Arab Team for Reverse Engineering (الفريق العربي للهندسة العكسية)

Full version: Enigma Algorithm
Enigma Protector operates through a multi-stage workflow that transforms a standard executable into a hardened, licensed package. The process is divided into the Protection Phase (during development) and the Execution Phase (when the user runs the software).

Phase 1: Protection Algorithm

The algorithm for securing the file follows these steps:
  1. Code Analysis & Function Selection: The protector analyzes the input file (e.g., .exe or .dll). Developers use a MAP file or Virtual Machine (VM) markers in their source code to identify the critical functions that should be virtualized.
  2. Virtualization (PCODE Translation): The selected functions are translated from standard x86/x64 machine code into a proprietary PCODE (pseudo-code). This code means nothing to a normal CPU or disassembler and can only be executed by Enigma's custom virtual CPU.
  3. VM Generation: A unique virtual machine interpreter is generated and embedded into the protected file. This interpreter handles the execution of the PCODE during runtime.
  4. Encryption & Compression: The rest of the application code and data sections are compressed and encrypted. If the option is enabled, the encryption is keyed with an Encryption Constant that is stored only inside a valid license key, so these sections cannot be recovered without one.
  5. Import Table Hardening: The original Import Address Table (IAT), which lists the external libraries and functions the program needs, is modified or hidden so that reverse engineers cannot read the program's dependencies directly from the file.
  6. Injection of Protection Code: The Enigma loader code is injected into a new section of the executable to manage licensing, anti-debugging checks, and the VM.
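To make steps 2 and 3 concrete, here is an added example (not Enigma's code or its PCODE format): a toy virtualizer that translates a four-instruction x86 subset into PCODE using a per-build opcode table and immediate mask, together with the matching generated interpreter. The x86 subset, the PCODE layout, and the build seeds are assumptions for the demo.

```python
"""Toy model of protection steps 2-3: x86 code for a marked function is turned
into PCODE, and only the interpreter generated for that build can run it.
The x86 subset, PCODE layout and build seeds are demo assumptions, not Enigma's."""
import random
import struct

# Assumed x86 subset (opcode byte -> mnemonic, immediate size in bytes):
#   B8 imm32 = mov eax, imm32   05 imm32 = add eax, imm32
#   35 imm32 = xor eax, imm32   C3       = ret
X86_OPS = {0xB8: ("mov", 4), 0x05: ("add", 4), 0x35: ("xor", 4), 0xC3: ("ret", 0)}

# Constructed "native function": mov eax,0x1000; add eax,0x234; xor eax,0xFF; ret
NATIVE = bytes.fromhex("B800100000" "0534020000" "35FF000000" "C3")


def disassemble(code: bytes):
    """Decode the supported subset into (mnemonic, immediate) pairs, stopping at ret."""
    ops, i = [], 0
    while i < len(code):
        if code[i] not in X86_OPS:
            raise ValueError(f"unsupported opcode {code[i]:#x} at offset {i}")
        name, size = X86_OPS[code[i]]
        imm = struct.unpack_from("<I", code, i + 1)[0] if size else None
        ops.append((name, imm))
        i += 1 + size
        if name == "ret":
            break
    return ops


def generate_vm(build_seed: bytes) -> dict:
    """Step 3: a build-specific VM, i.e. a shuffled opcode table plus a 32-bit
    mask applied to every immediate. Two builds share neither."""
    rnd = random.Random(build_seed)
    codes = list(range(0x10, 0x100))
    rnd.shuffle(codes)
    table = {m: codes[k] for k, m in enumerate(("mov", "add", "xor", "ret"))}
    return {"table": table, "mask": rnd.getrandbits(32)}


def virtualize(code: bytes, vm: dict) -> bytes:
    """Step 2: translate native code into PCODE for this VM build."""
    out = bytearray()
    for name, imm in disassemble(code):
        out.append(vm["table"][name])
        if imm is not None:
            out += struct.pack("<I", imm ^ vm["mask"])
    return bytes(out)


def run_pcode(pcode: bytes, vm: dict) -> int:
    """The generated interpreter: executes PCODE on a virtual EAX and returns it."""
    inverse = {v: k for k, v in vm["table"].items()}
    eax, pc = 0, 0
    while pc < len(pcode):
        name = inverse.get(pcode[pc])
        if name is None:
            raise ValueError(f"byte {pcode[pc]:#x} is not an opcode of this VM build")
        pc += 1
        if name == "ret":
            return eax
        if pc + 4 > len(pcode):
            raise ValueError("truncated immediate")
        imm = struct.unpack_from("<I", pcode, pc)[0] ^ vm["mask"]
        pc += 4
        if name == "mov":
            eax = imm
        elif name == "add":
            eax = (eax + imm) & 0xFFFFFFFF
        else:  # xor
            eax ^= imm
    raise ValueError("PCODE ended without ret")


def foreign_vm_fails(pcode: bytes, other_vm: dict, expected: int) -> bool:
    """PCODE built for one VM either errors out or computes garbage on another build."""
    try:
        return run_pcode(pcode, other_vm) != expected
    except ValueError:
        return True


if __name__ == "__main__":
    vm_a = generate_vm(b"build-A")
    pcode = virtualize(NATIVE, vm_a)
    result = run_pcode(pcode, vm_a)
    print("native:", NATIVE.hex(), "pcode:", pcode.hex(), "eax:", hex(result))
    print("build-B interpreter rejects build-A PCODE:",
          foreign_vm_fails(pcode, generate_vm(b"build-B"), result))
```

Running it shows why every protected binary ships its own interpreter: the PCODE emitted for build-A has the same length as the native code but none of its opcode bytes, and fed to the interpreter generated for build-B it either hits an unknown opcode or decodes the masked immediates into garbage.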
Phase 2: Execution Algorithm

When a user launches the protected application, the internal loader follows this sequence:
  1. Anti-Analysis Checks: The loader immediately scans for debuggers (such as OllyDbg), virtual machines (such as VMware), and "blacklisted" processes. If any is detected, execution is terminated.
  2. Integrity Check (Control Sum): It verifies the checksums of both the application and the protection code. If any part has been patched or modified (e.g., by a crack), it stops the process.
  3. Licensing Verification
    • The loader checks for a stored registration key in the registry or a local file.
    • If a key is found, the loader verifies its signature with the embedded RSA public key (up to 4096-bit). If hardware locking is active, it also compares the current Hardware ID against the ID stored in the key.
    • If no valid key exists, it enters Trial Mode (applying limits on days or executions) or shows a registration dialog.
  4. Decryption & PCODE Execution: Once a valid license is confirmed, the loader retrieves the Encryption Constant from the key and decrypts the protected code sections. Virtualized functions are then executed through the embedded VM.
  5. Virtual Box Emulation: If external files were bundled, the loader hooks the file-access APIs so that the application transparently reads these files from memory rather than from the physical disk.
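Steps 3 and 4 above, as an added example rather than Enigma's own code or key format: a registration key carrying the Hardware ID and the Encryption Constant is signed with RSA; the loader verifies it with the embedded public key, enforces the hardware lock, recovers the constant and decrypts the protected section, or falls back to trial mode. Textbook RSA over SHA-256 (no padding), the JSON key body, the SHA-256 counter keystream cipher, and all sample data are assumptions for the demo.

```python
"""Toy model of execution-phase steps 3 and 4: verify the stored registration key
with the embedded RSA public key, enforce the hardware lock, recover the
Encryption Constant, decrypt the protected section, or fall back to trial mode.
Textbook RSA, the JSON key body and the keystream cipher are demo assumptions,
not Enigma's real key format or ciphers."""
import hashlib
import json
import random


def _probable_prime(n: int, rnd: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin test, used only by the toy key generator."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rnd.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits: int = 512, seed: bytes = b"vendor-signing-key"):
    """Vendor keypair (seeded so the demo is reproducible; real keys are not)."""
    rnd, e = random.Random(seed), 65537

    def prime() -> int:
        while True:
            c = rnd.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
            if _probable_prime(c, rnd):
                return c

    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:          # e must be invertible modulo phi
            break
    return (p * q, e), (p * q, pow(e, -1, phi))   # (public, private)


def issue_key(priv, hwid: str, enc_const: int) -> bytes:
    """Vendor side: licence fields followed by an RSA signature over their SHA-256."""
    n, d = priv
    body = json.dumps({"hwid": hwid, "const": enc_const}, sort_keys=True).encode()
    h = int.from_bytes(hashlib.sha256(body).digest(), "big")
    return body + pow(h, d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify_key(pub, key: bytes):
    """Loader side: signature first, parse second. None means forged or patched."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    body, sig = key[:-k], int.from_bytes(key[-k:], "big")
    h = int.from_bytes(hashlib.sha256(body).digest(), "big")
    return json.loads(body) if pow(sig, e, n) == h else None


def section_cipher(data: bytes, enc_const: int) -> bytes:
    """Section (de)cryption keyed by the Encryption Constant: SHA-256 counter keystream."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(enc_const.to_bytes(8, "big") + off.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def loader(pub, stored_key, current_hwid: str, encrypted_section: bytes,
           trial_state: dict, trial_limit: int = 30):
    """Returns (mode, decrypted section or None); trial mode counts executions."""
    fields = verify_key(pub, stored_key) if stored_key else None
    if fields is not None and fields["hwid"] != current_hwid:
        fields = None                  # genuine key, but locked to another machine
    if fields is None:
        trial_state["runs"] += 1
        return ("trial" if trial_state["runs"] <= trial_limit else "expired"), None
    return "registered", section_cipher(encrypted_section, fields["const"])


# Constructed demo data: vendor keypair, a fake code section, its encrypted form, one key.
PUB, PRIV = rsa_keygen()
SECTION = b"\x55\x8b\xec\x83\xec\x10" + b"protected function body"
ENC_CONST = 0x5EEDCAFEF00D1234
ENCRYPTED = section_cipher(SECTION, ENC_CONST)
GOOD_KEY = issue_key(PRIV, "HW-1234-ABCD", ENC_CONST)

if __name__ == "__main__":
    print(loader(PUB, GOOD_KEY, "HW-1234-ABCD", ENCRYPTED, {"runs": 0})[0])   # registered
    print(loader(PUB, GOOD_KEY, "HW-9999-ZZZZ", ENCRYPTED, {"runs": 0}))      # wrong machine
    print(loader(PUB, None, "HW-1234-ABCD", ENCRYPTED, {"runs": 30}))         # trial exhausted
```

Note the ordering the loader depends on: the signature is checked before the key body is parsed, the hardware lock is enforced before the constant is used, and a patched key simply drops the program into trial mode. The part a cracker targets is therefore not the RSA math but the branch after `verify_key`, which is one reason the Control Sum check in step 2 also covers the protection code itself.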