Cheat Engine The Official Site of Cheat Engine
Ksbunker Advanced Cheater
Reputation: 0
Joined: 18 Oct 2006 Posts: 88
Posted: Sat Dec 15, 2007 10:17 pm Post subject: [MASM] File Integrity Check
I wrote this code for a trainer I'm making at the moment. Basically what it does is read the 'CheckSum' value in the PE Header. Then, using MapFileAndCheckSum (which is the same function used to calculate the PE checksum) it performs a calculation on the code. If the two values are equal, the files are 100% intact and non-modified. If the values do not match, someone has patched/modified your file... here you can get creative and do what you please. I hope someone finds it useful and if so rep me, because I want rep.
Code:
.386
.model flat, stdcall
option casemap :none                    ; case sensitive
; ###############################
include \masm32\include\windows.inc
include \masm32\include\user32.inc
include \masm32\include\kernel32.inc
include \masm32\include\imagehlp.inc
includelib \masm32\lib\user32.lib
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\imagehlp.lib
; ################################
GetFileName PROTO :DWORD
GetCheckSum PROTO :DWORD

.data
PECheckSum  dd 0
szFailed    db "CheckSums did NOT match, file has been modified!", 0
szSuccess   db "CheckSums MATCH, continue!", 0
szBuffer    db 256h dup(0)

.code
start:
    ; Read the CheckSum field from this module's in-memory PE header
    push 0
    call GetModuleHandle
    mov  edx, eax                       ; 00400000
    mov  ecx, [edx+3Ch]                 ; Offset to PE signature
    add  ecx, edx                       ; ecx=PE Header
    add  ecx, 58h                       ; ecx=CheckSum
    mov  eax, dword ptr [ecx]
    mov  PECheckSum, eax                ; save contents to PECheckSum

    ; Recompute the checksum from the file on disk
    Invoke GetModuleFileName, 0, ADDR szBuffer, 256h
    Invoke GetCheckSum, ADDR szBuffer
    test eax, eax                       ; 0 = MapFileAndCheckSum failed
    jz   @notequal                      ; fail closed, even when the header field is 0
    cmp  eax, [PECheckSum]              ; does PECheckSum = Our Generated CheckSum
    jne  @notequal
    Invoke MessageBox, 0, ADDR szSuccess, 0, MB_OK
    Invoke ExitProcess, 0
@notequal:
    Invoke MessageBox, 0, ADDR szFailed, 0, MB_OK
    Invoke ExitProcess, 0

; Returns the checksum computed over the file in eax, or 0 on error
GetCheckSum PROC FileName:DWORD
.data
dwHeader    dd 0                        ; receives the checksum stored in the file's header
dwCheckSum  dd 0                        ; receives the freshly computed checksum
.code
    Invoke MapFileAndCheckSum, FileName, addr dwHeader, addr dwCheckSum
    cmp  eax, CHECKSUM_SUCCESS
    jne  @error
    mov  eax, [dwCheckSum]
    ret
@error:
    mov  eax, 0
    ret
GetCheckSum EndP
end start
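The same header-versus-recomputed comparison as a portable C routine over an in-memory buffer, added here as an example (it is not code from the thread and not imagehlp's code). The function names and the sample buffer are constructed for illustration, and the checksum routine is an independent reimplementation of the 16-bit word sum plus file length, assumed to match what MapFileAndCheckSum computes.

```c
#include <stdint.h>
#include <string.h>

enum pe_result { PE_OK, PE_MISMATCH, PE_UNSET, PE_BAD_FORMAT };

static uint32_t rd32(const uint8_t *p) {
    return p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Offset of OptionalHeader.CheckSum (e_lfanew + 58h, as in the post); 0 if not PE. */
size_t pe_checksum_offset(const uint8_t *img, size_t len) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    size_t pe = rd32(img + 0x3C);
    if (pe > len || len - pe < 0x5C) return 0;      /* field must lie inside the file */
    return memcmp(img + pe, "PE\0\0", 4) == 0 ? pe + 0x58 : 0;
}

/* Byte i of the image; the CheckSum field and bytes past the end read as zero. */
static uint32_t byte_at(const uint8_t *img, size_t len, size_t cs, size_t i) {
    return (i >= len || (i >= cs && i < cs + 4)) ? 0 : img[i];
}

/* 16-bit little-endian word sum with end-around carry, plus the file length. */
uint32_t pe_compute_checksum(const uint8_t *img, size_t len, size_t cs) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i += 2) {
        sum += byte_at(img, len, cs, i) | byte_at(img, len, cs, i + 1) << 8;
        sum = (sum & 0xFFFF) + (sum >> 16);
    }
    return sum + (uint32_t)len;
}

enum pe_result pe_verify(const uint8_t *img, size_t len) {
    size_t cs = pe_checksum_offset(img, len);
    if (cs == 0) return PE_BAD_FORMAT;
    uint32_t stored = rd32(img + cs);
    if (stored == 0) return PE_UNSET;               /* no checksum was ever written */
    return stored == pe_compute_checksum(img, len, cs) ? PE_OK : PE_MISMATCH;
}

/* Constructed sample, not a loadable image: MZ/PE markers plus six stand-in code bytes. */
void make_sample(uint8_t img[0x200]) {
    memset(img, 0, 0x200);
    img[0] = 'M'; img[1] = 'Z'; img[0x3C] = 0x80;        /* e_lfanew = 80h */
    memcpy(img + 0x80, "PE\0\0", 4);
    memcpy(img + 0x180, "\x55\x8B\xEC\x90\x90\xC3", 6);
    img[0xD8] = 0xF0; img[0xD9] = 0x81;                  /* CheckSum = 000081F0h */
}
```

PE_UNSET is reported separately because a header field of 0 gives the comparison nothing to check against. The sum is unkeyed, so a match only shows that the header and the file agree with each other, which is the limit the replies below point at.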
Flyte Peanuts!!!!
Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Sat Dec 15, 2007 10:23 pm Post subject:
Like I said on IRC, easily patch-able by some simple NOPs, or you can hook MapFileAndCheckSum() and in the hook function call the detoured MapFileAndCheckSum() and place that value into the PE header.
Not bad nonetheless.
Ksbunker Advanced Cheater
Reputation: 0
Joined: 18 Oct 2006 Posts: 88
Posted: Sat Dec 15, 2007 10:27 pm Post subject: re:
Just because it's easily patchable doesn't mean it's useless.
There are locksmiths out there that can defeat the lock and key on my door, does that mean I just leave it open for anyone else wanting to get in? Hell No.
But I do like the hook idea, get checksum, then write checksum to header, neato.
Flyte Peanuts!!!!
Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Sat Dec 15, 2007 10:29 pm Post subject:
Actually, on second thought you would be better off calling CheckSumMappedFile() in the hook instead of a detoured MapFileAndCheckSum().
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1