Tuts 4 You
Difficulty : 5
Language : Borland
Platform : Windows
OS Version :  Windows 7
Packer / Protector : Themida 2.3.2.0, Enigma 3.80

Description :

Simple modify section, import table

Screenshot :


UnPackMeDemo.7z


 

Solved by icarusdc


Just old Olly scripts can beat these old protections easily, so I think the difficulty is 1 or 2.


First layer: Enigma 3.70

Second layer: Themida

OEP:

0044F378     55                PUSH EBP                                                               ; <-OEP found by GIV
0044F379     8BEC              MOV EBP,ESP
0044F37B     83C4 F0           ADD ESP,-0x10
0044F37E     B8 98F14400       MOV EAX,100.0044F198
0044F383     E8 4068FBFF       CALL 100.00405BC8
0044F388     A1 F40F4500       MOV EAX,DWORD PTR DS:[0x450FF4]
0044F38D     8B00              MOV EAX,DWORD PTR DS:[EAX]                                             ; 100.00905A4D
0044F38F     E8 50E5FFFF       CALL 100.0044D8E4
0044F394     8B0D D0104500     MOV ECX,DWORD PTR DS:[0x4510D0]                                        ; 100.00452BD0
0044F39A     A1 F40F4500       MOV EAX,DWORD PTR DS:[0x450FF4]
0044F39F     8B00              MOV EAX,DWORD PTR DS:[EAX]                                             ; 100.00905A4D
0044F3A1     8B15 84EE4400     MOV EDX,DWORD PTR DS:[0x44EE84]                                        ; 100.0044EED0
0044F3A7     E8 50E5FFFF       CALL 100.0044D8FC
0044F3AC     A1 F40F4500       MOV EAX,DWORD PTR DS:[0x450FF4]
0044F3B1     8B00              MOV EAX,DWORD PTR DS:[EAX]                                             ; 100.00905A4D
0044F3B3     E8 C4E5FFFF       CALL 100.0044D97C
0044F3B8     E8 6349FBFF       CALL 100.00403D20
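An added example, not part of GIV's post or of any unpacking script: a small Python pattern scanner for the Borland/Delphi-style prologue shown at the OEP above (PUSH EBP / MOV EBP,ESP / ADD ESP,-0x10 / MOV EAX,imm32 / CALL rel32). The imm32 and rel32 operands are wildcarded, and the CALL displacement is resolved so a candidate can be sanity-checked against the image. The sample buffer, its base address and the decoy prologue are constructed for the demonstration; the prologue bytes themselves come from the listing.

```python
import struct

# Borland/Delphi-style prologue as it appears at this UnpackMe's OEP (bytes taken
# from the listing above): PUSH EBP / MOV EBP,ESP / ADD ESP,-0x10 / MOV EAX,imm32 / CALL rel32.
# The imm32 and rel32 operands differ per binary, so the mask wildcards them (0x00).
PROLOGUE = bytes.fromhex("558BEC83C4F0B8" "00000000" "E8" "00000000")
MASK     = bytes.fromhex("FFFFFFFFFFFFFF" "00000000" "FF" "00000000")

def masked_match(buf, off):
    """True when buf[off:] matches PROLOGUE on every byte where MASK is 0xFF."""
    if off + len(PROLOGUE) > len(buf):
        return False
    return all((buf[off + i] & MASK[i]) == PROLOGUE[i] for i in range(len(PROLOGUE)))

def scan_oep_candidates(image, base_va):
    """Return [(va, mov_eax_imm32, call_target)] for every prologue hit in the buffer.
    call_target is the resolved CALL rel32 destination: next_insn_va + rel32."""
    hits = []
    for off in range(len(image)):
        if masked_match(image, off):
            imm = struct.unpack_from("<I", image, off + 7)[0]
            rel = struct.unpack_from("<i", image, off + 12)[0]
            target = (base_va + off + len(PROLOGUE) + rel) & 0xFFFFFFFF
            hits.append((base_va + off, imm, target))
    return hits

# Constructed sample "dump" (not from the post): INT3 filler, a decoy prologue
# with a different frame size (ADD ESP,-8), then the real OEP bytes from the
# listing positioned so they land at VA 0044F378 under a constructed base.
OEP_BYTES = bytes.fromhex("558BEC83C4F0B898F14400E84068FBFF")
DECOY     = bytes.fromhex("558BEC83C4F8B898F14400E84068FBFF")
BASE_VA = 0x44F300
SAMPLE = b"\xCC" * 0x40 + DECOY + b"\xCC" * 0x28 + OEP_BYTES + b"\xCC" * 0x10

if __name__ == "__main__":
    for va, imm, target in scan_oep_candidates(SAMPLE, BASE_VA):
        print(f"candidate OEP {va:08X}: MOV EAX,{imm:08X}; CALL {target:08X}")
```

On the constructed buffer the only hit is 0044F378, and the resolved CALL target is 00405BC8, matching the listing; the decoy with a different frame size is rejected because the ADD ESP immediate is part of the pattern. A real scanner would loosen that byte, since Delphi frame sizes vary, and would walk a dump section by section rather than one flat buffer.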

 

  • Solution

So I tried to apply what I learned from this forum to this UnpackMe.

The steps I took to unpack this file:

1. Analyzing the protection. The analyzer says it is protected by Enigma.

2. Unpacking with LCF-AT's script. It failed, so I tried to follow SHADOW_UA's manual unpacking.

3. Break on the EP. It seems to have another protection. As Modify mentions in his post, this file has Themida and Enigma. So I tried to use the Themida OEP script from GIV to find the OEP. And yes, I finally break on the OEP. The question is the IAT and other stuff, so I chose to use LCF-AT's script again.

4. Repeat step 2 to reach the EP, then use LCF-AT's Themida script. It fails on some lines, so I edited these and resumed the script.

5. After the script is done, the target still has some invalid APIs. I guess they come from Enigma's API redirection. So once again I followed SHADOW_UA's manual unpacking to fix these APIs.

6. Dump & fix dump.

7. Done.

 

So this is just an UnpackMe, but I tried to crack it. I loaded the dump into Olly and searched for all referenced text strings. I found an interesting string at VA 0044F07D.

0044F02C  /.  55            PUSH EBP
0044F02D  |.  8BEC          MOV EBP,ESP
0044F02F  |.  6A 00         PUSH 0x0
0044F031  |.  6A 00         PUSH 0x0
0044F033  |.  6A 00         PUSH 0x0
0044F035  |.  53            PUSH EBX
0044F036  |.  8BD8          MOV EBX,EAX
0044F038  |.  33C0          XOR EAX,EAX
0044F03A  |.  55            PUSH EBP
0044F03B  |.  68 CCF04400   PUSH 0x44F0CC
0044F040  |.  64:FF30       PUSH DWORD PTR FS:[EAX]
0044F043  |.  64:8920       MOV DWORD PTR FS:[EAX],ESP
0044F046  |.  8D55 FC       LEA EDX,DWORD PTR SS:[EBP-0x4]
0044F049  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F04F  |.  E8 E8F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F054  |.  837D FC 00    CMP DWORD PTR SS:[EBP-0x4],0x0
0044F058  |.  8D55 F8       LEA EDX,DWORD PTR SS:[EBP-0x8]
0044F05B  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F061  |.  E8 D6F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F066  |.  837D F8 00    CMP DWORD PTR SS:[EBP-0x8],0x0
0044F06A  |.  74 45         JE SHORT 0044F0B1                        ;  0044F0B1
0044F06C  |.  8D55 F4       LEA EDX,DWORD PTR SS:[EBP-0xC]
0044F06F  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F075  |.  E8 C2F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F07A  |.  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-0xC]
0044F07D  |.  BA E0F04400   MOV EDX,0x44F0E0                         ;  ASCII "vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b"
0044F082  |.  E8 9551FBFF   CALL 0040421C                            ;  0040421C
0044F087  |.  75 15         JNZ SHORT 0044F09E                       ;  0044F09E
0044F089  |.  6A 00         PUSH 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
0044F08B  |.  68 0CF14400   PUSH 0x44F10C                            ; |Title = ""
0044F090  |.  68 10F14400   PUSH 0x44F110                            ; |Text = "All Done, Nice Job"
0044F095  |.  6A 00         PUSH 0x0                                 ; |hOwner = NULL
0044F097  |.  E8 FC73FBFF   CALL 00406498                            ; \MessageBoxA
0044F09C  |.  EB 13         JMP SHORT 0044F0B1                       ;  0044F0B1
0044F09E  |>  6A 00         PUSH 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
0044F0A0  |.  68 0CF14400   PUSH 0x44F10C                            ; |Title = ""
0044F0A5  |.  68 24F14400   PUSH 0x44F124                            ; |Text = "You Enter Wrong Key"
0044F0AA  |.  6A 00         PUSH 0x0                                 ; |hOwner = NULL
0044F0AC  |.  E8 E773FBFF   CALL 00406498                            ; \MessageBoxA
0044F0B1  |>  33C0          XOR EAX,EAX
0044F0B3  |.  5A            POP EDX
0044F0B4  |.  59            POP ECX
0044F0B5  |.  59            POP ECX
0044F0B6  |.  64:8910       MOV DWORD PTR FS:[EAX],EDX
0044F0B9  |.  68 D3F04400   PUSH 0x44F0D3
0044F0BE  |>  8D45 F4       LEA EAX,DWORD PTR SS:[EBP-0xC]
0044F0C1  |.  BA 03000000   MOV EDX,0x3
0044F0C6  |.  E8 694DFBFF   CALL 00403E34                            ;  00403E34
0044F0CB  \.  C3            RETN
0044F0CC   .^ E9 4347FBFF   JMP 00403814                             ;  00403814
0044F0D1   .^ EB EB         JMP SHORT 0044F0BE                       ;  0044F0BE
0044F0D3   .  5B            POP EBX
0044F0D4   .  8BE5          MOV ESP,EBP
0044F0D6   .  5D            POP EBP
0044F0D7   .  C3            RETN

 

After patching some bytes:

0044F02C   .  55            PUSH EBP
0044F02D   .  8BEC          MOV EBP,ESP
0044F02F   .  6A 00         PUSH 0x0
0044F031   .  6A 00         PUSH 0x0
0044F033   .  6A 00         PUSH 0x0
0044F035   .  53            PUSH EBX
0044F036   .  8BD8          MOV EBX,EAX
0044F038   .  33C0          XOR EAX,EAX
0044F03A   .  55            PUSH EBP
0044F03B   .  68 CCF04400   PUSH 0x44F0CC
0044F040   .  64:FF30       PUSH DWORD PTR FS:[EAX]
0044F043   .  64:8920       MOV DWORD PTR FS:[EAX],ESP
0044F046   .  8D55 FC       LEA EDX,DWORD PTR SS:[EBP-0x4]
0044F049   .  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F04F   .  E8 E8F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F054   .  837D FC 00    CMP DWORD PTR SS:[EBP-0x4],0x0
0044F058   .  8D55 F8       LEA EDX,DWORD PTR SS:[EBP-0x8]
0044F05B   .  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F061   .  E8 D6F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F066   .  837D F8 00    CMP DWORD PTR SS:[EBP-0x8],0x0
0044F06A   .  90            NOP
0044F06B   .  90            NOP
0044F06C   .  8D55 F4       LEA EDX,DWORD PTR SS:[EBP-0xC]
0044F06F   .  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F075   .  E8 C2F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F07A   .  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-0xC]
0044F07D   .  BA E0F04400   MOV EDX,0x44F0E0                         ;  ASCII "vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b"
0044F082   .  E8 9551FBFF   CALL 0040421C                            ;  0040421C
0044F087   .  90            NOP
0044F088   .  90            NOP
0044F089   .  6A 00         PUSH 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
0044F08B   .  68 0CF14400   PUSH 0x44F10C                            ; |Title = ""
0044F090   .  68 10F14400   PUSH 0x44F110                            ; |Text = "All Done, Nice Job"
0044F095   .  6A 00         PUSH 0x0                                 ; |hOwner = NULL
0044F097   .  E8 FC73FBFF   CALL 00406498                            ; \MessageBoxA
0044F09C   .  EB 13         JMP SHORT 0044F0B1                       ;  0044F0B1
0044F09E   .  6A 00         PUSH 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
0044F0A0   .  68 0CF14400   PUSH 0x44F10C                            ; |Title = ""
0044F0A5   .  68 24F14400   PUSH 0x44F124                            ; |Text = "You Enter Wrong Key"
0044F0AA   .  6A 00         PUSH 0x0                                 ; |hOwner = NULL
0044F0AC   .  E8 E773FBFF   CALL 00406498                            ; \MessageBoxA
0044F0B1   >  33C0          XOR EAX,EAX
0044F0B3   .  5A            POP EDX
0044F0B4   .  59            POP ECX
0044F0B5   .  59            POP ECX
0044F0B6   .  64:8910       MOV DWORD PTR FS:[EAX],EDX
0044F0B9   .  68 D3F04400   PUSH 0x44F0D3
0044F0BE   >  8D45 F4       LEA EAX,DWORD PTR SS:[EBP-0xC]
0044F0C1   .  BA 03000000   MOV EDX,0x3
0044F0C6   .  E8 694DFBFF   CALL 00403E34                            ;  00403E34
0044F0CB   .  C3            RETN
0044F0CC   .^ E9 4347FBFF   JMP 00403814                             ;  00403814
0044F0D1   .^ EB EB         JMP SHORT 0044F0BE                       ;  0044F0BE
0044F0D3   .  5B            POP EBX
0044F0D4   .  8BE5          MOV ESP,EBP
0044F0D6   .  5D            POP EBP
0044F0D7   .  C3            RETN

 

Running the target and clicking the button: yes, the good boy message appears.

Hope this helps
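An added example, not icarusdc's code: using the two listings above, this Python script diffs the original and patched bytes of the routine at 0044F02C and reports each change, resolving the target of every short conditional jump that was neutralised. The original bytes are transcribed from the first listing; the patched copy is reconstructed by applying the two NOP edits shown in the second. Comparing a dump against known-good bytes this way is the basic check an integrity or tamper-detection routine performs, and it is how an analyst confirms exactly what a patch touched.

```python
import struct

# Bytes of the routine at 0044F02C-0044F0D7, transcribed from the first
# (unpatched) listing in the post above.
FUNC_VA = 0x44F02C
ORIG = bytes.fromhex("""
55 8BEC 6A00 6A00 6A00 53 8BD8 33C0 55 68CCF04400 64FF30 648920
8D55FC 8B83FC020000 E8E8F3FDFF 837DFC00 8D55F8 8B83FC020000 E8D6F3FDFF
837DF800 7445 8D55F4 8B83FC020000 E8C2F3FDFF 8B45F4 BAE0F04400 E89551FBFF
7515 6A00 680CF14400 6810F14400 6A00 E8FC73FBFF EB13 6A00 680CF14400
6824F14400 6A00 E8E773FBFF 33C0 5A 59 59 648910 68D3F04400 8D45F4
BA03000000 E8694DFBFF C3 E94347FBFF EBEB 5B 8BE5 5D C3
""")

# The patched copy, reconstructed from the second listing: the JE at 0044F06A
# and the JNZ at 0044F087 are each replaced by two NOPs (0x90).
PATCHED = bytearray(ORIG)
for _va in (0x44F06A, 0x44F087):
    _off = _va - FUNC_VA
    PATCHED[_off:_off + 2] = b"\x90\x90"
PATCHED = bytes(PATCHED)

def diff_regions(orig, new, base_va):
    """Return [(va, original_bytes, new_bytes)] for every run of differing bytes."""
    if len(orig) != len(new):
        raise ValueError("buffers must cover the same address range")
    regions, i = [], 0
    while i < len(orig):
        if orig[i] == new[i]:
            i += 1
            continue
        j = i
        while j < len(orig) and orig[j] != new[j]:
            j += 1
        regions.append((base_va + i, orig[i:j], new[i:j]))
        i = j
    return regions

def jcc_target(va, insn):
    """Destination of a short conditional jump (opcode 0x70-0x7F, signed rel8)."""
    if len(insn) != 2 or not 0x70 <= insn[0] <= 0x7F:
        raise ValueError("not a Jcc rel8 instruction")
    rel = struct.unpack("<b", insn[1:2])[0]
    return (va + 2 + rel) & 0xFFFFFFFF

def audit(orig, new, base_va):
    """Describe each change, flagging the classic 'Jcc -> NOP NOP' branch neutralisation."""
    report = []
    for va, old, cur in diff_regions(orig, new, base_va):
        if len(old) == 2 and 0x70 <= old[0] <= 0x7F and cur == b"\x90\x90":
            report.append(f"{va:08X}: Jcc to {jcc_target(va, old):08X} replaced by NOPs")
        else:
            report.append(f"{va:08X}: {old.hex()} -> {cur.hex()}")
    return report

if __name__ == "__main__":
    for line in audit(ORIG, PATCHED, FUNC_VA):
        print(line)
```

The audit reports the two neutralised branches and their original destinations, 0044F0B1 (the common exit) and 0044F09E (the "wrong key" message), which match the listing. The byte-run diff splits a region wherever a patched byte happens to equal the original one; for larger edits, a disassembler-aware comparison is the better tool.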

 

Salam

Sorry, but I don't have much time to look, but here it is.

Serial:


vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b

Attached is unpacked and cleaned file.

Tested on XP.

100_unpacked_size_reduced.rar

 

Step 1.

Bypass the Enigma layer. Just use Shadow_UA's method.

Step 2.

Use LCF-AT script for Themida.

Step 3.

Remove the useless sections via LordPE and rebuild the file.

 

Edited by GIV
