Is it safe to use compiler directive

Grawol
Posts: 3
Joined: Sun Aug 19, 2018 10:58 am

Is it safe to use compiler directive

Post by Grawol » Sun Aug 19, 2018 11:17 am

Hello Enigma team,
I have a doubt regarding the safety of my program due to my lack of knowledge. Is it fine if I use this kind of approach?
I want it to be easier when I develop my program. I hope you understand what I mean.

Code:

begin
{$IFDEF RELEASE}
  // will check all needed security and registration things.
  EP_Marker('vm_risc_begin');
  if EP_RegKeyStatus = 0 then ....
  if not EP_CheckupIsEnigmaOk then ...
  EP_Marker('vm_risc_end');
{$ENDIF}
  // my procedures
end;
So, my program will check the security only if it is built under the release directive.
My silly question: can an attacker make some kind of switch or jump to another mode (not "RELEASE" in this case)?

Regards

ilya01
Posts: 104
Joined: Tue Oct 07, 2014 2:31 am

Re: Is it safe to use compiler directive

Post by ilya01 » Sun Aug 19, 2018 1:49 pm

If you use a preprocessor directive then the answer is no, because this is only a compilation-time process.
If you use dynamic runtime checks then the answer is yes.
For Delphi you must Build the project after adding these conditions.
More info here: http://docwiki.embarcadero.com/RADStudi ... n_(Delphi)

Enigma
Site Admin
Posts: 2367
Joined: Wed Aug 20, 2008 2:24 pm

Re: Is it safe to use compiler directive

Post by Enigma » Mon Aug 20, 2018 10:40 am

Grawol wrote: Hello Enigma team,
So, my program will check the security only if it is built under the release directive.
My silly question: can an attacker make some kind of switch or jump to another mode (not "RELEASE" in this case)?
The way you are trying to code is almost OK; however, I would give you some advice.
1. The code example you gave belongs to the x64 version, right? Because for the x86 version markers should be placed using includes.
2. The main problem in your code is that it protects only part of the code, the code that checks for protection, but excludes your procedures from protection. In this case, a cracker can add a jump before the begin marker over the security functions and just skip them from running. To avoid that, you need to cover your procedures in markers too, so if a cracker adds a jump over the markers, over the security functions, it will also skip the execution of your code (that may cause problems).
So the code would look as follows:

Code:

begin
  EP_Marker('vm_risc_begin');
{$IFDEF RELEASE}
  // will check all needed security and registration things.
  if EP_RegKeyStatus = 0 then ....
  if not EP_CheckupIsEnigmaOk then ...
{$ENDIF}
  // my procedures
  EP_Marker('vm_risc_end');
end;
3. Also note that I moved the EP_Marker function outside of RELEASE; that's OK. Just copy enigma_ide64.dll into the folder of the compiled executable to allow it to run and debug. Note: do not distribute this DLL with the protected application, it is not needed after protection!
4. Common advice: review the function/procedure where you apply a virtual machine or security check. In some cases, this kind of protection could be useless, or can be simply bypassed by a cracker, for example:

Code:

procedure DoCheck();
begin
  EP_Marker('vm_risc_begin');
  // will check all needed security and registration things.
  if EP_RegKeyStatus = 0 then ....
  if not EP_CheckupIsEnigmaOk then ...
  EP_Marker('vm_risc_end');
end;
Useless procedure: a cracker can patch the memory and just avoid execution of this function; it won't affect the functionality of the program.

Code:

function DoCheck() : boolean;
begin
  Result := false;
  EP_Marker('vm_risc_begin');
  // will check all needed security and registration things.
  if EP_CheckupIsEnigmaOk then Result := true;
  EP_Marker('vm_risc_end');
end;
Also a useless function: a cracker can patch memory, avoid execution of this function, and change the execution context to always return TRUE.

Code:

function DoAdd(AInteger1, AInteger2 : integer) : Integer;
begin
  Result := 0;
  EP_Marker('vm_risc_begin');
  // will check all needed security and registration things.
  if EP_CheckupIsEnigmaOk then
  begin
    Result := AInteger1 + AInteger2;
  end;
  EP_Marker('vm_risc_end');
end;
This is the correct example, because if a cracker avoids execution of the function, something in the program stops working, since the DoAdd function performs some algorithm (addition). If the cracker somehow skips the protection part, the important useful functionality will also be missed.
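One way to combine points 2 and 4 above in a single routine, as an added example that is not from this thread or from the Enigma SDK samples: the markers wrap both the check and the useful work, the check itself is only compiled in the RELEASE build, and the function's result depends on the check, so skipping the marked region also skips the computation. It assumes the EP_Marker and EP_CheckupIsEnigmaOk functions named above are available from the Enigma SDK unit, and that the protected build is the one compiled with the RELEASE define.

```pascal
// Added example (not the thread author's or Enigma's own code).
// Assumes EP_Marker and EP_CheckupIsEnigmaOk from the Enigma SDK unit.
function ComputeInvoiceTotal(const Prices: array of Currency;
                             TaxRate: Double): Currency;
var
  I: Integer;
  Licensed: Boolean;
begin
  Result := 0;
  // Point 2: the markers cover the check AND the real work, so a jump over
  // the whole region also removes the calculation the caller needs.
  EP_Marker('vm_risc_begin');
{$IFDEF RELEASE}
  // Point 4: the registration check decides whether the result is computed
  // at all; there is no separate boolean "DoCheck" for a patch to target.
  Licensed := EP_CheckupIsEnigmaOk;
{$ELSE}
  // Unprotected debug build: behave as licensed so development keeps working.
  Licensed := True;
{$ENDIF}
  if Licensed then
  begin
    for I := Low(Prices) to High(Prices) do
      Result := Result + Prices[I];
    Result := Result * (1 + TaxRate);
  end;
  EP_Marker('vm_risc_end');
end;
```

The caller uses the returned total directly, so a build where the marked region is skipped produces visibly wrong invoices rather than silently passing.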

Grawol
Posts: 3
Joined: Sun Aug 19, 2018 10:58 am

Re: Is it safe to use compiler directive

Post by Grawol » Thu Aug 23, 2018 4:35 am

Thank you Ilya and Enigma. Very clear explanation.
It will take me some time to implement this new knowledge. I very much appreciate it.

One more thing, is this okay ?

Code:

[09:34:38] Input file size = 7412914 bytes
[09:34:38] - function EP_RegCheckAndSaveKey found
[09:34:38] - function EP_CheckupIsEnigmaOk found
[09:34:38] - function EP_RegLoadKeyEx found
[09:34:38] - function EP_RegDeleteKey found
[09:34:38] - function EP_CheckupIsProtected found
[09:34:38] - function EP_RegLoadAndCheckKey found
[09:34:38] - function EP_RegHardwareID found
[09:34:38] - function EP_RegKeyStatus found
[09:34:38] Search markers...
[09:34:40] Marker found: vm_risc_begin, virtual address: 0x0083346A
[09:34:40] Marker found: vm_risc_end, virtual address: 0x00833495
[09:34:40] Marker found: reg_crypt_begin2, virtual address: 0x0083475E
[09:34:40] Marker found: reg_crypt_end2, virtual address: 0x00834770
[09:34:40] Marker found: vm_risc_begin, virtual address: 0x008359E9
[09:34:40] Marker found: vm_risc_end, virtual address: 0x00835B49
[09:34:41] - 0 function(s) processed with RISC virtual machine <<<<-- 0 function, what is count on this function ?
[09:34:41] Process Virtual Machine ...
[09:34:51] Compress section :
......
Best Regards

Enigma
Site Admin
Posts: 2367
Joined: Wed Aug 20, 2008 2:24 pm

Re: Is it safe to use compiler directive

Post by Enigma » Thu Aug 23, 2018 3:22 pm

Grawol wrote (Thu Aug 23, 2018 4:35 am):
One more thing, is this okay?
That's absolutely OK.

There are two ways how to apply virtual machine:
- using markers, like you do
- using MAP file and feature Virtual Machine - Functions Selecting

In your log, I see that the protection found the markers well and there are no problems with that.
But since you do not use the virtual machine through a MAP file, it shows that zero functions were processed. This means zero functions from the MAP file.
