Posted June 25, 201114 yr Hi, I've created a new .exe that protected with Enigma v2.60 Have fun Enigma.v2.60_20110523.UnpackMe.rar
June 25, 201114 yr Hi, thank you for creating a new Enigma UnpackMe. Ok here my unpacked file + VM Rebuild of the whole OEP routine. greetz Enigma.v2.60_20110523.UnpackMe_Unpacked_VM_Rebuild.rar
June 25, 201114 yr Thx for unpackme but nothing has really changed from 2.33Unpacked + Devirtualized file in attatchment.Edit: LCF AT your unpacked exe doesnt run on my PC. I get access violation when executing 00000000 in some Delphi resource load function when loading "Image1".Enigma.v2.60_20110523.UnpackMe_DUMP_.rar Edited June 25, 201114 yr by DizzY_D
June 25, 201114 yr Hhmmm.Working well on XP.So you can try to use the fixres tool with my dump.Then test whether it runs now or not.If not then you can try cut away the manifest file from the resources with a tool like restorator.Or try to do just a valid rebuild maybe this helps.So maybe the problem is that I have cut away some other sections which are not used with XP maybe there are some infos which will used with win7.Always this *_* win7 problems!greetz
July 2, 201114 yr If you have Enigma's Virtual DLL devirtualized it's no problem at all.The redirection is fixed by patching 1 JE to JMP. Fixing the VM APIs is a bit more problematic but if you know the right place its also done with a 2 instruction patch.But since you probably dont have a VM rebuilder all this tips are useless. Maybe i make a tutorial about it when i finished my Enigma Unpacker.
July 2, 201114 yr If you have Enigma's Virtual DLL devirtualized it's no problem at all.The redirection is fixed by patching 1 JE to JMP. Fixing the VM APIs is a bit more problematic but if you know the right place its also done with a 2 instruction patch.But since you probably dont have a VM rebuilder all this tips are useless. Maybe i make a tutorial about it when i finished my Enigma Unpacker.Thanks for reply,i understand easily some basic virtualized instructions (push , mov , call , cmp , jmp..) .i am trying to study the part of code that write the IAT , is it the correct way to find this JE ?
July 2, 201114 yr There are some diffrent way's how to get the iat or prevent iat RD or iat VM. If you can devirtualize the first VM then you can easy patch the IAT RD to get all APIs.On board you can also find some older enigma scripts till v2.xx which can get the IAT without to devirtualize the first VM and then you see something like this in the IAT. 016C9BE4 68 0A2A7FCD PUSH CD7F2A0A016C9BE9 813424 5A6270BA XOR DWORD PTR SS:[ESP],BA70625A016C9BF0 C3 RETN016C9BF1 68 759F5681 PUSH 81569F75016C9BF6 813424 E85647F6 XOR DWORD PTR SS:[ESP],F64756E8016C9BFD C3 RETN016C9BFE 68 9F238E0F PUSH 0F8E239F016C9C03 813424 C6688178 XOR DWORD PTR SS:[ESP],788168C6016C9C0A C3 RETN016C9C0B 68 BCB85750 PUSH 5057B8BC016C9C10 813424 74D78D27 XOR DWORD PTR SS:[ESP],278DD774016C9C17 C3 RETN016C9C18 68 786ADA77 PUSH 77DA6A78016C9C1D C3 RETN Simple xoring = API or just direct API pushes. Also its not just one JE which you have to patch so just to find this ONE JE will not help you so much. greetz
Create an account or sign in to comment