need help unpacking yoda's cryptor 1.x / modified

#1 10-07-2006, 06:18

I have a file which I need to unpack, with the latest PEiD it is recognised as "yoda's cryptor 1.x / modified". Using google I found the script below.

Code:

// Mr.David yoda's cryptor 1.x  modified OEP and Patch IAT  v0.1b
// This script will quickly put you at the OEP of an yoda's cryptor 1.x  modified EXE.
// Just run it!

msg "������OD�쳣���ó����ڴ��쳣��ȫ�����ԣ�Ȼ��Ӳ˵����������нű�"
pause

dbh  //���ص�����

var addr   
sto        
mov addr,esp   //ESP����
bphws addr,"r"


var addr1

var addr2

gpa "CloseHandle","kernel32.dll"
mov addr1,$RESULT                    //�ݾ� API�ϵ�CloseHandle
bp addr1
run

bc addr1    //Clear break point  //ȡ���ϵ�
rtu        //Alt+F9


findop eip,#8932#    //����ָ��
mov addr1,$RESULT         
bphws addr1,"x"     
run
repl eip, #8932#, #8902#, 10       //�в��β����޲�ǿ��
BPHWC addr1


findop eip,#33C3#    //����ָ��
mov addr2,$RESULT 
bphws addr2,"x"     
run               //����


repl eip, #33c3#, #33c0#, 10    //�в��β����޲�ǿ��

BPHWC addr2

esto
esto

findop eip,#33DB#    //����ָ��  //�жϻ�ʣ�����쳣������·�� ����û�����ǣ�Yoda�޸Ŀǵ�����·�ߺ�ԭ���ֲ�ͬ! ����������
cmp $RESULT, 0
je lblabel2

esto
esto
esto
run
sto
sto
sto
sto
bphwc addr 
           
cmt eip,"OEP1 Or Next Shell To Get,Please dumped it,Enjoy!" //Yodaȫ��Antiѡ��·��

ret

lblabel2:
esto
esto
run
sto
sto
sto
sto
bphwc addr    
  
cmt eip,"OEP2 Or Next Shell To Get,Please dumped it,Enjoy!" //ûѡ���Softice���쳣��һ�Σ������ʲôAntiѡ���ѡ����ô�ű��޷���ȷ���У�������ǧ��ʦ��ǧ�������ű�ֻ���ǶԿ�Ĭ��ѡ����ȷִ�еġ�

ret

Firstly when I save that script in notepad if I save it as ANSI I lose the chinese characters and they are replaced by ???, this is what I see when the script runs.

http://img417.imageshack.us/img417/4434/ansiivh7.png

If I save it as unicode or unicode big endian, when I run the script in Olly I get a message like this.

http://img176.imageshack.us/img176/8739/unicodeerrorvi5.png

And if I save the script as UTF-8, this is what I see when I run it.

http://img117.imageshack.us/img117/3878/utf8ey7.png

I guess that doesn't really matter though, at least the script seems to run when it is saved as ANSII, I just wont be able to see the chinese text. And I don't speak chinese anyway, so does it really matter?

So I am curious, what happens when I run this script. It doesn't look like anything happened :P

Thanks

Thread Tools
Show Printable Version Email this Page
Display Modes
Switch to Linear Mode Switch to Hybrid Mode Threaded Mode