smnyabc, Posted April 24, 2015 (edited April 24, 2015)

patch HWID and unpackme
The Enigma Protector 4.3 (build 20150225)
License type: Single
Attachment: tep4.3pacth+unpackme.rar

h4sh3m, Posted April 24, 2015

Hi, required start pass? We should bypass this manually?
Best Regards,
h4sh3m

GIV, Posted April 24, 2015 (edited April 24, 2015)

Just give us the startup password if you put a startup password. Here is not a guessing password content. You talk about and unpack and patch HWID. I have patched the HWID but I'm stuck next to a startup password. Just post the password so we can reach OEP or do you want us to spend useless time for patching a startup password?

LCF-AT, Posted April 24, 2015

Hi,

ok I have checked this file and bypassed also the password check. I also made a short script which does patch the ID & Pass check so that you get the file running as you can see on my picture below.

//////////////////////////////////////////////////////////////
//
// HWID Patch & Password Bypass Script
//
// Example Script for only this UnpackMe....
//
// The Enigma Protector-4.3-X32 [patch HWID and unpackme]
//
// LCF-AT
//////////////////////////////////////////////////////////////
bphwc
bc
alloc 1000
mov SECTION, $RESULT
var ID_HOOK
var PASS_HOOK
var TEMP
var AT
exec
push 0
call {GetModuleHandleA}
ende
add AT, 00FF2C05+eax
add ID_HOOK, 000693D0+eax
add PASS_HOOK, 00FE7FE6+eax
bphws ID_HOOK
esto
bphwc
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
gpa "lstrlenA", "kernel32.dll"
mov TEMP, $RESULT
eval "call {TEMP}"
asm SECTION+2D, $RESULT
mov [SECTION+41], SECTION
gci ID_HOOK, DESTINATION
mov TEMP, $RESULT
eval "jmp {TEMP}"
asm SECTION+48, $RESULT
add SECTION, 29
eval "jmp {SECTION}"
asm ID_HOOK, $RESULT
sub SECTION, 29
bphws PASS_HOOK
bpgoto PASS_HOOK, PASS_HOOK_STOP
////////////////////////////////
RUN:
esto
pause
pause
////////////////////////////////
PASS_HOOK_STOP:
cmp [esp+14], AT
jne RUN
mov eip, SECTION+4D
bphwc
esto
pause
ret

greetz

Teddy Rogers, Posted April 25, 2015

The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you!

[This is an automated reply]

LCF-AT, Posted April 25, 2015

Hi,

just unpacked and attached the file now.

greetz

Attachment: Project1_protected_Unpacked.rar

GIV, Posted April 27, 2015 (edited April 27, 2015)

Password for start unpackme: carckmeunapckme

Edit: @LCF-AT
Do you have any idea why your script does not work for me?

http://www85.zippyshare.com/v/I42O9Hof/file.html

LCF-AT, Posted April 27, 2015

Hi GIV,

so you also need to enter the valid Name & Key (see txt file) if you get the reg nag to see.

greetz

GIV, Posted April 27, 2015

OK. I see now... You changed the ID to be as the one in the file.

Here is my raw dump....

http://www44.zippyshare.com/v/8gvCt0D9/file.html

What I have done.

1. Run LCF-AT script for HWID change.
2. Enter password: carckmeunapckme
3. Fix import redirection
4. Arrive at OEP (not in VM - piece of cake)
5. Fix VM'ed imports
6. Put all imports in one place with UIF
7. Dump and fix.

Mahasona, Posted June 14, 2020 (edited June 14, 2020)

Hi, I am a newbie. I am looking for an answer about LCF-AT's script execution problem:

exec
push 0
call {GetModuleHandleA}
ende

At these lines, when "EXEC" is executed by OllyScript, the whole program is executed. May I ask why that is happening? It does not just execute the lines between exec and ende, like the OllyScript manual says.

Thank you all.

daniielolguiin, Posted September 24, 2021

Hi, I'm starting unpacking, can someone help me understand how to decipher it?

windowbase, Posted June 15

I have above problem. Who can help me?

sean.

X0rby, Posted June 15

Just now, windowbase said:
> I have above problem. Who can help me?
> sean.

The protection has detected your patches.

windowbase, Posted June 15 (edited June 15)

I used x64dbg and modified the value of memory? Any other way to defeat this protection?

sean.

krotty, Posted June 15

4 hours ago, windowbase said:
> I have above problem. Who can help me?
> sean.

CRC