Any questions? Ask us: support@enigmaprotector.com

Protected RAM

Post here any topics that related to Enigma Protector, its functionality, your misunderstanding, offers to improvements etc etc etc

Protected RAM

Postby TechnoMan » Fri Nov 08, 2013 10:37 pm

I got another question.

Autoit scripts have the signature AU3!EA06 inside, therefore you can easily dump the whole script from the ram by searching for EA06 and then decompile the dumped code.

Now i ask myself if enigma protects against this?

Thanks
TechnoMan
 
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Postby Enigma » Mon Nov 11, 2013 1:22 pm

As far as I remember, AutoIt places this code in the file overlay. No one protection protects the overlay, it is just being always copied to the protected file unmodified.

Anyway, there is a way to apply some kind of protection to this data. Do the following in Enigma Protector:
1. Select input and output files in Input panel. Note, name of the files should be same, it is important.
2. Go to Virtual Box - Files, enable this option and place an input file in the %DEFAULT FOLDER% (you may enable compression there)
3. Go to Miscellaneous - Other and check the option Remove File Overlay.

Then protect. This data should be gone from protected file.
Enigma
Site Admin
 
Posts: 2142
Joined: Wed Aug 20, 2008 2:24 pm

Re: Protected RAM

Postby TechnoMan » Mon Nov 11, 2013 3:38 pm

Hello,

well if i remove the overlay than i get a AutoIt error.

I talked to a experienced friend he coded a protection for AutoIt scripts.

The way he protects the script form dumping it is that he just decrypts small parts of the code in the RAM when they are needed and then encrypt it again.

So if you want to dump it you need a very long time unti you have the whole code.

Is it possible to do something like this with Enigma?

Thanks
TechnoMan
 
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Postby Enigma » Mon Nov 11, 2013 3:44 pm

Yes, that's what I was talking you. This feature is Virtual Box.

If you just enable Remove Overlay feature then this will cause error.

But the main thing - add input executable into DEFAULT FOLDER of Virtual Box feature. Moreover, the name of the file in Virtual Box and the name of protected executable should be same, otherwise it won't work. I can confirm that I tested this way myself, and it worked well.
Enigma
Site Admin
 
Posts: 2142
Joined: Wed Aug 20, 2008 2:24 pm

Re: Protected RAM

Postby TechnoMan » Mon Nov 11, 2013 3:58 pm

Sorry but what file should i add to the virtual box?

The unprotected exe?

//EDIT: Okay seems to work. The overlay is gone and it still works fine.

I just wonder. Isn't is risky to place the unprotected file into the output? Or is it not really possible to access the virtual box?

Thanks
TechnoMan
 
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Postby Enigma » Mon Nov 11, 2013 4:07 pm

Yes, the unprotected one.

If you want to go further, you may do more customizations to increase protection. Placing unprotected file into Virtual Box is not the "securest" way, so you may create a copy of unprotected file, walk through it's PE sections and delete all code and data inside it, everything excluding overlay. So the embeded file won't be a copy of unprotected file, just will contain an overlay inside. I'm not sure if after deleting all code/data inside it will still work, but at least code could be deleted w/o problems.
Enigma
Site Admin
 
Posts: 2142
Joined: Wed Aug 20, 2008 2:24 pm

Re: Protected RAM

Postby TechnoMan » Mon Nov 11, 2013 4:18 pm

Thanks for this idea i will try it out :)

If it does not work, how secure is it tpo place the copy inside?
I guess it is very hard to access it inside the virtual box?

And also. How is the data stored in the RAM?

Is it in one piece?

And a other question cause i do not want to open 10 threads^^:
With the Enigma Protector for x64 files, i can ONLY compile x64 files or both x86 (32) and x64?
TechnoMan
 
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Postby Enigma » Mon Nov 11, 2013 4:46 pm

TechnoMan wrote:If it does not work, how secure is it tpo place the copy inside?


This HAS to work, I just do not know how much data you may remove from this copy. Maybe all data (excluding overlay), maybe just only first PE section, maybe all data except PE header (this is the securest one and I think it will be working)..

TechnoMan wrote:I guess it is very hard to access it inside the virtual box?And also. How is the data stored in the RAM?


This is stored as much secure as possible. The overall file is never stored in memory, once application requires a part of the file, the protection extracts it and returns. So this way is very similar as your friend did, the data is being extracted partially, when the application requires it.

TechnoMan wrote:With the Enigma Protector for x64 files, i can ONLY compile x64 files or both x86 (32) and x64?


No, unfortunately, for protecting x86 (32 bit) and x64 (64 bit) executable files you have to use different versions of Enigma Protector.
Enigma
Site Admin
 
Posts: 2142
Joined: Wed Aug 20, 2008 2:24 pm

Re: Protected RAM

Postby TechnoMan » Mon Nov 11, 2013 4:51 pm

Yes it works. The file for the virtual box contains ONLY the overlay and it works fine :D

This is stored as much secure as possible. The overall file is never stored in memory, once application requires a part of the file, the protection extracts it and returns. So this way is very similar as your friend did, the data is being extracted partially, when the application requires it.


Is the data encrypted?

I also not only mean the files from the virtual box. I mean the Autoit code for example.
Or to make it more clear. Could i just dump the whole code from the memory and then decompile it in order to get the autoit source code?

Thank you for the support!
TechnoMan
 
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Postby Enigma » Mon Nov 11, 2013 4:58 pm

TechnoMan wrote:Yes it works.


Nice to hear that!

TechnoMan wrote:Or to make it more clear. Could i just dump the whole code from the memory and then decompile it in order to get the autoit source code?


As far as I know, the Autoit executable itself does not contain much data. So protection of it's code is not much necessary. Note, this is not a professional opinion, because I personally did not work much with Autoit.
And due to this, I think that for Autoit it would be better - better overlay protection, and not the protection of the code.
Enigma
Site Admin
 
Posts: 2142
Joined: Wed Aug 20, 2008 2:24 pm

Next

Return to Basic

Who is online

Users browsing this forum: Bing [Bot] and 9 guests