Welcome to visit netease Cloud Community to learn more about Netease’s technical product operation experience.
Mobile games plug-in invasion
With the popularity of various popular mobile games, the proportion of mobile games in the current user has formed a huge market, there is a fierce competition in the market, there are PC versions ported to mobile phones, and there are new mobile games launched. With the expansion of the market, in addition to the rise and growth of the mobile game industry, also spawn a variety of mobile game plug-in industries.
Now popular mobile game plugins on the market, in general, including the analog touch class, accelerator, modifier, based on these plugins cover the function, can achieve the current vast majority of plugins ability, such as automatic upgrade to do tasks, unlimited blood, gold set, game speed and so on; In addition to the method with commonly used these tools to the party, some joined “professionals”, according to different games have different practices, generally can be summarized into the following means of cracking, injection Hook game related logic function, the debugging process, static tampering with resource files and code logic, etc., these operations require the relevant professional knowledge, It involves operations such as reverse, repackage, and unpacking, through which plug-ins with more customized functions can be realized. Here are two typical cases of mobile game protection.
Hack the game download store
(1) Case introduction
The case is a professional team, they are responsible for the cracking game, the game into their accelerators such as plug-in, then heavy package uploaded to their app store, players need to download their app store, only need to find the game, after installation into bringing various plugins to play games, unimpeded. When entering the game interface, there will be an auxiliary plug-in window, which provides acceleration and deceleration function. Therefore, it is necessary to deeply analyze the principle of implantation and find the implementation of acceleration and deceleration.
Store page display
(2) Case principle analysis
After further analysis, the game starts loading several new dynamic libraries, including libsubstrate. So, which is a well-known Hook framework. The analysis then finds two methods that it uses to export libmono.so by calling the Inline Hook framework. Hook method mono source code reference as follows:
Mono_class_from_name is a function that mono will pass when parsing DLL methods. After Hook this function, before calling it, judge the parameter name and namespace. The unityEngine.time. set_timeScale method is finally obtained by calling mono_class_get_method_from_name, which sets the gametime flow rate.
Hook code (IDA decompilation) :
The second hook function mono_runtime_invoke is used to call this method, pass in the set parameters, and change the setting of the game time flow rate to achieve the role of accelerator.
Hook code (IDA decompilation) :
Plug-in interface service provider
(1) Case introduction
Increased with the rise of the mobile game market, external and external market traders seem to realize the plugin developers are also a lot of flood, the vast majority are able to write the script development plugins, they set out to the underlying merchants, through to find the “professionals” of development of the underlying framework, provide interfaces for the upper developers call, betray the implementation of logic.
A plug-in framework is introduced
In recent customer feedback, a game came across a plugin customized to the framework class, which allows the plugin author to implement a set of automated click-through scripts without human intervention. The implementation of this kind of way, the underlying in-depth principle of the implementation of the package, and finally in the form of API provided to players, players only need a certain programming basis can master the secondary development.
(2) Case principle analysis
After in-depth analysis of the framework software, it was found that it started an executable file (/data/data/my.apk/app_data/input) suspected as input with ROOT permission, and extracted the executable file from this path for analysis. It found that it executed a file called input.jar using the app_process command.
Below is the pseudo-code parsed by IDA for your reference.
Use the tool to open the JAR package to check, the code is not confused, it is easy to find the key implementation function (the specific implementation principle can refer to “Android simulation click class software implementation principle exploration”, here mentioned the same implementation method) :
Through the JAR package to achieve the simulation of click, and the upper layer using socket and other processes to communicate, the user through lua script control code logic, the whole framework process is roughly like this.
Mobile games plug-in auxiliary industry chain rise
Case introduced
Received feedback from some of the games, found his hands to swim external auxiliary budding industry has been in a dark corner, these places may come from QQ group, post bar, BBS, a treasure, and so on, through teaching tools plugins using method of them to achieve purpose, have implemented by deciphering the tamper with the game code logic, even offer framework API calls.
QQ group search search
Cracked versions are sold online
It can be seen that from Q group to Taobao, both tool-party and professionals are beginning to start in the mobile game market and want to gain benefits in this market. From relevant games, we know that different games have more or less customized plug-ins.
In constantly and defend against a plugin, netease cloud yi dong has been strengthening our mobile game reinforcement products against external features, summarizes the characteristics of the different plugins and attack means, over to known plugins to resist function, and introduced the function of perception of the new plugins, do keep tapping in, proving inconclusive, new plugins system, in addition to the awareness of new plugins, There are users, equipment models, plug-in types and detailed characteristics of the use of plug-in positioning, better to malicious users for evidence and cleaning. You can try it for free.
FUI- How many steps are I still away from Iron Man? Introduction to the Crawler Python Toolkit (3)