Tuts 4 You

Enigma Protector 5.2


GIV

YEP.

Enigma has been knocked down for good.

I think only the VM'ed functions are hard to restore. Rest of the protection is kinda messy. The only option is to post an unpackme without a key for you to try to bypass the HWID without a valid key.

Link to post
Popular Posts

Yep. That is one of the sections. It may be more on larger files. BTW, here is my script to recover the VM'ed Enigma OEP. It was written back in 2015 and I don't know if it is fail-proof because I did

Hi, the steps I take to unpack this: 1. Change HWID. I used LCF-AT's script from here 2. VM Fixing and OEP Rebuilding. I used LCF-AT's script from here. 3. File Optimizing. I used


GautamGreat

Hello.

Here I made a video of my script, have a look.

The VM API fixing script is not mine, it's by PC-RET; I just added that script to my script.

Video.rar

Link to post

Hi.
Sorry for the late reply.
The script looks fine.
You can add the feature of auto dump and rebuild.

I did not see how you find the missing 4 APIs and how you reconstructed the OEP.
So I guess regarding the rest of the features like file name, password patch and OS version you inserted auto-patching things in the script.

Right?

Link to post
GautamGreat
8 hours ago, GIV said:

Hi.
Sorry for the late reply.
The script looks fine.
You can add the feature of auto dump and rebuild.

I did not see how you find the missing 4 APIs and how you reconstructed the OEP.
So I guess regarding the rest of the features like file name, password patch and OS version you inserted auto-patching things in the script.

Right?

Yes, it is working like PRE_CHECKER_PATCH.

I updated the script now.

Now the script can fix the VM API very fast.

http://wikisend.com/download/212166/

Link to post

I see.
But from what you present the file you are using is not protected by Enigma 5.xx.

Link to post
  • 1 month later...
On May 1, 2016 at 2:53 PM, GIV said:

YEP.

Enigma has been knocked down for good.

I think only the VM'ed functions are hard to restore. Rest of the protection is kinda messy. The only option is to post an unpackme without a key for you to try to bypass the HWID without a valid key.

But in your topic

you already bypassed the HWID lock without a valid key, is that right?

Link to post
18 hours ago, benney said:

But in your topic

you already bypassed the HWID lock without a valid key, is that right?

Yes. This is true.

Link to post

It is working fine here.

You could recover the virtualized OEP and make a cleaner and smaller file though.

Link to post
GautamGreat

Actually I was learning about VM dumping; it's my 2nd try on VM OEP and it's working.

It's a quick unpack.

Link to post

You must cancel high alloc mode and then see what memory blocks are used outside the main file virtual space and add them to your dump.

The file with reconstructed OEP is much much smaller though.

Link to post
GautamGreat

Hey. Today I am gonna share my new script for finding the OEP of newer versions of Enigma. The old byte pattern for finding the OEP by SHADOW_UA is no longer working, so I created a new script.

Please test and report.

PS: My English is not good :)

ShortScript_For Finding OEP.txt

Link to post

Hi.

I see that you decrypt the code first then you search....

I have tested on the main Enigma 5.4 x86 exe.

The result is not correct.

 

030913E8    3239            XOR BH,BYTE PTR DS:[ECX]                 ; OEP <------- ramjane
030913EA    3045 35         XOR BYTE PTR SS:[EBP+0x35],AL
030913ED    45              INC EBP
030913EE    43              INC EBX
030913EF    37              AAA
030913F0    43              INC EBX
030913F1    36:34 32        XOR AL,0x32                              ; Superfluous prefix
030913F4    0000            ADD BYTE PTR DS:[EAX],AL
030913F6    0000            ADD BYTE PTR DS:[EAX],AL
030913F8    0C 76           OR AL,0x76
030913FA    C400            LES EAX,FWORD PTR DS:[EAX]               ; Modification of segment register
030913FC    0C 76           OR AL,0x76
030913FE    C400            LES EAX,FWORD PTR DS:[EAX]               ; Modification of segment register
03091400    281B            SUB BYTE PTR DS:[EBX],BL
03091402    0000            ADD BYTE PTR DS:[EAX],AL
03091404    0000            ADD BYTE PTR DS:[EAX],AL
03091406    0000            ADD BYTE PTR DS:[EAX],AL
03091408    0000            ADD BYTE PTR DS:[EAX],AL
0309140A    0000            ADD BYTE PTR DS:[EAX],AL
0309140C    0000            ADD BYTE PTR DS:[EAX],AL
0309140E    0000            ADD BYTE PTR DS:[EAX],AL
03091410    0000            ADD BYTE PTR DS:[EAX],AL
03091412    0000            ADD BYTE PTR DS:[EAX],AL
03091414    0000            ADD BYTE PTR DS:[EAX],AL
03091416    0000            ADD BYTE PTR DS:[EAX],AL
03091418    0000            ADD BYTE PTR DS:[EAX],AL
0309141A    0000            ADD BYTE PTR DS:[EAX],AL
0309141C    0000            ADD BYTE PTR DS:[EAX],AL
0309141E    0000            ADD BYTE PTR DS:[EAX],AL
03091420    0000            ADD BYTE PTR DS:[EAX],AL
03091422    0000            ADD BYTE PTR DS:[EAX],AL
03091424    0000            ADD BYTE PTR DS:[EAX],AL
03091426    0000            ADD BYTE PTR DS:[EAX],AL
03091428    0000            ADD BYTE PTR DS:[EAX],AL
0309142A    0000            ADD BYTE PTR DS:[EAX],AL
0309142C    0000            ADD BYTE PTR DS:[EAX],AL
0309142E    0000            ADD BYTE PTR DS:[EAX],AL
03091430    0000            ADD BYTE PTR DS:[EAX],AL

 

Link to post

I'm trying to unpack "Enigma 5.2 unpackme 3" but it seems that the Windows version check is enabled. Is there any pattern to search for in order to bypass this check?

Link to post
