Enigma Virtual Box Unpacker / 解包、脱壳工具

mos9527/evbunpack

evbunpack

Enigma Virtual Box unpacker

Features

  • Executable unpacking
    • TLS, Exceptions, Import Tables and Relocs are recovered
    • Executables with Overlays can be restored as well
    • Enigma loader DLLs and extra data added by the packer are stripped
  • Virtual Box Files unpacking
    • Supports both built-in files and external packages
    • Supports compressed mode

Tested Versions

  • This applies to PE unpacking. If the chosen PE unpack variant does not work, please try out the other ones with -pe [variant]
| Packer Version | Notes | Unpack with Flags |
| --- | --- | --- |
| 11.00 | Automatically tested in CI for x86/x64 binaries. | -pe 10_70 |
| 10.70 | Automatically tested in CI for x86/x64 binaries. | -pe 10_70 |
| 9.70 | Automatically tested in CI for x86/x64 binaries. | -pe 9_70 |
| 7.80 | Automatically tested in CI for x86/x64 binaries. | -pe 7_80 --legacy-fs |

Installation

For Windows users: builds are available here

Or get the latest version from PyPI:

    pip install evbunpack

Usage

usage: evbunpack [-h] [--log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}] [-l] [--ignore-fs] [--ignore-pe] [--legacy-fs] [-pe {10_70,9_70,7_80}] [--out-pe OUT_PE] file output

Enigma Virtual Box Unpacker

options:
  -h, --help            show this help message and exit
  --log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
                        Set log level

Flags:
  -l, --list            Don't extract the files and print the table of content to stderr only
  --ignore-fs           Don't extract virtual filesystem
  --ignore-pe           Don't restore the executable
  --legacy-fs           Use legacy mode for filesystem extraction
  -pe {10_70,9_70,7_80}, --pe-variant {10_70,9_70,7_80}
                        Unpacker variant to use when unpacking EXEs. default=9_70

Overrides:
  --out-pe OUT_PE       (If the executable is to be recovered) Where the unpacked EXE is saved. Leave as-is to save it in the output folder.

Input:
  file                  File to be unpacked
  output                Output folder

Example Usage (test file available here)

Input:

evbunpack x64_PackerTestApp_packed_20240522.exe output

Output:

INFO: Enigma Virtual Box Unpacker v0.2.1
INFO: Extracting virtual filesystem
Filesystem:
   └─── output
       └─── output/README.txt
Writing File [size=0x11, offset=0x3465]: total=      11h read=       0h
INFO: Extraction complete
INFO: Restoring executable
INFO: Using default executable save path: output\x64_PackerTestApp_packed_20240522.exe
Saving PE: total=    3211h read=       0h
INFO: Unpacked PE saved: output\x64_PackerTestApp_packed_20240522.exe
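The Tested Versions note above says to try the other -pe variants when the chosen one fails. The helper below is an added example, not part of evbunpack: it lists the virtual filesystem with -l first, then runs the variants from the usage text in turn (the default 9_70 first, then 10_70, then 7_80 with --legacy-fs) and reports the first one that succeeds. It assumes the evbunpack CLI is on PATH (or named via the EVBUNPACK variable, an assumption of this script) and that evbunpack exits non-zero when unpacking fails.

```bash
#!/usr/bin/env bash
# Added example, not evbunpack's own code: try each PE unpack variant in turn.
# Assumptions: evbunpack is on PATH (override with EVBUNPACK=...) and exits
# non-zero when a variant fails.
set -u

EVBUNPACK="${EVBUNPACK:-evbunpack}"

# Variants in the order to try; the default 9_70 comes first.
# Each entry is "variant" or "variant:extra-flag" (7_80 needs --legacy-fs).
VARIANTS="9_70 10_70 7_80:--legacy-fs"

# unpack_any <packed.exe> <outdir>
# Lists the table of contents (stderr only, nothing extracted), then tries the
# variants until one succeeds. Prints the working variant and returns 0;
# returns 1 if every variant fails.
unpack_any() {
    file="$1"
    outdir="$2"
    # -l prints the virtual filesystem listing without extracting anything.
    "$EVBUNPACK" -l "$file" "$outdir" >/dev/null 2>&1 || true
    for entry in $VARIANTS; do
        variant="${entry%%:*}"
        extra=""
        if [ "$entry" != "$variant" ]; then
            extra="${entry#*:}"
        fi
        # $extra is intentionally unquoted so an empty value expands to nothing.
        if "$EVBUNPACK" --log-level WARNING -pe "$variant" $extra \
            "$file" "$outdir" >/dev/null 2>&1; then
            echo "$variant"
            return 0
        fi
    done
    return 1
}

# Stand-alone use: unpack_variants.sh <packed.exe> <outdir>
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    unpack_any "$1" "$2" || { echo "no variant succeeded" >&2; exit 1; }
fi
```

Extracted files are in the output folder and the restored PE is named after the input unless --out-pe is given, exactly as in the example run above.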

TODO

  • Automatically detect packer version

Credits

License

Apache 2.0 License