Tuts 4 You
smnyabc

[unpackme] The Enigma Protector-4.3-X32 [patch HWID and unpackme]


h4sh3m

Hi

Is a start pass required?

Should we bypass this manually?

Best Regards,

h4sh3m


  • Like 2

GIV

Just give us the startup password if you put a startup password.

This is not a password-guessing contest.

You talk about unpacking and patching the HWID.

I have patched the HWID but I'm stuck next at a startup password.

Just post the password so we can reach OEP, or do you want us to spend useless time patching a startup password?


LCF-AT

Hi,

OK, I have checked this file and also bypassed the password check. :) I also made a short script which patches the ID & Pass check so that you get the file running, as you can see in my picture below.



//////////////////////////////////////////////////////////////
//
// HWID Patch & Password Bypass Script
//
// Example Script for only this UnpackMe....
//
// The Enigma Protector-4.3-X32 [patch HWID and unpackme]
//
// LCF-AT
//////////////////////////////////////////////////////////////
bphwc
bc
alloc 1000
mov SECTION, $RESULT
var ID_HOOK
var PASS_HOOK
var TEMP
var AT
exec
push 0
call {GetModuleHandleA}
ende
add AT, 00FF2C05+eax
add ID_HOOK, 000693D0+eax
add PASS_HOOK, 00FE7FE6+eax
bphws ID_HOOK
esto
bphwc
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
gpa "lstrlenA", "kernel32.dll"
mov TEMP, $RESULT
eval "call {TEMP}"
asm SECTION+2D, $RESULT
mov [SECTION+41], SECTION
gci ID_HOOK, DESTINATION
mov TEMP, $RESULT
eval "jmp {TEMP}"
asm SECTION+48, $RESULT
add SECTION, 29
eval "jmp {SECTION}"
asm ID_HOOK, $RESULT
sub SECTION, 29
bphws PASS_HOOK
bpgoto PASS_HOOK, PASS_HOOK_STOP
////////////////////////////////
RUN:
esto
pause
pause
////////////////////////////////
PASS_HOOK_STOP:
cmp [esp+14], AT
jne RUN
mov eip, SECTION+4D
bphwc
esto
pause
ret

greetz



  • Like 8

Teddy Rogers

The [unpackme] tag has been added to your topic title.

Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]

LCF-AT

Hi GIV,

So you also need to enter the valid Name & Key (see txt file) if you get to see the reg nag. :)

greetz


  • Like 3

GIV

OK.

I see now...

You changed the ID to be the same as the one in the file.

:)

Here is my raw dump....

What I have done:

1. Run LCF-AT script for HWID change.
2. Enter password: carckmeunapckme
3. Fix import redirection
4. Arrive at OEP (not in VM - piece of cake)
5. Fix VM'ed imports
6. Put all imports in one place with UIF
7. Dump and fix.


  • Like 3
