Modify, posted January 23, 2016

Difficulty: 5
Language: Borland
Platform: Windows
OS Version: Windows 7
Packer / Protector: Themida 2.3.2.0, Enigma 3.80
Description: Simple modify section, import table
Screenshot:
UnPackMeDemo.7z
Reasen, posted January 23, 2016

Just old Olly scripts can beat these old protections easily, so I think the difficulty is 1 or 2.
GIV, posted February 16, 2016

First layer: Enigma 3.70
Second layer: Themida

OEP:

0044F378 55 PUSH EBP ; <-OEP found by GIV
0044F379 8BEC MOV EBP,ESP
0044F37B 83C4 F0 ADD ESP,-0x10
0044F37E B8 98F14400 MOV EAX,100.0044F198
0044F383 E8 4068FBFF CALL 100.00405BC8
0044F388 A1 F40F4500 MOV EAX,DWORD PTR DS:[0x450FF4]
0044F38D 8B00 MOV EAX,DWORD PTR DS:[EAX] ; 100.00905A4D
0044F38F E8 50E5FFFF CALL 100.0044D8E4
0044F394 8B0D D0104500 MOV ECX,DWORD PTR DS:[0x4510D0] ; 100.00452BD0
0044F39A A1 F40F4500 MOV EAX,DWORD PTR DS:[0x450FF4]
0044F39F 8B00 MOV EAX,DWORD PTR DS:[EAX] ; 100.00905A4D
0044F3A1 8B15 84EE4400 MOV EDX,DWORD PTR DS:[0x44EE84] ; 100.0044EED0
0044F3A7 E8 50E5FFFF CALL 100.0044D8FC
0044F3AC A1 F40F4500 MOV EAX,DWORD PTR DS:[0x450FF4]
0044F3B1 8B00 MOV EAX,DWORD PTR DS:[EAX] ; 100.00905A4D
0044F3B3 E8 C4E5FFFF CALL 100.0044D97C
0044F3B8 E8 6349FBFF CALL 100.00403D20
icarusdc, posted February 17, 2016 (marked as solution)

So I tried to implement my learning from this forum on this UnpackMe. The steps I took to unpack this file:

1. Analyzing the protection. The analyzer says it is protected by Enigma.
2. Unpacking with LCF-AT's script. It failed, so I tried to follow SHADOW_UA's manual unpacking.
3. Break on EP. It seems to have other protection. As Modify mentions in his post, this file has Themida and Enigma. So I tried to use the Themida OEP script from GIV to find the OEP. And yes, I finally break on the OEP. The question is the IAT and other stuff, so I chose to use LCF-AT's script again.
4. Repeating step 2 to reach EP, then using LCF-AT's Themida script. It fails on some lines, so I edited these and then resumed the script.
5. After the script is done, the target still has some invalid APIs. I guess it's from Enigma's API redirection. So once again I followed SHADOW_UA's manual unpacking to fix these APIs.
6. Dump & fix dump.
7. Done.

So this is just an UnpackMe, but I tried to crack it. I loaded the dump into Olly. Searching for all referenced text strings, I found an interesting string at VA 0044F07D.

0044F02C /. 55 PUSH EBP
0044F02D |. 8BEC MOV EBP,ESP
0044F02F |. 6A 00 PUSH 0x0
0044F031 |. 6A 00 PUSH 0x0
0044F033 |. 6A 00 PUSH 0x0
0044F035 |. 53 PUSH EBX
0044F036 |. 8BD8 MOV EBX,EAX
0044F038 |. 33C0 XOR EAX,EAX
0044F03A |. 55 PUSH EBP
0044F03B |. 68 CCF04400 PUSH 0x44F0CC
0044F040 |. 64:FF30 PUSH DWORD PTR FS:[EAX]
0044F043 |. 64:8920 MOV DWORD PTR FS:[EAX],ESP
0044F046 |. 8D55 FC LEA EDX,DWORD PTR SS:[EBP-0x4]
0044F049 |. 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F04F |. E8 E8F3FDFF CALL 0042E43C ; 0042E43C
0044F054 |. 837D FC 00 CMP DWORD PTR SS:[EBP-0x4],0x0
0044F058 |. 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-0x8]
0044F05B |. 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F061 |. E8 D6F3FDFF CALL 0042E43C ; 0042E43C
0044F066 |. 837D F8 00 CMP DWORD PTR SS:[EBP-0x8],0x0
0044F06A |. 74 45 JE SHORT 0044F0B1 ; 0044F0B1
0044F06C |. 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-0xC]
0044F06F |. 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F075 |. E8 C2F3FDFF CALL 0042E43C ; 0042E43C
0044F07A |. 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC]
0044F07D |. BA E0F04400 MOV EDX,0x44F0E0 ; ASCII "vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b"
0044F082 |. E8 9551FBFF CALL 0040421C ; 0040421C
0044F087 |. 75 15 JNZ SHORT 0044F09E ; 0044F09E
0044F089 |. 6A 00 PUSH 0x0 ; /Style = MB_OK|MB_APPLMODAL
0044F08B |. 68 0CF14400 PUSH 0x44F10C ; |Title = ""
0044F090 |. 68 10F14400 PUSH 0x44F110 ; |Text = "All Done, Nice Job"
0044F095 |. 6A 00 PUSH 0x0 ; |hOwner = NULL
0044F097 |. E8 FC73FBFF CALL 00406498 ; \MessageBoxA
0044F09C |. EB 13 JMP SHORT 0044F0B1 ; 0044F0B1
0044F09E |> 6A 00 PUSH 0x0 ; /Style = MB_OK|MB_APPLMODAL
0044F0A0 |. 68 0CF14400 PUSH 0x44F10C ; |Title = ""
0044F0A5 |. 68 24F14400 PUSH 0x44F124 ; |Text = "You Enter Wrong Key"
0044F0AA |. 6A 00 PUSH 0x0 ; |hOwner = NULL
0044F0AC |. E8 E773FBFF CALL 00406498 ; \MessageBoxA
0044F0B1 |> 33C0 XOR EAX,EAX
0044F0B3 |. 5A POP EDX
0044F0B4 |. 59 POP ECX
0044F0B5 |. 59 POP ECX
0044F0B6 |. 64:8910 MOV DWORD PTR FS:[EAX],EDX
0044F0B9 |. 68 D3F04400 PUSH 0x44F0D3
0044F0BE |> 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-0xC]
0044F0C1 |. BA 03000000 MOV EDX,0x3
0044F0C6 |. E8 694DFBFF CALL 00403E34 ; 00403E34
0044F0CB \. C3 RETN
0044F0CC .^ E9 4347FBFF JMP 00403814 ; 00403814
0044F0D1 .^ EB EB JMP SHORT 0044F0BE ; 0044F0BE
0044F0D3 . 5B POP EBX
0044F0D4 . 8BE5 MOV ESP,EBP
0044F0D6 . 5D POP EBP
0044F0D7 . C3 RETN

After patching some bytes:

0044F02C . 55 PUSH EBP
0044F02D . 8BEC MOV EBP,ESP
0044F02F . 6A 00 PUSH 0x0
0044F031 . 6A 00 PUSH 0x0
0044F033 . 6A 00 PUSH 0x0
0044F035 . 53 PUSH EBX
0044F036 . 8BD8 MOV EBX,EAX
0044F038 . 33C0 XOR EAX,EAX
0044F03A . 55 PUSH EBP
0044F03B . 68 CCF04400 PUSH 0x44F0CC
0044F040 . 64:FF30 PUSH DWORD PTR FS:[EAX]
0044F043 . 64:8920 MOV DWORD PTR FS:[EAX],ESP
0044F046 . 8D55 FC LEA EDX,DWORD PTR SS:[EBP-0x4]
0044F049 . 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F04F . E8 E8F3FDFF CALL 0042E43C ; 0042E43C
0044F054 . 837D FC 00 CMP DWORD PTR SS:[EBP-0x4],0x0
0044F058 . 8D55 F8 LEA EDX,DWORD PTR SS:[EBP-0x8]
0044F05B . 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F061 . E8 D6F3FDFF CALL 0042E43C ; 0042E43C
0044F066 . 837D F8 00 CMP DWORD PTR SS:[EBP-0x8],0x0
0044F06A . 90 NOP
0044F06B . 90 NOP
0044F06C . 8D55 F4 LEA EDX,DWORD PTR SS:[EBP-0xC]
0044F06F . 8B83 FC020000 MOV EAX,DWORD PTR DS:[EBX+0x2FC]
0044F075 . E8 C2F3FDFF CALL 0042E43C ; 0042E43C
0044F07A . 8B45 F4 MOV EAX,DWORD PTR SS:[EBP-0xC]
0044F07D . BA E0F04400 MOV EDX,0x44F0E0 ; ASCII "vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b"
0044F082 . E8 9551FBFF CALL 0040421C ; 0040421C
0044F087 . 90 NOP
0044F088 . 90 NOP
0044F089 . 6A 00 PUSH 0x0 ; /Style = MB_OK|MB_APPLMODAL
0044F08B . 68 0CF14400 PUSH 0x44F10C ; |Title = ""
0044F090 . 68 10F14400 PUSH 0x44F110 ; |Text = "All Done, Nice Job"
0044F095 . 6A 00 PUSH 0x0 ; |hOwner = NULL
0044F097 . E8 FC73FBFF CALL 00406498 ; \MessageBoxA
0044F09C . EB 13 JMP SHORT 0044F0B1 ; 0044F0B1
0044F09E . 6A 00 PUSH 0x0 ; /Style = MB_OK|MB_APPLMODAL
0044F0A0 . 68 0CF14400 PUSH 0x44F10C ; |Title = ""
0044F0A5 . 68 24F14400 PUSH 0x44F124 ; |Text = "You Enter Wrong Key"
0044F0AA . 6A 00 PUSH 0x0 ; |hOwner = NULL
0044F0AC . E8 E773FBFF CALL 00406498 ; \MessageBoxA
0044F0B1 > 33C0 XOR EAX,EAX
0044F0B3 . 5A POP EDX
0044F0B4 . 59 POP ECX
0044F0B5 . 59 POP ECX
0044F0B6 . 64:8910 MOV DWORD PTR FS:[EAX],EDX
0044F0B9 . 68 D3F04400 PUSH 0x44F0D3
0044F0BE > 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-0xC]
0044F0C1 . BA 03000000 MOV EDX,0x3
0044F0C6 . E8 694DFBFF CALL 00403E34 ; 00403E34
0044F0CB . C3 RETN
0044F0CC .^ E9 4347FBFF JMP 00403814 ; 00403814
0044F0D1 .^ EB EB JMP SHORT 0044F0BE ; 0044F0BE
0044F0D3 . 5B POP EBX
0044F0D4 . 8BE5 MOV ESP,EBP
0044F0D6 . 5D POP EBP
0044F0D7 . C3 RETN

Running the target and clicking the button: yes, the Good boy message appears.

Hope this helps.
Salam
GIV, posted February 18, 2016 (edited)

Sorry, but I don't have much time to look, but here it is.

Serial:
vfgnrtg45b5r5b1-brf45b5r4b-bb54rb-br5b4r5b

Attached is the unpacked and cleaned file. Tested on XP.
100_unpacked_size_reduced.rar

Step 1. Bypass the Enigma layer. Just use Shadow_UA's method.
Step 2. Use LCF-AT's script for Themida.
Step 3. Remove the useless sections via LordPE and rebuild the file.

Edited February 18, 2016 by GIV
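Every step in this thread, from the analyzer's "protected by Enigma" verdict through dumping to GIV's "remove the useless sections via LordPE", starts from the PE section table. The script below is an added example, not code from this thread, from the UnpackMe, or from any of the tools named here: a stand-alone Python parser that walks the section table of a PE32 file, measures the byte entropy of each section's raw data, and flags sections that look packed (high-entropy raw bytes, or an executable section with no raw data and a large virtual size, which is the shape of a region a protector fills in at runtime). The in-memory PE fixture, the section names, the 7.5-bit cut-off and the seeded random bytes are all constructed for the example; section header offsets and characteristic flags are the standard PE/COFF layout.

```python
import math
import random
import struct
from collections import Counter

IMAGE_SCN_MEM_EXECUTE = 0x20000000   # standard PE section characteristic
ENTROPY_THRESHOLD = 7.5              # bits per byte; constructed cut-off for this example


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, close to 8.0 for compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def build_sample_pe(sections, file_align=0x200):
    """Build a constructed, minimal PE32 image with only the fields parse_sections reads.
    sections: list of (name: bytes, raw_data: bytes, virtual_size: int, characteristics: int).
    This is a test fixture for the parser, not a loadable executable."""
    size_opt = 0xE0  # size of a PE32 optional header
    headers_len = 0x40 + 4 + 20 + size_opt + 40 * len(sections)
    headers_len = -(-headers_len // file_align) * file_align   # round up to file alignment

    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE signature right after the DOS header

    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, size_opt, 0x0102)
    opt = bytearray(size_opt)
    struct.pack_into("<H", opt, 0x00, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 0x3C, headers_len)    # SizeOfHeaders

    table, raw = b"", b""
    raw_ptr, va = headers_len, 0x1000
    for name, data, vsize, chars in sections:
        padded = data + b"\x00" * (-len(data) % file_align)
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), vsize, va,
                             len(padded), raw_ptr if padded else 0, 0, 0, 0, 0, chars)
        raw_ptr += len(padded)
        va += -(-max(vsize, len(padded)) // 0x1000) * 0x1000
        raw += padded
    header = bytes(dos) + b"PE\x00\x00" + coff + bytes(opt) + table
    return header + b"\x00" * (headers_len - len(header)) + raw


def parse_sections(pe: bytes):
    """Walk the section table of a PE file and return one dict per section."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt          # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize] if rsize else b""
        sections.append({
            "name": name.rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_address": va, "virtual_size": vsize, "raw_size": rsize,
            "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
            "entropy": shannon_entropy(raw),
        })
    return sections


def suspicious_sections(sections, threshold=ENTROPY_THRESHOLD):
    """Names of sections that look packed: high-entropy raw bytes, or an executable
    section with no raw data at all (space that gets filled in memory at runtime)."""
    return [s["name"] for s in sections
            if s["entropy"] >= threshold
            or (s["executable"] and s["raw_size"] == 0 and s["virtual_size"] > 0)]


# Constructed fixture: a plain code section, an ordinary .bss, a high-entropy section standing
# in for a compressed/encrypted body, and an empty executable section with a large virtual size
# standing in for a runtime-unpacked region. The names are arbitrary, not from any real packer.
_rng = random.Random(20160123)
SAMPLE_SECTIONS = [
    (b".text",   b"\x55\x8b\xec\x90" * 1024, 0x1000, 0x60000020),
    (b".bss",    b"", 0x2000, 0xC0000080),
    (b".packed", bytes(_rng.getrandbits(8) for _ in range(4096)), 0x1000, 0xE0000020),
    (b".stub",   b"", 0x10000, 0xE0000020),
]
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS)

if __name__ == "__main__":
    for s in parse_sections(SAMPLE_PE):
        print(f"{s['name']:<8} VA={s['virtual_address']:08X} vsize={s['virtual_size']:06X} "
              f"raw={s['raw_size']:06X} exec={s['executable']} entropy={s['entropy']:.2f}")
    print("suspicious:", suspicious_sections(parse_sections(SAMPLE_PE)))
```

To use it on a real dump, replace SAMPLE_PE with the file's bytes; a cleanly rebuilt dump should show its code section with code-like entropy and no executable sections that are empty on disk, while leftover protector sections tend to show up on both counts. The entropy cut-off is a heuristic, so treat the flagged list as a prompt to look, not as a verdict.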