Reverse Engineering RET Homepage RET Members Reverse Engineering Projects Reverse Engineering Papers Reversing Challenges Reverser Tools RET Re-Search Engine Reverse Engineering Forum Reverse Engineering Links

Go Back   Reverse Engineering Team Board > Reverse Engineering Board > File Unpacking
FAQ Members List Calendar Search Today's Posts Mark Forums Read

Reply
 
Thread Tools Display Modes
  #1  
Old 11-18-2019, 01:12 PM
CodeRipper CodeRipper is offline
Member
 
Join Date: Mar 2009
Location: Romania
Posts: 27
Default Enigma Registration Bypass (short tut)

Enigma Registration Bypass (short tut):
Set breakpoint on VirtualAlloc Api, break twice to VirtualAlloc,
search for bytes:
55 8B EC 33 C9 51 51 51 51 51 51 53 8B D8 33 C0

Scroll down until you see:
TEST eax,eax
SETNE AL

EAX should be 01 at TEST eax,eax

"push eax, call ..., TEST eax,eax" "SETNE AL" Bytes:
50 E8 ?? ?? ?? ?? 85 C0 0F 95 C0
Reply With Quote
  #2  
Old 10-05-2023, 04:15 AM
CodeRipper CodeRipper is offline
Member
 
Join Date: Mar 2009
Location: Romania
Posts: 27
Default Trick for 5.x and 6.x

For 5.x and 6.x

Debugger used:
SHADOW Olly debugger with ScyllaHide plugin.

Older version push serial on eax and the magic test
will have only this parameter (serial),
the call should return 1.

On new version the call uses both User and Serial:
0061EE08 0101F317 VertigoB.0101F317
0061EE0C 022B4ACC ASCII "User"
0061EE10 022B4AB8 ASCII "SERIAL"

01020CB7 68 0254D543 PUSH 0x43D55402 ; called before 01020CC9
01020CBC ^ E9 2777FFFF JMP VertigoB.010183E8
01020CC1 DE61 1E FISUB WORD PTR DS:[ECX+0x1E]
01020CC4 05 46CBF555 ADD EAX,0x55F5CB46
01020CC9 C2 0800 RETN 0x8 ; when will return
01020CCC 68 3E54D543 PUSH 0x43D5543E
01020CD1 ^ E9 1277FFFF JMP VertigoB.010183E8

C2 08 00 68 ?? ?? ?? ?? E9
unfortunately they are lot of such pattern (30+),
you need to breakpoint on all addresses,
at "RETN 0x8" the value of eax should be 1.
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump





Powered by vBulletin® Version 3.6.4
Copyright ©2000 - 2024, Jelsoft Enterprises Ltd.