Enigma Virtual Box Unpacker / 解包工具
Project description
evbunpack
Enigma Virtual Box unpacker
Features
- Executable unpacking
- TLS, Exceptions, Import Tables and Relocs are recovered
- Executables with Overlays can be restored as well
- Enigma loader DLLs and extra data added by the packer is stripped
- Virtual Box Files unpacking
- Supports both built-in files and external packages
- Supports compressed mode
Tested Versions
- This applies to PE unpacking. If the chosen PE unpack variant does not work, please try out the other ones with
-pe [variant]
| Packer Version | Notes | Unpack with Flags |
|---|---|---|
| 11.00 | Automatically tested in CI for x86/x64 binaries. | -pe 10_70 |
| 10.70 | Automatically tested in CI for x86/x64 binaries. | -pe 10_70 |
| 9.70 | Automatically tested in CI for x86/x64 binaries. | -pe 9_70 |
| 7.80 | Automatically tested in CI for x86/x64 binaries | -pe 7_80 --legacy-fs |
Installation
For Windows Users : Builds are available here
Or get the latest version from PyPi:
pip install evbunpack
Usage
usage: evbunpack [-h] [--log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}] [-l] [--ignore-fs] [--ignore-pe] [--legacy-fs] [-pe {10_70,9_70,7_80}] [--out-pe OUT_PE] file output
Enigma Virtual Box Unpacker
options:
-h, --help show this help message and exit
--log-level {DEBUG,INFO,WARNING,ERROR,CRITICAL}
Set log level
Flags:
-l, --list Don't extract the files and print the table of content to stderr only
--ignore-fs Don't extract virtual filesystem
--ignore-pe Don't restore the executable
--legacy-fs Use legacy mode for filesystem extraction
-pe {10_70,9_70,7_80}, --pe-variant {10_70,9_70,7_80}
Unpacker variant to use when unpacking EXEs. default=9_70
Overrides:
--out-pe OUT_PE (If the executable is to be recovered) Where the unpacked EXE is saved. Leave as-is to save it in the output folder.
Input:
file File to be unpacked
output Output folder
Example Usage (test file available here)
Input:
evbunpack x64_PackerTestApp_packed_20240522.exe output
Output:
INFO: Enigma Virtual Box Unpacker v0.2.1
INFO: Extracting virtual filesystem
Filesystem:
└─── output
└─── output/README.txt
Writing File [size=0x11, offset=0x3465]: total= 11h read= 0h
INFO: Extraction complete
INFO: Restoring executable
INFO: Using default executable save path: output\x64_PackerTestApp_packed_20240522.exe
Saving PE: total= 3211h read= 0h
INFO: Unpacked PE saved: output\x64_PackerTestApp_packed_20240522.exe
TODO
- Automatically detect packer version
Credits
License
Apache 2.0 License
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
evbunpack-0.2.4.tar.gz
(15.7 kB
view details)
Built Distribution
evbunpack-0.2.4-py3-none-any.whl
(15.9 kB
view details)
File details
Details for the file evbunpack-0.2.4.tar.gz.
File metadata
- Download URL: evbunpack-0.2.4.tar.gz
- Upload date:
- Size: 15.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.10.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | a0db5350c2a79836ecf0a99a3f8444aa383162e0eccc80d4130bcc00b6347e3d |
|
| MD5 | 446b98af77bad6aedf1160207e31c970 |
|
| BLAKE2b-256 | f3bbc72fd107918bc969507ccb49f463ef703a51337df16552337bf6539f2c90 |
File details
Details for the file evbunpack-0.2.4-py3-none-any.whl.
File metadata
- Download URL: evbunpack-0.2.4-py3-none-any.whl
- Upload date:
- Size: 15.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/5.1.1 CPython/3.10.11
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | de00a4aac3426ded0aa96fabcc643e59a440c00edafa0cd5b59ee0b4ba0f28d6 |
|
| MD5 | 89e4d73874538b61507e7dd6a5784235 |
|
| BLAKE2b-256 | 650c97fb78555a0e6b3780b699a50999896a10a3321f8369f848afb28f8ea894 |
