March 17, 20178 yr how about other unpackme from Apuromafo (medium unpackme 5.6)? it has virtualized OEP by old Enigma VM and SHADOW_UA new script can't reach OEP. or maybe I use the script wrong. other way to reach OEP is using VirtualQuery and ResumeThread. this way can reach non-virtualized OEP and virtualized OEP by RISC VM, but can't reach by old VM. the virtualized OEP by old VM command is like JMP <Enigma VM section> or PUSH value JMP <Enigma VM section> if I remember it right. Salam.
March 17, 20178 yr 1 hour ago, icarusdc said: how about other unpackme from Apuromafo (medium unpackme 5.6)? it has virtualized OEP by old Enigma VM and SHADOW_UA new script can't reach OEP. or maybe I use the script wrong. other way to reach OEP is using VirtualQuery and ResumeThread. this way can reach non-virtualized OEP and virtualized OEP by RISC VM, but can't reach by old VM. the virtualized OEP by old VM command is like JMP <Enigma VM section> or PUSH value JMP <Enigma VM section> if I remember it right. Salam. I use SHADOW_UA's new script for medium unpackme, it shows "It seems that OEP: 5AEBA4 is RISC-protected. Continuing in another mode." first, then I press OK. It found the near OEP, 406064. It uses GetModuleHandleA, the emulated OEP, use GIV's script to fix.
March 17, 20178 yr 3 hours ago, icarusdc said: how about other unpackme from Apuromafo (medium unpackme 5.6)? it has virtualized OEP by old Enigma VM and SHADOW_UA new script can't reach OEP. or maybe I use the script wrong. other way to reach OEP is using VirtualQuery and ResumeThread. this way can reach non-virtualized OEP and virtualized OEP by RISC VM, but can't reach by old VM. the virtualized OEP by old VM command is like JMP <Enigma VM section> or PUSH value JMP <Enigma VM section> if I remember it right. Salam. Hi @icarusdc Newer enigma does not use old method. Now It is direct push the VA 7FBD0000 and execute RET command. actually the method is same only the call which is made from codesection to VM is vanished in medium unpackme 5.6, so i guess enigma is virutalizing only call command from codesection. 006DF19F 5C POP ESP 006DF1A0 C3 RETN ; -------> This return is back to VM (OEP) PS : My english is not so good.
March 23, 20178 yr Solution Well, in this version only new enigma hardware id protection, function is virtualized by CISC, old pattern don't works. After trace, i founded block, where are register save value under cisc virtualization, patched it, and nag go down. 1) Finding CISC block for bypass hardwareid. 2) Hooks enigma api logger for restore api emulation. 3) Go to oep, by using static signature in stub. 4) Fixing vm imports, this is same older versions. 5) Reslocating all imports outside by UIF and dumping process and memory. 6) Attaching memory with imports, and fixing exe file. 7) Fixing Enigma API code, redirect under OEP, with patch. 8) Cleaning all trash from file, my file is 400 Kb of code. If you have some questions about unpacking enigma, cisc vm dumping and risc vm dumping, contact my by using: Jabber: julia.pcret@exploit.im Telegram: @julia_pcret (https://t.me/julia_pcret) P.S. Can you give risc virtualized target? unprotectme_dumped_fixed.exe
December 24, 20177 yr Please help me, how bypass message? I find PRE_CHECK_EXIT using method LCF-AT but not working
December 24, 20177 yr 5 hours ago, dangducluan said: Please help me, how bypass message? I find PRE_CHECK_EXIT using method LCF-AT but not working Enigma has changed something I guess
December 25, 20177 yr 7 hours ago, GautamGreat said: Enigma has changed something I guess I see your video you can bypass some bad boy message from Enigma. You can share address PRE_EXIT_CHECKER, I using method find PRE_EXIT_CHECKER but not stop
December 25, 20177 yr 7 hours ago, dangducluan said: I see your video you can bypass some bad boy message from Enigma. You can share address PRE_EXIT_CHECKER, I using method find PRE_EXIT_CHECKER but not stop All information about that patch is already posted on this forum. You have to do little research to find that values.
December 25, 20177 yr 3 hours ago, GautamGreat said: All information about that patch is already posted on this forum. You have to do little research to find that values. a few hints, please give me the links on the forum
Create an account or sign in to comment