
Problem identifying packer/encrypter


brixton
March 21st, 2006, 20:02
Hey all,

I can't find the packer/encrypter for the following app:

www.brixton.org/misc/crackme.exe
(virus scanned)

I have tried generic apps such as PEiD but many apps give different results, and I have tried in vain to unpack it (with no success).

I'd appreciate any help on the matter!

Thanks,

brixton

Ricardo Narvaja
March 21st, 2006, 21:47
RDG Packer Detector v0.6 Beta.rar

published yesterday, says:

yoda crypter 1.3

Ricardo Narvaja

gigaman
March 22nd, 2006, 12:34
Yes, it's Yoda Cryptor 1.3 (and packed by UPX on the next level).

Vrane
March 22nd, 2006, 13:15
Did you try with this?

stud_pe ---> nothing detected
Code:
http://anonym.to/?http://christian.gheorghe.free.fr/ITimer/zipp/Stud_PE.zip


RDG Packer Detector v0.6 ----> RDG yoda's crypter 1.3
Code:
http://anonym.to/?http://www.rvlcnsecurity.com/rdgmax/RDG_Packer_Detector_v0.6_Beta.rar

brixton
March 22nd, 2006, 14:54
Hey,

I saw the yC section but I tried identifying with various tools and got nothing useful.

If it's also UPX packed, how would I unpack the whole thing? yC first, then UPX?

Thanks all for the kind replies!

-brixton

[EDIT JMI] You are NOT supposed to ask for the "Tools of the Trade" here, so I removed that part of your Post. Do some of your own research on how to unpack Yoda Cryptor. Put something like "yoda cryptor unpacking" (without the quotes) in your favorite search engine and read some of the information you find. (I got 230 hits, including some tutorials.)

brixton
March 22nd, 2006, 16:38
Quote:
[EDIT JMI] You are NOT supposed to ask for the "Tools of the Trade" Here, so I removed that part of your Post. Do some of your own research on how to unpack Yoda Cryptor. Put something like "yoda cryptor unpacking" (without the quotes) in your favorite search engine and read some of the information you find.


I'm sorry. I did my own search and I found an Ollyscript that works fine! I dumped the process and it works, and is about 10 times larger.

Now it has a yC section, UPX sections and a new section. If it's packed with UPX, how can I unpack this now?

www.brixton.org/misc/unpacked.exe
(virus scanned)

Thanks for all replies!

-brixton

SiGiNT
March 22nd, 2006, 19:01
A simple search of this board would answer your question.

GEESH! Think a little for yourself!

SiGiNT

brixton
March 22nd, 2006, 19:02
Sorry, I'm a newbie. I tried UPX itself with the unpack switch, yet it says it isn't UPX packed. Something is wrong here.

SiGiNT
March 22nd, 2006, 21:57
Does PEiD Identify it as UPX? - sometimes it's necessary to play with the PE header to unpack UPX - also can be found searching here - lots of tuts available for unpacking UPX - even a plug-in for PEiD.

SiGiNT

LLXX
March 22nd, 2006, 22:32
@sigint33: It is UPX 1.92, inspect the file and you'll see.
Quote:
[Originally Posted by brixton]Sorry, I'm a newbie. I tried UPX itself with the unpack switch, yet it says it isn't UPX packed. Something is wrong here.
You don't even know how to unpack UPX manually? There's more to reversing than just using -d, you know...

That is one of the easiest packers to unpack manually. No anti-debug, no code obfuscation, no anti-dumping. It just decompresses and runs.

Go read some more unpacking tutorials. Something similar to "basics of unpacking" is probably enough, as UPX is so simple that it doesn't even deserve a tutorial of its own.

In summary, all you need to do is load it into a debugger, run it to its entrypoint, then dump and restore imports.

brixton
March 23rd, 2006, 13:54
I've just recently discovered a tutorial on manually unpacking UPX, as generic UPX unpackers (including the official one) don't work with this program.

Thanks all for the time you've taken to consider my problem and reply!
Also for putting up with my simple questions.

-brixton

brixton
March 24th, 2006, 17:05
OK, this is driving me crazy. I got past the y0da crypter v1.3, but now I can't do this UPX. I read some tutorials and I followed them. I found the POPAD, then the jump; I'm sure I did it right, I rebuilt the imports, but nothing I tried actually works in the end.

Maybe the app just needs something changing, but I don't know what. I don't know what to do.

SiGiNT
March 24th, 2006, 18:13
Quote:
[Originally Posted by sigint33]sometimes it's necessary to play with the PE header to unpack UPX - also can be found searching here
SiGiNT


Search for a post by Bilbo re: a recent crackme. I haven't downloaded your target, but the info might be helpful.

SiGiNT

Maximus
March 24th, 2006, 19:12
I strongly suggest you read the article about the PE format at CodeBreakers Journal (no link, google). All of it. Then you'll understand what happens when you load an application, and this helps a lot, at least conceptually.

Regards,
Maximus

LLXX
March 24th, 2006, 23:40
Quote:
[Originally Posted by brixton]Maybe the app needs just something changing, but I don't know what.
Entry point? A common beginner mistake is not resetting the OEP.

SiGiNT
March 25th, 2006, 03:03
Ditto, LLXX,

I downloaded the unpacked ver.; it's definitely not loading at the correct OEP. Tried to download the orig., but NAV blocked it - probably another false warning, but I decided to give it a pass. Also, I'm not really sure that it's totally unpacked from the yC shell, just my take at a glance.

SiGiNT

brixton
March 25th, 2006, 08:15
Reset the OEP? The app works as it is, so why would I need to change it? To unpack, I can use generic Olly plugins to find the OEP, but it doesn't work when dumped.

SiGiNT
March 25th, 2006, 13:10
Hmmmmm,

Doesn't run here (WinXP SP2) - briefly opens a DOS box and exits -

00473341 u> BE 00104600 MOV ESI,unpacked.00461000
00473346 8DBE 0000FAFF LEA EDI,DWORD PTR DS:[ESI+FFFA0000]
0047334C 57 PUSH EDI ; ntdll.7C910738
0047334D 83CD FF OR EBP,FFFFFFFF
00473350 EB 10 JMP SHORT unpacked.00473362
00473352 90 NOP
00473353 90 NOP
00473354 90 NOP
00473355 90 NOP
00473356 90 NOP
00473357 90 NOP
00473358 8A06 MOV AL,BYTE PTR DS:[ESI]
0047335A 46 INC ESI
0047335B 8807 MOV BYTE PTR DS:[EDI],AL
0047335D 47 INC EDI ; ntdll.7C910738
0047335E 01DB ADD EBX,EBX
00473360 75 07 JNZ SHORT unpacked.00473369
00473362 8B1E MOV EBX,DWORD PTR DS:[ESI]
00473364 83EE FC SUB ESI,-4
00473367 11DB ADC EBX,EBX
00473369 ^ 72 ED JB SHORT unpacked.00473358


This doesn't look like an OEP to me - even for a UPX packed app -

00424B30 c> 66:C705 90494200 7507 MOV WORD PTR DS:[424990],775
00424B39 ^ E9 32FEFFFF JMP crackme.00424970
00424B3E 0000 ADD BYTE PTR DS:[EAX],AL
00424B40 0000 ADD BYTE PTR DS:[EAX],AL
00424B42 0000 ADD BYTE PTR DS:[EAX],AL
00424B44 0000 ADD BYTE PTR DS:[EAX],AL
00424B46 0000 ADD BYTE PTR DS:[EAX],AL
00424B48 0000 ADD BYTE PTR DS:[EAX],AL
00424B4A 0000 ADD BYTE PTR DS:[EAX],AL
00424B4C 0000 ADD BYTE PTR DS:[EAX],AL
00424B4E 0000 ADD BYTE PTR DS:[EAX],AL

This is generally what a UPX packed target will look like when loaded into Olly.

SiGiNT

brixton
March 25th, 2006, 15:33
It does what it's supposed to, as you have to specify command-line parameters and have some DLL as well. Just trying to get the exe unpacked though ;\

I'll keep trying something, thanks for all your help!

edit:

It does have things like these:


00424B46 0000 ADD BYTE PTR DS:[EAX],AL
00424B48 0000 ADD BYTE PTR DS:[EAX],AL
00424B4A 0000 ADD BYTE PTR DS:[EAX],AL
00424B4C 0000 ADD BYTE PTR DS:[EAX],AL
00424B4E 0000 ADD BYTE PTR DS:[EAX],AL

Is the OEP the JMP before that?

edit2: I think that looks correct, because the JMP just before all that goes to a section of code after some INT3s, then it goes into GetCommandLine, etc., which is the standard start for many apps. But now when I dump it there, it's still not right.

SiGiNT
March 25th, 2006, 17:26
Sorry,

The example I posted was not a good one. If you UPX notepad and load it into Olly, you'll see that your OEP is 1 line off; it should be at the popad 1 line above. What really bothers me is that even if I change the OEP to what it should be, PEiD reports no OEP found. Your file's PE header could have some serious problems.

SiGiNT

brixton
March 25th, 2006, 18:28
Yes I think it does.

I followed the JMP after the POPAD and went to another section (??? I think). Anyway, I traced through the code and now it's the proper program; I changed some values in memory and modded it to my liking. However, I can't copy to executable. Maybe I'm in the wrong section or something, because I can't go to the old sections anymore or anything. I tried dumping and it doesn't work either. So I can mod the app if I trace through, but I can't compile it to make future use easy.

LLXX
March 25th, 2006, 20:42
Quote:
[Originally Posted by sigint33]Hmmmmm,

Doesn't run here (WinXP SP2) - briefly opens a DOS box and exits -

00473341 u> BE 00104600 MOV ESI,unpacked.00461000
00473346 8DBE 0000FAFF LEA EDI,DWORD PTR DS:[ESI+FFFA0000]
0047334C 57 PUSH EDI ; ntdll.7C910738
0047334D 83CD FF OR EBP,FFFFFFFF
00473350 EB 10 JMP SHORT unpacked.00473362
00473352 90 NOP
00473353 90 NOP
00473354 90 NOP
00473355 90 NOP
00473356 90 NOP
00473357 90 NOP
00473358 8A06 MOV AL,BYTE PTR DS:[ESI]
0047335A 46 INC ESI
0047335B 8807 MOV BYTE PTR DS:[EDI],AL
0047335D 47 INC EDI ; ntdll.7C910738
0047335E 01DB ADD EBX,EBX
00473360 75 07 JNZ SHORT unpacked.00473369
00473362 8B1E MOV EBX,DWORD PTR DS:[ESI]
00473364 83EE FC SUB ESI,-4
00473367 11DB ADC EBX,EBX
00473369 ^ 72 ED JB SHORT unpacked.00473358


This doesn't look like an OEP to me - even for a UPX packed app -
That's the UPX entrypoint. I packed an example program in UPX and disassembled the entrypoint; it looks like this:
Code:
pushad
mov esi, 00405000
lea edi, [esi+FFFFC000]
push edi
or ebp, FFFFFFFF
jmps 00405612
nop
nop
nop
nop
nop
nop
mov al, [esi]
inc esi
mov [edi], al
inc edi
add ebx, ebx
jnz 00405619
Almost exactly the same thing.

Quote:
00424B30 c> 66:C705 90494200 7507 MOV WORD PTR DS:[424990],775
00424B39 ^ E9 32FEFFFF JMP crackme.00424970
00424B3E 0000 ADD BYTE PTR DS:[EAX],AL
00424B40 0000 ADD BYTE PTR DS:[EAX],AL
00424B42 0000 ADD BYTE PTR DS:[EAX],AL
00424B44 0000 ADD BYTE PTR DS:[EAX],AL
00424B46 0000 ADD BYTE PTR DS:[EAX],AL
00424B48 0000 ADD BYTE PTR DS:[EAX],AL
00424B4A 0000 ADD BYTE PTR DS:[EAX],AL
00424B4C 0000 ADD BYTE PTR DS:[EAX],AL
00424B4E 0000 ADD BYTE PTR DS:[EAX],AL

This is generally what a UPX packed target will look like when loaded into Olly.
That looks more like the end of the UPX decompressor. The JMP before the padding goes to the OEP.

I loaded it into Ollydbg and tried to run it to OEP, but it terminated before it reached OEP. Tracing through, it seems to have stalled somewhere in the import loading loop. I dumped it anyway and it looks like it's been unpacked.

What are you using to dump this? LordPE works fine.

I inspected the rest of the file... it's rather peculiar in that there is *another* EXE contained within its body, in ASCIIHex encoding. It starts with 4D5A...

TQN
March 25th, 2006, 23:02
Code:

00473475 FF96 44300700 call near dword ptr ds:[esi+73044] ; kernel32.ExitProcess
0047347B 61 popad
0047347C - E9 CFE6F8FF jmp unpacked.00401B50

The OEP is 00401b50. NOP the call to ExitProcess at 00473475, dump and rebuild the IAT as normal.
Regards,
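As an added example (not code from any poster in this thread), here is a small Python triage script that recognises the UPX decompressor prologue LLXX compared above and resolves the `popad; jmp rel32` tail TQN pointed at to the OEP, the way an analyst would check a memory dump before fixing the entry point. The sample bytes are constructed from the opcodes in the posted listings, laid out at their posted addresses with zero filler between the copy loop and the tail; the prologue byte pattern is assumed to be the UPX 1.9x layout shown in the thread.

```python
import re
import struct

# Constructed sample (not a real file): the opcode bytes from the listings in this
# thread, placed at their posted virtual addresses. The gap between the copy loop
# and the stub tail is zero filler, not real code.
BASE_VA = 0x00473340
STUB_HEAD = bytes.fromhex(
    "60"                    # pushad
    "BE00104600"            # mov esi, 0x00461000      ; packed data
    "8DBE0000FAFF"          # lea edi, [esi-0x60000]   ; unpack destination
    "5783CDFFEB10"          # push edi / or ebp,-1 / jmp short +0x10
    "909090909090"          # 6 x nop
    "8A064688074701DB7507"  # copy loop: mov al,[esi] / inc esi / mov [edi],al / ...
    "8B1E83EEFC11DB72ED"
)
STUB_TAIL = bytes.fromhex(
    "FF9644300700"          # call [esi+0x73044]  ; ExitProcess in the posted dump
    "61"                    # popad
    "E9CFE6F8FF"            # jmp rel32 -> OEP
)
TAIL_VA = 0x00473475
SAMPLE = STUB_HEAD + b"\x00" * (TAIL_VA - BASE_VA - len(STUB_HEAD)) + STUB_TAIL

# UPX 1.9x prologue: pushad / mov esi,imm32 / lea edi,[esi+disp32] / push edi / or ebp,-1 / jmp short
UPX_PROLOGUE = re.compile(rb"\x60\xBE(.{4})\x8D\xBE(.{4})\x57\x83\xCD\xFF\xEB\x10", re.DOTALL)
# Epilogue: popad / jmp rel32 (the jump lands on the OEP)
UPX_EPILOGUE = re.compile(rb"\x61\xE9(.{4})", re.DOTALL)

def find_upx_stub(buf):
    """Return (offset, packed_src_va, unpack_dst_va) of the UPX prologue, or None."""
    m = UPX_PROLOGUE.search(buf)
    if m is None:
        return None
    src = struct.unpack("<I", m.group(1))[0]
    disp = struct.unpack("<i", m.group(2))[0]   # lea displacement is signed
    return m.start(), src, (src + disp) & 0xFFFFFFFF

def find_oep(buf, base_va, start=0):
    """Resolve the first 'popad; jmp rel32' at or after offset start to its target VA."""
    m = UPX_EPILOGUE.search(buf, start)
    if m is None:
        return None
    rel = struct.unpack("<i", m.group(1))[0]
    next_insn_va = base_va + m.end()          # rel32 is relative to the next instruction
    return (next_insn_va + rel) & 0xFFFFFFFF
```

On the constructed sample the prologue is found at 0x00473340, copying from 0x00461000 down to 0x00401000, and the tail resolves to the OEP 0x00401B50 that TQN reported.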