Jump to content
View in the app

A better way to browse. Learn more.
Tuts 4 You

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[unpackme] 2009

Sp1d3rZ
Sp1d3rZ
in UnPackMe

Featured Replies

Unpacked as well... weird stuff, CHimpREC refused to run (x64 version, side-by-side configuration error? :o ) - lucky me, that was one of the rather rare cases the ImpRec 1.7 fix works properly. :]

edit: Will do a small tutor if anyone wants me to...

mup.7z

Edited by metr0

Here I have made a tut for this unpackme:

http://www.upload4free.com/download.php?file=543933857-Enigma.rar

B)

:1a:

Nice work HSN.C3r(And you metr0 :P )...

I was having trouble fixing the imports as UIF kept placing the IAT below the Imagebase, I knew I should have filled those fields in xD.

Other than that small problem I think I did a pretty good job in analysing how it works.

OEP Bytes:
  68 B0 63 42 00 E8 F0 FF FF FFProtectors IAT Construction:
  0047B759Protectors IAT Location(near by):
  00485208 - Protectors IAT.IAT Redirection Jmp(Magic Jmp):
  004F0C83 - Only protectors functions are redirected.ThunRtMain VA:
  00401128

I've also looked into all of it's anti-debugging amongst other things :P .

I could post a dump now but I doubt there would be much point.

Again, nice job :) .

KOrUPt.

Edited by KOrUPt

The following is a course I did download address

ftp://cektop:by:70@ftpcektop.3322.org/脱壳/脱壳-Enigma Protect v1.55 by70.rar

I set up a local FTP 

IPaddress: ftpcektop.3322.org 
port: 21 
account: cektop 
password: by: 70

Edited by by:70

  • 2 weeks later...

Removed... (Loki)

Edited by Loki

  • Author

Removed... (Loki)

Edited by Loki

Sorry, had to remove direct links to retail software

vb oep 特点

0040113E - FF25 34104000 JMP DWORD PTR DS:[<&MSVBVM60.EVENT_SINK_>; MSVBVM60.EVENT_SINK_Release

00401144 - FF25 64104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain

0040114A 0000 ADD BYTE PTR DS:[EAX],AL

0040114C > 68 941F4000 PUSH 工程1.00401F94

00401151 E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100>

00401156 0000 ADD BYTE PTR DS:[EAX],AL

00401158 0000 ADD BYTE PTR DS:[EAX],AL

0040115A 0000 ADD BYTE PTR DS:[EAX],AL

0040115C 3000 XOR BYTE PTR DS:[EAX],AL

0040115E 0000 ADD BYTE PTR DS:[EAX],AL

0012FFBC 00401156 返回到 工程1.00401156 来自 <JMP.&MSVBVM60.#100>

0012FFC0 00401F94 工程1.00401F94

0012FFC4 7C816FD7 返回到 kernel32.7C816FD7

0012FFC8 7C930738 ntdll.7C930738

0012FFCC FFFFFFFF

0012FFD0 7FFD5000

0012FFD4 8054507D

0012FFD8 0012FFC8

0012FFDC FC565DA8

0012FFE0 FFFFFFFF SEH 链尾部

0012FFE4 7C839AA8 SE 处理器

0012FFE8 7C816FE0 kernel32.7C816FE0

0012FFEC 00000000

0012FFF0 00000000

0012FFF4 00000000

0012FFF8 0040114C 工程1.<模块入口点>

7C92EB94 > C3 RETN

7C92EB95 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]

7C92EB9C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]

7C92EBA0 90 NOP

7C92EBA1 90 NOP

7C92EBA2 90 NOP

0054C480 - FF25 1CF15400 JMP DWORD PTR DS:[54F11C] ; user32.MessageBoxA

0054C486 8BC0 MOV EAX,EAX

0054C488 - FF25 2CF15400 JMP DWORD PTR DS:[54F12C] ; kernel32.ExitProcess

0054C48E 8BC0 MOV EAX,EAX

0054C490 B8 98C45400 MOV EAX,UnpackME.0054C498 ; UNICODE "Enigma anti-debugger plugin - Debug Objects ?Vladimir Sukhov 30 August 2008"

0054C495 C3 RETN

0012FDE0 00000000

0012FDE4 0054C698 ASCII "Debugger is found on this machine!"

0012FDE8 0054C690 ASCII "Error"

0012FDEC 00000010

0012FDF0 00000000 /CALL 到 ExitProcess

0012FDF4 00000000 \ExitCode = 0

0012FE20 0054C740 UnpackME.0054C740

0012FE24 00520C38 UnpackME.00520C38

0012FE28 0047B949 UnpackME.0047B949

0012FE2C 0050BBFC UnpackME.0050BBFC

0012FE30 00549000 ASCII "MZP"

0054C75A 833D 64E65400 0>CMP DWORD PTR DS:[54E664],0

0054C761 74 1D JE SHORT UnpackME.0054C780 ////////////

0054C763 E8 88FFFFFF CALL UnpackME.0054C6F0

0054C768 68 28C75400 PUSH UnpackME.0054C728

0054C76D 68 D0070000 PUSH 7D0

0054C772 6A 01 PUSH 1

0054C774 6A 00 PUSH 0

0054C776 E8 F5FCFFFF CALL UnpackME.0054C470 ; JMP 到 user32.SetTimer

0054C77B A3 60E65400 MOV DWORD PTR DS:[54E660],EAX

0054C780 C3 RETN

0054C781 0000 ADD BYTE PTR DS:[EAX],AL

0054C783 004E 74 ADD BYTE PTR DS:[ESI+74],CL

DS:[0054E664]=7C92E01B (ntdll.ZwQueryInformationProcess)

0012FF10 0149B456 返回到 0149B456 来自 UnpackME.00401128

0012FF14 004263B0 ASCII "VB5!6&*"

0012FF18 004FC000 UnpackME.004FC000

0012FF1C 00000000

0012FF20 0047F000 ASCII "MZP"

0012FF24 00482F07 返回到 UnpackME.00482F07 来自 UnpackME.00482DA8

00401122 .- FF25 6C104000 JMP DWORD PTR DS:[<&msvbvm60.EVENT_SINK_>; msvbvm60.EVENT_SINK_Release

00401128 $- FF25 70104000 JMP DWORD PTR DS:[<&msvbvm60.ThunRTMain>>; msvbvm60.ThunRTMain

0040112E > $ 68 B0634200 PUSH 112E.004263B0 ; ASCII "VB5!6&*"

00401133 . E8 F0FFFFFF CALL <JMP.&msvbvm60.ThunRTMain>

it's strange, why my 'Realtek HD Audio Manager' got detected as a debugger..

Wah Senengnya bs ketemu om Apakekdah..... :gathering:

Unpacked

Unpacked.zip

Little unpackme of Enigma with new VM, try it, interesting thing :)

unpackme.zip

ah, the owner send it new crackme...

who will break this ?

:D

Haha :) Really, this is first time when I post an unpackme :)

So, anyone can do it?

PS: this is unpackme, not crackme, moreover, there is standard protection (without any anti-debugger tricks) + new VM ;)

Here is the unpacked Unpackme (with new VM)!

I have removed the "new VM" completely! (it was a hard work ;) )

Unpacked_VM_FIX.rar

Wow, you are really great kNiGhT, as I saw, VM is really unpacked and re-solved! 5+!!!

  • 2 weeks later...

Enigma member=Vladimir Sukhov?

Anyway when you can released a new VM unpackme?

PD: "Changed registration key algorithm from RSA to ECC" to prevent recent keygen no?

  • 3 weeks later...
  • 2 weeks later...
Here is the unpacked Unpackme (with new VM)!

I have removed the "new VM" completely! (it was a hard work ;) )

mm and how find the vm?..

can do a tutorial?..

..push +jmp=vmstarting..

--but post what'..

because the original exe is in the tutorial of

http://www.tuts4you.com/download.php?view.2426

Unpacking_Enigma_Protector__English_Version_\Tools\Delphi.exe ->this is the original exe..

but--how to solve the vm?..

Edited by apuromafo

Create an account or sign in to comment

Go to topic listing

Configure browser push notifications
Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.