Jump to content
Tuts 4 You

[crackme] UnpackNPatchme (Enigma Protector 2.21)


Syntax

Recommended Posts

UnpackMe - Enigma Protector 2.21

EntryPoint Virtualization

Virtual Machine Protection

Antidebug Protections

WinAPI Emulations

WinAPI Redirections

Advanced Import Protection

Rule : You need to patch "NoWay to "You Won" :yes: .

89692520.png

Good Luck .

KeygenMe is taken from crackmes.de . Thank you .

Unpack&PatchMe.rar

Link to comment

The [crackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

Link to comment

i Hope this inline patched will be good enough :) Unpack enigma is quite annoying, anyway inline patch is easier and result is same. (especially in this case where string is chosen into enigma code). I don't know exactly if prevent iat emulation can be prevent, but if not (i doubt it can't) rebuild IAT will be really hard.


/>http://www.4shared.com/file/ll_5zU4F/UnpackPatchMe_done_EvOlUtIoN.html

Edited by EvOlUtIoN
Link to comment

Hello,

hmmmm nice new Enigma version! :)

Ok here my unpacked file + VM Rebuild.

@ (*_*)

So the nag patch is very simple so that I have it not patched now but if you want to can patch it in my file now so you will see the code direct under my OEP bytes.

0046F8BC  CALL 0046E4E8                
0046F8C1 CMP EAX,DWORD PTR SS:[EBP-4]
0046F8C7 JNZ 0046F8DF <--- Just nop!
0046F8CD MOV EAX,46EBD4 ; UNICODE "you won! "
0046F8D3 NOP
0046F8D4 CALL 0043BBFC
0046F8D9 NOP
0046F8DA JMP 0046F8EB
0046F8DF MOV EAX,46EBF8 ; UNICODE "no way..."
0046F8E5 NOP
0046F8E6 CALL 0043BBFC
0046F8EB MOV AL,BYTE PTR SS:[EBP-5]
0046F8F1 MOV ESP,EBP
0046F8F3 POP EBP
0046F8F4 RETN

greetz

Unpack&PatchMe_Unpacked+VM_Rebuild.rar

Link to comment

Gold medal goes to LCF-AT for unpacking & fully restoring virtualized functions (You are very strong !!!).

Silver medal goes to EvOlUtIoN for inline patching latest enigma protector.

Bronze medal goes to Ronar22 for unpacking & patching latest enigma protector.

Great Job , Guys :flowers: .

  • Like 1
Link to comment
  • 1 month later...
  • 5 months later...

@ aminebot

You did a VM Struct patch :)


$ ==> >00000050
$+4 >0000009F
$+8 >00000000
$+C >0000008C
$+10 >00000025
$+14 >00000000
$+18 >00002000
$+1C >00000000
$+20 >0000008D | 8C
$+24 >0000002A | 25
$+28 >00000000
$+2C >00202000 | 2000
$+30 >FFFFFFFC | 00
$+34 >00000000
$+38 >00000000
$+3C >00000000
$+40 >00000000
$+44 >00000000
---------------------
=
---------------------
0046F8C1 3B85 FCFFFFFF CMP EAX,DWORD PTR SS:[EBP-4]
to
0046F8C1 3BC0 CMP EAX,EAX

greetz

Link to comment
  • 2 weeks later...

I'm seeing a pretty strange case here...

There is a call to CheckRemoteDebuggerPresent @ 0x00791754 and, WITHIN CheckRemoteDebuggerPresent, if any Hardware Breakpoints were set up by the user,

a message will pop up "Internal Protection Error".

I'm wondering, how does code of the packer manage to run between the CALL to CheckRemoteDebuggerPresent and its return!? am i missing something?

Link to comment

@ zerith

007C38E0  PUSH 7C38FC                          ; New SEH
007C38E5 PUSH DWORD PTR FS:[0] ; Set SEH
007C38EC MOV DWORD PTR FS:[0],ESP ; Set SEH
007C38F3 XOR EAX,EAX
007C38F5 XOR DWORD PTR DS:[EAX],EAX ; Force AV
007C38F7 CALL 007C38AC
007C38FC MOV EAX,DWORD PTR SS:[ESP+C] ; After AV stops here
007C3900 MOV ECX,DWORD PTR SS:[ESP+4]
007C3904 MOV DWORD PTR DS:[EAX+4],0
007C390B MOV DWORD PTR DS:[EAX+8],0
007C3912 MOV DWORD PTR DS:[EAX+C],0
007C3919 MOV DWORD PTR DS:[EAX+10],0
007C3920 AND DWORD PTR DS:[EAX+14],FFFF0FF0
007C3927 AND DWORD PTR DS:[EAX+18],0DC00
007C392E MOV DWORD PTR DS:[EAX+B8],7C393B ; New SEH
007C3938 XOR EAX,EAX
007C393A RETN
007C393B POP DWORD PTR FS:[0] ; Next stop see SEHs | 005EA218 | Internal Protection Error VMed
007C3942 ADD ESP,4
007C3945 PUSH 7C3961 ; New SEH
007C394A PUSH DWORD PTR FS:[0]
007C3951 MOV DWORD PTR FS:[0],ESP
007C3958 XOR EAX,EAX
007C395A XOR DWORD PTR DS:[EAX],EAX
007C395C CALL 007C38AC
007C3961 MOV EAX,DWORD PTR SS:[ESP+C]
007C3965 MOV ECX,DWORD PTR SS:[ESP+4]
007C3969 CMP DWORD PTR DS:[EAX+4],0
007C396D JNZ 007C38AC
007C3973 CMP DWORD PTR DS:[EAX+8],0
007C3977 JNZ 007C38AC
007C397D CMP DWORD PTR DS:[EAX+C],0
007C3981 JNZ 007C38AC
007C3987 CMP DWORD PTR DS:[EAX+10],0
007C398B JNZ 007C38AC
007C3991 MOV DWORD PTR DS:[EAX+B8],7C399E ; New SEH
007C399B XOR EAX,EAX
007C399D RETN
007C399E POP DWORD PTR FS:[0]
007C39A5 ADD ESP,4
007C39A8 RETN005EA218 JMP 005EA227 005EA227 PUSH 1391
005EA22C JMP 005DAF94
------------------------------UnVirtualized
---------------
005EA218 /E9 0A000000 JMP 005EA227
005EA21D -|E9 D6B27701 JMP 01D654F8
005EA222 |90 NOP
005EA223 |90 NOP
005EA224 |90 NOP
005EA225 |90 NOP
005EA226 |90 NOP
005EA227 -\E9 CCB27701 JMP 01D654F8
------------------------
01D654F8 PUSH 0
01D654FD PUSH 571634 ; ASCII "The Enigma Protector"
01D65502 PUSH 57164C ; ASCII "Internal Protection Error, please contact to author!"
01D65507 PUSH 0
01D6550C NOP
01D6550D CALL 004A1658 ; JMP to user32.MessageBoxA------------
------------007C38E0 <-- to ret
or
005EA218 <-- to retBypass Internal Protection Error

greetz

  • Like 1
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...