Thread: Nop's

  1. #1
    Registered User
    Join Date
    Jul 2007
    Posts
    61

    Nop's

Could anyone tell me how to check if an address is nopped?
I want it, if it's nopped, to show a msg box saying "nopped!" and if it isn't nopped I want it to say "not nopped."

  2. #2
    Algorithm Dissector iMalc's Avatar
    Join Date
    Dec 2005
    Location
    New Zealand
    Posts
    6,318
    Do you mean NULL, or are you talking about the nop asm instruction?
    My homepage
    Advice: Take only as directed - If symptoms persist, please see your debugger

    Linus Torvalds: "But it clearly is the only right way. The fact that everybody else does it some other way only means that they are wrong"

  3. #3
    Registered User
    Join Date
    Jul 2007
    Posts
    61
    NOP ASM instruction

  4. #4
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
Well, an address being nop'ed does not make sense. NOP is an asm instruction, and outside of that context its hexadecimal equivalent could appear anywhere. But it only means NOP in the context of a program.

  5. #5
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Ehm, what are you ACTUALLY trying to do?

The opcode for NOP is 0x90 [I'm a rather sad geek, as I knew that without even looking it up], so checking whether the byte at that address is 0x90 will tell you if it MAY be a NOP or not.

    To properly know for sure, you'll need to know where the piece of code you're looking at starts, and then parse through each of the instructions until you get to the point you're looking at. Consider something like this:

    Code:
    int some_func(int x) {
        return x | 0x90;
    }
    That will contain something like:
    Code:
    ...
        or    90h, eax
    ...
    That code will contain 90 00 00 00 as a constant.

    Note also that at least AMD recommends using "other" instructions as NOP's when needing long NOP sequences (for aligning to 16-byte boundary for example), you could use things like "mov esi, esi", "lea [esi], esi", "lea [esi+0],esi" or a bunch of similar things [and not necessarily with ESI of course] - these are ALSO "NO-OPERATIONS", but of course not NOP. Another variant is to add a 0x66 prefix to the 0x90 opcode - that tells the processor to switch between 16- and 32-bit operands for this particular instruction, which is still a "NOP", but it takes up two bytes.

    --
    Mats

  6. #6
    The larch
    Join Date
    May 2006
    Posts
    3,573
    Do you mean, you want to find out if your program has NOP's?

    The easiest way would be to enable compiler warnings. It should tell you when a statement has no effect.
    I might be wrong.

    Thank you, anon. You sure know how to recognize different types of trees from quite a long way away.
    Quoted more than 1000 times (I hope).

  7. #7
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by anon View Post
    Do you mean, you want to find out if your program has NOP's?

    The easiest way would be to enable compiler warnings. It should tell you when a statement has no effect.
    But that's not to say that the code generated by the compiler contains a NOP instruction - it just means that you did something like:

    Code:
    int j;
    ... 
    
        j;
    ;

    --
    Mats

  8. #8
    Registered User
    Join Date
    Jul 2007
    Posts
    61
    Quote Originally Posted by anon View Post
    Do you mean, you want to find out if your program has NOP's?

    The easiest way would be to enable compiler warnings. It should tell you when a statement has no effect.

Well, I'm trying to make an anti-hack dll for a game, and hacks NOP addresses to activate their hacks (I know what addresses they will NOP), so I wanna check if they're nop'ed, and if they are I will terminate the addresses, but I use msgboxes for testing.

  9. #9
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    A complex checksum of the game would probably be a better idea - something like a CRC32 or MD5sum, so that if you change one bit in one place, the checksum is different. Do this over the entire code-base and you'd be OK. Run this periodically over the code, and you should be OK.

There's absolutely no reason why a game-hacker couldn't change the code in other places than where the NOP's are either - it's quite possible to add a "jump" in existing code and then replace the existing code where the jump lands.

    --
    Mats
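A minimal version of the periodic CRC32 check matsp suggests above, as an added example that is not from any poster in the thread; the 16-byte pattern standing in for a code region and the checker's interface are constructed for illustration:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bitwise CRC32 (IEEE polynomial, reflected form 0xEDB88320). No lookup
 * table, so the checker itself stays small. */
uint32_t crc32_region(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* 1 if the region still matches the baseline recorded at start-up,
 * 0 if any byte changed (a NOP patch, an inserted jmp, a flipped constant). */
int region_intact(const uint8_t *p, size_t n, uint32_t baseline) {
    return crc32_region(p, n) == baseline;
}

/* Constructed sample bytes standing in for a protected code region. Note the
 * 0x90 at offset 10: it is part of a 32-bit constant, not a NOP, which is why
 * a checksum beats scanning for 0x90 bytes. */
static const uint8_t g_code[16] = {
    0x55, 0x89, 0xE5, 0x83, 0xEC, 0x10, 0x8B, 0x45,
    0x08, 0x3D, 0x90, 0x00, 0x00, 0x00, 0xC9, 0xC3
};

/* Record the baseline, overwrite two adjacent bytes of a copy with 0x90, and
 * report whether the check catches it (1 = detected, 0 = missed). Any change
 * confined to 32 consecutive bits is always detected by CRC32. */
int demo_detects_patch(void) {
    uint32_t baseline = crc32_region(g_code, sizeof g_code);
    uint8_t patched[sizeof g_code];
    memcpy(patched, g_code, sizeof g_code);
    patched[3] = 0x90;
    patched[4] = 0x90;
    return region_intact(patched, sizeof patched, baseline) == 0;
}

int main(void) {
    printf("baseline crc32: %08x\n", crc32_region(g_code, sizeof g_code));
    printf("patch detected: %s\n", demo_detects_patch() ? "yes" : "no");
    return 0;
}
```

The check only raises the bar: the checker and its stored baseline live in the same patchable image, which is brewbuck's point later in the thread.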

  10. #10
    Officially An Architect brewbuck's Avatar
    Join Date
    Mar 2007
    Location
    Portland, OR
    Posts
    7,396
    Quote Originally Posted by brietje698 View Post
Well, I'm trying to make an anti-hack dll for a game, and hacks NOP addresses to activate their hacks (I know what addresses they will NOP), so I wanna check if they're nop'ed, and if they are I will terminate the addresses, but I use msgboxes for testing.
    And what's to stop me from NOPping out the code which checks the NOPs?

  11. #11
    Registered User
    Join Date
    Jul 2007
    Posts
    61
    Quote Originally Posted by matsp View Post
    A complex checksum of the game would probably be a better idea - something like a CRC32 or MD5sum, so that if you change one bit in one place, the checksum is different. Do this over the entire code-base and you'd be OK. Run this periodically over the code, and you should be OK.

There's absolutely no reason why a game-hacker couldn't change the code in other places than where the NOP's are either - it's quite possible to add a "jump" in existing code and then replace the existing code where the jump lands.

    --
    Mats
    And how would this be done? ^^

  12. #12
    Frequently Quite Prolix dwks's Avatar
    Join Date
    Apr 2005
    Location
    Canada
    Posts
    8,057
    You mean, how would one use a checksum?

    Or how would one add code to jump around like that?
    dwk

    Seek and ye shall find. quaere et invenies.

    "Simplicity does not precede complexity, but follows it." -- Alan Perlis
    "Testing can only prove the presence of bugs, not their absence." -- Edsger Dijkstra
    "The only real mistake is the one from which we learn nothing." -- John Powell


    Other boards: DaniWeb, TPS
    Unofficial Wiki FAQ: cpwiki.sf.net

    My website: http://dwks.theprogrammingsite.com/
    Projects: codeform, xuni, atlantis, nort, etc.

  13. #13
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,656
    > Well i'm trying to make an anti-hack dll for a game
    Think of your anti-hack as a game in itself.
    1. You get to write all the rules.
    2. You only have a finite amount of time to implement the rules.
    3. You only get to play the game once.
    4. You are alone.

    I mean, once you've released your s/w, the game is up as far as you're concerned. You've played your hand, and everyone can see your cards.

    The opposition on the other hand are
    1. Have potentially an infinite amount of time.
    2. Can play as many times as they want.
    3. Large in number.

    What's the betting that you're going to win?

    This being the internet and all, as soon as someone knows how to beat you, it doesn't take more than a few minutes before everyone else does as well.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  14. #14
    Kernel hacker
    Join Date
    Jul 2007
    Location
    Farncombe, Surrey, England
    Posts
    15,677
    Quote Originally Posted by brietje698 View Post
    And how would this be done? ^^
If you mean "how do you replace an existing bit of code with a jump that does the overwritten code where the jump lands", then it's pretty simple - of course, you DO need to find a space to store the code you jump to.

    There are several ways to find some place for the code:
    - allocate some more memory with execute privileges by the Win32 API -
- by replacing some "unused code", e.g. some error handling code that only runs when the application does something unusual, like running out of memory or dividing by zero or some such that doesn't happen under normal operation - there's usually "unused" code in any application -
    - if nothing else, overwriting the "exit-code" that leaves the application is always an option - it may not be able to exit nicely any longer, but who cares...

    No, I haven't done exactly this sort of hacking, but I have replaced code in executables/binaries for professional reasons at work - and there's USUALLY some place to put the code even in a fixed size binary.

    So, once we've found a target code and some place to put our "extra" code, we do:

    - insert a "jmp my_code" in place of some other instruction(s).
    - add those "other instructions" at the beginning or end of "my_code",
- my code also does whatever it is that I wanted to do that wasn't in the original code, say increase my points in the game by 100 every time the letter K is pressed, or add more lives to my player when I press "&", etc, etc.
    - jump back to just after the "jmp my_code", making sure this is a valid instruction.

    --
    Mats

  15. #15
    Registered User VirtualAce's Avatar
    Join Date
    Aug 2001
    Posts
    9,607
    Another variant is to add a 0x66 prefix to the 0x90 opcode - that tells the processor to switch between 16- and 32-bit operands for this particular instruction, which is still a "NOP", but it takes up two bytes.
    The prefix is not a NOP.

I have a very hard time believing NOPs are used for inserting hacks into games. There are much more elegant ways that do not mess with the core code being run. However, as the discussion of these methods most certainly does not fall within the guidelines of this forum, I will not discuss them.

    But all this sounds very suspect right from the word "go".
