Enigma anti byte patching

Posted: Mon Aug 22, 2016 1:09 am
by Dave1234
Hello everyone
I have been an Enigma user for 6 months.
We have a product with server protection, and I use Enigma on the client version.

But with every new version release there are a bunch of kids able to bypass it without unpacking, patching bytes in memory and making loaders.

Now I've seen Enigma is pretty good but failed in protection against memory patching.

I've used in app VM macros,
EP protected strings function,
integrity check

and all the things which Enigma offers.

Can you guys help me with this? Is there anything I can do to avoid memory patching?
Because I'm damn sure they cannot run the exe if unpacked (I did try that).
And I've seen them using jmp in Olly to skip/bypass security checks.

Thanks,

Re: Enigma anti byte patching

Posted: Mon Aug 22, 2016 7:04 am
by Enigma
Hi,

As per the information you gave us, I'm not sure that your application was unpacked. If you applied RISC VM (through markers or functions selecting) and protected strings, this adds full-power protection to your file.

However, even if all of this is implemented, it is possible to patch unprotected parts of code in memory.

To avoid this, all you need to do is protect the part of the code that has a weakness for patching.

Apply virtual machine protection to this part of the code and that fixes all your problems. When the virtual machine is applied, the original code is protected so that it becomes impossible to change/patch it.

Re: Enigma anti byte patching

Posted: Mon Aug 22, 2016 7:53 am
by Dave1234
Applying virtual machine:
you mean by markers?

Yes, I did that on sensitive parts of code.

Do you recommend using VM markers or RISC markers
for those parts?

Because I use VM markers on most.

Re: Enigma anti byte patching

Posted: Mon Aug 22, 2016 10:01 am
by Enigma
RISC VM markers provide stronger protection than the usual VM markers.

Anyway, VM markers provide anti-patching ability too.

If your app is being patched in memory, you first need to know exactly what code is patched. Because if code is patched, then I doubt it is protected with the virtual machine, and you have to apply VM to this code.

Re: Enigma anti byte patching

Posted: Mon Aug 22, 2016 2:24 pm
by Dave1234
Yes, they patch the code that's inside the VM marker.
But some functions I take from SysUtils.
Those are not inside markers; I doubt there is the flaw.
I've changed the marker to RISC, let's see what happens.

Re: Enigma anti byte patching

Posted: Tue Aug 23, 2016 9:54 am
by Enigma
I do not think they patched code inside the markers, even VM markers; this is too complex.

However, imagine if you have some function like this one:

function compare(x : string) : boolean;
begin
  // Some code to protect
  // ...
  // End of code
  // CompareStr (SysUtils) returns 0 when both strings are equal
  Result := CompareStr(x, 'test') = 0;
end;

You could protect this function with any virtual machine, but for a cracker this does not matter at all. A cracker could hook the function CompareStr and return any custom result for it. So even if your function becomes protected, it would be possible to change its result.

To fix such a case, you need to protect both functions, yours and the system one. And for this case, it is better to use protection with a map file instead of markers.

Generate a map file in Delphi, and then, using Virtual Machine - Functions Selecting, select the necessary functions to protect.

Re: Enigma anti byte patching

Posted: Tue Aug 23, 2016 11:42 pm
by Dave1234
Thanks for the suggestions.
In my case
the function is IntToHex.
This means he can hook this function and change the result?

Basically it's a unique ID of the hardware, for which I use the IntToHex function and check on the server.

Now in the cracker's video I saw the unique ID was 00000000000000, which means he skipped or changed the result.

Because all possible functions had markers except IntToHex.

Thanks
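
Added example, not part of the thread and not Enigma's or the poster's code: a Delphi sketch of the CompareStr/IntToHex situation discussed above, in which the caller formats the hardware ID itself and treats a disagreement with the unprotected SysUtils.IntToHex as a sign that the returned value was altered. The names LocalHex64 and HexPathIntact, the 64-bit ID width and the sample ID are assumptions, and both functions are assumed to be selected for virtual machine protection.

```delphi
program HwIdHexDemo;

{$APPTYPE CONSOLE}

uses
  SysUtils;

const
  HexDigits: array[0..15] of Char = '0123456789ABCDEF';

// Hypothetical helper: formats a 64-bit value as 16 upper-case hex digits
// without going through SysUtils.IntToHex, so the digits are produced
// inside the function that is selected for protection.
function LocalHex64(Value: UInt64): string;
var
  I: Integer;
begin
  SetLength(Result, 16);
  for I := 16 downto 1 do
  begin
    Result[I] := HexDigits[Integer(Value and $F)]; // lowest nibble first
    Value := Value shr 4;
  end;
end;

// Hypothetical check: True when IntToHex returns the same text as the
// local formatter. A mismatch means the IntToHex result was changed
// somewhere between the call and the return.
function HexPathIntact(Value: UInt64): Boolean;
begin
  Result := IntToHex(Int64(Value), 16) = LocalHex64(Value);
end;

var
  HardwareId: UInt64;
begin
  HardwareId := $00A1B2C3D4E5F607; // constructed sample value, not a real ID
  if not HexPathIntact(HardwareId) then
  begin
    Writeln('IntToHex result does not match the local formatter');
    Halt(1);
  end;
  // Send the locally formatted ID, not the IntToHex result, to the server.
  Writeln(LocalHex64(HardwareId));
end.
```

The comparison only helps when it sits inside the protected region together with the code that uses its result; left unprotected, it can be skipped like any other check.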