Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Tue Sep 16, 2008 6:30 pm
I still don't understand how this bypassed the hash checks. If you alter the variable the checks should fail.
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Tue Sep 16, 2008 6:32 pm
Hehe, go re-check your checks and I'll look out for another revision tomorrow.
Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Tue Sep 16, 2008 7:24 pm
I've updated the code and I'm now doing some funky stuff with the value. I attempted your method and I can't get it to work now (whereas I did in the old version). Test it out.
rapion124 Grandmaster Cheater Supreme Reputation: 0
Joined: 25 Mar 2007 Posts: 1095
Posted: Tue Sep 16, 2008 8:05 pm
Wow. All these things fail. As long as people have access to the assembly code of your program, they can defeat any protection. All they need to do is trace onto your decryption routine and either recreate it or call it.
You should do some integrity checking on each instance of your class. Even that can be patched with a simple CreateThread() hook.
Also, why go through all this trouble? Why not just use the Crypto APIs and encrypt/decrypt the value? The advantage of using them is it is very hard to crack the algorithm as they are usually very complex. But, a simple hook will defeat this too.
Easiest way is to get a very powerful PE packer. That will stop people from debugging your code.
Flyte Peanuts!!!! Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Tue Sep 16, 2008 11:20 pm
rapion124 wrote:
Easiest way is to get a very powerful PE packer. That will stop people from debugging your code.
Which are less useful than you may think.
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Wed Sep 17, 2008 3:35 am
Burningmace wrote:
I've updated the code and I'm now doing some funky stuff with the value. I attempted your method and I can't get it to work now (whereas I did in the old version). Test it out.
Exactly the same =|.
Code:
695A4615:
mov ecx,32000000
Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Wed Sep 17, 2008 6:43 am
Ok, now I'm really lost.
Also, what's with that 32000000 value? I don't get how that makes it 5000.
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Wed Sep 17, 2008 8:38 am
Burningmace wrote:
Ok, now I'm really lost.
Also, what's with that 32000000 value? I don't get how that makes it 5000.
I got the value by testing them in one of the registers.
I ended up making this one of my daily projects XD. http://forum.cheatengine.org/viewtopic.php?p=2857542#2857542
Last edited by Noz3001 on Wed Sep 17, 2008 3:39 pm; edited 2 times in total
G0DFATHER How do I cheat? Reputation: 0
Joined: 14 May 2008 Posts: 0 Location: C:/Nexon/Maplestory
Posted: Wed Sep 17, 2008 1:14 pm
Wow, Noz3001, you're smart. Anyway, how do you do that with OllyDbg? Mind posting me a link to a tutorial?
_________________
GROOT FTW!!!
Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Wed Sep 17, 2008 6:50 pm
I've added a serialization integrity check. I'm not sure if this will get round your modification but have a go.
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Thu Sep 18, 2008 2:16 am
Burningmace wrote:
I've added a serialization integrity check. I'm not sure if this will get round your modification but have a go.
Same, address is now 69B34617.
Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Thu Sep 18, 2008 6:11 am
I don't know how you're managing that... are you sure you're not just tripping out one of the jump operations or something? Setting the internal value to 32000000 every time makes no sense whatsoever - when it's xor'ed with the random value it'll come out with something completely different every single time you run it.
For example:
internalValue = 32000000
randomValue = -134905492
realValue = -165820052
You don't need me to tell you that -165820052 isn't 5000.
Not only that, but there are six separate checks (things like checking internalValue % 8 against a stored value) for integrity and the entire class is serialised and hashed. If the memory changes, shouldn't the serialised data change too?
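As an added illustration (not code from the thread or from Burningmace's program), here is a Python reconstruction of the scheme described above: the real value stored XORed with a per-instance random key, a stored internalValue % 8 check, and a hash over the serialised fields. It reproduces the numbers from the post and shows that a direct edit of the stored field does trip the data checks; as rapion124 notes earlier, such checks cover the stored data, not the code that reads it. Class, function and field names are assumptions.

```python
import hashlib
import os
import struct


def to_i32(v):
    """Wrap an int to a signed 32-bit value, the way a C int would."""
    return struct.unpack("<i", struct.pack("<I", v & 0xFFFFFFFF))[0]


class ProtectedInt:
    """Hypothetical reconstruction: realValue is stored as
    internalValue = realValue ^ randomValue, plus a stored internalValue % 8
    and a hash over the serialised fields (names assumed, not the thread's)."""

    def __init__(self, real_value, random_value=None):
        if random_value is None:  # per-instance random key, as in the thread
            random_value = to_i32(int.from_bytes(os.urandom(4), "little"))
        self.random_value = to_i32(random_value)
        self.internal_value = to_i32(real_value ^ self.random_value)
        self.mod8 = self.internal_value % 8        # one of the stored checks
        self.digest = self._serialise_and_hash()   # serialised-state hash

    def _serialise_and_hash(self):
        blob = struct.pack("<iii", self.internal_value, self.random_value, self.mod8)
        return hashlib.sha256(blob).hexdigest()

    def integrity_ok(self):
        """Data checks: stored remainder and serialised hash must still match."""
        return (self.mod8 == self.internal_value % 8
                and self.digest == self._serialise_and_hash())

    def get(self):
        """The 'decryption routine': XOR the stored field with the random key."""
        if not self.integrity_ok():
            raise ValueError("integrity check failed")
        return to_i32(self.internal_value ^ self.random_value)


def decode(internal_value, random_value):
    """The arithmetic from the post: realValue = internalValue ^ randomValue."""
    return to_i32(to_i32(internal_value) ^ to_i32(random_value))


def tamper_internal_value(p, new_internal):
    """Constructed simulation of a direct edit of the stored field in memory.
    Returns whether the data-integrity checks still pass afterwards."""
    p.internal_value = to_i32(new_internal)
    return p.integrity_ok()
```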
Trucido Moderator Reputation: 6
Joined: 08 Sep 2007 Posts: 2792
Posted: Thu Sep 18, 2008 6:30 am
Burningmace, you might wanna check out the CrackMe subsection of general programming.
And SF or Safcow might wanna bump this over there.
_________________
I'm out.
SFP+ Comp. talk moderator Reputation: 26
Joined: 02 May 2007 Posts: 1228 Location: Sweden
Posted: Thu Sep 18, 2008 8:39 am
Trucido wrote:
Burningmace, you might wanna check out the CrackMe subsection of general programming.
And SF or Safcow might wanna bump this over there.
Done.