8
11
Rate This
Watch Online Tutorial : Click Here
Download Archives : Unpackme, Complete Tutorial Click Here
C:\Yodas Protector Unpacking.swf Build 2 successfully completed Created at: Sat Aug 14 08:28:53 2010 Flash player required: v6.0 or above Size: 1654 KB Total frames in main movie: 5160 Playback frame rate: 20 Approximate playback time: 258 seconds Annotated text transcript: Unpacking Yoda's Protector 1.03.3 Tools : -OllyDBG -OllyDump -IsDebugPresent (If you need) -LordPE -TargetFile This Tutorial is writen by Richard Irfan Yusan richardyusan@rocketmail.com The TargetFileyoda's Protector 1.03.3 -> Ashkbiz Danehkar Entryopy : PACKED EP Check : PACKED Load the target file to OllyDBG Set your Exceptions Settings like this make sure this checkbox is checked If User32.dll already loaded into memory, set your ollydbg events setting back to normal Uncheck ! Right Click > Go To > Expression Or CTRL + G Type "BlockInput" Fill with NOPs Place Breakpoint here F2 Now, we must fix IsDebuggerPresent there are two method : 1.Manual Fix : Continue watching 2. Using IsDebuggerPresent OllyDBG plugin , you can skip this step MOV EAX,0 GetCurrentProcessId Case sensitive Yoda uses CreateToolhelp32Snapshot to retrieve all running processes. Then , yoda search for process that started unpackme and it checks does that proces has same PID as unpackme itself. If not, yoda terminates that process which is OllyDbg.exe in our case. If we patch CreateToolhelp32Snapshot API, we will get Invalid_Handle exception. But there is another very easy way how to trick yoda. Yoda uses GetCurrentProcessId API to retrieve it's own PID. We can make yoda think that it is ollydbg.exe if we set that API to retireve olly's PID. How we can do that? By injecting simple patch. 00000730 is OllyDBG PID 730 mean ollydbg pid Run Debugged Program F9 We land at this breakpoint
Run Debugged Program Again F9 Set Memory BP on access OEP CTRL+A to analyze this code UnPackMe file run without error
from Blog : richardyusan.wordpress.com
Tidak ada komentar:
Posting Komentar