Sign in to follow this  
Followers 0
DizzY_D

[C++] The Enigma Protector Devirtualizer Source Code

26 posts in this topic

Hello community,

I know you all do expect the paper that I announced about Enigma 2.x unpacking but I don't know when or if I will ever finish it.

Because I don't want this project I spent so much time on to die, I decided to publish the source code of it now and seperate from the paper so that everyone can prepare it for future Enigma versions.

Also LCF-AT found a bug that I couldn't fix so quickly so I hope someone who is more advanced in c++ than me can fix it.

See http://forum.tuts4you.com/topic/26896-the-enigma-protector-2xx-unpacking-devirtualizer-by-dizzy-d/page__st__20#entry135147 for details.

Just compile the source with MSVC++2010 and everything should work.

Enigma DeVirtualizer.rar

14 people like this

Share this post


Link to post
Share on other sites

Many thanks for the good work and sharing!

Share this post


Link to post
Share on other sites

That's what we should see more often! :) Especially considering it's been your first C++ project, you did things well. Let's hope people will put this to good use.

Share this post


Link to post
Share on other sites

Good job ;)

Best Regards!

Share this post


Link to post
Share on other sites

Nice job

thanks for sharing

Share this post


Link to post
Share on other sites

Just to keep the thread updated:

I attatched the source of version 1.35.

Big thanks to Raham who fixed a lot of bugs and added support for the newest Enigma version.

Enigma DeVirtualizer1.3.5.rar

Edited by DizzY_D
2 people like this

Share this post


Link to post
Share on other sites

Hello,

ok just wanna say that there is some small [bug] about fixing the outer VM.So if you fix it with your plugin [testet latest version] then it can happen that it will fix the VM into a section which was allocated over the main target.


01000000 PE Main Target
012BE000 Main Target endOuter VM Fix
------------------
012BF0D3 NOP
012BF0D4 NOP
012BF0D5 NOP
012BF0D6 NOP
012BF0D7 NOP
012BF0D8 JMP 00C64038 // HereFixed code etc
00C64038 MOV EDI,EDI
00C6403A PUSH EBP
00C6403B MOV EBP,ESP
00C6403D PUSH EDI

So in this case you can not normaly dump & add the section like you can do it if the section was allocated under the main target.So I say it would be better to add some more small checks into the plugin to prevent such fixing problems.Also I would add a better check for the VM Table command holder + sign to prevent crashing if you have a older ENIGMA VMed target 1.95 and lower versions...

Sign newer versions:

MOV EAX,DWORD PTR DS:[ADDR]
MOV EAX,DWORD PTR DS:[EAX+ESI*8]
ADD EAX,-3
CMP EAX,??

Sign older versions exsample like this:

MOV EAX,DWORD PTR DS:[ADDR]
MOV EAX,DWORD PTR DS:[EAX+ESI*8]
CMP EAX,142
JNZ SHORT
INC EBX
JMP SHORT
CMP EAX,1E5
JNZ long

So if you dont wanna add also a VM fixing for older versions then you can add some simple check for it after calling titan to prevent a crash.Just a idea.


01394EF8 C745 E0 A1CCCCCC | MOV DWORD PTR SS:[EBP-20],CCCCCCA1
01394EFF C745 E4 CC8B04F0 | MOV DWORD PTR SS:[EBP-1C],F0048BCC
01394F06 C745 E8 83C0FD83 | MOV DWORD PTR SS:[EBP-18],83FDC083
01394F0D C645 EC F8 | MOV BYTE PTR SS:[EBP-14],0F8
01394F11 FFD7 | CALL EDI // Titan Find API
----------------------------------------------------------------------------------
or eax,eax
je NEWER_VM_SIGN_NOT_FOUND
----------------------------------------------------------------------------------
01394F13 8B50 01 | MOV EDX,DWORD PTR DS:[EAX+1] // eax = 00 = crash

greetz

1 person likes this

Share this post


Link to post
Share on other sites

Hi LCF

Problem 1:

About Memory Region.

as you know, it will usually happen because your ImageBase is high, so when enigma engine allocate a memory region for him VM, it will be below of ImageBase.

no problem.

Problem 2:

About Older Version. yes i have noticed that , below of version 2 have old VM.

Thx For Report, i will both of them :)

PS: its not suitable topic for Bug report:-p

Kind Regards

Edited by Raham
1 person likes this

Share this post


Link to post
Share on other sites

Well if you need some older version of enigma to make test, i have almost all versions of enigma protector, started with v1.02 till 3.60

Edited by Silence
1 person likes this

Share this post


Link to post
Share on other sites

Hello everyone,

Since I needed this I put the source on a git repo. Anyone who wants to contribute, please contact me so I can give you write access.

It has various useless crashes fixed and I also added an exception handler, but it still doesn't work on many file.

https://bitbucket.org/mrexodia/enigma-devirtualizer

Greetings,

Mr. eXoDia

5 people like this

Share this post


Link to post
Share on other sites

Hi.


Witch is the last version of Enigma you have tested?


Share this post


Link to post
Share on other sites

GIV: I didn't test anything really, just fixed some crappy source code bugs (reading from 0 addresses etc).

Share this post


Link to post
Share on other sites

Hello everyone,

Since I needed this I put the source on a git repo. Anyone who wants to contribute, please contact me so I can give you write access.

It has various useless crashes fixed and I also added an exception handler, but it still doesn't work on many file.

https://bitbucket.org/mrexodia/enigma-devirtualizer

Greetings,

Mr. eXoDia

 

IS BAD FIXED !

Is better use the original from DizzY_D / Raham

waste time man..

Share this post


Link to post
Share on other sites

@Hasby:


The doctor checks you up and screams at you "you're not in good health!".


This leaves you wondering what the heck is up, since "you're not in good health" might be anything between "you've got a cold" and "you're gonna die of cancer in 3... 2... 1...".


 


Be more specific and tell, at the very least, which kind of problem(s) you have found (does it crash more often than the original version? Does it have problems devirtualizing things the original version handled correctly? etc...).


Edited by SmilingWolf
1 person likes this

Share this post


Link to post
Share on other sites

@Hasby: It could be that I missed some things, if you can please go back in the version history and figure out what is working. Personally I had a lot of crashes which I fixed (just rewrote some code, not everything).

It can also be that this isnt the latest version (the GPL was violated, I just pushed the last version I had).

Greetings

Share this post


Link to post
Share on other sites

@SmilingWolf and @Mr. eXoDia
No...No..
And sorry to Mr Exodia.
I only wonder of this one, why this fixed version had a lot of crashes.
Usually, Mr. eXoDia releases a MASTER PIECE of tool, coded by himself.
(all releases is excellent and can be classified as MASTER PIECE)Think of it that my message as a trigger for the better release. No other...BR

Share this post


Link to post
Share on other sites

@Hasby: The source code I fixed is older than the latest released binary, so that's why there might be some problems. I didn't code this myself, just re-released the latest source I had (newer than the latest publicly released source).

Share this post


Link to post
Share on other sites

@Mr. eXoDia

Yeapp....
That is I already thought.
You are one of the best coderzs, that I see for until now.
All your releases is nice and I would classify as MASTER PIECE.Just an advise: You should focus on your own code for better release,
or create a new tool. I am sure that your release (your own code) would be a great tool again.
 

Share this post


Link to post
Share on other sites

Hasby: Thanks for your advice.

I have an advice for you too: I know perfectly fine what to focus on. If you don't like what I did with this code, fix it yourself. It's open source for a reason.

Share this post


Link to post
Share on other sites

@Mr. eXoDia


No..


I Love your tools, that your release with your own code.


I always use your tools, for all situation.


 


BR.

Share this post


Link to post
Share on other sites

Hello everyone,

Since I needed this I put the source on a git repo. Anyone who wants to contribute, please contact me so I can give you write access.

It has various useless crashes fixed and I also added an exception handler, but it still doesn't work on many file.

https://bitbucket.org/mrexodia/enigma-devirtualizer

Greetings,

Mr. eXoDia

 

Hi Mr. eXoDia!

 

I just compiled the latest source code of Enigma Devirtualizer from your repository with MS VS 2010 under Win XP SP3.

The DLL compiled successfully but not working properly. The projects is set to link BeaEngine and Titanium library statically, but the compiled DLL needs bots DLLs. (I used depends.exe to detect dependent and unresolved dll-s)

 

The Titanium DLL   it's not problem I can place it into app directory and into  Dev. directory, but I don't found the proper BeaEngine.dll.

I just downloaded the latest BeaEngine.dll from the official site (www.beaengine.org) but unfortunately it's not working with the Dll.

 

Maybe can you give me some hints howto compile/link it properly?

The precompiled Engma dll from Raham don't need BeaEngine.dll.

 

Regards

  leader

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0