Tuts 4 You

Enigma Protector 5.2

Question

GIV

Difficulty : 3
Language : Delphi
Platform : Windows X86
OS Version : XP and above
Packer / Protector : Enigma Protector 5.2

Description :

Small unpackme for you guys to try.

Screenshot :

Clipboard01.jpg

Enigma Protector 5.2 unpackme.rar

Edited by Teddy Rogers (see edit history)

Sound

Enigma has been unpacked by fornication!

GIV

YEP.

Enigma has been knocked down for good.

I think only the VM'ed functions are hard to restore. Rest of the protection is kinda messy. The only option is to post an unpackme without a key for you to try to bypass the HWID without a valid key.

choxa

Can someone help me?

 

GautamGreat

Hello.

Here I made a video of my script, have a look.

The VM API fixing script is not mine, it's by PC-RET; I just added that script to my script.

 

 

Video.rar

GIV

Hi.
Sorry for late reply.
The script looks fine.
You can add the feature of auto dump and rebuild.

I did not see how you found the missing 4 APIs and how you reconstructed the OEP.
So I guess, regarding the rest of the features like file name, password patch and OS version, you inserted auto-patching things in the script.

Right?

GautamGreat
8 hours ago, GIV said:

Hi.
Sorry for late reply.
The script looks fine.
You can add the feature of auto dump and rebuild.

I did not see how you found the missing 4 APIs and how you reconstructed the OEP.
So I guess, regarding the rest of the features like file name, password patch and OS version, you inserted auto-patching things in the script.

Right?

Yes, it is working like PRE_CHECKER_PATCH.

I updated the script now.

Now the script can fix VM API very fast.

http://wikisend.com/download/212166/

GIV

I see.
But from what you present, the file you are using is not protected by Enigma 5.xx.

GautamGreat

Yeah, but I tested it on all of the targets from v4.10 to 5.3.

GIV

Could be.
Good luck!

benney
On May 1, 2016 at 2:53 PM, GIV said:

YEP.

Enigma has been knocked down for good.

I think only the VM'ed functions are hard to restore. Rest of the protection is kinda messy. The only option is to post an unpackme without a key for you to try to bypass the HWID without a valid key.

But in your topic

you already bypassed the HWID lock without a valid key, is that right?

GIV
18 hours ago, benney said:

But in your topic

you already bypassed the HWID lock without a valid key, is that right?

Yes. This is true.

GIV

Here is a sample for Enigma 5.4 for you to try.

Just post impressions after you unpack.

 

Enigma 5.40 unpackme.rar

GIV

It is working fine here.

You could recover the virtualized OEP and make a cleaner and smaller file though.

GautamGreat

Actually I was learning about VM dumping; it's my 2nd try on VM OEP and it's working.

It's a quick unpack.

GIV

You must cancel high alloc mode and then see what memory blocks are used outside the main file virtual space and add them to your dump.

The file with reconstructed OEP is much much smaller though.

GautamGreat

Hey! I have written a script for the new version. Here is a video. When the script is complete I will post it here.

TESTVIDEO.rar

GIV

Hi.

Just out of curiosity... except for the OEP arrival pattern, is there any difference?

GautamGreat

Only the method to reach the OEP has changed; the rest is all the same as in the old version.

GIV

OK.

I hope you will post helpful info.

:)

GautamGreat

Hey. Today I am gonna share my new script for finding the OEP of newer versions of Enigma. The old byte pattern for finding OEP by SHADOW_UA is no longer working, so here I have created a new script.

Please test and report.

PS: My English is not good :)

 

ShortScript_For Finding OEP.txt

GIV

Hi.

I see that you decrypt the code first then you search....

I have tested on the main Enigma 5.4 x86 exe.

The result is not correct.

 

030913E8    3239            XOR BH,BYTE PTR DS:[ECX]                 ; OEP <------- ramjane
030913EA    3045 35         XOR BYTE PTR SS:[EBP+0x35],AL
030913ED    45              INC EBP
030913EE    43              INC EBX
030913EF    37              AAA
030913F0    43              INC EBX
030913F1    36:34 32        XOR AL,0x32                              ; Superfluous prefix
030913F4    0000            ADD BYTE PTR DS:[EAX],AL
030913F6    0000            ADD BYTE PTR DS:[EAX],AL
030913F8    0C 76           OR AL,0x76
030913FA    C400            LES EAX,FWORD PTR DS:[EAX]               ; Modification of segment register
030913FC    0C 76           OR AL,0x76
030913FE    C400            LES EAX,FWORD PTR DS:[EAX]               ; Modification of segment register
03091400    281B            SUB BYTE PTR DS:[EBX],BL
03091402    0000            ADD BYTE PTR DS:[EAX],AL
03091404    0000            ADD BYTE PTR DS:[EAX],AL
03091406    0000            ADD BYTE PTR DS:[EAX],AL
03091408    0000            ADD BYTE PTR DS:[EAX],AL
0309140A    0000            ADD BYTE PTR DS:[EAX],AL
0309140C    0000            ADD BYTE PTR DS:[EAX],AL
0309140E    0000            ADD BYTE PTR DS:[EAX],AL
03091410    0000            ADD BYTE PTR DS:[EAX],AL
03091412    0000            ADD BYTE PTR DS:[EAX],AL
03091414    0000            ADD BYTE PTR DS:[EAX],AL
03091416    0000            ADD BYTE PTR DS:[EAX],AL
03091418    0000            ADD BYTE PTR DS:[EAX],AL
0309141A    0000            ADD BYTE PTR DS:[EAX],AL
0309141C    0000            ADD BYTE PTR DS:[EAX],AL
0309141E    0000            ADD BYTE PTR DS:[EAX],AL
03091420    0000            ADD BYTE PTR DS:[EAX],AL
03091422    0000            ADD BYTE PTR DS:[EAX],AL
03091424    0000            ADD BYTE PTR DS:[EAX],AL
03091426    0000            ADD BYTE PTR DS:[EAX],AL
03091428    0000            ADD BYTE PTR DS:[EAX],AL
0309142A    0000            ADD BYTE PTR DS:[EAX],AL
0309142C    0000            ADD BYTE PTR DS:[EAX],AL
0309142E    0000            ADD BYTE PTR DS:[EAX],AL
03091430    0000            ADD BYTE PTR DS:[EAX],AL

 

GIV

Here are 2 more unpackmes with Enigma 5.4.

OEP is not virtualized so for you it must be easy to get the point.

 

Original.rar

Edited by GIV
Add 2 words (see edit history)

GautamGreat

Thanks GIV for these unpackmes. I will try to make a fully working script.

Ahmad_k

I'm trying to unpack "Enigma 5.2 unpackme 3" but it seems that the Windows version check is enabled. Is there any pattern to search for in order to bypass this check?
