Apuromafo

Little Hard Enigma 5.6

Question

Testing about 3 trial SDK

Difficulty : 4
Language : Delphi 7 SE
Platform : Windows X86
OS Version : XP and above
Packer / Protector : Enigma Protector 5.6

Description :

A little hard unpackme for doing a tutorial/tut.
Maybe it is hard because I did not give registration info :)

 BR, Apuromafo


I know that with all the hardcoded things it must not be impossible :)

Attached ide.dll only for the unpacked one, if really needed :) link:
Desktop.7z


28 answers to this question

1 hour ago, icarusdc said:

How about the other unpackme from Apuromafo (medium unpackme 5.6)?

It has an OEP virtualized by the old Enigma VM, and SHADOW_UA's new script can't reach the OEP.

Or maybe I am using the script wrong.

Another way to reach the OEP is using VirtualQuery and ResumeThread. This way can reach a non-virtualized OEP and an OEP virtualized by the RISC VM, but can't reach one virtualized by the old VM.

The OEP virtualized by the old VM command is like JMP <Enigma VM section> or PUSH value JMP <Enigma VM section>, if I remember it right.

 

Salam.

I used SHADOW_UA's new script on the medium unpackme; it first shows "It seems that OEP: 5AEBA4 is RISC-protected. Continuing in another mode.", then I press OK. It found the near OEP, 406064. It uses GetModuleHandleA, the emulated OEP; use GIV's script to fix it.

 

3 hours ago, icarusdc said:

How about the other unpackme from Apuromafo (medium unpackme 5.6)?

It has an OEP virtualized by the old Enigma VM, and SHADOW_UA's new script can't reach the OEP.

Or maybe I am using the script wrong.

Another way to reach the OEP is using VirtualQuery and ResumeThread. This way can reach a non-virtualized OEP and an OEP virtualized by the RISC VM, but can't reach one virtualized by the old VM.

The OEP virtualized by the old VM command is like JMP <Enigma VM section> or PUSH value JMP <Enigma VM section>, if I remember it right.

 

Salam.

Hi @icarusdc

Newer Enigma does not use the old method. Now it directly pushes the VA 7FBD0000 and executes a RET command. Actually the method is the same; only the call which is made from the code section to the VM has vanished in medium unpackme 5.6, so I guess Enigma is virtualizing only the call command from the code section.

006DF19F    5C              POP ESP
006DF1A0    C3              RETN                         ; -------> This return is back to VM (OEP)

PS: My English is not so good. :D


Well, in this version there is only the new Enigma hardware ID protection; the function is virtualized by CISC, and the old pattern doesn't work. After tracing, I found the block where a register saves the value under CISC virtualization, patched it, and the nag went down.

1) Finding the CISC block to bypass the hardware ID.
2) Hooking Enigma's API logger to restore API emulation.
3) Going to the OEP by using a static signature in the stub.
4) Fixing VM imports; this is the same as in older versions.
5) Relocating all imports outside with UIF and dumping the process and memory.
6) Attaching memory with imports and fixing the exe file.
7) Fixing the Enigma API code, redirecting under the OEP, with a patch.
8) Cleaning all trash from the file; my file is 400 KB of code.

If you have questions about unpacking Enigma, CISC VM dumping and RISC VM dumping, contact me using:
Jabber: julia.pcret@exploit.im
Telegram: @julia_pcret (https://t.me/julia_pcret)

P.S. Can you give a RISC-virtualized target?

unprotectme_dumped_fixed.exe

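As an added example, not code from any of the posters, from SHADOW_UA's or GIV's scripts, or from Enigma Protector itself: the replies above describe the code-to-VM transfer as either JMP <Enigma VM section> / PUSH value JMP <Enigma VM section> (old VM) or PUSH VA 7FBD0000 / RETN (medium unpackme 5.6), and the last post locates the OEP by a static signature in the stub. The Python below scans a raw memory dump for exactly those three instruction shapes and flags transfers whose target lies outside the mapped image, which is the cheap first filter for the VM section's entry before confirming in the debugger. The image base and size, the buffer address 6DF100 and the sample bytes are constructed assumptions for the example, not values taken from the unpackme.

```python
import struct

# Assumed image layout for the constructed sample (not from the thread):
# anything that transfers control outside [IMAGE_BASE, IMAGE_END) is a candidate
# jump into a separately mapped VM region such as 7FBD0000.
IMAGE_BASE = 0x00400000
IMAGE_END = 0x00700000       # assumed IMAGE_BASE + SizeOfImage
SAMPLE_VA = 0x006DF100       # assumed address the sample buffer is mapped at


def decode_transfer(data, va, off):
    """Decode, at buffer offset `off` (buffer mapped at virtual address `va`),
    one of the transfer shapes the thread describes:
      68 imm32 C3         PUSH imm32 ; RETN       -> returns into imm32
      68 imm32 E9 rel32   PUSH imm32 ; JMP rel32  -> jumps, with a pushed value
      E9 rel32            JMP rel32               -> plain jump
    Returns (kind, pushed, target, length) or None if no shape matches."""
    b = data[off]
    if b == 0x68 and off + 6 <= len(data):
        imm = struct.unpack_from("<I", data, off + 1)[0]
        nxt = off + 5
        if data[nxt] == 0xC3:
            return ("push/ret", imm, imm, 6)
        if data[nxt] == 0xE9 and nxt + 5 <= len(data):
            rel = struct.unpack_from("<i", data, nxt + 1)[0]
            target = (va + nxt + 5 + rel) & 0xFFFFFFFF   # rel32 is relative to the next instruction
            return ("push/jmp", imm, target, 10)
    if b == 0xE9 and off + 5 <= len(data):
        rel = struct.unpack_from("<i", data, off + 1)[0]
        target = (va + off + 5 + rel) & 0xFFFFFFFF
        return ("jmp", None, target, 5)
    return None


def scan_transfers(data, va, image_base=IMAGE_BASE, image_end=IMAGE_END):
    """Linear scan of `data` for the shapes above; each hit records where it sits,
    what it pushes, where control goes, and whether that target leaves the image."""
    hits = []
    off = 0
    while off < len(data):
        t = decode_transfer(data, va, off)
        if t is None:
            off += 1
            continue
        kind, pushed, target, length = t
        hits.append({
            "va": va + off,
            "kind": kind,
            "pushed": pushed,
            "target": target,
            "outside_image": not (image_base <= target < image_end),
        })
        off += length        # skip the matched instruction bytes, not just one byte
    return hits


def build_sample(va):
    """Constructed bytes for the demo. This is NOT a real Enigma stub; it only
    contains the three shapes with NOP padding so the scan is deterministic."""
    def jmp_rel32(at_va, target):
        return b"\xE9" + struct.pack("<i", target - (at_va + 5))

    buf = bytearray(b"\x90" * 16)
    # PUSH 7FBD0000 ; RETN  (shape from the second reply)
    buf += b"\x68" + struct.pack("<I", 0x7FBD0000) + b"\xC3"
    buf += b"\x90" * 10
    # PUSH 00406064 ; JMP <outside image>  (old-VM shape from icarusdc)
    buf += b"\x68" + struct.pack("<I", 0x00406064)
    buf += jmp_rel32(va + len(buf), 0x7FBD1000)
    buf += b"\x90" * 6
    # JMP to an in-image address: decoded, but should not be flagged
    buf += jmp_rel32(va + len(buf), 0x00401000)
    buf += b"\x90" * 8
    return bytes(buf)


def vm_entry_candidates(data, va):
    """Only the transfers that leave the image: the ones worth a breakpoint."""
    return [h for h in scan_transfers(data, va) if h["outside_image"]]


if __name__ == "__main__":
    sample = build_sample(SAMPLE_VA)
    for h in scan_transfers(sample, SAMPLE_VA):
        pushed = "" if h["pushed"] is None else f" push={h['pushed']:08X}"
        flag = "  <-- leaves image" if h["outside_image"] else ""
        print(f"{h['va']:08X}  {h['kind']:<8}{pushed} -> {h['target']:08X}{flag}")
```

Run it as is to see the three decoded transfers, or replace build_sample with the bytes read from a dumped section and set SAMPLE_VA to that section's address. Because the scan is a byte-pattern match rather than a real disassembly, a 68 or E9 byte inside an operand of an unrelated instruction can produce a false hit; treat the candidates as breakpoints to confirm in the debugger, not as the answer.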
