////////////////////////////////////////////////////////////
// FileName : yoda's Protector V1.03.X.osc
// Comment : yoda's Protector V1.03.1/V1.03.2 UnPacK
// Environment : WinXP SP2,OllyDbg V1.10,OllyScript V0.92
// Author : fly
// WebSite : http://fly2004.163.cn.com
// Date : 2005-10-05 23:00
////////////////////////////////////////////////////////////
//
// Purpose: drive OllyDbg through the protector's loader stub until the
// original entry point (OEP) of the protected program is reached, so the
// analyst can dump the process and rebuild the import table.
//
// Stages, in execution order:
//   1. Break on GetVersion, return to the caller, overwrite the result.
//   2. Break on GetWindowLongA / SetWindowLongA and make the Set call write
//      back the value the Get call just returned.
//   3. Break on IsDebuggerPresent and return to the caller.
//   4. Locate "ror ebx,7" in the stub and capture ebx there (used as the OEP).
//   5. Temporarily NOP a "mov [edx],esi" in the import handling, run to the
//      stub's "je / popad / ret" tail, then restore the original bytes.
//   6. Run to the captured address and report it as the OEP.
//
// All numeric literals are hexadecimal, as is the OllyScript convention.
//
// Each API stage uses the same idiom:
//     eob <label>        on the next break, continue the script at <label>
//     bp  <addr> / esto  set the breakpoint and run (exceptions passed on)
//     cmp eip,<addr>     if the break was not at <addr> (for example an
//     jne GoOnN          exception), run again and re-check
//     bc  <addr>         otherwise clear the breakpoint and carry on
//
// NOTE(review): none of the gpa results is checked before "bp $RESULT";
// if an API cannot be resolved the script would try to break at address 0.
// A "cmp $RESULT, 0 / je NoFind" after each gpa would make that explicit.

// Enable logging of the executed script commands.
#log
// Hide the debugger from the debuggee.
dbh

// T0 = value returned by GetWindowLongA
// T1 = stack address of SetWindowLongA's third argument
// T2 = address of the "ror ebx,7" instruction in the stub
// T3 = ebx captured at T2, later treated as the OEP
// T4 = address of the import-handling sequence that is patched and restored
var T0
var T1
var T2
var T3
var T4

//--------------------------------
// Stage 1: GetVersion. Resolve the export, break on its entry, then run
// back to the calling code in the stub.
gpa "GetVersion", "KERNEL32.dll"
eob GetVersion
bp $RESULT
esto
GoOn0:
esto
GetVersion:
cmp eip,$RESULT
jne GoOn0
bc $RESULT
rtu
// Replace GetVersion's return value with 4.
// NOTE(review): presumably steers a version-dependent branch in the stub;
// the reason is not visible in this script - confirm against the target.
mov eax,4

//--------------------------------
// Stage 2a: GetWindowLongA. Let the call complete and keep its return value.
gpa "GetWindowLongA", "User32.dll"
eob GetWindowLongA
bp $RESULT
esto
GoOn1:
esto
GetWindowLongA:
cmp eip,$RESULT
jne GoOn1
bc $RESULT
rtu
mov T0,eax

//Lock Shell_TrayWnd
// Stage 2b: SetWindowLongA. The breakpoint is on the function entry, so esp
// points at the return address and [esp+C] is the third stdcall argument
// (dwNewLong). Overwriting it with T0 makes the call store the value that
// GetWindowLongA returned, i.e. the window attribute is left as it was.
gpa "SetWindowLongA", "User32.dll"
eob SetWindowLongA
bp $RESULT
esto
GoOn2:
esto
SetWindowLongA:
cmp eip,$RESULT
jne GoOn2
bc $RESULT
mov T1,esp
add T1,C
mov [T1],T0
rtu

//--------------------------------
// Stage 3: IsDebuggerPresent. Used only as a landmark: after rtu, eip is
// inside the stub code that the pattern searches below start from.
gpa "IsDebuggerPresent", "KERNEL32.dll"
eob IsDebuggerPresent
bp $RESULT
esto
GoOn3:
esto
IsDebuggerPresent:
cmp eip,$RESULT
jne GoOn3
bc $RESULT
rtu

// Stage 4: search forward from eip for C1 CB 07 (ror ebx,7).
// $RESULT is 0 when the pattern is not found.
find eip, #C1CB07#
cmp $RESULT, 0
je NoFind
mov T2,$RESULT
eob Ror7
bp T2
log T2
esto
GoOn4:
esto
Ror7:
cmp eip,T2
jne GoOn4
bc T2
// The breakpoint fires before the instruction at T2 executes, so this is the
// value of ebx ahead of the rotate. Stage 6 runs to this address as the OEP.
mov T3,ebx
log ebx

//--------------------------------
// Stage 5: search for 89 32 2B C6 83 E8 05
// (mov [edx],esi / sub eax,esi / sub eax,5).
find eip, #89322BC683E805#
cmp $RESULT, 0
// The log sits between cmp and je; the je below still uses the cmp result.
log $RESULT
je NoFind
mov T4,$RESULT
// Dword C62B9090 is stored little-endian as 90 90 2B C6: the two-byte
// "mov [edx],esi" becomes two NOPs and the following "sub eax,esi" is kept.
mov [T4],C62B9090 //Fixed Importing Function

// Search for 74 02 61 C3 (je +2 / popad / ret) and run until it is reached.
// NOTE(review): if this search fails the script exits through NoFind with
// the NOP patch at T4 still in place; restoring the bytes before the
// "je NoFind" would leave the debuggee unmodified on the error path.
find eip, #740261C3#
cmp $RESULT, 0
je NoFind
eob Popad
bp $RESULT
esto
GoOn5:
esto
Popad:
cmp eip,$RESULT
jne GoOn5
bc $RESULT
// Dword C62B3289 is stored as 89 32 2B C6, the original bytes at T4, so a
// later dump contains the unmodified stub code.
mov [T4],C62B3289 //Revert Code

//--------------------------------
// Stage 6: break at the address captured in T3 and run to it.
eob MyOEP
bp T3
esto
GoOn6:
esto
MyOEP:
cmp eip,T3
jne GoOn6
bc T3

//--------------------------------
// Record the address in the log, annotate it in the disassembly, and tell
// the analyst to dump the process and repair the import address table.
log eip
cmt eip, "This is the OEP! Found By: fly"
MSG "Just : OEP ! Dump and Fix IAT. Good Luck "
ret

// Error exit: one of the byte patterns was not found, so the target is
// probably not packed with the protector versions this script supports.
NoFind:
MSG "Error! Maybe It's not yoda's Protector V1.03.1/V1.03.2 ! "
ret