Page 1 of 2 12 LastLast
Results 1 to 10 of 14
#1 Dwar (Veteran)

    GameGuard Analysis

    With a growing user base, online games are gaining a reputation as a great channel of entertainment. But the rules defined in games are being damaged severely by account plagiarism and illegal programs created by some malicious users, i.e., hacking and foul play using game hacks.

    INCA has been providing diagnostic services and malicious code blocking services for online games for many years, and in doing so developed nProtect GameGuard, in which the various requirements of customers were reflected and a new concept of hacking prevention was applied, based on our know-how in game security technology.
    nProtect GameGuard is a game security program which can block the use of game hack programs or hacking attempts on the client side.

    Characteristics
    • Diagnosis and Blocking of Malicious Codes. This system diagnoses and blocks, in real time, backdoors/Trojans such as BackOrifice, NetBus, and SubSeven, and game hack programs such as ArtMoney, GameMaster, and GameWizard, based on information on pre-registered malicious codes, using a pattern-recognition diagnosis method.
    • Blocking of Auto Mouse & Macro Program. This module cuts off most hack programs that generate keyboard and mouse events, such as auto mouse macros, if they are used in games.
    • Speed Hack Diagnosis. Real-time diagnosis is possible through monitoring different timers of the system, even if the user intentionally attempts to operate the timer using a speed hack program.
    • Blocking of Auto-Mouse and Macro Program. The function to block programs that send arbitrary mouse or keyboard input values to the game client will basically block most of the widely used auto-mouse or macro programs. Recently released macro programs that use keyboard/mouse filter drivers or PORT I/O kernel drivers will mostly be blocked through GameGuard's driver scan and control function.
    • Scanning of memory patterns. In order to overcome the limit of file scanning patterns, GameGuard performs true pattern scanning (of major specific codes of hacking tools) based on the data uploaded into memory after execution, possessing a powerful built-in hacking tool scan engine that can handle not only patterns hidden by executable file compression programs but also new versions of hacking tools.
    • Safe as well as powerful operation. It has been developed to possess powerful security functions as well as to operate stably on PCs in various countries, based on the know-how that has accumulated while providing services to 70 games in 16 countries for many years.
    • Self-guard of Security Module. Because a unique authentication method is applied to the related files of the nProtect GameGuard modules to verify reliability and modification history, there is nearly no security vulnerability created by altering game security program modules. Since the communication method between nProtect GameGuard and the game server is secured and does not allow any interference, there is nearly no possibility of message communication manipulation.
    • Optimization of CPU Occupation Rate. The pattern catching method of GameGuard does not rely on periodic activation of a process and file check system, but scans all running processes, then detects any new process initialization. This method yields almost 0% occupation of the CPU if no other process is initiated, and helps the game flow more smoothly.


    Structure Diagram of GameGuard

    1. nProtect Game Library (NPGameLib.lib)
      • This is a static library that will be linked along with the game client.
      • As a static library to be linked to the game, this module provides such functions as update, GameMon execution, speed check load and execution, and secret communication with GameMon, with a simple function call.
      • This library reports such messages as GameMon initialization failure, speed hack detection, game hack detection, and termination of GameMon through a callback function, and it is possible to easily attach GameGuard to a game by implementing only a simple callback function.
    2. Speed Check Module (npsc.des, nppt9x.vxd, npptNT.sys)
      • This module monitors the timer of the system and detects the use of speed hack, if any.
      • Since this module controls system ports, different kernel mode drivers are used for 9x and NT.
      • Because the most reliable check result is returned by operating in the game process, it is designed to load from the game.
    3. GameGuard Launcher (GameGuard.des)
      • This is a module that diagnoses malignant codes and executes recent updates of GameGuard.
      • Processes update tasks by internally using the update module (npgmup.des).
    4. Update Module (npgmup.des)
      • This module updates the game guard files.
      • If the results of Sign, CRC, and Hash tests on files show something unexpected, an unconditional update is done, so altered or version-fabricated files are replaced with up-to-date modules.
    5. GameMon (GameMon.des)
      • As a process executed by the game, this is the core management program in charge of authentication, execution of GameGuard modules and secret communication with the game.
      • This program authenticates currently installed modules, and checks if they are the latest modules.
      • This program has built-in debugging prevention code, i.e., a self-test of the CRC32 of the memory image at execution time.
      • This is very hard to falsify since it has powerful built-in debugging prevention code and falsification diagnosis code.
    6. GameGuard Module (npgg9x.des, npggNT.des)
      • As a module loaded and executed by GameMon, this regulates access to the game process in real time.
      • Since this cuts off illegal access attempts targeted at GameMon or the game, it prevents forced termination of the process as well as memory scans, memory value manipulation, etc.
      • This module can cut off hack programs that generate keyboard and mouse events, such as auto mouse and macro programs.
      • Because of differences in OS structures, there are two separate types: one for Windows 95/98/ME and the other for Windows NT/2K/XP.


    GameGuard Process

    "Applying GameGuard to the game client"

    Latest GameGuard version is 2009.12.11.1

    Files and protectors:
    • GameGuard.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
    • GameMon.des – Themida 2.x
    • ggerror.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
    • ggscan.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
    • npgg9x.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
    • npggNT.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90
    • npsc.des - UPX 0.89.6 - 1.02 / 1.05 - 2.90


    As we know, all strings within nProtect binaries are encoded in order to hide them from a casual string search. In the attachment you can find strings from GameMon.exe and GameGuard.exe.

    Example



    All material is legal. Official documentation was used.
    by Dwar


    Please, post your questions on forum, not by PM or mail

    I spend my time, so please pay a little bit of your time to keep world in equilibrium

#2 isanswer (New member)

    Re: GameGuard Analysis

    Wow. Nice
    Thank you for sharing. Great help.

#3 fyyre (New member)
    Quote Originally Posted by Dwar:
    Recently released macro programs that use keyboard/mouse filter drivers or PORT I/O kernel drivers will mostly be blocked through GameGuard's driver scan and control function.
    AFAIK, this only works on x86 systems... by enabling direct I/O access from ring 3. The I/O port driver is a carbon copy of some code from 1995 called 'TOTALIO', by Dale Roberts.

    No protection is set on this driver, thus any program or code is able to access it, see my little 'poc code' here: rebootme.rar

    You can also scan the game client memory for signature: 8A 43 20 84 which is the function start for the 'speedhack module' initialization.

    Simply NOP the 0x84 0x## (jz addr), to have the code skip initialization of npsc.des

    Quote Originally Posted by Dwar:
    hacking tool scan engine that can handle not only patterns hidden by executable file compression programs but also new versions of hacking tools.
    The game client uploads its error log files (.erl) to a remote FTP server via port 6600 every time one exits a game running GameGuard. Simply put... they spy on you, collect data on all running processes and loaded modules along with all running drivers on your system, username, computer name and IP address. This data collection occurs without the consent of the user.

    Quote Originally Posted by Dwar:
    Because a unique authentication method is applied to the related files of the nProtect GameGuard modules to verify reliability and modification history, there is nearly no security vulnerability created by altering game security program modules. Since the communication method between nProtect GameGuard and the game server is secured and does not allow any interference, there is nearly no possibility of message communication manipulation.
    No possibility of message communication manipulation is, at best, a lie. There is more than one way to manipulate this communication. A direct approach is via the method by which it communicates: NamedPipes.

    Quote Originally Posted by Dwar:
    The pattern catching method of GameGuard does not rely on periodic activation of a process and file check system, but scans all running processes, then detects any new process initialization. This method yields almost 0% occupation of the CPU if no other process is initiated, and helps the game flow more smoothly.
    Sorry INCA, that too is bogus. The kernel mode driver manipulates the return of NtQueryInformationSystem -- making modifications to kernel/user times and VMCounters to mask the presence of the resource-eating rootkit driver and VM-packed modules. Removal of GameGuard from any game results in a significant performance improvement.

    As for the CGameGuard class ... best not to discuss such things in public.

    Encrypted strings may be dumped using the tool I created: nprotectdec.rar
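As an added illustration for the behaviour fyyre describes above (not code from the thread or from INCA): a small host-side detector that flags an outbound connection to TCP port 6600 made shortly after the game process exits, which is the pattern of the .erl upload reported in the post. The sensor log format, process names, addresses and timestamps are constructed for this example.

```python
"""Flag outbound TCP/6600 connections that follow a game-client exit.

Constructed example: the log format, image names, addresses and times below
are invented for illustration and are not taken from GameGuard itself.
"""
from datetime import datetime, timedelta

# Constructed host-sensor log, one event per line:
#   <ISO timestamp> <event> key=value ...
SAMPLE_LOG = """\
2012-01-10T20:15:01 proc_exit pid=4120 image=game.exe
2012-01-10T20:15:03 net_connect pid=4404 image=GameMon.des proto=tcp dst=203.0.113.10 dport=6600
2012-01-10T20:40:00 net_connect pid=5001 image=browser.exe proto=tcp dst=198.51.100.7 dport=443
2012-01-10T21:02:10 net_connect pid=4404 image=GameMon.des proto=tcp dst=203.0.113.10 dport=6600
"""

WATCH_PORT = 6600            # port named in the post for the .erl upload
WINDOW = timedelta(seconds=10)  # how soon after an exit a connection counts


def parse_line(line):
    """Split one sensor line into a dict with parsed timestamp and event name."""
    ts, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields["ts"] = datetime.fromisoformat(ts)
    fields["event"] = event
    return fields


def outbound_to_port(log_text, port=WATCH_PORT):
    """All TCP connections to `port`, regardless of timing (baseline view)."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [e for e in events
            if e["event"] == "net_connect"
            and e.get("proto") == "tcp" and int(e["dport"]) == port]


def find_exit_uploads(log_text, port=WATCH_PORT, window=WINDOW):
    """Return (timestamp, image, dst) for each TCP connection to `port` that
    occurs within `window` after any process exit: the exit-triggered upload
    the post describes. Connections outside that window are not reported."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    exits = [e["ts"] for e in events if e["event"] == "proc_exit"]
    hits = []
    for e in outbound_to_port(log_text, port):
        if any(timedelta(0) <= e["ts"] - x <= window for x in exits):
            hits.append((e["ts"].isoformat(), e["image"], e["dst"]))
    return hits


if __name__ == "__main__":
    for hit in find_exit_uploads(SAMPLE_LOG):
        print("exit-triggered upload:", hit)
```

Run against real sensor data, the baseline function shows every port-6600 connection while the second narrows to those correlated with a game exit; a nonzero result from the latter is the thing worth reviewing.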

#4 nodtem32 (Guest)
    Oh GOD.
    fyyre is here. *0*

#5 faradila02 (New member)
    Wow, it's too complicated for a noob like me.. but it's nice to know it...

#6 pornpinoy (New member)
    dry, I've read every letter of your post and I'm amazed... but what is that term NamedPipes? Did you mean PIPES?

#7 line32 (New member)
    Wow, now I can learn about GameGuard.
    Great, man, thx.

#8 joao4024 (New member)
    Does it have the "heartbeat system" like on X-Trap?
    Thank you

#9 Grooguz (BanHammer Holder)
    Quote Originally Posted by joao4024:
    Does it have the "heartbeat system" like on X-Trap?
    Nope. Clients with GG have different detection and protection techniques, like freezing the client, a lot of GG checking, encrypting ini files. Anyway, it's another rootkit.

#10 blackreaperz (New member)
    Nice share about GameGuard and quite interesting to learn.
