Tuts 4 You

[UnpackMe] Enigma_3.80


SReg


Hi SReg,

aha! :) Enigma has changed the VM struct a little and also used new VM blocks [231] etc. Great! The script no longer works with this new VM without modding the DV[Enigma].dll. Anyway, here is my unpacked file. Test & tell whether it works for you.

greetz

UnPackMe.TEP.3.80_Unpacked.rar


@ LCF-AT

you are an unpacking machine, and you still hold the record

for the script

Themida: 6458 lines of pure commands

Enigma: 7050 lines of pure commands


@ SReg

Thanks

@ delldell

I try my best to write almost 1A scripts which can handle all versions if possible. :)

@ Lostin

Which kind of unpack problem do you have? So the unpack way of this new 3.80 is the same as before; they just changed the VM [added some kind of re-direction pointers into the VM table] and the DV plugin can't handle this new feature at the moment, so you have to wait till DizzY or Raham create a new update of the plugin. At the moment you can do these steps manually.


- Get OEP
- Find IAT RD - can fix 95 %
- Fix other RD APIs at OEP - just read the store location
- Get Stolen Code parts
-----------------------------------------
- Fix Outer VM - Manually at the moment
-----------------------------------------
- Fix 2 Enigma Custom APIs

So on the other hand you can try to unpack other Enigma files lower than 3.80 to get some practice. Just read or watch some Enigma tuts or scripts and try them.

greetz


I keep watching the code section until it is decrypted

bp on VirtualFree

run until the code section is decrypted

but I never land on OEP

is there any trick to use with this :huh:

I keep breaking here


00481CB3 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
00481CB5 89C1 MOV ECX,EAX
00481CB7 83E1 03 AND ECX,3
00481CBA F3:A4 REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
00481CBC 5F POP EDI ; 013E2E98
00481CBD 5E POP ESI ; 013E2E98
00481CBE C3 RETN

some targets only break at OEP after 2 calls to VirtualFree, but this one does not, so I think it is not the same

I really hope people explain in their tutorials why we need to do this thing, not just do it :huh:

Edited by Lostin

@ Lostin

So there are different ways to find the OEP of Enigma targets. So if you don't know how to find it, then start thinking a little. What does it need to break at OEP or near OEP?

One manually OEP find method

--------------------------------

- Load app in Olly

- Run app

- Check whether the target is a Delphi 10 app; if yes then the OEP is stored after the code section.

- Look into the code section where the last [or close to last] code byte was written and set a HWBP write on it.

- Restart and run till you break

- Now trace over the routines and set a mem BP on access on the code section, or below the code section [Delphi 10]

- Run. If you again break on rep commands then trace again over the routines [more than one] and press run again. After a while you can see where it writes the OEP into memory and then you have the OEP, so you just need some practice. :)

So on the other hand you can also try to use some pattern to get the OEP. :) So I know you are lazy, and to make it easy for you and others I wrote now a little script which can find the OEP and breaks on it. Just use it if you are still lazy. :)

It only finds the used OEP [intern & extern] and not more! Don't forget this.

greetz

Enigma 1.3 - 3.8 Turbo OEP Finder by LCF-AT.rar


Thank you friend

for this explanation. I now study your little script, and in this target the OEP can also be found using 2 BPs on VirtualProtect then a bp on access on the code section, but the OEP is VM in this case.

I am not lazy as you think, I try to learn, but these tutorials are not aimed at learning, just at following. I miss haggar's tutorials where he explained each step in depth.

now I have a problem with the IAT:

setting a hardware bp on write on

Hardware breakpoint 1 at UnPackMe.005B1294

will let you break here

005B128F 8B55 F0 MOV EDX,DWORD PTR SS:[EBP-10]
005B1292 8910 MOV DWORD PTR DS:[EAX],EDX
005B1294 43 INC EBX
005B1295 83FB 03 CMP EBX,3
005B1298 ^ 0F85 D2FEFFFF JNZ UnPackMe.005B1170

we can see in edx the emulated API address, so how to return it to a valid one? Or is this location where we break not right, because we are inside a VM and we need to devirtualize first?

are there any tips on this, my friend?

Also another question: I have a problem when I set "Skip some exceptions" in the StrongOD plugin, the hardware breakpoints are no longer breaking. Why is this? Is this a bug or something? Or is it just me?

Edited by Lostin

Hi Lostin,

note the script only works with 3 pattern checks = static way. For manual finding you have to find other ways which you can use for almost any protection. Just try the steps which I have posted to you.

Yes, the IAT is the problem for you if you can't rebuild the VM code, but also in that case there are some ways if you think and test a little. For this target you have to patch 2 addresses to get the whole IAT at once.


IAT START:
004616F4 00FDDC84 ; Using RD 1
004616F8 00FDDCC2
004616FC 00FDDD47
00461700 00000000

Here using RD 2 pointing to VM Jumpers
0046175C 0053D68C UnPackMe.0053D68C
00461768 0053D308 UnPackMe.0053D308
0046176C 0053D7CC UnPackMe.0053D7CC
00461778 0053D8E4 UnPackMe.0053D8E4
0046177C 0053D2E4 UnPackMe.0053D2E4
etc

Just binary copy the address of RD 2 and search in memory. Now you land in an IAT MEM Table. Scroll up.
+4 API or another RD address
+8 Table Pointer Address

Mem Table Location:
------------------------------------
$ ==> 00FD7930 00000086
$+4 00FD7934 770F4880 oleaut32.SysFreeString
$+8 00FD7938 00FB2ED4 --- A1
--------
$+C 00FD793C 00000086
$+10 00FD7940 770FA3EC oleaut32.SysReAllocStringLen
$+14 00FD7944 00FB2F18
--------
$+18 00FD7948 00000086
$+1C 00FD794C 770F4B39 oleaut32.SysAllocStringLen
$+20 00FD7950 00FB2F8C
--------
$ ==> 00FD7A44 00000022
$+4 00FD7A48 0053D68C UnPackMe.0053D68C --- NO API
$+8 00FD7A4C 00FC0C58 --- B1

Table IAT Locations
-----------------------
A1:
$ ==> 00FB2ED4 00000000
$+4 00FB2ED8 000616F4 = RVA + IB = 004616F4 | API = 770F4880 oleaut32.SysFreeString
$+8 00FB2EDC 00000016
$+C 00FB2EE0 00000001
$+10 00FB2EE4 00000001

B1:
$ ==> 00FC0C58 00000000
$+4 00FC0C5C 0006175C = RVA + IB = 0046175C | API = 0053D68C
$+8 00FC0C60 00000016
$+C 00FC0C64 00000001
$+10 00FC0C68 00000001
0053D68C JMP 005E2E1F ; JMP to VM

Another store table in mem:
-----------------------------------
$ ==> 0057B42C 00000001
$+4 0057B430 0053AD1C ASCII "kernel32.dll"
$+8 0057B434 7C800000 kernel32.7C800000
$+C 0057B438 0053AE80 ASCII "LoadLibraryExA"
$+10 0057B43C 7C801D53 kernel32.LoadLibraryExA
$+14 0057B440 0053D68C UnPackMe.0053D68C
$+18 0057B444 00000000
$+1C 0057B448 00000000

IAT Address: 0046175C - RD Address: 0053D68C = API: 7C801D53 kernel32.LoadLibraryExA

Fix to:
-----------------------------------
0046175C | 7C801D53 kernel32.LoadLibraryExA

Prevent Both IAT RDs!
-----------------------------------
Prevent overwriting Mem Table Location
0053D131 MOV DWORD PTR DS:[EDX+EAX*4+4],ECX ; Nop it

Result if you only nop it =
----------------------------------
00461760 7C80A4B5 kernel32.GetThreadLocale ; API
00461764 7C801EF2 kernel32.GetStartupInfoA ; API
00461768 0053D308 UnPackMe.0053D308 ; Still RD to VM JMPer
0046176C 0053D7CC UnPackMe.0053D7CC ; Still RD to VM JMPer

Patch writing API to Table Location 2
---------------------------------------
0053BB65 MOV DWORD PTR DS:[EBX+10],EAX ; kernel32.GetProcAddress
0053BB68 ADD EBX,20 ; table dis count adder

to

0053BB65 MOV DWORD PTR DS:[EBX+14],EAX ; kernel32.GetProcAddress

=
$ ==> 0057B58C 00000001
$+4 0057B590 0053AD1C ASCII "kernel32.dll"
$+8 0057B594 00000000
$+C 0057B598 0053AF88 ASCII "GetProcAddress"
$+10 0057B59C 00000000
$+14 0057B5A0 0053D308 UnPackMe.0053D308
$+18 0057B5A4 00000000
$+1C 0057B5A8 00000000

The RD address gets overwritten with the direct API GPA
$+14 0057B5A0 0053D308 UnPackMe.0053D308
=
$ ==> 0057B58C 00000001
$+4 0057B590 0053AD1C ASCII "kernel32.dll"
$+8 0057B594 7C800000 kernel32.7C800000
$+C 0057B598 0053AF88 ASCII "GetProcAddress"
$+10 0057B59C 00000000
$+14 0057B5A0 7C80AE40 kernel32.GetProcAddress
$+18 0057B5A4 00000000
$+1C 0057B5A8 00000000

Result if you change it =
----------------------------------
00461760 00FDE24E
00461764 00FDE25B
00461768 7C80AE40 kernel32.GetProcAddress ; API
0046176C 7C80B741 kernel32.GetModuleHandleA ; API

1. Change API writer to table to +14
2. Nop Mem API location overwriting
----------------------------------
3. Now you have the whole IAT fixed at OEP for this target

2 Enigma APIs, patch them manually!
----------------------------------
00461CB0 00546488 UnPackMe.00546488
00461CB4 00540FE0 UnPackMe.00540FE0

So you can also figure out both patch addresses by using BPs, but without fixing the VM you will break a lot of times into VM checker routines, and that will be the problem for you. Anyway, it's also possible without it and I hope you can understand my description above.

greetz


Wow, this is very nice, friend

but a problem: NOP this line

MOV DWORD PTR DS:[EDX+EAX*4+4],ECX

and the target no longer runs

Terminated, with the following in the log window

Process terminated, exit code 13E9E9E (20881054.)

maybe because of the CRC or something?

Question please, need an answer:

how did you get here:

MOV DWORD PTR DS:[EDX+EAX*4+4],ECX

and here

MOV DWORD PTR DS:[EBX+10],EAX

where to set a breakpoint on write to lead you here?

I checked your unpacked file that has the devirtualized OEP. I think the only missed part is the mov EAX,address to rebuild the OEP in a Delphi app.

the others are just fixed parts

PUSH EBP

MOV EBP,ESP

ADD ESP,10

MOV EAX,Address

Edited by Lostin

Uhhmmmm LOSTIN! :)

Yes, it's a CRC check, that's the reason why it terminates, so you should know this already!


0053D131 MOV DWORD PTR DS:[EDX+EAX*4+4],ECX ; Nop
0053D168 RETN ; Set BP and restore the nopped command above again!

"how did you get here" - I told you already how to get there. :) Set a BP on GPA and then check the registers and now you can start.

Check out these APIs ;)


GetProcAddress
GetModuleHandleA
LoadLibraryA

So the OEP is not the only virtualized part, there are some more. :) Of course you can try to rebuild the whole OEP routine if you can, but even if you have done it you need to rebuild some other commands too, and these commands you can only read from the VM Table [no static rebuild possible].

What to do now for you?

- OEP = You have it

- IAT = You have it

- StolenCode rebuild = Do you have already?

- Rebuild UV OEP routine = Do you have it = no!

- Fix 2 Enigma APIs = Do you have it = no!

StolenCode: Push xy | Jmp xy


00458790 JMP 00566C2C
004587AA JMP 00566C2C
004587E8 JMP 00566C2C
004587F7 JMP 00566C2C
00458816 JMP 00566C2C
0045886F JMP 00566C2C
0045888F JMP 00566C2C
0045889D JMP 00566C2C
004588CF JMP 00566C2C
00458775 JMP 00566C2C

Virtualized Outer VM: jmp | push xy | jmp xy


007F2BF9 JMP 005668D8
007F2C0B JMP 005668D8
007F2C22 JMP 005668D8
007F2C36 JMP 005668D8
007F2C48 JMP 005668D8
007F2C53 JMP 005668D8
007F2C6D JMP 005668D8
007F2C79 JMP 005668D8
007F2C89 JMP 005668D8
007F2C9B JMP 005668D8
007F2CAC JMP 005668D8
007F2CC4 JMP 005668D8
007F2CDA JMP 005668D8
      

Start at OEP


00459724 JMP 007F2BF4 ; OEP
007F2BF4 PUSH ED079B90
007F2BF9 JMP 005668D8
005668D8 PUSHAD
005639FE MOV EAX,DWORD PTR DS:[EBX]

See ebx now = follow dump

1.
------------------------------------
$ ==> >0000005A
$+4 >00000000
$+8 >00000000
$+C >0000008C Register
$+10 >0000002A EBP
etc
Push EBP

2. New Version = trace call ESI
------------------------------------
$ ==> >00000231
$+4 >00151F63
$+8 >00146CB9
$+C >00151E7C
$+10 >140F7461
etc
MOV EBP,ESP

3. New Version = trace call ESI
------------------------------------
$ ==> >00000231
$+4 >00151F63
$+8 >00151E7C
$+C >FFFFFFF0 -16 | -10
$+10 >4D6B4CD8
etc
ADD ESP,-10

4. New Version = trace call ESI
------------------------------------
$ ==> >00000231
$+4 >00151F63
$+8 >0014FCC5
$+C >00058930 RVA + IB = 00458930
$+10 >1AF0ACC5
etc
MOV EAX,458930

5.
------------------------------------
$ ==> >00000060
$+4 >00000000
$+8 >00000000
$+C >00000090
$+10 >00000000
$+14 >00000000
$+18 >00002000
$+1C >000065CC RVA
$+20 >0000008F
$+24 >00000000
$+28 >00000000
$+2C >00002000
$+30 >003F2C06
$+34 >00000000
$+38 >00000000
$+3C >00000000
$+40 >00000000
$+44 >00000000
call 004065CC
etc

Of course you need to know how to read the struct. :) So there is still a lot of work for you to do.

greetz


@ SReg

you can still change the title of your topic

- 1. edit

- now click the button that says [ Use Full Editor ]

then you will see the title of your topic so you can change it

@ LCF-AT

tested your script Enigma 1.3 - 3.8 Turbo OEP Finder by LCF-AT and it's working good!!


Wow my friend, this information is very valuable, like a diamond :thumbsup: specially the run to return then restore the nopped command, nice trick :thumbsup: so it is very nice to learn from you :thumbsup:

PS:

so this > New Version = trace call ESI

means to enter the command > 00563A38 CALL ESI

there is just junk there my friend, I read the same as your registers only at point

005639FE MOV EAX,DWORD PTR DS:[EBX]

then set a bp and run on the command Call ESI then enter with F7?

all went good but the reading of the structure I didn't get.

Edited by Lostin

@ delldell

Thanks for testing. :)

I just wrote it directly at this day for the "master of laziness" aka Lostin! :)

@ laziness ;)

Not really. Just try some VMP targets and you get crazy, so I think. :) Anyway, nice to hear that you got it working now. Keep going, so maybe you get the file unpacked & fixed too without checking my file.

PS: What about your StrongOD / Skip some exceptions HWBP problem? Did you find the reason? So you use the right plugins & Olly settings, or? Just use & enable what you also need and not more.

greetz

chickenbutt

Tutorials are for people who don't want skills in this field; something that tells you where to BP is worthless.. no offense

MUP through tracing and dumping, or forever have to ask for help.. These talents can defeat fast because they know how the protectors work (VM handlers, import hiding, encryptions etc..)

Themida is only harder because there are more VM handlers and better encryption


@ permana

What help? So I see the script brings you to the OEP = all ok. Now run the app and it should start, and if not then check the reason etc.

- First check original condition

- load app

- run app

- does it run or crash?

- VB apps mostly need some extra registered ocx etc. files or need to bypass internet checks. Also most VB Enigma targets use Enigma check APIs like EP_ProtectedStringByKey & EP_ProtectedStringByID. Check this too.

- Try to use the Enigma Unpacker script to get more info + unpacked file.

@ chickenbutt

Yes that's true.

greetz


ok bro. Then I tried using the Enigma Unpacker script to get more info + unpacked file. This is my result. Your script does not work :(


help me bro


hi

I know it's too late to post the unpacked file.

I was coding the new Enigma DeV (finished); on the other hand, I have other stuff to do :)

here is my unpacked file, fully devirtualized + strings decrypted + code decrypted.

also the unneeded section deleted to get a smaller file size.

Kind Regards

Raham.

Enigma38_Unpacked.rar
