Posted February 25, 2017

Difficulty: 0
Language: Free Pascal / Lazarus IDE x86
Platform: Windows x86
OS Version: XP and above
Packer / Protector: Enigma Protector 5.6

Description: A small unpackme for doing a simple tutorial. Maybe it is easy, but I hope you too can do a tutorial.

BR, Apuromafo

Silver = unpacked.exe
Bronze = unpacked + tutorial
Gold = unpacked + tutorial + script

PID scan:

Scanning -> C:\project1_protected.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 6942172 (069EDDCh) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x00000000 -> Thu 01st Jan 1970 00:00:00 (GMT)
-> File has 933852 (0E3FDCh) bytes of appended data starting at offset 05BAE00h
[File Heuristics] -> Flag #1 : 00000000000001011100000100100111 (0x0005C127)
[Entrypoint Section Entropy] : 7.97 (section #10) ".data " | Size : 0x1D9000 (1937408) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 11 (0xB) | ImageSize 0x1652000 (23404544) byte(s)
[Export] 0% of function(s) (0 of 1) are in file | 0 are forwarded | 0 code | 0 data | 0 uninit data | 0 unknown |
[ModuleReport] [IAT] Modules -> kernel32.dll | user32.dll | advapi32.dll | oleaut32.dll | gdi32.dll | shell32.dll | version.dll | comctl32.dll | ole32.dll
[Taggant Info] Record @ file offset 0x003E1E00 Length : 0x3000 (12288) byte(s) | CMSLength : 0x1ABA (6842) | Version : 1
PackerId found : 0x00000001 (1) | Enigma Protector V 5.60 Build 0 (reserved 0)
[!] Enigma Protector V 5.60 Build 0 (reserved 0) detected !
- Scan Took : 0.93 Second(s) [00000005Dh (93) tick(s)] [12 of 580 scan(s) done]

Initial screenshot: when checking the checkbox; if checked again:

Link of the file, simply packed: project1_protected.rar

Edited February 27, 2017 by Apuromafo: update :)
February 26, 2017

Hello. The 4.x tutorial can unpack it.
Download: https://tuts4you.com/download.php?view.3590
unpacked.7z
February 26, 2017

@BambooQJ I cannot understand where I can see a real API:

00401000 - FF25 F86B5B00 JMP DWORD PTR DS:[5B6BF8]
00401010 - FF25 FC6B5B00 JMP DWORD PTR DS:[5B6BFC]
00401020 - FF25 006C5B00 JMP DWORD PTR DS:[5B6C00]
etc.

The rest is understandable from old Enigma versions.

Edited February 26, 2017 by converse
February 27, 2017

9 hours ago, converse said: @BambooQJ I watched this tutorial; there is only finding an API under the VM.

Be patient, my friend... CTRL+L. You'll find something new.
February 27, 2017

Hi,

So it's a very new Enigma version. I still can't find how to reach the OEP properly. I found a trick for reaching the OEP, but it only works for protected files using the VM RISC protection core, no matter whether the OEP is virtualized or not. And this unpackme uses it.

The script I use for reaching the OEP, by ramjane, is here. Put a script breakpoint at line 48:

45 ramjane:
46 cmp eax,0
47 jne ramjane1
48 esto

When stopped at that line, we need to step the script lines carefully (press TAB), stepping the "esto" command again and again. If Olly seems to take a long time to execute the esto command, then set break-on-access (F2) on the code section and press F9/run. We will land at the OEP.

This trick can find the OEP for this unpackme and GIV's unpackme (original version 5.4 here). It fails to find the OEP if the target uses the non-VM RISC protection core (like in DEMO 5.5). Fixing the IAT is still the same, using SHADOWS_UA's tutorial here.

I'm sorry if my explanation is quite messy. I hope you'll understand.

Salam.

project1_protected_unpacked.rar
February 27, 2017 (Author)

Nice, many have unpacked the easy version; next I will send a medium version.

BR, Apuromafo

Note: BambooQJ's and icarusdc's unpacked files run fine. BambooQJ recently did a tutorial:

Edited February 28, 2017 by Apuromafo: updated with solutions...
March 11, 2017

@BambooQJ @icarusdc I have a question and am looking forward to your help. I use a short script by the author LCF-AT, "Simple script which dumps the VM.txt", and changed the OEP and the VA available in the script. Very easily after that I get a "VM DUMP" file to add as a section in the unpacked target; the target test works perfectly on Win XP SP2 x86 and Win 7 x86. But after rebooting Windows 7 x86, the target run "crashes". Trying to dump the VM file, I see the addresses have changed. On Win XP SP2 the VM dump addresses do not change. That is what I encountered; please help. Sorry for my language, my English is very bad.
March 11, 2017

1 hour ago, dangducluan said: @BambooQJ @icarusdc I have a question and am looking forward to your help. I use a short script by the author LCF-AT, "Simple script which dumps the VM.txt", and changed the OEP and the VA available in the script. Very easily after that I get a "VM DUMP" file to add as a section in the unpacked target; the target test works perfectly on Win XP SP2 x86 and Win 7 x86. But after rebooting Windows 7 x86, the target run "crashes". Trying to dump the VM file, I see the addresses have changed. On Win XP SP2 the VM dump addresses do not change. That is what I encountered; please help. Sorry for my language, my English is very bad.

Hi, you didn't patch some APIs in your unpacked file. You have to patch them. Already mentioned by LCF-AT in this thread: https://forum.tuts4you.com/topic/38285-enigma-protector-52/
March 11, 2017

2 hours ago, ramjane said: Hi, you didn't patch some APIs in your unpacked file. You have to patch them. Already mentioned by LCF-AT in this thread: https://forum.tuts4you.com/topic/38285-enigma-protector-52/

Hi, thank you for replying to me. Sorry, I have followed the topic you sent me and still do not understand what you mean. I do manual editing and use Shadow's API-fixing script. After the dump, I think if I do not fully fix the APIs the target will not run; the software "crashes" when I reboot Windows. Can you make a short video tutorial on patching the APIs of the unpacked file?

Edited March 11, 2017 by dangducluan
March 11, 2017

Hi @dangducluan, have you saved the IAT tree before using the VM-dumping script? If so, then you'll just need to fix the Windows APIs inside the Enigma section, as ramjane mentioned.

Salam.
March 11, 2017

Hi guys, @icarusdc @ramjane, I made a quick unpacking video; please help me answer: why does the software crash after rebooting Windows? Thanks. http://www.mediafire.com/file/cmyayzmbb4p6pbq/Unpacked_MB.wmv
March 11, 2017

Hi, if your unpacked file can't run fine the first time after unpacking, then there are other checks that you need to fix manually. They may be from Enigma or from the app itself; it's your job to find what it is. I guess it will be cracking instead of unpacking. But if your unpacked file runs fine the first time and crashes after rebooting, then you'll need to fix the APIs inside the Enigma section.

Salam.
March 11, 2017

5 minutes ago, icarusdc said: Hi, if your unpacked file can't run fine the first time after unpacking, then there are other checks that you need to fix manually. They may be from Enigma or from the app itself; it's your job to find what it is. I guess it will be cracking instead of unpacking. But if your unpacked file runs fine the first time and crashes after rebooting, then you'll need to fix the APIs inside the Enigma section. Salam.

The unpacked file can run after unpacking; you can see my video. How do I fix the APIs inside the Enigma section, my friend?
March 11, 2017

Hi, seriously, your unpacked file runs after unpacking? I thought I saw it terminate and then you reloaded it.

Salam.
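Two questions in this thread share one underlying check: converse asks where the "real" API behind a thunk like `JMP DWORD PTR DS:[5B6BF8]` can be seen, and icarusdc and ramjane say a dump that works once and crashes after a reboot still has IAT slots that point into the Enigma section instead of at a real export. The script below is an added example, not code from the thread or from any of the posters' tools: it scans a dumped code section for `FF 25` / `FF 15` indirect jumps and calls, reads the IAT slot each one references, and reports whether the slot holds a real module address, a pointer back into the protected image (Enigma's redirected stub, which is the kind of entry that breaks once ASLR or a reboot moves the system DLLs), or nothing at all. The thunk VAs and IAT slot addresses are taken from converse's listing; the module range, the Enigma section range and the slot contents are constructed assumptions so the example runs offline.

```python
"""Enumerate FF25/FF15 import thunks in a dumped code section and classify
where each referenced IAT slot points (added example, not from the thread)."""
import struct
from typing import Dict, List, Tuple

IMAGE_BASE = 0x400000
IMAGE_SIZE = 0x1652000          # SizeOfImage reported by the PID scan in the first post
CODE_VA = 0x401000              # thunk table VA, as in converse's disassembly
IAT_VA = 0x5B6BF8               # first IAT slot referenced by those thunks

# Assumed module range (not from the thread): where "real" APIs live.
MODULES: Dict[str, Tuple[int, int]] = {"kernel32.dll": (0x7C800000, 0x7C8F6000)}
# Assumed range of the Enigma section inside the image (not from the thread).
ENIGMA_SECTION = (0x5C0000, IMAGE_BASE + IMAGE_SIZE)


def find_thunks(code: bytes, code_va: int, iat_range: Tuple[int, int]) -> List[Tuple[int, int]]:
    """Return (thunk_va, slot_va) for every FF 25 (jmp [abs]) / FF 15 (call [abs])
    whose operand lies inside the IAT. The IAT-range filter keeps random FF 25
    byte pairs in data from being reported as thunks."""
    found = []
    i = 0
    while i + 6 <= len(code):
        if code[i] == 0xFF and code[i + 1] in (0x25, 0x15):
            slot = struct.unpack_from("<I", code, i + 2)[0]
            if iat_range[0] <= slot < iat_range[1]:
                found.append((code_va + i, slot))
                i += 6
                continue
        i += 1
    return found


def read_slot(iat: bytes, iat_va: int, slot_va: int) -> int:
    """Read the 32-bit pointer stored in one IAT slot of the dump."""
    return struct.unpack_from("<I", iat, slot_va - iat_va)[0]


def classify(target: int) -> str:
    """Decide what the slot contents are: a real export, an Enigma stub, or junk."""
    if target == 0:
        return "unresolved"
    for name, (lo, hi) in MODULES.items():
        if lo <= target < hi:
            return name
    if ENIGMA_SECTION[0] <= target < ENIGMA_SECTION[1]:
        return "redirected into Enigma section"
    if IMAGE_BASE <= target < IMAGE_BASE + IMAGE_SIZE:
        return "inside image (not Enigma section)"
    return "unknown"


def analyse(code: bytes, iat: bytes) -> List[Dict[str, object]]:
    iat_range = (IAT_VA, IAT_VA + len(iat))
    rows = []
    for thunk_va, slot_va in find_thunks(code, CODE_VA, iat_range):
        target = read_slot(iat, IAT_VA, slot_va)
        rows.append({"thunk_va": thunk_va, "slot_va": slot_va,
                     "target": target, "verdict": classify(target)})
    return rows


def build_sample() -> Tuple[bytes, bytes]:
    """Constructed dump fragments: three thunks on a 16-byte stride (as in the
    listing), some junk containing an FF 25 that must be ignored, and an IAT
    holding one real export, one Enigma stub and one empty slot."""
    code = b""
    for slot in (IAT_VA, IAT_VA + 4, IAT_VA + 8):
        code += b"\xFF\x25" + struct.pack("<I", slot) + b"\xCC" * 10
    code += b"\x55\x8B\xEC\xFF\x25\x00\x00\x00\x00"   # push ebp / mov ebp,esp / jmp [0]
    iat = struct.pack("<III", 0x7C80ADA0, 0x005C1234, 0)
    return code, iat


if __name__ == "__main__":
    sample_code, sample_iat = build_sample()
    for row in analyse(sample_code, sample_iat):
        print("%08X -> [%08X] = %08X  %s" % (row["thunk_va"], row["slot_va"],
                                            row["target"], row["verdict"]))
```

On a real dump, feed `analyse` the bytes of the code section and the IAT region saved before the VM-dumping script runs; every slot reported as "redirected into Enigma section" is one that still has to be resolved to its real export and patched, or the file will only run until the next reboot moves the system DLLs.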
March 23, 2017 (Solution)

This file is so easy: I found the OEP, fixed the Enigma IAT virtualization, dumped, and fixed it. It works fine, with the exe optimized to 3 MB.

If you have some questions about unpacking Enigma, CISC VM dumping and RISC VM dumping, contact me via:
Jabber: julia.pcret@exploit.im
Telegram: @julia_pcret (https://t.me/julia_pcret)

P.S. All functions in the file work fine, tested on Windows XP.

project1_protected_dumped.exe