Little Hard Enigma 5.6

Apuromafo

Testing about 3 trial SDK.

Difficulty : 4
Language : Delphi 7 SE
Platform : Windows X86
OS Version : XP and above
Packer / Protector : Enigma Protector 5.6

Description :

Little hard unpackme to do a tutorial/tut.
Maybe it is hard because I did not give registration info :)

BR, Apuromafo

SS: 2017-03-14_003159.jpg

I know that with all the hardcoded things it must not be impossible :)

Attached ide.dll, only for the unpacked file if really needed :) link: Desktop.7z

FeliXW

Well, in this version there is only the new Enigma hardware ID protection; the function is virtualized by CISC, so the old pattern doesn't work. After tracing, I found the block where the register value is saved under CISC virtualization, patched it, and the nag went down.

1) Finding the CISC block to bypass the hardware ID.
2) Hooking the Enigma API logger to restore API emulation.
3) Going to the OEP by using a static signature in the stub.
4) Fixing VM imports; this is the same as in older versions.
5) Relocating all imports outside with UIF and dumping the process and memory.
6) Attaching memory with imports and fixing the exe file.
7) Fixing Enigma API code, redirected under the OEP, with a patch.
8) Cleaning all trash from the file; my file is 400 KB of code.

If you have any questions about unpacking Enigma, CISC VM dumping and RISC VM dumping, contact me by using:
Jabber: julia.pcret@exploit.im
Telegram: @julia_pcret (https://t.me/julia_pcret)

P.S. Can you give a RISC-virtualized target?

unprotectme_dumped_fixed.exe

SHADOW_UA

Unpacked file attached.

The original filename is apuromafo_protected.exe. This string can be found in memory right around the filename check, so no problem here.

Finding the OEP in new Enigma 5.50-5.60 is very easy. A data structure can be found in the Enigma VM section like:

<RVA of OEP>
<size of PE header>
0x400000 // always, even if imagebase is different O_o
<offset of second section>

Fixing regular API and VM API is the same as in previous versions. The OEP is not virtualized.

I've also returned custom values from the Enigma API and placed them on the stack.

Feel free to ask questions.

apuromafo_protected_unpacked.zip

vonjack

Fix API method:

I don't know if I'm doing it right, but Enigma sets the IAT to zero and changes jmp [455XXX] to jmp [4XXXXXXX].

So I hook the modification code like this:

<00E60200> // alloc some memory

mov edx,dword ptr ss:[ebp-10]
pushad
cmp edx, 465000 //edx should be 4XXXXXXX
jl @err
mov ebx, dword ptr ds:[eax]
cmp ebx, 455000 //ebx should be in IAT area
jl @err
cmp ebx, 457000
jg @err
mov ecx,dword ptr ds:[edx]
cmp ecx, 3FE00000 //ecx should be a win32 api address
jl @err
cmp ecx, 7FFFFFFF
jg @err
mov dword ptr ds:[ebx], ecx //lol, fix IAT
jmp @ret
@err:
mov dword ptr ds:[eax], edx
@ret:
popad
jmp 5AD4EC //Here we hook, 5AD4EC-5 to jmp

There are 3 Enigma APIs.

Like ramjane, I just return 1. I don't know how to fully fix the Enigma API; I wish someone could show the script code :D

mov eax, 1
retn

 

unprotectme_dump_SCY.7z

SHADOW_UA

@ramjane

I'm sharing my private script to reach the OEP on all 5.xx (and maybe 4.xx). First it tries to find the static OEP address in the Enigma VM section. If that fails, it tries to reach the OEP dynamically.

lc
log "Enigma 5.xx OEP Finder by PC-RET v 1.1 started"
bc
dbh

bphwc
gmi eip, MODULEBASE
MOV IMAGEBASE, $RESULT
//gmi eip, CODEBASE
//MOV CODEBASE, $RESULT
//gmi eip, CODESIZE
//MOV CODESIZE, $RESULT

pusha
mov eax, IMAGEBASE
mov edi, eax
add eax, 3C
mov eax, edi+[eax]
mov SECTIONS, [eax+06], 02
mov esi, eax+0F8
mov edi, 28
mov ebp, SECTIONS
mov ecx, edi
mul edi, 1 // second section
add edi, esi
sub edi, 28
mov CODEBASE, [edi+0C]
add CODEBASE, IMAGEBASE
mov CODESIZE, [edi+08]
popa

GPA "VirtualAlloc", "kernel32.dll" 
mov VirtualAlloc, $RESULT
GPA "VirtualProtect", "kernel32.dll" 
mov VirtualProtect, $RESULT
GPA "VirtualQuery", "kernel32.dll" 
mov VirtualQuery, $RESULT
bphws VirtualAlloc
run
rtr
esti
bphwc VirtualAlloc

gmemi eip, MEMORYBASE
mov ENIGMA_SECTION, $RESULT
mov startsearch, ENIGMA_SECTION
find startsearch, #8945F8EB0C8BCF8BD68B45FCE8????????F6C304740B8B55F88B45FC# // structure
cmp $RESULT, 0
je dynamic_find
static_find:
bp $RESULT
esto
gmemi esi, MEMORYBASE
mov startsearch, $RESULT
gmemi esi, MEMORYSIZE
mov searchend, $RESULT
add searchend, startsearch
alloc 100
mov eval_section, $RESULT
mov [eval_section], #609CB8AAAAAAAABBBBBBBBBBB9CCCCCCCCBADDDDDDDD3BC20F831F0000003918740D813800004000740583C004EBE73948100F840800000083C004EBD99D61908B70F803F39D6190#
mov [eval_section+3], startsearch
mov [eval_section+8], IMAGEBASE
mov [eval_section+D], CODESIZE
mov [eval_section+12], searchend
bp eval_section+3f
bp eval_section+45
bp eval_section+47
mov bakeip, eip
mov eip, eval_section
esto
cmp eip, eval_section+3f
je notfound_static
cmp eip, eval_section+45
je found_static
jmp error
found_static:
///////////////////////You can stop here and see OEP in ESI register///////////////////////
mov oep, esi
esto
mov eip, bakeip
bc
free eval_section
gmemi oep, MEMORYBASE
cmp $RESULT, 0
jne not_invalid_oep
eval "Invalid OEP found: {oep}. Now script will try another method."
msg $RESULT
jmp dynamic_find
not_invalid_oep:

mov oepbytes, [oep], 2
cmp oepbytes, 25ff
je risc_oep

cmp $RESULT, CODEBASE
je good_oep
eval "Some weird OEP found: {oep}. Do you want to continue or try using another method? \r\n\r\n\r\nContinue: NO\r\nAnother method: YES"
msgyn $RESULT
cmp $RESULT, 01
je dynamic_find
good_oep:
bphws oep
esto
msg "OEP found!"
bphwc
ret

risc_oep:
eval "It seems that OEP: {oep} is RISC-protected. Continuing in another mode."
msg $RESULT
jmp dynamic_find

notfound_static:
mov eip, bakeip
bc
free eval_section
dynamic_find:
bphws VirtualProtect
esto
bphwc VirtualProtect
bphws VirtualQuery
mov hits, 0
VirtualQueryloop:
esto
cmp [esp+4], IMAGEBASE
je checkhits
jmp VirtualQueryloop
checkhits:
inc hits
cmp hits, 2
jne VirtualQueryloop
bc
bphwc
bprm CODEBASE, CODESIZE
run
bpmc
msg "Possible OEP(near OEP) found."
ret
error:
msg "Fatal error occurred."
ret

GautamGreat

Hi,

I use a different approach, but your method is quite different and fast. Thanks for sharing your script.

I also attached a video of my script.

Video.rar

GautamGreat

Hi @vonjack,

I used a different method to fix the IAT. Redirect the IAT with the old pattern trick, then use my script to fix the VMed APIs, then use the UIF tool to move all APIs into one section.

Did you test your OEP finding method? Does it work on this target?

阿皇仔

Hi @ramjane,

Can you explain how to unpack Enigma without a valid key? (the old pattern doesn't work)

Also, Medium Unpackme Enigma 5.6 always detects my ollydbg.exe; how can I avoid it? (bad tool detection)

vonjack

@ramjane

 

Hi, I just use the new method to get to the VM OEP.

But for this unpackme, GIV's script won't work; it just logs:


push ebp
mov ebp, esp
add esp, -10

So I set a memory access breakpoint on 401000, run, and it crashes; see the log, find "Guard Violation Address", and here is the real OEP.

 

My new edition fixed the Enigma API manually. lol :D

I wish you an excellent script to auto-fix the Enigma API.

Enigma API analysis:

4556F0 - 556AD4 - 578998 - 2C - EP_TrialExpirationDateEx
4556F4 - 5569AC - 57898C - 29 - EP_TrialDaysTotal
4556F8 - 55691C - 578980 - 26 - EP_TrialExecutionsTotal

 

enigma_api_fix.7z

icarusdc

Well, it's a little bit lucky because Apuromafo didn't remove the "Try" button.
Since the old HWID SIMPLE BYPASS by LCF-AT doesn't work, I just use this magic button xD

The steps I took to unpack this:
1. Finding the PRE EXIT CHECKER to bypass some bad-boy messages from Enigma.
2. Finding the OEP by using GetModuleHandle call references.
3. Fixing emulated APIs.
4. Relocating outside APIs (Advanced force import protection).
5. Fixing Enigma API.
6. Optimizing file size.

Screenshot: en1.jpg

 

File Size: +- 390 KB


Salam.

unprotectme_dump_SCY_2_2.rar

GIV
4 hours ago, vonjack said:


Hi.

1. I have tested my script on XP only.

2. For the script to work you must run it from the OEP.

3. I did not test extensively, and on long and complicated Delphi OEPs it may miss some pointers.

vonjack

@GIV

Thank you for replying.

Sometimes the script crashes; I think it's a problem of ScyllaHide and Win7 x64 (memory breakpoint).

Olly1 on Win7 x64 often causes weird problems, as I've met.

Thanks again for your sophisticated OEP restoration script. The script works well on other unpackmes.

Maybe because the OEP of this unpackme is not VMed, the script just prints "push ebp; ......".

GIV

Then why do you use the script if the OEP is not VM'ed?

vonjack
3 minutes ago, GIV said:

Then why do you use the script if the OEP is not VM'ed?

My script can run to

"call addr" [VM OEP] -> "jmp [vmcode]; retn" [VM JUMP]

No matter whether the unpackme's OEP is VM'ed or not, the script always runs to here. I don't know if it is VM'ed.

So I used your script to check whether the OEP is VM'ed :D

GIV

Just learn basic OEP structure for Delphi, C++, VB6 etc.

阿皇仔

Hi, @SHADOW_UA

Can you tell more details about bypassing the triggers? Or make a tutorial video for unpacking this?

Even though I renamed the exe to apuromafo_protected, it still has many triggers, but I don't know how to bypass them.

SHADOW_UA
9 minutes ago, 阿皇仔 said:

Hi, @SHADOW_UA

Can you tell more details about bypassing the triggers? Or make a tutorial video for unpacking this?

Even though I renamed the exe to apuromafo_protected, it still has many triggers, but I don't know how to bypass them.

Please be more specific. For me, when I rename it to apuromafo_protected.exe the file runs perfectly (in case I "easy-bypass" the HWID dialog).

阿皇仔
24 minutes ago, SHADOW_UA said:

Please be more specific. For me, when I rename it to apuromafo_protected.exe the file runs perfectly (in case I "easy-bypass" the HWID dialog).

There are two situations: the first is exceeding 2 trial executions, and the second is the datetime check.

sshot-0013.png

SHADOW_UA
4 minutes ago, 阿皇仔 said:

There are two situations: the first is exceeding 2 trial executions, and the second is the datetime check.

sshot-0013.png

This dialog will never show up if you bypass registration with the easy-bypass method (without a key). Look in LCF-AT's script; you can find it in there. But there's one difference: starting from Enigma 5.50 that function is virtualized. So just have a bit of patience in tracing and you'll find it.

GautamGreat

Hi @SHADOW_UA

Could you add some more detail about your OEP finding pattern?

Actually I cannot find this:

<RVA of OEP>
<size of PE header>
0x400000 // always, even if imagebase is different O_o
<offset of second section>

I used a different method to reach the OEP, but it takes much time because it decrypts the whole code and then finds the OEP.

evggrig

Are any special Olly or plugin settings needed for this script?

The program starts without waiting for the script to finish.

SHADOW_UA
7 minutes ago, evggrig said:

Are any special Olly or plugin settings needed for this script?

The program starts without waiting for the script to finish.

Send me the file in a PM and I'll look at what's wrong (there are no special requirements; the main thing is that the file runs under the debugger).

SHADOW_UA
7 minutes ago, ramjane said:

Hi,

I use a different approach, but your method is quite different and fast. Thanks for sharing your script.

I also attached a video of my script.

Video.rar

For some reason, I cannot download your attachment.

Techlord
9 minutes ago, ramjane said:

Hi,

I use a different approach, but your method is quite different and fast. Thanks for sharing your script.

I also attached a video of my script.

Video.rar

Even I cannot download the attachment; it says that the resource is not available anymore :(
