THE STUDY OF BOT TECHNOLOGY FOR ONLINE GAMES. Authors: Chun Wu, Guo-hun Zhu, Yong-hua Wu , Rong Xiang Source: International Conference on Genetic and Evolutionary Computing 2009, Page 654-656, Oct. 2009 Presented by Chao-Chuan Chen 2010/08/05.
Outline
• Introduction
• The Type of Bot
• Bot Realization Principle
• Bot System
• DLL Inject Technology
• Anti-global Hook Technology
• Anti-Hook API Technology
• Conclusions
Introduction
• As online games become increasingly prevalent, bot making has become established because a large number of PC online game players strongly demand bots.
• The harm caused by bots can be divided into harm to the game, harm to the players and harm to society.
The Type of Bot
• (1) Action type.
• (2) Local modification type.
• (3) Packet type.
Bot Realization Principle
Step 1: Disassemble the game's virtual memory to find the data addresses.
Step 2: Find the functions in the game code that can be called.
Step 3: Inject the function (thread technology or hook technology).
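Bot System
[Figure: block diagram with the Bot, a DLL inside the game's virtual address space, the game client and the game server; the connections are labelled "Hook inject", "Send message", "Call", "Send" and "Receive".]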
DLL Inject Technology
• A DLL (dynamic-link library) file is the basis of Windows components.
• SetWindowsHookEx.
• CreateRemoteThread.
Anti-global Hook Technology (1/3)
• The system cannot call the function LoadLibrary.
• If the return address of the function LoadLibrary is in the user32.dll address space.
• We provide a new function named newLoadLibraryExW to replace the function LoadLibraryExW.
Anti-global Hook Technology (2/3)
Program A:
    call LoadLibraryExW
LoadLibraryExW:
    push 34h
    push 7C80E288h
    call 7C8024CB
Anti-global Hook Technology (3/3)
Program A:
    call LoadLibraryExW
LoadLibraryExW:
    load + 0:  jmp newLoadLibraryExW
    load + 5:  80 7C
    load + 7:  call 7C8024CB
newLoadLibraryExW:
    do something
    call fakeLoadLibraryExW
fakeLoadLibraryExW:
    fake + 0:  push 34h
    fake + 2:  push 7C80E288h
    fake + 7:  jmp LoadLibraryExW + 7
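Anti-hook API Technology (1/2)
    hLib = GetModuleHandle("MyDll");
    pFun = GetProcAddress(hLib, "MyFun");
    pFun = GetProcAddress(hLib, "...");
    /* the export must resolve to an address inside the module's own code */
    if ((LPBYTE)pFun < (LPBYTE)hLib || (LPBYTE)pFun > ((LPBYTE)hLib + codesize)) { ...// }
    LPBYTE pByte = (LPBYTE)pFun;
    /* 0xE9 is the opcode of jmp rel32 at the start of the function */
    if (*pByte == 0xE9) { ...// }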
Anti-hook API Technology (2/2)
    /* Check 1: the export address lies inside the module */
    hLib = GetModuleHandle("MyDll");
    pFun = GetProcAddress(hLib, "MyFun");
    if ((LPBYTE)pFun < (LPBYTE)hLib || (LPBYTE)pFun > ((LPBYTE)hLib + codesize)) { ...// }
    ----------------------------------------------
    /* Check 2: the function does not start with a jmp (0xE9) */
    hLib = GetModuleHandle("MyDll");
    pFun = GetProcAddress(hLib, "...");
    LPBYTE pByte = (LPBYTE)pFun;
    if (*pByte == 0xE9) { ...// }
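The two checks on these slides, as an added example that is not code from the paper or the presentation: it runs them over a constructed byte buffer instead of a loaded DLL, so `base`/`codesize` stand in for `hLib`/`codesize` and `fn` for `pFun`. It goes one step beyond the slide by decoding the `jmp rel32` operand, because a jump that stays inside the module (such as a linker jump thunk) would otherwise be reported as a hook; the verdict names and the sample image are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Verdict names are hypothetical, chosen for this example. */
enum verdict { CLEAN, EXPORT_OUTSIDE_MODULE, JMP_LEAVES_MODULE };

/* base/codesize stand in for hLib/codesize on the slide, fn for pFun. */
static enum verdict check_function(const uint8_t *base, size_t codesize,
                                   const uint8_t *fn)
{
    uintptr_t b = (uintptr_t)base, f = (uintptr_t)fn;

    /* Check 1 (slide): the resolved address must lie inside the module. */
    if (f < b || f >= b + codesize)
        return EXPORT_OUTSIDE_MODULE;

    /* Check 2 (slide): a first byte of 0xE9 is the opcode of jmp rel32. */
    size_t off = (size_t)(f - b);
    if (fn[0] != 0xE9)
        return CLEAN;
    if (codesize - off < 5)
        return JMP_LEAVES_MODULE;   /* operand cut off: cannot be verified */

    /* Added refinement: decode the little-endian rel32 and compute the
       target offset; a jmp that stays inside the module is not reported. */
    uint32_t raw = (uint32_t)fn[1] | (uint32_t)fn[2] << 8 |
                   (uint32_t)fn[3] << 16 | (uint32_t)fn[4] << 24;
    int64_t target = (int64_t)off + 5 + (int32_t)raw;
    if (target >= 0 && (uint64_t)target < codesize)
        return CLEAN;
    return JMP_LEAVES_MODULE;
}

/* Constructed 64-byte "module image" used as sample input. */
static const uint8_t image[64] = {
    [0x10] = 0x55, 0x8B, 0xEC,               /* push ebp; mov ebp, esp */
    [0x20] = 0xE9, 0x0B, 0x00, 0x00, 0x00,   /* jmp to offset 0x30     */
    [0x30] = 0xE9, 0x00, 0x10, 0x00, 0x00,   /* jmp to offset 0x1035   */
};
static const uint8_t outside[1] = { 0xC3 };  /* address not in the image */

int main(void)
{
    printf("%d %d %d %d\n",
           check_function(image, sizeof image, image + 0x10),
           check_function(image, sizeof image, image + 0x20),
           check_function(image, sizeof image, image + 0x30),
           check_function(image, sizeof image, outside));
    return 0;
}
```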
Conclusions
• This method can successfully prevent the process from being hooked, because the system cannot call the function LoadLibrary.
• But as long as the bot designer finds out the key technology of the anti-bot system……
• Therefore, the anti-bot system must start from the larger aspects, such as the system that the consumers use, the consumers' qualities, the rule of law and so on.