Delphi Anti Cheat (enable any disabled button)

There are several buttons in my application that I have disabled for some reason. But these buttons are easily activated by TNTEnforcer.

Is there any easy way to prevent this?

I tried to pack with some packer / obfuscator, but you can still enable it.

What is TNTEnforcer

+6
3 answers

VCL controls are supported by Win32 controls, and they are inherently unsafe. You cannot restrict access to their properties and state. External programs can easily change state, press buttons, etc.

You may be tempted to start a timer that resets the user interface at high frequency. This can make it a little harder for a cracker. But it is still not particularly difficult, and at what price to your program and code?

So, in my opinion, you should not try to stop external programs that impede the state of the user interface. Instead, you can add checks and protections to OnClick handlers and other code behind the interface. This is also awesome, but at least it takes a little more effort from the cracker.

You can write:

    button.Enabled := False;
    button.OnClick := nil;

when you turn off the button. When you turn it back on, you can write:

    button.Enabled := True;
    button.OnClick := MyOnClickHandler;

This is a pretty crude way to do this. It might be preferable to click on call chain checking in the OnClick handler or, better yet, further into your business logic. Thus, no matter how the code reaches the business logic, if it needs to be locked, it will be.

+7
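
The check "further into your business logic" that the answer above recommends could look like the following. This is an added example, not code from the original answers; `TMainForm`, `FExportAllowed` and `ExportData` are hypothetical names, and the namespaced unit names assume Delphi XE2 or later.

```delphi
program GuardedExport;
// Added example; TMainForm, FExportAllowed and ExportData are hypothetical names.
uses
  System.SysUtils, Vcl.Forms, Vcl.StdCtrls, Vcl.Dialogs;
type
  TMainForm = class(TForm)
  private
    FExportButton: TButton;
    FExportAllowed: Boolean; // authoritative state, not a window property
    procedure ExportButtonClick(Sender: TObject);
  public
    procedure BuildUI;
    procedure SetExportAllowed(Value: Boolean);
    procedure ExportData;
  end;

procedure TMainForm.BuildUI;
begin
  FExportButton := TButton.Create(Self);
  FExportButton.Parent := Self;
  FExportButton.Caption := 'Export';
  FExportButton.OnClick := ExportButtonClick;
  SetExportAllowed(False); // feature starts locked
end;

procedure TMainForm.SetExportAllowed(Value: Boolean);
begin
  FExportAllowed := Value;         // the only place the permission changes
  FExportButton.Enabled := Value;  // the button merely mirrors it
end;

procedure TMainForm.ExportButtonClick(Sender: TObject);
begin
  ExportData; // the handler takes no decision of its own
end;

procedure TMainForm.ExportData;
begin
  if not FExportAllowed then // guard lives in the business logic itself
    raise Exception.Create('Export is locked in the current state');
  ShowMessage('Exporting...'); // placeholder for the real work
end;
begin
  with TMainForm.CreateNew(Application) do
  begin
    BuildUI;
    ShowModal;
  end; // owned by Application, freed at shutdown
end.
```

Because `ExportData` consults `FExportAllowed` rather than the button's `Enabled` property, a click delivered to a button that was re-enabled from outside ends in the exception instead of the export.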

If an attacker is not aware of the internal operation of a particular version of VCL that your application uses so that he can directly manipulate the VCL's internal memory, the best way is to use the standard Win32 APIs to manage your application's publicly available EnableWindow(), for example, using EnableWindow(), followed by BM_CLICK.

Thus, one simple defense is to remove the attack vector that you want to protect - in this case, replacing TButton with TSpeedButton. TButton is a descendant of TWinControl, so it has HWND. TSpeedButton is a descendant of TGraphicControl, so it does not have HWND and therefore is not accessible to external processes, because it is a custom control that is controlled exclusively by VCL, not the OS.

+4

If your application uses the traditional TButton component (from StdCtrls.pas), this button is a standard Windows control. Anyone who knows the control descriptor can access it. An attacking TNTEnforcer can iterate through the windows and find the button handle. After that, malware can turn on your button and simulate mouse clicks.

Solution 1: Since the disabled buttons are not CM_ENABLECHANGED, my first idea is to intercept the CM_ENABLECHANGED messages (David mentioned by WS_DISABLE) so that the malware cannot change the button's enabled state. The solution is similar to David, but more complicated. As David mentioned, we can temporarily remove the OnClick handler when we intend to disable the button.

Solution 2: Another idea is to protect the button handle from searching. You can transform your traditional VCL-based application into a cross-platform FireMonkey-based application. Since FMX draws the components themselves, TNTEnforcer cannot attack at all in the old way. I have never done this before. Transformation gain can be high.

+1

Source: https://habr.com/ru/post/970675/

