Hello,

Enigma Alternativ Unpacker 1.0


-------------------------------------------------------

After a longer time I decided to write a new public unpacker script for the Enigma protection which can handle the latest Enigma versions. The new script works almost like my older script "Enigma 1.x - 3.x VM Unpacker 1.0", but this time it will no longer fix any Enigma VM, so it only dumps the VM. The new script is called "Alternativ", so I think the name says it all. It's just an alternative unpack script which you can use for modern Enigma versions 1.90 - 3.130. Also for this script I tried to add all important features and some more to make a good script, even if it's just an alternative script to my other one. Anyway, I think after releasing this script the author of Enigma will maybe also release a new Enigma update, so it's always the same game, you know. :)

Script Features:
-------------------------------------------------------
Unpacking of ENIGMA 1.90 - 3.130+
RegScheme Bypass & HWID Changer
Enigma CheckUp Killer
VirtualMemory Dumper 1.90 - 3.x+ & SC Fixer M1
UIF Tool Necessary Sometimes!
Enigma Intern Export & VM Scan + Log
Improved Import Emulation Fixer
-------------------------------------------------------

Your tasks:
-------------------------------------------------------
Fix API addresses with the UIF tool if necessary. In some cases you have to do this, and the script will tell you about it. If so, use the UIF tool and redirect the API addresses to a place inside your target.

Your Main Task:
-------------------------------------------------------
The script bypasses the first intern VM and only checks the extern / outer VM of your target. If the outer VM is used, the script reads the VM and dumps it as a new section which you have to add manually after dumping your target. So here three situations can arise.

1. Your target doesn't use an outer VM - Just dump and fix the normal target.

2. Your target does use an outer VM

- In this case the script dumps it as new sections which are normally marked with VA - RVA - Size. You have to add the sections correctly with the new RVA address: add them, enter the right RVA and make a valid PE rebuild; for this you can use the LordPE tool.
- If an outer VM is used and you have added some sections, then you ALWAYS have to change the "ESP Pointer" address manually, so this is very important!!! In the Olly LOG you can see all infos about it.
- Load your ready dump in Olly, change the ESP Pointer [enter new address] and save. As the new address you can use any free address where the addresses above are 00 bytes. You can do it very simply: just enter the almost last address of your last IAT section which was created by Scylla, that's OK, or just add more free space and then use the last address [watch video!].

3. Your target does use an outer VM - Section called

"VA_xxxxxxxx_RVA_ADJUST_size_xxxxxxxx.mem"

RVA_ADJUST <-- If you see this in the section name as RVA, then you just need to add the section without rebuilding the PE. Just add and save. In this case you have to change some more section pointers and not only the ESP Pointer. Also here check the Olly LOG window for all infos about it.

VM section example: 00C00145 SecBase: 00C00000 | Addr - Base = 145

VM added section is: 00990000 SecBase: 00990000 + 145 = 00990145 <--- New Pointer address

Mostly in this case you only have to change the ESP Pointer and the new Pointer and then save it.
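As an added helper (not part of LCF-AT's script), the snippet below parses the dumped section file name to decide whether a PE rebuild is needed (plain RVA) or just a section add (RVA_ADJUST), and redoes the "Addr - Base" pointer arithmetic from cases 2 and 3 for a section added at a new base. The exact name layout (8 hex digits for VA, RVA and size, ".mem" suffix) is assumed from the placeholder shown above.

```python
import re
from typing import Optional

# Assumed file name layout of the dumped VM sections, e.g.
#   VA_00C00000_RVA_00C00000_size_00001000.mem   -> add + PE rebuild (case 2)
#   VA_00C00000_RVA_ADJUST_size_00001000.mem     -> just add and save (case 3)
SECTION_NAME = re.compile(
    r"^VA_([0-9A-Fa-f]{8})_RVA_(ADJUST|[0-9A-Fa-f]{8})_size_([0-9A-Fa-f]{8})\.mem$"
)


def parse_section_name(name: str) -> dict:
    """Split a dump file name into VA, RVA, size and the rebuild decision."""
    m = SECTION_NAME.match(name)
    if not m:
        raise ValueError(f"not a VM dump section name: {name}")
    va_s, rva_s, size_s = m.groups()
    adjust = rva_s.upper() == "ADJUST"
    return {
        "va": int(va_s, 16),
        "rva": None if adjust else int(rva_s, 16),
        "size": int(size_s, 16),
        # RVA_ADJUST: add the section as-is, no PE rebuild, but more pointers to fix
        "needs_pe_rebuild": not adjust,
    }


def rebase_pointer(old_ptr: int, old_sec_base: int, new_sec_base: int,
                   size: Optional[int] = None) -> int:
    """Recompute a pointer into the dumped VM section after it was added
    at a new base: new = new_base + (old_ptr - old_base), as in the example
    00C00145 - 00C00000 = 145, 00990000 + 145 = 00990145."""
    offset = old_ptr - old_sec_base
    if offset < 0 or (size is not None and offset >= size):
        raise ValueError("pointer does not lie inside the dumped section")
    return new_sec_base + offset


if __name__ == "__main__":
    info = parse_section_name("VA_00C00000_RVA_ADJUST_size_00001000.mem")
    print(info)
    print(hex(rebase_pointer(0x00C00145, 0x00C00000, 0x00990000, info["size"])))
```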

4. Fixing of possibly used EP_Exports of Enigma in the IAT

If your target uses EP_APIs in the IAT then you have to fix them manually! Don't keep them original!

EP_APIS: Most EP APIs which are used in the main IAT of your file don't have any parameters, so in this case you can patch them easily with a positive return result in eax of 1.

Example: JMP DWORD [ADDR] ; EP_XY

to

mov eax,1
ret xy ; the right ret xy value is important to know! See enigma_ide.dll.

EP APIs which are mostly used and have no parameters are

EP_CheckupIsEnigmaOk ret 1 = protection is OK and has not been modified
EP_CheckupIsProtected ret 1 = if the file is protected
etc....

This kind of EP_API you can patch in a simple way and you don't need to execute the VMed API code.

Other EP APIs which can be used in your IAT are mostly APIs which use parameters and which have to get some strings / keys etc. which you only get if you execute the VMed EP API!

EP_ProtectedStringByID - The function returns protected strings
EP_ProtectedStringByKey - The function returns protected strings

So in this case you can not just patch the API like above; here you first have to get all return data of the protected file, for example. Just execute them all and note all return values and buffers. If you have all infos then you can later patch them manually. So don't keep these APIs original! If you leave them original then your dump will crash [also on other systems]. You could also patch this issue, but the problem is that the ENIGMA sections also use their own IAT table which we have not fixed in our dumped file. So if you have any EP APIs in your IAT then you have to patch them. See video.

The main problem can be that you don't know which EP API is used in your IAT, as they are mostly VMed, and these used EP APIs are also doubled, so you can not just follow the EP offset in the DLL_Loader. To prevent this problem for you I have again created an advanced export reader & VM Scan which you can enable in the script....

mov READ_DLL_LOADER, 01 // Read and log all intern loader EP_XY export APIs!
mov GET_EP_VM_VALUES, 01 // Find all VMed EP push API values! Use it if your target used EP APIs in the IAT!

...enable both to get all infos and log files.

Example:

Function File:
---------------------------
RVA: CF414 | VA: 10EA414 | Func: EP_CheckupIsProtected
RVA: CB470 | VA: 10E6470 | Func: EP_CryptDecryptBuffer
etc
---------------------------
VM File:
---------------------------
RVA: CF414 | VA: 10EA414 | VM PUSH VALUE: DeCrypt_ | Func: EP_CheckupIsProtected
RVA: CB470 | VA: 10E6470 | VM PUSH VALUE: 000043E7 | Func: EP_CryptDecryptBuffer
etc

In the function file you get listed all found EP exports of the intern DLL_Loader = Enigma section. The addresses are the direct export call addresses and these are mostly NOT used in your IAT. So in this case have a look into the VM file; there you can see all VM push values for each EP API, and they are the same in your IAT. Now just follow an EP API address in your IAT and trace till the VM push, or trace till the intern main routine, and there you can see the push value in [ESP]. If the value is 000043E7 then find this value in the VM file to see which EP API is used in this case. If in the VM file no push value is logged and you just see DeCrypt_, then it means that this EP API is not VMed = the full routine is directly readable.
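Added example (my own helper, not part of the script or its log files): a parser for the VM-file lines shown above that keeps the VMed / not-VMed distinction (DeCrypt_ = no push value logged) and resolves a dword seen in [ESP] back to the EP export name. The sample lines are constructed from the format in the post; the regex assumes the fields are separated by " | " exactly as shown.

```python
import re
from typing import Dict, List, Optional

# One VM-file line written by the script's VM scan, e.g.
#   RVA: CB470 | VA: 10E6470 | VM PUSH VALUE: 000043E7 | Func: EP_CryptDecryptBuffer
VM_LINE = re.compile(
    r"RVA:\s*([0-9A-Fa-f]+)\s*\|\s*VA:\s*([0-9A-Fa-f]+)\s*\|\s*"
    r"VM PUSH VALUE:\s*(\S+)\s*\|\s*Func:\s*(\S+)"
)

# Constructed sample in the log format shown in the post (plus one junk line).
SAMPLE_VM_FILE = """\
RVA: CF414 | VA: 10EA414 | VM PUSH VALUE: DeCrypt_ | Func: EP_CheckupIsProtected
RVA: CB470 | VA: 10E6470 | VM PUSH VALUE: 000043E7 | Func: EP_CryptDecryptBuffer
etc
"""


def parse_vm_file(text: str) -> List[dict]:
    """Parse VM-file lines into records; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = VM_LINE.match(line.strip())
        if not m:
            continue
        rva, va, push, func = m.groups()
        # "DeCrypt_" means no push value was logged: the export is not VMed
        vmed = push.upper() != "DECRYPT_"
        records.append({
            "rva": int(rva, 16),
            "va": int(va, 16),
            "push_value": int(push, 16) if vmed else None,
            "func": func,
            "vmed": vmed,
        })
    return records


def build_push_index(records: List[dict]) -> Dict[int, str]:
    """Map each logged VM push value to its EP export name."""
    return {r["push_value"]: r["func"] for r in records if r["vmed"]}


def lookup_push_value(records: List[dict], value_in_esp: int) -> Optional[str]:
    """Resolve the dword seen in [ESP] at the VM push to an EP API name."""
    return build_push_index(records).get(value_in_esp)


if __name__ == "__main__":
    recs = parse_vm_file(SAMPLE_VM_FILE)
    print(lookup_push_value(recs, 0x43E7))  # EP_CryptDecryptBuffer
```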

PS: All EP API infos you can read in the Enigma help file. Just download a trial version and check. Also in the enigma_ide.dll file you can find the EP APIs + return values. Note that these EP APIs in the file are non-callers and will always return a negative value, and they will also not help if your target used EP APIs with parameters to get xy data back.

5. If your target is a VB VisualBasic file and one API is missing, then it's mostly the API DllFunctionCall - so fix this manually!
-------------------------------------------------------

That's all so far. The rest of the features you can test too; enable them if you need them.

Enigma CheckUp Killer - Can bypass all basic checks like trial, startup pass, language, OS, etc.

Note: If you use any xy-named driver like StrongOD's xy name like Turbo etc., then check whether it checks it. Set a HWBP on the CreateFileA|W API; there you can see it. The target will not start if your driver name gets checked. If it checks it, then return the API with -1 in eax, or just remove your checked driver [use the autoruns tool] and use another name for your plugin. A reboot is needed after deleting the old driver.

Improved Import Emulation Fixer - A very new feature of Enigma, but this script can handle this too. Just watch the video.

So then have fun with my new script and till next time.

LCF-AT
