和平精英模拟器检测分析

MTPnb

核心原理：读取elf头，判断机器类型是否为x86过检测方法（以雷电模拟器4为例）：第一种方法（推荐使用这种方法）：修改系统/system/lib中所有so的机器类型，改为arm，但是这样改了之后，加载so会报 unexpectede_machine，解决办法就是去掉系统加载so过程中判断机器类型的代码段。打开android7.1源码中linker_phdr.cpp，在VerifyElfHearder函数开头加上return true; 这样linker链接的时候就不会去判断elf头，也就不会报错，然后编译linker，把编译出来的linker替换掉模拟器中的/system/bin/linker，再重启模拟器即可。以后直接打开游戏就能过检测了。 另外一种方法(内存改错了，有几率会10年)：游戏打开后，再去修改系统的so，也能过检测，但是会被封1年。这是因为游戏打开的时候，/system/lib中的so会映射到内存中，相当于复制一份，还需要修改游戏内存中so的机器类型，可以通过/proc/$pid/maps文件查看游戏加载的so。  通过对游戏Lua对抗方案的代码段进行inlinehook，可以导出对应lua文件。例如:其中的detect_chicken就是用来检测鸡腿挂的。Scan_emulator_release用来检测模拟器，可以动态更新检测策略。Emu_info_collect用来收集模拟器信息，估计是用来追封用的吧。 以下是 scan_emulator_release 的lua代码：

[Lua] 纯文本查看 复制代码

?

001 002 003 004 005 006 007 008 009 010 011 012 013 014 015 016 017 018 019 020 021 022 023 024 025 026 027 028 029 030 031 032 033 034 035 036 037 038 039 040 041 042 043 044 045 046 047 048 049 050 051 052 053 054 055 056 057 058 059 060 061 062 063 064 065 066 067 068 069 070 071 072 073 074 075 076 077 078 079 080 081 082 083 084 085 086 087 088 089 090 091 092 093 094 095 096 097 098 099 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283

local function is_null(p)         if p == 0 or p == nil then                 return true         end         return false end   local function find_str(s1, s2)         local n1,n2 = string.find(s1, s2, 1, true)         if (n1 ~= nil and n2 ~= nil)         then                 return true         end         return false end   local function str_startswith(s1, s2)         local n1, n2 = string.find(s1, s2, 1, true)         if (n1 ~= nil and n2 ~= nil and n1 == 1)         then                 return true         end         return false end   local function str_endswith(s1, s2)         local n1, n2 = string.find(s1, s2, 1, true)         if (n1 ~= nil and n2 ~= nil and n2 == #s1)         then                 return true         end         return false end   local function open_file_exists(s_path)         local is_valid_path = false         if (str_startswith(s_path,"/system/") or                 str_startswith(s_path,"/data/") or                 str_startswith(s_path,"/lib/") or                 str_startswith(s_path,"/sbin/") or                 str_startswith(s_path,"/sys/")) and                 (str_endswith(s_path,".so")) then                 is_valid_path = true         end         if not is_valid_path then                 return false         end         local f = io.open(s_path, "r")         if f then io.close(f) end         return f ~= nil end   local function bin2hex(s)         s=string.gsub(s,"(.)",function (x) return string.format("%02X",string.byte(x)) end)         return s end   local function basename(str)         local name = string.gsub(str, "(.*[\\/])(.*)", "%2")         return name end   local function check_elf_file_x86_emulator(file_path)         local ret = 0         if not open_file_exists(file_path) then                 return ret         end         local f = io.open(file_path,'rb')         if f then                 local sizes = f:seek("end")                 if sizes > 1024 then                         f:seek("set")                         local content = f:read(4)                         local hexstr = bin2hex(content)                         if hexstr == "7F454C46" then                                 local is_32_64 = f:read(1)                                 hexstr = bin2hex(is_32_64)                                 if hexstr == "01" then                                         f:seek("set",18)                                         local cpu_type = f:read(2)                                         hexstr = bin2hex(cpu_type)                                         if hexstr == "0300" then                                                 ret = 1                                         end                                 end                         end                 end                 f:close()         end         return ret end   local function get_int_value(key, deft)         local value = TssSDK.get_value_by_key(key)         if not is_null(value) then                 local int_val = tonumber(value)                 if int_val then                         return int_val                 end         end         return deft end   local g_mark_scan_flag = "llua_ser_20200421_scanned" local g_module_cnt = 0 local g_libc_files_cnt = 0 local g_has_x86_file = 0 local g_x86_file_name = "" local g_tp_ver = "" local g_libhoudini_file_name = "" local g_libhoudini_file_size = 0   local function save_scan_result()         TssSDK.set_key_and_value("LEMC", ""..g_module_cnt)         TssSDK.set_key_and_value("LEFC", ""..g_libc_files_cnt)         TssSDK.set_key_and_value("LEHX", ""..g_has_x86_file)         TssSDK.set_key_and_value("LEXN", g_x86_file_name)         TssSDK.set_key_and_value("LETV", g_tp_ver)         TssSDK.set_key_and_value("LENM", g_libhoudini_file_name)         TssSDK.set_key_and_value("LESZ", ""..g_libhoudini_file_size) end   local function load_scan_result()         g_module_cnt = get_int_value("LEMC", 0)         g_libc_files_cnt = get_int_value("LEFC", 0)         g_has_x86_file = get_int_value("LEHX", 0)         g_x86_file_name = TssSDK.get_value_by_key("LEXN")         g_tp_ver = TssSDK.get_value_by_key("LETV")         g_libhoudini_file_name = TssSDK.get_value_by_key("LENM")         g_libhoudini_file_size = get_int_value("LESZ", 0) end   local function get_tp_ver()         local try_cnt = 0         local err_msg = ""         local err_code = 0         local dev_path = "/dev/virtpipe-sec"         while (try_cnt < 3) do                 try_cnt = try_cnt + 1                 local ret, acode = TssSDK.access(dev_path)                 if (ret ~= 0) then                         err_msg = "unfound"                         err_code = acode                 else                         local session = TssSDK.OpenWBSession()                         if (is_null(session)) then                                 err_msg = "open_failed"                                 local file, err, ocode = io.open(dev_path, "r+")                                 if (file) then                                         file:close()                                 end                                 if (ocode ~= nil) then                                         err_code = ocode                                 else                                         err_code = 0                                 end                         else                                 local tp_ver = TssSDK.SendWBCmd(session, "func=WB_GetTPShellVersion")                                 TssSDK.CloseWBSession(session)                                 if (is_null(tp_ver) or type(tp_ver) ~= "string") then                                         err_msg = "get_failed"                                         err_code = 0                                 else                                         return tp_ver.."-"..tostring(0)                                 end                         end                 end                 TssSDK.sleep(1000)         end         return err_msg.."-"..tostring(err_code) end   local function scan_emulator()         local try_cnt = 5         local handle = TssSDK.open_tphm()         while (try_cnt > 0 and is_null(handle)) do                 TssSDK.sleep(1000)                 handle = TssSDK.open_tphm()                 try_cnt = try_cnt - 1         end         if is_null(handle) then                 return         end           local libc_name = "libc.so"         local libc_files = {}         local libhoudini_name = "houdini"         while g_module_cnt < 10000 do                 local module_info = TssSDK.enum_tphm(handle)                 if is_null(module_info) then                         break                 end                 g_module_cnt = g_module_cnt + 1                   local module_name = TssSDK.get_tphm_name(module_info)                 local module_size = TssSDK.get_tphm_size(module_info)                 if not is_null(module_name) and not is_null(module_size) then                         local file_name = basename(module_name)                         if find_str(file_name, libc_name) then                                 if libc_files[module_name] == nil then                                         g_libc_files_cnt = g_libc_files_cnt + 1                                         libc_files[module_name] = {}                                 end                         elseif find_str(file_name, libhoudini_name) then                                 if g_libhoudini_file_name == "" then                                         g_libhoudini_file_size = module_size                                         g_libhoudini_file_name = module_name                                 end                         end                           if g_has_x86_file == 0 then                                 g_has_x86_file = check_elf_file_x86_emulator(module_name)                                 if g_has_x86_file == 1 then                                         g_x86_file_name = module_name                                         g_tp_ver = get_tp_ver()                                 end                         end                 end         end         save_scan_result()         TssSDK.close_tphm(handle) end   local function get_report_cnt()         local cnt = get_int_value("LERC", 0)         cnt = cnt % 1000 + 1         TssSDK.set_key_and_value("LERC", ""..cnt)         return cnt end   local function report_emulator()         local emu_name = TssSDK.QueryStr("emulator_name")         local maybe_emu = 1         if (emu_name == "NotEmulator")         then                 maybe_emu = 0         end           local is_download = TssSDK.IsEnabled("simulate", 0)         local report_cnt = get_report_cnt()         local info = tostring(g_has_x86_file).."|"..tostring(g_libc_files_cnt).."|"..tostring(g_libhoudini_file_size).."|"..tostring(maybe_emu).."|"..tostring(report_cnt)         TssSDK.set_key_and_value("li_emu", info)         TssSDK.ReportQosByGame(8, 2020061700, g_has_x86_file, g_libc_files_cnt, g_libhoudini_file_size, g_module_cnt, maybe_emu, is_download, report_cnt, 2, emu_name..','..g_libhoudini_file_name, g_tp_ver..','..g_x86_file_name) end   local function has_scanned()         return (not is_null(TssSDK.get_value_by_key(g_mark_scan_flag))) end   local function set_scanned()         TssSDK.set_key_and_value(g_mark_scan_flag, "1") end   local function do_exec()         if TssSDK.get_platform() ~= 0 then                 return         end           if (has_scanned()) then                 load_scan_result()         else                 scan_emulator()                 set_scanned()         end           report_emulator() end   local function exec()         local ver = TssSDK.get_sdk_version()         if is_null(ver) then                 return         end           local target_ver = "3.7.13.548645"         if ver < target_ver then                 return         end           do_exec() end   exec()

谢大门

大神,能不能弄个小红书模拟器登录过检测的啊,万分感谢

MIr李

大神,能不能弄个小红书模拟器登录过检测的啊,万分感谢

chan00132154

还是第一种方法比较好。你获取就让你获取。获取我想给你的

夕阳未必西下

找不到文件在哪里

aswcy815174418

chan00132154 发表于 2021-4-8 08:21
还是第一种方法比较好。你获取就让你获取。获取我想给你的

你有没有linux，我没这系统，学校网速不到1MB吐了，太慢了，下载了安卓7.1源码，找到了linker_phdr，windows编译不了，很难受