Jump to content
Tuts 4 You
Sign in to follow this  
Apuromafo

Little Hard Enigma 5.6

Recommended Posts

icarusdc

how about other unpackme from Apuromafo (medium unpackme 5.6)?

it has virtualized OEP by old Enigma VM and SHADOW_UA new script can't reach OEP.

or maybe I use the script wrong.

other way to reach OEP is using VirtualQuery and ResumeThread. this way can reach non-virtualized OEP and virtualized OEP by RISC VM, but can't reach by old VM.

the virtualized OEP by old VM command is like JMP <Enigma VM section> or PUSH value JMP <Enigma VM section> if I remember it right.

 

Salam.

Share this post


Link to post
vonjack
1 hour ago, icarusdc said:

how about other unpackme from Apuromafo (medium unpackme 5.6)?

it has virtualized OEP by old Enigma VM and SHADOW_UA new script can't reach OEP.

or maybe I use the script wrong.

other way to reach OEP is using VirtualQuery and ResumeThread. this way can reach non-virtualized OEP and virtualized OEP by RISC VM, but can't reach by old VM.

the virtualized OEP by old VM command is like JMP <Enigma VM section> or PUSH value JMP <Enigma VM section> if I remember it right.

 

Salam.

I use SHADOW_UA's new script for medium unpackme, it shows "It seems that OEP: 5AEBA4 is RISC-protected. Continuing in another mode." first, then I press OK. It found the near OEP, 406064. It uses GetModuleHandleA, the emulated OEP, use GIV's script to fix.

 

Share this post


Link to post
GautamGreat
3 hours ago, icarusdc said:

how about other unpackme from Apuromafo (medium unpackme 5.6)?

it has virtualized OEP by old Enigma VM and SHADOW_UA new script can't reach OEP.

or maybe I use the script wrong.

other way to reach OEP is using VirtualQuery and ResumeThread. this way can reach non-virtualized OEP and virtualized OEP by RISC VM, but can't reach by old VM.

the virtualized OEP by old VM command is like JMP <Enigma VM section> or PUSH value JMP <Enigma VM section> if I remember it right.

 

Salam.

Hi @icarusdc

Newer enigma does not use old method. Now It is direct push the VA 7FBD0000 and execute RET command. actually the method is same only the call which is made from codesection to VM is vanished in medium unpackme 5.6, so i guess enigma is virutalizing only call command from codesection.

006DF19F    5C              POP ESP
006DF1A0    C3              RETN                         ; -------> This return is back to VM (OEP)

PS : My english is not so good. :D 

Capture.JPG

Share this post


Link to post
FeliXW

Well, in this version only new enigma hardware id protection, function is virtualized by CISC, old pattern don't works. After trace, i founded block, where are register save value under cisc virtualization, patched it, and nag go down.

1) Finding CISC block for bypass hardwareid.
2) Hooks enigma api logger for restore api emulation.
3) Go to oep, by using static signature in stub.
4) Fixing vm imports, this is same older versions.
5) Reslocating all imports outside by UIF and dumping process and memory.
6) Attaching memory with imports, and fixing exe file.
7) Fixing Enigma API code, redirect under OEP, with patch.
8) Cleaning all trash from file, my file is 400 Kb of code.

If you have some questions about unpacking enigma, cisc vm dumping and risc vm dumping, contact my by using:
Jabber: julia.pcret@exploit.im
Telegram: @julia_pcret (https://t.me/julia_pcret)

P.S. Can you give risc virtualized target?

unprotectme_dumped_fixed.exe

  • Like 1

Share this post


Link to post
dangducluan

Please help me, how bypass message? I find PRE_CHECK_EXIT using method LCF-AT but not working

 

Share this post


Link to post
GautamGreat
5 hours ago, dangducluan said:

Please help me, how bypass message? I find PRE_CHECK_EXIT using method LCF-AT but not working

 

Enigma has changed something I guess

Share this post


Link to post
dangducluan
7 hours ago, GautamGreat said:

Enigma has changed something I guess

I see your video you can bypass some bad boy message from Enigma. You can share address PRE_EXIT_CHECKER, I using method find PRE_EXIT_CHECKER but not stop

Share this post


Link to post
GautamGreat
7 hours ago, dangducluan said:

I see your video you can bypass some bad boy message from Enigma. You can share address PRE_EXIT_CHECKER, I using method find PRE_EXIT_CHECKER but not stop

All information about that patch is already posted on this forum. You have to do little research to find that values.

Share this post


Link to post
dangducluan
3 hours ago, GautamGreat said:

All information about that patch is already posted on this forum. You have to do little research to find that values.

a few hints, please give me the links on the forum :(

Share this post


Link to post

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
×
×
  • Create New...