[UnpackMe] Enigma 2.60

[pushxor]

Hi, I've created a new .exe that protected with Enigma v2.60

Have fun

Enigma.v2.60_20110523.UnpackMe.rar

[LCF-AT]

Hi,

thank you for creating a new Enigma UnpackMe.

Ok here my unpacked file + VM Rebuild of the whole OEP routine.

greetz

Enigma.v2.60_20110523.UnpackMe_Unpacked_VM_Rebuild.rar

[pushxor]

wow, it is very fast LCF-AT

tried and it's full unpacked

BR

[DizzY_D]

Thx for unpackme but nothing has really changed from 2.33

Unpacked + Devirtualized file in attatchment.

Edit:

LCF AT your unpacked exe doesnt run on my PC. I get access violation when executing 00000000 in some Delphi resource load function when loading "Image1".

Enigma.v2.60_20110523.UnpackMe_DUMP_.rar

Edited June 25, 2011 by DizzY_D

[blackpirate]

@LCF

like Dizzy said i get this on win7 x86

@Dizzy

you unpack runs well !

[LCF-AT]

Hhmmm.Working well on XP.

So you can try to use the fixres tool with my dump.Then test whether it runs now or not.If not then you can try cut away the manifest file from the resources with a tool like restorator.

Or try to do just a valid rebuild maybe this helps.

So maybe the problem is that I have cut away some other sections which are not used with XP maybe there are some infos which will used with win7.Always this *_* win7 problems!

greetz

[aminebot]

I have just one question ,

how are you doing to rebuild IAT ?

[DizzY_D]

If you have Enigma's Virtual DLL devirtualized it's no problem at all.

The redirection is fixed by patching 1 JE to JMP. Fixing the VM APIs is a bit more problematic but if you know the right place its also done with a 2 instruction patch.

But since you probably dont have a VM rebuilder all this tips are useless.

Maybe i make a tutorial about it when i finished my Enigma Unpacker.

[aminebot]

If you have Enigma's Virtual DLL devirtualized it's no problem at all.

The redirection is fixed by patching 1 JE to JMP. Fixing the VM APIs is a bit more problematic but if you know the right place its also done with a 2 instruction patch.

But since you probably dont have a VM rebuilder all this tips are useless.

Maybe i make a tutorial about it when i finished my Enigma Unpacker.

Thanks for reply,

i understand easily some basic virtualized instructions (push , mov , call , cmp , jmp..) .

i am trying to study the part of code that write the IAT , is it the correct way to find this JE ?

[LCF-AT]

There are some diffrent way's how to get the iat or prevent iat RD or iat VM. If you can devirtualize the first VM then you can easy patch the IAT RD to get all APIs.On board you can also find some older enigma scripts till v2.xx which can get the IAT without to devirtualize the first VM and then you see something like this in the IAT.

016C9BE4     68 0A2A7FCD        PUSH CD7F2A0A
016C9BE9     813424 5A6270BA    XOR DWORD PTR SS:[ESP],BA70625A
016C9BF0     C3                 RETN
016C9BF1     68 759F5681        PUSH 81569F75
016C9BF6     813424 E85647F6    XOR DWORD PTR SS:[ESP],F64756E8
016C9BFD     C3                 RETN
016C9BFE     68 9F238E0F        PUSH 0F8E239F
016C9C03     813424 C6688178    XOR DWORD PTR SS:[ESP],788168C6
016C9C0A     C3                 RETN
016C9C0B     68 BCB85750        PUSH 5057B8BC
016C9C10     813424 74D78D27    XOR DWORD PTR SS:[ESP],278DD774
016C9C17     C3                 RETN
016C9C18     68 786ADA77        PUSH 77DA6A78
016C9C1D     C3                 RETN

Simple xoring = API or just direct API pushes.

Also its not just one JE which you have to patch so just to find this ONE JE will not help you so much.

greetz

[DeadAndGone]

Thanks for the challange. Here is mine unpacked file.

unpacked.By.Silence.rar