Has my program been "patched" - in C++ (win32)

Posted on 2006-04-24
Last Modified: 2010-04-01
Let's say I *know* exactly where the casual cracker will patch some bytes in my program. And I want to write a patch detection routine. How would this be done?

For instance, let's assume I have a nag MessageBox. And I am almost sure they will NOP the call to the MessageBox. How can I test the bytes at the address of the CALL to the MessageBox for 90's (nop's)?

That's what I want to do. If you have another method of detecting a "patch", I am open minded! :)

Thanks. And simple sample code is always a plus for me. Just use the MessageBox as an example (no MFC).

Question by: edvinson
    LVL 23

    Assisted Solution

    Even if you explicitly check for NOP, a patch could be a JMP around your check,
    or a CALL to a NOP, or an OR of zero, or, or, or...  There are a lot of ways to do

    One way to detect a patch is to checksum the code in question.  However the
    block of code you checksum should not contain any relocatable references.
    ["Relocation resolution" happens when the OS program loader fixes up address
    values to reflect the actual physical memory address where the program gets

    However, be careful about how much time you spend on this.  A determined
    cracker could find a way around your check as well.  You could easily spend
    more man-hours trying to do this right than you would recoup in theft-turn-sales.
    Man-hours that just might be better spent improving the product.
    LVL 11

    Expert Comment

    It's better to check that your code is still there than to check for new values, since, as mentioned above, they could be anything (not only NOP).
    LVL 22

    Accepted Solution

    Here's how you would do it:

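    #include <windows.h>

    void Nag() { MessageBoxA( 0, "Please pay", 0, 0 ); }

    // Offset of the CALL inside Nag(): approximately 6, check your build
    #define fudge 6

    void CheckNag()
    {
        // unsigned char: a signed char never compares equal to 0x90
        unsigned char * p = (unsigned char *) &Nag;
        p += fudge;
        if( *p == 0x90 ) MessageBoxA( 0, "Gotcha!", 0, 0 );
    }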

    ... but if they can patch the first MessageBox, what's to stop them from patching the second one?
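The checksum approach from the first answer, and the "check that your code is still there" comment, as an added example that is not part of the original thread: a CRC-32 over the code bytes that leaves out relocated operands, compared with the single-byte NOP test. The byte arrays are constructed samples and `Skip`, `CodeChecksum`, `HasNopAt` and `IsIntact` are hypothetical names; a real program would read the bytes at the function's address and, as an assumption here, take the skip list from the module's relocation data.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Byte range inside the checked code that the loader rewrites (a relocation fixup).
struct Skip { std::size_t offset, length; };

// CRC-32 (reflected polynomial 0xEDB88320) over code[0..len), leaving out `skips`.
std::uint32_t CodeChecksum(const unsigned char* code, std::size_t len,
                           const std::vector<Skip>& skips)
{
    std::uint32_t crc = 0xFFFFFFFFu;
    for (std::size_t i = 0; i < len; ++i) {
        bool relocated = false;
        for (const Skip& s : skips)
            if (i >= s.offset && i < s.offset + s.length) relocated = true;
        if (relocated) continue;  // address bytes change with the load address
        crc ^= code[i];
        for (int bit = 0; bit < 8; ++bit)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

// The single-byte test from the thread: is there a NOP where the CALL should be?
bool HasNopAt(const unsigned char* code, std::size_t offset) { return code[offset] == 0x90; }

// Constructed x86 bytes shaped like a small nag routine (not from a real binary):
//   68 imm32 = push <absolute address, offsets 1..4 relocated>; E8 rel32 = call at offset 5; C3 = ret
const std::size_t kLen = 11, kCallOffset = 5;
const std::vector<Skip> kSkips = {{1, 4}};
const unsigned char kBuilt[kLen]   = {0x68,0x00,0x30,0x40,0x00, 0xE8,0x10,0x00,0x00,0x00, 0xC3};
// Same code at another load address: only the relocated operand differs.
const unsigned char kRebased[kLen] = {0x68,0x00,0x30,0x7A,0x00, 0xE8,0x10,0x00,0x00,0x00, 0xC3};
// CALL overwritten with NOPs.
const unsigned char kNopped[kLen]  = {0x68,0x00,0x30,0x40,0x00, 0x90,0x90,0x90,0x90,0x90, 0xC3};
// CALL replaced by a short JMP to the RET: no 0x90 for a NOP test to find.
const unsigned char kJumped[kLen]  = {0x68,0x00,0x30,0x40,0x00, 0xEB,0x03,0x00,0x00,0x00, 0xC3};

// True when the code still matches the checksum recorded at build time.
bool IsIntact(const unsigned char* code, std::uint32_t expected) { return CodeChecksum(code, kLen, kSkips) == expected; }

int main()
{
    const std::uint32_t expected = CodeChecksum(kBuilt, kLen, kSkips);
    return (IsIntact(kRebased, expected) && !IsIntact(kNopped, expected) &&
            !IsIntact(kJumped, expected) && !HasNopAt(kJumped, kCallOffset)) ? 0 : 1;
}
```

Without the skip list the rebased copy would fail the check even though nobody patched it, which is the relocation problem the first answer warns about.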

