YEP.

Enigma have been knocked down for good.

I think only the VM'ed functions are hard to restore. Rest of the protection is kinda messy. The only option is to post a unpackme without a key for you to try to bypass the HWID without a valid key. 

can some one help me

 

Hello.

Here i made a video of my script have a look

VM API Fixing script is not mine its by PC-RET i just added that script to my script

 

 

Video.rar

Hi.
Sorry for late reply.
The script look fine.
You can add the feature of auto dump and rebuild.

I did not see how you find the missing 4 API's and how you reconstructed the OEP.
So i guess regarding the rest of the features like file name, password patch and OS version you inserted in the script auto patching things.

Right?

8 hours ago, GIV said:

Hi.
Sorry for late reply.
The script look fine.
You can add the feature of auto dump and rebuild.

I did not see how you find the missing 4 API's and how you reconstructed the OEP.
So i guess regarding the rest of the features like file name, password patch and OS version you inserted in the script auto patching things.

Right?

Yes it is working like PRE_CHECKER_PATCH 

I updated the script now

Now script can Fix VM Api very fast

http://wikisend.com/download/212166/

I see.
But from what you present the file you are using is not protected by Enigma 5.xx.

Yeah but i tested it on all of target from v4.10 to 5.3

Could be.
Good luck!

On 2016年5月1日 at 2:53 PM, GIV said:

YEP.

Enigma have been knocked down for good.

I think only the VM'ed functions are hard to restore. Rest of the protection is kinda messy. The only option is to post a unpackme without a key for you to try to bypass the HWID without a valid key. 

but in your topic 

you already bypassed the HWID lock without a valid key,is that right?

On 2016年5月12日 at 11:15 PM, ramjane said:

Yes it is working like PRE_CHECKER_PATCH 

I updated the script now

Now script can Fix VM Api very fast

http://wikisend.com/download/212166/

Can you upload your video again,the link above is some kind of music.   can you share your script too??

18 hours ago, benney said:

but in your topic 

you already bypassed the HWID lock without a valid key,is that right?

Yes. This is true.

Here is a sample for Enigma 5.4 for you to try.

Just post impressions after you unpack.

 

Enigma 5.40 unpackme.rar

Hi

unpacked here

Not much changes only old pattern trick not work for finding OEP 

Just unpacked and fixed

I can't upload to board I don't know why it always stuck on mid so I uploaded to to extern host here is it

 

http://www.4shared.com/rar/lH0_VbI0ba/Unpacked.html

Is working fine here.

You could recover virtualized OEP and make a cleaner a smaller file though.

Actually I was learning about VM dumping its my 2nd try on VM OEP and its working.

Its a quick unpack.

You must cancel high alloc mode and then see what memory blocks are used outside the main file virtual space and add them to your dump.

The file with reconstructed OEP is much much smaller though.

Hey! I am written a script for new version. Here is a Video. When script will complete I will post here.

TESTVIDEO.rar

Hi.

Just out of curiosity...except OEP arrive pattern is any difference?

Only the method to reach at OEP is change rest all are same as old version.

OK.

I hope you will post helpful info.

Hey. today i am gonna share my new script for finding OEP of newer version of Enigma. Old bytes pattern for finding OEP by SHADOW_UA is now no more working so here i am created a new script.

Please test and tell report

PS : My English is not Good

 

ShortScript_For Finding OEP.txt

Hi.

I see that you decrypt the code first then you search....

I have tested on the main Enigma 5.4 x86 exe.

The result is not correct.

 

030913E8    3239            XOR BH,BYTE PTR DS:[ECX]                 ; OEP <------- ramjane
030913EA    3045 35         XOR BYTE PTR SS:[EBP+0x35],AL
030913ED    45              INC EBP
030913EE    43              INC EBX
030913EF    37              AAA
030913F0    43              INC EBX
030913F1    36:34 32        XOR AL,0x32                              ; Superfluous prefix
030913F4    0000            ADD BYTE PTR DS:[EAX],AL
030913F6    0000            ADD BYTE PTR DS:[EAX],AL
030913F8    0C 76           OR AL,0x76
030913FA    C400            LES EAX,FWORD PTR DS:[EAX]               ; Modification of segment register
030913FC    0C 76           OR AL,0x76
030913FE    C400            LES EAX,FWORD PTR DS:[EAX]               ; Modification of segment register
03091400    281B            SUB BYTE PTR DS:[EBX],BL
03091402    0000            ADD BYTE PTR DS:[EAX],AL
03091404    0000            ADD BYTE PTR DS:[EAX],AL
03091406    0000            ADD BYTE PTR DS:[EAX],AL
03091408    0000            ADD BYTE PTR DS:[EAX],AL
0309140A    0000            ADD BYTE PTR DS:[EAX],AL
0309140C    0000            ADD BYTE PTR DS:[EAX],AL
0309140E    0000            ADD BYTE PTR DS:[EAX],AL
03091410    0000            ADD BYTE PTR DS:[EAX],AL
03091412    0000            ADD BYTE PTR DS:[EAX],AL
03091414    0000            ADD BYTE PTR DS:[EAX],AL
03091416    0000            ADD BYTE PTR DS:[EAX],AL
03091418    0000            ADD BYTE PTR DS:[EAX],AL
0309141A    0000            ADD BYTE PTR DS:[EAX],AL
0309141C    0000            ADD BYTE PTR DS:[EAX],AL
0309141E    0000            ADD BYTE PTR DS:[EAX],AL
03091420    0000            ADD BYTE PTR DS:[EAX],AL
03091422    0000            ADD BYTE PTR DS:[EAX],AL
03091424    0000            ADD BYTE PTR DS:[EAX],AL
03091426    0000            ADD BYTE PTR DS:[EAX],AL
03091428    0000            ADD BYTE PTR DS:[EAX],AL
0309142A    0000            ADD BYTE PTR DS:[EAX],AL
0309142C    0000            ADD BYTE PTR DS:[EAX],AL
0309142E    0000            ADD BYTE PTR DS:[EAX],AL
03091430    0000            ADD BYTE PTR DS:[EAX],AL

 

Here are 2 more unpackmes with Enigma 5.4.

OEP is not virtualized so for you it must be easy to get the point.

 

Original.rar

Edited July 19, 20169 yr by GIV
Add 2 words

Thanks GIV for these unpackme. I will try to make a fully working script.

I'm trying to unpack "Enigma 5.2 unpackme 3" but it seems that windows version check is enabled. is there any pattern to search for in order to bypass this check ?