GIV Posted January 17, 2016
Difficulty: 3
Language: Borland
Platform: Windows X86
OS Version: XP and higher
Packer / Protector: Enigma Protector 5.1
Description: Small unpackme. It is in fact a crackme that I found on the www and applied an Enigma Protector layer to. So the goal is to unpack. IMHO it is not hard at all. So I give you a valid combo of HWID/name/key:
HWID: 58603-7C96E-050B3-811FC
NAME: giv@reversing.ro
Key: KWFM62F-NMH8E94-BH2C98E-FDDEQHG-VK88BVD-PRXLNZA-FM6TWL7-U6NNJGL-3K5CMQY-BSXJM8W-LZ2NYTL-QWXQ69F-XBDPTNY-GWSNX2M-YTKJV9E-YHRWUPQ
The file has a password too, which is very easy to bypass. Good luck!
Screenshot: Crack Auth_Protected.rar
Sound Posted January 17, 2016 Enigma is a very user-friendly software protector.
GIV Posted January 17, 2016 (Author) So I know that you can unpack this. Also Shadow_UA and LCF-AT. So I do not accept any solution from the ones above.
White Posted January 18, 2016 Hi, a tip for bypassing password-protected stuff. This method comes from LCF-AT. First, you need a dll to bypass the HWID, then unpack it. Enigma_Password_ByPass.rar
LCF-AT Posted January 18, 2016 Hey guys, where is my reply? Who deleted it? Ted, was that you, and if yes, why? Strange! Nine hours ago I wrote a reply with the unpacked file and now the reply is gone!? Or was that you, GIV? Here is a picture of my attachments / infos. Did anybody see my reply before it was gone? Hey GIV, so I think that was you, or? Did you mean I wasn't allowed to join this time and to post my unpacked file? Nice idea, White, to create a dll for that (why didn't I have such an idea before, instead of writing some scripts?!). But then you can also write the rest of the parts into the dll too for unpacking, to do all the dishes at once. Hmmm, so I think I have to test something now. greetz
GIV Posted January 18, 2016 (Author) Hi. I cannot delete other posts. I was interested in your dump too, but when I tried to download it the post was not there. Anyway, I posted before that a dump from you is unacceptable, because I know 100% that you can unpack. So I have mentioned that before, but I did not remove any post. A hint would be useful on how you managed to bypass the password.
LCF-AT Posted January 18, 2016 (edited) Aha and oh!? So if you didn't delete it, who was it then? Only Ted can do this, right? But if so, why!? Or was it again some strange forum bug? Strange, so I did create a reply and the reply was also there afterwards. No idea what the reason could be etc. Ok wait, now I see I can't download my own attachments of my unpacked UnpackMe and I get this page with that info... "Sorry, there is a problem The page you are trying to access is not available for your account. Error code: 2C171/1" ....great! Another forum trouble with that new forum style. Sometimes I also get trouble if I want to submit a reply and the button changes to save but no reply was made. Really bad sometimes. Ok, I'll try to upload the file again, so maybe it's working now. If not, then I eat a broom. PS: So unpacking is almost the same again, also ID bypassing / checkup patching too, also if it's VMed. I made 2 patches for ID & checkup (MultiASM). Also the name of your file is not original, so this is also checked and you get an info about it (filename changed etc.). "crack auth.exe" "crack auth_protected.exe" Let's see whether you can download the file now, even if I am out of the challenge this time. greetz Edited January 18, 2016 by Teddy Rogers
Teddy Rogers Posted January 18, 2016 1 hour ago, LCF-AT said: "where is my reply? Who deleted it? Ted, was that you, and if yes, why? Strange!" Yes, I did, for the following reasons... Quote: "Posted solutions without any write-up attached will be deleted, we don't need to know how awesome you are without it. Repeat offenders will be banned from using this forum." Posting of unpacks without any reasonable write-up or explanation is against the ethos of the changes implemented in this forum. It is explained at the top of the index page in each of the crackme forums and was discussed here. Unfortunately you are not the only person to do this. If it continues I will have to decide whether to start reviewing and approving all posts as well as new topics, or issue warnings to offenders. The other alternative is to let everyone attach the files and go back to how this forum used to be, which is what quite a few people complained about and prompted the changes... Ted.
LCF-AT Posted January 18, 2016 Hmmm, ok Ted. Of course it's a good question, but I thought it's more like a discussion round where the users of this forum / topic (if they are interested) can ask afterwards IF they have questions about any issues of the given challenge, to talk about it. So if I create both (unpack + solution, if there is any new solution to post, which is not always the case) at once, then maybe others are no longer interested in handling some steps by themselves (if yes, then they also ask later for some steps where they have any trouble handling it) etc. On the other hand, I can't create a big solution / tutorial each time for each new UnpackMe which was posted, or maybe nobody is interested in that file and solution, and then I wasted time doing this just to follow the new rules, you know. It's a little difficult now. greetz
SReg Posted January 18, 2016 Solution? New rules look good for developers of protectors.
GIV Posted January 18, 2016 (Author) 9 minutes ago, SReg said: "Solution? New rules look good for developers of protectors." Is it not ok? I think it is great. Most of the "unpackmes" were "protected" with pirated copies of the protectors.
icarusdc Posted January 18, 2016 I only know about the FileName checking, and it's not a bypass, just sniffing. I don't know about sniffing the other checks like Executed Copies, Password etc. I bypass the HWID nag, then when the FileName nag appears, I go to VA 0012EC08, then go to VA [0012EC08+04]. Spoiler: The correct File Name is Crack Auth.exe Salam
LCF-AT Posted January 18, 2016 What you can do is check your desired protector xy, like Enigma in that case, itself. Download a trial version and see what features you can use to protect files. Also check the Enigma API descriptions to get more helpful infos. The rest you can find out by debugging, and for the checks like OS version / drive / language / execution counts / drivers etc. you can find the right system APIs, which you then can check & patch. In the case of Enigma you can choose the extra stuff as you want (choose one by one, for example), then protect a test file with that + low basic protection, and now if you get any bad checkup info message (xy found / sorry, can't run file etc.) then just start debugging to find the check. Just try this too. greetz
Teddy Rogers Posted January 19, 2016 @SReg There is no point in someone creating a topic with a file protected using You'll Be Super Confused By .NET v1.2.3.4.5 and then someone replying with an attachment to their post saying "2 eazy", "decrypted!", "here dis yall unpacked", etc. We all know You'll Be Super Confused By .NET v1.2.3.4.5 can be unpacked and decrypted. The why and how you did it is what we all want to know about. If you simply post an unpacked file because you know or found some uber elite method and don't want to share that knowledge or information, your only intention is likely to show off... Ted.
GIV Posted January 19, 2016 (Author) @all I assure you that I am a legal owner of an Enigma Protector license. So posting an unpackme here is just for you guys, because as you know I can ATM handle most of the protector options and unpack. My aim is not to show you a full way of unpacking this, because, you know, we advertise the product, but to show hints at least on how to do that, and the user must think about how to do it. My best bet is on the "hints" that will help the users to put the pieces of knowledge into the puzzle and at the end fully unpack the protected file on their own. A good way would be, let's say, a hint on the password bypass for a start.
kao Posted January 20, 2016 Hrmmpfff.. Teddy is becoming evil! There was a valid question about Enigma VMware detection: Quote: "Enigma Protector 5.1 unpackme, crystalboy replied to GIV's topic in UnPackMe's: @Arting I am interested too to see how you handle it. By the way, I didn't understand how to bypass the VMware checks on that unpackme, so I can't go forward." And here's the answer. Enigma uses the most common VMware detection method:

eax=564D5868 ebx=00000000 ecx=0000000A edx=00005658 esi=00684584 edi=006891F0
eip=00B0DA17 esp=0012FED4 ebp=0012FEF0
00b0da17 ed in eax, dx

The entire check and SEH handler are virtualized, so it's not easy to patch it. But you can put a breakpoint there, modify the EAX value and continue execution. Or you can hide your VMware better by using this setting in VMX files: isolation.tools.getVersion.disable = "TRUE" For a full list of possible tweaks in VMX files, see http://sanbarrow.com/vmx/vmx-advanced.html and this presentation.
crystalboy Posted January 21, 2016 Thanks to @kao, I just studied how VM checks are made and moved forward in the unpackme. I just bypassed the hardware id check, but I am stuck (until tomorrow, when I can work on it again) with the password at startup. I tried all of @giv's usual combinations, but this time no luck. If we can receive any hint it will be helpful. If someone needs it I can record a small video on how I skipped the hw check, but I would like to solve it and make a full tutorial...
GIV Posted January 21, 2016 (Author, edited) My first thought is that the password check is virtualized. So a helpful thing would be to find all the VM's entries and put a bp on them. After you enter the pass an entry must be called, and from there it is just one step. This is just a guess though, and I did not test it, but it can be a start. Edited January 21, 2016 by GIV
GIV Posted January 21, 2016 (Author, edited) 19 hours ago, kao said: "Hrmmpfff.. Teddy is becoming evil! There was a valid question about Enigma VMware detection, and here's the answer. Enigma uses the most common VMware detection method:

eax=564D5868 ebx=00000000 ecx=0000000A edx=00005658 esi=00684584 edi=006891F0
eip=00B0DA17 esp=0012FED4 ebp=0012FEF0
00b0da17 ed in eax, dx

The entire check and SEH handler are virtualized, so it's not easy to patch it. But you can put a breakpoint there, modify the EAX value and continue execution. Or you can hide your VMware better by using this setting in VMX files: isolation.tools.getVersion.disable = "TRUE" For a full list of possible tweaks in VMX files, see http://sanbarrow.com/vmx/vmx-advanced.html and this presentation."

Hi kao, and thanks for the hint. I have made another unpackme just with virtual machine detection and searched for the right pattern pointed out in my unpackme (I have extrapolated the pattern and found it at another address).

009D4B71 ED IN EAX,DX ; I/O command
009D4B72 68 49D8C3A3 PUSH 0xA3C3D849
009D4B77 ^ E9 D89EBCFF JMP keygenme.0059EA54

I put a HWBP/exec on 009D4B71, but the bp is not hit and the program says that it will not run under VMware. Did I miss the patch point, or what else am I doing wrong? The unpackme is attached. keygenme v2.0_VMWare_check.rar Edited January 21, 2016 by GIV
crystalboy Posted January 21, 2016 (edited) @giv I didn't find the RVA where the check is made in your second keygenme with the VMware check, but it is easily fixable.
- Just break on the RET of VirtualAlloc.
- Run.
- The breakpoint will be hit (remove it).
- Search in memory for the VMXh magic value 0x564D5868; mind the endianness, it will be 0x68584D56, so search for that.
- You will find two results in memory: 0xA571C5 and 0xA572AD; the first is the right one.
- Just overwrite the dword with a chosen value and run.
I tried to find the VA using a hardware breakpoint on access on the first result, but Enigma caught me. If @kao can give a way to understand how to find the VA, I am also curious. Edited January 21, 2016 by crystalboy
GIV Posted January 21, 2016 (Author, edited) I searched before (both normal and little endian), but I think I did not search at the right time. Now I tried what you say, but it is no use. I have attached a short video. Video.rar Edited January 21, 2016 by GIV
kao Posted January 21, 2016 I have a private tool for that, sorry. But it's so easy to hide VMware that you should never spend time trying to find the actual "in eax, dx" instruction. For your keygenme v2.0_VMWare_check.rar the correct place should be this:

eax=564D5868 ebx=00000000 ecx=0000000A edx=00005658 esi=0056F584 edi=005741F0
eip=009DF8CB esp=0012FED4 ebp=0012FEF0
009df8cb ed in eax, dx
GIV Posted January 21, 2016 (Author) Yep, I got it. In fact there is no need for a private tool. The pattern is: ED68????????E9??????FF In Olly, after you have reached VirtualAlloc and executed it. Due to obfuscation Olly does not find the right spot, but I think it is easy to fix that via a simple OllyScript automation. I will check that.
crystalboy Posted January 21, 2016 @giv Quote: "Just overwrite the dword with a chosen value and run." In the attachment is what I meant with my sentence. By the way, the pattern is right; I took the same approach too after sending my previous message. sample.rar