Enigma anti byte patching

Post here any topics related to Enigma Protector, its functionality, your misunderstandings, offers of improvements, etc.
Dave1234
Posts: 7
Joined: Mon Aug 22, 2016 12:57 am

Enigma anti byte patching

Post by Dave1234 »

Hello everyone,
I have been an Enigma user for 6 months.
We have a product with server protection and I use Enigma on the client version.

But with every new version release there are a bunch of kids able to bypass it without unpacking, patching bytes in memory and making loaders.

Now I've seen Enigma is pretty good but it fails in protection against memory patching.

I've used in-app VM macros,
the EP protected strings function,
the integrity check

and all the things which Enigma offers.

Can you guys help me with this? Is there anything I can do to avoid memory patching?
Because I'm damn sure they cannot run the exe if unpacked (I did try that).
And I've seen they are using jmp in Olly to skip/bypass security checks.

Thanks,
Enigma
Site Admin
Posts: 2938
Joined: Wed Aug 20, 2008 2:24 pm

Re: Enigma anti byte patching

Post by Enigma »

Hi,

As per the information you gave us, I'm not sure that your application was unpacked. If you applied the RISC VM (through markers or function selecting) and protected strings, this adds full-power protection to your file.

However, even if all this is implemented, it is possible to patch unprotected parts of the code in memory.

To avoid this, everything you need to do is protect the part of the code that has a weakness for patching.

Apply virtual machine protection to this part of the code and that fixes all your problems. When the virtual machine is applied, the original code is protected so that it becomes impossible to change/patch it.
Dave1234
Posts: 7
Joined: Mon Aug 22, 2016 12:57 am

Re: Enigma anti byte patching

Post by Dave1234 »

Applying a virtual machine,
you mean by markers?

Yes, I did that on sensitive parts of the code.

Do you recommend using VM markers or RISC markers
for those parts?

Because I use VM markers on most.
Enigma
Site Admin
Posts: 2938
Joined: Wed Aug 20, 2008 2:24 pm

Re: Enigma anti byte patching

Post by Enigma »

RISC VM markers provide stronger protection than usual VM markers.

Anyway, VM markers provide anti-patching ability too.

If your app is being patched in memory, you first need to know what exact code is patched. Because if code is patched, then I doubt it is protected with the virtual machine and you have to apply the VM to this code.
Dave1234
Posts: 7
Joined: Mon Aug 22, 2016 12:57 am

Re: Enigma anti byte patching

Post by Dave1234 »

Yes, they patch the code that's inside the VM marker.
But some functions I take from SysUtils;
those are not inside markers. I doubt there is the flaw.
I've changed the marker to RISC, let's see what happens.
Enigma
Site Admin
Posts: 2938
Joined: Wed Aug 20, 2008 2:24 pm

Re: Enigma anti byte patching

Post by Enigma »

I do not think they patched code inside the markers, even VM markers; this is too complex.

However, imagine you have some function like this one:

uses
  SysUtils; // CompareStr comes from SysUtils

function compare(x : string) : boolean;
begin
  // Some code to protect
  // ...
  // End of code
  // CompareStr returns 0 when both strings are equal
  Result := CompareStr(x, 'test') = 0;
end;

You could protect this function with any virtual machine, but for a cracker this does not matter at all. The cracker could hook the function CompareStr and return any custom result for it. So even if your function is protected, it would be possible to change its result.

To fix such a case, you need to protect both functions, yours and the system one. And for this case, it is better to use protection with a map file instead of markers.

Generate a map file in Delphi, and then, using Virtual Machine - Functions Selecting, select the necessary functions to protect.
Dave1234
Posts: 7
Joined: Mon Aug 22, 2016 12:57 am

Re: Enigma anti byte patching

Post by Dave1234 »

Thanks for the suggestions.
In my case
the function is IntToHex.
This means he can hook this function and change the result?

Basically it's a unique ID of the hardware, for which I use the IntToHex function and check on the server.

Now in the video of the cracker I saw the unique ID was 00000000000000, that means he skipped or changed the result.

Because all possible functions had markers except IntToHex.

Thanks
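Added example (not code from this thread or from Enigma's SDK) tying together Enigma's hooking point above and Dave1234's IntToHex case: the hardware-ID string is first built the weak way, by calling SysUtils.IntToHex from inside the marked region, then with the hex formatting done by a local loop so the marked region contains no external call to hook, plus the server-side check that rejects the all-zero ID seen in the video. Marker positions are shown as comments and the real SDK marker calls are not shown; the code assumes Free Pascal or a recent Delphi.

```pascal
program HwidDemo;
{$IFDEF FPC}{$mode delphi}{$ENDIF}

uses
  SysUtils;

// Weak shape: the caller may sit inside a VM marker, but IntToHex is a
// separate SysUtils routine outside the marker, so it can be hooked to
// return a constant such as '0000000000000000'.
function HwidWeak(Serial: UInt64): string;
begin
  { Enigma VM marker begin would go here (SDK call not shown) }
  Result := IntToHex(Serial, 16);   // unprotected external call
  { Enigma VM marker end would go here }
end;

// Hardened shape: the hex formatting is a local loop inside the same
// marked region, so protecting this function also covers the conversion.
// (The other option from the post above is selecting IntToHex itself
// for protection via a map file.)
function HwidHardened(Serial: UInt64): string;
const
  Digits: array[0..15] of Char = '0123456789ABCDEF';
var
  I: Integer;
begin
  { Enigma VM marker begin would go here (SDK call not shown) }
  SetLength(Result, 16);
  for I := 16 downto 1 do
  begin
    Result[I] := Digits[Integer(Serial and $F)];
    Serial := Serial shr 4;
  end;
  { Enigma VM marker end would go here }
end;

// Server-side sanity check: an all-zero ID is the tell-tale of a hooked
// or skipped conversion and should be rejected before any lookup.
function IsPlausibleHwid(const Id: string): Boolean;
begin
  Result := (Length(Id) = 16) and (Id <> StringOfChar('0', 16));
end;

begin
  WriteLn(HwidWeak($1234ABCD5678EF90));
  WriteLn(HwidHardened($1234ABCD5678EF90));
  WriteLn(IsPlausibleHwid(HwidHardened(0)));
end.
```

Both HWID functions produce the same string for the same serial; the difference is only which code has to be covered by the virtual machine to keep the result trustworthy.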