Medium Unpackme Enigma 5.6

[Apuromafo]

Difficulty : 3
Language : Delphi 7 SE
Platform : Windows X86
OS Version : XP and above
Packer / Protector : Enigma Protector 5.6

Description :

Medium unpackme for do a  tutorial/tut
maybe is medium because i gived info of registration  , maybe lv 8 without registration 

BR, APuromafo

Silver= unpacked.exe
Bronce=unpacked +tutorial 
Gold=unpacked+tutorial+script 


PID scan:
 

-=[ ProtectionID v0.6.8.5 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/16-13:09:21
Ready...
Scanning -> C:\Users\Pc\Desktop\Proyecto delphi Apuromafo\Project2_protected.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 2462720 (0259400h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x2A425E19 -> Fri 19th Jun 1992 22:22:17 (GMT)
[TimeStamp] 0x2A425E19 -> Fri 19th Jun 1992 22:22:17 (GMT) | PE Header | - | Offset: 0x00000108 | VA: 0x00400108 | -
[File Heuristics] -> Flag #1 : 00000000000001001100000100100011 (0x0004C123)
[Entrypoint Section Entropy] : 7.99 (section #10) ".data   " | Size : 0x1FD000 (2084864) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 11 (0xB) | ImageSize 0x9E2000 (10362880) byte(s)
[Export] 0% of function(s) (0 of 1) are in file | 0 are forwarded | 0 code | 0 data | 0 uninit data | 0 unknown | 
[VersionInfo] Company Name : The Enigma Protector Developers Team
[VersionInfo] Product Name : The Enigma Protector
[VersionInfo] Product Version : 1.0.0.0
[VersionInfo] File Description : Software Protection Tool
[VersionInfo] File Version : 1.0.0.0
[VersionInfo] Original FileName : enigma.exe
[VersionInfo] Internal Name : ENIGMA.EXE
[VersionInfo] Version Comments : http://enigmaprotector.com/
[VersionInfo] Legal Trademarks : Trademarks (R) 2002-2009 Vladimir Sukhov
[VersionInfo] Legal Copyrights : Copyrights (C) 2002-2009 Vladimir Sukhov?
[ModuleReport] [IAT] Modules -> kernel32.dll | user32.dll | advapi32.dll | oleaut32.dll | gdi32.dll | shell32.dll | version.dll | comctl32.dll
[Taggant Info] Record @ file offset 0x0005C400
Length : 0x3000 (12288) byte(s)  | CMSLength : 0x1ABA (6842) | Version : 1
PackerId found : 0x00000001 (1) | Enigma Protector V 5.60 Build 0 (reserved 0)
[!] Enigma Protector V 5.60 Build 0 (reserved 0) detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 60% probability
- Scan Took : 0.46 Second(s) [00000002Eh (46) tick(s)] [12 of 580 scan(s) done]

Screenshoot
welcome click

for close, with 6 clicks


info

username:tuts4you.com
hiw:E8500-C2257-29449-D99A1-DCC92-EC29D-D49D4-F81F9
Serial:

LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tGPw-xKgD-az9H-U7u7-Ruac-9mCX-qvyT-PbBb-K1MX-eZgQ-OmH8-xc3Q-YP+G-RO7O-r==j-+lc8-W3rJ-bkMx-3GYX-kGgK-6WJk-bw2G-2ob4-H8vO-vjab-ayu5-gosR-7kqj-Iml=-q=2U-OgZN-t+kSNrh


LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tKPu-OdaJ-rJTO-1N2g-1smq-2=vE-mibL-iEzT-kjAZ-xaDq-6+Jx-jofC-H2cF-kHXM-qYMj-YyhF-yOol-8+kh-nfar-4qut-ZxPp-urF6-dUCo-xkRM-py8s-V0w4-5DQK-fNPH-BSGX-GGcV-tyk5-GY6AReT

LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tKPL-vcuv-ZKkv-H=lg-EQQ7-nd9G-nC8B-KxUs-2kaB-X3kJ-9=Zt-35EB-TRcd-l7v4-k2KO-zWc3-idyd-rSxF-luoG-5ytK-xsfo-VEor-hjcG-FJm3-CP6K-nkoC-9I0S-zDww-F3JK-k4o+-QThh-y7GEXoY

LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tKPB-vOQM-zjQb-TQmV-L+MQ-N2ZU-BJOd-5YZj-nRiW-+gpn-rtt8-21=F-lyvC-CKc3-YNFE-IH9L-ByBO-uMWL-Qht6-X3ed-au4P-zDXN-IfpP-rrgX-AZz4-j8w3-c9mh-qyqC-=KUM-MdGu-VdMc-04IlSnI

n° of execution with that key : 2  executions per key (4 key provided)
password:apuromafo

file:
Project2_protected.rar

Log of protection:

[14:19:53] Loading project settings...
[14:19:53] Loading main information
[14:19:53] Loading Registration Features - Registration Data Storage
[14:19:53] Loading Registration Features - Common
[14:19:53] Loading Registration Features - Registration Dialog
[14:19:53] Loading Registration Features - Key Expiration Reminder
[14:19:53] Loading Checkup
[14:19:53] Loading Checkup - Anti Debugger
[14:19:53] Loading Checkup - Control Sum
[14:19:53] Loading Checkup - Startup Password
[14:19:53] Loading Checkup - File Name
[14:19:53] Loading Checkup - Disk Drive
[14:19:53] Loading Checkup - Executed Copies
[14:19:53] Loading Checkup - User Language
[14:19:53] Loading Checkup - External Files
[14:19:53] Loading Checkup - Executed Processes
[14:19:53] Loading Checkup - Loaded Drivers
[14:19:53] Loading Checkup - Installed Services
[14:19:53] Loading Checkup - Windows Version
[14:19:53] Loading Checkup - Virtualization Tools
[14:19:53] Loading Checkup - Privileges
[14:19:53] Loading Protection
[14:19:53] Loading Protection - Protected Strings
[14:19:53] Loading Protection - Resources Protection
[14:19:53] Loading VirtualBox
[14:19:53] Loading VirtualBox - Files
[14:19:53] Loading VirtualBox - Registry
[14:19:53] Loading VirtualBox - Packaging
[14:19:53] Loading VirtualBox - Options
[14:19:53] Loading Virtual Machine
[14:19:53] Loading Miscellaneous
[14:19:53] Loading Miscellaneous - Splash Screen
[14:19:53] Loading Miscellaneous - Watermark
[14:19:53] Loading Miscellaneous - Plugins
[14:19:53] Loading Miscellaneous - Custom VERSION Resource
[14:19:53] Loading Miscellaneous - Custom MANIFEST Resource
[14:19:53] Loading Miscellaneous - Command Line
[14:19:53] Loading Protection - Environment Variables
[14:19:53] Loading Miscellaneous - Other
[14:19:53] Loading Trial Control
[14:19:53] Loading Trial Control - Common
[14:19:53] Loading Protection - Trial Data Storing
[14:19:53] Loading Trial Control - Lock Trial to User Language
[14:19:53] Loading Trial Control - Limitation by Executions Count
[14:19:53] Loading Trial Control - Limitation by Days Count
[14:19:53] Loading Trial Control - Limitation by Expiration Date
[14:19:53] Loading Trial Control - Limitation from Date till Date
[14:19:53] Loading Trial Control - Limitation of Execution Time
[14:19:53] Loading Trial Control - Reminder
[14:19:53] Loading Trial Control - Time Control
[14:19:53] Protect file: c:\users\pc\desktop\proyecto delphi apuromafo\project2.exe
[14:19:54] Protection started ...
[14:19:54] Input file size = 375808 bytes
[14:19:54] File entropy : 1,30
[14:19:54] Search markers...
[14:19:54] - 1 function(s) processed with RISC virtual machine
[14:19:54] Process Virtual Machine ...
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\checkremotedebuggerpresent.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\closehandle.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\debugobjects.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\emulatorsdetect.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\getstartupinfo.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\hardwarebreakpoints.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\heapcheck.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\hidecurrentthread.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\int3.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\int3check.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\isdebuggerpresent.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\isdebuggerpresentx.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntflags.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntforceflags.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntglobalflag.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntqueryinformationprocess.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\outputdebugstring.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\sandboxiedetect.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\writeprocessmemoryinject.dll
[14:20:09] Compress section :
[14:20:09]  - "CODE", size 317440 bytes ... 
[14:20:09] done, new size 148992 bytes
[14:20:09]  - "DATA", size 4608 bytes ... 
[14:20:09] done, new size 2048 bytes
[14:20:09]  - "BSS", size 0 bytes ... 
[14:20:09] done, new size 0 bytes
[14:20:09]  - ".idata", size 8192 bytes ... 
[14:20:09] done, new size 512 bytes
[14:20:09]  - ".tls", size 0 bytes ... 
[14:20:09] done, new size 0 bytes
[14:20:09]  - ".rdata", size 512 bytes ... 
[14:20:09] done, new size 0 bytes
[14:20:09]  - ".reloc", size 22528 bytes ... 
[14:20:09] done, new size 15872 bytes
[14:20:09]  - ".rsrc", size 21504 bytes ... 
[14:20:09] done, new size 3072 bytes
[14:20:14] Taggant: Prepare taggant
[14:20:14] Taggant: Certificate is valid
[14:20:14] Taggant: Compute hashes
[14:20:14] Taggant: Put timestamp, make sure internet connection is alive
[14:20:15] Taggant: Timestamp successfully obtained
[14:20:15] Taggant: Successfully placed to the file
[14:20:15] All completed, new file size = 2462720 bytes, ratio 655,31%
[14:20:15] File successfully protected: C:\Users\Pc\Desktop\Proyecto delphi Apuromafo\Project2_protected.exe

 

br, Apuromafo CLS

 

[icarusdc]

stuck at finding OEP

the unpackme uses Enigma normal VM, right? 'cause I can't found the OEP by setting memory breakpoint on access on code section and finding refrences on GMHA routine. so OEP maybe in last section.

the other hard part of this is you provide 4 keys with 2 executions only per key that means allowing 8 times to try

I've used the keys 5 times.

 

Salam.

[icarusdc]

Hi,

The steps I take for unpack this:

1. Change HWID. I used LCF-AT's script from here

2. VM Fixing and OEP Rebuilding. I used LCF-AT's script from here.

3. File Optimizing. I used SHADOW_UA's method from here.

 

Salam

Project2_protected_dump_SCY_2_2.rar

[GautamGreat]

Hi,

I have patched the HWID check, but Now it is showing invalid file name. I am working on that now. @icarusdc did you patched file name checks too?

[icarusdc]

Hi @ramjane

I've unpacked it with original filename and I didn't know about filename checks.

But I tried to unpacked it with non-original filename and no succeeded xD

 

Salam.

[GautamGreat]

Hi @icarusdc

How did you patch hwid? I patched with different method. Maybe there is problem.

[icarusdc]

Hi,

I just followed what @LCF-AT mentioned in this post.

Finding the right place to change HWID with lstrlenA API

 

Salam.

Edited March 9, 2017 by icarusdc

[GautamGreat]

Hi again.

I checked my script and made some changes now its work on 5.6 too. 

 

@icarusdc 

Unpacked+Video.rar

Edited March 9, 2017 by ramjane

[阿皇仔]

@ramjane

Can you tell me how to fix vmed api automatically?

I know how to  fix it manually, but it take me a lot of time.

[icarusdc]

wow you are great!

but seems you didnt found the OEP yet.

it will be trouble if OEP bytes are compilcated. fortunately, this unpackme is quite simple.

 

Salam.

[GautamGreat]

6 hours ago, 阿皇仔 said:

@ramjane

Can you tell me how to fix vmed api automatically?

I know how to  fix it manually, but it take me a lot of time.

Hi,

If you can fix it manually then you can write a script too, just use ollyscript reference from here. 
https://tuts4you.com/download.php?view.3431

[icarusdc]

@ramjane

wow, that's great stuff. patching PRE_EXIT_CHECK will bypass some checks by Enigma like filename, password, etc and you found that address!!

but it can't bypass CRC check, right? Enigma always shows Internal error.

 

@Apuromafo

any plan to make new unpackme with Enigma API(s)?

 

Salam.

[GautamGreat]

@icarusdc

Hi,

CRC checks can't be bypassed by prechecker patch. I don't worked on crc patch of enigma. It will ddefinitely hard for me. Enigma uses different method in crc? Well! I have to work on that. 

[Apuromafo]

On 10/3/2017 at 8:30 AM, icarusdc said:

@ramjane

wow, that's great stuff. patching PRE_EXIT_CHECK will bypass some checks by Enigma like filename, password, etc and you found that address!!

but it can't bypass CRC check, right? Enigma always shows Internal error.

 

@Apuromafo

any plan to make new unpackme with Enigma API(s)?

 

Salam.



 

the hard level must be with enigma api, but im not expert coder..i will wait there giv or have a little more time

BR, Apuromafo

pd:when i create a unpackme is only for test and share a little diferences in versions 5.5 to 5.6

pd: giv answered the question

Edited March 11, 2017 by Apuromafo

[icarusdc]

Hi,

I see.

I'm not a good coder, too. I've tried to protect an unpackme for test but never be as good as real application/target I found.

Real applications use some Enigma APIs and it's diferent from what I've found before. these Enigma APIs are located between Windows APIs. Normally Enigma APIs will be located in the end of IAT but it's not.

So that's why I'm wondering if you can make an unpackme with Enigma API like real application uses.

See picture:

Spoiler

 

 

 

Salam.

[vonjack]

fake hwid: use LCF-AT's script, new pattern #85D274??8B?AFC#

pre checker: find "div eax, 0" or "ud2"

VM API: modified PC-RET's script.

OEP find: use ramjane's method (I still don't know why, can you make an explanation for me ? Thank you!)

OEP restoration: use GIV's script.

dumped in Win7 x64.

 

 

Project2_protected_dump_SCY3.7z

[vonjack]

Find a new way to get OEP.

find #FF25????????C3# first, then get addr reference number, if > 0, bphws; else redo find.

esto, when stop, VM OEP is [esp] -5.

this method cannot use GIV's script to restoration OEP, need some modify.

when comes to VM OEP, set memory access breakpoint in 0x401000, and run, it will crash.

then we see log, "[ScryllaHide] Gard Page Breakpoint Violation 0x406064"

so we restart the target and script, goto VM OEP.

set hardware execution breakpoint on 0x406064, run.

when stop, use GIV's script to restoration OEP.

 

Attachment is my script video.

Script is mainly modified from ramjane. Add LCF-AT, PC-RET, GIV's script.

Video.7z

Edited March 14, 2017 by vonjack
Add Tutorial Video.