Tuts 4 You

The Enigma Protector v6.9



Sean Park - Lovejoy
Posted

GIV, doesn't your main form have any GUI components or text? I popped open your protected app in an easy way. See below.

[Image: Untitled.png]

  • Like 1
  • 3 months later...
CodeExplorer
Posted (edited)

Very interesting protection here.
bp breakpoints are detected; any change to enigma code section is detected.
The serial check is sometimes this:
0185E1F4    C2 0800         RETN 0x8 ; here eax should be 1, not 0
0185E1F7    68 22FBE3BB     PUSH 0xBBE3FB22
0185E1FC  ^ E9 33C8CFFE     JMP Enigma_6.0055AA34
I don't know what is going on.
 

Edited by CodeExplorer
  • Like 1
Posted
1 hour ago, CodeExplorer said:

bp breakpoints are detected; any change to enigma code section is detected.

What anti-dbg plugins are you using? What dbg engine?

  • 1 month later...
Posted (edited)
On 7/20/2021 at 4:48 PM, GIV said:

Enigma Protector v6.9


I have protected a simple file with the Enigma Protector 6.9. Try to unpack.

For a skilled reverser will not be as hard as it seems.

HWID: A7707-65A71-43529-A59E1-41C2F-C5AA0-EB308-3F774
Name: tuts4you
Key: BG8QC4UMZW3QMTH99U6ZTF8FJJNDAPKY5E2XNL3CMHRVUMLSB2QWRBSYBGF4RNHX7WC26W2GQMNBNPUU3YUTDXDS387A2UURMUVJ88P5PPC9ZCEQHFHW4J6ZQRAK7GW6DRK4QH4CGCEQM7F9K39J89S4CRARX3L3LPABBXU23M8QXP6A85L2CZFJZF66KF5NFTZ557872DA3

 


 

Unpacked with high size on adding VM with Enigma section.

For the question all info is on this board thanks.

Enigma 6.9 - protected.rar

Edited by TRISTAN Pro
Posted (edited)
11 hours ago, kuazi GA said:

VFP9RENU.DLL

vfp9r.dll---What is it for?

Dll extract in the exe.

Edited by TRISTAN Pro
Response
Posted (edited)
On 10/2/2023 at 7:36 PM, CodeExplorer said:

@jackyjask I use SHADOW_FOR_ENIGMA olly debugger: https://workupload.com/file/YpxC9XhHEze

It's permanent encryption, but I don't know how to patch HWID perfectly. The Chinese have a tutorial for this, but it's no longer available... They also have a script and a patching tool for the new version, but won't share them here.

Edited by azufo
  • Like 1
Posted

[Image: 2023_11.10-06_09_27.png]

 

PS  "Do not modify the machine code at the virtual machine entry point as it will trigger the CRC check."🙂

  • Thanks 1
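
Why a software breakpoint or any byte patch trips a code-section checksum, as an added example that is not part of the thread and is not Enigma's actual routine: it assumes a plain CRC-32 over the region, and the checksummed bytes are the three instructions quoted earlier in the thread, used only as sample data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bitwise CRC-32 (reflected, polynomial 0xEDB88320), the common zlib variant.
   Assumption: the protector's real checksum algorithm is not stated in the thread. */
static uint32_t crc32_region(const uint8_t *p, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed sample region: RETN 8 / PUSH imm32 / JMP rel32 as raw bytes. */
static const uint8_t sample_code[] = {
    0xC2, 0x08, 0x00,
    0x68, 0x22, 0xFB, 0xE3, 0xBB,
    0xE9, 0x33, 0xC8, 0xCF, 0xFE
};

/* Returns 1 if the region still matches the checksum recorded beforehand. */
static int region_is_intact(const uint8_t *p, size_t len, uint32_t expected) {
    return crc32_region(p, len) == expected;
}

/* Returns 1 if an INT3 written at `offset` makes the integrity check fail. */
static int breakpoint_is_detected(size_t offset) {
    uint8_t live[sizeof sample_code];
    uint32_t baseline = crc32_region(sample_code, sizeof sample_code);
    memcpy(live, sample_code, sizeof live);
    live[offset] = 0xCC; /* a software breakpoint overwrites one code byte */
    return !region_is_intact(live, sizeof live, baseline);
}

int main(void) {
    uint32_t baseline = crc32_region(sample_code, sizeof sample_code);
    printf("baseline crc32 = %08X\n", (unsigned)baseline);
    printf("untouched region intact: %d\n",
           region_is_intact(sample_code, sizeof sample_code, baseline));
    printf("INT3 at offset 0 detected: %d\n", breakpoint_is_detected(0));
    return 0;
}
```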
Posted
22 hours ago, kuazi GA said:

[Image: 2023_11.10-06_09_27.png]

 

PS  "Do not modify the machine code at the virtual machine entry point as it will trigger the CRC check."🙂

yea this is very clear for me, but where to find the correct routine..

give some help 

  • Like 1
Posted

You need to patch HWID because it uses constant encryption to the one provided by giv....

then you can either calculate the password md5 hash to get (tuts4you.com) or you can bypass the "invalid password" check.

op.png

After that, you can register it.

  • Like 1
Posted (edited)

@TRISTAN Pro

--

Edited by X0rby
No problems in public, let's talk pm
Posted (edited)

😁😇

Edited by TRISTAN Pro
Ok
Posted
On 11/11/2023 at 11:39 PM, X0rby said:

You need to patch HWID because it uses constant encryption to the one provided by giv....

then you can either calculate the password md5 hash to get (tuts4you.com) or you can bypass the "invalid password" check.

op.png

After that, you can register it.

Bro I'm not a noob, but I forgot some things and the password can be bp hooked without md5 calculation ;)

Just looking for the right place to change hwid without crc detecting me

[Image: test.jpg]

 

  • 1 month later...
Posted
On 20/07/2021 at 10:48, GIV said:

Enigma Protector v6.9


I have protected a simple file with the Enigma Protector 6.9. Try to unpack.

For a skilled reverser will not be as hard as it seems.



						

 


 

What is the password? A window appears saying APPLICATION REQUIRES PASSWORD TO START, ENTER PASSWORD

 

 

  • 3 weeks later...
CodeExplorer
Posted

The password is tuts4you.com

Used the Olly SHADOW debugger modification with the ScyllaHide plugin.
First you need to turn on all options under DRx Protection in ScyllaHide.

It has a set number of runs allowed, so after it expires, run Trial-Reset.v4.0.Final and clean the Enigma registry key.

Noticed this call:
VirtualAlloc reached:
Stack pointer = 23FDD0
[ESP] (return address) = 55ABBD
[ESP+4] (lpAddress) = 0
[ESP+8] (dwSize) = 100000
[ESP+12] (flAllocationType) = 2000
[ESP+16] (flProtect) = 1
Thread id = 3352
Allocated address = 3550000
Thread id = 3352

RESERVE = 2000

I've noticed the presence of some memory blocks with size 100000 one after another - they probably should be appended to the dump.
 

  • Like 2
  • Thanks 1
Sean Park - Lovejoy
Posted

Has anyone loaded this Enigma ver. 6.9 application successfully?

[Images: 2024-01-13_201049.png, 2024-01-13_201156.png]

Regards.

sean.

  • Like 1
Posted (edited)
33 minutes ago, windowbase said:

Has anyone loaded this Enigma ver. 6.9 application successfully?

[Images: 2024-01-13_201049.png, 2024-01-13_201156.png]

Regards.

sean.

these cheap tricks don't work here, it's constant encryption.

Edited by X0rby
Sean Park - Lovejoy
Posted

@X0rby Did you load it up successfully?

Regards.

sean.

  • Like 1
Posted
Just now, windowbase said:

@X0rby Did you load it up successfully?

Regards.

sean.

ofc, check my older replies - you need to patch hwid to the valid one.

  • Like 1
Sean Park - Lovejoy
Posted (edited)
1 hour ago, X0rby said:

ofc, check my older replies - you need to patch hwid to the valid one.

@X0rby You did. How did you bypass CRC checking? Maybe I have the CRC issue.

Regards.

sean.

Edited by windowbase
adding words.
  • Like 2
Sean Park - Lovejoy
Posted
On 11/10/2023 at 7:14 AM, kuazi GA said:

PS  "Do not modify the machine code at the virtual machine entry point as it will trigger the CRC check."🙂

@kuazi GA

How should I do it without modifying the virtual machine entry point? You already did it.

Can you guide me to solve it?

Regards.

sean.

  • Like 1
Posted
21 hours ago, windowbase said:

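@kuazi GA

How should I do it without modifying the virtual machine entry point? You already did it.

Can you guide me to solve it?

Regards.

sean.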

 

  • Like 2
Sean Park - Lovejoy
Posted (edited)

@kuazi GA I did it using the tool of @CodeExplorer.

Many thanks. By the way, did you do it using the tool, or in your own way?

And one more thing, the app closes when I click the window. Is it intended by giv or is it a problem on my side?

[Image: 2024-01-16_010714.png]

Regards.

sean.

Edited by windowbase
adding words.
  • Like 2
CodeExplorer
Posted

Yeah, the window closes after a short time. Same thing here; I think it was intended by giv.
 

  • Like 1
