Offset knowledge in .net programs

N

neodammer

Centurion
Joined
Sep 10, 2003
Messages
197
Location
Atlanta GA
During my ploy for creating cheats for various games I came across methods used by many new programming teams that involve what would almost seem like they knew how to control where their variables would be controled at via offset changing etc.. Is this even possible? You could in theory have a bunch of variables doing the same thing in different locations to try and slow down or stop folks from cheating etc.. But I thought variables in a program had a specific place in the code, but then i realized that wouldnt make any sense. Is there a way to tell where in your compiled program variables will be stored? For instance before you compile? or would one have to open the compiled program and check the offsets etc then go back into the code and rearrange the various variables? Is this even possible with .net?
 
Variables are just memory locations. Those memory locations, in .NET, aren't stored in the EXE as offsets. A .NET EXE doesn't contain machine instructions like traditional executables. Instead, the code is compiled "just in time" (JIT'd) as needed.

.NET will still allocate variables in memory when the JIT'd code is turned into machine code. There are two places variables are stored: the heap and the stack. This is true for any language. I don't recall what determines whether a variable is on the heap or stack - not sure it would help you anyway :)

As for preventing hacks, why would you? Why not open it up and provide a simple interface for other programmers to modify things about a game?

The bottom line is that .NET should make it harder to determine memory locations that cheat programs use. On the other hand, you can easily "decompile" a .NET EXE using simple tools like Reflector. There are ways around that, too, but I'm not sure how far you want to take this.

-ner
 
Generally classes and boxed values go on the heap and local variables (value type or ref address) go on the stack.

Here's a few simple ways you could protect a value. For the first method you'd use a ProtectedValue<int> to rebox the value on every get/set. This means it will be moving around the heap. The second method using ProtectedInt splits your value apart using a random xor'ed key and stores them in random array positions on every get/set. The third method would be to combine the two by using ProtectedValue<ProtectedInt>.
C#: 
struct ProtectedValue<T> where T : struct
{
    object boxed;

    public T Value
    {
        get { T v = (T)boxed; boxed = v; return v; }
        set { boxed = value; }
    }

    public ProtectedValue(T initialValue) { boxed = initialValue; }

    public static implicit operator T(ProtectedValue<T> x) { return x.Value; }
    public static implicit operator ProtectedValue<T>(T x) { return new ProtectedValue<T>(x); }
}

struct ProtectedInt
{
    static readonly System.Random random = new System.Random();

    const int arraySize = 4;
    int keyIndex;
    int xorIndex;
    int[] key;
    int[] xor;

    public int Value
    {
        get
        {
            int v = xor[xorIndex] ^ key[keyIndex];
            xor[xorIndex = random.Next(arraySize)] =
                v ^ (key[keyIndex = random.Next(arraySize)] = random.Next());
            return v;
        }
        set 
        {
            xor[xorIndex = random.Next(arraySize)] =
                value ^ (key[keyIndex = random.Next(arraySize)] = random.Next()); 
        }
    }

    public ProtectedInt(int intiialValue) 
    {
        keyIndex = 0;
        xorIndex = 0;
        key = new int[arraySize];
        xor = new int[arraySize];
        Value = intiialValue; 
    }

    public static implicit operator int(ProtectedInt x) { return x.Value; }
    public static implicit operator ProtectedInt(int x) { return new ProtectedInt(x); }
}
 
Interesting. Has this been the case in all versions of .net? or just the recent version?

I have been studying asm for a few months now and its very interesting to me and im trying to take some games and well create cheats for them (even though these games already have cheats for them I just want to see if i can locate them without any prior knowledge of where they are stored)

Older games (pre .net) are easy to check..very easy.
 
Ye Ol' buffer overrun attack (or something similiar) will still work in .Net, right? In C, that was a piece of cake . ;)
 
marble_eater said:
How do you manage a buffer overrun in a managed environment?
Click to expand...


Ive heard it done but nobodies ever show me so i still think you cannot.

There are many programs which will try to track certain variables in the ram down for you for game cheats but the problem in the new games (some) is the math used in the variable manipulation is actually calculated at a different time than when displayed on the screen so in terms of the asm its not 'around' each other in terms of what changed etc making searching for the actual offsets much harder.

I just find it interesting since im still working on my insane obfuscating-type idea with compiles. I believe if i can understand exactly how they are doing this variable manipulation (i believe its just some common algy that companies are using) to protect from trainers etc..
 
Trainers that merely track down values in memory are very easy to protect against (as seen above). The good trainers use code injection to rewrite routines. However, since .NET is JIT'ed it makes this type of exploit next to impossible to pull off. If you're writing a game in .NET you'll probably be NAMKE'ing it so it might be a good idea to ensure you do something different with your important methods.
 
For years I've been using a program called "WinHack" to cheat in games. IT even lets you create Trainers once you're done, but it doesn't work on all games.
 
Right, you have 10,432 gold but no matter how much searching you do you just can't find it. Try making a simple app and use WinHack to mod a value in it. Then use the code I posted above and try to mod it. :)
 
Back
Top