DizzY_D Posted April 17, 2012
Hello community,
I know you all do expect the paper that I announced about Enigma 2.x unpacking, but I don't know when or if I will ever finish it.
Because I don't want this project I spent so much time on to die, I decided to publish the source code of it now and separate from the paper so that everyone can prepare it for future Enigma versions.
Also, LCF-AT found a bug that I couldn't fix so quickly, so I hope someone who is more advanced in C++ than me can fix it.
See http://forum.tuts4you.com/topic/26896-the-enigma-protector-2xx-unpacking-devirtualizer-by-dizzy-d/page__st__20#entry135147 for details.
Just compile the source with MSVC++2010 and everything should work.
Attachment: Enigma DeVirtualizer.rar
metr0 Posted April 18, 2012
That's what we should see more often! Especially considering it's been your first C++ project, you did things well. Let's hope people will put this to good use.
DizzY_D (Author) Posted May 26, 2012
Just to keep the thread updated:
I attached the source of version 1.35.
Big thanks to Raham, who fixed a lot of bugs and added support for the newest Enigma version.
Attachment: Enigma DeVirtualizer1.3.5.rar
Edited May 26, 2012 by DizzY_D
LCF-AT Posted May 26, 2012
Hello,
ok just wanna say that there is some small [bug] about fixing the outer VM. So if you fix it with your plugin [tested latest version] then it can happen that it will fix the VM into a section which was allocated over the main target.

01000000 PE Main Target
012BE000 Main Target end

Outer VM Fix
------------------
012BF0D3 NOP
012BF0D4 NOP
012BF0D5 NOP
012BF0D6 NOP
012BF0D7 NOP
012BF0D8 JMP 00C64038 // Here

Fixed code etc
00C64038 MOV EDI,EDI
00C6403A PUSH EBP
00C6403B MOV EBP,ESP
00C6403D PUSH EDI

So in this case you can not normally dump & add the section like you can do it if the section was allocated under the main target. So I say it would be better to add some more small checks into the plugin to prevent such fixing problems.
Also I would add a better check for the VM Table command holder + sign to prevent crashing if you have an older ENIGMA VMed target, 1.95 and lower versions...

Sign newer versions:
MOV EAX,DWORD PTR DS:[ADDR]
MOV EAX,DWORD PTR DS:[EAX+ESI*8]
ADD EAX,-3
CMP EAX,??

Sign older versions, example like this:
MOV EAX,DWORD PTR DS:[ADDR]
MOV EAX,DWORD PTR DS:[EAX+ESI*8]
CMP EAX,142
JNZ SHORT
INC EBX
JMP SHORT
CMP EAX,1E5
JNZ long

So if you don't wanna add also a VM fixing for older versions then you can add some simple check for it after calling titan to prevent a crash. Just an idea.

01394EF8 C745 E0 A1CCCCCC | MOV DWORD PTR SS:[EBP-20],CCCCCCA1
01394EFF C745 E4 CC8B04F0 | MOV DWORD PTR SS:[EBP-1C],F0048BCC
01394F06 C745 E8 83C0FD83 | MOV DWORD PTR SS:[EBP-18],83FDC083
01394F0D C645 EC F8       | MOV BYTE PTR SS:[EBP-14],0F8
01394F11 FFD7             | CALL EDI // Titan Find API
----------------------------------------------------------------------------------
or eax,eax
je NEWER_VM_SIGN_NOT_FOUND
----------------------------------------------------------------------------------
01394F13 8B50 01          | MOV EDX,DWORD PTR DS:[EAX+1] // eax = 00 = crash

greetz
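The not-found check suggested in the post above, written out as an added example; it is not part of the thread or of the plugin's source. find_pattern is a hypothetical stand-in for the engine's search call, the use of 0xCC as the wildcard byte is an assumption read from the pattern bytes in the listing, and the sample buffers are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>

// Newer-version signature from the post: MOV EAX,[ADDR] / MOV EAX,[EAX+ESI*8] /
// ADD EAX,-3 / CMP EAX,imm8. Assumption: 0xCC is the wildcard for the ADDR bytes.
static const uint8_t kNewerVmSign[] = {0xA1, 0xCC, 0xCC, 0xCC, 0xCC, 0x8B, 0x04,
                                       0xF0, 0x83, 0xC0, 0xFD, 0x83, 0xF8};
static const uint8_t kWildcard = 0xCC;

// Hypothetical stand-in for the engine's search call: first match or nullptr.
const uint8_t* find_pattern(const uint8_t* mem, size_t memSize,
                            const uint8_t* pat, size_t patSize, uint8_t wildcard) {
    if (!mem || !pat || patSize == 0 || memSize < patSize) return nullptr;
    for (size_t i = 0; i + patSize <= memSize; ++i) {
        size_t j = 0;
        while (j < patSize && (pat[j] == wildcard || mem[i + j] == pat[j])) ++j;
        if (j == patSize) return mem + i;
    }
    return nullptr;
}

// Extracts ADDR (the 4 bytes after the A1 opcode) only if the signature matched.
// Returns false for a target without the newer signature instead of reading [0+1].
bool read_vm_table_addr(const uint8_t* mem, size_t memSize, uint32_t* out) {
    const uint8_t* hit = find_pattern(mem, memSize, kNewerVmSign,
                                      sizeof(kNewerVmSign), kWildcard);
    if (!hit || !out) return false;
    *out = (uint32_t)hit[1] | ((uint32_t)hit[2] << 8) |
           ((uint32_t)hit[3] << 16) | ((uint32_t)hit[4] << 24);
    return true;
}

// Constructed sample bytes, not taken from any real target.
static const uint8_t kNewerSample[] = {0x90, 0x90, 0xA1, 0x78, 0x56, 0x34, 0x12, 0x8B,
                                       0x04, 0xF0, 0x83, 0xC0, 0xFD, 0x83, 0xF8, 0x10};
// Older layout: CMP EAX,142 (3D 42 01 00 00) follows the table load directly.
static const uint8_t kOlderSample[] = {0x90, 0xA1, 0x78, 0x56, 0x34, 0x12, 0x8B, 0x04,
                                       0xF0, 0x3D, 0x42, 0x01, 0x00, 0x00, 0x75, 0x03};

int main() {
    uint32_t addr = 0;
    bool newer = read_vm_table_addr(kNewerSample, sizeof(kNewerSample), &addr);
    std::printf("newer sample: found=%d addr=%08X\n", newer, (unsigned)addr);
    bool older = read_vm_table_addr(kOlderSample, sizeof(kOlderSample), &addr);
    std::printf("older sample: found=%d (skip VM fix, no crash)\n", older);
    return 0;
}
```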
Raham Posted May 26, 2012
Hi LCF
Problem 1: About Memory Region. As you know, it will usually happen because your ImageBase is high, so when the Enigma engine allocates a memory region for its VM, it will be below the ImageBase. No problem.
Problem 2: About Older Version. Yes, I have noticed that versions below 2 have the old VM.
Thx for the report, I will both of them
PS: it's not a suitable topic for bug reports :-p
Kind Regards
Edited May 26, 2012 by Raham
DeadAndGone Posted May 26, 2012
Well, if you need some older version of Enigma to make tests, I have almost all versions of Enigma Protector, starting with v1.02 till 3.60
Edited May 26, 2012 by Silence
mrexodia Posted June 30, 2014
Hello everyone,
Since I needed this I put the source on a git repo. Anyone who wants to contribute, please contact me so I can give you write access.
It has various useless crashes fixed and I also added an exception handler, but it still doesn't work on many files.
https://bitbucket.org/mrexodia/enigma-devirtualizer
Greetings,
Mr. eXoDia
GIV Posted September 15, 2014
Hi. Which is the last version of Enigma you have tested?
mrexodia Posted September 19, 2014
GIV: I didn't test anything really, just fixed some crappy source code bugs (reading from 0 addresses etc).
Hasby Posted October 1, 2014
> Hello everyone,
> Since I needed this I put the source on a git repo. Anyone who wants to contribute, please contact me so I can give you write access.
> It has various useless crashes fixed and I also added an exception handler, but it still doesn't work on many files.
> https://bitbucket.org/mrexodia/enigma-devirtualizer
> Greetings,
> Mr. eXoDia
IS BAD FIXED!
Is better use the original from DizzY_D / Raham
waste time man..
SmilingWolf Posted October 1, 2014
@Hasby:
The doctor checks you up and screams at you "you're not in good health!". This leaves you wondering what the heck is up, since "you're not in good health" might be anything between "you've got a cold" and "you're gonna die of cancer in 3... 2... 1...".
Be more specific and tell, at the very least, which kind of problem(s) you have found (does it crash more often than the original version? Does it have problems devirtualizing things the original version handled correctly? etc...).
Edited October 1, 2014 by SmilingWolf
mrexodia Posted October 1, 2014
@Hasby: It could be that I missed some things; if you can, please go back in the version history and figure out what is working. Personally I had a lot of crashes which I fixed (just rewrote some code, not everything). It can also be that this isn't the latest version (the GPL was violated, I just pushed the last version I had).
Greetings
Hasby Posted October 2, 2014
@SmilingWolf and @Mr. eXoDia
No... No.. And sorry to Mr. eXoDia.
I only wonder about this one, why this fixed version had a lot of crashes.
Usually, Mr. eXoDia releases a MASTER PIECE of a tool, coded by himself (all releases are excellent and can be classified as MASTER PIECE).
Think of my message as a trigger for a better release. No other...
BR
mrexodia Posted October 5, 2014
@Hasby: The source code I fixed is older than the latest released binary, so that's why there might be some problems. I didn't code this myself, just re-released the latest source I had (newer than the latest publicly released source).
Hasby Posted October 8, 2014
@Mr. eXoDia
Yeapp.... That is what I already thought.
You are one of the best coderzs that I have seen until now. All your releases are nice and I would classify them as MASTER PIECE.
Just an advice: You should focus on your own code for a better release, or create a new tool. I am sure that your release (your own code) would be a great tool again.
mrexodia Posted October 9, 2014
Hasby: Thanks for your advice. I have an advice for you too: I know perfectly fine what to focus on. If you don't like what I did with this code, fix it yourself. It's open source for a reason.
Hasby Posted October 10, 2014
@Mr. eXoDia
No.. I love your tools that you release with your own code. I always use your tools, for all situations.
BR.
ldr Posted December 3, 2014
> Hello everyone,
> Since I needed this I put the source on a git repo. Anyone who wants to contribute, please contact me so I can give you write access.
> It has various useless crashes fixed and I also added an exception handler, but it still doesn't work on many files.
> https://bitbucket.org/mrexodia/enigma-devirtualizer
> Greetings,
> Mr. eXoDia
Hi Mr. eXoDia!
I just compiled the latest source code of Enigma Devirtualizer from your repository with MS VS 2010 under Win XP SP3. The DLL compiled successfully but is not working properly.
The project is set to link BeaEngine and the Titanium library statically, but the compiled DLL needs both DLLs. (I used depends.exe to detect dependent and unresolved DLLs.)
The Titanium DLL is not a problem, I can place it into the app directory and into the Dev. directory, but I didn't find the proper BeaEngine.dll. I just downloaded the latest BeaEngine.dll from the official site (www.beaengine.org) but unfortunately it's not working with the DLL.
Maybe you can give me some hints on how to compile/link it properly? The precompiled Enigma DLL from Raham doesn't need BeaEngine.dll.
Regards
leader
mrexodia Posted December 3, 2014
https://bitbucket.org/mrexodia/beaengine
Greetings
ldr Posted December 8, 2014
> https://bitbucket.org/mrexodia/beaengine
> Greetings
Thx, it's working now.