[C++] The Enigma Protector Devirtualizer Source Code


DizzY_D


Hello community,

I know you all do expect the paper that I announced about Enigma 2.x unpacking but I don't know when or if I will ever finish it.

Because I don't want this project I spent so much time on to die, I decided to publish the source code of it now and separate from the paper so that everyone can prepare it for future Enigma versions.

Also LCF-AT found a bug that I couldn't fix so quickly so I hope someone who is more advanced in c++ than me can fix it.

See http://forum.tuts4you.com/topic/26896-the-enigma-protector-2xx-unpacking-devirtualizer-by-dizzy-d/page__st__20#entry135147 for details.

Just compile the source with MSVC++2010 and everything should work.

Enigma DeVirtualizer.rar


That's what we should see more often! :) Especially considering it's been your first C++ project, you did things well. Let's hope people will put this to good use.

  • 1 month later...

Hello,

ok just wanna say that there is some small [bug] about fixing the outer VM. So if you fix it with your plugin [tested latest version] then it can happen that it will fix the VM into a section which was allocated over the main target.


01000000 PE Main Target
012BE000 Main Target end

Outer VM Fix
------------------
012BF0D3 NOP
012BF0D4 NOP
012BF0D5 NOP
012BF0D6 NOP
012BF0D7 NOP
012BF0D8 JMP 00C64038 // Here

Fixed code etc
00C64038 MOV EDI,EDI
00C6403A PUSH EBP
00C6403B MOV EBP,ESP
00C6403D PUSH EDI

So in this case you can not normally dump & add the section like you can do it if the section was allocated under the main target. So I say it would be better to add some more small checks into the plugin to prevent such fixing problems. Also I would add a better check for the VM Table command holder + sign to prevent crashing if you have an older ENIGMA VMed target 1.95 and lower versions...

Sign newer versions:

MOV EAX,DWORD PTR DS:[ADDR]
MOV EAX,DWORD PTR DS:[EAX+ESI*8]
ADD EAX,-3
CMP EAX,??

Sign older versions example like this:

MOV EAX,DWORD PTR DS:[ADDR]
MOV EAX,DWORD PTR DS:[EAX+ESI*8]
CMP EAX,142
JNZ SHORT
INC EBX
JMP SHORT
CMP EAX,1E5
JNZ long

So if you don't wanna add also a VM fixing for older versions then you can add some simple check for it after calling titan to prevent a crash. Just an idea.


01394EF8 C745 E0 A1CCCCCC | MOV DWORD PTR SS:[EBP-20],CCCCCCA1
01394EFF C745 E4 CC8B04F0 | MOV DWORD PTR SS:[EBP-1C],F0048BCC
01394F06 C745 E8 83C0FD83 | MOV DWORD PTR SS:[EBP-18],83FDC083
01394F0D C645 EC F8 | MOV BYTE PTR SS:[EBP-14],0F8
01394F11 FFD7 | CALL EDI // Titan Find API
----------------------------------------------------------------------------------
or eax,eax
je NEWER_VM_SIGN_NOT_FOUND
----------------------------------------------------------------------------------
01394F13 8B50 01 | MOV EDX,DWORD PTR DS:[EAX+1] // eax = 00 = crash

greetz
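
The two checks suggested in the post above, sketched as an added example (not code from the plugin or from any poster). `findPattern`, `detectVm` and `regionBelowImage` are hypothetical names; treating 0xCC as the wildcard and the byte encoding of the older signature are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

static const uint8_t kWild = 0xCC;  // assumed wildcard: fills the [ADDR] slot in the post's pattern
// Newer VM: MOV EAX,[ADDR] / MOV EAX,[EAX+ESI*8] / ADD EAX,-3 / CMP EAX,imm8
// (bytes as stored by the MOV DWORD/BYTE instructions in the post's listing).
static const std::vector<uint8_t> kNewerSig = {
    0xA1, kWild, kWild, kWild, kWild, 0x8B, 0x04, 0xF0, 0x83, 0xC0, 0xFD, 0x83, 0xF8};
// Older VM: same two loads, then CMP EAX,142. The bytes 3D 42 01 00 00 are
// assembled here from the post's mnemonics (assumption, not from the page).
static const std::vector<uint8_t> kOlderSig = {
    0xA1, kWild, kWild, kWild, kWild, 0x8B, 0x04, 0xF0, 0x3D, 0x42, 0x01, 0x00, 0x00};

enum class VmKind { NotFound, Newer, Older };
// Hypothetical stand-in for the Titan find call: first match or nullptr.
const uint8_t* findPattern(const uint8_t* mem, size_t size, const std::vector<uint8_t>& sig) {
    if (!mem || sig.empty() || size < sig.size()) return nullptr;
    for (size_t i = 0; i + sig.size() <= size; ++i) {
        size_t j = 0;
        while (j < sig.size() && (sig[j] == kWild || sig[j] == mem[i + j])) ++j;
        if (j == sig.size()) return mem + i;
    }
    return nullptr;
}

// Classifies the handler and reads the [ADDR] operand at match+1 only on a hit,
// which is the "or eax,eax / je" guard suggested in the post.
VmKind detectVm(const uint8_t* mem, size_t size, uint32_t* tableAddr) {
    const uint8_t* hit = findPattern(mem, size, kNewerSig);
    VmKind kind = VmKind::Newer;
    if (!hit) { hit = findPattern(mem, size, kOlderSig); kind = VmKind::Older; }
    if (!hit) return VmKind::NotFound;
    *tableAddr = uint32_t(hit[1]) | (uint32_t(hit[2]) << 8) |
                 (uint32_t(hit[3]) << 16) | (uint32_t(hit[4]) << 24);
    return kind;
}

// True when the fix target lies at a lower address than the image base, as in
// the post's listing (00C64038 against image base 01000000).
bool regionBelowImage(uint32_t imageBase, uint32_t regionAddr) { return regionAddr < imageBase; }

int main() {
    const uint8_t old[] = {0xA1,0x00,0x10,0x40,0x00,0x8B,0x04,0xF0,0x3D,0x42,0x01,0x00,0x00};  // constructed
    uint32_t addr = 0;
    std::printf("kind=%d addr=%08X\n", int(detectVm(old, sizeof old, &addr)), unsigned(addr));
    return regionBelowImage(0x01000000, 0x00C64038) ? 0 : 1;
}
```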


Hi LCF

Problem 1:

About Memory Region.

As you know, it will usually happen because your ImageBase is high, so when the Enigma engine allocates a memory region for its VM, it will be below the ImageBase.

no problem.

Problem 2:

About older versions: yes, I have noticed that; versions below 2 have the old VM.

Thx for the report, i will both of them :)

PS: it's not a suitable topic for a bug report :-p

Kind Regards

Edited by Raham
DeadAndGone

Well, if you need some older version of Enigma to make tests, I have almost all versions of Enigma Protector, starting with v1.02 up to 3.60

Edited by Silence
  • 2 years later...
  • 2 months later...
  • 2 weeks later...

Hello everyone,

Since I needed this I put the source on a git repo. Anyone who wants to contribute, please contact me so I can give you write access.

It has various useless crashes fixed and I also added an exception handler, but it still doesn't work on many files.

https://bitbucket.org/mrexodia/enigma-devirtualizer

Greetings,

Mr. eXoDia

 

IS BAD FIXED !

Is better use the original from DizzY_D / Raham

waste time man..


@Hasby:


The doctor checks you up and screams at you "you're not in good health!".


This leaves you wondering what the heck is up, since "you're not in good health" might be anything between "you've got a cold" and "you're gonna die of cancer in 3... 2... 1...".


 


Be more specific and tell, at the very least, which kind of problem(s) you have found (does it crash more often than the original version? Does it have problems devirtualizing things the original version handled correctly? etc...).


Edited by SmilingWolf

@Hasby: It could be that I missed some things, if you can please go back in the version history and figure out what is working. Personally I had a lot of crashes which I fixed (just rewrote some code, not everything).

It can also be that this isn't the latest version (the GPL was violated, I just pushed the last version I had).

Greetings


@SmilingWolf and @Mr. eXoDia
No...No..
And sorry to Mr Exodia.
I only wonder of this one, why this fixed version had a lot of crashes.
Usually, Mr. eXoDia releases a MASTER PIECE of tool, coded by himself.
(all releases are excellent and can be classified as MASTER PIECE)
Think of my message as a trigger for a better release. No other...
BR


@Hasby: The source code I fixed is older than the latest released binary, so that's why there might be some problems. I didn't code this myself, just re-released the latest source I had (newer than the latest publicly released source).


@Mr. eXoDia

Yeapp....
That is what I already thought.
You are one of the best coders that I have seen until now.
All your releases are nice and I would classify them as MASTER PIECE.
Just an advice: You should focus on your own code for a better release,
or create a new tool. I am sure that your release (your own code) would be a great tool again.
 


Hasby: Thanks for your advice.

I have an advice for you too: I know perfectly fine what to focus on. If you don't like what I did with this code, fix it yourself. It's open source for a reason.

  • 4 weeks later...
  • 1 month later...

Hi Mr. eXoDia!

 

I just compiled the latest source code of Enigma Devirtualizer from your repository with MS VS 2010 under Win XP SP3.

The DLL compiled successfully but is not working properly. The project is set to link BeaEngine and the Titanium library statically, but the compiled DLL needs both DLLs. (I used depends.exe to detect dependent and unresolved DLLs)

The Titanium DLL is not a problem; I can place it into the app directory and into the Dev. directory, but I didn't find the proper BeaEngine.dll.

I just downloaded the latest BeaEngine.dll from the official site (www.beaengine.org) but unfortunately it's not working with the DLL.

Maybe you can give me some hints on how to compile/link it properly?

The precompiled Enigma DLL from Raham doesn't need BeaEngine.dll.

 

Regards

  leader
