Log in

View Full Version : yoda cryptor help.

_genuine
November 19th, 2009, 03:25
Alright so ive read almost everything i can find on yoda cryptor 1.xx modified, and it all seemed to be easy enough to unpack..my target however seems to have something extra that i cant really understand in my initial analysis of it.

So here we go, just so i give enough information ill go thru the steps of how im 'supposed' to get to the oep.

Opened up the target (removed all exceptions in Olly except the ignore exceptions in kernel).

Here is my entry point.
Code:


00C1E060 bots.<ModuleEntryPoint>                    $  60              PUSHAD

00C1E061                                            .  E8 00000000     CALL bots.00C1E066

00C1E066                                            $  5D              POP EBP                                 ;  kernel32.7C817077

00C1E067                                            .  81ED 0F1E4000   SUB EBP,bots.00401E0F

00C1E06D                                            .  B9 57090000     MOV ECX,957

00C1E072                                            .  8DBD 571E4000   LEA EDI,DWORD PTR SS:[EBP+401E57]

00C1E078                                            .  8BF7            MOV ESI,EDI                             ;  ntdll.7C910228

00C1E07A                                            >  AC              LODS BYTE PTR DS:[ESI]


Using the ESP trick i single stepped over the PUSHAD and set a HW breakpoint on ESP.


I shift+f9 once and i reach the point where Yoda cryptor sets up its exception handler code to cause an exception. Right here. (To note, in another paper regarding this packer there is the technique of Shift+F9 until the program runs, then rerun the number of Shoft+f9 -1 times to reach this as well.).

Code:


00C1E739                                            .  50              PUSH EAX                                ;  bots.00C1E6E8

00C1E73A                                            ?  33C0            XOR EAX,EAX                             ;  OEP Or Next Shell To Get,Please dumped it,Enjoy!

00C1E73C                                            .  64:FF30         PUSH DWORD PTR FS:[EAX]

00C1E73F                                            ?  64:8920         MOV DWORD PTR FS:[EAX],ESP

00C1E742                                            ?  EB 01           JMP SHORT bots.00C1E745

00C1E744                                            ?  8700            XCHG DWORD PTR DS:[EAX],EAX             ;  bots.00C1E6E8

00C1E746                                            .  0000            ADD BYTE PTR DS:[EAX],AL



In the SEH chain in olly we will see where this SEH record lies in, after stepping into the code and raising the exception. Inm y case it is here, and i set a breakpoint on this exceptionhandler.

Code:


00C1E6E8                                           |.  55              PUSH EBP

00C1E6E9                                           |.  8BEC            MOV EBP,ESP

00C1E6EB                                           |.  57              PUSH EDI                                ;  ntdll.7C910228

00C1E6EC                                           |.  8B45 10         MOV EAX,[ARG.3]

00C1E6EF                                           |.  8BB8 C4000000   MOV EDI,DWORD PTR DS:[EAX+C4]

00C1E6F5                                           |.  FF37            PUSH DWORD PTR DS:[EDI]

00C1E6F7                                           |.  33FF            XOR EDI,EDI                             ;  ntdll.7C910228

00C1E6F9                                           |.  64:8F07         POP DWORD PTR FS:[EDI]                  ;  0012FFE0

00C1E6FC                                           |.  8380 C4000000 0>ADD DWORD PTR DS:[EAX+C4],8

00C1E703                                           |.  8BB8 A4000000   MOV EDI,DWORD PTR DS:[EAX+A4]

00C1E709                                           |.  C1C7 07         ROL EDI,7

00C1E70C                                           |.  89B8 B8000000   MOV DWORD PTR DS:[EAX+B8],EDI           ;  ntdll.7C910228

00C1E712                                           |.  B8 00000000     MOV EAX,0

00C1E717                                           |.  5F              POP EDI                                 ;  0012FFE0

00C1E718                                           |.  C9              LEAVE

00C1E719                                           \.  C3              RETN


In this code where the line
00C1E70C |. 89B8 B8000000 MOV DWORD PTR DS:[EAX+B8],EDI ; ntdll.7C910228


EDI will contain 00401000..which is supposed ! to be the OEP, but this is not the case in my target..According to popular papers. this should continue execution to the OEP. Wait for it...

After the bp is set there and we reach the exception handler code. We will ALT+F9 to return to code after the handler. which will be 00401000.

the code here is strange.
Code:


00401000                                             68 01A0C000       PUSH bots.00C0A001

00401005                                             E8 01000000       CALL bots.0040100B

0040100A                                             C3                RETN

0040100B                                             C3                RETN


it Calls this RETN, and the RETN just terminates the application..

This where that ends..now somewhere in all my analysis i thought i found a place where the OEP was, lying in some addresses in the 007XXXXXX range..when i remember how i got there ill update this thread but if anyone who does know about yoda cryptor and can realize some thing here id like some input or feedback, thanks.
_genuine
November 19th, 2009, 05:28
Well ive found what seems to be the redirecting of the IAT, its a jmp table. and like i imagined its in the 007XXXXXX range of addresses, will it be safe to say the OEP will most likely lie in the 007XXXXX range of addresses?

Code:


00706506                                           - FF25 689FBD00     JMP DWORD PTR DS:[BD9F68]

0070650C                                           - FF25 649FBD00     JMP DWORD PTR DS:[BD9F64]

00706512                                           - FF25 609FBD00     JMP DWORD PTR DS:[BD9F60]

00706518                                           - FF25 849EBD00     JMP DWORD PTR DS:[BD9E84]

0070651E                                           - FF25 B09DBD00     JMP DWORD PTR DS:[BD9DB0]

00706524                                           - FF25 B49DBD00     JMP DWORD PTR DS:[BD9DB4]

0070652A                                           - FF25 B89DBD00     JMP DWORD PTR DS:[BD9DB8]

00706530                                           - FF25 BC9DBD00     JMP DWORD PTR DS:[BD9DBC]

00706536                                           - FF25 C09DBD00     JMP DWORD PTR DS:[BD9DC0]

0070653C                                           - FF25 C49DBD00     JMP DWORD PTR DS:[BD9DC4]

00706542                                           - FF25 C89DBD00     JMP DWORD PTR DS:[BD9DC8]

00706548                                           - FF25 CC9DBD00     JMP DWORD PTR DS:[BD9DCC]

0070654E                                           - FF25 D09DBD00     JMP DWORD PTR DS:[BD9DD0]

00706554                                           - FF25 D49DBD00     JMP DWORD PTR DS:[BD9DD4]

0070655A                                           - FF25 D89DBD00     JMP DWORD PTR DS:[BD9DD8]

00706560                                           - FF25 DC9DBD00     JMP DWORD PTR DS:[BD9DDC]

00706566                                           - FF25 E09DBD00     JMP DWORD PTR DS:[BD9DE0]

0070656C                                           - FF25 E49DBD00     JMP DWORD PTR DS:[BD9DE4]          ; kernel32.CloseHandle

00706572                                           - FF25 E89DBD00     JMP DWORD PTR DS:[BD9DE8]

00706578                                           - FF25 EC9DBD00     JMP DWORD PTR DS:[BD9DEC]          ; kernel32.CreateFileA

0070657E                                           - FF25 F09DBD00     JMP DWORD PTR DS:[BD9DF0]

00706584                                           - FF25 F49DBD00     JMP DWORD PTR DS:[BD9DF4]

0070658A                                           - FF25 F89DBD00     JMP DWORD PTR DS:[BD9DF8]

00706590                                           - FF25 FC9DBD00     JMP DWORD PTR DS:[BD9DFC]

00706596                                           - FF25 009EBD00     JMP DWORD PTR DS:[BD9E00]

0070659C                                           - FF25 049EBD00     JMP DWORD PTR DS:[BD9E04]

007065A2                                           - FF25 089EBD00     JMP DWORD PTR DS:[BD9E08]

007065A8                                           - FF25 0C9EBD00     JMP DWORD PTR DS:[BD9E0C]

007065AE                                           - FF25 109EBD00     JMP DWORD PTR DS:[BD9E10]

007065B4                                           - FF25 149EBD00     JMP DWORD PTR DS:[BD9E14]

007065BA                                           - FF25 189EBD00     JMP DWORD PTR DS:[BD9E18]

007065C0                                           - FF25 1C9EBD00     JMP DWORD PTR DS:[BD9E1C]

007065C6                                           - FF25 209EBD00     JMP DWORD PTR DS:[BD9E20]

007065CC                                           - FF25 249EBD00     JMP DWORD PTR DS:[BD9E24]

007065D2                                           - FF25 289EBD00     JMP DWORD PTR DS:[BD9E28]

007065D8                                           - FF25 2C9EBD00     JMP DWORD PTR DS:[BD9E2C]

007065DE                                           - FF25 309EBD00     JMP DWORD PTR DS:[BD9E30]

007065E4                                           - FF25 349EBD00     JMP DWORD PTR DS:[BD9E34]

007065EA                                           - FF25 389EBD00     JMP DWORD PTR DS:[BD9E38]          ; kernel32.LoadLibraryA

007065F0                                           - FF25 3C9EBD00     JMP DWORD PTR DS:[BD9E3C]

007065F6                                           - FF25 409EBD00     JMP DWORD PTR DS:[BD9E40]

007065FC                                           - FF25 449EBD00     JMP DWORD PTR DS:[BD9E44]

00706602                                           - FF25 489EBD00     JMP DWORD PTR DS:[BD9E48]

00706608                                           - FF25 4C9EBD00     JMP DWORD PTR DS:[BD9E4C]

0070660E                                           - FF25 509EBD00     JMP DWORD PTR DS:[BD9E50]

00706614                                           - FF25 549EBD00     JMP DWORD PTR DS:[BD9E54]

0070661A                                           - FF25 589EBD00     JMP DWORD PTR DS:[BD9E58]

00706620                                           - FF25 5C9EBD00     JMP DWORD PTR DS:[BD9E5C]

00706626                                           - FF25 609EBD00     JMP DWORD PTR DS:[BD9E60]

0070662C                                           - FF25 649EBD00     JMP DWORD PTR DS:[BD9E64]

00706632                                           - FF25 689EBD00     JMP DWORD PTR DS:[BD9E68]

00706638                                           - FF25 6C9EBD00     JMP DWORD PTR DS:[BD9E6C]

0070663E                                           - FF25 709EBD00     JMP DWORD PTR DS:[BD9E70]

00706644                                           - FF25 749EBD00     JMP DWORD PTR DS:[BD9E74]

0070664A                                           - FF25 789EBD00     JMP DWORD PTR DS:[BD9E78]

00706650                                           - FF25 7C9EBD00     JMP DWORD PTR DS:[BD9E7C]

00706656                                           - FF25 809EBD00     JMP DWORD PTR DS:[BD9E80]

0070665C                                           - FF25 6C9FBD00     JMP DWORD PTR DS:[BD9F6C]

00706662                                           - FF25 889EBD00     JMP DWORD PTR DS:[BD9E88]

00706668                                           - FF25 8C9EBD00     JMP DWORD PTR DS:[BD9E8C]

0070666E                                           - FF25 909EBD00     JMP DWORD PTR DS:[BD9E90]

00706674                                           - FF25 949EBD00     JMP DWORD PTR DS:[BD9E94]

0070667A                                           - FF25 989EBD00     JMP DWORD PTR DS:[BD9E98]

00706680                                           - FF25 9C9EBD00     JMP DWORD PTR DS:[BD9E9C]

00706686                                           - FF25 00A2BD00     JMP DWORD PTR DS:[BDA200]          ; USER32.SetRect

0070668C                                           - FF25 B0A1BD00     JMP DWORD PTR DS:[BDA1B0]          ; USER32.PtInRect

00706692                                           - FF25 ACA1BD00     JMP DWORD PTR DS:[BDA1AC]          ; USER32.MessageBoxA

00706698                                           - FF25 A8A1BD00     JMP DWORD PTR DS:[BDA1A8]          ; USER32.PostMessageA

0070669E                                           - FF25 A4A1BD00     JMP DWORD PTR DS:[BDA1A4]          ; USER32.GetActiveWindow

007066A4                                           - FF25 A0A1BD00     JMP DWORD PTR DS:[BDA1A0]          ; USER32.wsprintfA

007066AA                                           - FF25 04A2BD00     JMP DWORD PTR DS:[BDA204]          ; USER32.DispatchMessageA

007066B0                                           - FF25 C0A1BD00     JMP DWORD PTR DS:[BDA1C0]          ; USER32.TranslateMessage

007066B6                                           - FF25 C4A1BD00     JMP DWORD PTR DS:[BDA1C4]          ; USER32.TranslateAcceleratorA

007066BC                                           - FF25 C8A1BD00     JMP DWORD PTR DS:[BDA1C8]          ; USER32.IsDialogMessageA

007066C2                                           - FF25 CCA1BD00     JMP DWORD PTR DS:[BDA1CC]          ; USER32.GetMessageA

007066C8                                           - FF25 D0A1BD00     JMP DWORD PTR DS:[BDA1D0]          ; USER32.PeekMessageA

007066CE                                           - FF25 D4A1BD00     JMP DWORD PTR DS:[BDA1D4]          ; USER32.SystemParametersInfoA

007066D4                                           - FF25 D8A1BD00     JMP DWORD PTR DS:[BDA1D8]          ; USER32.FindWindowA

007066DA                                           - FF25 DCA1BD00     JMP DWORD PTR DS:[BDA1DC]          ; USER32.ShowCursor

007066E0                                           - FF25 E0A1BD00     JMP DWORD PTR DS:[BDA1E0]          ; USER32.UpdateWindow

007066E6                                           - FF25 E4A1BD00     JMP DWORD PTR DS:[BDA1E4]          ; USER32.ShowWindow

007066EC                                           - FF25 E8A1BD00     JMP DWORD PTR DS:[BDA1E8]          ; USER32.CreateWindowExA

007066F2                                           - FF25 ECA1BD00     JMP DWORD PTR DS:[BDA1EC]          ; USER32.GetSystemMetrics

007066F8                                           - FF25 F0A1BD00     JMP DWORD PTR DS:[BDA1F0]          ; USER32.LoadAcceleratorsA

007066FE                                           - FF25 F4A1BD00     JMP DWORD PTR DS:[BDA1F4]          ; USER32.RegisterClassExA

00706704                                           - FF25 F8A1BD00     JMP DWORD PTR DS:[BDA1F8]          ; USER32.LoadCursorA

0070670A                                           - FF25 FCA1BD00     JMP DWORD PTR DS:[BDA1FC]          ; USER32.LoadIconA

00706710                                           - FF25 38A2BD00     JMP DWORD PTR DS:[BDA238]          ; USER32.DefWindowProcA

00706716                                           - FF25 64A2BD00     JMP DWORD PTR DS:[BDA264]          ; USER32.PostQuitMessage

0070671C                                           - FF25 08A2BD00     JMP DWORD PTR DS:[BDA208]          ; USER32.MoveWindow

00706722                                           - FF25 0CA2BD00     JMP DWORD PTR DS:[BDA20C]          ; USER32.GetClientRect

00706728                                           - FF25 10A2BD00     JMP DWORD PTR DS:[BDA210]          ; USER32.GetCursorPos

0070672E                                           - FF25 14A2BD00     JMP DWORD PTR DS:[BDA214]          ; USER32.ReleaseDC

00706734                                           - FF25 18A2BD00     JMP DWORD PTR DS:[BDA218]          ; USER32.GetDC

0070673A                                           - FF25 1CA2BD00     JMP DWORD PTR DS:[BDA21C]          ; USER32.CreateDialogParamA

00706740                                           - FF25 20A2BD00     JMP DWORD PTR DS:[BDA220]          ; USER32.EndDialog

00706746                                           - FF25 24A2BD00     JMP DWORD PTR DS:[BDA224]          ; USER32.DestroyWindow

0070674C                                           - FF25 28A2BD00     JMP DWORD PTR DS:[BDA228]          ; USER32.SetDlgItemTextA

00706752                                           - FF25 2CA2BD00     JMP DWORD PTR DS:[BDA22C]          ; USER32.SetWindowPos

00706758                                           - FF25 30A2BD00     JMP DWORD PTR DS:[BDA230]          ; USER32.GetWindowRect

0070675E                                           - FF25 34A2BD00     JMP DWORD PTR DS:[BDA234]          ; USER32.GetParent

00706764                                           - FF25 60A2BD00     JMP DWORD PTR DS:[BDA260]          ; USER32.IsWindow

0070676A                                           - FF25 5CA2BD00     JMP DWORD PTR DS:[BDA25C]          ; USER32.SetRectEmpty

00706770                                           - FF25 58A2BD00     JMP DWORD PTR DS:[BDA258]          ; USER32.RegisterClassA

00706776                                           - FF25 54A2BD00     JMP DWORD PTR DS:[BDA254]          ; USER32.GetClassInfoA

0070677C                                           - FF25 50A2BD00     JMP DWORD PTR DS:[BDA250]          ; USER32.RemovePropA

00706782                                           - FF25 4CA2BD00     JMP DWORD PTR DS:[BDA24C]          ; USER32.SetPropA

00706788                                           - FF25 48A2BD00     JMP DWORD PTR DS:[BDA248]          ; USER32.GetPropA

0070678E                                           - FF25 44A2BD00     JMP DWORD PTR DS:[BDA244]          ; USER32.UnregisterClassA

00706794                                           - FF25 40A2BD00     JMP DWORD PTR DS:[BDA240]          ; USER32.CopyRect

0070679A                                           - FF25 3CA2BD00     JMP DWORD PTR DS:[BDA23C]          ; USER32.MessageBoxW

007067A0                                           - FF25 289DBD00     JMP DWORD PTR DS:[BD9D28]          ; GDI32.DeleteDC

007067A6                                           - FF25 249DBD00     JMP DWORD PTR DS:[BD9D24]          ; GDI32.DeleteObject

007067AC                                           - FF25 209DBD00     JMP DWORD PTR DS:[BD9D20]          ; GDI32.GetTextExtentPoint32A

007067B2                                           - FF25 1C9DBD00     JMP DWORD PTR DS:[BD9D1C]          ; GDI32.SelectObject

007067B8                                           - FF25 D09CBD00     JMP DWORD PTR DS:[BD9CD0]          ; GDI32.CreateCompatibleDC

007067BE                                           - FF25 109DBD00     JMP DWORD PTR DS:[BD9D10]          ; GDI32.CreateFontA

007067C4                                           - FF25 0C9DBD00     JMP DWORD PTR DS:[BD9D0C]          ; GDI32.GetObjectA

007067CA                                           - FF25 089DBD00     JMP DWORD PTR DS:[BD9D08]          ; GDI32.GetObjectW

007067D0                                           - FF25 049DBD00     JMP DWORD PTR DS:[BD9D04]          ; GDI32.CreateDIBSection

007067D6                                           - FF25 009DBD00     JMP DWORD PTR DS:[BD9D00]          ; GDI32.GetCharacterPlacementA

007067DC                                           - FF25 FC9CBD00     JMP DWORD PTR DS:[BD9CFC]          ; GDI32.GetCharacterPlacementW

007067E2                                           - FF25 F89CBD00     JMP DWORD PTR DS:[BD9CF8]          ; GDI32.SetTextColor

007067E8                                           - FF25 F49CBD00     JMP DWORD PTR DS:[BD9CF4]          ; GDI32.SetBkColor

007067EE                                           - FF25 F09CBD00     JMP DWORD PTR DS:[BD9CF0]          ; GDI32.SetBkMode

007067F4                                           - FF25 EC9CBD00     JMP DWORD PTR DS:[BD9CEC]          ; GDI32.GetTextMetricsA

007067FA                                           - FF25 149DBD00     JMP DWORD PTR DS:[BD9D14]          ; GDI32.GetTextMetricsW

00706800                                           - FF25 E89CBD00     JMP DWORD PTR DS:[BD9CE8]          ; GDI32.GetFontLanguageInfo

00706806                                           - FF25 E49CBD00     JMP DWORD PTR DS:[BD9CE4]          ; GDI32.CreateFontIndirectA

0070680C                                           - FF25 D89CBD00     JMP DWORD PTR DS:[BD9CD8]          ; GDI32.CreateFontIndirectW

00706812                                           - FF25 D49CBD00     JMP DWORD PTR DS:[BD9CD4]          ; GDI32.SetTextAlign

00706818                                           - FF25 189DBD00     JMP DWORD PTR DS:[BD9D18]          ; GDI32.SetMapMode

0070681E                                           - FF25 CC9CBD00     JMP DWORD PTR DS:[BD9CCC]          ; GDI32.ExtTextOutA

00706824                                           - FF25 DC9CBD00     JMP DWORD PTR DS:[BD9CDC]          ; GDI32.MoveToEx

0070682A                                           - FF25 E09CBD00     JMP DWORD PTR DS:[BD9CE0]          ; GDI32.ExtTextOutW

00706830                                           - FF25 9C9BBD00     JMP DWORD PTR DS:[BD9B9C]          ; ADVAPI32.RegCloseKey

00706836                                           - FF25 649BBD00     JMP DWORD PTR DS:[BD9B64]          ; ADVAPI32.RegCreateKeyExA

0070683C                                           - FF25 909BBD00     JMP DWORD PTR DS:[BD9B90]          ; ADVAPI32.RegQueryValueExA

00706842                                           - FF25 949BBD00     JMP DWORD PTR DS:[BD9B94]          ; ADVAPI32.RegOpenKeyExA

00706848                                           - FF25 989BBD00     JMP DWORD PTR DS:[BD9B98]          ; ADVAPI32.RegSetValueExA

0070684E                                           - FF25 A09BBD00     JMP DWORD PTR DS:[BD9BA0]          ; ADVAPI32.RegOpenKeyA

00706854                                           - FF25 70A1BD00     JMP DWORD PTR DS:[BDA170]          ; shell32.ShellExecuteA

0070685A                                           - FF25 B8A4BD00     JMP DWORD PTR DS:[BDA4B8]          ; ole32.CoUninitialize

00706860                                           - FF25 B4A4BD00     JMP DWORD PTR DS:[BDA4B4]          ; ole32.CoCreateInstance

00706866                                           - FF25 B0A4BD00     JMP DWORD PTR DS:[BDA4B0]          ; ole32.CoInitialize

0070686C                                           - FF25 ACA4BD00     JMP DWORD PTR DS:[BDA4AC]          ; ole32.CLSIDFromString

00706872                                           - FF25 40A1BD00     JMP DWORD PTR DS:[BDA140]          ; oleaut32.VariantClear

00706878                                           - FF25 3CA1BD00     JMP DWORD PTR DS:[BDA13C]          ; oleaut32.VariantInit

0070687E                                           - FF25 38A1BD00     JMP DWORD PTR DS:[BDA138]          ; oleaut32.SysAllocString

00706884                                           - FF25 ECA4BD00     JMP DWORD PTR DS:[BDA4EC]          ; zlib1.uncompress

0070688A                                           - FF25 E8A4BD00     JMP DWORD PTR DS:[BDA4E8]          ; zlib1.compress

00706890                                           - FF25 70A4BD00     JMP DWORD PTR DS:[BDA470]          ; mac3r.MassiveAdClient3::CMassiveClientCore::Tick

00706896                                           - FF25 6CA4BD00     JMP DWORD PTR DS:[BDA46C]          ; mac3r.MassiveAdClient3::CMassiveClientCore::Instance

0070689C                                           - FF25 68A4BD00     JMP DWORD PTR DS:[BDA468]          ; mac3r.MassiveAdClient3::CMassiveClientCore::EnterZone

007068A2                                           - FF25 64A4BD00     JMP DWORD PTR DS:[BDA464]          ; mac3r.MassiveAdClient3::CMassiveClientCore::GetLastError

007068A8                                           - FF25 60A4BD00     JMP DWORD PTR DS:[BDA460]          ; mac3r.MassiveAdClient3::CMassiveClientCore::ExitZone

007068AE                                           - FF25 5CA4BD00     JMP DWORD PTR DS:[BDA45C]          ; mac3r.MassiveAdClient3::CMassiveAdObjectSubscriber::GetName

007068B4                                           - FF25 58A4BD00     JMP DWORD PTR DS:[BDA458]          ; mac3r.MassiveAdClient3::CMassiveClientCore::GetState

007068BA                                           - FF25 54A4BD00     JMP DWORD PTR DS:[BDA454]          ; mac3r.MassiveAdClient3::CMassiveClientCore::Initialize

007068C0                                           - FF25 50A4BD00     JMP DWORD PTR DS:[BDA450]          ; mac3r.MassiveAdClient3::CMassiveClientCore::Shutdown

007068C6                                           - FF25 4CA4BD00     JMP DWORD PTR DS:[BDA44C]          ; mac3r.MassiveAdClient3::CMassiveAdObjectSubscriber::~CMassiveAdObjectSubscriber

007068CC                                           - FF25 48A4BD00     JMP DWORD PTR DS:[BDA448]          ; mac3r.MassiveAdClient3::CMassiveAdObjectSubscriber::CMassiveAdObjectSubscriber

007068D2                                           - FF25 74A4BD00     JMP DWORD PTR DS:[BDA474]          ; mac3r.MassiveAdClient3::CMassiveAdObjectSubscriber::SetImpression

007068D8                                           - FF25 44A4BD00     JMP DWORD PTR DS:[BDA444]          ; mac3r.MassiveAdClient3::CMassiveAdObjectSubscriber::GetCrexID



Now i realized that after ive traced for so long, if im already executing code in the 007XXXXXX range of addresses, ive already executed my OEP and have passed it..any suggestions on how i can get that dam thing?

About a day ago when i dumped a file at what seemed to be an OEP it was in the 007XXXXX address, and PEID even recognized the file as being written in Visual C++, so good sign , but the IAT was all fucked..any ideas?

PS: Just so im not mistaken, since its been a while since ive done all this stuff, unpacking especially.. in terms of unpacking when youve reached the OEP, all it means is that the packer has done its work and that the executable is ready to execute its own code right? and thats why we want to find the OEP in order for the program after its been dumped and IATs fixed to run normally without the packer screwing the code up for disassembly..correct me if im wrong.
vect0r
November 19th, 2009, 15:38
You have tried to rebuild imports using ImpRec after reaching the OEP?
_genuine
November 19th, 2009, 22:32
Yes, ImpREC finds nothing good at the alleged OEP, I made a fucked up dump using the bad OEP and the correct IAT RVA. but its the OEP i have a hard time finding, anyways i think it does lie in the 007XXXXX addresses, ill post why soon here..
_genuine
November 20th, 2009, 08:36
hey ladies.

Well the file is protected with Yoda Cryptor AND Asprotect! i have solved it now and imports as well..gonna post the solution here soon when i have time to put everything together

regards.
vect0r
November 21st, 2009, 06:55
Congrats dude, I would be interested to see the analysis.. Post the file too when you get a chance