Posted April 24, 2015
patch HWID and unpackme
The Enigma Protector 4.3 (build 20150225)
License type: Single
tep4.3pacth+unpackme.rar
Edited April 24, 2015 by smnyabc

April 24, 2015
Just give us the startup password if you put a startup password. Here is not a guessing password content. You talk about unpack and patch HWID. I have patched the HWID but I'm stuck next to a startup password. Just post the password so we can reach OEP, or do you want us to spend useless time for patching a startup password?
Edited April 24, 2015 by GIV

April 24, 2015
Hi,
ok I have checked this file and bypassed also the password check. I also made a short script which does patch the ID & Pass check so that you get the file running as you can see on my picture below.

    //////////////////////////////////////////////////////////////
    //
    // HWID Patch & Password Bypass Script
    //
    // Example Script for only this UnpackMe....
    //
    // The Enigma Protector-4.3-X32 [patch HWID and unpackme]
    //
    // LCF-AT
    //////////////////////////////////////////////////////////////
    bphwc
    bc
    alloc 1000
    mov SECTION, $RESULT
    var ID_HOOK
    var PASS_HOOK
    var TEMP
    var AT
    exec
    push 0
    call {GetModuleHandleA}
    ende
    add AT, 00FF2C05+eax
    add ID_HOOK, 000693D0+eax
    add PASS_HOOK, 00FE7FE6+eax
    bphws ID_HOOK
    esto
    bphwc
    mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
    mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
    gpa "lstrlenA", "kernel32.dll"
    mov TEMP, $RESULT
    eval "call {TEMP}"
    asm SECTION+2D, $RESULT
    mov [SECTION+41], SECTION
    gci ID_HOOK, DESTINATION
    mov TEMP, $RESULT
    eval "jmp {TEMP}"
    asm SECTION+48, $RESULT
    add SECTION, 29
    eval "jmp {SECTION}"
    asm ID_HOOK, $RESULT
    sub SECTION, 29
    bphws PASS_HOOK
    bpgoto PASS_HOOK, PASS_HOOK_STOP
    ////////////////////////////////
    RUN:
    esto
    pause
    pause
    ////////////////////////////////
    PASS_HOOK_STOP:
    cmp [esp+14], AT
    jne RUN
    mov eip, SECTION+4D
    bphwc
    esto
    pause
    ret

greetz

April 25, 2015
The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you!
[This is an automated reply]

April 25, 2015
Hi,
just unpacked and attached the file now.
greetz
Project1_protected_Unpacked.rar

April 27, 2015
Password for start unpackme: carckmeunapckme
Edit: @LCF-AT Do you have any idea why your script does not work for me?
http://www85.zippyshare.com/v/I42O9Hof/file.html
Edited April 27, 2015 by GIV

April 27, 2015
Hi GIV,
so you also need to enter the valid Name & Key (see txt file) if you get the reg nag to see.
greetz

April 27, 2015
OK. I see now... You changed the ID to be as the one in the file.
Here is my raw dump....
http://www44.zippyshare.com/v/8gvCt0D9/file.html
What I have done.
1. Run LCF-AT script for HWID change.
2. Enter password: carckmeunapckme
3. Fix import redirection
4. Arrive at OEP (not in VM - piece of cake)
5. Fix VM'ed imports
6. Put all imports in one place with UIF
7. Dump and fix.

June 14, 2020
Hi, I am a newbie. I am looking for an answer about LCF-AT's script execution problem.

    exec
    push 0
    call {GetModuleHandleA}
    ende

At these lines, when OllyScript executes "EXEC", the whole program is executed. May I ask why that is happening? It does not just execute the lines between exec and ende, like the OllyScript manual says.
Thank you all.
Edited June 14, 2020 by Mahasona

September 24, 2021
Hi, I'm starting unpacking, can someone help me understand how to decipher it?

June 15, 2023
Just now, windowbase said:
> I have above problem. Who can help me?
> sean.
The protection has detected your patches.

June 15, 2023
I used x64dbg and modified the value of memory? Any other way to defeat this protection?
sean.
Edited June 15, 2023 by windowbase

January 11, 2024
Can anyone please explain LCF-AT's script? I can't understand.

    //////////////////////////////////////////////////////////////
    //
    // HWID Patch & Password Bypass Script
    //
    // Example Script for only this UnpackMe....
    //
    // The Enigma Protector-4.3-X32 [patch HWID and unpackme]
    //
    // LCF-AT
    //////////////////////////////////////////////////////////////
    bphwc
    bc
    alloc 1000
    mov SECTION, $RESULT
    var ID_HOOK
    var PASS_HOOK
    var TEMP
    var AT
    exec
    push 0
    call {GetModuleHandleA}
    ende
    add AT, 00FF2C05+eax
    add ID_HOOK, 000693D0+eax
    add PASS_HOOK, 00FE7FE6+eax
    bphws ID_HOOK
    esto
    bphwc
    mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
    mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
    gpa "lstrlenA", "kernel32.dll"
    mov TEMP, $RESULT
    eval "call {TEMP}"
    asm SECTION+2D, $RESULT
    mov [SECTION+41], SECTION
    gci ID_HOOK, DESTINATION
    mov TEMP, $RESULT
    eval "jmp {TEMP}"
    asm SECTION+48, $RESULT
    add SECTION, 29
    eval "jmp {SECTION}"
    asm ID_HOOK, $RESULT
    sub SECTION, 29
    bphws PASS_HOOK
    bpgoto PASS_HOOK, PASS_HOOK_STOP
    ////////////////////////////////
    RUN:
    esto
    pause
    pause
    ////////////////////////////////
    PASS_HOOK_STOP:
    cmp [esp+14], AT
    jne RUN
    mov eip, SECTION+4D
    bphwc
    esto
    pause
    ret

> What are these?
> mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
> mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#

Please give me your kind hands.
Regards.
sean.
Edited January 12, 2024 by windowbase: editing some words.

January 11, 2024
Number the lines, ask what line you have trouble with?
PS In English the word "help" is not used in plural

January 11, 2024
31 minutes ago, jackyjask said:
> PS In English the word "help" is not used in plural
He's an English teacher btw

January 11, 2024
well, there is "helps" word but that's not a noun!!! that's a verb
he she it helps
but
I need help
you need help
they/we need help!
Edited January 11, 2024 by jackyjask

January 12, 2024
11 hours ago, jackyjask said:
> Number the lines ask what line you have trouble with?
@jackyjask
In summary, what script is above? What does it do?
1:mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
2:mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
1 is the valid HWID.
2 is the patch code.
Regards.
sean.
Edited January 12, 2024 by windowbase: editing some words.

January 12, 2024
great!
you just put the valuable info and those cryptic bytes are now very well understood
what would be the next puzzle question
PS we are doing decomposition job now
once we break all the lines to molecules/atoms we'll start building new blocks -> synthesis

January 12, 2024
6 minutes ago, jackyjask said:
> great!
> you just put the valuable info and those cryptic bytes are now very well understood
> what would be the next puzzle question
> PS we are doing decomposition job now
> once we break all the lines to molecules/atoms we'll start building new blocks -> synthesis
@jackyjask
I actually viewed LCF-AT's tutorials, so I understood easily, but OllyDbg script commands are somewhat away from me.
In this way, up to which versions of the Enigma HWID can be bypassed? Do you know? And it's only for x86?
Regards.
sean.
Edited January 12, 2024 by windowbase: Editing words.

January 12, 2024
yeah, mostly it was for x86 when LCFAT was busy with protectors and Ollydbg scripting (5-10 years ago...)
unfortunately (or luckily) LCFAT is now a fully dedicated browser ninja!
so it's up to us, kids of 2020+ to continue the great adventure and create more meat/bbq/cocacola fun
Edited January 12, 2024 by jackyjask
