  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 232

Has my program been "patched" - in C++ (win32)

Let's say I *know* exactly where the casual cracker will patch some bytes in my program. And I want to write a patch detection routine. How would this be done?

For instance, let's assume I have a nag MessageBox. And I am almost sure they will NOP the call to the MessageBox. How can I test the bytes at the address of the CALL to the MessageBox for 90's (nop's)?

That's what I want to do. If you have another method of detecting a "patch", I am open minded! :)

Thanks. And simple sample code is always a plus for me. Just use the MessageBox as an example (no MFC).

0
Asked by: edvinson
2 Solutions
 
brettmjohnson Commented:
Even if you explicitly check for NOP, a patch could be a JMP around your check,
or a CALL to a NOP, or an OR of zero, or, or, or...  There are a lot of ways to do
nothing.

One way to detect a patch is to checksum the code in question.  However the
block of code you checksum should not contain any relocatable references.
["Relocation resolution" happens when the OS program loader fixes up address
values to reflect the actual physical memory address where the program gets
loaded.]

However, be careful about how much time you spend on this.  A determined
cracker could find a way around your check as well.  You could easily spend
more man-hours trying to do this right than you would recoup in theft-turn-sales.
Man-hours that just might be better spent improving the product.
0
 
WelkinMaze Commented:
Hi,
It's better to check whether your code is still there than to check whether there are new values instead, since, as mentioned above, they could be anything (not only NOP).
0
 
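grg99 Commented:
Here's how you would do it:

#include <windows.h>

void Nag() { MessageBoxA( 0, "Please pay", 0, MB_OK ); }

// Offset of the CALL inside Nag(): approximately 6, depends on the compiler output
#define fudge 6

void CheckNag()
{
    // unsigned char: a signed char can never compare equal to 0x90
    unsigned char * p;
    p = (unsigned char *) &Nag;
    p += fudge;
    if( *p == 0x90 ) MessageBoxA( 0, "Gotcha!", 0, MB_OK );
}

.... but if they can patch the first messagebox, what's to stop them from patching the second one?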


0
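The two checks discussed in this thread, side by side, as an added example that is not code from any of the posters: a checksum over the code that skips relocated bytes, and the single-byte NOP test. It runs on a constructed byte array standing in for the nag routine; the byte values, offsets and all names are assumptions. In a real Win32 build the bytes would be read from the function in memory and the skip ranges taken from the PE base relocation table.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

using Bytes = std::vector<std::uint8_t>;

// A byte range the loader may rewrite (relocation fixup); left out of the sum.
struct Skip { std::size_t offset, length; };

// Constructed x86 bytes standing in for the nag routine (not real compiler output):
//   push 0 / push 0 / push <address of text> / push 0 / call rel32 / ret
const Bytes kNag = {0x6A,0x00, 0x6A,0x00, 0x68,0x00,0x30,0x40,0x00,
                    0x6A,0x00, 0xE8,0x10,0x00,0x00,0x00, 0xC3};
const std::size_t kCallOffset = 11;          // where the CALL opcode sits
const std::vector<Skip> kRelocs = {{5, 4}};  // the absolute address in the PUSH

// FNV-1a over the code, ignoring every byte inside a skipped range.
std::uint32_t code_checksum(const Bytes& code, const std::vector<Skip>& skips) {
    std::uint32_t h = 2166136261u;
    for (std::size_t i = 0; i < code.size(); ++i) {
        bool skipped = false;
        for (const Skip& s : skips)
            if (i >= s.offset && i < s.offset + s.length) skipped = true;
        if (!skipped) h = (h ^ code[i]) * 16777619u;
    }
    return h;
}

// The narrow test: is the CALL opcode now a NOP (0x90)?
bool call_is_nopped(const Bytes& code) { return code[kCallOffset] == 0x90; }

// The broad test: is the original code still there?
bool is_intact(const Bytes& code, std::uint32_t expected) {
    return code_checksum(code, kRelocs) == expected;
}

// Copy of `code` with `patch` written at `offset` (simulates a modification).
Bytes with_bytes(Bytes code, std::size_t offset, const Bytes& patch) {
    for (std::size_t i = 0; i < patch.size(); ++i) code[offset + i] = patch[i];
    return code;
}
```

The expected checksum would be computed once at build time and stored; a loader fixup inside a skipped range leaves it unchanged, while both a NOP fill and a short JMP over the call change it.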
