Hack Me - With a little bit of protection code


26 replies to this topic

#1 PaperClip

PaperClip

    Elite

  • Members
  • 47 posts

Posted 16 August 2009 - 01:04 AM

Please note this is quite a hard hackme, and it is only recommended for experienced game hackers.

I made a little Hack Me with an interesting protection method. The health is being saved as a normal integer format, and it is programmed using C++ MFC.

Here are a couple hack goals with different difficulty ratings. These are ranked from 1 being a simple straight-forward memory search, 2 being a straight-forward code injection, and 5 being a nearly impossible hack me.

Hack 1:
Difficulty: 3
Just hack it so that it says you win!

Hack 2:
Difficulty: 3.5
Hack it so that you don't lose health.

Hack 3:
Difficulty: 4.25
Be able to change your health to any value without code injection (i.e. by editing the health memory address).

I would be quite impressed if someone is able to achieve hack #3. Good luck! I am really looking forward to seeing how easy these objectives are with this protection system.

I will post some hints here if it is not turning out to be easily solvable.

PS: it is compiled in debug mode, try not to take advantage of this too much.


edit: I made a small mistake with the 'win' message. In the old version the program just closed when you win, without making a beep sound. Now it displays the proper winning message box.

#2 JAYRAY

JAYRAY

    Member

  • Members
  • 41 posts

Posted 17 August 2009 - 12:27 AM

Error message whilst running.

#3 PaperClip

PaperClip

    Elite

  • Members
  • 47 posts

Posted 17 August 2009 - 03:06 AM

Error message whilst running.


Thanks for the info. Are you running Vista or XP? By any chance could you tell me the error message you get?

#4 jarnin123

jarnin123

    Member

  • Members
  • 73 posts

Posted 17 August 2009 - 04:21 AM

I made a little Hack Me with an interesting protection method. The health is being saved as a normal integer format, and it is programmed using C++ MFC.

Here are a couple hack goals with different difficulty ratings. These are ranked from 1 being a simple straight-forward memory search, 2 being a straight-forward code injection, and 5 being a nearly impossible hack me.

Hack 1:
Difficulty: 3
Just hack it so that it says you win!

Hack 2:
Difficulty: 3.5
Hack it so that you don't lose health.

Hack 3:
Difficulty: 4.25
Be able to change your health to any value without code injection (i.e. by editing the health memory address).

I would be quite impressed if someone is able to achieve hack #3. Good luck! I am really looking forward to seeing how easy these objectives are with this protection system.

I will post some hints here if it is not turning out to be easily solvable.

PS: it is compiled in debug mode, try not to take advantage of this too much.


Do you think you could send me the source code? I'm looking into MFC and I think it might help.

#5 PaperClip

PaperClip

    Elite

  • Members
  • 47 posts

Posted 17 August 2009 - 08:09 PM

Do you think you could send me the source code? I'm looking into MFC and I think it might help.


No problem, I will upload it this evening.

The project is for Visual C++ 2008 using Visual Studio.

#6 jarnin123

jarnin123

    Member

  • Members
  • 73 posts

Posted 17 August 2009 - 08:10 PM

No problem, I will upload it this evening.

The project is for Visual C++ 2008 using Visual Studio.


Thanks, Visual Studio 2008 is exactly what I'm using :biggrin:!

#7 PaperClip

PaperClip

    Elite

  • Members
  • 47 posts

Posted 18 August 2009 - 01:24 AM

Thanks, Visual Studio 2008 is exactly what I'm using :biggrin:!


Here is a good tutorial on how to edit the controls (like changing the progress bar).
http://www1bpt.bridg...MFC Handout.doc

Specifically changing the controls IDC and adding a Variable to the controls is critical.

The source isn't too clean or very commented since it was intended just as a hackme. Isn't it a sneaky way of protecting and hiding the memory address? :)

JAYRAY, I had another friend try the hackme and it seems to work for him as well. By any chance could I steal a copy of the error message?

ps. The protection code I wrote is in 'Hack MeDlg.cpp'

#8 jarnin123

jarnin123

    Member

  • Members
  • 73 posts

Posted 18 August 2009 - 04:16 AM

Here is a good tutorial on how to edit the controls (like changing the progress bar).
http://www1bpt.bridg...MFC Handout.doc

Specifically changing the controls IDC and adding a Variable to the controls is critical.

The source isn't too clean or very commented since it was intended just as a hackme. Isn't it a sneaky way of protecting and hiding the memory address? :)

JAYRAY, I had another friend try the hackme and it seems to work for him as well. By any chance could I steal a copy of the error message?


Thanks buddy.

#9 attilathedud

attilathedud

    Supervisor

  • Staff
  • 251 posts

Posted 18 August 2009 - 04:42 PM

Great hackme mate, provided me with some fun last night. :)

#10 PaperClip

PaperClip

    Elite

  • Members
  • 47 posts

Posted 18 August 2009 - 11:15 PM

Thanks buddy.


No problem.

Great hackme mate, provided me with some fun last night. :)


Thanks, it is really quite tricky. Were you able to solve it?

I fixed a mistake where the winning message wouldn't be displayed if you win. I updated the file download in the first post.

#11 attilathedud

attilathedud

    Supervisor

  • Staff
  • 251 posts

Posted 19 August 2009 - 01:28 AM

Currently too busy with Call of Duty 4 to really focus on it, but I examined some of the code, and thought the method was pretty sexy. I'm holding off on viewing the source until I get it figured out though.

#12 iNTANGiBLE

iNTANGiBLE

    Member

  • Members
  • 120 posts

Posted 26 August 2009 - 07:59 PM

It's showing me this message: "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem." and I downloaded it again and it's the same thing.

#13 PaperClip

PaperClip

    Elite

  • Members
  • 47 posts

Posted 26 August 2009 - 08:22 PM

It's showing me this message: "This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem." and I downloaded it again and it's the same thing.


Thanks, I googled it a bit and found the problem. For this to work on your computer you need to download the Microsoft Visual C++ 2008 SP1 Redistributable Package (x86).

http://www.microsoft...&displaylang=en

Let me know if this solves the problem :)

#14 Psych

Psych

    Member

  • Members
  • 1689 posts

Posted 26 August 2009 - 08:39 PM

C++ Runtimes:
Microsoft Download Center: Search Results

*EDIT* - Already posted, fair enough :P


Oh, and PaperClip, you win by default after two attacks with this one :/

#15 PaperClip

PaperClip

    Elite

  • Members
  • 47 posts

Posted 26 August 2009 - 10:34 PM

Oh, and PaperClip, you win by default after two attacks with this one :/


Darn, now I am an idiot. I uploaded the wrong version after I made the first change. It is fixed now, thanks :)

#16 SunBeam

SunBeam

    Keeper of Kadesh

  • Members
  • 327 posts

Posted 11 September 2009 - 02:13 PM

00412FFE    A1 74034200           MOV EAX,DWORD PTR DS:[420374] // why use static pointers?
00413003    50                    PUSH EAX // param for next func; holds player HP pointer
00413004    E8 51E5FFFF           CALL Hack_Me.0041155A // GetPlayerHP()
..
0041300C    83E8 0A               SUB EAX,0A // dec value by 10
0041300F    8945 F8               MOV DWORD PTR SS:[EBP-8],EAX // store
00413012    8B45 F8               MOV EAX,DWORD PTR SS:[EBP-8] // and refresh it

EBP:

$-8      > 0000005A // our HP
$-4      > CCCCCCCC
$ ==>    >/0012F3C0

00413025    A1 70034200           MOV EAX,DWORD PTR DS:[420370] // again pointered :-(
0041302A    50                    PUSH EAX // EAX is a pointer to enemy HP :-)
0041302B    E8 2AE5FFFF           CALL Hack_Me.0041155A // GetPlayerHP()
00413033    83E8 05               SUB EAX,5 // dec by 5
00413036    8945 EC               MOV DWORD PTR SS:[EBP-14],EAX // store
00413039    8B45 EC               MOV EAX,DWORD PTR SS:[EBP-14] // and refresh it

0041304C  |.  837D F8 00          CMP DWORD PTR SS:[EBP-8],0 // is my HP still kickin'?
00413050  |.  7F 46               JG SHORT Hack_Me.00413098 // no, you lose; yes, check enemy HP
..
00413098    837D EC 00            CMP DWORD PTR SS:[EBP-14],0 // enemy HP 0?
0041309C    7F 30                 JG SHORT Hack_Me.004130CE // yes, you win; no, update all HP bars


#17 Xain

Xain

    Senior Member

  • Members
  • 189 posts

Posted 11 September 2009 - 02:29 PM

Lol pwned by Sunbeam:P

Can you re-upload it so I can try it on XP? It isn't working for me :(


#18 PaperClip

PaperClip

    Elite

  • Members
  • 47 posts

Posted 11 September 2009 - 05:51 PM

Glad to see someone took a serious look at hacking this :) You made a great analysis of the code, but I don't see you bypassing the protection systems yet.

00412FFE    A1 74034200           MOV EAX,DWORD PTR DS:[420374] // why use static pointers?
00413003    50                    PUSH EAX // param for next func; holds player HP pointer

00413004    E8 51E5FFFF           CALL Hack_Me.0041155A // GetPlayerHP()
..
0041300C    83E8 0A               SUB EAX,0A // dec value by 10
0041300F    8945 F8               MOV DWORD PTR SS:[EBP-8],EAX // store
00413012    8B45 F8               MOV EAX,DWORD PTR SS:[EBP-8] // and refresh it

EBP:

$-8      > 0000005A // our HP
$-4      > CCCCCCCC
$ ==>    >/0012F3C0

00413025    A1 70034200           MOV EAX,DWORD PTR DS:[420370] // again pointered :-(
0041302A    50                    PUSH EAX // EAX is a pointer to enemy HP :-)
0041302B    E8 2AE5FFFF           CALL Hack_Me.0041155A // GetPlayerHP() 
00413033    83E8 05               SUB EAX,5 // dec by 5
00413036    8945 EC               MOV DWORD PTR SS:[EBP-14],EAX // store 
00413039    8B45 EC               MOV EAX,DWORD PTR SS:[EBP-14] // and refresh it

0041304C  |.  837D F8 00          CMP DWORD PTR SS:[EBP-8],0 // is my HP still kickin'?
00413050  |.  7F 46               JG SHORT Hack_Me.00413098 // no, you lose; yes, check enemy HP
..
00413098    837D EC 00            CMP DWORD PTR SS:[EBP-14],0 // enemy HP 0?
0041309C    7F 30                 JG SHORT Hack_Me.004130CE // yes, you win; no, update all HP bars

All correct, well done on your reversing ;)


The only problem here is that you did a really great job at dissecting part of it, but you still haven't beaten it. It has advanced protection code protecting the health value (even if you know where it is), and a basic method preventing code injection. If you, say, 'nop' the line 0x0041300C to become invulnerable, it won't work.

Were you able to hack it so that it says you win?


@Xain, what error message are you getting?

#19 SunBeam

SunBeam

    Keeper of Kadesh

  • Members
  • 327 posts

Posted 14 September 2009 - 06:39 AM

Oh sorry, I didn't bother to go on with it. But I will look and report with another analysis, if you guys are OK with it (am saying this because most - the snobs - will say I am trying to act smart and don't offer others a chance to take a shot at it. Well, for those, I got one thing to say - STOP READING MY POST BEFORE YOU TRY IT).

Cheers,
Sun

EDIT: It actually works with NOPing 41300C o_O


#20 PaperClip

PaperClip

    Elite

  • Members
  • 47 posts

Posted 15 September 2009 - 04:34 PM

***Spoilers***

Good job, I must have made a mistake with my anti-code injection somehow. I won't bother fixing it.

Here is a description of the two anti-cheat systems in place (only the memory protection working apparently).

1. Memory Protection
The program allocates a page of memory to store the two health values, and PAGE_GUARD protection is set on this page. The PAGE_GUARD triggers a STATUS_GUARD_PAGE_VIOLATION exception if the memory is read or written to. Basically, this anti-cheat method monitored these exceptions, and if the memory was ever accessed when it didn't expect it, it closed the program for cheating.

As a result, if you search for memory using TSearch it skips over the PAGE_GUARD pages because it will trigger the exception within the program (yes, even if you use ReadProcessMemory it sets off the exception), and also because the PAGE_GUARD is a one-time exception. After setting the exception off, the PAGE_GUARD is removed. Even if you tell TSearch to look directly at the health address, it just sets off the exception and shows you a garbage value.

2. Code Protection (apparently didn't work)
Just a simple checksum check every time you click on the button:
int checksum()
{
	int value = 0;
	// Walk the first 1000 bytes of the attack handler's machine code.
	// As posted, '=' overwrites value on every pass, so only the last
	// byte is returned (the mistake described below: it should be '+=').
	for( int i = 0; i < 1000; i++ )
		value = ((char*) ((process)))[i];
	return value;
}

Where process() is the function which processes the 'attack' button. My mistake was value += :(
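The checksum idea above, as an added example in portable C (not the hackme's own code): both the '=' version PaperClip posted and the '+=' he meant, run over a constructed byte array that stands in for the start of the attack handler, plus a helper that overwrites a few bytes with 0x90 (the NOP SunBeam applied at 41300C) and reports whether each version notices. The opcode bytes are copied from SunBeam's listing; the array, its offsets and the function names are assumptions made for this demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the first bytes of the 'attack' handler.  The
 * opcode bytes are copied from SunBeam's listing above; this array is NOT
 * the hackme's real code, just enough bytes to run the checksums over. */
static const unsigned char ORIGINAL_CODE[] = {
    0xA1, 0x74, 0x03, 0x42, 0x00,  /* MOV EAX,DWORD PTR DS:[420374] */
    0x50,                          /* PUSH EAX                      */
    0xE8, 0x51, 0xE5, 0xFF, 0xFF,  /* CALL Hack_Me.0041155A         */
    0x83, 0xE8, 0x0A,              /* SUB EAX,0A   (offsets 11..13) */
    0x89, 0x45, 0xF8,              /* MOV DWORD PTR SS:[EBP-8],EAX  */
    0x8B, 0x45, 0xF8,              /* MOV EAX,DWORD PTR SS:[EBP-8]  */
};
#define ORIGINAL_CODE_LEN (sizeof ORIGINAL_CODE)

typedef int (*checksum_fn)(const unsigned char *code, size_t len);

/* The loop as posted: '=' overwrites on every pass, so the "checksum" is
 * just the last byte in the range and ignores everything before it. */
int checksum_as_posted(const unsigned char *code, size_t len)
{
    int value = 0;
    for (size_t i = 0; i < len; i++)
        value = code[i];
    return value;
}

/* The loop as intended: '+=' makes every byte contribute to the result. */
int checksum_fixed(const unsigned char *code, size_t len)
{
    int value = 0;
    for (size_t i = 0; i < len; i++)
        value += code[i];
    return value;
}

/* Copy the constructed code, overwrite n bytes at offset with 0x90, and
 * report whether fn's result changed.  Returns 1 if the patch is detected,
 * 0 if it is missed, -1 if the requested range is outside the array. */
int nop_patch_detected(checksum_fn fn, size_t offset, size_t n)
{
    unsigned char patched[ORIGINAL_CODE_LEN];
    if (n == 0 || offset + n > ORIGINAL_CODE_LEN)
        return -1;
    memcpy(patched, ORIGINAL_CODE, ORIGINAL_CODE_LEN);
    memset(patched + offset, 0x90, n);
    int before = fn(ORIGINAL_CODE, ORIGINAL_CODE_LEN);
    int after  = fn(patched, ORIGINAL_CODE_LEN);
    return before != after;
}

int main(void)
{
    printf("as posted: baseline %d, SUB patched -> %s\n",
           checksum_as_posted(ORIGINAL_CODE, ORIGINAL_CODE_LEN),
           nop_patch_detected(checksum_as_posted, 11, 3) ? "detected" : "missed");
    printf("fixed:     baseline %d, SUB patched -> %s\n",
           checksum_fixed(ORIGINAL_CODE, ORIGINAL_CODE_LEN),
           nop_patch_detected(checksum_fixed, 11, 3) ? "detected" : "missed");
    return 0;
}
```

In the hackme the range passed to the checksum would be the live handler bytes, `(char*)process`, rather than a copy; the array here only makes the result deterministic. Note that a plain byte sum, even with '+=', is a weak integrity check: any edit that keeps the sum unchanged goes unnoticed, so a CRC or cryptographic hash over the text range, compared against a value computed at build time, is the usual step up.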



