General Solutions against plug-ins and Trojans

Source: Internet
Author: User

Plug-ins (cheat programs), Trojans, and private servers are the three deadly enemies of online games. A good online game can be ruined if any one of them knocks it down.
Here I want to describe a general solution for preventing plug-ins and Trojans, one that I hope covers most of them; in principle it can also be used against private servers. Please judge for yourself whether it is feasible. It was inspired by the legendary anti-plug-in solution, to which I owe my thanks.

This solution consists of "two points and one line". One "point" is the detection code that checks whether plug-ins or Trojans are present, rather like a "scout". The other "point" is the attack code, which can throw a player into the plug-in jail or tell the player to change their password, rather like a "sniper". The "line" is the channel over which news of a plug-in or Trojan is securely passed from the scouts to the sniper, rather like a "telephone line". Below I describe the design points of these "two points and one line".

1. "Scouts"
What are the characteristics of a scout?
First, it must be hidden.
Training a scout is hard, and writing detection code is hard. Once the enemy discovers it, it is easily disarmed or killed. If the next piece of code I write is found again, that is no way to defeat the enemy.
If we put a piece of detection code in the client, it must not be easy for a hacker to find with dynamic analysis (such as SoftICE) or disassembly (such as with MASM). For example, the code segment must not contain any identifiable string: no error message text, no plug-in keyword strings such as plug-in program names or process names, and so on. In short, avoid strings wherever possible. If you must use them, store them encrypted, keep the temporary variables used during decryption on the stack, and set them all to 0 after use.
Do not perform any I/O in the detection code: no network communication, interface messages, disk reads or writes, display output, or keyboard and mouse input, because these make it easy for a hacker to locate your code segment. Do not read or write any memory that a hacker can easily watch, including global variables and heap variables, because a hacker can find your code segment simply by monitoring memory modifications.
Do not embed the detection code in the "program initialization" section, which is easy to trace dynamically, or in any part that runs at a fixed time or under fixed conditions. It is better to trigger the detection code at random, which makes it harder for a hacker to track you.
Another recommendation: do not write the detection code as an independent function, but as an inline macro, so that it sits in the middle of other function code where a hacker is less likely to notice it.

Second, it must be diversified.
Diversification solves the problem of correctness. Everyone knows the consequences of seizing or killing the wrong person: forcing a player who has no plug-in into the plug-in jail, or locking an account that no Trojan has stolen, does far more damage to players than catching 10 or even 100 fewer cheaters.
Besides careful testing before release, a better approach is to deploy several "scouts". The sniper then makes a weighted judgement based on what multiple scouts report, rather than shooting on a single report, and it must shoot only the right "man".
The benefit of having more scouts is that, if some of them are "killed" by hackers, the sniper does not go "blind". Meanwhile, from which scouts have gone quiet, the sniper can report to headquarters that scouts have been killed and ask headquarters to send more.
Therefore, three types of detection code can be designed into the program, classified by timing. The first detects and reports to the sniper as soon as the program starts. This kind of code is easily found by hackers, and can also serve as a trap to learn how hackers crack us.
The second detects after several minutes or tens of minutes. It is hard to crack, because hackers usually try to crack a piece of code many times, and delaying the detection time undoubtedly raises the time cost of each attempt. Reports from this type of detection can serve as the main basis for deciding whether we are under attack.
The third type starts an hour or even several hours later. Its report can check whether all the earlier detection code has been cracked, to remind the programmers whether the defense system needs rebuilding or another solution is needed. This type of detection is optional.
In addition, the detection code at each point must not be identical (that is, the program's binary code must differ), and each piece should detect a unique plug-in or Trojan feature. If you want to place the same piece of detection code at different locations and run it at different times, you must reorder some lines of code without changing the function, in case a hacker uses the byte string of one detection point to find another. In short, each piece of detection code should be as different as possible, and the plug-in or Trojan features they detect should also be diversified.
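As an added illustration of the weighted judgement and the "killed scout" report described above (example code, not from the original article), here is a server-side sniper in Python; the scout names, due times, weights, grace period and threshold are assumptions made for the example:

```python
from dataclasses import dataclass, field

# Scout registry for a server-side "sniper". Scout names, due times and
# weights are constructed for this example; the page only gives the three
# timing classes. Immediate scouts are easiest to patch out, so they count least.
SCOUTS = {
    "startup":   {"cls": "immediate", "due_min": 0,  "weight": 1.0},
    "warehouse": {"cls": "delayed",   "due_min": 10, "weight": 3.0},
    "combat":    {"cls": "delayed",   "due_min": 20, "weight": 3.0},
    "hourly":    {"cls": "late",      "due_min": 60, "weight": 5.0},
}
ACT_THRESHOLD = 6.0   # no single scout can reach this: at least two must agree
GRACE_MIN = 5         # minutes a scout may be late before it is presumed killed


@dataclass
class Session:
    minutes: int = 0                               # time the player has been online
    positives: set = field(default_factory=set)    # scouts that saw a plug-in/Trojan
    heard_from: set = field(default_factory=set)   # scouts that reported anything at all


def record(session, scout_id, saw_cheat):
    """Store one scout report. Any report, positive or not, proves the scout is alive."""
    if scout_id not in SCOUTS:
        raise ValueError(f"unknown scout: {scout_id}")
    session.heard_from.add(scout_id)
    if saw_cheat:
        session.positives.add(scout_id)


def score(session):
    """Weighted sum of the scouts that reported a cheat."""
    return sum(SCOUTS[s]["weight"] for s in session.positives)


def verdict(session):
    """Weighted judgement: 'act' only when several independent scouts agree."""
    s = score(session)
    if s >= ACT_THRESHOLD:
        return "act"
    return "suspect" if s > 0 else "clean"


def silenced_scouts(session):
    """Scouts that were due to report but never did, i.e. probably patched out.
    This is what the sniper reports to headquarters to ask for new scouts."""
    return sorted(
        sid for sid, meta in SCOUTS.items()
        if session.minutes > meta["due_min"] + GRACE_MIN and sid not in session.heard_from
    )
```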

2. "Sniper"
What are the characteristics of a sniper?
First, it must be hidden.
Why hidden? If it is not hidden, do you still get a second shot? Does everyone know where you are?
For plug-ins and Trojans, a good hiding place for the sniper is the server. Hackers cannot modify the server, and the server can put players in the plug-in jail or tell them to change their passwords; plug-ins and Trojans cannot stop it.
Private servers are more troublesome, because the sniper must sit on the hacker's own server. The attack must not only trigger randomly but also use relatively hidden methods, such as writing random memory. Triggering a blue screen is also an option, but you must prevent hackers from "hooking" the path that triggers the blue screen, otherwise the sniper exposes itself.

Second, it must be delayed.
Never take the shot the moment the scouts report an attack. That directly tells the hacker which "hill" the scouts are on, so the enemy can easily destroy them. A good sniper waits for the best moment to shoot.
Make sure the delay is long enough for the enemy to take several more "hills" before you shoot and kill him. Then the hacker does not know which hill the scouts are on, which effectively protects our lovely scouts.
For example, suppose a piece of detection code in our client checks for a plug-in when the warehouse is opened. If we take a player to the plug-in jail the moment he opens the warehouse, the hacker can guess that detection code is embedded in the warehouse-opening code; he only needs to trace or read that code to find our scout easily. After that, whether our detection still works is entirely up to him.
But if we delay, the player goes on using plug-ins to level up, to collect money, and to walk, and only then does the sniper take the shot and send him to the plug-in jail. Now the hacker is very busy checking whether there is detection code in the leveling, money-collecting, and walking code, and after a long time may still not have found it, concluding that his own skill is too poor. The sniper can smile.

Third, protection is required.
Because the attack is delayed, the enemy may do damage during the delay and cause significant losses. So you must guard against the potential damage and reduce the losses of innocent players before the shot is taken.
For example, the client discovers a Trojan and reports it to the server. If the sniper shoots immediately and tells the player that the password has been stolen, that undoubtedly violates the second principle, "delay", and easily exposes the location of our scout.
A better solution is to apply a protective measure such as "locking the player's account" as soon as the Trojan is discovered, so that the player is protected from the hacker during the delay, and to notify the player to change the password once the delay is over.
Note that protection must be carried out quietly. If a hacker can detect when protection starts, he knows the moment the scout found him, which violates the second sniper rule, "delay". So while protecting the player's interests, we must also protect the scouts.
For example, suppose that when a Trojan is detected the warehouse lock is immediately engaged to protect the player's important assets. That gives the hacker a way to detect when a scout has found the Trojan: he only has to drop a Trojan in repeatedly and check whether the server automatically engages the warehouse lock, and the time the scouts detected it is revealed. In fact, protecting the assets of the currently logged-in player is pointless; that player's identity is generally genuine, and the hacker can only log in the next time. Therefore, it is enough to engage the warehouse lock at the next login to protect the player's assets.
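The delay and silent-protection rules of this section, as an added Python example that is not part of the original article; the minimum trigger count, the delay range, the case fields and the action names are assumed values chosen for the example:

```python
import random
from dataclasses import dataclass
from typing import Optional

MIN_TRIGGERS = 3                          # let the enemy "take several hills" first
MIN_DELAY_MIN, MAX_DELAY_MIN = 30, 180    # random delay so timing reveals no scout


@dataclass
class Case:
    player: str
    kind: str                            # "plugin" or "trojan", the page's two threats
    triggers: int = 0                    # separate scout sightings so far
    fire_at_min: Optional[int] = None    # earliest minute the sniper may shoot
    lock_on_next_login: bool = False     # silent protection, applied later
    fired: bool = False


def report(case, now_min, rng=random):
    """A scout sighting arrives. Nothing visible happens in this session."""
    case.triggers += 1
    if case.fire_at_min is None:
        case.fire_at_min = now_min + rng.randint(MIN_DELAY_MIN, MAX_DELAY_MIN)
        if case.kind == "trojan":
            # Protect quietly: the stolen password is only useful to the thief
            # at his own login, so the warehouse lock is deferred to that moment.
            case.lock_on_next_login = True


def on_login(case):
    """Next login: engage the warehouse lock if a Trojan was seen earlier."""
    return "warehouse_locked" if case.lock_on_next_login else "ok"


def tick(case, now_min):
    """Called periodically; returns the sniper's action, or None to keep waiting."""
    if case.fired or case.fire_at_min is None:
        return None
    if now_min < case.fire_at_min or case.triggers < MIN_TRIGGERS:
        return None
    case.fired = True
    return "jail" if case.kind == "plugin" else "force_password_change"
```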

3. "Telephone Line"
How do we make the call securely?
First, do not connect directly.
If the scout runs a telephone line straight to the sniper, finding one makes it easy to find the other, and then the whole team is lost.
If both the detection code and the attack code are on the client (the private-server case), do not call the attack code directly from the detection code; otherwise, once one is found, both are finished. It is safer to fold the detection result into a variable that a large amount of code uses frequently (for example, by adding 1000000 to an integer variable). The normal code then computes with and modifies this variable and writes the result into other variables, and the attack code reads and analyzes the scouts' signal only in those "other locations".
For plug-ins and Trojans this is easier, because the sniper is on the server and there is no risk of exposure.

Second, communication must be kept secret.
If a scout who finds the enemy shouts "I see the enemy! I see the enemy!" in plain words over the phone, that scout will surely be short-lived.
The right method is to hide the enemy report inside a large number of normal upload messages. For example, when uploading a walking or combat message, include a special "unreasonable" value: a walking direction of 9, or an attacked monster ID that is an invalid fixed value such as 98372472. Among a great many walking or attack messages this illegal value appears only occasionally, which hardly draws a hacker's attention; moreover, he does not know when I will upload this "hidden message". How then can he discover our communication secret?
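The hidden "telephone line" above, as an added Python example that is not from the original article: the walk and attack message format, the eight-direction range and the piggyback rate are assumptions, while direction 9 and monster ID 98372472 are the page's own values. The server answers a covert report exactly as it answers any other invalid message, so its replies give a watching hacker nothing to distinguish.

```python
import random

# Constructed message format for this example: a walk message carries a
# direction 0..7 (eight compass directions), an attack message carries a
# monster id. The page's "unreasonable" values are the covert scout report.
SIGNAL_DIRECTION = 9
SIGNAL_MONSTER_ID = 98372472
PIGGYBACK_RATE = 0.05   # roughly one message in twenty carries a pending report


class Client:
    """Client side: scouts queue reports; the uploader leaks them at random times."""

    def __init__(self, rng=random):
        self.pending = 0      # reports queued by scouts (the "other location" they write to)
        self.rng = rng

    def walk(self, direction):
        if self.pending and self.rng.random() < PIGGYBACK_RATE:
            self.pending -= 1
            return {"type": "walk", "dir": SIGNAL_DIRECTION}
        return {"type": "walk", "dir": direction}

    def attack(self, monster_id):
        if self.pending and self.rng.random() < PIGGYBACK_RATE:
            self.pending -= 1
            return {"type": "attack", "monster": SIGNAL_MONSTER_ID}
        return {"type": "attack", "monster": monster_id}


def server_handle(player, msg, ledger):
    """Server side: peel off covert reports into `ledger` (player -> count),
    then answer exactly as for any other invalid or valid message."""
    if msg["type"] == "walk":
        if not 0 <= msg["dir"] <= 7:
            if msg["dir"] == SIGNAL_DIRECTION:
                ledger[player] = ledger.get(player, 0) + 1
            return "ignored"                  # same reply as any bad direction
        return f"moved:{msg['dir']}"
    if msg["type"] == "attack":
        if msg["monster"] == SIGNAL_MONSTER_ID:
            ledger[player] = ledger.get(player, 0) + 1
            return "ignored"                  # same reply as any invalid target
        return f"hit:{msg['monster']}"
    return "ignored"
```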

With the above "two points and one line" (in fact many points and many lines), the entire defense system is established. No matter how rampant plug-ins, Trojans, and private servers become, we too can say "one shot, one kill!"
