CN114307165A - Plug-in detection method, device, equipment and medium - Google Patents
Plug-in detection method, device, equipment and medium Download PDFInfo
- Publication number
- CN114307165A CN114307165A CN202111669760.8A CN202111669760A CN114307165A CN 114307165 A CN114307165 A CN 114307165A CN 202111669760 A CN202111669760 A CN 202111669760A CN 114307165 A CN114307165 A CN 114307165A
- Authority
- CN
- China
- Prior art keywords
- plug
- detection
- target
- file
- code
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000001514 detection method Methods 0.000 title claims abstract description 308
- 238000012545 processing Methods 0.000 claims abstract description 41
- 238000000034 method Methods 0.000 claims abstract description 36
- 230000006870 function Effects 0.000 claims description 90
- 230000008439 repair process Effects 0.000 claims description 10
- 238000004458 analytical method Methods 0.000 claims description 7
- 238000004422 calculation algorithm Methods 0.000 claims description 7
- 238000004590 computer program Methods 0.000 claims description 6
- 230000008569 process Effects 0.000 description 7
- 238000010586 diagram Methods 0.000 description 6
- 230000008901 benefit Effects 0.000 description 4
- 230000007246 mechanism Effects 0.000 description 4
- 230000002441 reversible effect Effects 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 2
- 230000008859 change Effects 0.000 description 2
- 238000005336 cracking Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 230000001788 irregular Effects 0.000 description 2
- 230000000670 limiting effect Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 230000002265 prevention Effects 0.000 description 2
- 230000006978 adaptation Effects 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 239000000470 constituent Substances 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000003780 insertion Methods 0.000 description 1
- 230000037431 insertion Effects 0.000 description 1
- 230000003993 interaction Effects 0.000 description 1
- 230000002452 interceptive effect Effects 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 230000036961 partial effect Effects 0.000 description 1
- 238000009527 percussion Methods 0.000 description 1
- 230000002085 persistent effect Effects 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 230000001052 transient effect Effects 0.000 description 1
- 238000013519 translation Methods 0.000 description 1
Images
Landscapes
- Stored Programmes (AREA)
Abstract
The invention discloses a plug-in detection method, a plug-in detection device, plug-in detection equipment and a plug-in detection medium, which are applied to the field of computers, wherein the method comprises the following steps: acquiring and storing a plug-in detection original file; processing the plug-in detection original file according to a preset processing rule to obtain a target plug-in detection code; and issuing the target plug-in detection code to the game client according to the anti-plug-in detection time rule so that the game client executes the current plug-in detection according to the target plug-in detection code. The scheme can improve the reliability of the anti-plug-in detection.
Description
Technical Field
The invention relates to the field of computers, in particular to a plug-in detection method, device, equipment and medium.
Background
The plug-in means that some people use the computer technology of the others to specially aim at one or more online games, and cheating programs are manufactured by changing partial programs of online game software, so that the balance of the game world is damaged, and the fairness of the games is influenced.
In the existing anti-plug-in mechanism, a detection code is implanted into a game client to collect suspicious plug-in information and then send the suspicious plug-in information to a remote server, and a plug-in program is identified manually. In the existing anti-plug-in mechanism, an anti-plug-in engine library can be loaded on a game client, so that a plug-in detection program contained in the anti-plug-in engine library is responsible for detecting and identifying the plug-in program of the game client. Obviously, the existing anti-plug-in mechanism can easily find a plug-in detection program through a reverse or debugging technology, so that the anti-plug-in mechanism fails. And if the anti-plug-in program needs to be updated, the game client needs to be updated, so that the game client can be perceived by the user.
Disclosure of Invention
The embodiment of the invention provides a plug-in detection method, device, equipment and medium, which can at least effectively solve the problems.
In a first aspect, an embodiment of the present invention provides a plug-in detection method, where the method includes: acquiring and storing a plug-in detection original file; processing the plug-in detection original file according to a preset processing rule to obtain a target plug-in detection code; and issuing the target plug-in detection code to a game client according to an anti-plug-in detection time rule so that the game client executes current plug-in detection according to the target plug-in detection code.
Preferably, the issuing the target plug-in detection code to the game client according to the anti-plug-in detection time rule includes: determining issuing time for issuing the target plug-in detection code according to a pre-configured unequal interval time sequence, or determining issuing time for issuing the target plug-in detection code according to random number time generated by a random number generation algorithm; and issuing the target plug-in detection code to the game client according to the determined issuing time.
Preferably, the processing the plug-in detection original file according to a predetermined processing rule to obtain a target plug-in detection code includes: analyzing an original plug-in detection code from the plug-in detection original file; and randomly inserting confusion codes aiming at the original plug-in detection codes to obtain target plug-in detection codes, wherein the target plug-in detection codes are used for the game client to execute the current plug-in detection.
Preferably, issuing the target plug-in detection code to the game client includes: and sending the target plug-in detection code to a game server so that the game server encrypts the target plug-in detection code and distributes the encrypted target plug-in detection code to each game client in an encryption mode negotiated with each game client.
Preferably, the acquiring and storing a plug-in detection original file includes: acquiring an intermediate code file compiled by a plug-in detection source program; carrying out function combination processing on the intermediate code file to form an external hanging detection original file with invisible self-defined function symbols, wherein the self-defined function symbols are various function symbols except a main function symbol and a system function symbol; and storing the plug-in detection original file to an anti-plug-in server.
Preferably, the storing the plug-in detection original file to an anti-plug-in server includes: and storing the plug-in detection original file in an xml format which is not self-defined.
Preferably, the intermediate code file comprises a symbol table and a relocation table; the function combination processing is carried out on the intermediate code file to form the plug-in detection original file with the invisible user-defined function symbol, and the method comprises the following steps: determining a user-defined function symbol from the intermediate code file according to the symbol table; and removing the determined custom function symbols from the symbol table and the repositioning table.
Preferably, the determining a custom function symbol from the intermediate code file according to the symbol table includes: respectively taking each symbol in the symbol table as a target symbol object; judging whether the target symbol object is in a code segment or not according to the table item information related to the target symbol object in the symbol table, and judging whether the target symbol object is a function name type symbol or not; and if the target symbol object is in the code segment and the target symbol object is a symbol of a function name type, determining that the target symbol object is a self-defined function symbol.
In a second aspect, an embodiment of the present invention provides a plug-in detection method, which is applied to a game client, and the method includes: receiving a target plug-in detection code issued by an anti-plug-in server, wherein the target plug-in detection code is obtained by processing the plug-in detection original file by the anti-plug-in server; analyzing the target plug-in detection code to obtain an anti-plug-in target file; dynamically loading a dynamic link library file depended by the anti-plug-in target file to a memory space of the game client, and performing address repair on each repositioning item according to a repositioning table of the anti-plug-in target file to form an executable file corresponding to the anti-plug-in target file; and executing the executable file to finish the current external hanging detection of the game client.
In a third aspect, an embodiment of the present invention provides a plug-in detection device, including: the file acquisition unit is used for acquiring and storing the plug-in detection original file; the file processing unit is used for processing the plug-in detection original file according to a preset processing rule to obtain a target plug-in detection code; and the code issuing unit is used for issuing the target plug-in detection code to the game client according to an anti-plug-in detection time rule so that the game client executes current plug-in detection according to the target plug-in detection code.
In a fourth aspect, an embodiment of the present invention provides an external hanging detection apparatus, including:
the system comprises a code receiving unit, a target plug-in detection unit and a plug-in detection unit, wherein the code receiving unit is used for receiving a target plug-in detection code issued by an anti-plug-in server, and the target plug-in detection code is obtained by processing a plug-in detection original file by the anti-plug-in server;
the code analysis unit is used for analyzing the target plug-in detection code to obtain an anti-plug-in target file;
the link unit is used for dynamically loading a dynamic link library file depended by the anti-plug-in target file to a memory space of the game client, and executing address repair on each repositioning item according to a repositioning table of the anti-plug-in target file to form an executable file corresponding to the anti-plug-in target file;
and the file execution unit is used for executing the executable file so as to finish the current plug-in detection of the game client.
In a fifth aspect, an embodiment of the present invention provides an electronic device, including: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method according to any of the embodiments of the first aspect or the method according to any of the embodiments of the second aspect when executing the program.
In a sixth aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the method according to any one of the embodiments of the first aspect or the method according to any one of the embodiments of the second aspect.
One or more technical solutions provided by the embodiments of the present invention at least achieve the following technical effects or advantages:
the embodiment of the invention obtains and stores the plug-in detection original file; processing the plug-in detection original file according to a preset processing rule to obtain a target plug-in detection code; and issuing the target plug-in detection code to the game client according to the anti-plug-in detection time rule so that the game client executes the current plug-in detection according to the target plug-in detection code. The target plug-in detection codes which are re-issued by the anti-plug-in server are used for plug-in detection of the game client each time, namely, the target plug-in detection codes are dynamically issued to the game client by the plug-in server instead of being pre-implanted in the game client, and plug-in crackers cannot find the target plug-in detection codes in the reverse game client, so that the plug-in detection codes can be prevented from being cracked at the game client, and the plug-in prevention reliability is improved.
In addition, the target plug-in detection code is dynamically issued to the game client instead of being implanted in the game client in advance, so that the update of the plug-in detection code is not required to update the game client, and the update of the plug-in detection code is not sensed by a game user. Therefore, the user experience is improved, the plug-in detection code can be updated more conveniently and frequently, and the plug-in prevention reliability is improved.
The foregoing description is only an overview of the technical solutions of the present invention, and the embodiments of the present invention are described below in order to make the technical means of the present invention more clearly understood and to make the above and other objects, features, and advantages of the present invention more clearly understandable.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a diagram illustrating a system architecture of an anti-cheating system in an embodiment of the present disclosure;
FIG. 2 is a flow chart of a method for detecting a store-in an embodiment of the present disclosure;
FIG. 3 is a detailed flowchart of the step of acquiring and storing the plug-in detection original file in FIG. 1;
FIG. 4 is a flow chart of a cheating detection method applied to a game client in the embodiment of the present specification;
FIG. 5 is a block diagram of a plug-in detection apparatus according to an embodiment of the present disclosure;
FIG. 6 is a block diagram showing a plug-in detection apparatus applied to a game client in an embodiment of the present specification;
fig. 7 is a schematic structural diagram of an electronic device taking a server as an example in the embodiment of the present invention.
Detailed Description
Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art.
As shown in fig. 1, fig. 1 is a system architecture diagram of a plug-in detection system in an embodiment of the present invention, where the plug-in detection system includes: anti-plug-in server, game server and game client, wherein: the anti-plug-in server is used for acquiring and storing plug-in detection original files; processing the plug-in detection original file according to a preset processing rule to obtain a target plug-in detection code; issuing a target plug-in detection code to the game client according to the anti-plug-in detection time rule; and the game client is used for executing the current plug-in detection according to the target plug-in detection code issued by the anti-plug-in server.
It can be understood that the anti-plug-in server can send the processed target plug-in detection code to the game server, and the game server encrypts the target plug-in detection code and distributes the encrypted target plug-in detection code to each game client through an encryption mode negotiated with each game client.
For better understanding of the embodiment of the present invention, a plug-in detection method provided by the embodiment of the present invention is described below with reference to fig. 2, and the plug-in detection method can be applied to an anti-plug-in server or other similar devices, and specifically includes the following steps S101 to S102:
s101, acquiring and storing the plug-in detection original file.
The plug-in detection original file is generated according to the plug-in detection source program, for example, the plug-in detection original file is an intermediate code file obtained by compiling the plug-in detection source program, wherein the intermediate code file may be a binary text file, for example: an obj file (object file) that contains all the code and data in the compilation unit in the form of machine code.
In the external detection source program, all the self-defined function bodies are arranged in sequence behind the main function; therefore, in the intermediate code file compiled by the plug-in detection source program, the binary codes of all the self-defined functions are also sequentially arranged behind the main function according to the sequence, so that the initial position of the intermediate code file is the starting position of the core code, and the function calling is convenient to realize.
Specifically, the format of the plug-in detection source program can be cpp or c, and the plug-in detection source program in the cpp or c format is compiled through a vs compiler to obtain an intermediate code file (obj file);
furthermore, the subsequent analysis of the external hanging detection original file by the anti-external hanging server is facilitated, and the connection of the external hanging detection program in the external hanging detection original file by the game client is facilitated. And (4) the self-defined function symbol in the plug-in detection original file is in an invisible state. Specifically, as shown in fig. 3, the following steps S201 to S203 may be implemented to make the custom function symbol in the plug-in detection original file invisible:
s201, obtaining an intermediate code file compiled by the plug-in detection source program.
S202, carrying out function combination processing on the intermediate code file to form an invisible plug-in detection original file with a user-defined function symbol, wherein the user-defined function symbol is various function symbols except a main function symbol and a system function symbol.
And S203, storing the plug-in detection original file to an anti-plug-in server.
It should be understood that, in the steps S201 to S202, the process of generating the plug-in original file with the invisible custom function symbol according to the plug-in detection source program may be directly executed by the anti-plug-in server, or may be executed by other electronic devices to generate the plug-in original file with the invisible custom function symbol according to the plug-in detection source program and then upload the plug-in original file to the anti-plug-in server, so as to store the plug-in original file to the anti-plug-in server.
In the embodiment of the invention, the address for calling between the self-defined functions in the plug-in detection original file can be as follows: the called function address-current calling address +5 is calculated, so that whether the user-defined function symbol exists in the symbol table and the redirection table or not has no influence on the called of the user-defined function, and the user-defined function symbol can be completely deleted from the symbol table and the redirection table.
Taking the intermediate code file as an obj file as an example, the constituent elements include: symbol table, relocation table, code segment and data segment. Based on this, the process of performing function merging processing on the intermediate code file is as follows: determining a self-defined function symbol from the intermediate code file; the determined user-defined function symbols are removed from the symbol table of the intermediate code file and the relocation table of the intermediate code file, so that only main function symbols and system function symbols are reserved in function name symbols in the symbol table and the relocation table, and the main function symbols and the system function symbols need to be used when the game client side carries out link operation on target plug-in detection codes after receiving target plug-in detection codes issued by the anti-plug-in server, so that the main function symbols and the system function symbols need to be reserved in the symbol table and the relocation table and cannot be deleted.
In the compiling stage, the compiler scans the whole plug-in detection source program to collect the symbols such as function name, variable name, segment name and the like in the plug-in detection source program and write the symbols into the symbol table, so that various symbols exist in the symbol table, and one embodiment of determining the self-defined function symbols from the intermediate code file based on the symbols is as follows: respectively taking each symbol in the symbol table as a target symbol object; judging whether the target symbol object is in a code segment of the intermediate code file or not according to the table entry information related to the target symbol object in the symbol table, and judging whether the target symbol object is a symbol of a function name type or not; and if the target symbol object is in the code segment and the target symbol object is a symbol of the function name type, determining that the target symbol object is a self-defined function symbol.
It should be noted that the relocation table and the symbol table have respective data structures. For example, there are multiple entries in the data structure of the symbol table, where the value of the "Type" entry marks the Type of the symbol, and specifically, there are various types of symbols in the relocation table and the symbol table, such as function name, variable name, segment name, and some constant information. Wherein, if the value of the "Type" entry is "DT _ FUNCTION", it indicates that the symbol belongs to the FUNCTION name Type. The "Section Number" entry represents whether the corresponding symbol is in the code segment. Specifically, the value of "Section Number" is "text", which indicates that the symbol is in the code segment, and the value of "Section Number" is other, which indicates that the symbol is not in the code segment. Thus, it can be determined from the symbol table whether each symbol is a function name type and whether the symbol is in a code segment.
It should be noted that the system function is a data segment in the intermediate code file, and the custom function is a code segment in the intermediate code file, so the location of the custom function is different from that of other types of functions, and therefore, by determining whether the symbol belonging to the function name type is in the code segment, it can be distinguished whether the symbol of the function name type is a custom function symbol.
The anti-plug-in server is convenient to store plug-in detection original files on the anti-plug-in server and send the files to the game client. The plug-in detection original file can be stored in the anti-plug-in server in a self-defined XML (Extensible Markup Language) format.
Specifically, after the anti-plug-in server obtains the plug-in detection original file, the plug-in detection original file is converted into a self-defined XML format and then is stored in the anti-plug-in server, and the XML format is in a hexadecimal byte stream form, so that the storage of data can be simplified.
The method comprises the following steps of converting a plug-in detection original file into a self-defined XML format, specifically: various useful information is analyzed from the plug-in detection original file, and the analyzed useful information is stored according to a self-defined xml format, wherein the useful information analyzed from the plug-in detection original file comprises the following information: entry information in a symbol table, code information in a code segment, entry information in a relocation table, and so on.
It should be noted that the custom xml format includes: and customizing the tag, the tag content and the specific storage format so as to store various information analyzed from the plug-in detection original file into a customized xml format.
S102: and processing the plug-in detection original file according to a preset processing rule to obtain a target plug-in detection code.
It should be noted that, the plug-in detection original file is processed according to the predetermined processing rule, and the plug-in detection original file may be analyzed only according to a predetermined file analysis manner to obtain an original plug-in detection code, and the original plug-in detection code is directly used as a target plug-in detection code to be issued to the game client. The preset file analysis mode is related to the format of the plug-in detection source file, and the plug-in detection source file is analyzed according to the file analysis mode which is suitable for the file format of the plug-in detection source file.
It should be noted that, if the plug-in detection original file is stored in the anti-plug-in server in the customized XML format, the anti-plug-in server may use the DOM parser to parse the plug-in detection original file to obtain the original plug-in detection code. It should be understood that, the storage format of the plug-in detection original file in the anti-plug-in server is different, and the parser collected by the anti-plug-in server is different, and is not limited to use of the DOM parser.
In order to increase the difficulty of cracking the target plug-in detection codes at the game client, the original plug-in detection codes are analyzed from the plug-in detection original file; and inserting confusion codes aiming at the original plug-in detection codes to obtain target plug-in detection codes to be issued to the game client, wherein the target plug-in detection codes are used for executing the current plug-in detection of the game client.
The confusion code is inserted into the original plug-in detection code, and a flower instruction can be randomly inserted into the original plug-in detection code, so that the offset address corresponding to the function generates dynamic change. Specifically, the original plug-in detection code is translated through a disassembling engine, and according to a translation result, any one or more assembly instructions are randomly selected to be inserted into the flower instruction before or after the assembly instruction, so that the target plug-in detection code is obtained.
In the specific implementation process, the confusion code is inserted aiming at the original plug-in detection code, and the method can also be as follows: and a confusion code library is pre-configured in the anti-plug-in server, and the analyzed original plug-in detection code is subjected to disassembly processing to obtain a key assembly code. Wherein, the key assembly code can be instructions such as jz and call; one or more confusion codes are randomly selected from a confusion code library and inserted before key assembly codes, so that the purposes of deceiving OD (olyDBG) dynamic debugging tools, IDA PRO (Interactive platform, IDA for short) static debuggers and other reverse debugging tools are achieved, dynamic confusion is realized under the condition that script codes are not changed, plug-in detection programs issued to game clients each time are dynamically changed along with different confusion codes and insertion positions of the confusion codes and are not constant, and the difficulty of the game clients in cracking the detection programs is further increased by the plug-in detection programs.
S103: and issuing the target plug-in detection code to the game client according to the anti-plug-in detection time rule so that the game client executes the current plug-in detection according to the target plug-in detection code.
Specifically, issuing the target plug-in detection code to the game client according to the anti-plug-in detection time rule may be: and the anti-plug-in server periodically transmits the target plug-in detection code to the game client. In order to further improve the safety of the plug-in detection process, the anti-plug-in server can issue the target plug-in detection code to the game client at irregular time.
For the situation that the anti-plug-in server issues the target plug-in detection code to the game client at irregular time, the following steps can be taken: determining issuing time for issuing the target plug-in detection code according to a pre-configured unequal interval time sequence, or determining issuing time for issuing the target plug-in detection code according to random number time generated by a random number generation algorithm; and issuing the target plug-in detection code to the game client according to the determined issuing time.
It should be noted that the unequal interval time sequence may be configured by the user according to the plug-in percussion strategy, and is not limited herein.
The random number time generated by the random number generation algorithm is 50 s-120 s, so that the random number time generated each time does not exceed the range of 50 s-120 s, and the plug-in detection frequency can be controlled. In a specific implementation process, when the current plug-in detection is executed on the game client, a random number generation algorithm is adopted to generate random number time for executing the plug-in detection next time.
By the two implementation modes, the execution time of the target plug-in detection code issued by the anti-plug-in server is variable, so that the client cannot predict the time point of next plug-in detection execution, and therefore, the plug-in detection code is more effectively prevented from being cracked at the client.
It can be understood that the issuing of the target plug-in detection code by the anti-plug-in server to the game client needs to depend on the game server. Specifically, the anti-plug-in server sends the target plug-in detection code to the game server, and the game server encrypts the target plug-in detection code in a negotiation encryption mode negotiated with each game client and then distributes the encrypted target plug-in detection code to each game client.
The anti-plug-in server distributes the target plug-in detection codes to each game server in a byte stream mode, each game server encrypts the received target plug-in detection code byte stream and distributes the encrypted byte stream to each game client side served by the game server.
Specifically, the game server randomly selects an encryption mode from a plurality of preset encryption modes for carrying out encryption transmission on the target plug-in detection code, wherein a data packet for transmitting the target plug-in detection code comprises an encryption mode zone bit, and the encryption mode zone bit represents the encryption mode used by the game server for encrypting and transmitting the target plug-in detection code at the current time. Further, the game server develops the target plug-in detection code and a key for decrypting the target plug-in detection code to the game client, so that transmission safety is improved.
Based on the same inventive concept, referring to fig. 4, an embodiment of the present invention provides a plug-in detection method applied to a game client, including the following steps S301 to S304:
s301, receiving a target plug-in detection code issued by the anti-plug-in server, wherein the target plug-in detection code is obtained by processing a plug-in detection original file by the anti-plug-in server.
In step S301, the game client may decrypt and receive the target plug-in detection code by using the encryption method and the password agreed with the game server.
Specifically, the game client determines the encryption mode used by the game server at the current time according to the encryption mode flag bit, and the game client decrypts and receives the target plug-in detection code by adopting a decryption mode matched with the encryption mode used at the current time. Therefore, dynamic change of the encryption and decryption algorithm used for transmitting the target plug-in detection code between the game server and the game client is realized, and the safety of transmitting the target plug-in detection code is improved.
S302, analyzing the target plug-in detection code to obtain an anti-plug-in target file.
And analyzing an anti-plug-in target file from the received byte stream of the target plug-in detection code by an anti-plug-in engine of the game client.
It should be understood that the anti-plug-in target file parsed by the game client is a file with the same format as the plug-in detection original file generated by the game server. Specifically, both the anti-plug-in target file and the plug-in detection original file belong to the obj file, and the anti-plug-in target file has more randomly inserted confusion codes relative to the plug-in detection original file. Taking the example that the anti-plug-in target file and the plug-in detection original file are obj files, the method comprises the following steps: code segments, data segments, symbol tables, relocation tables, etc.
Similarly, after the game client analyzes the anti-cheating target file, the following step S303 is continuously executed: dynamically loading a dynamic link library file depended by the anti-plug-in target file to a memory space of the game client, and executing address repair on each repositioning item according to a repositioning table of the anti-plug-in target file to form an executable file corresponding to the anti-plug-in target file.
Specifically, a Dynamic Link Library (DLL) file, on which the anti-plug-in target file depends, is dynamically loaded to a memory space of the game client; the game client executes the repair operation on the anti-plug-in target file: and performing address repair on each relocation item according to the relocation table of the anti-plug-in target file, and replacing the default address filled in the compiling stage by a real address.
And a linker of the anti-plug-in engine dynamically loads a dynamic link library file which is depended by the anti-plug-in target file to a memory space of the game client through an api function-loadlibrary () provided by windows, and relocates each relocation item according to the relocation table so as to replace the real address of the called object with the default address filled in the compiling stage, thereby completing the repair operation of the address. This is because the location of some called objects (functions or data) cannot be determined when the plug-in detection source program is compiled into the plug-in detection original file in the compiling stage. Therefore, the addresses of these called objects in the hang detection original file are default addresses. Therefore, in the anti-plug-in target file after the confusion code is inserted, the addresses of the called objects are also default addresses. Therefore, in the link stage, address repair needs to be performed on each relocation item according to the relocation table of the anti-plug-in target file, so that the default address of the called object is replaced by the real address.
After the executable file is formed, step S304 is performed: and executing the executable file to complete the current external hanging detection of the game client.
And executing the anti-plug-in script codes in the executable file through a call instruction of the anti-plug-in engine to realize one-time plug-in detection of the game client. Specifically, since the call address used in the call instruction may be according to: the called function address-current calling address +5 is obtained by calculation, so that the self-defined function symbols do not need to be reserved in a symbol table, and the calling of each self-defined function is not influenced.
According to the plug-in detection method provided by the embodiment of the invention, through interaction between the server and the game client, the server issues the target plug-in detection codes to the game client again every time the game client executes plug-in detection, the game client processes the target plug-in detection codes and utilizes the processed executable file to perform plug-in detection, and as the plug-in detection program is not pre-implanted in the game client, a plug-in cracker cannot find the plug-in detection program in the reverse game client, and the program updating does not need to update the client, the anti-plug-in operation can be more flexible and mobile, and the aim of dynamically issuing the plug-in detection program to the game client to execute the plug-in detection is achieved under the condition that a user feels no.
Based on the same inventive concept, the embodiment of the invention provides an external hanging detection device 40. Referring to fig. 5, the hang detection apparatus 40 includes:
a file acquiring unit 401, configured to acquire and store a plug-in detection original file;
the file processing unit 402 is configured to process the plug-in detection original file according to a predetermined processing rule to obtain a target plug-in detection code;
the code issuing unit 403 is configured to issue the target plug-in detection code to the game client according to the anti-plug-in detection time rule, so that the game client performs current plug-in detection according to the target plug-in detection code.
In some embodiments, the code issuing unit 403 further includes:
the issuing time determining subunit is used for determining issuing time for issuing the target plug-in detection code according to a pre-configured unequal interval time sequence, or determining issuing time for issuing the target plug-in detection code according to random number time generated by a random number generation algorithm;
and the issuing execution subunit is used for issuing the target plug-in detection code to the game client according to the determined issuing time.
In some embodiments, the file processing unit 402 is specifically configured to: analyzing an original plug-in detection code from a plug-in detection original file; and randomly inserting confusion codes aiming at the original plug-in detection codes to obtain target plug-in detection codes, wherein the target plug-in detection codes are used for executing the current plug-in detection of the game client.
In some embodiments, the code issuing unit 403 is specifically configured to: and sending the target plug-in detection code to the game server so that the game server encrypts the target plug-in detection code and distributes the encrypted target plug-in detection code to each game client in an encryption mode negotiated with each game client.
Under some embodiments, the file obtaining unit 401 includes: the acquisition subunit is used for acquiring an intermediate code file compiled by the plug-in detection source program; the merging subunit is used for carrying out function merging processing on the intermediate code file to form an external hanging detection original file with invisible self-defined function symbols, wherein the self-defined function symbols are various function symbols except a main function symbol and a system function symbol; and the storage subunit is used for storing the plug-in detection original file to the anti-plug-in server.
In some embodiments, the storage subunit is specifically configured to: and storing the plug-in detection original file in an xml format which is not self-defined.
In some embodiments, the intermediate code file includes a symbol table and a relocation table; the merging subunit is specifically configured to: determining a self-defined function symbol from the intermediate code file according to the symbol table; the determined symbols of the custom function are removed from the symbol table and the relocation table.
In some embodiments, the merging subunit is specifically configured to: respectively taking each symbol in the symbol table as a target symbol object; judging whether the target symbol object is in a code segment or not and judging whether the target symbol object is a symbol of a function name type or not according to table item information related to the target symbol object in the symbol table; and if the target symbol object is in the code segment and the target symbol object is a symbol of the function name type, determining the target symbol object as a self-defined function symbol.
Based on the same inventive concept, the embodiment of the invention provides a plug-in detection device 50 applied to a game client. Referring to fig. 6, the hang detection apparatus 50 includes:
a code receiving unit 501, configured to receive a target plug-in detection code issued by an anti-plug-in server, where the target plug-in detection code is obtained by processing a plug-in detection original file by the anti-plug-in server;
a code analysis unit 502, configured to analyze a target plug-in detection code to obtain an anti-plug-in target file;
a link unit 503, configured to dynamically load a dynamic link library file that the anti-plug-in target file depends on to a memory space of the game client, and perform address repair on each relocation item according to a relocation table of the anti-plug-in target file, so as to form an executable file corresponding to the anti-plug-in target file;
and the file execution unit 504 is configured to execute the executable file to complete the current-time plug-in detection of the game client.
With regard to the apparatus in the above embodiments, the specific manner in which the respective functional units perform operations has been described in detail in the embodiments related to the method, and will not be elaborated upon here.
Based on the same inventive concept, an embodiment of the present specification further provides an electronic device, which includes a memory, a processor, and a computer program that is stored in the memory and can be run on the processor, and when the processor executes the program, the plug-in detection method according to any one of the foregoing embodiments is implemented.
Fig. 7 is a schematic structural diagram of the electronic device in this embodiment of the present disclosure when the electronic device is a server. The server 1900 may vary widely by configuration or performance and may include one or more Central Processing Units (CPUs) 1922 (e.g., one or more processors) and memory 1932, one or more storage media 1930 (e.g., one or more mass storage devices) storing applications 1942 or data 1944. Memory 1932 and storage medium 1930 can be, among other things, transient or persistent storage. The program stored in the storage medium 1930 may include one or more modules (not shown), each of which may include a series of instructions operating on a server. Still further, a central processor 1922 may be provided in communication with the storage medium 1930 to execute a series of instruction operations in the storage medium 1930 on the server 1900.
The server 1900 may also include one or more power supplies 1926, one or more wired or wireless network interfaces 1950, one or more input-output interfaces 1958, one or more keyboards 1956, and/or one or more operating systems 1941, such as Windows Server, Mac OS XTM, UnixTM, LinuxTM, FreeBSDTM, etc.
In an exemplary embodiment, a non-transitory computer readable storage medium comprising instructions, such as the memory 1932 comprising instructions, executable by a processor of an electronic device to perform the method of detecting a cheating condition as described in any one of the above embodiments, is also provided, and may be, for example, a ROM, a Random Access Memory (RAM), a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like.
Other embodiments of the invention will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the invention and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the invention being indicated by the following claims.
It will be understood that the invention is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present invention is defined only by the appended claims, and the above-described preferred embodiments of the present invention are not intended to be limiting, and any modifications, equivalents, improvements, etc. within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (13)
1. A method for detecting a store-on, the method comprising:
acquiring and storing a plug-in detection original file;
processing the plug-in detection original file according to a preset processing rule to obtain a target plug-in detection code;
and issuing the target plug-in detection code to a game client according to an anti-plug-in detection time rule so that the game client executes current plug-in detection according to the target plug-in detection code.
2. The method of claim 1, wherein said issuing the target store detection code to a game client according to an anti-store detection time rule comprises:
determining issuing time for issuing the target plug-in detection code according to a pre-configured unequal interval time sequence, or determining issuing time for issuing the target plug-in detection code according to random number time generated by a random number generation algorithm;
and issuing the target plug-in detection code to the game client according to the determined issuing time.
3. The method of claim 1, wherein the processing the plug-in detection original file according to a predetermined processing rule to obtain a target plug-in detection code comprises:
analyzing an original plug-in detection code from the plug-in detection original file;
and randomly inserting confusion codes aiming at the original plug-in detection codes to obtain target plug-in detection codes, wherein the target plug-in detection codes are used for the game client to execute the current plug-in detection.
4. The method of claim 3, wherein issuing the target store detection code to the game client comprises:
and sending the target plug-in detection code to a game server so that the game server encrypts the target plug-in detection code and distributes the encrypted target plug-in detection code to each game client in an encryption mode negotiated with each game client.
5. The method according to any one of claims 1 to 4, wherein the obtaining and storing the plug-in detection original file comprises:
acquiring an intermediate code file compiled by a plug-in detection source program;
carrying out function combination processing on the intermediate code file to form an external hanging detection original file with invisible self-defined function symbols, wherein the self-defined function symbols are various function symbols except a main function symbol and a system function symbol;
and storing the plug-in detection original file to an anti-plug-in server.
6. The method of claim 5, wherein storing the plug-in detection origin file to an anti-plug-in server comprises:
and storing the plug-in detection original file in an xml format which is not self-defined.
7. The method of claim 5, wherein the intermediate code file includes a symbol table and a relocation table; the function combination processing is carried out on the intermediate code file to form the plug-in detection original file with the invisible user-defined function symbol, and the method comprises the following steps:
determining a user-defined function symbol from the intermediate code file according to the symbol table;
and removing the determined custom function symbols from the symbol table and the repositioning table.
8. The method of claim 7, wherein said determining custom function symbols from said intermediate code file from said symbol table comprises:
respectively taking each symbol in the symbol table as a target symbol object;
judging whether the target symbol object is in a code segment or not according to the table item information related to the target symbol object in the symbol table, and judging whether the target symbol object is a function name type symbol or not;
and if the target symbol object is in the code segment and the target symbol object is a symbol of a function name type, determining that the target symbol object is a self-defined function symbol.
9. A plug-in detection method is applied to a game client, and is characterized by comprising the following steps:
receiving a target plug-in detection code issued by an anti-plug-in server, wherein the target plug-in detection code is obtained by processing the plug-in detection original file by the anti-plug-in server;
analyzing the target plug-in detection code to obtain an anti-plug-in target file;
dynamically loading a dynamic link library file depended by the anti-plug-in target file to a memory space of the game client, and performing address repair on each repositioning item according to a repositioning table of the anti-plug-in target file to form an executable file corresponding to the anti-plug-in target file;
and executing the executable file to finish the current external hanging detection of the game client.
10. An external hanging detection device, comprising:
the file acquisition unit is used for acquiring and storing the plug-in detection original file;
the file processing unit is used for processing the plug-in detection original file according to a preset processing rule to obtain a target plug-in detection code;
and the code issuing unit is used for issuing the target plug-in detection code to the game client according to the anti-plug-in detection time rule so that the game client executes the current plug-in detection according to the target plug-in detection code.
11. The utility model provides a plug-in detection device, is applied to game client, its characterized in that, plug-in detection device includes:
the system comprises a code receiving unit, a target plug-in detection unit and a plug-in detection unit, wherein the code receiving unit is used for receiving a target plug-in detection code issued by an anti-plug-in server, and the target plug-in detection code is obtained by processing a plug-in detection original file by the anti-plug-in server;
the code analysis unit is used for analyzing the target plug-in detection code to obtain an anti-plug-in target file;
the link unit is used for dynamically loading a dynamic link library file depended by the anti-plug-in target file to a memory space of the game client, and executing address repair on each repositioning item according to a repositioning table of the anti-plug-in target file to form an executable file corresponding to the anti-plug-in target file;
and the file execution unit is used for executing the executable file so as to finish the current plug-in detection of the game client.
12. An electronic device, comprising: memory, processor and computer program stored on the memory and executable on the processor, the processor implementing the method of any one of claims 1 to 8 when executing the program or implementing the method of claim 9.
13. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method of any one of claims 1 to 8 or carries out the method of claim 9.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111669760.8A CN114307165B (en) | 2021-12-30 | 2021-12-30 | Plug-in detection method, device, equipment and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111669760.8A CN114307165B (en) | 2021-12-30 | 2021-12-30 | Plug-in detection method, device, equipment and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114307165A true CN114307165A (en) | 2022-04-12 |
CN114307165B CN114307165B (en) | 2024-10-11 |
Family
ID=81020886
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202111669760.8A Active CN114307165B (en) | 2021-12-30 | 2021-12-30 | Plug-in detection method, device, equipment and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114307165B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1909447A (en) * | 2005-08-03 | 2007-02-07 | 盛趣信息技术(上海)有限公司 | Method for network data communication by using dynamic encryption algorithm |
KR20120020609A (en) * | 2010-08-30 | 2012-03-08 | 주식회사 엔씨소프트 | Method of detecting unknown bot of online game |
CN105843640A (en) * | 2016-03-21 | 2016-08-10 | 武汉斗鱼网络科技有限公司 | Dynamic link library injection method and apparatus |
CN108629162A (en) * | 2017-03-23 | 2018-10-09 | 北京小唱科技有限公司 | A kind of source code means of defence and device |
CN111389012A (en) * | 2020-02-26 | 2020-07-10 | 完美世界征奇(上海)多媒体科技有限公司 | Method, device and system for anti-plug-in |
CN112214736A (en) * | 2020-11-02 | 2021-01-12 | 杭州安恒信息技术股份有限公司 | Code encryption method and related assembly |
CN112363710A (en) * | 2021-01-14 | 2021-02-12 | 之江实验室 | Multi-variable user program compiling method based on multi-heterogeneous execution controller |
-
2021
- 2021-12-30 CN CN202111669760.8A patent/CN114307165B/en active Active
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1909447A (en) * | 2005-08-03 | 2007-02-07 | 盛趣信息技术(上海)有限公司 | Method for network data communication by using dynamic encryption algorithm |
KR20120020609A (en) * | 2010-08-30 | 2012-03-08 | 주식회사 엔씨소프트 | Method of detecting unknown bot of online game |
CN105843640A (en) * | 2016-03-21 | 2016-08-10 | 武汉斗鱼网络科技有限公司 | Dynamic link library injection method and apparatus |
CN108629162A (en) * | 2017-03-23 | 2018-10-09 | 北京小唱科技有限公司 | A kind of source code means of defence and device |
CN111389012A (en) * | 2020-02-26 | 2020-07-10 | 完美世界征奇(上海)多媒体科技有限公司 | Method, device and system for anti-plug-in |
CN112214736A (en) * | 2020-11-02 | 2021-01-12 | 杭州安恒信息技术股份有限公司 | Code encryption method and related assembly |
CN112363710A (en) * | 2021-01-14 | 2021-02-12 | 之江实验室 | Multi-variable user program compiling method based on multi-heterogeneous execution controller |
Also Published As
Publication number | Publication date |
---|---|
CN114307165B (en) | 2024-10-11 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP6257754B2 (en) | Data protection | |
CN104680039B (en) | A kind of data guard method and device of application program installation kit | |
CN111143869B (en) | Application package processing method and device, electronic equipment and storage medium | |
CN107786331B (en) | Data processing method, device, system and computer readable storage medium | |
CN104363271B (en) | Document breakpoint transmission method and device | |
CN105631355A (en) | Data processing method and device | |
CN109885990B (en) | Script management method | |
JP2018502524A (en) | Encryption control for information, information analysis method, system and terminal | |
KR102374887B1 (en) | Systems, programs, methods and servers for conducting communications | |
WO2017095727A1 (en) | Systems and methods for software security scanning employing a scan quality index | |
CN105574371A (en) | Text watermark based android application information hiding and software protection method | |
JP2015106914A (en) | Malware communication analyzer and malware communication analysis method | |
CN114307165B (en) | Plug-in detection method, device, equipment and medium | |
CN110401631A (en) | System upgrade information acquisition method, device, storage medium and block chain node | |
US20170279777A1 (en) | File signature system and method | |
CN104965720B (en) | Using installation method and device | |
CN114416108B (en) | Anti-decompilation method, system and device based on Android resource file index table | |
CN113742340B (en) | Database table processing method and related equipment | |
JP2016526746A (en) | Data processing system, center apparatus, and program | |
CN114035797A (en) | Front-end code encryption method, operation method, device, equipment and storage medium | |
CN114244600A (en) | Method for interfering malicious program | |
JP2006235688A (en) | Program obfuscation device and method and program thereof | |
CN109445798B (en) | LuaJIT byte code processing method, device and storage medium | |
CN110740112B (en) | Authentication method, apparatus and computer readable storage medium | |
CN104965906A (en) | Network resource provision method and apparatus |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant |