Jump to content
Tuts 4 You

[unpackme] 2009


Sp1d3rZ

Recommended Posts

I'll take a shot at it... I don't think I'll be able to beat it though. If someone does beat it please write a tutorial on how you did it :) .

Also, detects Skype as a debugging tool, why do they put so much 'junk' into that thing :( .

KOrUPt.

Edited by KOrUPt
Link to comment
UnpackME 2009 - The Enigma Protect v1.55

Its new challenge for TOP Unpackers. Example: quosego

OK ;) BEST OF LUCK

eNjOy! :thumbsup:

Its not a challenge for 'top' unpackers, I'm not much more than a noob. Enigma s a better protector than you made it look, you made it simple.

_http://filebeam.com/d9f618ccfda5e8db570791bd82351615

Edited by pseudonym
Link to comment
UnpackME 2009 - The Enigma Protect v1.55

Its new challenge for TOP Unpackers. Example: quosego

OK ;) BEST OF LUCK

eNjOy! :thumbsup:

LOL

You are the author of Enigma protector, which will make the challenge? In vain here to allow such things to different loham ..

Link to comment

It crashes out each time I try and debug it :( ... Any suggestions guys?

I'm currently using OllyDRX along with OllyAdvanced and phant0m to hide my debugger, maybe code hooks are being detected :ermm: ...

I realise the original code is written in VB and by the looks of it API redirection isn't used, not sure on that though.

Hope I can get a few tips on this. Thanks in advance.

KOrUPt.

Link to comment

I looked at it some...

lots of anti-debug.

So far, I found it doesn't work due to wrong INT3 handling, Exception Handler doesn't redirect the flow to the right place. Also with Access Violation occuring immediately after the INT3.

I fixed that but some pointers are set somewhere and I dunno what correct value should be, so I get detected =]

Also, it detects Task Bar Shuffle as debugger (that should get fixed).

Link to comment

HI Fungus.

I'm also having problems with this protection, I hope someone writes a tutorial on it :) .

The Anti-Debugging appears to be very strong. I recommend you set a hardware breakpoint at 0x004FA724, that call accounts for most of the anti-debugging as far as I can see.

I recommend you use Phant0m with all protection options enabled along with OllyAdvanced's Anti IsDebuggerPresent() and Anti CheckRemoteDebuggerPresent().

There are quite a few calls to functions that call CreateThread(), just before those calls is a call to a function that calls CloseHandle(), both of these function as Anti-Debugging. (I recommend you read the above sentence again if you didn't understand it :P ).

You'll need to prevent the threads execution, either by NOPing the calls to CreateThread or by patching the thread(s) itself with a "RET 4" instruction...

As for the CloseHandle() protection I'd imagine you'll be able to insert a RET instruction at the beginning of the call.

There is a lot more Anti-Debugging, some of which I strongly advise you NOP.

There seems to be quote a few of redirected API's(which contradicts my previous post :confused: )... IAT appears to start at 0x00485208.

You'll be dealing with the following calls as far as Anti-Debug goes:

CheckRemoteDebuggerPresent()
IsDebuggerPresent()
CloseHandle()
DebugBreak()
NtQuerySystemInformationProcess()
GetStartupInfoA() // I'm not sure how this works as anti-debug but it is used.
[...]

Along with a lot more, I wont post too much as I want leave a few surprises...

You'll also want to pass all exceptions to the application.

Unfortunately after circumventing all of the above Anti-Debug I still get a crash :( .

Does anyone have any tips to help me out? Feel free to post or drop me a PM.

Thanks in advance :) .

KOrUPt.

P.S: If I'm giving away too much let me know and I'll 'censor' the post to a degree :) . Hopefully I'm not. Apologies if so, I just really want to get this thing beat :happy:.

Edited by KOrUPt
Link to comment

Use these plugins to bypass anti debug :

-Phantom

-HideDebugger

-HideOD

All of options must be checked.

And HWBP on address of 0054C761 :

 0054C761   /74 1D		   JE SHORT UnpackME.0054C780

Change Z flag and run it in Ollydbg. ;)

I have a KMPlayer(a Music Player) on my system and this unpackme detects it as a debugger!!!

Edited by HSN.C3r
Link to comment
Use these plugins to bypass anti debug :

-Phantom

-HideDebugger

-HideOD

All of options must be checked.

And HWBP on address of 0054C761 :

 0054C761   /74 1D		   JE SHORT UnpackME.0054C780

Thank you 谢谢 :o

Change Z flag and run it in Ollydbg. ;)

I have a KMPlayer(a Music Player) on my system and this unpackme detects it as a debugger!!!

Link to comment

If stolen OEP and IAT emulation and elimination were all protection options, I theoretically unpacked it - though UIF redirects the new import section to a memory range below the imagebase, thus the PE refuses to run. Tried KB's Rebasing plugin, but it did not work as well... :/

Link to comment
Was too lazy to code a rebasing script, still wondering why UIF chooses a new memory range below imagebase... Any way to circumvent that behaviour?

You can get around that by allocating some memory before execution with ollyadvanced.

Link to comment

I've tried the following plugins with all options enabled to hide my debugger:

Phant0m.

HideDebugger.

HideOD.

OllyAdvanced.

I've also tried circumventing the anti-debugging manually myself... Yet I still end up with a crash(returns to an invalid memory address).

I'm stuck and confused.

Apparently it ran normally for metr0, a few of you only needed to use the above plugins... Yet none of my attempts are working :( .

I cant even get it to run to find OEP yet alone fixing the imports. Starting to loose faith on this one.

KOrUPt.

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...