Posted November 28, 2008
UnpackME 2009 - The Enigma Protect v1.55
FOR UR Support OK BEST OF LUCK eNjOy!
UnpackME_2009.rar
Edited November 29, 2008 by Sp1d3rZ
November 28, 2008
I'll take a shot at it... I don't think I'll be able to beat it though. If someone does beat it, please write a tutorial on how you did it. Also, it detects Skype as a debugging tool; why do they put so much 'junk' into that thing?
KOrUPt.
Edited November 28, 2008 by KOrUPt
November 28, 2008
> UnpackME 2009 - The Enigma Protect v1.55
> Its new challenge for TOP Unpackers. Example: quosego
> OK BEST OF LUCK eNjOy!

It's not a challenge for 'top' unpackers; I'm not much more than a noob. Enigma is a better protector than you made it look; you made it simple.
_http://filebeam.com/d9f618ccfda5e8db570791bd82351615
Edited November 28, 2008 by pseudonym
November 28, 2008
> UnpackME 2009 - The Enigma Protect v1.55
> Its new challenge for TOP Unpackers. Example: quosego
> OK BEST OF LUCK eNjOy!

LOL. You are the author of Enigma Protector, and you are the one setting the challenge? In vain to allow such things here for all sorts of suckers..
November 28, 2008
It crashes out each time I try to debug it... Any suggestions, guys? I'm currently using OllyDRX along with OllyAdvanced and Phant0m to hide my debugger; maybe code hooks are being detected... I realise the original code is written in VB and, by the looks of it, API redirection isn't used, not sure on that though. Hope I can get a few tips on this. Thanks in advance.
KOrUPt.
November 28, 2008
Sp1d3rZ, it would be nice if you could edit your original post with the protection features that have been applied...
Ted.
November 28, 2008
Hello, you can also unpack it more easily if you attach to it... UIF, etc. A method for some lazy people.
greetz
November 28, 2008
I looked at it some... lots of anti-debug. So far, I found it doesn't work due to wrong INT3 handling: the exception handler doesn't redirect the flow to the right place, with an access violation occurring immediately after the INT3. I fixed that, but some pointers are set somewhere and I dunno what the correct value should be, so I get detected =]
Also, it detects Task Bar Shuffle as a debugger (that should get fixed).
November 29, 2008
Hi Fungus. I'm also having problems with this protection; I hope someone writes a tutorial on it. The anti-debugging appears to be very strong.

I recommend you set a hardware breakpoint at 0x004FA724; that call accounts for most of the anti-debugging as far as I can see. I recommend you use Phant0m with all protection options enabled along with OllyAdvanced's Anti IsDebuggerPresent() and Anti CheckRemoteDebuggerPresent().

There are quite a few calls to functions that call CreateThread(); just before those calls is a call to a function that calls CloseHandle(). Both of these function as anti-debugging. (I recommend you read the above sentence again if you didn't understand it.) You'll need to prevent the threads' execution, either by NOPing the calls to CreateThread or by patching the thread(s) themselves with a "RET 4" instruction... As for the CloseHandle() protection, I'd imagine you'll be able to insert a RET instruction at the beginning of the call.

There is a lot more anti-debugging, some of which I strongly advise you NOP. There seem to be quite a few redirected APIs (which contradicts my previous post)... The IAT appears to start at 0x00485208.

You'll be dealing with the following calls as far as anti-debug goes:
- CheckRemoteDebuggerPresent()
- IsDebuggerPresent()
- CloseHandle()
- DebugBreak()
- NtQuerySystemInformationProcess()
- GetStartupInfoA() // I'm not sure how this works as anti-debug but it is used.
[...]
Along with a lot more; I won't post too much as I want to leave a few surprises... You'll also want to pass all exceptions to the application.

Unfortunately, after circumventing all of the above anti-debug I still get a crash. Does anyone have any tips to help me out? Feel free to post or drop me a PM. Thanks in advance.

KOrUPt.

P.S: If I'm giving away too much, let me know and I'll 'censor' the post to a degree. Hopefully I'm not. Apologies if so, I just really want to get this thing beat :happy:.
Edited November 29, 2008 by KOrUPt
November 29, 2008
Use these plugins to bypass anti-debug:
- Phantom
- HideDebugger
- HideOD
All of the options must be checked. And HWBP on address 0054C761:
0054C761 /74 1D JE SHORT UnpackME.0054C780
Change the Z flag and run it in OllyDbg.

I have KMPlayer (a music player) on my system and this unpackme detects it as a debugger!!!
Edited November 29, 2008 by HSN.C3r
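As an added example (not code from the thread, nor from OllyDbg or any of the plugins named), the following Python helpers carry out the byte-level patches the two posts above describe: decoding the JE SHORT at 0054C761 to its target 0054C780, decoding and NOPing a CALL to a wrapper such as the CreateThread one, planting RET / RET 4 at the start of a thread routine, and making the conditional jump permanent the way flipping the Z flag does in the debugger. Only the JE bytes and its two addresses come from the thread; the 256-byte code window and the CALL at 0054C710 are constructed. One caveat the posts leave out: replacing a CALL to a stdcall function such as CreateThread (six DWORD arguments, 24 bytes) with five NOPs leaves those pushed arguments on the stack, so the helper can emit ADD ESP, N plus two NOPs instead.

```python
# Added example (not code from the thread): byte-level helpers for the patches
# the posters describe. 32-bit x86 only; every sample byte below is
# constructed, the JE bytes and addresses are the ones quoted in the thread.
import struct

NOP = 0x90

def short_jcc_target(va, code):
    """Target of a 2-byte short Jcc (70..7F) or JMP SHORT (EB) located at va."""
    if len(code) < 2 or not (0x70 <= code[0] <= 0x7F or code[0] == 0xEB):
        raise ValueError("no short Jcc/JMP at %#010x" % va)
    rel8 = struct.unpack_from("<b", code, 1)[0]
    return (va + 2 + rel8) & 0xFFFFFFFF

def call_rel32_target(va, code):
    """Target of a 5-byte CALL rel32 (E8) located at va."""
    if len(code) < 5 or code[0] != 0xE8:
        raise ValueError("no CALL rel32 at %#010x" % va)
    rel32 = struct.unpack_from("<i", code, 1)[0]
    return (va + 5 + rel32) & 0xFFFFFFFF

def nop_call(image, off, callee_pops=0):
    """Neutralise the CALL rel32 at image offset off.

    With callee_pops == 0 the five bytes become NOPs. If the callee is stdcall
    and would have popped N argument bytes (CreateThread pops 24), plain NOPs
    leave those arguments on the stack, so emit ADD ESP, N (83 C4 ib) + 2 NOPs
    instead. Returns the original bytes so the patch can be undone.
    """
    if image[off] != 0xE8:
        raise ValueError("no CALL rel32 at offset %#x" % off)
    if callee_pops == 0:
        patch = bytes([NOP] * 5)
    elif 0 < callee_pops <= 127:
        patch = bytes([0x83, 0xC4, callee_pops, NOP, NOP])
    else:
        raise ValueError("use ADD ESP, imm32 for more than 127 bytes")
    old = bytes(image[off:off + 5])
    image[off:off + 5] = patch
    return old

def plant_ret(image, off, pop_bytes=0):
    """Write RET (C3) or RET imm16 (C2 iw) at off.

    RET 4 at a thread start routine returns at once and pops its single LPVOID
    parameter (stdcall); plain RET suits a function whose caller cleans up.
    """
    patch = b"\xC3" if pop_bytes == 0 else b"\xC2" + struct.pack("<H", pop_bytes)
    old = bytes(image[off:off + len(patch)])
    image[off:off + len(patch)] = patch
    return old

def force_short_jcc(image, off, taken):
    """Permanent form of 'change the Z flag': turn the short Jcc at off into an
    unconditional JMP SHORT (taken) or into two NOPs (fall through)."""
    if not (0x70 <= image[off] <= 0x7F):
        raise ValueError("no short Jcc at offset %#x" % off)
    old = bytes(image[off:off + 2])
    image[off:off + 2] = bytes([0xEB, image[off + 1]]) if taken else bytes([NOP, NOP])
    return old

def demo():
    """Constructed 256-byte code window at 0054C700 holding the JE from the
    thread at 0054C761 and a made-up CALL at 0054C710 to a stub at 0054C780."""
    base = 0x0054C700
    image = bytearray([0xCC] * 0x100)
    image[0x61:0x63] = bytes.fromhex("741D")        # JE SHORT 0054C780
    image[0x10:0x15] = bytes.fromhex("E86B000000")  # CALL 0054C780 (stub)
    result = {
        "je_target": short_jcc_target(base + 0x61, image[0x61:0x63]),
        "call_target": call_rel32_target(base + 0x10, image[0x10:0x15]),
    }
    nop_call(image, 0x10, callee_pops=24)   # treat the stub like CreateThread
    plant_ret(image, 0x80, pop_bytes=4)     # RET 4 at the thread body
    force_short_jcc(image, 0x61, taken=True)
    result["call_bytes"] = image[0x10:0x15].hex()   # 83c4189090
    result["stub_bytes"] = image[0x80:0x83].hex()   # c20400
    result["je_bytes"] = image[0x61:0x63].hex()     # eb1d
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, hex(value) if isinstance(value, int) else value)
```

The helpers return the bytes they overwrite so each patch can be reverted while you bisect which one causes the crash the posters report; apply them to a dump, not the running process, unless you also restore the original bytes before the packer's integrity checks run.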
November 29, 2008
> Use these plugins to bypass anti-debug:
> - Phantom
> - HideDebugger
> - HideOD
> All of the options must be checked. And HWBP on address 0054C761:
> 0054C761 /74 1D JE SHORT UnpackME.0054C780
> Change the Z flag and run it in OllyDbg.
> I have KMPlayer (a music player) on my system and this unpackme detects it as a debugger!!!

Thank you, thanks
November 29, 2008
Maybe someone here would like to tell everyone what protection features this unpackme is protected with?
Ted.
November 29, 2008
If stolen OEP and IAT emulation and elimination were all the protection options, I theoretically unpacked it, though UIF redirects the new import section to a memory range below the imagebase, thus the PE refuses to run. Tried KB's Rebasing plugin, but it did not work either... :/
November 29, 2008
Yes... All the protection options are a stolen OEP and IAT emulation. By using UIF, unpacking it is easy.
Edited November 29, 2008 by HSN.C3r
November 29, 2008
Was too lazy to code a rebasing script; still wondering why UIF chooses a new memory range below the imagebase... Any way to circumvent that behaviour?
November 29, 2008
> Was too lazy to code a rebasing script; still wondering why UIF chooses a new memory range below the imagebase... Any way to circumvent that behaviour?

You can get around that by allocating some memory before execution with OllyAdvanced.
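The exchange above turns on a PE detail: a section is addressed by an RVA (an unsigned offset added to ImageBase), so an import table rebuilt at an address below the imagebase cannot be described by any section header, and the loader rejects the file. The added example below (not code from the thread, from UIF, or from KB's Rebasing plugin, whose internals the thread does not describe) shows the two halves of what a rebasing script has to do: pick the first section-aligned slot above the last section for the moved table, and re-point every CALL [disp32] / JMP [disp32] in the code that reads an IAT slot by the move delta. The image base, section layout, old table address and the four instructions are constructed; the example assumes 32-bit code in which all IAT reads use the FF 15 / FF 25 encodings, and it does not rewrite the import descriptors and thunk arrays themselves, which must be moved along with the table.

```python
# Added example (not code from the thread, UIF or the rebasing plugin): plan a
# new section above the last one for an import table that landed below the
# imagebase, then re-point CALL/JMP [disp32] references at the moved slots.
# 32-bit x86 only; all addresses and bytes below are constructed.
import struct

def align_up(value, alignment):
    """Round value up to a multiple of alignment (a power of two)."""
    return (value + alignment - 1) & ~(alignment - 1)

def plan_new_section(image_base, last_rva, last_vsize, section_alignment):
    """RVA and VA of the first free section-aligned slot after the last section."""
    rva = align_up(last_rva + last_vsize, section_alignment)
    return rva, image_base + rva

def relocate_iat_refs(code, old_lo, old_hi, delta):
    """Rewrite CALL [disp32] (FF 15) and JMP [disp32] (FF 25) whose absolute
    operand lies in [old_lo, old_hi) by delta. Returns the patched offsets.

    A linear byte scan can also match FF 15 inside other instructions or in
    data, so on a real dump restrict it to code sections and review each hit.
    """
    patched = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x15, 0x25):
            (slot,) = struct.unpack_from("<I", code, i + 2)
            if old_lo <= slot < old_hi:
                struct.pack_into("<I", code, i + 2, (slot + delta) & 0xFFFFFFFF)
                patched.append(i)
                i += 6
                continue
        i += 1
    return patched

def demo():
    """Constructed case: ImageBase 00400000, import table rebuilt at 003F0000
    (below it), last section at RVA 150000 with virtual size 2345, section
    alignment 1000, and three IAT-style instructions of which two must move."""
    image_base = 0x00400000
    old_iat_va, old_iat_size = 0x003F0000, 0x200
    _, new_iat_va = plan_new_section(image_base, 0x150000, 0x2345, 0x1000)
    delta = new_iat_va - old_iat_va
    code = bytearray(
        bytes.fromhex("FF1508003F00")     # call [003F0008]  -> moved
        + bytes.fromhex("90")             # nop
        + bytes.fromhex("FF2510003F00")   # jmp  [003F0010]  -> moved
        + bytes.fromhex("FF1500104000")   # call [00401000]  -> untouched
    )
    patched = relocate_iat_refs(code, old_iat_va, old_iat_va + old_iat_size, delta)
    return {"new_iat_va": new_iat_va, "delta": delta,
            "patched": patched, "code": code.hex()}

if __name__ == "__main__":
    out = demo()
    print("new IAT VA  %#010x" % out["new_iat_va"])
    print("delta       %#010x" % out["delta"])
    print("patched at  %s" % out["patched"])
    print("code        %s" % out["code"])
```

In the constructed case the table moves from 003F0000 to 00553000, so the two references become call [00553008] and jmp [00553010] while the call through 00401000 is left alone. The same delta has to be applied to the import directory entry in the optional header and to the descriptor and thunk RVAs before the dump will load.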
November 29, 2008
I've tried the following plugins with all options enabled to hide my debugger: Phant0m, HideDebugger, HideOD, OllyAdvanced. I've also tried circumventing the anti-debugging manually myself... Yet I still end up with a crash (returns to an invalid memory address). I'm stuck and confused. Apparently it ran normally for metr0; a few of you only needed to use the above plugins... Yet none of my attempts are working. I can't even get it to run to find the OEP, let alone fix the imports. Starting to lose faith on this one.
KOrUPt.
November 30, 2008
Unpacked =] That NtQuerySystemInformationProcess on ntdll.dll is the bugger.
UnpackedME2009.rar
November 30, 2008 (Author)
WOW Fungus, appreciate ur good work. And thnx for this:
> NtQuerySystemInformationProcess on ntdll.dll is the bugger