
// Targets:

// https://forum.tuts4you.com/topic/37064-unpackme-the-enigma-protector-43-x32-patch-hwid-and-unpackme
// https://forum.tuts4you.com/topic/38285-enigma-protector-52
// Enter new HWID (to be set) under HWID variable with or without "-"
// Script-level state (ODbgScript variables are untyped; numeric literals in
// this script are hexadecimal).
//   HWID              replacement hardware-ID string, assigned below
//   HWIDLen           length of HWID, later reduced by one per removed '-'
//   HWIDLoc           address of the allocated buffer that receives HWID
//   VirtualFree       resolved address of kernel32!VirtualFree
//   EnigmaBase        base of the memory region EIP is in after VirtualFree returns
//   EnigmaVM          address of the second match of the 9-byte signature
//   i                 set to 0 once; not read anywhere in this listing
//   char, Offset      current byte and cursor while normalising HWID
//   Calc1/Calc2/CSize scratch values for the MEMCPY that drops a '-'
//   Hook              address of the allocated block that receives the hook stub
//   ODbgScriptVersion copy of $VERSION, only logged
var HWID
var HWIDLen
var HWIDLoc
var VirtualFree
var EnigmaBase
var EnigmaVM
var i
var char
var Offset
var Calc1
var Calc2
var CSize
var Hook
var ODbgScriptVersion
// Sample value from the original post; the later checks accept only the
// characters 0-9, A-F (upper case) and '-' as a separator.
mov HWID, "457CD-F8351-34E5F-6C41E"
log "The new HWID to be set should be entered in HWID var"

// Plugin version gate: continue only when $VERSION compares equal to or
// above "1.82"; otherwise log, show a message box and stop the script.
cmp $VERSION, "1.82"


je RIGHT_VERSION
ja RIGHT_VERSION
log ""
eval "Your are using a too old script version: {$VERSION}"
log $RESULT, ""
log ""
log "Update your plugin to min. version 1.82 and try again!"
log ""
// NOTE(review): in this copy the string literal below is wrapped across three
// lines, and {SCRIPTNAME}, {L2}, {LONG}, {L1}, {LINES} and {MY} are not
// declared with `var` anywhere in the visible listing - presumably carried
// over from another script's message template; confirm before relying on it.
eval "{SCRIPTNAME} {L2}{LONG} {L1}Your are using a too old script version:
{$VERSION} \r\n\r\nUpdate your plugin to min. version 1.82 and try again! \r\n\r\
n{LINES} \r\n{MY}"
msg $RESULT
ret
// Normalise and validate the HWID string.
// The string is written to an allocated buffer, every '-' is removed in place,
// and every other byte must be '0'..'9' or 'A'..'F'; any other byte logs an
// error and ends the script. HWIDLen ends up as the length without dashes.
RIGHT_VERSION:
mov ODbgScriptVersion,$VERSION
log ODbgScriptVersion
log HWID
len HWID
mov HWIDLen, $RESULT
log HWIDLen
// 0x1000-byte buffer; the hook stub built later embeds this address, so the
// buffer has to be reachable from the debugged process.
alloc 1000
mov HWIDLoc, $RESULT
mov [HWIDLoc], HWID
mov i,0
mov Offset, HWIDLoc
ReplaceChar_CheckChar:
// Read one byte at the cursor.
mov char, [Offset], 1
cmp char, 2D // is -
jnz NotToRemove
// removing -
// Calc1 = index of the byte after the dash; Calc2 = bytes from there up to
// and including the terminating NUL. The tail is shifted left by one.
mov Calc1, Offset
inc Calc1 // skipped char
sub Calc1, HWIDLoc // current position
mov Calc2,HWIDLen
inc Calc2 // include null char
sub Calc2,Calc1
mov CSize, Calc2
MEMCPY Offset,Offset+1,CSize // MEMCPY dest,src,size
dec HWIDLen
// NextChar advances Offset, so the byte that was just shifted into the
// dash's position is not itself examined by the checks below.
jmp NextChar
NotToRemove:
cmp char,0 // do not check null end char
jz NextChar
// '0'..'9' inclusive (0x30..0x39)
cmp char, 039
ja CheckAF // if > '9'
cmp char, 030
jae NextChar // if >= '0'
log "Invalid char in HWID, not a hex string"
ret

// 'A'..'F' inclusive (0x41..0x46); lower-case a-f is rejected.
CheckAF:
cmp char, 046
ja InvalidChar // if > 'F'
cmp char, 041
jae NextChar // if >= 'A'
InvalidChar:
log "Invalid char in HWID, not a hex string"
ret

NextChar:
inc Offset
// char still holds the byte read at the top of the loop; stop after the NUL.
cmp char,0
jnz ReplaceChar_CheckChar

log HWIDLen

// Locate the code to be hooked.
// The script breaks on kernel32!VirtualFree, runs to its return and steps one
// instruction, then treats the memory region containing EIP as the
// protector's region (presumably the VirtualFree call is made from inside the
// unpacked protector code - the script does not verify this).
gpa "VirtualFree", "kernel32.dll"


mov VirtualFree, $RESULT
bp VirtualFree
erun
bc VirtualFree
rtr
sti
GMEMI eip, MEMORYBASE
mov EnigmaBase, $RESULT
log EnigmaBase
// Byte signature searched for, as disassembled in the original author's
// session (the address column is from that session only):
//0055AA34 60 PUSHAD
//0055AA35 9C PUSHFD
//0055AA36 B2 01 MOV DL,0x1
//0055AA38 BE 00000000 MOV ESI,0x0
find EnigmaBase, #609CB201BE00000000#
cmp $RESULT, 0
jnz BaseFound
log "Enigma VM not found!"
ret
BaseFound:
// Search again starting one byte past the first hit: the SECOND occurrence of
// the signature is the one recorded in EnigmaVM. Both failure paths log the
// same message, so the log does not tell which search failed.
mov EnigmaVM, $RESULT
add EnigmaVM, 1
find EnigmaVM, #609CB201BE00000000#
cmp $RESULT, 0
jnz BaseFound2
log "Enigma VM not found!"
ret
BaseFound2:
mov EnigmaVM, $RESULT
log EnigmaVM

// 0x1000-byte block that will receive the hook stub.
alloc 1000
mov Hook, $RESULT
log Hook

// Scratch memory and API addresses used by the two stubs assembled below.

// ReadPlace: 0x28-byte buffer passed to VirtualQuery as its output structure
// (the stub passes 0x1C as the structure length). ProtectOffset = ReadPlace +
// 0x14, which is the offset of the Protect field in the 32-bit
// MEMORY_BASIC_INFORMATION layout.
var ReadPlace
alloc 28
mov ReadPlace, $RESULT
var ProtectOffset
mov ProtectOffset,ReadPlace
add ProtectOffset,14

// CurrentPos: write cursor for the hook stub, starting at Hook.
var CurrentPos
mov CurrentPos, Hook
var lstrlen
gpa "lstrlenA", "kernel32.dll"
mov lstrlen, $RESULT

// NOTE(review): ReadMem is resolved but not referenced again in this listing.
var ReadMem
gpa "ReadProcessMemory", "kernel32.dll"
mov ReadMem, $RESULT

var VirtualQuery
gpa "VirtualQuery", "kernel32.dll"
mov VirtualQuery, $RESULT

var IsBadReadPtr
gpa "IsBadReadPtr", "kernel32.dll"
mov IsBadReadPtr, $RESULT

// IsValidHex: 0x1000-byte block for the character-check helper stub;
// CurrentPos2 is its write cursor.
var IsValidHex
alloc 1000
mov IsValidHex, $RESULT
log IsValidHex
var CurrentPos2
mov CurrentPos2, IsValidHex

// Assemble the IsValidHex helper stub at CurrentPos2.
//   In:  EBX = pointer to the bytes to test, ECX = number of bytes
//   Out: EAX = 1 if every tested byte is '0'..'9' or 'A'..'F', else EAX = 0
//   Uses ESI as the index and DL as the current byte; neither is saved.
// Each instruction follows the same pattern: `eval` builds the text, `asm`
// assembles it at the cursor, `GCI ..., SIZE` reads back the encoded length
// and the cursor is advanced by it. Conditional jumps are written as raw
// two-byte opcodes with fixed displacements, so their targets depend on the
// sizes of the surrounding instructions; the targets named below are inferred
// from the usual short encodings and are not checked by the script.
// The loop tests the byte first and the bound afterwards, so at least one
// byte is read even when ECX is 0.
eval "xor esi,esi" // esi=0


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

// Loop head (target of the backward jb near the end).
eval "mov dl,byte ptr [ebx+esi]" // get a char


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

eval "cmp dl,039" // if > '9'


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

// 77 08 = ja short +8: above '9', continue at the 'A'..'F' test.
mov [CurrentPos2], #7708# // next check


add CurrentPos2, 2

eval "cmp dl,030" // if >= '0' jae next char


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

// 73 10 = jae short +0x10: digit accepted, continue at `inc esi`.
mov [CurrentPos2], #7310#


add CurrentPos2, 2

// Below '0': reject.
eval "xor eax,eax" // return 0


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

eval "retn" // return


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

eval "cmp dl,046" // if > 'F' jump to InvalidChar


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

// 77 05 = ja short +5: above 'F', go to the second reject sequence.
mov [CurrentPos2], #7705# // ja InvalidChar


add CurrentPos2, 2

eval "cmp dl,041" // if >= 'A' jump to next char


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

// 73 03 = jae short +3: 'A'..'F' accepted, continue at `inc esi`.
mov [CurrentPos2], #7303# // jae next char


add CurrentPos2, 2

// Between '9' and 'A', or above 'F': reject.
eval "xor eax,eax" // return 0


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

eval "retn" // return


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

// Next character.
eval "inc esi"


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

eval "cmp esi,ecx"


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

// 72 DE = jb short -0x22: index still below ECX, back to the loop head.
mov [CurrentPos2], #72DE# // jb begin


add CurrentPos2, 2

// All ECX bytes passed.
eval "mov eax,1" // return 1


asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT
eval "retn" // return
asm CurrentPos2, $RESULT
GCI CurrentPos2, SIZE
add CurrentPos2, $RESULT

// Hook stub, part 1 (assembled at CurrentPos, which starts at Hook):
// save all registers and flags, keep the incoming EAX in EBX, and ask
// IsBadReadPtr(EBX, 1) whether one byte at that address is readable.
// Each instruction is emitted with the eval / asm / GCI SIZE / add pattern.
eval "pushad" // save registers


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "pushfd" // save flags


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

// EBX = value EAX had at the hooked location; it is treated as a candidate
// string pointer for the rest of the stub.
eval "mov ebx,eax"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "push 1" // mem size


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "push ebx" // address


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "call {IsBadReadPtr}"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "cmp eax, 0"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

// 75 50 = jnz short +0x50: non-zero result (pointer not readable), skip ahead.
// The displacement is fixed, so it depends on the size of everything emitted
// after it. NOTE(review): with the usual short encodings it appears to land on
// the popfd/popad restore sequence at the end of the stub - confirm.
mov [CurrentPos], #7550#


add CurrentPos, 2

// Hook stub, part 2: call VirtualQuery(EBX, ReadPlace, 0x1C) and test the
// Protect field of the returned structure (read through ProtectOffset).
// The pointer is only processed further when the page has one of the
// protections in mask 0xEE and has neither PAGE_GUARD nor PAGE_NOACCESS set.
eval "push 1C"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "push {ReadPlace}"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "push ebx" // address


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT
eval "call {VirtualQuery}"
asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

// The next two instructions are written as raw bytes (opcode + 4-byte
// operand) instead of going through `asm`; presumably this pins each one to a
// 5-byte encoding so the fixed jump displacements stay valid.
//eval "mov eax, dword ptr [{ProtectOffset}]"


//asm CurrentPos, $RESULT
//GCI CurrentPos, SIZE
//add CurrentPos, $RESULT
// instead do:
mov [CurrentPos], #A1# // mov eax,dword ptr [ProtectOffset]
inc CurrentPos
mov [CurrentPos], ProtectOffset, 4
add CurrentPos,4

//eval "and eax, 0EE" // DWORD mask = (PAGE_READONLY|PAGE_READWRITE|


// PAGE_WRITECOPY|PAGE_EXECUTE_READ|PAGE_EXECUTE_READWRITE|PAGE_EXECUTE_WRITECOPY);
//asm CurrentPos, $RESULT
//GCI CurrentPos, SIZE
//add CurrentPos, $RESULT
mov [CurrentPos], #25# // and eax, 0EE
inc CurrentPos
mov [CurrentPos], 0EE, 4
add CurrentPos,4

eval "cmp eax, 0"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

// 74 34 = jz short +0x34: none of the masked protections set, skip ahead
// (fixed displacement; target inferred to be the restore sequence - confirm).
mov [CurrentPos], #7434#


add CurrentPos, 2

//eval "mov eax, dword ptr [{ProtectOffset}]"


//asm CurrentPos, $RESULT
//GCI CurrentPos, SIZE
//add CurrentPos, $RESULT
mov [CurrentPos], #A1# // mov eax,dword ptr [ProtectOffset]
inc CurrentPos
mov [CurrentPos], ProtectOffset, 4
add CurrentPos,4

//eval "and eax, 101" // if (mbi.Protect & (PAGE_GUARD|PAGE_NOACCESS))


//asm CurrentPos, $RESULT
//GCI CurrentPos, SIZE
//add CurrentPos, $RESULT
mov [CurrentPos], #25# // and eax, 0101
inc CurrentPos
mov [CurrentPos], 0101, 4
add CurrentPos,4

eval "cmp eax, 0"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

// 75 25 = jnz short +0x25: guard or no-access page, skip ahead
// (fixed displacement; target inferred to be the restore sequence - confirm).
mov [CurrentPos], #7525#


add CurrentPos, 2
// Hook stub, part 3: decide whether the string at EBX looks like a hardware
// ID and, if so, overwrite it in place.
// Conditions, in order: lstrlenA(EBX) equals HWIDLen, and the IsValidHex
// helper returns 1 for those bytes. When both hold, HWIDLen bytes are copied
// from the buffer at HWIDLoc over the string at EBX. HWIDLen and HWIDLoc are
// baked into the stub as immediates when the script runs.
eval "push ebx" // address
asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "call {lstrlen}"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "cmp eax, {HWIDLen}"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

// 75 1A = jnz short +0x1A: different length, skip the copy
// (fixed displacement; target inferred to be the restore sequence - confirm).
mov [CurrentPos], #751A#


add CurrentPos, 2

// ECX = string length, the count argument of the IsValidHex helper.
eval "mov ecx, eax"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "call {IsValidHex}"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "cmp eax, 1"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

// 75 0E = jnz short +0x0E: not an upper-case hex string, skip the copy
// (fixed displacement; target inferred to be the restore sequence - confirm).
mov [CurrentPos], #750E#


add CurrentPos, 2

// Raw-byte emission again (opcode BE + 4-byte address), presumably to keep
// the instruction at a fixed 5 bytes.
//eval "mov esi, {HWIDLoc}"


//asm CurrentPos, $RESULT
//GCI CurrentPos, SIZE
//add CurrentPos, $RESULT
mov [CurrentPos], #BE# // mov esi, {HWIDLoc}
inc CurrentPos
mov [CurrentPos], HWIDLoc, 4
add CurrentPos,4

// EDI = destination = the string found at the hooked location.
eval "mov edi, ebx"


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

//eval "mov ecx, {HWIDLen}"


//asm CurrentPos, $RESULT
//GCI CurrentPos, SIZE
//add CurrentPos, $RESULT
mov [CurrentPos], #B9# // "mov ecx, {HWIDLen}"
inc CurrentPos
mov [CurrentPos], HWIDLen, 4
add CurrentPos,4
// Copies exactly HWIDLen bytes; the terminating NUL of the destination is
// left as it was (the lengths were just compared equal).
eval "rep movsb"
asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

// Hook stub, part 4, and installation of the hook.
// The stub restores flags and registers, replays the 9 signature bytes it is
// about to displace, and jumps back to EnigmaVM + 9. Only after the stub is
// complete is the code at EnigmaVM overwritten with a jump to Hook.
// Resulting in-memory artefacts: a JMP where the 9-byte signature
// (60 9C B2 01 BE 00 00 00 00) used to start, and two freshly allocated
// regions holding the stubs. A string of the expected length and character
// set reaching this point in EAX is replaced regardless of where it came
// from, which is why an identifier that is both produced and consumed inside
// the same process cannot serve as an independent check.
eval "popfd" // restore flags


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

eval "popad" // restore registers


asm CurrentPos, $RESULT
GCI CurrentPos, SIZE
add CurrentPos, $RESULT

// Replay of the displaced instructions (pushad / pushfd / mov dl,1 / mov esi,0).
mov [CurrentPos], #609CB201BE00000000# // original bytes


add CurrentPos, 9

var EnigmaVMAfter
mov EnigmaVMAfter, EnigmaVM
add EnigmaVMAfter, 9

eval "jmp {EnigmaVMAfter}" // assemble jump back


asm CurrentPos, $RESULT

// Overwrites the start of the matched sequence at EnigmaVM. The remaining
// signature bytes after the jump are left in place and are never executed,
// because the stub returns to EnigmaVM + 9.
eval "jmp {Hook}" // hook Enigma


asm EnigmaVM, $RESULT
