Help protecting my app

Started by lelejau, December 27, 2010, 05:24:05 PM

lelejau

Hello. I made one app that has become a target of memory editors, debuggers etc. I'm learning assembler (trying to, at least) and I was wondering if there is any way to block those kinds of programs from accessing my app.
Programs like OllyDbg, memory editors (Cheat Engine, MHS), etc.

My goal was to make a DLL in assembler that my app would load, and the DLL would start to protect it. Thanks in advance.

I was thinking of using VirtualProtect to make the data read-only. But these programs can easily change it back to read-write, so I completely don't know what to do. :S
Learning assembly :)

redskull

IsDebuggerPresent() can be used to tell if someone is debugging your program, and various EXE packers can thwart would-be reversers.  However, all these do is slow down the determined, and more likely encourage them to keep trying.

-r
Strange women, lying in ponds, distributing swords, is no basis for a system of government

dedndave

apply all the methods known to man - lol
it may frustrate the inexperienced
in the end, there is no way to stop someone who really knows what they are doing

lelejau

I have already tried packing with VMProtect, PECompact, ASPack, but I think it didn't work, because when you open the exe, it is unpacked and starts to run from memory, right? So, when I open the memory editor program, I can see all the data and change it, so packers wouldn't help me a lot.. Is there another way? I'm already using IsDebuggerPresent()

@dedndave

Anti-cheat programs like XTrap and NProtect (they're game anti-cheats, but somehow they do exactly what I want to reproduce here) somehow detect whether a memory editor program is running or not, and just close it. Is it possible to do the same?
Learning assembly :)

dedndave

that's some pretty involved stuff
and - there is probably a way to get around it, too
sounds like they hook an API
that level of "protection" is going to fall in the category of "violating forum rules"

i remember an old trick that went something like this...
        mov     edi,offset label    ; EDI -> first byte of the code at 'label' (code section must be writable, e.g. via VirtualProtect)
        mov     ecx,3               ; REP STOSB (2 bytes) + STC (1 byte) = 3 bytes to overwrite
        mov     al,90h              ; 90h is the NOP opcode
        clc                         ; CF = 0 before the test
label:
        rep     stosb               ; overwrites itself and the STC below with NOPs
        stc                         ; already in the prefetch queue, so the CPU still sets CF = 1
        jnc     debugger_found      ; single-stepping flushes the queue, the NOP runs, CF stays 0

something like that - i forget the exact details

lelejau

I see... geez, I'm completely lost now  :(

-EDIT

I can't understand what that block of code does  :red
Learning assembly :)

dedndave

it relies on the fact that a debugger will single-step - when it gets to the STC instruction, it has been over-written with a NOP
whereas, the CPU will have the STC instruction in the cache and execute it instead of a NOP

at any rate, that is one technique
as i mentioned before, use as many different methods as you can find and call it "good enough"

caseys

solution: EXECRYPTOR! not every pro cracker can deal with this stuff. it's unbeatable
Uf, never been so hard to understand

lelejau

Protecting from debuggers isn't the "priority", because if something in the client is modified, I made something like an MD5 check, and if it's wrong, the application shows an error message and ends. But with memory editors, that doesn't happen, so it's kinda hard to identify who is using them.
So, the main goal was to block their use. My app would start checking (in some way that IDK how) whether the memory editor is open or not. If it is, just close my app.
But I don't have a clue how to do it. Can you give just a few hints, if this doesn't go outside the forum rules?

@caseys

but, as I said:
Quote: "So, when I open the memory editor program, I can see all the data and change it, so packers wouldn't help me a lot.."
Or am I wrong?
Learning assembly :)
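The runtime counterpart of the on-disk MD5 check discussed above, as an added example in C that is not from the thread: critical values carry a keyed checksum that only the accessor refreshes, so a value poked directly by a memory editor fails the next check. The GameState struct, the key and the FNV-1a hash are my own constructions for the demo.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not from the thread. Game state carries a keyed FNV-1a checksum
 * over its fields; a memory editor that pokes `score` directly leaves the checksum
 * stale, so state_verify() reports it. The checksum lives in memory too, so this
 * raises the bar rather than guaranteeing anything (nothing is 100%). */

typedef struct {
    int32_t  health;
    int32_t  score;
    uint64_t checksum;   /* covers the fields above, keyed with SECRET_KEY */
} GameState;

static const uint64_t SECRET_KEY = 0x5EEDC0DE12345678ULL; /* constructed value */
static GameState g_state;                                  /* demo instance */

static uint64_t fnv1a_keyed(const void *data, size_t len, uint64_t key)
{
    const unsigned char *p = (const unsigned char *)data;
    uint64_t h = 0xcbf29ce484222325ULL ^ key;   /* FNV offset basis, keyed */
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 0x100000001b3ULL; }
    return h;
}

/* hash only the protected fields, never the checksum slot itself */
static uint64_t state_hash(const GameState *s)
{ return fnv1a_keyed(s, offsetof(GameState, checksum), SECRET_KEY); }

/* every legitimate write goes through here and refreshes the checksum */
void state_set(GameState *s, int32_t health, int32_t score)
{
    s->health = health;
    s->score = score;
    s->checksum = state_hash(s);
}

/* 1 if the state is intact, 0 if a field was changed behind our back */
int state_verify(const GameState *s)
{
    return state_hash(s) == s->checksum;
}

int main(void)
{
    state_set(&g_state, 100, 0);
    g_state.score = 999999;  /* simulate a memory-editor poke */
    printf("%s\n", state_verify(&g_state) ? "ok" : "TAMPERED");
    return 0;
}
```

In a real client the check would run periodically from game logic, and the key would be generated at startup rather than hard-coded.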

caseys

if you want to protect your app from debugging go here: http://www.openrce.org/reference_library/anti_reversing

they have some nice scripts
Uf, never been so hard to understand

lelejau

no, I mean, the debugger isn't the main problem. What I DO need is to block memory edits. Like Cheat Engine.
Learning assembly :)

caseys

you can blacklist all the known cheat engines (tspy, tsearch, pcfhacker, etc.) in your app by inserting their window names (I used to do this in VB6). as far as I know BLIZZARD does the same thing =]
Uf, never been so hard to understand

lelejau

But, if the user changes the window name, the system would be bypassed :S. I think game anti-cheat programs identify some kind of signature of these exes. Like some block of code that is specific to memory editors. Like an antivirus knows whether a file is a trojan or not.
Do you know what I mean?  Is it possible to do something like this, but instead of finding viruses, find those programs?
Learning assembly :)

caseys

of course there are several ways to do this but I never did anything like it before. just keep in mind that there is no security that you can't bypass =] i mean DMA stealing
Uf, never been so hard to understand

lelejau

Sure, nothing is 100%. But I think detecting some kind of exe signature, checking if it is "black-listed" and, if so, closing the app should do the trick. But the question is:
How can I retrieve such information from the exe file?
Learning assembly :)