Tuts 4 You

Multiple Protection v1.0


Modify
Solved by icarusdc

Difficulty : 5
Language : Borland
Platform : Windows
OS Version :  Windows 7
Packer / Protector : Themida 2.3.2.0, Enigma 3.80

Description :

Simple modified section and import table.

Screenshot :

100.JPG

UnPackMeDemo.7z


 


First layer: Enigma 3.70

Second layer: Themida

OEP:

0044F378     55                PUSH EBP                                                               ; <-OEP found by GIV
0044F379     8BEC              MOV EBP,ESP
0044F37B     83C4 F0           ADD ESP,-0x10
0044F37E     B8 98F14400       MOV EAX,100.0044F198
0044F383     E8 4068FBFF       CALL 100.00405BC8
0044F388     A1 F40F4500       MOV EAX,DWORD PTR DS:[0x450FF4]
0044F38D     8B00              MOV EAX,DWORD PTR DS:[EAX]                                             ; 100.00905A4D
0044F38F     E8 50E5FFFF       CALL 100.0044D8E4
0044F394     8B0D D0104500     MOV ECX,DWORD PTR DS:[0x4510D0]                                        ; 100.00452BD0
0044F39A     A1 F40F4500       MOV EAX,DWORD PTR DS:[0x450FF4]
0044F39F     8B00              MOV EAX,DWORD PTR DS:[EAX]                                             ; 100.00905A4D
0044F3A1     8B15 84EE4400     MOV EDX,DWORD PTR DS:[0x44EE84]                                        ; 100.0044EED0
0044F3A7     E8 50E5FFFF       CALL 100.0044D8FC
0044F3AC     A1 F40F4500       MOV EAX,DWORD PTR DS:[0x450FF4]
0044F3B1     8B00              MOV EAX,DWORD PTR DS:[EAX]                                             ; 100.00905A4D
0044F3B3     E8 C4E5FFFF       CALL 100.0044D97C
0044F3B8     E8 6349FBFF       CALL 100.00403D20

 


Solution by icarusdc

So I tried to apply what I learned from this forum to this UnpackMe.

The steps I took to unpack this file:

1. Analyzing the protection. The analyzer says it is protected by Enigma.

2. Unpacking with LCF-AT's script. It failed, so I tried to follow SHADOW_UA's manual unpacking.

3. Breaking on the EP. It seems to have another protection. As Modify mentions in his post, this file has Themida and Enigma. So I tried to use the Themida OEP script from GIV to find the OEP. And yes, I finally broke on the OEP. The remaining question was the IAT and other stuff, so I chose to use LCF-AT's script again.

4. Repeating step 2 to reach the EP, then using LCF-AT's Themida script. It failed on some lines, so I edited these and then resumed the script.

5. After the script was done, the target still had some invalid APIs. I guess they come from Enigma's API redirection. So once again I followed SHADOW_UA's manual unpacking to fix these APIs.

6. Dump & fix the dump.

7. Done.

 

So this is just an UnpackMe, but I tried to crack it. I loaded the dump into Olly and searched for all referenced text strings. I found an interesting string at VA 0044F07D.

0044F02C  /.  55            PUSH EBP
0044F02D  |.  8BEC          MOV EBP,ESP
0044F02F  |.  6A 00         PUSH 0x0
0044F031  |.  6A 00         PUSH 0x0
0044F033  |.  6A 00         PUSH 0x0
0044F035  |.  53            PUSH EBX
0044F036  |.  8BD8          MOV EBX,EAX
0044F038  |.  33C0          XOR EAX,EAX
0044F03A  |.  55            PUSH EBP
0044F03B  |.  68 CCF04400   PUSH 0x44F0CC
0044F040  |.  64:FF30       PUSH DWORD PTR FS:[EAX]
0044F043  |.  64:8920       MOV DWORD PTR FS:[EAX],ESP
0044F046  |.  8D55 FC       LEA EDX,DWORD PTR SS:[EBP-0x4]
0044F049  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F04F  |.  E8 E8F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F054  |.  837D FC 00    CMP DWORD PTR SS:[EBP-0x4],0x0
0044F058  |.  8D55 F8       LEA EDX,DWORD PTR SS:[EBP-0x8]
0044F05B  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F061  |.  E8 D6F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F066  |.  837D F8 00    CMP DWORD PTR SS:[EBP-0x8],0x0
0044F06A  |.  74 45         JE SHORT 0044F0B1                        ;  0044F0B1
0044F06C  |.  8D55 F4       LEA EDX,DWORD PTR SS:[EBP-0xC]
0044F06F  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F075  |.  E8 C2F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F07A  |.  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-0xC]
0044F07D  |.  BA E0F04400   MOV EDX,0x44F0E0                         ;  ASCII "vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b"
0044F082  |.  E8 9551FBFF   CALL 0040421C                            ;  0040421C
0044F087  |.  75 15         JNZ SHORT 0044F09E                       ;  0044F09E
0044F089  |.  6A 00         PUSH 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
0044F08B  |.  68 0CF14400   PUSH 0x44F10C                            ; |Title = ""
0044F090  |.  68 10F14400   PUSH 0x44F110                            ; |Text = "All Done, Nice Job"
0044F095  |.  6A 00         PUSH 0x0                                 ; |hOwner = NULL
0044F097  |.  E8 FC73FBFF   CALL 00406498                            ; \MessageBoxA
0044F09C  |.  EB 13         JMP SHORT 0044F0B1                       ;  0044F0B1
0044F09E  |>  6A 00         PUSH 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
0044F0A0  |.  68 0CF14400   PUSH 0x44F10C                            ; |Title = ""
0044F0A5  |.  68 24F14400   PUSH 0x44F124                            ; |Text = "You Enter Wrong Key"
0044F0AA  |.  6A 00         PUSH 0x0                                 ; |hOwner = NULL
0044F0AC  |.  E8 E773FBFF   CALL 00406498                            ; \MessageBoxA
0044F0B1  |>  33C0          XOR EAX,EAX
0044F0B3  |.  5A            POP EDX
0044F0B4  |.  59            POP ECX
0044F0B5  |.  59            POP ECX
0044F0B6  |.  64:8910       MOV DWORD PTR FS:[EAX],EDX
0044F0B9  |.  68 D3F04400   PUSH 0x44F0D3
0044F0BE  |>  8D45 F4       LEA EAX,DWORD PTR SS:[EBP-0xC]
0044F0C1  |.  BA 03000000   MOV EDX,0x3
0044F0C6  |.  E8 694DFBFF   CALL 00403E34                            ;  00403E34
0044F0CB  \.  C3            RETN
0044F0CC   .^ E9 4347FBFF   JMP 00403814                             ;  00403814
0044F0D1   .^ EB EB         JMP SHORT 0044F0BE                       ;  0044F0BE
0044F0D3   .  5B            POP EBX
0044F0D4   .  8BE5          MOV ESP,EBP
0044F0D6   .  5D            POP EBP
0044F0D7   .  C3            RETN

 

After patching some bytes:

0044F02C   .  55            PUSH EBP
0044F02D   .  8BEC          MOV EBP,ESP
0044F02F   .  6A 00         PUSH 0x0
0044F031   .  6A 00         PUSH 0x0
0044F033   .  6A 00         PUSH 0x0
0044F035   .  53            PUSH EBX
0044F036   .  8BD8          MOV EBX,EAX
0044F038   .  33C0          XOR EAX,EAX
0044F03A   .  55            PUSH EBP
0044F03B   .  68 CCF04400   PUSH 0x44F0CC
0044F040   .  64:FF30       PUSH DWORD PTR FS:[EAX]
0044F043   .  64:8920       MOV DWORD PTR FS:[EAX],ESP
0044F046   .  8D55 FC       LEA EDX,DWORD PTR SS:[EBP-0x4]
0044F049   .  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F04F   .  E8 E8F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F054   .  837D FC 00    CMP DWORD PTR SS:[EBP-0x4],0x0
0044F058   .  8D55 F8       LEA EDX,DWORD PTR SS:[EBP-0x8]
0044F05B   .  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F061   .  E8 D6F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F066   .  837D F8 00    CMP DWORD PTR SS:[EBP-0x8],0x0
0044F06A   .  90            NOP
0044F06B   .  90            NOP
0044F06C   .  8D55 F4       LEA EDX,DWORD PTR SS:[EBP-0xC]
0044F06F   .  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F075   .  E8 C2F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F07A   .  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-0xC]
0044F07D   .  BA E0F04400   MOV EDX,0x44F0E0                         ;  ASCII "vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b"
0044F082   .  E8 9551FBFF   CALL 0040421C                            ;  0040421C
0044F087   .  90            NOP
0044F088   .  90            NOP
0044F089   .  6A 00         PUSH 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
0044F08B   .  68 0CF14400   PUSH 0x44F10C                            ; |Title = ""
0044F090   .  68 10F14400   PUSH 0x44F110                            ; |Text = "All Done, Nice Job"
0044F095   .  6A 00         PUSH 0x0                                 ; |hOwner = NULL
0044F097   .  E8 FC73FBFF   CALL 00406498                            ; \MessageBoxA
0044F09C   .  EB 13         JMP SHORT 0044F0B1                       ;  0044F0B1
0044F09E   .  6A 00         PUSH 0x0                                 ; /Style = MB_OK|MB_APPLMODAL
0044F0A0   .  68 0CF14400   PUSH 0x44F10C                            ; |Title = ""
0044F0A5   .  68 24F14400   PUSH 0x44F124                            ; |Text = "You Enter Wrong Key"
0044F0AA   .  6A 00         PUSH 0x0                                 ; |hOwner = NULL
0044F0AC   .  E8 E773FBFF   CALL 00406498                            ; \MessageBoxA
0044F0B1   >  33C0          XOR EAX,EAX
0044F0B3   .  5A            POP EDX
0044F0B4   .  59            POP ECX
0044F0B5   .  59            POP ECX
0044F0B6   .  64:8910       MOV DWORD PTR FS:[EAX],EDX
0044F0B9   .  68 D3F04400   PUSH 0x44F0D3
0044F0BE   >  8D45 F4       LEA EAX,DWORD PTR SS:[EBP-0xC]
0044F0C1   .  BA 03000000   MOV EDX,0x3
0044F0C6   .  E8 694DFBFF   CALL 00403E34                            ;  00403E34
0044F0CB   .  C3            RETN
0044F0CC   .^ E9 4347FBFF   JMP 00403814                             ;  00403814
0044F0D1   .^ EB EB         JMP SHORT 0044F0BE                       ;  0044F0BE
0044F0D3   .  5B            POP EBX
0044F0D4   .  8BE5          MOV ESP,EBP
0044F0D6   .  5D            POP EBP
0044F0D7   .  C3            RETN

 

Running the target and clicking the button, and yes, the good boy message appears.

unpackme.jpg

Hope this helps

 

Salam

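The two listings above differ only in two conditional jumps that were overwritten with NOPs. As an added example (not icarusdc's code or anything posted in the thread), the Python below parses OllyDbg-style listings like those, diffs them byte by byte and names the patch shape it finds; from a defender's side this is the check you run to see exactly what a "cleaned" or "fixed" binary had changed against a trusted copy. The sample listings are excerpted from the thread; the parsing rules for the flag and byte columns are my assumptions about OllyDbg 1.10's clipboard format.

```python
import re
from collections import namedtuple
from dataclasses import dataclass

# OllyDbg line: address, optional flow-flag column ("|.", "/.", "\.", ".^", ">"), opcode bytes
# ("8B83 FC020000", "64:FF30"), instruction text, optional ';' comment.
ADDR_RE = re.compile(r'^([0-9A-Fa-f]{8})\s+(.*)$')
FLAG_CHARS = set('/|\\.>^')
BYTES_RE = re.compile(r'^(?:[0-9A-Fa-f]{2}:?)+$')

@dataclass
class Insn:
    addr: int
    opcode: bytes
    text: str   # mnemonic and operands, comment stripped

Change = namedtuple('Change', 'start old new insn kind')  # insn: trusted instruction at start

def parse_listing(listing: str) -> dict[int, Insn]:
    """Parse an OllyDbg-style listing into {address: Insn}."""
    insns = {}
    for raw in listing.splitlines():
        m = ADDR_RE.match(raw.strip())
        if not m:
            continue
        addr, tokens = int(m.group(1), 16), m.group(2).split()
        while tokens and set(tokens[0]) <= FLAG_CHARS:   # drop the flag column
            tokens.pop(0)
        opcode = bytearray()
        # Caveat: a mnemonic that is itself even-length hex (e.g. FADD) would be swallowed here;
        # check_contiguous() then fails on the address mismatch.
        while tokens and BYTES_RE.match(tokens[0]):
            opcode += bytes.fromhex(tokens.pop(0).replace(':', ''))
        insns[addr] = Insn(addr, bytes(opcode), ' '.join(tokens).partition(';')[0].strip())
    return insns

def check_contiguous(insns: dict[int, Insn]) -> bool:
    """Each address plus its opcode length must equal the next address."""
    a = sorted(insns)
    return all(x + len(insns[x].opcode) == y for x, y in zip(a, a[1:]))

def classify(insn, new: bytes) -> str:
    """Name the patch shapes a reviewer recognises at a glance."""
    mnem = insn.text.split()[0].upper() if insn and insn.text else ''
    cond_jump = mnem.startswith('J') and mnem != 'JMP'
    if set(new) == {0x90}:
        return 'conditional jump replaced by NOPs' if cond_jump else 'bytes replaced by NOPs'
    if cond_jump and new[:1] == b'\xEB':   # EB = short JMP opcode
        return 'conditional jump made unconditional'
    return 'bytes modified'

def diff_listings(trusted: dict[int, Insn], suspect: dict[int, Insn]) -> list[Change]:
    """Byte-level diff of two listings, grouped into contiguous changed runs."""
    def bytemap(d):
        return {i.addr + k: b for i in d.values() for k, b in enumerate(i.opcode)}
    tb, sb = bytemap(trusted), bytemap(suspect)
    runs = []
    for a in sorted(x for x in tb.keys() & sb.keys() if tb[x] != sb[x]):
        if runs and runs[-1][1] + 1 == a:
            runs[-1][1] = a
        else:
            runs.append([a, a])
    changes = []
    for s, e in runs:
        old, new = bytes(tb[x] for x in range(s, e + 1)), bytes(sb[x] for x in range(s, e + 1))
        insn = next((i for i in trusted.values() if i.addr <= s < i.addr + len(i.opcode)), None)
        changes.append(Change(s, old, new, insn, classify(insn, new)))
    return changes

# Constructed sample: the serial-check window excerpted from the two listings posted above.
BEFORE = """
0044F06A  |.  74 45         JE SHORT 0044F0B1                        ;  0044F0B1
0044F06C  |.  8D55 F4       LEA EDX,DWORD PTR SS:[EBP-0xC]
0044F06F  |.  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F075  |.  E8 C2F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F07A  |.  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-0xC]
0044F07D  |.  BA E0F04400   MOV EDX,0x44F0E0                         ;  ASCII "vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b"
0044F082  |.  E8 9551FBFF   CALL 0040421C                            ;  0040421C
0044F087  |.  75 15         JNZ SHORT 0044F09E                       ;  0044F09E
"""
AFTER = """
0044F06A   .  90            NOP
0044F06B   .  90            NOP
0044F06C   .  8D55 F4       LEA EDX,DWORD PTR SS:[EBP-0xC]
0044F06F   .  8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F075   .  E8 C2F3FDFF   CALL 0042E43C                            ;  0042E43C
0044F07A   .  8B45 F4       MOV EAX,DWORD PTR SS:[EBP-0xC]
0044F07D   .  BA E0F04400   MOV EDX,0x44F0E0                         ;  ASCII "vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b"
0044F082   .  E8 9551FBFF   CALL 0040421C                            ;  0040421C
0044F087   .  90            NOP
0044F088   .  90            NOP
"""

if __name__ == '__main__':
    before, after = parse_listing(BEFORE), parse_listing(AFTER)
    assert check_contiguous(before) and check_contiguous(after), 'byte column misparsed'
    for c in diff_listings(before, after):
        print(f'{c.start:08X}: {c.old.hex()} -> {c.new.hex()}  {c.insn.text if c.insn else "?"}  [{c.kind}]')
```

The diff works on bytes rather than on instruction lines on purpose: one two-byte JE becomes two one-byte NOP lines in the patched listing, so a line-by-line comparison would report four oddities instead of the two real changes. The contiguity check is the cheap way to notice when the byte column was misparsed.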

Sorry, but I don't have much time to look, but here it is.

Serial:


vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b

Attached is unpacked and cleaned file.

Tested on XP.

100_unpacked_size_reduced.rar

 

Step 1.

Bypass Enigma layer. Just use Shadow_UA method.

Step 2.

Use LCF-AT script for Themida.

Step 3.

Remove the useless sections via LordPE and rebuild the file.

 

Edited by GIV
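GIV's step 3 removes the useless sections with LordPE and rebuilds the file. As an added example (not GIV's tool or anything posted in the thread), the Python below reads a PE32 section table with only the standard library, flags sections that carry no raw data or are both writable and executable, and maps a debugger VA such as 0044F07D to its file offset so a string or patch can be located in the dump. The image it parses is a constructed, headers-only sample: the section layout, the `.packer` name and the image base of 0x400000 are placeholders I chose, not values from the UnpackMe.

```python
import struct

COFF_HDR = '<IHHIIIHH'        # PE signature + IMAGE_FILE_HEADER, 24 bytes
SECTION_HDR = '<8sIIIIIIHHI'  # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000


def parse_sections(image: bytes) -> list[dict]:
    """Read the section table of a PE32 image (headers only; nothing is mapped)."""
    if image[:2] != b'MZ':
        raise ValueError('not a DOS/PE image')
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    sig, _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(COFF_HDR, image, e_lfanew)
    if sig != 0x4550:                                    # 'PE\0\0'
        raise ValueError('PE signature missing')
    off = e_lfanew + 24 + opt_size
    sections = []
    for _ in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, image, off)
        sections.append({'name': name.rstrip(b'\0').decode('ascii', 'replace'), 'vsize': vsize,
                         'va': va, 'rawsize': rawsize, 'rawptr': rawptr, 'chars': chars})
        off += struct.calcsize(SECTION_HDR)
    return sections


def image_base(image: bytes) -> int:
    """ImageBase sits at offset 28 of the PE32 optional header."""
    e_lfanew = struct.unpack_from('<I', image, 0x3C)[0]
    return struct.unpack_from('<I', image, e_lfanew + 24 + 28)[0]


def va_to_offset(image: bytes, va: int):
    """Map a virtual address (as shown in the debugger) to a file offset, or None when
    the address is not backed by raw data on disk."""
    rva = va - image_base(image)
    for s in parse_sections(image):
        if s['va'] <= rva < s['va'] + max(s['vsize'], s['rawsize']):
            delta = rva - s['va']
            return s['rawptr'] + delta if delta < s['rawsize'] else None
    return None


def review(sections: list[dict]) -> list[tuple[str, str]]:
    """Flag sections worth a second look before rebuilding a dump."""
    notes = []
    for s in sections:
        if s['rawsize'] == 0:
            notes.append((s['name'], 'no raw data on disk; contributes nothing to the rebuilt file'))
        if s['chars'] & IMAGE_SCN_MEM_EXECUTE and s['chars'] & IMAGE_SCN_MEM_WRITE:
            notes.append((s['name'], 'writable and executable; typical of a protector stub'))
    return notes


def build_sample_pe() -> bytes:
    """Constructed headers-only PE32 image (not a real dump): three section headers, the
    third a zero-sized W+X section standing in for a leftover protector section."""
    dos = bytearray(0x40)
    dos[:2] = b'MZ'
    struct.pack_into('<I', dos, 0x3C, 0x40)                      # e_lfanew
    opt = bytearray(0xE0)
    struct.pack_into('<H', opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into('<I', opt, 28, 0x400000)                    # ImageBase (assumed)
    coff = struct.pack(COFF_HDR, 0x4550, 0x14C, 3, 0, 0, 0, len(opt), 0x102)
    secs = [(b'.text', 0x50000, 0x1000, 0x50000, 0x400, 0x60000020),
            (b'.data', 0x3000, 0x51000, 0x3000, 0x50400, 0xC0000040),
            (b'.packer', 0x10000, 0x54000, 0, 0, 0xE0000080)]      # placeholder name
    table = b''.join(struct.pack(SECTION_HDR, n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in secs)
    return bytes(dos) + coff + bytes(opt) + table


if __name__ == '__main__':
    pe = build_sample_pe()
    for s in parse_sections(pe):
        print(f"{s['name']:<8} VA {s['va']:08X} vsize {s['vsize']:08X} raw {s['rawsize']:08X} @ {s['rawptr']:08X}")
    print('VA 0044F07D -> file offset', va_to_offset(pe, 0x44F07D))
    for name, note in review(parse_sections(pe)):
        print(f'{name}: {note}')
```

Only the section headers are read, so the script runs on a raw dump whose data directories are still broken; the W+X and zero-raw-size notes are hints for the analyst, not a verdict, since a rebuilt dump may legitimately keep an unusual section.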
