pushxor Posted June 25, 2011
Hi, I've created a new .exe that is protected with Enigma v2.60. Have fun.
Enigma.v2.60_20110523.UnpackMe.rar
LCF-AT Posted June 25, 2011
Hi, thank you for creating a new Enigma UnpackMe. OK, here is my unpacked file + VM rebuild of the whole OEP routine. greetz
Enigma.v2.60_20110523.UnpackMe_Unpacked_VM_Rebuild.rar
pushxor (Author) Posted June 25, 2011
Wow, that was very fast, LCF-AT. I tried it and it's fully unpacked. BR
DizzY_D Posted June 25, 2011 (edited June 25, 2011 by DizzY_D)
Thx for the unpackme, but nothing has really changed from 2.33. Unpacked + devirtualized file in the attachment.
Edit: LCF-AT, your unpacked exe doesn't run on my PC. I get an access violation when executing 00000000 in some Delphi resource load function when loading "Image1".
Enigma.v2.60_20110523.UnpackMe_DUMP_.rar
blackpirate Posted June 25, 2011
@LCF: like Dizzy said, I get this on Win7 x86. @Dizzy: your unpack runs well!
LCF-AT Posted June 25, 2011
Hmmm. Working well on XP. So you can try to use the fixres tool with my dump, then test whether it runs now or not. If not, then you can try to cut away the manifest file from the resources with a tool like Restorator. Or try to do just a valid rebuild; maybe this helps. So maybe the problem is that I have cut away some other sections which are not used on XP; maybe there is some info there which is used on Win7. Always these *_* Win7 problems! greetz
aminebot Posted July 2, 2011
I have just one question: how do you rebuild the IAT?
DizzY_D Posted July 2, 2011
If you have Enigma's virtual DLL devirtualized it's no problem at all. The redirection is fixed by patching 1 JE to JMP. Fixing the VM APIs is a bit more problematic, but if you know the right place it's also done with a 2-instruction patch. But since you probably don't have a VM rebuilder, all these tips are useless. Maybe I'll make a tutorial about it when I've finished my Enigma unpacker.
aminebot Posted July 2, 2011
Quote (DizzY_D): "If you have Enigma's virtual DLL devirtualized it's no problem at all. The redirection is fixed by patching 1 JE to JMP. Fixing the VM APIs is a bit more problematic, but if you know the right place it's also done with a 2-instruction patch. But since you probably don't have a VM rebuilder, all these tips are useless. Maybe I'll make a tutorial about it when I've finished my Enigma unpacker."
Thanks for the reply. I easily understand some basic virtualized instructions (push, mov, call, cmp, jmp...). I am trying to study the part of the code that writes the IAT; is that the correct way to find this JE?
LCF-AT Posted July 2, 2011
There are some different ways to get the IAT or to prevent IAT RD (redirection) or IAT VM. If you can devirtualize the first VM, then you can easily patch the IAT RD to get all APIs. On board you can also find some older Enigma scripts up to v2.xx which can get the IAT without devirtualizing the first VM, and then you see something like this in the IAT:

    016C9BE4  68 0A2A7FCD        PUSH CD7F2A0A
    016C9BE9  813424 5A6270BA    XOR DWORD PTR SS:[ESP],BA70625A
    016C9BF0  C3                 RETN
    016C9BF1  68 759F5681        PUSH 81569F75
    016C9BF6  813424 E85647F6    XOR DWORD PTR SS:[ESP],F64756E8
    016C9BFD  C3                 RETN
    016C9BFE  68 9F238E0F        PUSH 0F8E239F
    016C9C03  813424 C6688178    XOR DWORD PTR SS:[ESP],788168C6
    016C9C0A  C3                 RETN
    016C9C0B  68 BCB85750        PUSH 5057B8BC
    016C9C10  813424 74D78D27    XOR DWORD PTR SS:[ESP],278DD774
    016C9C17  C3                 RETN
    016C9C18  68 786ADA77        PUSH 77DA6A78
    016C9C1D  C3                 RETN

Simple XORing = API, or just direct API pushes. Also, it's not just one JE which you have to patch, so just finding this ONE JE will not help you so much. greetz
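The stubs LCF-AT quotes can be resolved mechanically: each one is PUSH imm32 / XOR DWORD PTR [ESP], imm32 / RETN, so the address the RETN lands on is simply the XOR of the two immediates, and a stub without the XOR is a direct push of the API address. The following Python is an added example written for this thread; it is not an Enigma script, nor code from any poster. It re-encodes the quoted listing as raw bytes (constructed from the listing; the decoded addresses are whatever the XOR yields and were not checked against a live process) and walks the region to produce a stub-address -> API-address table of the kind an IAT fixer would consume.

```python
import struct

# Constructed sample input: the five stubs quoted in the thread above,
# re-encoded as the raw bytes a dump of that region would contain
# (opcode bytes exactly as listed, immediates little-endian).
STUB_BASE = 0x016C9BE4
STUB_BYTES = bytes.fromhex((
    "68 0A2A7FCD 813424 5A6270BA C3"   # PUSH / XOR [ESP] / RETN
    "68 759F5681 813424 E85647F6 C3"
    "68 9F238E0F 813424 C6688178 C3"
    "68 BCB85750 813424 74D78D27 C3"
    "68 786ADA77 C3"                    # direct PUSH / RETN
).replace(" ", ""))

PUSH_IMM32 = 0x68
XOR_ESP_IMM32 = b"\x81\x34\x24"   # XOR DWORD PTR SS:[ESP], imm32
RETN = 0xC3


def decode_iat_stubs(blob, base):
    """Walk a region of Enigma-style IAT stubs and return (stub_va, api_va) pairs.

    Two shapes are recognised, both taken from the listing in the thread:
      PUSH imm1 ; XOR DWORD PTR [ESP], imm2 ; RETN   ->  api = imm1 ^ imm2
      PUSH imm1 ; RETN                                ->  api = imm1
    The walk stops at the first byte sequence that is neither, so unrelated
    data after the stub table is not misread as an API address.
    """
    results = []
    off = 0
    while off + 5 <= len(blob) and blob[off] == PUSH_IMM32:
        stub_va = base + off
        value = struct.unpack_from("<I", blob, off + 1)[0]
        off += 5
        # Optional XOR: match the 3-byte opcode/modrm/sib prefix, then imm32.
        if blob[off:off + 3] == XOR_ESP_IMM32 and off + 7 <= len(blob):
            key = struct.unpack_from("<I", blob, off + 3)[0]
            value ^= key
            off += 7
        # RETN pops the (now decoded) value into EIP: that is the API address.
        if off >= len(blob) or blob[off] != RETN:
            break
        off += 1
        results.append((stub_va, value))
    return results


def format_table(pairs):
    """Render the decoded pairs as 'stub_va -> api_va' lines for a fixer script."""
    return "\n".join(f"{stub:08X} -> {api:08X}" for stub, api in pairs)


if __name__ == "__main__":
    print(format_table(decode_iat_stubs(STUB_BYTES, STUB_BASE)))
```

Run as-is it prints five lines, one per stub; to use it on a real dump, read the bytes of the stub region into `blob` and pass the region's virtual address as `base`. The walk deliberately refuses anything that is not one of the two shapes above, so a table that ends in other data (or a stub variant the thread does not show) stops decoding rather than emitting a bogus address.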
DeadAndGone Posted December 7, 2011
Thanks for the challenge. Here is my unpacked file.
unpacked.By.Silence.rar