Tuts 4 You

[unpackme] The Enigma Protector-4.3-X32 [patch HWID and unpackme]


smnyabc


Just give us the startup password if you put a startup password on it.

This is not a password-guessing contest.

You talk about unpacking and patching the HWID.

I have patched the HWID but I'm stuck at a startup password.

Just post the password so we can reach the OEP, or do you want us to spend useless time patching a startup password?


Edited by GIV

Hi,

OK, I have checked this file and also bypassed the password check. :) I also made a short script which patches the ID & password check so that you get the file running, as you can see in my picture below.



//////////////////////////////////////////////////////////////
//
// HWID Patch & Password Bypass Script
//
// Example Script for only this UnpackMe....
//
// The Enigma Protector-4.3-X32 [patch HWID and unpackme]
//
// LCF-AT
//////////////////////////////////////////////////////////////
bphwc
bc
alloc 1000
mov SECTION, $RESULT
var ID_HOOK
var PASS_HOOK
var TEMP
var AT
exec
push 0
call {GetModuleHandleA}
ende
add AT, 00FF2C05+eax
add ID_HOOK, 000693D0+eax
add PASS_HOOK, 00FE7FE6+eax
bphws ID_HOOK
esto
bphwc
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
gpa "lstrlenA", "kernel32.dll"
mov TEMP, $RESULT
eval "call {TEMP}"
asm SECTION+2D, $RESULT
mov [SECTION+41], SECTION
gci ID_HOOK, DESTINATION
mov TEMP, $RESULT
eval "jmp {TEMP}"
asm SECTION+48, $RESULT
add SECTION, 29
eval "jmp {SECTION}"
asm ID_HOOK, $RESULT
sub SECTION, 29
bphws PASS_HOOK
bpgoto PASS_HOOK, PASS_HOOK_STOP
////////////////////////////////
RUN:
esto
pause
pause
////////////////////////////////
PASS_HOOK_STOP:
cmp [esp+14], AT
jne RUN
mov eip, SECTION+4D
bphwc
esto
pause
ret

greetz



Teddy Rogers

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]


Hi GIV,

so you also need to enter the valid Name & Key (see the txt file) if you get to see the reg nag. :)

greetz



OK.

I see now...

You changed the ID to be the same as the one in the file.

:)

Here is my raw dump....

What I have done:

1. Run LCF-AT's script for the HWID change.

2. Enter password: carckmeunapckme

3. Fix import redirection

4. Arrive at OEP (not in VM - piece of cake)

5. Fix VM'ed imports

6. Put all imports in one place with UIF

7. Dump and fix.




Hi, I am a newbie. I am looking for an answer about a problem with the execution of LCF-AT's script:

exec
push 0
call {GetModuleHandleA}
ende

When OllyScript executes these lines ("exec"), the whole program executes. May I ask why that is happening?

It does not just execute the lines between exec and ende, like the OllyScript manual says.

Thank you all.

Edited by Mahasona

Just now, windowbase said:

I have the above problem. Who can help me?

sean.

The protection has detected your patches.


I used x64dbg and modified the value in memory. Is there any other way to defeat this protection?

sean.

Edited by windowbase

windowbase

Can anyone please explain LCF-AT's script? I can't understand.


What are these?

mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#

mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#


Please give me your kind hands.

Regards.

sean.

Edited by windowbase
editing some words.

jackyjask

Number the lines

ask what line you have trouble with?

PS In English the word "help" is not used in plural


31 minutes ago, jackyjask said:

PS In English the word "help" is not used in plural

He's an English teacher btw


jackyjask

well, there is a "helps" word but that's not a noun!!!

that's a verb

he

she

it

helps

;)

but

I need help

you need help

they/we need help!

Edited by jackyjask

windowbase
11 hours ago, jackyjask said:

Number the lines

ask what line you have trouble with?

@jackyjask In summary, what is the script above? What does it do?

1:mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#

2:mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#

1 is the valid HWID.

2 is the patch code.

Regards.

sean.

Edited by windowbase
editing some words.
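To make windowbase's question about the two `#...#` literals concrete, here is an added example written for this page; it is not part of the thread and not LCF-AT's script. It reads the two `mov [SECTION...], #hex#` lines exactly as posted (copied into the string below), decodes literal 1 as the NUL-terminated ASCII HWID, and marks the bytes in literal 2 that the later `asm SECTION+2D`, `mov [SECTION+41]` and `asm SECTION+48` lines overwrite at run time, plus the `SECTION+4D` entry used by `mov eip, SECTION+4D`. The slot labels are read off the script's own offsets; nothing else is assumed.

```python
import re

# The two script lines under discussion, copied from the thread (constructed excerpt).
SCRIPT_EXCERPT = """
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
"""

# OllyScript 'mov [SECTION+off], #hex#': the offset and the #...# literal are hexadecimal.
MOV_RE = re.compile(r"mov\s+\[SECTION(?:\+([0-9A-Fa-f]+))?\],\s*#([0-9A-Fa-f]+)#")
STUB_OFF = 0x29  # literal 2 (the stub) is written at SECTION+29

# Stub bytes that later script lines overwrite with run-time values
# (asm SECTION+2D, mov [SECTION+41], asm SECTION+48) plus the entry that
# 'mov eip, SECTION+4D' jumps to at the password hook. Offsets are from SECTION.
SLOTS = {
    0x2D: ("call rel32 -> lstrlenA", 5),
    0x41: ("mov esi, imm32 -> address of the HWID string", 4),
    0x48: ("jmp rel32 -> original destination of ID_HOOK", 5),
    0x4D: ("password-bypass entry: pop esi/ebx/ecx/ecx/ebp ; ret", 6),
}

def parse_section_writes(text):
    """Return {offset_from_SECTION: bytes} for every 'mov [SECTION+off], #hex#' line."""
    writes = {}
    for m in MOV_RE.finditer(text):
        off = int(m.group(1), 16) if m.group(1) else 0
        writes[off] = bytes.fromhex(m.group(2))
    return writes

def decode_hwid(blob):
    """Literal 1 is a NUL-terminated ASCII string: the HWID the stub copies in."""
    return blob.split(b"\x00", 1)[0].decode("ascii")

def stub_slots(stub):
    """Map each patched slot to the placeholder bytes present in the posted literal."""
    return {off: (what, stub[off - STUB_OFF:off - STUB_OFF + n].hex().upper())
            for off, (what, n) in SLOTS.items()}

def guarded_hwid_length(stub):
    """The stub checks lstrlenA's result with 'cmp eax, imm8' (83 F8 xx) and copies
    'mov ecx, imm32' (B9 ..) bytes with rep movsb; return that length, or None if
    the two constants disagree (a sign the literal was mistyped)."""
    cmp_idx = stub.index(b"\x83\xF8")
    mov_idx = stub.index(b"\xB9")
    guard = stub[cmp_idx + 2]
    count = int.from_bytes(stub[mov_idx + 1:mov_idx + 5], "little")
    return guard if guard == count else None
```

Decoding literal 1 yields a 40-character HWID, which matches the 0x28 that the stub's length guard and copy count both use, so the two literals are consistent with each other.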

jackyjask

great!

you just put in the valuable info and those cryptic bytes are now very well understood

what would be the next puzzle question?

PS we are doing a decomposition job now

once we break all the lines into molecules/atoms we'll start building new blocks -> synthesis


windowbase
6 minutes ago, jackyjask said:

great!

you just put in the valuable info and those cryptic bytes are now very well understood

what would be the next puzzle question?

PS we are doing a decomposition job now

once we break all the lines into molecules/atoms we'll start building new blocks -> synthesis

@jackyjask I actually viewed LCF-AT's tutorials, so I understood easily, but OllyDbg script commands are still somewhat beyond me.

In this way, up to which versions of Enigma can the HWID be bypassed?

Do you know?

And it's only for x86?

Regards.

sean.

Edited by windowbase
Editing words.

jackyjask

yeah, mostly it was for x86 when LCFAT was busy with protectors and OllyDbg scripting (5-10 years ago...)

unfortunately (or luckily) LCFAT is now a fully dedicated browser ninja! :)

so it's up to us, kids of 2020+, to continue the great adventure and create more meat/bbq/cocacola fun :)

Edited by jackyjask
