Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
How can I obfuscate WriteProcessMemory?

 
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

Posted: Sun Sep 04, 2016 7:37 am    Post subject: How can I obfuscate WriteProcessMemory?

I want to make this question short and simple.

I make external trainers in C++ that do not rely on dll injection at all.
If somebody tries reverse engineering my executable, it requires just a breakpoint on WriteProcessMemory and he can understand what it writes and how.

How can I obfuscate the writing action of my executable? Is there some alternative call to WriteProcessMemory I can use, so that a script kiddie cannot discover what it writes?
I don't need this action to be hidden from the best reverse engineer, I just want it to be somewhat non-obvious.

_________________
Do you need to ask me something? Feel free to join my discord server at: https://discord.gg/At4VZXA or ask me something in my YouTube channel: https://www.youtube.com/c/mgostIH
STN
I post too much
Reputation: 42

Joined: 09 Nov 2005
Posts: 2672

Posted: Sun Sep 04, 2016 9:27 am

Use undocumented APIs like NtWriteVirtualMemory etc.

Use Themida (don't be cheap, buy it and get the taggant to help with antiviruses), put various checks against known tools and crash your trainer as soon as they are detected. That will put a stop to most lamers.

But it's pointless. You can never stop people from reversing; look at Denuvo and where it is now. What does it matter if you stop lamers but someone with slight knowledge of reversing can still look at your stuff? Your stuff still gets stolen.

If you truly don't want your stuff to be stolen then don't share it. It's as simple as that. Or put in an online DRM; that shit can never be beaten, and even if it is, you can punish the offending accounts and stop it from happening in future.

_________________
Cheat Requests/Tables- Fearless Cheat Engine
https://fearlessrevolution.com
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

Posted: Sun Sep 04, 2016 9:36 am

STN wrote:
Use undocumented APIs like NtWriteVirtualMemory etc.

Use Themida (don't be cheap, buy it and get the taggant to help with antiviruses), put various checks against known tools and crash your trainer as soon as they are detected. That will put a stop to most lamers.

But it's pointless. You can never stop people from reversing; look at Denuvo and where it is now. What does it matter if you stop lamers but someone with slight knowledge of reversing can still look at your stuff? Your stuff still gets stolen.

If you truly don't want your stuff to be stolen then don't share it. It's as simple as that. Or put in an online DRM; that shit can never be beaten, and even if it is, you can punish the offending accounts and stop it from happening in future.


In fact, I know for sure that I cannot make it impossible to reverse engineer, and that's not even my goal.
I want it to be obfuscated enough that those who cannot reverse engineer the game by themselves won't be able to do the same to my hacks.

Anyway, thanks for responding so quickly! +1


Edit:
Apparently NtWriteVirtualMemory is very easy to reverse engineer; I think I might re-create it using asm and some other tricks!



Last edited by mgostIH on Sun Sep 04, 2016 9:52 am; edited 1 time in total
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Sep 04, 2016 9:50 am

I know there are simple ways to encrypt data and make code harder to read, but without using a packer of some type, I'm not sure how to obfuscate specific segments of code.

There was a tutorial by Lena151 that showed how to use the program's own, built-in decryption mechanism to expose the real assembly. I believe the target was implementing polymorphic code of some kind. The tutorial showed how to circumvent the protection scheme, but I don't know how something like that is implemented without using a special packer/shell of some kind. Most of the popular packers can be removed by the script kiddies, though, and they're a pain to work with from an end-user/AV standpoint.

I'd be interested to see what others have to say about it.
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

Posted: Sun Sep 04, 2016 9:54 am

++METHOS wrote:
I know there are simple ways to encrypt data and make code harder to read, but without using a packer of some type, I'm not sure how to obfuscate specific segments of code.

There was a tutorial by Lena151 that showed how to use the program's own, built-in decryption mechanism to expose the real assembly. I believe the target was implementing polymorphic code of some kind. The tutorial showed how to circumvent the protection scheme, but I don't know how something like that is implemented without using a special packer/shell of some kind. Most of the popular packers can be removed by the script kiddies, though, and they're a pain to work with from an end-user/AV standpoint.

I'd be interested to see what others have to say about it.


Thanks, but it's a little overkill for those I am trying to hide from. If they even knew how to deal with polymorphism, they wouldn't need to reverse engineer my program.

panraven
Grandmaster Cheater
Reputation: 55

Joined: 01 Oct 2008
Posts: 942

Posted: Sun Sep 04, 2016 10:23 am

Just an old idea.

Like hiding a tree in a forest: make many false positives (that cause debug breaks) alongside the actual write.

Not good in C++, but I hope this Lua illustrates the idea:
Code:


function makeForestWithTree( treeAddr, treeBytes)
  -- treeBytes: table of byte values for the real write (the "tree")
  local hash = {}
  hash[ treeAddr ] = treeBytes
  for i=1,100 do
    local ok = false
    while not ok do
      local addr = treeAddr + math.random(-0x10000,0x10000)
      -- decoys are at most 20 bytes long, so keep them fully clear of the
      -- actual _tree_ range [treeAddr, treeAddr + #treeBytes]
      if addr+20 < treeAddr or addr > treeAddr + #treeBytes then
        local falsedata = readBytes(addr,math.random(1,20),true) -- read random length of bytes, as a table
        if falsedata~=nil then -- readable memory
           hash[ addr ] = falsedata
           ok = true
        end
      end
    end -- while
  end -- for
  return hash
end

function writeForestWithTree( addr2databytesHashTable )
  -- pairs() walks the table in no fixed order, so the real write lands
  -- somewhere among the decoys (which only write back what was read)
  for addr, bytes in pairs(addr2databytesHashTable) do
    writeBytes(addr,bytes)
    -- maybe this can be made in C++ as an event trigger,
    -- saw something in C# like sendMessage(func, arg1, arg2) that actually
    -- executes func(arg1,arg2) somewhere else.
  end
end

-- at the actual write moment,

pause() -- need to pause the process

writeForestWithTree(makeForestWithTree(addr,databytes))

unpause() -- unpause after


The makeForestWithTree part should be pure C++, so it may be a bit harder for a lamer to trace from WriteProcessMemory.

It can also be triggered periodically by a timer, even when the tree data is itself a false positive, so that the actual write timing is not easy to determine.

But this uses CE functionality like pausing the process, safely reading unreadable memory etc.; I don't know if it is easy to implement, if the idea is worth considering.

bye~

_________________
- Retarded.
kuntz
Cheater
Reputation: 0

Joined: 29 Aug 2016
Posts: 44
Location: Canada

Posted: Sun Sep 04, 2016 2:11 pm

discoveringireland-com/leprechauns/

Quote:
In one tale, a young farmer captures a Leprechaun and forces him to hand over his gold. The Leprechaun says that the gold is hidden beneath a tree in the woods and shows him which one it is. The farmer ties his red scarf around the tree and after making the Leprechaun promise not to remove the scarf he heads to his farm to get a shovel. But when the farmer returns he finds that the Leprechaun has tied a red scarf around every tree in the woods.


If you're only going to use RPM/WPM to train, you'll be limited to tying a scarf around every tree. This will protect your trainer from novice individuals as well as the lazy. Call RPM on the whole memory image, and then call WPM thousands of times re-writing the same memory back to the same places (seed srand() with a static number and use the same PRNG generation each launch), and somewhere in there slip in the real WPM that actually makes a change to the memory/opcodes.
++METHOS
I post too much
Reputation: 92

Joined: 29 Oct 2010
Posts: 4197

Posted: Sun Sep 04, 2016 4:16 pm

mgostIH wrote:
++METHOS wrote:
I know there are simple ways to encrypt data and make code harder to read, but without using a packer of some type, I'm not sure how to obfuscate specific segments of code.

There was a tutorial by Lena151 that showed how to use the program's own, built-in decryption mechanism to expose the real assembly. I believe the target was implementing polymorphic code of some kind. The tutorial showed how to circumvent the protection scheme, but I don't know how something like that is implemented without using a special packer/shell of some kind. Most of the popular packers can be removed by the script kiddies, though, and they're a pain to work with from an end-user/AV standpoint.

I'd be interested to see what others have to say about it.


Thanks, but it's a little overkill for those I am trying to hide from. If they even knew how to deal with polymorphism, they wouldn't need to reverse engineer my program.

-I understand. To be clear, however, I was not suggesting that you make use of polymorphic code. I was only making note of that particular tutorial due to its relevant nature. Additionally, I do not recall whether or not that particular target was packed in any way, which, to further my original point, I do not know how it could have been done otherwise (and I'm curious to hear what others have to say about it) - whether it's strictly obfuscation or polymorphic is irrelevant.
atom0s
Moderator
Reputation: 198

Joined: 25 Jan 2006
Posts: 8517
Location: 127.0.0.1

Posted: Sun Sep 04, 2016 11:38 pm

Create a function in the remote process that decompresses/decrypts data that is sent to it. Invoke it with CreateRemoteThread and pass your cheat data to it compressed / encrypted.
_________________
- Retired.
Dark Byte
Site Admin
Reputation: 458

Joined: 09 May 2003
Posts: 25291
Location: The netherlands

Posted: Mon Sep 05, 2016 4:20 am

It also depends on what you write.
Is it writing a value/pointer, or do you do code injection?

If code injection, even the biggest noob can do a scan for changed memory in read-only executable memory.

_________________
Do not ask me about online cheats. I don't know any and won't help finding them.

Like my help? Join me on Patreon so I can keep helping
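Dark Byte's point above, a scan of read-only executable memory for bytes that differ from the on-disk image, as an added detection example in Python. This is not code from the thread or from Cheat Engine; it assumes the two copies of the code section have already been captured (pristine bytes from the disk image, live bytes read from the process), so the sample section here is constructed.

```python
# Added example (not from the thread or from Cheat Engine): the comparison
# step of the "scan read-only executable memory for changed bytes" check Dark
# Byte describes. It assumes the two copies of the section were already
# captured (on-disk image vs. live process); the data below is constructed.
from dataclasses import dataclass

@dataclass
class Patch:
    address: int     # virtual address where the modified run starts
    original: bytes  # bytes the on-disk image holds there
    current: bytes   # bytes found in the live process

def find_code_patches(disk: bytes, live: bytes, base: int, gap: int = 4) -> list:
    """Return each run of modified bytes as a Patch. Changes separated by at
    most `gap` unchanged bytes are merged, so a hook that keeps one original
    byte in the middle is still reported as a single finding."""
    if len(disk) != len(live):
        raise ValueError("section size mismatch: compare the same section")
    patches, start, last_diff = [], None, None
    for off in range(len(disk) + 1):
        differs = off < len(disk) and disk[off] != live[off]
        if differs:
            if start is None:
                start = off
            last_diff = off
        elif start is not None and (off == len(disk) or off - last_diff > gap):
            end = last_diff + 1
            patches.append(Patch(base + start, disk[start:end], live[start:end]))
            start = None
    return patches

# Constructed sample: a tiny x86-64 code section at a made-up base address.
BASE = 0x401000
DISK_SECTION = bytes.fromhex(
    "4883ec28"      # sub rsp, 0x28
    "e800000000"    # call <check>
    "85c0"          # test eax, eax
    "7405"          # je +5   <- the branch a trainer would flip
    "b801000000"    # mov eax, 1
    "4883c428"      # add rsp, 0x28
    "c3"            # ret
)

def scan_sample() -> list:
    """Live copy with two edits: je -> nop nop, and a leftover int3 on the ret."""
    live = bytearray(DISK_SECTION)
    live[11:13] = b"\x90\x90"
    live[22] = 0xCC
    return find_code_patches(DISK_SECTION, bytes(live), BASE)
```

Regions the loader rewrites (relocations, import thunks) must be masked out before the comparison, or they show up as findings on a clean process.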
mgostIH
Expert Cheater
Reputation: 3

Joined: 01 Jan 2016
Posts: 159

Posted: Mon Sep 05, 2016 4:35 am

Dark Byte wrote:
It also depends on what you write.
Is it writing a value/pointer, or do you do code injection?

If code injection, even the biggest noob can do a scan for changed memory in read-only executable memory.


I guess you would redefine "biggest noob" if you saw those guys ahaha
