
Loader making


w_a_r_1
July 11th, 2009, 22:39
Just trying to make a loader for a target packed with Enigma. I cracked the application without unpacking it, but I am not able to make a loader for it.

The sections are encrypted. Only when I put a bp on the GetModuleHandleA API does the section get decrypted, and then I can easily make patches.

So is it possible to make a loader in this kind of condition?

Because if the sections were not encrypted I could make a loader easily, but they only get decrypted after putting a bp on that API.

Any suggestions?

evaluator
July 12th, 2009, 07:33
Search!
For example, I remember Nico's work on a crackme...

Arcane
July 12th, 2009, 07:41
I would suggest reading Yates' paper on creating loaders; the link is at the bottom of the page.

naides
July 12th, 2009, 17:56
For lazy bastards like me there are ready-made loader generators. Search the web for them. Also, go through Lena's video tutorials; she shows how to use the unpacker code segment to implement your own patches (not a loader per se, but it works...).

BanMe
July 12th, 2009, 20:16
That is brilliant!! The videos are great and the generators aren't that bad..
But implementing code patching in the unpacker code segment is an excellent approach..
Especially for dumping, patching and so forth. The way I can see to do this "generically" for packed programs that run the stub first is to create the process suspended, OpenThread, GetContext, change the selector to cause a GENERAL_PAGE_FAULT on execution, do some fancy stuff with the error handler at fs:[0] to handle the GPF, then SetContext and ResumeProcess. This should pick up execution of either the thread or the TLS or whatever; this break on execution should yield to us the fake OEP. We then just need to analyze the unpacking routine and find the decrypt; with a little help from branch checking and a disassembler we could make it auto-patch the unpacking code. sizeof(AlreadyRunCode) is all patchable and reusable, and it has done its job. :] From that vantage point you can analyze and patch as much code as you want..

Regards, BanMe

w_a_r_1
July 12th, 2009, 20:17
You guys are not getting exactly what I want. I know very well how to make a loader, but this situation is different. I have seen Lena's tutorial. It is easy to make because there is no encryption or decryption process. As I said above, this is packed with Enigma. Suppose I want to patch

VA 40201A, and the byte there is 35 and I want to change it to 36... easy with a loader if there is no decryption process.

But if the program is not in a running state, the bytes at this VA 40201A are 00, which decrypt into 35 when I put a bp on GetModuleHandleA. So how to make a loader in this condition? I tried to make a loader like in Lena's tutorial by changing the byte from 35 to 36 and running it; it was giving an error..... So now, is there any help which I can expect?

arc_
July 12th, 2009, 20:43
Why bother with a loader? Can't you just unpack it and then patch it on disk?

w_a_r_1
July 12th, 2009, 22:15
Ya, I know that by reading a couple of tutorials I can unpack it. But in the future Enigma is growing day by day and unpacking is becoming harder, so it would be good if I had another option.... like, without unpacking the target, just crack it by patching a few bytes with the help of a loader.

Arcane
July 13th, 2009, 03:47
http://www.reverse-engineering.info/PE_Information/Crackers_Guide_To_Program_Flow.pdf

That was the link I was thinking about.

naides
July 13th, 2009, 09:25
Uhhmm. I think I get your problem. You need to make a loader that knows how long to wait and makes sure the program is already decrypted before applying the patches... Right?
The loader should hook either the code of Enigma before the jmp to the OEP of the protected code, or an API that is called by the decrypted code and the decrypted code only, but is called after the decryption takes place (obviously) and before the code to be patched is run.
Variations on the theme include a hook in the loader code that is called frequently, examines the bytes to be patched, detects when they get decrypted, and then proceeds to patch. Or maybe I still do not understand the question. Try harder to explain what you really need to do.

w_a_r_1
July 13th, 2009, 09:42
You are right, Naides. Thank God, now someone knows exactly what I want. Making a simple loader with dup is easy, just a 5 min job, but this condition is a little different.

disavowed
July 13th, 2009, 12:15
I don't understand. If you can trace it to the OEP, why bother creating a loader at all? Why not just dump the memory, fix the IT and the OEP, and be done with it?

w_a_r_1
July 13th, 2009, 14:42
Yes, I know that by reading tutorials I can do it, but this time I am here for a loader; next time I will come with an unpacking issue with Enigma, if it is the latest version, or VMProtect. Because there are a couple of applications I can crack without unpacking, so there is no need to go on the forum and ask the same question, how to unpack this and how to unpack that. If I can crack a target without unpacking, then I think it's a big achievement.