
There is an application that checks for activation using the DLL function Check. Check returns 1 if the application is activated and 0 otherwise. I created a simple application and a DLL containing a function MyCheck (which always returns 1) with the same signature, and detoured the Check function with my version using the MS Detours lib for function hooking. Obviously it works and the application is successfully cracked, so I need to avoid it.

  1. I tried to call the Check function directly (by specifying the exact address), without even using GetProcAddress, but it looks like the Detours lib is modifying the function body itself, not the export table.

    using System;
    using System.Diagnostics;
    using System.Linq;
    using System.Runtime.InteropServices;

    class Program
    {
        [UnmanagedFunctionPointer(CallingConvention.StdCall)]
        private delegate bool CheckFunctionDelegate();

        static void Main(string[] args)
        {
            // Find the licensing DLL among the modules loaded into this process
            ProcessModule module = Process.GetCurrentProcess().Modules
                .Cast<ProcessModule>()
                .First(m => m.ModuleName == "licensing_check.dll");

            // Address of Check: module base plus a hard-coded offset
            IntPtr procedurePtr = IntPtr.Add(module.BaseAddress, 0x00003FF0);

            // Calling validation function by pointer
            CheckFunctionDelegate checkFunction = (CheckFunctionDelegate)
                Marshal.GetDelegateForFunctionPointer(procedurePtr, typeof(CheckFunctionDelegate));

            if (checkFunction())
            {
                // do some stuff
            }
        }
    }

  2. Then I tried to read the function body, and I see that after the detour the MD5 checksum differs from the original one. So I'm trying to read the entire contents of the DLL in memory and check it to confirm that the DLL contents are not changed, but it doesn't work either. It throws AccessViolationException.

    Process.EnterDebugMode();

    ProcessModule module = Process.GetCurrentProcess().MainModule;
    byte[] data = new byte[module.ModuleMemorySize];
    Marshal.Copy(module.BaseAddress, data, 0, module.ModuleMemorySize);

I used MainModule here, but it gives the same error for each module in the Process.GetCurrentProcess().Modules collection.

I would appreciate any help on this. I'm not necessarily expecting to solve it in one of the ways I describe; any good solution is acceptable.

Thanks.

axe
  • FYI preventing an entirely stand alone client application from being cracked is *impossible*, not just difficult. You can always make it harder to crack, but it's provably impossible to stop a determined attacker under all circumstances. The only true defense is to have a key aspect of the program that runs on a server you control and interacts with the client app through a web service or similar mechanism. – Servy Nov 07 '12 at 19:30
  • Sure, I don't want to make it impossible, I want to make it at least a bit harder, because cracking it took me 15 minutes, that doesn't look secure enough :) – axe Nov 07 '12 at 19:34
  • Write your own DLL loader, load the DLL yourself instead of having the OS do it and execute the check function that way. – jcopenha Nov 07 '12 at 19:36
  • Yes, I was trying to do this as well, but got stuck on calling DLL entry point. Do you know how to get DLL entry point address? I guess it should have always the same relative offset, right? – axe Nov 07 '12 at 19:37
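
An added example for point 2 of the question (not code from this thread): rather than copying the whole module, compare only a short window at the function's offset with the bytes the DLL file holds at the same RVA, located through the PE section table. `PrologueCheck`, `RvaToFileOffset` and `MatchesDisk` are hypothetical names, and the PE image and prologue bytes in `Main` are constructed so the block runs without the DLL.

```csharp
using System;
using System.IO;
using System.Linq;

static class PrologueCheck
{
    // Translate an RVA into a file offset by walking the PE section table.
    public static int RvaToFileOffset(byte[] pe, uint rva)
    {
        int nt = BitConverter.ToInt32(pe, 0x3C);                   // e_lfanew
        int count = BitConverter.ToUInt16(pe, nt + 6);             // NumberOfSections
        int table = nt + 24 + BitConverter.ToUInt16(pe, nt + 20);  // past the optional header
        for (int s = table; s < table + count * 40; s += 40)
        {
            uint va = BitConverter.ToUInt32(pe, s + 12);           // VirtualAddress
            uint rawSize = BitConverter.ToUInt32(pe, s + 16);      // SizeOfRawData
            uint rawPtr = BitConverter.ToUInt32(pe, s + 20);       // PointerToRawData
            if (rva >= va && rva < va + rawSize)
                return (int)(rva - va + rawPtr);
        }
        throw new InvalidDataException("RVA is not backed by file data");
    }

    // True when the window read from the loaded module equals the bytes
    // the file holds at the same RVA.
    public static bool MatchesDisk(byte[] onDisk, byte[] inMemory, uint rva)
    {
        int offset = RvaToFileOffset(onDisk, rva);
        return onDisk.Skip(offset).Take(inMemory.Length).SequenceEqual(inMemory);
    }

    static void Main()
    {
        // Constructed stand-in for the DLL file: one section, RVA 0x1000-0x4FFF at file offset 0x400.
        byte[] file = new byte[0x4400];
        BitConverter.GetBytes(0x80).CopyTo(file, 0x3C);            // e_lfanew
        BitConverter.GetBytes((ushort)1).CopyTo(file, 0x86);       // NumberOfSections
        BitConverter.GetBytes((ushort)0xE0).CopyTo(file, 0x94);    // SizeOfOptionalHeader
        BitConverter.GetBytes(0x1000).CopyTo(file, 0x178 + 12);    // VirtualAddress
        BitConverter.GetBytes(0x4000).CopyTo(file, 0x178 + 16);    // SizeOfRawData
        BitConverter.GetBytes(0x400).CopyTo(file, 0x178 + 20);     // PointerToRawData
        byte[] prologue = { 0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x08, 0x53, 0x56 }; // constructed bytes
        prologue.CopyTo(file, RvaToFileOffset(file, 0x3FF0));
        // Live process: Marshal.Copy(IntPtr.Add(module.BaseAddress, 0x3FF0), window, 0, window.Length)
        byte[] hooked = (byte[])prologue.Clone();
        hooked[0] = 0xE9;                                          // constructed: jmp opcode over byte 0
        Console.WriteLine("untouched window matches file: " + MatchesDisk(file, prologue, 0x3FF0));
        Console.WriteLine("patched window matches file:   " + MatchesDisk(file, hooked, 0x3FF0));
    }
}
```

Bytes covered by base relocations legitimately differ from the file when the DLL is not loaded at its preferred base, so keep the window short or skip relocated bytes. The file on disk can be altered as well, so this check only shows that memory and file agree.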

0 Answers