metr0 Posted November 30, 2008 (edited) Unpacked as well... weird stuff, CHimpREC refused to run (x64 version, side-by-side configuration error?) - lucky me, that was one of the rather rare cases the ImpRec 1.7 fix works properly. :] edit: Will do a small tut if anyone wants me to... mup.7z Edited November 30, 2008 by metr0
HSN.C3r Posted November 30, 2008 Here I have made a tut for this unpackme: http://www.upload4free.com/download.php?file=543933857-Enigma.rar
KOrUPt Posted November 30, 2008 (edited) Nice work HSN.C3r (and you, metr0)... I was having trouble fixing the imports as UIF kept placing the IAT below the Imagebase; I knew I should have filled those fields in xD. Other than that small problem I think I did a pretty good job in analysing how it works.
OEP Bytes: 68 B0 63 42 00 E8 F0 FF FF FF
Protector's IAT Construction: 0047B759
Protector's IAT Location (nearby): 00485208 - Protector's IAT.
IAT Redirection Jmp (Magic Jmp): 004F0C83 - Only the protector's functions are redirected.
ThunRtMain VA: 00401128
I've also looked into all of its anti-debugging amongst other things. I could post a dump now but I doubt there would be much point. Again, nice job. KOrUPt. Edited November 30, 2008 by KOrUPt
by:70 Posted November 30, 2008 (edited) The following is a course I did. Download address: ftp://cektop:by:70@ftpcektop.3322.org/脱壳/脱壳-Enigma Protect v1.55 by70.rar
I set up a local FTP. IP address: ftpcektop.3322.org, port: 21, account: cektop, password: by:70 Edited November 30, 2008 by by:70
thisistest Posted December 10, 2008 Use these plugins to bypass anti-debug:
- Phantom
- HideDebugger
- HideOD
http://filebeam.com/b05c95e4271dcb01abb564fdfff747b3
thisistest Posted December 10, 2008 (edited) Removed... (Loki) Edited December 11, 2008 by Loki
Sp1d3rZ Posted December 10, 2008 Author (edited) Removed... (Loki) Edited December 11, 2008 by Loki
Loki Posted December 11, 2008 Sorry, had to remove direct links to retail software
thisistest Posted December 13, 2008 VB OEP characteristics

0040113E - FF25 34104000 JMP DWORD PTR DS:[<&MSVBVM60.EVENT_SINK_>; MSVBVM60.EVENT_SINK_Release
00401144 - FF25 64104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain
0040114A 0000 ADD BYTE PTR DS:[EAX],AL
0040114C > 68 941F4000 PUSH 工程1.00401F94
00401151 E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100>
00401156 0000 ADD BYTE PTR DS:[EAX],AL
00401158 0000 ADD BYTE PTR DS:[EAX],AL
0040115A 0000 ADD BYTE PTR DS:[EAX],AL
0040115C 3000 XOR BYTE PTR DS:[EAX],AL
0040115E 0000 ADD BYTE PTR DS:[EAX],AL

0012FFBC 00401156 返回到 工程1.00401156 来自 <JMP.&MSVBVM60.#100>
0012FFC0 00401F94 工程1.00401F94
0012FFC4 7C816FD7 返回到 kernel32.7C816FD7
0012FFC8 7C930738 ntdll.7C930738
0012FFCC FFFFFFFF
0012FFD0 7FFD5000
0012FFD4 8054507D
0012FFD8 0012FFC8
0012FFDC FC565DA8
0012FFE0 FFFFFFFF SEH 链尾部
0012FFE4 7C839AA8 SE 处理器
0012FFE8 7C816FE0 kernel32.7C816FE0
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 0040114C 工程1.<模块入口点>

7C92EB94 > C3 RETN
7C92EB95 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
7C92EB9C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
7C92EBA0 90 NOP
7C92EBA1 90 NOP
7C92EBA2 90 NOP

0054C480 - FF25 1CF15400 JMP DWORD PTR DS:[54F11C] ; user32.MessageBoxA
0054C486 8BC0 MOV EAX,EAX
0054C488 - FF25 2CF15400 JMP DWORD PTR DS:[54F12C] ; kernel32.ExitProcess
0054C48E 8BC0 MOV EAX,EAX
0054C490 B8 98C45400 MOV EAX,UnpackME.0054C498 ; UNICODE "Enigma anti-debugger plugin - Debug Objects ?Vladimir Sukhov 30 August 2008"
0054C495 C3 RETN

0012FDE0 00000000
0012FDE4 0054C698 ASCII "Debugger is found on this machine!"
0012FDE8 0054C690 ASCII "Error"
0012FDEC 00000010
0012FDF0 00000000 /CALL 到 ExitProcess
0012FDF4 00000000 \ExitCode = 0

0012FE20 0054C740 UnpackME.0054C740
0012FE24 00520C38 UnpackME.00520C38
0012FE28 0047B949 UnpackME.0047B949
0012FE2C 0050BBFC UnpackME.0050BBFC
0012FE30 00549000 ASCII "MZP"

0054C75A 833D 64E65400 0>CMP DWORD PTR DS:[54E664],0
0054C761 74 1D JE SHORT UnpackME.0054C780 ////////////
0054C763 E8 88FFFFFF CALL UnpackME.0054C6F0
0054C768 68 28C75400 PUSH UnpackME.0054C728
0054C76D 68 D0070000 PUSH 7D0
0054C772 6A 01 PUSH 1
0054C774 6A 00 PUSH 0
0054C776 E8 F5FCFFFF CALL UnpackME.0054C470 ; JMP 到 user32.SetTimer
0054C77B A3 60E65400 MOV DWORD PTR DS:[54E660],EAX
0054C780 C3 RETN
0054C781 0000 ADD BYTE PTR DS:[EAX],AL
0054C783 004E 74 ADD BYTE PTR DS:[ESI+74],CL
DS:[0054E664]=7C92E01B (ntdll.ZwQueryInformationProcess)

0012FF10 0149B456 返回到 0149B456 来自 UnpackME.00401128
0012FF14 004263B0 ASCII "VB5!6&*"
0012FF18 004FC000 UnpackME.004FC000
0012FF1C 00000000
0012FF20 0047F000 ASCII "MZP"
0012FF24 00482F07 返回到 UnpackME.00482F07 来自 UnpackME.00482DA8

00401122 .- FF25 6C104000 JMP DWORD PTR DS:[<&msvbvm60.EVENT_SINK_>; msvbvm60.EVENT_SINK_Release
00401128 $- FF25 70104000 JMP DWORD PTR DS:[<&msvbvm60.ThunRTMain>>; msvbvm60.ThunRTMain
0040112E > $ 68 B0634200 PUSH 112E.004263B0 ; ASCII "VB5!6&*"
00401133 . E8 F0FFFFFF CALL <JMP.&msvbvm60.ThunRTMain>
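A small added example (my own Python, not code from anyone in this thread) that recognises the VB5/6 entry stub shown in the listing above: a PUSH of the "VB5!" project header followed by a CALL into the FF 25 thunk for msvbvm60.ThunRTMain. It assumes a flat memory dump with a known image base; the sample image is constructed to mirror the unpackme's addresses (0040112E, 004263B0, 00401128) and is not a real dump.

```python
import struct

# Start of the VB project header ("VB5!6&*" in the dump above).
VB_HEADER_MAGIC = b"VB5!"


def find_vb_oep_candidates(image: bytes, base: int) -> list:
    """Return virtual addresses of '68 imm32 / E8 rel32' pairs where the pushed
    pointer lands on a 'VB5!' header and the CALL resolves to an FF 25 JMP [mem]
    thunk (the import stub for msvbvm60.ThunRTMain). `image[0]` lives at `base`."""
    hits = []
    size = len(image)
    for off in range(0, size - 9):
        if image[off] != 0x68 or image[off + 5] != 0xE8:
            continue
        pushed = struct.unpack_from("<I", image, off + 1)[0]
        rel32 = struct.unpack_from("<i", image, off + 6)[0]
        hdr = pushed - base                      # offset of the supposed VB header
        if not 0 <= hdr <= size - 4 or image[hdr:hdr + 4] != VB_HEADER_MAGIC:
            continue
        thunk = off + 10 + rel32                 # CALL target, relative to next insn
        if not 0 <= thunk <= size - 6 or image[thunk:thunk + 2] != b"\xff\x25":
            continue
        hits.append(base + off)
    return hits


def build_sample_image(base: int = 0x400000) -> bytes:
    """Constructed image mimicking the thread's addresses (not a real dump)."""
    img = bytearray(0x27000)
    # 00401128: FF 25 70104000  JMP DWORD PTR [401070] ; msvbvm60.ThunRTMain thunk
    struct.pack_into("<BBI", img, 0x1128, 0xFF, 0x25, 0x401070)
    # 0040112E: 68 B0634200 PUSH 4263B0 ; E8 F0FFFFFF CALL 401128 (the OEP bytes)
    img[0x112E:0x1138] = bytes.fromhex("68B0634200E8F0FFFFFF")
    img[0x263B0:0x263B7] = b"VB5!6&*"
    # Decoy PUSH/CALL pair whose pushed value is not a VB header: must be ignored.
    img[0x2000:0x200A] = bytes.fromhex("6800300000E800000000")
    return bytes(img)


if __name__ == "__main__":
    for va in find_vb_oep_candidates(build_sample_image(), 0x400000):
        print("VB OEP candidate at %08X" % va)
```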
Apakekdah Posted December 13, 2008 It's strange, why does my 'Realtek HD Audio Manager' get detected as a debugger..
ibelvanbasten Posted December 13, 2008 Wow, so glad to run into you here, Apakekdah.....
thisistest Posted December 13, 2008 http://www.unpack.cn/redirect.php?tid=3072...stpost#lastpost Sh4DoVV_Loader.rar
Enigma Posted December 16, 2008 Little unpackme of Enigma with new VM, try it, interesting thing unpackme.zip
Apakekdah Posted December 18, 2008 Ah, the owner sent a new crackme... who will break this?
Enigma Posted December 19, 2008 Haha. Really, this is the first time I've posted an unpackme. So, can anyone do it? PS: this is an unpackme, not a crackme; moreover, there is standard protection (without any anti-debugger tricks) + new VM
-kNiGhT- Posted December 19, 2008 Here is my Dump! http://www.file-upload.net/download-1322914/Dump.rar.html I think it is not the best solution (how I unpacked it), but on my PC (XP SP2) it works fine! greetz
av999 Posted December 20, 2008 ebfe to ThunRTMain in msvbvm60.dll, then attach with QuickUnpack.... http://rapidshare.de/files/41175723/unpacked.exe.zip.html
thisistest Posted December 23, 2008 enigma_1.60_20081215_en_demo http://filebeam.com/40a5e42c42037bd28dce85501318ef9d
-kNiGhT- Posted December 28, 2008 Here is the unpacked Unpackme (with new VM)! I have removed the "new VM" completely! (it was hard work) Unpacked_VM_FIX.rar
Enigma Posted December 30, 2008 Wow, you are really great, kNiGhT; as I saw, the VM is really unpacked and re-solved! 5+!!!
Haxel Posted January 7, 2009 Enigma member = Vladimir Sukhov? Anyway, when can you release a new VM unpackme? PD: "Changed registration key algorithm from RSA to ECC" to prevent the recent keygen, no?
mickeymouse Posted January 23, 2009 Use these plugins to bypass anti-debug: Phantom, HideDebugger, HideOD http://filebeam.com/b05c95e4271dcb01abb564fdfff747b3
oh
Apuromafo Posted February 4, 2009 (edited) Here is the unpacked Unpackme (with new VM)! I have removed the "new VM" completely! (it was hard work)
mm, and how do you find the VM?.. can you do a tutorial?.. ..push + jmp = VM starting.. --but post what?.. because the original exe is in the tutorial at http://www.tuts4you.com/download.php?view.2426 Unpacking_Enigma_Protector__English_Version_\Tools\Delphi.exe -> this is the original exe.. but -- how to solve the VM?.. Edited February 5, 2009 by apuromafo