You are not the first GDNet'er to go down this particular rabbit hole, by the way. Ysaneya beat you to it by 6 years, and the debate there would be well worth your time to read.
[quote name='wodinoneeye' timestamp='1328304241' post='4909320']
How many ordinary users know how to set those things up let alone make them work in an automated fashion for even the simplest parts of my solution (changing things frequently enough that the hackers have to constantly rebuild their hack mechanisms)
You are suggesting that your software will download a small module each time, and this module will perform the checks and authenticate the results with the server, right? That way you can change the module regularly, to outdate older hacks.
So my hack would also download the module, and run it, just like your software does, and let it authenticate with your server. How will that work with a patched executable? Because I will be running your module in a sandbox, and giving it the original executable to work with, instead of my patched one.
This method of hacking is completely impossible to defend against (well, excepting TPM, but nobody wants that), because it works by showing the security/DRM checker exactly what it wants to see - and there is no way to detect this kind of spoofing (again, except for TPM).
[/quote]
Yes one or more modules (binary code snippets) would get downloaded via the normal message transfer between server and client, would insert into the game executable and be run as part of the clients packet decryption scheme (actually I would see a window FIFO buffer list of these modules and the window would slide over as new modules are added/confirmed - but thats to cover the chicken/egg issue and also makes it a little more complex/obscufated - different packets call for use of packet selected modules or even cascade thru more than one)
Those encryption modules when executing reference bytes (via offsets) of the actual FULL game executable binary (not just the small encryption modules) as a cypher -- so they cannot run outside independantly without being mutated to fulfill the same functionality/results.
.
I have already figured in that your hack would attempt to use a reference image ('pristine') it maintains in sync -- of course the hack would now have to activate thru that image in order to execute the EXACT encryption scheme (your hack has to how to get in and out of this while executing - the cypher would be wrong now in this case). You HAD to change some of the adjacent code somehow to implement any hack functionality (ie - code to pull out the decrypted inbound packets and later insert outbound ones).
OR
You are running your Sandbox image with those new modules MUTATED to carry out those bothersome executable cypher fetches and the exactly the original algorithm (your solution needs to mutated its code to indirectly fetch EXACTLY the required cypher data from your pristine client image. CAN you make a PROGRAM that reengineers those modules ???
Like I said -- several components all have to work in concert for the whole to function securely and that includes measures that make 'sandbox' execution extrememly difficult. The server side that parallels all this can have whatever code solution it needs for the new modules to encrpt/decrypt there (part of the rebuilding there builds it to match correctly but only sends the client part to the client (and to your hack will get).
So you cannot just run the sent code snippets directly in your sandbox without changing them to run outside their intended context - they continually check that context in scrambled ways (any hack PROGRAM has to deal with lots of new variants constantly) . You HAVE TO programatically auto-mutate them and THAT is what Im betting on cannot be done by a program -- could be done manually by hand (the constant changing modules keep the scheme well ahead of that - it has to be done in a timely fashion).
The reengineering process -- disassemble, figure out EXACTLY what the code does, rebuilt it to work outside of context (emulate the cypher fetches which are random per packet), each module WOULD have different algorythms of how it mutates that key data. The rebuilt (hacked) code has to be inserted back into its place (the same binary slot - same size of code -- BTW I would pack the snippets into the module buffer - and THEY lots of mem space offsets built into it to foil your attempts to reengineer/rebuild)
I think I mentioned these modules are changed on-the-fly not just once on startup for the full solution. Even if its locked in and only changed with a executable DL once each time the game is played it would still be still designed with many countermeasures to prevent them running in a sandbox without your hack being required to be reengineered&rebuilt.
Another test is the server would expect an immediate response validation once the new module installation is achieved and if this takes too long (your whole hack rebuild/restart will take some time) the server can detect THAT and if it happens too often your user is put on an 'investigate for hack' list for human investigation.
Im not saying this whole scheme (or parts of it) doesnt require some clever programming and some added overhead on client and server.
Having the server side component match the functionality of the client (using a per client unique client executable as its cypher) adds to server side complexity.
And as I said before some existing or future OS might make the tricks that would need to be done impossible (ie - segment rwx permisssions).
------------------------------------------------------------------------------
OK assume we ONLY do some simplest countermeasures - daily rebuild of the client -- that client has the critical internal workings forced in different positions in the binary each rebuild and some of the encrypt/decrypt modules are programatically mutated/substituted each day. It should (of course) be built with minimum clues inside the binary itself. The client binary will now change frequently as run on the players machine. What does your hack rig have to do to try to realign itself and function when the client program binary changes like this ??? Can it do it ALL programatically (hands off) - 'automagically'???
Do you think an 'automagical' solution -- selfinstall/autorun -- can be created for brainless script kiddees thats it is NOT too much a 'complex rig' for them ??
Even YOU providing a 'hack of the day' DL: to match the ever changing client binaries adds extra work for any other cheaters you distribute a solution to.
Cutting out 99+% of the cheaters - isnt that a pretty good partial solution ???