Protected RAM

TechnoMan
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Post by TechnoMan »

Not sure what you mean.

The AutoIT exe contains the whole source code.

If you do not use any protection you can just drag it into a decompiler and you get the full source code back; that's the problem with the way AutoIt works (interpreter).

Therefore normally AutoIt also copies the WHOLE script into the memory, so you can also just drop it from there and then decompile it.

Therefore I want to know how does it work after I applied the Enigma protection?

Is the code in the RAM stored at once, or is it encrypted and only gets decrypted when there is the need for it, like my friend did it, so that you can't just drop it from the RAM?

Hope you understand my question.

Thanks
Enigma
Site Admin
Posts: 2945
Joined: Wed Aug 20, 2008 2:24 pm

Re: Protected RAM

Post by Enigma »

OK, let me explain how the system works.

As we've decided, the sensitive data of the AutoIt exe is stored in the file overlay. The program reads this data to provide necessary program functionality. Enigma Protector (I mean its Virtual Box feature) emulates the overlay, so when the program reads it from the file, the protection redirects file read operations to memory; in such a way the protection emulates the file.

You are wondering if the sensitive data (overlay) exists in the memory after the file is protected. I can't answer your question. But I can confirm that the protection does not store virtual files in memory. So, if the program itself (AutoIt) reads the whole overlay and stores it in memory, then the protection can do nothing and the overlay data will always be present in memory. But (this is my vision), if the program reads the overlay data part-by-part, and the whole overlay is never stored in memory, then the protection works for AutoIt.

Try to check it out, i.e. try to find the overlay in the protected process, and you will understand if Enigma Protector helps you or not.
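The admin's suggested check, locating the overlay of the AutoIt exe and then seeing whether that same data shows up in the running process, depends on knowing exactly where the overlay starts. As an added example (not code from the forum, Enigma Protector or AutoIt), the following Python computes the overlay offset from the PE section table (the overlay is whatever trails the last section's raw data), fingerprints it, and offers a helper that tests whether the overlay's leading bytes appear in an arbitrary buffer such as a memory dump a developer took of their own protected program. The minimal PE builder is constructed purely so the script runs offline; the overlay bytes it embeds are placeholders, not real AutoIt script data.

```python
import hashlib
import struct


def find_overlay(pe_bytes: bytes) -> tuple[int, int]:
    """Return (offset, size) of the overlay: data after the last section's raw bytes."""
    if pe_bytes[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe_bytes, 0x3C)[0]
    if pe_bytes[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header follows the 4-byte signature
    num_sections = struct.unpack_from("<H", pe_bytes, e_lfanew + 6)[0]
    opt_hdr_size = struct.unpack_from("<H", pe_bytes, e_lfanew + 20)[0]
    # SizeOfHeaders sits at offset 60 of the optional header (PE32 and PE32+)
    end = struct.unpack_from("<I", pe_bytes, e_lfanew + 24 + 60)[0]
    section_table = e_lfanew + 24 + opt_hdr_size
    for i in range(num_sections):
        entry = section_table + i * 40
        size_raw, ptr_raw = struct.unpack_from("<II", pe_bytes, entry + 16)
        end = max(end, ptr_raw + size_raw)
    if end >= len(pe_bytes):
        return len(pe_bytes), 0  # no overlay present
    return end, len(pe_bytes) - end


def extract_overlay(pe_bytes: bytes) -> bytes:
    off, size = find_overlay(pe_bytes)
    return pe_bytes[off:off + size]


def overlay_fingerprint(pe_bytes: bytes) -> str:
    """SHA-256 of the overlay, handy for confirming which build you are inspecting."""
    return hashlib.sha256(extract_overlay(pe_bytes)).hexdigest()


def overlay_present_in(buffer: bytes, pe_bytes: bytes, probe_len: int = 16) -> bool:
    """True if the first probe_len overlay bytes occur anywhere in buffer.

    Intended for a developer checking a dump of their own protected process,
    as the admin suggests above: a hit means the script data was loaded whole.
    """
    probe = extract_overlay(pe_bytes)[:probe_len]
    return bool(probe) and probe in buffer


def build_sample_pe(overlay: bytes) -> bytes:
    """Constructed minimal PE32 (one .text section) with `overlay` appended.

    Only the fields find_overlay() reads are meaningful; it is not loadable.
    """
    file_align = 0x200
    e_lfanew = 64
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 96
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)          # PE32 magic
    struct.pack_into("<I", opt, 60, file_align)   # SizeOfHeaders
    section = struct.pack("<8sIIIIIIHHI", b".text", file_align, 0x1000,
                          file_align, file_align, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section
    headers = headers.ljust(file_align, b"\0")
    text = b"\xC3".ljust(file_align, b"\0")       # ret + padding
    return headers + text + overlay


if __name__ == "__main__":
    sample = build_sample_pe(b"CONSTRUCTED-SCRIPT-DATA")
    print("overlay at", hex(find_overlay(sample)[0]), overlay_fingerprint(sample))
```

Run it against a real exe by replacing the constructed sample with `open(path, "rb").read()`; the offset it reports is where the AutoIt data begins, and `overlay_present_in` lets you compare that data against a dump of your own process without needing any tool beyond Python.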
TechnoMan
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Post by TechnoMan »

No, the overlay does not have anything to do with it. AutoIt loads the whole script into the RAM and processes it then line by line.

Anyways, I tried to use both programs. First the friend's program which encrypts the RAM, and then yours.

However, I need to disable the virtualization of the entry point.

Is this a huge security risk?
newuser
Posts: 49
Joined: Tue Apr 13, 2010 5:43 pm

Re: Protected RAM

Post by newuser »

Just a curious question here, can't the Enigma Protector VM marker feature be applied to an AutoIt compiled exe too?
TechnoMan
Posts: 12
Joined: Fri Nov 08, 2013 5:32 pm

Re: Protected RAM

Post by TechnoMan »

Yeah, I thought about that too, since I guess it would be much harder then, too.

But I can't find a way how to do that. Would be nice if Enigma (the admin) could find a way to do that, since it looks like there are many AutoIt users around.
Enigma
Site Admin
Posts: 2945
Joined: Wed Aug 20, 2008 2:24 pm

Re: Protected RAM

Post by Enigma »

TechnoMan wrote: Is this a huge security risk?

No, that's not a huge risk, because we are mainly protecting the overlay in this case.

Regarding VM Markers and code virtualization at all for AutoIt (the same also relates to Entry Point virtualization): I do not think it is very important in this case. As far as I know, AutoIt uses the same exe template for any compiled executable; only the overlay changes, because it contains all the data for execution etc. So even if you apply code virtualization, what advantage may you get if a cracker may take the exe template from any other AutoIt exe?

So it is difficult to say if the exe virtualization will give you advantages in this case...

But, anyway, how to apply it. VM Markers can be used only if you can make changes in the application source code, but this does not make sense for AutoIt because the exe is always the same. So the only way to do that is using a MAP file. The AutoIt exe does not come with a map file (developers do not provide it, correct?), then there is a possible way to create a map file using the IDA disassembler (you load the file there, and through the options menu generate it). The resulting map file should have the same name as the exe, but with the map extension, and both files should be located in the same folder. Then, in Enigma Protector go to Virtual Machine - Functions Selecting and select functions for virtualization.

This is not an easy or good way, I think, because you do not know the names of the functions, you do not know what a function is for, and due to this you can't exactly decide what function needs to be protected.