icarusdc, posted March 17, 2017

How about the other unpackme from Apuromafo (medium unpackme 5.6)? It has a virtualized OEP by the old Enigma VM, and SHADOW_UA's new script can't reach the OEP. Or maybe I use the script wrong. Another way to reach the OEP is using VirtualQuery and ResumeThread. This way can reach a non-virtualized OEP and an OEP virtualized by the RISC VM, but can't reach one virtualized by the old VM. The virtualized OEP by the old VM command is like JMP <Enigma VM section>, or PUSH value / JMP <Enigma VM section>, if I remember it right. Salam.
vonjack, posted March 17, 2017 (replying to icarusdc, 1 hour earlier)

I use SHADOW_UA's new script for the medium unpackme. It shows "It seems that OEP: 5AEBA4 is RISC-protected. Continuing in another mode." first, then I press OK. It found the near OEP, 406064. It uses GetModuleHandleA, the emulated OEP; use GIV's script to fix.
GautamGreat, posted March 17, 2017 (replying to icarusdc, 3 hours earlier)

Hi @icarusdc. Newer Enigma does not use the old method. Now it directly pushes the VA 7FBD0000 and executes a RET command. Actually the method is the same; only the call which is made from the code section to the VM has vanished in medium unpackme 5.6, so I guess Enigma is virtualizing only the CALL command from the code section.

006DF19F 5C POP ESP
006DF1A0 C3 RETN ; -------> This return is back to VM (OEP)

PS: My English is not so good.
FeliXW, posted March 23, 2017 (marked as solution)

Well, in this version there is only the new Enigma hardware ID protection; the function is virtualized by CISC, and the old pattern doesn't work. After tracing, I found the block where the register value is saved under CISC virtualization, patched it, and the nag went away.

1) Finding the CISC block for bypassing the hardware ID.
2) Hooking the Enigma API logger to restore the API emulation.
3) Going to the OEP by using a static signature in the stub.
4) Fixing VM imports; this is the same as in older versions.
5) Relocating all imports outside by UIF and dumping the process and memory.
6) Attaching memory with imports, and fixing the exe file.
7) Fixing the Enigma API code, redirecting under the OEP, with a patch.
8) Cleaning all trash from the file; my file is 400 KB of code.

If you have some questions about unpacking Enigma, CISC VM dumping and RISC VM dumping, contact me using:
Jabber: julia.pcret@exploit.im
Telegram: @julia_pcret (https://t.me/julia_pcret)

P.S. Can you give a RISC-virtualized target?

Attachment: unprotectme_dumped_fixed.exe
2lht_love, posted December 24, 2017

Please help me: how to bypass the message? I found PRE_CHECK_EXIT using LCF-AT's method, but it is not working.
GautamGreat, posted December 24, 2017 (replying to dangducluan, 5 hours earlier)

Enigma has changed something, I guess.
2lht_love, posted December 25, 2017 (replying to GautamGreat, 7 hours earlier)

I saw your video; you can bypass some bad-boy messages from Enigma. Can you share the address of PRE_EXIT_CHECKER? I am using the method to find PRE_EXIT_CHECKER, but it does not stop.
GautamGreat, posted December 25, 2017 (replying to dangducluan, 7 hours earlier)

All information about that patch is already posted on this forum. You have to do a little research to find those values.
2lht_love, posted December 25, 2017 (replying to GautamGreat, 3 hours earlier)

A few hints, please; give me the links on the forum.