Trick Protection Analyzers

Post by Majid »

Hi Enigma

I have an opinion. I don't know if this is possible.
When you analyze an executable that is protected with Enigma, the analyzer will show "Enigma Protector x.x version".
So I think the analyzer reads "Enigma Protector" in the protected exe and shows it.
So you can rename all "Enigma Protector" to "Nothing Found". Then "nothing found" will be a protector and analyzers show "nothing found".
I think if this is possible then we can trick so many crackers but advanced ones.
What do you think? Am I right?

Post by Sebastiano »

No, you don't. The analyzer technique depends on signatures (some unique byte sequence, one of thousands for Enigma), also called stubs. You can't hide from a scanner, and hiding is not the point of executable protection; that one goes to malware.

Post by Majid »

Hi My Friend Sebastiano

OK, then is there any way to change the signatures? I mean the developer of Enigma (Vladimir) may change the signatures to "Nothing found", not us.

Post by Sebastiano »

No, he can't. Why do you think that undetection will help in protection?

Post by Majid »

Hi My Friend Sebastiano
My Friend Sebastiano wrote: No, he can't. Why u think that undetection will help in protection ?
Because so many crackers cannot find the protection and they think really nothing is found.
So I think undetection is a professional protection mode.

By the way, my post is just a question. OK, if he can't, no problem.
But please let me wait for his answer too.
Thank you again

Post by Enigma »

Really, there is a feature in Enigma called PROTECTION FEATURES - File Analyzer Deception. There you may choose a signature that will be used to hide Enigma Protector from file analyzers.

As Sebastiano correctly wrote, the effect of this function depends on what techniques the file analyzer is using. This feature may hide Enigma from many analyzers, but some advanced ones could still detect it.

Anyway, I think this feature is a little useless. Because if a cracker can't detect Enigma due to the File Analyzer Deception feature, I 100% guarantee he/she will not crack anything in Enigma.

Post by Majid »

Hi My Friend Enigma

So can you guide me? I have just one exe file, "URL 2 IP", as you saw in my tutorial.
So how can I change the signature to trick analyzers? I tried several times, but every time analyzers show Enigma Protector as the packer.
Can you guide me to hide Enigma?

Post by Enigma »

That's very simple: open your project file, go to the PROTECTION FEATURES - File Analyzer Deception panel, and there select, for example, Borland C++. After you protect the file, some analyzers should show Borland C++ instead of Enigma Protector.

But as I wrote, this does not work with all kinds of file analyzers.

Post by Majid »

Hi My Friend Enigma

I'm using PEiD & Protection ID, the most famous analyzers. What should I write in "Name of the protection code section"? Anything?
PEiD cannot detect it but Protection ID can.
So now?

Post by Enigma »

Hi Majid,
Majid Pasha wrote: .what should I write in "Name of the protection code section" ? Anything ?
You may write anything there; write ".data" without quotes.
Majid Pasha wrote: PiED Can not detect but Protection ID can .
Yes, when I developed it, I based it on PEiD and not Protection ID. How to avoid detection by Protection ID? Looks like no way. Because to add additional deception methods I have to add new signatures to Enigma, but this may cause a huge amount of false detections by antiviruses.

I just repeat: if a cracker cannot determine what protection is used, even if the protection is hidden like in this feature, this cracker will not pass the protection.
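
Added example, not part of the thread and not code from Enigma, PEiD or Protection ID: a minimal entry-point signature scanner with `??` wildcards, next to a second analyzer that also checks section entropy, showing why a swapped entry stub changes the first verdict but not the second. The signature names, byte patterns, sample inputs and the entropy threshold are all constructed assumptions.

```python
import math

# Constructed signature database in the PEiD userdb style: hex bytes compared at the
# entry point, "??" matches any byte. Names and patterns are invented for this example.
SIGNATURES = {
    "ExampleProtector 1.x": "60 E8 ?? ?? ?? ?? 5D 81 ED",
    "ExampleCompiler C++": "55 8B EC 83 EC ?? 53 56 57",
}

def match_signature(ep_bytes: bytes, pattern: str) -> bool:
    """True if the bytes at the entry point match the pattern, honouring ?? wildcards."""
    tokens = pattern.split()
    if len(ep_bytes) < len(tokens):
        return False  # a truncated entry point cannot match
    return all(t == "??" or int(t, 16) == b for t, b in zip(tokens, ep_bytes))

def scan_entry_point(ep_bytes: bytes) -> str:
    """Signature-only analyzer: reports the first matching name."""
    for name, pattern in SIGNATURES.items():
        if match_signature(ep_bytes, pattern):
            return name
    return "Nothing found"

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte (0.0 to 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def scan_with_heuristic(ep_bytes: bytes, section: bytes, threshold: float = 7.0) -> str:
    """Second analyzer (assumed design): signature verdict plus an entropy check."""
    verdict = scan_entry_point(ep_bytes)
    if shannon_entropy(section) > threshold:
        verdict += " [high-entropy section: likely packed or protected]"
    return verdict

# Constructed sample inputs, not taken from any real file.
PROTECTED_EP = bytes.fromhex("60E8000000005D81ED10204000")
SPOOFED_EP = bytes.fromhex("558BEC83EC1053565733C0")   # compiler-looking stub
PACKED_BODY = bytes(range(256)) * 16                    # stand-in for encrypted data
PLAIN_BODY = (b"\x55\x8b\xec" + b"\x00" * 13) * 256     # stand-in for ordinary code

if __name__ == "__main__":
    print(scan_entry_point(PROTECTED_EP))
    print(scan_entry_point(SPOOFED_EP))
    print(scan_with_heuristic(SPOOFED_EP, PACKED_BODY))
    print(scan_with_heuristic(SPOOFED_EP, PLAIN_BODY))
```

The signature-only scan trusts whatever bytes sit at the entry point, while the second scan still flags the file because the protected payload itself has not changed.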