[crackme] UnpackNPatchme (Enigma Protector 2.21)

[Syntax]

UnpackMe - Enigma Protector 2.21

EntryPoint Virtualization

Virtual Machine Protection

Antidebug Protections

WinAPI Emulations

WinAPI Redirections

Advanced Import Protection

Rule : You need to patch "NoWay to "You Won" .

Good Luck .

KeygenMe is taken from crackmes.de . Thank you .

Unpack&PatchMe.rar

[Teddy Rogers]

The [crackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

[EvOlUtIoN]

i Hope this inline patched will be good enough Unpack enigma is quite annoying, anyway inline patch is easier and result is same. (especially in this case where string is chosen into enigma code). I don't know exactly if prevent iat emulation can be prevent, but if not (i doubt it can't) rebuild IAT will be really hard.

/>http://www.4shared.com/file/ll_5zU4F/UnpackPatchMe_done_EvOlUtIoN.html

Edited December 2, 2010 by EvOlUtIoN

[Ronar22]

Unpacked and Vm Patched .

Tested on winxp sp2 & win7.

Patched.rar

[LCF-AT]

Hello,

hmmmm nice new Enigma version!

Ok here my unpacked file + VM Rebuild.

@ (*_*)

So the nag patch is very simple so that I have it not patched now but if you want to can patch it in my file now so you will see the code direct under my OEP bytes.

0046F8BC  CALL 0046E4E8                
0046F8C1  CMP EAX,DWORD PTR SS:[EBP-4]
0046F8C7  JNZ 0046F8DF    <--- Just nop!             
0046F8CD  MOV EAX,46EBD4                  ; UNICODE "you won! "
0046F8D3  NOP
0046F8D4  CALL 0043BBFC               
0046F8D9  NOP
0046F8DA  JMP 0046F8EB                
0046F8DF  MOV EAX,46EBF8                  ; UNICODE "no way..."
0046F8E5  NOP
0046F8E6  CALL 0043BBFC               
0046F8EB  MOV AL,BYTE PTR SS:[EBP-5]
0046F8F1  MOV ESP,EBP
0046F8F3  POP EBP                       
0046F8F4  RETN

greetz

Unpack&PatchMe_Unpacked+VM_Rebuild.rar

[Syntax]

Gold medal goes to LCF-AT for unpacking & fully restoring virtualized functions (You are very strong !!!).

Silver medal goes to EvOlUtIoN for inline patching latest enigma protector.

Bronze medal goes to Ronar22 for unpacking & patching latest enigma protector.

Great Job , Guys .

[fastfood]

I have program protected by enigma protector 2.13, how can I unpack it?

[aminebot]

inline patched

Patched_inline.rar

[LCF-AT]

@ aminebot

You did a VM Struct patch

$ ==>    >00000050
$+4      >0000009F
$+8      >00000000
$+C      >0000008C
$+10     >00000025
$+14     >00000000
$+18     >00002000
$+1C     >00000000
$+20     >0000008D | 8C
$+24     >0000002A | 25
$+28     >00000000
$+2C     >00202000 | 2000
$+30     >FFFFFFFC | 00
$+34     >00000000
$+38     >00000000
$+3C     >00000000
$+40     >00000000
$+44     >00000000
---------------------
=
---------------------
0046F8C1    3B85 FCFFFFFF           CMP EAX,DWORD PTR SS:[EBP-4]
to
0046F8C1    3BC0                    CMP EAX,EAX

greetz

[zerith]

I'm seeing a pretty strange case here...

There is a call to CheckRemoteDebuggerPresent @ 0x00791754 and, WITHIN CheckRemoteDebuggerPresent, if any Hardware Breakpoints were set up by the user,

a message will pop up "Internal Protection Error".

I'm wondering, how does code of the packer manage to run between the CALL to CheckRemoteDebuggerPresent and its return!? am i missing something?

[LCF-AT]

@ zerith

007C38E0  PUSH 7C38FC                          ; New SEH
007C38E5  PUSH DWORD PTR FS:[0]                ; Set SEH
007C38EC  MOV DWORD PTR FS:[0],ESP             ; Set SEH
007C38F3  XOR EAX,EAX
007C38F5  XOR DWORD PTR DS:[EAX],EAX           ; Force AV
007C38F7  CALL 007C38AC                     
007C38FC  MOV EAX,DWORD PTR SS:[ESP+C]         ; After AV stops here
007C3900  MOV ECX,DWORD PTR SS:[ESP+4]
007C3904  MOV DWORD PTR DS:[EAX+4],0
007C390B  MOV DWORD PTR DS:[EAX+8],0
007C3912  MOV DWORD PTR DS:[EAX+C],0
007C3919  MOV DWORD PTR DS:[EAX+10],0
007C3920  AND DWORD PTR DS:[EAX+14],FFFF0FF0
007C3927  AND DWORD PTR DS:[EAX+18],0DC00
007C392E  MOV DWORD PTR DS:[EAX+B8],7C393B     ; New SEH
007C3938  XOR EAX,EAX
007C393A  RETN
007C393B  POP DWORD PTR FS:[0]                 ; Next stop see SEHs  | 005EA218 | Internal Protection Error VMed
007C3942  ADD ESP,4
007C3945  PUSH 7C3961                          ; New SEH
007C394A  PUSH DWORD PTR FS:[0]
007C3951  MOV DWORD PTR FS:[0],ESP
007C3958  XOR EAX,EAX
007C395A  XOR DWORD PTR DS:[EAX],EAX
007C395C  CALL 007C38AC                      
007C3961  MOV EAX,DWORD PTR SS:[ESP+C]
007C3965  MOV ECX,DWORD PTR SS:[ESP+4]
007C3969  CMP DWORD PTR DS:[EAX+4],0
007C396D  JNZ 007C38AC                       
007C3973  CMP DWORD PTR DS:[EAX+8],0
007C3977  JNZ 007C38AC                       
007C397D  CMP DWORD PTR DS:[EAX+C],0
007C3981  JNZ 007C38AC                       
007C3987  CMP DWORD PTR DS:[EAX+10],0
007C398B  JNZ 007C38AC                      
007C3991  MOV DWORD PTR DS:[EAX+B8],7C399E     ; New SEH
007C399B  XOR EAX,EAX
007C399D  RETN
007C399E  POP DWORD PTR FS:[0]           
007C39A5  ADD ESP,4
007C39A8  RETN005EA218  JMP 005EA227 005EA227  PUSH 1391
005EA22C  JMP 005DAF94
------------------------------UnVirtualized
---------------
005EA218   /E9 0A000000    JMP 005EA227     
005EA21D  -|E9 D6B27701    JMP 01D654F8
005EA222   |90             NOP
005EA223   |90             NOP
005EA224   |90             NOP
005EA225   |90             NOP
005EA226   |90             NOP
005EA227  -\E9 CCB27701    JMP 01D654F8                           
------------------------
01D654F8  PUSH 0
01D654FD  PUSH 571634                      ; ASCII "The Enigma Protector"
01D65502  PUSH 57164C                      ; ASCII "Internal Protection Error, please contact to author!"
01D65507  PUSH 0
01D6550C  NOP
01D6550D  CALL 004A1658                    ; JMP to user32.MessageBoxA------------
------------007C38E0 <-- to ret
or
005EA218 <-- to retBypass Internal Protection Error

greetz