某平台作弊检测方法&bypass思路

AmIzero

在分析某平台检测作弊玩家方式时，发现此平台思路与众不同，将反作弊的方法与地图联系在一起。
该地图内嵌lua脚本，似乎使用了 https://github.com/actboy168/YDWE 这个项目制作

解包地图后发现大量无规律编号的lua脚本
根据“作弊”关键字定位到有关的lua脚本 __f0361__.lua

[Lua] 纯文本查看 复制代码

local __0x0046__=require '__F1098__'
local __0x0004__=require 'jass.message'
local __0x0000__=require 'jass.common'
local __0x0001__=require '__F1094__'
local __0x0001__=require '__F0273__'
local __0x0004__=require '__F0777__'
local __0x0111__=require '__F0157__'
local __0x0080__=require 'jass.storm'
__0x0004__.__0x0002__:__0x0006__ '\xe6\xb8\xb8\xe6\x88\x8f-\xe8\x84\x9a\xe6\x9c\xac\xe9\x87\x8d\xe8\xbd\xbd\xe7\xbb\x93\xe6\x9d\x9f' (function(__0x0006__)
__0x0006__:__0x0010__()
reload '__F0361__'
end)
local __0x0196__=math.random
local __0x0007__={__0x0258__=0,__0x0259__=0,__0x0259__=0,__0x0259__=0,__0x2593__=0,__0x2594__=0,}local function __0x2595__(__0x2596__)
if __0x0049__.__0x0050__.self:__0x1654__() then
__0x0049__.__0x0050__.self:__0x0074__(__0x2596__)
end
end
local function __0x2597__(__0x0058__)
local __0x2598__=0
local __0x2599__=false
local __0x2600__=89
if __0x0058__.__0x2591__>0 then
__0x2599__=true
end
if __0x0058__.__0x2592__>0 then
__0x2599__=true
end
if __0x0058__.__0x2593__>0 then
__0x2598__=__0x2598__+99
__0x2600__=99
end
if __0x0058__.__0x2590__>30 then
local __0x2601__=0.7
local __0x2602__=__0x0058__.__0x2589__/__0x0058__.__0x2590__/__0x2601__*100
__0x2598__=__0x2598__+__0x2602__
if __0x2602__>=100 then
__0x2599__=true
end
end
if __0x0058__.__0x2594__>0 then
__0x2598__=math.max(__0x2598__,50)
local __0x2603__=10
__0x2598__=__0x2598__+__0x0058__.__0x2594__*__0x2603__
end
if __0x2599__ then
__0x2598__=100
else
__0x2598__=math.min(__0x2598__,__0x2600__)
end
return math.floor(__0x2598__)
end
local function __0x2604__(__0x0050__)
if __0x0050__.__0x2605__>=99 then
if __0x1963__(1,100)<=20 then
__0x0050__.__0x2606__=true
else
__0x0050__.__0x2606__=false
end
end
end
local function __0x2607__(__0x0050__)
if __0x0050__:__0x1654__() then
return
end
local __0x2608__=__0x0050__.__0x2609__
local __0x2610__=__0x0050__.__0x2606__ and 1 or 0
local __0x0709__=(string.char(37,115,44,37,100,44,37,100,44,37,100,44,37,100,44,37,100,44,37,100,111,102,37,100,44,37,100)):format(__0x0050__:__0x0072__(),__0x0050__.__0x2605__,__0x2610__,__0x2608__.__0x2591__,__0x2608__.__0x2592__,__0x2608__.__0x2593__,__0x2608__.__0x2589__,__0x2608__.__0x2590__,__0x2608__.__0x2594__)
__0x1224__.__0x1238__(__0x1114__.__0x0888__,__0x0050__.__0x1229__,(string.char(68,75)),__0x0709__)
if __0x0050__.__0x2606__ then
local __0x2611__=__0x1114__.__0x1264__(__0x0050__)
local __0x0709__=(string.char(123,34,116,121,112,101,34,58,34,112,105,99,107,95,105,116,101,109,34,44,34,100,97,116,97,34,58,34,123,92,34,117,115,101,114,105,100,92,34,58,37,115,125,34,125)):format(__0x2611__)
__0x1224__.__0x1238__(__0x1114__.__0x0888__,"",(string.char(105,116,101,109,95,105,110,102,111)),__0x0709__)
__0x0273__.info(__0x0709__)
end
end
local __0x2612__=true
local function __0x2613__(__0x0050__)
local __0x2608__=__0x0050__.__0x2609__
__0x2595__((string.char(37,115,32,230,142,167,229,136,182,32,230,178,161,230,156,137,232,139,177,233,155,132,32,239,188,136,32,231,173,137,231,186,167,32,37,100,37,37,239,188,137,124,99,102,102,102,102,51,51,48,48,40,37,100,41,124,114,124,99,102,102,48,48,102,102,48,48,40,37,100,41,40,37,100,41,124,114,32,37,100,47,37,100,32,40,37,100,41)):format(__0x0050__:__0x0446__(),__0x0050__.__0x2605__,__0x2608__.__0x2591__,__0x2608__.__0x2592__,__0x2608__.__0x2593__,__0x2608__.__0x2589__,__0x2608__.__0x2590__,__0x2608__.__0x2594__))
if __0x0049__.__0x0050__.self:__0x1654__() then
local __0x0459__=(string.char(68,111,116,65,95,76,111,103,92,68,101,72,97,99,107,92,83,66,76,105,115,116,46,116,120,116))
local __0x2614__={}if __0x2612__ then
__0x2612__=false
table.insert(__0x2614__,(string.char(45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45,45)))
table.insert(__0x2614__,base.version)
table.insert(__0x2614__,os.date((string.char(37,89,45,37,109,45,37,100,32,37,72,58,37,77,58,37,83))))
end
local __0x0709__=(string.char(68,75,9,37,115,9,37,100,9,37,100,9,37,100,9,37,100,9,37,100,47,37,100,9,37,100)):format(__0x0050__:__0x0072__(),__0x0050__.__0x2605__,__0x2608__.__0x2591__,__0x2608__.__0x2592__,__0x2608__.__0x2593__,__0x2608__.__0x2589__,__0x2608__.__0x2590__,__0x2608__.__0x2594__)
table.insert(__0x2614__,__0x0709__)
__0x0808__.save(__0x0459__,(__0x0808__.load(__0x0459__) or '') .. table.concat(__0x2614__,'\n') .. '\n')
end
end
local function __0x2615__()
local __0x0048__=__0x0049__.__0x0050__[13]:__0x0051__((string.char(101,50,49,76)),__0x0040__.__0x0052__[(string.char(233,128,137,228,186,186,229,140,186,229,159,159))]:__0x0053__())
__0x0048__:__0x0428__(string.char(233,154,144,232,186,171))
__0x0049__.__0x0112__(1000,function ()
__0x0048__:__0x0104__()
end)
local __0x2616__={{},{}}for __0x0285__=1,2 do
local __0x2617__=__0x0049__.__0x0050__.__0x1420__[__0x0285__]
__0x0013__.find(__0x0049__.__0x0239__(0,0),99999)(function(__0x0077__)
if __0x0077__:__0x0254__() and not __0x0077__:__0x0796__(__0x2617__) then
table.insert(__0x2616__[__0x0285__],__0x0077__)
end
end)
end
local function __0x2618__()
local __0x1765__=__0x0462__.__0x1765__
local __0x2619__=__0x0015__.__0x0060__(__0x0046__.selection())
local __0x0050__=__0x0049__.__0x0050__.self
local __0x1775__=__0x0050__:__0x0443__()
__0x0075__.__0x2589__=0
__0x0075__.__0x2590__=0
__0x0075__.__0x2591__=0
__0x0075__.__0x2592__=0
__0x0075__.__0x2593__=0
for _,__0x0077__ in ipairs(__0x2616__[__0x1775__]) do
__0x0050__:__0x0061__(__0x0077__)
local __0x2620__=__0x0015__.__0x0060__(__0x0046__.selection())
if __0x2620__==__0x0077__ then
__0x0075__.__0x2589__=__0x0075__.__0x2589__+1
if __0x2620__==__0x0048__ then
__0x0075__.__0x2591__=__0x0075__.__0x2591__+1
end
end
__0x0075__.__0x2590__=__0x0075__.__0x2590__+1
end
local __0x2621__=__0x0049__.__0x0050__[13]:__0x0051__((string.char(101,50,49,76)),__0x0040__.__0x0052__[(string.char(233,128,137,228,186,186,229,140,186,229,159,159))]:__0x0053__())
__0x0050__:__0x0061__(__0x2621__)
local __0x2622__=__0x0015__.__0x0060__(__0x0046__.selection())
if __0x2622__~=__0x2621__ then
__0x0075__.__0x2593__=__0x0075__.__0x2593__+1
end
__0x2621__:__0x0428__(string.char(233,154,144,232,186,171))
__0x0050__:__0x0061__(__0x2621__)
local __0x2623__=__0x0015__.__0x0060__(__0x0046__.selection())
__0x2621__:__0x0104__()
if __0x2623__==__0x2621__ then
__0x0075__.__0x2592__=__0x0075__.__0x2592__+1
end
if __0x2619__ then
__0x0050__:__0x0061__(__0x2619__)
else
__0x0001__.ClearSelection()
end
end
__0x2618__()
local __0x0293__={}for __0x0285__=1,12 do
if not __0x0049__.__0x0050__[__0x0285__]:__0x0445__() and __0x0049__.__0x0050__[__0x0285__]:__0x0449__() then
__0x0049__.__0x0050__[__0x0285__]:__0x0030__(__0x0075__,function (__0x0058__)
if type(__0x0058__)=='table' then
__0x0293__[__0x0285__]=table.copy(__0x0058__)
else
__0x0293__[__0x0285__]={__0x2589__=0,__0x2590__=0,__0x2594__=0,__0x2591__=0,__0x2592__=0,__0x2593__=0}end
end)
else
__0x0293__[__0x0285__]={__0x2589__=0,__0x2590__=0,__0x2594__=0,__0x2591__=0,__0x2592__=0,__0x2593__=0}end
end
local __0x0911__=200
__0x0049__.__0x0452__(100,function (__0x0912__)
local __0x0913__=true
local __0x0914__={}for __0x0285__=1,12 do
if not __0x0293__[__0x0285__] then
__0x0913__=false
table.insert(__0x0914__,__0x0049__.__0x0050__[__0x0285__])
end
end
if __0x0913__ then
local __0x2624__={}for __0x0285__=1,12 do
local __0x2625__=__0x2597__(__0x0293__[__0x0285__])
if __0x2625__>0 then
__0x0049__.__0x0050__[__0x0285__].__0x2605__=__0x2625__
__0x0049__.__0x0050__[__0x0285__].__0x2609__=__0x0293__[__0x0285__]
table.insert(__0x2624__,__0x0049__.__0x0050__[__0x0285__])
__0x2604__(__0x0049__.__0x0050__[__0x0285__])
end
end
if #__0x2624__>0 then
for _,__0x0050__ in ipairs(__0x2624__) do
__0x2613__(__0x0050__)
__0x2607__(__0x0050__)
end
else
__0x2595__((string.char(229,189,147,229,137,141,230,151,182,233,151,180,32,37,115)):format(os.date(string.char(37,89,45,37,109,45,37,100,32,37,72,58,37,77,58,37,83))))
end
__0x0912__:__0x0104__()
return
end
__0x0911__=__0x0911__-1
if __0x0911__<=0 then
__0x0912__:__0x0104__()
local __0x0915__={}for _,__0x0050__ in ipairs(__0x0914__) do
table.insert(__0x0915__,__0x0050__:__0x0073__())
end
local __0x0916__=(string.char(70,73,78,68,83,66,231,187,147,230,158,156,229,144,140,230,173,165,232,182,133,230,151,182,239,188,154,37,115)):format(table.concat(__0x0915__,(string.char(227,128,129))))
__0x2595__(__0x0916__)
__0x0273__.error(__0x0916__)
end
end)
end
__0x0049__.__0x0065__.__0x2626__=__0x0049__.__0x0028__:__0x0066__ (string.char(231,142,169,229,174,182,45,233,128,137,230,139,169,229,141,149,228,189,141)) (function(__0x0067__,__0x1176__,__0x0077__)
if __0x1176__:__0x0898__() then
local __0x2620__=__0x0015__.__0x0060__(__0x0046__.selection())
if not __0x1176__:__0x2370__(__0x0077__) and __0x2620__==__0x0077__ then
if __0x0077__:__0x2627__('Ane2')>0 then
return
end
if __0x0077__:__0x2627__('Aneu')>0 then
return
end
if __0x0077__:__0x2627__('A405')>0 then
return
end
if __0x0077__:__0x2627__('A408')>0 then
return
end
local __0x2628__=nil
for __0x0249__=0,3 do
for __0x0250__=0,2 do
local __0x2629__,__0x0068__=__0x0046__.button(__0x0249__,__0x0250__)
if __0x0068__ then
__0x2628__=true
end
end
end
if __0x2628__ then
__0x0075__.__0x2594__=__0x0075__.__0x2594__+1
end
end
end
end)
__0x0049__.__0x0028__:__0x0066__ (string.char(230,184,184,230,136,143,45,233,128,137,230,139,169,230,168,161,229,188,143,231,187,147,230,157,159)) (function(__0x0067__,__0x0050__,__0x0296__)
__0x0067__:__0x0104__()
local __0x2630__={[(string.char(105,109))]=true,[(string.char(97,112))]=true,[(string.char(99,109))]=true,[(string.char(99,100))]=true,[(string.char(114,100))]=true,[(string.char(111,103))]=true,[(string.char(109,103))]=true,}local __0x0644__=false
for _,__0x1039__ in pairs(__0x0296__) do
if __0x2630__[__0x1039__] then
__0x0644__=true
end
end
if __0x0644__ then
__0x0049__.__0x0065__.__0x2589__=__0x0049__.__0x0028__:__0x0066__ (string.char(231,142,169,229,174,182,45,232,129,138,229,164,169)) (function(self,__0x0050__,__0x0220__)
if not __0x0050__:__0x1654__() then
return
end
if __0x0220__==(string.char(45,77,65,32)) then
__0x2595__('开启MA')
__0x2615__()
end
end)
__0x0049__.__0x0112__(7*1000,function ()
local __0x0054__=__0x1963__(0x927C0,0x124F80)
local __0x0070__=__0x1963__(0x1D4C0,0x124F80)
__0x0049__.__0x0112__(__0x0054__,function ()
if __0x0049__.__0x0050__:__0x2631__()<10 then
return
end
__0x2595__('开启默认')
__0x2615__()
__0x0049__.__0x0112__(__0x0070__,function ()
__0x2615__()
end)
end)
end)
__0x0049__.__0x0112__(3000,function ()
local __0x2632__
for __0x0285__=1,12 do
if __0x0049__.__0x0050__[__0x0285__]:__0x1654__() then
__0x2632__=true
end
end
if __0x2632__ then
__0x2595__('开启开发者')
__0x2615__()
end
end)
end
end)

全图的检测
function __0x2597__ 根据检测是设置的标志 计算玩家为作弊玩家的置信值
function __0x2604__ 在置信度高于99的时候 有（20%）的几率设置作弊玩家的标志位 这主要是为了迷惑作弊玩家
function __0x2618__ 准备一个单位列表 然后通过LUA引擎调用JASS函数尝试选择单位 如果不可见的单位被选中 或者 可见的单位没有被选中 则 与作弊有关的标志被更新
有关的标志 __0x2589__  __0x2591__ __0x2590__ __0x2592__ __0x2593__
如果未检测到作弊 只有 __0x2590__  被设置

查看敌方技能 、技能cd的检测
标志位 __0x2594__ 通过LUA引擎获取玩家能观察到的单位技能 如果玩家能查看到敌对单位的技能则更新 __0x2594__

反检测的思路 检测时JASS函数selectunit会被平台调用，因此只要在selectunit的入口进行处理

检查堆栈中的返回地址
如果是来自Game.DLL的调用 则什么都不做
如果不是可以有多种操作方式 比较简单的就是暂时关闭作弊 经过一段延时后再开启作弊
反技能检测
直接patch GetPlayerAlliance 即可

AmIzero

reens 发表于 2019-2-9 00:08
能否告知是哪张地图？（地图名）

其实 已经相当明显了
不过在论坛里不好明说 （有打广告的嫌疑）

AmIzero

笨蛋の猫猫 发表于 2019-2-13 04:45
Warcraft3  看得清吗？

11 这么小的字看不清楚 也不怪你

Jack强

学习学习

sky_flb

11 war3 ???

金咏森

主要是有没有写出来软件是最重要的

章魚葛格

這個防作弊方法果然是思路清奇啊。。。

cao_jf

感觉很高级，可惜看不懂，路过支持了。

reens

能否告知是哪张地图？（地图名）

AmIzero

金咏森 发表于 2019-2-8 20:39
主要是有没有写出来软件是最重要的

软件当然写出来了

AmIzero

sky_flb 发表于 2019-2-8 20:16
11 war3 ???

不是 你说的那个平台