
Question? [VB]

Started by Sevatox, April 02, 2003, 03:02 AM


Sevatox

Hrmm, this is gonna be hard to explain clearly what I have in my head so you can understand and possibly help, but here goes.

In my loading screen I have multiple tasks and such; what I want to do is add something that checks to see if the .exe has been modified in any way, shape or form.

Ex.
Checking for program modifications.....
[if none]
No mods found.
[if there is]
Modifications found. Shutting down.

Basically, if there are some found the program won't load.

I'm asking for ways/ideas that this could be done and possibly some steps on how to go about doing it.
All comments/suggestions welcome
Thanks in Advance.

Grok

Convert the project to VB.NET and sign it digitally.  Have it check its own signature for authorization to run.

Skywing

By the way, putting up a message when it first detects an unauthorized modification makes it extremely easy to find and disable the protection scheme...

iago

Quote from: Skywing on April 02, 2003, 07:39 AM
By the way, putting up a message when it first detects an unauthorized modification makes it extremely easy to find and disable the protection scheme...

I was going to say that.  You should either just die or, even better, make a modification to your own code somewhere else (ie, self re-writing code) that will cause it to crash.  Don't forget to take out their system and eat their children, too ;-)
This'll make an interesting test for broken AV:
QuoteX5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*


Zakath

Or better yet, kill the window but don't terminate the app, and start eating up masses of memory by causing an endless string of memory leaks.
Quote from: iago on February 02, 2005, 03:07 PM
Yes, you can't have everybody...contributing to the main source repository.  That would be stupid and create chaos.

Opensource projects...would be dumb.

Arta

One method, but I have no idea if this is possible in VB:

Create a checksum of your file using whatever method you desire, but when calculating the checksum, miss out a portion of the file equivalent to the length of your completed checksum. For example, if you use a 32-bit number to store your final checksum, ignore the last 32 bits of the file when calculating it. You could ignore any part you wish, I'm just using the last bit as an example.

Then, using a hex editor or a special program you could write, save the checksum value to the portion of the file you skipped when calculating your checksum. When you run, look at the checksum you saved and make sure it's correct. If it's not, quit. You should run this check at several points in your program so that if the first one is found, another will take its place. You can expand on this and make it do other things if the checksum fails.

This is easily accomplished in real programming languages, not sure if it's workable in VB ;)

Sevatox

Quote from: Skywing on April 02, 2003, 07:39 AM
By the way, putting up a message when it first detects an unauthorized modification makes it extremely easy to find and disable the protection scheme...

I do realize that it would be easy to disable that portion, but I just wanted to know if it's possible.
Thx Grok & Arta for actually making REAL comments on how it could be done.

Banana fanna fo fanna

First, what a bad topic title.

Arta's idea is easy to implement and pretty solid. You could also look into encryption and use self-modifying code.

iago

Quote from: Sevatox on April 02, 2003, 01:14 PM
Quote from: Skywing on April 02, 2003, 07:39 AM
By the way, putting up a message when it first detects an unauthorized modification makes it extremely easy to find and disable the protection scheme...

I do realize that it would be easy to disable that portion, but I just wanted to know if it's possible.
Thx Grok & Arta for actually making REAL comments on how it could be done.

Me and Skywing's comments were about how to implement it, which is half the battle :P

I like Arta's idea, but you have to make sure that the last 4 bytes aren't important for some reason.  If they are, it's probably a bad idea to overwrite them.  

Also, make sure you check this in many parts of your program in different ways to make sure people can't do a find/replace to remove all the references (ie, they don't all call the exact same function in the same way).  


WolfSage

Or you could have it close the window, run in the background, and fill up their hd  ;D

Adron

Quote from: iago on April 02, 2003, 06:13 PM
Also, make sure you check this in many parts of your program in different ways to make sure people can't do a find/replace to remove all the references (ie, they don't all call the exact same function in the same way).  

Btw, with the solution of writing the checksum to the last 4 bytes, you better make real sure that you don't do if(calculatechecksum() != readlast4bytes()) evil(); because then an attacker will just writelast4bytes(calculatechecksum());
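
Arta's trailer-checksum scheme and Adron's caveat about it, as an added example that is not code from any poster in this thread: the check covers every byte except a 4-byte trailer that stores the result. It assumes CRC-32 as the checksum and a constructed in-memory buffer standing in for the file's bytes; `stamp_image`, `verify_image` and `demo` are hypothetical names.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define TRAILER 4  /* size of the stored checksum, excluded from the sum */

/* Bitwise CRC-32 (IEEE, reflected polynomial 0xEDB88320). */
static uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Build step: sum everything except the trailer, store it little-endian there. */
int stamp_image(uint8_t *img, size_t len) {
    if (len <= TRAILER) return -1;
    uint32_t c = crc32_buf(img, len - TRAILER);
    for (int i = 0; i < TRAILER; i++)
        img[len - TRAILER + i] = (uint8_t)(c >> (8 * i));
    return 0;
}

/* Run-time check: 1 = trailer matches, 0 = mismatch, -1 = image too short. */
int verify_image(const uint8_t *img, size_t len) {
    if (len <= TRAILER) return -1;
    uint32_t stored = 0;
    for (int i = 0; i < TRAILER; i++)
        stored |= (uint32_t)img[len - TRAILER + i] << (8 * i);
    return stored == crc32_buf(img, len - TRAILER);
}

/* Constructed demo: packs the three verify results into a bitmask. */
int demo(void) {
    uint8_t img[64];
    memset(img, 0x90, sizeof img);                 /* constructed stand-in bytes */
    stamp_image(img, sizeof img);
    int clean = verify_image(img, sizeof img);     /* matches */
    img[10] ^= 0xFF;                               /* simulate a modification */
    int modified = verify_image(img, sizeof img);  /* mismatch */
    stamp_image(img, sizeof img);                  /* unkeyed sum: anyone can redo it */
    int restamped = verify_image(img, sizeof img); /* matches again, change hidden */
    return clean | (modified << 1) | (restamped << 2);
}
```

The third result is Adron's point: an unkeyed checksum catches accidental or careless changes only. A digital signature, as Grok suggested, differs in that the program needs only the public key to verify, so recomputing a valid value requires a private key that is not in the file.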

Arta

Indeed, I was going to clarify that: you should store the checksum in several places as well as checking it in several places. This is what led me to believe that it might be hard to implement in VB, because of the lack of inline asm. In Delphi or C++ you could output a checksum into the file wherever you wanted to by doing it within a chunk of assembly.

iago

Should calculate it in different ways and store it in different places.


Banana fanna fo fanna

Or you could port it to Palladium.

There is really no way to stop the problem, only make it harder for people to crack.