VMProtect Ultimate for Cheats

foxinug
Posts: 5
Joined: Sun Feb 10, 2019 4:07 am

VMProtect Ultimate for Cheats

Post by foxinug »

Hello!

I have a few questions before I make a purchase for VMProtect Ultimate. I am running a company for cheat software for online games. Long story short, there's been a cracking issue going on and it's raising the number of detection vectors for me to manage when facing anti-cheats. I'd like to maximize the protection for the product regardless of the performance decrease.

To preface, the cheats I create are composed of three parts: the loader, distributed to each user, which downloads a dll from the server, then manually maps it into the local executable directory and runs it; said dll, which downloads and manually maps the cheat dll from the server into the target game while erasing PE headers and thread hijacking the primary thread; and the cheat dll, which periodically checks with the server to verify a user's authenticity.

First, I'd like to know if there is anything important I should know about injection when protecting a product. I am willing to recreate my injection system entirely if you recommend something other than manual mapping, or really just any noteworthy changes I should make. I've seen some threads here before talking about virtualization tools causing issues and memory protection causing issues. Please, tell me anything you think I need to know before purchasing.

Second, I understand that there is already some debug detection. Is there any way for me to avoid the default message boxes that come up and handle the results myself? I understand that there are some SDK functions for it, but I'd like to disable the default handler.

Third, is there any debug prevention? Obviously, no detection is perfect, so are there measures in place to stop debugging from occurring? What about things like dumping? A large vulnerability for me is the ability to dump the dll from memory, so detection for that would be great. Even better would be prevention, even something basic like replacing the image base so novice dumpers could not dump the product.

Fourth, as I understand, there are refined techniques for reversing VMProtected software. Is there any way to mask that I have used VMP for my software other than renaming the default .VMP section?

Fifth, I am running Windows. My web server is not. Would I need to purchase two copies in order to compile on both my Windows machine and on the server? I have no problem with doing so, I'd just like some clarification beforehand. If that is the case, can I purchase one version for personal use and then one version for the company as commercial use, since only one will be used commercially, or do they both need to be commercial?

Sixth, is there a way to automatically ultra-protect all functions then selectively unprotect those that are unnecessary (i.e. ones that need execution speed and otherwise don't matter) WITHOUT protecting external lib functions?

Seventh, is it possible to check binary modifications myself? I'd like to log attempts where the binary has been modified to the server before just refusing to allow execution of the binary.

Finally, I currently am using a system where it compiles the binaries for each user on use based on their user identification. This way, when I get my hands on the cracked version of my product, I can see who leaked what. I saw that there is a watermark system, does this function in a similar way to what I have in place? I can only assume that my current method of signature scanning for the user id area will be too protected for me to find when analyzing the binary, so I wanted to make sure there is still something I can use to identify each user.

Thank you so much for taking the time to read all of this and respond. I sincerely appreciate it.
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg

Re: VMProtect Ultimate for Cheats

Post by Admin »

foxinug wrote:First, I'd like to know if there is anything important I should know about injection when protecting a product. I am willing to recreate my injection system entirely if you recommend something other than manual mapping, or really just any noteworthy changes I should make. I've seen some threads here before talking about virtualization tools causing issues and memory protection causing issues. Please, tell me anything you think I need to know before purchasing.
Please note that manually mapped DLLs don't support exception handling (when an exception occurs in your DLL, Windows will terminate the whole process). You can check it with very simple code:


try {
   throw 1;
}
catch(...)
{
  // do nothing
}
foxinug wrote:Second, I understand that there is already some debug detection. Is there any way for me to avoid the default message boxes that come up and handle the results myself? I understand that there are some SDK functions for it, but I'd like to disable the default handler.
You have to use VMProtectIsDebuggerPresent and disable the "Debugger detection" option. Anyway, VMProtectIsDebuggerPresent uses internal exceptions, so your manually mapped DLL will crash.
foxinug wrote:What about things like dumping? A large vulnerability for me is the ability to dump the dll from memory, so detection for that would be great. Even better would be prevention, even something basic like replacing the image base so novice dumpers could not dump the product.
Anything can be dumped from memory :)) It seems you need your own driver to create that protection.
foxinug wrote:Fourth, as I understand, there are refined techniques for reversing VMProtected software. Is there any way to mask that I have used VMP for my software other than renaming the default .VMP section?
Yes, renaming the .VMP section will be enough against automatic detection, but a cracker will find out what you used anyway.
foxinug wrote:Fifth, I am running Windows. My web server is not. Would I need to purchase two copies in order to compile on both my Windows machine and on the server? I have no problem with doing so, I'd just like some clarification beforehand. If that is the case, can I purchase one version for personal use and then one version for the company as commercial use, since only one will be used commercially, or do they both need to be commercial?
If you are going to use VMProtect in your company (protect software developed by your company, etc.) you have to purchase a Company License, otherwise a Personal License.
foxinug wrote:Sixth, is there a way to automatically ultra-protect all functions then selectively unprotect those that are unnecessary (i.e. ones that need execution speed and otherwise don't matter) WITHOUT protecting external lib functions?
You can add all functions from the MAP file into the VMP project.
foxinug wrote:Seventh, is it possible to check binary modifications myself? I'd like to log attempts where the binary has been modified to the server before just refusing to allow execution of the binary.
It seems VMProtectIsValidImageCRC will be enough.
foxinug wrote:Finally, I currently am using a system where it compiles the binaries for each user on use based on their user identification. This way, when I get my hands on the cracked version of my product, I can see who leaked what. I saw that there is a watermark system, does this function in a similar way to what I have in place? I can only assume that my current method of signature scanning for the user id area will be too protected for me to find when analyzing the binary, so I wanted to make sure there is still something I can use to identify each user.
Yes, watermarks can help you with your user identification.
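To act on the MAP-file answer above (protect every function from the linker map, but not the ones pulled in from external libraries), here is an added example that is neither VMProtect's nor the poster's code: a small C tool that reads an MSVC .map file and keeps only symbols flagged as functions whose object file belongs to the project itself. It assumes the MSVC map layout (`section:offset  name  rva  [f [i]]  object`) and that members taken from libraries are listed as `LIBNAME:member.obj`; the map excerpt embedded in it is constructed, not taken from a real build.

```c
/* Added example: filter an MSVC .map file down to the project's own
 * functions so that list (and not CRT/library code) goes into the project.
 * Assumption: MSVC map layout "section:offset name rva [f [i]] object",
 * library members written as "LIBNAME:member.obj". */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define MAX_NAME 256

/* Parse one line of the map. Returns 1 (and copies the symbol into name,
 * if name is non-NULL) when the line is a function from one of our own
 * object files; 0 for headers, data symbols, imports and library members. */
int own_function_from_line(const char *line, char *name, size_t name_len)
{
    char buf[1024];
    char *tok[16];
    int n = 0;

    strncpy(buf, line, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    for (char *t = strtok(buf, " \t\r\n"); t && n < 16; t = strtok(NULL, " \t\r\n"))
        tok[n++] = t;

    if (n < 4)                                   /* address name rva object */
        return 0;
    if (strlen(tok[0]) != 13 || tok[0][4] != ':') /* "0001:00000000" */
        return 0;

    const char *object = tok[n - 1];
    int is_function = 0;
    for (int i = 3; i < n - 1; i++)              /* flag column(s): "f", "f i" */
        if (strcmp(tok[i], "f") == 0)
            is_function = 1;
    if (!is_function)
        return 0;
    if (strchr(object, ':') != NULL)             /* "MSVCRT:printf.obj" etc. */
        return 0;

    if (name)
        snprintf(name, name_len, "%s", tok[1]);
    return 1;
}

/* Walk the whole map text; returns how many own functions were collected. */
int collect_own_functions(const char *map_text, char names[][MAX_NAME], int max_names)
{
    int found = 0;
    const char *p = map_text;
    while (*p && found < max_names) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[1024];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (own_function_from_line(line, names[found], MAX_NAME))
            found++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return found;
}

int count_own_functions(const char *map_text)
{
    char names[64][MAX_NAME];
    return collect_own_functions(map_text, names, 64);
}

/* Constructed sample map excerpt (not from a real build). */
const char *SAMPLE_MAP =
    " Address         Publics by Value              Rva+Base               Lib:Object\n"
    "\n"
    " 0001:00000000       main                       0000000140001000 f   main.obj\n"
    " 0001:00000040       ?Tick@Cheat@@QEAAXXZ       0000000140001040 f   cheat.obj\n"
    " 0001:00000080       ?Small@@YAHH@Z             0000000140001080 f i cheat.obj\n"
    " 0001:000000c0       printf                     00000001400010c0 f   MSVCRT:printf.obj\n"
    " 0002:00000000       ?g_state@@3HA              0000000140002000     cheat.obj\n"
    " 0003:00000010       __imp_Sleep                0000000140003010     kernel32:KERNEL32.dll\n";

int main(void)
{
    char names[64][MAX_NAME];
    int n = collect_own_functions(SAMPLE_MAP, names, 64);
    for (int i = 0; i < n; i++)
        printf("%s\n", names[i]);                /* main, ?Tick..., ?Small... */
    return 0;
}
```

The names it prints are the candidates to mark for protection in the project; anything you want left fast (the "unnecessary" ones in the question) is removed from that list by hand before importing, and library code never appears in it at all.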
Mattiwatti
Posts: 1
Joined: Sat Feb 23, 2019 1:41 am

Re: VMProtect Ultimate for Cheats

Post by Mattiwatti »

Just a note re: exception handling: on x64 it is possible to have limited support for exceptions due to the unwind data present in the PE. For this you can add an assembly stub to your injector that executes before DllMain and calls RtlAddFunctionTable, where FunctionTable is a pointer to the IMAGE_RUNTIME_FUNCTION_ENTRY of the PE, EntryCount is the total size of the table divided by sizeof(IMAGE_RUNTIME_FUNCTION_ENTRY), and ImageBase points to your DLL. You can free the memory used by the stub afterwards (assuming you fix up the stack so DllMain doesn't return to freed memory).

There are a few limitations:
- This works only for SEH exceptions, not C++ ones (at least with MSVC, this may be implementation dependent).
- This doesn't work on x86 due to the lack of unwind data.
- As noted, VMProtectIsDebuggerPresent will fail due to the use of probably many different types of exceptions.

What does work:
- SEH exceptions, including nested ones.
- (Vectored) exception handlers, as they are added at runtime by definition.

You shouldn't normally be using SEH in user mode, but some MS APIs are designed in a way that they are impossible to avoid. So this may be helpful to some.
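As an added example (not Mattiwatti's or VMProtect's code) of the RtlAddFunctionTable step described in the note above, the C below locates the exception directory of a manually mapped PE32+ image, derives EntryCount as the directory size divided by sizeof(IMAGE_RUNTIME_FUNCTION_ENTRY) (12 bytes on x64), and registers the table on Windows; elsewhere the registration is skipped so the locator can be exercised on its own. It assumes the image was mapped with sections at their virtual addresses (RVA equals offset from the base, as a manual mapper does), and the sample image it builds is constructed, not a real DLL.

```c
/* Added example: find .pdata in a manually mapped x64 image and hand it to
 * RtlAddFunctionTable before DllMain runs. Not VMProtect's code. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define RUNTIME_FUNCTION_SIZE 12u /* sizeof(IMAGE_RUNTIME_FUNCTION_ENTRY), x64 */

static uint16_t rd16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* Locate the exception directory of a mapped PE32+ image. Returns 0 and fills
 * *table_rva / *entry_count, or a negative code when the headers are not a
 * sane x64 image (an injector should refuse to continue in that case). */
int find_exception_table(const uint8_t *base, size_t size,
                         uint32_t *table_rva, uint32_t *entry_count)
{
    if (size < 0x40 || rd16(base) != 0x5A4D)          /* "MZ" */
        return -1;
    uint32_t nt = rd32(base + 0x3C);                  /* e_lfanew */
    if (nt > size || size - nt < 4 + 20 + 240)        /* room for NT headers */
        return -2;
    if (rd32(base + nt) != 0x00004550)                /* "PE\0\0" */
        return -3;
    const uint8_t *fh = base + nt + 4;                /* IMAGE_FILE_HEADER */
    if (rd16(fh) != 0x8664)                           /* IMAGE_FILE_MACHINE_AMD64 */
        return -4;
    if (rd16(fh + 16) < 240)                          /* SizeOfOptionalHeader */
        return -5;
    const uint8_t *oh = fh + 20;                      /* IMAGE_OPTIONAL_HEADER64 */
    if (rd16(oh) != 0x20B)                            /* PE32+ magic */
        return -6;
    if (rd32(oh + 108) <= 3)                          /* NumberOfRvaAndSizes */
        return -7;
    uint32_t rva = rd32(oh + 112 + 3 * 8);            /* DataDirectory[3]: EXCEPTION */
    uint32_t len = rd32(oh + 112 + 3 * 8 + 4);
    if (rva == 0 || len == 0 || len % RUNTIME_FUNCTION_SIZE != 0)
        return -8;
    if (rva > size || len > size - rva)               /* table must lie inside the image */
        return -9;
    *table_rva = rva;
    *entry_count = len / RUNTIME_FUNCTION_SIZE;
    return 0;
}

/* Register the table with the OS unwinder. Only SEH gains from this; MSVC
 * C++ EH is not covered, as the note above says. */
int register_unwind_info(uint8_t *base, size_t size)
{
    uint32_t rva = 0, count = 0;
    int rc = find_exception_table(base, size, &rva, &count);
    if (rc != 0)
        return rc;
#ifdef _WIN32
    return RtlAddFunctionTable((PRUNTIME_FUNCTION)(base + rva), count, (DWORD64)base) ? 0 : -100;
#else
    return -101;                                      /* not Windows: nothing to register */
#endif
}

/* Constructed minimal PE32+ image (not a real DLL): NT headers at 0x80 and
 * three RUNTIME_FUNCTION entries at RVA 0x400. Returns the image size. */
size_t build_sample_image(uint8_t *img, size_t cap)
{
    const uint32_t nt = 0x80, pdata = 0x400, n = 3;
    if (img == NULL || cap < 0x500)
        return 0;
    memset(img, 0, 0x500);
    wr16(img, 0x5A4D);
    wr32(img + 0x3C, nt);
    wr32(img + nt, 0x00004550);
    wr16(img + nt + 4, 0x8664);                       /* Machine */
    wr16(img + nt + 4 + 16, 240);                     /* SizeOfOptionalHeader */
    uint8_t *oh = img + nt + 24;
    wr16(oh, 0x20B);                                  /* Magic */
    wr32(oh + 108, 16);                               /* NumberOfRvaAndSizes */
    wr32(oh + 112 + 24, pdata);                       /* exception dir RVA */
    wr32(oh + 112 + 28, n * RUNTIME_FUNCTION_SIZE);   /* exception dir size */
    for (uint32_t i = 0; i < n; i++) {                /* Begin, End, UnwindInfo */
        wr32(img + pdata + i * 12, 0x1000 + i * 0x40);
        wr32(img + pdata + i * 12 + 4, 0x1040 + i * 0x40);
        wr32(img + pdata + i * 12 + 8, 0x2000 + i * 0x10);
    }
    return 0x500;
}

/* Run the locator over the sample image; returns the entry count, or the
 * negative error code. A non-zero machine overwrites the Machine field so the
 * rejection path (e.g. 0x14C, i386) can be exercised too. */
int sample_entry_count(uint16_t machine)
{
    uint8_t img[0x500];
    uint32_t rva = 0, count = 0;
    size_t n = build_sample_image(img, sizeof img);
    if (machine)
        wr16(img + 0x80 + 4, machine);
    int rc = find_exception_table(img, n, &rva, &count);
    return rc == 0 ? (int)count : rc;
}

int main(void)
{
    printf("x64 image: %d entries; i386 image: rc=%d\n",
           sample_entry_count(0), sample_entry_count(0x14C));
    return 0;
}
```

In a real injector the call to register_unwind_info goes in the stub that runs before DllMain, with base pointing at the mapped copy in the target process; the x86 case returns -4 here on purpose, since there is no unwind data to register there.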
foxinug
Posts: 5
Joined: Sun Feb 10, 2019 4:07 am

Re: VMProtect Ultimate for Cheats

Post by foxinug »

I've implemented exception support in my manual mapper, so I believe this is a non-issue now. Exceptions are now handled fine for all of the ones I could think of.

I will consider implementation of a driver. The biggest concern is loading the driver, and getting certification from MS is expensive and unlikely; I'm sure I'll come up with something. I suppose an alternative would be if VMProtect has history clearing and runtime encryption. Does it? As in, is executable code cleared after its final use? For runtime encryption, the execution code is encrypted, decrypted to execute, then re-encrypted? This would significantly hinder memory dumping. I already do validity checks for the process I am injecting into, so this would be great if you guys have this.

Is there anything else I can do to minimize the risk for detection of VMProtect? Or is it just an unavoidable thing that people will know it is protected by VMP? Is it an issue if they know?

Got it, one commercial license is enough, then.

Is there any way to do the VMProtectIsValidImageCRC checks myself and not do the checks automatically at launch? Like I said, I'd like to log if the image has been modified in any way. I don't really need to know what the modification is, so CRC will work fine.

Thank you so much for the detailed information. I look forward to business with you.
foxinug
Posts: 5
Joined: Sun Feb 10, 2019 4:07 am

Re: VMProtect Ultimate for Cheats

Post by foxinug »

Mattiwatti wrote:Just a note re: exception handling: on x64 it is possible to have limited support for exceptions due to the unwind data present in the PE. For this you can add an assembly stub to your injector that executes before DllMain and calls RtlAddFunctionTable, where FunctionTable is a pointer to the IMAGE_RUNTIME_FUNCTION_ENTRY of the PE, EntryCount is the total size of the table divided by sizeof(IMAGE_RUNTIME_FUNCTION_ENTRY), and ImageBase points to your DLL. You can free the memory used by the stub afterwards (assuming you fix up the stack so DllMain doesn't return to freed memory).

There are a few limitations:
- This works only for SEH exceptions, not C++ ones (at least with MSVC, this may be implementation dependent).
- This doesn't work on x86 due to the lack of unwind data.
- As noted, VMProtectIsDebuggerPresent will fail due to the use of probably many different types of exceptions.

What does work:
- SEH exceptions, including nested ones.
- (Vectored) exception handlers, as they are added at runtime by definition.

You shouldn't normally be using SEH in user mode, but some MS APIs are designed in a way that they are impossible to avoid. So this may be helpful to some.
Thank you for the detailed explanation, but don't worry about it. There are many more methods to implement exception support for manual map that support as many exceptions as I can think of.
Admin
Site Admin
Posts: 2566
Joined: Mon Aug 21, 2006 8:19 pm
Location: Russia, E-burg

Re: VMProtect Ultimate for Cheats

Post by Admin »

foxinug wrote:I've implemented exception support in my manual mapper, so I believe this is a non-issue now. Exceptions are now handled fine for all of the ones I could think of.
As I remember, some exception-handling functions in MSVC's runtime/Windows require SEC_IMAGE for the address of the exception handler. So I don't understand how you can fix it without hooking NtQueryVirtualMemory :))
foxinug wrote:I suppose an alternative would be if VMProtect has history clearing and runtime encryption. Does it? As in, is executable code cleared after its final use? For runtime encryption, the execution code is encrypted, decrypted to execute, then re-encrypted?
VMProtect doesn't change code at runtime.
foxinug wrote:Is there anything else I can do to minimize the risk for detection of VMProtect? Or is it just an unavoidable thing that people will know it is protected by VMP? Is it an issue if they know?
You can change the default section names (".vmp") in the options to something else, but in the common case it will be useless.
foxinug wrote:Is there any way to do the VMProtectIsValidImageCRC checks myself and not do the checks automatically at launch? Like I said, I'd like to log if the image has been modified in any way. I don't really need to know what the modification is, so CRC will work fine.
Yes, you can.