Page 2 of 2

Re: Protection required for online games

Posted: Wed Aug 28, 2013 11:31 am
by Enigma
Hi Tony,

Sorry for the delay in reply. There is the following situation with the game protection.

1. Nothing can avoid memory editing inside the process. How usually this is being dealing to avoid that:
- hide the process from processes list, to avoid the memory editing tools to just find the process to edit. This protection is used in GameGuard which you're using. Good way to hide the game process can be made only using drivers technology. Driver should also use undocumented Windows features, and it should be made for almost each version of Windows, since there are many changes in these undocumented functions between different versions of Windows. Driver is the main problem of such method, it is quite unstable, that's because you have so many issues with GameGuard. Moreover, it may cause false alerts from antiviruses and may be incompatible with the active/runtime protections of the antiviruses too (they also use drivers technology).
- another way to avoid memory editing - remove the code/data that is being edited to another location. For example, if cheaters modify the code then you may apply Virtual Machine feature to this code and this will help to avoid memory editing. If there is edited the data (not the code), then you may find the code that use this data, and, for eg, modify it so to replace the data to another location. That's difficult - yes, but possible.

2. Anti-injection - imagine, there are few kinds of code injection. Some kinds can be bypassed, but some - do not. So, there is no ideal method to avoid injection at all!
So, 2 protection techniques described above may help only.

Re: Protection required for online games

Posted: Wed Aug 28, 2013 12:26 pm
by Tony
Hello mr enigma, could it be possible for you to send me a plugin to make the protected client hidden by using the driver technology as you stated? I would want to test it out if that is ok for you

Re: Protection required for online games

Posted: Wed Aug 28, 2013 2:57 pm
by Enigma
No Tony, unfortunately, we do not have such plugin. Moreover, as I said, it's too difficult to make such plugin/driver, to make it stable and functional on all operation systems. This technology itself is not stable, so I doubt you find a solution in this direction.

It would be better to understand what address of your game the cheaters are modifying and then apply a code virtualization feature.

Re: Protection required for online games

Posted: Wed Aug 28, 2013 6:00 pm
by Tony
There are just too many addresses that can be modified, so what can I do, do you have an alternative method to hide the protected application?? like masking it as a windows process?? or any other suggestions?

Re: Protection required for online games

Posted: Fri Aug 30, 2013 12:16 pm
by Enigma
Tony wrote:There are just too many addresses that can be modified
Then it is even more important to apply code virtualization. You will solve the problem with cheaters and also make your client - unique.
Tony wrote:like masking it as a windows process??
Unfortunately no. Hiding process without a driver is impossible...
Tony wrote:or any other suggestions?
Maybe using Executed Processes Checkup, to check the program that injects or modify the memory. It will not help to avoid all memory editing programs, but it will help to avoid most of them. Moreover, you may use checkup only by Window Text, and, for eg, block all programs that contain a text "cheat", "inject" and so on.

Re: Protection required for online games

Posted: Fri Aug 30, 2013 12:59 pm
by Tony
The problem with the code virtualization is that the cheater edits specific stuff which is not in the client, but other scripts loaded by the client. The client only loads these scripts in execution, so how would I be able to virtualize this code if its not in the client itself? Regarding the process checkup, yeah i know about the "cheat", etc but there are just too many type of memory editors and also source codes where they can just build a new one with a different name and use it.
Mr.Enigma I would pay you if you could build a stable plugin to properly hide a protected process, maybe there could be other ways? or a better method on using the driver technology?
I would be happy to test the plugin for you sir :)

Re: Protection required for online games

Posted: Sun Sep 01, 2013 12:42 pm
by xenoglyph
Like he said, you can't really stop memory hacking. ReadProcessMemory/WriteProcessMemory can't really be blocked unless you want to make a driver and hook them system wide. Same goes for hiding processes.

You just can't do the things you want to do, you have think of a more creative solution. If the memory hack is constantly scanning your process looking for the signature to modify you could try putting a fake honeypot target in memory, and then checking to see if it gets modified.

Re: Protection required for online games

Posted: Mon Sep 02, 2013 6:35 am
by Enigma
Fake signature maybe a helpful way, but not always. Applying code virtualization is the better way.

Re: Protection required for online games

Posted: Fri Sep 13, 2013 11:16 am
by xenoglyph
Of course, if it's effective for his problem. I assumed he meant some piece of data (not code) was being modified in memory. If it is indeed a piece of data, and it's beyond his control to somehow encrypt that data he doesn't have many options. Your VM wouldn't protect against that, would it? Especially if a pointer to the data could reliably be located, or if the data has a reliable signature to search for.

PS - Just finished a PHP/MySQL online key verification system for Enigma, assuming the rest of the testing goes well I'll be buying it soon