[unpackme] 2009

November 30, 200816 yr

Unpacked as well... weird stuff, CHimpREC refused to run (x64 version, side-by-side configuration error? ) - lucky me, that was one of the rather rare cases the ImpRec 1.7 fix works properly. :]

edit: Will do a small tutor if anyone wants me to...

mup.7z

Edited November 30, 200816 yr by metr0

November 30, 200816 yr

Here I have made a tut for this unpackme:

http://www.upload4free.com/download.php?file=543933857-Enigma.rar

November 30, 200816 yr

November 30, 200816 yr

Nice work HSN.C3r(And you metr0 )...

I was having trouble fixing the imports as UIF kept placing the IAT below the Imagebase, I knew I should have filled those fields in xD.

Other than that small problem I think I did a pretty good job in analysing how it works.

OEP Bytes:
  68 B0 63 42 00 E8 F0 FF FF FFProtectors IAT Construction:
  0047B759Protectors IAT Location(near by):
  00485208 - Protectors IAT.IAT Redirection Jmp(Magic Jmp):
  004F0C83 - Only protectors functions are redirected.ThunRtMain VA:
  00401128

I've also looked into all of it's anti-debugging amongst other things .

I could post a dump now but I doubt there would be much point.

Again, nice job .

KOrUPt.

Edited November 30, 200816 yr by KOrUPt

November 30, 200816 yr

The following is a course I did download address

ftp://cektop:by:70@ftpcektop.3322.org/脱壳/脱壳-Enigma Protect v1.55 by70.rar

I set up a local FTP

IPaddress: ftpcektop.3322.org 
port: 21 
account: cektop 
password: by: 70

Edited November 30, 200816 yr by by:70

December 10, 200816 yr

Use these plugins to bypass anti debug :

-Phantom

-HideDebugger

-HideOD

http://filebeam.com/b05c95e4271dcb01abb564fdfff747b3

December 10, 200816 yr

Removed... (Loki)

Edited December 11, 200816 yr by Loki

December 10, 200816 yr

Author

Removed... (Loki)

Edited December 11, 200816 yr by Loki

December 11, 200816 yr

Sorry, had to remove direct links to retail software

December 13, 200816 yr

vb oep 特点

0040113E - FF25 34104000 JMP DWORD PTR DS:[<&MSVBVM60.EVENT_SINK_>; MSVBVM60.EVENT_SINK_Release

00401144 - FF25 64104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain

0040114A 0000 ADD BYTE PTR DS:[EAX],AL

0040114C > 68 941F4000 PUSH 工程1.00401F94

00401151 E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100>

00401156 0000 ADD BYTE PTR DS:[EAX],AL

00401158 0000 ADD BYTE PTR DS:[EAX],AL

0040115A 0000 ADD BYTE PTR DS:[EAX],AL

0040115C 3000 XOR BYTE PTR DS:[EAX],AL

0040115E 0000 ADD BYTE PTR DS:[EAX],AL

0012FFBC 00401156 返回到工程1.00401156 来自 <JMP.&MSVBVM60.#100>

0012FFC0 00401F94 工程1.00401F94

0012FFC4 7C816FD7 返回到 kernel32.7C816FD7

0012FFC8 7C930738 ntdll.7C930738

0012FFCC FFFFFFFF

0012FFD0 7FFD5000

0012FFD4 8054507D

0012FFD8 0012FFC8

0012FFDC FC565DA8

0012FFE0 FFFFFFFF SEH 链尾部

0012FFE4 7C839AA8 SE 处理器

0012FFE8 7C816FE0 kernel32.7C816FE0

0012FFEC 00000000

0012FFF0 00000000

0012FFF4 00000000

0012FFF8 0040114C 工程1.<模块入口点>

7C92EB94 > C3 RETN

7C92EB95 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

7C92EB9C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]

7C92EBA0 90 NOP

7C92EBA1 90 NOP

7C92EBA2 90 NOP

0054C480 - FF25 1CF15400 JMP DWORD PTR DS:[54F11C] ; user32.MessageBoxA

0054C486 8BC0 MOV EAX,EAX

0054C488 - FF25 2CF15400 JMP DWORD PTR DS:[54F12C] ; kernel32.ExitProcess

0054C48E 8BC0 MOV EAX,EAX

0054C490 B8 98C45400 MOV EAX,UnpackME.0054C498 ; UNICODE "Enigma anti-debugger plugin - Debug Objects ?Vladimir Sukhov 30 August 2008"

0054C495 C3 RETN

0012FDE0 00000000

0012FDE4 0054C698 ASCII "Debugger is found on this machine!"

0012FDE8 0054C690 ASCII "Error"

0012FDEC 00000010

0012FDF0 00000000 /CALL 到 ExitProcess

0012FDF4 00000000 \ExitCode = 0

0012FE20 0054C740 UnpackME.0054C740

0012FE24 00520C38 UnpackME.00520C38

0012FE28 0047B949 UnpackME.0047B949

0012FE2C 0050BBFC UnpackME.0050BBFC

0012FE30 00549000 ASCII "MZP"

0054C75A 833D 64E65400 0>CMP DWORD PTR DS:[54E664],0

0054C761 74 1D JE SHORT UnpackME.0054C780 ////////////

0054C763 E8 88FFFFFF CALL UnpackME.0054C6F0

0054C768 68 28C75400 PUSH UnpackME.0054C728

0054C76D 68 D0070000 PUSH 7D0

0054C772 6A 01 PUSH 1

0054C774 6A 00 PUSH 0

0054C776 E8 F5FCFFFF CALL UnpackME.0054C470 ; JMP 到 user32.SetTimer

0054C77B A3 60E65400 MOV DWORD PTR DS:[54E660],EAX

0054C780 C3 RETN

0054C781 0000 ADD BYTE PTR DS:[EAX],AL

0054C783 004E 74 ADD BYTE PTR DS:[ESI+74],CL

DS:[0054E664]=7C92E01B (ntdll.ZwQueryInformationProcess)

0012FF10 0149B456 返回到 0149B456 来自 UnpackME.00401128

0012FF14 004263B0 ASCII "VB5!6&*"

0012FF18 004FC000 UnpackME.004FC000

0012FF1C 00000000

0012FF20 0047F000 ASCII "MZP"

0012FF24 00482F07 返回到 UnpackME.00482F07 来自 UnpackME.00482DA8

00401122 .- FF25 6C104000 JMP DWORD PTR DS:[<&msvbvm60.EVENT_SINK_>; msvbvm60.EVENT_SINK_Release

00401128 $- FF25 70104000 JMP DWORD PTR DS:[<&msvbvm60.ThunRTMain>>; msvbvm60.ThunRTMain

0040112E > $ 68 B0634200 PUSH 112E.004263B0 ; ASCII "VB5!6&*"

00401133 . E8 F0FFFFFF CALL <JMP.&msvbvm60.ThunRTMain>

December 13, 200816 yr

it's strange, why my 'Realtek HD Audio Manager' got detected as a debugger..

December 13, 200816 yr

Wah Senengnya bs ketemu om Apakekdah..... :gathering:

December 14, 200816 yr

http://www.unpack.cn/redirect.php?tid=3072...stpost#lastpost

Sh4DoVV_Loader.rar

December 15, 200816 yr

Unpacked

Unpacked.zip

December 16, 200816 yr

Little unpackme of Enigma with new VM, try it, interesting thing

unpackme.zip

December 18, 200816 yr

ah, the owner send it new crackme...

who will break this ?

December 19, 200816 yr

Haha Really, this is first time when I post an unpackme

So, anyone can do it?

PS: this is unpackme, not crackme, moreover, there is standard protection (without any anti-debugger tricks) + new VM

December 19, 200816 yr

Here is my Dump!

http://www.file-upload.net/download-1322914/Dump.rar.html

I think it is not the best solution (how i unpacked it), but on my PC (XP SP2) it works fine!

greetz

December 20, 200816 yr

ebfe to ThunRTMain in msvbvm60.dll

then attach with quickunpack ....

http://rapidshare.de/files/41175723/unpacked.exe.zip.html

December 23, 200816 yr

enigma_1.60_20081215_en_demo http://filebeam.com/40a5e42c42037bd28dce85501318ef9d

December 28, 200816 yr

Here is the unpacked Unpackme (with new VM)!

I have removed the "new VM" completely! (it was a hard work )

Unpacked_VM_FIX.rar

December 30, 200816 yr

Wow, you are really great kNiGhT, as I saw, VM is really unpacked and re-solved! 5+!!!

January 7, 200916 yr

Enigma member=Vladimir Sukhov?

Anyway when you can released a new VM unpackme?

PD: "Changed registration key algorithm from RSA to ECC" to prevent recent keygen no?

January 23, 200916 yr

Use these plugins to bypass anti debug :
-Phantom
-HideDebugger
-HideOD
http://filebeam.com/b05c95e4271dcb01abb564fdfff747b3

oh

February 4, 200916 yr

Here is the unpacked Unpackme (with new VM)!
I have removed the "new VM" completely! (it was a hard work )

mm and how find the vm?..

can do a tutorial?..

..push +jmp=vmstarting..

--but post what'..

because the original exe is in the tutorial of

http://www.tuts4you.com/download.php?view.2426

Unpacking_Enigma_Protector__English_Version_\Tools\Delphi.exe ->this is the original exe..

but--how to solve the vm?..

Edited February 5, 200916 yr by apuromafo

Sign In

[unpackme] 2009

Featured Replies

Create an account or sign in to comment

Account

Navigation

Search

Configure browser push notifications

Chrome (Android)

Chrome (Desktop)

Safari (iOS 16.4+)

Safari (macOS)

Edge (Android)

Edge (Desktop)

Firefox (Android)

Firefox (Desktop)