The MASM Forum Archive 2004 to 2012

General Forums => The Campus => Topic started by: lelejau on December 27, 2010, 05:24:05 PM

Title: Help protecting my app
Post by: lelejau on December 27, 2010, 05:24:05 PM
Hello. I made an app that has become a target of Memory Editors, Debuggers, etc. I'm learning assembler (trying to, at least) and I was wondering if there is any way to block those kinds of programs from accessing my app.
Programs like OllyDbg, Memory Editors (Cheat Engine, MHS), etc.

My goal was to make a DLL in assembler that my app would load, and the DLL would start to protect it. Thanks in advance.

I was thinking of using VirtualProtect to make the data read-only. But these programs can easily change it to read-write, so I completely don't know what to do. :S
Title: Re: Help protecting my app
Post by: redskull on December 27, 2010, 05:58:52 PM
IsDebuggerPresent() can be used to tell if someone is debugging your program, and various EXE packers can thwart would-be reversers.  However, all these do is slow down the determined, and more likely encourage them to keep trying.

-r
Title: Re: Help protecting my app
Post by: dedndave on December 27, 2010, 06:05:54 PM
apply all the methods known to man - lol
it may frustrate the inexperienced
in the end, there is no way to stop someone who really knows what they are doing
Title: Re: Help protecting my app
Post by: lelejau on December 27, 2010, 06:07:35 PM
I have already tried packing with VMProtect, PECompact, ASpack, but I think it didn't work, because when you open the exe, it is unpacked and starts to run from memory, right? So, when I open the Memory Editor program, I can see all the data and change them, so packers wouldn't help me a lot. Is there another way? I'm already using IsDebuggerPresent()

@dedndave

AntiCheater programs like XTrap and NProtect (they're game anticheats, but somehow they do exactly what I want to reproduce here) somehow detect whether a memory editor program is running or not, and just close them. Is it possible to do the same?
Title: Re: Help protecting my app
Post by: dedndave on December 27, 2010, 06:09:50 PM
that's some pretty involved stuff
and - there is probably a way to get around it, too
sounds like they hook an API
that level of "protection" is going to fall in the category of "violating forum rules"

i remember an old trick that went something like this...
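        mov     edi,offset patch_here   ; EDI -> the code bytes at patch_here
        mov     ecx,3                   ; 3 bytes: REP STOSB (2 bytes) + STC (1 byte)
        mov     al,90h                  ; 90h is the NOP opcode
        clc                             ; start with the carry flag clear
patch_here:
        rep     stosb                   ; store AL to [EDI] ECX times: writes NOPs over this REP STOSB and the STC
        stc                             ; sets carry if this byte is still executed as STC
        jnc     debugger_found          ; carry still clear means the STC did not run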

something like that - i forget the exact details
Title: Re: Help protecting my app
Post by: lelejau on December 27, 2010, 06:11:55 PM
I see... geez, I'm completely lost now  :(

-EDIT

I can't understand what that block of code does  :red
Title: Re: Help protecting my app
Post by: dedndave on December 27, 2010, 06:19:32 PM
it relies on the fact that a debugger will single-step - when it gets to the STC instruction, it has been over-written with a NOP
whereas, the CPU will have the STC instruction in the cache and execute it instead of a NOP

at any rate, that is one technique
as i mentioned before, use as many different methods as you can find and call it "good enough"
Title: Re: Help protecting my app
Post by: caseys on December 27, 2010, 06:25:12 PM
solution: EXECRYPTOR (http://www.strongbit.com/execryptor.asp)! not every pro cracker can deal with this stuff. it's unbeatable
Title: Re: Help protecting my app
Post by: lelejau on December 27, 2010, 06:27:32 PM
Protecting from debuggers isn't "priority", because if something in the client is modified, I made something like an MD5 check, and if it's wrong, the application will show an error message and will end. But with memory editors, that doesn't happen, so it's kinda hard to identify who is using them.
Then, the main goal was to block their use. My app would start checking (in some way that IDK how) whether the memory editor is open or not. If it is, just close my app.
But I don't have a clue how to do it. Can you give just a few hints, if this goes outside the forum rules?

@caseys

but, as I said:
Quote
So, when I open the Memory Editor program, I can see all the data and change them, so packers wouldn't help me a lot.
Or am I wrong?
Title: Re: Help protecting my app
Post by: caseys on December 27, 2010, 06:30:06 PM
if you want to protect your app from debugging go here: http://www.openrce.org/reference_library/anti_reversing

they have some nice scripts
Title: Re: Help protecting my app
Post by: lelejau on December 27, 2010, 06:33:23 PM
no, I mean, debugger isn't the main problem. What I DO need is to block memory editions. Like Cheat Engine.
Title: Re: Help protecting my app
Post by: caseys on December 27, 2010, 06:38:54 PM
you can blacklist the whole known cheat engines (tspy, tsearch, pcfhacker etc) in your app by inserting their window names (i've been used to do this in VB6). as i know BLIZZARD does the same thing =]
Title: Re: Help protecting my app
Post by: lelejau on December 27, 2010, 06:44:53 PM
But if the user changes the window name, the system would be bypassed :S. I think game anticheat programs identify some kind of signature of these exes. Like some block of code that is specific to memory editors. Like an anti virus knows whether a file is a trojan or not.
Do you know what I mean?  Is it possible to do something like this, but instead of finding viruses, find those programs?
Title: Re: Help protecting my app
Post by: caseys on December 27, 2010, 06:51:32 PM
of course there are several ways to do this but i never did anything before. just keep in mind that there is no security that you can't bypass =] i mean DMA stealing
Title: Re: Help protecting my app
Post by: lelejau on December 27, 2010, 06:56:16 PM
Sure, nothing is 100%. But I think detecting some kind of exe signature and checking if it is "black-listed", and if yes closing the app, should do the trick. But the question is:
How can I retrieve such information from the exe file?
Title: Re: Help protecting my app
Post by: caseys on December 27, 2010, 06:59:28 PM
by process id and/or window name =]
Title: Re: Help protecting my app
Post by: lelejau on December 27, 2010, 07:03:54 PM
retrieve exe signature from its PID or Window Name? How?  :eek
Title: Re: Help protecting my app
Post by: BogdanOntanu on December 27, 2010, 07:18:43 PM
lelejau,

Obviously you do not have the skills needed to achieve something like this yet. You still have a lot to learn about creating applications and code in ASM and, more importantly, about basic computer concepts.

Besides this, please understand that these forums DO NOT allow discussions about hooking or protecting or reading/writing memory of applications that you have not written or other "gray area" issues under the disguise of protection or anti virus techniques.

I am aware that this kind of information can be used to perform legitimate tasks and that Microsoft does offer API's for this ...
BUT unfortunately the exact same information can be used to hack / crack legitimate applications or try to hide or protect viral code from debugging, analysis and detection.

If you want to go this way... then I do suggest that you learn ASM very well (not only some superficial skills) and then learn how to protect your application by yourself by self study.

Then there are a lot of other forums that allow such content on the net. We simply want to avoid this kind of "crap" in here.

From my own 15 years' experience this is wasted time because it will annoy and reduce your legitimate paying clients and it will not stop experienced hackers, not even for 5 minutes.

IMHO the only ways to "protect" your application today are:
=========================================
1) First to really write a great and useful application... and to get a lot of paying clients.
And honestly this is the very hard and very unlikely part in today's world economics
2) to update it often and serve only your paying clients' desires and ignore hackers.


This Thread is locked and I kindly ask you not to continue asking this kind of questions here.