RISC VM Takes really long to protect and more

[191]

Hello everyone,

I just bought Enigma Protector 4.1 and generally, the software is a masterpiece, but unfortunately, I have some problems with the new RISC VM.

First, my input program is a DLL, size 512 KB, about 1600 functions (compiled)

To protect it with the RISC VM (max settings) it took 4 hours, but then it failed because the protector ran out of memory.

My current VM settings are:

- Trashgen: 1
- Obfuscation: Max
- Duplicates: 0
- Encryption: Max

I started protecting the application about 30 minutes ago, and it only got about 40% finished now. It is quite a difference compared to Max settings, but in my opinion this still takes very long.

EDIT:

It's finally protected now! Took about 80 minutes.

Output file size: 99 MB ( 3400% more than the input ), I think thats WAY too large.
Using the classic VM the size is about 2 MB.

And the dll is crashing. ( I'll try to solve this later )

---------------------------------------------------------------

Another thing i've noticed is that the protected application gets REALLY big.

I protected another program, input size: 215 kb, 100 functions.

RISC VM Settings: Everything Maxed.

-> Output size: 14.6 MB

Using the classic VM the output size is about 1.4 MB.

Is that a normal behaviour?

-------------------------------------------------------------------

EDIT:

I am NOT using any VM_RISC markers, so thats definitly not the problem.

A really strange thing is, that i can only run the application once after protecting it.. If i start it again, it terminates itself after 2-4 seconds (no window showing up, not even the application's window).

The DLL does not crash if i use the classic VM, but it terminates the host process after about 10 seconds, again, no message or anything.

EDIT: I fixed the strange host process termination caused by the protected dll (It was the runtime integrity check, although, I enabled show message before termination it didn't show a message). The exe file still terminates itself if you run it a second time. Every inline patching / integrity stuff is disabled. Only happens when using the RISC VM.

EDIT: The exe file terminates itself only sometimes. Its like 60% termination. I have no idea what causes it but it seems to be really strange.

[Alec]

It is normal behaviour for the RISC VM that it will increase the size a lot if used not the way it was intended to. You should protect only the few main functions using RISC VM, for others Classic VM should be used. Note that every exeuctable protector (ours included) with VM support is not aimed at protecting all functions at once, VM should be used only where it's necessary - on the sensible to cracking/reversing code parts.

[Enigma]

To append:

Use vm_risc_begin/vm_risc_end markers for some parts of the code. For the functions selecting, use classic virtual machine, switch it in Virtual Machine - Settings panel.

[191]

Ah okay. Thanks for you reply.

So basically, i should use the classic VM for function selecting, and then, using the vm_risc markers, i should protect the REALLY sensitive code parts?

[zop]

Sure. Sensitive code should be protected better. But you must understand that the code will work slower (more protection = slower execution).
For example, I used virtualization for some graphics-drawing code and it was bad idea:)

[Enigma]

So basically, i should use the classic VM for function selecting, and then, using the vm_risc markers, i should protect the REALLY sensitive code parts?

Exactly! Settings you enter on Virtual Machine - Settings affects only code selected in Functions Selecting, however, vm_risc markers are always VM Risk virtual machine.

For example, I used virtualization for some graphics-drawing code and it was bad idea:)

Thanks you, that's useful example of how virtualization should NOT be applied!

[191]

Okay sure.

But one more question. Is there any way engima could use the debug database files generated if you use the /DEBUG flag in the linker for function selecting?

Function names like 0x103A3D are quite unclear. IDA is using the .pdb files and shows the "real" function names.

[Enigma]

But one more question. Is there any way engima could use the debug database files generated if you use the /DEBUG flag in the linker for function selecting?

You may try to turn off the option Miscellaneous - Other - Delete Debug Directory.

If this won't work, then possible solution would be also disabling application code compression and encryption, try to turn on the option Miscellaneous - Other - Do not compress and encrypt code and check if it will work.

[191]

These options apply AFTER the application is protected, right?

But i am talking about the input file. So that i can see the real function names in the "select functions" window.

[Enigma]

Ah, sorry, please discard my reply.

You need to create a map file for your file, without it, it is difficult to apply correct functions virtualization, see http://enigmaprotector.com/en/help/manu ... 41ac2fa01f

So make sure you have a map file, and it is located in the same folder as exe file.