Virtual Machine code mutation
- Posts: 10
- Joined: Wed Oct 13, 2010 1:55 pm
Virtual Machine code mutation
Hello, I wanna know 'bout mutation of native VM code - is it present at all?
Re: Virtual Machine code mutation
Yes, surely.
Enigma embeds the loader in the protected file, just a set of many routines. Almost all of these routines are virtualized. Virtualization means that the native code is transformed into special p-code, which is then executed on the internal virtual processor. When a reverser tries to analyze the code, he will not see the native code, just many calls to the virtual machine.
You may also set up virtualization for the native code of your executable yourself. There are two ways to do this:
1. By means of VM markers, you may select parts of the code
2. By means of the Virtual Machine feature in Enigma, you may select particular functions
Virtualization of the native code of the exe is similar to virtualization of the loader.
Re: Virtual Machine code mutation
Thx, I hope that in every next build the VM opcode set will be different compared with the previous one, am I right?
Re: Virtual Machine code mutation
Yes, you are correct, this is a high priority task!
Do you think the current set of opcodes is too simple?
Re: Virtual Machine code mutation
I didn't look inside of ur protector yet and don't know about the VM organization. Anyway, in my opinion the best opcode set is RISC-based. I used to write my own VM for a few private projects; one is a stack-based RISC VM where I'm parsing each opcode into a set of add, imul etc. opcodes that r not touching eflags, for ex.
Cheers
Code:
; lea edi , dword ptr [ecx+01h]
_PUSHIMM 0
_PUSHADDR ecx
_ADD
_PUSHIMM $01
_ADD
_SETLASTSTACKARGASADDR
_PUSHADDR edi
LEA 32
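
The lowering described in the post above, together with the per-build opcode renumbering asked about earlier in the thread, sketched as an added example (not part of the thread, and not the poster's or Enigma's code). The operation names, their semantics and the seeded byte assignment are assumptions made for illustration.

```python
import random

MASK = 0xFFFFFFFF  # 32-bit wraparound
# Hypothetical operation names (assumed; not the poster's or Enigma's opcodes).
OPS = ("PUSH_IMM", "PUSH_REG", "ADD", "MUL", "POP_REG")

def lower_lea(dst, base=None, index=None, scale=1, disp=0):
    """Lower `lea dst, [base + index*scale + disp]` into stack p-code."""
    code = [("PUSH_IMM", disp & MASK)]
    if base:
        code += [("PUSH_REG", base), ("ADD", None)]
    if index:
        code += [("PUSH_REG", index), ("PUSH_IMM", scale),
                 ("MUL", None), ("ADD", None)]
    return code + [("POP_REG", dst)]

def opcode_map(build_seed):
    """Per-build opcode numbering: a seeded choice of distinct byte values."""
    values = random.Random(build_seed).sample(range(256), len(OPS))
    return dict(zip(OPS, values))

def encode(code, opmap):
    """Replace operation names with this build's opcode bytes."""
    return [(opmap[op], arg) for op, arg in code]

def run(encoded, opmap, regs):
    """Interpret encoded p-code. The VM has no flags state to modify."""
    decode = {byte: op for op, byte in opmap.items()}
    regs, stack = dict(regs), []
    for byte, arg in encoded:
        op = decode[byte]
        if op == "PUSH_IMM":
            stack.append(arg & MASK)
        elif op == "PUSH_REG":
            stack.append(regs[arg] & MASK)
        elif op in ("ADD", "MUL"):
            b, a = stack.pop(), stack.pop()
            stack.append((a + b if op == "ADD" else a * b) & MASK)
        elif op == "POP_REG":
            regs[arg] = stack.pop()
    return regs

if __name__ == "__main__":
    pcode = lower_lea("edi", base="ecx", disp=1)  # lea edi, [ecx+01h]
    for seed in (1, 2):  # constructed build identifiers
        m = opcode_map(seed)
        enc = encode(pcode, m)
        print(seed, [b for b, _ in enc], hex(run(enc, m, {"ecx": 0x1000, "edi": 0})["edi"]))
```

The same p-code gets a different byte encoding under each build seed while computing the same result, which is what makes a handler table recovered from one build unusable as-is on the next.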
Re: Virtual Machine code mutation
The common principles of a VM are the same in any kind of it! Enigma VM is similar in opcode set, with just one difference - it is not a stack VM.
The currently implemented VM is not only stable, it is also quick. I just worry that if I make it much more complex (really, it is not a problem to make it complex, it will take only a week to make it), the protected files will start and work very, very slowly...
Anyway, the current VM will be updated soon.