Virtual Machine code mutation

Sebastiano
Posts: 10
Joined: Wed Oct 13, 2010 1:55 pm

Virtual Machine code mutation

Post by Sebastiano » Wed Oct 13, 2010 2:02 pm

Hello, I wanna know about mutation of native VM code - is it present at all? :P

Enigma
Site Admin
Posts: 2516
Joined: Wed Aug 20, 2008 2:24 pm

Re: Virtual Machine code mutation

Post by Enigma » Wed Oct 13, 2010 2:21 pm

Yes, surely.

Enigma embeds the loader in the protected file, just a set of many routines. Almost all of these routines are virtualized. Virtualization means that the native code is transformed into special p-code, which is then executed on the internal virtual processor. When a reverser tries to analyze the code, he will not see the native code, just many calls to the virtual machine.

You may also set up additional virtualization for the native code of your executable yourself. There are two ways to do this:
1. By means of VM markers, you may select parts of the code
2. By means of the Virtual Machine feature in Enigma, you may select particular functions
Virtualization of the native code of the exe is similar to virtualization of the loader.

Sebastiano
Posts: 10
Joined: Wed Oct 13, 2010 1:55 pm

Re: Virtual Machine code mutation

Post by Sebastiano » Wed Oct 13, 2010 7:36 pm

Thx, I hope that in every next build the VM opcode set will be different compared with the previous one, am I right?

Enigma
Site Admin
Posts: 2516
Joined: Wed Aug 20, 2008 2:24 pm

Re: Virtual Machine code mutation

Post by Enigma » Thu Oct 14, 2010 6:36 am

Yes, you are correct, this is high priority task!

Do you think the current set of opcodes is too simple?

Sebastiano
Posts: 10
Joined: Wed Oct 13, 2010 1:55 pm

Re: Virtual Machine code mutation

Post by Sebastiano » Thu Oct 14, 2010 7:26 am

I didn't look inside your protector yet and don't know about the VM organization :D Anyway, in my opinion the best opcode set is RISC-based. I used to write my own VM for a few private projects; one is a stack-based RISC VM where I'm parsing each opcode into a set of add, imul etc. opcodes that are not touching eflags, for example:

; lea edi , dword ptr [ecx+01h]
_PUSHIMM   0
_PUSHADDR   ecx
_ADD
_PUSHIMM   $01
_ADD
_SETLASTSTACKARGASADDR
_PUSHADDR   edi
LEA   32

Cheers
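
Added example, not part of the original post and not the poster's or Enigma's VM: a minimal interpreter for the listing above, run under two different per-build opcode numberings to show that the encoded p-code changes between builds while the result and `eflags` do not. The handler semantics, the seeded-shuffle numbering scheme and all Python names are assumptions made for illustration.

```python
import random

OPS = ["PUSHIMM", "PUSHADDR", "ADD", "SETLASTSTACKARGASADDR", "LEA"]

# lea edi, dword ptr [ecx+01h], lowered as in the post's listing.
LISTING = [("PUSHIMM", 0), ("PUSHADDR", "ecx"), ("ADD", None),
           ("PUSHIMM", 1), ("ADD", None), ("SETLASTSTACKARGASADDR", None),
           ("PUSHADDR", "edi"), ("LEA", 32)]

def opcode_map(build_seed):
    """Per-build opcode numbering (constructed scheme: seeded shuffle)."""
    values = random.Random(build_seed).sample(range(256), len(OPS))
    return dict(zip(OPS, values))

def assemble(listing, omap):
    """Encode the listing as (opcode byte, operand) pairs for one build."""
    return [(omap[name], arg) for name, arg in listing]

def run(pcode, omap, regs):
    """Interpret p-code on a copy of regs; no handler writes regs['eflags']."""
    decode = {byte: name for name, byte in omap.items()}
    regs, stack, ea = dict(regs), [], None
    # Assumed: a register slot on the stack is read when used as an ADD operand.
    value = lambda x: regs[x] if isinstance(x, str) else x
    for byte, arg in pcode:
        op = decode[byte]
        if op in ("PUSHIMM", "PUSHADDR"):
            stack.append(arg)            # immediate, or a register slot name
        elif op == "ADD":
            b, a = value(stack.pop()), value(stack.pop())
            stack.append((a + b) & 0xFFFFFFFF)
        elif op == "SETLASTSTACKARGASADDR":
            ea = stack.pop()             # top of stack becomes the effective address
        elif op == "LEA":
            regs[stack.pop()] = ea & ((1 << arg) - 1)   # arg = operand width in bits
    return regs

def demo():
    start = {"ecx": 0x1000, "edi": 0, "eflags": 0x246}   # constructed sample state
    builds = [opcode_map(seed) for seed in (1, 2)]
    results = [run(assemble(LISTING, m), m, start) for m in builds]
    encodings = [[byte for byte, _ in assemble(LISTING, m)] for m in builds]
    return results, encodings

if __name__ == "__main__":
    results, encodings = demo()
    print(results[0], encodings)
```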

Enigma
Site Admin
Posts: 2516
Joined: Wed Aug 20, 2008 2:24 pm

Re: Virtual Machine code mutation

Post by Enigma » Thu Oct 14, 2010 3:17 pm

The common principles of a VM are the same in any kind of it! Enigma VM is similar in opcode set, with just one difference - it is not a stack VM.

The currently implemented VM is not only stable, it is also quick. I just worry that if I make it much more complex (really, it is not a problem to make it complex, it will take only a week to make it), the protected files will start and work very, very slowly...

Anyway, the current VM will be updated soon.
