November 30, 2008 Unpacked as well... weird stuff, CHimpREC refused to run (x64 version, side-by-side configuration error?) - lucky me, that was one of the rather rare cases the ImpRec 1.7 fix works properly. :] edit: Will do a small tutor if anyone wants me to... mup.7z Edited November 30, 2008 by metr0
November 30, 2008 Here I have made a tut for this unpackme: http://www.upload4free.com/download.php?file=543933857-Enigma.rar
November 30, 2008 Nice work HSN.C3r (and you metr0)... I was having trouble fixing the imports as UIF kept placing the IAT below the Imagebase, I knew I should have filled those fields in xD. Other than that small problem I think I did a pretty good job in analysing how it works.

OEP Bytes: 68 B0 63 42 00 E8 F0 FF FF FF
Protectors IAT Construction: 0047B759
Protectors IAT Location(near by): 00485208 - Protectors IAT.
IAT Redirection Jmp(Magic Jmp): 004F0C83 - Only protectors functions are redirected.
ThunRtMain VA: 00401128

I've also looked into all of its anti-debugging amongst other things. I could post a dump now but I doubt there would be much point. Again, nice job. KOrUPt. Edited November 30, 2008 by KOrUPt
November 30, 2008 The following is a course I did
download address
ftp://cektop:by:70@ftpcektop.3322.org/脱壳/脱壳-Enigma Protect v1.55 by70.rar
I set up a local FTP
IP address: ftpcektop.3322.org port: 21 account: cektop password: by: 70 Edited November 30, 2008 by by:70
December 10, 2008 Use these plugins to bypass anti debug:
- Phantom
- HideDebugger
- HideOD
http://filebeam.com/b05c95e4271dcb01abb564fdfff747b3
December 13, 2008 VB OEP characteristics

0040113E - FF25 34104000 JMP DWORD PTR DS:[<&MSVBVM60.EVENT_SINK_>; MSVBVM60.EVENT_SINK_Release
00401144 - FF25 64104000 JMP DWORD PTR DS:[<&MSVBVM60.#100>] ; MSVBVM60.ThunRTMain
0040114A 0000 ADD BYTE PTR DS:[EAX],AL
0040114C > 68 941F4000 PUSH 工程1.00401F94
00401151 E8 EEFFFFFF CALL <JMP.&MSVBVM60.#100>
00401156 0000 ADD BYTE PTR DS:[EAX],AL
00401158 0000 ADD BYTE PTR DS:[EAX],AL
0040115A 0000 ADD BYTE PTR DS:[EAX],AL
0040115C 3000 XOR BYTE PTR DS:[EAX],AL
0040115E 0000 ADD BYTE PTR DS:[EAX],AL

0012FFBC 00401156 返回到 工程1.00401156 来自 <JMP.&MSVBVM60.#100>
0012FFC0 00401F94 工程1.00401F94
0012FFC4 7C816FD7 返回到 kernel32.7C816FD7
0012FFC8 7C930738 ntdll.7C930738
0012FFCC FFFFFFFF
0012FFD0 7FFD5000
0012FFD4 8054507D
0012FFD8 0012FFC8
0012FFDC FC565DA8
0012FFE0 FFFFFFFF SEH 链尾部
0012FFE4 7C839AA8 SE 处理器
0012FFE8 7C816FE0 kernel32.7C816FE0
0012FFEC 00000000
0012FFF0 00000000
0012FFF4 00000000
0012FFF8 0040114C 工程1.<模块入口点>

7C92EB94 > C3 RETN
7C92EB95 8DA424 00000000 LEA ESP,DWORD PTR SS:[ESP]
7C92EB9C 8D6424 00 LEA ESP,DWORD PTR SS:[ESP]
7C92EBA0 90 NOP
7C92EBA1 90 NOP
7C92EBA2 90 NOP

0054C480 - FF25 1CF15400 JMP DWORD PTR DS:[54F11C] ; user32.MessageBoxA
0054C486 8BC0 MOV EAX,EAX
0054C488 - FF25 2CF15400 JMP DWORD PTR DS:[54F12C] ; kernel32.ExitProcess
0054C48E 8BC0 MOV EAX,EAX
0054C490 B8 98C45400 MOV EAX,UnpackME.0054C498 ; UNICODE "Enigma anti-debugger plugin - Debug Objects ?Vladimir Sukhov 30 August 2008"
0054C495 C3 RETN

0012FDE0 00000000
0012FDE4 0054C698 ASCII "Debugger is found on this machine!"
0012FDE8 0054C690 ASCII "Error"
0012FDEC 00000010
0012FDF0 00000000 /CALL 到 ExitProcess
0012FDF4 00000000 \ExitCode = 0

0012FE20 0054C740 UnpackME.0054C740
0012FE24 00520C38 UnpackME.00520C38
0012FE28 0047B949 UnpackME.0047B949
0012FE2C 0050BBFC UnpackME.0050BBFC
0012FE30 00549000 ASCII "MZP"

0054C75A 833D 64E65400 0>CMP DWORD PTR DS:[54E664],0
0054C761 74 1D JE SHORT UnpackME.0054C780 ////////////
0054C763 E8 88FFFFFF CALL UnpackME.0054C6F0
0054C768 68 28C75400 PUSH UnpackME.0054C728
0054C76D 68 D0070000 PUSH 7D0
0054C772 6A 01 PUSH 1
0054C774 6A 00 PUSH 0
0054C776 E8 F5FCFFFF CALL UnpackME.0054C470 ; JMP 到 user32.SetTimer
0054C77B A3 60E65400 MOV DWORD PTR DS:[54E660],EAX
0054C780 C3 RETN
0054C781 0000 ADD BYTE PTR DS:[EAX],AL
0054C783 004E 74 ADD BYTE PTR DS:[ESI+74],CL

DS:[0054E664]=7C92E01B (ntdll.ZwQueryInformationProcess)

0012FF10 0149B456 返回到 0149B456 来自 UnpackME.00401128
0012FF14 004263B0 ASCII "VB5!6&*"
0012FF18 004FC000 UnpackME.004FC000
0012FF1C 00000000
0012FF20 0047F000 ASCII "MZP"
0012FF24 00482F07 返回到 UnpackME.00482F07 来自 UnpackME.00482DA8

00401122 .- FF25 6C104000 JMP DWORD PTR DS:[<&msvbvm60.EVENT_SINK_>; msvbvm60.EVENT_SINK_Release
00401128 $- FF25 70104000 JMP DWORD PTR DS:[<&msvbvm60.ThunRTMain>>; msvbvm60.ThunRTMain
0040112E > $ 68 B0634200 PUSH 112E.004263B0 ; ASCII "VB5!6&*"
00401133 . E8 F0FFFFFF CALL <JMP.&msvbvm60.ThunRTMain>
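
The entry stub shape in the listing above (a PUSH of the "VB5!" header address followed by a CALL to the ThunRTMain import thunk) can be checked for in a dumped image. This is an added Python example, not code from any post in the thread; `find_vb_oep`, `build_sample`, the 0x00400000 image base and the flat-mapped sample buffer are assumptions, with byte values copied from the listing.

```python
import struct

IMAGE_BASE = 0x00400000  # assumption: the dump is a flat image mapped at this base


def find_vb_oep(image: bytes, base: int = IMAGE_BASE):
    """Find stubs shaped: PUSH <VA of "VB5!" header>; CALL <JMP DWORD PTR [IAT]>."""
    hits = []
    pos = image.find(b"\x68")                      # 68 imm32 = PUSH imm32
    while pos != -1 and pos + 10 <= len(image):
        if image[pos + 5] == 0xE8:                 # E8 rel32 = CALL rel32
            hdr_va, = struct.unpack_from("<I", image, pos + 1)
            rel, = struct.unpack_from("<i", image, pos + 6)
            thunk = pos + 10 + rel                 # CALL target as an image offset
            hdr = hdr_va - base
            if (0 <= thunk <= len(image) - 6
                    and image[thunk:thunk + 2] == b"\xff\x25"   # JMP DWORD PTR [m32]
                    and 0 <= hdr <= len(image) - 4
                    and image[hdr:hdr + 4] == b"VB5!"):
                iat_slot, = struct.unpack_from("<I", image, thunk + 2)
                hits.append({"oep": base + pos, "vb_header": hdr_va,
                             "thunk": base + thunk, "iat_slot": iat_slot})
        pos = image.find(b"\x68", pos + 1)
    return hits


def build_sample() -> bytes:
    """Constructed image; byte values copied from the listing in the thread."""
    img = bytearray(0x27000)
    img[0x1128:0x112E] = bytes.fromhex("FF2570104000")          # ThunRTMain thunk
    img[0x112E:0x1138] = bytes.fromhex("68B0634200E8F0FFFFFF")  # OEP stub
    img[0x2000:0x200A] = bytes.fromhex("68B0634200E800000000")  # decoy: CALL hits no thunk
    img[0x263B0:0x263B7] = b"VB5!6&*"                           # VB header magic
    return bytes(img)


if __name__ == "__main__":
    for hit in find_vb_oep(build_sample()):
        print({name: f"{value:08X}" for name, value in hit.items()})
```

The decoy stub pushes the same header address but its CALL does not land on an `FF 25` thunk, so only the stub at 0040112E is reported.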
December 14, 2008 http://www.unpack.cn/redirect.php?tid=3072...stpost#lastpost Sh4DoVV_Loader.rar
December 19, 2008 Haha. Really, this is first time when I post an unpackme. So, anyone can do it? PS: this is unpackme, not crackme, moreover, there is standard protection (without any anti-debugger tricks) + new VM
December 19, 2008 Here is my Dump! http://www.file-upload.net/download-1322914/Dump.rar.html I think it is not the best solution (how I unpacked it), but on my PC (XP SP2) it works fine! greetz
December 20, 2008 ebfe to ThunRTMain in msvbvm60.dll then attach with quickunpack .... http://rapidshare.de/files/41175723/unpacked.exe.zip.html
December 23, 2008 enigma_1.60_20081215_en_demo http://filebeam.com/40a5e42c42037bd28dce85501318ef9d
December 28, 2008 Here is the unpacked Unpackme (with new VM)! I have removed the "new VM" completely! (it was a hard work) Unpacked_VM_FIX.rar
December 30, 2008 Wow, you are really great kNiGhT, as I saw, VM is really unpacked and re-solved! 5+!!!
January 7, 2009 Enigma member = Vladimir Sukhov? Anyway, when can you release a new VM unpackme? PD: "Changed registration key algorithm from RSA to ECC" to prevent recent keygen, no?
January 23, 2009 Use these plugins to bypass anti debug:
- Phantom
- HideDebugger
- HideOD
http://filebeam.com/b05c95e4271dcb01abb564fdfff747b3
oh
February 4, 2009 Here is the unpacked Unpackme (with new VM)! I have removed the "new VM" completely! (it was a hard work) mm and how find the vm?.. can do a tutorial?.. ..push +jmp=vmstarting.. --but post what'.. because the original exe is in the tutorial of http://www.tuts4you.com/download.php?view.2426 Unpacking_Enigma_Protector__English_Version_\Tools\Delphi.exe ->this is the original exe.. but--how to solve the vm?.. Edited February 5, 2009 by apuromafo