01 Mar 2019

March update of unpackers

Enigma VirtualBox unpacker

  • Unpacker will refuse to run if there is not enough space in TMP folder and/or in working directory
  • PE header size was calculated incorrectly in some cases
  • TLS directory was not detected correctly for some files

Setting the TMP folder to a RAM drive was a good idea in the 1990s. Now it's the year 2019 and you can't manage virtual memory better than Windows already does. But some people apparently still try, so I added checks to stop them from shooting themselves in the foot.

Molebox VS unpacker

  • Added support for a very old version of Molebox VS, as reported by death

The fix was actually implemented a long time ago, I just didn't make the announcement.

52 thoughts on “March update of unpackers”

  1. Avatar

    [+] MD5: cab4548622781e72424bc9391e114030
    [i] Molebox type: new (v4.4325..v4.5462)
    [i] Exact MoleboxVS version: UNKNOWN

    • Avatar

      I can't help you without seeing the file. Please upload it to mega.co.nz or mediafire.com and send me the link. I'll be happy to fix the problem.

  2. Avatar

    Why don't you unpack VMprotect? No talent sir? No skillz?

    All you can do is to unpack UPX like protections?

    Don't waste our time you dummy.

    • Avatar

      It's my blog and I write about things that interest *me*.

      If you don't like it, stop reading and go away. As simple as that.

  3. Avatar

    " I can't help you without seeing the file. Please upload it to mega.co.nz or mediafire.com and send me the link. I'll be happy to fix the problem "

    Link :
    {hidden link}

    Thanks

    • Avatar

      Thank you, I will look at it and fix the problem.

      EDIT: your file is protected using "Enable anti-crack features" switch. I know how to fix that but I will not have any free time this week. So, I'll look at that sometime next week.

  4. Avatar

    Hi Kao, do you have time? Can you check this file? I can't unpack it using your new version of demoleitionVS.
    Link: {hidden link}

    • Avatar

      That's because it's not protected with Molebox at all. It is using some custom "protection". :)

      There are 4 files inside:

      • actual htlauncher.exe
      • ClientLib.dll - contains ZIP with more files
      • gameguard.dll - probably some sort of anticheat
      • nvidiar.exe - some sort of anticheat? Very suspicious file.

      And inside the ZIP file there are:

      • serverlist.bin
      • system\HTMessage.txl
      • system\TantraParam.tpa
    • Avatar

      Your file is protected using Molebox VS "Enable anti-crack features" switch. I am working on a fix for that.

  5. Avatar

    That's because it's not protected with Molebox at all. It is using some custom "protection". :)

    There are 4 files inside:

    actual htlauncher.exe
    ClientLib.dll - contains ZIP with more files
    gameguard.dll - probably some sort of anticheat
    nvidiar.exe - some sort of anticheat? Very suspicious file.
    And inside the ZIP file there are:

    serverlist.bin
    system\HTMessage.txl
    system\TantraParam.tpa

    Kao, what kind of packer do they use?

      • Avatar

        I don't speak your language, could you please use English?

        You did not upload full installation, so I cannot extract all files. I will fix my unpacker and publish it soon. Then you can extract the files yourself.

  6. Avatar

    Thanks for releasing the nice tool.
    However, I got some error.
    Please help me or give me advice.
    I used your demoleition v0.60.

    {hidden link}

    And if you want to send the fixed files, please send them to my e-mail: {hidden link}

    Thanks pro kao.

    • Avatar

      Your file is broken. You did not unpack Enigma Protector correctly - and therefore my unpacker cannot do its job.

  7. Avatar

    [+] MD5: 580d93fd2f4b2a0ef050e92fd0a55757
    [i] Molebox type: very old (v4.1394..v4.2062)
    [x] EXCEPTION EOutOfMemory

    • Avatar

      As always - I can't help you without seeing the file. Please upload it to Mega.co.nz or mediafire.com, send me the link and I'll fix the bug.

  8. Avatar

    >Unpacker will refuse to run if there is not enough space in TMP folder and/or in working directory

    0.56 doesn't work with Wine anymore (4.0/4.9). It's possible to run unpacked software in native NW.js, so I use it for that. My /tmp is tmpfs as well, but that's not the problem here. Would be great if you could fix it, thank you.

    • Avatar

      I just tested it under Ubuntu 18.04.2 and Wine 4.0.1 - it works just fine.
      [Screenshot: enigmavb unpacker in wine]

      Could you provide me with more details about your system and how you run the unpacker? df -l and wine output during the execution + screenshots from winecfg would be a good start. Otherwise there is not much I can do - it works for me.

      • Avatar

        Sorry, my whole system (most of it) might be currently located in RAM, so that can possibly be the reason. This is the first time there is such a problem, I'm not sure what to think about it. Should I mention that previous version works perfectly fine?

        Here's some info:

        ~ $ df -l
        Filesystem 1K-blocks Used Available Use% Mounted on
        devtmpfs 10240 0 10240 0% /dev
        shm 4078724 10752 4067972 1% /dev/shm
        tmpfs 4078724 1018776 3059948 25% /run
        /dev/sdb1 3410408 2618988 791420 77% /run/initramfs/live
        /dev/loop0 2538880 2538880 0 100% /run/initramfs/squashfs
        none 4078724 1018776 3059948 25% /
        cgroup_root 10240 0 10240 0% /sys/fs/cgroup
        none 4078724 12 4078712 1% /run/user/1000
        none 4078724 0 4078724 0% /run/user/0

      • Avatar

        But seriously this logic is broken. I don't run my system from RAM anymore and it won't extract anything. I get this message:

        EnigmaVBUnpacker v0.57, compiled on 21-06-2019 11:28
        Supports Enigma Virtual Box v4.10..9.20
        Latest version always on {hidden link}

        [+] Filename: C:\shit\Peasants Quest NYD191.exe
        [x] There is not enough space in working directory. Unpacking would most likely fail!
        [+] Filename: C:\shit\Peasants Quest NYD191.exe
        [x] There is not enough space in working directory. Unpacking would most likely fail!

        Why would you think this was a good idea? Well, I still hope you're going to remove it.

        Thankfully 0.55 still seems to work.

        Here's my current df -l if it helps:
        /dev/root 90791560 76754596 9382000 90% /
        devtmpfs 10240 0 10240 0% /dev
        tmpfs 814500 856 813644 1% /run
        shm 4072484 628688 3443796 16% /dev/shm
        cgroup_root 10240 0 10240 0% /sys/fs/cgroup
        none 4072484 128 4072356 1% /tmp

  9. Avatar

    How much space exactly is "enough space" for EnigmaVBUnpacker?

    I can't extract a ~600MB .exe file, when I have:
    - 3GB~ free space on my C:\ drive (system)
    - 2GB~ free space on my R:\ drive (a Ram Drive indeed, but I did NOT put %TMP% there or anything alike)
    - 3GB free RAM (5GB in total if counting cached), the RAM for R:\ is pre-allocated.

    If I use an old version (Enigma Virtual Box unpacker 0.55) it unpacks the file just fine, and the extracted files are ~600MB in total (about the same as the original .exe file).

    So... how much "empty space" in which form do I need exactly to use the updated version? I understand you want a safety feature but it would be nice to be able to manually override it.

  10. Avatar

    i unpacked enigma but failed, help me extract it all with, thank you
    file: {hidden link}
    [+] Embedded files are compressed
    [?] LoaderSize = 0. Probably old unsupported EnigmaVB version.
    [!] Unknown EnigmaVB version, cannot guarantee that unpacking will work properly!
    [!] unknown virtual file type 0
    [!] unknown virtual file type 0

    • Avatar

      You are using an old version of my unpacker. Get the latest one from https://lifeinhex.com/download/enigma-virtual-box-unpacker/ - it will give a warning but unpack your file correctly.

      EnigmaVBUnpacker v0.58, compiled on 01-12-2019 17:45
      Supports Enigma Virtual Box v4.10..9.40
      Latest version always on https://lifeinhex.com

      [+] Filename: F:\3k.exe
      [+] MD5: 6233866ebd18709d7c4541bf036c83a5
      [+] x86 executable
      [+] Embedded files are not compressed
      [+] EnigmaVB version: UNKNOWN
      [!] Unknown EnigmaVB version, cannot guarantee that unpacking will work properly!
      [+] File "F:\%DEFAULT FOLDER%\resolution.ini", size=0xA9
      [+] File "F:\%DEFAULT FOLDER%\Update2.pak", size=0x8E95AD
      [i] Original file had no TLS directory
      [+] Unpacked main file: F:\3k_unpacked.exe
      [+] Finished!

      • Avatar

        I can unzip it, I see it seems to be still the pack file, right ?, only extract a small part

        • Avatar

          There is a second protection+VMProtect in your EXE file. If you want to extract all files, you will need to analyze that part yourself.

          • Avatar

            Do you have documents for me to excerpt about that vmprotect, I tried searching online but it was useless, thank you

          • Avatar

            No, sorry, I don't have a specific tutorial.
            There are lots of tutorials and videos about VMProtect available, and some are pretty good.

          • Avatar

            I tried extracting according to the video's instructions but my file has anti-debug feature, I use strongod to bypass the anti-debug feature but it's useless for my file :(, I treaty you create the tool Extract as molebox

  11. Avatar

    Sorry for raising a question which is not so related to the unpacker.
    Recently I unpacked some Molebox-VS-packed application, but the unpacked executable seems to be 16-bit and the Windows system refused to run it (but it is not corrupted, for it can be run in wine, or maybe some old versions of Windows).
    So in fact I am wondering why it can run inside molebox. Does molebox somehow modify the PE header or something? And I'm also wondering what can I do to make it run.
    Again, sorry for bothering.

    • Avatar

      I can't answer your question without seeing the executable. It might be a bug in unpacker, it might be some Windows "feature" or it might be something else entirely.

      Could you please upload your packed file (MEGA or Mediafire preferred) and I'll be happy to take a look.

      • Avatar

        Sorry for such a late reply... course assignments and the graduation project kill me...
        I have uploaded the whole archive on mediafire, and what I am trying to unpack is malie_chs.exe inside that archive. I am doing this because ESET (or maybe other virus scanners would also do this) keeps complaining about the MoleboxVS packed file, and it also keeps deleting some games I am to play.
        But in fact I don't think the unpacked executable is corrupted. As far as I can see, it may be caused by some non-standard way MoleboxVS use to create the process.
        File link here: {hidden link}
