Deterring Hackers

Blitz3D Forums/Blitz3D Programming/Deterring Hackers

Banshee(Posted 2005) [#1]
I'm writing a piece of hack-sensitive code at the moment, and I got to thinking about how to protect it by thinking about how I would crack it.

Currently I can perceive a weakness that I do not know how to overcome:

If somebody scans the .exe and identifies my variable holding decrypted data they can discern the memory address for that variable which would allow them to write a piece of software that looks for that offset in memory and reads the variable contents.

Effectively they'd be letting the legitimate client do their decrypting for them.

I can protect myself to some extent by using an obscure variable in the string table, but Blitz will still identify it as _v<something>.

Is there any way I can make this polymorphic or any way I can use a non-standard datatype in memory? I haven't learned C++ yet so I cannot write a .dll to create a new datatype.

The nearest I can think to secure would be creating a memory bank which would then move the offset depending on other data created first, but this would result in a _v holding the location of the bank.

As I cannot hide the offset to my sensitive data, can I hide the contents? Bearing in mind that at some point I do have to decrypt it to read what is in there...


Banshee(Posted 2005) [#2]
The more I think about this the more I can see a use (for me at least) for a .dll that organises the bit data of a variable according to a fractal pattern determined by calling a seeding routine within the dll so that the data format can polymorph during the realtime application.

I do need to learn C++, don't I!


SoggyP(Posted 2005) [#3]
Hello.

No, you need to get out more. :o)

Goodbye.


Banshee(Posted 2005) [#4]
I just realised that the function return offset is readable, thus making any .dll call traceable by reading the return offset. It's impossible to protect against this form of hacking without ASM and bit-level access to datatypes, and I'm not Geoff Crammond.

You're right, I should go out and not worry about this!


ozak(Posted 2005) [#5]
If only the Windows default install would stop running every damn user as administrator, most things would be more secure :)

You can't read another process's memory as a normal user.
Oh well. Nothing we can do ;)


John Blackledge(Posted 2005) [#6]
SoggyP - try to contribute a little more positively.
For sure you would use this if Becky Rose cracked it.


Panno(Posted 2005) [#7]
Piece of hack-sensitive code?

Ever debugged your own exes?


Banshee(Posted 2005) [#8]
Why 'debug' your own exe when you can write a monitor to view data in other people's online software?

It's just a case of locating the offset of the data you want to view, which is very easy once you know the decorated name of what you are looking for, and then peeking at the data you want.

I've hexed a game before now to mod it to my liking. Given myself more gold and what-not. The problem is stopping somebody like me from doing that to an online game.

Most hacking issues can be resolved with encrypted data transmission and performing all game logic calculations server-side, but I cannot stop somebody from writing a tool which monitors an online program by reading out its variable space.

Take this one for example: http://www.showeq.net/
This program is responsible for completely changing the dynamics of end-game raid play in the original Everquest game, and is a helluva useful tool when powerlevelling secondary accounts, and of course, identifies rare monsters the moment you enter a zone. It's total cheating.

I've even been asked to write a map position monitoring tool for Medal of Honour Allied Assault. So far I've resisted, but the financial bait is tempting (the rival product is £4k a copy).

Whilst my own project isn't quite in the same league as these games, it does use a centralised server - it's not an MMORPG or anything like that, but the temptation to cheat will still be there and cheating is big business in online software.

Even the indie game Web Space Alliance, which had a small community of a few thousand players up until the demise of the game a few months back, had a regular bi-weekly/monthly purge of cheaters, and the lists of banned accounts would often be 10-20 long.

Cheating in online games is big business. "Farmers" are millionaires...

If "somebody" had worked out how to write an AI application to play an entire group of Everquest characters from one program that could be run on a single PC 4 times concurrently, thus playing 24 characters 24 hours a day via AI with constant play time, no searching for hunting partners or camps so able to get the best camps and hold them - they could therefore get 24 characters to maximum level in a week or so.

That "somebody" could have made about £1000 per character sold .... And if I had realised the commercial possibilities of that when the game was popular I might even have finished writing it, but I was just playing around. (I got past handshaking / connection by directing the client to my own "server" and vice versa, which was all editable in text files, and then partly deciphered the in-game data packet format and got confused/stuck).

Crikey, I didn't write all that to be defensive or anything - I just kinda started explaining and the next thing I know I've written War and Peace! Doh, sorry...


John Blackledge(Posted 2005) [#9]
I feel inadequate. ;}


markcw(Posted 2005) [#10]
Hmm.

Everything can be hacked. If the data is there,
it can be hacked. All you can do is make
it more complicated for would-be hackers.

I wouldn't worry about hackers if you're only
an indie developer.

If I made a game and someone hacked it, I'd
take it as a compliment!


John Blackledge(Posted 2005) [#11]
"If I made a game and someone hacked it, I'd take it as a compliment!"

So, you wouldn't mind the almost complete loss of revenue for the last year's work?

Meanwhile, in the real world, the rest of us are trying to make a living.


Banshee(Posted 2005) [#12]
What worries me more than financial loss is the loss of the product. In all the major online games hacking changes the entire dynamic of the game and unfortunately the footprint of the cheaters impacts on the game for the genuine players.

Last night whilst lying in bed I came up with a novel way of storing data where I would have bit-level access in Blitz and there wouldn't be a static offset of a globalised variable or function return where it could be read, and I could hold the data in memory in an encrypted format that polymorphs whenever I decide to change the seed internally.

It might be a bit slow, but for my project that should not matter. My plan is to use RGBA values of image data, and because Blitz uses a pointer system for image locations I can keep moving it about in memory - and I can move the pointer variable about by using non-global variables to hold the image location in memory and pass it about. I'll move the image too by reserving randomly sized blank areas of memory before making the image to hold the data with, and I'll move it about and perhaps even on occasion store it in texture memory.

I'm not completely sure it will work yet, or that it is foolproof - but I reckon if nothing else there's no way on Earth that I would attempt to hack that, and so it'll hopefully despoil even the most determined cheater.


Neochrome(Posted 2005) [#13]
If you're worried about hackers finding your variables, you can use upx.exe and compress the code; it will scramble the code a lot more. The next problem you'll face is that if someone knows you're using UPX, that can be reverse engineered. The bottom line is, no software is completely hack-proof.


Damien Sturdy(Posted 2005) [#14]
Heh, if someone knows you're using UPX, which isn't difficult to find out, they only have to "upx <filename> -d" it to undo that.

or something.


Neochrome(Posted 2005) [#15]
Again, "no software is completely hack-proof".
You can use a win32x hacker to alter the ID of UPX to slow the progress of looking to hack a bit?


D4NM4N(Posted 2005) [#16]
I don't think you can. My mate from college is an ex-hacker and now works for some hi-tech data security company. He maintains that no matter how effective you make the codes etc., at the end of the day inside your exe there is one point where it's either on or off (might be in several places), and a few jmp instead of jne's (or whatever, there's a bit more to it I'm sure!) and protection's usually gone. The closest thing to full security is server-side programs like Citrix, or encrypted image filters.


markcw(Posted 2005) [#17]
"So, you wouldn't mind the almost complete loss of revenue for the last year's work?"

Let me ask you something, John.

Have you ever made anything that was hacked and
the warez version resulted in a major loss of your
revenue? Do you even know anyone who has?

My guess is no.

You know, in the "real world" even major software
companies can't prevent hacking. That is the real world.


Banshee(Posted 2005) [#18]
The point though, is that I want to make something that I cannot personally hack by addressing all the vulnerabilities that I can think of to exploit in an online game, rather than just accepting that it's going to get cracked, not doing anything about security and then letting every Tom, Dick and Harry cheat in the game.

Sure, a commercial game is always going to get a NO-CD patch and a big online game is always going to have cheaters - but currently even indie games with 1000-odd players get far too many cheaters because it's just so easy to do.

EQ sent its data raw, so if you wanted to read off the x/z position of all the monsters in the zone you just packet-sniffed the floats and plotted them to screen, and you've immediately got a huge advantage. That was just negligence... Sadly most of the other commercial games do exactly the same.

And the thing is, so many people are doing it and the big losers are the people who actually play the game properly and as intended.

If you're not going to reduce cheating in an online game you may as well write the gameplay with cheating in mind.


Wings(Posted 2005) [#19]
One thing you can do is to force players to download patches.

I can only say that STEAM got hacked but... they detect IP addresses of hacked versions, store them for a couple of months, then black-mark them.


John Blackledge(Posted 2005) [#20]
@somethingfunky - the usual argument, I see.

It's still called 'theft' in law. You ok with that?


Regular K(Posted 2005) [#21]
Someone should make a game that's purely meant for hacking, make it fun enough for hackers that all hackers go and play that game, voila, problem solved!


Hotcakes(Posted 2005) [#22]
In all the major online games hacking changes the entire dynamic of the game and unfortunately the footprint of the cheaters impacts on the game for the genuine players.

The only way to deter hackers that has actually worked - has been online mainframe server based. Generally a server that keeps a log of each and everybody's keys - key is correct and not used before, then server sends down vital game information, like game files, decryption keys or a list of sessions that people are hosting.


Banshee(Posted 2005) [#23]
Generally a server that keeps a log of each and everybody's keys

That's a useless system.

Firstly it doesn't stop cheating *at all*. It's for anti-piracy, and the big losers here are the legitimate users. I tried to play my legitimate copy of Half-Life online recently; I hadn't played it in quite a while - installed it and downloaded Steam ... invalid key.

Did that stop the pirate who used my key from playing? Or did he just move on to another key?

It stopped me from playing.

Who lost in that instance? Keys are an absolutely rubbish system and no, they don't work at all, not even remotely. The one game I played where keys worked was Everquest, because the key becomes tied to a credit card - you've got to pay to play so there is no piracy anyway, but in online frag-games they're a ridiculous concept.

Then, to cap it off, keyed software doesn't stop people from cheating - which is what is spoiling online software at the moment anyway.

The extreme conclusion from this then is that investing all your efforts into a key system results in a game that only pirates and cheaters play... How ironic.


markcw(Posted 2005) [#24]
John, you didn't answer my question, so I won't
answer yours...

Becky, so you're trying to prevent software piracy,
as well as online cheaters then?

And what is wrong with the usual software protection
methods, I ask? :-/


John Blackledge(Posted 2005) [#25]
@somethingfunky - I did answer your question. Re-read.

You seem very defensive about someone improving software piracy prevention....

Sorry, Becky. It was your thread. I'm out of here.


Banshee(Posted 2005) [#26]
Becky, so you're trying to prevent software piracy,
as well as online cheaters then?

*Bangs head against wall*

No. No I'm not. I just want to deter hackers who want to cheat.

As for whether it is worth preventing piracy - well, that is a totally separate argument and discussion which we could get into - although it seems you've been trying to have that discussion for a while so I'm not too sure you understood the thread, but my personal opinion there is:

No. No it is *NOT* worth preventing piracy.

No anti-piracy system I have ever seen has ever stopped a pirate copying or playing a game with the exception of Everquest and other credit card protected games* (*Although Everquest messed it up with the EQ play card system that was completely open to credit card fraud).

* Lenslock prevented people with an astigmatism from playing games.
* Manual protection prevented people with kids who have a glass of coke in their hands from playing the game...
* Key protection stops legitimate users from playing the game.
* CD Protection stops people who have owned a game for a few months from playing it (and in the ST/AMIGA era the disk-protection resulted in broken floppy drives every 2-4 years too!).
* Dongle protection only works for as long as the dongle does (and in the case of the first game to feature it - Robocop 3 - was released by the pirates 3 days before the genuine version).

No anti-piracy system has ever stopped a single pirate from playing a game or any other software, not ever, not once.

How many people here don't at least know about megagames and gamecopyworld? My guess is maybe 1 or 2 at most - but only because they have other sites they go to.

I even use pirated software myself... I buy the originals but the first thing I do after patching is put a pirate NO-CD patch on!

Anti-Piracy measures consistently hurt the legitimate users whilst at the same time not making the slightest scrap of difference to pirate users who will get past the protection regardless.

All of this is completely and utterly off topic of course, as none of these systems has any connection at all with preventing cheating.


Braincell(Posted 2005) [#27]
Hey Becky, I've been into similar things lately as I'm concerned about my future project as well. Even though I didn't read what ShowEQ can do, I doubt it can get into a remote PHP server and steal a variable's value from a certain offset, scan all offsets etc.?

Last night whilst lying in bed I came up with a novel way of storing data


Well, I've also found tools that can track where each of the values is even if you change its address; it will follow it. It can do that by taking snapshots of the whole memory or suspected area, finding the variable, then tracking it until it disappears, then finding its new address by doing a new big scan, etc. It can be slow to track them like this, but I think Blitz stores all the image data in a fairly limited, predictable range of addresses so it wouldn't be a very big area to scan. But I agree it would make it harder, so go for it.

Well, if it's an online game as I said, I SERIOUSLY doubt you can steal variables from a PHP server just like that, or any server for that matter. I mean you'd have to have complete access to be able to enter the server's RAM, and if you can do that you might as well execute any script and upload anything and change the exe itself! I don't understand how else you could see the variables the server has (I might be lacking info :( ).

*Bangs head against wall*

lol


Braincell(Posted 2005) [#28]
I've just had a proper look at ShowEQ and it reads:

ShowEQ is a packet analyzer for the game EverQuest. It passively monitors network traffic for EverQuest data and displays it on screen in an easily understandable format.


So. Unless someone breaks into your computer and installs a trojan that is specifically designed to read your RAM and send all of it (could be a number of MB depending on your system) or a big part of it in order to find variables (in which case you have huge security issues), you're safe. That is, to say the least, unlikely to happen, so I'd say you're about 99% secure if you run everything server-side. If you are worried about people sniffing packets, then simply send only what you absolutely must send (what you are 100% certain the player should see). This requires additional code. Of course maybe I didn't understand the design of your game, and what you meant to say was that you're worried the admins will cheat (if you mean to distribute the server software). In that case, what I said previously :D try to make it as hard as possible but don't expect to stop it fully, blablabla. Good luck.


Bot Builder(Posted 2005) [#29]
As far as that whole UPX thing, you can UPX an exe and then screw up the UPX header so that upx won't upx it without lots of complaining. Perhaps there's a flag that will make it ignore it, but without the header the hacker might not know it's a UPX exe in the first place.

As for memory security, creating a bank is probably the best way. Then write everything in very screwed-up ways. Have some number of byte-order patterns for integers:

1234 (normal int - prolly don't want to use this)
1423
2423
3241
2314
3214

etc. etc. In this example I've got 5 ways of storing it. The position in the bank mod 5 determines which one to use ;).

Strings can be stored backwards with all their characters offset by the bank position mod 128, and when it runs out of space in front of it, it could write, say, character 4 followed by the offset of the string's continuation.

I'd just have all the positions of variables the same run to run. No worrying about a dynamic data structure because the data inside is already messed up. You could also try doing stuff on non-byte-border alignments - start the bank's data off at byte .5 so every byte is the last byte's lower 4 bits and the next byte's upper 4 bits.

If this isn't enough for you, I suppose you could have a second bank that stores screwed-up strings for variable names->memory location stuff, and have it generated randomly each runtime.

It's surprising how many people focus on higher-bittage encryption algorithms where screwing up the order of the data in interesting ways works nearly as well, especially because there's so many things you can do. I've even had a program where the entire output file is randomly reversed, and whether or not it is reversed is determined by the very middle byte in the whole file, which is 1 or 0: 0 for flipped, 1 for not, among other protection schemes similar to the above stuff.
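Bot Builder's bank scheme above, as an added example that is not code from the thread: a 4-byte integer is written with a byte permutation chosen by the bank offset mod 5, and a string is written backwards with each byte shifted by the offset mod 128. Four patterns are the post's own (1423, 3241, 2314, 3214); the fifth, 4321, and the 64-byte bank and sample values are constructed here.

```python
import struct

# Byte-order patterns for a 4-byte integer.  Each tuple lists, for slots
# 0..3 of the stored form, which byte (0-based) of the natural little-endian
# encoding lands there.  The first four come from the post; 4321 is constructed.
PATTERNS = (
    (0, 3, 1, 2),  # 1423
    (2, 1, 3, 0),  # 3241
    (1, 2, 0, 3),  # 2314
    (2, 1, 0, 3),  # 3214
    (3, 2, 1, 0),  # 4321 (constructed)
)


def pattern_for(offset):
    """The bank offset mod 5 selects the permutation, as in the post."""
    return PATTERNS[offset % len(PATTERNS)]


def poke_int(bank, offset, value):
    """Write a 32-bit signed int at `offset` with its bytes permuted."""
    natural = struct.pack("<i", value)
    for slot, src in enumerate(pattern_for(offset)):
        bank[offset + slot] = natural[src]


def peek_int(bank, offset):
    """Undo the permutation chosen for `offset` and decode the int."""
    natural = bytearray(4)
    for slot, src in enumerate(pattern_for(offset)):
        natural[src] = bank[offset + slot]
    return struct.unpack("<i", bytes(natural))[0]


def poke_str(bank, offset, text):
    """Store `text` reversed, every byte shifted by (offset mod 128),
    behind a permuted 4-byte length prefix."""
    shift = offset % 128
    data = text.encode("latin-1")
    poke_int(bank, offset, len(data))
    for i, b in enumerate(reversed(data)):
        bank[offset + 4 + i] = (b + shift) % 256


def peek_str(bank, offset):
    """Reverse poke_str: read the length, unshift the bytes, un-reverse."""
    shift = offset % 128
    length = peek_int(bank, offset)
    raw = bytes((bank[offset + 4 + i] - shift) % 256 for i in range(length))
    return raw[::-1].decode("latin-1")


def int_round_trip(value, offset):
    """Store and reload one int in a fresh 16-byte bank (constructed)."""
    bank = bytearray(16)
    poke_int(bank, offset, value)
    return peek_int(bank, offset)


def round_trip_demo():
    """Store a gold counter and a label, then check what a plain memory
    scan for the natural encodings would find.  Returns
    (recovered_int, recovered_str, plain_scan_hit, stored_length_prefix)."""
    bank = bytearray(64)  # constructed stand-in for a Blitz bank
    poke_int(bank, 8, 1234567)
    poke_str(bank, 20, "gold=500")
    plain_hit = (bank.find(struct.pack("<i", 1234567)) != -1
                 or bank.find(b"gold=500") != -1)
    # Limit of the scheme: the length prefix 8 at offset 20 uses pattern 1423,
    # but three of its four bytes are zero, so it is stored exactly as 08 00 00 00.
    prefix = bytes(bank[20:24])
    return peek_int(bank, 8), peek_str(bank, 20), plain_hit, prefix
```

A plain scan for the natural encodings finds nothing, but a small value is barely disguised, and anyone holding the pattern table recovers everything: this is obfuscation, not encryption.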


Braincell(Posted 2005) [#30]
Nice idea. But they'd still figure out the relationship between the variable that matters and its value and the thing they're trying to change, so in addition to this mess-up I'd still want to use variable addresses.

I haven't looked into higher-bittage encryption algos, but that sounds interesting.


Ross C(Posted 2005) [#31]
Why not write a program that decrypts the data, using the product key as the key to the encryption?


Bot Builder(Posted 2005) [#32]
Another method to prevent people from hacking the exe is to stick MD5 hashes or checksums at various places in the program. The master hash would be for the whole program minus the hash itself (it'd be nearly impossible to find one that corresponded to a file with itself inside it). Other hashes in the file could also be skipped, these ones storing the hashes of all the others stuck together. So as long as the hacker doesn't find one or neutralize all of the many checks of the hash of the exe - hopefully a few of these hidden in various ways with tricky math and no strings to find.

Coming up with hacker deterrents is fun :)


Braincell(Posted 2005) [#33]
Hacking exes is only useful when dealing with cracks pretty much. For cheating purposes they just hack the memory.


Bot Builder(Posted 2005) [#34]
Yeah. For memory obfuscation I have code above, to make it so you can't memory hack. This still leaves open exe hacking for cheating. Then there's the whole space of network hacking, so you've gotta encrypt and mix up the data you send out.


Dreamora(Posted 2005) [#35]
Why bother about players hacking their client? You just have to verify the data received by the server is valid and if not disconnect them or perm-ban them after several attempts and warnings.

Depending on the type of game you do, there are different other things you can do to prevent users from cheating (or to punish them badly, which is what I prefer: let them think they did it just to let them die again and again until they leave frustrated ;))

Btw: Even large companies do not think that much about it, as Blizzard proves with WoW and the speed hack (how the f*** can a MMORPG be that crappy that you can modify your movement without the server realizing that you are faster than possible for your char?)


Banshee(Posted 2005) [#36]
how the f*** can a MMORPG be that crappy that you can modify your movement without the server realizing that you are faster than possible for your char

In Everquest you could teleport yourself... This is my beef with online games - it's too easy to cheat and regrettably cheating has become big business - and it spoils the game for me and other normal* players.

*The word "normal" used in a relative context...


Damien Sturdy(Posted 2005) [#37]
How about the server sends a patch file that patches the original EXE on each use, and if a key number doesn't match, they can't connect?

You wouldn't need to send an entire EXE, just a patch file used to modify it.


Hotcakes(Posted 2005) [#38]
how the f*** can a MMORPG be that crappy that you can modify your movement without the server realizing that you are faster than possible for your char?

It's a simple case of incredibly bad (or I perhaps should say, cheap) design. The client program works out the location of the character and lets the server know about it. People use packet sniffers to work out how this data is transferred and they write a program or whatever to change the data, or insert new data before it is sent from your computer. I had no idea WoW suffered from this. I'm REALLY surprised they haven't learnt from Diablo 2. Maybe they aren't as rich as I thought.

Plug for Final Fantasy XI - character position is calculated by the server and sent down to the clients. Cheating? What's that..? This means a big expensive server cluster to calculate 20k players and make it look real time... Then times the cost of that setup by 10 (the number of game worlds they run - could be more). This kind of setup is ... not cheap. Or fun to maintain. But I think Square proved with their movie that they have more cash than a games company probably should ;]

There -are- cases where the client can correct the server on its information (I think this is limited to area changes though)... but SE force down patches so often that a hole like that gets plugged within 2 months anyway (ie if it's not considered severe) - oh, and usually legal regals pursue.


Bot Builder(Posted 2005) [#39]
cyg - they could quite easily remove the bit of asm that executes the patch exe.

Vanilla - the server doesn't need to calculate movement, it only needs to check speed and disconnect users that move too fast.
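The server-side check Dreamora and Bot Builder describe above (validate what the server receives, refuse impossible moves, disconnect after repeated attempts), as an added example that is not code from the thread. The top speed, the 10% latency slack, the three-strike limit and the scripted session are constructed; the server's own receive clock is used, never a client-supplied timestamp.

```python
import math
from dataclasses import dataclass

# Constructed tuning values: a character's top speed in world units per
# second, slack for network jitter, and how many bad reports earn a kick.
MAX_SPEED = 5.0
TOLERANCE = 1.10
STRIKES_BEFORE_KICK = 3


@dataclass
class PlayerState:
    x: float
    z: float
    t: float          # server receive time of the last accepted report
    strikes: int = 0


class MovementValidator:
    """Server-side check on client-reported positions.

    The server keeps its own copy of where each player is and only moves
    that copy when the reported move is physically possible.  A rejected
    report leaves the server's position untouched, so a teleport never
    takes effect; repeated bad reports end the session.
    """

    def __init__(self, max_speed=MAX_SPEED, tolerance=TOLERANCE,
                 strikes_before_kick=STRIKES_BEFORE_KICK):
        self.max_speed = max_speed
        self.tolerance = tolerance
        self.strikes_before_kick = strikes_before_kick
        self.players = {}
        self.log = []     # what an operator would review before a perm-ban

    def spawn(self, pid, x, z, now):
        self.players[pid] = PlayerState(x, z, now)

    def report(self, pid, x, z, now):
        """Handle one position report; `now` is the server clock at receipt.
        Returns "ok", "rejected" or "kicked"."""
        st = self.players[pid]
        dt = now - st.t
        if dt <= 0:
            return self._strike(pid, st, "duplicate or out-of-order report")
        dist = math.hypot(x - st.x, z - st.z)
        allowed = self.max_speed * self.tolerance * dt
        if dist > allowed:
            return self._strike(pid, st, f"moved {dist:.1f} in {dt:.2f}s, limit {allowed:.1f}")
        st.x, st.z, st.t = x, z, now
        return "ok"

    def _strike(self, pid, st, reason):
        st.strikes += 1
        self.log.append(f"{pid}: {reason} (strike {st.strikes})")
        if st.strikes >= self.strikes_before_kick:
            del self.players[pid]
            return "kicked"
        return "rejected"

    def position(self, pid):
        st = self.players[pid]
        return (st.x, st.z)


def demo():
    """Scripted session (constructed): two legal moves, a replayed packet,
    a teleport, then a second teleport that triggers the kick.  Returns the
    verdicts, the server's position right after the teleport was refused,
    and the strike log."""
    v = MovementValidator()
    v.spawn("p1", 0.0, 0.0, now=0.0)
    verdicts = [
        v.report("p1", 3.0, 4.0, now=1.0),      # 5 units in 1 s: legal
        v.report("p1", 3.0, 4.0, now=1.0),      # same clock reading: replay
        v.report("p1", 100.0, 100.0, now=2.0),  # ~136 units in 1 s: teleport
    ]
    held = v.position("p1")                     # server still says (3, 4)
    verdicts.append(v.report("p1", 6.0, 8.0, now=2.0))    # legal from (3, 4)
    verdicts.append(v.report("p1", 500.0, 0.0, now=3.0))  # third strike
    return verdicts, held, v.log
```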


Regular K(Posted 2005) [#40]
In terms of client <> server structure, like a MMORPG, as long as what messages are sent, how they are handled, etc. are sound, there's no problem. Apparently WoW and EQ weren't well designed.


Damien Sturdy(Posted 2005) [#41]
cyg - they could quite easily remove the bit of asm that executes the patch exe.

Yup - maybe, but then they'd be forced to download the upgrade from the server, otherwise the server won't let them in. THAT'S the key.


Wings(Posted 2005) [#42]
WOW and HL2 are good design :)
If someone cheats they get banned!
So they collect all IP addresses that cheat and ban them. They just upgrade software... but how to ban an application which has no connection to the internet?


Zenith(Posted 2005) [#43]
I'm guessing by no connection to the internet, you mean a game that isn't multiplayer?

Why would you want to ban someone from hacking a single player game? Let them do what they want. :)


Hotcakes(Posted 2005) [#44]
So they collect all IP addresses that cheat and ban them.

The bannee then spoofs their IP and creates a new account and cheats again and gets banned again. Repeat this ad nauseam until Blizzard employees have a nervous breakdown and blow up the servers.

Then again, Blizzard employees are pretty darn devoted, so maybe it could take a while before that happens ;] I say devoted, because they're still releasing patches for StarCraft. That's just crazy. =]


Banshee(Posted 2005) [#45]
Yeah, it's not too hard to spoof your IP# or even your mac# address. If you like I could appear to be from Romania using Bill Gates' ethernet card... Assuming I can figure out Bill Gates' mac# address, that is.

Then again the guy is so technically inept (see programming achievements for Bill Gates: ASCII hack of MS-DOS 1.0) he's probably using a Macintosh for ease of use, so spoofing his mac# address for PC games would be a bit dumb.