[League of Legends][LOL] Bypassing Riot's inline hook detection

Posted by ImKK on 2024-03-30


AI summary

[Tech share] LOL anti-detection inline hook bypass. Core idea: defeat the inline hook check by tampering with the per-page function hash values kept in the Riot client's memory. The key code is released below: hash structure handling, walking the module's memory pages, and the runtime patch/restore logic. For the current version (13.24) the hash table sits at offset 0x2D6A10 and each entry stores four 64-bit hash words. When implementing:
1. back up the original hashes so they can be restored later;
2. walk the memory pages to find the page the target function lives in;
3. zero the hash words of that page.
(Note: a complete implementation requires pulling the stub.dll of the matching version and verifying the offset and layout against it.)

I won't say much; say too much and people get lost, and those who know, know. Straight to the code. If it really doesn't work for you, find the stub.dll of the matching version and take a look yourselves.


#include <cstddef>
#include <cstdint>
#include <unordered_map>
#include <Windows.h>

constexpr uint64_t hash_array = 0x2D6A10; // 13.24: offset of the per-page hash table, changes with every patch

struct hash_struct {
	char pad1[ 0x68 ];   // layout may change between versions
	uint64_t hash[ 4 ];  // four 64-bit hash words for one page
};

struct section_hash {
	uint64_t og_hash[ 4 ];  // backup of the original hash words
	hash_struct* hash_ptr;  // entry inside the client's hash table

	section_hash() = default;

	explicit section_hash( hash_struct* hash ) : hash_ptr( hash ) {
		for ( int i = 0; i < 4; i++ ) {
			og_hash[ i ] = hash_ptr->hash[ i ];
		}
	}

	// Put the original words back. Only do this after the hook has been removed,
	// otherwise the restored hash no longer matches the patched page.
	void restore_hash( ) const {
		for ( int i = 0; i < 4; i++ ) {
			hash_ptr->hash[ i ] = og_hash[ i ];
		}
	}

	// Zero the hash words so this page is no longer compared.
	void bypass_hash( ) const {
		for ( uint64_t& i : hash_ptr->hash ) {
			i = 0x0;
		}
	}
};

// Page base address -> hash entry. Filling this map (from the table that
// hash_array points to) is not shown in the post.
std::unordered_map< uint64_t, section_hash > hashes;

// Provided elsewhere, not shown in the post.
int get_league_nb_pages( );
uint64_t detour_func( void* src, void* dest, size_t size );

void replace_hash( const uint64_t func_address ) {
	const int nb_pages = get_league_nb_pages( );
	const uint64_t league = reinterpret_cast< uint64_t >( GetModuleHandleA( nullptr ) );

	// Walk the module page by page until we hit the page containing func_address.
	for ( int i = 4; i <= nb_pages; i++ ) {
		const uint64_t curr_page = league + static_cast< uint64_t >( 0x1000 ) * i;
		const uint64_t next_page = league + static_cast< uint64_t >( 0x1000 ) * ( i + 1 );

		// Half-open range: an address exactly on next_page belongs to the next page.
		if ( func_address < curr_page || func_address >= next_page ) {
			continue;
		}

		const auto it = hashes.find( curr_page );
		if ( it != hashes.end( ) ) {
			it->second.bypass_hash( );
		}
		break;  // an address lives in exactly one page
	}
}

// Install the inline hook, then kill the hash of the page it was written to.
uint64_t hook( void* src, void* dest, size_t size ) {
	const uint64_t detour = detour_func( src, dest, size );
	replace_hash( reinterpret_cast< uint64_t >( src ) );

	return detour;
}
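To make the mechanism the code above relies on concrete, here is an added example that is not part of the original post and does not touch the real client. It models a per-page integrity table over a fake module image, a checker that recomputes each page and compares it with the stored hash, the post's bypass (zero the page's entry) and restore paths, plus one case the post's replace_hash() does not cover: a detour stub written near the end of a page also dirties the next page, so both entries need handling. Everything about the checker is an assumption: FNV-1a stands in for whatever hash Riot uses, pages are keyed by index rather than address, and "a zero stored hash means the page is skipped" is inferred from what bypass_hash() does, not verified against stub.dll. The names FakeImage, pages_touched and walk_through are this example's own.

```cpp
// Added example, not from the original post: a user-mode model of a per-page
// integrity table, the "zero the page hash" bypass, and the page-straddle case.
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <unordered_map>
#include <vector>

constexpr uint64_t kPageSize = 0x1000;

// FNV-1a over one page. The real checker's hash is unknown; this is a stand-in.
uint64_t page_hash(const uint8_t* p, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 1099511628211ULL;
    }
    return h;
}

struct PageEntry {
    uint64_t expected;  // value the checker compares against
    uint64_t original;  // backup, like og_hash[] in the post
};

// A fake module image with one table entry per page (hypothetical layout).
struct FakeImage {
    std::vector<uint8_t> bytes;
    std::unordered_map<uint64_t, PageEntry> table;  // key: page index

    explicit FakeImage(size_t pages) : bytes(pages * kPageSize) {
        // Distinct byte pattern so every page hashes differently.
        for (size_t i = 0; i < bytes.size(); i++) {
            bytes[i] = static_cast<uint8_t>(i * 31 + 7);
        }
        for (size_t p = 0; p < pages; p++) {
            const uint64_t h = page_hash(&bytes[p * kPageSize], kPageSize);
            table[p] = PageEntry{h, h};
        }
    }

    // Checker model: recompute each page and compare. A zero stored hash is
    // treated as "not checked"; that is the assumption behind bypass_hash()
    // in the post, not a verified property of Riot's checker.
    size_t mismatches() const {
        size_t bad = 0;
        for (const auto& kv : table) {
            const PageEntry& e = kv.second;
            if (e.expected == 0) continue;
            if (page_hash(&bytes[kv.first * kPageSize], kPageSize) != e.expected) bad++;
        }
        return bad;
    }

    // Write a detour stub (e.g. a 14-byte absolute JMP) at `offset`.
    void write_hook(uint64_t offset, size_t size) {
        std::memset(&bytes[offset], 0xCC, size);
    }
    void bypass(uint64_t page) { table[page].expected = 0; }
    void restore(uint64_t page) { table[page].expected = table[page].original; }
};

// All pages a `size`-byte patch at `offset` dirties. The post's replace_hash()
// only tests the start address; a patch across a boundary also changes the
// next page, and that page's entry must be zeroed too.
std::vector<uint64_t> pages_touched(uint64_t offset, size_t size) {
    std::vector<uint64_t> out;
    const uint64_t first = offset / kPageSize;
    const uint64_t last = (offset + size - 1) / kPageSize;
    for (uint64_t p = first; p <= last; p++) out.push_back(p);
    return out;
}

struct Outcome {
    size_t after_hook;     // pages flagged once the hook is written
    size_t after_bypass;   // after zeroing the touched pages' hashes
    size_t after_restore;  // after putting the hashes back with the hook still in
};

Outcome walk_through(uint64_t hook_offset, size_t patch_size) {
    FakeImage img(8);
    Outcome o{};
    img.write_hook(hook_offset, patch_size);
    o.after_hook = img.mismatches();
    for (uint64_t p : pages_touched(hook_offset, patch_size)) img.bypass(p);
    o.after_bypass = img.mismatches();
    // restore_hash() is only safe after the hook is removed: with the patch
    // still present, the restored hash no longer matches the page.
    for (uint64_t p : pages_touched(hook_offset, patch_size)) img.restore(p);
    o.after_restore = img.mismatches();
    return o;
}
```

Calling walk_through(5 * 0x1000 - 4, 14) places a 14-byte stub across the page 4/5 boundary: two pages are flagged after the hook, none after both entries are zeroed, and two again once the original hashes are restored while the stub is still in place. With a single-address lookup like the post's replace_hash(), page 5 would have stayed flagged.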

Of course this is only the most basic part; the rest depends on my mood, with updates from time to time.