Simple Calculator (Enigma 7.40 + ILProtector 2.0.22.14)

[azufo]

View File

Simple Calculator (Enigma 7.40 + ILProtector 2.0.22.14)

---

This is a simple calculator.exe. Protected with ILProtector 2.0.22.14 and double layer Enigma 7.40. First layer on DLL, second layer on EXE and added DLL in Enigma Virtualbox.

For skilled reversers this will not be a problem unpack this.

---

• Submitter
  azufo
• Submitted
  01/10/2024
• Category
  UnPackMe (.NET)

 

[lengyue]

Happy New Year, this example uses encrypted RSA: 4096 and UNICODE authorization mode. There is no time to delve deeper into whether a constant exists, and of course, finding it is not difficult. Authorization name: Tuts4you 2024. dat, encrypt registration information and prohibit users from copying.The difficulty of this software lies in reverse debugging

Edited February 8 by lengyue

[azufo]

2 hours ago, lengyue said:

Happy New Year, this example uses encrypted RSA: 4096 and UNICODE authorization mode. There is no time to delve deeper into whether a constant exists, and of course, finding it is not difficult. Authorization name: Tuts4you 2024. dat, encrypt registration information and prohibit users from copying.

Here the hard of part is dumping the native dll. It's easy for me and I've unpacked several such targets. At this target you have to dump it manually, because dll saver wont't work.

[BlackHat]

1 hour ago, azufo said:

Here the hard of part is dumping the native dll. It's easy for me and I've unpacked several such targets. At this target you have to dump it manually, because dll saver wont't work.

IT'S very easy to dump. Not a problem since it is C# protector even though it generates native dll. 

I just basically need to bypass the enigma nag only and then it is 1 sec. of work. 

[azufo]

11 minutes ago, BlackHat said:

IT'S very easy to dump. Not a problem since it is C# protector even though it generates native dll. 

I just basically need to bypass the enigma nag only and then it is 1 sec. of work. 

Тhis method you are thinking here will not work, try it.

[BlackHat]

4 hours ago, azufo said:

Тhis method you are thinking here will not work, try it.

Now a days I only work with C#, so if you have bypassed this Enigma Registration window then send me and I will post the unpacked one.  I just want it running in my system. that's it. 
Also I am using Win11 in my real pc yet it shows VM detected. 

Edited February 8 by BlackHat

[azufo]

15 hours ago, BlackHat said:

Now a days I only work with C#, so if you have bypassed this Enigma Registration window then send me and I will post the unpacked one.  I just want it running in my system. that's it. 
Also I am using Win11 in my real pc yet it shows VM detected. 

I am the author of this challenge and i removed the cheap tricks. There is no way to hook winapi without it detecting you or copying it to an easy ram disk, vm, etc.About hwid nag is very easy to bypass in few minutes.  There is no way to dump the native dll for 1 second, minute and make it work.

Edited February 9 by azufo

[lengyue]

Sorry, I can't dump the DLL, I can only hook PatchHWID. Anti debugging very strong

[Hadits follower]

when the file is runned it appeared a registration window ,which screenshot u have attached to ur thread, is the file c# or native ? if the file is native dialog box and posted it in dotnet unpack me section then there is nothing different between posting a dotnet file with win rar/zip password , u can post it on crack me section if the dialog box is native , 

 

[azufo]

1 hour ago, Hadits follower said:

when the file is runned it appeared a registration window ,which screenshot u have attached to ur thread, is the file c# or native ? if the file is native dialog box and posted it in dotnet unpack me section then there is nothing different between posting a dotnet file with win rar/zip password , u can post it on crack me section if the dialog box is native , 

 

This is vbnet file protected whit ilprotect and enigma and source code is included, you can take a look. 

In this form there is no way to crack it except in the debugger

Edited February 10 by azufo

[Hadits follower]

when i pack/zip a dotnet file with winrar password then i can call its a dotnet file , and post that password protected file in dotnet unpackme section and saying people look the 2nd layer is dotnet , i have to crack the password to see the dotnet file , the same thing u did in this thread , when i run the file the window appear that is not dotnet 

 

[lengyue]

PatchHWID&KeyGen

[BlackHat]

On 2/9/2024 at 1:06 PM, azufo said:

I am the author of this challenge and i removed the cheap tricks. There is no way to hook winapi without it detecting you or copying it to an easy ram disk, vm, etc.About hwid nag is very easy to bypass in few minutes.  There is no way to dump the native dll for 1 second, minute and make it work.

Just send me then without HWID locked or at least with Trial enabled so I can run it in my system without putting my time in enigma hwid patching. 

Rest of the work is not time taking. 

[dayeya4896]

43 minutes ago, lengyue said:

PatchHWID&KeyGen

Happy new year

Edited February 10 by dayeya4896

[azufo]

28 minutes ago, lengyue said:

PatchHWID&KeyGen

Well done, I know you're a good reverse. Now u need dump dll and unpack ilprotect.

[lengyue]

I have been unable to successfully debug on the Windows 10 platform, and I don't know how to dump the DLL file. I tried to use a debugger to attach it, but the dump DLL cannot be fixed with importREC. I am still thinking about it

 

Quote

Sorry, in order not to harm the interests of the author of The Enigma Protector, I do not want to disclose the KeyGen information temporarily. The Enigma Protector_7.5 has fixed constants and some issues, and it cannot be searched in memory.

@azufoDue to the strong anti debugging capability, I can only write all the data required for hijacking DLL output patches for patch writing

Regards

Test Protect 2024-.rar

Edited February 11 by lengyue

[azufo]

7 hours ago, lengyue said:

I have been unable to successfully debug on the Windows 10 platform, and I don't know how to dump the DLL file. I tried to use a debugger to attach it, but the dump DLL cannot be fixed with importREC. I am still thinking about it

@lengyue I'll give you a little help. Уou need a dump and repair with PE editor + debbuger ....

[azufo]

15 hours ago, BlackHat said:

Just send me then without HWID locked or at least with Trial enabled so I can run it in my system without putting my time in enigma hwid patching. 

Rest of the work is not time taking. 

it's a 2 minute job for hwid, but I'm curious why you're so keen on it being a trivial protect. You can dump the dll for 1 sec, so it won't be a problem for you.

Edited February 11 by azufo

[Sean Park - Lovejoy]

30 minutes ago, azufo said:

it's a 2 minute job for hwid, but I'm curious why you're so keen on it being a trivial protect. You can dump the dll for 1 sec, so it won't be a problem for you.

 

Why is this warning shown in my windows 11 machine?

 

 

Regards.

sean.

[azufo]

Debugger is 

Just now, windowbase said:

 

Why is this warning shown in my windows 11 machine?

 

 

Regards.

sean.

Your Debbuger is detect

[lengyue]

2 hours ago, azufo said:

@lengyue 我会给你一点帮助。 Уou 需要使用 PE 编辑器 + debbuger 进行转储和修复 ....

Thank you.

[Sean Park - Lovejoy]

13 minutes ago, azufo said:

Debugger is 

Your Debbuger is detect

Which plugins do I have to use and how do I configure them?

Regards.

sean.

[azufo]

24 minutes ago, windowbase said:

Which plugins do I have to use and how do I configure them?

Regards.

sean.

Sean, I can help you, but I expect others to help the less experienced. All I've seen here is mumbling and writing about things I know can't happen. I created this challenge to get them to help each other and eliminate the use of trivial tools and tricks.

only @lengyue and one more Chinese reverse from other group have progressed.

Edited February 11 by azufo

[Sean Park - Lovejoy]

3 minutes ago, azufo said:

Sean, I can help you, but I expect others to help the less experienced. All I've seen here is mumbling and writing about things I know can't happen. I created this challenge to get them to help each other and eliminate the use of trivial tools and tricks.

Okay. I understood.

Regards.

sean.

[TRISTAN Pro]

3 hours ago, azufo said:

Sean, I can help you, but I expect others to help the less experienced. All I've seen here is mumbling and writing about things I know can't happen. I created this challenge to get them to help each other and eliminate the use of trivial tools and tricks.

only @lengyue and one more Chinese reverse from other group have progressed.

Hum😁

Just passed here.

Even impliment dll it can be patched as always.

So here yuo are the runtime32.dll nice try unfortenly many people can still bypass.

I don't know for. Net so I just attach dll main as yuo said.

Thanks for challenge.

humm.rar

Edited February 11 by TRISTAN Pro
Forget something