2025-02-27 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Shulou(Shulou.com)06/01 Report--
Differential analysis positioning Ring 3 protection module
Because protection modules usually work by hooking the operating system's native DLL interfaces, you can locate the Ring 3 module by directly diffing the native DLL file on disk against the copy of that DLL loaded in memory.
During the analysis, to avoid being discovered by the Ring 3 protection module, you can temporarily suspend every thread other than your own, as shown in figure 8-14.
Figure 8-14 suspending threads other than one's own
As figure 8-14 shows, the game has 58 threads besides our own; they can be suspended through the SuspendThread() function for the subsequent analysis (the GS command is the thread serial number).
Next, let's compare the on-disk file and the in-memory image of three commonly used native DLLs: ntdll.dll, kernel32.dll and user32.dll, as shown in figure 8-15.
Figure 8-15 differential analysis of changes in native DLLs
As figure 8-15 shows, ntdll.dll has three changed addresses: 0x7c921230, 0x7c92DEB6 and 0x7c97077B. Let's look at the current instructions at these three addresses, as shown in figure 8-16.
Figure 8-16 jmp instructions at two addresses
In figure 8-16 there is a jmp instruction whose target is address 0x45320F0. Let's see which module that address belongs to, as shown in figure 8-17.
Figure 8-17 module section information
The address range in figure 8-17 contains 0x45320F0, so the jmp at 0x7c92deb6 in ntdll.dll lands in the X.dll module. At this point we can tentatively conclude that the game's Ring 3 protection module is X.dll.
To confirm more precisely that X.dll really is the protection module, let's look at what the three changed addresses in ntdll.dll do in the original ntdll.dll.
Use IDA to analyse ntdll.dll and locate the addresses 0x7c921230, 0x7c92DEB6 and 0x7c97077B.
As figure 8-18 shows, the address 0x7c921230 turns out to lie in the DbgBreakPoint function. This function implements the software breakpoint used under a debugger, but in the game it has been changed to a ret instruction, which defeats software breakpoints.
Figure 8-18 function where the 0x7c921230 address is located
As figure 8-19 shows, the address 0x7c97077B belongs to the DbgUiRemoteBreakin function. For a detailed description of this function, see Section 10.6.4 of Zhang Yinkui's "Software Debugging". Here is a brief explanation of what the function does, so that the reader can follow.
Figure 8-19 function where the 0x7c97077B address is located
DbgUiRemoteBreakin is a function provided by ntdll that creates a software breakpoint in the target process from a remote thread. Its pseudo code is as follows.
/* Pseudo code of ntdll's DbgUiRemoteBreakin; lpParameter is unused. */
DWORD WINAPI DbgUiRemoteBreakin(LPVOID lpParameter)
{
    __try
    {
        /* Only raise the breakpoint when a debugger is attached */
        if (NtCurrentPeb()->BeingDebugged)
            DbgBreakPoint();          /* int 3 */
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        /* No debugger caught the exception: swallow it */
        return 1;
    }
    RtlExitUserThread(0);             /* never returns */
}
When the debugger creates a thread in the target program through the CreateRemoteThread function with DbgUiRemoteBreakin as its start routine, the breakpoint is, from the code's point of view, an int 3 software breakpoint. Because the process is being debugged, the debugger can catch this exception. If the target program is not being debugged, the SEH handler in DbgUiRemoteBreakin catches and handles it instead.
Therefore, the game protection system overwrites DbgUiRemoteBreakin with a jmp, obviously to prevent debugging. Let's take a look at where the protection system jumps to from DbgUiRemoteBreakin.
As figure 8-20 shows, the function the protection system jumps to from DbgUiRemoteBreakin is LdrShutdownProcess, which clearly is a function that shuts down the process.
Figure 8-20 function where the 0x7C943DEF address is located
Now let's look at the meaning of the address 0x7c92DEB6.
As figure 8-21 shows, the protection module hooks the ZwProtectVirtualMemory function to prevent the protection attributes of the pages of its virtual memory from being changed.
Figure 8-21 function where the 0x7c92DEB6 address is located
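The whole procedure above (diff the on-disk DLL against its in-memory copy, decode the jmp written at each changed address, check which module the jump lands in, and look up which function each changed address and jump target belong to) can be expressed as one small analysis routine. The following is an added example written for this page, not code from the book or from any tool it mentions; it runs offline on constructed data. The load address, image bytes, module ranges and the "export table" of function ranges are all invented for the demonstration and mirror the book's three cases: a hook in ZwProtectVirtualMemory jumping into X.dll, DbgBreakPoint's int 3 replaced by ret, and DbgUiRemoteBreakin redirected to LdrShutdownProcess.

```c
/* Added example, not code from the book: locate inline patches in a native
 * DLL by diffing its on-disk image against the copy loaded in memory, decode
 * any "jmp rel32" written at a changed address, and report which module (and,
 * inside the DLL, which function) the patch and its jump target belong to.
 * Every image, load address, module range and symbol below is CONSTRUCTED for
 * the demonstration; none of it is real ntdll.dll content. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define COUNT(a) ((int)(sizeof(a) / sizeof((a)[0])))

typedef struct { const char *name; uint32_t base; uint32_t size; } Range;
typedef struct {
    uint32_t va;      /* VA of the first changed byte */
    uint32_t len;     /* length of the contiguous changed run */
    int      is_jmp;  /* 1 if the run starts with E9 (jmp rel32) */
    uint32_t target;  /* jump destination when is_jmp */
} Patch;

/* Compare the disk and memory images of a module mapped at base; each
 * contiguous run of differing bytes becomes one Patch. Returns the count. */
int diff_images(const uint8_t *disk, const uint8_t *mem, uint32_t size,
                uint32_t base, Patch *out, int max_out)
{
    int n = 0;
    uint32_t i = 0;
    while (i < size && n < max_out) {
        if (disk[i] == mem[i]) { i++; continue; }
        uint32_t start = i;
        while (i < size && disk[i] != mem[i]) i++;
        Patch *p = &out[n++];
        p->va = base + start; p->len = i - start; p->is_jmp = 0; p->target = 0;
        if (mem[start] == 0xE9 && start + 5 <= size) {
            /* rel32 is little-endian and relative to the next instruction;
             * unsigned wrap-around gives the same result as a signed add */
            uint32_t rel = (uint32_t)mem[start + 1] | ((uint32_t)mem[start + 2] << 8)
                         | ((uint32_t)mem[start + 3] << 16) | ((uint32_t)mem[start + 4] << 24);
            p->is_jmp = 1;
            p->target = base + start + 5 + rel;
        }
    }
    return n;
}

/* Return the range (module or function) that contains va, or NULL. */
const Range *find_range(const Range *r, int n, uint32_t va)
{
    for (int i = 0; i < n; i++)
        if (va >= r[i].base && va - r[i].base < r[i].size) return &r[i];
    return NULL;
}

/* ---- constructed scenario mirroring the book's three changed addresses ---- */
#define NTDLL_BASE 0x7C900000u          /* constructed load address */
#define IMG_SIZE   0x40u
static const Range modules[] = {
    { "ntdll.dll", NTDLL_BASE,  IMG_SIZE    },
    { "X.dll",     0x04530000u, 0x00010000u },   /* constructed protection module */
};
static const Range symbols[] = {        /* constructed export table of the image */
    { "ZwProtectVirtualMemory", NTDLL_BASE + 0x10, 0x10 },
    { "DbgBreakPoint",          NTDLL_BASE + 0x20, 0x04 },
    { "DbgUiRemoteBreakin",     NTDLL_BASE + 0x30, 0x08 },
    { "LdrShutdownProcess",     NTDLL_BASE + 0x38, 0x08 },
};

/* Write "jmp target" (E9 rel32) at VA from into an image mapped at base. */
static void write_jmp(uint8_t *img, uint32_t base, uint32_t from, uint32_t target)
{
    uint32_t rel = target - (from + 5);
    uint8_t *p = img + (from - base);
    p[0] = 0xE9;
    for (int k = 0; k < 4; k++) p[1 + k] = (uint8_t)(rel >> (8 * k));
}

/* disk = clean image; mem = the same image after the protection module's patches. */
void build_images(uint8_t disk[IMG_SIZE], uint8_t mem[IMG_SIZE])
{
    memset(disk, 0x90, IMG_SIZE);                     /* nop filler */
    disk[0x20] = 0xCC; disk[0x21] = 0xC3;             /* DbgBreakPoint: int 3; ret */
    memcpy(mem, disk, IMG_SIZE);
    write_jmp(mem, NTDLL_BASE, NTDLL_BASE + 0x10, 0x045320F0u);        /* hook -> X.dll */
    mem[0x20] = 0xC3;                                                  /* int 3 -> ret */
    write_jmp(mem, NTDLL_BASE, NTDLL_BASE + 0x30, NTDLL_BASE + 0x38);  /* -> LdrShutdownProcess */
}

/* Build the scenario and diff it; out receives up to max_out patches. */
int run_diff(Patch *out, int max_out)
{
    uint8_t disk[IMG_SIZE], mem[IMG_SIZE];
    build_images(disk, mem);
    return diff_images(disk, mem, IMG_SIZE, NTDLL_BASE, out, max_out);
}

/* Print one line per patch; return how many patches jump out of the DLL into X.dll. */
int analyse(void)
{
    Patch p[8];
    int n = run_diff(p, 8), into_x = 0;
    for (int i = 0; i < n; i++) {
        const Range *fn = find_range(symbols, COUNT(symbols), p[i].va);
        printf("%u byte(s) changed at 0x%08X (%s)", p[i].len, p[i].va, fn ? fn->name : "?");
        if (p[i].is_jmp) {
            const Range *m = find_range(modules, COUNT(modules), p[i].target);
            const Range *t = find_range(symbols, COUNT(symbols), p[i].target);
            printf(" -> jmp 0x%08X in %s%s%s", p[i].target, m ? m->name : "unknown module",
                   t ? ", " : "", t ? t->name : "");
            if (m && strcmp(m->name, "X.dll") == 0) into_x++;
        }
        putchar('\n');
    }
    return into_x;
}

int main(void) { return analyse() == 1 ? 0 : 1; }
```

Running it prints three lines, one per changed run: the five-byte jmp in ZwProtectVirtualMemory resolving into X.dll, the single-byte int 3 to ret change in DbgBreakPoint, and the jmp in DbgUiRemoteBreakin whose target resolves to LdrShutdownProcess inside ntdll.dll itself. Against a real process the two input buffers would come from reading the DLL file (with section alignment applied) and from the live module memory, and the module and symbol tables from the loaded-module list and the DLL's export table; only the byte comparison and the rel32 decoding stay the same.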
For more ideas on analyzing game protection schemes, see Chapter 8.
A brief introduction to the author
Xu Sheng received his master's degree in computer science and engineering from the University of Electronic Science and Technology in 2009 and now works at Alibaba on mobile security research and development. His main research interests include Windows platform * *, plug-ins, rootkits, firewalls and binary reverse analysis, Android and iOS client software security, and Web and WAP security.
This article is excerpted from the book "Game plug-in Art" by Xu Sheng, published by Electronic Industry Press.
© 2024 shulou.com SLNews company. All rights reserved.