hi,

can someone unpack this file:

http://www.badongo.com/file.php?file=none__2005-12-29_push.dll
("http://www.badongo.com/file.php?file=none__2005-12-29_push.dll
")

I have tried a long time with different yoda unpack scripts for this version. (Yodas protector 1.03.1/1.03.2) but i have still problems with the dll olly says "To many parameters"...
I'am reading always its soo easy to unpack yodas and its not a protector - its a packer ... if someone can unpack please do it!
thx!
regards,
ypsuxx

Yoda is protector and it is good free one. I'll check it because I have never tried to unpack yoda dll.

OEP = 1000E634 > $ 6A 0C PUSH 0C

Open Olly and go to expression, enter this 1000E634 value and place hardware bp on execution there. You will break there. Rest is your job, just dump and use ImpREC to rebuild IAT.

Btw, this is some game file?

Open olly:

1.) loading the DLL
2.) No if it asks for analysing the compressed data
3.) CTRL+G for expression window with 1000E634

then i'am at:

1000E634 8AFA MOV BH,DL

5.)setting hardware bp on execution
6.) F9

then i'am at:

100249C1 8BEF MOV EBP,EDI
100249C3 33DB XOR EBX,EBX
100249C5 64:8F03 POP DWORD PTR FS:[EBX]
100249C8 83C4 04 ADD ESP,4

dumping the process, try to rebuild the iat with (1000E634)

IAT tells me it's not the correct OEP and:
100249C1 8BEF MOV EBP,EDI
seems to be wrong?
maybe u can help me up

You have probably stopped on some exception or some breakpoint which you forgot. OEP is:

1000E634 6A 0C PUSH 0C
1000E636 68 68A30110 PUSH push.1001A368
1000E63B E8 801E0000 CALL push.100104C0
1000E640 33C0 XOR EAX,EAX
1000E642 40 INC EAX
1000E643 8945 E4 MOV DWORD PTR SS:[EBP-1C],EAX
1000E646 8B75 0C MOV ESI,DWORD PTR SS:[EBP+C] ; push.10000000
1000E649 33FF XOR EDI,EDI
1000E64B 3BF7 CMP ESI,EDI
1000E64D 75 0C JNZ SHORT push.1000E65B
1000E64F 393D 68F80110 CMP DWORD PTR DS:[1001F868],EDI
1000E655 0F84 B3000000 JE push.1000E70E
1000E65B 897D FC MOV DWORD PTR SS:[EBP-4],EDI
1000E65E 3BF0 CMP ESI,EAX
1000E660 74 05 JE SHORT push.1000E667
1000E662 83FE 02 CMP ESI,2
1000E665 75 31 JNZ SHORT push.1000E698
1000E667 A1 44110210 MOV EAX,DWORD PTR DS:[10021144]
1000E66C 3BC7 CMP EAX,EDI
1000E66E 74 0C JE SHORT push.1000E67C

Remove all breakpoints (memory, software or hardware) before you place one at OEP. There will be encrypted code but bp will work when Yoda jumps to decrypted OEP.

In short , keep pressing F9 untill you break on OEP.

woah did you tried to fix the iat with imprec - (impRec OEP 0000E634) if i do "Get imports" and try to fixing the invalids my impREC is freezing & crashing.

I have removed all bps (hardware, memory,...)
what to do?

You are probably don't know how to use ImpREC properly. There shouldn't be problems.

First you attach to lunchdll.exe , then click on "Pick dll" find push.dll and then enter for OEP=E634. Then "IAT Autosearch" and "Get Imports". There will be lot of invalid ones, you click "Show invalid" then rightclick and chose "Trace level1". All imports will be founded and you can fix dump.

Thank you mr hagger for your help.

I have dumped the file & rebuild the IAT.

http://www.badongo.com/file.php?file=none__2006-01-04_dumped_.dll
("http://www.badongo.com/file.php?file=none__2006-01-04_dumped_.dll
")

But if i scan it with PEiD it does tell me "Nothing found *" and the Entrypoint section is empty.

(Dumped without rebuild import)

It's not working!
Did you got the same result?

Gimme some mail and I'll send you my dump.

Btw, I wrote tutorial how to unpack yoda 1.03.3, you can find it here

www.reversing.be
("http://www.reversing.be
")

under tutorials.

send it here:
ypsuxx@web.de

btw;nice tutorial

hi mr hagger,

unpacking DLL won't still work. Not with your tutorial / your oep (same method).
Try to pack a DLL from any program that requieres a DLL with yodas protector 1.03.3 and unpack it.
Unpack seems to work but if you start the program that requieres the DLL it will crash because the
dll is not more working after unpacking.

Is it working for you?
(if yes can you please send the dumped dll of the link to my email thanks)

I have unpacked couple dll's but not with yoda. I think that your dump is OK. Maybe there is some check. What is exe that needs this dll? Is this some game file? Gimme the name of game (or send me an exe) and I will check, it's interesting me now.

Btw, I will try with some other file too.

See you.

hi mr hagger,

gimme your mail i'll send you the files and some instruction for the file.

//btw unpacked a lot of files and they are working after unpacking (.exe)
if i unpack any dll the program is crashing.

Listen, I will not give mail here (since this forum doesn't have PM). Go to BIW reversing (there where is tutorial) login as user and send me PM , and I'll give you email and also send you mine dump.

Btw, I have packed my Movie Maker along with two dll's. After unpacking dll's, program works normaly as it should. I think that you have made some mistake. We'll see

check BiW reversing pm.