Trick Protection Analyzers

Post here any topics that related to Enigma Protector, its functionality, your misunderstanding, offers to improvements etc etc etc
Majid
Posts: 138
Joined: Mon Nov 29, 2010 2:54 pm
Location: Iran
Contact:

Trick Protection Analyzers

Post by Majid » Sat Dec 25, 2010 9:09 am

Hi Enigma

I have an opinion . I don't know if this is possible .
When you analyze an executable that is protected with enigma , Analyzer will show "Enigma Protector x.x version" .
So I think analyzer will read "Enigma Protector" in protected exe & they show it .
So you can rename All enigma protector to "Nothing Found" . Then "nothing found" will be a protector & analyzers show "nothing found" .
I think if this is possible then we can trick so many crackers but advanced ones .
What do you think ? Am I right ?
Brothers To The End...

Sebastiano
Posts: 10
Joined: Wed Oct 13, 2010 1:55 pm
Contact:

Re: Trick Protection Analyzers

Post by Sebastiano » Sat Dec 25, 2010 10:03 am

No, u don't. Analyzer technique depends on signatures (some unique bytes sequence, one of thousands for enigma) also called as stubs. U can't hide from a scanner and hiding is not the point of the executable protection, this one goes to malware.

Majid
Posts: 138
Joined: Mon Nov 29, 2010 2:54 pm
Location: Iran
Contact:

Re: Trick Protection Analyzers

Post by Majid » Sat Dec 25, 2010 10:45 am

Hi My Friend Sebastiano

Ok , Then is there any way to change signatures ? I mean the developer of enigma (Vladimir) may change signatures to "Nothing found" , not us .
Brothers To The End...

Sebastiano
Posts: 10
Joined: Wed Oct 13, 2010 1:55 pm
Contact:

Re: Trick Protection Analyzers

Post by Sebastiano » Sat Dec 25, 2010 12:06 pm

No, he can't. Why u think that undetection will help in protection ?

Majid
Posts: 138
Joined: Mon Nov 29, 2010 2:54 pm
Location: Iran
Contact:

Re: Trick Protection Analyzers

Post by Majid » Sat Dec 25, 2010 12:26 pm

Hi My Friend Sebastiano
My Friend Sebastiano wrote:No, he can't. Why u think that undetection will help in protection ?
Because so many crackers can not find protection & they think really nothing is Found .
So I Think undetection is a professional protection mode .

By The Way , My post just is a question . Ok, If He can't no problem .
But Please Let me wait for his answer too .
Thank You Again
Brothers To The End...

Enigma
Site Admin
Posts: 2516
Joined: Wed Aug 20, 2008 2:24 pm

Re: Trick Protection Analyzers

Post by Enigma » Sun Dec 26, 2010 12:45 pm

Really, there is a feature in Enigma called PROTECTION FEATURES - File Analyzer Deception. There you may choose a signature that will be using to hide Enigma Protector from file analyzers.

As Sebastiano correctly wrote, the effect of this function depends on what techniques the file analyzer is using. This feature may hide Enigma from many analyzers, but some advanced still could detect it.

Anyway, I think this feature is little useless. Because if cracker can't detect Enigma due to File Analyzer Deception feature, I'm 100% guaranty he/she will not crack anything in Enigma.

Majid
Posts: 138
Joined: Mon Nov 29, 2010 2:54 pm
Location: Iran
Contact:

Re: Trick Protection Analyzers

Post by Majid » Sun Dec 26, 2010 12:48 pm

Hi My Friend Enigma

So Can you guide me ? I have just one Exe file . "URL 2 IP" As you saw in my tutorial .
So how can I change signature To trick Analyzers ? I try several times , but every time Analyzers show Enigma Protector as packer .
Can you guide me to hide Enigma ?
Brothers To The End...

Enigma
Site Admin
Posts: 2516
Joined: Wed Aug 20, 2008 2:24 pm

Re: Trick Protection Analyzers

Post by Enigma » Sun Dec 26, 2010 1:08 pm

that's very simple, open your project file, to go PROTECTION FEATURES - File Analyzer Deception panel, and there select, for example, Borland C++. After you protect the file, some analyzers should show Borland C++ instead of Enigma Protector.

But as I wrote, this does not work with all kind of file analyzers.

Majid
Posts: 138
Joined: Mon Nov 29, 2010 2:54 pm
Location: Iran
Contact:

Re: Trick Protection Analyzers

Post by Majid » Sun Dec 26, 2010 1:10 pm

Hi MY Friend Enigma

I'm using PiED & Protection ID . The most famous Analyzers .what should I write in "Name of the protection code section" ? Anything ?
PiED Can not detect but Protection ID can .
So Now ?
Brothers To The End...

Enigma
Site Admin
Posts: 2516
Joined: Wed Aug 20, 2008 2:24 pm

Re: Trick Protection Analyzers

Post by Enigma » Sun Dec 26, 2010 4:55 pm

Hi Majid,
Majid Pasha wrote:.what should I write in "Name of the protection code section" ? Anything ?
You may write there anything, write ".data" without quotes
Majid Pasha wrote:PiED Can not detect but Protection ID can .
yes, when I developed it, I've based on PEiD and not Protection ID. How to avoid detection of Protection ID? Looks like no way. Because to add additional deception methods I have to add new signatures to Enigma, but this may cause huge amount of false detections by antiviruses.

I just repeat, if cracker cannot determine what protection is used, even if protection is hidden like in this feature, this cracker will not pass the protection.

Post Reply