I did some research last year and studied some plug-ins related technologies. I plan to share with you some of our ideas, principles, and hopes to introduce some of our ideas.
Plug-ins are used.ProgramInstead of manipulation, the simulator sends keyboard and mouse messages to the game program. The general process is:
1,PassWindowsSystemOpenProcess APIOpen the target process-That is, the game, so that it can read and write data in the target memory, or even call functions of the target process, such as some world-class gamesLuaFunction, or the game's ownC/C ++Function.
2,PassReadvirtualmemoryAndWritevirtualmemoryCome Read and modify some key information, such as the person's life value, the person's coordinates, and various elements on the map in the game.
3,Next
A)You can either call some functions in the game, bypass some constraints on the game client, and call some very powerful functions in the role to quickly kill monsters. However, the disadvantage of this method is obvious. The server will perform a lot of checks to determine whether you are hanging and block you.
B)You can either directly send a keyboard, mouse, or other message to the game process by determining that obstacles, monsters, and other things on the map have crossed the map. Of course, killing monsters is done by simulating buttons.
However, with the destructive impact of plug-ins on the game, anti-plug-ins and plug-ins have been entangled in the kernel layer, such:
1,To prevent external callsWindowsA series of key systemsAPI(For exampleOpenProcess,Read/writevirtualmemoryAnd so on), online games are generally started at the gameWindowsTo load a driver on the operating system, the driver aims to modify a series of keyAPIOfCodeSometimes the game process is hidden in the system, so that user-mode plug-ins and debuggers cannot access the game process.
2,To prevent the plug-in producer from passing throughKernel debugging technologyTo analyze the game's key to the SystemAPIAfter the anti-plug-in driver is started, kernel debugging is usually disabled (Anti-debugging technology,Anti-debugging Technology 2).
3,In addition, game programs are blocked.WindowsThe system is a function used to send keyboard, mouse, and other messages to game processes.
4,To prevent the key data in the game from being easily modified, the game program will encrypt these things and use an encryption function to read and write.
5,In addition, in order to prevent the plug-in from killing monsters too much and thus affecting the game balance, data such as the coordinates and types of monsters on the game server and a map are generally transferred to the client a little bit.
6,There are many more ...... (I do not have enough experience, and I will not be able to complete the enumeration at half past one ).
The first step of plug-in is to crack the anti-plug-in driver. Otherwise, not only cannot control the game process, but also cannot use the debugger to reverse analyze some key data in the game. The common practice is:
1,First, crack the anti-plug-in driver to disable kernel debugging.WindbgAnd Virtual MachineKernel debugging technology.
2,Then find out the anti-plug-in driver for the SystemAPI.
3,Then write another driver to bypass the anti-plug-in driver for the SystemAPI.
However, the above method is a little tiring, because some reverse actions are required to crack and disable kernel debugging, and reverse actions on the anti-plug-in driver are required, which is troublesome. However, it does not disable the local kernel debugging and memory file generation functions. Therefore, we can use this method to debug and develop the driver, which is a little easier than the dual-host kernel debugging.
1,Use the Local Kernel for debugging:
Windbg-KL
2,Generate memory (Dump) File:
Modify\ HKLM \ System \ CurrentControlSet \ Control \ crashcontrolIn:
AutoReboot
Crashdumpenabled
1-Indicates that the physical memory content is fully saved.
2 -?
3-minidump
If you change1,Bsod(Blue screen), full memory is saved in% Windir % \ Memory. dmp
If you change3,Bsod(Blue screen,MinidumpSave in% Windir % \ minidump \Folder.
Another relatively simple method is that you intentionallySsdtWrite some junk data, and then cause the systemBsod(Blue screen), used after restarting the machineWindbgOpenDumpOpenMemory. dmpFile, run! Analyze-VThe command automatically displays allHookFunctions andHookAddress, code, and other information, so that you can directly complete1And2Step.
The remaining codes are relatively simple. For specific codes, refer to the previous blog:Summary of the game driver protection process for cracking xxxAnother friend wrote a detailed description of the cracking process. We also recommend that you take a look:Dnf tp-driven protection (I).
Finally, if you are interested in debugging technology, you can purchase my new book: Application debugging technology. This video not only describes debugging skills, the technologies used in the surrounding area are explained as much as possible. This is because the debugging technology is good and requires a solid foundation of skills and background knowledge.
Thank you for your consideration ......