Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[unpackme] 2009

Sp1d3rZ
Sp1d3rZ
in UnPackMe

Featured Replies

Posted

UnpackME 2009 - The Enigma Protect v1.55

FOR UR Support ;)

34j6u00.jpg

OK ;) BEST OF LUCK

eNjOy! :thumbsup:

UnpackME_2009.rar

Edited by Sp1d3rZ

I'll take a shot at it... I don't think I'll be able to beat it though. If someone does beat it please write a tutorial on how you did it :) .

Also, detects Skype as a debugging tool, why do they put so much 'junk' into that thing :( .

KOrUPt.

Edited by KOrUPt

UnpackME 2009 - The Enigma Protect v1.55

Its new challenge for TOP Unpackers. Example: quosego

OK ;) BEST OF LUCK

eNjOy! :thumbsup:

Its not a challenge for 'top' unpackers, I'm not much more than a noob. Enigma s a better protector than you made it look, you made it simple.

_http://filebeam.com/d9f618ccfda5e8db570791bd82351615

Edited by pseudonym

UnpackME 2009 - The Enigma Protect v1.55

Its new challenge for TOP Unpackers. Example: quosego

OK ;) BEST OF LUCK

eNjOy! :thumbsup:

LOL

You are the author of Enigma protector, which will make the challenge? In vain here to allow such things to different loham ..

It crashes out each time I try and debug it :( ... Any suggestions guys?

I'm currently using OllyDRX along with OllyAdvanced and phant0m to hide my debugger, maybe code hooks are being detected :ermm: ...

I realise the original code is written in VB and by the looks of it API redirection isn't used, not sure on that though.

Hope I can get a few tips on this. Thanks in advance.

KOrUPt.

提示下 Under the tips

Edited by by:70

Sp1d3rZ, it would be nice if you could edit your original post with the protection features that have been applied...

Ted.

  • Author

V Nice pseudonym, Gr8 Work. :rolleyes:

V Nice pseudonym, Gr8 Work. :rolleyes:

:blink:

Hi

Here is my unpacked file.

unpacked.rar

  • Author

hhhmmm ;) NICE WORK HSN.C3r

Hello,

you can also unpack it easier if you attach it...uif..etc.

A method for some lazy people. :)

greetz

I looked at it some...

lots of anti-debug.

So far, I found it doesn't work due to wrong INT3 handling, Exception Handler doesn't redirect the flow to the right place. Also with Access Violation occuring immediately after the INT3.

I fixed that but some pointers are set somewhere and I dunno what correct value should be, so I get detected =]

Also, it detects Task Bar Shuffle as debugger (that should get fixed).

HI Fungus.

I'm also having problems with this protection, I hope someone writes a tutorial on it :) .

The Anti-Debugging appears to be very strong. I recommend you set a hardware breakpoint at 0x004FA724, that call accounts for most of the anti-debugging as far as I can see.

I recommend you use Phant0m with all protection options enabled along with OllyAdvanced's Anti IsDebuggerPresent() and Anti CheckRemoteDebuggerPresent().

There are quite a few calls to functions that call CreateThread(), just before those calls is a call to a function that calls CloseHandle(), both of these function as Anti-Debugging. (I recommend you read the above sentence again if you didn't understand it :P ).

You'll need to prevent the threads execution, either by NOPing the calls to CreateThread or by patching the thread(s) itself with a "RET 4" instruction...

As for the CloseHandle() protection I'd imagine you'll be able to insert a RET instruction at the beginning of the call.

There is a lot more Anti-Debugging, some of which I strongly advise you NOP.

There seems to be quote a few of redirected API's(which contradicts my previous post :confused: )... IAT appears to start at 0x00485208.

You'll be dealing with the following calls as far as Anti-Debug goes:

CheckRemoteDebuggerPresent()
IsDebuggerPresent()
CloseHandle()
DebugBreak()
NtQuerySystemInformationProcess()
GetStartupInfoA() // I'm not sure how this works as anti-debug but it is used.
[...]

Along with a lot more, I wont post too much as I want leave a few surprises...

You'll also want to pass all exceptions to the application.

Unfortunately after circumventing all of the above Anti-Debug I still get a crash :( .

Does anyone have any tips to help me out? Feel free to post or drop me a PM.

Thanks in advance :) .

KOrUPt.

P.S: If I'm giving away too much let me know and I'll 'censor' the post to a degree :) . Hopefully I'm not. Apologies if so, I just really want to get this thing beat :happy:.

Edited by KOrUPt

Use these plugins to bypass anti debug :

-Phantom

-HideDebugger

-HideOD

All of options must be checked.

And HWBP on address of 0054C761 :

 0054C761   /74 1D		   JE SHORT UnpackME.0054C780

Change Z flag and run it in Ollydbg. ;)

I have a KMPlayer(a Music Player) on my system and this unpackme detects it as a debugger!!!

Edited by HSN.C3r

Use these plugins to bypass anti debug :

-Phantom

-HideDebugger

-HideOD

All of options must be checked.

And HWBP on address of 0054C761 :

 0054C761   /74 1D		   JE SHORT UnpackME.0054C780

Thank you 谢谢 :o

Change Z flag and run it in Ollydbg. ;)

I have a KMPlayer(a Music Player) on my system and this unpackme detects it as a debugger!!!

Maybe someone here would like to tell everyone what protection features this unpackme is protected with? :rolleyes:

Ted.

If stolen OEP and IAT emulation and elimination were all protection options, I theoretically unpacked it - though UIF redirects the new import section to a memory range below the imagebase, thus the PE refuses to run. Tried KB's Rebasing plugin, but it did not work as well... :/

Yes ...

All protection options are a stolen OEP and IAT emulation.

By using UIF , unpacking of it is easy. :)

Edited by HSN.C3r

Was too lazy to code a rebasing script, still wondering why UIF chooses a new memory range below imagebase... Any way to circumvent that behaviour?

Was too lazy to code a rebasing script, still wondering why UIF chooses a new memory range below imagebase... Any way to circumvent that behaviour?

You can get around that by allocating some memory before execution with ollyadvanced.

I've tried the following plugins with all options enabled to hide my debugger:

Phant0m.

HideDebugger.

HideOD.

OllyAdvanced.

I've also tried circumventing the anti-debugging manually myself... Yet I still end up with a crash(returns to an invalid memory address).

I'm stuck and confused.

Apparently it ran normally for metr0, a few of you only needed to use the above plugins... Yet none of my attempts are working :( .

I cant even get it to run to find OEP yet alone fixing the imports. Starting to loose faith on this one.

KOrUPt.

  • Author

Protection Options Screenshot added ;)

Unpacked =]

that NtQuerySystemInformationProcess on ntdll.dll is the bugger :D

UnpackedME2009.rar

  • Author

WOW Fungus appreciate ur good work. And thnx for this > NtQuerySystemInformationProcess on ntdll.dll is the bugger

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.