Tuts 4 You

[unpackme] 2009


Sp1d3rZ


Unpacked as well... weird stuff, CHimpREC refused to run (x64 version, side-by-side configuration error? :o ) - lucky me, that was one of the rather rare cases the ImpRec 1.7 fix works properly. :]

edit: Will do a small tutor if anyone wants me to...

mup.7z

Edited by metr0

Nice work HSN.C3r(And you metr0 :P )...

I was having trouble fixing the imports as UIF kept placing the IAT below the Imagebase, I knew I should have filled those fields in xD.

Other than that small problem I think I did a pretty good job in analysing how it works.

OEP Bytes: 68 B0 63 42 00 E8 F0 FF FF FF
Protector's IAT Construction: 0047B759
Protector's IAT Location (nearby): 00485208 - Protector's IAT.
IAT Redirection Jmp (Magic Jmp): 004F0C83 - Only the protector's functions are redirected.
ThunRTMain VA: 00401128

I've also looked into all of its anti-debugging amongst other things :P .

I could post a dump now but I doubt there would be much point.

Again, nice job :) .

KOrUPt.

Edited by KOrUPt

The following is the download address of a course I did:

ftp://cektop:by:70@ftpcektop.3322.org/脱壳/脱壳-Enigma Protect v1.55 by70.rar

I set up a local FTP:

IP address: ftpcektop.3322.org
port: 21
account: cektop
password: by: 70

Edited by by:70

  • 2 weeks later...

VB OEP characteristics

0040113E - FF25 34104000 JMP DWORD PTR DS:[<&MSVBVM60.EVENT_SINK_>; MSVBVM60.EVENT_SINK_Release
00401144 - FF25 64104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain
0040114A 0000 ADD BYTE PTR DS:[EAX],AL
0040114C > 68 941F4000 PUSH 工程1.00401F94
00401151 E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100>
00401156 0000 ADD BYTE PTR DS:[EAX],AL
00401158 0000 ADD BYTE PTR DS:[EAX],AL
0040115A 0000 ADD BYTE PTR DS:[EAX],AL
0040115C 3000 XOR BYTE PTR DS:[EAX],AL
0040115E 0000 ADD BYTE PTR DS:[EAX],AL

0012FFBC 00401156 返回到 工程1.00401156 来自 <JMP.&MSVBVM60.#100>
0012FFC0 00401F94 工程1.00401F94
0012FFC4 7C816FD7 返回到 kernel32.7C816FD7
0012FFC8 7C930738 ntdll.7C930738
0012FFCC FFFFFFFF
0012FFD0 7FFD5000
0012FFD4 8054507D
0012FFD8 0012FFC8
0012FFDC FC565DA8
0012FFE0 FFFFFFFF SEH 链尾部
0012FFE4 7C839AA8 SE 处理器
0012FFE8 7C816FE0 kernel32.7C816FE0
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 0040114C 工程1.<模块入口点>

7C92EB94 > C3 RETN
7C92EB95 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
7C92EB9C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
7C92EBA0 90 NOP
7C92EBA1 90 NOP
7C92EBA2 90 NOP

0054C480 - FF25 1CF15400 JMP DWORD PTR DS:[54F11C] ; user32.MessageBoxA
0054C486 8BC0 MOV EAX,EAX
0054C488 - FF25 2CF15400 JMP DWORD PTR DS:[54F12C] ; kernel32.ExitProcess
0054C48E 8BC0 MOV EAX,EAX
0054C490 B8 98C45400 MOV EAX,UnpackME.0054C498 ; UNICODE "Enigma anti-debugger plugin - Debug Objects ?Vladimir Sukhov 30 August 2008"
0054C495 C3 RETN

0012FDE0 00000000
0012FDE4 0054C698 ASCII "Debugger is found on this machine!"
0012FDE8 0054C690 ASCII "Error"
0012FDEC 00000010
0012FDF0 00000000 /CALL 到 ExitProcess
0012FDF4 00000000 \ExitCode = 0

0012FE20 0054C740 UnpackME.0054C740
0012FE24 00520C38 UnpackME.00520C38
0012FE28 0047B949 UnpackME.0047B949
0012FE2C 0050BBFC UnpackME.0050BBFC
0012FE30 00549000 ASCII "MZP"

0054C75A 833D 64E65400 0>CMP DWORD PTR DS:[54E664],0
0054C761 74 1D JE SHORT UnpackME.0054C780 ////////////
0054C763 E8 88FFFFFF CALL UnpackME.0054C6F0
0054C768 68 28C75400 PUSH UnpackME.0054C728
0054C76D 68 D0070000 PUSH 7D0
0054C772 6A 01 PUSH 1
0054C774 6A 00 PUSH 0
0054C776 E8 F5FCFFFF CALL UnpackME.0054C470 ; JMP 到 user32.SetTimer
0054C77B A3 60E65400 MOV DWORD PTR DS:[54E660],EAX
0054C780 C3 RETN
0054C781 0000 ADD BYTE PTR DS:[EAX],AL
0054C783 004E 74 ADD BYTE PTR DS:[ESI+74],CL

DS:[0054E664]=7C92E01B (ntdll.ZwQueryInformationProcess)

0012FF10 0149B456 返回到 0149B456 来自 UnpackME.00401128
0012FF14 004263B0 ASCII "VB5!6&*"
0012FF18 004FC000 UnpackME.004FC000
0012FF1C 00000000
0012FF20 0047F000 ASCII "MZP"
0012FF24 00482F07 返回到 UnpackME.00482F07 来自 UnpackME.00482DA8

00401122 .- FF25 6C104000 JMP DWORD PTR DS:[<&msvbvm60.EVENT_SINK_>; msvbvm60.EVENT_SINK_Release
00401128 $- FF25 70104000 JMP DWORD PTR DS:[<&msvbvm60.ThunRTMain>>; msvbvm60.ThunRTMain
0040112E > $ 68 B0634200 PUSH 112E.004263B0 ; ASCII "VB5!6&*"
00401133 . E8 F0FFFFFF CALL <JMP.&msvbvm60.ThunRTMain>

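The OEP bytes KOrUPt quotes (68 B0 63 42 00 E8 F0 FF FF FF) and the disassembly in the post above describe the same VB6 entry pattern: PUSH the address of the "VB5!" project header, then CALL a stub that is a JMP DWORD PTR through the IAT to MSVBVM60.ThunRTMain. The script below is an added example (not code from the thread or from any of the posters) that scans a flat memory image for that pattern and validates it, so a dump can be checked before it is rebuilt: the pushed address must point at "VB5!", the CALL target must be an FF 25 indirect jump, and the IAT slot it reads must lie inside the image, which is exactly what goes wrong when a rebuilder puts the IAT below the ImageBase as KOrUPt mentions. The sample image is constructed in code to mirror the addresses quoted in the thread; the resolved ThunRTMain pointer placed in the IAT slot is a made-up value.

```python
"""Locate and validate a VB6 original entry point (OEP) in a memory dump.

Added example, not code from the thread. Pattern checked:

    oep:   68 xx xx xx xx        PUSH <VA of "VB5!..." project header>
           E8 rel32              CALL stub
    stub:  FF 25 xx xx xx xx     JMP DWORD PTR [IAT slot] -> MSVBVM60.ThunRTMain
"""
import struct

VB_PROJECT_MAGIC = b"VB5!"


def _in_image(va, image_base, size, length=1):
    """True if the byte range [va, va + length) lies inside the loaded image."""
    return image_base <= va and va + length <= image_base + size


def find_vb6_oep(image, image_base):
    """Return every location matching the VB6 OEP pattern, with details.

    `image` is the whole module as one flat buffer whose first byte is at
    `image_base` (the way a process dump is laid out).
    """
    hits = []
    size = len(image)
    for off in range(0, size - 10):
        if image[off] != 0x68 or image[off + 5] != 0xE8:
            continue
        va = image_base + off
        push_va = struct.unpack_from("<I", image, off + 1)[0]
        rel = struct.unpack_from("<i", image, off + 6)[0]
        call_target = va + 10 + rel          # CALL is relative to the next instruction
        # The pushed address must point at the VB project header.
        if not _in_image(push_va, image_base, size, len(VB_PROJECT_MAGIC)):
            continue
        hdr = push_va - image_base
        if image[hdr:hdr + len(VB_PROJECT_MAGIC)] != VB_PROJECT_MAGIC:
            continue
        # The CALL must land on an indirect JMP through the IAT (FF 25 disp32).
        if not _in_image(call_target, image_base, size, 6):
            continue
        t = call_target - image_base
        if image[t:t + 2] != b"\xFF\x25":
            continue
        iat_slot = struct.unpack_from("<I", image, t + 2)[0]
        hits.append({
            "oep": va,
            "project_header": push_va,
            "thunk": call_target,
            "iat_slot": iat_slot,
            # A slot outside the image means the IAT was rebuilt in the wrong place.
            "iat_slot_in_image": _in_image(iat_slot, image_base, size, 4),
        })
    return hits


def build_sample_image(iat_slot=0x00401070):
    """Constructed image mirroring the thread's addresses (not a real dump)."""
    base = 0x00400000
    img = bytearray(0x27000)

    def put(va, data):
        img[va - base:va - base + len(data)] = data

    if _in_image(iat_slot, base, len(img), 4):
        put(iat_slot, struct.pack("<I", 0x66001234))  # made-up resolved ThunRTMain pointer
    put(0x00401128, b"\xFF\x25" + struct.pack("<I", iat_slot))      # JMP DWORD PTR [IAT slot]
    put(0x0040112E, b"\x68\xB0\x63\x42\x00\xE8\xF0\xFF\xFF\xFF")     # OEP bytes from the thread
    put(0x004263B0, b"VB5!6&*\x00")                                  # project header signature
    return bytes(img), base


if __name__ == "__main__":
    img, base = build_sample_image()
    for h in find_vb6_oep(img, base):
        print({k: (hex(v) if isinstance(v, int) and not isinstance(v, bool) else v)
               for k, v in h.items()})
```

Calling `build_sample_image(iat_slot=0x003FF000)` reproduces the broken case: the OEP is still found, but `iat_slot_in_image` comes back False, so the dump would need its IAT relocated before the rebuilt file could load.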

Haha :) Really, this is first time when I post an unpackme :)

So, anyone can do it?

PS: this is unpackme, not crackme, moreover, there is standard protection (without any anti-debugger tricks) + new VM ;)


  • 2 weeks later...

Enigma member=Vladimir Sukhov?

Anyway, when can you release a new VM unpackme?

PD: "Changed registration key algorithm from RSA to ECC" to prevent recent keygen no?


  • 3 weeks later...
  • 2 weeks later...
Here is the unpacked Unpackme (with new VM)!

I have removed the "new VM" completely! (it was hard work ;) )

mm, and how to find the VM?..

can you do a tutorial?..

..push +jmp=vmstarting..

--but post what'..

because the original exe is in the tutorial of

http://www.tuts4you.com/download.php?view.2426

Unpacking_Enigma_Protector__English_Version_\Tools\Delphi.exe ->this is the original exe..

but--how to solve the vm?..

Edited by apuromafo
