Quote:
Originally Posted by giga
Fade, it's probably best if you can upload your target to rapidshare.de or something like this, and I will try to make a small tutorial for you, but make sure your target is not very large.
Best regards.
The problem is that the file is malware, which I am trying to take a closer look at. If you still want the EXE I will upload it, but I wanted to let you know first.
Also, while looking for an MUP tutorial, I found a couple more scripts, but they are no good to me; I'll put them here anyway in case they help anybody else in future.
Code:
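// Mr.David yoda's Crypter V1.2 OEP and Patch IAT v0.1
// This script will quickly put you at the OEP of an yoda's Crypter V1.2 EXE.
// Just run it!
//
// OllyScript/ODbgScript command sequence - the order of the commands is the
// logic, so read it top to bottom:
//   1. break on kernel32.CloseHandle, then return to the unpacker's own code;
//   2. patch the IAT store `mov [edx],esi` (89 32) into `mov [edx],eax` (89 02)
//      so the real import address, not the redirected one, is written;
//   3. patch `xor eax,ebx` (33 C3) into `xor eax,eax` (33 C0); when that
//      pattern is absent the target is handled on the lblabel1 (VB) path;
//   4. set a memory breakpoint over the code section and stop at the OEP.
// All three exits write a cmt at eip and end with ret; the process is left
// stopped at the OEP so it can be dumped.
// The patches are applied to the live process image, so a dump taken after
// this script presumably contains the patched bytes rather than the packer's
// originals (TODO confirm against a dump).
// NOTE(review): the original comments were Chinese and are garbled in this
// transcription; the comments below describe only what the commands do.
msg "������OD�쳣���ó����ڴ��쳣��ȫ�����ԣ�Ȼ��Ӳ˵����������нű�"  // original prompt (garbled in transcription): shown once before the script starts
pause
dbh                                     // hide the debugger from the target
var cbase
gmi eip, CODEBASE                       // cbase = base of the code section of the module containing eip
mov cbase, $RESULT
log cbase
var csize
gmi eip, CODESIZE                       // csize = size of that code section
mov csize, $RESULT
log csize
var addr1
var addr2
gpa "CloseHandle","kernel32.dll"
mov addr1,$RESULT                       // API breakpoint on kernel32.CloseHandle
bp addr1
run
bc addr1                                // Clear break point
rtu                                     // Alt+F9: return to the unpacker's user-mode code
findop eip,#8932#                       // search forward from eip for mov [edx],esi (89 32)
cmp $RESULT, 0                          // findop yields 0 when the pattern is absent; the original
je lblnotfound                          // script then set a hardware breakpoint at address 0
mov addr1,$RESULT
bphws addr1,"x"                         // hardware breakpoint on execute at the IAT store
run
repl eip, #8932#, #8902#, 10            // within 10 bytes of eip: mov [edx],esi -> mov [edx],eax
BPHWC addr1
findop eip,#33C3#                       // xor eax,ebx
cmp $RESULT, 0
je lblabel1                             // not present: VB target, take the lblabel1 path
mov addr2,$RESULT
bphws addr2,"x"                         // hardware breakpoint on execute at the xor
run
repl eip, #33c3#, #33c0#, 10            // xor eax,ebx -> xor eax,eax
BPHWC addr2
esto                                    // Shift+F9: run to the next breakpoint/exception, passing the exception to the target
findop eip,#33DB#                       // xor ebx,ebx
cmp $RESULT, 0
je lblabel2
esto
bprm cbase, csize                       // memory breakpoint over the whole code section
esto                                    // stops when the unpacked code section is first touched
bpmc                                    // clear the memory breakpoint before the dump
cmt eip,"OEP Or Next Shell To Get,Please dumped it,Enjoy!"   // original comment (garbled) appears to call this the path with all of yoda's anti options enabled - unverified
ret
lblabel2:
bprm cbase, csize                       // same memory-breakpoint technique, no extra esto before it
esto
bpmc
cmt eip,"OEP Or Next Shell To Get,Please dumped it,Enjoy!"   // original comment (garbled) appears to say this path applies when the SoftICE option is not selected and that the script is only verified against default options - unverified
ret
lblabel1:                               // VB target: the xor eax,ebx pattern was not found
esto
bprm cbase, csize
esto
bpmc
cmt eip,"VBOEP Or Next Shell To Get,Please dumped it,Enjoy!"
ret
lblnotfound:                            // mov [edx],esi not found after CloseHandle: not a yoda's Crypter V1.2 layout this script knows
msg "Pattern 89 32 not found after CloseHandle - probably not yoda's Crypter V1.2. Script stopped."
ret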
Code:
//////////////////////////////////////////////////
// FileName : yoda's cryptor V1.2-V1.3.osc
// Comment : yoda's cryptor V1.2/V1.3 UnPacK
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : fly
// WebSite : http://www.unpack.cn
// Date : 2005-10-05 18:00
//////////////////////////////////////////////////
//
// Stages. Each "eob Label / bp X / esto / GoOnN: esto / Label: cmp eip,X / jne GoOnN"
// group runs the target until *this script's* breakpoint is hit, letting every
// other break or exception pass through (eob = jump to Label on breakpoint).
//   1. break on kernel32.GetProcAddress and return to the unpacker's code;
//   2. optional: in some modified yC builds, defuse the
//      ZwSetInformationThread(ThreadHideFromDebugger) call (T3 != 0 when patched);
//   3. stop at the `ror ebx,7` (C1 CB 07) OEP computation, restore the bytes
//      patched in step 2, and remember ebx (T1);
//   4. make the IAT-filling loop store the real import address (EAX) instead
//      of the redirected ESI, then put the original instruction back once the
//      import routine returns;
//   5. hardware breakpoint on T1 and stop there as the OEP.
// Variables: T0 = address of the OEP computation, T1 = OEP address,
// T2 = address of the patched IAT store, T3 = address of the patched
// anti-debug sequence (0 when the pattern was not found).
// Every exit ends in ret; NoFind is the single error exit.
#log
dbh                                     // hide the debugger from the target
var T0
var T1
var T2
var T3
//---- GetProcAddress ----------------------------------------------------------
gpa "GetProcAddress", "KERNEL32.dll"
eob GetProcAddress                      // on any breakpoint, continue at GetProcAddress:
bp $RESULT
esto
GoOn0:
esto
GetProcAddress:
cmp eip,$RESULT                         // $RESULT still holds the gpa result here
jne GoOn0                               // some other break - keep running
bc $RESULT
rtu                                     // return to the unpacker's user-mode code
//---- yC Some Modified Version -----------------------------------------------
/*
004042E6 FFD1 call ecx ; kernel32.GetCurrentThread
004042E8 6A 00 push 0
004042EA 6A 00 push 0
004042EC 6A 11 push 11
004042EE 50 push eax
004042EF FFD7 call edi ; ntdll.ZwSetInformationThread
*/
// 0x11 = ThreadHideFromDebugger. The patch below turns the first `push 0`
// (the ThreadInformationLength argument) into `push 1` and NOPs the trailing
// jecxz (E3 02) after `mov ecx,cs / xor cl,cl`; presumably this makes the
// call fail so the thread is never hidden from the debugger - TODO confirm.
find eip, #FFD16A006A006A1150FFD78CC932C9E302#
cmp $RESULT, 0
je 7ror                                 // pattern absent: not a modified build, T3 stays 0
mov T3,$RESULT
mov [T3],#FFD16A016A006A1150FFD78CC932C99090#
log $RESULT
//Pass ZwSetInformationThread
//---- OepRVA ------------------------------------------------------------------
7ror:
find eip, #C1CB07#                      // ror ebx,7
cmp $RESULT, 0
je NoFind
mov T0,$RESULT
eob Break0
bp T0
log T0
esto
GoOn1:
esto
Break0:
cmp eip,$RESULT                         // $RESULT = T0 (find result); log/mov above do not change it
jne GoOn1
cmp T3, 0                               // relies on `var T3` starting at 0 when no patch was made - confirm for this ODbgScript version
je OepRVA
mov [T3],#FFD16A006A006A1150FFD78CC932C9E302#   // restore the original anti-debug bytes now that they have executed
OepRVA:
bc T0
mov T1,ebx                              // ebx is later used as an absolute address (bphws T1) despite the "RVA" label name
log ebx
//---- Fixed Import Table -----------------------------------------------------
find eip, #89322BC683E805#              // mov [edx],esi / sub eax,esi / sub eax,5
cmp $RESULT, 0
log $RESULT                             // logging between cmp and je; log does not disturb the compare result
je NoFind
mov T2,$RESULT
log T2
asm T2,"MOV DWORD PTR [EDX],EAX"        // store the real import address instead of the redirected ESI (same 2-byte size: 89 02)
//Fixed Importing Function
find eip, #740261C3#                    // je +2 / popad / ret - presumably the tail of the import-resolving routine
cmp $RESULT, 0
je NoFind
eob Break1
bp $RESULT
esto
GoOn2:
esto
Break1:
cmp eip,$RESULT
jne GoOn2
bc $RESULT
asm T2,"MOV DWORD PTR [EDX],ESI"        // put the original instruction back
//Revert Code
//---- GetOep ------------------------------------------------------------------
eob Break2
bphws T1,"x"                            // hardware breakpoint on execute at the OEP
esto
GoOn3:
esto
Break2:
cmp eip,T1
jne GoOn3
bphwc T1
//---- GameOver ----------------------------------------------------------------
log eip
cmt eip, "This is the OEP! Found By: fly"
MSG "Just : OEP ! Dump and Fix IAT. Good Luck "
ret
NoFind:                                 // one of the byte patterns was not found - layout differs from V1.2/V1.3
MSG "Error! Maybe It's not yoda's cryptor V1.2/V1.3 ! "
ret