Tuts 4 You

[unpackme] ENIGMA 2.33 UnpackMe


LCF-AT


Never did any new enigma, let's see if they got any better at protecting.

0050A341  ED             IN EAX,DX
0050A342  81FB 68584D56  CMP EBX,564D5868
0050A348  75 04          JNZ SHORT 0050A34E

So much for the VMware protection. ;) Now onto unpacking.

EDIT1:

Spyware tool detected?? Can you be any vaguer.

EDIT2:

0012FF04   01302F2C   ASCII "fengyue0"

So bypassed all debugger checks and the VMware checks.

Let's see.

-Some VM

-memory loaded IAT redirs.

-VM iat redirs.

will continue tomorrow. :)

Edited by quosego
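The three instructions in the listing above are the classic VMware backdoor probe: IN EAX,DX (opcode ED) reads the I/O port and the result is compared against the 'VMXh' magic 564D5868. As an added triage example (not from the original post or from Enigma), this scanner flags an IN EAX,DX opcode only when that immediate sits nearby, so a stray 0xED byte inside an address or constant is not reported; the sample bytes are constructed from the listing plus a short prologue.

```python
import struct

# From the listing above: CMP EBX,564D5868 compares the port read against
# 'VMXh' (little-endian bytes 68 58 4D 56); IN EAX,DX is the single byte ED.
VMWARE_MAGIC = struct.pack("<I", 0x564D5868)
IN_EAX_DX = 0xED


def find_vmware_backdoor_checks(code: bytes, window: int = 32) -> list[int]:
    """Return offsets of every IN EAX,DX opcode that has the 'VMXh'
    immediate within `window` bytes on either side.

    A lone 0xED byte is too common (it shows up inside immediates and
    addresses) to flag on its own, so the magic must be close by."""
    hits = []
    for off, byte in enumerate(code):
        if byte != IN_EAX_DX:
            continue
        lo, hi = max(0, off - window), min(len(code), off + window)
        if VMWARE_MAGIC in code[lo:hi]:
            hits.append(off)
    return hits


# Constructed sample: push ebp / mov ebp,esp, then the three instructions
# from the listing (IN EAX,DX; CMP EBX,564D5868; JNZ SHORT +4).
SAMPLE_WITH_CHECK = bytes.fromhex("558BEC" "ED" "81FB68584D56" "7504")
# Constructed negative: mov eax,0EDh; ret. Contains an 0xED byte but no magic.
SAMPLE_WITHOUT_CHECK = bytes.fromhex("B8ED000000" "C3")

if __name__ == "__main__":
    print(find_vmware_backdoor_checks(SAMPLE_WITH_CHECK))     # [3]
    print(find_vmware_backdoor_checks(SAMPLE_WITHOUT_CHECK))  # []
```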

Hi quosego,

vaguer? What's this? Sorry, the translation machine cannot handle this word. Or do you mean voyeur? :)

Yes, so I added some detection features, also the VMWare / Box check etc. But no problem, you can run the UnpackMe also on your main PC, so it's a clean small target.

So if you get the Spyware tool message then you need to disable something that is running on your system. Enabled also some basic stuff + driver names etc. It's not much, just some often used names. ;)

-Some VM // Yes, but this time I have not VMed the whole code [just 62 code pieces this time]

-memory loaded IAT redirs. // Yes

-VM iat redirs // YES

"fengyue0" <-- One name check :) Basic of course

Yes keep working on it.

greetz


I remember just catching the v-DLL entrypoint and searching for "VMWare"; that doesn't work anymore now :s

The VM is pretty straightforward from a quick glance at it; with enough time, not much of a problem.


Anyone notice anything new/unusual in anti-debug? Something is catching me in that unpackme and I haven't managed to track it down. I have protected my own example with e233 with anti enabled and had no problem. Oh btw, I can't/don't use StrongOD.


I saw it uses CloseHandle anti-debug when I traced around the loader a bit. Phantom should fix that though.

What I did was just put a HWBP on read on PEB.BeingDebugged; after a few breaks in ntdll this gets you into the VM. From there just wait for the VM call to return (call stack); the next VM entries should be anti-debug.

  • 3 months later...

Sorry for digging out this older thread but I think it's worth it. ;)

For about 1 year (with huge breaks) now I'm working on an Enigma 2.x full unpacker + devirtualizer.

Today I can show the first bigger success on this Unpackme.

My devirtualizer successfully devirtualized this one and now it runs completely independently.

I think the first release of my unpacker will be in the next few weeks so stay tuned. ;)

Unpacked file tested on Win7 x64 and XP SP3 x32 VM. Does it run on your machines?

BTW: Sorry for the file size but I had to append the VM bytecode section because the devirtualizer doesn't support a direct copy to the code section. Of course this will be added soon.

Kind regards,

DizzY_D

ENIGMA 2.33 UnpackMe_Full_Unpacked.rar


@ DizzY_D

Very good work so far. :)

Looks almost the same as my devirtualized Enigma files.

If you really want to release a full unpacker | devirtualizer then test your tool also with the older Enigma versions [1.70 + | 1.90 + | 1.93 + | 1.96 till now], so till now there are together four different VM structures [differing slightly]. So keep going; I am also curious about your tool. :)

PS: XP SP2 works with your unpacked file. Let me know if you need some xy version test files to test your tool.

greetz

  • 9 years later...
mamipara

@LCF-AT

Validating on my test app, watched the video and set up all required tools as mentioned in the txt. But both scripts give a different error with (Enigma 2.33)

>>>Enigma Alternativ Unpacker 1.1

Sorry,NetFrameWork targets are not supported!

I have up to 2.0 .NET framework, also validated with Win 7, Win 10 64-bit
mov PRE_CHECKER_PATCH, 01
mov DUMP_OUTER_VM,     01


>>>Enigma 1.x - 3.x VM Unpacker 1.0 
mov BYPASS_REGSHEME,        01  
mov FIX_OUTER_VM_INSIDE,    01  

-HWID, Name, Key regscheme appears and press "Register"
-It gives "successful registration" message
-Resume script
-This error occurs
---------------------------
Can't find normal API JMP and Call commands!
Check your target for direct APIs and fix them with UIF!
INFO: Maybe your target used a another protecting layer!
----------------------------
--Press OK
--It pauses at address 0019FEE0   00616832  Test.00616832
--Script finished

Any input here?

-mami

LCF-AT

Hi,

so you do see that this topic is more than 10 years old already, right. :) The NetFrameWork info should be wrong because the file is not NFW. Problem should be the Windows OS you are running and the arch (x64), where you can get different results by using the script because the unpacking conditions are not the same as if you would try to unpack the target on an XP x86 system. What you can try is running the script under VM & XP SP2 OS. Otherwise you need to debug the script itself and analyze the error messages and try to fix / bypass it manually.

greetz

  • 2 weeks later...
mamipara

@LCF-AT

mov DUMP_OUTER_VM,     01 
mov PRE_CHECKER_PATCH, 01 

VM with XP SP3 32 bit.
Again it gives the same error (Sorry,NetFrameWork targets are not supported....).

-Above error fixed after changing the PE file alignment value

cmp [eax+104], FILEALIG
jne NO_NET
cmp [eax+104], 1000  >>>2000 


-Enter valid key and name and get message "registration success".

-It stops after the below message
Found no valid API call or Jump commands!
Maybe your file used a double protection! 
Or you need some valid bypass datas! 

While debugging it seems the above error is due to file alignment only.

Any quick hint on which other places need this 1000>>>2000 change?

-mami

LCF-AT

Hi,

if your file is a NET target then the script does fail to unpack your target because it's a NET one. If you can bypass the RegNag successfully and your target does run (press run in Olly after you get "Found no valid API call or Jump commands") like it should, then you can start to do some NET dump & fixing by using NET tools. Just try this. Don't remember anymore about that NET stuff.

PS: Script does check the first section RVA address for 1000. In case of NET the first section starts at 2000. But as I said, the script isn't a NET Enigma unpacker.

greetz

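The script's .NET test quoted by mamipara (cmp [eax+104], 1000) and LCF-AT's explanation of it both reduce to one field: for a PE32 file, NT headers + 0x104 (4 + 20 + 224 + 12) is the first section header's VirtualAddress, and 0x2000 there is taken to mean a .NET target. As an added example (not part of the thread or of either script), the parser below reads that field and, alongside it, the CLR runtime header data directory (index 14), which is the authoritative .NET indicator and does not depend on section layout. The build_header helper and its values are constructed purely for the demonstration.

```python
import struct

IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14  # CLR runtime header slot


def classify_target(data: bytes) -> tuple[int, bool]:
    """Return (first_section_rva, has_clr_header) for a PE image.

    The unpacker script only looks at the first value (0x2000 => .NET);
    a non-zero CLR data directory is the definitive test for either layout."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    size_opt = struct.unpack_from("<H", data, e_lfanew + 20)[0]  # SizeOfOptionalHeader
    opt = e_lfanew + 24                                           # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    dd_base = opt + (96 if magic == 0x10B else 112)              # PE32 vs PE32+ directories
    num_dd = struct.unpack_from("<I", data, dd_base - 4)[0]       # NumberOfRvaAndSizes
    clr_rva = 0
    if num_dd > IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR:
        clr_rva = struct.unpack_from("<I", data, dd_base + IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR * 8)[0]
    first_rva = struct.unpack_from("<I", data, opt + size_opt + 12)[0]  # first section VirtualAddress
    return first_rva, clr_rva != 0


def build_header(first_rva: int, clr_rva: int) -> bytes:
    """Constructed minimal PE32 header with one section, for testing only."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)         # SectionAlignment, FileAlignment
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, clr_rva, 0x48 if clr_rva else 0)
    sect = bytearray(40)
    sect[:5] = b".text"
    struct.pack_into("<I", sect, 12, first_rva)             # VirtualAddress (NT + 0x104)
    return dos + b"PE\0\0" + file_hdr + bytes(opt) + bytes(sect)


if __name__ == "__main__":
    for rva, clr in ((0x1000, 0), (0x2000, 0x2008), (0x2000, 0)):
        first, is_net = classify_target(build_header(rva, clr))
        print(f"first section RVA {first:#x}: script says .NET={first == 0x2000}, CLR header={is_net}")
```

The third constructed case (first section at 0x2000 but no CLR header) is exactly where the RVA heuristic alone would misreport a native file as .NET.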
  • 1 month later...

Hi all.

If it is a .NET target, once you reach the OEP (if I recall correctly, even if my memory is not that long) just dump with MegaDumper then fix.

Search... I have a script for that... you can see there all you need.
