Cerbere Anti-Cheat : Source Code

Discussion dans 'Web, design' créé par neku, 26 Décembre 2006.

Statut de la discussion:
Fermée.
  1. Offline
    neku Codeur roumain
    Bon voila, vu que j'ai trop de mal à continuer ce projet, j'ai décidé de mettre les codes source de ce que j'ai déjà fait afin d'avoir de l'aide ou inspirer d'autres personnes.

    SecureApi.c

    Code:
    [size=2]#include "SecureApi.h"
    #pragma warning( disable :4311 )
    #pragma warning( disable :4312 )
    //Kernel32.dll
    FARPROC pOrig_GetModuleHandleA;
    FARPROC pOrig_GetProcAddress;
    FARPROC pOrig_OpenProcess;
    FARPROC pOrig_Sleep;
    FARPROC pOrig_CreateThread;
    FARPROC pOrig_GetCurrentProcessId;
    //User32.dll
    FARPROC pOrig_MessageBoxA;
    FARPROC pOrig_FindWindowA;
    FARPROC pOrig_GetWindowThreadProcessId;
    //Psapi.dll
    FARPROC pOrig_GetModuleInformation;
    //Vars
    DWORD dwReturnValue;
    CSecure SecureApi;
    //Functions
    FARPROC ExportGet(const HMODULE Image, const char* Function);
    void CSecure::s_Initialize (void) {
    //Chargement du kernel32.dll
    HINSTANCE hTemp = ::LoadLibrary("Kernel32.dll");
    HINSTANCE hTemp2 = ::LoadLibrary("Psapi.dll");
    pOrig_GetModuleHandleA = ::GetProcAddress(hTemp,"GetModuleHandleA");
    pOrig_GetModuleInformation = ::GetProcAddress(hTemp2,"GetModuleInformation");
     
    HINSTANCE hUser32 = SecureApi.s_GetModuleHandle("USER32.dll");
    HINSTANCE hKernel32 = SecureApi.s_GetModuleHandle("KERNEL32.dll");
     
    //User32.dll
    pOrig_MessageBoxA =	 ExportGet(hUser32,"MessageBoxA");
    pOrig_FindWindowA =	 ExportGet(hUser32,"FindWindowA");
    pOrig_GetWindowThreadProcessId = ExportGet(hUser32,"GetWindowThreadProcessId");
     
    //Kernel32.dll
    pOrig_Sleep =	 ExportGet(hKernel32,"Sleep");
    pOrig_CreateThread =	ExportGet(hKernel32,"CreateThread");
    pOrig_OpenProcess =	 ExportGet(hKernel32,"OpenProcess"); 
    pOrig_GetProcAddress =	ExportGet(hKernel32,"GetProcAddress");
    pOrig_GetCurrentProcessId = ExportGet(hKernel32,"GetCurrentProcessId");
    }
    DWORD CSecure::s_GetCurrentProcessId () {
    __asm {
    call dword ptr [pOrig_GetCurrentProcessId]
    mov dwReturnValue, eax
    }
    return (DWORD)dwReturnValue;
    }
    FARPROC CSecure::s_GetProcAddress (HMODULE hModule, LPCSTR lpProcName) {
    _asm {
    push lpProcName
    push hModule
    call dword ptr [pOrig_GetProcAddress]
    mov dwReturnValue, eax
    }
    return (FARPROC)dwReturnValue;
    }
    BOOL CSecure::s_GetModuleInformation (HANDLE hProcess, HMODULE hModule, LPMODULEINFO lpmodinfo, DWORD cb) {
    _asm {
    push cb
    push lpmodinfo
    push hModule
    push hProcess
    call dword ptr [pOrig_GetModuleInformation]
    mov dwReturnValue, eax
    }
    return (BOOL)dwReturnValue;
    }
    HANDLE CSecure::s_OpenProcess (DWORD dwDesireAccess, BOOL bInheritHandle, DWORD dwProcessId) {
    _asm {
    push dwProcessId
    push bInheritHandle
    push dwDesireAccess
    call dword ptr [pOrig_OpenProcess]
    mov dwReturnValue, eax
    }
    return (HANDLE)dwReturnValue;
    }
    VOID CSecure::s_Sleep (DWORD dwMilliseconds) {
    _asm {
    push dwMilliseconds
    call dword ptr [pOrig_Sleep]
    }
    }
    DWORD CSecure::s_GetWindowThreadProcessId (HWND hWnd, LPDWORD lpdwProcessId) {
    _asm {
    push lpdwProcessId
    push hWnd
    call dword ptr [pOrig_GetWindowThreadProcessId]
    mov dwReturnValue, eax
    }
    return dwReturnValue;
    }
    HMODULE CSecure::s_GetModuleHandle (LPCSTR lpModuleName) {
    _asm {
    push lpModuleName
    call dword ptr [pOrig_GetModuleHandleA]
    mov dwReturnValue, eax
    }
    return (HMODULE)dwReturnValue;
    }
    int CSecure::s_MessageBox (HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType) {
    _asm {
    push uType
    push lpCaption
    push lpText
    push hWnd
    call dword ptr [pOrig_MessageBoxA]
    mov dwReturnValue, eax
    }
    return (int)dwReturnValue;
    }
    HWND CSecure::s_FindWindow (LPCSTR lpClassName, LPCSTR lpWindowName) {
    _asm {
    push lpWindowName
    push lpClassName
    call dword ptr [pOrig_FindWindowA]
    mov dwReturnValue, eax;
    }
    return (HWND)dwReturnValue;
    }
    HANDLE CSecure::s_CreateThread (LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId) {
    _asm {
    push lpThreadId;
    push dwCreationFlags
    push lpParameter
    push lpStartAddress
    push dwStackSize
    push lpThreadAttributes
    call dword ptr [pOrig_CreateThread]
    mov dwReturnValue, eax
    }
    return (HANDLE)dwReturnValue;
    }
     
    FARPROC ExportGet(const HMODULE Image, const char* Function) {
     
    IMAGE_DOS_HEADER* DosHeader;
    IMAGE_NT_HEADERS* PeHeader;
    IMAGE_EXPORT_DIRECTORY* ExportDirectory;
    FARPROC* ExportAddressTable;
    char** ExportNameTable;
    WORD* ExportOrdinalTable;
    char* Name;
    int i, max;
    if (!Image)
    return NULL;
    DosHeader = (IMAGE_DOS_HEADER*)Image;
    if (DosHeader->e_magic != IMAGE_DOS_SIGNATURE)
    return NULL;
    if (!DosHeader->e_lfanew)
    return NULL;
    PeHeader = (IMAGE_NT_HEADERS*)((DWORD)Image + DosHeader->e_lfanew);
    if (PeHeader->Signature != IMAGE_NT_SIGNATURE)
    return NULL;
    if (PeHeader->FileHeader.Machine != IMAGE_FILE_MACHINE_I386)
    return NULL;
    ExportDirectory = (IMAGE_EXPORT_DIRECTORY*)((DWORD)Image + PeHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
    ExportAddressTable = (FARPROC*)((DWORD)Image + ExportDirectory->AddressOfFunctions);
    ExportNameTable = (char**)((DWORD)Image + ExportDirectory->AddressOfNames);
    ExportOrdinalTable = (WORD*)((DWORD)Image + ExportDirectory->AddressOfNameOrdinals);
    max = ExportDirectory->NumberOfNames;
    for (i = 0; i < max; i++) {
    Name = (char*)((DWORD)Image + ExportNameTable[i]);
    if (!strcmp(Name,Function)) {
    return (FARPROC)((DWORD)Image + (DWORD)ExportAddressTable[ExportOrdinalTable[i]]);
    }
    }
    return NULL;
    }[/size]
    
    SecureApi.h

    Code:
    #ifndef _H_SecureApi_
    #define _H_SecureApi_
    #include <windows.h>
    #include <Psapi.h>
    class CSecure {
    public:
    //API's
    HMODULE s_GetModuleHandle (LPCSTR lpModuleName);
    FARPROC s_GetProcAddress (HMODULE hModule, LPCSTR lpProcName);
    HWND s_FindWindow (LPCSTR lpClassName, LPCSTR lpWindowName);
    DWORD s_GetWindowThreadProcessId (HWND hWnd, LPDWORD lpdwProcessId);
    HANDLE s_OpenProcess (DWORD dwDesireAccess, BOOL bInheritHandle, DWORD dwProcessId);
    BOOL s_GetModuleInformation (HANDLE hProcess, HMODULE hModule, LPMODULEINFO lpmodinfo, DWORD cb);
    int s_MessageBox (HWND hWnd, LPCSTR lpText, LPCSTR lpCaption, UINT uType);
    HANDLE s_CreateThread (LPSECURITY_ATTRIBUTES lpThreadAttributes, SIZE_T dwStackSize, LPTHREAD_START_ROUTINE lpStartAddress, LPVOID lpParameter, DWORD dwCreationFlags, LPDWORD lpThreadId);
    VOID s_Sleep (DWORD dwMilliseconds);
    DWORD s_GetCurrentProcessId ();
    //Class functions
    void s_Initialize (void);
    };
    extern CSecure SecureApi;
    #endif
    
    PeInfos.c

    Code:
    #include "PeInfos.h"
    #include "SecureApi.h"
    #include <windows.h>
    #pragma warning( disable :4311 )
    PE_INFOS PeInfos;
    bool PEInitialize(void) {
    //Recup l'Handle de Cs
    //HWND HL = SecureApi.s_FindWindow("Valve001", NULL);
    MODULEINFO lpmodinfo;
    DWORD ProcessID;
    ProcessID = SecureApi.s_GetCurrentProcessId();
    //SecureApi.s_GetWindowThreadProcessId(HL, &ProcessID);
    HANDLE hWnd = SecureApi.s_OpenProcess(PROCESS_ALL_ACCESS, false, ProcessID);
    //Anti-Cheat Module Informations
    SecureApi.s_GetModuleInformation(hWnd, SecureApi.s_GetModuleHandle("AC.dll"), &lpmodinfo, sizeof(lpmodinfo));
    PeInfos.dwACStartAddress = (DWORD)lpmodinfo.lpBaseOfDll;
    PeInfos.dwACSize = lpmodinfo.SizeOfImage;
    PeInfos.dwACEndAddress = PeInfos.dwACStartAddress + PeInfos.dwACSize;
    //OpenGL32.dll Informations
    SecureApi.s_GetModuleInformation(hWnd, SecureApi.s_GetModuleHandle("opengl32.dll"), &lpmodinfo, sizeof(lpmodinfo));
    PeInfos.dwOGLStartAddress = (DWORD)lpmodinfo.lpBaseOfDll;
    PeInfos.dwOGLSize = lpmodinfo.SizeOfImage;
    PeInfos.dwOGLEndAddress = PeInfos.dwOGLStartAddress + PeInfos.dwOGLSize;
    PeInfos.dwHWStartAddress = 0x01D00000;
    PeInfos.dwHWSize = 0x0000FFFF;
    PeInfos.dwHWEndAddress = PeInfos.dwACStartAddress + PeInfos.dwHWSize;
    return true;
    }
    
    PeInfos.h

    Code:
    #ifndef _H_PeInfos_
    #define _H_PeInfos_
    #include <windows.h>
    typedef struct {
    DWORD dwACStartAddress;
    DWORD dwACEndAddress;
    DWORD dwACSize;
    DWORD dwOGLStartAddress;
    DWORD dwOGLEndAddress;
    DWORD dwOGLSize;
    DWORD dwHWStartAddress;
    DWORD dwHWEndAddress;
    DWORD dwHWSize;
    DWORD dwHLStartAddress;
    } PE_INFOS;
    bool PEInitialize (void);
    extern PE_INFOS PeInfos;
    #endif
    
    DetoursDetection.c

    Code:
    #include "DetoursDetection.h"
    #include "SecureApi.h"
    bool CheckForDetour( DWORD dwAddress )
    {
    PBYTE pbLocation = (PBYTE)dwAddress;
    //Simple detour.
    //Call, Jmp, Jmp Short
    if( pbLocation[0] == 0xE8 || pbLocation[0] == 0xE9 || pbLocation[0] == 0xEB )
    {
    //Detours Detected !
    return true;
    }
    //'Non-visible' detour.
    //Push Eax, Push Edx -> retn, retn X
    if( pbLocation[0] == 0x50 || pbLocation[0] == 0x52 )
    {
    if( pbLocation[1] == 0xC3 || pbLocation[1] == 0xC2 )
    {
    //Detours Detected !
    return true;
    }
    }
    //Push Address detour.
    //Push 00000000h -> retn, retn X
    if( pbLocation[0] == 0x68 )
    {
    if( pbLocation[5] == 0xC3 || pbLocation[5] == 0xC2 )
    {
    //Detours Detected !
    return true;
    }
    }
    //Nop action detour.
    //Nop -> Jmp, Call ou autres actions ...
    if( pbLocation[0] == 0x90 )
    {
    //Detours Detected !
    return true;
    }
    return false;
    }
    
    OpenGL.c

    Code:
    #include "OpenGL.h"
    #include "SecureApi.h"
    #include "DetoursDetection.h"
    #include "EngineHook.h"
    #include <windows.h>
    #pragma warning( disable :4311 )
    PE_OPENGL PeOGL;
    bool OpenGLInitialize (void) {
    PeOGL.dwAddr_glBegin = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glBegin");
    PeOGL.dwAddr_glBlendFunc = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glBlendFunc");
    PeOGL.dwAddr_glClear = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glClear");
    PeOGL.dwAddr_glClearColor = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glClearColor");
    PeOGL.dwAddr_glColor3f = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glColor3f");
    PeOGL.dwAddr_glEnable = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glEnable");
    PeOGL.dwAddr_glEnd = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glEnd");
    PeOGL.dwAddr_glFrustum = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glFrustum");
    PeOGL.dwAddr_glPopMatrix = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glPopMatrix");
    PeOGL.dwAddr_glPushMatrix = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glPushMatrix");
    PeOGL.dwAddr_glTranslatef = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glTranslatef");
    PeOGL.dwAddr_glVertex2f = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glVertex2f");
    PeOGL.dwAddr_glVertex3f = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glVertex3f");
    PeOGL.dwAddr_glVertex3fv = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glVertex3fv");
    PeOGL.dwAddr_glViewport = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"glViewport");
    PeOGL.dwAddr_wglSwapBuffers = (DWORD)SecureApi.s_GetProcAddress(SecureApi.s_GetModuleHandle("opengl32.dll"),"wglSwapBuffers");
    return true;
    }
    bool OpenGLCheck (void) {
    bool Detected = false;
    Detected |= CheckForDetour(PeOGL.dwAddr_glBegin);
    Detected |= CheckForDetour(PeOGL.dwAddr_glBlendFunc);
    Detected |= CheckForDetour(PeOGL.dwAddr_glClear);
    Detected |= CheckForDetour(PeOGL.dwAddr_glClearColor);
    Detected |= CheckForDetour(PeOGL.dwAddr_glColor3f);
    Detected |= CheckForDetour(PeOGL.dwAddr_glEnable);
    Detected |= CheckForDetour(PeOGL.dwAddr_glEnd);
    Detected |= CheckForDetour(PeOGL.dwAddr_glFrustum);
    Detected |= CheckForDetour(PeOGL.dwAddr_glPopMatrix);
    Detected |= CheckForDetour(PeOGL.dwAddr_glPushMatrix);
    Detected |= CheckForDetour(PeOGL.dwAddr_glTranslatef);
    Detected |= CheckForDetour(PeOGL.dwAddr_glVertex2f);
    Detected |= CheckForDetour(PeOGL.dwAddr_glVertex3f);
    Detected |= CheckForDetour(PeOGL.dwAddr_glVertex3fv);
    Detected |= CheckForDetour(PeOGL.dwAddr_glViewport);
    Detected |= CheckForDetour(PeOGL.dwAddr_wglSwapBuffers);
    return Detected;
    }
    
    OpenGL.h

    Code:
    #ifndef _H_OpenGL_
    #define _H_OpenGL_
    #include <windows.h>
    typedef struct {
    DWORD dwAddr_glBegin;
    DWORD dwAddr_glEnd;
    DWORD dwAddr_glBlendFunc;
    DWORD dwAddr_glClear;
    DWORD dwAddr_glClearColor;
    DWORD dwAddr_glColor3f;
    DWORD dwAddr_glPopMatrix;
    DWORD dwAddr_glPushMatrix;
    DWORD dwAddr_glVertex3fv;
    DWORD dwAddr_glVertex3f;
    DWORD dwAddr_glVertex2f;
    DWORD dwAddr_wglSwapBuffers;
    DWORD dwAddr_glEnable;
    DWORD dwAddr_glTranslatef;
    DWORD dwAddr_glViewport;
    DWORD dwAddr_glFrustum;
    } PE_OPENGL;
     
    bool OpenGLInitialize (void);
    bool OpenGLCheck (void);
    extern PE_OPENGL PeOGL;
    #endif
    
    AC.c
    Code:
    #include <windows.h>
    #include "detours.h"
    #pragma comment (lib,"Psapi.lib")
    #include "SecureApi.h"
    #include "PeInfos.h"
    #include "OpenGL.h"
    #include "DetoursDetection.h"
    //#include "EngineHookDetection.h"
    #include "EngineHook.h"
     
    DWORD Init (LPVOID lpArgs) {
     
    PEInitialize();
    //SecureApi.s_Sleep(4000); //Laisser le temps au moteur de se charger ;)
    if (OpenGLInitialize()){
    if (OpenGLCheck()) {
    	SecureApi.s_MessageBox(0,"OpenGL Detours Detected","Warning",MB_OK);
    }
    }
    if (ActiveEngine()) {
    pEngfuncs->pfnClientCmd("toggleconsole");
    pEngfuncs->Con_Printf("Cerbere 0.1 Beta as been loaded\n");
    pEngfuncs->Con_Printf("Develloper Team:\n");
    pEngfuncs->Con_Printf("\tLeandre 'Neku' Gohy : [url="http://www.nekuz0r.net/n"]www.nekuz0r.net\n[/url]");
    pEngfuncs->Con_Printf("Sponsors & Partners:\n");
    pEngfuncs->Con_Printf("\tEasy Portail : [url="http://www.easyportail.be/n"]www.easyportail.be\n[/url]");
    pEngfuncs->Con_Printf("\tNox-Design : [url="http://www.nox-design.net/n"]www.nox-design.net\n[/url]");
    pEngfuncs->Con_Printf("\t#EBL - Electronic Belgian League - Belgium has futur too : [url="http://www.distinct-gaming.be/ebl//n"]www.distinct-gaming.be/ebl/\n[/url]");
    }
    return 0;
    }
    bool WINAPI DllMain( HANDLE hModule, 
    					 DWORD ul_reason_for_call, 
    					 LPVOID lpReserved
    	 )
    { 
    if(ul_reason_for_call == DLL_PROCESS_ATTACH) {
     
    SecureApi.s_Initialize();
    //SecureApi.s_CreateThread(NULL, 0, (LPTHREAD_START_ROUTINE) Init, NULL, 0, new DWORD);
    Init(0);
    }
    else if (ul_reason_for_call == DLL_PROCESS_DETACH) {
    }
    	return true;
    }
     
    
    Si quelqu'un a une idée car pour le moment sa ne couvre pas tout les hook OpenGL possible.
    neku, 26 Décembre 2006
    #1
  2. Offline
    Loetheri Absent
    Pas que cela m'intéresse ... Mais du code sans commentaires, c'est comme un bébé sans mère : il a beaucoup de chances de mourir.

    Enfin, bonne chance à ceux qui tenteront de reprendre (et ce n'est pas étonnant que tu n'arrives pas au bout de tout :D)
    Loetheri, 26 Décembre 2006
    #2
  3. Offline
    Ahava Revenant
    La pire des sécurités d'un programme n'est pas de divulguer son code source ?

    (pas de débat open-source hein, jparles de programmes du genre anti-cheat, qui peuvent être "sensibles")
    Ahava, 26 Décembre 2006
    #3
  4. Offline
    Froggy fake geek
    bah de toute façon vu le nombre de manière de tracer les softs qui existe ... c'est pas vraiment qque chose qui ralenti les hackers ;)

    sinon c'est sur que du code sans coms ... ça pux. :dead:
    Froggy, 26 Décembre 2006
    #4
  5. Online
    grosnours ex membre
    Si les sources sont publiées, il y a des chances que d'autres gars s'y connaissant corrigent des bugs, ajoutent des fonctionnalités, etc.
    grosnours, 28 Décembre 2006
    #5
Statut de la discussion:
Fermée.