Jump to content
Tuts 4 You

[unpackme] The Enigma Protector-4.3-X32 [patch HWID and unpackme]


smnyabc

Recommended Posts

Just give us the startup password if you put a startup password.


Here is not a guessing password content.


You talk about and unpack and patch HWID.


I have patched the HWID but i'm stuck next to a startup password.


Just post the password so we can reach OEP or do you want us to spend useless time for patching a startup password?


Edited by GIV
Link to comment
Share on other sites

Hi,


 


ok I have checked this file and bypassed also the password check. :) I also made a short script which does patch the ID & Pass check so that you get the file running as you can see on my picture below.



//////////////////////////////////////////////////////////////
//
// HWID Patch & Password Bypass Script
//
// Example Script for only this UnpackMe....
//
// The Enigma Protector-4.3-X32 [patch HWID and unpackme]
//
// LCF-AT
//////////////////////////////////////////////////////////////
bphwc
bc
alloc 1000
mov SECTION, $RESULT
var ID_HOOK
var PASS_HOOK
var TEMP
var AT
exec
push 0
call {GetModuleHandleA}
ende
add AT, 00FF2C05+eax
add ID_HOOK, 000693D0+eax
add PASS_HOOK, 00FE7FE6+eax
bphws ID_HOOK
esto
bphwc
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
gpa "lstrlenA", "kernel32.dll"
mov TEMP, $RESULT
eval "call {TEMP}"
asm SECTION+2D, $RESULT
mov [SECTION+41], SECTION
gci ID_HOOK, DESTINATION
mov TEMP, $RESULT
eval "jmp {TEMP}"
asm SECTION+48, $RESULT
add SECTION, 29
eval "jmp {SECTION}"
asm ID_HOOK, $RESULT
sub SECTION, 29
bphws PASS_HOOK
bpgoto PASS_HOOK, PASS_HOOK_STOP
////////////////////////////////
RUN:
esto
pause
pause
////////////////////////////////
PASS_HOOK_STOP:
cmp [esp+14], AT
jne RUN
mov eip, SECTION+4D
bphwc
esto
pause
ret

greetz


post-27695-0-58245300-1429902107_thumb.p

  • Like 10
Link to comment
Share on other sites

Teddy Rogers

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thankyou!

[This is an automated reply]

Link to comment
Share on other sites

Hi GIV,


 


so you also need to enter the valid Name & Key (see txt file) if you get the reg nag to see. :)


 


greetz


  • Like 2
Link to comment
Share on other sites

OK.


I see now...


You changed the ID to be as the one in the file.


:)


 


Here is my raw dump....



What i have done.


1. Run LCF-AT script for HWID change.


2. Enter password: carckmeunapckme


3. Fix import redirection


4. Arrive at OEP (not in VM - piece of cake)


5. Fix VM'ed imports


6. Put all imports in one place with UIF


7. Dump and fix.


  • Like 3
Link to comment
Share on other sites

  • 5 years later...

Hi , I am Newbie , I am looking for answer about  LCF-At's  script execution problem

 

exec

push 0

call {GetModuleHandleA} 

ende

 

this lines , when executes "EXEC " by OllyScript whole program executed . May i ask why is that happening?

it do not just executes lines between exec and ende , like ollyscript manual says.

 

Thank you all.

Edited by Mahasona
Link to comment
Share on other sites

  • 1 year later...
  • 1 year later...
Just now, windowbase said:

Untitled.png.1b064dd620115a38a5cee8da927a633f.png

I have above problem. Who can help me ?

sean.

The protection has detected your patches.

  • Like 1
Link to comment
Share on other sites

windowbase

I used x64dbg and modified the vlaue of memory ? any other way to defeat this protection?

sean.

Edited by windowbase
Link to comment
Share on other sites

4 hours ago, windowbase said:

Untitled.png.1b064dd620115a38a5cee8da927a633f.png

I have above problem. Who can help me ?

sean.

CRC 

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...