Lifting the veil on the advanced game hacker: teaching you to make a dedicated game trainer

Tools: Softice, Jinshan Ranger 2002, VC 7.0, a PE viewer, Spy
Test platform: Windows 2000 Professional SP2

Hello everyone! YY is back. Time really flies: a whole year has passed since my last post, and I have missed you all. I don't know whether you still remember YY, but I have not forgotten any of you. This year has been far too busy, with no time in the evenings to write a post while listening to music, but today is a holiday, so let me make it up to you :D

So what is YY bringing you today? You have seen the title: "advanced game hacker". What, you say I am going to teach you to be a hacker? Look carefully, it says "advanced"! What counts as advanced? Read this article and you will know :D

First, the tools that will be used:
1. Softice (no need to say more; I assume you can use it)
2. Jinshan Ranger 2002 (you should be able to use this too)
3. VC 7.0 (not required, but you need at least one programming tool)
4. A PE viewer (any free one will do; it does not matter which, and I will also show you how to view sections with Softice)
5. Spy (a tool shipped with VC for viewing program information; you can use another one, such as winsight32 from Delphi or C++ Builder)

Then, what you should already know:
1. Assembly basics
2. Some programming basics, at least enough to understand the few API functions I introduce. Knowledge of the PE file structure is not required; I will explain what is needed.

The more of this you know, the better. Now we can start.

Let me introduce what I want to teach. Anyone who plays PC games knows that there are dedicated trainers for particular games, for example Diablo and Red Alert; the classic games on Dawee all have their dedicated trainers. Note that I am not talking about generic modification tools of the FPE class. Have you ever tried to modify your money in Red Alert 2 with Jinshan Ranger?
If you have, you know that you have to search for it again every time, because this game allocates memory dynamically and the address changes on every run. So you choose to download a dedicated trainer from the Internet. Have you ever wondered how those are made? And why not make one yourself? Good, then read this tutorial and you will be able to :D. First, let me talk about the principle.
Friends who often modify games know that although the memory address of an "item" in a game is dynamic, the distance between one item and another is constant. I will take "Chu Liuxiang New Biography" as an example. First I use Jinshan Ranger to find the memory address of the internal force value: 79F695C. Then I find the address of the Jinchuang medicine: 328D1DC. Now subtract 328D1DC from 79F695C and the result is 4769780; this is the offset between the internal force value and the Jinchuang medicine. Don't understand yet? I'm not finished. Now re-run the game and find the internal force address again: 798695C. Then find the address of the Jinchuang medicine: 321D1DC. The memory addresses of both values have changed, but what do you get when you subtract the Jinchuang medicine address from the internal force address? Yes, still 4769780. In other words, no matter how the memory addresses of these two values change, the distance between them never changes. And not only in this game: games in general behave this way, or at least I have never seen one that doesn't :D. From the above we can draw a conclusion: as long as we get either one of these two addresses and know the offset between them, we can get the other. So the first step is to get that one address, but an address that changes dynamically in memory is no use to us. Here I will teach you to make it static, so that it never changes! I will continue with "Chu Liuxiang New Biography" as the example. If you have this game, follow along with me; if not, it doesn't matter, just understand the steps. Let's start!
First enter the game and find the address of the internal force value: 798695C (I don't know why this game does not change the memory address on every run). Press Ctrl+D to open Softice and enter the command bpm 798695c w (break when this address is written to). Return to the game and open the character attribute panel; the game breaks, and you will see this instruction in Softice:

0047EB17 MOV EAX,[EDX+000003F4]   ; the command D EDX+3F4 now shows the internal force value
0047EB1D PUSH EAX
..............................................................

From the above, the instruction at 0047EB17 moves the internal force value into the EAX register. This is a typical addressing mode: imagine that EDX holds a base address; then EDX+3F4 always gives the internal force address, because 000003F4 is a constant and does not change. Only the address in EDX changes. So as long as we have a way to get the value in EDX, we are done. Do you understand? If you still don't, please read it once more.
What I have to do now is get this value, and here is how: my approach is to design a piece of code that stores the value in EDX to some address, run that code, and then return to the game's original instruction and continue. What do you call that? Patching? SMC? Call it whatever you like; as long as it runs normally, everything is fine :D. Actual operation: first find a blank area in the program. This is very simple if you know a little PE file structure: at the end of the data section (.data) of an EXE there is generally some padding, and we can write anything we like into this area. Of course you could also find a blank area with the "90 method" (looking for a long run of NOPs), but I still recommend the method I teach here. If you do not have a PE viewing tool, I can teach you to view the sections with Softice; it is very simple, just one command: map32 "module name". Watch how I do it.
Press Ctrl+D to call up Softice, then enter the command map32 crhchs. You should see the information for each section of the EXE; we only need to pay attention to the .data section. Since we are looking for the end of the data section, we look at where the next section starts, like this:

.data 004fb000
.rsrc 00507000

The section after .data is .rsrc, which starts at 00507000, so the byte just before 00507000 is the end of the data section. I start writing my code at 00506950. So what is the code, and what is the modified instruction? Don't worry, see below:

Modified code at 0047EB17:
0047EB17 JMP 00506950   ; jump to our code and execute it
0047EB1C NOP            ; the original instruction is 6 bytes and the JMP is 5, so pad with one NOP
0047EB1D PUSH EAX

Our code:
00506950 MOV EAX,[EDX+000003F4]   ; restore the instruction we overwrote
00506956 MOV [00506961],EDX       ; save EDX
0050695C JMP 0047EB1D             ; return to the original instruction and continue

Write in the code above. OK! Now let's try the effect. Use Jinshan Ranger to search for the address of the internal force again. Did it change? Whether it changed or not, note down this address. Return to the game, press Ctrl+D to call up Softice, and enter the command d *[00506961]+000003F4. What do you see in the data window? Yes, the address you just noted, and the value in it is the internal force value. Try changing it and return to the game: the internal force has changed :D. At this point 90% of our work is done, but don't be happy too early: the remaining 10% takes far more time than the 90% before it, because we have to use programming; you can't do all of this by hand every time!
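As an added example (not the author's code), the following assembles the hook and the cave from the addresses given above (hook at 0047EB17 over a 6-byte instruction, cave at 00506950, save slot at 00506961) and compares the result with the hand-assembled bytes that the trainer source later in the post writes, so a mistyped rel32 or NOP count is caught before anything is written into the process. The function names and the general layout routine are my own; the expected byte values are the ones from this post.

```cpp
#include <stdint.h>
#include <stddef.h>
#include <string.h>

// Little-endian store of a 32-bit immediate.
static void put32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

// rel32 of a 5-byte E9 JMP at 'from' landing on 'to'; wraps to two's complement when backward.
uint32_t jmp_rel32(uint32_t from, uint32_t to) {
    return to - (from + 5);
}

// Hook: JMP cave, then NOPs so exactly orig_len bytes are replaced (0 if the JMP does not fit).
size_t build_hook(uint32_t hook_addr, uint32_t cave_addr, size_t orig_len, uint8_t *out) {
    if (orig_len < 5) return 0;
    out[0] = 0xE9;
    put32(out + 1, jmp_rel32(hook_addr, cave_addr));
    for (size_t i = 5; i < orig_len; i++) out[i] = 0x90;
    return orig_len;
}

// Cave: original instruction, MOV [save_slot],EDX, JMP back past the hook.
// The save slot is the dword right after the cave, as on the page (00506950 + 17 = 00506961).
size_t build_cave(uint32_t cave_addr, uint32_t hook_addr, const uint8_t *orig,
                  size_t orig_len, uint8_t *out, uint32_t *save_slot) {
    size_t n = 0;
    memcpy(out, orig, orig_len); n += orig_len;
    *save_slot = cave_addr + orig_len + 6 + 5;
    out[n++] = 0x89; out[n++] = 0x15;             // MOV [imm32],EDX
    put32(out + n, *save_slot); n += 4;
    uint32_t jmp_at = cave_addr + n;
    out[n++] = 0xE9;                              // JMP rel32
    put32(out + n, jmp_rel32(jmp_at, hook_addr + orig_len)); n += 4;
    return n;
}

// Rebuild the page's patch from its addresses and compare with the bytes the trainer writes.
int check_page_encoding(void) {
    const uint8_t orig[6]      = {0x8B,0x82,0xF4,0x03,0x00,0x00};   // MOV EAX,[EDX+3F4]
    const uint8_t exp_hook[6]  = {0xE9,0x34,0x7E,0x08,0x00,0x90};
    const uint8_t exp_cave[17] = {0x8B,0x82,0xF4,0x03,0x00,0x00, 0x89,0x15,0x61,0x69,0x50,0x00,
                                  0xE9,0xBC,0x81,0xF7,0xFF};
    uint8_t hook[6], cave[32]; uint32_t slot;
    if (build_hook(0x0047EB17, 0x00506950, 6, hook) != 6) return 0;
    if (build_cave(0x00506950, 0x0047EB17, orig, 6, cave, &slot) != 17) return 0;
    return memcmp(hook, exp_hook, 6) == 0 && memcmp(cave, exp_cave, 17) == 0 && slot == 0x00506961;
}
```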
Now let's talk about the steps: first use the FindWindow function to get the window handle, then use GetWindowThreadProcessId to get the process ID from that handle, then use OpenProcess to open the process with read and write permission, and finally read and write its memory with ReadProcessMemory and WriteProcessMemory. Then . . . .
Oh, your trainer is done :D. Below is the source of a trainer I wrote earlier. The first part writes the code into the game dynamically; the second part reads and modifies the internal force. Because I had no time to proofread and test it, I cannot guarantee it is free of mistakes; if you find an omission, leave me a message or write to me. A few points to pay attention to:
1. The machine code is written one byte at a time.
2. Write your own code into the blank area first, then modify the instruction in the game (the code below writes 00506950 before patching 0047EB17 for this reason).

The code is as follows:

#include <windows.h>

// Machine code, written into the game one byte at a time (see note 1).
// 0047EB17: JMP 00506950 ; NOP
static const BYTE g_hook[]  = { 0xE9, 0x34, 0x7E, 0x08, 0x00, 0x90 };
// 00506950: MOV EAX,[EDX+000003F4]
static const BYTE g_cave1[] = { 0x8B, 0x82, 0xF4, 0x03, 0x00, 0x00 };
// 00506956: MOV [00506961],EDX
static const BYTE g_cave2[] = { 0x89, 0x15, 0x61, 0x69, 0x50, 0x00 };
// 0050695C: JMP 0047EB1D
static const BYTE g_cave3[] = { 0xE9, 0xBC, 0x81, 0xF7, 0xFF };

// Write n bytes into the game's address space, one byte per call.
static BOOL WriteBytes(HANDLE hProc, DWORD addr, const BYTE* p, DWORD n)
{
    for (DWORD i = 0; i < n; i++)
        if (!WriteProcessMemory(hProc, (LPVOID)(addr + i), &p[i], 1, NULL))
            return FALSE;
    return TRUE;
}

// Find the game window, get its process ID and open the process with read/write access.
static HANDLE OpenGame()
{
    HWND hWnd = ::FindWindow("CRHClass", NULL);          // get the window handle
    if (hWnd == NULL) {
        MessageBox(NULL, "The game is not running!", "Trainer", MB_OK);
        return NULL;
    }
    DWORD hProcId;
    GetWindowThreadProcessId(hWnd, &hProcId);            // get the process ID from the window handle
    HANDLE hProc = OpenProcess(PROCESS_ALL_ACCESS | PROCESS_TERMINATE | PROCESS_VM_OPERATION |
                               PROCESS_VM_READ | PROCESS_VM_WRITE, FALSE, hProcId);
    if (hProc == NULL)
        MessageBox(NULL, "Could not open the process", "Trainer", MB_OK);
    return hProc;
}

//
// Part 1: dynamically write the code
//
void WriteCode()
{
    HANDLE hProc = OpenGame();
    if (hProc == NULL) return;
    // our code at 00506950 goes in first, so the JMP never lands on an unwritten area
    WriteBytes(hProc, 0x00506950, g_cave1, sizeof(g_cave1));
    WriteBytes(hProc, 0x00506956, g_cave2, sizeof(g_cave2));   // second instruction
    WriteBytes(hProc, 0x0050695C, g_cave3, sizeof(g_cave3));   // last one, the jump back
    WriteBytes(hProc, 0x0047EB17, g_hook, sizeof(g_hook));     // now patch 0047EB17
    CloseHandle(hProc);                                        // close the process handle
}

//
// Part 2: read and modify the internal force
//
void ModifyInternalForce()
{
    HANDLE hProc = OpenGame();
    if (hProc == NULL) return;
    DWORD base;
    // read the EDX base that our code saved at 00506961
    if (ReadProcessMemory(hProc, (LPCVOID)0x00506961, &base, sizeof(base), NULL)) {
        DWORD addr  = base + 0x000003F4;   // address of the internal force value
        DWORD value = 0x00;                // the value to write
        // write all four bytes of the DWORD, not just one
        if (!WriteProcessMemory(hProc, (LPVOID)addr, &value, sizeof(value), NULL))
            MessageBox(NULL, "Write failed", "Trainer", MB_OK);
    }
    CloseHandle(hProc);
}

That is all I have written. There are bound to be omissions, so please advise. If you can't or don't like to use VC,