smnyabc Posted April 24, 2015 (edited)
patch HWID and unpackme
The Enigma Protector 4.3 (build 20150225)
License type: Single
tep4.3pacth+unpackme.rar
Edited April 24, 2015 by smnyabc
h4sh3m Posted April 24, 2015
Hi, is a start password required? Should we bypass this manually?
Best Regards, h4sh3m 3
GIV Posted April 24, 2015 (edited)
Just give us the startup password if you put a startup password. Here is not a guessing-password content. You talk about unpacking and patching the HWID. I have patched the HWID but I'm stuck next to a startup password. Just post the password so we can reach OEP, or do you want us to spend useless time patching a startup password?
Edited April 24, 2015 by GIV
LCF-AT Posted April 24, 2015
Hi, ok I have checked this file and bypassed also the password check. I also made a short script which does patch the ID & Pass check so that you get the file running, as you can see on my picture below.

//////////////////////////////////////////////////////////////
//
// HWID Patch & Password Bypass Script
//
// Example Script for only this UnpackMe....
//
// The Enigma Protector-4.3-X32 [patch HWID and unpackme]
//
// LCF-AT
//////////////////////////////////////////////////////////////
bphwc                          // clear hardware breakpoints
bc                             // clear software breakpoints
alloc 1000                     // block for the HWID string (offset 0) and the stub (offset 29)
mov SECTION, $RESULT
var ID_HOOK
var PASS_HOOK
var TEMP
var AT
exec                           // executed in the debuggee: eax = image base
push 0
call {GetModuleHandleA}
ende
add AT, 00FF2C05+eax           // stack value that identifies the password-check call path
add ID_HOOK, 000693D0+eax      // here eax points to the generated HWID string
add PASS_HOOK, 00FE7FE6+eax    // password check routine
bphws ID_HOOK
esto
bphwc
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#        // valid HWID, NUL-terminated ASCII
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#   // stub: if lstrlenA(eax) == 28 copy the string above over the generated HWID
gpa "lstrlenA", "kernel32.dll"
mov TEMP, $RESULT
eval "call {TEMP}"
asm SECTION+2D, $RESULT        // fill in the call target inside the stub
mov [SECTION+41], SECTION      // source pointer of the rep movsb = SECTION
gci ID_HOOK, DESTINATION
mov TEMP, $RESULT
eval "jmp {TEMP}"
asm SECTION+48, $RESULT        // stub returns to the original destination of ID_HOOK
add SECTION, 29
eval "jmp {SECTION}"
asm ID_HOOK, $RESULT           // redirect ID_HOOK into the stub
sub SECTION, 29
bphws PASS_HOOK
bpgoto PASS_HOOK, PASS_HOOK_STOP
////////////////////////////////
RUN:
esto
pause
pause
////////////////////////////////
PASS_HOOK_STOP:
cmp [esp+14], AT               // only handle the call that comes from the password dialog
jne RUN
mov eip, SECTION+4D            // stub epilogue: pop esi/ebx/ecx/ecx/ebp, ret
bphwc
esto
pause
ret

greetz 11
Teddy Rogers Posted April 25, 2015
The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you! [This is an automated reply]
LCF-AT Posted April 25, 2015
Hi, just unpacked and attached the file now.
greetz
Project1_protected_Unpacked.rar 4
GIV Posted April 27, 2015 (edited)
Password for start unpackme: carckmeunapckme
Edit: @LCF-AT Do you have any idea why your script does not work for me? http://www85.zippyshare.com/v/I42O9Hof/file.html
Edited April 27, 2015 by GIV
LCF-AT Posted April 27, 2015
Hi GIV, so you also need to enter the valid Name & Key (see txt file) if you get the reg nag to see.
greetz 3
GIV Posted April 27, 2015
OK. I see now... You changed the ID to be as the one in the file. Here is my raw dump.... http://www44.zippyshare.com/v/8gvCt0D9/file.html
What I have done:
1. Run LCF-AT's script for the HWID change.
2. Enter password: carckmeunapckme
3. Fix import redirection.
4. Arrive at OEP (not in VM - piece of cake).
5. Fix VM'ed imports.
6. Put all imports in one place with UIF.
7. Dump and fix. 3
Mahasona Posted June 14, 2020 (edited)
Hi, I am a newbie. I am looking for an answer about LCF-AT's script execution problem:
exec
push 0
call {GetModuleHandleA}
ende
These lines: when "EXEC" is executed by OllyScript, the whole program is executed. May I ask why that is happening? It does not just execute the lines between exec and ende, like the OllyScript manual says. Thank you all.
Edited June 14, 2020 by Mahasona
daniielolguiin Posted September 24, 2021
Hi, I'm starting unpacking; can someone help me understand how to decipher it?
Sean the hard worker Posted June 15, 2023
I have the above problem. Who can help me? sean.
X0rby Posted June 15, 2023
Just now, windowbase said: I have the above problem. Who can help me? sean.
The protection has detected your patches. 2
Sean the hard worker Posted June 15, 2023 (edited)
I used x64dbg and modified the value of memory. Any other way to defeat this protection? sean.
Edited June 15, 2023 by windowbase 1
krotty Posted June 15, 2023
4 hours ago, windowbase said: I have the above problem. Who can help me? sean.
CRC
Sean the hard worker Posted January 11 (edited)
Can anyone please explain LCF-AT's script? I can't understand.

//////////////////////////////////////////////////////////////
//
// HWID Patch & Password Bypass Script
//
// Example Script for only this UnpackMe....
//
// The Enigma Protector-4.3-X32 [patch HWID and unpackme]
//
// LCF-AT
//////////////////////////////////////////////////////////////
bphwc
bc
alloc 1000
mov SECTION, $RESULT
var ID_HOOK
var PASS_HOOK
var TEMP
var AT
exec
push 0
call {GetModuleHandleA}
ende
add AT, 00FF2C05+eax
add ID_HOOK, 000693D0+eax
add PASS_HOOK, 00FE7FE6+eax
bphws ID_HOOK
esto
bphwc
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
gpa "lstrlenA", "kernel32.dll"
mov TEMP, $RESULT
eval "call {TEMP}"
asm SECTION+2D, $RESULT
mov [SECTION+41], SECTION
gci ID_HOOK, DESTINATION
mov TEMP, $RESULT
eval "jmp {TEMP}"
asm SECTION+48, $RESULT
add SECTION, 29
eval "jmp {SECTION}"
asm ID_HOOK, $RESULT
sub SECTION, 29
bphws PASS_HOOK
bpgoto PASS_HOOK, PASS_HOOK_STOP
////////////////////////////////
RUN:
esto
pause
pause
////////////////////////////////
PASS_HOOK_STOP:
cmp [esp+14], AT
jne RUN
mov eip, SECTION+4D
bphwc
esto
pause
ret

What are these?
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
Please give me your kind hands. Regards. sean.
Edited January 12 by windowbase: editing some words. 1
jackyjask Posted January 11
Number the lines and ask what line you have trouble with?
PS In English the word "help" is not used in the plural.
X0rby Posted January 11
31 minutes ago, jackyjask said: PS In English the word "help" is not used in the plural.
He's an English teacher btw 1
jackyjask Posted January 11 (edited)
well, there is a "helps" word but that's not a noun!!! that's a verb: he/she/it helps. but I need help, you need help, they/we need help!
Edited January 11 by jackyjask 1
Sean the hard worker Posted January 12 (edited)
11 hours ago, jackyjask said: Number the lines and ask what line you have trouble with?
@jackyjask In summary, what script is above? What does it do?
1: mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
2: mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
1 is the valid HWID. 2 is the patch code.
Regards. sean.
Edited January 12 by windowbase: editing some words. 1
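To make the two blobs from LCF-AT's script (the "1 is the valid HWID, 2 is the patch code" lines above) concrete, here is an added Python example that is not part of the thread and not LCF-AT's code: it decodes blob 1 as a NUL-terminated ASCII string, disassembles blob 2 with a minimal x86 decoder that knows only the opcodes the stub uses, and checks that the offsets the script patches afterwards (SECTION+2D, +41, +48, +4D) land on the stub's operands. The two hex strings are copied from the script; everything else is my own.

```python
# Added example (not LCF-AT's code): decode the two blobs the script writes at
# SECTION and SECTION+29. Both hex strings are copied from the script above.
HWID_BLOB = ("4134423746343232363343393832393846383145394335423136323133353445"
             "344538333836354500")
STUB_BLOB = ("608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461"
             "E9000000005E5B59595DC3")
STUB_BASE = 0x29  # blob 2 sits right after the NUL that ends the HWID string
# Only the opcodes that occur in the stub: leading bytes -> (length, mnemonic).
OPCODES = {
    b"\x60": (1, "pushad"), b"\x8b\xf8": (2, "mov edi, eax"), b"\x50": (1, "push eax"),
    b"\xe8": (5, "call rel32"), b"\x83\xf8": (3, "cmp eax, imm8"),
    b"\x0f\x85": (6, "jne rel32"), b"\xb9": (5, "mov ecx, imm32"),
    b"\xbe": (5, "mov esi, imm32"), b"\xf3\xa4": (2, "rep movsb"), b"\x61": (1, "popad"),
    b"\xe9": (5, "jmp rel32"), b"\x5e": (1, "pop esi"), b"\x5b": (1, "pop ebx"),
    b"\x59": (1, "pop ecx"), b"\x5d": (1, "pop ebp"), b"\xc3": (1, "ret"),
}

def decode_hwid(hex_blob):
    """Blob 1 is a NUL-terminated ASCII string: the HWID the supplied key is for."""
    return bytes.fromhex(hex_blob).split(b"\x00", 1)[0].decode("ascii")

def disassemble_stub(hex_blob, base=STUB_BASE):
    """Blob 2 is x86 code; return [(offset from SECTION, mnemonic, raw bytes)]."""
    code, pos, out = bytes.fromhex(hex_blob), 0, []
    while pos < len(code):
        for n in (2, 1):  # try two-byte opcodes first
            if code[pos:pos + n] in OPCODES:
                length, name = OPCODES[code[pos:pos + n]]
                out.append((base + pos, name, code[pos:pos + length]))
                pos += length
                break
        else:
            raise ValueError(f"unknown opcode at SECTION+{base + pos:X}")
    return out

def first(listing, name):
    """Offset and raw bytes of the first instruction with this mnemonic."""
    return next((off, raw) for off, mnem, raw in listing if mnem == name)

def script_patch_points(listing):
    """Offsets the script writes to once the stub is in place, keyed by intent."""
    return {"asm SECTION+2D, call lstrlenA": first(listing, "call rel32")[0],
            "mov [SECTION+41], SECTION (rep movsb source)": first(listing, "mov esi, imm32")[0] + 1,
            "asm SECTION+48, jmp to original code": first(listing, "jmp rel32")[0],
            "mov eip, SECTION+4D (pops + ret of the check)": first(listing, "pop esi")[0]}

def length_check(listing):
    """imm8 compared with lstrlenA's result, and where jne goes if it differs."""
    cmp_raw, (jne_off, jne_raw) = first(listing, "cmp eax, imm8")[1], first(listing, "jne rel32")
    return cmp_raw[2], jne_off + 6 + int.from_bytes(jne_raw[2:], "little", signed=True)
```

Running it shows the stub only copies the 40-character HWID when lstrlenA reports exactly 0x28 characters; otherwise the jne skips straight to popad, so a buffer of unexpected size is left untouched.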
jackyjask Posted January 12
great! you just put the valuable info and those cryptic bytes are now very well understood. what would be the next puzzle question?
PS we are doing a decomposition job now; once we break all the lines to molecules/atoms we'll start building new blocks -> synthesis
Sean the hard worker Posted January 12 (edited)
6 minutes ago, jackyjask said: great! you just put the valuable info and those cryptic bytes are now very well understood. what would be the next puzzle question? PS we are doing a decomposition job now; once we break all the lines to molecules/atoms we'll start building new blocks -> synthesis
@jackyjask I actually viewed LCF-AT's tutorials, so I understood easily. But OllyDbg script commands are somewhat away from me. In this way, up to which versions of Enigma can the HWID be bypassed? Do you know? And is it only for x86?
Regards. sean.
Edited January 12 by windowbase: editing words. 1
jackyjask Posted January 12 (edited)
yeah, mostly it was for x86 when LCFAT was busy with protectors and OllyDbg scripting (5-10 years ago...). unfortunately (or luckily) LCFAT is now a fully dedicated browser ninja! so it's up to us, kids of 2020+, to continue the great adventure and create more meat/bbq/cocacola fun
Edited January 12 by jackyjask 1 1