Tuts 4 You

Enigma Protector 5.2


GIV
Go to solution Solved by icarusdc,


YEP.

Enigma has been knocked down for good.

I think only the VM'ed functions are hard to restore. The rest of the protection is kinda messy. The only option is to post an unpackme without a key for you to try to bypass the HWID without a valid key.

  • Like 1

GautamGreat

Hello.

Here I made a video of my script, have a look.

The VM API fixing script is not mine, it's by PC-RET; I just added that script to my script.

 

 

Video.rar

  • Like 3

Hi.
Sorry for late reply.
The script looks fine.
You can add the feature of auto dump and rebuild.

I did not see how you found the missing 4 APIs and how you reconstructed the OEP.
So I guess, regarding the rest of the features like file name, password patch and OS version, you inserted auto patching things in the script.

Right?

  • Like 1

GautamGreat
8 hours ago, GIV said:

Hi.
Sorry for late reply.
The script looks fine.
You can add the feature of auto dump and rebuild.

I did not see how you found the missing 4 APIs and how you reconstructed the OEP.
So I guess, regarding the rest of the features like file name, password patch and OS version, you inserted auto patching things in the script.

Right?

Yes, it is working like PRE_CHECKER_PATCH.

I updated the script now.

Now the script can fix VM API very fast.

http://wikisend.com/download/212166/

  • Like 1

  • 1 month later...
On May 1, 2016 at 2:53 PM, GIV said:

YEP.

Enigma has been knocked down for good.

I think only the VM'ed functions are hard to restore. The rest of the protection is kinda messy. The only option is to post an unpackme without a key for you to try to bypass the HWID without a valid key.

But in your topic

you already bypassed the HWID lock without a valid key, is that right?

  • Like 1

On May 12, 2016 at 11:15 PM, ramjane said:

Yes, it is working like PRE_CHECKER_PATCH.

I updated the script now.

Now the script can fix VM API very fast.

http://wikisend.com/download/212166/

Can you upload your video again, the link above is some kind of music. Can you share your script too?


18 hours ago, benney said:

But in your topic

you already bypassed the HWID lock without a valid key, is that right?

Yes. This is true.


GautamGreat

Actually I was learning about VM dumping; it's my 2nd try on VM OEP and it's working.

It's a quick unpack.


You must cancel high alloc mode and then see what memory blocks are used outside the main file virtual space and add them to your dump.

The file with reconstructed OEP is much much smaller though.


GautamGreat

Hey. Today I am gonna share my new script for finding the OEP of the newer version of Enigma. The old byte pattern for finding the OEP by SHADOW_UA is no longer working, so I created a new script.

Please test and report.

PS: My English is not good :)

 

ShortScript_For Finding OEP.txt

  • Like 2

Hi.

I see that you decrypt the code first then you search....

I have tested on the main Enigma 5.4 x86 exe.

The result is not correct.

 

030913E8    3239            XOR BH,BYTE PTR DS:[ECX]                 ; OEP <------- ramjane
030913EA    3045 35         XOR BYTE PTR SS:[EBP+0x35],AL
030913ED    45              INC EBP
030913EE    43              INC EBX
030913EF    37              AAA
030913F0    43              INC EBX
030913F1    36:34 32        XOR AL,0x32                              ; Superfluous prefix
030913F4    0000            ADD BYTE PTR DS:[EAX],AL
030913F6    0000            ADD BYTE PTR DS:[EAX],AL
030913F8    0C 76           OR AL,0x76
030913FA    C400            LES EAX,FWORD PTR DS:[EAX]               ; Modification of segment register
030913FC    0C 76           OR AL,0x76
030913FE    C400            LES EAX,FWORD PTR DS:[EAX]               ; Modification of segment register
03091400    281B            SUB BYTE PTR DS:[EBX],BL
03091402    0000            ADD BYTE PTR DS:[EAX],AL
03091404    0000            ADD BYTE PTR DS:[EAX],AL
03091406    0000            ADD BYTE PTR DS:[EAX],AL
03091408    0000            ADD BYTE PTR DS:[EAX],AL
0309140A    0000            ADD BYTE PTR DS:[EAX],AL
0309140C    0000            ADD BYTE PTR DS:[EAX],AL
0309140E    0000            ADD BYTE PTR DS:[EAX],AL
03091410    0000            ADD BYTE PTR DS:[EAX],AL
03091412    0000            ADD BYTE PTR DS:[EAX],AL
03091414    0000            ADD BYTE PTR DS:[EAX],AL
03091416    0000            ADD BYTE PTR DS:[EAX],AL
03091418    0000            ADD BYTE PTR DS:[EAX],AL
0309141A    0000            ADD BYTE PTR DS:[EAX],AL
0309141C    0000            ADD BYTE PTR DS:[EAX],AL
0309141E    0000            ADD BYTE PTR DS:[EAX],AL
03091420    0000            ADD BYTE PTR DS:[EAX],AL
03091422    0000            ADD BYTE PTR DS:[EAX],AL
03091424    0000            ADD BYTE PTR DS:[EAX],AL
03091426    0000            ADD BYTE PTR DS:[EAX],AL
03091428    0000            ADD BYTE PTR DS:[EAX],AL
0309142A    0000            ADD BYTE PTR DS:[EAX],AL
0309142C    0000            ADD BYTE PTR DS:[EAX],AL
0309142E    0000            ADD BYTE PTR DS:[EAX],AL
03091430    0000            ADD BYTE PTR DS:[EAX],AL

 


Here are 2 more unpackmes with Enigma 5.4.

OEP is not virtualized so for you it must be easy to get the point.

 

Original.rar

  • Thanks 1

I'm trying to unpack "Enigma 5.2 unpackme 3" but it seems that the Windows version check is enabled. Is there any pattern to search for in order to bypass this check?
