Apuromafo Posted March 14, 2017
testing about 3 trial sdk
Difficulty: 4
Language: Delphi 7 SE
Platform: Windows x86
OS Version: XP and above
Packer / Protector: Enigma Protector 5.6
Description: Little hard unpackme for doing a tutorial/tut; maybe it is hard because I did not give info about the registration. BR, Apuromafo
SS: I know that with all the hardcoded things it must not be impossible. Attached ide.dll only for the unpacked one, if really needed. link Desktop.7z
GautamGreat Posted March 14, 2017
Unpacked. Enigma API: I just fixed it with LCF-AT's tut. unprotectme_Unpacked.rar
vonjack Posted March 14, 2017
Fix API method: I don't know if I do it right, but Enigma sets the IAT to zero and sets jmp [455XXX] to jmp [4XXXXXXX]. So I hook the modification code like this:

<00E60200> // alloc some memory
mov edx, dword ptr ss:[ebp-10]
pushad
cmp edx, 465000 // edx should be 4XXXXXXX
jl @err
mov ebx, dword ptr ds:[eax]
cmp ebx, 455000 // ebx should be in IAT area
jl @err
cmp ebx, 457000
jg @err
mov ecx, dword ptr ds:[edx]
cmp ecx, 3FE00000 // ecx should be a win32 api address
jl @err
cmp ecx, 7FFFFFFF
jg @err
mov dword ptr ds:[ebx], ecx // lol, fix IAT
jmp @ret
@err:
mov dword ptr ds:[eax], edx
@ret:
popad
jmp 5AD4EC // Here we hook, 5AD4EC-5 to jmp

There are 3 Enigma APIs. Like ramjane, I just return 1. I don't know how to fully fix the Enigma API; I wish someone could show the script code:

mov eax, 1
retn

unprotectme_dump_SCY.7z
GautamGreat Posted March 14, 2017
Hi @vonjack, I used a different method to fix the IAT. Redirect the IAT with the old pattern trick, then use my script to fix the VMed APIs, and then use UIF Tool to move all APIs into one section. Did you test your OEP finding method? Does it work on this target?
阿皇仔 Posted March 14, 2017
Hi @ramjane, Can you explain how to unpack Enigma without a valid key? (old pattern does not work) Also, Medium Unpackme Enigma 5.6 always detects my ollydbg.exe; how can I avoid it? (bad tool detection)
vonjack Posted March 15, 2017 (edited)
@ramjane Hi, I just use the new method to get to the VM OEP. But for this unpackme, GIV's script won't work, it just logs:

push ebp
mov ebp, esp
add esp, -10

So I set the 401000 memory access bp, run and crash, see the log, find "Guard Violation Address", and here is the real OEP. My new edition fixed the Enigma API manually. lol Wish you an excellent script to auto-fix the Enigma API. Enigma API analysis:

4556F0 - 556AD4 - 578998 - 2C - EP_TrailExpirationDateEx
4556F4 - 5569AC - 57898C - 29 - EP_TrailDaysTotal
4556F8 - 55691C - 578980 - 26 - EP_TrialExecutionsTotal

enigma_api_fix.7z
Edited March 15, 2017 by vonjack
icarusdc Posted March 15, 2017
Well, it's a little bit lucky because Apuromafo didn't remove the "Try" button. Since the old HWID SIMPLE BYPASS by LCF-AT doesn't work, I just use this magic button xD. The steps I took to unpack this:
1. finding the PRE EXIT CHECKER to bypass some bad boy messages from Enigma.
2. finding the OEP by using GetModuleHandle call references.
3. fixing the emulated API.
4. relocating the outside API (advanced force import protection).
5. fixing the Enigma API.
6. optimizing the file size.
ScreenShot: File Size: +- 390 KB
Salam. unprotectme_dump_SCY_2_2.rar
GIV Posted March 15, 2017
4 hours ago, vonjack said: @ramjane Hi, I just use the new method to get to the VM OEP. But for this unpackme, GIV's script won't work, it just logs: So I set the 401000 memory access bp, run and crash, see the log, find "Guard Violation Address", and here is the real OEP. My new edition fixed the Enigma API manually. lol Wish you an excellent script to auto-fix the Enigma API. Enigma API analysis: 4556F0 - 556AD4 - 578998 - 2C - EP_TrailExpirationDateEx 4556F4 - 5569AC - 57898C - 29 - EP_TrailDaysTotal 4556F8 - 55691C - 578980 - 26 - EP_TrialExecutionsTotal enigma_api_fix.7z
Hi.
1. I have tested my script on XP only.
2. For the script to work you must run it from the OEP.
3. I did not test it extensively, and on long and complicated Delphi OEPs it may miss some pointers.
vonjack Posted March 15, 2017
@GIV Thank you for replying. Sometimes the script crashes; I think it's a problem of ScyllaHide and Win7 x64 (memory breakpoint). Olly1 on Win7 x64 often causes weird problems, as I have met. Thanks again for your sophisticated OEP restoration script. The script works well on other unpackmes. Maybe because the OEP of this unpackme is not VMed, the script just prints "push ebp; ......".
vonjack Posted March 15, 2017
3 minutes ago, GIV said: Then why do you use the script if the OEP is not VM'ed? My script can run to "call addr" [VM OEP] -> "jmp [vmcode]; retn" [VM JUMP]
No matter whether the unpackme's OEP is VM'ed or not, the script always runs to here. I don't know if it is VM'ed. So I used your script to check if the OEP is VM'ed.
GIV Posted March 15, 2017
Just learn the basic OEP structure for Delphi, C++, VB6 etc.
SHADOW_UA Posted March 15, 2017 (edited)
Unpacked file attached. Original filename is apuromafo_protected.exe. This string can be found in memory just around the filename check, so no problem here. Finding the OEP in new Enigma 5.50-5.60 is very easy. A data structure can be found in the Enigma VM section like:

<RVA of OEP>
<size of PE header>
0x400000 // always, even if imagebase is different O_o
<offset of second section>

Fixing regular API and VM API is the same as in previous versions. The OEP is not virtualized. I've also returned custom values from the Enigma API and placed them on the stack. Feel free to ask questions. apuromafo_protected_unpacked.zip
Edited March 15, 2017 by SHADOW_UA
阿皇仔 Posted March 15, 2017
Hi, @SHADOW_UA Can you tell more details about bypassing the triggers? Or make a tut video for unpacking this? Even after I renamed the exe to apuromafo_protected, it still has many triggers, but I don't know how to bypass them.
SHADOW_UA Posted March 15, 2017
9 minutes ago, 阿皇仔 said: Hi, @SHADOW_UA Can you tell more details about bypassing the triggers? Or make a tut video for unpacking this? Even after I renamed the exe to apuromafo_protected, it still has many triggers, but I don't know how to bypass them.
Please be more specific. For me, when I rename it to apuromafo_protected.exe the file runs perfectly (in case I "easy-bypass" the HWID dialog).
阿皇仔 Posted March 15, 2017
24 minutes ago, SHADOW_UA said: Please be more specific. For me, when I rename it to apuromafo_protected.exe the file runs perfectly (in case I "easy-bypass" the HWID dialog).
There are two situations: the first is exceeding 2 trial executions, and the second is the datetime check.
SHADOW_UA Posted March 15, 2017
4 minutes ago, 阿皇仔 said: There are two situations: the first is exceeding 2 trial executions, and the second is the datetime check.
This dialog will never show up if you bypass registration with the easy-bypass method (without key). Look in LCF-AT's script - you can find it in there. But there's one difference - starting from Enigma 5.50 that function is virtualized. So just have a bit of patience in tracing and you'll find it.
GautamGreat Posted March 16, 2017
Hi @SHADOW_UA Could you add some more detail about your OEP finding pattern? Actually I cannot find this:

<RVA of OEP>
<size of PE header>
0x400000 // always, even if imagebase is different O_o
<offset of second section>

I used a different method to reach the OEP, but it takes much time because it decrypts the whole code and then finds the OEP.
SHADOW_UA Posted March 17, 2017
@ramjane I'm sharing my private script to reach the OEP on all 5.xx (and maybe 4.xx). First it tries to find the static OEP address in the Enigma VM section. If that fails, it tries to dynamically reach the OEP.

lc
log "Enigma 5.xx OEP Finder by PC-RET v 1.1 started"
bc
dbh
bphwc
gmi eip, MODULEBASE
MOV IMAGEBASE, $RESULT
//gmi eip, CODEBASE
//MOV CODEBASE, $RESULT
//gmi eip, CODESIZE
//MOV CODESIZE, $RESULT
pusha
mov eax, IMAGEBASE
mov edi, eax
add eax, 3C
mov eax, edi+[eax]
mov SECTIONS, [eax+06], 02
mov esi, eax+0F8
mov edi, 28
mov ebp, SECTIONS
mov ecx, edi
mul edi, 1 // second section
add edi, esi
sub edi, 28
mov CODEBASE, [edi+0C]
add CODEBASE, IMAGEBASE
mov CODESIZE, [edi+08]
popa
GPA "VirtualAlloc", "kernel32.dll"
mov VirtualAlloc, $RESULT
GPA "VirtualProtect", "kernel32.dll"
mov VirtualProtect, $RESULT
GPA "VirtualQuery", "kernel32.dll"
mov VirtualQuery, $RESULT
bphws VirtualAlloc
run
rtr
esti
bphwc VirtualAlloc
gmemi eip, MEMORYBASE
mov ENIGMA_SECTION, $RESULT
mov startsearch, ENIGMA_SECTION
find startsearch, #8945F8EB0C8BCF8BD68B45FCE8????????F6C304740B8B55F88B45FC# // structure
cmp $RESULT, 0
je dynamic_find
static_find:
bp $RESULT
esto
gmemi esi, MEMORYBASE
mov startsearch, $RESULT
gmemi esi, MEMORYSIZE
mov searchend, $RESULT
add searchend, startsearch
alloc 100
mov eval_section, $RESULT
mov [eval_section], #609CB8AAAAAAAABBBBBBBBBBB9CCCCCCCCBADDDDDDDD3BC20F831F0000003918740D813800004000740583C004EBE73948100F840800000083C004EBD99D61908B70F803F39D6190#
mov [eval_section+3], startsearch
mov [eval_section+8], IMAGEBASE
mov [eval_section+D], CODESIZE
mov [eval_section+12], searchend
bp eval_section+3f
bp eval_section+45
bp eval_section+47
mov bakeip, eip
mov eip, eval_section
esto
cmp eip, eval_section+3f
je notfound_static
cmp eip, eval_section+45
je found_static
jmp error
found_static:
///////////////////////You can stop here and see OEP in ESI register///////////////////////
mov oep, esi
esto
mov eip, bakeip
bc
free eval_section
gmemi oep, MEMORYBASE
cmp $RESULT, 0
jne not_invalid_oep
eval "Invalid OEP found: {oep}. Now script will try another method."
msg $RESULT
jmp dynamic_find
not_invalid_oep:
mov oepbytes, [oep], 2
cmp oepbytes, 25ff
je risc_oep
cmp $RESULT, CODEBASE
je good_oep
eval "Some weird OEP found: {oep}. Do you want to continue or try using another method? \r\n\r\n\r\nContinue: NO\r\nAnother method: YES"
msgyn $RESULT
cmp $RESULT, 01
je dynamic_find
good_oep:
bphws oep
esto
msg "OEP found!"
bphwc
ret
risc_oep:
eval "It seems that OEP: {oep} is RISC-protected. Continuing in another mode."
msg $RESULT
jmp dynamic_find
notfound_static:
mov eip, bakeip
bc
free eval_section
dynamic_find:
bphws VirtualProtect
esto
bphwc VirtualProtect
bphws VirtualQuery
mov hits, 0
VirtualQueryloop:
esto
cmp [esp+4], IMAGEBASE
je checkhits
jmp VirtualQueryloop
checkhits:
inc hits
cmp hits, 2
jne VirtualQueryloop
bc
bphwc
bprm CODEBASE, CODESIZE
run
bpmc
msg "Possible OEP(near OEP) found."
ret
error:
msg "Fatal error occured."
ret
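The pusha...popa block of the script above walks the PE header by hand (e_lfanew at image base + 0x3C, NumberOfSections at PE + 0x06, the section table at PE + 0xF8, 0x28-byte entries with VirtualSize at +0x08 and VirtualAddress at +0x0C) to derive CODEBASE and CODESIZE. The following Python is an added example, not SHADOW_UA's script or any project code, that performs the same walk over a constructed PE32 header but reads SizeOfOptionalHeader instead of assuming the table sits at PE + 0xF8; all function names and the sample section layout are assumptions.

```python
import struct

SECTION_ENTRY_SIZE = 0x28  # sizeof(IMAGE_SECTION_HEADER)

def build_minimal_pe32(image_base, sections):
    """Constructed PE32 header buffer for testing (not a real binary).
    sections: list of (name, VirtualSize, VirtualAddress) tuples."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # standard PE32 optional header, the size the script assumes
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    file_hdr = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0x00, 0x10B)       # PE32 magic
    struct.pack_into("<I", opt, 0x1C, image_base)  # OptionalHeader.ImageBase
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                    0, 0, 0, 0, 0, 0, 0x60000020)
        for name, vsize, vaddr in sections)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + table

def section_entry(buf, index):
    """Return (VirtualSize, VirtualAddress) of the 0-based section `index`."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]              # e_lfanew ('add eax, 3C')
    if buf[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsections = struct.unpack_from("<H", buf, pe + 0x06)[0]  # script: [eax+06], 2 bytes
    opt_size = struct.unpack_from("<H", buf, pe + 0x14)[0]   # script hardcodes esi = eax+0F8
    if index >= nsections:
        raise IndexError("section index %d out of range" % index)
    entry = pe + 0x18 + opt_size + index * SECTION_ENTRY_SIZE
    vsize, vaddr = struct.unpack_from("<II", buf, entry + 0x08)  # [edi+08], [edi+0C]
    return vsize, vaddr

def code_bounds(buf, index=0):
    """CODEBASE/CODESIZE as the script derives them from the section it selects:
    VirtualAddress + ImageBase, and VirtualSize."""
    pe = struct.unpack_from("<I", buf, 0x3C)[0]
    image_base = struct.unpack_from("<I", buf, pe + 0x18 + 0x1C)[0]  # OptionalHeader.ImageBase
    vsize, vaddr = section_entry(buf, index)
    return image_base + vaddr, vsize

if __name__ == "__main__":
    sample = build_minimal_pe32(0x400000, [(b".text", 0x5000, 0x1000), (b".data", 0x800, 0x6000)])
    base, size = code_bounds(sample)
    print("CODEBASE=%#x CODESIZE=%#x" % (base, size))
```

Because it honours SizeOfOptionalHeader, the same walk also works on images whose optional header is not exactly 0xE0 bytes, which the script's fixed PE + 0xF8 offset would misread.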
evggrig Posted March 17, 2017
Are any special Olly or plugin settings needed for this script? The program starts without waiting for the script to finish.
SHADOW_UA Posted March 17, 2017
7 minutes ago, evggrig said: Are any special Olly or plugin settings needed for this script? The program starts without waiting for the script to finish.
Send me the file in a PM and I'll look at what is wrong (there are no special requirements; the main thing is that the file runs under the debugger).
GautamGreat Posted March 17, 2017
Hi, I use a different approach, but your method is quite different and fast. Thanks for sharing your script. I also attached a video of my script. Video.rar
SHADOW_UA Posted March 17, 2017
7 minutes ago, ramjane said: Hi, I use a different approach, but your method is quite different and fast. Thanks for sharing your script. I also attached a video of my script. Video.rar
For some reason, I cannot download your attachment.
Techlord Posted March 17, 2017
9 minutes ago, ramjane said: Hi, I use a different approach, but your method is quite different and fast. Thanks for sharing your script. I also attached a video of my script. Video.rar
Even I cannot download the attachment - it says that the resource is not available anymore.
GautamGreat Posted March 17, 2017 (edited)
Yeah, I don't know why it is happening. I uploaded it to an external host. http://www115.zippyshare.com/v/SYHcLy21/file.html
Edited March 17, 2017 by ramjane