Have you people ever considered the following:
Run MetaTrader as you usually do. Load your damn heavily protected Indicators or whatever. Run a process dumping tool and dump the entire memory of the terminal.exe process to a file (... and maybe other memory ranges it allocates). Use a hex editor or normal text editor and search for fragments of your so perfectly protected Indicators.
I haven't tried this but I do have nearly 30 years of knowledge in low level programming (680x0 assembler, powerpc and so on).
OK, I was a bit in a hurry when I replied to this thread and thus I'd like to extend it by a few lines. Something like real code protection does not exist. You might be able to crypt, move, rotate, copylock your code, but at the end it's naked again.
For example: In former times I have written programs and dumped the start and end address of the code into a file. All jumps inside the code were set to a relative offset and the code (which is normal data after all) got rotated by 1 bit. The code is therefore not existing anymore. You can append a loader part to your code and have it unrotate again and have it re-allocate the addresses of the labels (usually found in hunks). Jump to entry and voila you run the program again.
Therefore the majority of people will believe that your program or indicator is well protected because you can't read any labels or other things from the crypt (executable). At the end it's visible again. Visible once you run it and have it executed through your process (or program).
You can cripple, shift code and/or do protection as much as you want. Once the program runs, then most of the protection is gone again (with some exceptions like keyfile or serial numbers etc.).
So I am assuming the same for indicators. They get compiled, yes. Is it a binary? Don't know. Is it a bytecode? I don't know either. But I am quite sure that once you run it in terminal.exe and you dump the memory areas that terminal.exe allocated for the indicator, that you might be able to get traces of your code (even if it's strings of used text inside it or similar).
Maybe you might get some sort of CODE back as in your *.mql4 files. Maybe you won't. Maybe you get some bytecode, maybe not. Maybe you get something. Maybe terminal.exe has its own code-interpreter inside that interprets the code generated by the metaeditor.exe so terminal.exe understands. As I previously said, I haven't tried it.
What I like to explain is that if you want to crypt or protect your code then don't always see it from one side (e.g. the ex4 files that the metaeditor compiled and covered with some unknown code). See it also from the other side. Once you run it, your protected code is naked again. And this is one part to get the fingers on it. Can work. Must not.
One negative effect by dumping the start and end address of a running code is this. Everything is initialized. Arrays are filled with values, placeholders could have values etc.
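The rotate-by-one-bit scheme described in the post above, as an added example that is not part of the original thread: it shows that a marker string is unsearchable in the stored image but searchable again once the loader step has run. The per-byte rotation, the function names and the sample buffer are assumptions made for illustration; the buffer is constructed and is not real indicator code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* "Protect" step: rotate every byte left by one bit (per-byte rotation is an assumption). */
static void rol1_buf(uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)((buf[i] << 1) | (buf[i] >> 7));
}

/* Loader step: rotate every byte right by one bit before the code is used. */
static void ror1_buf(uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)((buf[i] >> 1) | (buf[i] << 7));
}

/* Plain byte search, standing in for a text search over a file or memory image. */
static int contains(const uint8_t *hay, size_t hn, const char *needle) {
    size_t nn = strlen(needle);
    if (nn == 0 || nn > hn) return 0;
    for (size_t i = 0; i + nn <= hn; i++)
        if (memcmp(hay + i, needle, nn) == 0) return 1;
    return 0;
}

/* Constructed sample image with an embedded string (hypothetical content). */
static const char SAMPLE[] = "\x01\x02hdr\x00MyIndicator v1: secret_period=21\x00\xff";

/* Bit 0: marker visible in the stored form. Bit 1: visible after the loader ran. */
int demo(void) {
    uint8_t image[sizeof SAMPLE];
    size_t n = sizeof SAMPLE;
    memcpy(image, SAMPLE, n);
    rol1_buf(image, n);                      /* what sits on disk */
    int at_rest = contains(image, n, "secret_period");
    ror1_buf(image, n);                      /* what sits in memory at run time */
    int at_run = contains(image, n, "secret_period");
    return at_rest | (at_run << 1);
}

int main(void) {
    int r = demo();
    printf("visible at rest: %d, visible once loaded: %d\n", r & 1, (r >> 1) & 1);
    return 0;
}
```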
Good points Ali. Thanks.
The mining in the memory dump seems to be an expensive solution. So far the only cheap solution came from knowledge leakage from Metaquotes. I expect that someone who is capable of memory code mining can code the MQL4 himself from scratch for less effort. It currently makes me feel safe until a new knowledge leakage appears to enable cheap decoders. Then plan B comes: coding it in a way which makes tampering with the disassembled code worth a high cost.