Chronicle: Enigma Protector 5.x Unpacker
Phase 3: Dumping and IAT Rebuilding
Once execution lands at the OEP, you cannot simply dump the process and expect a working file: Enigma 5.x steals the first bytes at the OEP and redirects imports through its own thunks, so both have to be repaired by hand.
- Dump at OEP: Use x64dbg's Scylla plugin. Dump the full memory region of the module (not just the main code section); the protector's own sections must stay in the dump because the import thunks live there.
- IAT Autosearch: In Scylla, click `IAT Autosearch` -> `Get Imports`. Enigma redirects imports, so many entries will show up as invalid: pointers that do not resolve to any exported API. You must manually trace each such API call.
- Tracing API Calls: In the dumped code, any call like `call dword ptr [0x12345678]` likely points to a thunk. Follow that thunk; it will contain a `jmp dword ptr [0xABCDEF00]`. That final address should point into a system DLL. Log all such addresses, write the resolved API addresses back into the original IAT slots, and then let Scylla resolve the names and rebuild the import table.
- Fix OEP Bytes: Enigma sometimes steals the first 10-20 bytes of the original code (e.g., `push ebp` / `mov ebp, esp`). These bytes are stored encrypted in the protector's section. Set a memory breakpoint (or a hardware breakpoint on write) on the OEP's first byte to catch where the protector writes them, and copy them from there. If execution reaches the OEP from the protector's section without any write to that address, the stolen bytes were executed inside the protector's section just before the jump; trace back from that jump to recover them, then paste them at the OEP in the dump.
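The thunk walk from the list above, as an added Python example (it is not code from the original article or from the protector's authors): it scans a dumped code range for `call dword ptr [imm32]` sites, follows each IAT slot through `jmp dword ptr [x]` thunks until the pointer lands in a system DLL, and writes the resolved address back into the slot so Scylla's `Get Imports` can name it. The dump, every address in it, and the module ranges that stand in for x64dbg's memory map are constructed for the example; the script assumes a 32-bit raw memory dump whose file offset equals RVA. It also follows `jmp rel32` thunks, a chaining form the text does not mention.

```python
import struct

# Constructed layout: a 32-bit dump taken at the OEP, saved with file offset == RVA
# (a raw memory dump), image base 0x400000. All addresses below are made up for the example.
IMAGE_BASE = 0x400000
IMAGE_SIZE = 0x4000

# Stand-in for x64dbg's memory map: which address ranges belong to system DLLs (assumed values).
SYSTEM_MODULES = {
    "kernel32.dll": (0x76000000, 0x760F0000),
    "user32.dll":   (0x77100000, 0x77200000),
}

def build_sample_dump():
    """Constructed dump reproducing the call -> thunk -> jmp chain from the text."""
    img = bytearray(IMAGE_SIZE)
    # .text at RVA 0x1000: two 'call dword ptr [imm32]' (FF 15) sites followed by a ret.
    img[0x1000:0x1006] = b"\xff\x15" + struct.pack("<I", IMAGE_BASE + 0x3000)
    img[0x1006:0x100C] = b"\xff\x15" + struct.pack("<I", IMAGE_BASE + 0x3004)
    img[0x100C] = 0xC3
    # Protector section at RVA 0x2000: thunk 'jmp dword ptr [0x403100]' (FF 25).
    img[0x2000:0x2006] = b"\xff\x25" + struct.pack("<I", IMAGE_BASE + 0x3100)
    # IAT at RVA 0x3000: slot 0 redirected into the thunk, slot 1 still pointing at kernel32.
    struct.pack_into("<I", img, 0x3000, IMAGE_BASE + 0x2000)
    struct.pack_into("<I", img, 0x3004, 0x76005678)
    # The protector's private pointer table: the thunk's jmp target holds the real API address.
    struct.pack_into("<I", img, 0x3100, 0x76001234)
    return img

def read_u32(img, va):
    return struct.unpack_from("<I", img, va - IMAGE_BASE)[0]

def in_image(va):
    return IMAGE_BASE <= va < IMAGE_BASE + IMAGE_SIZE

def module_for(va):
    for name, (lo, hi) in SYSTEM_MODULES.items():
        if lo <= va < hi:
            return name
    return None

def resolve_slot(img, slot_va, max_hops=8):
    """Follow an IAT slot through 'jmp dword ptr [x]' / 'jmp rel32' thunks until the
    target lands in a system DLL. Returns (final_va, module) or (last_va, None)."""
    target = read_u32(img, slot_va)
    for _ in range(max_hops):
        mod = module_for(target)
        if mod or not in_image(target):
            return target, mod
        off = target - IMAGE_BASE
        if img[off:off + 2] == b"\xff\x25":          # jmp dword ptr [imm32]
            target = read_u32(img, struct.unpack_from("<I", img, off + 2)[0])
        elif img[off] == 0xE9:                        # jmp rel32 (thunk chained to another thunk)
            target = target + 5 + struct.unpack_from("<i", img, off + 1)[0]
        else:
            return target, None                       # not a thunk we recognise: leave for manual work
    return target, None

def scan_call_sites(img, code_rva, code_size):
    """Byte-scan a code range for 'call dword ptr [imm32]' and resolve each IAT slot.
    A linear byte scan can misfire on immediates that happen to contain FF 15; drive this
    from a disassembler on a real target and treat the output as a worklist."""
    records, off, end = [], code_rva, code_rva + code_size
    while off + 6 <= end:
        if img[off:off + 2] == b"\xff\x15":
            slot_va = struct.unpack_from("<I", img, off + 2)[0]
            if in_image(slot_va):
                api_va, mod = resolve_slot(img, slot_va)
                records.append({"call_va": IMAGE_BASE + off, "slot_va": slot_va,
                                "api_va": api_va, "module": mod})
                off += 6
                continue
        off += 1
    return records

def rebuild_iat(img, records):
    """Write each resolved API address back into its original IAT slot so Scylla's
    Get Imports can name it. Returns how many slots were patched."""
    patched = 0
    for r in records:
        if r["module"] and read_u32(img, r["slot_va"]) != r["api_va"]:
            struct.pack_into("<I", img, r["slot_va"] - IMAGE_BASE, r["api_va"])
            patched += 1
    return patched

if __name__ == "__main__":
    dump = build_sample_dump()
    found = scan_call_sites(dump, 0x1000, 0x10)
    for r in found:
        print("call %08X -> slot %08X -> %08X (%s)" % (r["call_va"], r["slot_va"], r["api_va"], r["module"]))
    print("patched", rebuild_iat(dump, found), "IAT slot(s)")
```

On a real dump, replace `SYSTEM_MODULES` with the ranges from x64dbg's Memory Map and feed the function the `.text` RVA and size from the section table; any record that comes back with `module` set to `None` is a thunk shape the script does not understand and needs the manual trace described above.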
Step 6 – Fix Sections and Relocations
Enigma may compress or encrypt the original sections, and the dumped headers still describe the protected layout. After unpacking, restore the section names (.text, .rdata, .data) and recalculate each section's VirtualSize and RawSize; for a memory dump the simplest consistent layout is PointerToRawData equal to VirtualAddress and SizeOfRawData equal to VirtualSize rounded up to FileAlignment, with SizeOfImage updated to match. For DLLs, the relocation table must be repaired or removed. Removing it is only valid if the DLL will always be mapped at its preferred ImageBase: set IMAGE_FILE_RELOCS_STRIPPED in FileHeader.Characteristics, clear IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE so the loader does not try to rebase it, and zero the base relocation data directory. If the module may be rebased, keep the table and repair it instead.
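The header repair from this step, as an added Python example rather than the article's own tooling: it rewrites each section header of a memory dump so the raw layout matches the virtual one, restores names the analyst supplies, recomputes SizeOfImage, and strips the relocation table the way a fixed-base DLL dump needs. The sample PE, its alignments and its section layout are constructed for the example; the header offsets are the standard IMAGE_NT_HEADERS32 layout and the flag values are the real winnt.h constants.

```python
import struct

# winnt.h values (real constants)
IMAGE_FILE_RELOCS_STRIPPED = 0x0001
IMAGE_FILE_DLL = 0x2000
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
DIR_BASERELOC = 5          # index of the base relocation data directory
SECTION_ALIGN = 0x1000     # assumed for the constructed sample
FILE_ALIGN = 0x200

def align_up(v, a):
    return (v + a - 1) & ~(a - 1)

def u32_at(img, off):
    return struct.unpack_from("<I", img, off)[0]

def nt_offset(img):
    if img[:2] != b"MZ":
        raise ValueError("not a PE image")
    nt = u32_at(img, 0x3C)                       # e_lfanew
    if img[nt:nt + 4] != b"PE\0\0":
        raise ValueError("bad NT signature")
    return nt

def section_headers(img):
    """Offsets of the IMAGE_SECTION_HEADER entries (40 bytes each)."""
    nt = nt_offset(img)
    n = struct.unpack_from("<H", img, nt + 6)[0]          # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", img, nt + 20)[0]  # FileHeader.SizeOfOptionalHeader
    first = nt + 24 + opt_size
    return [first + i * 40 for i in range(n)]

def fix_sections(img, names):
    """A memory dump already has raw layout == virtual layout; make the headers say so.
    names: the original section names to restore, one per header (assumed known to the analyst).
    Returns [(name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData), ...]."""
    nt = nt_offset(img)
    opt = nt + 24
    hdrs = section_headers(img)
    image_end = 0
    for i, h in enumerate(hdrs):
        vsize, va = struct.unpack_from("<II", img, h + 8)
        if vsize == 0:   # protector zeroed VirtualSize: span up to the next section (or SizeOfImage)
            nxt = u32_at(img, hdrs[i + 1] + 12) if i + 1 < len(hdrs) else u32_at(img, opt + 56)
            vsize = nxt - va
        raw = align_up(vsize, FILE_ALIGN)
        struct.pack_into("<8s", img, h, names[i].encode()[:8])
        struct.pack_into("<IIII", img, h + 8, vsize, va, raw, va)   # raw pointer == RVA
        image_end = max(image_end, va + vsize)
    struct.pack_into("<I", img, opt + 56, align_up(image_end, SECTION_ALIGN))  # SizeOfImage
    return [(names[i],) + struct.unpack_from("<IIII", img, h + 8) for i, h in enumerate(hdrs)]

def reloc_directory(img):
    opt = nt_offset(img) + 24
    return struct.unpack_from("<II", img, opt + 96 + DIR_BASERELOC * 8)

def strip_relocations(img):
    """Drop the base relocation table from a DLL dump. Only valid if the DLL will always be
    mapped at its preferred ImageBase; a module that can be rebased needs the table repaired,
    not removed. Returns (FileHeader.Characteristics, DllCharacteristics) after the change."""
    nt = nt_offset(img)
    opt = nt + 24
    chars = struct.unpack_from("<H", img, nt + 22)[0] | IMAGE_FILE_RELOCS_STRIPPED
    dllchars = struct.unpack_from("<H", img, opt + 70)[0] & ~IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
    struct.pack_into("<II", img, opt + 96 + DIR_BASERELOC * 8, 0, 0)
    struct.pack_into("<H", img, nt + 22, chars)
    struct.pack_into("<H", img, opt + 70, dllchars)
    return chars, dllchars

def build_sample_pe():
    """Constructed 32-bit DLL dump (headers only): names wiped, .data VirtualSize zeroed,
    raw sizes/pointers left at zero, ASLR enabled, with a .reloc directory present."""
    img = bytearray(0x4000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 3, 0, 0, 0, 0xE0, IMAGE_FILE_DLL)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                                  # PE32
    struct.pack_into("<I", img, opt + 28, 0x10000000)                        # ImageBase
    struct.pack_into("<II", img, opt + 32, SECTION_ALIGN, FILE_ALIGN)
    struct.pack_into("<I", img, opt + 56, 0x4000)                            # SizeOfImage
    struct.pack_into("<H", img, opt + 70, IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    struct.pack_into("<I", img, opt + 92, 16)                                # NumberOfRvaAndSizes
    struct.pack_into("<II", img, opt + 96 + DIR_BASERELOC * 8, 0x3000, 0x40)
    for i, (vs, va) in enumerate([(0x0E50, 0x1000), (0, 0x2000), (0x40, 0x3000)]):
        struct.pack_into("<IIII", img, opt + 0xE0 + i * 40 + 8, vs, va, 0, 0)
    return img

if __name__ == "__main__":
    pe = build_sample_pe()
    for row in fix_sections(pe, [".text", ".data", ".reloc"]):
        print("%-8s vsize=%05X va=%05X raw=%05X ptr=%05X" % row)
    print("Characteristics=%04X DllCharacteristics=%04X" % strip_relocations(pe))
```

The script deliberately keeps the `.reloc` section in place even after `strip_relocations`; once the data directory is zeroed the loader ignores its contents, and leaving the bytes avoids shifting the later sections of a dump whose raw offsets now equal RVAs.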