Jump to content
Tuts 4 You

[unpackme] ENIGMA 2.05 UnpackMe

LCF-AT

By LCF-AT
in UnPackMe

 Share

Recommended Posts

LCF-AT

LCF-AT

Posted
Posted

Hello,

so today I have created & protected a new UnpackMe for you.

I added also some detect stuff [easy level].

So it should run normal with [mouse double click] and also in a normal basic protected Olly.

2jdmfi9.png

Have fun. :)

greetz

ENIGMA 2.05 UnpackMe.rar

  • Like 1
Teddy Rogers

Teddy Rogers

Posted
Posted

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

EvOlUtIoN

EvOlUtIoN

Posted
Posted

Good! I will take a look on it for sure. I'm in holidays now, but i hope t have time for it.

blackpirate

blackpirate

Posted
Posted

runs well on 7!

Ronar22

Ronar22

Posted
Posted

@hepL3r : can u post the rva where the exception happens ?

@blackpirate : thnx for testing.

LCF-AT

LCF-AT

Posted
  • Author
Posted

@ Ronar22

Ah ok I see it. :)

But,you did not rebuild any real code so you have choosen the simplest way and you just added the VM.

So the problem in this case is that you have NO real code.Lets say you need to patch something like a unregistered target to a registered target [patch xy etc] what then? :)

So if you can then try to rebuild [translate] the VM back to real code.

---------------------
00421997   JMP 007CA833                
0042199C   DEC DWORD PTR DS:[EDI]
0042199E   PUSHFD
0042199F   INC ESI
004219A0   JG SHORT 00421A00            
004219A2   OR AL,CH
004219A4   MOV EBP,9BDF8655
004219A9   CMP BYTE PTR DS:[EDI+18],AH
004219AC   JNS SHORT 00421945              
004219AE   MOV BL,27
004219B0   MOV AH,0F2
004219B2   AND DWORD PTR SS:[EBP+9533EAD6],E>
004219B8   POP SS                          
004219B9   LOOPD SHORT 004219D1          
004219BB   ???                             
004219BC   IN AL,0E4                      
004219BE   SUB AL,0EA
004219C0   MOV FS,WORD PTR DS:[EDX]        
004219C2   JS SHORT 004219BE              
004219C4   PUSH EBP
004219C5   OR BYTE PTR DS:[EDI+76],FFFFFFF6
004219CA   IN AL,DX                      
004219CB   STD
004219CC   PREFIX REPNE:                   
004219CD   CDQ
004219CE   ADC BYTE PTR DS:[CC71CC24],DL004219D4   PUSH ESI
-------------------------
00421997  XOR EAX,EAX
00421999  PUSH 0
0042199B  CMP DWORD PTR SS:[ESP+8],EAX
0042199F  PUSH 1000
004219A4  SETE AL
004219A7  PUSH EAX
004219A8  CALL DWORD PTR DS:[4290BC]       ; kernel32.HeapCreate
004219AE  TEST EAX,EAX
004219B0  MOV DWORD PTR DS:[436580],EAX
004219B5  JE SHORT 004219CC           
004219B7  CALL 00421C40             
004219BC  TEST EAX,EAX
004219BE  JNZ SHORT 004219CF      
004219C0  PUSH DWORD PTR DS:[436580]
004219C6  CALL DWORD PTR DS:[4290C0]       ; kernel32.HeapDestroy
004219CC  XOR EAX,EAX
004219CE  RETN
004219CF  PUSH 1
004219D1  POP EAX     
004219D2  RETN

There are more than 18300 commands which you need to rebuild.

greetz

EvOlUtIoN

EvOlUtIoN

Posted
Posted

I can't run this target...

LCF-AT

LCF-AT

Posted
  • Author
Posted

@ Evo

so what happend?

If nothing happend [no message] then you can be detected without to get a message by the unpackme.So I added some custom names & driver checks.Maybe you can check what you have running on your system.Try to close / unload other stuff if loaded.So the unpackme should then start.

greetz

EvOlUtIoN

EvOlUtIoN

Posted
Posted

I changed my mahine and now i can run it... But there are tons of code to rebuild :S

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share
Go to topic listing
×
×
  • Create New...