danmz Posted December 22, 2015
Detail: http://prntscr.com/9hav19
Good luck.
Salam.
CrackMe.rar

icarusdc Posted December 23, 2015
This is not your handmade crackme/unpackme.
Salam

GIV Posted December 23, 2015
This is trash. Just fix API redirection, VM'ed API, find OEP and restore OEP.
The OEP is like:
    PUSH EBP
    MOV EBP, ESP
    ADD ESP, -10
    MOV EAX, 0047F234
    MOV ECX, 00537000
    MOV EDX, 0076A2F7
    CALL 040615C
    MOV EAX, DWORD PTR[4803C8]
    CALL 0459B7C
    MOV EAX, DWORD PTR[4803C8]
    MOV EDX, 0047F5B4
    CALL 045978C
    MOV EAX, DWORD PTR[4803C8]
    MOV ECX, 00483EEC
    MOV EDX, 0047C144
    CALL 0459B94
    MOV EAX, DWORD PTR[4803C8]
    MOV ECX, 00483F88
    MOV EDX, 0047DDE4
    CALL 0459B94
    MOV EAX, DWORD PTR[4803C8]
    MOV ECX, 00483F88
    CALL 0459C14
    MOV EAX, DWORD PTR[4803C8]
    MOV ECX, 001AB1700
    CALL 0403D78
A moderator, please put this in the trash.

icarusdc Posted December 23, 2015
Well, I think it is hard for me to crack it because almost all important procedures are VMed. I need to study devirtualizing the VM harder.
Salam

GIV Posted December 23, 2015
You cannot devirtualize the VM; you just reconstruct the OEP in this case.
Take a look here:
https://forum.tuts4you.com/topic/36052-enigma-protector-410-unpacking-example/
You have all you need to know there.
If you want to adapt the devirtualizer to the new VM type, just take a look here:
https://forum.tuts4you.com/topic/28847-c-the-enigma-protector-devirtualizer-source-code/#comment-136340

icarusdc Posted December 23, 2015
Yeah, I studied reconstructing the OEP from @SHADOW_UA, and the OEP comes out cleaner with @LCF-AT's guide. Amazing guide. But I think this only works for the OEP, not for VMed functions like in this crackme.
Salam

GIV Posted December 24, 2015
You cannot devirtualize the VM; you just reconstruct the OEP in this case.
Take a look here:
https://forum.tuts4you.com/topic/36052-enigma-protector-410-unpacking-example/
You have all you need to know there.
If you want to adapt the devirtualizer to the new VM type, just take a look here:
https://forum.tuts4you.com/topic/28847-c-the-enigma-protector-devirtualizer-source-code/#comment-136340
You did not check the second link. You have the source code of the plugin to devirtualize the Enigma VM. You just need to adapt it to newer versions. You just have to work for that and not expect to receive it for free.