Anti-Cheat development challenge
Burningmace
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 520
Location: Inside the Intel CET shadow stack

Posted: Tue Sep 16, 2008 5:36 pm    Post subject: Anti-Cheat development challenge

I'm working on a ProtectedInteger class in VB.NET that prevents memory editing and would like to know if you think you could crack it.

Here are the main principles behind the class:

1) The actual value is NEVER stored. It is XOR'ed with a random value. Every time there is an operation performed on the value, the random variable changes:

We call the New() method with RealValue as a parameter. The following sample code explains this:
Code:
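Public Sub New(ByVal RealValue As Integer)
    ' Pick a mask anywhere in the Integer range. The range width is widened to
    ' Double because Integer.MaxValue - Integer.MinValue overflows an Integer.
    RandomValue = CInt(Integer.MinValue + Int(Rnd() * (CDbl(Integer.MaxValue) - Integer.MinValue)))
    ' Only the masked value is kept in the field.
    StoredValue = RealValue Xor RandomValue
    ' Collect the garbage to ensure that all sensitive data is removed from memory.
    GC.Collect()
End Sub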


When we add an Integer to the class (e.g. MyProtectedValue += 5), we check the protection values (see point 3), create a new random value, "decrypt" the stored variable, add the integer, then re-encrypt the value using the new random value.

2) Many "chaff" variables are generated that don't actually do anything but bog down people using memory editors with hundreds of possible values (for example storing the real value a few hundred times in an array along with other random values, but never actually reading back from the array). Single, Double, Decimal, UInt64, etc. values are also created.

3) Storing hash values of the variable for protection. I create a set of protection variables that store things like Math.Log(variable), variable modulo 8 and value modulo 2. Every time the variable is accessed, the class checks to see if the stored value matches the protection variables. If they don't, an exception is raised and the game will either display a message, exit or crash. I'm working on storing at least one of these in the local key storage for extra protection.

4) The DLL that this code is compiled into is run through the .NET obfuscator and a PE compression utility in order to hinder/prevent decompiling it.

I've attached a demonstration application. Usage is simple - run the app and try to set the value to 5000. Set a new value by clicking Randomise. If you think you've managed, click Check. If you've been detected, a message box will show and the protected variable will be completely re-created.

If anyone defeats it, please give details. In this case I've integrated the class and obfuscated the executable instead of including a DLL.

Happy memory hacking!
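Points 1 and 3 of the post above, as an added sketch that is not part of the original post and is not the poster's class. The member names, the use of RandomNumberGenerator in place of Rnd(), and the exception type are assumptions; the chaff variables and the Math.Log check are left out.

```vbnet
Imports System
Imports System.Security.Cryptography

' Added sketch, not the poster's class: names and layout are assumptions.
Public Class ProtectedInteger
    Private Shared ReadOnly Rng As RandomNumberGenerator = RandomNumberGenerator.Create()

    Private _mask As Integer      ' current random mask
    Private _stored As Integer    ' real value Xor _mask
    Private _mod8 As Integer      ' check value: real value Mod 8
    Private _mod2 As Integer      ' check value: real value Mod 2

    Public Sub New(ByVal realValue As Integer)
        Store(realValue)
    End Sub

    ' Draw a fresh 32-bit mask and recompute the check values.
    Private Sub Store(ByVal realValue As Integer)
        Dim buf(3) As Byte        ' four bytes, indices 0 to 3
        Rng.GetBytes(buf)
        _mask = BitConverter.ToInt32(buf, 0)
        _stored = realValue Xor _mask
        _mod8 = realValue Mod 8
        _mod2 = realValue Mod 2
    End Sub

    ' Unmask, then compare against the check values before trusting the result.
    Public ReadOnly Property Value() As Integer
        Get
            Dim real As Integer = _stored Xor _mask
            If real Mod 8 <> _mod8 OrElse real Mod 2 <> _mod2 Then
                Throw New InvalidOperationException("Protected value was modified")
            End If
            Return real
        End Get
    End Property

    ' Point 1: verify, add, then re-mask under a new random value.
    Public Sub Add(ByVal amount As Integer)
        Store(Value + amount)
    End Sub
End Class
```

Mod 2 adds nothing that Mod 8 does not already cover; a check that depends on every bit of the value, such as a keyed hash, detects more kinds of modification.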
giga502
Grandmaster Cheater
Reputation: 0

Joined: 19 Apr 2007
Posts: 820
Location: Behind my computer

Posted: Tue Sep 16, 2008 5:49 pm

Did you have to do this for school or did you do this in your free time? Because next year apparently I'm doing something like this and I'd like to get a head start on it.
Burningmace
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 520
Location: Inside the Intel CET shadow stack

Posted: Tue Sep 16, 2008 5:51 pm

I did this on my own in my free time as a hobby. Security and cryptography are my specialties :)
giga502
Grandmaster Cheater
Reputation: 0

Joined: 19 Apr 2007
Posts: 820
Location: Behind my computer

Posted: Tue Sep 16, 2008 5:59 pm

Sweet, so if you like, continue with this; maybe, just maybe, if you get good enough, maybe you could work for some companies or something o.0
Burningmace
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 520
Location: Inside the Intel CET shadow stack

Posted: Tue Sep 16, 2008 6:02 pm

Got an interview in 14 hours or so for a software engineer position. Starting salary is £27500 per year, not bad considering I'm 20.
Flyte
Peanuts!!!!
Reputation: 6

Joined: 19 Apr 2006
Posts: 1887
Location: Canada

Posted: Tue Sep 16, 2008 6:03 pm

You realize that you would only need a bunch of NOPs (or a few well-placed hooks) to defeat this since you do no integrity checking on the actual class, right?

Also, this should be in the CrackMe section.
giga502
Grandmaster Cheater
Reputation: 0

Joined: 19 Apr 2007
Posts: 820
Location: Behind my computer

Posted: Tue Sep 16, 2008 6:07 pm

Burningmace wrote:
Got an interview in 14 hours or so for a software engineer position. Starting salary is £27500 per year, not bad considering I'm 20.

Wow, good luck lol. Wear some snappy suit or something, well no, don't lol, just I hope you get the job =]
Burningmace
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 520
Location: Inside the Intel CET shadow stack

Posted: Tue Sep 16, 2008 6:09 pm

I'm lost as to how that would defeat it.

1) You have to find the value first to get the memory address. Try it :)
2) There are some interesting things that I've done to prevent memory modification, just try it out.
3) In the full game, I do full integrity checking on the game's files and some of the memory segments.

If this is in the wrong place, I apologise. I haven't seen a CrackMe section.
Noz3001
I'm a spammer
Reputation: 26

Joined: 29 May 2006
Posts: 6220
Location: /dev/null

Posted: Tue Sep 16, 2008 6:10 pm

Code:
678D4615:
mov ecx, 32000000


What do I win?

Lol, was a bit of fun.
Burningmace
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 520
Location: Inside the Intel CET shadow stack

Posted: Tue Sep 16, 2008 6:13 pm

noz3001 wrote:
678D4615:
mov ecx, 32000000


I don't get it. Did you disassemble it or memory edit it? Disassembly doesn't count as the variable would be set from a value received from the server. Did you set it to 5000 and click Check without getting caught?
Noz3001
I'm a spammer
Reputation: 26

Joined: 29 May 2006
Posts: 6220
Location: /dev/null

Posted: Tue Sep 16, 2008 6:15 pm

Burningmace wrote:
noz3001 wrote:
678D4615:
mov ecx, 32000000


I don't get it. Did you disassemble it or memory edit it? Disassembly doesn't count as the variable would be set from a value received from the server. Did you set it to 5000 and click Check without getting caught?


You can tell from the address that it's not static, but scanning for the value with CE and then finding out what accesses it brings you to that ^. And no, it didn't catch it.

EDIT: When I say it isn't static, it doesn't vary much
Burningmace
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 520
Location: Inside the Intel CET shadow stack

Posted: Tue Sep 16, 2008 6:21 pm

So you opened up the app in a disassembler, looked for the button code and found the bit where it sets the value, then searched in CE for what the code modified?

I don't get how that bypassed the checks...
Noz3001
I'm a spammer
Reputation: 26

Joined: 29 May 2006
Posts: 6220
Location: /dev/null

Posted: Tue Sep 16, 2008 6:23 pm

Burningmace wrote:
So you opened up the app in a disassembler, looked for the button code and found the bit where it sets the value, then searched in CE for what the code modified?

I don't get how that bypassed the checks...


CE has an "increased value" and "decreased value" search option. It's easy to find the variable with that and then find out what writes to it. That's always how I make sure values don't change in games and programs =|.
Burningmace
Grandmaster Cheater
Reputation: 5

Joined: 17 Feb 2008
Posts: 520
Location: Inside the Intel CET shadow stack

Posted: Tue Sep 16, 2008 6:26 pm

It shouldn't decrease and increase uniformly though. If the variable increases but is XOR'ed with a negative number, the variable will actually decrease.
Noz3001
I'm a spammer
Reputation: 26

Joined: 29 May 2006
Posts: 6220
Location: /dev/null

Posted: Tue Sep 16, 2008 6:29 pm

Burningmace wrote:
It shouldn't decrease and increase uniformly though. If the variable increases but is XOR'ed with a negative number, the variable will actually decrease.


Lol, I must be lucky then. 5 times out of 5 all the values increased or decreased with the one on screen.
All times are GMT - 6 Hours
Page 1 of 2