thisistest Posted February 11, 2010 Posted February 11, 2010 Enigma Protector 1.91 update again!Welcome to test!test1.rartest2.rartest3.rar
thisistest Posted February 11, 2010 Author Posted February 11, 2010 http://www.enigmaprotector.com/en/downloads.html
-kNiGhT- Posted February 13, 2010 Posted February 13, 2010 (edited) No major differences with earlier versions of Enigma, only the VM has changed a little bitEnigma_unpacked.rar Edited February 13, 2010 by -kNiGhT- 1
thisistest Posted February 14, 2010 Author Posted February 14, 2010 kNiGhT,hi my friend! unpacked can run xp !
thisistest Posted June 3, 2010 Author Posted June 3, 2010 test it~! Enigma1.96Enigma1.96.rartest1.rar
LCF-AT Posted June 15, 2010 Posted June 15, 2010 Hello, here my unpacked file.VM fixed.The other file is using a new reg / key cheme so it has also changed. So can you also pack some files with the new Enigma 2.x for us? Here my unpacked file without key.Test it. greetz test1_Enigma1.96_VM_Unpacked.rar 1
Syntax Posted June 16, 2010 Posted June 16, 2010 (edited) Test it , masters Version : Enigma Protector 2.0 License Protection Advanced Import Protection WinAPI Redirection WinAPI Emulation Inline Patching Protection Entry Point Obfuscation Anti Debugger Protection File Name Checking Runtime integrity checking ControlSum Checkup etc ................ HWID : E43E91-08EC6D Name : Tuts4you Registration key : DtdmBsQzBtol9JH2eJH561VfEEq37CyGKy=1z1DdTPSXcRA7sJFZg=TV9DBiPAZ5vSaXJw3uBmIUz+SL8tgvE49K5G+zWXF415AyhoMTx7t9pBRq+EzM5L6ahm55Iu6RpIbqwU5SvBmZF4XeTY Notepad_HWID.rar Edited June 16, 2010 by (*_*)
thisistest Posted June 16, 2010 Author Posted June 16, 2010 test1_Enigma1.96_VM_Unpacked.exe on working~!
LCF-AT Posted June 16, 2010 Posted June 16, 2010 Hi, here now the second 1.96 UnpackMe + HWID change. -------------------------------- @ (*_*) Ok I have also changed the HWID in your file and I get this... ...and then! A ) New check B ) You made a problem..maybe C ) Send me the valid test key data for this HWID 90B991-08E051 to test whether I get still the invalid file name message or not. greetz Enigma2_1.96_HWID_change_VM-Fix_Unpacked.rar
Syntax Posted June 17, 2010 Posted June 17, 2010 (edited) @LCF-AT Yes , i activated file name check protection and uploaded with new name . Here is the original name : Notepad_Protected.exe Check it , LCF-AT Edited June 17, 2010 by (*_*)
LCF-AT Posted June 17, 2010 Posted June 17, 2010 @ (*_*) Ahhhh,this was the reason. So I have never get this message before.Wait!But if you now enter the valid data lets say on your PC with you correct HWID then you will get also this message and this means it does also not start.You know,no run no fun.Anyway so now it works and here is my unpacked file. You have not enabled the Virtual Machine function selecting.This makes it easier to unpack in your case.But you have enabled the advance import protection right?So all in all you can get a very clean and small unpacked file.Test it. greetz Enigma_2.0_Notepad_HWID_changed_Unpacked.rar
ghandi Posted June 17, 2010 Posted June 17, 2010 Quote Yes , i activated file name check protection and uploaded with new name Thats just a little bit unfair, don't you think? I know that unpackmes are rarely like RL targets, but even so the file should be runnable once the requested limitation was bypassed (there was no mention of the name being changed). HR, Ghandi
Syntax Posted June 17, 2010 Posted June 17, 2010 (edited) @LCF-AT , File works fine in XP SP3 . @ghandi Edited June 17, 2010 by (*_*)
keven Posted July 5, 2010 Posted July 5, 2010 Hi,LCF-AT:Your file works good!Is there any great scripts for Enigma except for Enigma_unpacker_v0.92.osc,because it just work between v1.55--v1.65,the other version it doesn't support.
LCF-AT Posted July 5, 2010 Posted July 5, 2010 Hi, no there is no >public< script which you can DL or use for this kind of Enigma files. Also you need to fix the VM's and this should be your main problem. greetz
keven Posted July 6, 2010 Posted July 6, 2010 It's easy to unpack some VC app which is packed with enigma,but it's hard to me that some files which is compiler by "E language",just as attachment,it's packed by Enigma 1.52,and no WaterMark,but it's hard to unpack.TYQQ_E_QueryPW5.1.rar
LCF-AT Posted July 6, 2010 Posted July 6, 2010 Hi,ok here I have made a short unpack script just for this exe file!pausebphwcbccmp eip, 00404561je startbphws 00404561, "x"estobphwcstart:var Avar magicvar VPvar freegpa "VirtualProtect", "kernel32.dll"mov VirtualProtect, $RESULTbphws 00544BB3, "x"bphws 005444D1, "x"bphws 0053E5EB, "x"estobphwc 00544BB3readstr [eip], 06mov magic, $RESULTbuf magicmov A, eipmov [eip], E990, 02bphws 00545135, "x"estobphwc 00545135mov [A], magicbphws 00544BB3, "x"estobphwc eipmov A, eipreadstr [eip], 04mov magic, $RESULTbuf magicfill eip, 4,90bphws 0054458E, "x"estomov [A], magicestobphwc eipreadstr [eip], 06mov magic, $RESULTbuf magicmov A, eipmov [eip], E990, 02bphws 00545135, "x"estobphwc eipmov [A], magicestostomov eax, 00405DCCmov ecx, 00405DCCbphwcmov A, eipalloc 1000mov free, $RESULTmov eip, freeadd eip, 100mov [eip], #6068001040006A40680050000068BBBBBBBBE8EA6E8CCC619090#add eip, 18bp eipsub eip, 18add eip, 12eval "call VirtualProtect"asm eip, $RESULTsub eip, 12mov [eip+02], freemov [eip+0E], 401000estomov eip, Abcfree freebphws 00405DCC, "x"estobphwccmt eip, "New OEP"msg "This target is using also a overlay!Extract & add them!"pauseThe target used also a overlay which you need to add on your dump.Don`t forget this.greetz
keven Posted July 8, 2010 Posted July 8, 2010 yeah,the same as mine,esto overbphwc 00544BB3 let me see...my system is winxp sp2 and winxp sp3,no,maybe there are some issues in the script..
LCF-AT Posted July 8, 2010 Posted July 8, 2010 Hi,what do you mean?bphwc 00544BB3 = remove HWBP on 00544BB3What happen in your script window if you use "S" button?Script works.All addresses are in the main target to see.Maybe you have a older script version etc.You can also repleace bphwc 00544BB3 with bphwc eip.Or if you mean esto then change this esto with erun.greetz
keven Posted July 9, 2010 Posted July 9, 2010 (edited) Hi, My script version is v1.78.3,just as below: and when I run your script,look line 20,"esto",but that it didn't have a break on 0x544bb3 or 0x005444D1 or 0053E5EB, it runs till the software is initioned,look left window. I had did a test that first I made a HW break on 0x544bb3(yes,it breaks on 0x5ea1a4,here it released a dll just like load.dll),then I made a HE break on 0x544bb3,it doesn't work too,but bp 0x544bb3,it works well. I know how the Enigma protect work,but I don't know why your script works wrong. Edited July 9, 2010 by keven
LCF-AT Posted July 9, 2010 Posted July 9, 2010 Hi,so in this case you have a HWBP problem.If the HWBP not break and the BP break then you have a problem.Problem can be a wrong Olly / plugin setting or a unknown hook in the SSDT table [check this with the IceSword tool and remove the unknown lines].Enable also protect DRx in your phant0m plugin.Then load the target again in Olly.Now open LOG window and see if you find any bad string like Error etc....mostly red marked.Check this and try again.If this not help you then change the HWBPs in the script to BPs.greetz
Max_ Posted September 17, 2010 Posted September 17, 2010 can any one provide me unpacking script for enigma 1.96 or unpacking tutorial.
LCF-AT Posted September 17, 2010 Posted September 17, 2010 @ Max_So I think there is no [public] tut & script for ENIGMA 1.96 + out there.greetz
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now