July 21, 2016 (Author)
You can use the GetVersion API: https://msdn.microsoft.com/en-us/library/windows/desktop/ms724439(v=vs.85).aspx
August 12, 2016
Hi @ramjane. The script for finding the OEP of the keygenme v2.0 unpackme (Enigma 5.40) is working. But it doesn't work for the last 2 unpackmes (Original.rar). Salam.
August 12, 2016
Yes, this script works only on virtualized-OEP targets. I am currently working on that and trying to find a way to reach the OEP.
January 16, 2017 (Author)
The scripts have been updated, but have not been available to the public since the first release of version 5.xx; they are updated to the latest version (5.5). I see that the price of the protector rose from 149 to 199 USD. Maybe the release of an unpack script will make the authors rethink their pricing policy.
January 16, 2017
52 minutes ago, GIV said: The scripts have been updated, but have not been available to the public since the first release of version 5.xx; they are updated to the latest version (5.5). I see that the price of the protector rose from 149 to 199 USD. Maybe the release of an unpack script will make the authors rethink their pricing policy.
Was thinking exactly the same thing, ol' friend. Was mulling over the idea of releasing a couple of detailed tuts on unpacking the latest v5.xx versions in the coming weeks! I also felt that the Enigma guys were getting too cocky!
P.S.: I do have the licensed versions of Enigma for my company. So in a way it is not a very wise step for me to release details on how to crack the protections, but then again, I feel that the Enigma guys should not be getting too cocky either!
Edited January 16, 2017 by Techlord
January 16, 2017 (Author)
Sure. I have the scripts for version 5.xx back from 2014 (if I recall correctly), written by myself based on public info and personal research, with some small parts taken from LCF-AT's script (to avoid double work) where that was the case, and yes, I have a personal license for one of my software products too (but it is .NET, so it is not a great loss for me, because for the .NET platform EP is next to nothing as protection). I told the EP guys that there is a bug regarding an XP issue in their software for .NET files, made a clear example (a bug which scared many of my customers), and their reply was that they know and the bug will be solved. For 9 months of my subscription and several released versions the bug is still there. And they raise the prices now. lol. Maybe it is not a wise idea to show them how to bring the protector to its knees, but small parts can be shown.
January 17, 2017
Hi @GIV. Can your script handle Enigma Online Registration? I found 2 differences for unpacking Enigma. The first one is how to reach the OEP and the second one is how to bypass online registration. Salam.
January 17, 2017 (Author)
Hi. No. EP has not been of interest to me since one year ago. But I guess if you know how to do it, the feature could be added to any script easily.
February 5, 2017
On 2016/4/28 at 10:27 PM, GIV said: OK. Last unpackme for this version:
HWID: C965A-EA6AB-81EB2-7D035-38C99-24D7E-04041-78A0E
USER: giv
KEY: F5X353-TRTFA3-LXAKLE-XDEED2-J4NMDN-AHP9DA-6VLGLP-PVJB5U-UUSNEN-7M8CUQ-UNEQTE-QATVWK-UBAKKZ-RYKMNQ-PB5CME-JQ8HSB-TUV7FL-7A3NB4-E3TJMU
Enigma 5.2 unpackme 3_protected.rar
I am now working on this unpackme_3. I have been able to bypass the OS check and the process check, but I am stuck on the region check. I have tried to trace (set a hardware access bp on) the return value of GetUserDefaultLCID/GetThreadLocale/GetUserDefaultUILanguage/GetACP, but it seems that the region check doesn't use the above APIs? Then I tried to put bps on some registry access APIs to see if Enigma retrieves the region info from the registry. Unfortunately, I didn't get any useful info either. Can anyone give me a hint about what API(s) I should look into? Thanks.
February 13, 2017
I still don't know what API EP uses to implement the regional check, but anyway I found how to bypass it. Here is the optimized file for unpack3.
optimized.exe
February 17, 2017
On 13/02/2017 at 10:56 PM, GIV said: Would you like to try a 5.5 unpackme?
Thanks. I own an official license of EP :).
March 12, 2017
I'm a noob. Trying to dump the full VM.
HWID fake & OEP find: used a modified script from ramjane: eax != 0 -> repne scasb (strlen) -> repne cmpsb (strcmp) -> rep movsb (strcpy)
VM dump: used LCF-AT's script: RVA: 1AE0000
Dumped some memory that the VM uses (from LCF-AT's tutorial): RVA: 1310000, RVA: 13A0000, RVA: 13B0000
IAT fix: RVA: 52118 (used LCF-AT's method, find push and jmp); RVA: 21CBDC (only 3 APIs); RVA: 6E111C (something the VM maybe uses)
Do you know how to dump the full VM easily? I want to find an easy way. THX!
Unpackme_fullvm.7z
Edited March 12, 2017 by vonjack
March 12, 2017
2 hours ago, GIV said: The best way to avoid the use of the VM for Enigma is to devirtualize the OEP.
Wow, man.... I don't know you and probably you don't know me, btw much respect from an unknown person for still using XP Service Pack LOL
Edited March 12, 2017 by Viloresi
March 13, 2017
10 hours ago, GIV said: The best way to avoid the use of the VM for Enigma is to devirtualize the OEP.
Thank you. For Enigma 5.2, it seems that to dump the full VM you only need to add the 17X0000 section with the string "Invalid NULL variant operation". Am I right?
March 13, 2017 (Author)
Yep. That is one of the sections. There may be more on larger files. BTW, here is my script to recover a VM'ed Enigma OEP. It was written back in 2015 and I don't know if it is fail-proof, because I have not used/tested it for more than a year.

// giv@reversing.ro
// Script for restore VM OEP on Enigma 5.xx VM'ed OEP
// Delphi files + VB6
// Clear software/hardware/memory breakpoints, clear the log, hide the debugger
bc
lc
bphwc
bpmc
dbh
// Base and size of the code section of the module at EIP
GMI eip, CODEBASE
mov bazacod, $RESULT
GMI eip, CODESIZE
mov marimecod, $RESULT
// INTRARE = address of the stolen (virtualized) OEP; run until it is reached
VAR INTRARE
ask "Enter the EIP of the stolen OEP"
mov INTRARE, $RESULT
//mov INTRARE, 0041F372
BPHWS INTRARE
erun
bphwc INTRARE
ask "Enter compiler type: 1 for Delphi 2 for Visual Basic 3 for C++"
mov tipcompilator, $RESULT
cmp $RESULT,1
ifeq
jmp Delphi
endif
cmp $RESULT,2
ifeq
jmp vb6
endif
cmp $RESULT,3
ifeq
jmp C_plus
endif
//Target compiler select (fallback when no valid choice was entered: Delphi)
mov delphi, 1
mov vb6, 0
mov cpp, 0
/////////////////
cmp delphi, 1
ifeq
jmp Delphi
endif
cmp vb6, 1
ifeq
jmp vb6
endif
cmp cpp, 1
ifeq
jmp C_plus
endif
// Delphi: log the standard prologue, then for every return from the VM into the
// code section log the register setup and the CALL that the VM executes
Delphi:
log "PUSH EBP"
log "MOV EBP, ESP"
log "ADD ESP, -10"
BREAK:
bc
bphwc
bpmc
BPRM bazacod, marimecod
erun
cmp eip, INTRARE
ifeq
jmp BREAK
endif
cmp eip, bazacod+marimecod
ifa
jmp BREAK
endif
// EAX above 01000000 is a pointer into the image, not an immediate: handle in DWORD
cmp eax, 01000000
ifa
jmp DWORD
endif
// Skip JMP DWORD PTR [xxx] thunks (FF 25)
cmp [eip], #FF25#, 2
ifeq
jmp BREAK
endif
mov valoareeax, eax
eval "MOV EAX, 00{valoareeax}"
LOG $RESULT, ""
eval "MOV ECX, 00{ecx}"
log $RESULT, ""
eval "MOV EDX, 00{edx}"
log $RESULT, ""
mov pozitie, eip
eval "CALL 0{pozitie}"
log $RESULT, ""
// GASIRE_RET: run the called routine to its RET, step back into the VM and
// check whether the VM continues with "PUSH 0" (next call) or we are done
GASIRE_RET:
bpmc
cmp [eip], #FF25#, 2
ifeq
jmp BREAK
endif
find eip, #C3#, 5
mov adresagasitaret, $RESULT
cmp adresagasitaret, 0
ifa
bp adresagasitaret
erun
bc adresagasitaret
esti
gci eip, COMMAND
mov stringoep, $RESULT
scmpi stringoep, "PUSH 0x0", 4
cmp $RESULT, 0
ifa
jmp Comanda_gci
endif
esti
jmp Comanda_gci
endif
// Look for POP reg / RET within 1500 bytes
find eip, #5?C?#, 1500
mov adresagasitaret, $RESULT
cmp adresagasitaret, 0
ifa
mov diferenta, adresagasitaret-eip
cmp diferenta, 35
ifb
// POP EBX / RET
cmp [adresagasitaret], #5BC3#, 2
ifeq
bpmc
bp adresagasitaret
erun
esti
esti
jmp Comanda_gci
endif
// POP EBP / RET n
cmp [adresagasitaret], #5DC2#, 2
ifeq
bpmc
bp adresagasitaret
erun
esti
esti
jmp Comanda_gci
endif
msg "Difference too small"
endif
mov adresacomparare, adresagasitaret
add adresacomparare, 1
cmp [adresacomparare], #C3#,1
ifneq
// Not a plain RET: run to the next CALL xxx / RET pair, then to the next POP / RET
mov start, eip
add start, 35
find start,#E8????????C3#
bp $RESULT
erun
bc
find eip, #5?C?#
bp $RESULT
erun
bc
esti
esti
jmp Comanda_gci
//msg "Pause C3"
endif
bp adresagasitaret
erun
bc adresagasitaret
esti
esti
jmp Comanda_gci
endif
// Epilogue of four POPs followed by RET
find eip, #5?5?5?5?C3#,500
bpmc
mov adresagasitaret, $RESULT
cmp adresagasitaret, 0
ifa
bp adresagasitaret
erun
bc adresagasitaret
esti
esti
jmp Comanda_gci
endif
cmp adresagasitaret, 0
Continuare_ret:
bpmc
ifa
bp adresagasitaret
bpmc
erun
endif
bc adresagasitaret
esti
esti
Comanda_gci:
GCI eip, COMMAND
mov comanda, $RESULT
scmpi comanda, "PUSH 0x0", 4
ifneq
jmp GASIRE_RET
endif
jmp BREAK
// DWORD: EAX holds a pointer; find where that value is stored in the code
// section and log MOV EAX, DWORD PTR [addr] instead of an immediate
DWORD:
/////////
bc
bphwc
/////////
mov gasire, eax
rev gasire
mov gasire, $RESULT
///////////////////
eval "{gasire}"
mov gasire, $RESULT
//////////////////
// Left-pad the reversed value to 8 hex digits
len gasire
cmp $RESULT, 7
ifeq
eval "0{gasire}"
mov gasire, $RESULT
jmp ansamblare_gasire
endif
len gasire
cmp $RESULT, 6
ifeq
eval "00{gasire}"
mov gasire, $RESULT
endif
//log gasire, ""
ansamblare_gasire:
eval "#{gasire}#"
mov gasire, $RESULT
findmem gasire, bazacod
mov adresa_p, $RESULT
cmp adresa_p, 0
ifeq
msg "Pointer not found"
pause
endif
ifa
eval "MOV EAX, DWORD PTR[{adresa_p}]"
log $RESULT, ""
cmp ecx, 401000
ifa
eval "MOV ECX, 00{ecx}"
log $RESULT, ""
endif
cmp edx, 401000
ifa
eval "MOV EDX, 00{edx}"
log $RESULT, ""
endif
mov pozitie, eip
eval "CALL 0{pozitie}"
log $RESULT, ""
jmp GASIRE_RET
endif
// VB6: the OEP is PUSH <VB5!/VB6! header> / CALL MSVBVM60.ThunRTMain,
// written straight back to EIP
vb6:
findmem #5642??21#, bazacod
mov variabilapush, $RESULT
cmp variabilapush,0
ifeq
msg "Pattern not found for push value - VB6"
jmp Sfarsit
endif
eval "PUSH 00{variabilapush}"
LOG $RESULT, ""
asm eip, $RESULT
mov variabilacall, eip-6
eval "CALL 00{variabilacall}"
LOG $RESULT, ""
asm eip+5, $RESULT
jmp Sfarsit
// C++: the OEP is CALL <security init> / JMP <start>, written back to INTRARE
C_plus:
bc
bphwc
bpmc
BPRM bazacod, marimecod
erun
MOV intrarecallc, eip
EVAL "CALL {intrarecallc}"
log $RESULT, ""
ASM INTRARE, $RESULT
bc
bphwc
bpmc
rtr
esti
BPRM bazacod, marimecod
erun
MOV jmpc, eip
EVAL "JMP {jmpc}"
log $RESULT, ""
ASM INTRARE+5, $RESULT
jmp Sfarsit
Sfarsit:
msg "Script is finished"

Edited March 15, 2017 by GIV
March 13, 2017
Thank you for your awesome VM OEP restoration script! It works well! The attachment is the second unpackme (using the password bypass script and GIV's OEP restoration script). Removed Enigma.dll from the PE. The file size is small now.
Enigma 5.2 - 2.7z
March 13, 2017 (Author)
Once I have provided all you need, the file you posted is worthless. Just eliminate the Enigma sections and rebuild the file to reduce the file size.
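The "eliminate the sections and rebuild" step, as an added example that is not code from GIV or anyone else in this thread: a stdlib-only Python tool that drops a protector's sections from the tail of an unpacked PE32 dump, wipes their headers, fixes NumberOfSections and SizeOfImage, and truncates the dead raw data. It removes trailing sections only (a section in the middle would need every later section's raw data moved and every RVA crossing it fixed up), and it refuses when the entry point or any data directory, such as an import table that was never redirected back into the original image, still points into a section being dropped. The sample PE, build_sample_pe() and the names ".prot0"/".prot1" are constructed for the example and are not real Enigma section names; pass the names of the protector sections in your own dump.

```python
"""Drop a protector's trailing sections from an unpacked PE32 dump and shrink it.

Added example for this thread, not GIV's code. Section names such as ".prot0"
used in build_sample_pe() are hypothetical placeholders, not Enigma's names.
"""
import struct
from collections import namedtuple
from dataclasses import dataclass

FILE_HEADER_SIZE, OPTIONAL_HEADER32_SIZE, SECTION_HEADER_SIZE = 20, 224, 40
SECTION_FMT = "<8sIIIIIIHHI"     # IMAGE_SECTION_HEADER
PEInfo = namedtuple("PEInfo", "fh oh sec_table section_alignment size_of_headers "
                              "size_of_image num_data_dirs sections")


def _align(value, alignment):
    return (value + alignment - 1) // alignment * alignment


@dataclass
class Section:
    name: str
    virtual_size: int
    virtual_address: int
    raw_size: int
    raw_ptr: int

    def contains_rva(self, rva):
        return self.virtual_address <= rva < self.virtual_address + max(self.virtual_size, self.raw_size)


def parse_pe32(data):
    """Parse the headers of a 32-bit PE; raise ValueError for anything else (PE32+ differs)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    oh = fh + FILE_HEADER_SIZE
    if struct.unpack_from("<H", data, oh)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    sec_table = oh + struct.unpack_from("<H", data, fh + 16)[0]      # SizeOfOptionalHeader
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, rptr, *_ = struct.unpack_from(SECTION_FMT, data, sec_table + i * SECTION_HEADER_SIZE)
        sections.append(Section(name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rsize, rptr))

    def u32(off):
        return struct.unpack_from("<I", data, oh + off)[0]
    # SectionAlignment, SizeOfHeaders, SizeOfImage, NumberOfRvaAndSizes
    return PEInfo(fh, oh, sec_table, u32(32), u32(56), u32(52), u32(92), sections)


def strip_trailing_sections(data, names):
    """Return a copy of `data` without the trailing sections whose names are in `names`."""
    info = parse_pe32(data)
    kept, stripped = list(info.sections), []
    while kept and kept[-1].name in names:
        stripped.append(kept.pop())
    leftover = [s.name for s in kept if s.name in names]
    if leftover:
        raise ValueError(f"not at the tail of the file, cannot strip in place: {leftover}")
    if not stripped:
        return bytes(data)
    if not kept:
        raise ValueError("refusing to strip every section")
    oh = info.oh
    entry = struct.unpack_from("<I", data, oh + 16)[0]              # AddressOfEntryPoint
    for s in stripped:
        if s.contains_rva(entry):
            raise ValueError(f"entry point {entry:#x} is inside {s.name}; restore the OEP first")
        for i in range(info.num_data_dirs):
            dd_rva, dd_size = struct.unpack_from("<II", data, oh + 96 + 8 * i)
            if dd_size and s.contains_rva(dd_rva):
                raise ValueError(f"data directory {i} points into {s.name}; fix it first")
    out = bytearray(data)
    for idx in range(len(kept), len(info.sections)):               # wipe the dropped headers
        off = info.sec_table + idx * SECTION_HEADER_SIZE
        out[off:off + SECTION_HEADER_SIZE] = bytes(SECTION_HEADER_SIZE)
    struct.pack_into("<H", out, info.fh + 2, len(kept))            # NumberOfSections
    last = max(kept, key=lambda s: s.virtual_address)
    struct.pack_into("<I", out, oh + 52,                            # SizeOfImage
                     _align(last.virtual_address + (last.virtual_size or last.raw_size), info.section_alignment))
    end = max([info.size_of_headers] + [s.raw_ptr + s.raw_size for s in kept])
    return bytes(out[:end])                                        # truncate the dead raw data


def build_sample_pe(section_specs, import_dir_rva=0, section_alignment=0x1000, file_alignment=0x200):
    """Construct a minimal PE32 in memory (constructed test input, not a real binary)."""
    num = len(section_specs)
    size_of_headers = _align(0x44 + FILE_HEADER_SIZE + OPTIONAL_HEADER32_SIZE + num * SECTION_HEADER_SIZE, file_alignment)
    hdr = bytearray(size_of_headers)
    hdr[:2], hdr[0x40:0x44] = b"MZ", b"PE\0\0"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                        # e_lfanew
    fh, oh = 0x44, 0x44 + FILE_HEADER_SIZE
    struct.pack_into("<HHIIIHH", hdr, fh, 0x14C, num, 0, 0, 0, OPTIONAL_HEADER32_SIZE, 0x0102)
    struct.pack_into("<H", hdr, oh, 0x10B)                         # PE32 magic
    struct.pack_into("<IIII", hdr, oh + 28, 0x400000, section_alignment, file_alignment, 0)
    struct.pack_into("<I", hdr, oh + 56, size_of_headers)
    struct.pack_into("<I", hdr, oh + 92, 16)                       # NumberOfRvaAndSizes
    body, rva, raw = bytearray(), section_alignment, size_of_headers
    for i, (name, content) in enumerate(section_specs):
        raw_size = _align(len(content), file_alignment)
        struct.pack_into(SECTION_FMT, hdr, oh + OPTIONAL_HEADER32_SIZE + i * SECTION_HEADER_SIZE,
                         name, len(content), rva, raw_size, raw, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(raw_size, b"\0")
        rva, raw = _align(rva + max(len(content), 1), section_alignment), raw + raw_size
    struct.pack_into("<I", hdr, oh + 16, section_alignment)         # entry point: start of first section
    struct.pack_into("<I", hdr, oh + 52, rva)                       # SizeOfImage
    if import_dir_rva:
        struct.pack_into("<II", hdr, oh + 96 + 8 * 1, import_dir_rva, 0x28)   # IMAGE_DIRECTORY_ENTRY_IMPORT
    return bytes(hdr) + bytes(body)
```

The refusals are the useful part in practice: on a dump whose OEP has not yet been restored into the original code, or whose import directory still lives in the protector's section, the tool stops instead of producing a smaller file that no longer starts.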
March 13, 2017
Hi, @GIV. I use the VM OEP, not a recovered OEP. My unpacked file crashes after rebooting WinXP SP3. How can I fix it?
Edited March 13, 2017 by dangducluan
January 8, 2018
On 7/15/2016 at 8:18 PM, GautamGreat said: Hey! I have written a script for the new version. Here is a video. When the script is complete I will post it here.
And how are your successes?