Enigma Protector 5.2

[GIV]

Difficulty : 3
Language : Delphi
Platform : Windows X86
OS Version : XP and above
Packer / Protector : Enigma Protector 5.2

Description :

Small unpackme for you guys to try.

Screenshot :

Enigma Protector 5.2 unpackme.rar

Edited April 20, 2016 by Teddy Rogers

[icarusdc]

Hi,

The steps I take for unpack this:

1. Change HWID. I used LCF-AT's script from here

2. VM Fixing and OEP Rebuilding. I used LCF-AT's script from here.

3. File Optimizing. I used SHADOW_UA's method from here.

Unpacked files: here

 

Salam.

[GIV]

Good.

But the file "unpackme_VMOEP.exe" crash for me on XP SP3 X86.

[LCF-AT]

Hi,

so you haven't fixed some imports in your protector section.Just check them again and see which of them you have to fix.

$ ==>    >777C9AC5
$+4      >777B7750
...
$+844    >777D2283
$+848    >00000000

Here the first API access address...

00AE1304  770BCE90 

greetz

[icarusdc]

Hi,

Yes, I do a test today and it crashes here too. So I tried to unpack again. First time, it runs fine so I tried to restart my PC. After restarting, I tried to run the file and boom, it crashes. I dont' know why this happens. I just followed LCF-AT method to redirect all VM to one section. Crashing happens after restarting PC.

By the way, did you enable Redirect WinAPI function in Import protection? If you did, then I assume TEP can't prosess the function if file has Virtual Machine function enabled.

 

Salam.

[Xjun]

Not optimized！

1. Find   for machine code in memory, write hardware breakpoints, replaced!

2. used SHADOW_UA's method fix OEP and IAT 

    8B 08 C6 01 FF <--Find OEP
    3D 00 F0 00 00 7E 13 B8 00 00 01 00 <-- Fix iat

3.  use hardware  access breakpoints, observation Register ,Rebuilding VM OEP

push ebp
mov ebp,esp
add esp,-0x10
mov eax,0044DF6C 
call 0040607C 
mov eax,dword ptr [0x0044ff44]
mov eax,dword ptr [eax]
call 0044C6D8 
mov ecx,dword ptr [0x00450020]
mov eax,dword ptr [0x0044ff44]
mov eax,dword ptr [eax]
mov edx,dword ptr [0x0044DD4C]
call 0044C6F0 
mov eax,dword ptr [0x0044ff44]
mov eax,dword ptr [eax]
call 0044C770
call 004040E8
lea     eax, dword ptr [eax]

Forgive me do not speak English!  

greetings！

dumped_SCY.rar

Edited April 22, 2016 by Xjun
Did not complete

[icarusdc]

Hi,

I tried to fix the crash. I already restarting my PC again and again. Result is file works rine.

I hope this will work too in your PC.

I realize that LCF-AT missed one step for fixing the VM after tracing section in file and she didn't show in her tutorial video before.

Fortunately, it can be fixed by newbie like me. I'm afraid if the cause of crash is something harder. Hehe.

Really so much thanks to LCF-AT. Still figuring out how to find right VA to dump XBundler. Oops, sorry I'm out of topic

LINK VMFIX: here

 

Salam.

[LCF-AT]

Hi again,

as I said,if you want to use VM OEP then you have to handle the 4 imports access in Enigma Section.All you have to do is to return the API calls so you don't need to fix them (un-important APIs) just xor eax & use right API return value then save the patches and your VM OEP file does work.

00AE5770    33C0                 XOR EAX,EAX // ntdll.RtlSetLastWin32Error
00AE5772    C2 0400              RETN 0x4

00AE577C    33C0                 XOR EAX,EAX // ntdll.RtlLeaveCriticalSection
00AE577E    C2 0400              RETN 0x4

00AE57D0    33C0                 XOR EAX,EAX // ntdll.RtlGetLastWin32Error
00AE57D2    C3                   RETN

00AE57FA    33C0                 XOR EAX,EAX // ntdll.RtlEnterCriticalSection
00AE57FC    C2 0400              RETN 0x4

Make this patches.About XBundler,just find right HWID VA so I told you already and if you did use the breakpoint with conditions I did post then you have seen both DWORDs already a few times. If you pick the right 2 DWs (see dump) and if you do a little research then you will find one more interesting location. Just keep going.

greetz

[camilo]

And this is my try.

 

Faked HWID with help of LCF-AT script (Thanks man, impressive!).

Then manually find OEP via Shadow tactics & rebuild VMed imports.

Dump&Fix by ImpRec.

Rebuild OEP as (again) per LCF-AT explanations on another post. And change OEP to new code snippet with LordPE.

And finally optimized size manually with CFF by moving data and removing waste sections.

Hope it works in all OSes

PS: Archive pass is the standard for this house dowloads with blake bla bla lol

unpackmegiv.rar

Edited April 22, 2016 by camilo

[GIV]

The hwid can be patched easy. Is another method more easy. I will post for you next days another unpackme with more options of the protector.

[GIV]

Here is a sample that use some more options of Enigma Protector 5.2 features.

When you run just give me a HWID/name and i will generate a license key for you to try to unpack.

Enigma 5.2 unpackme - 2.rar

[GautamGreat]

Hey GIV need a key for unpacking

63B2A-EA675-63B56-AC944-BDB19-24D3F-06971-523EF

[camilo]

Let's play

 

C965A-EA6AB-81EB2-7D035-38C99-24D7E-04041-78A0E

[GIV]

OK one ID only will be enough:

HWID: 63B2A-EA675-63B56-AC944-BDB19-24D3F-06971-523EF

User: ramjane

Key: CQD2-WP3L-UBLV-7AEH-RLQJ-B42U-8MZR-FA7E-HZU2-XTJF-V8KS-QCUC-3DKV-LHA5-CTHX-9Y3E-SUSS-NAEX-VHKX-XHR5-E9XG-A43Q-7KDK-NYHC-AVGQ-JF76-WH2EKA3

[camilo]

I assume you are not going to tell us the password needed after HWID nag

[GIV]

HWID change is easy with today knowledge.

You must patch the password protection.

I guess that will not be that hard because there is some info posted here on this forum.

[GautamGreat]

Done unpacked 

Thanks LCF AT for his password patching method.

Enigma 5.2 unpackme - 2_dump_SCY.rar

[GIV]

Great.

Tommorrow i will post a new unpackme with a new protection features.

 

[icarusdc]

Hi,

 

I tried to attempt the Unpacked with VMOEP.

Here are the steps I take to unpack:

1. Change HWID using LCF-AT's script here

2. Get Password Bypass VA using GIV's script here

lc
bc
bpmc
bphwc

mov start, 00000000 // Fill VA Start of EnigmaSection
mov end,   00000000 // Fill VA End of EnigmaSection

next:
find start, #68????????E9????????#
cmp $RESULT, 0
ifeq
jmp end1
endif
cmp $RESULT, end
ifa
jmp end1
endif
bp $RESULT
mov adress, $RESULT
mov start, adress+5
jmp next


end1:
msg "Script finished"
pause
pause

3. Unpack using LCF-AT's script to get IAT tree here

4. Unpack using LCF-AT's script to get Unpacked with VMOEP here

5. Fix IAT error with LCF-AT's tutorial here

 

I hope this helps.

So I heard you will post other UnpackMe. I hope it will has complexity as real program. I have the file which has VMed API. I tried to find API using LCF-AT script but it always says possible Enigma API. It's really rare case because Enigma API always in the end of IAT not between IAT. Since we can not discuss/request crackme/unpackme comercial file, I hope your next unpackme will be like that condition so I can learn how to unpack my file.

Salam.

enigma 5.2 unpackme - 2_VMOEP.rar

Edited April 29, 2016 by icarusdc

[GIV]

OK.

Last unpackme for this version:

HWID: C965A-EA6AB-81EB2-7D035-38C99-24D7E-04041-78A0E
USER: giv
KEY: F5X353-TRTFA3-LXAKLE-XDEED2-J4NMDN-AHP9DA-6VLGLP-PVJB5U-UUSNEN-7M8CUQ-UNEQTE-QATVWK-UBAKKZ-RYKMNQ-PB5CME-JQ8HSB-TUV7FL-7A3NB4-E3TJMU

 

Enigma 5.2 unpackme 3_protected.rar

[GIV]

1 hour ago, icarusdc said:

Hi,

 

I tried to attempt the Unpacked with VMOEP.

Here are the steps I take to unpack:

1. Change HWID using LCF-AT's script here

2. Get Password Bypass VA using GIV's script here

lc
bc
bpmc
bphwc

mov start, 00000000 // Fill VA Start of EnigmaSection
mov end,   00000000 // Fill VA End of EnigmaSection

next:
find start, #68????????E9????????#
cmp $RESULT, 0
ifeq
jmp end1
endif
cmp $RESULT, end
ifa
jmp end1
endif
bp $RESULT
mov adress, $RESULT
mov start, adress+5
jmp next


end1:
msg "Script finished"
pause
pause

3. Unpack using LCF-AT's script to get IAT tree here

4. Unpack using LCF-AT's script to get Unpacked with VMOEP here

5. Fix IAT error with LCF-AT's tutorial here

 

I hope this helps.

So I heard you will post other UnpackMe. I hope it will has complexity as real program. I have the file which has VMed API. I tried to find API using LCF-AT script but it always says possible Enigma API. It's really rare case because Enigma API always in the end of IAT not between IAT. Since we can not discuss/request crackme/unpackme comercial file, I hope your next unpackme will be like that condition so I can learn how to unpack my file.

Salam.

enigma 5.2 unpackme - 2_VMOEP.rar

Hi.

Your file does not run on my PC

[icarusdc]

Hi,

I don't know why that error happens because I tried run my unpacked file many times after restarting PC and file runs fine. My OS is Windows 7 Professional 32bit.

 

Salam.

[GIV]

I will tell you why.

That API is introduced in Vista and above.

Your file will not run in Windows XP.

Unpack and fix IAT under XP to run on XP.

Meanwhile look at last unpackme. 

[icarusdc]

Hi,

Oh, that is the reason why the error appears. I don't have another Windows OS except Windows 7.

By the way, I tried to unpack your third unpackme.

The steps I take to unpack the third unpackme like previous unpackme here

 

I hope this time will be running fine in your PC.

 

Salam.

 

Enigma 5.2 unpackme 3_VMOEP.rar

[Sound]

Enigma has been Unpacker by fornication !