Cheat Engine The Official Site of Cheat Engine
Buggy Advanced Cheater
Reputation: 0
Joined: 04 Jan 2008 Posts: 72 Location: Republic of Korea (South Korea)
Posted: Tue Jan 29, 2008 6:43 am Post subject: [VB6 Tips] How to make program safe
I think everyone wants to protect their programs, and I do, too.
I will introduce the ways to anti-crack. These methods can't displace any other protectors, but I think if you learn this then you might be great at anti-crack... I think?
1. Using IsDebuggerPresent
This API gets the PEB address from the TIB block (FS:[18h]) and returns PEB.BeingDebugged to you.
You can declare it like this:
| Code: |
Public Declare Function IsDebuggerPresent Lib "kernel32.dll" () As Long
|
and you can use it like this:
| Code: |
If IsDebuggerPresent() Then
    MsgBox "Do NOT try to crack me hahahaahahahaaahaha", vbCritical, "You are an idiot"
    End
End If
|
But it's really easy to bypass.
If you want to bypass, you can change PEB.BeingDebugged to 0.
2. Check the value of DebugPort
Debuggers send data through the debug port, so a program can look for a debugger with DebugPort.
First, the Native API that gets process information is:
| Code: |
Private Declare Function ZwQueryInformationProcess Lib "ntdll" ( _
    ByVal ProcessHandle As Long, _
    ByVal ProcessInformationClass As Long, _
    ByRef ProcessInformation As Any, _
    ByVal ProcessInformationLength As Long, _
    ByRef ReturnLength As Long _
) As Long
|
We'll pass the constant ProcessDebugPort (7) as ProcessInformationClass.
It's really simple and great.
| Code: |
Dim DebugPort As Long
' -1 is the current-process pseudo-handle, 7 is ProcessDebugPort
ZwQueryInformationProcess -1&, 7&, DebugPort, 4, 0&
If DebugPort <> 0 Then End ' Exit the program when a debugger is found
|
Sometimes, some debuggers hook ZwQueryInformationProcess to hide themselves.
3. Use GetModuleHandle
Well, if you use this well, you can use it for anti-crack.
When you use it you have to add a timer control named Timer1, with its Interval set to 1 and Enabled set to True.
I'll give you an example of how to intercept WPE Pro.
| Code: |
Private Declare Function GetModuleHandle Lib "kernel32.dll" Alias "GetModuleHandleA" (ByVal lpModuleName As String) As Long
Private Declare Function FreeLibrary Lib "kernel32.dll" (ByVal hLibModule As Long) As Long
Private Declare Sub ExitProcess Lib "kernel32.dll" (ByVal uExitCode As Long)

Private Sub Timer1_Timer()
    Dim hWPE As Long
    ' Non-zero only if WpeSpy.dll is already loaded in this process
    hWPE = GetModuleHandle("WpeSpy.dll")
    If hWPE Then
        FreeLibrary hWPE
        ExitProcess 0
    End If
End Sub
|
Well, WPE Pro injects WpeSpy.dll into the target process, and when the handle is found, it exits.
But it's difficult to incapacitate WPE Pro, because we have to change the import table.
I think we could hook OpenProcess() or NtOpenProcess(), or hook ZwOpenProcess() in the SDT, but when we use ObOpenObjectByPointer() then it'll be useless...
I used those 2 methods on my crackme too, and I used more...
But the others are too long to explain to you, so I removed them...
Conclusion -
The best thing you have to do when you make a program safe is protecting it.
Use protectors like Themida, SVKP, and others.
Thank you...
_________________
iroo sooo hooooot
Last edited by Buggy on Tue Jan 29, 2008 10:52 pm; edited 1 time in total
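An added example, not from the thread: a VB6 (.bas module) routine that reads the debugger state behind the checks above through several views at once, so that a disagreement between them (for instance IsDebuggerPresent returning 0 while the PEB.BeingDebugged byte is set) is itself a sign that an API has been hooked, and that checks the NTSTATUS of ZwQueryInformationProcess, since a failed call is not the same as "no debugger". It goes beyond the thread by also reading PEB.NtGlobalFlag, whose heap flags are set only when the process was started under a debugger, not when one attaches later. It assumes a 32-bit process: the +&H2 and +&H68 offsets and the PROCESS_BASIC_INFORMATION layout are the 32-bit ones.

```vb
Option Explicit
' Added example (not from the thread). Standard (.bas) module, 32-bit VB6 process assumed.

Private Type PROCESS_BASIC_INFORMATION      ' 32-bit layout: 6 Longs = 24 bytes
    ExitStatus As Long
    PebBaseAddress As Long
    AffinityMask As Long
    BasePriority As Long
    UniqueProcessId As Long
    InheritedFromUniqueProcessId As Long
End Type

Private Declare Function IsDebuggerPresent Lib "kernel32.dll" () As Long
Private Declare Function ZwQueryInformationProcess Lib "ntdll" (ByVal ProcessHandle As Long, _
    ByVal ProcessInformationClass As Long, ByRef ProcessInformation As Any, _
    ByVal ProcessInformationLength As Long, ByRef ReturnLength As Long) As Long
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (ByRef Destination As Any, _
    ByRef Source As Any, ByVal Length As Long)

Private Const CURRENT_PROCESS As Long = -1      ' pseudo-handle, as used in the thread
Private Const ProcessBasicInformation As Long = 0
Private Const ProcessDebugPort As Long = 7
Private Const STATUS_SUCCESS As Long = 0
' FLG_HEAP_ENABLE_TAIL_CHECK Or FLG_HEAP_ENABLE_FREE_CHECK Or FLG_HEAP_VALIDATE_PARAMETERS
Private Const FLG_HEAP_DEBUG As Long = &H70

' Bitmask: 1 = IsDebuggerPresent, 2 = PEB.BeingDebugged, 4 = PEB.NtGlobalFlag heap flags, 8 = DebugPort.
' Bits 1 and 2 read the same PEB byte, so 1 set without 2 (or vice versa) means the API was tampered with.
Public Function DebuggerIndicators() As Long
    Dim pbi As PROCESS_BASIC_INFORMATION
    Dim status As Long, retLen As Long, port As Long, globalFlag As Long
    Dim beingDebugged As Byte
    Dim mask As Long
    If IsDebuggerPresent() <> 0 Then mask = mask Or 1
    ' Read the PEB directly instead of trusting the kernel32 export, which may be hooked.
    status = ZwQueryInformationProcess(CURRENT_PROCESS, ProcessBasicInformation, pbi, Len(pbi), retLen)
    If status = STATUS_SUCCESS And pbi.PebBaseAddress <> 0 Then
        CopyMemory beingDebugged, ByVal pbi.PebBaseAddress + &H2, 1    ' PEB.BeingDebugged
        CopyMemory globalFlag, ByVal pbi.PebBaseAddress + &H68, 4      ' PEB.NtGlobalFlag
        If beingDebugged <> 0 Then mask = mask Or 2
        If (globalFlag And FLG_HEAP_DEBUG) = FLG_HEAP_DEBUG Then mask = mask Or 4
    End If
    ' Only trust DebugPort when the call succeeded; a failed call is not "no debugger".
    status = ZwQueryInformationProcess(CURRENT_PROCESS, ProcessDebugPort, port, 4, retLen)
    If status = STATUS_SUCCESS And port <> 0 Then mask = mask Or 8
    DebuggerIndicators = mask
End Function
```

As the replies below it point out, a tool that rewrites these same PEB bytes and query results defeats every view at once, so treat the result as one signal to log or act on, not as proof on its own.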
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Tue Jan 29, 2008 10:48 am
IsDebuggerPresent is so easy to bypass. There are so many different ways to do it. You can just overwrite the flag of the PEB block for BeingDebugged:
PEB.BeingDebugged = PEB+0x2
I made a hook to bypass this before:
| Code: |
BOOL ResetIsDebuggerFound()
{
    // Open The Process For Info Query (Mainly used just to get handle.)
    HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId() );

    // Kill The (PEB)->BeingDebugged Flag [PebBaseAddress+0x2]
    PROCESS_BASIC_INFORMATION pbi = {0};
    if( QueryProcessInformation( GetCurrentProcessId(), ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION) ) )
    {
        BYTE bBeingDebugged = 0;
        memcpy( &bBeingDebugged, (LPVOID)((DWORD)pbi.PebBaseAddress+0x2), 1 );
        if( bBeingDebugged == 1 )
        {
            memset( (LPVOID)((DWORD)pbi.PebBaseAddress+0x2), 0, 1 );
            NtSetInformationProcess( hProcess, ProcessBasicInformation, &pbi, sizeof(PROCESS_BASIC_INFORMATION) );
            return TRUE;
        }
    }
    return FALSE;
}
|
As with the DebugPort, you can overwrite it also. There are plugins for Olly that will do it, as well as WinJect, which can do it for you too.
Then for GetModuleHandle you can just rename the DLLs.
_________________
- Retired.
Buggy Advanced Cheater
Reputation: 0
Joined: 04 Jan 2008 Posts: 72 Location: Republic of Korea (South Korea)
Posted: Tue Jan 29, 2008 10:58 pm
| Wiccaan wrote: | IsDebuggerPresent is so easy to bypass. There are so many different ways to do it. You can just overwrite the flag of the PEB block for BeingDebugged: [...] |
WOW VERY CURIOUS CODES!
tornarrow Master Cheater
Reputation: 0
Joined: 29 Jan 2008 Posts: 289
Posted: Tue Jan 29, 2008 11:01 pm
Bravo
Trow Grandmaster Cheater
Reputation: 2
Joined: 17 Aug 2006 Posts: 957
Posted: Wed Jan 30, 2008 3:30 am
I'd suggest not using this API for "making your app safe".
_________________
Get kidnapped often.
L3gend How do I cheat?
Reputation: 0
Joined: 30 Jan 2008 Posts: 8
Posted: Wed Jan 30, 2008 3:38 am
_________________
You Hear me?..Dead to me
Buggy Advanced Cheater
Reputation: 0
Joined: 04 Jan 2008 Posts: 72 Location: Republic of Korea (South Korea)
Posted: Fri Feb 08, 2008 2:01 am
Hmm, here is one more I used on my crackme:
| Code: |
' Standard (.bas) module: Public Declare and Public Type are only allowed there.
Option Explicit

' Types first, so the Declares below can reference them.
Public Type SECURITY_ATTRIBUTES
    nLength As Long
    lpSecurityDescriptor As Long
    bInheritHandle As Long
End Type

Private Type PROCESSENTRY32
    dwSize As Long
    cntUsage As Long
    th32ProcessID As Long
    th32DefaultHeapID As Long
    th32ModuleID As Long
    cntThreads As Long
    th32ParentProcessID As Long
    pcPriClassBase As Long
    dwFlags As Long
    szexeFile As String * 260&
End Type

Private Declare Function MessageBox Lib "user32" Alias "MessageBoxA" (ByVal hwnd As Long, ByVal lpText As String, ByVal lpCaption As String, ByVal wType As Long) As Long
Public Declare Function IsDebuggerPresent Lib "kernel32.dll" () As Long
Public Declare Function CreateFile Lib "kernel32" Alias "CreateFileA" (ByVal lpFileName As String, ByVal dwDesiredAccess As Long, ByVal dwShareMode As Long, lpSecurityAttributes As SECURITY_ATTRIBUTES, ByVal dwCreationDisposition As Long, ByVal dwFlagsAndAttributes As Long, ByVal hTemplateFile As Long) As Long
' th32ProcessID is a value, not a pointer, so it must be ByVal
Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" _
    (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Private Declare Function ProcessFirst Lib "kernel32" Alias "Process32First" _
    (ByVal mSnapShot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function ProcessNext Lib "kernel32" Alias "Process32Next" _
    (ByVal mSnapShot As Long, uProcess As PROCESSENTRY32) As Long
Private Declare Function TerminateProcess Lib "kernel32" (ByVal ApphProcess As Long, _
    ByVal uExitCode As Long) As Long
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

Private Const MB_OK = &H0&
Private Const MB_ICONHAND = &H10&
Private Const MB_ICONSTOP = MB_ICONHAND
Public Const GENERIC_READ = &H80000000
Public Const GENERIC_WRITE = &H40000000
Public Const FILE_SHARE_READ = &H1
Public Const FILE_SHARE_WRITE = &H2
Public Const OPEN_EXISTING = 3
Public Const FILE_ATTRIBUTE_NORMAL = &H80
Private Const TH32CS_SNAPPROCESS As Long = 2&
Private Const INVALID_HANDLE_VALUE As Long = -1
Private Const PROCESS_TERMINATE As Long = &H1

' Column 0 = PID, 1 = parent PID, 2 = lower-cased exe name
Private ProcessList(100, 2) As String

Public Sub KillProcessById(ByVal p_lngProcessId As Long)
    Dim lnghProcess As Long
    Dim lngReturn As Long
    lnghProcess = OpenProcess(PROCESS_TERMINATE, -1&, p_lngProcessId)
    If lnghProcess <> 0 Then
        lngReturn = TerminateProcess(lnghProcess, 0&)
        CloseHandle lnghProcess
    End If
End Sub

Public Sub KillProcess(ByVal ProcessName As String)
    Dim uProcess As PROCESSENTRY32
    Dim mSnapShot As Long
    Dim mresult As Long
    Dim mName As String
    Dim i As Integer
    Dim pi As Integer
    Erase ProcessList          ' drop entries left over from a previous call
    pi = 1
    DoEvents
    uProcess.dwSize = Len(uProcess)
    mSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0&)
    If mSnapShot <> INVALID_HANDLE_VALUE Then
        mresult = ProcessFirst(mSnapShot, uProcess)
        ' Stop at the end of the list or when the fixed-size array is full.
        Do While mresult <> 0 And pi <= 100
            i = InStr(1, uProcess.szexeFile, Chr(0))
            mName = LCase$(Left$(uProcess.szexeFile, i - 1))
            ProcessList(pi, 0) = uProcess.th32ProcessID
            ProcessList(pi, 1) = uProcess.th32ParentProcessID
            ProcessList(pi, 2) = mName
            mresult = ProcessNext(mSnapShot, uProcess)
            pi = pi + 1
        Loop
        CloseHandle mSnapShot
    End If
    For i = 1 To 100
        If ProcessList(i, 0) <> "" Then
            If InStr(LCase(Trim(ProcessList(i, 2))), LCase(ProcessName)) > 0 Then
                KillProcessById CLng(ProcessList(i, 0))
            End If
        End If
    Next i
End Sub

Public Sub AntiDebug()
    On Local Error Resume Next
    Dim mm As SECURITY_ATTRIBUTES
    mm.nLength = Len(mm)
    If IsDebuggerPresent() Then End
    ' SoftICE exposes a device: \\.\NTICE on NT, \\.\SICE on 98/ME
    If CreateFile("\\.\NTICE", GENERIC_READ Or GENERIC_WRITE, FILE_SHARE_READ Or FILE_SHARE_WRITE, _
        mm, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0&) <> INVALID_HANDLE_VALUE Then End ' Check SoftIce (WinNT)
    If CreateFile("\\.\SICE", GENERIC_READ Or GENERIC_WRITE, FILE_SHARE_READ Or FILE_SHARE_WRITE, _
        mm, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0&) <> INVALID_HANDLE_VALUE Then End ' Check SoftIce (98/ME)
    KillProcess "ollydbg"
    KillProcess "softice"
    KillProcess "w32dasm"
End Sub
|
You have to put Call AntiDebug() in Form_Load.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
Posted: Fri Feb 08, 2008 4:33 pm
Like I said in the crackme you posted that contained this code, it is very simple to bypass all the checks.
- Hook all the APIs used and return the default value that will make them pass your checks.
- Rename all the exes used to something else, since you are statically looking for exe names.
- IsDebuggerPresent has too many bypasses to list.