Demystifying Mobile Game Cheats: Analyzing Memory-Modification Cheats with Memory Honeypots

With the changes in the game market over the past few years, the mobile game market has grown rapidly, and the security risks inherent to mobile games have gradually surfaced. 無恆實驗室 (Wuheng Lab) also carries out security review work for mobile games; in the previous installment we shared how our game-security review techniques evolved. In 2020, heavyweight mobile games kept being released and the risk from cheats grew by the day, so 無恆實驗室 joined the anti-cheat battlefield. Cheat analysis is the first step of anti-cheat work, and the depth, quality and timeliness of that analysis often decide how effective the countermeasures are.

This article starts with a classification of cheats to give an initial intuitive picture, then describes in detail fast analysis techniques for memory-modification cheats, which account for more than 90% of all cheats.

1. Cheat Classification

At the start of 2020 our cheat-intelligence colleagues collected a large number of cheat samples from different games. By implementation technique they fall roughly into the following categories:

- Custom cheats: target a specific game's logic or data layout and implement cheating by directly modifying client logic or data, or by reading and displaying core game data. Common sub-types:
  - injection cheats on rooted or jailbroken devices
  - cheats built on app multi-instance (多開) frameworks
  - cheats built on virtual machines such as vmos and 光速虛擬機
  - cheats built on Windows plus an emulator
- Generic modifiers: generic or customized cheat tools with memory search-and-modify capability, such as gameguardian, igg, ce (Cheat Engine) and 葫蘆俠.
- Script helpers: assistants that record player input and replay it, or automate actions by sampling pixel colours or image recognition, such as 按鍵精靈 and 叉叉助手.
- Cracked versions: client logic, data or resources modified and repackaged into an illegitimate client with some cheating functionality; common in single-player casual games.

Despite the variety of techniques, in principle they all come down to memory modification, function calls, simulated input or protocol simulation, and memory modification dominates: by incomplete statistics it accounts for more than 90%.

2. Analysis Approach for Memory-Modification Cheats

Memory modification covers cheats that modify code, data, resources or video memory. Analysis has three main steps:

1. Determine the type of modified memory and the data before and after the modification; there may be several modification sites. If the hit lands directly in a code segment, the cheat feature is most likely related to that code, and the following steps can be skipped.
2. Filter out the effective modifications: restore the modified locations one by one to rule out irrelevant modification points.
3. Confirm the cheat's principle: the implementation differs per game engine, but the idea is the same: monitor the allocation and release of in-game memory objects, and search for the addresses found in step 2 to match the modified memory object exactly.

High-quality cheat analysis requires knowing not only what the cheat does but also why it does it, that is, the underlying principle of the cheat feature, which demands a fairly deep understanding of game engines, OpenGL, scripting and so on. For reasons of space, this article covers only the first step for memory-modification cheats and proposes fast analysis methods for different scenarios.

2.1 Scenario 1: Cross-process modification of the game's memory

Most readers will be familiar with this scenario. It is mainly generic modifiers and custom cheats, and locating the modification is comparatively straightforward.

2.1.1 Generic modifiers

Let us look at a GG (GameGuardian) cheat script first. As shown below, it spells out the cheat's search-and-replace flow. Imagine being able to obtain the GG script while analysing a cheat: locating the modification would be greatly simplified.

[Figure: https://static001.geekbang.org/infoq/ff/ffdbda4f60217f582b9bc973624c35a1.png]

Reality is harsher, though. To keep their scripts from leaking, cheat authors generally ship a customized Lua interpreter and encrypt the Lua script, as shown below, which greatly increases the difficulty and time cost of decompilation.

[Figure: https://static001.geekbang.org/infoq/57/57c52c8253466179d8da3dc09aec3831.png]

There is no need to go head to head with that. If we hook the GG API and print the sequence of API calls with their parameters, we have effectively achieved script decompilation by other means. This is only a hint at the approach; interested readers can try the implementation themselves.

2.1.2 Generic cross-process monitoring

Following that line of thought: since the read or write is cross-process, it must go through system APIs. If we work at the system-API level, don't we get a generic way to locate what a memory-modification cheat changes? In practice we found roughly four cross-process read/write paths; interested readers can practise with them, so the details are omitted here.

- process_vm_readv / process_vm_writev
- /proc/pid/mem
- /dev/mem (reads and writes the entire physical memory; rarely used by cheats)
- ptrace: PTRACE_PEEKDATA / PTRACE_PEEKTEXT, PTRACE_POKETEXT / PTRACE_POKEDATA

2.2 Scenario 2: Injection-style modification (virtual machines, multi-instance, Windows plus emulator)

If scenario 1 is a targeted breakthrough at fixed APIs, scenario 2 is much more complicated. The conventional approach is to locate the cheat module, unpack and decompile it, and combine that with dynamic debugging. For unprotected cheats this is still acceptable, but when the cheat module is heavily protected, working out the cheat's principle in roughly one day is hell-level difficulty and a severe test of the analyst's stamina and skill. This is the problem this article focuses on.

More than once I asked myself whether there was a better, more effective method. Fortunately, laziness paid off: after a period of exploration and thought I settled on a fairly practical scheme. The memory-honeypot analysis scheme is a generic one. It effectively solves the problem of locating the memory modifications made by injection cheats, and it also works for cross-process modifications, so it unifies the analysis of memory-modification cheats.

3. Memory Honeypot Principle

Before the principle, recall that a memory-modification cheat's first step is to search for and locate the target data, possibly through offsets and multi-level pointers; only its second step is the modification. Our goal is to locate the position and length of that modification. If we simply dump the process memory before and after the cheat acts and diff the two, the modification is certainly among the differences. But faced with a sea of changed locations, how do we determine which one the cheat actually modified? The problem therefore becomes precisely locating the modified memory, which is also where the name "memory honeypot" comes from.

The core of the memory-honeypot scheme is to monitor and compare memory before and after the cheat feature modifies it, carefully construct a memory layout with the specified relationships that mimics the pre-modification state, and lure the cheat into modifying the honeypot memory again when its feature is turned off and back on. Comparing the honeypot before and after then locates every memory location the cheat modified, together with the data before and after, which solves step one of the analysis approach.

For step two, restore the cheat's modifications one by one and test, which locates the effective memory locations and their before/after data.

3.1 Concepts

3.1.1 Structure range

For each memory modification the cheat generally locates the address by a feature search plus an offset, possibly through multi-level pointers. Each modification step therefore needs a structure range to be determined. Suppose the data at address 0x1000 is modified; we then construct the data from 0x900 to 0x1100, where 0x100 is the structure-range configuration value, and 4-byte alignment may be considered.

3.1.2 Pointer level

The default is 1 to 3 pointer levels, with at most 5 supported; the higher the level, the more memory is needed.

A global search is performed for the address range of the structure.

3.2 Honeypot Implementation Steps

3.2.1 Dump

Enumerate all memory modules of the game process and dump the memory of interest to disk as the original memory. Because the memory of a running process changes constantly, you can freeze some threads to narrow the honeypot's monitoring scope and, depending on the game type, selectively exclude some memory:

- memory unrelated to game logic, for example on Android the /dev, apk, dex, jar, dalvik mappings and other memory of the zygote process space
- system module memory
- monitor only the core game-engine module memory and the memory it allocates

3.2.2 Honeypot construction

After step one, enable the cheat feature; once the cheat has finished modifying memory, the honeypot can be constructed. During construction you may try freezing the game process to reduce interference from irrelevant modifications. Depending on how it is built, there are memory-safe honeypots and memory-destructive honeypots.

3.2.2.1 Memory-safe honeypot

Principle

Taking pointer level 2 and a structure range as an example:

[Figure: https://static001.geekbang.org/infoq/5e/5edca584d79a1e18b8de1c380816586f.png]

Implementation flow

Taking pointer level 2 and a structure range as an example:

1. Before enabling the cheat feature, dump all memory images listed in the maps file as imag0;
2. Based on the pointer level, filter the list of memory ranges to monitor;
3. After enabling the cheat feature, compare which locations in the monitored memory changed to form the modify1 list (address, original value, modified value); if a code segment was modified, only report the modified content and do not store it in modify1;
4. Pointer level 1: allocate memory and directly store the structure memory ranges related to the modify1 list;
5. Pointer level 2: in the imag0 image, search for pointers into the modify1 structure ranges to form the modify2 list (address, original value); allocate memory, directly store the structure memory ranges related to modify2, and fix up the pointers;
6. Pointer level 3: in the imag2 image, search for pointers into the modify1 structure ranges to form the modify3 list (address, original value); allocate memory, directly store the structure memory ranges related to modify3, and fix up the pointers;
7. Save the honeypots constructed above as image1 and release modify1, modify2 and modify3;
8. Turn the cheat feature off and on again, and compare which locations in the monitored honeypot memory changed; these are the memory locations the cheat actually modifies.

3.2.2.2 Memory-destructive honeypot

Principle

This approach has no multi-level pointer problem: every datum that points into the level-1 range is directly rewritten to an address inside the constructed honeypot. Disadvantage: it may crash the game or cause functional anomalies.

[Figure: https://static001.geekbang.org/infoq/33/333279eed1629aafb7cdc92c29c29f3e.png]

Implementation flow

Taking pointer level 2 and a structure range as an example; compared with the memory-safe honeypot, the flow is greatly simplified.

1. Before enabling the cheat feature, dump all memory images listed in the maps file as imag0;
2. Based on the pointer level, filter the list of memory ranges to monitor;
3. After enabling the cheat feature, compare which locations in the monitored memory changed to form the modify1 list (address, original value, modified value);
4. Pointer level 1: allocate memory and directly store the structure memory ranges related to the modify1 list;
5. Search the process address space for the modify1 structure address ranges; wherever there is a hit, replace it with the corresponding address in the honeypot;
6. Save the honeypots constructed above as image1;
7. Turn the cheat feature off and on again, and compare which locations in the monitored honeypot memory changed; these are the memory locations the cheat actually modifies.

3.2.3 Computing the difference

Once the honeypot is constructed, turn the cheat feature off and on again. Because the previous step built multi-level memory images of all newly modified memory according to the memory changes observed before and after enabling the cheat, the honeypot memory is also found by the cheat's search and modified when the feature is re-enabled.

Comparing the dumped image with the honeypot's current memory locates all honeypot locations modified by the cheat, which in turn maps back to the start addresses in the original game process that the cheat modified, and to the data before and after.

3.2.4 Filtering effective memory

Take all original modification locations found in step three and restore them one at a time, testing whether the cheat feature still works, to pinpoint the effective modification locations.

4. Closing Remarks

The honeypot principle and implementation are not complicated; the difficulty lies in controlling the honeypot's memory footprint. In practice one must manage the structure range, the multi-level pointer depth and performance. Owing to time pressure and confidentiality, it is hard to present the whole scheme in full detail; please bear with the omissions, and criticism and discussion are welcome.

Reposted from: 字節跳動技術團隊 (ID: toutiaotechblog)
Original link: https://mp.weixin.qq.com/s/eDyjKWm90r-CnxqhLOmSFQ (揭祕手遊外掛:基於內存蜜罐的內存修改掛分析技術)
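Section 2.1.2 lists the four cross-process read/write routes a cheat can take and suggests monitoring them at the system-API level. The following is an added example, not the article's or 無恆實驗室's code: it parses constructed strace-style lines (not a real capture) and turns each write route into an event with the target pid, address and length, so the writes can be attributed to the game process; read-only calls such as PTRACE_PEEKDATA and process_vm_readv are ignored because the goal is to locate modifications. The fd-to-path tracking, the event names, and the 8-byte POKE word size are this example's assumptions.

```python
"""Attributing cross-process writes from strace-style output (section 2.1.2)."""
import re
from dataclasses import dataclass
from typing import Optional

PTRACE_WORD = 8        # assumption: 64-bit tracee, one POKE writes one 8-byte word

# Constructed strace-style lines (not a real capture); "\\x.." keeps strace's escaping.
TRACE = [
    'openat(AT_FDCWD, "/proc/4321/maps", O_RDONLY) = 4',
    'close(4) = 0',
    'openat(AT_FDCWD, "/proc/4321/mem", O_RDWR) = 5',
    'pwrite64(5, "\\x0f\\x27\\x00\\x00", 4, 0x12345008) = 4',
    'close(5) = 0',
    'process_vm_writev(4321, [{iov_base=0x7ffd1000, iov_len=4}], 1, '
    '[{iov_base=0x12345010, iov_len=4}], 1, 0) = 4',
    'ptrace(PTRACE_PEEKDATA, 4321, 0x12345018, [0x64]) = 0',
    'ptrace(PTRACE_POKEDATA, 4321, 0x12345018, 0x270f) = 0',
    'openat(AT_FDCWD, "/dev/mem", O_RDWR) = 6',
    'pwrite64(6, "\\x00", 1, 0x1000) = 1',
]

RE_OPENAT = re.compile(r'openat\(\w+, "(?P<path>[^"]+)"[^)]*\) = (?P<fd>\d+)$')
RE_CLOSE = re.compile(r'close\((?P<fd>\d+)\) = 0$')
RE_PWRITE = re.compile(r'pwrite64\((?P<fd>\d+), "(?:[^"\\]|\\.)*", (?P<len>\d+), '
                       r'(?P<off>0x[0-9a-fA-F]+|\d+)\) = (?P<ret>-?\d+)$')
RE_VMWRITE = re.compile(r'process_vm_writev\((?P<pid>\d+), \[.*?\], \d+, '
                        r'\[(?P<remote>.*?)\], \d+, \d+\) = (?P<ret>-?\d+)$')
RE_IOV = re.compile(r'iov_base=(0x[0-9a-fA-F]+), iov_len=(\d+)')
RE_POKE = re.compile(r'ptrace\(PTRACE_POKE(?:DATA|TEXT), (?P<pid>\d+), '
                     r'(?P<addr>0x[0-9a-fA-F]+), [^)]*\) = 0$')
RE_PROC_MEM = re.compile(r'^/proc/(\d+)/mem$')


@dataclass(frozen=True)
class WriteEvent:
    path: str            # which of the four routes was used
    pid: Optional[int]   # None for /dev/mem (physical memory, no target pid)
    addr: int            # target virtual address (physical offset for /dev/mem)
    length: int


def parse_trace(lines):
    """Track open fds so pwrite64 can be attributed to /proc/<pid>/mem or /dev/mem,
    and turn every write route into a WriteEvent, in trace order."""
    fds, events = {}, []
    for line in lines:
        line = re.sub(r'^\[pid\s+\d+\]\s*', '', line.strip())   # strip strace -f prefix
        if m := RE_OPENAT.search(line):
            fds[int(m['fd'])] = m['path']
        elif m := RE_CLOSE.search(line):
            fds.pop(int(m['fd']), None)
        elif (m := RE_PWRITE.search(line)) and int(m['ret']) > 0:
            path = fds.get(int(m['fd']), '')
            pm = RE_PROC_MEM.match(path)
            if pm:
                events.append(WriteEvent('proc_pid_mem', int(pm[1]), int(m['off'], 0), int(m['ret'])))
            elif path == '/dev/mem':
                events.append(WriteEvent('dev_mem', None, int(m['off'], 0), int(m['ret'])))
        elif (m := RE_VMWRITE.search(line)) and int(m['ret']) > 0:
            # one syscall may carry several remote iovecs; each is a separate write
            for base, length in RE_IOV.findall(m['remote']):
                events.append(WriteEvent('process_vm_writev', int(m['pid']), int(base, 16), int(length)))
        elif m := RE_POKE.search(line):
            events.append(WriteEvent('ptrace_poke', int(m['pid']), int(m['addr'], 16), PTRACE_WORD))
    return events


def writes_to(events, pid):
    """Only the writes that landed in the game process with the given pid."""
    return [e for e in events if e.pid == pid]
```

Each event's address is a candidate for the modify1 list of section 3: the trace tells you where the cheat wrote and how many bytes, and the honeypot or a before/after dump supplies the old and new values.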
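Sections 3.1 and 3.2.2.1 describe the memory-safe honeypot as a procedure (dump, diff to get modify1, copy the structure ranges, find level-2 pointers, fix them up, re-enable the cheat and diff the honeypot). The code below is an added example that simulates that whole procedure on constructed in-memory images; it is not 無恆實驗室's tool. The "process" is a dict of region base to bytearray standing in for the ranges of /proc/<pid>/maps, `toy_cheat` is a constructed stand-in that feature-searches for a signature and patches a field, and the 32-bit little-endian pointer size, the symmetric structure window and the honeypot base address are this example's assumptions.

```python
"""Memory-safe honeypot pipeline (section 3.2.2.1) simulated on constructed images."""
import struct
from dataclasses import dataclass

WORD = 4
PTR = struct.Struct("<I")        # assumption: 32-bit little-endian target process
SIG = b"PLYR"                     # constructed: signature the stand-in cheat searches for


@dataclass(frozen=True)
class Modification:
    addr: int
    old: bytes
    new: bytes


def make_process():
    """Constructed 'process': region base -> bytearray (stands in for the maps ranges)."""
    heap = bytearray(0x200)                 # region at 0x10000
    heap[0x80:0x84] = SIG                   # player object at 0x10080
    PTR.pack_into(heap, 0x84, 7)            # +4: level
    PTR.pack_into(heap, 0x88, 100)          # +8: hp, the value the cheat patches
    table = bytearray(0x40)                 # region at 0x20000: global pointer table
    PTR.pack_into(table, 0x10, 0x10080)     # g_player -> player object (level-2 pointer)
    return {0x10000: heap, 0x20000: table}


def toy_cheat(process, new_hp=9999):
    """Constructed stand-in for the cheat: feature search for SIG, then patch hp at +8."""
    for data in process.values():
        idx = data.find(SIG)
        while idx != -1:
            PTR.pack_into(data, idx + 8, new_hp)
            idx = data.find(SIG, idx + 1)


def diff_images(img0, img1, width=WORD):
    """Steps 3 and 8: word-wise compare, returning (addr, old, new) for every change."""
    mods = []
    for base, old in img0.items():
        new = img1[base]
        for off in range(0, len(old), width):
            a, b = bytes(old[off:off + width]), bytes(new[off:off + width])
            if a != b:
                mods.append(Modification(base + off, a, b))
    return mods


def struct_range(addr, size):
    """Section 3.1.1 structure range; the symmetric window is this example's assumption."""
    return addr - size, addr + size


def find_pointers(image, lo, hi):
    """Section 3.1.2: global search for aligned words that point into [lo, hi)."""
    hits = []
    for base, data in image.items():
        for off in range(0, len(data) - WORD + 1, WORD):
            (v,) = PTR.unpack_from(data, off)
            if lo <= v < hi:
                hits.append((base + off, v))
    return hits


def read_range(image, lo, hi):
    """Bytes [lo, hi) gathered from whichever regions cover them; gaps stay zero."""
    out = bytearray(hi - lo)
    for base, data in image.items():
        s, e = max(lo, base), min(hi, base + len(data))
        if s < e:
            out[s - lo:e - lo] = data[s - base:e - base]
    return out


def build_honeypot(img0, modify1, size, hp_base):
    """Steps 4-7, pointer level 2. Returns (honeypot bytes, honeypot addr -> original addr)."""
    hp, hp_to_orig = bytearray(), {}

    def place(chunk, orig_lo):
        addr = hp_base + len(hp)
        hp.extend(chunk)
        for off in range(0, len(chunk), WORD):
            hp_to_orig[addr + off] = orig_lo + off
        return addr

    for m in modify1:
        lo, hi = struct_range(m.addr, size)
        copy_addr = place(read_range(img0, lo, hi), lo)       # level 1: pre-cheat bytes from imag0
        for ptr_addr, target in find_pointers(img0, lo, hi):   # level 2: who referenced it?
            p_lo, p_hi = struct_range(ptr_addr, size)
            chunk = read_range(img0, p_lo, p_hi)
            PTR.pack_into(chunk, ptr_addr - p_lo, copy_addr + (target - lo))  # pointer fixup
            place(chunk, p_lo)
    return hp, hp_to_orig


def run_pipeline(size=0x20, hp_base=0x7F000000):
    """Whole flow; returns (honeypot hits mapped back to original addresses, modify1)."""
    proc = make_process()
    img0 = {b: bytearray(d) for b, d in proc.items()}   # 1: dump before enabling the cheat
    toy_cheat(proc)                                      # enable the cheat feature
    modify1 = diff_images(img0, proc)                    # 3: modify1 list
    hp, hp_to_orig = build_honeypot(img0, modify1, size, hp_base)   # 4-7
    proc[hp_base] = hp
    image1 = bytearray(hp)                               # 7: save the honeypot as image1
    toy_cheat(proc)                                      # 8: cheat off and on again
    hits = diff_images({hp_base: image1}, {hp_base: proc[hp_base]})
    return [(hp_to_orig[m.addr], m.old, m.new) for m in hits], modify1
```

On the constructed process the first diff yields one change at 0x10088 (hp 100 to 9999), the honeypot receives a copy of the 0x10068..0x100A8 window plus a copy of the pointer-table window with g_player redirected into the honeypot, and when the stand-in cheat runs again only the honeypot copy of hp changes, which maps straight back to 0x10088. Because the game's own memory keeps changing between the two passes, diffing only the frozen honeypot region is what makes the second diff precise.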