Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Tue Sep 16, 2008 5:36 pm Post subject: Anti-Cheat development challenge
I'm working on a ProtectedInteger class in VB.NET that prevents memory editing and would like to know if you think you could crack it.
Here are the main principles behind the class:
1) The actual value is NEVER stored. It is XOR'ed with a random value. Every time there is an operation performed on the value, the random variable changes:
We call the New() method with RealValue as a parameter. The following sample code explains this:
Code:
    ' Key and masked value are the only fields that hold state.
    Private RandomValue As Integer
    Private StoredValue As Integer

    Public Sub New(ByVal RealValue As Integer)
        ' Seed Rnd() so the key differs between runs, then pick a key over the full
        ' Integer range. MaxValue - MinValue overflows Integer, so use a Double constant.
        Randomize()
        RandomValue = CInt(Int(Rnd() * 4294967296.0) + Integer.MinValue)
        StoredValue = RealValue Xor RandomValue
        ' Collect the garbage to ensure that all sensitive data is removed from memory.
        GC.Collect()
    End Sub
When we add an Integer to the class (e.g. MyProtectedValue += 5), we check the protection values (see point 3), create a new random value, "decrypt" the stored variable, add the integer, then re-encrypt the value using the new random value.
2) Many "chaff" variables are generated that don't actually do anything but bog down people using memory editors with hundreds of possible values (for example storing the real value a few hundred times in an array along with other random values, but never actually reading back from the array). Single, Double, Decimal, UInt64, etc values are also created.
3) Storing hash values of the variable for protection. I create a set of protection variables that store things like Math.Log(variable), variable modulo 8 and value modulo 2. Every time the variable is accessed, the class checks to see if the stored value matches the protection variables. If they don't, an exception is raised and the game will either display a message, exit or crash. I'm working on storing at least one of these in the local key storage for extra protection.
4) The DLL that this code is compiled into is run through the .NET obfuscator and a PE compression utility in order to hinder/prevent decompiling it.
I've attached a demonstration application. Usage is simple - run the app and try to set the value to 5000. Set a new value by clicking Randomise. If you think you've managed, click Check. If you've been detected, a message box will show and the protected variable will be completely re-created.
If anyone defeats it, please give details. In this case I've integrated the class and obfuscated the executable instead of including a DLL.
Happy memory hacking!
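The scheme described in the opening post (a masked integer that is re-keyed on every write, with guard values checked on every read), written out as an added example. This is not the poster's code and it is in Python rather than VB.NET so it can be run anywhere; the `key_source` parameter and the `simulate_out_of_band_write` helper are assumptions of this example, added so the key can be pinned in tests and so the detection path can be exercised. It shows that the plaintext never sits in the stored slot, that 32-bit wrap-around is handled consistently on both the encode and guard side, and that a write which lands on the stored field without going through the class fails the guard check on the next read.

```python
"""Added example: an XOR-masked integer with guard-value tamper checks (not the post's code)."""
import math
import secrets

MASK32 = 0xFFFFFFFF


class TamperDetected(Exception):
    """Raised when the decoded value no longer matches its guard values."""


def _to_signed32(u):
    """Interpret a 32-bit unsigned pattern as a .NET-style signed Integer."""
    return u - (1 << 32) if u >= (1 << 31) else u


class ProtectedInteger:
    """The plaintext is never kept: only (value XOR key) and the key, re-keyed on each write."""

    def __init__(self, real_value, key_source=secrets.randbits):
        # key_source is an assumption of this example (the post uses Rnd());
        # it lets tests pin the key while real use keeps secrets.randbits.
        self._key_source = key_source
        self._rekey(real_value)

    @staticmethod
    def _guard_for(value):
        # Mirrors the post's protection values: Math.Log(value), value mod 8, value mod 2.
        # Log is undefined for non-positive values, so None is stored there.
        log_part = math.log(value) if value > 0 else None
        return (log_part, value % 8, value % 2)

    def _rekey(self, value):
        # Wrap to 32 bits first so the guard is computed on the value that will decode.
        value = _to_signed32(value & MASK32)
        self._key = self._key_source(32)
        self._stored = (value & MASK32) ^ self._key
        self._guard = self._guard_for(value)

    def get(self):
        """Decode and verify; any mismatch with the guard values is reported as tampering."""
        value = _to_signed32(self._stored ^ self._key)
        if self._guard_for(value) != self._guard:
            raise TamperDetected("stored value does not match its guard values")
        return value

    def add(self, delta):
        """Check, decrypt, add, re-encrypt under a fresh key (point 1 of the post)."""
        self._rekey(self.get() + delta)
        return self.get()


def simulate_out_of_band_write(protected, written_plaintext):
    """Model a write that bypasses the class API and lands on the stored field.

    Returns True if the next read raises TamperDetected (the value was not
    masked with the current key, so its guard values will not match).
    """
    protected._stored = written_plaintext & MASK32
    try:
        protected.get()
    except TamperDetected:
        return True
    return False


if __name__ == "__main__":
    p = ProtectedInteger(100)
    print("value:", p.get(), "stored slot:", hex(p._stored))
    print("after +5:", p.add(5))
    print("detected out-of-band write:", simulate_out_of_band_write(p, 5000))
```

The guard check runs in the same process as the value it protects, so, as Flyte notes later in the thread, it gives no protection against patching or skipping the check itself; it only detects writes that miss the key. The chaff design from point 2 (storing the real value hundreds of times in an array) also leaves plaintext copies in memory that this class never covers.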
giga502 Grandmaster Cheater Reputation: 0
Joined: 19 Apr 2007 Posts: 820 Location: Behind my computer
Posted: Tue Sep 16, 2008 5:49 pm Post subject:
Did you have to do this for school or did you do this in your free time? Because next year apparently I'm doing something like this and I'd like to get a head start on it.
Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Tue Sep 16, 2008 5:51 pm Post subject:
I did this on my own in my free time as a hobby. Security and cryptography are my specialties
giga502 Grandmaster Cheater Reputation: 0
Joined: 19 Apr 2007 Posts: 820 Location: Behind my computer
Posted: Tue Sep 16, 2008 5:59 pm Post subject:
Sweet, so if you continue with this, maybe, just maybe, if you get good enough you could work for some companies or something o.0
Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Tue Sep 16, 2008 6:02 pm Post subject:
Got an interview in 14 hours or so for a software engineer position. Starting salary is £27500 per year, not bad considering I'm 20.
Flyte Peanuts!!!! Reputation: 6
Joined: 19 Apr 2006 Posts: 1887 Location: Canada
Posted: Tue Sep 16, 2008 6:03 pm Post subject:
You realize that you would only need a bunch of NOPs (or a few well placed hooks) to defeat this since you do no integrity checking on the actual class, right?
Also, this should be in the CrackMe section.
giga502 Grandmaster Cheater Reputation: 0
Joined: 19 Apr 2007 Posts: 820 Location: Behind my computer
Posted: Tue Sep 16, 2008 6:07 pm Post subject:
Burningmace wrote: | Got an interview in 14 hours or so for a software engineer position. Starting salary is £27500 per year, not bad considering I'm 20. |
Wow, good luck lol. Wear some snappy suit or something... well no, don't lol, just I hope you get the job =]
Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Tue Sep 16, 2008 6:09 pm Post subject:
I'm lost as to how that would defeat it.
1) You have to find the value first to get the memory address. Try it.
2) There are some interesting things that I've done to prevent memory modification, just try it out.
3) In the full game, I do full integrity checking on the game's files and some of the memory segments.
If this is in the wrong place, I apologise. I haven't seen a CrackMe section.
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Tue Sep 16, 2008 6:10 pm Post subject:
Code:
    678D4615:
        mov ecx, 32000000
What do I win?
Lol, was a bit of fun.
Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Tue Sep 16, 2008 6:13 pm Post subject:
noz3001 wrote:
    678D4615:
        mov ecx, 32000000
I don't get it. Did you disassemble it or memory edit it? Disassembly doesn't count as the variable would be set from a value received from the server. Did you set it to 5000 and click Check without getting caught?
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Tue Sep 16, 2008 6:15 pm Post subject:
Burningmace wrote: | noz3001 wrote: | 678D4615:
mov ecx, 32000000 |
I don't get it. Did you disassemble it or memory edit it? Disassembly doesn't count as the variable would be set from a value received from the server. Did you set it to 5000 and click Check without getting caught? |
You can tell from the address that it's not static, but scanning for the value with CE and then finding out what accesses it brings you to that ^. And no, it didn't catch it.
EDIT: When I say it isn't static, it doesn't vary much.
Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Tue Sep 16, 2008 6:21 pm Post subject:
So you opened up the app in a disassembler, looked for the button code and found the bit where it sets the value, then searched in CE for what the code modified?
I don't get how that bypassed the checks...
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Tue Sep 16, 2008 6:23 pm Post subject:
Burningmace wrote: | So you opened up the app in a disassembler, looked for the button code and found the bit where it sets the value, then searched in CE for what the code modified?
I don't get how that bypassed the checks... |
CE has an "increased value" and "decreased value" search option. It's easy to find the variable with that and then find out what writes to it. That's always how I make sure values don't change in games and programs =|.
Burningmace Grandmaster Cheater Reputation: 5
Joined: 17 Feb 2008 Posts: 520 Location: Inside the Intel CET shadow stack
Posted: Tue Sep 16, 2008 6:26 pm Post subject:
It shouldn't decrease and increase uniformly though. If the variable increases but is XOR'ed with a negative number, the variable will actually decrease.
Noz3001 I'm a spammer Reputation: 26
Joined: 29 May 2006 Posts: 6220 Location: /dev/null
Posted: Tue Sep 16, 2008 6:29 pm Post subject:
Burningmace wrote: | It shouldn't decrease and increase uniformly though. If the variable increases but is XOR'ed with a negative number, the variable will actually decrease. |
Lol, I must be lucky then. 5 times out of 5 all the values increased or decreased with the one on screen.