Jump to content
Tuts 4 You
  • 0
Sign in to follow this  
Apuromafo

Medium Unpackme Enigma 5.6

Question

Apuromafo

Difficulty : 3
Language : Delphi 7 SE
Platform : Windows X86
OS Version : XP and above
Packer / Protector : Enigma Protector 5.6

Description :

Medium unpackme for do a  tutorial/tut
maybe is medium because i gived info of registration :) , maybe lv 8 without registration 

BR, APuromafo

Silver= unpacked.exe
Bronce=unpacked +tutorial 
Gold=unpacked+tutorial+script 


PID scan:
 

-=[ ProtectionID v0.6.8.5 DECEMBER]=-
(c) 2003-2017 CDKiLLER & TippeX
Build 24/12/16-13:09:21
Ready...
Scanning -> C:\Users\Pc\Desktop\Proyecto delphi Apuromafo\Project2_protected.exe
File Type : 32-Bit Exe (Subsystem : Win GUI / 2), Size : 2462720 (0259400h) Byte(s) | Machine: 0x14C (I386)
Compilation TimeStamp : 0x2A425E19 -> Fri 19th Jun 1992 22:22:17 (GMT)
[TimeStamp] 0x2A425E19 -> Fri 19th Jun 1992 22:22:17 (GMT) | PE Header | - | Offset: 0x00000108 | VA: 0x00400108 | -
[File Heuristics] -> Flag #1 : 00000000000001001100000100100011 (0x0004C123)
[Entrypoint Section Entropy] : 7.99 (section #10) ".data   " | Size : 0x1FD000 (2084864) byte(s)
[DllCharacteristics] -> Flag : (0x0000) -> NONE
[SectionCount] 11 (0xB) | ImageSize 0x9E2000 (10362880) byte(s)
[Export] 0% of function(s) (0 of 1) are in file | 0 are forwarded | 0 code | 0 data | 0 uninit data | 0 unknown | 
[VersionInfo] Company Name : The Enigma Protector Developers Team
[VersionInfo] Product Name : The Enigma Protector
[VersionInfo] Product Version : 1.0.0.0
[VersionInfo] File Description : Software Protection Tool
[VersionInfo] File Version : 1.0.0.0
[VersionInfo] Original FileName : enigma.exe
[VersionInfo] Internal Name : ENIGMA.EXE
[VersionInfo] Version Comments : http://enigmaprotector.com/
[VersionInfo] Legal Trademarks : Trademarks (R) 2002-2009 Vladimir Sukhov
[VersionInfo] Legal Copyrights : Copyrights (C) 2002-2009 Vladimir Sukhov?
[ModuleReport] [IAT] Modules -> kernel32.dll | user32.dll | advapi32.dll | oleaut32.dll | gdi32.dll | shell32.dll | version.dll | comctl32.dll
[Taggant Info] Record @ file offset 0x0005C400
Length : 0x3000 (12288) byte(s)  | CMSLength : 0x1ABA (6842) | Version : 1
PackerId found : 0x00000001 (1) | Enigma Protector V 5.60 Build 0 (reserved 0)
[!] Enigma Protector V 5.60 Build 0 (reserved 0) detected !
[CompilerDetect] -> Borland Delphi (unknown version) - 60% probability
- Scan Took : 0.46 Second(s) [00000002Eh (46) tick(s)] [12 of 580 scan(s) done]


Screenshoot :)
welcome click
2017-02-27_142339.jpg.0da970aa99e969e15d8dd6e2106455a7.jpg
for close, with 6 clicks

2017-02-27_142407.jpg.b851f6da9126284f61e2fe77bc2b0680.jpg
info

username:tuts4you.com
hiw:E8500-C2257-29449-D99A1-DCC92-EC29D-D49D4-F81F9
Serial:

LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tGPw-xKgD-az9H-U7u7-Ruac-9mCX-qvyT-PbBb-K1MX-eZgQ-OmH8-xc3Q-YP+G-RO7O-r==j-+lc8-W3rJ-bkMx-3GYX-kGgK-6WJk-bw2G-2ob4-H8vO-vjab-ayu5-gosR-7kqj-Iml=-q=2U-OgZN-t+kSNrh


LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tKPu-OdaJ-rJTO-1N2g-1smq-2=vE-mibL-iEzT-kjAZ-xaDq-6+Jx-jofC-H2cF-kHXM-qYMj-YyhF-yOol-8+kh-nfar-4qut-ZxPp-urF6-dUCo-xkRM-py8s-V0w4-5DQK-fNPH-BSGX-GGcV-tyk5-GY6AReT

LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tKPL-vcuv-ZKkv-H=lg-EQQ7-nd9G-nC8B-KxUs-2kaB-X3kJ-9=Zt-35EB-TRcd-l7v4-k2KO-zWc3-idyd-rSxF-luoG-5ytK-xsfo-VEor-hjcG-FJm3-CP6K-nkoC-9I0S-zDww-F3JK-k4o+-QThh-y7GEXoY

LYB9-bvoA-Tt80-OQDB-2Zxm-V1SE-a5F8-zXqq-ovBV-tKPB-vOQM-zjQb-TQmV-L+MQ-N2ZU-BJOd-5YZj-nRiW-+gpn-rtt8-21=F-lyvC-CKc3-YNFE-IH9L-ByBO-uMWL-Qht6-X3ed-au4P-zDXN-IfpP-rrgX-AZz4-j8w3-c9mh-qyqC-=KUM-MdGu-VdMc-04IlSnI

n° of execution with that key : 2  executions per key (4 key provided)
password:apuromafo

file:

Project2_protected.rar

Log of protection:

[14:19:53] Loading project settings...
[14:19:53] Loading main information
[14:19:53] Loading Registration Features - Registration Data Storage
[14:19:53] Loading Registration Features - Common
[14:19:53] Loading Registration Features - Registration Dialog
[14:19:53] Loading Registration Features - Key Expiration Reminder
[14:19:53] Loading Checkup
[14:19:53] Loading Checkup - Anti Debugger
[14:19:53] Loading Checkup - Control Sum
[14:19:53] Loading Checkup - Startup Password
[14:19:53] Loading Checkup - File Name
[14:19:53] Loading Checkup - Disk Drive
[14:19:53] Loading Checkup - Executed Copies
[14:19:53] Loading Checkup - User Language
[14:19:53] Loading Checkup - External Files
[14:19:53] Loading Checkup - Executed Processes
[14:19:53] Loading Checkup - Loaded Drivers
[14:19:53] Loading Checkup - Installed Services
[14:19:53] Loading Checkup - Windows Version
[14:19:53] Loading Checkup - Virtualization Tools
[14:19:53] Loading Checkup - Privileges
[14:19:53] Loading Protection
[14:19:53] Loading Protection - Protected Strings
[14:19:53] Loading Protection - Resources Protection
[14:19:53] Loading VirtualBox
[14:19:53] Loading VirtualBox - Files
[14:19:53] Loading VirtualBox - Registry
[14:19:53] Loading VirtualBox - Packaging
[14:19:53] Loading VirtualBox - Options
[14:19:53] Loading Virtual Machine
[14:19:53] Loading Miscellaneous
[14:19:53] Loading Miscellaneous - Splash Screen
[14:19:53] Loading Miscellaneous - Watermark
[14:19:53] Loading Miscellaneous - Plugins
[14:19:53] Loading Miscellaneous - Custom VERSION Resource
[14:19:53] Loading Miscellaneous - Custom MANIFEST Resource
[14:19:53] Loading Miscellaneous - Command Line
[14:19:53] Loading Protection - Environment Variables
[14:19:53] Loading Miscellaneous - Other
[14:19:53] Loading Trial Control
[14:19:53] Loading Trial Control - Common
[14:19:53] Loading Protection - Trial Data Storing
[14:19:53] Loading Trial Control - Lock Trial to User Language
[14:19:53] Loading Trial Control - Limitation by Executions Count
[14:19:53] Loading Trial Control - Limitation by Days Count
[14:19:53] Loading Trial Control - Limitation by Expiration Date
[14:19:53] Loading Trial Control - Limitation from Date till Date
[14:19:53] Loading Trial Control - Limitation of Execution Time
[14:19:53] Loading Trial Control - Reminder
[14:19:53] Loading Trial Control - Time Control
[14:19:53] Protect file: c:\users\pc\desktop\proyecto delphi apuromafo\project2.exe
[14:19:54] Protection started ...
[14:19:54] Input file size = 375808 bytes
[14:19:54] File entropy : 1,30
[14:19:54] Search markers...
[14:19:54] - 1 function(s) processed with RISC virtual machine
[14:19:54] Process Virtual Machine ...
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\checkremotedebuggerpresent.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\closehandle.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\debugobjects.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\emulatorsdetect.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\getstartupinfo.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\hardwarebreakpoints.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\heapcheck.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\hidecurrentthread.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\int3.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\int3check.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\isdebuggerpresent.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\isdebuggerpresentx.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntflags.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntforceflags.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntglobalflag.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\ntqueryinformationprocess.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\outputdebugstring.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\sandboxiedetect.dll
[14:20:09] Process Plugin: C:\Program Files (x86)\The Enigma Protector5.60\Plugins\writeprocessmemoryinject.dll
[14:20:09] Compress section :
[14:20:09]  - "CODE", size 317440 bytes ... 
[14:20:09] done, new size 148992 bytes
[14:20:09]  - "DATA", size 4608 bytes ... 
[14:20:09] done, new size 2048 bytes
[14:20:09]  - "BSS", size 0 bytes ... 
[14:20:09] done, new size 0 bytes
[14:20:09]  - ".idata", size 8192 bytes ... 
[14:20:09] done, new size 512 bytes
[14:20:09]  - ".tls", size 0 bytes ... 
[14:20:09] done, new size 0 bytes
[14:20:09]  - ".rdata", size 512 bytes ... 
[14:20:09] done, new size 0 bytes
[14:20:09]  - ".reloc", size 22528 bytes ... 
[14:20:09] done, new size 15872 bytes
[14:20:09]  - ".rsrc", size 21504 bytes ... 
[14:20:09] done, new size 3072 bytes
[14:20:14] Taggant: Prepare taggant
[14:20:14] Taggant: Certificate is valid
[14:20:14] Taggant: Compute hashes
[14:20:14] Taggant: Put timestamp, make sure internet connection is alive
[14:20:15] Taggant: Timestamp successfully obtained
[14:20:15] Taggant: Successfully placed to the file
[14:20:15] All completed, new file size = 2462720 bytes, ratio 655,31%
[14:20:15] File successfully protected: C:\Users\Pc\Desktop\Proyecto delphi Apuromafo\Project2_protected.exe

 

br, Apuromafo CLS

 

Share this post


Link to post

16 answers to this question

Recommended Posts

  • 0
vonjack

Find a new way to get OEP.

find #FF25????????C3# first, then get addr reference number, if > 0, bphws; else redo find.

esto, when stop, VM OEP is [esp] -5.

this method cannot use GIV's script to restoration OEP, need some modify.

when comes to VM OEP, set memory access breakpoint in 0x401000, and run, it will crash.

then we see log, "[ScryllaHide] Gard Page Breakpoint Violation 0x406064"

so we restart the target and script, goto VM OEP.

set hardware execution breakpoint on 0x406064, run.

when stop, use GIV's script to restoration OEP.

 

Attachment is my script video.

Script is mainly modified from ramjane. Add LCF-AT, PC-RET, GIV's script.

Video.7z

Edited by vonjack
Add Tutorial Video. (see edit history)
  • Like 2

Share this post


Link to post
  • 1
icarusdc

Hi,

The steps I take for unpack this:

1. Change HWID. I used LCF-AT's script from here

2. VM Fixing and OEP Rebuilding. I used LCF-AT's script from here.

3. File Optimizing. I used SHADOW_UA's method from here.

 

Salam

Project2_protected_dump_SCY_2_2.rar

  • Like 4

Share this post


Link to post
  • 1
icarusdc

Hi,

I see.

I'm not a good coder, too. I've tried to protect an unpackme for test but never be as good as real application/target I found.

Real applications use some Enigma APIs and it's diferent from what I've found before. these Enigma APIs are located between Windows APIs. Normally Enigma APIs will be located in the end of IAT but it's not.

So that's why I'm wondering if you can make an unpackme with Enigma API like real application uses.

See picture:

Spoiler

eni.jpg

 

 

 

Salam.

Share this post


Link to post
  • 1
vonjack

fake hwid: use LCF-AT's script, new pattern #85D274??8B?AFC#

pre checker: find "div eax, 0" or "ud2"

VM API: modified PC-RET's script.

OEP find: use ramjane's method (I still don't know why, can you make an explanation for me ? Thank you!)

OEP restoration: use GIV's script.

dumped in Win7 x64.

 

 

Project2_protected_dump_SCY3.7z

  • Like 1

Share this post


Link to post
  • 0
icarusdc

stuck at finding OEP :(

the unpackme uses Enigma normal VM, right? 'cause I can't found the OEP by setting memory breakpoint on access on code section and finding refrences on GMHA routine. so OEP maybe in last section.

the other hard part of this is you provide 4 keys with 2 executions only per key that means allowing 8 times to try :(

I've used the keys 5 times.

 

Salam.

Share this post


Link to post
  • 0
GautamGreat

Hi,

I have patched the HWID check, but Now it is showing invalid file name. I am working on that now. @icarusdc did you patched file name checks too?

Share this post


Link to post
  • 0
icarusdc

Hi @ramjane

I've unpacked it with original filename and I didn't know about filename checks.

But I tried to unpacked it with non-original filename and no succeeded xD

 

Salam.

Share this post


Link to post
  • 0
GautamGreat

Hi @icarusdc

How did you patch hwid? I patched with different method. Maybe there is problem.

Share this post


Link to post
  • 0
icarusdc

Hi,

I just followed what @LCF-AT mentioned in this post.

Finding the right place to change HWID with lstrlenA API

 

Salam.

Edited by icarusdc (see edit history)

Share this post


Link to post
  • 0
阿皇仔

@ramjane

Can you tell me how to fix vmed api automatically?

I know how to  fix it manually, but it take me a lot of time.

Share this post


Link to post
  • 0
icarusdc

wow you are great!

but seems you didnt found the OEP yet.

it will be trouble if OEP bytes are compilcated. fortunately, this unpackme is quite simple.

 

Salam.

Share this post


Link to post
  • 0
GautamGreat
6 hours ago, 阿皇仔 said:

@ramjane

Can you tell me how to fix vmed api automatically?

I know how to  fix it manually, but it take me a lot of time.

Hi,

If you can fix it manually then you can write a script too, just use ollyscript reference from here. 
https://tuts4you.com/download.php?view.3431

Share this post


Link to post
  • 0
icarusdc

@ramjane

wow, that's great stuff. patching PRE_EXIT_CHECK will bypass some checks by Enigma like filename, password, etc and you found that address!!

but it can't bypass CRC check, right? Enigma always shows Internal error.

 

@Apuromafo

any plan to make new unpackme with Enigma API(s)?

 

Salam.

Share this post


Link to post
  • 0
GautamGreat

@icarusdc

Hi,

CRC checks can't be bypassed by prechecker patch. I don't worked on crc patch of enigma. It will ddefinitely hard for me. Enigma uses different method in crc? Well! I have to work on that. 

Share this post


Link to post
  • 0
Apuromafo
On 10/3/2017 at 8:30 AM, icarusdc said:

@ramjane

wow, that's great stuff. patching PRE_EXIT_CHECK will bypass some checks by Enigma like filename, password, etc and you found that address!!

but it can't bypass CRC check, right? Enigma always shows Internal error.

 

@Apuromafo

any plan to make new unpackme with Enigma API(s)?

 

Salam.



 

the hard level must be with enigma api, but im not expert coder..i will wait there giv or have a little more time

BR, Apuromafo

pd:when i create a unpackme is only for test and share a little diferences in versions 5.5 to 5.6

pd: giv answered the question

Edited by Apuromafo (see edit history)

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...