  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 280

Did someone tamper with my program?

I got this solution to a similar question I asked, but I already awarded points, so ...

This won't compile:

#include <windows.h>

#define fudge

void Nag()
{
      MessageBox(NULL, TEXT("Please Pay!"), TEXT("Note"), MB_OK);
}

void CheckNag()
{
      char * p;
      p = (char *)  &Nag;
      p += fudge;
      if( *p == 0x90 )
            return false;

      return true;
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
    LPSTR lpCmdLine, int nCmdShow)
{
   if(CheckNag()){
      // Program runs normally. The message box is intact.
   } else {
      // You should be ashamed of yourself! Patching this little program!
      MessageBox(NULL, TEXT("PATCH DETECTED!"), TEXT("Program has been tampered with"), MB_OK);
   }

    return 0;
}

This looks like exactly what I am trying to do! IF I can get it to work.
0
Asked by edvinson

1 Solution
 
cup commented:
You have defined fudge as nothing so

     p += fudge;  

expands to

      p += ;  

which will cause a compilation error.
0
 
jkr commented:
Apart from the #define issue - you want a 'void' function

void CheckNag()

{
     char * p;  
     p = (char *)  &Nag;
     p += fudge;  
     if( *p == 0x90 )
          return false;

        return true;
}

to return a boolean value? That won't work, it should be

bool CheckNag()

{
     char * p;  
     p = (char *)  &Nag;
     p += fudge;  
     if( *p == 0x90 )
          return false;

        return true;
}

BTW, that's quite error prone - if I were to patch your code, I'd either remove the calls to 'Nag()' or overwrite it with 0x90 *eg*
0
 
jkr commented:
One other thing - make 'Nag()' an inline function and use it from various places; this will make it way harder to remove it.
0
 
edvinson (Author) commented:
Ok this is my plan:

Get this little thing running, and step through it in my debugger to see what's going on. Then...

Add the code into my real program, and again step through it. When I get to the MessageBox I will copy the opcode, which is probably some form of a PUSH, right? Anyway, then in my patch detection routine, I would check for what *should* be there.

Does that make sense?

Also, what do you mean inline function? Could you show me a small example? Thanks.
0
 
jkr commented:
>>Also, what do you mean inline function? Could you show me a small example?

Sure:

__forceinline
void Nag()
{
     MessageBox(NULL, TEXT("Please Pay!"), TEXT("Note"), MB_OK);
}

This means that the compiler will place the code directly where it finds a 'Nag()' rather than generating a call to that function. So, if you 'call' it 20 times in your code, you have 20 copies of that function around.
0
 
edvinson (Author) commented:
Would it be better to force inline with the function that actually does the check, rather than the nag?
0
 
jkr commented:
If you have the function inline, the check won't work anymore, since there is no such thing as the address of that function. It is embedded in the code that "calls" it.
0
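The check discussed in this thread, once the #define and the return type are fixed, generalises from "is the first byte of Nag() a 0x90" to "do the code bytes of Nag() still hash to the value they had when the binary was built", which catches any byte change in the window rather than the one value jkr calls error prone. The following is an added example, not code from the thread: it is portable C, puts() stands in for MessageBox(), the 16-byte window and the FNV-1a hash are my choices, and reading a function's bytes through a pointer cast is the same implementation-defined trick the question's (char *)&Nag relies on. Nag() is marked noinline for the reason jkr gives in the last comment: an inlined function has no single address to check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#if defined(_MSC_VER)
#define NOINLINE __declspec(noinline)
#else
#define NOINLINE __attribute__((noinline))
#endif

/* Number of code bytes of Nag() covered by the check (assumption: a fixed
 * window, because standard C has no portable way to learn a function's
 * length; Nag()'s body below is longer than 16 bytes on every mainstream
 * compiler, and the bytes after it are still readable text anyway). */
#define NAG_WINDOW 16

/* The routine being protected. noinline keeps it a real, addressable
 * function; inlined, there would be no single copy to checksum. */
NOINLINE void Nag(void)
{
    puts("Please Pay!");
}

/* 32-bit FNV-1a over a byte buffer: small, dependency-free, and any
 * single-byte change flips the result (it is not cryptographic; the goal
 * here is detecting edits, not resisting a forged digest). */
static uint32_t fnv1a32(const unsigned char *data, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 16777619u;
    }
    return h;
}

/* Copy the first NAG_WINDOW bytes of Nag()'s machine code into buf. The
 * cast through uintptr_t turns a function pointer into a data pointer,
 * implementation-defined but valid on every flat-memory platform. */
static void read_nag_code(unsigned char buf[NAG_WINDOW])
{
    const unsigned char *code = (const unsigned char *)(uintptr_t)&Nag;
    memcpy(buf, code, NAG_WINDOW);
}

/* Hash of the live code bytes of Nag(). In a shipped program the pristine
 * value would be embedded as a constant; here it is measured at startup so
 * the example is self-contained. */
uint32_t nag_code_hash(void)
{
    unsigned char buf[NAG_WINDOW];
    read_nag_code(buf);
    return fnv1a32(buf, NAG_WINDOW);
}

/* Integrity check: 1 if Nag() still hashes to expected, 0 if modified. */
int check_nag(uint32_t expected)
{
    return nag_code_hash() == expected;
}

/* Shows what a patch does to the check without touching executable memory:
 * hash a copy of the code whose first byte was replaced by 0x90, the NOP the
 * thread tests for (or by 0xCC if it already happened to be 0x90, so the
 * copy always differs from the original). */
int simulate_patched_check(uint32_t expected)
{
    unsigned char buf[NAG_WINDOW];
    read_nag_code(buf);
    buf[0] = (buf[0] != 0x90) ? 0x90 : 0xCC;
    return fnv1a32(buf, NAG_WINDOW) == expected;
}

int main(void)
{
    uint32_t reference = nag_code_hash(); /* embedded constant in a real build */
    printf("Nag() code hash: 0x%08x\n", (unsigned)reference);
    printf("pristine check:  %s\n", check_nag(reference) ? "ok" : "TAMPERED");
    printf("patched copy:    %s\n", simulate_patched_check(reference) ? "ok" : "TAMPERED");
    Nag();
    return 0;
}
```

Taking the reference hash at startup, as main() does here, only demonstrates the mechanism: a check that measures and then trusts itself proves nothing about a patch applied before it runs, so a real build computes the constant from the final binary in a post-build step and stores it in the program. The check routine is itself ordinary code and just as patchable as Nag(), which is why the thread's advice to use several copies from different places raises the cost for an attacker but does not make the scheme unbreakable.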