Protected RAM
I got another question.
AutoIt scripts have the signature AU3!EA06 inside, therefore you can easily dump the whole script from the RAM by searching for EA06 and then decompile the dumped code.
Now I ask myself if Enigma protects against this?
Thanks
Re: Protected RAM
As far as I remember, AutoIt places this code in the file overlay. No protection protects the overlay; it is always just copied to the protected file unmodified.
Anyway, there is a way to apply some kind of protection to this data. Do the following in Enigma Protector:
1. Select the input and output files in the Input panel. Note: the names of the files should be the same, this is important.
2. Go to Virtual Box - Files, enable this option and place the input file in the %DEFAULT FOLDER% (you may enable compression there).
3. Go to Miscellaneous - Other and check the option Remove File Overlay.
Then protect. This data should be gone from the protected file.
Re: Protected RAM
Hello,
well, if I remove the overlay then I get an AutoIt error.
I talked to an experienced friend; he coded a protection for AutoIt scripts.
The way he protects the script from being dumped is that he just decrypts small parts of the code in the RAM when they are needed and then encrypts them again.
So if you want to dump it, you need a very long time until you have the whole code.
Is it possible to do something like this with Enigma?
Thanks
Re: Protected RAM
Yes, that's what I was telling you about. This feature is Virtual Box.
If you just enable the Remove Overlay feature then this will cause an error.
But the main thing: add the input executable into the DEFAULT FOLDER of the Virtual Box feature. Moreover, the name of the file in Virtual Box and the name of the protected executable should be the same, otherwise it won't work. I can confirm that I tested this way myself, and it worked well.
Re: Protected RAM
Sorry, but what file should I add to the virtual box?
The unprotected exe?
//EDIT: Okay, seems to work. The overlay is gone and it still works fine.
I just wonder: isn't it risky to place the unprotected file into the output? Or is it not really possible to access the virtual box?
Thanks
Re: Protected RAM
Yes, the unprotected one.
If you want to go further, you may do more customizations to increase protection. Placing the unprotected file into Virtual Box is not the "securest" way, so you may create a copy of the unprotected file, walk through its PE sections and delete all code and data inside it, everything excluding the overlay. So the embedded file won't be a copy of the unprotected file, it will just contain an overlay inside. I'm not sure if it will still work after deleting all code/data inside, but at least the code could be deleted w/o problems.
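The overlay check ("this data should be gone from the protected file") and the overlay-only copy suggested in the replies above, as an added Python example that is not part of the original posts and is not Enigma Protector code. It assumes the usual PE rule that the overlay starts where the last section's raw data ends; `sample_pe` builds a constructed, parse-only image and all function names are hypothetical.

```python
import struct

MARKER = b"AU3!EA06"  # script signature named in the thread

def sections(pe: bytes):
    """Yield (raw_offset, raw_size) for each entry in the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    nt, = struct.unpack_from("<I", pe, 0x3C)             # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    count, = struct.unpack_from("<H", pe, nt + 6)        # NumberOfSections
    opt_size, = struct.unpack_from("<H", pe, nt + 20)    # SizeOfOptionalHeader
    table = nt + 24 + opt_size                           # first section header
    for i in range(count):
        size, ptr = struct.unpack_from("<II", pe, table + 40 * i + 16)
        yield ptr, size

def overlay_offset(pe: bytes) -> int:
    """Overlay = bytes stored after the end of the last section's raw data."""
    ends = [ptr + size for ptr, size in sections(pe) if size]
    if not ends:
        raise ValueError("no section has raw data")
    return min(max(ends), len(pe))

def has_script_overlay(pe: bytes) -> bool:
    """True if the AutoIt marker is still present in the file overlay."""
    return MARKER in pe[overlay_offset(pe):]

def overlay_only_copy(pe: bytes) -> bytes:
    """Zero every section's raw bytes; PE headers and overlay stay untouched."""
    out = bytearray(pe)
    for ptr, size in sections(pe):
        end = min(ptr + size, len(out))
        out[ptr:end] = bytes(max(end - ptr, 0))
    return bytes(out)

def sample_pe(overlay: bytes) -> bytes:
    """Constructed parse-only image: headers, one 0x200-byte section, overlay."""
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200,
                       0, 0, 0, 0, 0x60000020)
    return (dos + coff + sect).ljust(0x200, b"\0") + b"\xCC" * 0x200 + overlay

if __name__ == "__main__":
    pe = sample_pe(MARKER + b"constructed script bytes")
    print(hex(overlay_offset(pe)), has_script_overlay(pe))
    print(has_script_overlay(pe[:overlay_offset(pe)]))   # overlay removed
```

Run `has_script_overlay` on the protected output to confirm the marker is no longer in its overlay; a signed file's certificate table also sits after the last section, so it counts as overlay under this rule.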
Re: Protected RAM
Thanks for this idea, I will try it out.
If it does not work, how secure is it to place the copy inside?
I guess it is very hard to access it inside the virtual box?
And also: how is the data stored in the RAM?
Is it in one piece?
And another question, because I do not want to open 10 threads^^:
With the Enigma Protector for x64 files, can I ONLY compile x64 files, or both x86 (32) and x64?
Re: Protected RAM
TechnoMan wrote: If it does not work, how secure is it to place the copy inside?
This HAS to work, I just do not know how much data you may remove from this copy. Maybe all data (excluding overlay), maybe only the first PE section, maybe all data except the PE header (this is the securest one and I think it will work).
TechnoMan wrote: I guess it is very hard to access it inside the virtual box? And also: how is the data stored in the RAM?
This is stored as securely as possible. The whole file is never stored in memory; once the application requires a part of the file, the protection extracts it and returns it. So this way is very similar to what your friend did: the data is extracted partially, when the application requires it.
TechnoMan wrote: With the Enigma Protector for x64 files, can I ONLY compile x64 files, or both x86 (32) and x64?
No, unfortunately, for protecting x86 (32 bit) and x64 (64 bit) executable files you have to use different versions of Enigma Protector.
Re: Protected RAM
Yes, it works. The file for the virtual box contains ONLY the overlay and it works fine.
Quote: This is stored as securely as possible. The whole file is never stored in memory; once the application requires a part of the file, the protection extracts it and returns it. So this way is very similar to what your friend did: the data is extracted partially, when the application requires it.
Is the data encrypted?
I also do not only mean the files from the virtual box. I mean the AutoIt code, for example.
Or to make it more clear: could I just dump the whole code from the memory and then decompile it in order to get the AutoIt source code?
Thank you for the support!
Re: Protected RAM
TechnoMan wrote: Yes, it works.
Nice to hear that!
TechnoMan wrote: Or to make it more clear: could I just dump the whole code from the memory and then decompile it in order to get the AutoIt source code?
As far as I know, the AutoIt executable itself does not contain much data. So protection of its code is not really necessary. Note, this is not a professional opinion, because I personally did not work much with AutoIt.
And due to this, I think that for AutoIt it would be better to have better overlay protection, and not the protection of the code.