Unpacking enigma 5 dll - technique help requested


Post Number:#1  Postby aono » 25 Nov 2018 03:09

Hello everyone,

I am newish at RE; I learned lots from the big guys' tuts and scripts. Respect to all of them.
I want to learn the method to unpack / dump / fix a DLL packed with EP5.

For the practice target, I can manually find the VM OEP and the real code's virtualised OEP; I can manually find the IAT and reconstruct the IAT in a dump using ImpREC.
But I cannot fix the VM APIs... yet. Any help to make me learn is requested.

@Giv's 'Enigma Protector 4.xx and 5.XX unpacker by GIV' runs but gives an error at line 187/188. Not sure why, but maybe the 'REG' variable is not defined at this point? And the script stops out.

@LCF-AT's 'Enigma HWID Inline B****1.0' runs, but the produced DLL file crashes.

My previous knowledge of finding HWID patch bytes is also not helpful here.

Thanks in advance for any help for a guy with 'junior' knowledge.

Post Number:#2  Postby giv » 25 Nov 2018 09:37

Hi.
Shadow_UA has a nice tutorial about your question.
Just use my script and step line by line to understand the method.
https://www.youtube.com/watch?v=DKKsdEX4LCI

About HWID issues in my script:
I did not use it a lot on HWID, so that is why, maybe, in some cases it may fail.
Just trace and fix the script.
Best regards!
GIV

Post Number:#3  Postby aono » 25 Nov 2018 13:20

@Giv, thanks for replying and your help.
This knowledge hopefully will help others also.

I am thinking like this; please advise if you think it will work:

1. Your script actually works well and gets past the nag screen with any text entered. If the DLL in memory (after running your script) is dumped, what steps are then needed to make it run "patched" without the script? I am thinking like this because the 'in memory' version of the DLL is what we need as a standalone DLL.

2. Thanks for the video link. Do you advise that making a smaller script (from the original) to just fix VM APIs would be useful for that step, to make it fast and easy? @Shadow_UA says he has published a 'fix VM APIs' script, but I cannot find it anywhere; can you help locate it? Or will just using the section from your script work also?

Grateful thanks.

Post Number:#4  Postby giv » 26 Nov 2018 09:32

Hi.
1. So I told you already.
Unpack in 2 imagebases and then fix relocations.

2. His script is incorporated into mine (just search in my script).

So I guess that you are in a rush.
Take it easy, because you have all the needed info.

aono wrote: @Giv, thanks for replying and your help.
This knowledge hopefully will help others also.

I am thinking like this; please advise if you think it will work:

1. Your script actually works well and gets past the nag screen with any text entered. If the DLL in memory (after running your script) is dumped, what steps are then needed to make it run "patched" without the script? I am thinking like this because the 'in memory' version of the DLL is what we need as a standalone DLL.

2. Thanks for the video link. Do you advise that making a smaller script (from the original) to just fix VM APIs would be useful for that step, to make it fast and easy? @Shadow_UA says he has published a 'fix VM APIs' script, but I cannot find it anywhere; can you help locate it? Or will just using the section from your script work also?

Grateful thanks.
Best regards!
GIV

Post Number:#5  Postby aono » 22 Feb 2019 21:52

Hi Giv,

Please, your advice:

The target for unpacking is an exe packed with Enigma 5.xx, HWID lock, but the file is a 64-bit exe.

The search hex codes for x32 Enigma (like 55 8B EC 33 C9 51 51 51 51 51 51 53 8B D8 33 C0) are not found in this x64 exe.
Are the hex byte codes to search for, for registration bypass or HWID, in x64 Enigma different from x32 Enigma? Can you show us the bytes to search for, please?

Thanks.

Post Number:#6  Postby giv » 22 Mar 2019 10:04

aono wrote: Hi Giv,

Please, your advice:

The target for unpacking is an exe packed with Enigma 5.xx, HWID lock, but the file is a 64-bit exe.

The search hex codes for x32 Enigma (like 55 8B EC 33 C9 51 51 51 51 51 51 53 8B D8 33 C0) are not found in this x64 exe.
Are the hex byte codes to search for, for registration bypass or HWID, in x64 Enigma different from x32 Enigma? Can you show us the bytes to search for, please?

Thanks.

Of course.
The instruction set is different, so the byte set is different.
Best regards!
GIV