Help protecting my app

[lelejau]

Hello. I made one app that has become target of Memory Editors, Debuggers etc. I'm learning assembler (trying to, at least) and I was wondering if there is any way to block those kind of programs to access my app.
Programs like, OllyDbg, Memory Editors( Cheat Engine, MHS) etc.

My goal was to make a DLL in assembler, that my app would load it, and the dll would start to protect. Thanks in advance.

I was thinking using VirtualProtect, to make the data only read-mode. But these programs can easily change them to read-write, so I completely dont know what to do. :S

[redskull]

IsDebuggerPresent() can be used to tell if someone is debugging your program, and various EXE packers can thwart would-be reversers.  However, all these do is slow down the determined, and more likely encourage them to keep trying.

-r

[dedndave]

apply all the methods known to man - lol
it may frustrate the inexperienced
in the end, there is no way to stop someone who really knows what they are doing

[lelejau]

I have already try packing with VMProtect, PECompact, ASpack, but I think it didn't work, because when you open the exe, it is unpacked and start to run from memory right? So, when I open the Memory Editor program, I can see all the data and change them, so packers wouldn't help me alot.. Is there another way? I'm already using IsDebuggerPresent()

@dedndave

AntiCheater programs like XTrap and NProtect (they're games anticheats, bus somehow they do exactly what I want to reproduce here), somehow detects wheter a memory editor program is running or not, and just close them. Is it possible to do the same?

[dedndave]

that's some pretty involved stuff
and - there is probably a way to get around it, too
sounds like they hook an API
that level of "protection" is going to fall in the catagory of "violating forum rules"

i remember an old trick that went something like this...

Code Select Expand

        mov     edi,offset label
        mov     ecx,3
        mov     al,90h
        clc
label:
        rep     stosb
        stc
        jnc     debugger_found
something like that - i forget the exact details

[lelejau]

I see... geez, I'm completely lost now  :(

-EDIT

I cant understand what that block of code does  :red

[dedndave]

it relies on the fact that a debugger will single-step - when it gets to the STC instruction, it has been over-written with a NOP
whereas, the CPU will have the STC instruction in the cache and execute it instead of a NOP

at any rate, that is one technique
as i mentioned before, use as many different methods as you can find and call it "good enough"

[caseys]

solution: EXECRYPTOR! not every pro cracker can deal with this stuff. its unbeatable

[lelejau]

Protecting from debuggers isnt "priority", because if something in client is modified, I made something like MD5 check, and if its wrong, the application will show an error message and will ends. But with memory editors, that doesn't happen, so its kinda hard to identify who is using them.
Then, the main goal was to block its using. My app would start checking (in some way that IDK how) wheter the memory editor is open or not. If it is, just close my app.
But I dont have a clue of how to do it. Can you give just a few hints, if this goes outside the forum rules?

@caseys

but, as I said:

So, when I open the Memory Editor program, I can see all the data and change them, so packers wouldn't help me alot..

Or am I wrong?

[caseys]

if you want to protect your app from debugging go here: http://www.openrce.org/reference_library/anti_reversing

they have some nice scripts

[lelejau]

no, I mean, debugger isn't the main problem. What I DO need is to block memory editions. Like Cheat Engine.

[caseys]

you can blacklist the whole known cheat engines (tspy, tsearch, pcfhacker etc) in your app by inserting their windows names (ive been used to do this in VB6). as i know BLIZZARD does the same thing =]

[lelejau]

But, if the user changes the window name, the system would be bypassed :S. I think game anticheat programs identify some kind of signature of these exes. Like some block of code that is specific for memory editors. Like anti virus know wheter this files is a trojan or not.
Do you know what I mean?  Is it possible to do something like this, but instead of finding virus, find those programs?

[caseys]

of course there are several ways to do this but i never did anything before. just keep in mind that there are no security that you can't bypass =] i mean DMA stealing

[lelejau]

Sure, nothing is 100%. But, I think detecting some kind of exe signature and check if it is "black-listed", if yes closes the app should do the trick. But the question is:
How can I retreive such information from the exe file?