ner0
July 29th, 2012, 11:23
Hello,
Firstly I would like to start by saying that despite this question being in the area of malware analysis, the question itself is not directly related to it.
I just posted this here because I do think that it is the area best suited for my question and the experienced users that may read it, and can also be useful in malware analysis, despite not being my subject. For this I apologize, and if a moderator finds it inappropriate, please feel free to delete it or relocate it.
Now that we have taken that out of the way, here is my question/situation:
I am trying to create an anti-cheat detection system for several wide-spread cheating tools/DLLs (video games).
Most of those cheating tools work by injecting the game process and changing several values.
I started off with one of them and by using IDA I could track the memory pointers by looking at the WriteMemoryProcess area in the debugger.
The problem I'm having is with my second attempt with another cheating DLL where I can't seem to be able to find any useful references to track down the static memory pointers that are changed by it. In sum, the anti-cheat technique is very basic, I use memcmp() to detect the cheat injection or more precisely, the memory region that is changed, for example:
Code:
const char* cleanMem = "\xAC\x51";
if (memcmp(cleanMem, (void*)0x4AC590, 2))
{
    // Cheat detected, take action.
}
The code above, even if it might not be the best approach, works fine. The memory pointer 0x4AC590 is just an example for the one I was able to pinpoint on my first attempt. The problem I'm having is pinpointing the exact game addresses that are targeted by this new injected DLL that I'm looking at. I'm having a real hard time doing it and most tutorials I have read so far were either too broad or had too much overwhelming info that I couldn't follow every aspect of it. I would appreciate if someone could give me a few tips on how to precisely track them down.
Thank you for your time.
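
An added example, not part of the original post: it generalizes the memcmp() check described above from one hard-coded address to a diff of a clean snapshot against the current bytes of the same region, reporting every changed range. The buffers are constructed sample data, and `find_patches` and `patch_range` are hypothetical names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One contiguous run of bytes that differs from the clean baseline. */
struct patch_range { size_t offset; size_t length; };

/*
 * Compare a clean snapshot against the current contents of the same region
 * and record every contiguous run of changed bytes. Returns the total number
 * of runs found; at most `max` of them are stored in `out`.
 */
size_t find_patches(const unsigned char *clean, const unsigned char *live,
                    size_t len, struct patch_range *out, size_t max)
{
    size_t count = 0, i = 0;
    while (i < len) {
        if (clean[i] == live[i]) { i++; continue; }
        size_t start = i;
        while (i < len && clean[i] != live[i]) i++;
        if (count < max) { out[count].offset = start; out[count].length = i - start; }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample data standing in for a region of the game image. */
    unsigned char clean[16] = { 0xAC, 0x51, 0x8B, 0xEC, 0x83, 0xEC, 0x10, 0x53,
                                0x56, 0x57, 0x33, 0xC0, 0x5F, 0x5E, 0x5B, 0xC3 };
    unsigned char live[16];
    struct patch_range found[8];
    size_t base = 0x4AC590;   /* example address from the post, used as a label only */

    memcpy(live, clean, sizeof live);
    live[0] = 0x90; live[1] = 0x90;     /* simulated two-byte modification */
    live[10] = 0xEB;                    /* simulated one-byte modification */

    size_t n = find_patches(clean, live, sizeof clean, found, 8);
    for (size_t k = 0; k < n && k < 8; k++)
        printf("changed: 0x%zX, %zu byte(s)\n", base + found[k].offset, found[k].length);
    return n == 2 ? 0 : 1;
}
```

In a real process the clean snapshot would be taken from a known-good copy of the region before any third-party module is loaded, and each reported offset added to the region's base address.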