C++ Markers / SDK

0x53616D61676F6E
Posts: 2
Joined: Wed Apr 11, 2018 9:25 pm

C++ Markers / SDK

Post by 0x53616D61676F6E »

Hi,

I use Enigma Protector since some years, mostly to use the VirtualBox + basic Encryption through the GUI.
Now i have some important code in my software, which I need to protect in a stronger way.

I saw that Enigma has markers for execution inside of the VM and SDK (ex. EP_ProtectedStringByKey)

I have got some questions about this stuff:

First of all:
Do I need to use the #include stuff or can I simply create a define like the following, without any security issues (it works, but could there be any problems):

// EB 08 is a short jump over the 8 signature bytes that follow, so the
// signature "VMBEGIN1" (56 4D 42 45 47 49 4E 31) is never executed
#define ENIGMA_VM_START \
	__asm _emit 0xEB \
	__asm _emit 0x08 \
	__asm _emit 0x56 \
	__asm _emit 0x4D \
	__asm _emit 0x42 \
	__asm _emit 0x45 \
	__asm _emit 0x47 \
	__asm _emit 0x49 \
	__asm _emit 0x4E \
	__asm _emit 0x31

// Same layout for the end marker; the signature is "VMEND1" padded with two zero bytes
#define ENIGMA_VM_END \
	__asm _emit 0xEB \
	__asm _emit 0x08 \
	__asm _emit 0x56 \
	__asm _emit 0x4D \
	__asm _emit 0x45 \
	__asm _emit 0x4E \
	__asm _emit 0x44 \
	__asm _emit 0x31 \
	__asm _emit 0x00 \
	__asm _emit 0x00

Second question, should I call SDK methods like "EP_ProtectedStringByKey" inside of the RISC VM or doesn't this matter?

	char ret[255];
	ENIGMA_VM_START; // #include "EnigmaSDK/vm_risc_begin.inc"
	EP_ProtectedStringByKey("KEY", &ret[0], sizeof(ret));
	ENIGMA_VM_END; // #include "EnigmaSDK/vm_risc_end.inc"
	std::string IDKJustSomething(ret);

4th question:
Is it OK/right to call a method which also runs in the VM through a method that runs in the VM (it works, but could there be any problems)?

void BLA::Test2(std::string * ret)
{
	ENIGMA_VM_START; // #include "EnigmaSDK/vm_risc_begin.inc"
	char test[299];
	EP_ProtectedStringByKey("KEY", &test[0], sizeof(test));
	ret->append(test);
	ENIGMA_VM_END; // #include "EnigmaSDK/vm_risc_end.inc"
}

void BLA::Test(std::string * ret)
{
	ENIGMA_VM_START; // #include "EnigmaSDK/vm_risc_begin.inc"
	char test[299];
	EP_ProtectedStringByKey("KEY", &test[0], sizeof(test));
	Test2(ret); // runs in the VM too
	ENIGMA_VM_END; // #include "EnigmaSDK/vm_risc_end.inc"
}
Last question, is there any support of returns inside of the VM markers planned? Of course I can use other ways to return a value but it would be a nice feature.
Enigma
Site Admin
Posts: 2939
Joined: Wed Aug 20, 2008 2:24 pm

Re: C++ Markers / SDK

Post by Enigma »

Hi, regarding your questions:
0x53616D61676F6E wrote: Do I need to use the #include stuff or can I simply create a define like the following, without any security issues (it works, but could there be any problems):
This way is perfect; it is the same as #include, so if this way is more suitable for you, feel free to use it.
0x53616D61676F6E wrote: Second question, should I call SDK methods like "EP_ProtectedStringByKey" inside of the RISC VM or doesn't this matter?
This does not matter, but calling it inside the marker gives better protection, as it would be impossible to somehow hook the results that EP_ProtectedStringByKey returns.
0x53616D61676F6E wrote: 4th question:
Is it OK/right to call a method which also runs in the VM through a method that runs in the VM (it works, but could there be any problems)?
It is OK and it is right; there are no problems. Just a small note: if it is possible to use the virtual machine through the MAP file and function selection, rather than through markers, that would be the better way. If you protect the function through the MAP file, it also protects the function epilog and prolog, plus better handling of nested functions. Protection using markers does not have such advantages.
0x53616D61676F6E wrote: Last question, is there any support of returns inside of the VM markers planned? Of course I can use other ways to return a value but it would be a nice feature.
We do not limit using "return" inside VM markers. It is impossible to use return in other kinds of markers, but not for VM/VM_RISC. So feel free to use it.
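As an added example (not code from the original post and not part of the Enigma Protector SDK): a small C++ checker that scans a built image for the byte sequences the ENIGMA_VM_START / ENIGMA_VM_END macros in the question emit and verifies that every begin marker is closed by an end marker. It is a build-time sanity check that the compiler actually kept the markers and that none was left unpaired before the binary is handed to the protector. It assumes the markers are exactly the 10-byte sequences those macros produce (a short jump followed by "VMBEGIN1" or "VMEND1\0\0"); the sample image is constructed inline, and the names findMarkers, markersBalanced, completePairs, sampleImage, brokenImage and readFile are chosen here.

```cpp
// Added example, not part of the original post or of the Enigma Protector SDK.
// Scans an image for the marker byte sequences emitted by the poster's
// ENIGMA_VM_START / ENIGMA_VM_END macros and checks that they pair up.
#include <cstddef>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <vector>

// EB 08 = "jmp short +8": skips the 8 signature bytes so they never execute.
// Assumed to match what the SDK .inc files emit (the macros in the question).
static const std::string kVmBegin("\xEB\x08" "VMBEGIN1", 10);
static const std::string kVmEnd("\xEB\x08" "VMEND1" "\x00\x00", 10);

struct Marker {
    std::size_t offset;  // byte offset of the EB 08 in the image
    bool is_begin;       // true for VMBEGIN1, false for VMEND1
};

// Find every begin/end marker in the image, in file order.
std::vector<Marker> findMarkers(const std::string& image) {
    std::vector<Marker> found;
    for (std::size_t pos = 0; pos + kVmBegin.size() <= image.size(); ++pos) {
        if (image.compare(pos, kVmBegin.size(), kVmBegin) == 0)
            found.push_back(Marker{pos, true});
        else if (image.compare(pos, kVmEnd.size(), kVmEnd) == 0)
            found.push_back(Marker{pos, false});
    }
    return found;
}

// Markers must strictly alternate begin, end, begin, end ... and finish on an
// end. The number of complete begin/end pairs is written to *pairs when given.
bool markersBalanced(const std::vector<Marker>& markers, std::size_t* pairs = nullptr) {
    bool expectBegin = true;
    std::size_t complete = 0;
    for (const Marker& m : markers) {
        if (m.is_begin != expectBegin) return false;  // stray or doubled marker
        if (!m.is_begin) ++complete;
        expectBegin = !expectBegin;
    }
    if (pairs) *pairs = complete;
    return expectBegin;  // false if the last marker was an unclosed begin
}

// Number of complete pairs in an image, or 0 when the markers are unbalanced.
std::size_t completePairs(const std::string& image) {
    std::size_t pairs = 0;
    return markersBalanced(findMarkers(image), &pairs) ? pairs : 0;
}

// Constructed sample image: filler bytes, two marked regions, more filler.
// The bytes between the markers are arbitrary; only the markers matter here.
std::string sampleImage() {
    std::string img("\x55\x8B\xEC", 3);
    img += kVmBegin; img += std::string("\x33\xC0", 2); img += kVmEnd;
    img += std::string("\x90\x90\x90", 3);
    img += kVmBegin; img += std::string("\xB8\x01\x00\x00\x00", 5); img += kVmEnd;
    img += std::string("\x5D\xC3", 2);
    return img;
}

// Same image with the second end marker dropped, i.e. an unclosed region.
std::string brokenImage() {
    std::string img = sampleImage();
    return img.substr(0, img.rfind(kVmEnd));
}

// Read a whole file as bytes, for checking a real build output.
std::string readFile(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    return std::string(std::istreambuf_iterator<char>(in), std::istreambuf_iterator<char>());
}

int main(int argc, char** argv) {
    std::string image = argc > 1 ? readFile(argv[1]) : sampleImage();
    std::vector<Marker> markers = findMarkers(image);
    std::size_t pairs = 0;
    bool ok = markersBalanced(markers, &pairs);
    for (const Marker& m : markers)
        std::cout << (m.is_begin ? "VM_START" : "VM_END  ") << " at offset " << m.offset << '\n';
    std::cout << pairs << " complete marker pair(s), "
              << (ok ? "all balanced" : "UNBALANCED: a begin marker has no end") << '\n';
    return ok ? 0 : 1;
}
```

Run it with the unprotected build output as the only argument; with no argument it checks the constructed sample. A zero pair count on a real binary means the markers were not emitted at all (for instance because the marked function was compiled out), and an unbalanced result points at a region whose end marker is missing. Note that `__asm _emit` is accepted only by the 32-bit MSVC compiler; the x64 MSVC compiler has no inline assembler, so the macros from the question cannot be used in a 64-bit build.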
0x53616D61676F6E
Posts: 2
Joined: Wed Apr 11, 2018 9:25 pm

Re: C++ Markers / SDK

Post by 0x53616D61676F6E »

Hi, thanks for your answer.
I worked with the markers now for a bit and they work pretty good.

You said returns are working in the VM markers. At the moment I am using version 4.2 because I didn't need any updates until now. But in this version returns don't work.

I've got a question to this map file thing:
You wrote it protects the epilog/prolog of the method.
If they are protected, is it still possible to hook them?
Enigma
Site Admin
Posts: 2939
Joined: Wed Aug 20, 2008 2:24 pm

Re: C++ Markers / SDK

Post by Enigma »

0x53616D61676F6E wrote: If they are protected, is it still possible to hook them?
It would be possible to hook the function begin only, but not the function end (I'm talking about the case when no anti-debugger protection is used and a cracker can attach to the protected process without problems).

Let me give you a proper example. Imagine there is a function1 and a function2. Function1 calls function2 inside. Now imagine the cases:
1. You protect function2 with the MAP file. Since function1 is not protected, it would be possible to find in memory where function1 calls function2 and take/change the results of function2. However, the function2 body will be completely hidden.
2. You protect function1 with the MAP file. A cracker may find in memory the body of function2, hook it, then take input parameters or change results.
3. If you protect both functions, a cracker may only find the begin of function1 and hook it, but function2 will be completely hidden; it would not be possible to find either where it starts or where it ends.

Based on this, if you have a critical function which you would like to protect, which returns some results that are easy to hook and change, it is reasonable to add this function to the MAP protection, plus all other functions that use it.