MetinGuard

Everything posted by MetinGuard

  1. A macro is a macro; they do the same things. ARRAY_SIZE looks a lot cleaner to me. But yeah, they both serve the same purpose. No, HMODULE is a typedef of HINSTANCE which is a typedef of HANDLE. Wow, that was a stupid mistake.
  2. The goal is to detect Wine, which is an emulation environment on Linux that allows you to run Windows executables. It's usually used when reverse engineering; this will simply detect that environment. Yeah, I actually posted an old version which had been quickly mashed together, got my Git branches mucked up, updated the OP.
  3. This is a snippet from my anti-cheat system, MetinGuard. Wine is commonly used in reverse engineering as you can run PE (Windows executables) in an emulated environment. ntdll.dll on Wine will export the functions listed below in lpBadFunctions; we can try to get the address in the export table by using GetProcAddress and seeing if it succeeds. This is just a small part of MetinGuard's anti reverse engineering module.

     ```c
     #include <windows.h>

     #define ARRAY_SIZE(a) (sizeof(a) / sizeof(a[0]))

     /* Returns TRUE if ntdll.dll exports any Wine-specific function. */
     BOOL bCheckWine()
     {
         /* Export names checked for in ntdll.dll. */
         LPCSTR lpBadFunctions[] = {
             "wine_get_unix_file_name",
             "wine_get_version",
             "wine_nt_to_unix_file_name",
             "wine_server_call",
             "wine_server_handle_to_fd",
             "wine_server_release_fd",
             "__wine_init_codepages"
         };

         /* LoadLibraryA returns an HMODULE, the type GetProcAddress expects. */
         HMODULE hNtLib = LoadLibraryA("ntdll.dll");
         if (hNtLib == NULL)
         {
             return FALSE;
         }

         /* GetProcAddress returns a FARPROC (function pointer), not a data pointer. */
         FARPROC lpNtFunc = NULL;
         for (SIZE_T i = 0; i < ARRAY_SIZE(lpBadFunctions); i++)
         {
             /* A non-NULL result means the export exists: report Wine. */
             lpNtFunc = GetProcAddress(hNtLib, lpBadFunctions[i]);
             if (lpNtFunc != NULL)
             {
                 FreeLibrary(hNtLib);
                 return TRUE;
             }
         }

         /* None of the listed exports were found. */
         FreeLibrary(hNtLib);
         return FALSE;
     }
     ```