Has my program been "patched" - in C++ (win32)

Let's say I *know* exactly where the casual cracker will patch some bytes in my program. And I want to write a patch detection routine. How would this be done?

For instance, let's assume I have a nag MessageBox. And I am almost sure they will NOP the call to the MessageBox. How can I test the bytes at the address of the CALL to the MessageBox for 90's (nop's)?

That's what I want to do. If you have another method of detecting a "patch", I am open minded! :)

Thanks. And simple sample code is always a plus for me. Just use the MessageBox as an example (no MFC).

Asked by: edvinson

brettmjohnson commented:
Even if you explicitly check for NOP, a patch could be a JMP around your check,
or a CALL to a NOP, or an OR of zero, or, or, or...  There are a lot of ways to do
nothing.

One way to detect a patch is to checksum the code in question.  However the
block of code you checksum should not contain any relocatable references.
["Relocation resolution" happens when the OS program loader fixes up address
values to reflect the actual physical memory address where the program gets
loaded.]

However, be careful about how much time you spend on this.  A determined
cracker could find a way around your check as well.  You could easily spend
more man-hours trying to do this right than you would recoup in theft-turn-sales.
Man-hours that just might be better spent improving the product.
0
WelkinMaze commented:
Hi,
it's better to check whether your code is still there than to check whether there are new values instead, since, as mentioned above, they could be anything (not only NOP).
0
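The checksum approach from the two answers above, as an added example that is not part of the original thread: a hash over the code bytes that skips the loader-relocated address fields, so it stays the same at any load address but changes when the CALL is overwritten. The byte sequence, RVAs and relocation offsets are constructed for illustration; in a real Win32 image the offsets would come from the PE base relocation table.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

using Bytes = std::vector<uint8_t>;

// Constructed 32-bit x86 body for a Nag()-like function loaded at image_base.
// The two 4-byte absolute addresses are what the loader relocates.
Bytes make_nag(uint32_t image_base) {
    Bytes c = {0x6A,0x00, 0x6A,0x00,          // push 0 ; push 0
               0x68,0,0,0,0,                  // push offset text   (reloc at 5)
               0x6A,0x00,                     // push 0
               0xFF,0x15,0,0,0,0,             // call [import slot] (reloc at 13)
               0xC3};                         // ret
    auto put = [&](size_t off, uint32_t rva) {
        uint32_t va = image_base + rva;
        for (int i = 0; i < 4; ++i) c[off + i] = uint8_t(va >> (8 * i));
    };
    put(5, 0x3000);   // hypothetical RVA of the string
    put(13, 0x2010);  // hypothetical RVA of the import slot
    return c;
}
const std::vector<size_t> NAG_RELOCS = {5, 13};

// FNV-1a over the code, skipping every relocated 4-byte field.
uint32_t code_checksum(const Bytes& code, const std::vector<size_t>& relocs) {
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < code.size(); ++i) {
        bool skip = false;
        for (size_t r : relocs) if (i >= r && i < r + 4) skip = true;
        if (!skip) h = (h ^ code[i]) * 16777619u;
    }
    return h;
}

// Overwrite len bytes at off with one value (models a patched copy).
Bytes patched(Bytes c, size_t off, size_t len, uint8_t v) {
    for (size_t i = 0; i < len; ++i) c[off + i] = v;
    return c;
}

int main() {
    uint32_t good = code_checksum(make_nag(0x00400000), NAG_RELOCS);
    uint32_t moved = code_checksum(make_nag(0x10000000), NAG_RELOCS);
    uint32_t nopped = code_checksum(patched(make_nag(0x00400000), 11, 6, 0x90), NAG_RELOCS);
    std::printf("%s, %s\n", good == moved ? "rebase: same checksum" : "rebase: MISMATCH",
                good != nopped ? "patch: detected" : "patch: missed");
}
```

Bytes inside the skipped fields are not covered by the checksum, so a change confined to those four-byte addresses goes unnoticed by this check.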
grg99 commented:
Here's how you would do it:


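#include <windows.h>

void Nag() { MessageBoxA(0, "Please pay", 0, 0); }

// Approximate offset of the CALL inside Nag(); it depends on the compiler and build settings.
#define fudge 6

void CheckNag()
{
    // unsigned char, so the comparison with 0x90 (NOP) can actually be true
    unsigned char *p = (unsigned char *)&Nag;
    p += fudge;
    if (*p == 0x90) MessageBoxA(0, "Gotcha!", 0, 0);
}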


.... but if  they can patch the first messagebox, what's to stop them from patching the second one?


0
