Featured Replies

How about the other unpackme from Apuromafo (medium unpackme 5.6)?

It has an OEP virtualized by the old Enigma VM, and SHADOW_UA's new script can't reach the OEP.

Or maybe I am using the script wrong.

The other way to reach the OEP is using VirtualQuery and ResumeThread. This way can reach a non-virtualized OEP and an OEP virtualized by the RISC VM, but it can't reach one virtualized by the old VM.

The code at an OEP virtualized by the old VM looks like JMP <Enigma VM section> or PUSH value; JMP <Enigma VM section>, if I remember right.


Salam.

1 hour ago, icarusdc said:

How about the other unpackme from Apuromafo (medium unpackme 5.6)?

It has an OEP virtualized by the old Enigma VM, and SHADOW_UA's new script can't reach the OEP.

Or maybe I am using the script wrong.

The other way to reach the OEP is using VirtualQuery and ResumeThread. This way can reach a non-virtualized OEP and an OEP virtualized by the RISC VM, but it can't reach one virtualized by the old VM.

The code at an OEP virtualized by the old VM looks like JMP <Enigma VM section> or PUSH value; JMP <Enigma VM section>, if I remember right.


Salam.

I use SHADOW_UA's new script for the medium unpackme. It first shows "It seems that OEP: 5AEBA4 is RISC-protected. Continuing in another mode.", then I press OK. It finds the near OEP, 406064. It uses GetModuleHandleA, the emulated OEP; use GIV's script to fix it.


3 hours ago, icarusdc said:

How about the other unpackme from Apuromafo (medium unpackme 5.6)?

It has an OEP virtualized by the old Enigma VM, and SHADOW_UA's new script can't reach the OEP.

Or maybe I am using the script wrong.

The other way to reach the OEP is using VirtualQuery and ResumeThread. This way can reach a non-virtualized OEP and an OEP virtualized by the RISC VM, but it can't reach one virtualized by the old VM.

The code at an OEP virtualized by the old VM looks like JMP <Enigma VM section> or PUSH value; JMP <Enigma VM section>, if I remember right.


Salam.

Hi @icarusdc

Newer Enigma does not use the old method. Now it directly pushes the VA 7FBD0000 and executes a RET command. Actually the method is the same; only the call made from the code section into the VM has vanished in medium unpackme 5.6, so I guess Enigma is virtualizing only the call command from the code section.

006DF19F    5C              POP ESP
006DF1A0    C3              RETN                         ; -------> This return is back to VM (OEP)

PS: My English is not so good. :D

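To make the two VM entry patterns discussed in this thread concrete (the old PUSH value; JMP <VM section> form and the newer PUSH VA; RET form), here is an added Python snippet, not code from the thread or from Enigma, that decodes such a transfer from raw x86-32 bytes and reports its effective target. The byte sequences, the load address 0x00401000 and the VM section range are constructed for the demo.

```python
import struct

# Constructed sample byte sequences (hypothetical, not bytes from the unpackme);
# each is the tail of code-section code just before control enters the VM.
SAMPLES = {
    # push 0x7FBD0000 ; ret        -> the "push VA, RET" form described for newer Enigma
    "push_ret": bytes.fromhex("680000BD7FC3"),
    # jmp rel32                    -> plain JMP <VM section>
    "jmp": bytes.fromhex("E9FB0F2E00"),
    # push 0x12345678 ; jmp rel32  -> PUSH value ; JMP <VM section>
    "push_jmp": bytes.fromhex("6878563412E900001000"),
}

def decode_transfer(code: bytes, va: int):
    """Decode an x86-32 'push imm32 ; ret', 'jmp rel32' or 'push imm32 ; jmp rel32'
    sequence located at virtual address `va`.
    Returns (kind, pushed_value, effective_target); fields are None when absent."""
    pos = 0
    pushed = None
    if len(code) >= 5 and code[0] == 0x68:                # push imm32
        pushed = struct.unpack_from("<I", code, 1)[0]
        pos = 5
    if pos < len(code) and code[pos] == 0xC3:             # ret
        # RET pops the return address: after a PUSH this is a disguised JMP to the pushed VA
        return ("push_ret", pushed, pushed) if pushed is not None else ("ret", None, None)
    if pos + 5 <= len(code) and code[pos] == 0xE9:        # jmp rel32
        rel = struct.unpack_from("<i", code, pos + 1)[0]
        target = (va + pos + 5 + rel) & 0xFFFFFFFF        # relative to the next instruction
        return ("push_jmp" if pushed is not None else "jmp", pushed, target)
    return ("unknown", pushed, None)

def enters_region(target, region):
    """True when the effective transfer target lies in [start, end) of a section."""
    if target is None:
        return False
    start, end = region
    return start <= target < end

def report(va, vm_section):
    """Classify each constructed sample against an assumed VM section range."""
    out = {}
    for name, code in SAMPLES.items():
        kind, pushed, target = decode_transfer(code, va)
        out[name] = (kind, target, enters_region(target, vm_section))
    return out

if __name__ == "__main__":
    # Assumed VM section range for the demo (hypothetical placement, not the real one)
    for name, (kind, target, hit) in report(0x00401000, (0x7FBD0000, 0x7FC00000)).items():
        tgt = f"{target:#010x}" if target is not None else "n/a"
        print(f"{name:9s} {kind:9s} target={tgt} enters_vm={hit}")
```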

  • Solution

Well, in this version only the new Enigma hardware ID protection function is virtualized by CISC, so the old pattern doesn't work. After tracing, I found the block where the register value is saved under CISC virtualization, patched it, and the nag goes away.

1) Finding the CISC block to bypass the hardware ID.
2) Hooking the Enigma API logger to restore API emulation.
3) Going to the OEP by using a static signature in the stub.
4) Fixing VM imports; this is the same as in older versions.
5) Relocating all imports outside with UIF, and dumping the process and memory.
6) Attaching the memory with imports, and fixing the exe file.
7) Fixing the Enigma API code, redirecting under the OEP with a patch.
8) Cleaning all trash from the file; my file is 400 Kb of code.

If you have any questions about unpacking Enigma, CISC VM dumping and RISC VM dumping, contact me using:
Jabber: julia.pcret@exploit.im
Telegram: @julia_pcret (https://t.me/julia_pcret)

P.S. Can you give me a RISC-virtualized target?

unprotectme_dumped_fixed.exe

  • 9 months later...

Please help me, how do I bypass the message? I found PRE_CHECK_EXIT using LCF-AT's method, but it is not working.


5 hours ago, dangducluan said:

Please help me, how do I bypass the message? I found PRE_CHECK_EXIT using LCF-AT's method, but it is not working.


Enigma has changed something, I guess.

7 hours ago, GautamGreat said:

Enigma has changed something, I guess.

I saw your video where you bypass some bad boy message from Enigma. Can you share the address of PRE_EXIT_CHECKER? I am using the method to find PRE_EXIT_CHECKER, but it does not stop.

7 hours ago, dangducluan said:

I saw your video where you bypass some bad boy message from Enigma. Can you share the address of PRE_EXIT_CHECKER? I am using the method to find PRE_EXIT_CHECKER, but it does not stop.

All information about that patch is already posted on this forum. You have to do a little research to find those values.

3 hours ago, GautamGreat said:

All information about that patch is already posted on this forum. You have to do a little research to find those values.

A few hints, please; give me the links on the forum :(
