Any questions? Ask us: support@enigmaprotector.com

Protected RAM

Post here any topics that related to Enigma Protector, its functionality, your misunderstanding, offers to improvements etc etc etc

Re: Protected RAM

Postby TechnoMan » Mon Nov 11, 2013 5:04 pm

Not sure what you mean.

The AutoIT exe containts the whole sourcecode.

If you do not use any proteciton you can just drag it into an decompiler and you get the full source code back thats the problem with the way autoit works (interpreter).

Therefore normally autoit also copys the WHOLE script into the memory, so you can also just drop it form there and then decompile it.

Therefore i want to know how does it work after i applied the enigma protection?

Is the code in the ram stores at once, or is it encrypted and only get's decrypted when there is the need for it, like my friend did it. So that you can't jsut drop it from the ram.

Hope you understand my question.

THanks
TechnoMan
 
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Postby Enigma » Thu Nov 14, 2013 8:29 am

OK, let me explain how the system works.

As we've decided, the sensitive data of Autoit exe is stored in the file overlay. Program reads this data to provide necessary program functionality. Enigma Protector (I mean it's Virtual Box feature) emulates the overlay, so when the program reads it from the file, protection redirects file read operations to memory, such way protection emulates the file.

You are wondering, if the sensitive data (overlay) exists in the memory after the file is protected. I can't answer you question. But I can confirm, that protection does not store virtual files in memory. So, if the program itself (Autoit) reads whole overlay and stores it in memory, then protection nothing can do and the overlay data will be always present in memory. But (this is my vision), if program reads the overlay data part-by-part, and whole overlay is never stored in memory, then protection works for Autoit.

Try to check it out, i.e. try to find the overlay in protected process, and you will understand if Enigma Protector helps you or no.
Enigma
Site Admin
 
Posts: 2142
Joined: Wed Aug 20, 2008 2:24 pm

Re: Protected RAM

Postby TechnoMan » Thu Nov 14, 2013 9:53 pm

No the overlay doe snot have anything todoö. Autoit loads the whole script into the ram and process it then line by line.

Anyways i tried to use both programs. First the friends program which encrypts the ram, and then yours.

However i need to disable the virtualazion of the entry point.

Is this a huge security risk?
TechnoMan
 
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Postby newuser » Sat Nov 16, 2013 10:55 am

Just a curious question here, can't Enigma Protector vm marker feature be apply to autoit compiled exe too? :?:
newuser
 
Posts: 49
Joined: Tue Apr 13, 2010 5:43 pm

Re: Protected RAM

Postby TechnoMan » Sat Nov 16, 2013 12:16 pm

Yeah i thought about that too, since i guess it would be much more harder then too.

But i can't find a way how to do that. Would be nice if Enigma (the admin) could find a way todo that since it looks like there are amny autoit users around.
TechnoMan
 
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Postby Enigma » Mon Nov 18, 2013 7:53 am

TechnoMan wrote:Is this a huge security risk?


No, that's not a huge risk, because we are mainly protecting overlay in this case.

Regarding VM Markers and code virtualization at all for Autoit (same also relates to Entry Point virtualization). I do not think it is much important in this case. As far as I know, AutoIt uses same exe template for any compiled executable, the only overlay changes because it contains all the data for execution etc. So even if you apply code virtualization, then what advantage you may get if cracker may take exe template from any other AutoIt exe?

So difficult to say if the exe virtualization will give you advantages in this case...

But, anyway, how to apply it. VN Markers can be used only if you can make changes in the application source code, but this does not make sense for Autoit because exe always same. So the only way to do that - using MAP file. Autoit exe does not contain map file (developers do not provide it, correct?), then there is a possible way to create a map file using IDA disassembler (you load file there, and through options menu generate it). The resulting map file should have the same name as exe, but with the map extension and both files should be located in the same folder. Then, in Enigma Protector go to Virtual Machine - Functions Selecting and select functions for virtualization.

This is not easy and good way I think, because you do not know the names of the functions, you do not know what is function for, and due to this you can't exactly decide what function needs to be protected.
Enigma
Site Admin
 
Posts: 2142
Joined: Wed Aug 20, 2008 2:24 pm

Previous

Return to Basic

Who is online

Users browsing this forum: No registered users and 3 guests