Tuts 4 You

[UnPackMe]Enigma Protector


thisistest


Test it, masters :)

Version : Enigma Protector 2.0

License Protection

Advanced Import Protection

WinAPI Redirection

WinAPI Emulation

Inline Patching Protection

Entry Point Obfuscation

Anti Debugger Protection

File Name Checking

Runtime integrity checking

ControlSum Checkup

etc ................

HWID : E43E91-08EC6D

Name : Tuts4you

Registration key : DtdmBsQzBtol9JH2eJH561VfEEq37CyGKy=1z1DdTPSXcRA7sJFZg=TV9DBiPAZ5vSaXJw3uBmIUz+SL8tgvE49K5G+zWXF415AyhoMTx7t9pBRq+EzM5L6ahm55Iu6RpIbqwU5SvBmZF4XeTY

Notepad_HWID.rar

Edited by (*_*)

Hi,

here now the second 1.96 UnpackMe + HWID change.

--------------------------------

@ (*_*)

Ok I have also changed the HWID in your file and I get this...

[screenshot: 2l45cg.png]

...and then!

[screenshot: bjdgt0.png]

A ) New check

B ) You made a problem..maybe

C ) Send me the valid test key data for this HWID 90B991-08E051 to test whether I still get the invalid file name message or not.

greetz

Enigma2_1.96_HWID_change_VM-Fix_Unpacked.rar


@LCF-AT

Yes, I activated file name check protection and uploaded it with a new name.

Here is the original name : Notepad_Protected.exe

Check it, LCF-AT :)

Edited by (*_*)

@ (*_*)

Ahhhh, this was the reason. :) So I never got this message before. Wait! But if you now enter the valid data, let's say on your PC with your correct HWID, then you will also get this message, and this means it does not start either. You know, no run no fun. Anyway, so now it works and here is my unpacked file.

You have not enabled the Virtual Machine function selecting. This makes it easier to unpack in your case. But you have enabled the advanced import protection, right? So all in all you can get a very clean and small unpacked file. Test it.

greetz

Enigma_2.0_Notepad_HWID_changed_Unpacked.rar


Yes, I activated file name check protection and uploaded it with a new name

That's just a little bit unfair, don't you think? I know that unpackmes are rarely like RL targets, but even so the file should be runnable once the requested limitation was bypassed (there was no mention of the name being changed). :P

HR,

Ghandi


  • 3 weeks later...

Hi, LCF-AT:

Your file works well!

Are there any great scripts for Enigma except for Enigma_unpacker_v0.92.osc,

because it only works between v1.55 and v1.65,

the other versions it doesn't support.


Hi,

no, there is no >public< script which you can DL or use for this kind of Enigma files. :) Also you need to fix the VMs and this should be your main problem.

greetz


It's easy to unpack some VC app which is packed with Enigma, but it's hard for me with some files which are compiled by "E language", just as in the attachment: it's packed by Enigma 1.52, and no watermark, but it's hard to unpack.

TYQQ_E_QueryPW5.1.rar


Hi,

ok, here I have made a short unpack script just for this exe file!

pause
bphwc
bc
cmp eip, 00404561
je start
bphws 00404561, "x"
esto
bphwc
start:
var A
var magic
var VP
var free
gpa "VirtualProtect", "kernel32.dll"
mov VirtualProtect, $RESULT
bphws 00544BB3, "x"
bphws 005444D1, "x"
bphws 0053E5EB, "x"
esto
bphwc 00544BB3
readstr [eip], 06
mov magic, $RESULT
buf magic
mov A, eip
mov [eip], E990, 02
bphws 00545135, "x"
esto
bphwc 00545135
mov [A], magic
bphws 00544BB3, "x"
esto
bphwc eip
mov A, eip
readstr [eip], 04
mov magic, $RESULT
buf magic
fill eip, 4,90
bphws 0054458E, "x"
esto
mov [A], magic
esto
bphwc eip
readstr [eip], 06
mov magic, $RESULT
buf magic
mov A, eip
mov [eip], E990, 02
bphws 00545135, "x"
esto
bphwc eip
mov [A], magic
esto
sto
mov eax, 00405DCC
mov ecx, 00405DCC
bphwc
mov A, eip
alloc 1000
mov free, $RESULT
mov eip, free
add eip, 100
mov [eip], #6068001040006A40680050000068BBBBBBBBE8EA6E8CCC619090#
add eip, 18
bp eip
sub eip, 18
add eip, 12
eval "call VirtualProtect"
asm eip, $RESULT
sub eip, 12
mov [eip+02], free
mov [eip+0E], 401000
esto
mov eip, A
bc
free free
bphws 00405DCC, "x"
esto
bphwc
cmt eip, "New OEP"
msg "This target is using also a overlay!Extract & add them!"
pause

The target also uses an overlay which you need to add to your dump. Don't forget this.

greetz


yeah,

the same as mine,

esto over

bphwc 00544BB3

let me see...

my system is winxp sp2 and winxp sp3,

no, maybe there are some issues in the script..


Hi,

what do you mean?

bphwc 00544BB3 = remove HWBP on 00544BB3

What happens in your script window if you use the "S" button?

Script works. All addresses are in the main target to see.

Maybe you have an older script version etc. You can also replace bphwc 00544BB3 with bphwc eip. Or if you mean esto then change this esto to erun.

greetz


Hi,

My script version is v1.78.3, just as below:

[screenshot: post-55961-078202200 1278642100_thumb.jp]

and when I run your script, look at line 20, "esto", but it didn't break on 0x544bb3 or 0x005444D1 or 0053E5EB,

it runs till the software is initialized, look at the left window.

[screenshot: post-55961-044057100 1278642121_thumb.jp]

I did a test: first I made a HW break on 0x544bb3 (yes, it breaks on 0x5ea1a4, here it released a dll just like load.dll), then I made a HE break on 0x544bb3, it doesn't work either, but bp 0x544bb3 works well.

I know how the Enigma protection works, but I don't know why your script works wrong.

Edited by keven

Hi,

so in this case you have a HWBP problem. If the HWBP does not break and the BP breaks then you have a problem. The problem can be a wrong Olly / plugin setting or an unknown hook in the SSDT table [check this with the IceSword tool and remove the unknown lines]. Also enable protect DRx in your phant0m plugin. Then load the target again in Olly. Now open the LOG window and see if you find any bad string like Error etc.... mostly red marked.

Check this and try again. If this does not help you then change the HWBPs in the script to BPs.

greetz
