smnyabc Posted April 24, 2015 Posted April 24, 2015 (edited) patch HWID and unpackme The Enigma Protector 4.3(build 20150225) License type:Singletep4.3pacth+unpackme.rar Edited April 24, 2015 by smnyabc
h4sh3m Posted April 24, 2015 Posted April 24, 2015 Hi required start pass?we should bypass this manually? Best Regards,h4sh3m 3
GIV Posted April 24, 2015 Posted April 24, 2015 (edited) Just give us the startup password if you put a startup password.Here is not a guessing password content.You talk about and unpack and patch HWID.I have patched the HWID but i'm stuck next to a startup password.Just post the password so we can reach OEP or do you want us to spend useless time for patching a startup password? Edited April 24, 2015 by GIV
LCF-AT Posted April 24, 2015 Posted April 24, 2015 Hi, ok I have checked this file and bypassed also the password check. I also made a short script which does patch the ID & Pass check so that you get the file running as you can see on my picture below. ////////////////////////////////////////////////////////////// // // HWID Patch & Password Bypass Script // // Example Script for only this UnpackMe.... // // The Enigma Protector-4.3-X32 [patch HWID and unpackme] // // LCF-AT ////////////////////////////////////////////////////////////// bphwc bc alloc 1000 mov SECTION, $RESULT var ID_HOOK var PASS_HOOK var TEMP var AT exec push 0 call {GetModuleHandleA} ende add AT, 00FF2C05+eax add ID_HOOK, 000693D0+eax add PASS_HOOK, 00FE7FE6+eax bphws ID_HOOK esto bphwc mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500# mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3# gpa "lstrlenA", "kernel32.dll" mov TEMP, $RESULT eval "call {TEMP}" asm SECTION+2D, $RESULT mov [SECTION+41], SECTION gci ID_HOOK, DESTINATION mov TEMP, $RESULT eval "jmp {TEMP}" asm SECTION+48, $RESULT add SECTION, 29 eval "jmp {SECTION}" asm ID_HOOK, $RESULT sub SECTION, 29 bphws PASS_HOOK bpgoto PASS_HOOK, PASS_HOOK_STOP //////////////////////////////// RUN: esto pause pause //////////////////////////////// PASS_HOOK_STOP: cmp [esp+14], AT jne RUN mov eip, SECTION+4D bphwc esto pause ret greetz 11
Teddy Rogers Posted April 25, 2015 Posted April 25, 2015 The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thankyou! [This is an automated reply]
LCF-AT Posted April 25, 2015 Posted April 25, 2015 Hi, just unpacked and attached the file now. greetz Project1_protected_Unpacked.rar 4
GIV Posted April 27, 2015 Posted April 27, 2015 (edited) Password for start unpackme: carckmeunapckme Edit:@LCF-ATDo you have any ideea why your script does not work for me? http://www85.zippyshare.com/v/I42O9Hof/file.html Edited April 27, 2015 by GIV
LCF-AT Posted April 27, 2015 Posted April 27, 2015 Hi GIV, so you also need to enter the valid Name & Key (see txt file) if you get the reg nag to see. greetz 3
GIV Posted April 27, 2015 Posted April 27, 2015 OK. I see now... You changed the ID to be as the one in the file. Here is my raw dump.... http://www44.zippyshare.com/v/8gvCt0D9/file.html What i have done. 1. Run LCF-AT script for HWID change. 2. Enter password: carckmeunapckme 3. Fix import redirection 4. Arrive at OEP (not in VM - piece of cake) 5. Fix VM'ed imports 6. Put all imports in one place with UIF 7. Dump and fix. 3
Mahasona Posted June 14, 2020 Posted June 14, 2020 (edited) Hi , I am Newbie , I am looking for answer about LCF-At's script execution problem exec push 0 call {GetModuleHandleA} ende this lines , when executes "EXEC " by OllyScript whole program executed . May i ask why is that happening? it do not just executes lines between exec and ende , like ollyscript manual says. Thank you all. Edited June 14, 2020 by Mahasona
daniielolguiin Posted September 24, 2021 Posted September 24, 2021 Hi, i'm starting unpacking, can someone help me understand how to decipher it?
Sean Park - Lovejoy Posted June 15, 2023 Posted June 15, 2023 I have above problem. Who can help me ? sean.
X0rby Posted June 15, 2023 Posted June 15, 2023 Just now, windowbase said: I have above problem. Who can help me ? sean. The protection has detected your patches. 2
Sean Park - Lovejoy Posted June 15, 2023 Posted June 15, 2023 (edited) I used x64dbg and modified the vlaue of memory ? any other way to defeat this protection? sean. Edited June 15, 2023 by windowbase 1
krotty Posted June 15, 2023 Posted June 15, 2023 4 hours ago, windowbase said: I have above problem. Who can help me ? sean. CRC
Sean Park - Lovejoy Posted January 11 Posted January 11 (edited) Can anyone please explain LCF-AT's script? I can't understand. ////////////////////////////////////////////////////////////// // // HWID Patch & Password Bypass Script // // Example Script for only this UnpackMe.... // // The Enigma Protector-4.3-X32 [patch HWID and unpackme] // // LCF-AT ////////////////////////////////////////////////////////////// bphwc bc alloc 1000 mov SECTION, $RESULT var ID_HOOK var PASS_HOOK var TEMP var AT exec push 0 call {GetModuleHandleA} ende add AT, 00FF2C05+eax add ID_HOOK, 000693D0+eax add PASS_HOOK, 00FE7FE6+eax bphws ID_HOOK esto bphwc mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500# mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3# gpa "lstrlenA", "kernel32.dll" mov TEMP, $RESULT eval "call {TEMP}" asm SECTION+2D, $RESULT mov [SECTION+41], SECTION gci ID_HOOK, DESTINATION mov TEMP, $RESULT eval "jmp {TEMP}" asm SECTION+48, $RESULT add SECTION, 29 eval "jmp {SECTION}" asm ID_HOOK, $RESULT sub SECTION, 29 bphws PASS_HOOK bpgoto PASS_HOOK, PASS_HOOK_STOP //////////////////////////////// RUN: esto pause pause //////////////////////////////// PASS_HOOK_STOP: cmp [esp+14], AT jne RUN mov eip, SECTION+4D bphwc esto pause ret Quote What are these? mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500# mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3# Please give me your kind hands. Regards. sean. Edited January 12 by windowbase editing some words. 1
jackyjask Posted January 11 Posted January 11 Number the lines ask what line you have trouble with? PS In English the word "help" is not used in plural
X0rby Posted January 11 Posted January 11 31 minutes ago, jackyjask said: PS In English the word "help" is not used in plural He's an English teacher btw 1
jackyjask Posted January 11 Posted January 11 (edited) well, there is "helps" word but thats not a noun!!! thats a verb he she it helps but I need help you need help they/we need help! Edited January 11 by jackyjask 1
Sean Park - Lovejoy Posted January 12 Posted January 12 (edited) 11 hours ago, jackyjask said: Number the lines ask what line you have trouble with? @jackyjask In summary, what script is above? what does it do? 1:mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500# 2:mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3# 1 is the valid HWID. 2 is the patch code. Regards. sean. Edited January 12 by windowbase editing some words. 1
jackyjask Posted January 12 Posted January 12 great! you just put the valuable info and those cryptic bytes are now very well understood what would be the next puzzle question PS we are doing decomposition job now once we break all the lines to molecules/atoms we'll start building new blocks -> synthesis
Sean Park - Lovejoy Posted January 12 Posted January 12 (edited) 6 minutes ago, jackyjask said: great! you just put the valuable info and those cryptic bytes are now very well understood what would be the next puzzle question PS we are doing decomposition job now once we break all the lines to molecules/atoms we'll start building new blocks -> synthesis @jackyjask I actually viewed the LCF-AT's tutorials. so I understood easily. but ollydbg script commands are somewhat away from me. In this way, up to which versions of the Enigma HWID can be bypassed? Do you know? And it's only for x86? Regards. sean. Edited January 12 by windowbase Editing words. 1
jackyjask Posted January 12 Posted January 12 (edited) yeah, mostly it was for x86 when LCFAT was busy withprotectors and Ollydbg scripting (5-10 years ago...) unfortunately (or luckily) LCFAT is now a fully dedicated browser ninja! so its up to us, kids of 2020+ to continue the great adventure and create more meat/bbq/cocacola fun Edited January 12 by jackyjask 1 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now