General Subjects
Anything GameHacking related, not multiplayer, that doesn't go in the other subforums below.

Trainer Protection

#1 - PoZHx (Crew) - 07-04-2009, 08:05 PM

Ok, I've created a few nice trainers.
I've added a couple of anti-debugging protections to them, coded in C++.

There are a few programs I know of that people can use to rob my addresses, which I'm writing to
(not TrainerSpy); my anti-debug protection makes them crash.

Also, when my program is loaded up, OllyDbg can attach to it and can see the ASM code, but when you
try to set a breakpoint and run my program, it will crash OllyDbg.

When trying to start up my trainer in OllyDbg without attaching, it will just auto-close but still leave
some ASM behind (there are a few plug-ins that bypass this).

Was wondering if anyone knows any good packers that remove CLI headers so people can't rob
my code (I would like it to not show up as a virus on virus scanners).

Any suggestion, tip or guide would be great. Thanks for reading.
  
#2 - Cha0sBG (Member) - 07-04-2009, 08:11 PM

Give me your program, I'll break your protection.

PS: Encrypt your program with Themida or something good,

and still post your non-encrypted exe so I can try to break your protection.




Post in the right section ~ Give rep if someone helped you ~ Don't double post ~ Help people in need if you know the answer.
  
#3 - mdk (Member) - 07-07-2009, 04:58 PM

Absolute protection is impossible. If your trainer works, there is always a way to find out how. It may just get more complicated with added security.

Using a protector for executable files (like Themida, which was mentioned) is an easy-to-accomplish first step. Next you can add custom security checks, like looking for special window names (e.g. OllyDbg, TSearch) or trying to detect hooks placed on ReadProcessMemory and WriteProcessMemory.

If you find something suspicious, don't just exit the trainer. Be more subtle: write to wrong addresses or stop reacting to hotkeys. If you want to be more aggressive, try to terminate these programs.

You can protect your trainer by writing watermarks to your target process. Find an unused area and write special values to it. If your work is stolen, chances are these fake values are also written by the thief. Just check by using his trainer and looking out for the watermark in memory.
  
#4 - [Psych] (Supervisor) - 07-07-2009, 06:06 PM

Anything you do can be bypassed. And that doesn't even need to happen. All you have to do is watch the game's memory for alterations! Doesn't matter what you do to the trainer itself, the game is the final destination ultimately, and so you will ALWAYS be able to find ways around it. If people want to rip they can, and they do! Frequently atm, and it's annoying.



“I can't be bothered with been a ba$tard these days. It's too much effort”. ~Apache
  
#5 - PoZHx (Crew) - 07-07-2009, 07:26 PM

Thanks for the reply guys...
I guess I'll just keep my packed program and add a few FindWindows like mdk suggested, although it is very easy to bypass >.< I guess I'll add a nice little bit of code for them guys, such as removing boot files.

I was going to be using Themida like Cha0s suggested (as I've tried cracking that bitch myself lol), but on VirusTotal basically every virus scanner said virus, so it would probably scare off the average user wanting to use my released trainers lol.

Quote (Originally Posted by [Psych]):
Anything you do can be bypassed. And that doesn't even need to happen. All you have to do is watch the game's memory for alterations! Doesn't matter what you do to the trainer itself, the game is the final destination ultimately, and so you will ALWAYS be able to find ways around it. If people want to rip they can, and they do! Frequently atm, and it's annoying.
Ah, didn't know there was a program that watches game memory for alterations! I knew there was a program to monitor WriteProcessMemory calls from your trainer using int3 breakpoints... man, that is fuckin lame! Robbing our hard work.

Anyway, thanks for the reply guys
PoZHx
  
#6 - [Psych] (Supervisor) - 07-07-2009, 07:40 PM

Yeah. That's why I use PECompact for my trainers. Pretty much no protection at all, but it decreases my .exe size to a very acceptable level, and hardly any AV will flag it up as suspicious. Just something we have to accept.



#7 - SunBeam (Keeper of Kadesh) - 09-11-2009, 03:42 PM

Your best protection would be your own personal library with to-be-written data and mutation of code. Hook game functions like so:

game.exe+0xoffset:
jmp [dll_function]

dll_function:
{mutated_code_here} // Themida or VMProtect
ret

Notice I said mutated and not virtualized. No need for crappy VMs..
  
#8 - PoZHx (Crew) - 09-11-2009, 06:18 PM

Quote (Originally Posted by SunBeam):
Your best protection would be your own personal library with to-be-written data and mutation of code. Hook game functions like so:

game.exe+0xoffset:
jmp [dll_function]

dll_function:
{mutated_code_here} // Themida or VMProtect
ret

Notice I said mutated and not virtualized. No need for crappy VMs..
Hmm, I don't quite understand that =/
Well, currently I'm using:
  • Anti-Breakpoints (int3 and hardware)
  • Checking debug flags using NtQueryInformationProcess
  • Checking for a debugger using int2 (by setting up SEH? - not 100% sure on how that works)
  • A few anti-debugging APIs, e.g. CheckRemoteDebuggerPresent() etc.
Is it worth taking a look into your suggestion?
  
#9 - SunBeam (Keeper of Kadesh) - 09-14-2009, 09:33 AM

Quote (Originally Posted by PoZHx):
Hmm, I don't quite understand that =/
Well, currently I'm using:
  • Anti-Breakpoints (int3 and hardware)
  • Checking debug flags using NtQueryInformationProcess
  • Checking for a debugger using int2 (by setting up SEH? - not 100% sure on how that works)
  • A few anti-debugging APIs, e.g. CheckRemoteDebuggerPresent() etc.
Is it worth taking a look into your suggestion?
PM me please one of your trainers. Just curious :-P I'll then tell you how to bypass each of the options you named above..
  
#10 - PoZHx (Crew) - 09-14-2009, 06:10 PM

Quote (Originally Posted by SunBeam):
PM me please one of your trainers. Just curious :-P I'll then tell you how to bypass each of the options you named above..
Ok, your task is to find the address which "WriteProcessMemory" is writing to.

I'd be grateful if you just posted the bypass to me instead of making it a public post, in case
we do have any crackers (leechers) on the forum going to crack my trainers.

Feel free to post the address and value though, I don't mind that.
Also, thanks for taking the time to test the security of my trainers.
**Check attachment for "CrackMe.Zip"**
Attached Files: CrackMe.zip (4.1 KB, 3 views)
  
#11 - SunBeam (Keeper of Kadesh) - 09-15-2009, 12:13 AM

Quote
0012FF48 00000000 |hProcess = NULL
0012FF4C 010056C8 |Address = 10056C8
0012FF50 0012FF70 |Buffer = 0012FF70
0012FF54 00000004 |BytesToWrite = 4
0012FF58 00000000 \pBytesWritten = NULL
Not much of a protection, sorry :-)
  
#12 - PoZHx (Crew) - 09-15-2009, 12:33 AM

Quote (Originally Posted by SunBeam):
Not much of a protection, sorry :-)
Interesting, the buffer (the value to be written) was actually 1337,
but the address was correct.

But yeah, with the address you could have worked that out.

Don't suppose you've got any suggestions on securing it? And maybe
pointing out my mistakes.

If you're too busy or cba, not to worry, I'll do some of my own research.
  
#13 - SunBeam (Keeper of Kadesh) - 09-15-2009, 04:14 PM

Here you go, ASM sources included:

Code:
http://ap0x.jezgra.net/protection.html
  
#14 - STN (Elite) - 09-15-2009, 05:13 PM

You can add a specific dummy byte sequence around your injection so you can recognize it if ripped from your trainer (considering the ripper is a n00b and blatantly copy/pastes; huh, he is a noob if he rips). My favorite is to write my nick in between the injection hehe.

But you shouldn't care about it; if your code gets ripped, it's really easy to tell. And if a skilled reverser is interested in your code, he can grab it no matter how tough your protection is. There are several ways to do it; one, like Psych mentioned, is watching the game for alterations.

SunBeam, that is pretty easy to bypass as well: dump the dll from memory or even debug it live.




DEViATED - WE ARE SERIOUSLY INSANE!
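As an added example (not code from anyone in this thread), here is the "dummy bytes around the injection" idea from mdk (#3) and STN (#14) done a little less blatantly: the nick is spelled out as a choice between two equivalent x86 no-ops, and a scanner recovers it from a memory dump. The function names, the nick used as the mark and the sample code bytes are all constructed for this illustration.

```python
# Added example (not code from the thread): mdk's (#3) and STN's (#14) "dummy
# bytes around the injection", spelled as a choice between two equivalent x86
# no-ops, plus a scan that recovers it from a dump. All values are constructed.
NOP_0 = b"\x90"       # nop           -> encodes a 0 bit
NOP_1 = b"\x87\xc9"   # xchg ecx, ecx -> encodes a 1 bit (also a no-op)

def encode_watermark(nick: str) -> bytes:
    """Spell the nick as a run of no-ops: one token per bit, MSB first."""
    out = bytearray()
    for byte in nick.encode("ascii"):
        for i in range(7, -1, -1):
            out += NOP_1 if (byte >> i) & 1 else NOP_0
    return bytes(out)

def _bits_to_text(bits):
    # Drop an incomplete trailing byte; accept only printable ASCII.
    chars = bytes(int("".join(map(str, bits[i:i + 8])), 2)
                  for i in range(0, len(bits) - len(bits) % 8, 8))
    if not chars or not chars.isascii():
        return None
    text = chars.decode("ascii")
    return text if text.isprintable() else None

def find_watermarks(dump: bytes, min_chars: int = 3):
    """Decode every maximal run of NOP_0/NOP_1 tokens in a dump and return
    [(offset, text)]. Plain alignment padding (all 0x90) decodes to NUL bytes
    and is filtered out, so it does not produce false hits."""
    found, i = [], 0
    while i < len(dump):
        start, bits = i, []
        while i < len(dump):
            if dump[i] == 0x90:
                bits.append(0); i += 1
            elif dump[i:i + 2] == NOP_1:
                bits.append(1); i += 2
            else:
                break
        if not bits:
            i += 1
            continue
        text = _bits_to_text(bits)
        if text and len(text) >= min_chars:
            found.append((start, text))
    return found

# Constructed "memory dump": game code, compiler padding, a ret, then a code
# cave whose payload is wrapped in the watermark on both sides.
GAME_CODE = bytes.fromhex("8b4d08")        # mov ecx, [ebp+8]
PAYLOAD = bytes.fromhex("c70139050000")    # mov dword [ecx], 1337
MARK = encode_watermark("PoZHx")
SAMPLE_DUMP = GAME_CODE + b"\x90" * 16 + b"\xc3" + MARK + PAYLOAD + MARK + b"\xc3"
```

As STN says, this only identifies a blatant copy/paste; a reverser who notices the pattern simply strips it. A stray 0x90 directly adjacent to the cave merges into the run and shifts the bit alignment, which is why the sample cave sits behind a ret.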
  
#15 - PoZHx (Crew) - 09-15-2009, 07:18 PM

Ok, thanks a lot for your suggestions.

Basically, from what I've learned, there is no possible way to hide
a "WriteProcessMemory" or any memory alteration within a program,
as you can easily rip a WPM without debugging.
Possibly that is what SunBeam may have done instead of cracking it in a debugger.

So if I'm correct, anti-debug protection will protect your source such as
ReadProcessMemory and other code which doesn't actually leave traces within
the game process..

So e.g. let's say I created an AI bot; people actually would need to crack
my anti-debug protection before they could rip out my ReadProcessMemory
calls etc.

Well, I'm going to take my research deeper into how things are cracked in debuggers and
learn about the NT kernel.

Once again, thanks for all your suggestions.
  
Reply With Quote
Reply

Bookmarks

Thread Tools
Display Modes




New To Site? Need Help?


All times are GMT +1. The time now is 07:34 PM.


Powered by vBulletin
Copyright ©1995 - 2009 GameHacking.com & CES