Tuts 4 You

[UnpackMe] Enigma 2.60


pushxor


Thanks for the unpackme, but nothing has really changed from 2.33.

Unpacked + devirtualized file in attachment.

Edit:

LCF-AT, your unpacked exe doesn't run on my PC. I get an access violation when executing 00000000 in some Delphi resource load function when loading "Image1".

Enigma.v2.60_20110523.UnpackMe_DUMP_.rar

Edited by DizzY_D

Hmmm. Working well on XP.

So you can try to use the fixres tool with my dump. Then test whether it runs now or not. If not, then you can try cutting away the manifest file from the resources with a tool like Restorator.

Or try to do just a valid rebuild; maybe this helps.

So maybe the problem is that I have cut away some other sections which are not used with XP; maybe there is some info in there which is used with Win7. Always these *_* Win7 problems!

greetz


If you have Enigma's virtual DLL devirtualized, it's no problem at all.

The redirection is fixed by patching 1 JE to JMP. Fixing the VM APIs is a bit more problematic, but if you know the right place it's also done with a 2-instruction patch.

But since you probably don't have a VM rebuilder, all these tips are useless.

Maybe I'll make a tutorial about it when I've finished my Enigma Unpacker.


Thanks for the reply,

I can easily understand some basic virtualized instructions (push, mov, call, cmp, jmp...).

I am trying to study the part of the code that writes the IAT; is that the correct way to find this JE?


There are some different ways to get the IAT or to prevent the IAT RD or IAT VM. :) If you can devirtualize the first VM, then you can easily patch the IAT RD to get all APIs. On board you can also find some older Enigma scripts up to v2.xx which can get the IAT without devirtualizing the first VM, and then you see something like this in the IAT:

016C9BE4  68 0A2A7FCD       PUSH CD7F2A0A
016C9BE9  813424 5A6270BA   XOR DWORD PTR SS:[ESP],BA70625A
016C9BF0  C3                RETN
016C9BF1  68 759F5681       PUSH 81569F75
016C9BF6  813424 E85647F6   XOR DWORD PTR SS:[ESP],F64756E8
016C9BFD  C3                RETN
016C9BFE  68 9F238E0F       PUSH 0F8E239F
016C9C03  813424 C6688178   XOR DWORD PTR SS:[ESP],788168C6
016C9C0A  C3                RETN
016C9C0B  68 BCB85750       PUSH 5057B8BC
016C9C10  813424 74D78D27   XOR DWORD PTR SS:[ESP],278DD774
016C9C17  C3                RETN
016C9C18  68 786ADA77       PUSH 77DA6A78
016C9C1D  C3                RETN

Simple XORing = API, or just direct API pushes.

Also, it's not just one JE which you have to patch, so just finding this ONE JE will not help you so much.

greetz

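The listing in the post above shows the two stub shapes left in the IAT: `push imm1 / xor dword [esp], imm2 / ret`, whose real target is `imm1 ^ imm2`, and a plain `push imm / ret`, whose target is the pushed value. The script below is an added example (not code from the thread or from any of the posters' tools): it parses OllyDbg-style listing text like the one quoted, re-assembles the opcode bytes, walks them with a small hand-written matcher for exactly those two shapes, and returns the resolved target for each stub. The listing text is copied from the post; the base address 0x016C9BE4 is its first address. The resolved values (all in the 0x77xxxxxx range) are not mapped to API names here, because the post does not say which APIs they are.

```python
"""Resolve Enigma-style IAT redirection stubs to their real targets.

Two stub shapes are handled, as seen in the listing:
    push imm32 ; xor dword ptr [esp], imm32 ; ret   -> target = imm1 ^ imm2
    push imm32 ; ret                               -> target = imm1
"""
import struct

PUSH_IMM32 = 0x68                 # 68 imm32
XOR_ESP_IMM32 = b"\x81\x34\x24"   # 81 34 24 imm32 : xor dword ptr [esp], imm32
RET = 0xC3                        # C3

# Copied from the listing in the post above (address, opcode bytes, mnemonic).
LISTING_TEXT = """
016C9BE4  68 0A2A7FCD       PUSH CD7F2A0A
016C9BE9  813424 5A6270BA   XOR DWORD PTR SS:[ESP],BA70625A
016C9BF0  C3                RETN
016C9BF1  68 759F5681       PUSH 81569F75
016C9BF6  813424 E85647F6   XOR DWORD PTR SS:[ESP],F64756E8
016C9BFD  C3                RETN
016C9BFE  68 9F238E0F       PUSH 0F8E239F
016C9C03  813424 C6688178   XOR DWORD PTR SS:[ESP],788168C6
016C9C0A  C3                RETN
016C9C0B  68 BCB85750       PUSH 5057B8BC
016C9C10  813424 74D78D27   XOR DWORD PTR SS:[ESP],278DD774
016C9C17  C3                RETN
016C9C18  68 786ADA77       PUSH 77DA6A78
016C9C1D  C3                RETN
"""

HEX_CHARS = set("0123456789abcdefABCDEF")


def parse_listing(text: str) -> tuple[int, bytes]:
    """Turn an OllyDbg-style listing into (base_address, raw_bytes).

    Opcode tokens are read until the first token that is not an even-length
    hex string (the mnemonic). Each line must start exactly where the previous
    one ended, so a gap or mis-pasted line is reported instead of silently
    shifting every later decode.
    """
    base = None
    buf = bytearray()
    for line in text.splitlines():
        tokens = line.split()
        if not tokens:
            continue
        addr = int(tokens[0], 16)
        if base is None:
            base = addr
        if addr != base + len(buf):
            raise ValueError(f"listing gap before {addr:08X}")
        for tok in tokens[1:]:
            if len(tok) % 2 or not set(tok) <= HEX_CHARS:
                break
            buf += bytes.fromhex(tok)
    if base is None:
        raise ValueError("empty listing")
    return base, bytes(buf)


def decode_stub(code: bytes, off: int):
    """Decode one stub at code[off]; return (target, length) or None."""
    if off + 5 > len(code) or code[off] != PUSH_IMM32:
        return None
    imm1 = struct.unpack_from("<I", code, off + 1)[0]   # immediates are little-endian
    pos = off + 5
    if code[pos:pos + 3] == XOR_ESP_IMM32:
        if pos + 7 > len(code):
            return None
        imm2 = struct.unpack_from("<I", code, pos + 3)[0]
        pos += 7
        target = imm1 ^ imm2          # xor dword [esp], imm2 rewrites the pushed value
    else:
        target = imm1                 # plain push/ret: the pushed value is the API
    if pos >= len(code) or code[pos] != RET:
        return None
    return target, pos + 1 - off


def resolve_stubs(code: bytes, base: int) -> list[tuple[int, int]]:
    """Walk consecutive stubs and return [(stub_address, resolved_target), ...]."""
    out = []
    off = 0
    while off < len(code):
        decoded = decode_stub(code, off)
        if decoded is None:
            raise ValueError(f"unrecognised bytes at {base + off:08X}")
        target, length = decoded
        out.append((base + off, target))
        off += length
    return out


if __name__ == "__main__":
    base, code = parse_listing(LISTING_TEXT)
    for stub_addr, target in resolve_stubs(code, base):
        print(f"{stub_addr:08X} -> {target:08X}")
```

Once the targets are known, each IAT slot that pointed at a stub can be rewritten with the resolved address; matching the addresses to exports of the loaded modules is then a normal import-rebuild step in the debugger or ImpREC, which the script deliberately does not attempt.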
