SReg Posted August 5, 2012 (edited)

All Protection Options
Enjoy ! ; )

UnPackMe.TEP.3.80.rar

Edited August 8, 2012 by SReg
LCF-AT Posted August 6, 2012

Hi SReg,

aha! Enigma has changed the VM struct a little and also used new VM blocks [231] etc. Great! The script no longer works with this new VM without modding the DV[Enigma].dll. Anyway, here is my unpacked file. Test & tell whether it works for you.

greetz

UnPackMe.TEP.3.80_Unpacked.rar
delldell Posted August 6, 2012

@ LCF-AT
You are an Unpacking machine. And still you have the record of the Script:
Themida 6458 lines of pure commands
Enigma 7050 lines of pure commands
Lostin Posted August 6, 2012

Tutorial please on this! I tried it but I didn't get success.
LCF-AT Posted August 6, 2012

@ SReg
Thanks

@ delldell
I try my best to write almost 1A scripts which can handle all versions if possible.

@ Lostin
Which kind of unpack problem do you have? So the unpack way of this new 3.80 is the same as before, they just changed the VM [added some kind of re-direction pointers into the VM Table] and the DV plugin can't handle this new feature at the moment, so you have to wait till DizzY or Raham create a new update of the plugin. At the moment you can do these steps manually.

- Get OEP
- Find IAT RD - can fix 95 %
- Fix other RD APIs at OEP - Just read store location
- Get Stolen Code parts
------------------------------------------
- Fix Outer VM - Manually at the moment
------------------------------------------
- Fix 2 Enigma Custom APIs

So on the other hand you can try to unpack other Enigma files lower than 3.80 to get some practice. Just read or watch some Enigma tuts or scripts and try them.

greetz
Lostin Posted August 6, 2012 (edited)

I keep watching the code section until it is decrypted, bp on VirtualFree, run until the code section is decrypted, but I never land on OEP. Is there any trick to use with this? I keep on breaking here:

00481CB3 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00481CB5 89C1 MOV ECX,EAX
00481CB7 83E1 03 AND ECX,3
00481CBA F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00481CBC 5F POP EDI ; 013E2E98
00481CBD 5E POP ESI ; 013E2E98
00481CBE C3 RETN

Some targets only break at OEP after 2 calls on VirtualFree, but not this one, so I think it is not the same. I really hope people explain in their tutorials why we need to do this thing, not just do it.

Edited August 6, 2012 by Lostin
LCF-AT Posted August 7, 2012

@ Lostin
So there are different ways to find the OEP of Enigma targets. So if you don't know how to find it then start thinking a little. What does it need to break at OEP or near OEP?

One manual OEP find method
--------------------------------
- Load app in Olly
- Run app
- Check target whether it's a Delphi 10 app; if yes then OEP is stored after codesection.
- Look into codesection where the last [or close to last] code byte was written, set HWBP write on it.
- Restart and run till you break
- Now trace over the routines, set mem BP access code or below code [delphi 10]
- Run. If you again break on rep commands then trace again over the routines [more than one] and press run again. After a while you can see where it writes the OEP into memory and then you have the OEP, so you just need some practice.

So on the other hand you can also try to use some pattern to get the OEP. So I know you are lazy and to make it easy for you and others I wrote now a little script which can find the OEP and breaks on it. Just use it if you are still lazy. It only finds the used OEP [intern & extern] and not more! Don't forget this.

greetz

Enigma 1.3 - 3.8 Turbo OEP Finder by LCF-AT.rar
Lostin Posted August 8, 2012 (edited)

Thank you friend for this explanation. I now study your little script, and in this target OEP can also be found using 2 BP on VirtualProtect then bp on access code section, but OEP is VM in this case. I am not lazy as you think, I try to learn, but the tutorials are not aimed to learn, just to follow. I miss haggar's tutorials where he explained each step in depth.

Now I have a problem with IAT: setting a hardware bp on write on

Hardware breakpoint 1 at UnPackMe.005B1294

will let you break here:

005B128F 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
005B1292 8910 MOV DWORD PTR DS:[EAX],EDX
005B1294 43 INC EBX
005B1295 83FB 03 CMP EBX,3
005B1298 ^ 0F85 D2FEFFFF JNZ UnPackMe.005B1170

We can see in edx the emulated API address, so how to return it to valid? Or is this location we break on not right because we are inside a VM and we need to devirtualize first? Is there any tip on this, my friend?

Also another question: I have a problem when setting "Skip some exceptions" in the StrongOD plugin, the Hardware breakpoints are no longer breaking. Why is this? Is this a bug or something? Or is it just me.

Edited August 8, 2012 by Lostin
LCF-AT Posted August 8, 2012

Hi Lostin,

note the script only works with 3 pattern checks = static way. For manual finding you have to find other ways which you can use for almost any protection. Just try the steps which I have posted to you. Yes, the IAT is the problem for you if you can't rebuild the VM code, but also in that case there are some ways if you think and test a little. For this target you have to patch 2 addresses to get the whole IAT at once.

IAT START:
004616F4 00FDDC84 ; Using RD 1
004616F8 00FDDCC2
004616FC 00FDDD47
00461700 00000000

Here using RD 2 pointing to VM Jumpers
0046175C 0053D68C UnPackMe.0053D68C
00461768 0053D308 UnPackMe.0053D308
0046176C 0053D7CC UnPackMe.0053D7CC
00461778 0053D8E4 UnPackMe.0053D8E4
0046177C 0053D2E4 UnPackMe.0053D2E4
etc

Just binary copy the address of RD 2 and search into memory - now you land in an IAT MEM Table. Scroll up.
+4 API or another RD address
+8 Table Pointer Address

Mem Table Location:
------------------------------------
$ ==> 00FD7930 00000086
$+4 00FD7934 770F4880 oleaut32.SysFreeString
$+8 00FD7938 00FB2ED4 --- A1
--------
$+C 00FD793C 00000086
$+10 00FD7940 770FA3EC oleaut32.SysReAllocStringLen
$+14 00FD7944 00FB2F18
--------
$+18 00FD7948 00000086
$+1C 00FD794C 770F4B39 oleaut32.SysAllocStringLen
$+20 00FD7950 00FB2F8C
--------
$ ==> 00FD7A44 00000022
$+4 00FD7A48 0053D68C UnPackMe.0053D68C --- NO API
$+8 00FD7A4C 00FC0C58 --- B1

Table IAT Locations
-----------------------
A1:
$ ==> 00FB2ED4 00000000
$+4 00FB2ED8 000616F4 = RVA + IB = 004616F4 | API = 770F4880 oleaut32.SysFreeString
$+8 00FB2EDC 00000016
$+C 00FB2EE0 00000001
$+10 00FB2EE4 00000001

B1:
$ ==> 00FC0C58 00000000
$+4 00FC0C5C 0006175C = RVA + IB = 0046175C | API = 0053D68C
$+8 00FC0C60 00000016
$+C 00FC0C64 00000001
$+10 00FC0C68 00000001

0053D68C JMP 005E2E1F ; JMP to VM

Another store table in mem:
-----------------------------------
$ ==> 0057B42C 00000001
$+4 0057B430 0053AD1C ASCII "kernel32.dll"
$+8 0057B434 7C800000 kernel32.7C800000
$+C 0057B438 0053AE80 ASCII "LoadLibraryExA"
$+10 0057B43C 7C801D53 kernel32.LoadLibraryExA
$+14 0057B440 0053D68C UnPackMe.0053D68C
$+18 0057B444 00000000
$+1C 0057B448 00000000

IAT Address: 0046175C - RD Address: 0053D68C = API: 7C801D53 kernel32.LoadLibraryExA

Fix to:
-----------------------------------
0046175C | 7C801D53 kernel32.LoadLibraryExA

Prevent Both IAT RDs!
-----------------------------------
Prevent overwriting Mem Table Location
0053D131 MOV DWORD PTR DS:[EDX+EAX*4+4],ECX ; Nop it

Result if you only nop it =
----------------------------------
00461760 7C80A4B5 kernel32.GetThreadLocale ; API
00461764 7C801EF2 kernel32.GetStartupInfoA ; API
00461768 0053D308 UnPackMe.0053D308 ; Still RD to VM JMPer
0046176C 0053D7CC UnPackMe.0053D7CC ; Still RD to VM JMPer

Patch writing API to Table Location 2
---------------------------------------
0053BB65 MOV DWORD PTR DS:[EBX+10],EAX ; kernel32.GetProcAddress
0053BB68 ADD EBX,20 ; table dis count adder
to
0053BB65 MOV DWORD PTR DS:[EBX+14],EAX ; kernel32.GetProcAddress
=
$ ==> 0057B58C 00000001
$+4 0057B590 0053AD1C ASCII "kernel32.dll"
$+8 0057B594 00000000
$+C 0057B598 0053AF88 ASCII "GetProcAddress"
$+10 0057B59C 00000000
$+14 0057B5A0 0053D308 UnPackMe.0053D308
$+18 0057B5A4 00000000
$+1C 0057B5A8 00000000

The RD address gets overwritten with the direct API GPA
$+14 0057B5A0 0053D308 UnPackMe.0053D308
=
$ ==> 0057B58C 00000001
$+4 0057B590 0053AD1C ASCII "kernel32.dll"
$+8 0057B594 7C800000 kernel32.7C800000
$+C 0057B598 0053AF88 ASCII "GetProcAddress"
$+10 0057B59C 00000000
$+14 0057B5A0 7C80AE40 kernel32.GetProcAddress
$+18 0057B5A4 00000000
$+1C 0057B5A8 00000000

Result if you change it =
----------------------------------
00461760 00FDE24E
00461764 00FDE25B
00461768 7C80AE40 kernel32.GetProcAddress ; API
0046176C 7C80B741 kernel32.GetModuleHandleA ; API

1. Change API writer to table to +14
2. Nop Mem API location overwriting
----------------------------------
3. Now you have the whole IAT fixed at OEP for this target

2 Enigma APIs, patch them manually!
----------------------------------
00461CB0 00546488 UnPackMe.00546488
00461CB4 00540FE0 UnPackMe.00540FE0

So both patch addresses you can also figure out using BPs, but without fixing the VM you will break a lot of times into VM checker routines, that will be the problem for you. Anyway, so it's also possible without it and I hope you can understand my description above.

greetz
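The walk LCF-AT describes above (mem table entry -> IAT-location record -> IAT slot, and RD address -> store table record -> real API) can be done offline over a memory dump instead of by hand in Olly. The script below is an added example, not LCF-AT's script or any Enigma tool; the table layouts are taken as described in the post (mem table entry of 3 dwords: flag, API-or-RD, pointer to an IAT-location record whose +4 is the slot RVA; store table record of 8 dwords: flag, DLL name, module base, API name, API, RD, 0, 0) and are labelled as assumptions in the code. The memory snapshot is constructed from the dump values in the post, with entries laid out contiguously and one extra RD (0053D7CC) deliberately left without a store record to show how an unresolvable redirect is reported rather than silently written as if it were an API.

```python
# Added example: rebuild IAT slots from an Enigma-style mem table + store table
# found in a memory dump. Layout assumptions (from the post above, not verified
# against the protector's source):
#   mem table entry (12 bytes):  +0 flag | +4 API or RD address | +8 ptr to IAT-location record
#   IAT-location record:         +4 RVA of the IAT slot  (slot = RVA + image base)
#   store table record (32 bytes): +0 flag | +4 ptr DLL name | +8 module base
#                                  +C ptr API name | +10 API address | +14 RD address | +18, +1C zero

IMAGE_BASE = 0x00400000
IMAGE_SIZE = 0x00200000          # constructed: any value inside the image is a RD, not an API
MEM_TABLE_ENTRY = 0x0C
STORE_RECORD = 0x20


def build_snapshot():
    """Constructed dword map and string map modelled on the dumps in the post."""
    dwords, strings = {}, {}

    def rec(base, values):
        for i, v in enumerate(values):
            dwords[base + 4 * i] = v & 0xFFFFFFFF

    # IAT-location records (A1 / B1 in the post; the last two are constructed)
    rec(0x00FB2ED4, [0, 0x000616F4, 0x16, 1, 1])   # -> IAT slot 004616F4
    rec(0x00FC0C58, [0, 0x0006175C, 0x16, 1, 1])   # -> IAT slot 0046175C
    rec(0x00FC0C70, [0, 0x00061768, 0x16, 1, 1])   # -> IAT slot 00461768
    rec(0x00FC0C88, [0, 0x0006176C, 0x16, 1, 1])   # -> IAT slot 0046176C

    # Mem table (constructed as four contiguous entries)
    mem_table = 0x00FD7930
    rec(mem_table, [
        0x86, 0x770F4880, 0x00FB2ED4,   # oleaut32.SysFreeString, direct API
        0x22, 0x0053D68C, 0x00FC0C58,   # RD to VM jumper ("NO API" in the post)
        0x22, 0x0053D308, 0x00FC0C70,   # RD to VM jumper
        0x22, 0x0053D7CC, 0x00FC0C88,   # RD with no store record (constructed gap)
    ])

    # Store table: RD -> real API, as in the LoadLibraryExA record of the post
    strings[0x0053AD1C] = "kernel32.dll"
    strings[0x0053AE80] = "LoadLibraryExA"
    strings[0x0053AF88] = "GetProcAddress"
    store_table = 0x0057B42C
    rec(store_table, [
        1, 0x0053AD1C, 0x7C800000, 0x0053AE80, 0x7C801D53, 0x0053D68C, 0, 0,
        1, 0x0053AD1C, 0x7C800000, 0x0053AF88, 0x7C80AE40, 0x0053D308, 0, 0,
    ])
    return dwords, strings, mem_table, 4, store_table, 2


def read_dword(dwords, addr):
    if addr not in dwords:
        raise ValueError(f"unmapped dword at {addr:08X}")
    return dwords[addr]


def is_redirect(value):
    """A slot value inside the protected module's own image is a RD (VM jumper), not an API."""
    return IMAGE_BASE <= value < IMAGE_BASE + IMAGE_SIZE


def load_store_table(dwords, strings, base, count):
    """Map RD address -> (API address, 'dll!name') from the store table records."""
    by_rd = {}
    for i in range(count):
        r = base + i * STORE_RECORD
        dll = strings.get(read_dword(dwords, r + 0x04), "?")
        name = strings.get(read_dword(dwords, r + 0x0C), "?")
        api = read_dword(dwords, r + 0x10)
        rd = read_dword(dwords, r + 0x14)
        if rd and api:                     # skip records whose API was never resolved
            by_rd[rd] = (api, f"{dll}!{name}")
    return by_rd


def rebuild_iat(dwords, strings, mem_table, n_entries, store_table, n_records):
    """Return ({iat_slot: api_or_None}, [(iat_slot, rd) that could not be resolved])."""
    by_rd = load_store_table(dwords, strings, store_table, n_records)
    fixed, unresolved = {}, []
    for i in range(n_entries):
        e = mem_table + i * MEM_TABLE_ENTRY
        value = read_dword(dwords, e + 4)
        loc = read_dword(dwords, e + 8)
        slot = IMAGE_BASE + read_dword(dwords, loc + 4)   # RVA + IB, as in the post
        if not is_redirect(value):
            fixed[slot] = value                            # already a direct API
        elif value in by_rd:
            fixed[slot] = by_rd[value][0]                  # RD resolved via store table
        else:
            fixed[slot] = None                             # still a RD to a VM jumper
            unresolved.append((slot, value))
    return fixed, unresolved


if __name__ == "__main__":
    fixed, unresolved = rebuild_iat(*build_snapshot())
    for slot in sorted(fixed):
        api = fixed[slot]
        print(f"{slot:08X} -> {'(unresolved RD)' if api is None else f'{api:08X}'}")
    for slot, rd in unresolved:
        print(f"manual fix needed: {slot:08X} still points to VM jumper {rd:08X}")
```

On a real dump the same walk applies once the mem table and store table bases and counts are known; the unresolved list is exactly the set of slots that the post says still need the second patch (the API writer at +14) or manual fixing.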
Lostin Posted August 8, 2012 (edited)

Wow this is very nice friend, but problem: NOP this line

MOV DWORD PTR DS:[EDX+EAX*4+4],ECX

and the target no longer runs. Terminated with the following in the log window:

Process terminated, exit code 13E9E9E (20881054.)

Maybe because of the CRC or something?

Question please, need answer: how did you get here:

MOV DWORD PTR DS:[EDX+EAX*4+4],ECX

and here

MOV DWORD PTR DS:[EBX+10],EAX

Where to set a breakpoint on write to lead you here?

I checked your unpacked file that has the devirtualized OEP. I think the only missed part is the mov EAX,address to rebuild OEP in a delphi app, the others are just fixed parts:

PUSH EBP
MOV EBP,ESP
ADD ESP,10
MOV EAX,Address

Edited August 8, 2012 by Lostin
LCF-AT Posted August 8, 2012

Uhhmmmm LOSTIN! Yes, it's a CRC check, that's the reason why it terminates, so you should know this already!

0053D131 MOV DWORD PTR DS:[EDX+EAX*4+4],ECX ; Nop
0053D168 RETN ; Set BP and restore nopped command above again!

"how did you get here" - I told you already how to get there. Set BP on GPA and then check registers and now you can start. Check out these APIs:
GetProcAddress
GetModuleHandleA
LoadLibraryA

So the OEP is not the only virtualized part, there are some more. Of course you can try to rebuild the whole OEP routine if you can, but also if you have it done then you need to rebuild some other commands too, and these commands you can only read from the VM Table [no static rebuild possible].

What to do now for you?
- OEP = You have it
- IAT = You have it
- StolenCode rebuild = Do you have it already?
- Rebuild UV OEP routine = Do you have it = no!
- Fix 2 Enigma APIs = Do you have it = no!

StolenCode: Push xy | Jmp xy
00458790 JMP 00566C2C
004587AA JMP 00566C2C
004587E8 JMP 00566C2C
004587F7 JMP 00566C2C
00458816 JMP 00566C2C
0045886F JMP 00566C2C
0045888F JMP 00566C2C
0045889D JMP 00566C2C
004588CF JMP 00566C2C
00458775 JMP 00566C2C

Virtualized Outer VM: jmp | push xy | jmp xy
007F2BF9 JMP 005668D8
007F2C0B JMP 005668D8
007F2C22 JMP 005668D8
007F2C36 JMP 005668D8
007F2C48 JMP 005668D8
007F2C53 JMP 005668D8
007F2C6D JMP 005668D8
007F2C79 JMP 005668D8
007F2C89 JMP 005668D8
007F2C9B JMP 005668D8
007F2CAC JMP 005668D8
007F2CC4 JMP 005668D8
007F2CDA JMP 005668D8

Start at OEP
00459724 JMP 007F2BF4 ; OEP
007F2BF4 PUSH ED079B90
007F2BF9 JMP 005668D8
005668D8 PUSHAD
005639FE MOV EAX,DWORD PTR DS:[EBX]
See ebx now = follow dump

1.
------------------------------------
$ ==> >0000005A
$+4 >00000000
$+8 >00000000
$+C >0000008C Register
$+10 >0000002A EBP
etc
Push EBP

2. New Version = trace call ESI
------------------------------------
$ ==> >00000231
$+4 >00151F63
$+8 >00146CB9
$+C >00151E7C
$+10 >140F7461
etc
MOV EBP,ESP

3. New Version = trace call ESI
------------------------------------
$ ==> >00000231
$+4 >00151F63
$+8 >00151E7C
$+C >FFFFFFF0 -16 | -10
$+10 >4D6B4CD8
etc
ADD ESP,-10

4. New Version = trace call ESI
------------------------------------
$ ==> >00000231
$+4 >00151F63
$+8 >0014FCC5
$+C >00058930 RVA + IB = 00458930
$+10 >1AF0ACC5
etc
MOV EAX,458930

5.
------------------------------------
$ ==> >00000060
$+4 >00000000
$+8 >00000000
$+C >00000090
$+10 >00000000
$+14 >00000000
$+18 >00002000
$+1C >000065CC RVA
$+20 >0000008F
$+24 >00000000
$+28 >00000000
$+2C >00002000
$+30 >003F2C06
$+34 >00000000
$+38 >00000000
$+3C >00000000
$+40 >00000000
$+44 >00000000
call 004065CC
etc

Of course you need to know how to read the struct. So there is still a lot of work for you to do.

greetz
delldell Posted August 8, 2012

@ SReg
You still can change the title of your topic:
1. edit
2. now click the button that says [ Use Full Editor ]
then you will see the title of your topic so you can change it.

@ LCF-AT
Tested your script Enigma 1.3 - 3.8 Turbo OEP Finder by LCF-AT and it is working Good!!
Lostin Posted August 8, 2012 (edited)

Wow my friend, this information is very valuable, like diamond, specially the run to return then restore nop command, nice trick, so it is very nice to learn from you.

PS: so this > New Version = trace call ESI means to enter the command > 00563A38 CALL ESI? There are just junks there my friend. I read the same as your registers only at point 005639FE MOV EAX,DWORD PTR DS:[EBX], then set a bp and run on the command Call ESI then enter with F7? All went good but the reading of the structure I didn't get.

Edited August 8, 2012 by Lostin
LCF-AT Posted August 8, 2012

@ delldell
Thanks for testing. I just wrote it directly on that day for the "master of laziness" aka Lostin!

@ laziness
Not really. Just try some VMP targets and you get crazy, so I think. Anyway, so nice to hear that you got it working now. Keep going, so maybe you get the file unpacked & fixed too without checking my file.

PS: What about your StrongOD / Skip some exceptions HWBP problem? Did you find the reason? So you use the right plugins & Olly settings, or? Just use & enable what you also need and not more.

greetz
permana Posted August 9, 2012

I use your script bro. And this is my result. Help me bro LCF-AT )
chickenbutt Posted August 9, 2012

Tutorials are for people who don't want skills in this field; something that tells you where to BP is worthless.. no offense. MUP through tracing and dumping, or forever have to ask for help.. These talents can defeat fast because they know how the protectors work (VM handlers, import hiding, encryptions etc..). Themida is only harder because there are more VM handlers and better encryption.
LCF-AT Posted August 9, 2012

@ permana
What help? So I see the script brings you to the OEP = all ok. Now run the app and it should start, and if not then check the reason etc.
- First check original condition
- load app
- run app
- does it run or crash?
- VB apps mostly need some extra registered ocx etc files or need to bypass internet checks. Also most VB Enigma targets use Enigma check APIs like EP_ProtectedStringByKey & EP_ProtectedStringByID. Check this too.
- Try to use the Enigma Unpacker script to get more infos + unpacked file.

@ chickenbutt
Yes, that's true.

greetz
permana Posted August 9, 2012

Ok bro. Then I tried to use the Enigma Unpacker script to get more infos + unpacked file. Then this is my result. Your script does not work, help me bro.
SReg Posted August 9, 2012 Author

@permana
This script has some problem on vista/win7. Try to use a nice OS - WinXP.
Raham Posted August 17, 2012

Hi,
I know it's too late to post an unpacked file. I was coding the New Enigma DeV (finished); on the other hand, I have other stuff to do :)
Here is my unpacked file, Fully Devirtualized + String Decrypted + Code Decrypted. Also the unneeded section was deleted to get a smaller file size.

Kind Regards
Raham.

Enigma38_Unpacked.rar
delldell Posted August 18, 2012

Excellent Raham, the UnpackMe on my OS is working very well.
Priboi Posted January 28

Hello, I want to unpack this target but I have a problem on the final step. I used LCF-AT Enigma Alternativ Unpacker 1.1. I have done all that is needed but still the exe is not running. And I am getting 2 errors on two addresses and can't figure out why I get them. Can you help me, guys?

script log: https://pastebin.com/Bmz610nD

enigma3.8myunpackme.rar