Could anyone tell me how to check if an address is nopped?
I want it if it's nopped to show a msg box saying "nopped!" and if it isn't nopped i want it to say "not nopped."
Do you mean NULL, or are you talking about the nop asm instruction?
My homepage
Advice: Take only as directed - If symptoms persist, please see your debugger
Linus Torvalds: "But it clearly is the only right way. The fact that everybody else does it some other way only means that they are wrong"
NOP ASM instruction
Well an address being nop'ed does not make sense. NOP is an asm instruction and outside of that context its hexadecimal equivalent could appear anywhere. But it only means NOP in the context of a program.
Ehm, what are you ACTUALLY trying to do?
The opcode for NOP is 0x90 [I'm a rather sad geek, as I knew that without even looking it up], so checking the address to see if it's 0x90 at that address will tell you if it MAY be a NOP or not.
To properly know for sure, you'll need to know where the piece of code you're looking at starts, and then parse through each of the instructions until you get to the point you're looking at. Consider something like this:
Code:
int some_func(int x) { return x | 0x90; }
That will contain something like:
Code:
... or 90h, eax ...
That code will contain 90 00 00 00 as a constant.
Note also that at least AMD recommends using "other" instructions as NOP's when needing long NOP sequences (for aligning to 16-byte boundary for example), you could use things like "mov esi, esi", "lea [esi], esi", "lea [esi+0],esi" or a bunch of similar things [and not necessarily with ESI of course] - these are ALSO "NO-OPERATIONS", but of course not NOP. Another variant is to add a 0x66 prefix to the 0x90 opcode - that tells the processor to switch between 16- and 32-bit operands for this particular instruction, which is still a "NOP", but it takes up two bytes.
--
Mats
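Added example (not posted by anyone in this thread): a C check of the kind the original question asks for, using the 0x90 and 66 90 encodings Mats lists. The sample byte strings are constructed, and it is only a byte-pattern test, so a 0x90 that is really an immediate inside another instruction would also match; on Windows the result string would go to MessageBoxA instead of printf.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if every byte in [code, code+len) decodes as a NOP
 * (plain 0x90 or the two-byte 66 90 form), 0 otherwise.
 * This is a byte-pattern check, not a disassembler: to know for sure
 * you would have to decode from the start of the function, as the
 * post above explains. */
int region_is_nopped(const uint8_t *code, size_t len)
{
    size_t i = 0;
    if (len == 0) return 0;               /* nothing to inspect */
    while (i < len) {
        if (code[i] == 0x90) {
            i += 1;                       /* one-byte NOP */
        } else if (code[i] == 0x66 && i + 1 < len && code[i + 1] == 0x90) {
            i += 2;                       /* operand-size prefix + NOP */
        } else {
            return 0;                     /* some other instruction */
        }
    }
    return 1;
}

/* Constructed sample: what a 5-byte "call rel32" looks like after a
 * patcher has NOPped it out. */
static const uint8_t nopped_call[5] = {0x90, 0x90, 0x90, 0x90, 0x90};
/* Constructed sample: the same call left intact (e8 rel32). */
static const uint8_t intact_call[5] = {0xe8, 0x10, 0x00, 0x00, 0x00};
/* Constructed sample: "or eax, 90h" (0d 90 00 00 00) contains 0x90 but is
 * not a NOP; the scan correctly rejects it because 0x0d comes first. */
static const uint8_t or_imm[5] = {0x0d, 0x90, 0x00, 0x00, 0x00};
/* Constructed sample: two of the two-byte 66 90 NOPs. */
static const uint8_t two_byte_nops[4] = {0x66, 0x90, 0x66, 0x90};

int main(void)
{
    printf("%s\n", region_is_nopped(nopped_call, 5) ? "nopped!" : "not nopped.");
    printf("%s\n", region_is_nopped(intact_call, 5) ? "nopped!" : "not nopped.");
    printf("%s\n", region_is_nopped(or_imm, 5) ? "nopped!" : "not nopped.");
    printf("%s\n", region_is_nopped(two_byte_nops, 4) ? "nopped!" : "not nopped.");
    return 0;
}
```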
Do you mean, you want to find out if your program has NOP's?
The easiest way would be to enable compiler warnings. It should tell you when a statement has no effect.
I might be wrong.
Quoted more than 1000 times (I hope). Thank you, anon. You sure know how to recognize different types of trees from quite a long way away.
A complex checksum of the game would probably be a better idea - something like a CRC32 or MD5sum, so that if you change one bit in one place, the checksum is different. Do this over the entire code-base and you'd be OK. Run this periodically over the code, and you should be OK.
There's absolutely no reason why a game-hacker couldn't change the code in other places than where the NOP's are either - it's quite possible to add a "jump" in existing code and then replace the existing code where the jump lands.
--
Mats
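Added example (not from any poster here) of the checksum approach Mats describes: a CRC32 over a code region, recorded at start-up and re-checked periodically, so that flipping a single bit anywhere in the region is caught. The "code" bytes are a constructed sample, and the whole scheme assumes the checker itself has not been patched out, which is exactly the weakness Salem's post points at.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Standard CRC-32 (reflected polynomial 0xEDB88320), computed bit by bit
 * so no lookup table is needed. */
uint32_t crc32_bytes(const uint8_t *data, size_t len)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* One protected code region: its location and the checksum recorded at
 * start-up, before any hack DLL had a chance to patch it. */
struct code_region {
    const uint8_t *start;
    size_t len;
    uint32_t baseline;
};

void code_region_init(struct code_region *r, const uint8_t *start, size_t len)
{
    r->start = start;
    r->len = len;
    r->baseline = crc32_bytes(start, len);
}

/* Call this periodically: returns 1 while the bytes still match the
 * baseline, 0 as soon as any bit in the region has changed. */
int code_region_intact(const struct code_region *r)
{
    return crc32_bytes(r->start, r->len) == r->baseline;
}

/* Constructed sample: a tiny function body (push ebp; mov ebp,esp;
 * call rel32; pop ebp; ret). Returns 1 if NOPping out the call is caught. */
int demo_detects_nop_patch(void)
{
    uint8_t code[] = {0x55, 0x89, 0xe5, 0xe8, 0x10, 0x00, 0x00, 0x00, 0x5d, 0xc3};
    struct code_region r;
    code_region_init(&r, code, sizeof code);
    int before = code_region_intact(&r);      /* untouched region: 1 */
    memset(code + 3, 0x90, 5);                /* the 5-byte call becomes NOPs */
    int after = code_region_intact(&r);       /* patched region: 0 */
    return before == 1 && after == 0;
}
```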
You mean, how would one use a checksum?
Or how would one add code to jump around like that?
dwk
Seek and ye shall find. quaere et invenies.
"Simplicity does not precede complexity, but follows it." -- Alan Perlis
"Testing can only prove the presence of bugs, not their absence." -- Edsger Dijkstra
"The only real mistake is the one from which we learn nothing." -- John Powell
Other boards: DaniWeb, TPS
Unofficial Wiki FAQ: cpwiki.sf.net
My website: http://dwks.theprogrammingsite.com/
Projects: codeform, xuni, atlantis, nort, etc.
> Well i'm trying to make an anti-hack dll for a game
Think of your anti-hack as a game in itself.
1. You get to write all the rules.
2. You only have a finite amount of time to implement the rules.
3. You only get to play the game once.
4. You are alone.
I mean, once you've released your s/w, the game is up as far as you're concerned. You've played your hand, and everyone can see your cards.
The opposition on the other hand are
1. Have potentially an infinite amount of time.
2. Can play as many times as they want.
3. Large in number.
What's the betting that you're going to win?
This being the internet and all, as soon as someone knows how to beat you, it doesn't take more than a few minutes before everyone else does as well.
If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
If at first you don't succeed, try writing your phone number on the exam paper.
If you mean "how do you replace an existing bit of code with a jump that does the overwritten code where the jump lands", then it's pretty simple - of course, you DO need to find a space to store the code you jump to.
There are several ways to find some place for the code:
- allocate some more memory with execute privileges by the Win32 API -
- by replacing some "Unused code", e.g. some error handling code that only happens when the application does something unusual, like running out of memory or dividing by zero or some such that doesn't happen under normal operation - there's usually "unused" code in any application -
- if nothing else, overwriting the "exit-code" that leaves the application is always an option - it may not be able to exit nicely any longer, but who cares...
No, I haven't done exactly this sort of hacking, but I have replaced code in executables/binaries for professional reasons at work - and there's USUALLY some place to put the code even in a fixed size binary.
So, once we've found a target code and some place to put our "extra" code, we do:
- insert a "jmp my_code" in place of some other instruction(s).
- add those "other instructions" at the beginning or end of "my_code",
- my code also does whatever it is that I wanted to do that wasn't in the original code, say increase my points in the game by 100 every time the letter K is pressed, or add more lives to my player when I press "&", etc, etc.
- jump back to just after the "jmp my_code", making sure this is a valid instruction.
--
Mats
> Another variant is to add a 0x66 prefix to the 0x90 opcode - that tells the processor to switch between 16- and 32-bit operands for this particular instruction, which is still a "NOP", but it takes up two bytes.
The prefix is not a NOP.
I have a very hard time believing NOPs are used for inserting hacks into games. There are much more elegant ways that do not mess with the core source code being ran. However as the discussion of these methods most certainly does not fall within the guidelines of this forum I will not discuss them.
But all this sounds very suspect right from the word "go".