Posted February 11, 2010
Enigma Protector 1.91 update again! Welcome to test!
test1.rar
test2.rar
test3.rar

February 13, 2010
No major differences with earlier versions of Enigma, only the VM has changed a little bit.
Enigma_unpacked.rar
Edited February 13, 2010 by -kNiGhT-

June 15, 2010
Hello, here my unpacked file. VM fixed. The other file is using a new reg / key scheme so it has also changed. So can you also pack some files with the new Enigma 2.x for us? Here my unpacked file without key. Test it.
greetz
test1_Enigma1.96_VM_Unpacked.rar

June 16, 2010
Test it, masters
Version : Enigma Protector 2.0
License Protection
Advanced Import Protection
WinAPI Redirection
WinAPI Emulation
Inline Patching Protection
Entry Point Obfuscation
Anti Debugger Protection
File Name Checking
Runtime integrity checking
ControlSum Checkup
etc ................
HWID : E43E91-08EC6D
Name : Tuts4you
Registration key : DtdmBsQzBtol9JH2eJH561VfEEq37CyGKy=1z1DdTPSXcRA7sJFZg=TV9DBiPAZ5vSaXJw3uBmIUz+SL8tgvE49K5G+zWXF415AyhoMTx7t9pBRq+EzM5L6ahm55Iu6RpIbqwU5SvBmZF4XeTY
Notepad_HWID.rar
Edited June 16, 2010 by (*_*)

June 16, 2010
Hi, here now the second 1.96 UnpackMe + HWID change.
--------------------------------
@ (*_*)
Ok I have also changed the HWID in your file and I get this... ...and then!
A) New check
B) You made a problem.. maybe
C) Send me the valid test key data for this HWID 90B991-08E051 to test whether I get still the invalid file name message or not.
greetz
Enigma2_1.96_HWID_change_VM-Fix_Unpacked.rar

June 17, 2010
@LCF-AT
Yes, i activated file name check protection and uploaded with new name. Here is the original name : Notepad_Protected.exe
Check it, LCF-AT
Edited June 17, 2010 by (*_*)

June 17, 2010
@ (*_*)
Ahhhh, this was the reason. So I have never got this message before. Wait! But if you now enter the valid data, let's say on your PC with your correct HWID, then you will also get this message and this means it also does not start. You know, no run no fun. Anyway so now it works and here is my unpacked file.
You have not enabled the Virtual Machine function selecting. This makes it easier to unpack in your case. But you have enabled the advanced import protection, right? So all in all you can get a very clean and small unpacked file. Test it.
greetz
Enigma_2.0_Notepad_HWID_changed_Unpacked.rar

June 17, 2010
"Yes, i activated file name check protection and uploaded with new name"
That's just a little bit unfair, don't you think? I know that unpackmes are rarely like RL targets, but even so the file should be runnable once the requested limitation was bypassed (there was no mention of the name being changed).
HR, Ghandi

July 5, 2010
Hi, LCF-AT: Your file works good! Are there any great scripts for Enigma except for Enigma_unpacker_v0.92.osc, because it just works between v1.55--v1.65, the other versions it doesn't support.

July 5, 2010
Hi, no there is no >public< script which you can DL or use for this kind of Enigma files. Also you need to fix the VM's and this should be your main problem.
greetz

July 6, 2010
It's easy to unpack some VC app which is packed with enigma, but it's hard for me with some files which are compiled by "E language", just as the attachment. It's packed by Enigma 1.52, and no WaterMark, but it's hard to unpack.
TYQQ_E_QueryPW5.1.rar

July 6, 2010
Hi, ok here I have made a short unpack script just for this exe file!

pause
bphwc
bc
cmp eip, 00404561
je start
bphws 00404561, "x"
esto
bphwc
start:
var A
var magic
var VP
var free
gpa "VirtualProtect", "kernel32.dll"
mov VirtualProtect, $RESULT
bphws 00544BB3, "x"
bphws 005444D1, "x"
bphws 0053E5EB, "x"
esto
bphwc 00544BB3
readstr [eip], 06
mov magic, $RESULT
buf magic
mov A, eip
mov [eip], E990, 02
bphws 00545135, "x"
esto
bphwc 00545135
mov [A], magic
bphws 00544BB3, "x"
esto
bphwc eip
mov A, eip
readstr [eip], 04
mov magic, $RESULT
buf magic
fill eip, 4,90
bphws 0054458E, "x"
esto
mov [A], magic
esto
bphwc eip
readstr [eip], 06
mov magic, $RESULT
buf magic
mov A, eip
mov [eip], E990, 02
bphws 00545135, "x"
esto
bphwc eip
mov [A], magic
esto
sto
mov eax, 00405DCC
mov ecx, 00405DCC
bphwc
mov A, eip
alloc 1000
mov free, $RESULT
mov eip, free
add eip, 100
mov [eip], #6068001040006A40680050000068BBBBBBBBE8EA6E8CCC619090#
add eip, 18
bp eip
sub eip, 18
add eip, 12
eval "call VirtualProtect"
asm eip, $RESULT
sub eip, 12
mov [eip+02], free
mov [eip+0E], 401000
esto
mov eip, A
bc
free free
bphws 00405DCC, "x"
esto
bphwc
cmt eip, "New OEP"
msg "This target is using also a overlay!Extract & add them!"
pause

The target used also a overlay which you need to add on your dump. Don't forget this.
greetz

July 8, 2010
yeah, the same as mine, esto over bphwc 00544BB3 let me see... my system is winxp sp2 and winxp sp3, no, maybe there are some issues in the script..

July 8, 2010
Hi, what do you mean?
bphwc 00544BB3 = remove HWBP on 00544BB3
What happens in your script window if you use the "S" button? Script works. All addresses are in the main target to see. Maybe you have an older script version etc. You can also replace bphwc 00544BB3 with bphwc eip. Or if you mean esto then change this esto with erun.
greetz

July 9, 2010
Hi,
My script version is v1.78.3, just as below:
and when I run your script, look at line 20, "esto", but it didn't have a break on 0x544bb3 or 0x005444D1 or 0053E5EB, it runs till the software is initialized, look at the left window.
I did a test: first I made a HW break on 0x544bb3 (yes, it breaks on 0x5ea1a4, here it released a dll just like load.dll), then I made a HE break on 0x544bb3, it doesn't work too, but bp 0x544bb3, it works well.
I know how the Enigma protect works, but I don't know why your script works wrong.
Edited July 9, 2010 by keven

July 9, 2010
Hi, so in this case you have a HWBP problem. If the HWBP not break and the BP break then you have a problem. Problem can be a wrong Olly / plugin setting or a unknown hook in the SSDT table [check this with the IceSword tool and remove the unknown lines]. Enable also protect DRx in your phant0m plugin. Then load the target again in Olly. Now open LOG window and see if you find any bad string like Error etc.... mostly red marked. Check this and try again. If this not help you then change the HWBPs in the script to BPs.
greetz

September 17, 2010
can any one provide me unpacking script for enigma 1.96 or unpacking tutorial.

September 17, 2010
@ Max_
So I think there is no [public] tut & script for ENIGMA 1.96 + out there.
greetz