Anti-external series

xiaoxiao2021-03-06  60

May have a bit long, everyone is patient, huh, huh.

"Laozi can't see the hanging series of hangs"

Most of the mainstream plug-in, including buttons, automatic doing plug-in. They are all passed through the Hook, and use different hook types, for example, for the network, usually through the Hook message, get DLL to our game program, then get the address of their despicable functions in the DLL through GetProcadDress And real function addresses, then change our function addresses into their API addresses through WriteProcessMemory.

So when we executed in our game, you will first trigger their hooks first, etc. They arrange the evil trap, and then perform our procedure. So, how do you prevent this type of plug-in? As the saying goes, it is the way to him, The so-called magic is one foot, the road is high. The so-called evil is honest. The so-called sky network is restored. The so-called thief is confident.

Well, Windows hooks have a feature, which is hook chain, because for the same process, even more types of hooks, there are also many, that is, for the same game, open two functions, the same plug-in can also . So how do you decide the order of the hook? The so-called later, Windows practice is that the last hook has the first hooks to perform. And the inspiring message is that the next hook can be controlled in the hook.

This function is CallNexthookex, that is, if this function is not executed in a hook, the hook chain will be interrupted, then our ideas are very simple, in the game run, open a process, every other Time is hook our main program, then in the hook, do not perform CallNexthookex, so you can avoid others' hooks.

The so-called, just found that the enemy is not enough, but also destroy the enemy. No, let's take a look at how to thoroughly turn the enemy into a crushing fracture. Well, to destroy the enemy, it is more complicated. It is necessary to take different types of methods for different types of hooks, because the enemy's hook does not matter, it is nothing more than two purposes, one is to modify the data, and it is filter. data. Its core thinking is that our own game is registered with two hooks, one is always in the bottom of the hook chain, and the other is always in the uppermost layer of the hook chain, and if there are two hooks received, if you know if there is anything else Hook. One, find that there are other hooks, don't think, must be plug-in, the least use button elves, title, killing, how to do it,

Of course, the enemy is not so fragile. It is said that someone uses Raw Socket to intercept all the network news, this is not related to the hook, this is more underlying. But don't be afraid, as the saying goes, with the way, pay attention to it. The so-called magic is one foot, and the road is high. The so-called evil is honest. The so-called sky network is restored. The so-called thief is confident. Up to intercept Raw Socket, will be broadcast in the next focus, please pay attention. .

============================================================================================================================================================================================================= ============ "Laozi does not usually hang a series to prevent interception network messages" Here first, the enemy must be classified, and the method is much more simpler for the most enemy level. The most used method is generally written by writing a WSOCK32.DLL in the same directory of the game, replacing the system's WSOCK32.DLL. For this kind of stupid method, there is a lot of solutions, and the load time is loaded into wsock32.dll to change to the load of Run Time, then specify the path, there is no problem. Simple point, check if there is any WSOCK32.DLL in the current directory, then, then it is definitely a hook.

A little enemy with a little higher than the highest level, you will use the hook to hook directly, the general approach is to get the address of the socket API by getProcAddress, then modify the entry address through the WriteProcessMemory method, change it to JMP its own function address. This method is actually very despicable. The so-called non-toxic can't worry, we can prevent others to intercept socket by modifying the universal GetProcaddress code, so that the firewall can break through the firewall.

The technical difficulty here is that we can't write memory with WriteProcessMemory because we don't know which process exactly, so we need to modify the Windows code segment, which is impossible, but unfortunately whispered to himself. Inside the latter, in Kernel.dll, Uint Allocstodsalias (UINT), by passing the selector of the API code to it, you can return a selector of a writable data segment, then new selectors and APIs The entrance address is added to obtain a pointer to which a writable code segment can be obtained.

There are this principle of domestic spending software and full-screen translation software. For example, the specific examples are as follows: such as getProcaddress this API, in Kernel.dll, we have to do the general hooks for it, you should follow the following steps: TypedEf uint (WINAPI * FOO) (UINT); FOO AllocCsToDsAlias; HMODULE hKernel = GetModuleHandle ( "kernel"); AllocCsToDsAlias ​​= (FOO) GetProcAddress (hKernel, "AllocCsToDsAlias"); FARPROC entry = GetProcAddress (hKernel, "GetProcAddress"); WORD offset = (Word); uint selector = alloccstodsalias (fp_seg (entry)); byte * addr = (byte *) mk_fp (selector, offset);

Then you can write 5 Byte's things to the address, the first BYTE is JMP, and the different CPUs may be different, and one of the DWORD is your function of your function. . In this way, you can do the hook switch by saving the data of the ADDR. When the hook is opened, all getProcadDress calls will be called to our function. At this time, if someone wants to getProcaddress wsock32.dll. We do it. .

Similarly, if someone calls the Raw Socket monitoring network by opening the Socket this API, we can also achieve the first into the top, see who is monitoring our network transmission.

============================================================================================================================================================================================================= ================= "Laozi did not usually hang the series or started from social" "

In fact, the principle of investing plug-in and the principle of catching viruses is just that technology is now unsuccessful. When doing external technology and anti-exact techniques, it is impossible to prevent exactly from technology.

In fact, it is helplessly, anti-virus software is a new virus, announced its special code in the first time, then update all clients, see this feature, kill. In fact, it is otherwise that the CHATING-Death, which is in fact, the CHATING-Death is this principle, no matter what new plug-in, the CD is always updated within the first time, and the client is still stupid as long as I see this The feature is kill it. In fact, think about it, this is a very good idea, from the motivation of the extension developer. They have to develop plug-in, and it is estimated that the sports technology is on the one hand, but more importantly, I still want to make money, or used to hang up, I will definitely be discovered or reported by other players, this time should be done. It is to download a plug-in as soon as possible, or study it according to its behavior, and record the next signature, it is not too complicated, the easiest way is to remember the name of its plug-in window, then as long as Seeing this plug-in window, just do some processing.

Then, the key technique is in how to design out this structure, first of all the client needs an extension engine, and an plug-in feature library, generate a fixed version number according to the engine and the character library, then Use this version number when you log in, compare the version number on the server. If you don't have the same, you automatically download the latest check-out engine and plug-in feature library from the server.

In this way, although it can't be killed, it can be more exclusive to encircle the wind. I believe that players who use plug-in players just want to play games, but they only have a little bit, but their starting point is still good. As long as he uses more plug-in to block or induce him without using plug-in, this effect will be much better. Imagine, who is willing to wait a plug-in update every day, and don't play the game he wants to play. In this way, people who make plugins will gradually decrease, thus entering a benign cycle. It is like writing a virus today and is not as popular as it is. . . -

============================================================================================================================================================================================================= ================

转载请注明原文地址:https://www.9cbs.com/read-118867.html

New Post(0)