Tuts 4 You

[unpackme] 2009


Sp1d3rZ

I'll take a shot at it... I don't think I'll be able to beat it though. If someone does beat it please write a tutorial on how you did it :) .

Also, it detects Skype as a debugging tool; why do they put so much 'junk' into that thing? :(

KOrUPt.

Edited by KOrUPt

UnpackME 2009 - The Enigma Protect v1.55

It's a new challenge for TOP Unpackers. Example: quosego

OK ;) BEST OF LUCK

eNjOy! :thumbsup:

It's not a challenge for 'top' unpackers; I'm not much more than a noob. Enigma is a better protector than you made it look; you made it simple.

_http://filebeam.com/d9f618ccfda5e8db570791bd82351615

Edited by pseudonym

LOL

You are the author of Enigma Protector, so why would you make the challenge? It's pointless to allow such things here for all sorts of suckers...


It crashes out each time I try to debug it :( ... Any suggestions, guys?

I'm currently using OllyDRX along with OllyAdvanced and phant0m to hide my debugger, maybe code hooks are being detected :ermm: ...

I realise the original code is written in VB and, by the looks of it, API redirection isn't used; not sure on that though.

Hope I can get a few tips on this. Thanks in advance.

KOrUPt.


Sp1d3rZ, it would be nice if you could edit your original post with the protection features that have been applied...

Ted.


I looked at it some...

lots of anti-debug.

So far, I found it doesn't work due to wrong INT3 handling: the exception handler doesn't redirect the flow to the right place. Also, an access violation occurs immediately after the INT3.

I fixed that but some pointers are set somewhere and I dunno what correct value should be, so I get detected =]

Also, it detects Task Bar Shuffle as debugger (that should get fixed).


Hi Fungus.

I'm also having problems with this protection, I hope someone writes a tutorial on it :) .

The Anti-Debugging appears to be very strong. I recommend you set a hardware breakpoint at 0x004FA724, that call accounts for most of the anti-debugging as far as I can see.

I recommend you use Phant0m with all protection options enabled along with OllyAdvanced's Anti IsDebuggerPresent() and Anti CheckRemoteDebuggerPresent().

There are quite a few calls to functions that call CreateThread(), just before those calls is a call to a function that calls CloseHandle(), both of these function as Anti-Debugging. (I recommend you read the above sentence again if you didn't understand it :P ).

You'll need to prevent the threads' execution, either by NOPing the calls to CreateThread or by patching the thread(s) themselves with a "RET 4" instruction...

As for the CloseHandle() protection I'd imagine you'll be able to insert a RET instruction at the beginning of the call.

There is a lot more Anti-Debugging, some of which I strongly advise you NOP.

There seem to be quite a few redirected APIs (which contradicts my previous post :confused: )... The IAT appears to start at 0x00485208.

You'll be dealing with the following calls as far as Anti-Debug goes:

CheckRemoteDebuggerPresent()
IsDebuggerPresent()
CloseHandle()
DebugBreak()
NtQuerySystemInformationProcess()
GetStartupInfoA() // I'm not sure how this works as anti-debug but it is used.
[...]

Along with a lot more; I won't post too much as I want to leave a few surprises...

You'll also want to pass all exceptions to the application.

Unfortunately after circumventing all of the above Anti-Debug I still get a crash :( .

Does anyone have any tips to help me out? Feel free to post or drop me a PM.

Thanks in advance :) .

KOrUPt.

P.S: If I'm giving away too much let me know and I'll 'censor' the post to a degree :) . Hopefully I'm not. Apologies if so, I just really want to get this thing beat :happy:.

Edited by KOrUPt
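As an added example (not from the thread or from any of the tools mentioned), here is a small Python triage script that scans an API-call trace, of the kind a sandbox or API monitor emits, for the anti-debugging behaviours the post above lists: direct debugger-presence queries and the CloseHandle-on-a-bogus-handle trick. The trace line format, the sample lines, the addresses and the handle values are all assumptions made up for the example.

```python
import re
# Constructed trace format (assumed, not from the thread): "<caller> <api>(<args>) = <ret>"
TRACE_RE = re.compile(r"^(0x[0-9A-Fa-f]+)\s+(\w+)\((.*)\)\s*=\s*(\S+)$")

# APIs the post lists as anti-debug vectors, with why an analyst flags each one.
DIRECT_CHECKS = {
    "IsDebuggerPresent": "reads PEB.BeingDebugged",
    "CheckRemoteDebuggerPresent": "asks the kernel whether a debug port is attached",
    "NtQueryInformationProcess": "ProcessDebugPort / ProcessDebugFlags query",
    "NtQuerySystemInformation": "kernel-debugger presence query",
    "DebugBreak": "raises an INT3 that only an attached debugger would swallow",
}
# APIs that hand out handles; used to tell a normal CloseHandle from the anti-debug one.
HANDLE_SOURCES = {"CreateFileA", "CreateFileW", "CreateThread", "OpenProcess", "CreateEventA"}

def parse_trace(text):
    """Yield (caller, api, args, ret) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if m:
            caller, api, args, ret = m.groups()
            yield int(caller, 16), api, args, ret

def find_anti_debug(text):
    """Return (caller, api, reason) for every suspicious call, in trace order."""
    findings, live_handles = [], set()
    for caller, api, args, ret in parse_trace(text):
        if api in DIRECT_CHECKS:
            findings.append((caller, api, DIRECT_CHECKS[api]))
        if api in HANDLE_SOURCES and ret.startswith("0x"):
            live_handles.add(int(ret, 16))
        if api == "CloseHandle":
            arg = args.strip()
            handle = int(arg, 16) if arg.startswith("0x") else None
            if handle in live_handles:
                live_handles.discard(handle)  # closing a handle it really owns: benign
            else:
                # CloseHandle on a bogus handle raises an exception only under a debugger
                findings.append((caller, api, "closes a handle it never obtained (invalid-handle trick)"))
    return findings

# Constructed sample trace; the addresses and handle values are made up.
SAMPLE_TRACE = """\
0x004FA724 IsDebuggerPresent() = 0
0x004FA733 CreateFileA("C:/unpackme.log", 0x80000000) = 0x1A4
0x004FA745 CloseHandle(0x1A4) = 1
0x004FA752 CloseHandle(0xBAADF00D) = 0
0x004FA75F CreateThread(0x0, 0x0, 0x00401000, 0x0) = 0x1B0
0x004FA76C DebugBreak() = 0
"""
```

Running `find_anti_debug(SAMPLE_TRACE)` flags the IsDebuggerPresent call, the CloseHandle on the never-opened handle, and the DebugBreak, while the CloseHandle on the file handle returned by CreateFileA is left alone.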

Use these plugins to bypass anti-debug:

-Phantom

-HideDebugger

-HideOD

All of the options must be checked.

And set a HWBP on address 0054C761:

0054C761   /74 1D           JE SHORT UnpackME.0054C780

Change the Z flag and run it in OllyDbg. ;)

I have KMPlayer (a music player) on my system and this unpackme detects it as a debugger!!!

Edited by HSN.C3r


Thank you, thank you :o


If stolen OEP and IAT emulation and elimination were all the protection options, I theoretically unpacked it, though UIF redirects the new import section to a memory range below the imagebase, so the PE refuses to run. Tried KB's Rebasing plugin, but it did not work either... :/


Yes ...

All protection options are a stolen OEP and IAT emulation.

By using UIF, unpacking it is easy. :)

Edited by HSN.C3r

Was too lazy to code a rebasing script, still wondering why UIF chooses a new memory range below imagebase... Any way to circumvent that behaviour?

You can get around that by allocating some memory before execution with OllyAdvanced.


I've tried the following plugins with all options enabled to hide my debugger:

Phant0m.

HideDebugger.

HideOD.

OllyAdvanced.

I've also tried circumventing the anti-debugging manually myself... Yet I still end up with a crash (it returns to an invalid memory address).

I'm stuck and confused.

Apparently it ran normally for metr0, and a few of you only needed to use the above plugins... Yet none of my attempts are working :( .

I can't even get it to run to find the OEP, let alone fix the imports. Starting to lose faith on this one.

KOrUPt.
