Based on the three axes introduced in the previous article, the plug-in was able to cope with the first round of Warden attacks. But one problem remains unsolved: the plug-in works by installing bypass points (detour patches) that modify the game's original code path in order to take control of the game. From an anti-detection point of view, this way of working is simply a nightmare, because it is far too easy to detect. In this regard, plug-ins that do not rely on intercepting game code (d2hackmap and the AutoIt-based mmbot) have a natural advantage. For a maphack, which must intercept game code, one possible solution is to use the x86 hardware breakpoint registers. Anyone familiar with the x86 architecture knows that CPUs from the 80386 onward provide four debug address registers (DR0-DR3) that support hardware breakpoints. By setting hardware breakpoints at suitable places in the game code, we get the effect of a bypass point, and thus control of the game, without modifying the game code. Later versions of Netter's easymap/easyplay, and some WoW plug-ins, work on hardware breakpoints. The drawback of this method is that there are only four debug address registers, so only four places can be intercepted at the same time. Because D2's maphack had no natural enemy at the time, I did not expect something like Warden to appear later; by now it has grown to around 100 bypass points. Against that, four hardware breakpoints are a drop in the bucket, nowhere near enough. This is the biggest obstacle to making a secure, full-featured maphack. WoW plug-ins have it much easier: the WoW plug-ins I have seen generally only intercept the packet-receiving functions (my understanding of WoW is very limited, so this may be wrong; WoW plug-in users, please don't throw bricks at me). Even so, a solution does exist.
I think a better idea is the method proposed at Black Hat 2005: Shadow Walker: Raising the Bar for Windows Rootkit Detection. The main point of the method is to find a way to separate the execute attribute of a memory page from its read attribute: for the same virtual address, the contents map to one physical page when the address is executed as code, and to a different physical page when the address is read by other code. In this way, the plug-in uses the "dirty" page (the one with the bypass points installed) when the game code executes, and maps in the "clean" page when Warden performs its memory probing. This method is ideal, but its disadvantage is that it is quite troublesome to implement and has many details to consider.
Now let's look at Warden's .mod. Against the manual-map and hardware-breakpoint methods of easymap/easyplay, the .mod detects API hooks through memory scanning (some Win32 APIs need to be intercepted by the hardware-breakpoint method) and detects specific strings; it later caught easymap successfully several times. Against signatures of the .mod itself, Blizzard for a period sent out many .mod files that were deformed but functionally identical (rather like a polymorphic virus), which greatly interferes with both the players who use plug-ins and the hackers. In addition, to prevent hackers from obtaining every .mod, the same .mod may not be sent to all players. Later the .mod began to check data integrity. Players who have used maphack know that maphack prints some text in the game (for example the welcome message on entering the game, "mousepad's Diablo II maphack 1.11b (v7.1) installed."; d2jsp and other plug-ins have similar output). In the last attack, Blizzard caught a lot of plug-ins by detecting these messages (mousepad rewrote maphack 7.2 over half a year, and in beta4 the welcome message was caught). It is said that in WoW the .mod also uses stack traces (analysing stack contents) and other means.
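As an added illustration of the kind of API-hook check a memory-scanning anti-cheat module performs (example code written here, not Warden's or any maphack's own code), the function below compares a function's live entry bytes against a clean reference copy and classifies any inline detour it finds; the prologue bytes are constructed samples, and addresses are assumed to be 32-bit as on the x86 game client of that era.

```c
#include <stdint.h>
#include <string.h>

/* Classification returned by the scan. */
enum detour_kind {
    DETOUR_NONE = 0,      /* live bytes match the clean reference */
    DETOUR_JMP_REL32 = 1, /* E9 rel32: classic inline detour trampoline */
    DETOUR_JMP_IND = 2,   /* FF 25 disp32: indirect jump through a pointer */
    DETOUR_PUSH_RET = 3,  /* 68 imm32 C3: push target; ret */
    DETOUR_OTHER = 4      /* bytes differ, but no recognised stub shape */
};

/* Compare the first n bytes of a function as seen in memory ("live") with a
 * clean reference (e.g. re-read from the on-disk image) and say how it was
 * patched. A detour patch overwrites the function entry, so these first
 * bytes are exactly where a memory scanner looks. */
enum detour_kind classify_prologue(const uint8_t *live, const uint8_t *clean,
                                   size_t n)
{
    if (memcmp(live, clean, n) == 0)
        return DETOUR_NONE;
    if (n >= 5 && live[0] == 0xE9)
        return DETOUR_JMP_REL32;
    if (n >= 6 && live[0] == 0xFF && live[1] == 0x25)
        return DETOUR_JMP_IND;
    if (n >= 6 && live[0] == 0x68 && live[5] == 0xC3)
        return DETOUR_PUSH_RET;
    return DETOUR_OTHER;
}

/* For an E9 detour, compute where it lands given the function's address:
 * target = address of the next instruction (entry + 5) + signed rel32. */
uint32_t detour_target(const uint8_t *live, uint32_t func_addr)
{
    uint32_t rel = (uint32_t)live[1] | ((uint32_t)live[2] << 8) |
                   ((uint32_t)live[3] << 16) | ((uint32_t)live[4] << 24);
    return func_addr + 5 + rel; /* unsigned wrap handles a negative rel32 */
}

/* Constructed samples: the hot-patchable prologue (mov edi,edi; push ebp;
 * mov ebp,esp; sub esp,0x10) and the same entry overwritten by jmp +0x1000. */
static const uint8_t CLEAN_PROLOGUE[8]  = {0x8B,0xFF,0x55,0x8B,0xEC,0x83,0xEC,0x10};
static const uint8_t HOOKED_PROLOGUE[8] = {0xE9,0x00,0x10,0x00,0x00,0x83,0xEC,0x10};

/* Run the scan over the constructed samples. */
enum detour_kind scan_samples(void)
{
    return classify_prologue(HOOKED_PROLOGUE, CLEAN_PROLOGUE, sizeof CLEAN_PROLOGUE);
}
```

A real scanner would take the reference bytes from the module's file on disk (or a hash of them) rather than from a second in-memory copy, which is exactly why a hardware-breakpoint hook, which leaves the bytes intact, slips past this particular check.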
In my opinion, Blizzard and the hackers each have their own advantages in this confrontation. Blizzard's advantage is that it is the maker of the game's rules: what to detect, and how to detect it, is decided by Blizzard; it only needs to seize one vulnerability to take the initiative. The hacker's advantage is that he can use all the resources of the client to deceive Warden, for example by using a KMD and restricting the game process's permissions. His biggest disadvantage is that it is hard to be careful enough; one careless moment and you get caught. In general, I think Blizzard has the upper hand over publicly released plug-ins, but hackers still hold some advantage with private plug-ins.