[UnPackMe]Enigma Protector

[thisistest]

Enigma Protector 1.91 update again!

Welcome to test!

test1.rar

test2.rar

test3.rar

[thisistest]

http://www.enigmaprotector.com/en/downloads.html

[-kNiGhT-]

No major differences with earlier versions of Enigma, only the VM has changed a little bit

Enigma_unpacked.rar

Edited February 13, 2010 by -kNiGhT-

[thisistest]

kNiGhT，hi my friend！

unpacked can run xp ！

[thisistest]

test it~! Enigma1.96

Enigma1.96.rar

test1.rar

[LCF-AT]

Hello,

here my unpacked file.VM fixed.The other file is using a new reg / key cheme so it has also changed. So can you also pack some files with the new Enigma 2.x for us?

Here my unpacked file without key.Test it.

greetz

test1_Enigma1.96_VM_Unpacked.rar

[Syntax]

Test it , masters

Version : Enigma Protector 2.0

License Protection

Advanced Import Protection

WinAPI Redirection

WinAPI Emulation

Inline Patching Protection

Entry Point Obfuscation

Anti Debugger Protection

File Name Checking

Runtime integrity checking

ControlSum Checkup

etc ................

HWID : E43E91-08EC6D

Name : Tuts4you

Registration key : DtdmBsQzBtol9JH2eJH561VfEEq37CyGKy=1z1DdTPSXcRA7sJFZg=TV9DBiPAZ5vSaXJw3uBmIUz+SL8tgvE49K5G+zWXF415AyhoMTx7t9pBRq+EzM5L6ahm55Iu6RpIbqwU5SvBmZF4XeTY

Notepad_HWID.rar

Edited June 16, 2010 by (*_*)

[thisistest]

test1_Enigma1.96_VM_Unpacked.exe on working~!

[LCF-AT]

Hi,

here now the second 1.96 UnpackMe + HWID change.

--------------------------------

@ (*_*)

Ok I have also changed the HWID in your file and I get this...

...and then!

A ) New check

B ) You made a problem..maybe

C ) Send me the valid test key data for this HWID 90B991-08E051 to test whether I get still the invalid file name message or not.

greetz

Enigma2_1.96_HWID_change_VM-Fix_Unpacked.rar

[thisistest]

nice work~!

[Syntax]

@LCF-AT

Yes , i activated file name check protection and uploaded with new name .

Here is the original name : Notepad_Protected.exe

Check it , LCF-AT

Edited June 17, 2010 by (*_*)

[LCF-AT]

@ (*_*)

Ahhhh,this was the reason. So I have never get this message before.Wait!But if you now enter the valid data lets say on your PC with you correct HWID then you will get also this message and this means it does also not start.You know,no run no fun.Anyway so now it works and here is my unpacked file.

You have not enabled the Virtual Machine function selecting.This makes it easier to unpack in your case.But you have enabled the advance import protection right?So all in all you can get a very clean and small unpacked file.Test it.

greetz

Enigma_2.0_Notepad_HWID_changed_Unpacked.rar

[ghandi]

Yes , i activated file name check protection and uploaded with new name

Thats just a little bit unfair, don't you think? I know that unpackmes are rarely like RL targets, but even so the file should be runnable once the requested limitation was bypassed (there was no mention of the name being changed).

HR,

Ghandi

[Syntax]

@LCF-AT ,

File works fine in XP SP3 .

@ghandi

Edited June 17, 2010 by (*_*)

[keven]

Hi,LCF-AT:

Your file works good!

Is there any great scripts for Enigma except for Enigma_unpacker_v0.92.osc,

because it just work between v1.55--v1.65,

the other version it doesn't support.

[LCF-AT]

Hi,

no there is no >public< script which you can DL or use for this kind of Enigma files. Also you need to fix the VM's and this should be your main problem.

greetz

[keven]

It's easy to unpack some VC app which is packed with enigma,but it's hard to me that some files which is compiler by "E language",just as attachment,it's packed by Enigma 1.52,and no WaterMark,but it's hard to unpack.

TYQQ_E_QueryPW5.1.rar

[LCF-AT]

Hi,

ok here I have made a short unpack script just for this exe file!

pause
bphwc
bc
cmp eip, 00404561
je start
bphws 00404561, "x"
esto
bphwc
start:
var A
var magic
var VP
var free
gpa "VirtualProtect", "kernel32.dll"
mov VirtualProtect, $RESULTbphws 00544BB3, "x"
bphws 005444D1, "x"
bphws 0053E5EB, "x"
esto
bphwc 00544BB3
readstr [eip], 06
mov magic, $RESULT
buf magic
mov A, eip
mov [eip], E990, 02
bphws 00545135, "x"
esto
bphwc 00545135
mov [A], magic
bphws 00544BB3, "x"
esto
bphwc eip
mov A, eip
readstr [eip], 04
mov magic, $RESULT
buf magic
fill eip, 4,90
bphws 0054458E, "x"
esto
mov [A], magic
esto
bphwc eip
readstr [eip], 06
mov magic, $RESULT
buf magic
mov A, eip
mov [eip], E990, 02
bphws 00545135, "x"
esto
bphwc eip
mov [A], magic
esto
sto
mov eax, 00405DCC
mov ecx, 00405DCC
bphwc
mov A, eip
alloc 1000
mov free, $RESULT
mov eip, free
add eip, 100
mov [eip], #6068001040006A40680050000068BBBBBBBBE8EA6E8CCC619090#
add eip, 18
bp eip
sub eip, 18
add eip, 12
eval "call VirtualProtect"
asm eip, $RESULT
sub eip, 12
mov [eip+02], free
mov [eip+0E], 401000
esto
mov eip, A
bc
free free
bphws 00405DCC, "x"
esto
bphwc
cmt eip, "New OEP"
msg "This target is using also a overlay!Extract & add them!"
pause

The target used also a overlay which you need to add on your dump.Don`t forget this.

greetz

[thisistest]

i test it

esto over

bphwc 00544BB3

[keven]

yeah,

the same as mine,

esto over

bphwc 00544BB3

let me see...

my system is winxp sp2 and winxp sp3,

no,maybe there are some issues in the script..

[LCF-AT]

Hi,

what do you mean?

bphwc 00544BB3 = remove HWBP on 00544BB3

What happen in your script window if you use "S" button?

Script works.All addresses are in the main target to see.

Maybe you have a older script version etc.You can also repleace bphwc 00544BB3 with bphwc eip.Or if you mean esto then change this esto with erun.

greetz

[keven]

Hi,

My script version is v1.78.3,just as below:

and when I run your script,look line 20,"esto",but that it didn't have a break on 0x544bb3 or 0x005444D1 or 0053E5EB,

it runs till the software is initioned,look left window.

I had did a test that first I made a HW break on 0x544bb3(yes,it breaks on 0x5ea1a4,here it released a dll just like load.dll),then I made a HE break on 0x544bb3,it doesn't work too,but bp 0x544bb3,it works well.

I know how the Enigma protect work,but I don't know why your script works wrong.

Edited July 9, 2010 by keven

[LCF-AT]

Hi,

so in this case you have a HWBP problem.If the HWBP not break and the BP break then you have a problem.Problem can be a wrong Olly / plugin setting or a unknown hook in the SSDT table [check this with the IceSword tool and remove the unknown lines].Enable also protect DRx in your phant0m plugin.Then load the target again in Olly.Now open LOG window and see if you find any bad string like Error etc....mostly red marked.

Check this and try again.If this not help you then change the HWBPs in the script to BPs.

greetz

[Max_]

can any one provide me unpacking script for enigma 1.96 or unpacking tutorial.

[LCF-AT]

@ Max_

So I think there is no [public] tut & script for ENIGMA 1.96 + out there.

greetz