yodas protector 1.03.1
ypsuxx
December 30th, 2005, 01:53
hi,
can someone unpack this file:
http://www.badongo.com/file.php?file=none__2005-12-29_push.dll
I have tried for a long time with different yoda unpack scripts for this version (Yodas protector 1.03.1/1.03.2), but I still have problems with the dll; Olly says "To many parameters"...
I'm always reading that it's so easy to unpack yodas and that it's not a protector - it's a packer ... if someone can unpack it, please do!
thx!
regards,
ypsuxx
mr haggar
January 1st, 2006, 10:58
Yoda is a protector and it is a good free one. I'll check it because I have never tried to unpack a yoda dll.
mr haggar
January 1st, 2006, 12:22
OEP = 1000E634 > $ 6A 0C PUSH 0C
Open Olly and go to expression, enter this 1000E634 value and place a hardware bp on execution there. You will break there. The rest is your job, just dump and use ImpREC to rebuild the IAT.
Btw, is this some game file?
yp suxx
January 1st, 2006, 23:08
Open olly:
1.) loading the DLL
2.) No if it asks for analysing the compressed data
3.) CTRL+G for expression window with 1000E634
then I'm at:
1000E634 8AFA MOV BH,DL
5.)setting hardware bp on execution
6.) F9
then I'm at:
100249C1 8BEF MOV EBP,EDI
100249C3 33DB XOR EBX,EBX
100249C5 64:8F03 POP DWORD PTR FS:[EBX]
100249C8 83C4 04 ADD ESP,4
dumping the process, trying to rebuild the IAT with (1000E634)
IAT tells me it's not the correct OEP and:
100249C1 8BEF MOV EBP,EDI
seems to be wrong?
maybe you can help me out
mr haggar
January 2nd, 2006, 14:19
You have probably stopped on some exception or some breakpoint which you forgot. OEP is:
1000E634 6A 0C PUSH 0C
1000E636 68 68A30110 PUSH push.1001A368
1000E63B E8 801E0000 CALL push.100104C0
1000E640 33C0 XOR EAX,EAX
1000E642 40 INC EAX
1000E643 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
1000E646 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C] ; push.10000000
1000E649 33FF XOR EDI,EDI
1000E64B 3BF7 CMP ESI,EDI
1000E64D 75 0C JNZ SHORT push.1000E65B
1000E64F 393D 68F80110 CMP DWORD PTR DS:[1001F868],EDI
1000E655 0F84 B3000000 JE push.1000E70E
1000E65B 897D FC MOV DWORD PTR SS:[EBP-4],EDI
1000E65E 3BF0 CMP ESI,EAX
1000E660 74 05 JE SHORT push.1000E667
1000E662 83FE 02 CMP ESI,2
1000E665 75 31 JNZ SHORT push.1000E698
1000E667 A1 44110210 MOV EAX,DWORD PTR DS:[10021144]
1000E66C 3BC7 CMP EAX,EDI
1000E66E 74 0C JE SHORT push.1000E67C
Remove all breakpoints (memory, software or hardware) before you place one at OEP. There will be encrypted code, but the bp will work when Yoda jumps to the decrypted OEP.
mr haggar
January 2nd, 2006, 14:20
In short, keep pressing F9 until you break on OEP.
yp suxx
January 3rd, 2006, 11:34
woah, did you try to fix the IAT with ImpREC (ImpREC OEP 0000E634)? If I do "Get imports" and try fixing the invalids, my ImpREC freezes and crashes.
I have removed all bps (hardware, memory, ...)
what to do?
mr haggar
January 3rd, 2006, 14:45
You probably don't know how to use ImpREC properly. There shouldn't be problems.
First you attach to lunchdll.exe, then click on "Pick dll", find push.dll and then enter OEP=E634. Then "IAT Autosearch" and "Get Imports". There will be a lot of invalid ones; you click "Show invalid", then right-click and choose "Trace level1". All imports will be found and you can fix the dump.
yp suxx
January 4th, 2006, 04:13
Thank you mr hagger for your help.
I have dumped the file & rebuilt the IAT.
http://www.badongo.com/file.php?file=none__2006-01-04_dumped_.dll
But if I scan it with PEiD it tells me "Nothing found *" and the Entrypoint section is empty.
(Dumped without rebuild import)
It's not working!
Did you get the same result?
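Added example, not part of the thread and not any poster's code: a header check for a dumped DLL that reports whether the stored entry point equals the OEP as an RVA (VA minus image base) and which sections hold the entry point and the import directory, the two things that decide what PEiD shows as the EP section. The sample header is constructed; the `.newimp` section name, the section sizes and the import RVA are made-up assumptions, only the OEP 1000E634 comes from the posts above.

```python
import struct

def parse_pe(data):
    """Return (image_base, entry_rva, import_rva, sections) for a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    # NumberOfSections, then skip 12 bytes to SizeOfOptionalHeader
    nsec, opt_size = struct.unpack_from("<H12xH", data, pe + 6)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    import_rva = struct.unpack_from("<I", data, opt + 104)[0]  # data directory 1
    sections = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, vaddr, rsize = struct.unpack_from("<3I", data, off + 8)
        sections.append((name, vaddr, vsize, rsize))
    return image_base, entry_rva, import_rva, sections

def section_of(rva, sections):  # (name, raw size) of the section holding rva
    for name, vaddr, vsize, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            return name, rsize
    return None, 0

def check_dump(data, oep_va):
    base, entry, imp, secs = parse_pe(data)
    ep_sec, ep_raw = section_of(entry, secs)
    return {"oep_rva": oep_va - base, "entry_matches_oep": entry == oep_va - base,
            "entry_section": ep_sec, "entry_has_raw_data": ep_raw > 0,
            "import_section": section_of(imp, secs)[0]}

def build_sample(entry_rva):
    """Constructed PE32 header only (no code, not loadable); values are made up."""
    h = bytearray(0x200)
    h[:2], h[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", h, 0x3C, 0x40)
    struct.pack_into("<HH", h, 0x44, 0x14C, 2)       # Machine, NumberOfSections
    struct.pack_into("<H", h, 0x54, 224)             # SizeOfOptionalHeader
    struct.pack_into("<H", h, 0x58, 0x10B)           # PE32 magic
    struct.pack_into("<I", h, 0x58 + 16, entry_rva)
    struct.pack_into("<I", h, 0x58 + 28, 0x10000000)
    struct.pack_into("<I", h, 0x58 + 104, 0x2A000)   # import directory RVA
    struct.pack_into("<8s3I", h, 0x138, b".text", 0x19000, 0x1000, 0x19000)
    struct.pack_into("<8s3I", h, 0x160, b".newimp", 0x1000, 0x2A000, 0x1000)
    return bytes(h)
```

An entry point stored as the full address instead of the RVA falls outside every section, so `entry_section` comes back as `None`; on a real dump, pass the file's bytes to `check_dump` in place of the constructed header.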
mr haggar
January 4th, 2006, 13:42
Gimme some mail and I'll send you my dump.
mr haggar
January 4th, 2006, 16:14
Btw, I wrote a tutorial on how to unpack yoda 1.03.3, you can find it here
www.reversing.be
under tutorials.
yp suxx
January 4th, 2006, 16:44
send it here:
ypsuxx@web.de
btw, nice tutorial
yp suxx
January 5th, 2006, 16:48
hi mr hagger,
unpacking the DLL still won't work. Not with your tutorial / your OEP (same method).
Try to pack a DLL from any program that requires a DLL with yodas protector 1.03.3 and unpack it.
Unpacking seems to work, but if you start the program that requires the DLL it will crash because the dll no longer works after unpacking.
Is it working for you?
(if yes, can you please send the dumped dll of the link to my email, thanks)
mr haggar
January 6th, 2006, 05:47
I have unpacked a couple of dll's but not with yoda. I think that your dump is OK. Maybe there is some check. What is the exe that needs this dll? Is this some game file? Gimme the name of the game (or send me an exe) and I will check, it interests me now.
Btw, I will try with some other file too.
See you.
yp suxx
January 6th, 2006, 06:03
hi mr hagger,
gimme your mail, I'll send you the files and some instructions for the file.
//btw I have unpacked a lot of files and they are working after unpacking (.exe)
if I unpack any dll the program crashes.
mr haggar
January 6th, 2006, 06:14
Listen, I will not give my mail here (since this forum doesn't have PM). Go to BIW reversing (where the tutorial is), log in as a user and send me a PM, and I'll give you my email and also send you my dump.
Btw, I have packed my Movie Maker along with two dll's. After unpacking the dll's, the program works normally as it should. I think that you have made some mistake. We'll see
yp suxx
January 6th, 2006, 06:40
check BiW reversing pm.