converse Posted June 7, 2014 (edited) UnpackMe Enigma 4.10 (maximum protection) + registration dialog (HWID). Attachments: UnpackMe Enigma 4.10 (maximum protection).rar, UnpackMe Enigma 4.10 (maximum protection+HWID).rar. Edited June 7, 2014 by converse
Teddy Rogers Posted June 8, 2014 The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]
LCF-AT Posted June 9, 2014 Hi, unpacked first file only, so the HWID file should be the same, just with HWID. So in this case I save myself downloading the second BIGSIZE (for a little unpackme) file of 7+ MB, because I only have a download speed of mostly 10 KB/s (only here of course). greetz Attachment: UnpackMe Enigma 4.10 (maximum protection)_Unpacked.rar
Lostin Posted June 9, 2014 Nice unpacked me, LCF-AT. New VM, I think it's RISC, right?
LCF-AT Posted June 10, 2014 Hi, just any VM which used tons of memory. Also, at the end you only need to de-obfuscate the entire OEP routine, which you can handle manually. The file was also not maximum protected as converse told us. Just fix OEP routine + VMed imports which call the Inner VM + pre push value creator (lea esp...). So in any other last posted unpacked there is also the same new VM used, but there I just redirected / added the VM sections to the dump, but not this time. greetz
Lostin Posted June 10, 2014 (edited) I thought so. For the rebuild of the OEP, I think it's just fixed like all other Delphi 7 apps, but how would one find that Mov eax,address at first and the other calls? Edited June 10, 2014 by Lostin
LCF-AT Posted June 10, 2014 Just stop at OEP 005DF3B8 VA, then set mem BP access at code = 0040DE3C VA first routine call, and in eax you see the value you need to know. Also the same with the rest, just trace till routine end = back to VM, set mem access code = next stop at routine X. Now check register values and find them if needed to create the other commands between the calls in OEP routine. Pretty simple = good for me to play a little ping pong match. greetz
converse Posted June 11, 2014 Author (edited) Quoting LCF-AT: "Hi, The file was also not maximum protected as converse told us. greetz" The file is protected with all options; why do you say it is not maximum protection? (I purposely did not crypt the file, if that is what you mean; everything else is the maximum.) Edited June 11, 2014 by converse
LCF-AT Posted June 11, 2014 So you did not use any Outer VM in your UnpackMe, only the protector layer used Inner VM (default), but the Outer VM you have to enable and choose manually to VM the code in the codesection itself. Also I see no stolen codes etc. The only protection in the codesection itself is the obfuscated OEP routine, that's all. There are many more features which you can add to make a real maximum protected UnpackMe. Maybe next time. greetz
gen Posted June 29, 2014 @LCF-AT, what version of OllyDbg do you use to unpack Enigma? Can you be kind enough to share your tool that works with Enigma? Thanks
LCF-AT Posted June 30, 2014 "Know is power - nothing know does nothing" Just grab an Olly and the necessary plugins, then set up and start, and that's all already, and now you can also play with Enigma. No super duper hyper dyper special Olly necessary. For more info check out the Enigma topics around you. greetz
LCF-AT Posted July 24, 2014 @converse So I downloaded your HWID UnpackMe now and I see you didn't add any valid HWID / Name / Key data. Could you please post them for your UnpackMe Enigma 4.10 (maximum protection+HWID).exe file? I need to check your file + valid data together (with my new script). Thank you
GIV Posted March 9, 2015 (edited) Hi again (sorry again to revive an old post, but I am looking at Enigma files now). Here is the file unpacked with the VM in place (no OEP reconstruct). The size is huge compared with the file with reconstructed OEP. Attachment: UnpackMe Enigma 4.10 (maximum protection)_dump_SCY.rar Edited January 15, 2016 by GIV: Add attach here.