May 1, 2016 (Author)
YEP. Enigma has been knocked down for good. I think only the VM'ed functions are hard to restore. The rest of the protection is kinda messy. The only option is to post an unpackme without a key for you to try to bypass the HWID without a valid key.
May 6, 2016
Hello. Here I made a video of my script, have a look. The VM API fixing script is not mine, it's by PC-RET; I just added that script to my script.
Video.rar
May 12, 2016 (Author)
Hi. Sorry for the late reply. The script looks fine. You can add the feature of auto dump and rebuild. I did not see how you find the missing 4 APIs and how you reconstructed the OEP. So I guess regarding the rest of the features like file name, password patch and OS version you inserted in the script auto patching things. Right?
May 12, 2016
8 hours ago, GIV said:
> Hi. Sorry for the late reply. The script looks fine. You can add the feature of auto dump and rebuild. I did not see how you find the missing 4 APIs and how you reconstructed the OEP. So I guess regarding the rest of the features like file name, password patch and OS version you inserted in the script auto patching things. Right?

Yes, it is working like PRE_CHECKER_PATCH. I updated the script now. Now the script can fix VM API very fast.
http://wikisend.com/download/212166/
May 13, 2016 (Author)
I see. But from what you present the file you are using is not protected by Enigma 5.xx.
July 9, 2016
On May 1, 2016 at 2:53 PM, GIV said:
> YEP. Enigma has been knocked down for good. I think only the VM'ed functions are hard to restore. The rest of the protection is kinda messy. The only option is to post an unpackme without a key for you to try to bypass the HWID without a valid key.

But in your topic you already bypassed the HWID lock without a valid key, is that right?
July 9, 2016
On May 12, 2016 at 11:15 PM, ramjane said:
> Yes, it is working like PRE_CHECKER_PATCH. I updated the script now. Now the script can fix VM API very fast.
> http://wikisend.com/download/212166/

Can you upload your video again? The link above is some kind of music. Can you share your script too?
July 10, 2016 (Author)
18 hours ago, benney said:
> But in your topic you already bypassed the HWID lock without a valid key, is that right?

Yes. This is true.
July 11, 2016 (Author)
Here is a sample for Enigma 5.4 for you to try. Just post impressions after you unpack.
Enigma 5.40 unpackme.rar
July 11, 2016
Hi, unpacked here. Not many changes, only the old pattern trick does not work for finding the OEP. Just unpacked and fixed. I can't upload to the board, I don't know why, it always gets stuck midway, so I uploaded to an external host. Here it is:
http://www.4shared.com/rar/lH0_VbI0ba/Unpacked.html
July 12, 2016 (Author)
It is working fine here. You could recover the virtualized OEP and make a cleaner and smaller file though.
July 12, 2016
Actually I was learning about VM dumping. It's my 2nd try on a VM OEP and it's working. It's a quick unpack.
July 12, 2016 (Author)
You must cancel high alloc mode and then see what memory blocks are used outside the main file virtual space and add them to your dump. The file with reconstructed OEP is much much smaller though.
July 15, 2016
Hey! I have written a script for the new version. Here is a video. When the script is complete I will post it here.
TESTVIDEO.rar
July 18, 2016
Hey. Today I am going to share my new script for finding the OEP of the newer version of Enigma. The old byte pattern for finding the OEP by SHADOW_UA is no longer working, so here I created a new script. Please test and report.
PS: My English is not good.
ShortScript_For Finding OEP.txt
July 19, 2016 (Author)
Hi. I see that you decrypt the code first then you search.... I have tested on the main Enigma 5.4 x86 exe. The result is not correct.

    030913E8  3239        XOR BH,BYTE PTR DS:[ECX]        ; OEP <------- ramjane
    030913EA  3045 35     XOR BYTE PTR SS:[EBP+0x35],AL
    030913ED  45          INC EBP
    030913EE  43          INC EBX
    030913EF  37          AAA
    030913F0  43          INC EBX
    030913F1  36:34 32    XOR AL,0x32                     ; Superfluous prefix
    030913F4  0000        ADD BYTE PTR DS:[EAX],AL
    030913F6  0000        ADD BYTE PTR DS:[EAX],AL
    030913F8  0C 76       OR AL,0x76
    030913FA  C400        LES EAX,FWORD PTR DS:[EAX]      ; Modification of segment register
    030913FC  0C 76       OR AL,0x76
    030913FE  C400        LES EAX,FWORD PTR DS:[EAX]      ; Modification of segment register
    03091400  281B        SUB BYTE PTR DS:[EBX],BL
    03091402  0000        ADD BYTE PTR DS:[EAX],AL
    03091404  0000        ADD BYTE PTR DS:[EAX],AL
    03091406  0000        ADD BYTE PTR DS:[EAX],AL
    03091408  0000        ADD BYTE PTR DS:[EAX],AL
    0309140A  0000        ADD BYTE PTR DS:[EAX],AL
    0309140C  0000        ADD BYTE PTR DS:[EAX],AL
    0309140E  0000        ADD BYTE PTR DS:[EAX],AL
    03091410  0000        ADD BYTE PTR DS:[EAX],AL
    03091412  0000        ADD BYTE PTR DS:[EAX],AL
    03091414  0000        ADD BYTE PTR DS:[EAX],AL
    03091416  0000        ADD BYTE PTR DS:[EAX],AL
    03091418  0000        ADD BYTE PTR DS:[EAX],AL
    0309141A  0000        ADD BYTE PTR DS:[EAX],AL
    0309141C  0000        ADD BYTE PTR DS:[EAX],AL
    0309141E  0000        ADD BYTE PTR DS:[EAX],AL
    03091420  0000        ADD BYTE PTR DS:[EAX],AL
    03091422  0000        ADD BYTE PTR DS:[EAX],AL
    03091424  0000        ADD BYTE PTR DS:[EAX],AL
    03091426  0000        ADD BYTE PTR DS:[EAX],AL
    03091428  0000        ADD BYTE PTR DS:[EAX],AL
    0309142A  0000        ADD BYTE PTR DS:[EAX],AL
    0309142C  0000        ADD BYTE PTR DS:[EAX],AL
    0309142E  0000        ADD BYTE PTR DS:[EAX],AL
    03091430  0000        ADD BYTE PTR DS:[EAX],AL
July 19, 2016 (Author)
Here are 2 more unpackmes with Enigma 5.4. The OEP is not virtualized, so for you it must be easy to get the point.
Original.rar
Edited July 19, 2016 by GIV (Add 2 words)
July 21, 2016
I'm trying to unpack "Enigma 5.2 unpackme 3" but it seems that the Windows version check is enabled. Is there any pattern to search for in order to bypass this check?