
"Options" tab

The "Options" tab is used to specify protection options:

File

  • Memory protection – this option allows protection of the file image in memory from any changes (the data integrity is checked in all sections that have no WRITABLE attribute). The image integrity is checked before control is handed over to the original entry point of the program. If the integrity is broken, the corresponding message will be displayed and the further execution of the program will be completely stopped.
  • Import protection – this option allows you to hide the list of APIs used by the protected program from the cracker (it is recommended to use it together with packing the output file).
  • Resource protection – this option allows you to encrypt resources, except icons, the manifest and some other system types.
  • Pack the output file – this option enables packing of the protected file, which makes it smaller. The protected file is unpacked automatically once it is run. The file is unpacked completely in RAM without writing any data to the disk. There are two compression modes:
    • Fast – the mode offers the minimum compression level and maximum unpacking rate
    • Best – the mode offers the maximum compression level and minimum unpacking rate

    If this option is used, it is recommended to include EntryPoint in the list of protected objects. The EntryPoint address is displayed on the status bar of the main window.

    Important:
    Once the program is run, control will be handed over to EntryPoint after the program is unpacked. If the code of EntryPoint is virtualized, this code will be executed on the same VM interpreter as the code of the unpacker. Virtualizing EntryPoint together with packing the protected file prevents the "manual" unpacking of the protected file because the cracker will have to restore the code of EntryPoint in order to get a working file image.
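
The idea behind the Memory protection option above, as an added example (not VMProtect's code): digest every section of a mapped image that lacks the WRITE attribute and compare the result with a baseline. The sample image, the function names and the choice of SHA-256 are assumptions of this example; the manual does not say which checksum VMProtect uses.

```python
import hashlib
import struct

IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes

def build_sample_image():
    """Constructed sample: a mapped PE-like image with .text (R/X) and .data (R/W)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0x102)
    text = SECTION_HEADER.pack(b".text", 32, 0x1000, 32, 0, 0, 0, 0, 0, 0x60000020)
    data = SECTION_HEADER.pack(b".data", 32, 0x2000, 32, 0, 0, 0, 0, 0, 0xC0000040)
    headers = dos + b"PE\0\0" + coff + text + data
    image = bytearray(0x3000)
    image[:len(headers)] = headers
    image[0x1000:0x1020] = b"\x90" * 32                     # stand-in for code
    return image

def readonly_section_digests(image):
    """Return {section name: SHA-256} for sections without the WRITE attribute."""
    pe = struct.unpack_from("<I", image, 0x3C)[0]
    if image[:2] != b"MZ" or image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    count, opt_size = struct.unpack_from("<H12xH", image, pe + 6)
    table = pe + 24 + opt_size                              # first section header
    digests = {}
    for i in range(count):
        name, vsize, vaddr, *_, flags = SECTION_HEADER.unpack_from(
            image, table + i * SECTION_HEADER.size)
        if flags & IMAGE_SCN_MEM_WRITE:
            continue  # writable sections change legitimately at run time
        body = bytes(image[vaddr:vaddr + vsize])
        digests[name.rstrip(b"\0").decode()] = hashlib.sha256(body).hexdigest()
    return digests

def modified_sections(baseline, image):
    """Names of read-only sections whose contents no longer match the baseline."""
    current = readonly_section_digests(image)
    return sorted(n for n, d in baseline.items() if current.get(n) != d)

if __name__ == "__main__":
    image = build_sample_image()
    baseline = readonly_section_digests(image)   # taken when the file is built
    image[0x1000] = 0xCC                         # constructed change in .text
    print("modified:", modified_sections(baseline, image))
```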

Compilation

  • Virtual Machines – Each VM will have its own unique set of properties. Different VMs from those specified will be used to virtualize different sections of the code. This option makes it harder to analyze and decompile bytecode since the cracker will have to analyze all VM interpreters used in the protected file.
  • Debug mode (search of external addresses) – during protection VMProtect uses the space freed during the compilation process for its own needs, including storing various data (virtualized code, mutated code, VM interpreters, etc.). This is why jumps from other parts of the program may land "inside" the protected code (the addresses such jumps are directed to are called external). A similar situation may occur when code markers are used and a jump from an unprotected section of the code lands inside the marker:
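    VMProtectBegin(nil);
    for I := 0 to 10 do
    begin
      Inc(J);
      // The marker ends inside the loop body, so the loop's jump back
      // to Inc(J) is left outside the protected code
      VMProtectEnd;
    end;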

    This loop in the form of assembler instructions looks like this:

    ------------------ marker start -----------------
    0044D12C 	mov eax, 0000000B
    0044D131 	inc ebx
    ------------------- marker end ------------------
    0044D132 	dec eax
    0044D133 	jnz 0044D131

    It is obvious that after the virtualization of the instructions with addresses 0044D12C and 0044D131, an error will occur during the execution of the non-virtualized conditional jump instruction with address 0044D133 (since there is various data or just garbage at 0044D131 instead of the original code). Address 0044D131 will be external in this example.

    When the "Debug mode" option is enabled, the INT 03 instruction will take the place of the original code. It is a regular breakpoint and a service instruction when the program is running in the debugger. If control is transferred to 0044D131 while the protected program is running in the debugger, the breakpoint will be triggered and the address the jump came from can be viewed once the debugger window opens.

    In case such jumps are detected, it is recommended to check whether code markers are inserted correctly. In some cases the protected code is not marked with markers or it will be impossible to change the logic of the program so that there are no jumps from other sections of the program inside the protected code. In these circumstances, use the GUI version of the application to mark these addresses as external.

  • Check the integrity of VM objects – this option allows you to silently check the integrity of all virtualized sections of the code and VM interpreters. A silent check means that the protected program will not show any messages if the integrity of VM objects is broken; instead, the virtualized code will function incorrectly, which will lead to critical errors and, therefore, to the complete crash of the protected program. This option also detects the changes to VM interpreters that occur when software breakpoints are set while the protected program is being debugged.
  • Encrypt registers at VM output – if this option is enabled, the registers of the processor will contain encrypted values at VM output and these values will be decrypted in different places for each protected section of the code. This option prevents the analysis of register states at VM output.
  • Hide constants – if this option is enabled, it will be impossible to find the addresses of variables or the addresses of called functions in the bytecode in the open form. This option does not allow the protection of string constants.
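
An added example (not part of VMProtect) that finds external addresses as described under "Debug mode" above: it parses the manual's listing and reports direct branches from unprotected code that land inside the marker range. The function names and the listing format are assumptions of this example.

```python
import re

# Listing copied from the manual's example; the marker range covers the two
# virtualized instructions (0044D12C and 0044D131).
LISTING = """
0044D12C  mov eax, 0000000B
0044D131  inc ebx
0044D132  dec eax
0044D133  jnz 0044D131
"""
MARKER = (0x0044D12C, 0x0044D131)

# Direct branches with an absolute hex target, as printed in the listing.
BRANCH = re.compile(r"^(j[a-z]+|call|loop[a-z]*)\s+([0-9A-Fa-f]+)$")

def parse_listing(text):
    """Return [(address, branch_target or None)] for 'ADDR mnemonic ops' lines."""
    rows = []
    for line in text.strip().splitlines():
        addr, insn = line.split(None, 1)
        m = BRANCH.match(insn.strip())
        rows.append((int(addr, 16), int(m.group(2), 16) if m else None))
    return rows

def find_external_addresses(text, marker):
    """Map each external address to the unprotected branches that target it."""
    first, last = marker
    external = {}
    for addr, target in parse_listing(text):
        if target is None or first <= addr <= last:
            continue  # not a direct branch, or the branch itself is virtualized
        # Assumption: entering at the marker's first instruction is the normal
        # entry into protected code, so only targets past it are reported.
        if first < target <= last:
            external.setdefault(target, []).append(addr)
    return external

if __name__ == "__main__":
    for target, sources in find_external_addresses(LISTING, MARKER).items():
        print(f"external address {target:08X} reached from "
              + ", ".join(f"{s:08X}" for s in sources))
```

Moving the end of the marker range past the `jnz` (that is, placing VMProtectEnd after the loop) makes the function return an empty result for the same listing.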

Detection

  • Debugger – this option prevents the debugging of the protected file. There are 2 types of debuggers: user-mode (OllyDBG, WinDBG, etc) and kernel-mode (SoftICE, Syser, etc). Debuggers are detected before control is handed over to the original entry point of the program. If a debugger is detected, the corresponding message will be displayed and the further execution of the program will be stopped.
  • Virtualization tools – this option prevents the protected file from being run in all kinds of virtual environments: VMware, Virtual PC, VirtualBox, Sandboxie. Virtual environments are detected before control is handed over to the original entry point of the program. If a virtual environment is detected, the corresponding message will be displayed and the further execution of the program will be stopped.

Sections

  • VM sections – additional sections will be added to the file during compilation. Data will be written to these sections (virtualized code, mutated code, VM interpreters, watermarks, etc). This option allows the specification of names for new sections. It is recommended to change the standard ".vmp" section names (for example, to ".UPX").
  • Remove fixup elements – some compilers (Delphi in particular) create a list of fixup elements for EXE files, but the operating system does not use these elements while loading EXE files. If the option is enabled, the section occupied by the list of fixup elements will be used for VM needs.

Watermarks

Use the drop-down list to select the necessary watermark in order to include it in the protected file. The drop-down list contains only those watermarks that are enabled for use.

Licensing parameters

Use the file with parameters created in License Manager here. By default, the current project file is used.

Additional options for the SenseLock Edition

Use these licensing options for all procedures

If this option is used, these licensing options will be applied to all objects included in the project with the "Use key" option enabled:

  • Do not use license – if this option is used, during code execution of the current object the system will be checked for a connected SenseLock key without a licensing system;
  • Use license – if this option is used, during code execution of the current object the SenseLock key will be checked for a license with the specified number and version.

SenseLock

  • Master key password – use this field to specify which password VMProtect uses to access the master key containing the software protection module. The master key comes with the VMProtect SenseLock Edition and is used only by the software product developer;
  • User PIN – use this field to specify which password the protected application uses to access the user key that is delivered to the end user together with the protected application. User keys are not delivered together with the VMProtect SenseLock Edition;
  • Key identifier – this parameter may contain the key identifier that the particular copy of the protected application is bound to. To automatically enter the identifier, connect the corresponding user key to the computer and click the button.