Anti-hack tricks for protect your client!

  1. #1
    Proficient Member HappyDay is offline
    MemberRank
    Jan 2012 Join Date
    170Posts

    Anti-hack tricks for protect your client!

    Hello there, today I will share some pieces of my experience on how to protect your MuOnline client from DLL injections, bots, etc.
    (Note: those snippets for users with hands).

    Part 1, Code Obfuscation, Anti-reverse trick.
    Code:
    //Obfuscation method #1
    #define  JUNK_CODE_ONE       \
        __asm{push eax}         \
        __asm{xor eax, eax}     \
        __asm{setpo al}         \
        __asm{push edx}         \
        __asm{xor edx, eax}     \
        __asm{sal edx, 2}       \
        __asm{xchg eax, edx}    \
        __asm{pop edx}          \
        __asm{or eax, ecx}      \
        __asm{pop eax}
    
    //Obfuscation method #2 
    inline void PushPopSS()
    {
        __asm
        {
            push ss
            pop ss
            mov eax, 9
            xor edx, edx
        }
    }

    Usage example:
    Code:
    //Method #1
    inline int JunkedCode(int Foo, int Bar)
    {
        JUNK_CODE_ONE
        return ( (Foo + Bar) - 1 );
    }
    
    //Method #2 + #1 (alternative to the version above, use one or the other)
    inline int JunkedCode(int Foo, int Bar)
    {
        PushPopSS();
        JUNK_CODE_ONE
        return ( (Foo + Bar) - 1 );
    }
    These methods are used to make your code harder to understand in a disassembler. Good obfuscation = bad guy should waste +++ more time to bypass your protection things.

    Part 2, Debugger Detection, crash OllyDbg, Anti-reverse trick.
    IsDebuggerPresent is so easy to detect & bypass; here is the solution for it. Use obfuscated ASM instead of the WinAPI function.
    Code:
    //reads the BeingDebugged byte of the PEB (fs:[30h] + 2) without calling the WinAPI
    char beingDebugged = 0;
    __asm {
         mov eax, fs:[30h]
         mov al, [eax + 2h]
         mov beingDebugged, al
    }
    //debugger detected!
    if(beingDebugged){
            //that method will crash OllyDbg
           OutputDebugString( TEXT("%s%s%s%s%s%s%s%s%s%s%s")
                    TEXT("%s%s%s%s%s%s%s%s%s%s%s%s%s")
                    TEXT("%s%s%s%s%s%s%s%s%s%s%s%s%s")
                    TEXT("%s%s%s%s%s%s%s%s%s%s%s%s%s") );
           //do other things here.
    }
    Just a simple "example" of anti-RE tricks. This code makes a bad guy's life moar harder, and also requires additional knowledge + time to bypass. Not "ultimate protection" but still useful.

    Part 3, "Defeat all injections" solution:
    Bored of listing modules (DLLs) and scanning for them manually? Easy! This solution is for you!

    Code:
    //Header
    #include <string>

    struct WhitelistItem {
        std::string moduleName;
        unsigned int entryPoint;
    };
    const int WHITELIST_LENGTH = 40;
    const std::string moduleWhitelist[WHITELIST_LENGTH] = {
    "Main.exe", //Main.exe should be always here
    "ntdll.dll",
    "kernel32.dll",
    "KERNELBASE.dll",
    "GLU32.dll",
    "msvcrt.dll",
    "OPENGL32.dll",
    "ADVAPI32.dll",
    "SspiCli.dll",
    "CRYPTBASE.dll",
    "GDI32.dll",
    "USER32.dll",
    "LPK.dll",
    // ... etc.
    };
    In the white list, you should always put ALL modules normally used by MuOnline.exe + the exe itself. Also, you may change the MuOnline.exe name to any custom one before assembling your white list. If a user changes the exe name, it won't work either.

    Code:
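    //Cpp
    #include <windows.h>
    #include <tlhelp32.h>
    #include <string.h>
    #include <string>
    using namespace std;
    
    //check module from WHITELIST
    //(case-insensitive: the same module may be reported as e.g. "KERNEL32.DLL")
    int ModuleIsSafe(const std::string& moduleName)
    {
        for (int k = 0; k < WHITELIST_LENGTH; ++k) {
            if (_stricmp(moduleWhitelist[k].c_str(), moduleName.c_str()) == 0) {
                return 1;
            }
        }
        return 0;
    }
    
    // check loaded modules
    void CheckModules()
    {
        std::string s;
            
        // snapshot of the modules loaded in the current process (process id 0)
        HANDLE hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, 0);
        if (hSnap == INVALID_HANDLE_VALUE) {
            return; // snapshot failed, nothing to enumerate
        }
    
        MODULEENTRY32 me32;
        ZeroMemory((void*)&me32, sizeof(MODULEENTRY32));
        me32.dwSize = sizeof(MODULEENTRY32);
    
        if (Module32First(hSnap, &me32)) {
            do {
                s = me32.szModule; // assumes a non-UNICODE (ANSI) build
    
                if (!ModuleIsSafe(s)) {
                   //shutdown MuOnline
                }
            } while (Module32Next(hSnap, &me32));
        }
    
        CloseHandle(hSnap);
    }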
    To create the white list in this case (semi-auto), just put something like this in CheckModules:
    Code:
        // needs #include <fstream>; replaces the loop inside CheckModules
        ofstream whitelist;
        whitelist.open ("defaultModules.txt");
        if (Module32First(hSnap, &me32)) {
            do {
                s = me32.szModule;
    
                // write every module that is not in the white list yet
                if (!ModuleIsSafe(s)) {
                   whitelist << s <<"\n";
                }
            } while (Module32Next(hSnap, &me32));
        }
        whitelist.close();
    After that, simply add them to your const std::string moduleWhitelist[WHITELIST_LENGTH].

    Finally, with that code, you don't need to manually add "cheat.dll, hack.dll, MuHack.dll" and other shit to your code anymore. This will check all legal modules (used by Main.exe itself) and if something is wrong - crash MuOnline.

    With all the methods described, you may assemble your own client protection or improve one of the existing public ones and make it stronger. All of that is just the "basic" things for protecting your client, but they are very useful (and better than the same code in public anti-hack releases).

    If those things are useful for the community, next time I will show you how to:
    1) Protect MuOnline with VMProtect, also with a useful code example that can be integrated if you have the Main.exe source code, for example.
    2) Protect your *.dll from MemoryBreakpoints.
    3) Hide MuOnline.exe modules from Memory.

    Best Regards.


  2. #2
    Member yeyei132 is offline
    MemberRank
    Jan 2016 Join Date
    69Posts

    Re: Anti-hack tricks for protect your client!

    How to use this? :/

  3. #3
    The Supreme King Masteru is offline
    MemberRank
    Jun 2012 Join Date
    1,155Posts

    Re: Anti-hack tricks for protect your client!

    0 tutorial and 0 video how to use this :)) nice joob man

  4. #4
    (づ。◕‿‿◕。) Natzugen is offline
    MemberRank
    Jun 2014 Join Date
    ElbelandLocation
    1,858Posts

    Re: Anti-hack tricks for protect your client!

    Quote, originally posted by Masteru:
    0 tutorial and 0 video how to use this :)) nice joob man
    read a little

    (Note: those snippets for users with hands).
    Ps: if you see code inside code tags then it means you have to complete with your code.

  5. #5

    Re: Anti-hack tricks for protect your client!

    The module checker is not good to use. For example, all antiviruses, TeamViewer, Fraps and other programs inject a DLL into your process; that is one problem. Another: different Windows versions have a different number of DLLs, for example Windows XP has 30 DLLs and Windows 7 has 60, so this does not create reliable protection.
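
    An added example, not part of any post in this thread and not the original author's code: a portable model of the white-list check from post #1 that compares names case-insensitively and also checks the directory a module was loaded from, returning a verdict instead of shutting down so that the unlisted third-party DLLs mentioned in post #5 can be logged and reviewed. `LoadedModule` stands in for the `szModule` / `szExePath` fields of `MODULEENTRY32`; the `AllowedModule` entries, the verdict names and all paths are constructed assumptions.

```cpp
// Added example: models the white-list decision only; no Windows API is called.
#include <algorithm>
#include <cctype>
#include <string>
#include <vector>

enum class Verdict { Allowed, WrongPath, Unlisted };

// Constructed stand-in for the szModule / szExePath fields of MODULEENTRY32.
struct LoadedModule { std::string name; std::string path; };
// Hypothetical white-list entry: module name plus the directory it must load from.
struct AllowedModule { std::string name; std::string dir; };

static std::string Lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    return s;
}

// Directory part of a Windows path, lower-cased, without the trailing separator.
static std::string DirOf(const std::string& path) {
    std::string::size_type pos = path.find_last_of("\\/");
    return Lower(pos == std::string::npos ? std::string() : path.substr(0, pos));
}

Verdict Classify(const LoadedModule& m, const std::vector<AllowedModule>& allow) {
    bool nameSeen = false;
    for (const AllowedModule& a : allow) {
        if (Lower(a.name) != Lower(m.name)) continue;   // name differs, next entry
        nameSeen = true;
        if (Lower(a.dir) == DirOf(m.path)) return Verdict::Allowed;
    }
    // A listed name from an unexpected directory is reported separately.
    return nameSeen ? Verdict::WrongPath : Verdict::Unlisted;
}

// Constructed sample data (names and paths are illustrative only).
const std::vector<AllowedModule> kAllow = {
    {"Main.exe", "C:\\Games\\Mu"},
    {"kernel32.dll", "C:\\Windows\\System32"},
    {"LPK.dll", "C:\\Windows\\System32"},
};
const std::vector<LoadedModule> kSnapshot = {
    {"Main.exe", "C:\\Games\\Mu\\Main.exe"},
    {"KERNEL32.DLL", "C:\\Windows\\system32\\KERNEL32.DLL"},
    {"LPK.dll", "C:\\Games\\Mu\\LPK.dll"},
    {"overlay.dll", "C:\\Program Files\\Recorder\\overlay.dll"},
};
```

    The expected directories differ between Windows versions and installations, so they have to be recorded on each system rather than hard-coded as they are in this sample.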


