Modify (posted January 23, 2016)

Difficulty: 5
Language: Borland
Platform: Windows
OS Version: Windows 7
Packer / Protector: Themida 2.3.2.0, Enigma 3.80
Description: Simple modify section, import table
Screenshot: UnPackMeDemo.7z
Reasen (posted January 23, 2016)

Just old Olly scripts can beat these old protections easily, so I think the difficulty is 1 or 2.
GIV (posted February 16, 2016)

First layer: Enigma 3.70
Second layer: Themida

OEP:

0044F378  55             PUSH EBP                           ; <-OEP found by GIV
0044F379  8BEC           MOV EBP,ESP
0044F37B  83C4 F0        ADD ESP,-0x10
0044F37E  B8 98F14400    MOV EAX,100.0044F198
0044F383  E8 4068FBFF    CALL 100.00405BC8
0044F388  A1 F40F4500    MOV EAX,DWORD PTR DS:[0x450FF4]
0044F38D  8B00           MOV EAX,DWORD PTR DS:[EAX]         ; 100.00905A4D
0044F38F  E8 50E5FFFF    CALL 100.0044D8E4
0044F394  8B0D D0104500  MOV ECX,DWORD PTR DS:[0x4510D0]    ; 100.00452BD0
0044F39A  A1 F40F4500    MOV EAX,DWORD PTR DS:[0x450FF4]
0044F39F  8B00           MOV EAX,DWORD PTR DS:[EAX]         ; 100.00905A4D
0044F3A1  8B15 84EE4400  MOV EDX,DWORD PTR DS:[0x44EE84]    ; 100.0044EED0
0044F3A7  E8 50E5FFFF    CALL 100.0044D8FC
0044F3AC  A1 F40F4500    MOV EAX,DWORD PTR DS:[0x450FF4]
0044F3B1  8B00           MOV EAX,DWORD PTR DS:[EAX]         ; 100.00905A4D
0044F3B3  E8 C4E5FFFF    CALL 100.0044D97C
0044F3B8  E8 6349FBFF    CALL 100.00403D20
icarusdc (posted February 17, 2016, marked as solution)

So I tried to apply what I learned from this forum to this UnpackMe. The steps I took to unpack this file:

1. Analyzing the protection. The analyzer says it is protected by Enigma.
2. Unpacking with LCF-AT's script. It fails, so I tried to follow SHADOW_UA's manual unpacking.
3. Breaks on EP. It seems to have another protection. As Modify mentions in his post, this file has Themida and Enigma. So I tried to use the Themida OEP script from GIV to find the OEP. And yes, I finally break on the OEP. The question is the IAT and other stuff, so I chose to use LCF-AT's script again.
4. Repeating step 2 to reach the EP, then using LCF-AT's Themida script. It fails on some lines, so I edited these and then resumed the script.
5. After the script is done, the target still has some invalid APIs. I guess they come from Enigma's API redirection. So once again I followed SHADOW_UA's manual unpacking to fix these APIs.
6. Dump & fix dump.
7. Done.

So this is just an UnpackMe, but I tried to crack it. I loaded the dump into Olly and searched for all referenced text strings. Found an interesting string at VA 0044F07D.

0044F02C /.  55             PUSH EBP
0044F02D |.  8BEC           MOV EBP,ESP
0044F02F |.  6A 00          PUSH 0x0
0044F031 |.  6A 00          PUSH 0x0
0044F033 |.  6A 00          PUSH 0x0
0044F035 |.  53             PUSH EBX
0044F036 |.  8BD8           MOV EBX,EAX
0044F038 |.  33C0           XOR EAX,EAX
0044F03A |.  55             PUSH EBP
0044F03B |.  68 CCF04400    PUSH 0x44F0CC
0044F040 |.  64:FF30        PUSH DWORD PTR FS:[EAX]
0044F043 |.  64:8920        MOV DWORD PTR FS:[EAX],ESP
0044F046 |.  8D55 FC        LEA EDX,DWORD PTR SS:[EBP-0x4]
0044F049 |.  8B83 FC020000  MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F04F |.  E8 E8F3FDFF    CALL 0042E43C                    ; 0042E43C
0044F054 |.  837D FC 00     CMP DWORD PTR SS:[EBP-0x4],0x0
0044F058 |.  8D55 F8        LEA EDX,DWORD PTR SS:[EBP-0x8]
0044F05B |.  8B83 FC020000  MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F061 |.  E8 D6F3FDFF    CALL 0042E43C                    ; 0042E43C
0044F066 |.  837D F8 00     CMP DWORD PTR SS:[EBP-0x8],0x0
0044F06A |.  74 45          JE SHORT 0044F0B1                ; 0044F0B1
0044F06C |.  8D55 F4        LEA EDX,DWORD PTR SS:[EBP-0xC]
0044F06F |.  8B83 FC020000  MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F075 |.  E8 C2F3FDFF    CALL 0042E43C                    ; 0042E43C
0044F07A |.  8B45 F4        MOV EAX,DWORD PTR SS:[EBP-0xC]
0044F07D |.  BA E0F04400    MOV EDX,0x44F0E0                 ; ASCII "vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b"
0044F082 |.  E8 9551FBFF    CALL 0040421C                    ; 0040421C
0044F087 |.  75 15          JNZ SHORT 0044F09E               ; 0044F09E
0044F089 |.  6A 00          PUSH 0x0                         ; /Style = MB_OK|MB_APPLMODAL
0044F08B |.  68 0CF14400    PUSH 0x44F10C                    ; |Title = ""
0044F090 |.  68 10F14400    PUSH 0x44F110                    ; |Text = "All Done, Nice Job"
0044F095 |.  6A 00          PUSH 0x0                         ; |hOwner = NULL
0044F097 |.  E8 FC73FBFF    CALL 00406498                    ; \MessageBoxA
0044F09C |.  EB 13          JMP SHORT 0044F0B1               ; 0044F0B1
0044F09E |>  6A 00          PUSH 0x0                         ; /Style = MB_OK|MB_APPLMODAL
0044F0A0 |.  68 0CF14400    PUSH 0x44F10C                    ; |Title = ""
0044F0A5 |.  68 24F14400    PUSH 0x44F124                    ; |Text = "You Enter Wrong Key"
0044F0AA |.  6A 00          PUSH 0x0                         ; |hOwner = NULL
0044F0AC |.  E8 E773FBFF    CALL 00406498                    ; \MessageBoxA
0044F0B1 |>  33C0           XOR EAX,EAX
0044F0B3 |.  5A             POP EDX
0044F0B4 |.  59             POP ECX
0044F0B5 |.  59             POP ECX
0044F0B6 |.  64:8910        MOV DWORD PTR FS:[EAX],EDX
0044F0B9 |.  68 D3F04400    PUSH 0x44F0D3
0044F0BE |>  8D45 F4        LEA EAX,DWORD PTR SS:[EBP-0xC]
0044F0C1 |.  BA 03000000    MOV EDX,0x3
0044F0C6 |.  E8 694DFBFF    CALL 00403E34                    ; 00403E34
0044F0CB \.  C3             RETN
0044F0CC .^  E9 4347FBFF    JMP 00403814                     ; 00403814
0044F0D1 .^  EB EB          JMP SHORT 0044F0BE               ; 0044F0BE
0044F0D3 .   5B             POP EBX
0044F0D4 .   8BE5           MOV ESP,EBP
0044F0D6 .   5D             POP EBP
0044F0D7 .   C3             RETN

After patching some bytes:

0044F02C .   55             PUSH EBP
0044F02D .   8BEC           MOV EBP,ESP
0044F02F .   6A 00          PUSH 0x0
0044F031 .   6A 00          PUSH 0x0
0044F033 .   6A 00          PUSH 0x0
0044F035 .   53             PUSH EBX
0044F036 .   8BD8           MOV EBX,EAX
0044F038 .   33C0           XOR EAX,EAX
0044F03A .   55             PUSH EBP
0044F03B .   68 CCF04400    PUSH 0x44F0CC
0044F040 .   64:FF30        PUSH DWORD PTR FS:[EAX]
0044F043 .   64:8920        MOV DWORD PTR FS:[EAX],ESP
0044F046 .   8D55 FC        LEA EDX,DWORD PTR SS:[EBP-0x4]
0044F049 .   8B83 FC020000  MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F04F .   E8 E8F3FDFF    CALL 0042E43C                    ; 0042E43C
0044F054 .   837D FC 00     CMP DWORD PTR SS:[EBP-0x4],0x0
0044F058 .   8D55 F8        LEA EDX,DWORD PTR SS:[EBP-0x8]
0044F05B .   8B83 FC020000  MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F061 .   E8 D6F3FDFF    CALL 0042E43C                    ; 0042E43C
0044F066 .   837D F8 00     CMP DWORD PTR SS:[EBP-0x8],0x0
0044F06A .   90             NOP
0044F06B .   90             NOP
0044F06C .   8D55 F4        LEA EDX,DWORD PTR SS:[EBP-0xC]
0044F06F .   8B83 FC020000  MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F075 .   E8 C2F3FDFF    CALL 0042E43C                    ; 0042E43C
0044F07A .   8B45 F4        MOV EAX,DWORD PTR SS:[EBP-0xC]
0044F07D .   BA E0F04400    MOV EDX,0x44F0E0                 ; ASCII "vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b"
0044F082 .   E8 9551FBFF    CALL 0040421C                    ; 0040421C
0044F087 .   90             NOP
0044F088 .   90             NOP
0044F089 .   6A 00          PUSH 0x0                         ; /Style = MB_OK|MB_APPLMODAL
0044F08B .   68 0CF14400    PUSH 0x44F10C                    ; |Title = ""
0044F090 .   68 10F14400    PUSH 0x44F110                    ; |Text = "All Done, Nice Job"
0044F095 .   6A 00          PUSH 0x0                         ; |hOwner = NULL
0044F097 .   E8 FC73FBFF    CALL 00406498                    ; \MessageBoxA
0044F09C .   EB 13          JMP SHORT 0044F0B1               ; 0044F0B1
0044F09E .   6A 00          PUSH 0x0                         ; /Style = MB_OK|MB_APPLMODAL
0044F0A0 .   68 0CF14400    PUSH 0x44F10C                    ; |Title = ""
0044F0A5 .   68 24F14400    PUSH 0x44F124                    ; |Text = "You Enter Wrong Key"
0044F0AA .   6A 00          PUSH 0x0                         ; |hOwner = NULL
0044F0AC .   E8 E773FBFF    CALL 00406498                    ; \MessageBoxA
0044F0B1 >   33C0           XOR EAX,EAX
0044F0B3 .   5A             POP EDX
0044F0B4 .   59             POP ECX
0044F0B5 .   59             POP ECX
0044F0B6 .   64:8910        MOV DWORD PTR FS:[EAX],EDX
0044F0B9 .   68 D3F04400    PUSH 0x44F0D3
0044F0BE >   8D45 F4        LEA EAX,DWORD PTR SS:[EBP-0xC]
0044F0C1 .   BA 03000000    MOV EDX,0x3
0044F0C6 .   E8 694DFBFF    CALL 00403E34                    ; 00403E34
0044F0CB .   C3             RETN
0044F0CC .^  E9 4347FBFF    JMP 00403814                     ; 00403814
0044F0D1 .^  EB EB          JMP SHORT 0044F0BE               ; 0044F0BE
0044F0D3 .   5B             POP EBX
0044F0D4 .   8BE5           MOV ESP,EBP
0044F0D6 .   5D             POP EBP
0044F0D7 .   C3             RETN

Running the target and clicking the button: yes, the good-boy message appears.

Hope this helps.
Salam
GIV (posted February 18, 2016, edited)

Sorry, but I don't have much time to look, but here it is.

Serial: vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b

Attached is the unpacked and cleaned file. Tested on XP.
100_unpacked_size_reduced.rar

Step 1. Bypass the Enigma layer. Just use Shadow_UA's method.
Step 2. Use LCF-AT's script for Themida.
Step 3. Remove useless sections via LordPE and rebuild the file.

Edited February 18, 2016 by GIV
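Added example, not code from this thread or from any of the tools named in it: a small section-table walker for the "Dump & fix dump" step above and GIV's "remove useless sections and rebuild" step. It parses the IMAGE_SECTION_HEADER entries of a PE file and flags sections that carry no raw data (what a rebuild normally drops) or that are writable and executable at once. The sample image it builds is constructed inline and its section names are made up.

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics
SECTION_HDR = "<8sIIIIIIHHI"
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def parse_sections(pe: bytes) -> list:
    """Walk the section table of a PE image and return one dict per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[:2] != b"MZ" or pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]   # SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size                            # first section header
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            SECTION_HDR, pe, first + 40 * i)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "raw_size": rsize, "raw_ptr": rptr,
            "no_raw_data": rsize == 0,   # nothing on disk backs this section
            "rwx": bool(chars & IMAGE_SCN_MEM_EXECUTE) and bool(chars & IMAGE_SCN_MEM_WRITE),
        })
    return sections


def build_sample_pe() -> bytes:
    """Constructed sample: DOS header, PE signature, zeroed PE32 optional header, 3 sections."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                  # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                          # PE32 magic, rest zero

    def sec(name, vsize, va, rsize, rptr, chars):
        return struct.pack(SECTION_HDR, name.ljust(8, b"\0"), vsize, va, rsize, rptr, 0, 0, 0, 0, chars)

    return dos + coff + opt + (
        sec(b".text", 0x5000, 0x1000, 0x5000, 0x400, 0x60000020)          # code, r-x
        + sec(b".data", 0x1000, 0x6000, 0x200, 0x5400, 0xC0000040)        # data, rw-
        + sec(b".pack0", 0x3000, 0x7000, 0, 0, 0xE0000020))               # hypothetical leftover, rwx, no raw data


if __name__ == "__main__":
    for s in parse_sections(build_sample_pe()):
        flags = " ".join(k for k in ("no_raw_data", "rwx") if s[k])
        print(f"{s['name']:8} VA={s['va']:#08x} raw={s['raw_size']:#x} {flags}")
```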