Research On Attack And Detection Algorithm And Its Application Based On Reverse Engineering

Posted on: 2022-10-27
Degree: Master
Type: Thesis
Country: China
Candidate: W J Yu
GTID: 2518306524993809
Subject: Master of Engineering

Abstract/Summary:
At present, reverse analysis of games and the development of plug-in programs to attack and to detect illegal behaviors have become key issues in the field of game security. Attacks need to be based on data, and analysis of that data faces the problem that the plaintext call is difficult to find; detection needs to be considered from different angles and starting points. However, there are still deficiencies in detecting DLL injection by modification of the PE import table and in detecting the malicious behaviors of plug-in programs at runtime. Therefore, this thesis studies attack and detection algorithms based on reverse engineering, and designs and implements an attack and detection software system that can be used in online games. The main contributions are as follows:

(1) A method for reverse analysis of plaintext calls in online games is proposed. By setting breakpoints on the outgoing function, the packet contents can be analyzed for write operations, or the packet length can be tracked. During reverse tracing, interrupting or monitoring can be chosen flexibly according to whether protection is triggered. When analyzing the upper function, the analysis point can be changed according to the change law of the packet data, the address appearing in the instruction, and when the content contained changes. Experimental results show that the proposed method can analyze the plaintext calls of different online games and quickly obtain the addresses of other function calls based on the plaintext call.

(2) An algorithm for mining the internal call path of a function is proposed. It mainly addresses the case where a certain API function fails because a sub-API it calls internally is hooked. To bypass the hook, the complete path by which the sub-API is called inside the API must be known, so that it can be bypassed from the upper layer.

(3) A detection algorithm for DLL injection by modification of the PE import table and a detection algorithm for hidden malicious behavior while the plug-in is running are proposed. The former is divided into two detection strategies, a normal detection algorithm based on the legal scope and a deep detection algorithm based on exception backtracking, which detect the injected DLL from static and dynamic perspectives. The latter targets the situation where the plug-in program is already fully running and the game's own protection measures contain no detection of malicious behavior; a malicious behavior detection algorithm is proposed from this perspective. The experimental results show that the algorithms can effectively detect the DLL injected by modifying the PE import table and the malicious behavior of the plug-in at runtime, and output warning prompts.
Keywords/Search Tags: reverse engineering, game security, attack, detection