Syntax Posted December 2, 2010
UnpackMe - Enigma Protector 2.21
EntryPoint Virtualization
Virtual Machine Protection
Antidebug Protections
WinAPI Emulations
WinAPI Redirections
Advanced Import Protection
Rule: You need to patch "NoWay" to "You Won". Good luck.
KeygenMe is taken from crackmes.de. Thank you.
Unpack&PatchMe.rar

Teddy Rogers Posted December 2, 2010
The [crackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]

EvOlUtIoN Posted December 2, 2010
I hope this inline patch will be good enough. Unpacking Enigma is quite annoying; anyway, an inline patch is easier and the result is the same (especially in this case, where the string is chosen inside the Enigma code). I don't know exactly if IAT emulation can be prevented, but if not (I doubt it can't), rebuilding the IAT will be really hard.
http://www.4shared.com/file/ll_5zU4F/UnpackPatchMe_done_EvOlUtIoN.html
Edited December 2, 2010 by EvOlUtIoN

Ronar22 Posted December 2, 2010
Unpacked and VM patched. Tested on WinXP SP2 & Win7.
Patched.rar

LCF-AT Posted December 2, 2010
Hello, hmmmm, nice new Enigma version! OK, here is my unpacked file + VM rebuild. @ (*_*) The nag patch is very simple, so I have not patched it now, but if you want you can patch it in my file; you will see the code directly under my OEP bytes.

    0046F8BC CALL 0046E4E8
    0046F8C1 CMP EAX,DWORD PTR SS:[EBP-4]
    0046F8C7 JNZ 0046F8DF <--- Just nop!
    0046F8CD MOV EAX,46EBD4 ; UNICODE "you won! "
    0046F8D3 NOP
    0046F8D4 CALL 0043BBFC
    0046F8D9 NOP
    0046F8DA JMP 0046F8EB
    0046F8DF MOV EAX,46EBF8 ; UNICODE "no way..."
    0046F8E5 NOP
    0046F8E6 CALL 0043BBFC
    0046F8EB MOV AL,BYTE PTR SS:[EBP-5]
    0046F8F1 MOV ESP,EBP
    0046F8F3 POP EBP
    0046F8F4 RETN

greetz
Unpack&PatchMe_Unpacked+VM_Rebuild.rar

Syntax Posted December 3, 2010 (Author)
Gold medal goes to LCF-AT for unpacking & fully restoring virtualized functions (You are very strong !!!).
Silver medal goes to EvOlUtIoN for inline patching the latest Enigma Protector.
Bronze medal goes to Ronar22 for unpacking & patching the latest Enigma Protector.
Great job, guys.

fastfood Posted January 5, 2011
I have a program protected by Enigma Protector 2.13; how can I unpack it?

LCF-AT Posted June 19, 2011
@ aminebot You did a VM Struct patch

    $ ==>  >00000050
    $+4    >0000009F
    $+8    >00000000
    $+C    >0000008C
    $+10   >00000025
    $+14   >00000000
    $+18   >00002000
    $+1C   >00000000
    $+20   >0000008D | 8C
    $+24   >0000002A | 25
    $+28   >00000000
    $+2C   >00202000 | 2000
    $+30   >FFFFFFFC | 00
    $+34   >00000000
    $+38   >00000000
    $+3C   >00000000
    $+40   >00000000
    $+44   >00000000
    ---------------------=---------------------
    0046F8C1 3B85 FCFFFFFF CMP EAX,DWORD PTR SS:[EBP-4]
    to
    0046F8C1 3BC0 CMP EAX,EAX

greetz

zerith Posted July 2, 2011
I'm seeing a pretty strange case here... There is a call to CheckRemoteDebuggerPresent @ 0x00791754 and, WITHIN CheckRemoteDebuggerPresent, if any Hardware Breakpoints were set up by the user, a message will pop up "Internal Protection Error". I'm wondering, how does code of the packer manage to run between the CALL to CheckRemoteDebuggerPresent and its return!? Am I missing something?

LCF-AT Posted July 2, 2011
@ zerith

    007C38E0 PUSH 7C38FC ; New SEH
    007C38E5 PUSH DWORD PTR FS:[0] ; Set SEH
    007C38EC MOV DWORD PTR FS:[0],ESP ; Set SEH
    007C38F3 XOR EAX,EAX
    007C38F5 XOR DWORD PTR DS:[EAX],EAX ; Force AV
    007C38F7 CALL 007C38AC
    007C38FC MOV EAX,DWORD PTR SS:[ESP+C] ; After AV stops here
    007C3900 MOV ECX,DWORD PTR SS:[ESP+4]
    007C3904 MOV DWORD PTR DS:[EAX+4],0
    007C390B MOV DWORD PTR DS:[EAX+8],0
    007C3912 MOV DWORD PTR DS:[EAX+C],0
    007C3919 MOV DWORD PTR DS:[EAX+10],0
    007C3920 AND DWORD PTR DS:[EAX+14],FFFF0FF0
    007C3927 AND DWORD PTR DS:[EAX+18],0DC00
    007C392E MOV DWORD PTR DS:[EAX+B8],7C393B ; New SEH
    007C3938 XOR EAX,EAX
    007C393A RETN
    007C393B POP DWORD PTR FS:[0] ; Next stop see SEHs | 005EA218 | Internal Protection Error VMed
    007C3942 ADD ESP,4
    007C3945 PUSH 7C3961 ; New SEH
    007C394A PUSH DWORD PTR FS:[0]
    007C3951 MOV DWORD PTR FS:[0],ESP
    007C3958 XOR EAX,EAX
    007C395A XOR DWORD PTR DS:[EAX],EAX
    007C395C CALL 007C38AC
    007C3961 MOV EAX,DWORD PTR SS:[ESP+C]
    007C3965 MOV ECX,DWORD PTR SS:[ESP+4]
    007C3969 CMP DWORD PTR DS:[EAX+4],0
    007C396D JNZ 007C38AC
    007C3973 CMP DWORD PTR DS:[EAX+8],0
    007C3977 JNZ 007C38AC
    007C397D CMP DWORD PTR DS:[EAX+C],0
    007C3981 JNZ 007C38AC
    007C3987 CMP DWORD PTR DS:[EAX+10],0
    007C398B JNZ 007C38AC
    007C3991 MOV DWORD PTR DS:[EAX+B8],7C399E ; New SEH
    007C399B XOR EAX,EAX
    007C399D RETN
    007C399E POP DWORD PTR FS:[0]
    007C39A5 ADD ESP,4
    007C39A8 RETN

    005EA218 JMP 005EA227
    005EA227 PUSH 1391
    005EA22C JMP 005DAF94
    ------------------------------UnVirtualized---------------
    005EA218 /E9 0A000000 JMP 005EA227
    005EA21D -|E9 D6B27701 JMP 01D654F8
    005EA222 |90 NOP
    005EA223 |90 NOP
    005EA224 |90 NOP
    005EA225 |90 NOP
    005EA226 |90 NOP
    005EA227 -\E9 CCB27701 JMP 01D654F8
    ------------------------
    01D654F8 PUSH 0
    01D654FD PUSH 571634 ; ASCII "The Enigma Protector"
    01D65502 PUSH 57164C ; ASCII "Internal Protection Error, please contact to author!"
    01D65507 PUSH 0
    01D6550C NOP
    01D6550D CALL 004A1658 ; JMP to user32.MessageBoxA
    ------------------------
    007C38E0 <-- to ret
    or
    005EA218 <-- to ret

Bypass Internal Protection Error
greetz
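
Added example, not part of the thread or of any poster's code: the two exception handlers in the listing above work on the 32-bit CONTEXT record that Windows passes to an SEH handler at [ESP+C], where offsets +4 to +10 are Dr0 to Dr3, +14 is Dr6, +18 is Dr7 and +B8 is Eip. This Python model decodes those fields from a constructed CONTEXT buffer and replays what each handler does to it; the function names and the sample breakpoint are assumptions made for illustration.

```python
import struct

# Offsets into the 32-bit x86 Windows CONTEXT record (winnt.h layout).
CTX_SIZE = 0x2CC
OFF = {"Dr0": 0x04, "Dr1": 0x08, "Dr2": 0x0C, "Dr3": 0x10,
       "Dr6": 0x14, "Dr7": 0x18, "Eip": 0xB8}

def rd(ctx, name):
    return struct.unpack_from("<I", ctx, OFF[name])[0]

def wr(ctx, name, value):
    struct.pack_into("<I", ctx, OFF[name], value & 0xFFFFFFFF)

def hw_breakpoints(ctx):
    """Return {slot: address} for slots enabled in Dr7 (L/G bit pairs, bits 0..7)."""
    dr7 = rd(ctx, "Dr7")
    return {i: rd(ctx, f"Dr{i}") for i in range(4) if dr7 >> (2 * i) & 0b11}

def first_handler(ctx):
    """Model of 007C38FC..007C393A: clear Dr0-Dr3, mask Dr6/Dr7, set Eip."""
    for i in range(4):
        wr(ctx, f"Dr{i}", 0)
    wr(ctx, "Dr6", rd(ctx, "Dr6") & 0xFFFF0FF0)
    wr(ctx, "Dr7", rd(ctx, "Dr7") & 0x0000DC00)
    wr(ctx, "Eip", 0x007C393B)

def second_handler(ctx):
    """Model of 007C3961..007C399D: a non-zero Dr0-Dr3 takes the JNZ to 007C38AC."""
    if any(rd(ctx, f"Dr{i}") for i in range(4)):
        return 0x007C38AC
    wr(ctx, "Eip", 0x007C399E)
    return 0x007C399E

def make_context(dr0=0, dr7=0):
    """Constructed sample CONTEXT with only the fields of interest filled in."""
    ctx = bytearray(CTX_SIZE)
    wr(ctx, "Dr0", dr0)
    wr(ctx, "Dr7", dr7)
    return ctx

if __name__ == "__main__":
    # Constructed sample: one hardware breakpoint in slot 0, enabled via Dr7 bit L0.
    ctx = make_context(dr0=0x0046F8C1, dr7=0x1)
    print("before:", {k: hex(v) for k, v in hw_breakpoints(ctx).items()})
    print("check with breakpoint still set ->", hex(second_handler(ctx)))
    first_handler(ctx)
    print("after scrub:", hw_breakpoints(ctx), "->", hex(second_handler(ctx)))
```
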