Unpacking enigma 5 dll - technique help requested


Post #1 by aono » 25 Nov 2018 03:09

Hello everyone,

I am newish at RE - learned lots from the big guys' tuts and scripts - respect to all of them.
I want to learn the method to unpack / dump / fix a dll packed with EP5.

For the practice target, I can manually find the VM OEP and the real code virtualised OEP; I can manually find the IAT and reconstruct the IAT in a dump using impREC.
But I cannot fix the VM APIs ... yet - any help to make me learn is requested.

@Giv's 'Enigma Protector 4.xx and 5.XX unpacker by GIV..' runs but gives an error at line 187/188 - not sure why, but maybe the 'REG' variable is not defined at this point? And the script stops.

@LCF-AT's 'Enigma HWID Inline B****1.0' runs but the produced dll file crashes.

My previous knowledge of finding HWID patch bytes is also not helpful here.

Thanks in advance for any help for a guy with 'junior' knowledge.

Post #2 by giv » 25 Nov 2018 09:37

Hi.
Shadow_UA has a nice tutorial about your question.
Just use my script and step line by line to understand the method.
https://www.youtube.com/watch?v=DKKsdEX4LCI

About HWID issues in my script:
I did not use it a lot on HWID, so that is why, maybe, in some cases it may fail.
Just trace and fix the script.
Best regards!
GIV

Post #3 by aono » 25 Nov 2018 13:20

@Giv, thanks for replying and for your help.
This knowledge hopefully will help others also.

I am thinking like this, please advise if you think it will work:

1. Your script actually works well and gets past the nag screen with any text entered - if the dll in memory (after running your script) is dumped, what steps are then needed to make it run "patched" without the script? I am thinking like this because the 'in memory' version of the dll is what we need as a standalone dll.

2. Thanks for the video link - do you advise that making a smaller script (from the original) to just fix VM APIs would be useful for that step - to make it fast and easy? @Shadow_UA says he has published a 'fix VM APIs' script, but I cannot find it anywhere, can you help locate it? Or, will just using a section from your script work also?

Grateful thanks

Post #4 by giv » 26 Nov 2018 09:32

Hi.
1. So I told you already.
Unpack in 2 imagebases and then fix relocations.

2. His script is incorporated into mine (just search in my script).

So I guess that you are in a rush.
Take it easy because you have all the needed info.

Best regards!
GIV