguing was spent actually reading, he might have learned something.

I *really* hate to even mention the FAQ, but still, there's a section that seemingly would have given a starting point he so desperately couldn't find.

Quote:
What do I need to start?

Well, there is a good zip file to start with. Read it carefully: Tornado's crackers notes

Where can I find some assembly language guides?

Art of Assembly language, the bible:
http://cs.smith.edu/~thiebaut/ArtOfAssembly/artofasm.html

Win32asm basic tutorials: more programming oriented but very cool:
http://www.madwizard.org/view.php?page=tutorials.contents

Also, this opcode guide might come in quite handy when you feel ready to start patching some code: opcodes.zip.

We have the Intel Code Table: here.

We have the Windows Memory Layout: here.


How much nurturing is actually needed for *anyone* to learn the basics of *anything* anymore with the entire web at one's fingertips?

JMI
August 11th, 2007, 20:58
I'm really going to miss him.

The second post he ever made here, August 20, 2006, was to express his displeasure at not having received an answer to his question soon enough: "nobody can help me here?"

After approximately 10 days of posting in only two threads, where he was the one asking for the helping hand, he disappeared for nearly a year, resurfacing only to post this Thread.

Interestingly enough, his second Thread was about Yoda's Protector 1.3 and this thread is about Yoda's Crypter 1.2.

Seems he has a fixation about Yoda and Southpark.

I wonder if he's even aware that there is a decryptor available for Yoda Cryptor 1.2???

I also wonder why he missed this entry on the OpenRCE's discussion of yodaCrypt 1.2, found with just a few minutes surfing for "yoda crypt 1.2":

Utilizes an API call to IsDebuggerPresent().

self decoding blocks
zeros out mem
uses kernel mode seh to get to oep so you can't trace it all (believe it should be "at all") from olly
luckily you can see all the offsets to bpx in each step.
oep in mem was same as uncompressed exe
follow instructions above to get to oep

It even has an OEP signature listing:

Entry Point Signature
00409060 > 60 PUSHAD
00409061 E8 00000000 CALL $+5
00409066 5D POP EBP
00409067 81ED ???????? SUB EBP,offset
0040906D B9 7B090000 MOV ECX,97B
00409072 8DBD ???????? LEA EDI,DWORD PTR SS:[EBP+offset]

and a script for finding the OEP by FEUERRADER!

Of course, he probably doesn't know about ring0 vs. ring3 debuggers. But then what do I know!

Regards,
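The entry-point listing quoted above is exactly the kind of wildcard byte signature that PEiD-style identifiers match on, with the ???????? operands left open. The following is an added example, not code from the thread or from any tool named in it: it parses that listing into a byte pattern and scans a constructed code buffer for it. A real scanner would apply the pattern at the PE's AddressOfEntryPoint, and, as JMI points out, a hit only means the stub looks like Yoda's, since such signatures can be faked.

```python
import re

# Entry-point signature of yodaCrypt 1.2 exactly as quoted from the OpenRCE entry above.
SIGNATURE_LISTING = """\
00409060 > 60 PUSHAD
00409061 E8 00000000 CALL $+5
00409066 5D POP EBP
00409067 81ED ???????? SUB EBP,offset
0040906D B9 7B090000 MOV ECX,97B
00409072 8DBD ???????? LEA EDI,DWORD PTR SS:[EBP+offset]
"""

# A run of hex byte pairs and/or ?? wildcard pairs, e.g. "81ED" or "????????".
HEX_GROUP = re.compile(r"(?:[0-9A-Fa-f]{2}|\?\?)+")


def listing_to_pattern(listing):
    """Convert a disassembly listing into a byte pattern; None marks a wildcard byte."""
    pattern = []
    for line in listing.splitlines():
        tokens = line.split()[1:]            # drop the address column
        if tokens and tokens[0] == ">":      # OllyDbg's entry-point marker
            tokens = tokens[1:]
        for tok in tokens:
            if not HEX_GROUP.fullmatch(tok): # first non-hex token is the mnemonic
                break
            for i in range(0, len(tok), 2):
                pair = tok[i:i + 2]
                pattern.append(None if pair == "??" else int(pair, 16))
    return pattern


def find_signature(data, pattern):
    """Return the offset of the first wildcard match of pattern in data, or -1."""
    n = len(pattern)
    for off in range(len(data) - n + 1):
        if all(p is None or data[off + k] == p for k, p in enumerate(pattern)):
            return off
    return -1


# Constructed sample (not a real binary): 16 bytes of padding, then the stub with
# concrete values in the wildcard slots (SUB EBP,409066 / LEA EDI,[EBP+10]), then filler.
SAMPLE_STUB = bytes.fromhex("60" "E800000000" "5D" "81ED66904000" "B97B090000" "8DBD10000000")
SAMPLE_CODE = b"\x90" * 16 + SAMPLE_STUB + b"\xcc" * 8


def scan_sample():
    """Offset of the yodaCrypt stub inside the constructed sample buffer."""
    return find_signature(SAMPLE_CODE, listing_to_pattern(SIGNATURE_LISTING))
```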

LLXX
August 12th, 2007, 03:15
Quote:
one of the reasons that keeps me (and probably others) from coming back to this website is because its members are complete pricks, unwilling to help someone who doesn't already know as much as them
You think we want (l)users like you in the first place? (The entertainment aspect is overrated, seriously.)
Quote:
I told you -- I looked at many tutorials for learning assembly but I was a bit confused on certain aspects of the language in each of them. you were obviously too stupid to put that together from my post, so there, I made it a little more clear for you.
>but I was a bit confused
>but I was a bit
>I was
>I
Who is confused? You -- "were obviously too stupid to" understand, and you blame your own inadequacy on others?
Quote:
if you treat people in RL like you do online you'd get your ass kicked
What you're doing is the RL equivalent of going to a university and trying to get a degree when you only have a Grade 1 education, getting told you have to complete the curriculum up to that level, then complaining that you can't learn.
Quote:
[Originally Posted by penguin0103;67738]Visual Basic
It is very curious that nearly ALL of the 20+ self-proclaimed "programmers" I've dealt with, both online and IRL, that have had any exposure at all to this "programming" language, act with nearly the same attitude. There are at least two other threads here as evidence.

Silver
August 12th, 2007, 06:11
On the original topic, I'm pretty sure I posted this a year or 2 ago, but there's the full source to an earlier version of Yoda on Codeproject. Those who ignore history are doomed to repeat it, so I'd guess this would also be a good approach to understand Yoda's mindset when coding his protection.

Oh, also to add this - if you're starting out with reversing, spending a year becoming an asm expert is not necessary (although it would be valuable in its own right). Spend a little time with Iczelion's earlier tutorials to get a feel for how asm works, but remember what you're learning is NOT what you'll see when you break out Olly, IDA, SICE etc. A very good understanding of how multiple languages work and in-depth knowledge of Windows/win32api is far more useful in the early stages.

JMI
August 12th, 2007, 13:22
Just a small note to anyone who may be interested in the original topic itself. I believe that Silver's reference is to the CodeProject found here:

http://www.codeproject.com/cpp/peprotector1.asp?print=true

The MASM source of Yoda Cryptor 1.2 is actually available on Yoda's own Site, which is found here:

http://y0da.cjb.net/

It also contains the Unpacker by sNoOFy, which I mentioned earlier, along with its source code; deyoda 1.2...coded by C-ripper; DeyC...coded by [LiB] and two unpacking tutorials by CoDe_InSiDe.

All of which penguin0103 could have found with just a little bit of "semi-intelligent" searching.

Regards,