smnyabc Posted April 24, 2015

patch HWID and unpackme
The Enigma Protector 4.3 (build 20150225)
License type: Single
tep4.3pacth+unpackme.rar
Edited April 24, 2015 by smnyabc
h4sh3m Posted April 24, 2015

Hi, is a start password required? Should we bypass this manually?
Best Regards, h4sh3m
GIV Posted April 24, 2015

Just give us the startup password if you put a startup password. This is not a password-guessing contest. You talk about unpacking and patching the HWID. I have patched the HWID but I'm stuck next to a startup password. Just post the password so we can reach OEP, or do you want us to spend useless time patching a startup password?
Edited April 24, 2015 by GIV
LCF-AT Posted April 24, 2015

Hi, ok I have checked this file and bypassed also the password check. I also made a short script which does patch the ID & Pass check so that you get the file running as you can see on my picture below.

//////////////////////////////////////////////////////////////
//
// HWID Patch & Password Bypass Script
//
// Example Script for only this UnpackMe....
//
// The Enigma Protector-4.3-X32 [patch HWID and unpackme]
//
// LCF-AT
//////////////////////////////////////////////////////////////

bphwc                                  // clear hardware breakpoints
bc                                     // clear software breakpoints
alloc 1000                             // allocate a 0x1000 byte block inside the debuggee
mov SECTION, $RESULT                   // SECTION = address of that block
var ID_HOOK
var PASS_HOOK
var TEMP
var AT
exec                                   // execute the next two instructions in the debuggee
push 0
call {GetModuleHandleA}                // eax = image base of the main module
ende
add AT, 00FF2C05+eax                   // image base + fixed offsets, valid for this UnpackMe only
add ID_HOOK, 000693D0+eax
add PASS_HOOK, 00FE7FE6+eax
bphws ID_HOOK
esto                                   // run until the HWID routine is reached
bphwc
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#             // valid HWID as ASCII string + NUL = 0x29 bytes
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#        // hook stub, placed directly behind the string
gpa "lstrlenA", "kernel32.dll"
mov TEMP, $RESULT
eval "call {TEMP}"
asm SECTION+2D, $RESULT                // stub: call lstrlenA on the HWID buffer in eax
mov [SECTION+41], SECTION              // stub: mov esi, SECTION (source of the rep movsb copy)
gci ID_HOOK, DESTINATION               // original destination of the jump at ID_HOOK
mov TEMP, $RESULT
eval "jmp {TEMP}"
asm SECTION+48, $RESULT                // stub: jump back to that original destination
add SECTION, 29
eval "jmp {SECTION}"
asm ID_HOOK, $RESULT                   // redirect ID_HOOK into the stub at SECTION+29
sub SECTION, 29
bphws PASS_HOOK
bpgoto PASS_HOOK, PASS_HOOK_STOP       // every hit of PASS_HOOK continues at the label below
////////////////////////////////
RUN:
esto
pause
pause
////////////////////////////////
PASS_HOOK_STOP:
cmp [esp+14], AT                       // only react when the return address at [esp+14] is AT
jne RUN
mov eip, SECTION+4D                    // stub epilogue: pop esi/ebx/ecx/ecx/ebp ; ret
bphwc
esto
pause
ret

greetz
Teddy Rogers Posted April 25, 2015

The [unpackme] tag has been added to your topic title. Please remember to follow and adhere to the topic title format - thank you!
[This is an automated reply]
LCF-AT Posted April 25, 2015

Hi, just unpacked and attached the file now.
greetz
Project1_protected_Unpacked.rar
GIV Posted April 27, 2015

Password for start unpackme: carckmeunapckme
Edit: @LCF-AT Do you have any idea why your script does not work for me? http://www85.zippyshare.com/v/I42O9Hof/file.html
Edited April 27, 2015 by GIV
LCF-AT Posted April 27, 2015

Hi GIV, so you also need to enter the valid Name & Key (see txt file) if you get to see the reg nag.
greetz
GIV Posted April 27, 2015

OK. I see now... You changed the ID to be the one in the file.
Here is my raw dump.... http://www44.zippyshare.com/v/8gvCt0D9/file.html
What I have done:
1. Run LCF-AT's script for the HWID change.
2. Enter password: carckmeunapckme
3. Fix import redirection
4. Arrive at OEP (not in VM - piece of cake)
5. Fix VM'ed imports
6. Put all imports in one place with UIF
7. Dump and fix.
Mahasona Posted June 14, 2020

Hi, I am a newbie. I am looking for an answer about LCF-AT's script execution problem:

exec
push 0
call {GetModuleHandleA}
ende

When these lines are executed by OllyScript ("EXEC"), the whole program is executed. May I ask why that is happening? It does not just execute the lines between exec and ende, like the OllyScript manual says. Thank you all.
Edited June 14, 2020 by Mahasona
daniielolguiin Posted September 24, 2021

Hi, I'm starting unpacking, can someone help me understand how to decipher it?
The Binary Expert Posted June 15, 2023

I have the above problem. Who can help me?
sean.
X0rby Posted June 15, 2023

Just now, windowbase said:
I have the above problem. Who can help me? sean.

The protection has detected your patches.
The Binary Expert Posted June 15, 2023

I used x64dbg and modified the value in memory. Any other way to defeat this protection?
sean.
Edited June 15, 2023 by windowbase
krotty Posted June 15, 2023

4 hours ago, windowbase said:
I have the above problem. Who can help me? sean.

CRC
The Binary Expert Posted January 11

Can anyone please explain LCF-AT's script? I can't understand.

//////////////////////////////////////////////////////////////
//
// HWID Patch & Password Bypass Script
//
// Example Script for only this UnpackMe....
//
// The Enigma Protector-4.3-X32 [patch HWID and unpackme]
//
// LCF-AT
//////////////////////////////////////////////////////////////

bphwc
bc
alloc 1000
mov SECTION, $RESULT
var ID_HOOK
var PASS_HOOK
var TEMP
var AT
exec
push 0
call {GetModuleHandleA}
ende
add AT, 00FF2C05+eax
add ID_HOOK, 000693D0+eax
add PASS_HOOK, 00FE7FE6+eax
bphws ID_HOOK
esto
bphwc
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#
gpa "lstrlenA", "kernel32.dll"
mov TEMP, $RESULT
eval "call {TEMP}"
asm SECTION+2D, $RESULT
mov [SECTION+41], SECTION
gci ID_HOOK, DESTINATION
mov TEMP, $RESULT
eval "jmp {TEMP}"
asm SECTION+48, $RESULT
add SECTION, 29
eval "jmp {SECTION}"
asm ID_HOOK, $RESULT
sub SECTION, 29
bphws PASS_HOOK
bpgoto PASS_HOOK, PASS_HOOK_STOP
////////////////////////////////
RUN:
esto
pause
pause
////////////////////////////////
PASS_HOOK_STOP:
cmp [esp+14], AT
jne RUN
mov eip, SECTION+4D
bphwc
esto
pause
ret

Quote:
What are these?
mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#

Please give me your kind hands.
Regards.
sean.
Edited January 12 by windowbase editing some words.
jackyjask Posted January 11

Number the lines, ask what line you have trouble with?
PS: In English the word "help" is not used in the plural.
X0rby Posted January 11

31 minutes ago, jackyjask said:
PS: In English the word "help" is not used in the plural.

He's an English teacher btw
jackyjask Posted January 11

well, there is a "helps" word but that's not a noun!!! that's a verb:
he/she/it helps
but I need help, you need help, they/we need help!
Edited January 11 by jackyjask
The Binary Expert Posted January 12

11 hours ago, jackyjask said:
Number the lines, ask what line you have trouble with?

@jackyjask In summary, what is the script above? What does it do?

1: mov [SECTION], #4134423746343232363343393832393846383145394335423136323133353445344538333836354500#
2: mov [SECTION+29], #608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3#

1 is the valid HWID. 2 is the patch code.
Regards.
sean.
Edited January 12 by windowbase editing some words.
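Added here as an example that is not part of the thread and not LCF-AT's code: a Python decoder for the two blobs sean asks about in his post above (the "What are these?" question) and then identifies as the valid HWID and the patch code. It decodes blob 1 to its ASCII text, shows that its 0x29 bytes explain why the stub is placed at SECTION+29, splits blob 2 into the instructions of the hook stub, and reproduces what the script's asm/mov lines write into that stub at SECTION+2D, +41 and +48. The three addresses passed to apply_fixups in the example (0x01EE0000 for SECTION, and the lstrlenA and jump-target addresses) are constructed placeholders; in the script these values come from alloc, gpa and gci at run time.

```python
import struct

# Both blobs copied verbatim from the script's "mov [SECTION], #...#" lines.
HWID_BLOB = "4134423746343232363343393832393846383145394335423136323133353445344538333836354500"
STUB_BLOB = "608BF850E80000000083F8280F850C000000B928000000BE0000EE01F3A461E9000000005E5B59595DC3"

# Instructions of the hook stub, keyed by offset from SECTION+29.
# (offset, opcode prefix that must be found there, instruction length, description)
STUB_EXPECTED = [
    (0x00, b"\x60", 1, "pushad"),
    (0x01, b"\x8b\xf8", 2, "mov edi, eax            ; eax = the protector's HWID buffer"),
    (0x03, b"\x50", 1, "push eax"),
    (0x04, b"\xe8", 5, "call rel32              ; 'asm SECTION+2D' turns this into call lstrlenA"),
    (0x09, b"\x83\xf8\x28", 3, "cmp eax, 0x28           ; is the string 40 characters long?"),
    (0x0C, b"\x0f\x85", 6, "jnz +0x0C               ; no: skip the copy (lands on popad)"),
    (0x12, b"\xb9", 5, "mov ecx, 0x28"),
    (0x17, b"\xbe", 5, "mov esi, imm32          ; imm32 sits at SECTION+41, 'mov [SECTION+41], SECTION'"),
    (0x1C, b"\xf3\xa4", 2, "rep movsb               ; overwrite the buffer with the valid HWID"),
    (0x1E, b"\x61", 1, "popad"),
    (0x1F, b"\xe9", 5, "jmp rel32               ; 'asm SECTION+48' turns this into jmp <original target>"),
    (0x24, b"\x5e\x5b\x59\x59\x5d\xc3", 6, "pop esi/ebx/ecx/ecx/ebp ; ret   (SECTION+4D, used by the password bypass)"),
]


def decode_hwid(blob: str) -> str:
    """Blob 1 is the valid HWID stored as a NUL-terminated ASCII string."""
    raw = bytes.fromhex(blob)
    if raw[-1] != 0:
        raise ValueError("expected a NUL-terminated string")
    return raw[:-1].decode("ascii")


def hwid_region_size(blob: str) -> int:
    """Bytes occupied by blob 1; the stub is written directly behind it (SECTION+29)."""
    return len(bytes.fromhex(blob))


def stub_layout(blob: str) -> dict:
    """Split blob 2 into its instructions and verify the opcodes at every expected offset."""
    s = bytes.fromhex(blob)
    layout = {}
    for off, opc, ln, desc in STUB_EXPECTED:
        if s[off:off + len(opc)] != opc:
            raise ValueError(f"unexpected bytes at stub offset +{off:02X}")
        layout[off] = (desc, s[off:off + ln])
    if sum(ln for _, _, ln, _ in STUB_EXPECTED) != len(s):
        raise ValueError("stub length does not match the instruction list")
    return layout


def rel32(next_instr: int, target: int) -> int:
    """x86 rel32 displacement: target minus the address of the following instruction."""
    return (target - next_instr) & 0xFFFFFFFF


def apply_fixups(section: int, lstrlen_addr: int, original_dest: int) -> bytes:
    """Reproduce the script's three fixups on the stub for caller-supplied addresses.

    section, lstrlen_addr and original_dest are assumptions of the caller; the script
    obtains them from 'alloc 1000', 'gpa "lstrlenA"' and 'gci ID_HOOK, DESTINATION'.
    """
    s = bytearray(bytes.fromhex(STUB_BLOB))
    base = section + hwid_region_size(HWID_BLOB)                       # stub starts at SECTION+29
    struct.pack_into("<I", s, 0x05, rel32(base + 0x09, lstrlen_addr))   # call at SECTION+2D
    struct.pack_into("<I", s, 0x18, section)                            # imm32 at SECTION+41
    struct.pack_into("<I", s, 0x20, rel32(base + 0x24, original_dest))  # jmp at SECTION+48
    return bytes(s)


if __name__ == "__main__":
    hwid = decode_hwid(HWID_BLOB)
    print(f"blob 1: {hwid!r}, {len(hwid)} chars, {hwid_region_size(HWID_BLOB):#x} bytes with NUL")
    for off, (desc, raw) in stub_layout(STUB_BLOB).items():
        print(f"SECTION+{0x29 + off:02X}  {raw.hex():<14} {desc}")
    # Constructed placeholder addresses, not values from the thread.
    print(apply_fixups(0x01EE0000, 0x75A01234, 0x00469FF0).hex())
```

The imm32 already present in blob 2 (BE 00 00 EE 01, i.e. 0x01EE0000) is overwritten by `mov [SECTION+41], SECTION` at run time, so whatever value the allocation returns is what `rep movsb` copies from; the 0x28 in `cmp eax, 0x28` is the length of the decoded HWID string, which is why the stub only replaces buffers of exactly that size.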
jackyjask Posted January 12

great! you just put the valuable info and those cryptic bytes are now very well understood
what would be the next puzzle question
PS we are doing decomposition job now
once we break all the lines to molecules/atoms we'll start building new blocks -> synthesis
The Binary Expert Posted January 12

6 minutes ago, jackyjask said:
great! you just put the valuable info and those cryptic bytes are now very well understood
what would be the next puzzle question
PS we are doing decomposition job now
once we break all the lines to molecules/atoms we'll start building new blocks -> synthesis

@jackyjask I actually viewed LCF-AT's tutorials, so I understood easily. But OllyDbg script commands are somewhat away from me.
In this way, up to which versions of the Enigma HWID can be bypassed? Do you know? And is it only for x86?
Regards.
sean.
Edited January 12 by windowbase Editing words.
jackyjask Posted January 12

yeah, mostly it was for x86 when LCFAT was busy with protectors and OllyDbg scripting (5-10 years ago...)
unfortunately (or luckily) LCFAT is now a fully dedicated browser ninja!
so it's up to us, kids of 2020+, to continue the great adventure and create more meat/bbq/cocacola fun
Edited January 12 by jackyjask