Bug in Enigma Protector x64: 0xc0000018 error on Win10 x64

x64 version issues
Post Reply
Posts: 11
Joined: Fri May 01, 2020 10:07 am

Bug in Enigma Protector x64: 0xc0000018 error on Win10 x64

Post by robert256 »

Hi Enigma,

On one of my 64-bit Win10 test-PCs I'm experiencing the exact same problem as described here:
When my program is protected with EP (with one dll in the virtual box option) it works on several PCs, but on this particular PC it gives the 0xc0000018 (The application was unable to start correctly) error when starting and then exits. When I use VirtualBox to pack the exe and dll, all is fine (but when I first pack the DLL with UPX and put that in the VirtualBox, I get the same error).

Things I have tested so far:
- SFC /scannow: doesn't find any problems
- APPINIT_DLLS registry key is empty
- Remove virus scanner
- Disable Eploit Protection in Win10
- Run different compatibility modes
- Make sure I use only small static buffers, so no overflow to another DLL memory occurs.

But I still get that error.

That leaves only one thing that might be causing this error: it probably is caused by a memory-mapping collision.

My C++ executable (Visual Studio) is compiled using the "Randomized Base Address" option (/DYNAMICBASE), and I made sure the dll I'm packing also has this setting (both have .reloc sections). However, the EP-protected executable doesn't seem to have /DYNAMICBASE enabled (I don't see a .reloc section), so I assume it (or at least the Virtual Box option) is using a static base address, which in this PC probably collides with an already present dll in that memory space.

I have tried protecting the exe without packing the dll in the virtual box (but with virtual box option on), and I get exactly the same error, so it seems the problem is caused in the main executable, not in the dll itself. When I disable the EP virtual box option, everything works fine (but then my data and dll are not protected :( ).

Is it possible to change the current static base address to another value? Or have a few different options? Or maybe add an option to randomize this? (for instance change it per protection build, so when a customer encounters this error, I can simply re-protect the exe with a different base address and send him an updated file?). Or, even better, provide support for /DYNAMICBASE?

Thank you in advance!

Best regards, Robert

Update 1: when the exe is called from another program, the protected exe sometimes does start (so it seems that forces the exe in another memory space. Will investigate this further.

Update 2: I found a workaround, by just calling the exe from a loader program, using the WinExec function. Then it starts without problems. Still, it would be better if EP didn't cause these problems.
Post Reply