Bugs in Enigma Virtual Box
While working on a new version of my static EnigmaVB unpacker, I tried to generate test files to cover most of the Enigma Virtual Box features. In the process, I ran into quite a few bugs in Enigma Virtual Box v7.40.
So, here's a short list:
Registry virtualization
1. Importing REG file with wrapped lines:
    "RootFolder"=hex:01,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,00,00,00,\
      64,00,00,00
Data gets truncated at the end of the first line.
2. Importing REG file with entry type REG_NONE:
    "WMP11.AssocFile.3G2"=hex(0):
It gets virtualized as a string value "hex(0):"
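For comparison, here is a minimal REG value parser that handles both cases above: it joins backslash-continued lines before decoding, and it treats hex(0): with no bytes as a zero-length REG_NONE value. It is an added example, not code from the unpacker or from Enigma Virtual Box; the key path in the sample and the function names are assumptions made for illustration.

```python
import re

REG_NONE, REG_SZ, REG_BINARY, REG_DWORD = 0, 1, 3, 4

# Constructed sample: the two values are the ones quoted in the post,
# the key path is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Example]
"RootFolder"=hex:01,00,00,00,00,00,00,00,01,00,00,00,04,00,00,00,01,00,00,00,\
  64,00,00,00
"WMP11.AssocFile.3G2"=hex(0):
'''

VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|@)=(?P<data>.*)$')
HEX_RE = re.compile(r'^hex(?:\((?P<type>[0-9a-fA-F]+)\))?:(?P<bytes>.*)$')

def logical_lines(text):
    """Join physical lines that end in a backslash into one logical line."""
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        yield pending + line
        pending = ""

def parse_reg(text):
    """Return {key_path: {value_name: (reg_type, data)}}."""
    keys, current = {}, None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if current is None or not m:
            continue
        name, data = m.group("name") or "", m.group("data")
        h = HEX_RE.match(data)
        if h:
            # hex: is REG_BINARY; hex(N): carries the type number in hex.
            # An empty byte list is valid and yields zero-length data.
            rtype = int(h.group("type"), 16) if h.group("type") else REG_BINARY
            blob = bytes(int(b, 16) for b in h.group("bytes").split(",") if b.strip())
            current[name] = (rtype, blob)
        elif data.startswith("dword:"):
            current[name] = (REG_DWORD, int(data[6:], 16))
        elif data.startswith('"'):
            current[name] = (REG_SZ, re.sub(r"\\(.)", r"\1", data[1:-1]))
    return keys
```

Multi-line string values and escaped characters in value names are not handled here.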
File virtualization
1. If size of any embedded file > 4GB: creates invalid x86 executable;
2. If total size of all embedded files > 4GB: creates invalid x86 executable;
3. If size of main EXE > 2 GB: creates executable that seems to be valid but won't run;
..and that's only for x86 executables. I wonder how many more issues will surface when I start testing x64 executables.
TLS callbacks
Since Enigma Virtual Box uses TLS callbacks to initialize its hooks and handlers, it will (accidentally?) break any executable that also uses TLS callbacks. However, it preserves TLS StartAddressOfRawData, EndAddressOfRawData and AddressOfIndex fields. Very weird..
Have fun (and remember to test your software properly)!