Android Armor

This chapter discusses how these protections work in theory and the different methods they use.

How to detect memory manipulation?

Usually games ship with a kernel driver on PC, or a shield library on Android, that runs a daemon (a background thread) constantly checking for memory modifications or attacks.
A common way to do this is to calculate a checksum over a function's bytes and compare it with a pre-computed checksum of the known-good bytes; most of them use an IEEE checksum, which yields a single number as the result.

How to detect hooks?

You might be wondering: what if our code is big? Will we constantly checksum every function? Will we constantly walk over all functions and check them in their entirety?
Well... if we only want to know whether a function is hooked, we can check just its first 8 to 12 bytes, which, as said earlier, are the bytes most likely to be modified.
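As an added illustration (not code from the page or from any particular shield library), here is the prologue-checksum idea from the two sections above in C: an IEEE CRC-32 is recorded over the first 12 bytes of each guarded function at load time, and a sweep later re-computes it and counts mismatches. The names (`guard_entry`, `guard_sweep`, `fake_fn`) and the byte buffer standing in for a function are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* IEEE CRC-32 (reflected polynomial 0xEDB88320), bitwise so no lookup table is needed. */
static uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Only the prologue is checked: those are the bytes an inline hook overwrites. */
#define PROLOGUE_LEN 12

typedef struct {
    const uint8_t *code;  /* address of the function's first instruction */
    uint32_t expected;    /* checksum of the known-good prologue, recorded at load */
} guard_entry;

static guard_entry guard_init(const uint8_t *code) {
    guard_entry e = { code, crc32_ieee(code, PROLOGUE_LEN) };
    return e;
}

/* One pass of the background checker: returns how many guarded prologues changed. */
static size_t guard_sweep(const guard_entry *table, size_t n) {
    size_t modified = 0;
    for (size_t i = 0; i < n; i++)
        if (crc32_ieee(table[i].code, PROLOGUE_LEN) != table[i].expected)
            modified++;
    return modified;
}

/* Constructed stand-in for a function body (shaped like an AArch64 prologue, not real code). */
static uint8_t fake_fn[16] = {
    0xFD,0x7B,0xBF,0xA9, 0xFD,0x03,0x00,0x91, 0x00,0x00,0x80,0x52, 0xC0,0x03,0x5F,0xD6
};

/* Scenario: a clean sweep, then the prologue is altered in place, then a second sweep.
   Returns 1 when the untouched prologue passes and the altered one is flagged. */
static int demo_prologue_guard(void) {
    guard_entry table[1] = { guard_init(fake_fn) };
    size_t before = guard_sweep(table, 1);                 /* expected: 0 */
    memset(fake_fn, 0xD4, 4);                              /* constructed modification of 4 bytes */
    size_t after = guard_sweep(table, 1);                  /* expected: 1 */
    memcpy(fake_fn, (uint8_t[]){0xFD,0x7B,0xBF,0xA9}, 4);  /* restore so the demo can be re-run */
    return before == 0 && after == 1;
}
```

In a real shield the table would hold the addresses of the library's own exported and sensitive functions, and the sweep would run on the daemon thread the text describes.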

How to make code understanding harder?

This is commonly known as code obfuscation. It is very common yet very hard to do well: as technology has advanced, a lot of debuggers and out-of-the-box static and dynamic analysis tools have appeared, making code obfuscation a real challenge.
Obfuscations range from string encryption, to MBA (Mixed Boolean Arithmetic), to an aggressive inliner, a basic-block splitter, a function shuffler, and more!

Smart Anti-Hooking

Another way to prevent hooking is simply to restore the function's original bytes. This was discovered by a friend of mine while reverse engineering a game.
The game was protected by Arxan, owned today by digital.ai.
What this protection did was build a table of each function's first 12 bytes when the binary loads, and then constantly patch those bytes back into the function. This silently overwrites any hook!
It would be painful to find... unless you notice your hook is being discarded :P
If you are fast enough, you can locate the protection by removing write permission from the function's page, letting the application crash when the protection writes to it, and then reading the crash address from the backtrace.

Binary Encryption

Some companies do not want protection software integrated directly into their code, and so they turn to binary encryption.
A shield is added to the app to run the protections; only after all of its checks pass does it decrypt the game library. Those checks range from verifying the APK signature, assets and checksums, to looking for debuggers, hooking frameworks and more.
