GIV Posted April 20, 2016 (edited)
Difficulty: 3
Language: Delphi
Platform: Windows x86
OS Version: XP and above
Packer / Protector: Enigma Protector 5.2
Description: Small unpackme for you guys to try.
Screenshot: (image)
Attachment: Enigma Protector 5.2 unpackme.rar
Edited April 20, 2016 by Teddy Rogers
icarusdc Posted April 21, 2016 (marked as Solution)
Hi,
The steps I took to unpack this:
1. Change HWID. I used LCF-AT's script from here.
2. VM fixing and OEP rebuilding. I used LCF-AT's script from here.
3. File optimizing. I used SHADOW_UA's method from here.
Unpacked files: here
Salam.
GIV Posted April 21, 2016 (Author)
Good. But the file "unpackme_VMOEP.exe" crashes for me on XP SP3 x86.
LCF-AT Posted April 21, 2016
Hi, so you haven't fixed some imports in your protector section. Just check them again and see which of them you have to fix.
$ ==>   >777C9AC5
$+4     >777B7750
...
$+844   >777D2283
$+848   >00000000
Here the first API access address...
00AE1304  770BCE90
greetz
icarusdc Posted April 22, 2016
Hi, yes, I did a test today and it crashes here too. So I tried to unpack again. The first time it ran fine, so I tried to restart my PC. After restarting, I tried to run the file and boom, it crashes. I don't know why this happens. I just followed LCF-AT's method to redirect all VM to one section. The crash happens after restarting the PC. By the way, did you enable the Redirect WinAPI function in Import protection? If you did, then I assume TEP can't process the function if the file has the Virtual Machine function enabled.
Salam.
Xjun Posted April 22, 2016 (edited)
Not optimized!
1. Search for the machine code in memory, set hardware breakpoints, replace it!
2. Used SHADOW_UA's method to fix OEP and IAT:
8B 08 C6 01 FF                         <-- Find OEP
3D 00 F0 00 00 7E 13 B8 00 00 01 00    <-- Fix IAT
3. Use hardware access breakpoints, observe the registers, rebuild the VM OEP:
push ebp
mov ebp,esp
add esp,-0x10
mov eax,0044DF6C
call 0040607C
mov eax,dword ptr [0x0044ff44]
mov eax,dword ptr [eax]
call 0044C6D8
mov ecx,dword ptr [0x00450020]
mov eax,dword ptr [0x0044ff44]
mov eax,dword ptr [eax]
mov edx,dword ptr [0x0044DD4C]
call 0044C6F0
mov eax,dword ptr [0x0044ff44]
mov eax,dword ptr [eax]
call 0044C770
call 004040E8
lea eax, dword ptr [eax]
Forgive me, I do not speak English! Greetings!
dumped_SCY.rar
Edited April 22, 2016 by Xjun (reason: Did not complete)
icarusdc Posted April 22, 2016
Hi, I tried to fix the crash. I already restarted my PC again and again. The result is that the file works fine. I hope this will work on your PC too. I realize that LCF-AT missed one step for fixing the VM after tracing the section in the file, and she didn't show it in her tutorial video before. Fortunately, it can be fixed by a newbie like me. I was afraid the cause of the crash might be something harder. Hehe. Really so much thanks to LCF-AT. Still figuring out how to find the right VA to dump XBundler. Oops, sorry, I'm off topic.
LINK VMFIX: here
Salam.
LCF-AT Posted April 22, 2016
Hi again, as I said, if you want to use VM OEP then you have to handle the 4 import accesses in the Enigma section. All you have to do is to return the API calls so you don't need to fix them (un-important APIs): just xor eax & use the right API return value, then save the patches and your VM OEP file does work.
00AE5770  33C0      XOR EAX,EAX   // ntdll.RtlSetLastWin32Error
00AE5772  C2 0400   RETN 0x4
00AE577C  33C0      XOR EAX,EAX   // ntdll.RtlLeaveCriticalSection
00AE577E  C2 0400   RETN 0x4
00AE57D0  33C0      XOR EAX,EAX   // ntdll.RtlGetLastWin32Error
00AE57D2  C3        RETN
00AE57FA  33C0      XOR EAX,EAX   // ntdll.RtlEnterCriticalSection
00AE57FC  C2 0400   RETN 0x4
Make these patches. About XBundler, just find the right HWID VA as I told you already, and if you did use the breakpoint with the conditions I posted then you have seen both DWORDs already a few times. If you pick the right 2 DWs (see dump) and if you do a little research then you will find one more interesting location. Just keep going.
greetz
camilo Posted April 22, 2016 (edited)
And this is my try. Faked HWID with the help of LCF-AT's script (Thanks man, impressive!). Then manually found the OEP via Shadow's tactics & rebuilt the VMed imports. Dump & fix by ImpRec. Rebuilt the OEP (again) as per LCF-AT's explanations on another post. And changed the OEP to the new code snippet with LordPE. And finally optimized the size manually with CFF by moving data and removing waste sections. Hope it works in all OSes.
PS: Archive pass is the standard for this house's downloads, with blake bla bla lol.
unpackmegiv.rar
Edited April 22, 2016 by camilo
GIV Posted April 23, 2016 (Author)
The HWID can be patched easily. There is another method that is easier. In the next days I will post another unpackme for you with more options of the protector.
GIV Posted April 27, 2016 (Author)
Here is a sample that uses some more options of the Enigma Protector 5.2 features. When you run it, just give me a HWID/name and I will generate a license key for you to try to unpack.
Enigma 5.2 unpackme - 2.rar
GautamGreat Posted April 27, 2016
Hey GIV, I need a key for unpacking: 63B2A-EA675-63B56-AC944-BDB19-24D3F-06971-523EF
camilo Posted April 27, 2016
Let's play: C965A-EA6AB-81EB2-7D035-38C99-24D7E-04041-78A0E
GIV Posted April 28, 2016 (Author)
OK, one ID only will be enough:
HWID: 63B2A-EA675-63B56-AC944-BDB19-24D3F-06971-523EF
User: ramjane
Key: CQD2-WP3L-UBLV-7AEH-RLQJ-B42U-8MZR-FA7E-HZU2-XTJF-V8KS-QCUC-3DKV-LHA5-CTHX-9Y3E-SUSS-NAEX-VHKX-XHR5-E9XG-A43Q-7KDK-NYHC-AVGQ-JF76-WH2EKA3
camilo Posted April 28, 2016
I assume you are not going to tell us the password needed after the HWID nag.
GIV Posted April 28, 2016 (Author)
HWID change is easy with today's knowledge. You must patch the password protection. I guess that will not be that hard because there is some info posted here on this forum.
GautamGreat Posted April 28, 2016
Done, unpacked. Thanks LCF-AT for the password patching method.
Enigma 5.2 unpackme - 2_dump_SCY.rar
GIV Posted April 28, 2016 (Author)
Great. Tomorrow I will post a new unpackme with new protection features.
icarusdc Posted April 29, 2016 (edited)
Hi, I tried to attempt the unpack with VMOEP. Here are the steps I took to unpack:
1. Change HWID using LCF-AT's script here.
2. Get the password bypass VA using GIV's script here:
lc                                        // clear log
bc                                        // clear software breakpoints
bpmc                                      // clear memory breakpoints
bphwc                                     // clear hardware breakpoints
mov start, 00000000                       // Fill VA Start of EnigmaSection
mov end, 00000000                         // Fill VA End of EnigmaSection
next:
find start, #68????????E9????????#        // push imm32 followed by jmp rel32
cmp $RESULT, 0
ifeq                                      // no more matches
jmp end1
endif
cmp $RESULT, end
ifa                                       // match lies past the section end
jmp end1
endif
bp $RESULT                                // breakpoint on each push/jmp stub
mov adress, $RESULT
mov start, adress+5                       // resume the search after the push
jmp next
end1:
msg "Script finished"
pause
3. Unpack using LCF-AT's script to get the IAT tree here.
4. Unpack using LCF-AT's script to get the unpacked file with VMOEP here.
5. Fix the IAT error with LCF-AT's tutorial here.
I hope this helps. So I heard you will post another UnpackMe. I hope it will have the complexity of a real program. I have a file which has VMed APIs. I tried to find the APIs using LCF-AT's script but it always says "possible Enigma API". It's a really rare case because Enigma APIs are always at the end of the IAT, not in between. Since we cannot discuss/request crackme/unpackme commercial files, I hope your next unpackme will be like that condition so I can learn how to unpack my file.
Salam.
enigma 5.2 unpackme - 2_VMOEP.rar
Edited April 29, 2016 by icarusdc
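The same push/jmp pattern the script above breakpoints on can be found statically in a dumped section. The following Python is an added example, not code from the thread or from any of the scripts linked in it: it scans a byte buffer for `68 ?? ?? ?? ?? E9 ?? ?? ?? ??`, resumes 5 bytes past each hit as the script does, and goes one step further by decoding the pushed immediate and the jmp target so the stubs can be reviewed in a list before setting any breakpoints. The section base, the sample bytes and the helper names are constructed for the example.

```python
import struct

SECTION_BASE = 0x00AE0000  # constructed VA for the sample section below


def find_push_jmp_stubs(data: bytes, base: int):
    """Find every `push imm32; jmp rel32` stub (68 ?? ?? ?? ?? E9 ?? ?? ?? ??).

    Returns a list of (stub_va, pushed_value, jmp_target). Like the
    ODbgScript, the search resumes 5 bytes past each hit, so the E9 of a
    stub is never mistaken for the start of a new one.
    """
    hits = []
    i = 0
    while True:
        i = data.find(b"\x68", i)
        if i == -1 or i + 10 > len(data):
            break
        if data[i + 5] == 0xE9:
            pushed = struct.unpack_from("<I", data, i + 1)[0]
            rel = struct.unpack_from("<i", data, i + 6)[0]
            va = base + i
            # rel32 is relative to the first byte after the 5-byte jmp
            target = (va + 10 + rel) & 0xFFFFFFFF
            hits.append((va, pushed, target))
            i += 5
        else:
            i += 1  # a lone push with no jmp behind it is not a stub
    return hits


def targets_outside(hits, base, size):
    """Keep only the stubs whose jmp lands outside [base, base+size)."""
    return [h for h in hits if not base <= h[2] < base + size]


# Constructed sample section: two real stubs and one decoy push.
SAMPLE = (
    b"\x90" * 4
    + b"\x68\x44\x33\x22\x11"      # push 0x11223344           at +0x04
    + b"\xE9\x00\x01\x00\x00"      # jmp +0x100 -> base+0x10E
    + b"\x68\xAA\xBB\xCC\xDD\x90"  # push with no jmp (decoy)  at +0x0E
    + b"\x68\x78\x56\x34\x12"      # push 0x12345678           at +0x14
    + b"\xE9\xE2\xFF\xFF\xFF"      # jmp -0x1E  -> base+0x000
    + b"\xCC" * 4
)

if __name__ == "__main__":
    for va, pushed, target in find_push_jmp_stubs(SAMPLE, SECTION_BASE):
        print(f"stub {va:08X}: push {pushed:08X} ; jmp {target:08X}")
```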
GIV Posted April 29, 2016 (Author)
OK. Last unpackme for this version:
HWID: C965A-EA6AB-81EB2-7D035-38C99-24D7E-04041-78A0E
USER: giv
KEY: F5X353-TRTFA3-LXAKLE-XDEED2-J4NMDN-AHP9DA-6VLGLP-PVJB5U-UUSNEN-7M8CUQ-UNEQTE-QATVWK-UBAKKZ-RYKMNQ-PB5CME-JQ8HSB-TUV7FL-7A3NB4-E3TJMU
Enigma 5.2 unpackme 3_protected.rar
GIV Posted April 29, 2016 (Author)
1 hour ago, icarusdc said: [quotes icarusdc's post above in full]
Hi. Your file does not run on my PC.
icarusdc Posted April 29, 2016
Hi, I don't know why that error happens, because I tried running my unpacked file many times after restarting the PC and the file runs fine. My OS is Windows 7 Professional 32-bit.
Salam.
GIV Posted April 29, 2016 (Author)
I will tell you why. That API was introduced in Vista and above. Your file will not run on Windows XP. Unpack and fix the IAT under XP to run on XP. Meanwhile, look at the last unpackme.
icarusdc Posted April 29, 2016
Hi, oh, so that is the reason why the error appears. I don't have any other Windows OS except Windows 7. By the way, I tried to unpack your third unpackme. The steps I took to unpack the third unpackme are the same as for the previous unpackme here. I hope this time it will run fine on your PC.
Salam.
Enigma 5.2 unpackme 3_VMOEP.rar