
I program for a PC game called Crysis Wars, and lately players have been constantly asking for a new game update (a community patch) to fix problems, including a rather ironic scripting error.

There are several game hacks known as Infinium, Gamg, Annihilator & Longpoke which rely on DLL injection methods to place hacks & cheats within the game without the internal anticheat system noticing. These hacks are quite simple and exploit the main game DLL's code through hex value modifications, and some (like Gamg) are made with the game engine's own SDK (I know the creator of this hack).

Like others, I have access to the CryEngine 2 (the game engine) SDK (includes the source code to the main game dll) and I propose to modify the name & location of all game functions (for both client and server) so the existing hacks will not work anymore.

Would this work to stop hacks made with modifying the hex values of the main game dll? I confirm that hacks made with the SDK will no longer function, but I want to check with others before attempting this since it will require a lot of work.

Basically, what I am asking:

Hackers are exploiting a DLL in a game by changing the source code. If I change all functions in the source code and issue a (community) update for the game (without releasing the new source code), would the hackers be able to use the same hacks without any problems?

I apologise if this seems confusing; please do say if I need to be clearer.

AStopher
  • Answer: Depends. See: http://stackoverflow.com/questions/3784389/difference-between-api-and-abi – dgrat Feb 14 '14 at 12:39
  • I'm a bit naive on this. Are they changing the addresses of function calls? Would ASLR help? – Simple Feb 14 '14 at 12:40
  • Going to do some testing- I'll answer my own question when I gather the results. @Simple Yes, they are changing the addresses of function calls. ASLR looks interesting- I'll give it a go. – AStopher Feb 14 '14 at 12:54
  • I think you can do something akin to ASLR pretty trivially by creating a "fixed address" memory mapping address (with a not-so-fixed fixed address somewhere in the 0x400k-0x600k range) _before_ loading the game DLL. That will force the OS to relocate the DLL, and consequentially all functions. Legitimate users of the DLL should not be affected, since they use `GetProcAddress` and don't tamper with hex values at known addresses. Same for non-static in-game variables. Do a `new int[rand() & 0xffff];` as the first thing. That will practically guarantee that ... – Damon Feb 14 '14 at 13:59
  • ... the otherwise more or less deterministic allocator produces "random" addresses. Of course many addresses (such as a loaded asset) will be "random" anyway since objects are unpredictably created and deleted throughout the game on an as-needed base, but some main structures which are created in a well-defined order at startup might still be exactly predictable. They're not if you allocate a random amount of scratch first. – Damon Feb 14 '14 at 14:01

1 Answer

You'll break everything, legal and illegal mods. The illegal mods will probably be fixed quite soon; it's quite trivial to reverse-engineer your proposed changes.

A better method is to turn on Data Execution Prevention and hook the VirtualProtect function which is needed to bypass DEP. You'll then be able to catch attempts to install a later hook. Of course, do check that there's no existing hook for VirtualProtect, nor any known DLL hack already present.

MSalters
  • Yeah, but it'll take a lot of work to reverse-engineer the changes. As well as this, hackers cannot touch the functions that the client uses to send data to the server. This means that if they do end up reverse-engineering it, they won't actually be able to do any harm with their changes. I'll have a look at VirtualProtect. – AStopher Feb 14 '14 at 13:10
  • @zyboxenterprises: I expect it takes hackers about 2 hours to reverse-engineer a name change; how much time will it cost you? And of course hackers can't touch your server code, but that's already a given now. You don't need to do anything for that. – MSalters Feb 14 '14 at 13:12
  • *One single name change*, all the hacks need at least three changes in the default code in order to actually work, and they can be found and changed quite easily via a hex editor. If the function names are changed (and also the content of the functions), the hex value will be changed, making it almost impossible to find the correct function. – AStopher Feb 14 '14 at 13:17
  • @zyboxenterprises: You're not experienced enough in thinking like a hacker. Besides the exact hex signature, functions can also be effectively identified by their place in the call graph, as well as their run-time call order. To give you an idea: I once reverse-engineered a similar DLL _without using names at all_, and I didn't have the old hex values to compare with either. – MSalters Feb 14 '14 at 13:27
  • @zyboxenterprises I'm pretty sure that any hack that is being maintained will be back up and working within at most a few weeks and if someone takes this as a challenge, within days. Sure, it would break no longer developed hacks and temporarily active ones but not for long. And if you do it again they will be more experienced and faster at working around it every time. I'm not sure it's worth it. – user2802841 Feb 14 '14 at 13:49
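Added example (my own Python 3 code, not from the question, the answer, or the CryEngine 2 SDK) for the check the answer recommends before installing your own hook: is VirtualProtect already hooked by something else? The Windows-only part resolves `module!function` in the current process with ctypes and reads the first bytes of its entry point; the pure-Python part classifies those bytes against a handful of common inline-hook prologue shapes (my own list, not exhaustive) and, where the pristine bytes are available, does a plain comparison instead. The module names, the 16-byte window, and the sample byte strings in the test are assumptions I chose for illustration.

```python
"""Check a function's entry bytes for an inline hook (added example; not code
from the question, the answer, or the CryEngine 2 SDK)."""
import ctypes
import struct
import sys

# Prologue shapes typical of an inline (detour) hook. The list is my own and
# is not exhaustive:
#   E9 rel32              jmp rel32
#   EB rel8               jmp short rel8
#   FF 25 disp32          jmp [disp32]   (absolute on x86, rip-relative on x64)
#   68 imm32 C3           push imm32 ; ret
#   48 B8 imm64 FF E0     mov rax, imm64 ; jmp rax


def classify_prologue(code: bytes):
    """Return a label for a hook-like prologue, or None if nothing matches."""
    if len(code) >= 5 and code[0] == 0xE9:
        return "jmp rel32"
    if len(code) >= 2 and code[0] == 0xEB:
        return "jmp short"
    if len(code) >= 6 and code[0] == 0xFF and code[1] == 0x25:
        return "jmp [mem]"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:
        return "push/ret"
    if len(code) >= 12 and code[:2] == b"\x48\xB8" and code[10:12] == b"\xFF\xE0":
        return "mov rax,imm64; jmp rax"
    return None


def jmp_rel32_target(func_addr: int, code: bytes) -> int:
    """Absolute destination of an E9 jmp located at func_addr."""
    rel = struct.unpack_from("<i", code, 1)[0]  # signed 32-bit displacement
    return func_addr + 5 + rel


def check_hook(func_addr: int, code: bytes, expected: bytes = None):
    """Decide whether the entry bytes look hooked; returns (hooked, reason).

    If the pristine bytes are known (e.g. read from the same DLL on disk),
    a byte-for-byte comparison is decisive; otherwise fall back to the
    prologue heuristics above.
    """
    if expected is not None:
        n = min(len(code), len(expected))
        if code[:n] != expected[:n]:
            return True, "entry bytes differ from reference copy"
        return False, "entry bytes match reference copy"
    kind = classify_prologue(code)
    if kind == "jmp rel32":
        return True, f"{kind} -> {jmp_rel32_target(func_addr, code):#x}"
    if kind is not None:
        return True, kind
    return False, "no known hook prologue"


def read_entry_bytes(module: str, func: str, n: int = 16):
    """Windows only: resolve module!func in this process and read its first n bytes."""
    if sys.platform != "win32":
        raise OSError("read_entry_bytes needs a Windows process")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetModuleHandleW.argtypes = [ctypes.c_wchar_p]
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = [ctypes.c_void_p, ctypes.c_char_p]
    handle = k32.GetModuleHandleW(module)
    if not handle:
        raise OSError(f"{module} is not loaded (error {ctypes.get_last_error()})")
    addr = k32.GetProcAddress(handle, func.encode("ascii"))
    if not addr:
        raise OSError(f"{module}!{func} not found (error {ctypes.get_last_error()})")
    return addr, ctypes.string_at(addr, n)


if __name__ == "__main__":
    # kernel32!VirtualProtect is commonly a small forwarding stub (FF 25 ...)
    # into kernelbase.dll, which the heuristic reports as "jmp [mem]"; that is
    # expected, not a hook. Treat kernelbase's copy as the one that matters.
    for module in ("kernelbase.dll", "kernel32.dll"):
        try:
            addr, code = read_entry_bytes(module, "VirtualProtect")
        except OSError as err:
            print(f"{module}: {err}")
            continue
        hooked, why = check_hook(addr, code)
        print(f"{module}!VirtualProtect @ {addr:#x}: {code.hex()} "
              f"-> {'suspicious' if hooked else 'clean'} ({why})")
```

The prologue heuristic alone has an obvious false positive: kernel32's own export stubs are jumps, so a "starts with a jump" rule must be applied to the function where it actually lives, or replaced by the `expected=` comparison against bytes taken from the DLL file on disk. Either way, run the check before you install your own hook, since afterwards the entry point will legitimately look hooked.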