Enigma Protector 5.2

[GIV]

You can use GetVersion API.

https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx

[Ahmad_k]

Thanks, i got it 

[icarusdc]

Hi @ramjane

Script for finding OEP for keygenme v2.0 unpackme (Enigma 5.40) is working. 

But it doesn't work for last 2 unpackme (Original.rar).

 

Salam.

[GautamGreat]

Yes,

This script is working only on Virtualized OEP targets.

I am currently working on that and trying to find a way to reach at OEP

[sanode]

Any update on the scripts?

[GIV]

The scripts are updated but not available for public since the first release of the 5.xx version and updated to latest version (5.5).

I see that the price for the protector raised from 149 to 199 USD.

Maybe release of a unpack script will make the authors rethink their price policy.

 

[Techlord]

52 minutes ago, GIV said:

The scripts are updated but not available for public since the first release of the 5.xx version and updated to latest version (5.5).

I see that the price for the protector raised from 149 to 199 USD.

Maybe release of a unpack script will make the authors rethink their price policy.

 

Was thinking exactly the same thing ol' friend

Was mulling over the idea of releasing a couple of detailed tuts on unpacking the latest v5.xx versions in the coming weeks !

I also felt that that the Enigma guys were getting too cocky !

 

P.S : I do have the licensed versions of Enigma for my company. So in a way not a very wise step for me to release details on how to crack the protections but then again, feel that the Enigma guys should get not be getting too cocky either !

Edited January 16, 2017 by Techlord

[GIV]

Sure. 

I have the scripts for version 5.xx back from 2014 (if i recall correct) written by myself based on public info and personal research, with some small parts taken from LCF-AT script (to avoid double work) where was the case, and yes i have a personal license for one of my software too (but is .NET so is not a great loss for me because for .NET platform the EP is next to nothing for protection). 

I have told the EP guys that is a bug regarding a XP issue of their software for .NET files, make a clear example (bug which scared many of my customers), and their reply was that they know and the bug will be solved. For 9 months of my subscription and some released versions the bug is still there. And they raises the prices now. lol

Maybe is not a wise ideea to show them how to bring in the knees the protector but small parts can be shown.

 

[icarusdc]

Hi @GIV

Can your script handle Enigma Online Registration?

I found 2 differences for unpacking Enigma. First one is how to reach OEP and second one is how to bypass online registration.

 

Salam.

[GIV]

Hi. No. EP is not a interest for me since one year ago. But i guess if you know how to do the feature could be added to any script easy.

[fly1n]

On 2016/4/28 at 10:27 PM, GIV said:

OK.

Last unpackme for this version:

HWID: C965A-EA6AB-81EB2-7D035-38C99-24D7E-04041-78A0E
USER: giv
KEY: F5X353-TRTFA3-LXAKLE-XDEED2-J4NMDN-AHP9DA-6VLGLP-PVJB5U-UUSNEN-7M8CUQ-UNEQTE-QATVWK-UBAKKZ-RYKMNQ-PB5CME-JQ8HSB-TUV7FL-7A3NB4-E3TJMU

 

Enigma 5.2 unpackme 3_protected.rar

I am now working on this unpackme_3. I have been able to bypass the OS check and process check but stuck on the region check.

I have tried to trace (set hw access bp on) the return value of GetUserDefaultLCID/GetThreadLocale/GetUserDefaultUILanguage/GetACP, but it seems that the region check doesn't use the above APIs? Then I tried to put bp on some registry access APIs to see if Enigma retrives the region info from registry. Unforunately, I didn't get any useful info either. Can anyone give me a hint about what API(s) I should look into.

Thanks.

[fly1n]

I still don't know what API EP uses to implement regional check, but anyway I found how to bypass it.

Here is the optimized file for unpack3.

optimized.exe

[GIV]

Would you like to try a 5.5 unpackme?

[fly1n]

On 13/02/2017 at 10:56 PM, GIV said:

Would you like to try a 5.5 unpackme?

Thanks. I own an official license of EP :).

[icarusdc]

Hi, @GIV

Would you like to add some Enigma API into your next UnpackMe?

 

Salam.

[vonjack]

I'm a noob.

Try to dump full VM.

Hwid fake & OEP find: use modified script from ramjane : 

eax !=0 -> repne scasb (strlen) -> repne cmpsb (strcmp) -> rep movsb (strcpy)

VM dump: use LCF-AT's script : RVA: 1AE0000

dump some memory that VM uses (from LCF-AT's tutorial):

 RVA: 1310000 RVA: 13A0000 RVA: 13B0000

IAT fix:

RVA: 52118 (Use LCF-AT's method, find push and jmp)

RVA: 21CBDC (only 3 APIs)

RVA: 6E111C (something maybe VM uses)

Do you know how to dump full VM easily? I want to find a easy way. THX!

Unpackme_fullvm.7z

Edited March 12, 2017 by vonjack

[GIV]

The best way to avoid use of VM for Enigma is to devirtualize the OEP.

 

[Viloresi]

2 hours ago, GIV said:

The best way to avoid use of VM for Enigma is to devirtualize the OEP.

 

wow, man.... I don't know you and probably you don't know me, btw much respect from an unknown person, for still using xp service pack LOL 

Edited March 12, 2017 by Viloresi

[vonjack]

10 hours ago, GIV said:

The best way to avoid use of VM for Enigma is to devirtualize the OEP.

 

Thank you.

For Enigma 5.2, it seems to dump full vm only need add 17X0000 section with the string "Invalid NULL variant operation".

Am I right?

[GIV]

Yep.

That is one of the sections. It may be more on larger files.

BTW. Here is my script for recover VM'ed Enigma OEP. Is written back in 2015 and i don't know if is fail proof because i did not use/test for more than a year ago.

// giv@reversing.ro
// Script for restore VM OEP on Enigma 5.xx VM'ed OEP
// Delphi files + VB6

bc
lc
bphwc
bpmc
dbh

GMI eip, CODEBASE
mov bazacod, $RESULT
GMI eip, CODESIZE
mov marimecod, $RESULT

VAR INTRARE
ask "Enter the EIP of the stolen OEP"
mov INTRARE, $RESULT
//mov INTRARE, 0041F372


BPHWS INTRARE
erun
bphwc INTRARE

ask "Enter compiler type: 1 for Delphi 2 for Visual Basic 3 for C++"
mov tipcompilator, $RESULT
cmp $RESULT,1 
ifeq
jmp Delphi
endif
cmp $RESULT,2 
ifeq
jmp vb6
endif
cmp $RESULT,3
ifeq
jmp C_plus
endif

//Target compiler select
mov delphi, 1
mov vb6, 0
mov cpp, 0
/////////////////


cmp delphi, 1
ifeq
jmp Delphi
endif

cmp vb6, 1
ifeq
jmp vb6
endif

cmp cpp, 1
ifeq
jmp C_plus
endif


Delphi:
log "PUSH EBP"
log "MOV EBP, ESP"
log "ADD ESP, -10"

BREAK:

bc
bphwc
bpmc

BPRM bazacod, marimecod
erun
cmp eip, INTRARE
ifeq
jmp BREAK
endif
cmp eip, bazacod+marimecod
ifa
jmp BREAK
endif
cmp eax, 01000000
ifa
jmp DWORD
endif
cmp [eip], #FF25#, 2
ifeq
jmp BREAK
endif
mov valoareeax, eax
eval "MOV EAX, 00{valoareeax}"
LOG $RESULT, ""
eval "MOV ECX, 00{ecx}"
log $RESULT, ""
eval "MOV EDX, 00{edx}"
log $RESULT, ""
mov pozitie, eip
eval "CALL 0{pozitie}"
log $RESULT, ""

GASIRE_RET:
bpmc
cmp [eip], #FF25#, 2
ifeq
jmp BREAK
endif
find eip, #C3#, 5
mov adresagasitaret, $RESULT
cmp adresagasitaret, 0
ifa
bp adresagasitaret
erun
bc adresagasitaret
esti
gci eip, COMMAND 
mov stringoep, $RESULT
scmpi stringoep, "PUSH 0x0", 4
cmp $RESULT, 0
ifa
jmp Comanda_gci
endif
esti
jmp Comanda_gci
endif


find eip, #5?C?#, 1500
mov adresagasitaret, $RESULT
cmp adresagasitaret, 0
ifa
mov diferenta, adresagasitaret-eip
cmp diferenta, 35
ifb
cmp [adresagasitaret], #5BC3#, 2
ifeq
bpmc 
bp adresagasitaret
erun
esti
esti
jmp Comanda_gci
endif
cmp [adresagasitaret], #5DC2#, 2
ifeq
bpmc 
bp adresagasitaret
erun
esti
esti
jmp Comanda_gci
endif
msg "Diferenta prea mica"
endif
mov adresacomparare, adresagasitaret
add adresacomparare, 1
cmp [adresacomparare], #C3#,1
ifneq
mov start, eip
add start, 35
find start,#E8????????C3#
bp $RESULT
erun
bc
find eip, #5?C?#
bp $RESULT
erun
bc
esti
esti
jmp Comanda_gci
//msg "Pauza C3"
endif
bp adresagasitaret
erun
bc adresagasitaret
esti
esti
jmp Comanda_gci
endif

find eip, #5?5?5?5?C3#,500
bpmc
mov adresagasitaret, $RESULT
cmp adresagasitaret, 0
ifa
bp adresagasitaret
erun
bc adresagasitaret
esti
esti
jmp Comanda_gci
endif

cmp adresagasitaret, 0

Continuare_ret:
bpmc
ifa
bp adresagasitaret
bpmc
erun
endif
bc adresagasitaret
esti
esti
Comanda_gci:
GCI eip, COMMAND
mov comanda, $RESULT
scmpi comanda, "PUSH 0x0", 4
ifneq
jmp GASIRE_RET
endif
jmp BREAK

DWORD:
/////////
bc
bphwc
/////////
mov gasire, eax
rev gasire
mov gasire, $RESULT
///////////////////
eval "{gasire}"
mov gasire, $RESULT
//////////////////
len gasire
cmp $RESULT, 7
ifeq
eval "0{gasire}"
mov gasire, $RESULT
jmp ansamblare_gasire
endif
len gasire
cmp $RESULT, 6
ifeq
eval "00{gasire}"
mov gasire, $RESULT
endif
//log gasire, ""
ansamblare_gasire:
eval "#{gasire}#"
mov gasire, $RESULT
findmem gasire, bazacod
mov adresa_p, $RESULT
cmp adresa_p, 0
ifeq
msg "Pointer negasit"
pause
endif
ifa
eval "MOV EAX, DWORD PTR[{adresa_p}]"
log $RESULT, ""
cmp ecx, 401000
ifa
eval "MOV ECX, 00{ecx}"
log $RESULT, ""
endif
cmp edx, 401000
ifa
eval "MOV EDX, 00{edx}"
log $RESULT, ""
endif
mov pozitie, eip
eval "CALL 0{pozitie}"
log $RESULT, ""
jmp GASIRE_RET

vb6:
findmem #5642??21#, bazacod
mov variabilapush, $RESULT
cmp variabilapush,0
ifeq
msg "Pattern not found for push value - VB6"
jmp Sfarsit
endif
eval "PUSH 00{variabilapush}"
LOG $RESULT, ""
asm eip, $RESULT
mov variabilacall, eip-6
eval "CALL 00{variabilacall}"
LOG $RESULT, ""
asm eip+5, $RESULT
jmp Sfarsit

C_plus:
bc
bphwc
bpmc
BPRM bazacod, marimecod
erun
MOV intrarecallc, eip
EVAL "CALL {intrarecallc}"
log $RESULT, ""
ASM INTRARE, $RESULT
bc
bphwc
bpmc
rtr
esti
BPRM bazacod, marimecod
erun
MOV jmpc, eip
EVAL "JMP {jmpc}"
log $RESULT, ""
ASM INTRARE+5, $RESULT
jmp Sfarsit

Sfarsit:
msg "Script is finished"

 

Edited March 15, 2017 by GIV

[vonjack]

Thank you for your awesome VM OEP Restoration script !

It works well !

The attachment is the second unpackme (use password bypass script and GIV's OEP Restoration script).

Removed Enigma.dll in PE.

Filesize is small now.

Enigma 5.2 - 2.7z

[GIV]

Once i have provided all you need the file you posted is worthless.

Just eliminate Enigma sections and rebuild the file to reduce the file size.

[2lht_love]

Hi, @GIV

I  use VM OEP  not recover OEP. My file unpacked will crash after reboot WINXP SP3. How to fix it?

 

Edited March 13, 2017 by dangducluan

[GIV]

PM me your file.

 

[evggrig]

On 7/15/2016 at 8:18 PM, GautamGreat said:

Hey! I am written a script for new version. Here is a Video. When script will complete I will post here

and how are your successes?