Agreement plug-in production tutorial three

xiaoxiao2021-03-06  105


BY RIX

In the previous section we built the plug-in platform: hook.dll and wg.exe are finished. How wg.exe calls the function inside hook.dll you can look up in the CB (C++ Builder) tutorials or online. Here I add the following statements to the hook button's click event in wg.exe:

if (GameThreadID)
{
    if (EnableHook(GameThreadID) == false)
        ShowMessage("Error");
}

Click the hook button once the game window has come up, then press F12 inside the game to bring up the plug-in window.

With yesterday's loose end tied up, on to today's tutorial: API hooking. Although APIHOOK is not strictly necessary for a plug-in for the Dahua game, to follow the general production process in order this part comes first.

The reason for using APIHOOK is also simple: the game has to call some system functions, and with APIHOOK we can easily look at some key information and modify it (too simple a reason? Yes, but we've always been the type to kill a chicken with an ox cleaver...).

Jeffrey Richter devotes a lot of space to how to inject a DLL and hook APIs; if you don't know who Jeffrey Richter is, you should at least know the author of "Windows Core Programming". If you don't know that either, I give up, the system throws an exception, you are an alien. Our program runs in user mode. J.R. proposes several methods; one is to overwrite the function's code. I used that method at first and later found that it has many problems, and J.R. says the same. In the end the import section of each module is used.

While looking into it I found that J.R.'s code does not run on Chinese Windows 2000 (is the foreigners' system different from China's?). Later, following J.R.'s idea, I rearranged the functions, though most of them are the same. For convenience I did not hook LoadLibraryA, LoadLibraryW, LoadLibraryExA and LoadLibraryExW in the class, also because by the time our plug-in program is running the game's modules have usually already been loaded.

Below is the source code of my APIHOOK class, reorganized following J.R.'s idea:

/* HOOKAPI.H */
#include "windows.h"

class CAPIHook
{
public:
    CAPIHook(PSTR pszCalleeModName, PSTR pszFuncName, PROC pfnHook,
             HANDLE hProcess, HMODULE hmod);
    ~CAPIHook();
    operator PROC() { return (m_pfnOrig); }

public:
    static PVOID     sm_pvMaxAppAddr;      // highest user-mode address (GetSystemInfo)
    static CAPIHook *sm_pHead;             // head of the list of live hooks
    CAPIHook *m_pNext;
    PCSTR     m_pszCalleeModName;          // module that exports the hooked function
    PCSTR     m_pszFuncName;               // name of the hooked function
    PROC      m_pfnOrig;                   // original function address
    PROC      m_pfnHook;                   // replacement function address
    BOOL      m_fExcludeAPIHookMod;
    HMODULE   m_Module;                    // module whose IAT is patched (the caller)
    HANDLE    m_Handle;                    // process handle used for the write

private:
    static void WINAPI ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, PROC pfnCurrent,
                                               PROC pfnHook, HMODULE hmodCaller, HANDLE hProcess);
    static void WINAPI FixupNewlyLoadedModule(HMODULE hmod, DWORD dwFlags);
    static FARPROC WINAPI GetProcAddress(HMODULE hmod, PCSTR pszProcName);
};

/* HOOKAPI.CPP */
#include "hookapi.h"
#include <assert.h>
#include "imagehlp.h"
#pragma comment(lib, "imagehlp.lib")    // ImageDirectoryEntryToData lives here

PVOID CAPIHook::sm_pvMaxAppAddr = NULL;
const BYTE cPushOpCode = 0x68;          // x86 "push imm32": first byte of a system thunk
CAPIHook *CAPIHook::sm_pHead = NULL;

CAPIHook::CAPIHook(PSTR pszCalleeModName, PSTR pszFuncName, PROC pfnHook,
                   HANDLE hProcess, HMODULE hmod)
{
    m_Handle = hProcess;
    if (sm_pvMaxAppAddr == NULL)
    {
        SYSTEM_INFO si;
        GetSystemInfo(&si);
        sm_pvMaxAppAddr = si.lpMaximumApplicationAddress;
    }

    // link this hook into the list
    m_pNext = sm_pHead;
    sm_pHead = this;

    m_pszCalleeModName = pszCalleeModName;
    m_pszFuncName = pszFuncName;
    m_pfnHook = pfnHook;
    m_pfnOrig = ::GetProcAddress(GetModuleHandleA(pszCalleeModName), m_pszFuncName);
    assert(m_pfnOrig != NULL);
    if (m_pfnOrig == NULL)
    {
        return;
    }

    // On some systems GetProcAddress returns a "push addr / ret" thunk that lies
    // above the user address range; follow it to the real function.
    if ((PVOID)m_pfnOrig > sm_pvMaxAppAddr)
    {
        PBYTE pb = (PBYTE)m_pfnOrig;
        if (pb[0] == cPushOpCode)
        {
            PVOID pv = *(PVOID *)&pb[1];
            m_pfnOrig = (PROC)pv;
        }
    }

    // hmod is the module whose import table gets patched (the game exe in the example below)
    m_Module = hmod;
    ReplaceIATEntryInOneMod(m_pszCalleeModName, m_pfnOrig, m_pfnHook, m_Module, hProcess);
}

CAPIHook::~CAPIHook()
{
    // put the original pointer back, then unlink this hook from the list
    ReplaceIATEntryInOneMod(m_pszCalleeModName, m_pfnHook, m_pfnOrig, m_Module, m_Handle);

    CAPIHook *p = sm_pHead;
    if (p == this)
    {
        sm_pHead = p->m_pNext;
    }
    else
    {
        BOOL fFound = FALSE;
        for (; !fFound && (p->m_pNext != NULL); p = p->m_pNext)
        {
            if (p->m_pNext == this)
            {
                p->m_pNext = p->m_pNext->m_pNext;
                fFound = TRUE;
                break;
            }
        }
        assert(fFound);
    }
}

void WINAPI CAPIHook::FixupNewlyLoadedModule(HMODULE hmod, DWORD dwFlags)
{
    // apply every registered hook to a module loaded after the hooks were installed
    if ((hmod != NULL) && ((dwFlags & LOAD_LIBRARY_AS_DATAFILE) == 0))
    {
        for (CAPIHook *p = sm_pHead; p != NULL; p = p->m_pNext)
        {
            ReplaceIATEntryInOneMod(p->m_pszCalleeModName, p->m_pfnOrig, p->m_pfnHook,
                                    hmod, p->m_Handle);
        }
    }
}

FARPROC WINAPI CAPIHook::GetProcAddress(HMODULE hmod, PCSTR pszProcName)
{
    // hand out the hook instead of the original, so a late GetProcAddress cannot bypass it
    FARPROC pfn = ::GetProcAddress(hmod, pszProcName);
    CAPIHook *p = sm_pHead;
    for (; (pfn != NULL) && (p != NULL); p = p->m_pNext)
    {
        if (pfn == p->m_pfnOrig)
        {
            pfn = p->m_pfnHook;
            break;
        }
    }
    return (pfn);
}

void WINAPI CAPIHook::ReplaceIATEntryInOneMod(PCSTR pszCalleeModName, PROC pfnCurrent,
                                              PROC pfnHook, HMODULE hmodCaller, HANDLE hProcess)
{
    ULONG ulSize;
    // locate the caller's import directory
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)
        ImageDirectoryEntryToData(hmodCaller, TRUE, IMAGE_DIRECTORY_ENTRY_IMPORT, &ulSize);
    if (pImportDesc == NULL)
    {
        return;     // this module has no import table
    }

    // find the descriptor for the callee module
    for (; pImportDesc->Name; pImportDesc++)
    {
        PSTR pszModName = (PSTR)((PBYTE)hmodCaller + pImportDesc->Name);
        if (lstrcmpiA(pszModName, pszCalleeModName) == 0)
        {
            break;
        }
    }
    if (pImportDesc->Name == 0)
    {
        return;     // the caller does not import anything from the callee
    }

    // walk the IAT looking for the current function pointer
    PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((PBYTE)hmodCaller + pImportDesc->FirstThunk);
    for (; pThunk->u1.Function; pThunk++)
    {
        PROC *ppfn = (PROC *)&pThunk->u1.Function;
        BOOL fFound = (*ppfn == pfnCurrent);

        // the slot may hold a "push addr / ret" thunk; compare against its target instead
        if (!fFound && ((PVOID)*ppfn > sm_pvMaxAppAddr))
        {
            PBYTE pbInFunc = (PBYTE)*ppfn;
            if (pbInFunc[0] == cPushOpCode)
            {
                ppfn = (PROC *)&pbInFunc[1];
                fFound = (*ppfn == pfnCurrent);
            }
        }

        if (fFound)
        {
            HANDLE handle1 = OpenProcess(PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId());
            DWORD dwOld;
            // make the IAT slot writable, overwrite it, then restore the old protection
            VirtualProtectEx(handle1, ppfn, sizeof(pfnHook), PAGE_READWRITE, &dwOld);
            WriteProcessMemory(handle1, ppfn, &pfnHook, sizeof(pfnHook), NULL);
            VirtualProtectEx(handle1, ppfn, sizeof(pfnHook), dwOld, &dwOld);
            CloseHandle(handle1);
            return;
        }
    }
}
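A defender's counterpart to ReplaceIATEntryInOneMod, added here as an illustration and not part of the original tutorial: the same import-directory walk, written in Python over a constructed PE32 image, used to spot IAT slots that no longer point into the module that exports the function (the footprint an IAT patch like the one above leaves behind). The image layout, the KERNEL32.dll!LoadLibraryA import and the address ranges are constructed sample values.

```python
import struct

def parse_imports(img):
    """Return [(dll, func, iat_value)] for every named import of a PE32 image
    mapped with RVA == offset (the layout ImageDirectoryEntryToData walks)."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    opt = e_lfanew + 4 + 20                                   # past 'PE\0\0' and the file header
    assert struct.unpack_from("<H", img, opt)[0] == 0x10B     # PE32 optional header only
    imp_rva = struct.unpack_from("<I", img, opt + 96 + 8)[0]  # DataDirectory[IMPORT].VirtualAddress
    out = []
    while True:
        oft, _, _, name, ft = struct.unpack_from("<5I", img, imp_rva)  # IMAGE_IMPORT_DESCRIPTOR
        if name == 0:                                         # null descriptor ends the table
            break
        dll = img[name:img.index(b"\0", name)].decode()
        for i in range(0, 0x10000):
            hint_rva = struct.unpack_from("<I", img, oft + 4 * i)[0]   # OriginalFirstThunk (names)
            if hint_rva == 0:
                break
            fn = img[hint_rva + 2:img.index(b"\0", hint_rva + 2)].decode()   # skip 2-byte hint
            out.append((dll, fn, struct.unpack_from("<I", img, ft + 4 * i)[0]))  # FirstThunk (IAT)
        imp_rva += 20
    return out

def find_hooked(img, module_ranges):
    """module_ranges maps lower-case DLL name -> (base, end). Any IAT slot that does
    not point inside the DLL that should export the function has been redirected."""
    return [(dll, fn, val) for dll, fn, val in parse_imports(img)
            if not (module_ranges[dll.lower()][0] <= val < module_ranges[dll.lower()][1])]

def build_image(iat_value):
    """Constructed minimal PE32 image (not a real binary): imports
    KERNEL32.dll!LoadLibraryA and presets that IAT slot to iat_value."""
    img = bytearray(0x500)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                   # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", img, 0x98, 0x10B)                  # optional header magic (PE32)
    struct.pack_into("<II", img, 0x98 + 96 + 8, 0x200, 40)    # import directory RVA, size
    struct.pack_into("<5I", img, 0x200, 0x400, 0, 0, 0x300, 0x410)  # OFT, stamp, chain, Name, FT
    img[0x300:0x30D] = b"KERNEL32.dll\0"
    img[0x320:0x32F] = b"\0\0LoadLibraryA\0"                   # hint + name
    struct.pack_into("<II", img, 0x400, 0x320, 0)             # import name table
    struct.pack_into("<II", img, 0x410, iat_value, 0)         # import address table
    return bytes(img)
```

On a live process the same check runs over the mapped image and the real module ranges; a slot that points into the hook DLL's range is exactly what the constructor above produces.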

The above is the complete code of APIHOOK. The following is an example (hooking the WString2ID function):

typedef unsigned long (__stdcall *WString2ID)(char const *);
unsigned long __stdcall MyWString2ID(char const *);
CAPIHook *my_wstring2id;

my_wstring2id = new CAPIHook("Windsoul.dll", "?WString2ID@@YGKPBD@Z",
                             (PROC)MyWString2ID, GameHandle, GameInstance);

Implementation of MyWString2ID:

unsigned long __stdcall MyWString2ID(char const *a)
{
    // SendMessage(WGHANDLE, WM_USER + 1, (WPARAM)a, NULL);
    return ((WString2ID)my_wstring2id->m_pfnOrig)(a);   // pass through to the original
}

Next is the code used to intercept the game's WndProc. It was written at the time for completeness; how to use it is up to you, I didn't use it anyway.

GamehWnd = GetActiveWindow();
GameHandle = GetCurrentProcess();
GameInstance = (HINSTANCE)GetWindowLong(GamehWnd, GWL_HINSTANCE);
GameProc = (WNDPROC)SetWindowLong(GamehWnd, GWL_WNDPROC, (LONG)MyMsgProc);

The WndProc function used to replace the game's:

LRESULT APIENTRY MyMsgProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    /* do what you want to do here, then hand the rest to the game's own WndProc */
    return CallWindowProc(GameProc, hWnd, message, wParam, lParam);
}

This section ends here; the next section starts the study of the game program itself. It is best to prepare the client from the last 9.16 update of the Dahua game. Do not use the latest version, for the following reasons:

1. If too much of the current client is made transparent, people will find that writing account-stealing programs is simple, and that is not what I want to see.

2. The new version adopts (double-precision floating-point) encryption, which is very troublesome and not easy for the average person to get started with; the approach is the same as for 9.16, only more cumbersome.

3. The unpacking process has more steps that need to be identified by hand, which would cause unnecessary trouble and mislead everyone.

This article is only published on the blogs at www.9cbs.net and www.gameres.com; do not use it for any commercial purpose. If this tutorial leads to other consequences, it has nothing to do with me; I only talk about technology. If you repost, please indicate the source. If you have questions or want to discuss, please e-mail Zeze0556@sina.com, leave a message on QQ 23033206, or contact me on MSN at zeze0556@msn.com. Also, please don't send me spam, and when you add me as a friend, write a proper note; I've been scared off by inexplicable advertising mails and rumours. Thanks, everyone.

Please credit the original when reposting: https://www.9cbs.com/read-100456.html
