Unpacking Yodas Protector 1.03.3



C:\Yodas Protector Unpacking.swf
Build 2 successfully completed
Created at: Sat Aug 14 08:28:53 2010
Flash player required: v6.0 or above
Size: 1654 KB
Total frames in main movie: 5160
Playback frame rate: 20
Approximate playback time: 258 seconds

Annotated text transcript:

Unpacking Yoda's Protector 1.03.3
Tools:

-OllyDBG
-OllyDump
-IsDebugPresent plugin (optional)
-LordPE
-Target file

This tutorial is written by Richard Irfan Yusan

richardyusan@rocketmail.com
The TargetFile ;-)
yoda's Protector 1.03.3 -> Ashkbiz Danehkar
Entropy : PACKED
EP Check : PACKED
Load the target file into OllyDBG
Set your exception settings like this
Make sure this checkbox is checked
Once User32.dll has been loaded into memory, set your OllyDbg event settings back to normal
Uncheck!
Right Click > Go To > Expression

Or

CTRL + G
Type "BlockInput"
Fill it with NOPs
Place a breakpoint here
F2
Now we must fix IsDebuggerPresent.

There are two methods:

1. Manual fix: continue watching
2. Use the IsDebuggerPresent OllyDBG plugin, in which case you can skip this step
MOV EAX,0
GetCurrentProcessId

Case sensitive
Yoda uses CreateToolhelp32Snapshot to retrieve all running processes. Then Yoda searches for the process that started the unpackme and checks whether that process has the same PID as the unpackme itself. If not, Yoda terminates that process, which is OllyDbg.exe in our case. If we patch the CreateToolhelp32Snapshot API, we get an Invalid_Handle exception. But there is another, very easy way to trick Yoda. Yoda uses the GetCurrentProcessId API to retrieve its own PID. We can make Yoda think that it is ollydbg.exe if we make that API return Olly's PID. How can we do that? By injecting a simple patch.
00000730 is OllyDBG's PID
730 means OllyDbg's PID
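To make the parent check and the effect of the GetCurrentProcessId patch concrete, here is a small model in C, added here and not part of the tutorial or of Yoda's Protector itself: the snapshot is a constructed array standing in for what CreateToolhelp32Snapshot returns, the unpackme entry is located by image name (an assumption suggested by the "Case sensitive" caption), and parent_check reports which process the protector would terminate for the real PID versus the patched value 0x730.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the PROCESSENTRY32 fields the check uses. */
typedef struct {
    unsigned pid;      /* th32ProcessID */
    unsigned ppid;     /* th32ParentProcessID */
    const char *exe;   /* szExeFile */
} ProcEntry;

/* Constructed snapshot: OllyDbg (PID 0x730) launched unpackme.exe. */
static const ProcEntry snapshot[] = {
    { 0x3A8, 0x004, "explorer.exe" },
    { 0x730, 0x3A8, "OllyDbg.exe" },
    { 0x9C4, 0x730, "unpackme.exe" },
};
#define SNAPSHOT_LEN (sizeof snapshot / sizeof snapshot[0])
#define REAL_PID 0x9C4u   /* unpatched GetCurrentProcessId result */
#define OLLY_PID 0x730u   /* value the tutorial patches it to return */

/* The protector's check as the tutorial describes it: locate the
 * unpackme entry (by image name, case-sensitive: an assumption), read
 * its parent PID and compare it with what GetCurrentProcessId returned.
 * Returns the PID the protector would terminate, or 0 if it passes. */
unsigned parent_check(unsigned reported_pid)
{
    for (size_t i = 0; i < SNAPSHOT_LEN; i++) {
        if (strcmp(snapshot[i].exe, "unpackme.exe") != 0)
            continue;
        return (snapshot[i].ppid == reported_pid) ? 0 : snapshot[i].ppid;
    }
    return 0;  /* own entry not found: nothing to terminate */
}

/* Resolve a PID back to its image name for reporting. */
const char *exe_name(unsigned pid)
{
    for (size_t i = 0; i < SNAPSHOT_LEN; i++)
        if (snapshot[i].pid == pid)
            return snapshot[i].exe;
    return "(none)";
}

int main(void)
{
    unsigned v = parent_check(REAL_PID);
    printf("unpatched: would terminate %#x (%s)\n", v, exe_name(v));
    v = parent_check(OLLY_PID);
    printf("patched:   would terminate %#x (%s)\n", v, exe_name(v));
    return 0;
}
```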
Run Debugged Program

F9
We land at this breakpoint :D
Run Debugged Program Again

F9
Set Memory BP on access
OEP
CTRL+A to analyze this code
The UnPackMe file runs without error :D
;-)
Entropy : NOT PACKED
EPCheck : NOT PACKED
And the UnPackMe is unpacked successfully!

My Blog :
richardyusan.wordpress.com






18 Responses to "Unpacking Yodas Protector 1.03.3"

  1. What is it for, bro? By the way, any news on when the quickwall hack will be officially released, bro?

  2. Ugh, why does the quickwall hack come with a secure code, bro? How do you get the secure code??? What are the requirements? When will it be released to the public~
    Thanks in advance ~

  3. Bro RCD, what is the password for the protected one?

  4. Bro rcd, I PM'd you on the nyit nyit forum, no reply yet... thanks

  5. Bro, send the password to my email later, okay?
    Pleaseee bro T.T

  6. Just be patient, bro,
    maybe it will only be shared after the PB maintenance is finished

  7. What is yodasprotector for, bro?

  8. Well, I downloaded it, but what is it for? :(

  9. Bro richard, please make a Ninja Saga cheat, I need it, pleasee
    in case you can

  10. Bro, what's with that tutorial, it's so complicated!!
    And the ammo cheat, bro, why doesn't it work?
    The video is complicated and tiny, bro!!
    Please respond, bro richard ^^

  11. Hey.... hey... broooo
    I just found out that gemscool also releases cheats....
    they hand out cheats for free on their forum ...
    just check this, but you have to register first....
    http://gemcheat.darkbb.com/forum.htm
    ahahahahahaha
    turns out it's lizard eating lizard....
    they wipe out cheaters but they breed cheats too...hahahahaha....
    I really like this....
    what a mess....hahahaha

  12. I'll tell you a quick way to use a cheat that works 100%,, whoever wants more info, just comment on my FB,, to keep it confidential..
    do it by PM and I'll reply later with more info, plus the tutorial..

  13. My FB is erryburonan2nd@yahoo.com
    thx..

  14. I'll tell you a quick way to use a cheat that works 100%,, whoever wants more info, just comment on my FB,, to keep it confidential..
    do it by PM and I'll reply later with more info, plus the tutorial..
    PM at: erryburonan2nd@yahoo.com
    thx..

  15. MOST OF THE COMMENTERS ARE LEECHERS, GUYS

  16. Release the Beret cheat for my Jimat!
    Thanks to the R_Club guys! FREEDOM!
