GameGuard Analysis
With a growing player base, online games are gaining a reputation as a great channel of entertainment. However, the rules defined in games are being severely damaged by account theft and by illegal programs created by some malicious users, i.e., hacking and foul play using game hacks.
INCA has been providing diagnostic and malicious code blocking services for online games for many years, and has developed nProtect GameGuard based on our know-how in game security technology, reflecting various customer requirements and applying a new concept of hacking prevention.
nProtect GameGuard is a program for game security which can block the use of game hack programs or hacking attempts on the client side.
Characteristics
- Diagnosis and Blocking of Malicious Codes. This system diagnoses and blocks, in real time, the BackOrifice, Netbus, and SubSeven backdoors/Trojans and the ArtMoney, GameMaster, and GameWizard game hack programs, based on information on pre-registered malicious codes and using a pattern recognition diagnosis method.
- Blocking of Auto Mouse & Macro Program. This module cuts off most hack programs that generate keyboard and mouse events, such as auto mouse and macro programs, if an attempt is made to use them in games.
- Speed Hack Diagnosis. Real-time diagnosis is possible through monitoring different timers of the system, even if the user intentionally attempts to manipulate the timer using a speed hack program.
- Blocking of Auto-Mouse and Macro Program. The function that blocks programs sending arbitrary mouse or keyboard input values to the game client will basically block most of the widely used auto-mouse or macro programs. Recently released macro programs that use keyboard/mouse filter drivers or PORT I/O kernel drivers will mostly be blocked through GameGuard's driver scan and control function.
- Scanning of memory patterns. In order to overcome the limits of file pattern scanning, GameGuard performs true pattern scanning (of the major specific code of hacking tools) on the data loaded into memory after execution. Its powerful built-in hacking tool scan engine is not evaded by patterns hidden through executable file compression programs or by new versions of hacking tools.
- Safe as well as powerful operation. It has been developed to possess powerful security functions as well as to operate stably on PCs in various countries, based on the know-how accumulated while providing services to 70 games in 16 countries for many years.
- Self-guard of Security Module. Because a unique authentication method is applied to the files of the nProtect GameGuard modules to verify their reliability and modification history, there is nearly no security vulnerability created by altering game security program modules. Since the communication method between nProtect GameGuard and the game server is secured and does not allow any interference, there is nearly no possibility of message communication manipulation.
- Optimization of CPU Occupation Rate. The pattern catching method of GameGuard does not rely on periodical activation of process and file check system, but scans all running processes, then detects any new process initialization. This method yields almost 0% occupation of CPU if no other process is initiated, and helps the game flow more smoothly.
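One way to realise the "different timers" check named under Speed Hack Diagnosis, as an added example that is not GameGuard's own code. The `TimerSample` struct, the thresholds and the sample trace are assumptions made for illustration.

```cpp
// Added example (not GameGuard code): cross-check independent timers for speed hacks.
#include <algorithm>
#include <cstdint>
#include <vector>

// One reading of three clocks taken at the same moment, all in milliseconds.
// On Windows these could come from GetTickCount, QueryPerformanceCounter and
// timeGetTime; here they are plain numbers so the logic runs anywhere.
struct TimerSample {
    int64_t tickMs;   // tick counter
    int64_t perfMs;   // high-resolution counter converted to ms
    int64_t mmMs;     // multimedia timer
};

// Returns the index of the first sample whose elapsed time since the previous
// sample disagrees between timers, or -1 if all intervals are consistent.
// relTol is the allowed relative spread; jitterMs absorbs timer granularity.
int FindTimerDivergence(const std::vector<TimerSample>& s,
                        double relTol = 0.10, int64_t jitterMs = 32) {
    for (size_t i = 1; i < s.size(); ++i) {
        const int64_t d[3] = { s[i].tickMs - s[i - 1].tickMs,
                               s[i].perfMs - s[i - 1].perfMs,
                               s[i].mmMs   - s[i - 1].mmMs };
        const int64_t lo = *std::min_element(d, d + 3);
        const int64_t hi = *std::max_element(d, d + 3);
        if (lo < 0) return static_cast<int>(i);            // a clock ran backwards
        // A hooked or rescaled timer stretches or shrinks only its own interval.
        if (hi - lo > jitterMs && hi - lo > relTol * static_cast<double>(hi))
            return static_cast<int>(i);
    }
    return -1;
}

// Constructed samples: at index 3 the tick counter advances at twice the real rate.
std::vector<TimerSample> SampleSpeedHackTrace() {
    return { {0, 0, 0}, {1000, 1001, 1000}, {2000, 2003, 2015},
             {4000, 3004, 3016}, {5000, 4004, 4017} };
}
```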
Structure Diagram of GameGuard
- nProtect Game Library (NPGameLib.lib)
  - This is a static library that will be linked along with the game client.
  - As a static library to be linked to the game, this module provides such functions as update, GameMon execution, speed check load and execution, and secret communication with GameMon with a simple function call.
  - This library reports such messages as GameMon initialization failure, speed hack detection, game hack detection, and termination of GameMon through a callback function, and it is possible to easily attach GameGuard to a game by only implementing a simple callback function.
- Speed Check Module (npsc.des, nppt9x.vxd, npptNT.sys)
  - This module monitors the timer of the system and detects the use of speed hack, if any.
  - Since this module controls system ports, different kernel mode drivers are used for 9x and NT.
  - Because the most reliable check result is returned when it operates in the game process, it is designed to be loaded from the game.
- GameGuard Launcher (GameGuard.des)
  - This is a module that diagnoses malicious codes and executes recent updates of GameGuard.
  - It processes the update task by internally using the update module (npgmup.des).
- Update Module (npgmup.des)
  - This module updates the GameGuard files.
  - If the Sign, CRC, and Hash tests on files give unexpected results, an unconditional update is performed, so altered or version-fabricated files are replaced with up-to-date modules.
- GameMon (GameMon.des)
  - As a process executed by the game, this is the core management program in charge of authentication, execution of GameGuard modules and secret communication with the game.
  - This program authenticates the currently installed modules, and checks if they are the latest modules.
  - This program has built-in debugging prevention code, i.e., a CRC32 self-test of its memory image at run time.
  - It is very hard to falsify since it has powerful built-in debugging prevention code and falsification diagnosis code.
- GameGuard Module (npgg9x.des, npggNT.des)
  - As a module loaded and executed by GameMon, this regulates access to the game process in real time.
  - Since this cuts off illegal access attempts targeted at GameMon or the game, it prevents forced termination of the process as well as memory scan, memory value manipulation, etc.
  - This module can cut off hack programs that generate keyboard and mouse events, such as auto mouse and macro programs.
  - Because of differences in OS structures, there are two separate types: one for Windows 95/98/ME and the other for Windows NT/2K/XP.
Game Guard Process
"Applying GameGuard to the game client"
Generating GameGuard class object
Generate an object of CNPGameLib class as a global variable.
CNPGameLib npgl("Cube");
Or, you could just declare the pointer of CNPGameLib class as global and generate it as dynamic later on.
CNPGameLib *pNpgl = NULL;
pNpgl = new CNPGameLib("Cube");
At this time, pass the character string as the argument of the constructor. The game name in the above example is Cube.
This character string is the part of the file name, excluding the extension, of the .ini file which is the configuration file (e.g. Cube.ini). GameGuard starts initializing when the CNPGameLib object is generated.
Processing GameGuard initialization result
Right after the CNPGameLib object has been created, call the npgl.Init() function to process the result of GameGuard initialization.
DWORD dwResult = npgl.Init();
if (dwResult != NPGAMEMON_SUCCESS)
{
    // ... Refer to the examples below for the methods of handling each error code.
}
If an object is created dynamically through new, process Init() in the next line.
If the object is created globally, process Init() in the start of a program, such as WinMain().
Make sure to check the return value of Init(), show the user the appropriate error message, and then close the game. (Refer to the examples and error codes later on.)
Transferring Game client main window handle
After all graphics and UI-related parts of the game client have been initialized, the main window handle (HWND) is transferred to GameGuard.
npgl.SetHwnd(g_hMainWnd);
GameGuard sends the message to the callback function after the window handle has been received.
Recording GameGuard callback function
Callback function is a function that independently handles the messages that are sent by GameGuard.
BOOL CALLBACK NPGameMonCallback(DWORD dwMsg, DWORD dwArg)
{
    // Refer to the examples below for a specific implementation.
    return TRUE; // TRUE continues the game, FALSE ends it
}
Messages such as game hack detection, speed hack detection, game falsification and GameGuard falsification are delivered through the callback function.
Process the closure of the game first, and display the message box only right before the game ends.
The message box is not displayed first for two reasons: hackers would be able to analyze the program easily with a debugger, using the location of the message box as a hint, and the callback function is called on a thread different from the main thread of the game, so the game could continue with the message box left on.
Therefore, in the callback function, record only the message number or the message character string that will be displayed later, and right before the game is shut down, check whether a message has been recorded and show it.
When you are continuing with the game after the callback function message, return TRUE, and when you are ending the game, return FALSE.
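The record-now, display-at-exit pattern described above, as an added example that is not taken from the GameGuard SDK. The type stand-ins, the numeric values of the NPGAMEMON_* constants, the message texts and the choice to treat unknown messages as fatal are assumptions; only the constant names and the callback signature come from this page.

```cpp
// Added example (not from the GameGuard SDK): record in the callback, display at exit.
#include <atomic>
#include <cstdint>
#include <string>

typedef uint32_t DWORD;   // stand-ins for the Windows SDK types
typedef int BOOL;
#ifndef TRUE
#define TRUE 1
#define FALSE 0
#endif

// Placeholder values (constructed); the real ones are defined in the GameGuard header.
enum : DWORD { NPGAMEMON_COMM_ERROR = 1, NPGAMEMON_COMM_CLOSE, NPGAMEMON_INIT_ERROR,
               NPGAMEMON_SPEEDHACK, NPGAMEMON_GAMEHACK_KILLED, NPGAMEMON_GAMEHACK_DETECT,
               NPGAMEMON_GAMEHACK_DOUBT, NPGAMEMON_GAMEHACK_REPORT };

std::atomic<DWORD> g_dwExitMsg{0};     // message number recorded for later (0 = none)
std::atomic<bool>  g_bAppExit{false};  // polled by the game's main loop

// Runs on GameGuard's thread, not the game's main thread, so it shows no UI.
// (The real declaration is BOOL CALLBACK NPGameMonCallback(DWORD, DWORD).)
BOOL NPGameMonCallback(DWORD dwMsg, DWORD dwArg) {
    (void)dwArg;
    if (dwMsg == NPGAMEMON_GAMEHACK_REPORT)
        return TRUE;                   // report goes to the server; the game continues
    DWORD none = 0;
    g_dwExitMsg.compare_exchange_strong(none, dwMsg);  // keep the first reason only
    g_bAppExit = true;
    return FALSE;                      // every other message ends the game
}

// Called on the main thread after the game has shut down, right before exit.
// Texts are deliberately generic: no process names or pattern details.
std::string PendingExitMessage() {
    switch (g_dwExitMsg.load()) {
    case 0:                          return "";
    case NPGAMEMON_SPEEDHACK:        return "Speed hack detected.";
    case NPGAMEMON_GAMEHACK_KILLED:
    case NPGAMEMON_GAMEHACK_DETECT:  return "Game hack detected.";
    case NPGAMEMON_GAMEHACK_DOUBT:
        return "Close all unnecessary programs and try the game again.";
    case NPGAMEMON_INIT_ERROR:       return "GameGuard initialization failed.";
    default:                         return "GameGuard was closed.";
    }
}
```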
Way to Check whether GameGuard is running while Game is on
Basically, GameGuard and the game client tell each other whether they are running through a secret channel every few seconds; therefore, if one side shuts down, the other side becomes aware of this and shuts down as well.
However, as a precaution against low-quality debugging, it is good to check whether GameGuard is running by calling the npgl.Check() function from a timer in many parts of the game.
A checking period of 5-10 seconds is appropriate.
if (npgl.Check() != NPGAMEMON_SUCCESS) bAppExit = true; // Game ends
Checking if Any Illegal Program Is in Use
When the user ID is passed to GameGuard through the npgl.Send() function after the user logs in to the game, the use of illegal programs can be confirmed through the user's log, and the information gathered can be used for further customer assistance. Please be aware that if the user ID is not sent to GameGuard, some GameGuard options will be turned OFF.
npgl.Send(szUserID);
When an illegal program is detected, a NPGAMEMON_GAMEHACK_DETECT or NPGAMEMON_GAMEHACK_KILLED message is sent through the callback function of the game client.
At this time, the npgl.GetInfo() or GetInfoFromGameMon() function can be used inside the callback function to check the process names of the illegal programs.
LPCSTR pszInfo = npgl.GetInfo();
if (pszInfo != NULL) lstrcpynA(g_szHackInfo, pszInfo, sizeof(g_szHackInfo)); // g_szHackInfo is assumed to be a char array
If the return value is NULL, the game hack might be of a type for which the process name cannot be obtained, because an independent process does not exist.
The usage of illegal programs among the users can be confirmed by transmitting this kind of information to the game server and recording the log along with the user information.
In addition, users using illegal programs can be logged through the following game hack finding callback message. The information returned by GetInfo() can be very useful to hackers trying to get their hack tools past detection. Therefore, please leave out detailed information when the game hack found message is displayed to the user.
NPGAMEMON_GAMEHACK_REPORT sends the game client the encrypted information after GameGuard finishes analyzing the hacking tools. When this message is sent to the callback function, the corresponding data will be sent to the server directly in encrypted form, and can be used as evidence to stop that user after the data is decrypted on the server. Please refer to sections 4, 5 and 6 for implementation methods.
The fields of the log are separated by the '|' character. Below is the log format.
Hack type|GameGuard version|Date|Hack name|Pattern number|Details|Hack file TimeStamp
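A server-side parser for one decrypted report line in the format above, as an added example that is not INCA's code. The `HackReport` struct, the function name and the sample line are assumptions; the page does not specify the layout of individual field values.

```cpp
// Added example (not INCA's code): server-side parser for one decrypted report line.
#include <array>
#include <string>

struct HackReport {
    std::string hackType, ggVersion, date, hackName, patternNumber, details, fileTimeStamp;
};

// Parses "Hack type|GameGuard version|Date|Hack name|Pattern number|Details|Hack file TimeStamp".
// The line originates on the client, so it is treated as untrusted: the field count
// must be exactly 7, empty fields are preserved (strtok would silently merge them),
// and control characters are replaced so a crafted name cannot forge extra log lines.
bool ParseHackReport(const std::string& line, HackReport& out) {
    std::array<std::string, 7> f;
    size_t n = 0, start = 0;
    for (;;) {
        const size_t bar = line.find('|', start);
        if (n == f.size()) return false;                       // more than 7 fields
        f[n++] = line.substr(start, bar == std::string::npos ? bar : bar - start);
        if (bar == std::string::npos) break;
        start = bar + 1;
    }
    if (n != f.size()) return false;                           // fewer than 7 fields
    for (std::string& s : f)
        for (char& c : s)
            if (static_cast<unsigned char>(c) < 0x20 || c == 0x7f) c = '?';
    out = HackReport{f[0], f[1], f[2], f[3], f[4], f[5], f[6]};
    return true;
}

// Constructed sample line; the field values and date layout are illustrative only.
const char kSampleLine[] =
    "1|2009.12.11.1|2009-12-20 21:03:11|Cheat Engine|1042||2009-11-30 08:15:00";
```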
GameMon Message Types & Handling
- NPGAMEMON_COMM_ERROR – means that the communication with GameMon is disconnected. In most cases, it means an improper closing of GameMon, thus close the game as well.
- NPGAMEMON_COMM_CLOSE – GameMon is closed properly. Close the game, too.
- NPGAMEMON_SPEEDHACK – Speedhack is detected. Close the game with a relevant message.
- NPGAMEMON_GAMEHACK_KILLED – A running gamehack is detected, but was successfully forced to close. Although it is possible to proceed with the game, it is still highly recommended to close the game.
- NPGAMEMON_GAMEHACK_DETECT – Gamehack detected, but could not be closed by GameGuard. Close the game, displaying a relevant message.
- NPGAMEMON_GAMEHACK_DOUBT – Program is suspected to have a Gamehack currently running, or the game or GameGuard file has been corrupted. Display the message saying ‘Close all unnecessary programs and try the game again’, then close the game.
- NPGAMEMON_INIT_ERROR – A failure in initializing GameMon. Print a relevant message with the error code to user, and close the game.
- NPGAMEMON_GAMEHACK_REPORT – Game hack was found, however, operating normally. Game client has sent the received data to the game server and is operating normally.
Explanation on GameGuard library functions
DWORD PreInitNPGameMon(LPCSTR szGameName);
- Initialize the GameGuard
- In case of C++, automatically call from the constructor of CNPGameLib
- Return Value: NPGAMEMON_SUCCESS – Initialization success. Other values – Error code
- Refer to examples or error codes in chapter 5
DWORD InitNPGameMon();
- Sends the initialization result of PreInitNPGameMon()
- Same as Init() of CNPGameLib
- Return value: NPGAMEMON_SUCCESS – initialization success, other values – error code
- Refer to examples or error codes in chapter 5
void SetHwndToGameMon(HWND hWnd);
- Transfer the main window handle of the game client to GameMon
- Same as SetHwnd() of CNPGameLib
- Return value: none
DWORD CheckNPGameMon();
- Check whether GameMon is running
- Same as Check() of CNPGameLib
- Return value: NPGAMEMON_SUCCESS – Running, other values – no GameMon
BOOL SendUserIDToGameMon(LPCSTR szUserID);
- Transfer the user ID to GameMon
- Return value: 0 – failure, 1 – success
LPCSTR GetInfoFromGameMon();
- Obtain name or information of hacking tools that are detected by GameMon
- Same as GetInfo() of CNPGameLib
- Return value: Hacking tool information character string or NULL
BOOL CloseNPGameMon();
- Close GameGuard
- In case of C++, it will be automatically called from the destructor of CNPGameLib
- Return value: 0 – failure, 1 – success
LPBYTE GetHackInfoFromGameMon(DWORD* dwSize);
- Bring detailed data when NPGAMEMON_GAMEHACK_REPORT message is received.
- Encrypted data (binary) is returned and the data size is saved in the dwSize argument.
- Error 0 is returned if no data is received.
Latest GameGuard version is 2009.12.11.1
Files and protectors:
- GameGuard.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
- GameMon.des – Themida 2.x
- ggerror.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
- ggscan.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
- npgg9x.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
- npggNT.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
- npsc.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
As we know, all strings within nProtect binaries are encoded in order to hide them from casual string search. In the attachment you can find strings from GameMon.exe and GameGuard.exe.
Example
pos 9E968: zenos Engine
pos 9E97C: zenoshyperscansettings
pos 9E998: Kaspersky Engine
pos 9E9D0: Cheat Engine
pos 9E9E4: CEHYPERSCANSETTINGS
pos 9EA14: _NEO_AUTO_MAP_
pos 9EA28: DragonFarm macro
pos 9EA90: C:\Program Files\ND
All material is legal. Official documentation was used.
by Dwar