10 May 2020

Update of unpackers

I'm trying to get back into reversing. Slowly.

So, here's a long-promised update to the Molebox unpacker. It fixes unpacking of very, VERY, VERY old Molebox versions. The only file I have ever seen packed with it is the SCWU role-playing game.

Enigma Virtual Box unpacker

This was done a long time ago but I never posted it publicly. It adds support for Enigma Virtual Box 9.30/9.40. It should support 9.50 too, but that's not tested.

41 thoughts on “Update of unpackers”

  1. Hi sir! Thank god you're back! BTW, can you check this EXE? I can't unpack it using your new version of Demoleition. I just need the file inside for study :) or you can send it to my email :)
    {hidden link}
    I hope you can check it :)

    Link here: {hidden link}
    Mirror: {hidden link}

    God bless, Sir Kao!

  2. Hi Sir Kao, I'm glad that you're back in reverse engineering. Anyway, can you check this one? I can't unpack it using your tool. And please, if you don't mind, can you send the files to my email address, just for study?
    Thank you, Sir Kao! God bless
    {hidden link}

    • That's because it is a custom launcher and not packed with Molebox or Enigma Virtual Box. It's very easy to unpack, just put a breakpoint on WriteProcessMemory and you'll find both the unpacked EXE file and a special DLL.

      I will not send you any files - if you need it, you unpack it yourself. :)

  3. Dear Mister Kao, you just solved a major crisis for M.U.G.E.N. THE SCWU, years and years people suffered trying to find solutions for this game. I ended up getting very close and understanding the situation the game was in, but I don't have knowledge of reverse engineering. You saved a lot of developers of Mugen and other game mods just by doing this. THANK YOU VERY MUCH, although I think the creator of the free game (G Sueno) may be very angry when discovering this, but the game has been around since 2003, so I still don't know...
    IN ANY WAY THANK YOU!

  4. Nice you're back in action, kao! Great job as always, also for directions to Gordon.

    1 thanks and 1 request till now ... fair enough, I think :)

    • Hi Gino Manzon, the "hide files" feature is supported, you just need to have a good mole_dictionary.txt. Please read the description in https://lifeinhex.com/september-update-of-unpackers/ .

      If you have a specific file that cannot be unpacked correctly, please upload it to MEGA or MediaFire and post the link in comments. I will be happy to check it when I have some free time.

  5. Ahh, I see, thank you sir Kao. I hope you can soon update this hide feature to work without using mole dictionary.text. I'm willing to pay :)

    • :facepalm: Did you read the explanation in my link?

      Molebox VS [...] stores hash of the filename - original filenames are not stored anywhere

      It works the same way as cracking password hashes - you know the hash and want to find the password (or filename). You can either run MD5 bruteforce - which will take days/months/years, or use a good dictionary and find the password immediately. There is no other way.

  6. Hello Mr Kao, I have been trying to unpack an exe with all versions of your tool, but I have not been successful and I always get a message: [x] EXCEPTION ERangeError

    PEiD shows: MoleBox 2.x.x -> Mole Studio [Overlay]

    I'll leave the file in case you have some time and maybe I can look at it.
    Thank you for your time and attention.

    {hidden link}

    • Thank you Cristiano, your uploaded file helps me a lot!

      I know what the problem is and will try to fix it soon™. I'll post an updated version of unpacker when it's done.

  7. [+] Filename: E:\abc\123.exe
    [i] Loading large file, it might take some time...
    [+] x86 executable
    [x] Expected section name ".enigma2", found ".engame2"
    [x] This file is not protected with Enigma Virtual Box or is hacked.

    What does it mean? Why doesn't it work?

    • It means exactly that:

      This file is not protected with Enigma Virtual Box or is hacked.

      If you know how to use a hex editor, you can try to find the string ".engame2" in the PE header, change it to ".enigma2" and hope that my unpacker will work afterwards.
      [Image: Changing .engame2]

    • kao showed you how in the pic; you search for:

      2E 65 6E 67 61 6D 65 32

      In ASCII:
      2E = .
      65 = e
      6E = n
      67 = g
      61 = a
      6D = m
      65 = e
      32 = 2

  8. {hidden link}

    [+] Filename: E:\H\miel\abc1.5.exe
    [i] Loading large file, it might take some time...
    [+] x86 executable
    [x] Expected section name ".enigma2", found ".rsrc"
    [x] This file is not protected with Enigma Virtual Box or is hacked.

    What does it mean? Why doesn't it work?

  9. Hi @Kao
    First, thanks for your unpack tool, it saved my work.
    The tool is able to unpack some text files,
    but it still cannot unpack some files (*.spr) from my file.
    Could you please help me take a look?
    {hidden link}

    Thanks so much

  10. Hello @Kao, I hope you're having a good day.
    I get the error:
    [x] Expected section name ".enigma2", found ".rsrc"
    While trying to unpack an executable.
    I checked out ".enigma2" using a hex editor and as you can see in the shared link, it's there.
    What should I do? I need your help.

    • Sections .enigma1 and .enigma2 must be the last sections in the file. In your case, there is another section .rsrc after them. It means your file has been modified by someone after packing.

      You can try deleting .rsrc section using some PE editor and then use my unpacker. But I cannot promise it will work.
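
The section-order rule from the replies above (.enigma1 and .enigma2 must be the last sections in the file) can be checked by reading the PE section table before running an unpacker. This is an added example, not code from kao's tool; the function names, status strings and the header-only sample builder are assumptions made for illustration.

```python
import struct

EXPECTED_TAIL = [".enigma1", ".enigma2"]  # per the reply above: must be the last two sections

def section_names(data: bytes) -> list:
    """Return PE section names in section-table order."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)           # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    (count,) = struct.unpack_from("<H", data, pe_off + 6)      # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, pe_off + 20)  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size                             # table follows the optional header
    if table + count * 40 > len(data):
        raise ValueError("truncated section table")
    return [data[table + i * 40: table + i * 40 + 8].rstrip(b"\x00").decode("latin-1")
            for i in range(count)]

def diagnose(data: bytes):
    """Classify the section layout as (status, detail)."""
    names = section_names(data)
    if names[-2:] == EXPECTED_TAIL:
        return "ok", names
    if ".enigma2" in names[:-1]:
        # Packed, then modified: something was appended after the Enigma sections.
        return "sections_after_enigma", names[names.index(".enigma2") + 1:]
    # Expected tail is absent: not Enigma Virtual Box, or a section was renamed.
    return "not_evb_or_renamed", names[-1:]

def build_headers(names):
    """Constructed sample: PE headers only (no section data), so the demo runs offline."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)       # 64-byte DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, 0xE0, 0x102)
    table = b"".join(n.encode().ljust(8, b"\x00") + b"\x00" * 32 for n in names)
    return dos + b"PE\x00\x00" + coff + b"\x00" * 0xE0 + table

if __name__ == "__main__":
    for layout in ([".text", ".rsrc", ".enigma1", ".enigma2"],   # untouched packed file
                   [".text", ".enigma1", ".enigma2", ".rsrc"],   # section added after packing
                   [".text", ".rsrc", ".enigma1", ".engame2"]):  # renamed last section
        print(layout, "->", diagnose(build_headers(layout)))
```

The second and third layouts correspond to the two error messages quoted in the comments: "found .rsrc" and "found .engame2".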

  11. Thanks for answering first of all,
    I managed to delete the .rsrc section and now there's another error. I know you are generally busy, but is it possible that you could help me with that?

    • I can't help you without seeing the actual file. If you upload it to MEGA or MediaFire and post the link, I'll try to figure out what's going on.

  12. {hidden link}

    There's the file. I would recommend you to run it inside a VM or a sandbox. Thanks for helping, I'll be looking for your reply.

    • Now that I see the file, I can assure you - it is not packed with Enigma VirtualBox. If I had to guess, I would say it is Themida, possibly in combination with Enigma Protector.

      As far as I know, there is no public unpacker for these protectors.

  13. I used Enigma Virtual Box unpacker 0.58 to extract an .exe file, then I got this result:

    EnigmaVBUnpacker v0.58, compiled on 01-12-2019 17:45
    Supports Enigma Virtual Box v4.10..9.40
    Latest version always on {hidden link}

    [+] Filename: \\Mac\Home\Desktop\ratai\BFC.exe
    [i] Loading large file, it might take some time...
    [+] x86 executable
    [+] Embedded files are not compressed
    [+] EnigmaVB version: UNKNOWN
    [!] Unknown EnigmaVB version, cannot guarantee that unpacking will work properly!
    [+] File "\\Mac\Home\Desktop\ratai\%DEFAULT FOLDER%\credits.html", size=0x1EC4B4
    [x] Extraction of file \\Mac\Home\Desktop\ratai\%DEFAULT FOLDER%\credits.html failed, probably corrupted executable!

    As a result of my test, EnigmaVBUnpacker v0.58 can't support Enigma Virtual Box 9.50.

    • Thank you. If you could upload your file to MEGA.nz or Mediafire.com, I will be happy to update the unpacker.

  14. Thanks for the tools, it really makes my life easier. However, could you add an option to override the "enough space" check for EnigmaVBUnpacker?

    From time to time, when I try to unpack a file while I'm low on drive space (right now 4.42GB left on my only drive in my laptop after I tried to remove ~1GB of unused files) I'll get the message:

    [x] There is not enough space in working directory. Unpacking would most likely fail!

    I know for a fact that the file I'm trying to unpack isn't that large when unpacked, the file I unpacked today only takes 534MB of disk space after unpacking, which I did with an older version EnigmaVBUnpacker 0.55.

    I don't know how long the old version (that doesn't have the check) would keep working since it dates back to 2018, I'd really like to be able to use the newer versions.

    • If you have just 4.42GB free space on your hard drive, you have bigger issues than my unpacker refusing to run. ;)

      I could add a command-line option. But do you really think anyone will ever read the manual to find this option?

      I'll think about that.

  15. Hello Kao, thank you for EVBUnpacker. I have a problem: after I unpacked the file,
    EVBU said "Original file had no TLS directory" and I can't read the original file. Is there a way to fix this?

    Thank you

    • Hi EneoMy,
      I really can't answer that question without seeing the original file. Please upload it to Mega or MediaFire and send me the link. I'll be happy to take a look.

  16. Hello Kao, I stumbled across your blog while researching an agile.net unpacker & deobfuscator. Awesome work on Enigma, do you have any tools for agile.net as well? Earlier I have used de4dot with good success for C# binaries which were using old agile protection.
    Any help will be highly appreciated. Cheers!
