GIV (Author), Posted July 21, 2016:
You can use the GetVersion API: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
icarusdc, Posted August 12, 2016:
Hi @ramjane, the script for finding the OEP of the keygenme v2.0 unpackme (Enigma 5.40) is working. But it doesn't work for the last 2 unpackmes (Original.rar). Salam.
GautamGreat, Posted August 12, 2016:
Yes, this script works only on virtualized-OEP targets. I am currently working on that and trying to find a way to reach the OEP.
GIV (Author), Posted January 16, 2017:
The scripts are updated but have not been available to the public since the first release of the 5.xx version, and are updated to the latest version (5.5). I see that the price of the protector was raised from 149 to 199 USD. Maybe the release of an unpack script will make the authors rethink their pricing policy.
Techlord, Posted January 16, 2017 (edited January 16, 2017):
52 minutes ago, GIV said:
The scripts are updated but have not been available to the public since the first release of the 5.xx version, and are updated to the latest version (5.5). I see that the price of the protector was raised from 149 to 199 USD. Maybe the release of an unpack script will make the authors rethink their pricing policy.
Was thinking exactly the same thing, ol' friend. Was mulling over the idea of releasing a couple of detailed tuts on unpacking the latest v5.xx versions in the coming weeks! I also felt that the Enigma guys were getting too cocky!
P.S.: I do have the licensed versions of Enigma for my company. So in a way it is not a very wise step for me to release details on how to crack the protections, but then again, I feel that the Enigma guys should not be getting too cocky either!
GIV (Author), Posted January 16, 2017:
Sure. I have the scripts for version 5.xx back from 2014 (if I recall correctly), written by myself based on public info and personal research, with some small parts taken from LCF-AT's script (to avoid double work) where that was the case. And yes, I have a personal license for one of my software products too (but it is .NET, so it is not a great loss for me, because for the .NET platform EP is next to nothing for protection). I have told the EP guys that there is a bug regarding an XP issue of their software for .NET files, made a clear example (a bug which scared many of my customers), and their reply was that they know and the bug will be solved. For 9 months of my subscription and some released versions the bug is still there. And they raise the prices now. lol. Maybe it is not a wise idea to show them how to bring the protector to its knees, but small parts can be shown.
icarusdc, Posted January 17, 2017:
Hi @GIV, can your script handle Enigma Online Registration? I found 2 differences for unpacking Enigma. The first one is how to reach the OEP and the second one is how to bypass online registration. Salam.
GIV (Author), Posted January 17, 2017:
Hi. No. EP has not been of interest to me since a year ago. But I guess if you know how to do it, the feature could be added to any script easily.
fly1n, Posted February 5, 2017:
On 2016/4/28 at 10:27 PM, GIV said:
OK. Last unpackme for this version: HWID: C965A-EA6AB-81EB2-7D035-38C99-24D7E-04041-78A0E USER: giv KEY: F5X353-TRTFA3-LXAKLE-XDEED2-J4NMDN-AHP9DA-6VLGLP-PVJB5U-UUSNEN-7M8CUQ-UNEQTE-QATVWK-UBAKKZ-RYKMNQ-PB5CME-JQ8HSB-TUV7FL-7A3NB4-E3TJMU Enigma 5.2 unpackme 3_protected.rar
I am now working on this unpackme_3. I have been able to bypass the OS check and the process check but am stuck on the region check. I have tried to trace (set hw access bp on) the return value of GetUserDefaultLCID/GetThreadLocale/GetUserDefaultUILanguage/GetACP, but it seems that the region check doesn't use the above APIs? Then I tried to put bps on some registry access APIs to see if Enigma retrieves the region info from the registry. Unfortunately, I didn't get any useful info either. Can anyone give me a hint about what API(s) I should look into? Thanks.
fly1n, Posted February 13, 2017:
I still don't know what API EP uses to implement the regional check, but anyway I found how to bypass it. Here is the optimized file for unpack3. optimized.exe
fly1n, Posted February 17, 2017:
On 13/02/2017 at 10:56 PM, GIV said:
Would you like to try a 5.5 unpackme?
Thanks. I own an official license of EP :).
icarusdc, Posted February 18, 2017:
Hi @GIV, would you like to add some Enigma API into your next UnpackMe? Salam.
vonjack, Posted March 12, 2017 (edited March 12, 2017):
I'm a noob. Trying to dump the full VM.
HWID fake & OEP find: use the modified script from ramjane: eax != 0 -> repne scasb (strlen) -> repne cmpsb (strcmp) -> rep movsb (strcpy)
VM dump: use LCF-AT's script: RVA: 1AE0000
Dump some memory that the VM uses (from LCF-AT's tutorial): RVA: 1310000, RVA: 13A0000, RVA: 13B0000
IAT fix: RVA: 52118 (use LCF-AT's method, find push and jmp), RVA: 21CBDC (only 3 APIs), RVA: 6E111C (something maybe the VM uses)
Do you know how to dump the full VM easily? I want to find an easy way. THX!
Unpackme_fullvm.7z
GIV (Author), Posted March 12, 2017:
The best way to avoid use of the VM for Enigma is to devirtualize the OEP.
Viloresi, Posted March 12, 2017 (edited March 12, 2017):
2 hours ago, GIV said:
The best way to avoid use of the VM for Enigma is to devirtualize the OEP.
Wow, man... I don't know you and probably you don't know me, btw much respect from an unknown person, for still using XP Service Pack. LOL
vonjack, Posted March 13, 2017:
10 hours ago, GIV said:
The best way to avoid use of the VM for Enigma is to devirtualize the OEP.
Thank you. For Enigma 5.2, it seems that dumping the full VM only needs adding the 17X0000 section with the string "Invalid NULL variant operation". Am I right?
GIV (Author), Posted March 13, 2017 (edited March 15, 2017):
Yep. That is one of the sections. There may be more on larger files. BTW, here is my script for recovering a VM'ed Enigma OEP. It was written back in 2015 and I don't know if it is fail-proof, because I haven't used/tested it for more than a year.

// giv@reversing.ro
// Script for restore VM OEP on Enigma 5.xx VM'ed OEP
// Delphi files + VB6
// Setup: clear breakpoints, read code section base/size, ask for the stolen OEP address
bc
lc
bphwc
bpmc
dbh
GMI eip, CODEBASE
mov bazacod, $RESULT
GMI eip, CODESIZE
mov marimecod, $RESULT
VAR INTRARE
ask "Enter the EIP of the stolen OEP"
mov INTRARE, $RESULT
//mov INTRARE, 0041F372
BPHWS INTRARE
erun
bphwc INTRARE
ask "Enter compiler type: 1 for Delphi 2 for Visual Basic 3 for C++"
mov tipcompilator, $RESULT
cmp $RESULT,1
ifeq
jmp Delphi
endif
cmp $RESULT,2
ifeq
jmp vb6
endif
cmp $RESULT,3
ifeq
jmp C_plus
endif
//Target compiler select
mov delphi, 1
mov vb6, 0
mov cpp, 0
/////////////////
cmp delphi, 1
ifeq
jmp Delphi
endif
cmp vb6, 1
ifeq
jmp vb6
endif
cmp cpp, 1
ifeq
jmp C_plus
endif
// Delphi targets
Delphi:
log "PUSH EBP"
log "MOV EBP, ESP"
log "ADD ESP, -10"
BREAK:
bc
bphwc
bpmc
BPRM bazacod, marimecod
erun
cmp eip, INTRARE
ifeq
jmp BREAK
endif
cmp eip, bazacod+marimecod
ifa
jmp BREAK
endif
cmp eax, 01000000
ifa
jmp DWORD
endif
cmp [eip], #FF25#, 2
ifeq
jmp BREAK
endif
mov valoareeax, eax
eval "MOV EAX, 00{valoareeax}"
LOG $RESULT, ""
eval "MOV ECX, 00{ecx}"
log $RESULT, ""
eval "MOV EDX, 00{edx}"
log $RESULT, ""
mov pozitie, eip
eval "CALL 0{pozitie}"
log $RESULT, ""
GASIRE_RET:
bpmc
cmp [eip], #FF25#, 2
ifeq
jmp BREAK
endif
find eip, #C3#, 5
mov adresagasitaret, $RESULT
cmp adresagasitaret, 0
ifa
bp adresagasitaret
erun
bc adresagasitaret
esti
gci eip, COMMAND
mov stringoep, $RESULT
scmpi stringoep, "PUSH 0x0", 4
cmp $RESULT, 0
ifa
jmp Comanda_gci
endif
esti
jmp Comanda_gci
endif
find eip, #5?C?#, 1500
mov adresagasitaret, $RESULT
cmp adresagasitaret, 0
ifa
mov diferenta, adresagasitaret-eip
cmp diferenta, 35
ifb
cmp [adresagasitaret], #5BC3#, 2
ifeq
bpmc
bp adresagasitaret
erun
esti
esti
jmp Comanda_gci
endif
cmp [adresagasitaret], #5DC2#, 2
ifeq
bpmc
bp adresagasitaret
erun
esti
esti
jmp Comanda_gci
endif
msg "Diferenta prea mica"
endif
mov adresacomparare, adresagasitaret
add adresacomparare, 1
cmp [adresacomparare], #C3#,1
ifneq
mov start, eip
add start, 35
find start,#E8????????C3#
bp $RESULT
erun
bc
find eip, #5?C?#
bp $RESULT
erun
bc
esti
esti
jmp Comanda_gci
//msg "Pauza C3"
endif
bp adresagasitaret
erun
bc adresagasitaret
esti
esti
jmp Comanda_gci
endif
find eip, #5?5?5?5?C3#,500
bpmc
mov adresagasitaret, $RESULT
cmp adresagasitaret, 0
ifa
bp adresagasitaret
erun
bc adresagasitaret
esti
esti
jmp Comanda_gci
endif
cmp adresagasitaret, 0
Continuare_ret:
bpmc
ifa
bp adresagasitaret
bpmc
erun
endif
bc adresagasitaret
esti
esti
Comanda_gci:
GCI eip, COMMAND
mov comanda, $RESULT
scmpi comanda, "PUSH 0x0", 4
ifneq
jmp GASIRE_RET
endif
jmp BREAK
// EAX holds a pointer: locate it in the code section and log a memory-operand MOV
DWORD:
/////////
bc
bphwc
/////////
mov gasire, eax
rev gasire
mov gasire, $RESULT
///////////////////
eval "{gasire}"
mov gasire, $RESULT
//////////////////
len gasire
cmp $RESULT, 7
ifeq
eval "0{gasire}"
mov gasire, $RESULT
jmp ansamblare_gasire
endif
len gasire
cmp $RESULT, 6
ifeq
eval "00{gasire}"
mov gasire, $RESULT
endif
//log gasire, ""
ansamblare_gasire:
eval "#{gasire}#"
mov gasire, $RESULT
findmem gasire, bazacod
mov adresa_p, $RESULT
cmp adresa_p, 0
ifeq
msg "Pointer negasit"
pause
endif
ifa
eval "MOV EAX, DWORD PTR[{adresa_p}]"
log $RESULT, ""
cmp ecx, 401000
ifa
eval "MOV ECX, 00{ecx}"
log $RESULT, ""
endif
cmp edx, 401000
ifa
eval "MOV EDX, 00{edx}"
log $RESULT, ""
endif
mov pozitie, eip
eval "CALL 0{pozitie}"
log $RESULT, ""
jmp GASIRE_RET
// Visual Basic 6 targets
vb6:
findmem #5642??21#, bazacod
mov variabilapush, $RESULT
cmp variabilapush,0
ifeq
msg "Pattern not found for push value - VB6"
jmp Sfarsit
endif
eval "PUSH 00{variabilapush}"
LOG $RESULT, ""
asm eip, $RESULT
mov variabilacall, eip-6
eval "CALL 00{variabilacall}"
LOG $RESULT, ""
asm eip+5, $RESULT
jmp Sfarsit
// C++ targets
C_plus:
bc
bphwc
bpmc
BPRM bazacod, marimecod
erun
MOV intrarecallc, eip
EVAL "CALL {intrarecallc}"
log $RESULT, ""
ASM INTRARE, $RESULT
bc
bphwc
bpmc
rtr
esti
BPRM bazacod, marimecod
erun
MOV jmpc, eip
EVAL "JMP {jmpc}"
log $RESULT, ""
ASM INTRARE+5, $RESULT
jmp Sfarsit
Sfarsit:
msg "Script is finished"
vonjack, Posted March 13, 2017:
Thank you for your awesome VM OEP restoration script! It works well! The attachment is the second unpackme (using the password bypass script and GIV's OEP restoration script). Removed Enigma.dll from the PE. The file size is small now. Enigma 5.2 - 2.7z
GIV (Author), Posted March 13, 2017:
Once I have provided all you need, the file you posted is worthless. Just eliminate the Enigma sections and rebuild the file to reduce the file size.
2lht_love, Posted March 13, 2017 (edited March 13, 2017 by dangducluan):
Hi @GIV, I use the VM OEP, not a recovered OEP. My unpacked file crashes after rebooting WINXP SP3. How to fix it?
evggrig, Posted January 8, 2018:
On 7/15/2016 at 8:18 PM, GautamGreat said:
Hey! I have written a script for the new version. Here is a video. When the script is complete I will post it here.
And how are your successes?