How to do the game plug-in?
2022-07-25 08:38:00 【Locke Lee】
Reprinted from: Anti-Cheat Expert Game security expert
In depth: what game plug-ins are, their types, and how they are implemented
As many followers know, I have previously written several articles on game AI. Those articles mainly used in-game data to train a game AI to predict the enemy's state, so that the AI learns what to do next in real-time combat.
https://mp.weixin.qq.com/s/_SzK8FTITuZz8uW_UH__GA
However, that approach usually needs a large amount of game data to feed to the model for training, so developing such a game AI plug-in has a certain cost. To help readers understand how everyday plug-ins are made, I have written this explainer on game plug-ins.
1. What is a game plug-in
A plug-in (cheat) originally referred to any tool or cracked version used to tamper with the normal data and logic of a game program. Examples are memory modifiers, which change the game's in-memory data, and packet capture tools, which modify network packets. Plug-ins of this kind affect, to a greater or lesser degree, the game's memory data, file data, network data, or even its code logic.
As the plug-in market developed, however, other malicious variants emerged that do not affect game data or logic, for example offline hanging, simulators (emulators) and script wizards.
Offline hanging is an illegal client that the plug-in author develops independently after reverse engineering the game protocol; it saves players a lot of time and lets them run many game instances at once. A simulator lets players play mobile games on a PC, which gives a better control environment in genres such as FPS and so helps players beat their opponents unfairly. A script wizard records and replays player behaviour and responds to game events, automatically farming gold and experience. These newer plug-ins share one trait: they deceive the game server by faking the client, the device, or the operator.
2. Classification and implementation principle of plug-ins
A large number of plug-in samples for mobile games have appeared on the market. By their characteristics they can be sorted into the classification shown in the figure below.
In general, plug-ins fall into two categories: auxiliary plug-ins and cracked versions. The core difference between the two is whether they depend on the game client. Auxiliary plug-ins have to run together with the game client; a cracked version is an illegal client that runs on its own.
2.1 Auxiliary plug-in
An auxiliary plug-in depends on the game client and cannot work alone. By scope of action, auxiliary plug-ins are divided into two subcategories: special plug-ins and general tools.
Implementation principle:
An auxiliary plug-in builds on the game client and modifies game data dynamically at run time.
2.2 Special plug-ins
Special plug-ins target specific games only; they are customized plug-ins. Their form depends on the platform: an SO (shared object) on Android and a dylib on iOS. Such a tool bundles plug-in functions for a number of Android mobile games and injects a different SO for each game to implement the plug-in function.
Similar aids have also appeared on iOS, injecting a different dylib for each of many popular mobile games to achieve functions such as invincibility and instant kills. Special plug-ins of this kind are more flexible: their functions can generally be switched on or off at any time.

Implementation principle:
Special plug-ins are customized: each one targets a single game. As the name suggests, they are implemented as plug-ins: injection is used to load a functional module into the game's process space and run the module's entry function. Once injected into the game process, the module performs HOOK operations to implement the plug-in function.
At the assembly level, a HOOK operation can be understood as placing a jump instruction at a specific code address so that execution is redirected to a function defined by the plug-in author.
Special plug-ins can therefore modify the game's code logic very flexibly: instant kills by calling the monster's HP deduction function many times, and invincibility by blocking the player's HP deduction function.
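Because a hook of this kind rewrites code bytes at a function's entry, a protection component can detect it by comparing each sensitive function against a baseline taken from the shipped binary. The following is an added example, not code from the original article; the byte strings are constructed samples and the function names are hypothetical.

```python
import hashlib

# Constructed sample: first 16 bytes of a hypothetical x86-64 game function
# (push rbp; mov rbp, rsp; sub rsp, 0x20; ...).
CLEAN = bytes.fromhex("554889e54883ec20897dfc8975f88b45")
# The same bytes after the first five were overwritten with `jmp rel32` (0xE9).
PATCHED = bytes.fromhex("e9fbef0f00") + CLEAN[5:]
# Constructed ARM64 words: `stp x29, x30, [sp, #-16]!` and `b #0x1000`.
ARM64_CLEAN = bytes.fromhex("fd7bbfa9")
ARM64_PATCHED = bytes.fromhex("00040014")


def digest(code: bytes) -> str:
    """Baseline fingerprint, recorded from the shipped binary at build time."""
    return hashlib.sha256(code).hexdigest()


def starts_with_jump(code: bytes, arch: str) -> bool:
    """Heuristic: is the first instruction an unconditional branch?"""
    if arch == "x86":
        # E9 = jmp rel32, EB = jmp rel8, FF 25 = jmp through a memory pointer
        return code[:1] in (b"\xe9", b"\xeb") or code[:2] == b"\xff\x25"
    if arch == "arm64":
        word = int.from_bytes(code[:4], "little")
        return (word & 0xFC000000) == 0x14000000  # B <imm26>
    raise ValueError(f"unsupported arch: {arch}")


def check_function(code: bytes, expected: str, arch: str) -> list[str]:
    """Return findings for one function; an empty list means it looks intact."""
    findings = []
    if digest(code) != expected:
        findings.append("hash-mismatch")   # authoritative signal
    if starts_with_jump(code, arch):
        findings.append("entry-jump")      # hint only: thunks also start with jmp
    return findings


if __name__ == "__main__":
    base = digest(CLEAN)
    print(check_function(CLEAN, base, "x86"))
    print(check_function(PATCHED, base, "x86"))
```

The hash comparison is the signal to act on; the entry-jump heuristic only helps triage, since compilers and linkers also emit functions that legitimately begin with a jump.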
2.3 General tools
As the name suggests, general tools work against all games and provide generic functions.
Implementation principle:
Tools of this kind depend on the platform or the game engine, not on a particular game, so they provide plug-in functions that work across games.
2.4 Memory modifier
Used to search for and modify game memory data; more mainstream on the Android platform. Players usually take an exact value shown in the game panel, search for it with the modifier, then repeat the search and filter as the value changes until the attribute's location in memory is found, and modify it directly to an exaggerated value.
Later variants also appeared, such as fuzzy search, which searches only by whether the data became larger or smaller, and encrypted search, which can counter simple encryption (XOR encryption, etc.). The common plug-in function of such modifiers is to change character attributes to achieve instant kills, invincibility, and so on.

Implementation principle:
In essence, a memory modifier reads and writes the memory of a specified process. Its implementation technique lies mainly in how it reads and writes the game's memory data.
2.5 Speed changer (transmission)
The main function of a speed-changer plug-in is to speed up the pace of the game to save the player time, or to slow the game down to make it easier to play. It affects the update frequency of game frames, enabling functions such as faster stage clearing and slowing down to dodge skills. A common use is in matches: with acceleration switched on, the protagonist and the monster AI attack faster, so the battle ends quickly.
Implementation principle:
A game normally renders its picture frame by frame, and while doing so it computes the time needed for each frame of animation (that is, the interval between two consecutive frames). To compute each frame update, the game calls a C library function to obtain the system time.
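Since frame timing depends on a clock read on the client, a server can cross-check it against its own clock. The following is an added example, not code from the original article: it assumes a hypothetical heartbeat message in which the client reports its elapsed game time, and the sample heartbeats are constructed.

```python
from dataclasses import dataclass


@dataclass
class Heartbeat:
    client_ms: int  # elapsed time the client reports from its own clock
    server_ms: int  # server monotonic clock when the heartbeat arrived


def clock_ratio(beats: list[Heartbeat]) -> float:
    """Client-elapsed / server-elapsed over the window (1.0 = clocks agree)."""
    client = beats[-1].client_ms - beats[0].client_ms
    server = beats[-1].server_ms - beats[0].server_ms
    if server <= 0:
        raise ValueError("window has no server-side duration")
    return client / server


def classify(beats, tolerance=0.10, min_window_ms=5000) -> str:
    """Judge a window of heartbeats; short windows are too noisy to judge."""
    if len(beats) < 2:
        return "insufficient-data"
    if beats[-1].server_ms - beats[0].server_ms < min_window_ms:
        return "insufficient-data"
    ratio = clock_ratio(beats)
    if ratio > 1 + tolerance:
        return "accelerated"
    if ratio < 1 - tolerance:
        return "slowed"
    return "normal"


# Constructed samples: one heartbeat per second of server time.
JITTER = [0, 12, 5, 30, 8, 15, 3]                          # network delay in ms
NORMAL = [Heartbeat(i * 1000, i * 1000 + j) for i, j in enumerate(JITTER)]
FAST = [Heartbeat(i * 2000, i * 1000) for i in range(7)]   # client clock at 2x
SLOW = [Heartbeat(i * 500, i * 1000) for i in range(7)]    # client clock at 0.5x
SHORT = NORMAL[:3]                                         # only ~2 s of data

if __name__ == "__main__":
    for name, beats in [("normal", NORMAL), ("fast", FAST), ("slow", SLOW)]:
        print(name, round(clock_ratio(beats), 3), classify(beats))
```

The tolerance and window length are tuning assumptions; network jitter shifts individual arrival times, which is why the ratio is taken over several seconds rather than per heartbeat.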
2.6 Key wizard
Simulates user key presses. The simple version records a fixed key sequence and replays it in a loop; later versions can recognize images and trigger specific keys in response. It is common in mobile games with many repetitive operations such as farming. For example, in an airplane game, the key wizard can move the plane at random to farm dungeons for gold and experience.
Implementation principle:
It calls system APIs to send a specific sequence of operations that simulates user key presses. The implementation is closely tied to the system, because it works by sending input events through the corresponding system API to simulate global key presses.
2.7 Simulator
Lets players run mobile games on a PC; such tools run on the PC side. Because a PC's mouse and keyboard give good control, these tools are used in FPS or fighting mobile games. In FPS games the player can swing the view quickly to aim and shoot; in fighting mobile games the player can move nimbly and release combos.
Implementation principle:
The core of a PC simulator is based on VirtualBox simulating the Android system; it can directly simulate Android on the x86 architecture.
Packet capture tools
Used to intercept the game's uplink and downlink packets, which can then be tampered with, retransmitted, or discarded. For games without protocol encryption, this kind of tool is more harmful. For example, one fighting game sent character attribute packets in clear text; once players discovered this, they directly changed the corresponding attribute to a larger value and obtained an instant-kill function.
These tools mainly exploit flaws in the game protocol: on the one hand, whether the protocol content is encrypted; on the other hand, whether the protocol design has logic flaws (whether retransmitting or discarding packets produces a plug-in function).
Implementation principle:
In essence these are network packet editors. One type of implementation is hardware-based, for example putting the network card into promiscuous mode so that packets can be intercepted; the other uses HOOK to intercept send- and recv-type functions and obtain the network packets.
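The three manipulations named above (tampering, retransmission, discarding) can each be made visible to the server by authenticating every packet together with a sequence number. The following is an added example, not code from the original article: it assumes a per-session key already shared between client and server, the packet layout and names are hypothetical, and the payloads are constructed.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 output size


def seal(key: bytes, seq: int, payload: bytes) -> bytes:
    """Client side: 8-byte big-endian sequence number + payload + tag."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SessionVerifier:
    """Server side: checks integrity first, then ordering."""

    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def accept(self, packet: bytes):
        if len(packet) < 8 + TAG_LEN:
            return ("reject", "too-short")
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return ("reject", "bad-mac")       # payload or seq was modified
        (seq,) = struct.unpack(">Q", body[:8])
        if seq < self.next_seq:
            return ("reject", "replay")        # retransmitted old packet
        status = "ok" if seq == self.next_seq else "gap"  # gap: packets missing
        self.next_seq = seq + 1
        return (status, body[8:])


def demo():
    key = b"constructed-demo-session-key-001"  # constructed, not a real key
    server = SessionVerifier(key)
    p0 = seal(key, 0, b'{"hp":100}')
    p1 = seal(key, 1, b'{"atk":25}')
    p3 = seal(key, 3, b'{"gold":5}')           # packet 2 was discarded in transit
    tampered = p1[:8] + b'{"atk":99}' + p1[-TAG_LEN:]
    return [server.accept(p) for p in (p0, tampered, p1, p1, p3)]


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A tag like this covers changes made in transit only, and it does not hide the content. A module hooked in front of send inside the game process sees the data before it is sealed, so the server still has to validate the values themselves.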
2.8 Cracked versions
A cracked-version plug-in is essentially an illegal client. The common ones fall into two categories: offline hanging and lightly modified cracked versions.
Offline hanging is a game client that the plug-in author develops independently, based on analysis of the game protocol. Such a client can usually be used for functions such as running many instances and farming dungeons directly, and the profits are huge. Studios have a great demand for this kind of plug-in.
Damaged cracked versions: the term "damaged" is used here because this kind of cracked version is based on modifying the genuine client. It is less flexible than an auxiliary plug-in: generally each cracked version enables one kind of plug-in function, which cannot be switched off during the game.

Implementation principle:
A cracked version is a standalone game client that has been statically modified in advance. The offline hanging mentioned earlier was popular on PC client games for a while. Once the plug-in author has reverse analysed the game's network protocol, they can write their own independent third-party client. This kind of plug-in is technically more difficult, chiefly in the reverse analysis of the game protocol.
The other kind is a cracked version made by modifying the game client. It can be classified by which client data is modified: logic code or data resources.
Analysis and debugging: the effect of this approach is the same as that of the substitution method, but the function of the resources and their encryption method are first confirmed through static analysis or dynamic debugging.
This issue gave a professional and comprehensive analysis of the types, functions and implementation principles of plug-ins. Of course, there are more ways to implement plug-ins than those mentioned above; at the higher end, "AI assist" and "AI auto-aim" plug-ins can now be made directly.
https://www.bilibili.com/video/BV1VZ4y1U73t?spm_id_from=333.337.search-card.all.click
Okay, that's it for this issue. I am leo, see you next time~