This article was first published in Walker AI

Ever since electronic games appeared they have been plagued by cheat programs, called "plug-ins" (外挂) in Chinese gaming circles and throughout this article, which have caused immeasurable losses to game companies. This article introduces the basics of game plug-ins so that readers who are interested in game security, and willing to learn about it, can gain a foundational understanding of the field.


1. Basic concepts of plug-ins

1.1 Basic definition of plug-ins

A plug-in is a game tool that, without the game operator's authorization, produces a cheating effect in the game. With it a player can obtain, in a short time, results that honest players cannot obtain at all, or can obtain only after a long period of play. Any tool that satisfies this description is what we call a "plug-in" (game cheat).

1.2 Impact of plug-ins

Plug-in cheating has seriously harmed the development of the game industry.

First, plug-ins undermine the fairness of the game. Their most direct harm is to competitive fairness and to the interests of honest players. Second, they damage gameplay and game quality and so shorten the game's life cycle: a plug-in user wins or scores far too easily, and once the challenge is gone the game loses its appeal. Plug-ins also degrade the quality of service on the server and accelerate player churn. Third, they damage the economic interests of both game companies and players, and crimes connected with game plug-ins are common. Game companies earn their revenue from premium services or from players paying for online time; plug-ins destroy the playability of online games and reduce both players' online time and the product's life cycle, which seriously harms the producer's economic interests.

1.3 Classification of plug-ins

There are many kinds of plug-ins in games today. Faced with so many, some classification is needed so that plug-in techniques and characteristics can be analysed and summarised conveniently.

– "Simulation plug-ins" and "script plug-ins" that do not change game logic or data

Represented by Key Sprite (按键精灵), this kind of plug-in does not enter the game at all. It works from the outside, recognising on-screen images and text and simulating mouse clicks and key presses, and gains its advantage that way. Such plug-ins take over the tedious, repetitive and time-consuming actions and tasks of an online game and free the player from them. For example, in the online game Dungeon & Fighter (DNF) characters have levels: the higher the level, the better the equipment, but levelling up is no fun and reaching the level cap takes a long time. Before reaching the cap the player must keep killing monsters and farming maps, and the same map may be farmed hundreds of times. Farming means pressing skill keys over and over; the basic attack, for instance, is the X key, pressed thousands or tens of thousands of times a day, which is extremely dull. Plug-in makers therefore build tools that operate in the player's place: the key-repeat function holds X down continuously, so once the character enters the game and the player presses X once, the character attacks without stopping and the player only has to control movement, free of the endless clicking on keyboard or mouse.

Figure 1. Schematic usage of Key Sprite (picture from the Internet)

– "Memory plug-ins" that modify game memory

Memory-modification plug-ins can be divided into three types according to how they reach game memory:

(1) The first method uses a virtual device driver (VxD) to locate the game's memory allocation addresses directly. It requires the plug-in developer to have a solid programming background and knowledge of the system's low-level driver model, so it is technically difficult and has a high entry threshold.

(2) The second method uses the ToolHelp API (CreateToolhelp32Snapshot together with Process32First/Process32Next and Module32First/Module32Next) to enumerate processes and modules and obtain their IDs, base addresses and other information, and then reads the game's memory from the online game's process with ReadProcessMemory. Enumeration and reading only locate the data; they do not modify it, so this method has to be combined with another technique to have any effect, which is a drawback.

(3) The third method operates on the game process directly through the corresponding system functions and is far more convenient than the first two. A handle to the game process is easily obtained, and ReadProcessMemory and WriteProcessMemory are then used to read and write the process's memory. This is by far the most popular way of modifying game memory on the market.

Here are some examples:

(1) Take the attachment exploit in Call of Duty Online as an example. Weapons in the game can be fitted with different attachments, and normally an M4A1 can carry only two. Debugging the game and analysing the weapon attachment logic shows that each time an attachment is fitted a game function is called; let us call it AddWeaponAttachment (the author's own name, as with the names below). Repeated debugging and analysis lets one infer its parameters as a slot index and an attachment ID, i.e. AddWeaponAttachment(SlotIndex, AttachmentID). Calling this function once more than the game's own logic does adds one more attachment, so the M4A1 ends up carrying several.

(2) Take the DNF "double attack" cheat as an example. Normally each attack deals a single hit. Again through debugging, one finds the character's attack function, call it Attack(Target, Power), whose parameters are the attack target and the attack power. A plug-in can modify the call so that Target becomes every monster in the current area and Power becomes effectively infinite, producing a full-screen double-hit attack.

(3) Take CrossFire (CF) wallhacks ("perspective" cheats) as an example. The game renders through the Windows DirectX module (it is a DX game). In general, while rendering each frame the game draws the objects in the current view from far to near, and the final image honours the occlusion relationships between objects, so the player sees a correct scene. A plug-in can modify the DirectX rendering logic, for instance by hooking the draw calls and disabling depth testing for player models, so that objects that should be hidden are drawn on screen and the player can see characters through walls.

(4) Take chess and card games as an example. Because the game logic needs them, the player's hole cards are stored in memory. By repeatedly narrowing the search conditions in a memory-viewing tool as the cards change, one can find the memory records that hold the cards, learn the other players' hidden cards, and then play however one likes.
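
The search technique behind examples (2) and (4), and behind most memory plug-ins, is the narrowing scan popularised by tools such as Cheat Engine: find every address that currently holds the watched value, let the value change in game, and keep only the addresses that changed with it. The following is an added example, not code from the original article. A constructed bytearray stands in for the game process, slicing it stands in for ReadProcessMemory/WriteProcessMemory, and the word layout (HP at word 17, decoy values elsewhere) is invented for the demonstration.

```python
import struct

WORD = 4  # scan for little-endian 32-bit integers at 4-byte alignment


def scan_initial(mem: bytes, value: int) -> set:
    """First pass: every aligned offset whose 32-bit value equals `value`.
    (Real scanners also try unaligned offsets and other widths.)"""
    pat = struct.pack("<I", value)
    return {off for off in range(0, len(mem) - WORD + 1, WORD)
            if mem[off:off + WORD] == pat}


def scan_narrow(mem: bytes, candidates: set, value: int) -> set:
    """Later passes: keep only the candidates that now hold the new value."""
    pat = struct.pack("<I", value)
    return {off for off in candidates if mem[off:off + WORD] == pat}


def find_address(snapshots, values) -> set:
    """snapshots[i] is a memory image taken when the watched value was values[i].
    Returns the offsets that matched on every snapshot."""
    cands = scan_initial(snapshots[0], values[0])
    for mem, value in zip(snapshots[1:], values[1:]):
        cands = scan_narrow(mem, cands, value)
    return cands


def write_value(mem: bytearray, off: int, value: int) -> None:
    """Stand-in for WriteProcessMemory."""
    mem[off:off + WORD] = struct.pack("<I", value)


# --- constructed "process memory": 64 words; the HP counter lives at word 17 ---
HP_WORD = 17


def make_memory(hp: int, words: list) -> bytearray:
    words = list(words)
    words[HP_WORD] = hp
    return bytearray(struct.pack("<64I", *words))


def demo():
    """Locate the HP counter across three snapshots, then overwrite it."""
    others = [0] * 64
    others[3] = 100          # decoy: same value as HP in the first snapshot
    others[40] = 100         # another decoy that never changes
    others[55] = 7
    snap1 = make_memory(100, others)         # HP = 100
    others[3] = 250                          # first decoy changes, but not to 80
    snap2 = make_memory(80, others)          # HP dropped to 80 after damage
    snap3 = make_memory(80, others)          # HP unchanged: "unchanged" filter
    addrs = find_address([snap1, snap2, snap3], [100, 80, 80])
    mem = bytearray(snap3)
    for off in addrs:
        write_value(mem, off, 999_999)       # what the memory plug-in does next
    return addrs, struct.unpack_from("<I", mem, HP_WORD * WORD)[0]


if __name__ == "__main__":
    print(demo())   # ({68}, 999999)
```

The first pass is ambiguous (three offsets hold 100); the second snapshot, taken after the value changed, leaves exactly one candidate. This is why item (9) of section 2.2 below, never letting the real number sit in memory, is an effective counter.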

– "Packet plug-ins" and "protocol plug-ins" that tamper with network data

Packet plug-ins are one of the harder plug-in techniques and involve a number of technical problems. An online game's server and client communicate over sockets: the server creates a listening socket, binds it to an IP address and port, and waits for client connections. The plug-in maker uses a packet-capture tool to intercept the traffic, collects many packets, analyses the data, and works out which packet fields correspond to which actions or character attributes. If the packets are encrypted the encryption algorithm has to be analysed as well; early online games, limited by server capacity, often sent packets unencrypted or protected only by XOR, which is trivial to break. The plug-in then modifies the relevant fields and forwards the altered packet to the server through the interception tool, cheating by tampering with the communication. WPE (Winsock Packet Editor) is a popular packet-editing tool among plug-in makers; Figure 2 shows it. It can capture and modify the packets a game process sends, and if the game itself has a packet-handling bug, a plug-in can discover and exploit it.

Figure 2. Schematic diagram of WPE.
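
The claim that XOR "encryption" is trivial to break deserves a concrete illustration. The following is an added example, not code from the original article: a constructed move packet (opcode, length, x, y) protected with a fixed 4-byte repeating XOR key, recovered by the attacker from a single sniffed packet whose contents they already know (their own move), and then used to forge a teleport. The packet layout, key, opcode and the server-side step limit are all assumptions made for the example; the server check at the end is the kind of verification that section 2.2 recommends.

```python
import struct

# Constructed protocol: server and client share a fixed 4-byte XOR key.
# The attacker does not know it; the example recovers it from one sniffed packet.
SERVER_KEY = bytes.fromhex("5a13c7e9")
OP_MOVE = 0x0101
MAX_STEP = 10            # server-side plausibility limit per move packet (assumed)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR `data` with `key` repeated (plain byte-wise XOR when lengths match)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def move_plaintext(x: int, y: int) -> bytes:
    """u16 opcode | u16 body length | i32 x | i32 y (little-endian)."""
    return struct.pack("<HHii", OP_MOVE, 8, x, y)


def encode_move(x: int, y: int, key: bytes = SERVER_KEY) -> bytes:
    """Client side: what goes on the wire."""
    return xor_bytes(move_plaintext(x, y), key)


def decode_packet(pkt: bytes, key: bytes = SERVER_KEY):
    """Server side: returns (opcode, length, x, y)."""
    return struct.unpack("<HHii", xor_bytes(pkt, key))


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known-plaintext attack on a repeating XOR key: ciphertext XOR plaintext
    is the key stream, and its shortest period that is confirmed by at least
    one full repetition is the key. Returns b"" if the capture is too short."""
    if len(ciphertext) != len(known_plaintext):
        raise ValueError("need the plaintext of the whole captured packet")
    stream = xor_bytes(ciphertext, known_plaintext)
    for period in range(1, len(stream) // 2 + 1):
        if all(stream[i] == stream[i % period] for i in range(len(stream))):
            return stream[:period]
    return b""


def server_accept_move(last_pos, pkt: bytes) -> bool:
    """Server-side verification: once the crypto is broken the server must still
    sanity-check the content (opcode, length and a plausible step size)."""
    op, length, x, y = decode_packet(pkt)
    if op != OP_MOVE or length != 8:
        return False
    dx, dy = x - last_pos[0], y - last_pos[1]
    return dx * dx + dy * dy <= MAX_STEP * MAX_STEP


def demo() -> dict:
    # 1. Sniff one packet whose content the cheater already knows (their own move).
    captured = encode_move(10, 12)
    key = recover_key(captured, move_plaintext(10, 12))
    # 2. Forge a "teleport" with the recovered key; the server decodes it happily.
    forged = encode_move(5000, 5000, key=key)
    return {
        "key": key.hex(),
        "server_sees": decode_packet(forged),
        "honest_accepted": server_accept_move((5, 5), captured),
        "forged_accepted": server_accept_move((5, 5), forged),
    }


if __name__ == "__main__":
    print(demo())
```

A single 12-byte packet is enough to recover the whole 4-byte key, because the key stream repeats inside it. The same attack works against any key shorter than the packets that carry predictable content, which is why the protocol measures in section 2.2 call for a per-session key and a stream cipher whose output never repeats.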

– Other plug-ins

Besides the simulation, memory and packet plug-ins described above, there are a few less common kinds on the market.

(1) Graphics-driver-level plug-ins, which modify the graphics card driver directly.

(2) Hardware plug-ins: custom mouse chips, advanced mouse macros, custom keyboards, robotic arms and the like.

(3) AI plug-ins: artificial-intelligence plug-ins based on deep learning and reinforcement learning. Outwardly they behave like simulation plug-ins.

2. Some ways to defend against plug-ins

2.1 Common methods for detecting plug-ins

(1) Variable detection. Set a global variable, assign it in the outer function that wraps a key game function, and check it inside the key function. A normal game call goes through the outer function step by step and therefore assigns the variable; a plug-in calls the key function directly, the function finds the variable unassigned, and the plug-in is detected.

(2) Stack detection. Variable detection has a weakness: a global variable must exist to carry the information, and a plug-in author can scan memory back and forth to find it and set it before the call, evading detection. Stack detection avoids this by reading the stack inside the game function to learn where the call came from (the return address). If the function was not called from the game's own code, it is a plug-in.

(3) Data detection. Re-read critical data repeatedly to see whether a plug-in has tampered with it. A standalone check is too easy for the plug-in author to spot, so the comparison is usually hidden inside the game's normal code paths that read the data, where an inconsistency is flagged.

(4) CRC detection. CRC detection mainly protects game code from being patched by plug-ins. The game contains key logic, for example "if HP is 0, the character is dead". A plug-in can patch this branch so that the death code never runs, no matter what, giving invincibility. The principle of CRC detection is to keep reading the bytes of critical code and checking whether they have been altered. In practice: checksum the check function itself with CRC or a similar algorithm so that it cannot simply be hooked, verify important code segments separately, protect the verification code with VMP (VMProtect) virtualisation, and where necessary send the checksums back to the server for verification.

(5) Process detection. Obtain the system process list and look for well-known plug-in process names; if one is found, force the player offline. This is cheap but weak, since the plug-in only has to rename its executable, so it is best combined with the other checks.

(6) Behaviour detection. This is a newer approach, and it works well: Tencent's DNF uses it to the point that even colour-recognition aids cannot survive, and some cheat makers have resorted to physical robotic arms. Unlike the methods above, it examines the player's behaviour rather than the client, usually by analysing player data with deep learning and other AI techniques. For example, if a player's headshot rate and kill rate are abnormally high and the mouse moves in nearly straight lines, that player's data is flagged as anomalous and routed to manual review, or, if the anomaly is extreme, the account is banned directly.
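
Methods (1), (2) and (4) are easiest to see side by side. The following is an added example, not code from the original article, in which a guarded `apply_damage` function applies the one-shot token of variable detection and the caller check of stack detection, and a CRC32 over the code of critical functions catches a simulated "god mode" patch. Two stand-ins are assumed: the Python frame walk (`inspect`) replaces the native check of the return address against the game's own code range, and `zlib.crc32` over a function's bytecode replaces a CRC over the code bytes of the loaded image. All function names are invented for the example.

```python
import inspect
import zlib


class CheatDetected(Exception):
    pass


# (1) variable detection: the legitimate outer function sets a one-shot token.
_call_token = None
# (2) stack detection: the functions allowed to call the guarded function.
ALLOWED_CALLERS = {"combat_step"}


def apply_damage(hp: int, dmg: int) -> int:
    """Guarded game function. Calling it directly, the way a plug-in would to
    skip the game's own combat flow, trips both checks."""
    global _call_token
    if _call_token != "combat":
        raise CheatDetected("token not set: function called out of sequence")
    caller = inspect.currentframe().f_back.f_code.co_name
    if caller not in ALLOWED_CALLERS:
        raise CheatDetected("unexpected caller: " + caller)
    _call_token = None                      # consume the token
    return max(hp - dmg, 0)


def combat_step(hp: int, dmg: int) -> int:
    """The only legitimate path to apply_damage."""
    global _call_token
    _call_token = "combat"
    return apply_damage(hp, dmg)


# (4) CRC detection: checksum the code of critical functions and re-check it.
def is_dead(hp: int) -> bool:
    return hp <= 0


def _never_dead(hp: int) -> bool:
    """What a 'god mode' patch turns is_dead into (used only to simulate tampering)."""
    return False


CRITICAL = (apply_damage, combat_step, is_dead)


def code_crc(func) -> int:
    return zlib.crc32(func.__code__.co_code)


def baseline() -> dict:
    """Checksums taken at start-up (a shipping game would embed or fetch them)."""
    return {f.__name__: code_crc(f) for f in CRITICAL}


def crc_check(expected: dict) -> list:
    """Names of critical functions whose code no longer matches the baseline."""
    return [f.__name__ for f in CRITICAL if code_crc(f) != expected[f.__name__]]


def demo() -> dict:
    expected = baseline()
    out = {"honest": combat_step(100, 30)}            # token and caller both fine
    try:
        apply_damage(100, 30)                          # plug-in style direct call
        out["direct_call"] = "missed"
    except CheatDetected as err:
        out["direct_call"] = str(err)
    out["before_patch"] = crc_check(expected)
    original = is_dead.__code__
    is_dead.__code__ = _never_dead.__code__            # simulated in-memory code patch
    out["after_patch"] = crc_check(expected)
    is_dead.__code__ = original                        # undo so the demo is repeatable
    return out


if __name__ == "__main__":
    print(demo())
```

The direct call fails on the token before the caller check even runs; a plug-in that first scans memory for the token and sets it, as the text describes, would still be caught by the caller check unless it also spoofs the return address. The checksum list must itself be protected (hashed, virtualised, or compared on the server), otherwise the attacker simply patches the baseline.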

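Behaviour detection (6) is statistical rather than code-level. The following is an added example, not code from the original article, showing the two features the text names, headshot rate and mouse-path straightness, scored against a reference distribution of honest play and routed to "ok", "review" or "ban". The telemetry, the reference means and standard deviations, and the thresholds are all constructed for the example; a real system would learn the reference from population data, as the text says, and use many more features.

```python
import math
from typing import Dict

# Constructed reference statistics (mean, std dev) of honest play per feature.
REFERENCE = {"headshot_rate": (0.06, 0.03), "straightness": (0.75, 0.08)}
REVIEW_Z = 2.5    # send to manual review
BAN_Z = 5.0       # ban outright

# Constructed telemetry: combat tallies plus one sampled mouse path per player.
PLAYERS = {
    "alice": {"shots": 80,  "headshots": 5,  "path": [(0, 0), (3, 4), (0, 8), (3, 12), (0, 16)]},
    "bob":   {"shots": 100, "headshots": 8,  "path": [(0, 0), (4, 3), (8, 0), (12, 3), (16, 0), (20, 3)]},
    "carol": {"shots": 50,  "headshots": 2,  "path": [(0, 0), (0, 5), (5, 5), (5, 10), (10, 10)]},
    "dave":  {"shots": 60,  "headshots": 9,  "path": [(0, 0), (5, 0), (5, 5), (10, 5), (10, 10)]},
    "bot01": {"shots": 62,  "headshots": 58, "path": [(0, 0), (3, 3), (6, 6), (9, 9), (12, 12)]},
}


def straightness(path) -> float:
    """Chord length divided by travelled length: 1.0 is a perfectly straight
    line, which a human hand almost never produces; 0.0 if the path is empty."""
    travelled = sum(math.dist(a, b) for a, b in zip(path, path[1:]))
    if travelled == 0:
        return 0.0
    return math.dist(path[0], path[-1]) / travelled


def features(p: dict) -> Dict[str, float]:
    return {
        "headshot_rate": p["headshots"] / max(p["shots"], 1),
        "straightness": straightness(p["path"]),
    }


def zscores(p: dict) -> Dict[str, float]:
    """How many standard deviations each feature lies above the honest reference."""
    f = features(p)
    return {k: (f[k] - REFERENCE[k][0]) / REFERENCE[k][1] for k in REFERENCE}


def classify(players: dict) -> Dict[str, str]:
    """Route each player on the single most anomalous feature, so a skilled but
    honest player with one high feature lands in review rather than auto-ban."""
    decisions = {}
    for name, p in players.items():
        worst = max(zscores(p).values())
        decisions[name] = "ban" if worst >= BAN_Z else "review" if worst >= REVIEW_Z else "ok"
    return decisions


if __name__ == "__main__":
    for name, p in PLAYERS.items():
        print(name, {k: round(v, 2) for k, v in zscores(p).items()}, classify({name: p})[name])
```

Here `dave` has a high but humanly possible headshot rate and goes to manual review, while `bot01` combines an impossible headshot rate with dead-straight mouse paths and is banned. The separate review tier is what keeps false positives from becoming wrongful bans.
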
2.2 Anti-tamper

(1) Handling of the game's login packets. Make the login packets as complex as possible: apply several layers of encryption to parts of the data in different packet types, and spread the exchange over several ports in a shuffled order. These login sub-packets are one-off, so algorithm efficiency is not a concern, but the measures greatly increase the difficulty of reverse engineering.

(2) Anti-debugging protection for the game. The main ideas are driver-level detection of debugger processes, debug-flag checks, hooking important functions, and packing the game executable with a strong protector whose own features resist debugging and reversing.

(3) Server-side data verification. After receiving a message from the client, verify that it is legitimate. For example, against an "instant clear" packet exploit in which the client simply reports a battle as won, the server can verify the battle data to decide whether the battle was really completed.

(4) Frequent small updates to the game, consisting of code obfuscation and base-address changes, which invalidate the addresses and signatures plug-ins depend on.

(5) Protocol encryption: exchange a session key with asymmetric encryption, encrypt the transmitted content with a symmetric cipher, keep the server's private key safe, and prevent man-in-the-middle attacks. Use stream encryption with a fresh nonce or keystream position for every packet, so that the same packet sent twice looks different on the wire.

(6) Occasionally pop up anti-plug-in verification questions: reward a correct answer with experience, and take the player offline on a wrong one.

(7) Pack the client in an encrypted shell to prevent debugging and injection, and sign the program to prevent tampering with the binary.

(8) Run important code in a custom virtual machine or in scripts (whose bytecode format should be modified from the standard one). Ordinary crackers rely mainly on disassembly; several layers of complex, unfamiliar logic will leave them lost.

(9) Do not let key data sit in memory in the clear. Access it only through getXX/setXX-style interfaces, and store it only after transforming the real value, so that memory scanners never see the plain number.

(10) A guard process (daemon) dynamically tracks the monitoring state.

(11) Authoritative (deterministic) game logic always runs on the server side.

(12) When a hacker or plug-in tool is found to have cracked the game through some vulnerability, first assess how large the impact is, then whether the author is making money from it. If the impact is small and there is no money in it, tolerate it for the time being. Once it earns money and has many users, ban it with a single command just before a major event, so that its users demand refunds and the author cannot recover.

(13) For logic that must run on the client, synchronise the inputs and a hash of the result to the other clients for cross-checking; a client whose result does not match is kicked.

(14) When a client is detected breaking some rule, do not kick it immediately: kick with a certain probability and after a random delay of a few seconds, so that the hacker sees failures here and there and cannot tell what was detected.
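
Item (9) is the direct counter to the narrowing memory scan described in section 1: if the number in memory is never the real value, a scan for "100" finds nothing to match, and if the stored form changes between snapshots the "changed/unchanged" filters stop tracking it. The following is an added example, not the article's own code, of a getXX/setXX-style wrapper that keeps a 32-bit value XOR-masked under a per-instance key, checksums the stored pair so that a blind WriteProcessMemory patch is noticed, and can re-key itself. The memory layout returned by `memory_image` and the helper `random_key` are assumptions made for the example.

```python
import os
import struct
import zlib


class TamperDetected(Exception):
    pass


def random_key() -> int:
    return int.from_bytes(os.urandom(4), "little")


class GuardedInt:
    """A 32-bit value that is never stored in the clear.

    _stored = value XOR _key, plus a CRC32 over (_stored, _key). get() verifies
    the CRC before unmasking, so a plug-in that writes straight into _stored is
    detected; rekey() changes both words while keeping the value, so snapshot
    comparisons no longer follow it."""

    __slots__ = ("_key", "_stored", "_crc")

    def __init__(self, value: int, key: int = None):
        self._key = random_key() if key is None else key
        self.set(value)

    def _checksum(self) -> int:
        return zlib.crc32(struct.pack("<II", self._stored, self._key))

    def set(self, value: int) -> None:
        self._stored = (value ^ self._key) & 0xFFFFFFFF
        self._crc = self._checksum()

    def get(self) -> int:
        if self._checksum() != self._crc:
            raise TamperDetected("guarded value was modified outside set()")
        return (self._stored ^ self._key) & 0xFFFFFFFF

    def rekey(self, new_key: int = None) -> None:
        """Re-mask the same value under a new key (call this periodically)."""
        value = self.get()
        self._key = random_key() if new_key is None else new_key
        self.set(value)

    def memory_image(self) -> bytes:
        """What a memory scanner sees for this object (constructed layout)."""
        return struct.pack("<III", self._stored, self._key, self._crc)


def plain_value_visible(guarded: GuardedInt, value: int) -> bool:
    """Would a naive 32-bit scan for `value` hit this object's memory?"""
    return struct.pack("<I", value) in guarded.memory_image()


def demo() -> dict:
    hp = GuardedInt(100, key=0x5A5A5A5A)          # fixed key so the demo is repeatable
    out = {"get": hp.get(), "visible_before": plain_value_visible(hp, 100)}
    hp.rekey(0x11111111)
    out["get_after_rekey"] = hp.get()
    out["image_changed"] = GuardedInt(100, key=0x5A5A5A5A).memory_image() != hp.memory_image()
    hp._stored ^= 0x0000FFFF                       # plug-in patches the stored word directly
    try:
        hp.get()
        out["tamper"] = "missed"
    except TamperDetected:
        out["tamper"] = "caught"
    return out


if __name__ == "__main__":
    print(demo())
```

The key lives in the same object as the masked value, so a reverser who finds the getter can still recover the number; the point of the transformation is to defeat value scanning and blind patching, not to be a secret, which is why it is combined with the code-integrity and server-side checks above.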

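Item (13) relies on the client-side logic being deterministic, so that every client fed the same inputs reaches the same result and a lone dissenter can be identified. The following is an added example, not the article's own code: a constructed battle simulation driven only by a server-issued seed and input list, a report hash over inputs and result, and a majority cross-check that names the client to kick. The simulation rules, the LCG constants and the client names are assumptions made for the example.

```python
import hashlib
import json
from collections import Counter


def simulate(seed: int, inputs) -> dict:
    """Deterministic client-side battle: the same seed and input list must give
    the same end state on every client, so no wall-clock time, no floats and no
    global RNG; the only randomness is an LCG seeded by the server."""
    rng = seed
    hp = {"p1": 100, "p2": 100}
    for actor, target, power in inputs:
        rng = (rng * 1103515245 + 12345) & 0x7FFFFFFF
        crit = 2 if rng % 10 == 0 else 1
        hp[target] = max(hp[target] - power * crit, 0)
    return hp


def report(seed: int, inputs, result: dict) -> str:
    """What each client sends up: a hash over the inputs it used and its result."""
    blob = json.dumps({"seed": seed, "inputs": inputs, "result": result}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()


def cross_check(reports: dict) -> set:
    """reports maps client id -> report hash. The strict-majority hash is
    trusted and the dissenters are returned. Without a strict majority (two
    clients, or a split vote) every client is returned, because the check
    cannot tell who is lying and the server must decide."""
    best, n = Counter(reports.values()).most_common(1)[0]
    if n * 2 <= len(reports):
        return set(reports)
    return {client for client, h in reports.items() if h != best}


# Constructed battle: inputs as distributed by the server to every client.
SEED = 42
INPUTS = [["p1", "p2", 30], ["p2", "p1", 20], ["p1", "p2", 30], ["p2", "p1", 20]]


def demo() -> set:
    honest = simulate(SEED, INPUTS)
    reports = {
        "client_a": report(SEED, INPUTS, honest),
        "client_b": report(SEED, INPUTS, simulate(SEED, INPUTS)),
    }
    cheated = dict(honest)
    cheated["p1"] = 100                                # cheater refuses to take damage
    reports["cheater"] = report(SEED, INPUTS, cheated)
    return cross_check(reports)


if __name__ == "__main__":
    print(demo())
```

Because the inputs are part of the hash, a client that alters its own input stream (for example a power of 999) also disagrees with the others and is kicked. The scheme assumes that cheaters are a minority in any one match; colluding majorities, and two-player matches, still need the server-side verification of item (3).
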
3. Summary

Game plug-ins are becoming ever more numerous, troubling both developers and players. Any reasonably popular game becomes a target for plug-in makers; plug-ins then flood the game, players leave, and the game's operating life is shortened. The security problems of online games are growing more serious. Because the author's ability and time are limited, the plug-in detection mechanisms and anti-tampering ideas put forward in this article still leave much to be refined, and the hope is that more people will research the area in depth, clean up today's online game environment sooner, and spare later researchers some detours.

We are Walker AI, and we are moving forward in "AI + games".

Follow the public account [Walker AI] and discuss technical issues with us!