[DOWNLOAD] Anti-Cheat Concept

[Guy]

0xF4: PE File Infection

When it comes to Gunz, this is a fantastic way to implement some sort of anti-cheat, automatically to any runnable. In the provided project, you'll have to write the x86/x64 assembly to be embedded yourself. Any Windows API functions can't be used without:

a) Referencing some sort of IAT (Volatile).
b) Manually looking up functions (Reliable). This would involve fetching the PEB (For x86, stored at FS:[0x30]; for x64, stored at GS:[0x30]). Grabbing the module list (Varying location in the PEB). Enumerating the module list, comparing name members until the desired module is found. Grab that modules base, enumerate its headers to find the EAT, then walk the EAT until the desired function is located.

Here's a download of the project: Download Obscurity.zip from Sendspace.com - send big files the easy way

Usage is either handing off the filename to work with as the first parameter, or to simply run the executable, and you'll be prompted for it.

Currently, the sample embeds an anti-debugger check in the resulting executable; if a debugger is running, the application will halt execution until it's detached from the debugger.

[MentaL]

[Rotana]

Thanks for this , i will take an better look to it once i'm @home again.
Maybe i will inplant this into mine tribal patcher
First 5 days belgium for me rl job

[Evil[]Power]

Goodjob , will test it sooon when i comeback from school :)

[ThroneX]

Crashed when loading.
Here is the mlog.txt:

Code:

sound engine create.
Load XML from memory : System/tips.xml(0x0016)- SUCCESS
start log bipmap
end of load bitmaps2
loading pictures : 0.942000 
warning : bitmap slot_head.tga not found.
warning : bitmap slot_head.tga not found.
warning : bitmap icon_gameroom.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
IDLResource Loading Success!!
IDL resources : 0.219000 
start InitInterface option
Number of Display mode : 10
Number of Display mode : 10
end of InitInterface option ok
Init maps : no Current ChannelRule 
Screen Effect Manager Create : 0.141000 
Screen effect manager create success.
Effect manager create success.
Client create success.
Crash ( 07:32:55 )
Build Jun 12 2007 11:36:39


[Exception]
Address	:	6443fffc
ExpCode	:	c0000005
Flags	:	00000000
#Param	:	00000002
other	:	00000000

[Context]
GS : 0000002b  FS : 00000053  ES : 0000002b  DS : 0000002b
EDI: 0066cd78  ESI: 04a14b10  EBX: 00000000  EDX: 706f6853
ECX: 04a14e17  EAX: 00000007  EBP: 048d1730  EIP: 6443fffc
CS : 00000023  Flg: 00010297  ESP: 0018f094  SS : 0000002b

[Stack]
048cf250 72c326f0 0018f310 0066e238 0018f078 00000007 048cf250 0018f0c4 
00000000 00000000 00000190 00000002 00000000 00000040 048d42a0 00000003 
00000000 000000a8 00000000 0018f11c 005740d9 002b0000 00000000 005740de 
0000009c 048cf250 00000000 00573aa4 0018f0f4 ffffffff 65746e69 63616672 
696b5365 ffff006e 005740de 005740fb 0000009c 00000000 048cf250 048d42a0 
72c3271c 06ee64bb 00000000 00002710 00000000 0044252d 0018f198 3df5c28f 
00000000 3e7ae147 3f800000 d97b7c7e 0018f304 005d7460 ffffffff 00497b10 
0018f198 00000000 03eb06a0 ffffffff 048cf250 19e69fc0 0066e238 00000001 
000f4240 656d6147 65746e49 63616672 73020065 00000000 0018f190 00000000 
0018f210 75330155 af984a77 fffffffe 75317182 753172f1 029f3af0 76ecf87a 
75317304 0018f330 3df5c28f 3df5c28f 3eb33333 3e7ae147 00000000 00000000 
021a0408 00000000 00000000 0018f278 76ec00e6 0018f218 00000000 0018f5a0 
76ec0070 029f3af0 00000000 00000281 00000001 c000000f 6f425088 76ee2432 
00000000 7531723b 75321c01 00a90956 00000281 6e756f53 c0000064 00000000 
000002b1 00000000 00a90956 00000281 00000000 00a90956 00a90901 00a90956 
00000956 0018f29c 7531cd81 029f3af0 00000000 0018f330 00000000 00000000 

SymLoadModule failed 0 ( module =  ) 
SymGetSymFromAddr error 487
frame : (01) : PC Address : 6443fffc
     Param[0] : 72c326f0
     Param[1] : 0018f310
     Param[2] : 0066e238
     Param[3] : 0018f078
     ModuleName : l
SymGetLineFromAddr error 487
     Function Name : <nosymbols>
SymGetSymFromAddr error 126
frame : (02) : PC Address : 048cf250
     Param[0] : 00000000
     Param[1] : 048c24f0
     Param[2] : 00000004
     Param[3] : 00000000
SymGetModuleInfo error 126
SymGetLineFromAddr error 126
     Function Name : <nosymbols>
SymGetSymFromAddr error 126
frame : (03) : PC Address : 048cf250
     Param[0] : 0041e390
     Param[1] : 0041ba50
     Param[2] : 0041ba30
     Param[3] : 0054d8d0
SymGetModuleInfo error 126
SymGetLineFromAddr error 126
     Function Name : <nosymbols>
SymGetSymFromAddr error 487
frame : (04) : PC Address : 0041b980
     Param[0] : 000000a1
     Param[1] : 89645000
     Param[2] : 00000025
     Param[3] : 20685100
     ModuleName : theduel
SymGetLineFromAddr error 487
     Function Name : <nosymbols>
SymGetSymFromAddr error 487
frame : (05) : PC Address : 64005d5d
     Param[0] : 00000000
     Param[1] : 00000000
     Param[2] : 00000000
     Param[3] : 00000000
     ModuleName : l
SymGetLineFromAddr error 487
     Function Name : <nosymbols>

[Guy]

Crashed when loading.
Here is the mlog.txt:

Code:

sound engine create.
Load XML from memory : System/tips.xml(0x0016)- SUCCESS
start log bipmap
end of load bitmaps2
loading pictures : 0.942000 
warning : bitmap slot_head.tga not found.
warning : bitmap slot_head.tga not found.
warning : bitmap icon_gameroom.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
warning : bitmap icon_gameroom_s.tga not found.
IDLResource Loading Success!!
IDL resources : 0.219000 
start InitInterface option
Number of Display mode : 10
Number of Display mode : 10
end of InitInterface option ok
Init maps : no Current ChannelRule 
Screen Effect Manager Create : 0.141000 
Screen effect manager create success.
Effect manager create success.
Client create success.
Crash ( 07:32:55 )
Build Jun 12 2007 11:36:39


[Exception]
Address	:	6443fffc
ExpCode	:	c0000005
Flags	:	00000000
#Param	:	00000002
other	:	00000000

[Context]
GS : 0000002b  FS : 00000053  ES : 0000002b  DS : 0000002b
EDI: 0066cd78  ESI: 04a14b10  EBX: 00000000  EDX: 706f6853
ECX: 04a14e17  EAX: 00000007  EBP: 048d1730  EIP: 6443fffc
CS : 00000023  Flg: 00010297  ESP: 0018f094  SS : 0000002b

[Stack]
048cf250 72c326f0 0018f310 0066e238 0018f078 00000007 048cf250 0018f0c4 
00000000 00000000 00000190 00000002 00000000 00000040 048d42a0 00000003 
00000000 000000a8 00000000 0018f11c 005740d9 002b0000 00000000 005740de 
0000009c 048cf250 00000000 00573aa4 0018f0f4 ffffffff 65746e69 63616672 
696b5365 ffff006e 005740de 005740fb 0000009c 00000000 048cf250 048d42a0 
72c3271c 06ee64bb 00000000 00002710 00000000 0044252d 0018f198 3df5c28f 
00000000 3e7ae147 3f800000 d97b7c7e 0018f304 005d7460 ffffffff 00497b10 
0018f198 00000000 03eb06a0 ffffffff 048cf250 19e69fc0 0066e238 00000001 
000f4240 656d6147 65746e49 63616672 73020065 00000000 0018f190 00000000 
0018f210 75330155 af984a77 fffffffe 75317182 753172f1 029f3af0 76ecf87a 
75317304 0018f330 3df5c28f 3df5c28f 3eb33333 3e7ae147 00000000 00000000 
021a0408 00000000 00000000 0018f278 76ec00e6 0018f218 00000000 0018f5a0 
76ec0070 029f3af0 00000000 00000281 00000001 c000000f 6f425088 76ee2432 
00000000 7531723b 75321c01 00a90956 00000281 6e756f53 c0000064 00000000 
000002b1 00000000 00a90956 00000281 00000000 00a90956 00a90901 00a90956 
00000956 0018f29c 7531cd81 029f3af0 00000000 0018f330 00000000 00000000 

SymLoadModule failed 0 ( module =  ) 
SymGetSymFromAddr error 487
frame : (01) : PC Address : 6443fffc
     Param[0] : 72c326f0
     Param[1] : 0018f310
     Param[2] : 0066e238
     Param[3] : 0018f078
     ModuleName : l
SymGetLineFromAddr error 487
     Function Name : <nosymbols>
SymGetSymFromAddr error 126
frame : (02) : PC Address : 048cf250
     Param[0] : 00000000
     Param[1] : 048c24f0
     Param[2] : 00000004
     Param[3] : 00000000
SymGetModuleInfo error 126
SymGetLineFromAddr error 126
     Function Name : <nosymbols>
SymGetSymFromAddr error 126
frame : (03) : PC Address : 048cf250
     Param[0] : 0041e390
     Param[1] : 0041ba50
     Param[2] : 0041ba30
     Param[3] : 0054d8d0
SymGetModuleInfo error 126
SymGetLineFromAddr error 126
     Function Name : <nosymbols>
SymGetSymFromAddr error 487
frame : (04) : PC Address : 0041b980
     Param[0] : 000000a1
     Param[1] : 89645000
     Param[2] : 00000025
     Param[3] : 20685100
     ModuleName : theduel
SymGetLineFromAddr error 487
     Function Name : <nosymbols>
SymGetSymFromAddr error 487
frame : (05) : PC Address : 64005d5d
     Param[0] : 00000000
     Param[1] : 00000000
     Param[2] : 00000000
     Param[3] : 00000000
     ModuleName : l
SymGetLineFromAddr error 487
     Function Name : <nosymbols>

Could be that the value of EAX shouldn't be modified pre-runtime; maybe the data at the end of the CS is needed, or there's some kind of inteity check in the file you used.

[fuxpro321]

SO now how do i stop it?

lol i cant play Gunz now.

[ThroneX]

Could be that the value of EAX shouldn't be modified pre-runtime; maybe the data at the end of the CS is needed, or there's some kind of inteity check in the file you used.

Wtf ?? What's that EAX ? Tell me what to do please

[fuxpro321]

@ alish1558 you got the same prob as me

[SecretsOThePast]

Wtf ?? What's that EAX ? Tell me what to do please

Why does he have to tell you what to do? That's a bit rude to be demanding like that.

Here, this'll help:

An Introduction to Assembly Language: Part II - CodeGuru

[Guy]

Another potential fix would be to replace this line:

Code:

#define MAX_INSTRUCTION_LENGTH 0 // 15

Like so:

Code:

#define MAX_INSTRUCTION_LENGTH 15

In the file main.cpp, under the solution name "Obscurity", project "Infector".

[Joe9099]

excellent piece of work my friend gj

[unnamed123a]

Goodjob... Thsi is nice