Identifying licenses / users from packed executables

[Notmex]

Does maybe someone know if it is possible for protector vendors (like vmprotect) to identify the user that protected an executable? by watermarks or license hints that are implemented in the protected application?

[evlncrn8]

yes if they have designed such things in their products, its entirely possible

[giv]

Yes.
A simple hash in the protected executable code could identify the user who own the legitimate product that protected the file.
Many vendors do that.
That is why some antivirus software alarm when a file is suposed to be protected with a legitimate protector.
The AV company have the watermarks for the real products and they don't recognise the cracked/patched etc. products.

[Notmex]

Thats what I heard in the past.. Leaked versions get detected by AVs. So I guess they submitted a method to identify a packed/protected executable and even allow access to something like a hash or so to identify a leaked/cracked version to AV companies. So it wont be good to use a leggit purchased protector to protect something evil as it prolly can be tracked back and even released/leaked versions are more evil since the AVs are able to filter them out before execution.

[giv]

Is not good thing at all to do some evil stuff.

[Conquest]

Quote:

Originally Posted by Notmex

Thats what I heard in the past.. Leaked versions get detected by AVs. So I guess they submitted a method to identify a packed/protected executable and even allow access to something like a hash or so to identify a leaked/cracked version to AV companies. So it wont be good to use a leggit purchased protector to protect something evil as it prolly can be tracked back and even released/leaked versions are more evil since the AVs are able to filter them out before execution.

sometime AVs block virtualized protected apps just because they dont accompany a valid signature/certificate. but recently this trend has come to a stop . now a days most AVs just flag something illegal if they find out certain protector watermarks which are part of publicly compromised distributions. kaspersky and mcafee used to flag any vmp app which isnt digitally signed or has been tempered. I dont know if they still do so(i just comodo firewall nothing else since i am fed up with antiviruses triggering out now and then).
More or less if you are thinking about doing something malicious , dont rely on protectors . those days are gone.
rather learn something new by making ur own obfuscator.

[atomix]

Yes, it is possible to watermark an app or the result of using an app (packed exe, image file, audio/video) using a hash or a user-specific string. Watch out if you suspect something. I've seen this before, and fortunately I could compare my licensed copy with another one and found the culprit hash used.