Apuromafo Posted February 25, 2017 (edited)

Difficulty: 0
Language: Free Pascal / Lazarus IDE x86
Platform: Windows x86
OS Version: XP and above
Packer / Protector: Enigma Protector 5.6

Description: Small unpackme to do a simple tutorial. Maybe it is easy, but I hope you too can do a tutorial.

BR, Apuromafo

Silver = unpacked.exe
Bronze = unpacked + tutorial
Gold = unpacked + tutorial + script

PID scan:
Scanning -> C:\project1_protected.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 6942172 (069EDDCh) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x00000000 -> Thu 01st Jan 1970 00:00:00 (GMT)
-> File has 933852 (0E3FDCh) bytes of appended data starting at offset 05BAE00h
[File Heuristics] -> Flag #1 : 00000000000001011100000100100111 (0x0005C127)
[Entrypoint Section Entropy] : 7.97 (section #10) ".data " | Size : 0x1D9000 (1937408) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 11 (0xB) | ImageSize 0x1652000 (23404544) byte(s)
[Export] 0% of function(s) (0 of 1) are in file | 0 are forwarded | 0 code | 0 data | 0 uninit data | 0 unknown |
[ModuleReport] [IAT] Modules -> kernel32.dll | user32.dll | advapi32.dll | oleaut32.dll | gdi32.dll | shell32.dll | version.dll | comctl32.dll | ole32.dll
[Taggant Info] Record @ file offset 0x003E1E00 Length : 0x3000 (12288) byte(s) | CMSLength : 0x1ABA (6842) | Version : 1
PackerId found : 0x00000001 (1) | Enigma Protector V 5.60 Build 0 (reserved 0)
[!] Enigma Protector V 5.60 Build 0 (reserved 0) detected !
- Scan Took : 0.93 Second(s) [00000005Dh (93) tick(s)] [12 of 580 scan(s) done]

Initial screenshot: [image]
When checking the checkbox: [image]
If checked again: [image]

Link of file, simple packed: project1_protected.rar

Edited February 27, 2017 by Apuromafo: update :)
Teddy Rogers Posted February 26, 2017: @Apuromafo can you add a screenshot please... Ted.
BambooQJ Posted February 26, 2017: Hello. The 4.x tutorial can unpack it. Download: https://tuts4you.com/download.php?view.3590
Attachment: unpacked.7z
converse Posted February 26, 2017 (edited): @BambooQJ I cannot understand where I can see a real API.

00401000 - FF25 F86B5B00 JMP DWORD PTR DS:[5B6BF8]
00401010 - FF25 FC6B5B00 JMP DWORD PTR DS:[5B6BFC]
00401020 - FF25 006C5B00 JMP DWORD PTR DS:[5B6C00]
etc.

The rest is understandable from old versions of Enigma.
Edited February 26, 2017 by converse
BambooQJ Posted February 26, 2017: Take a look at the tutorial. You'll find something new.
converse Posted February 26, 2017: @BambooQJ I watched this tutorial; it only covers finding an API under the VM.
BambooQJ Posted February 27, 2017:
9 hours ago, converse said: "@BambooQJ I watched this tutorial; it only covers finding an API under the VM."
Be patient, my friend... CTRL+L. You'll find something new.
icarusdc Posted February 27, 2017: Hi,

So it's a very new Enigma version. I still can't find how to reach the OEP properly. I found a trick for reaching the OEP, but it's only for protected files which use the VM RISC protection core, no matter whether the OEP is virtualized or not. And this unpackme uses it.

The script I use for reaching the OEP is the one by ramjane, here. Put a script breakpoint at line 48:

45 ramjane:
46 cmp eax,0
47 jne ramjane1
48 esto

When stopped at that line, we need to step the script lines carefully (press TAB), stepping the "esto" command again and again. If Olly seems to be taking a long time to execute the esto command, then set break-on-access (F2) on the code section and press F9/run. We will land at the OEP.

This trick can find the OEP for this unpackme and GIV's unpackme (original version 5.4, here). It fails to find the OEP if the target uses the non-VM RISC protection core (like in DEMO 5.5). Fixing the IAT is still the same, using SHADOWS_UA's tutorial here.

I'm sorry if my explanation is quite messy. I hope you'll understand. Salam.
Attachment: project1_protected_unpacked.rar
Apuromafo Posted February 27, 2017 (Author, edited): Nice, many unpacked the easy version; next I will send a medium version. BR, Apuromafo
Note: BambooQJ's and icarusdc's unpacked files run fine. BambooQJ has done a recent tut: [video]
Edited February 28, 2017 by Apuromafo: updated with solutions...
2lht_love Posted March 11, 2017: @BambooQJ @icarusdc I have a question, looking forward to your help. I use a short script by the author LCF-AT, "Simple script which dumps the VM.txt", and changed the OEP and the VA in the script. Very easily after that I get a "VM DUMP" file to add as a section in the unpacked target; the target works perfectly on Win XP SP2 x86 and Win 7 x86. But after rebooting Windows 7 x86, the target crashes when run. Trying to dump the VM file again, I see the addresses have changed. On Win XP SP2 the VM dump addresses do not change. That's what I encountered; please help. Sorry for my language, my English is very bad.
GautamGreat Posted March 11, 2017:
1 hour ago, dangducluan said: "@BambooQJ @icarusdc I have a question, looking forward to your help. I use a short script by the author LCF-AT, "Simple script which dumps the VM.txt", and changed the OEP and the VA in the script. Very easily after that I get a "VM DUMP" file to add as a section in the unpacked target; the target works perfectly on Win XP SP2 x86 and Win 7 x86. But after rebooting Windows 7 x86, the target crashes when run. Trying to dump the VM file again, I see the addresses have changed. On Win XP SP2 the VM dump addresses do not change. That's what I encountered; please help. Sorry for my language, my English is very bad."
Hi, you didn't patch some APIs in your unpacked file. You have to patch them. Already mentioned by LCF-AT in this thread: https://forum.tuts4you.com/topic/38285-enigma-protector-52/
2lht_love Posted March 11, 2017 (edited):
2 hours ago, ramjane said: "Hi, you didn't patch some APIs in your unpacked file. You have to patch them. Already mentioned by LCF-AT in this thread: https://forum.tuts4you.com/topic/38285-enigma-protector-52/"
Hi, thank you for replying to me. Sorry, I have followed the topic you sent me and still do not understand what you mean. I do manual editing and use Shadow's script to fix the API. After the dump, I think that if I do not fully edit the API the target will not run; the software crashes when I reboot Windows. Can you make a short video tutorial on patching the API in the unpacked file?
Edited March 11, 2017 by dangducluan
icarusdc Posted March 11, 2017: Hi @dangducluan, have you saved the IAT tree before using the VM-dumping script? If so, then you'll just need to fix the Windows APIs inside the Enigma section, as ramjane mentioned. Salam.
2lht_love Posted March 11, 2017: Hi guys, @icarusdc @ramjane, I made a quick unpacking video; please help me answer: why does the software crash after rebooting Windows? Thanks. http://www.mediafire.com/file/cmyayzmbb4p6pbq/Unpacked_MB.wmv
icarusdc Posted March 11, 2017: Hi, if your unpacked file can't run fine the first time after unpacking, then there are other checks that you need to fix manually. They may be from Enigma or from the app itself; it's your job to find what it is. I guess it will be cracking instead of unpacking. But if your unpacked file runs fine the first time and crashes after rebooting, then you'll need to fix the APIs inside the Enigma section. Salam.
2lht_love Posted March 11, 2017:
5 minutes ago, icarusdc said: "Hi, if your unpacked file can't run fine the first time after unpacking, then there are other checks that you need to fix manually. They may be from Enigma or from the app itself; it's your job to find what it is. I guess it will be cracking instead of unpacking. But if your unpacked file runs fine the first time and crashes after rebooting, then you'll need to fix the APIs inside the Enigma section. Salam."
The unpacked file can run after unpacking; you can see my video. How do I fix the APIs inside the Enigma section, my friend?
icarusdc Posted March 11, 2017: Hi, seriously, does your unpacked file run after unpacking? I thought I saw it terminate and then you reloaded it. Salam.
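The two recurring questions in this thread are converse's (which of the FF25 jmp thunks at 00401000 actually reach a real import slot) and the crash-after-reboot problem (thunks whose pointer slot still lives in the Enigma section rather than in the rebuilt IAT, so it breaks once the protector's data is no longer valid). The following Python script is an added example, not code posted by anyone in the thread: it scans a code blob for `FF 25`/`FF 15` (jmp/call with a 32-bit absolute slot), classifies every slot as inside the rebuilt IAT, elsewhere in the image (a candidate for the "fix APIs inside the Enigma section" step), or outside the image, and lists what still needs patching. The sample code bytes reproduce the three thunks converse quoted, padded to the 16-byte stride seen in his listing, plus one constructed thunk pointing to a made-up slot outside the IAT; the IAT bounds, the API names and the ImageBase are assumptions for illustration (only the ImageSize 0x1652000 is taken from the PID scan above). It is a byte-pattern scan, not a disassembler, so run it over thunk tables rather than arbitrary code to avoid false matches.

```python
import struct

# Constructed sample input: the three jmp thunks quoted in the thread
# (00401000 FF25 F86B5B00 / 00401010 FF25 FC6B5B00 / 00401020 FF25 006C5B00),
# each padded to 16 bytes, followed by one hypothetical thunk whose slot
# (0x00F00010) is inside the image but outside the rebuilt IAT.
def _thunk(slot: int) -> bytes:
    return b"\xFF\x25" + struct.pack("<I", slot) + b"\xCC" * 10

CODE_VA = 0x401000
SAMPLE_CODE = (
    _thunk(0x5B6BF8) + _thunk(0x5B6BFC) + _thunk(0x5B6C00) + _thunk(0x00F00010)
)
IMAGE_BASE = 0x400000          # assumed default ImageBase of a 32-bit exe
IMAGE_SIZE = 0x1652000         # SizeOfImage reported by the PID scan
IAT_RANGE = (0x5B6BF8, 0x5B6C04)   # assumed [start, end) of the rebuilt IAT
# Hypothetical names for the sample slots; a real run would take these from
# the saved IAT tree / import rebuilder output.
IAT_NAMES = {
    0x5B6BF8: "kernel32.GetModuleHandleA",
    0x5B6BFC: "kernel32.GetProcAddress",
    0x5B6C00: "user32.MessageBoxA",
}


def find_indirect_thunks(code: bytes, code_va: int):
    """Return (instruction_va, 'jmp'|'call', slot_va) for every
    FF 25 disp32 (jmp [abs]) or FF 15 disp32 (call [abs]) in `code`."""
    found = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x25, 0x15):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            kind = "jmp" if code[i + 1] == 0x25 else "call"
            found.append((code_va + i, kind, slot))
            i += 6          # skip the 6-byte instruction we just decoded
        else:
            i += 1
    return found


def classify_slot(slot: int, iat_range, image_base: int, image_size: int) -> str:
    """'iat' if the slot is in the rebuilt IAT, 'outside-iat' if it is mapped
    somewhere else in the image (typically the protector's section, i.e. an
    API that still needs patching), 'out-of-image' otherwise."""
    lo, hi = iat_range
    if lo <= slot < hi:
        return "iat"
    if image_base <= slot < image_base + image_size:
        return "outside-iat"
    return "out-of-image"


def triage(code, code_va, iat_range, image_base, image_size, names=None):
    """Scan `code` and return one dict per thunk with its classification."""
    names = names or {}
    report = []
    for va, kind, slot in find_indirect_thunks(code, code_va):
        report.append({
            "va": va,
            "kind": kind,
            "slot": slot,
            "class": classify_slot(slot, iat_range, image_base, image_size),
            "name": names.get(slot),
        })
    return report


def unresolved(report):
    """Thunks that do not go through the rebuilt IAT and must be fixed."""
    return [r for r in report if r["class"] != "iat"]


if __name__ == "__main__":
    rep = triage(SAMPLE_CODE, CODE_VA, IAT_RANGE, IMAGE_BASE, IMAGE_SIZE, IAT_NAMES)
    for r in rep:
        print(f"{r['va']:08X}  {r['kind']:4} [{r['slot']:08X}]  "
              f"{r['class']:12} {r['name'] or ''}")
    print(f"{len(unresolved(rep))} thunk(s) still point outside the rebuilt IAT")
```

On a real dump, read the thunk table bytes from the unpacked file's code section, set IAT_RANGE to the bounds your import rebuilder reported, and every "outside-iat" hit is a slot to redirect at the correct IAT entry before the file is trusted to survive a reboot.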
FeliXW Posted March 23, 2017 (Solution): This file is so easy. I found the OEP, fixed the Enigma IAT virtualization, dumped, and fixed it. Works fine; exe optimized to 3 MB. If you have some questions about unpacking Enigma, CISC VM dumping and RISC VM dumping, contact me using:
Jabber: julia.pcret@exploit.im
Telegram: @julia_pcret (https://t.me/julia_pcret)
P.S. All functions in the file work fine, tested on Windows XP.
Attachment: project1_protected_dumped.exe