Hello fellow developers,
assume I had a program that required authorization granted to him by a server over the network. Obviously, at some point within my code there would be something along the lines of:
if (serverResponse == expectedResponse){
//Continue as the authorized user
}
This system has a very, very unlikely weakness. If anybody were to actually modify the executable file and chan开发者_开发问答ge the code of that if
(which I assume to be some sort of branching instruction) to code, that always branches to the true-case. Is there a way to detect such a modification from within my program?
To me this sounds like a psychologist checking his own sanity. If this is not possible, how would such a thing be done? How does software like Punkbuster check for manipulation of game code?
I guess it might be very relevant that this program of mine is written in C++ and compiled with the GCC compiler.
The trick here is not to rely on a simple if statement. As you say that is easily circumvented by someone who can reverse engineer your code. Instead you should use the value returned from the server for some vital function of your program. For instance the response from the server could be used as a key to decrypt some vital data on the client. That would be much harder for a reverse engineer to circumvent.
One approach is to take the address of the function and obtain the CRC of the memory at that address. This isn't very flexible however, because you have to either calculate the size of the function every time you modify it, or use a disassembler library like the magnificent and free BEAEngine to dynamically calculate it. But then there's the possibility of the reverse engineer modifying your CRC code. Or the checksum it's checking it against. They can also modify the server's response before your program gets it and change it to the expectedResponse
. So you really can't win.
There are also softwares such as the free UPX which will pack your executable (and obfuscate it if you tell them to) and make it very difficult for people to read and modify to achieve the correct result they are going for.
However, if someone has enough time and skill, there's really nothing you can do. As we used to say, the client always wins; all you can do is make the game more difficult.
精彩评论