Apuromafo, posted February 27, 2017

Difficulty: 3
Language: Delphi 7 SE
Platform: Windows x86
OS Version: XP and above
Packer / Protector: Enigma Protector 5.6

Description: Medium unpackme for doing a tutorial. Maybe it is medium because I gave the registration info; maybe level 8 without registration.
BR, Apuromafo

Silver = unpacked.exe
Bronze = unpacked + tutorial
Gold = unpacked + tutorial + script

PID scan:
-=[ ProtectionID v0.6.8.5 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/16-13:09:21
Ready...
Scanning -> C:\Users\Pc\Desktop\Proyecto delphi Apuromafo\Project2_protected.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 2462720 (0259400h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x2A425E19 -> Fri 19th Jun 1992 22:22:17 (GMT)
[TimeStamp] 0x2A425E19 -> Fri 19th Jun 1992 22:22:17 (GMT) | PE Header | - | Offset: 0x00000108 | VA: 0x00400108 | -
[File Heuristics] -> Flag #1 : 00000000000001001100000100100011 (0x0004C123)
[Entrypoint Section Entropy] : 7.99 (section #10) ".data " | Size : 0x1FD000 (2084864) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 11 (0xB) | ImageSize 0x9E2000 (10362880) byte(s)
[Export] 0% of function(s) (0 of 1) are in file | 0 are forwarded | 0 code | 0 data | 0 uninit data | 0 unknown |
[VersionInfo] Company Name : The Enigma Protector Developers Team
[VersionInfo] Product Name : The Enigma Protector
[VersionInfo] Product Version : 1.0.0.0
[VersionInfo] File Description : Software Protection Tool
[VersionInfo] File Version : 1.0.0.0
[VersionInfo] Original FileName : enigma.exe
[VersionInfo] Internal Name : ENIGMA.EXE
[VersionInfo] Version Comments : http://enigmaprotector.com/
[VersionInfo] Legal Trademarks : Trademarks (R) 2002-2009 Vladimir Sukhov
[VersionInfo] Legal Copyrights : Copyrights (C) 2002-2009 Vladimir Sukhov
[ModuleReport] [IAT] Modules -> kernel32.dll | user32.dll | advapi32.dll | oleaut32.dll | gdi32.dll | shell32.dll | version.dll | comctl32.dll
[Taggant Info] Record @ file offset 0x0005C400 Length : 0x3000 (12288) byte(s) | CMSLength : 0x1ABA (6842) | Version : 1
PackerId found : 0x00000001 (1) | Enigma Protector V 5.60 Build 0 (reserved 0)
[!] Enigma Protector V 5.60 Build 0 (reserved 0) detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 60% probability
- Scan Took : 0.46 Second(s) [00000002Eh (46) tick(s)] [12 of 580 scan(s) done]

Screenshot: welcome screen, click to close; with 6 clicks, info.

Registration info:
username: tuts4you.com
HWID: E8500-C2257-29449-D99A1-DCC92-EC29D-D49D4-F81F9
Serial:
LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tGPw-xKgD-az9H-U7u7-Ruac-9mCX-qvyT-PbBb-K1MX-eZgQ-OmH8-xc3Q-YP+G-RO7O-r==j-+lc8-W3rJ-bkMx-3GYX-kGgK-6WJk-bw2G-2ob4-H8vO-vjab-ayu5-gosR-7kqj-Iml=-q=2U-OgZN-t+kSNrh
LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tKPu-OdaJ-rJTO-1N2g-1smq-2=vE-mibL-iEzT-kjAZ-xaDq-6+Jx-jofC-H2cF-kHXM-qYMj-YyhF-yOol-8+kh-nfar-4qut-ZxPp-urF6-dUCo-xkRM-py8s-V0w4-5DQK-fNPH-BSGX-GGcV-tyk5-GY6AReT
LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tKPL-vcuv-ZKkv-H=lg-EQQ7-nd9G-nC8B-KxUs-2kaB-X3kJ-9=Zt-35EB-TRcd-l7v4-k2KO-zWc3-idyd-rSxF-luoG-5ytK-xsfo-VEor-hjcG-FJm3-CP6K-nkoC-9I0S-zDww-F3JK-k4o+-QThh-y7GEXoY
LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tKPB-vOQM-zjQb-TQmV-L+MQ-N2ZU-BJOd-5YZj-nRiW-+gpn-rtt8-21=F-lyvC-CKc3-YNFE-IH9L-ByBO-uMWL-Qht6-X3ed-au4P-zDXN-IfpP-rrgX-AZz4-j8w3-c9mh-qyqC-=KUM-MdGu-VdMc-04IlSnI
Number of executions with each key: 2 executions per key (4 keys provided)
password: apuromafo
file: Project2_protected.rar

Log of protection:
[14:19:53] Loading project settings...
[14:19:53] Loading main information
[14:19:53] Loading Registration Features - Registration Data Storage
[14:19:53] Loading Registration Features - Common
[14:19:53] Loading Registration Features - Registration Dialog
[14:19:53] Loading Registration Features - Key Expiration Reminder
[14:19:53] Loading Checkup
[14:19:53] Loading Checkup - Anti Debugger
[14:19:53] Loading Checkup - Control Sum
[14:19:53] Loading Checkup - Startup Password
[14:19:53] Loading Checkup - File Name
[14:19:53] Loading Checkup - Disk Drive
[14:19:53] Loading Checkup - Executed Copies
[14:19:53] Loading Checkup - User Language
[14:19:53] Loading Checkup - External Files
[14:19:53] Loading Checkup - Executed Processes
[14:19:53] Loading Checkup - Loaded Drivers
[14:19:53] Loading Checkup - Installed Services
[14:19:53] Loading Checkup - Windows Version
[14:19:53] Loading Checkup - Virtualization Tools
[14:19:53] Loading Checkup - Privileges
[14:19:53] Loading Protection
[14:19:53] Loading Protection - Protected Strings
[14:19:53] Loading Protection - Resources Protection
[14:19:53] Loading VirtualBox
[14:19:53] Loading VirtualBox - Files
[14:19:53] Loading VirtualBox - Registry
[14:19:53] Loading VirtualBox - Packaging
[14:19:53] Loading VirtualBox - Options
[14:19:53] Loading Virtual Machine
[14:19:53] Loading Miscellaneous
[14:19:53] Loading Miscellaneous - Splash Screen
[14:19:53] Loading Miscellaneous - Watermark
[14:19:53] Loading Miscellaneous - Plugins
[14:19:53] Loading Miscellaneous - Custom VERSION Resource
[14:19:53] Loading Miscellaneous - Custom MANIFEST Resource
[14:19:53] Loading Miscellaneous - Command Line
[14:19:53] Loading Protection - Environment Variables
[14:19:53] Loading Miscellaneous - Other
[14:19:53] Loading Trial Control
[14:19:53] Loading Trial Control - Common
[14:19:53] Loading Protection - Trial Data Storing
[14:19:53] Loading Trial Control - Lock Trial to User Language
[14:19:53] Loading Trial Control - Limitation by Executions Count
[14:19:53] Loading Trial Control - Limitation by Days Count
[14:19:53] Loading Trial Control - Limitation by Expiration Date
[14:19:53] Loading Trial Control - Limitation from Date till Date
[14:19:53] Loading Trial Control - Limitation of Execution Time
[14:19:53] Loading Trial Control - Reminder
[14:19:53] Loading Trial Control - Time Control
[14:19:53] Protect file: c:\users\pc\desktop\proyecto delphi apuromafo\project2.exe
[14:19:54] Protection started ...
[14:19:54] Input file size = 375808 bytes
[14:19:54] File entropy : 1,30
[14:19:54] Search markers...
[14:19:54] - 1 function(s) processed with RISC virtual machine
[14:19:54] Process Virtual Machine ...
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\checkremotedebuggerpresent.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\closehandle.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\debugobjects.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\emulatorsdetect.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\getstartupinfo.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\hardwarebreakpoints.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\heapcheck.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\hidecurrentthread.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\int3.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\int3check.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\isdebuggerpresent.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\isdebuggerpresentx.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntflags.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntforceflags.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntglobalflag.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntqueryinformationprocess.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\outputdebugstring.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\sandboxiedetect.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\writeprocessmemoryinject.dll
[14:20:09] Compress section :
[14:20:09] - "CODE", size 317440 bytes ...
[14:20:09] done, new size 148992 bytes
[14:20:09] - "DATA", size 4608 bytes ...
[14:20:09] done, new size 2048 bytes
[14:20:09] - "BSS", size 0 bytes ...
[14:20:09] done, new size 0 bytes
[14:20:09] - ".idata", size 8192 bytes ...
[14:20:09] done, new size 512 bytes
[14:20:09] - ".tls", size 0 bytes ...
[14:20:09] done, new size 0 bytes
[14:20:09] - ".rdata", size 512 bytes ...
[14:20:09] done, new size 0 bytes
[14:20:09] - ".reloc", size 22528 bytes ...
[14:20:09] done, new size 15872 bytes
[14:20:09] - ".rsrc", size 21504 bytes ...
[14:20:09] done, new size 3072 bytes
[14:20:14] Taggant: Prepare taggant
[14:20:14] Taggant: Certificate is valid
[14:20:14] Taggant: Compute hashes
[14:20:14] Taggant: Put timestamp, make sure internet connection is alive
[14:20:15] Taggant: Timestamp successfully obtained
[14:20:15] Taggant: Successfully placed to the file
[14:20:15] All completed, new file size = 2462720 bytes, ratio 655,31%
[14:20:15] File successfully protected: C:\Users\Pc\Desktop\Proyecto delphi Apuromafo\Project2_protected.exe

br, Apuromafo
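The PID scan in the post above reports an entry-point section entropy of 7.99, which is the usual triage signal for a packed or encrypted section. As an added example (not part of this thread or of any of the tools mentioned in it), the Python script below walks a PE section table and reports per-section entropy; the two-section image it analyses is constructed inline, not the unpackme.

```python
import math
import random
import struct
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for constant data, 8.0 for uniform bytes. Packed or
    encrypted sections sit close to 8 (PID reported 7.99 for the unpackme)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def section_entropies(pe: bytes) -> list:
    """Walk the PE section table; return (name, raw_size, entropy) per section."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]    # SizeOfOptionalHeader
    table = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    result = []
    for i in range(nsect):
        hdr = table + 40 * i
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", pe, hdr + 16)
        result.append((name, raw_size, shannon_entropy(pe[raw_ptr:raw_ptr + raw_size])))
    return result


def packed_sections(pe: bytes, threshold: float = 7.0) -> list:
    """Section names above the entropy threshold: a triage hint, not proof of packing."""
    return [name for name, _, h in section_entropies(pe) if h >= threshold]


def build_sample_pe() -> bytes:
    """Constructed two-section 32-bit image (not the unpackme): a low-entropy
    CODE section and a pseudo-random .data section imitating packed data."""
    rnd = random.Random(1)
    code = (b"mov eax, ebx; " * 40)[:0x200]
    packed = bytes(rnd.randrange(256) for _ in range(0x200))
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)         # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)
    opt = b"\0" * 0xE0                                                # unused by this parser
    data_off = 0x200                                                  # first raw section offset

    def sec(name, va, off):                                           # IMAGE_SECTION_HEADER
        return struct.pack("<8sIIIIIIHHI", name, 0x200, va, 0x200, off, 0, 0, 0, 0, 0x60000020)

    headers = dos + coff + opt + sec(b"CODE", 0x1000, data_off) + sec(b".data", 0x2000, data_off + 0x200)
    return headers.ljust(data_off, b"\0") + code + packed
```

Run `packed_sections(open(path, "rb").read())` on a real file to get the same hint PID gives; a high value only says the bytes look random, so pair it with the section count and the entry-point location before concluding anything.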
icarusdc, posted March 1, 2017

Stuck at finding the OEP. The unpackme uses the Enigma normal VM, right? 'Cause I can't find the OEP by setting a memory breakpoint on access on the code section and finding references in the GMHA routine. So the OEP is maybe in the last section. The other hard part of this is that you provide 4 keys with only 2 executions per key, that means 8 tries allowed. I've used the keys 5 times. Salam.
icarusdc, posted March 1, 2017

Hi, the steps I took to unpack this:
1. Change HWID. I used LCF-AT's script from here.
2. VM fixing and OEP rebuilding. I used LCF-AT's script from here.
3. File optimizing. I used SHADOW_UA's method from here.
Salam
Attachment: Project2_protected_dump_SCY_2_2.rar
GautamGreat, posted March 9, 2017

Hi, I have patched the HWID check, but now it is showing "invalid file name". I am working on that now. @icarusdc did you patch the file name checks too?
icarusdc, posted March 9, 2017

Hi @ramjane, I've unpacked it with the original filename and I didn't know about filename checks. But I tried to unpack it with a non-original filename and did not succeed xD. Salam.
GautamGreat, posted March 9, 2017

Hi @icarusdc, how did you patch the HWID? I patched it with a different method. Maybe there is a problem.
icarusdc, posted March 9, 2017

Hi, I just followed what @LCF-AT mentioned in this post: finding the right place to change the HWID with the lstrlenA API. Salam.
Edited March 9, 2017 by icarusdc
GautamGreat, posted March 9, 2017

Hi again. I checked my script and made some changes; now it works on 5.6 too. @icarusdc
Attachment: Unpacked+Video.rar
Edited March 9, 2017 by ramjane
阿皇仔, posted March 9, 2017

@ramjane Can you tell me how to fix the VMed APIs automatically? I know how to fix them manually, but it takes me a lot of time.
icarusdc, posted March 10, 2017

Wow, you are great! But it seems you didn't find the OEP yet. It will be trouble if the OEP bytes are complicated. Fortunately, this unpackme is quite simple. Salam.
GautamGreat, posted March 10, 2017

6 hours ago, 阿皇仔 said:
> @ramjane Can you tell me how to fix the VMed APIs automatically? I know how to fix them manually, but it takes me a lot of time.

Hi, if you can fix it manually then you can write a script too; just use the OllyScript reference from here: https://tuts4you.com/download.php?view.3431
icarusdc, posted March 10, 2017

@ramjane wow, that's great stuff. Patching PRE_EXIT_CHECK will bypass some checks by Enigma like filename, password, etc., and you found that address!! But it can't bypass the CRC check, right? Enigma always shows "Internal error". @Apuromafo any plan to make a new unpackme with Enigma API(s)? Salam.
GautamGreat, posted March 10, 2017

@icarusdc Hi, CRC checks can't be bypassed by the prechecker patch. I haven't worked on a CRC patch for Enigma. It will definitely be hard for me. Does Enigma use a different method for CRC? Well! I have to work on that.
Apuromafo (author), posted March 11, 2017

On 10/3/2017 at 8:30 AM, icarusdc said:
> @ramjane wow, that's great stuff. Patching PRE_EXIT_CHECK will bypass some checks by Enigma like filename, password, etc., and you found that address!! But it can't bypass the CRC check, right? Enigma always shows "Internal error". @Apuromafo any plan to make a new unpackme with Enigma API(s)? Salam.

The hard level must be with the Enigma API, but I'm not an expert coder. I will wait there, giv, or have a little more time.
BR, Apuromafo
PS: when I create an unpackme it is only to test and share the small differences between versions 5.5 and 5.6.
PS: giv answered the question.
Edited March 11, 2017 by Apuromafo
icarusdc, posted March 11, 2017

Hi, I see. I'm not a good coder, either. I've tried to protect an unpackme for testing but it is never as good as a real application/target I found. Real applications use some Enigma APIs and it's different from what I've found before. These Enigma APIs are located between Windows APIs. Normally the Enigma APIs would be located at the end of the IAT, but they are not. So that's why I'm wondering if you can make an unpackme with Enigma APIs like a real application uses. See picture. Salam.
vonjack, posted March 14, 2017

Fake HWID: use LCF-AT's script, new pattern #85D274??8B?AFC#
Pre checker: find "div eax, 0" or "ud2"
VM API: modified PC-RET's script.
OEP find: use ramjane's method (I still don't know why; can you make an explanation for me? Thank you!)
OEP restoration: use GIV's script.
Dumped in Win7 x64.
Attachment: Project2_protected_dump_SCY3.7z
vonjack, posted March 14, 2017 (marked as Solution)

Found a new way to get the OEP. Find #FF25????????C3# first, then get the address reference number; if > 0, bphws; else redo the find. esto; when it stops, the VM OEP is [esp]-5. This method cannot use GIV's script to restore the OEP; it needs some modification. When it comes to the VM OEP, set a memory access breakpoint at 0x401000 and run; it will crash. Then we see in the log "[ScryllaHide] Gard Page Breakpoint Violation 0x406064", so we restart the target and the script, go to the VM OEP, set a hardware execution breakpoint on 0x406064 and run. When it stops, use GIV's script to restore the OEP. The attachment is my script video. The script is mainly modified from ramjane's, adding LCF-AT's, PC-RET's and GIV's scripts.
Attachment: Video.7z
Edited March 14, 2017 by vonjack: added tutorial video.