• 0
Apuromafo

Little Hard Enigma 5.6

Question

Testing about 3 trial SDK
 

Difficulty : 4
Language : Delphi 7 SE
Platform : Windows X86
OS Version : XP and above
Packer / Protector : Enigma Protector 5.6

Description :

A little hard unpackme for doing a tutorial/tut.
Maybe it is hard because I did not give any registration info :)

 BR, Apuromafo

SS:


2017-03-14_003159.jpg.77d293dbd4d6c84ce34e6f5f1efbd470.jpg

I know that with all the hardcoded things it must not be impossible :)

Attached ide.dll, only for the unpacked one if really needed :) link
Desktop.7z

2 people like this


28 answers to this question

  • 1

Fix API method:

I don't know if I did it right, but Enigma sets the IAT to zero and changes jmp [455XXX] to jmp [4XXXXXXX].

So I hook the modification code like this:

Quote

<00E60200> // alloc some memory

mov edx,dword ptr ss:[ebp-10]
pushad
cmp edx, 465000 //edx should be 4XXXXXXX
jl @err
mov ebx, dword ptr ds:[eax]
cmp ebx, 455000 //ebx should be in IAT area
jl @err
cmp ebx, 457000
jg @err
mov ecx,dword ptr ds:[edx]
cmp ecx, 3FE00000 //ecx should be a win32 api address
jl @err
cmp ecx, 7FFFFFFF
jg @err
mov dword ptr ds:[ebx], ecx //lol, fix IAT
jmp @ret
@err:
mov dword ptr ds:[eax], edx
@ret:
popad
jmp 5AD4EC //Here we hook, 5AD4EC-5 to jmp

There are 3 Enigma APIs.

Like ramjane, I just return 1. I don't know how to fully fix the Enigma API; I wish someone could show the script code :D

Quote

mov eax, 1
retn

 

unprotectme_dump_SCY.7z

  • 1


Unpacked file attached.

Original filename is apuromafo_protected.exe. This string can be found in memory just around filename check, so no problem here.

Finding OEP in new Enigma 5.50-5.60 is very easy. Data structure can be found in Enigma VM section like:

<RVA of OEP>
<size of PE header>
0x400000 // always, even if imagebase is different O_o
<offset of second section>

Fixing regular API and VM API is the same as in previous versions. OEP is not virtualized.

I've also returned custom values from Enigma API and placed them in stack.

Feel free to ask questions.

apuromafo_protected_unpacked.zip

Edited by SHADOW_UA
5 people like this

  • 0

Hi @vonjack,

I used a different method to fix the IAT: redirect the IAT with the old pattern trick, then use my script to fix the VMed APIs, and then use the UIF Tool to move all APIs into one section.

Did you test your OEP finding method? Does it work on this target?

  • 0

Hi @ramjane,

Can you explain how to unpack Enigma without a valid key? (the old pattern does not work)

Also, Medium Unpackme Enigma 5.6 always detects my ollydbg.exe; how can I avoid it? (bad tool detection)

 

  • 0


@ramjane

 

Hi, I just use the new method to get to the VM OEP.

But for this unpackme, GIV's script won't work; it just logs:

Quote

push ebp
mov ebp, esp
add esp, -10

So I set a memory access breakpoint at 401000, run until it crashes, look at the log and find the "Guard Violation Address": that is the real OEP.

 

My new edition fixes the Enigma API manually. lol :D

I wish your excellent script would auto-fix the Enigma API.

Enigma API analysis:

4556F0 - 556AD4 - 578998 - 2C - EP_TrailExpirationDateEx
4556F4 - 5569AC - 57898C - 29 - EP_TrailDaysTotal
4556F8 - 55691C - 578980 - 26 - EP_TrialExecutionsTotal

 

enigma_api_fix.7z

无标题.png

Edited by vonjack

  • 0

Well, it's a little bit lucky because Apuromafo didn't remove the "Try" button.
Since the old HWID SIMPLE BYPASS by LCF-AT doesn't work, I just used this magic button xD

The steps I took to unpack this:
1. finding the PRE EXIT CHECKER to bypass some bad-boy messages from Enigma.
2. finding the OEP by using GetModuleHandle call references.
3. fixing the emulated API.
4. relocating the outside API (advanced force import protection).
5. fixing the Enigma API.
6. optimizing the file size.

ScreenShot:

Spoiler

en1.jpg

 

File Size: +- 390 KB


Salam.

unprotectme_dump_SCY_2_2.rar

  • 0
4 hours ago, vonjack said:

@ramjane

 

Hi, I just use the new method to get to the VM OEP.

But for this unpackme, GIV's script won't work; it just logs:

So I set a memory access breakpoint at 401000, run until it crashes, look at the log and find the "Guard Violation Address": that is the real OEP.

 

My new edition fixes the Enigma API manually. lol :D

I wish your excellent script would auto-fix the Enigma API.

Enigma API analysis:

4556F0 - 556AD4 - 578998 - 2C - EP_TrailExpirationDateEx
4556F4 - 5569AC - 57898C - 29 - EP_TrailDaysTotal
4556F8 - 55691C - 578980 - 26 - EP_TrialExecutionsTotal

 

enigma_api_fix.7z

无标题.png

Hi.

1. I have tested my script on XP only.

2. For the script to work you must run it from the OEP.

3. I did not test extensively, and on long and complicated Delphi OEPs it may miss some pointers.

 

  • 0

@GIV

Thank you for replying.

Sometimes the script crashes; I think it's a problem of ScyllaHide and Win7 x64 (memory breakpoint).

Olly1 on Win7 x64 often causes weird problems, as I have met.

Thanks again for your sophisticated OEP restoration script. The script works well on other unpackmes.

Maybe because the OEP of this unpackme is not VMed, the script just prints "push ebp; ......".

  • 0

Then why do you use the script if the OEP is not VM'ed?

  • 0
3 minutes ago, GIV said:

Then why do you use the script if the OEP is not VM'ed?

My script can run to

"call addr" [VM OEP] -> "jmp [vmcode]; retn" [VM JUMP]

Whether the unpackme's OEP is VM'ed or not, the script always runs to here. I don't know if it is VM'ed.

So I used your script to check if the OEP is VM'ed :D

  • 0

Just learn the basic OEP structure for Delphi, C++, VB6 etc.

  • 0

Hi, @SHADOW_UA

Can you tell more details about bypassing the triggers? Or make a tutorial video for unpacking this?

Even though I renamed the exe to apuromafo_protected, it still has many triggers, but I don't know how to bypass them.

  • 0
9 minutes ago, 阿皇仔 said:

Hi, @SHADOW_UA

Can you tell more details about bypassing the triggers? Or make a tutorial video for unpacking this?

Even though I renamed the exe to apuromafo_protected, it still has many triggers, but I don't know how to bypass them.

Please be more specific. For me, when I rename it to apuromafo_protected.exe the file runs perfectly (in case I "easy-bypass" the HWID dialog).

  • 0
24 minutes ago, SHADOW_UA said:

Please be more specific. For me, when I rename it to apuromafo_protected.exe the file runs perfectly (in case I "easy-bypass" the HWID dialog).

There are two situations: the first is exceeding 2 trial executions, and the second is the datetime check.

sshot-0013.png

  • 0
4 minutes ago, 阿皇仔 said:

There are two situations: the first is exceeding 2 trial executions, and the second is the datetime check.

sshot-0013.png

This dialog will never show up if you bypass registration with the easy-bypass method (without a key). Look in LCF-AT's script - you can find it in there. But there's one difference - starting from Enigma 5.50 that function is virtualized. So just have a bit of patience in tracing and you'll find it.

  • 0

Hi @SHADOW_UA

Could you add some more detail about your OEP finding pattern?

Actually I cannot find this:

<RVA of OEP>
<size of PE header>
0x400000 // always, even if imagebase is different O_o
<offset of second section>

I used a different method to reach the OEP, but it takes much time because it decrypts the whole code and then finds the OEP.

  • 0

@ramjane

I'm sharing my private script to reach the OEP on all 5.xx (and maybe 4.xx). First it tries to find the static OEP address in the Enigma VM section. If that fails, it tries to reach the OEP dynamically.

lc
log "Enigma 5.xx OEP Finder by PC-RET v 1.1 started"
bc
dbh

bphwc
gmi eip, MODULEBASE
MOV IMAGEBASE, $RESULT
//gmi eip, CODEBASE
//MOV CODEBASE, $RESULT
//gmi eip, CODESIZE
//MOV CODESIZE, $RESULT

pusha
mov eax, IMAGEBASE
mov edi, eax
add eax, 3C
mov eax, edi+[eax]
mov SECTIONS, [eax+06], 02
mov esi, eax+0F8
mov edi, 28
mov ebp, SECTIONS
mov ecx, edi
mul edi, 1 // second section
add edi, esi
sub edi, 28
mov CODEBASE, [edi+0C]
add CODEBASE, IMAGEBASE
mov CODESIZE, [edi+08]
popa

GPA "VirtualAlloc", "kernel32.dll" 
mov VirtualAlloc, $RESULT
GPA "VirtualProtect", "kernel32.dll" 
mov VirtualProtect, $RESULT
GPA "VirtualQuery", "kernel32.dll" 
mov VirtualQuery, $RESULT
bphws VirtualAlloc
run
rtr
esti
bphwc VirtualAlloc

gmemi eip, MEMORYBASE
mov ENIGMA_SECTION, $RESULT
mov startsearch, ENIGMA_SECTION
find startsearch, #8945F8EB0C8BCF8BD68B45FCE8????????F6C304740B8B55F88B45FC# // structure
cmp $RESULT, 0
je dynamic_find
static_find:
bp $RESULT
esto
gmemi esi, MEMORYBASE
mov startsearch, $RESULT
gmemi esi, MEMORYSIZE
mov searchend, $RESULT
add searchend, startsearch
alloc 100
mov eval_section, $RESULT
mov [eval_section], #609CB8AAAAAAAABBBBBBBBBBB9CCCCCCCCBADDDDDDDD3BC20F831F0000003918740D813800004000740583C004EBE73948100F840800000083C004EBD99D61908B70F803F39D6190#
mov [eval_section+3], startsearch
mov [eval_section+8], IMAGEBASE
mov [eval_section+D], CODESIZE
mov [eval_section+12], searchend
bp eval_section+3f
bp eval_section+45
bp eval_section+47
mov bakeip, eip
mov eip, eval_section
esto
cmp eip, eval_section+3f
je notfound_static
cmp eip, eval_section+45
je found_static
jmp error
found_static:
///////////////////////You can stop here and see OEP in ESI register///////////////////////
mov oep, esi
esto
mov eip, bakeip
bc
free eval_section
gmemi oep, MEMORYBASE
cmp $RESULT, 0
jne not_invalid_oep
eval "Invalid OEP found: {oep}. Now script will try another method."
msg $RESULT
jmp dynamic_find
not_invalid_oep:

mov oepbytes, [oep], 2
cmp oepbytes, 25ff
je risc_oep

cmp $RESULT, CODEBASE
je good_oep
eval "Some weird OEP found: {oep}. Do you want to continue or try using another method? \r\n\r\n\r\nContinue: NO\r\nAnother method: YES"
msgyn $RESULT
cmp $RESULT, 01
je dynamic_find
good_oep:
bphws oep
esto
msg "OEP found!"
bphwc
ret

risc_oep:
eval "It seems that OEP: {oep} is RISC-protected. Continuing in another mode."
msg $RESULT
jmp dynamic_find

notfound_static:
mov eip, bakeip
bc
free eval_section
dynamic_find:
bphws VirtualProtect
esto
bphwc VirtualProtect
bphws VirtualQuery
mov hits, 0
VirtualQueryloop:
esto
cmp [esp+4], IMAGEBASE
je checkhits
jmp VirtualQueryloop
checkhits:
inc hits
cmp hits, 2
jne VirtualQueryloop
bc
bphwc
bprm CODEBASE, CODESIZE
run
bpmc
msg "Possible OEP(near OEP) found."
ret
error:
msg "Fatal error occurred."
ret

 

8 people like this
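For readers trying to follow the pusha block and the injected search stub (the #609CB8...# bytes) in the script above, here is an added Python example; it is not SHADOW_UA's script and not part of the thread. It does the same two things on constructed data: parses the PE32 section table to get what the script calls CODEBASE and CODESIZE, and scans a constructed Enigma-section buffer for the OEP structure described earlier in the thread (<RVA of OEP> <size of PE header> 0x400000 <offset of second section> ... with the code size at +0x10 from the 0x400000 marker). The sample header, the section names, the 0x80 header offset, the zero filler dwords and the OEP RVA 0x53A1C are all made-up values.

```python
import struct

# Header offsets used by the OllyScript above (PE32, 32-bit image):
E_LFANEW = 0x3C       # DOS header: file offset of the "PE\0\0" signature
NUM_SECTIONS = 0x06   # from the signature: IMAGE_FILE_HEADER.NumberOfSections (WORD)
OPT_HDR_SIZE = 0x14   # from the signature: IMAGE_FILE_HEADER.SizeOfOptionalHeader (WORD)
SECTION_ENTRY = 0x28  # sizeof(IMAGE_SECTION_HEADER); VirtualSize at +0x08, VirtualAddress at +0x0C


def section_table(image):
    """Return [(name, virtual_size, virtual_rva), ...] from a raw PE32 image (file or memory)."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    pe = struct.unpack_from("<I", image, E_LFANEW)[0]
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec = struct.unpack_from("<H", image, pe + NUM_SECTIONS)[0]
    opt_size = struct.unpack_from("<H", image, pe + OPT_HDR_SIZE)[0]
    # The script hardcodes pe+0xF8 = 4 (signature) + 0x14 (file header) + 0xE0 (PE32 optional
    # header); reading SizeOfOptionalHeader instead also copes with non-standard header sizes.
    first = pe + 4 + 0x14 + opt_size
    sections = []
    for i in range(nsec):
        off = first + i * SECTION_ENTRY
        name = image[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr = struct.unpack_from("<II", image, off + 0x08)
        sections.append((name, vsize, vaddr))
    return sections


def code_section(image, imagebase, index=0):
    """CODEBASE/CODESIZE as the script computes them: VA and VirtualSize of section `index`.
    With "mov edi, 28 / mul edi, 1 / add edi, esi / sub edi, 28" the script lands on the
    first section header (index 0), whatever its comment says."""
    _, vsize, vaddr = section_table(image)[index]
    return imagebase + vaddr, vsize


def find_oep_structure(mem, imagebase, codesize):
    """Python version of the search stub the script injects: walk dword-aligned offsets of the
    Enigma section looking for IMAGEBASE or the constant 0x400000 whose dword at +0x10 equals
    the code section size; the OEP RVA is the dword 8 bytes before the hit."""
    for off in range(8, len(mem) - 0x14 + 1, 4):
        marker = struct.unpack_from("<I", mem, off)[0]
        if marker in (imagebase, 0x400000):
            if struct.unpack_from("<I", mem, off + 0x10)[0] == codesize:
                return imagebase + struct.unpack_from("<I", mem, off - 8)[0]
    return None


def build_sample_image():
    """Constructed PE32 header (not a real binary): 0xE0-byte optional header, three sections."""
    pe = 0x80
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, E_LFANEW, pe)
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe + 4, 0x14C)         # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", img, pe + NUM_SECTIONS, 3)
    struct.pack_into("<H", img, pe + OPT_HDR_SIZE, 0xE0)
    struct.pack_into("<H", img, pe + 0x18, 0x10B)      # optional header Magic = PE32
    layout = [(b"CODE", 0x54000, 0x1000), (b"DATA", 0x3000, 0x56000), (b".enigma1", 0x20000, 0x5A000)]
    for i, (name, vsize, vaddr) in enumerate(layout):
        off = pe + 0xF8 + i * SECTION_ENTRY
        img[off:off + 8] = name.ljust(8, b"\0")
        struct.pack_into("<II", img, off + 0x08, vsize, vaddr)
    return bytes(img)


def build_sample_enigma_section(oep_rva, codesize):
    """Constructed Enigma-section bytes holding the structure from the thread; the two dwords
    after <offset of second section> are unknown here and filled with zero placeholders."""
    blob = bytearray(b"\xCC" * 0x40)                   # filler that matches no marker
    struct.pack_into("<IIIIII", blob, 0x20, oep_rva, 0x400, 0x400000, 0x56000, 0, 0)
    struct.pack_into("<I", blob, 0x20 + 8 + 0x10, codesize)   # code size at +0x10 from the marker
    return bytes(blob)


if __name__ == "__main__":
    img = build_sample_image()
    base, size = code_section(img, 0x400000)
    print("CODEBASE=%08X CODESIZE=%X" % (base, size))
    print("OEP=%08X" % find_oep_structure(build_sample_enigma_section(0x53A1C, size), 0x400000, size))
```

Note that the real stub reads [eax-8] without checking that the marker is at least 8 bytes into the buffer, and stops only at searchend; the Python version bounds both ends of the scan so it cannot read outside the section it was given.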

  • 0

Are any special Olly settings or plugins needed for this script?

The program starts without waiting for the script to finish.

 

  • 0
7 minutes ago, evggrig said:

Are any special Olly settings or plugins needed for this script?

The program starts without waiting for the script to finish.

 

Send me the file in a PM and I'll look at what's wrong (there are no special requirements; the main thing is that the file runs under the debugger).

  • 0

Hi,

I use a different approach, but your method is quite different and fast. Thanks for sharing your script.

I also attached a video of my script.

Video.rar

  • 0
7 minutes ago, ramjane said:

Hi,

I use a different approach, but your method is quite different and fast. Thanks for sharing your script.

I also attached a video of my script.

Video.rar

For some reason, I cannot download your attachment.

  • 0
9 minutes ago, ramjane said:

Hi,

I use a different approach, but your method is quite different and fast. Thanks for sharing your script.

I also attached a video of my script.

Video.rar

Even I cannot download the attachment - says that the resource is not available anymore :(

  • 0

How about the other unpackme from Apuromafo (medium unpackme 5.6)?

It has an OEP virtualized by the old Enigma VM, and SHADOW_UA's new script can't reach the OEP.

Or maybe I am using the script wrong.

Another way to reach the OEP is using VirtualQuery and ResumeThread. This way can reach a non-virtualized OEP and an OEP virtualized by the RISC VM, but can't reach one virtualized by the old VM.

An OEP virtualized by the old VM looks like JMP <Enigma VM section> or PUSH value; JMP <Enigma VM section>, if I remember it right.

 

Salam.

