Do your favorite!
------ Tomorrow you too can make your own plug-in

Online games are hot, and a great many players are involved in them. Many of those players now rely on plug-in programs (外挂: cheat or assist programs that run alongside the game). So is it hard to write a plug-in for a game? The answer is "no". Some basic knowledge is needed, and that is what this tutorial sets out to give you in plain language: some skills, some methods, and some basic helper tools. If you are a rookie, read our tutorial and learn to use the tools we provide, and you can write a plug-in that is entirely your own. The worked examples are two online games, Jin Yong Qun Xia Chuan (Online) and Network Three Kingdoms (网络三国), chosen because both encrypt their packets; once you understand how these two are modified, you should be able to build your own plug-in for other games. For Jin Yong we provide a plug-in that adds 20 NPCs to a battle, and for Network Three Kingdoms one that automatically takes medicine and automatically throws darts during PK, so that you can play more easily. Both programs are attached to this tutorial for you to use and study. The tutorial explains how to break the packet encryption so that packets can be read, and how to use the tools we provide to forge and send packets. Besides the text, it includes the plug-in programs for Jin Yong and Three Kingdoms and six plug-in-making tools for you to use. I hope every player can grow through the game: be excellent at playing it and excellent at taking it apart, and be a real game DIYer. To win a hundred battles in game modification you need fairly rich computer knowledge. Many computer experts started by playing games and modifying them, gradually developed a strong interest in computers, and gradually grew up that way. Don't envy what others can do, because you can do it too!

I believe that after reading this tutorial you will see games in a new light, heh, because I am a good teacher! (Don't throw eggs, that hurts! # ¥% ... *) But if you want to learn from modifying games and raise your computer skills, you cannot only modify games! Modifying a game is merely a place to verify computer knowledge you already have; it can only give you chances to discover and solve problems and raise your interest in learning about computers. It is not a shortcut to learning.
--------------------------------------------------------------------------------
One: What is a plug-in?
Today's online games are built on the Internet client/server model. The server program runs on the game company's server, where the designers create a huge game space, and players everywhere log into it by running a client program. Put simply, the game developer provides the environment, and players act relatively freely and openly within it. Because there is a server, the modification methods we used for single-player games lose their power. Remember how we changed all the attributes of a character in a stand-alone game by searching memory? That does not work in an online game, because the character's attributes and every other important piece of information are stored on the server; our own machine (the client) only displays the character's state, so changing the character's attributes in client memory is unrealistic. So is there no way at all to modify an online game? The answer is "no". Internet client/server communication generally uses the TCP/IP protocols, and data is exchanged by transmitting IP packets. Our client sends requests to the server, such as move or attack commands, in the form of packets, and the server answers in the same form. We call the data our machine sends Send, meaning data sent out; after the server receives our Send it feeds the relevant information back to the client, such as movement coordinates or the outcome of a battle, and we call the data the client receives from the server Recv. Once this is understood, the work ahead is to analyse the data (that is, the packets) exchanged between client and server, extract the data we want, and then either impersonate the server towards the client or impersonate the client towards the server. That achieves our modification.

Besides modifying game packets, we can also modify the client program itself to meet our needs. Every server has limited computing capacity, especially a game server that has to compute for every player in the game, so some operations are left to the client to carry out, and that gives us an opening. For example, we can disassemble or trace the client program to find the branch points where it makes decisions, and remove the checks that are unfavourable to us. The following chapters explain packets and the knowledge needed to modify the client. Are you ready?

Game data format and storage:
Before starting work you need to master some knowledge about how data is stored in a computer and how it is stored in games. This chapter is written for rookies; if you are a master you can skip it, heh. If you want to become a swordsman of the world, you will have to spend some time on these things; if you only want to be a passing tourist of the rivers and lakes, whether you understand them hardly matters. Swordsman or tourist, the choice is yours!

Now let's begin! First you need to know the several data formats used in games: bytes, words (word) and double words (dword), that is, 8-bit, 16-bit and 32-bit storage. A byte holds a number from 0 to 255; a word, or 16-bit storage, holds 0 to 65535; a double word, 32-bit storage, holds 0 to 4294967295.

Why learn this? Different game parameters have different maximum values. Some never need more than about 100, for example a character's level or the number of enemies in Jin Yong Qun Xia Chuan; others must exceed 255 or even 65535, for example the character's money in Jin Yong can reach millions. So different data in a game have different types. When we modify a game we must find the packet we intend to modify, and correctly judging the data type is an important condition for finding the right address quickly. In the computer, data is organised in bytes, and every byte is given a number that fixes its position. This number is called the address.

When a word or double word is needed, the computer combines two consecutive bytes into a word, and two consecutive words into a double word. The address of a word or double word is the address of its lowest byte. The Windows 9x operating systems we usually use represent addresses as 32-bit binary numbers, and when we write a memory address we normally write it as an 8-digit hexadecimal number.
What are binary and hexadecimal?

Simply put, binary has only the two digits 0 and 1 and carries at every two. Likewise, hexadecimal carries at every sixteen. Hexadecimal has sixteen digits, 0 to F: the values ten to fifteen are written with the letters A, B, C, D, E and F, so A is 10, B is 11, C is 12, D is 13, E is 14 and F is 15. There is also a simple correspondence between hexadecimal and binary: four binary digits are exactly one hexadecimal digit. For example the four-bit binary number 1111 is hexadecimal F, and 1010 is A.

Knowing these basics helps a great deal when modifying games. Since data in the computer is stored in binary, and the conversion between binary and hexadecimal is so simple, most modification tools display the computer's data as hexadecimal, and you also have to enter hexadecimal numbers when you modify. Clear?

The values you see in the game are decimal. When you want to find and modify a parameter, you can use the Calculator that comes with Windows to convert between decimal and hexadecimal; it is under Accessories in the Programs group of the Start menu.

That is about all you need to know for now. There is one more thing to pay attention to when modifying games: the computer stores the low-order part of a number in the low byte and the high-order part in the high byte (little-endian order). For example, decimal 41715 converts to hexadecimal A2F3, but in memory and in packets it is stored as the byte sequence F3 A2.

Read all of the above? Good, now let's show everyone how it works in a game. Roll up your sleeves and let's get to work!
--------------------------------------------------------------------------------
Two: What is a packet?

How do we intercept packets? How do we find the IP address and port number of the game server? Whatever information service an Internet user uses, the communication ultimately comes down to the transfer of IP packets, and each IP packet carries the destination IP address, the source IP address and some related control information. When a router receives an IP packet it looks up the routing table by the packet's destination address and sends the packet out of the corresponding port; the next router forwards it in turn until it reaches the destination. Routers exchange routing information through routing protocols and so update their routing tables. What we care about is the data inside the IP packet, and we can use one of many network sniffers to intercept the data exchanged between client and server. Here we introduce one of them: WPE (Winsock Packet Editor).

Using WPE: when you run WPE you have the following functions to choose from:

Select Game: choose the program whose packets you want to intercept from the processes in memory; just double-click the program name.

Trace: the tracking function, used to capture the packets the program sends. WPE needs the target program selected before this item can be used. Press the PLAY button to start capturing. You can press || at any time to pause tracing, and press || again to resume. Press the square (stop) button to stop capturing and display all captured packets. If you do not press stop, tracing stops automatically according to the value set in Options. If nothing is captured, try setting Winsock Version 2 in Options. WPE and the Trainer need the display set to at least 16-bit colour.

Filter: the filtering function, used to analyse and modify the captured packets.

Send Packet: the packet sending function, which lets you send forged packets.

Trainer Maker: makes a trainer (modifier).

Options: settings, letting you adjust some of WPE's values.

Detailed teaching of Filter
- When a Filter is enabled, the ON button turns red.
- After enabling a Filter you can close this window at any time; the Filter stays in its current state until you press the ON/OFF button again.
- Only while the Filter Enable button is OFF can you tick the box in front of a Filter to select it for editing.
- To edit a Filter, just double-click its name.
Normal Mode:
example:
Suppose that in Street Fighter Online you throw two fireballs and one of them hits the opponent; you get the following packets:
1) Send-> 0000 08 14 21 06 01 04
2) Send-> 0000 02 09 87 00 67 FF A4 AA 11 22 00 00 00
3) Send-> 0000 03 84 11 09 11 09
4) Send-> 0000 0A 09 C1 10 00 00 FF 52 44
5) Send-> 0000 0A 09 C1 10 00 00 66 52 44
Your fireball took 16 points (16 = 10h) of health off the opponent, and you notice that 10h appears at the 4th position of the 4th and 5th packets, so that should be the damage.
You also notice that the 0A 09 C1 before the 10h is unchanged in both packets, so these three values are evidently the key to the fireball.
Therefore you fill 0A 09 C1 10 into the Search column, and fill FF into position 4 of the Modify column. From then on, whenever you throw a fireball, FF replaces the 10 and it is a fireball of 255!
Advanced Mode:
Example: in a game you do not want to use your real name, and want to show the other side a modified false name. After running Trace you find your name in some of the packets. Suppose your name is Shadow, which in hexadecimal is 53 68 61 64 6F 77, and you plan to replace it with Moon padded with spaces, 6D 6F 6F 6E 20 20.
1) Send-> 0000 08 14 21 06 01 04
2) Send-> 0000 01 06 99 53 68 61 64 6F 77 00 01 05
3) Send-> 0000 03 84 11 09 11 09
4) Send-> 0000 0A 09 C1 10 00 53 68 61 64 6F 77 00 11
5) Send-> 0000 09 C1 10 00 00 66 52 44
But look carefully: your name is not at the same position in every packet.
- In the 2nd packet the name appears at position 4.
- In the 4th packet the name appears at position 6.
In this case you need Advanced Mode:
- In the Search column, enter 53 68 61 64 6F 77, making sure you start filling in from position 1.
- You want the new name to replace the old one starting from the first letter of Shadow, so choose to replace consecutive values from the position where the searched chain is found.
- Now fill 6D 6F 6F 6E 20 20 into the Modify column starting at position 001, which corresponds to the positions of the search chain, that is, to position 001 of the Search column.
- If instead you want to modify values at fixed positions in the packet, choose "from the beginning of the packet".
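The two filter modes above as working code, an added example written for this tutorial (it is not WPE's code or the original author's). `filter_normal` checks fixed 1-based positions and modifies fixed positions, like Normal Mode; `filter_advanced` finds the byte chain anywhere in the packet and applies the modifications relative to where the chain was found, or relative to the packet start when `from_start` is set. The function names and rule dictionaries are this example's own; the sample packets are the ones shown above.

```python
"""WPE-style filters: Normal Mode (fixed positions) and Advanced Mode
(search for a byte chain, then modify relative to where it was found)."""


def parse_hex(s: str) -> bytes:
    """'0A 09 C1 10' -> b'\\x0a\\x09\\xc1\\x10' (packet dumps as written in WPE)."""
    return bytes.fromhex(s.replace(" ", ""))


def filter_normal(packet: bytes, search: dict, modify: dict) -> bytes:
    """Normal Mode.  `search` maps 1-based positions to the byte that must be
    there, `modify` maps 1-based positions to replacement bytes.  The packet is
    only changed if every searched position matches."""
    for pos, val in search.items():
        if pos > len(packet) or packet[pos - 1] != val:
            return packet
    out = bytearray(packet)
    for pos, val in modify.items():
        if pos <= len(out):
            out[pos - 1] = val
    return bytes(out)


def filter_advanced(packet: bytes, chain: bytes, modify: dict,
                    from_start: bool = False) -> bytes:
    """Advanced Mode.  Look for `chain` anywhere in the packet.  Position 1 of
    `modify` is the first byte of the found chain ("from the position of the
    chain found"), or the first byte of the packet when from_start is True."""
    idx = packet.find(chain)
    if idx < 0:
        return packet
    base = 0 if from_start else idx
    out = bytearray(packet)
    for pos, val in modify.items():
        target = base + pos - 1
        if target < len(out):
            out[target] = val
    return bytes(out)


# Street Fighter Online fireball rule from the Normal Mode example:
# search 0A 09 C1 10 at positions 1-4, put FF at position 4.
FIREBALL = parse_hex("0A 09 C1 10 00 00 FF 52 44")
FIREBALL_SEARCH = {1: 0x0A, 2: 0x09, 3: 0xC1, 4: 0x10}
FIREBALL_MODIFY = {4: 0xFF}

# Name rule from the Advanced Mode example: Shadow -> moon padded with spaces.
SHADOW = parse_hex("53 68 61 64 6F 77")
MOON = {i + 1: b for i, b in enumerate(parse_hex("6D 6F 6F 6E 20 20"))}
NAME_PACKETS = [
    parse_hex("01 06 99 53 68 61 64 6F 77 00 01 05"),   # name at position 4
    parse_hex("0A 09 C1 10 00 53 68 61 64 6F 77 00 11"),  # name at position 6
]


def rename_all(packets):
    """Apply the Advanced Mode name rule to every outgoing packet."""
    return [filter_advanced(p, SHADOW, MOON) for p in packets]


if __name__ == "__main__":
    print(filter_normal(FIREBALL, FIREBALL_SEARCH, FIREBALL_MODIFY).hex(" "))
    for p in rename_all(NAME_PACKETS):
        print(p.hex(" "))
```

Running `filter_advanced` with `from_start=True` on the second packet overwrites bytes 1 to 6 of the packet instead of the name, which is exactly why the "from the position of the chain found" option is the right one when the field moves around.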
Anyone who knows the basics of the TCP/IP protocols knows that information is packaged before it is sent across the Internet. Each packet has two parts: the header and the data. The header holds the source and destination addresses and the like; the data holds all the information related to our operations in the game. So before we set about intercepting packets we need to know the game server's IP address and port number. The simplest way is to look for a Server.ini configuration file in the game directory; in Jin Yong Qun Xia Chuan, for example, the server's IP address can be read from it. Apart from that, we can use netstat at the DOS prompt.

The netstat command displays network connections, routing tables and network interface information, so it lets you see which network connections are currently active. You can also use a Trojan-detection tool or any other tool that lists network connections; there are plenty of them, so pick whichever you like.

The general form of the netstat command is: netstat [options]

The options below are those of the Unix/Linux netstat:
-a display all sockets, including listening ones.
-c redisplay every second until the user interrupts it.
-i display information about all network interfaces.
-n show addresses numerically instead of resolving names.
-r display the kernel routing table, in the same format as "route -e".
-t show TCP connections.
-u show UDP connections.
-v verbose output.
The Windows 9x netstat supports only a subset of these (-a, -n and -r among them, but not -c, -i, -t or -u). The form to use there is netstat -an: run it while the game is connected, and the remote address and port of the ESTABLISHED connection belonging to the game are the server's IP address and port.
--------------------------------------------------------------------------------
Three: How do we analyse the packets we intercepted?

First save the packets WPE intercepted as a text file and open it. You will see data like the following (the example is the data sent when PK-ing the shop's Xiao Er, the inn waiter, in Jin Yong Qun Xia Chuan):
First file:
send-> 0000 E6 56 0D 22 7E 6B E4 17 13 12 13 12 13 67 1B
send-> 0010 17 12 DD 34 12 12 12 12 17 12 0E 12 12 12 9B
send-> 0000 E6 56 1E F1 29 06 17 12 3B 0E 17 1A
send-> 0000 E6 56 1B C0 68 12 12 12 54
send-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12
send-> 0000 E6 56 17 C9 12
Second file:
send-> 0000 83 33 68 47 1B 0E 81 72 76 76 77 77 77 72 77 07 1C 77 77 77 77 72 77 72 77 77 77 6D
send-> 0000 83 33 7B 94 4C 63 72 77 5E 6B 72 F3
send-> 0000 83 33 7E A5 21 77 77 77 3F
send-> 0000 83 33 67 AD 76 CF 1B 0E 81 72 75 50 42 76 77 77
send-> 0000 83 33 72 AC 77
(A few bytes of the first and fourth packets were lost when the dump was copied; the length byte identified below gives the true size of each packet.)
We find that the packets of the two PK fights against the shop have the same format but different contents. We were PK-ing the same NPC, so why do they differ? Because Jin Yong Qun Xia Chuan's packets are encrypted before they are transmitted over the Internet. So the problem we face is decrypting the ciphertext into plaintext.

Packet encryption is usually an exclusive-OR (XOR) operation, so let's talk about what XOR is. Simply put, XOR works bit by bit on binary numbers, and the rule is "same gives 0, different gives 1". For example, XOR-ing 0001 with 0010 bit by bit gives 0011: the 4th bit of 0001 is 0 and the 4th bit of 0010 is 0, the same, so the 4th bit of the result is 0; the 3rd bits are 0 and 0, so the 3rd bit of the result is 0; the 2nd bits are 0 and 1, different, so the 2nd bit of the result is 1; the 1st bits are 1 and 0, different, so the 1st bit of the result is 1; together that is 0011. A useful property follows: XOR-ing with the same value twice gives back the original, so the same key both encrypts and decrypts. You will meet XOR a lot from now on, so get familiar with it; it is needed for the analysis below.

Now back to the two files. By common sense not every byte of a packet carries a value: game developers reserve some byte space for future expansion, so a packet will contain a number of 00 bytes. Looking at the dumps above, the first file contains a lot of 12 and the second a lot of 77; could these be our 00s? Let's act!

We XOR every byte of the first file with 12 and every byte of the second file with 77. Doing this by hand is very tedious, so we use the "M2M 1.0 Encrypted Packet Analysis Tool", which is more convenient, and get the following results:
First file:
1 send-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09
  send-> 0010 05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 89
2 send-> 0000 F4 44 0C E3 3B 14 05 00 29 1C 05 08
3 send-> 0000 F4 44 09 D2 7A 00 00 00 46
4 send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00
5 send-> 0000 F4 44 05 DB 00
Second file:
1 send-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09
  send-> 0010 05 00 70 6B 00 00 00 00 05 00 05 00 00 00 1A
2 send-> 0000 F4 44 0C E3 3B 14 05 00 29 1C 05 84
3 send-> 0000 F4 44 09 D2 56 00 00 00 48
4 send-> 0000 F4 44 10 DA 01 B8 6C 79 F6 05 02 27 35 01 00 00
5 send-> 0000 F4 44 05 DB 00
Ha, most of the two files are now identical, which shows our reasoning was right: the above is the plaintext we need!

Next we have to work out the meaning of some key bytes, which needs a large amount of data to analyse.

First we notice that every packet begins with F4 44, and that the third byte changes, but very regularly. Compare it with the length of each packet. Found it? Yes, the third byte is the length of the packet! By intercepting a large number of packets we judge that the 4th byte is the command, that is, it tells the server which operation the client wants. For example the request-battle command sent to the server is 30, and the move command during a battle is D4.

Next we analyse the first packet above, F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09 05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 89. What information does it carry? It should tell the server which NPC we are fighting, so let's look for the code of this shop's Xiao Er. We PK a small bandit (小喽啰, the one outside the Dali inn) instead and get:
send-> 0000 F4 44 1F 30 D4 75 F6 05 01 01 00 01 00 01 75 09
send-> 0010 05 00 8A 19 00 00 00 11 00 02 00 00 00 C0
By common sense the number of kinds of NPC in the game will not exceed 65535 (FFFF), but a developer would not limit the field to a word, because that would hinder expansion of the game, so we look at double words. Comparing the Xiao Er and small-bandit packets, we narrow the target down to 6C 79 F6 05 and CF 26 00 00. (Comparing is easy, but don't jump to conclusions, heh.) So we look at the later packets: a later packet must also carry an NPC code, for example the move packet, because the game belongs to the server, and the server must know the NPC's movement coordinates to broadcast them to the other players watching the fight. In the 4th packet, F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00, we see 6C 79 F6 05 again, so that is the code of the shop's Xiao Er! (This analysis involves a lot of work; intercept more data with WPE and analyse it patiently.) The analysis of the first packet stops here for now; it carries other information too, but we do not need to understand all of it.
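The decryption and the field analysis of this section as code, an added example written for this tutorial (it is not the M2M tool, the game's code or the original author's program). It also illustrates the byte-order point from the data-format section: the NPC code 4B 7D F6 05 is the little-endian double word 100040011. The sample packets are packets 2 to 5 of the second capture above (packet 1 of that capture is truncated in the dump). Two things are this example's own assumptions: the key is recovered by taking the most frequent ciphertext byte (the reserved 00 bytes of the plaintext encrypt to the key itself) and cross-checked against the constant F4 44 header, and the DA packet layout (count in byte 5, one unexplained byte, then 10 bytes per NPC) follows the analysis in the text.

```python
"""Recover the per-session XOR key of Jin Yong Qun Xia Chuan packets, decrypt
them and pull out the header fields and NPC codes."""
from collections import Counter
import struct

HEADER = b"\xF4\x44"  # every decrypted packet starts with these two bytes

# Second capture from the tutorial, packets 2-5 (ciphertext, key 77).
CAPTURE2 = [bytes.fromhex(s) for s in (
    "83337B944C6372775E6B72F3",
    "83337EA5217777773F",
    "833367AD76CF1B0E8172755042767777",
    "833372AC77",
)]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR with a single key byte; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def recover_key(packets) -> int:
    """Assumption: plaintext is full of reserved 00 bytes, so the most frequent
    ciphertext byte is the key.  Verified against the F4 44 header."""
    counts = Counter(b for p in packets for b in p)
    key = counts.most_common(1)[0][0]
    for p in packets:
        if xor_bytes(p[:2], key) != HEADER:
            raise ValueError("key %02X does not reproduce the F4 44 header" % key)
    return key


def parse_packet(plain: bytes) -> dict:
    """Header F4 44, byte 3 = packet length, byte 4 = command, rest = body."""
    if plain[:2] != HEADER or len(plain) < 4:
        raise ValueError("bad header")
    length, cmd = plain[2], plain[3]
    if length != len(plain):
        raise ValueError("length byte %d but packet has %d bytes" % (length, len(plain)))
    return {"length": length, "cmd": cmd, "body": plain[4:]}


def npc_entries(parsed: dict) -> list:
    """DA packet: body byte 1 = NPC count, byte 2 unexplained, then 10 bytes
    per NPC: 4-byte little-endian code followed by 6 bytes."""
    if parsed["cmd"] != 0xDA:
        raise ValueError("not a DA packet")
    count, entries = parsed["body"][0], parsed["body"][2:]
    if len(entries) != 10 * count:
        raise ValueError("NPC count %d does not match %d entry bytes" % (count, len(entries)))
    return [(struct.unpack_from("<I", entries, 10 * i)[0], entries[10 * i + 4:10 * i + 10])
            for i in range(count)]


def decrypt_capture(packets):
    """Key plus the parsed plaintext of every packet in a capture."""
    key = recover_key(packets)
    return key, [parse_packet(xor_bytes(p, key)) for p in packets]


def le_dword(value: int) -> bytes:
    """Little-endian storage: 41715 (A2F3) becomes F3 A2 00 00 as a dword."""
    return struct.pack("<I", value)


if __name__ == "__main__":
    key, parsed = decrypt_capture(CAPTURE2)
    print("session key: %02X" % key)
    for p in parsed:
        print("cmd %02X len %2d body %s" % (p["cmd"], p["length"],
                                           " ".join("%02X" % b for b in p["body"])))
    for code, extra in npc_entries(parsed[2]):
        print("NPC code %d = %s" % (code, " ".join("%02X" % b for b in le_dword(code))))
```

The header cross-check matters in practice: with a short capture the most frequent byte can be a header or command byte rather than the key, and then `recover_key` refuses instead of silently producing garbage.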
Now look at the 4th packet, F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00, and then intercept the packet for PK-ing a yellow dog (two dogs come out at once). Its format is:
send-> 0000 F4 44 1A DA 02 0B 4B 7D F6 05 02 27 35 01 00 00
send-> 0010 EB 03 F8 05 02 27 36 01 00 00

By the analysis above the yellow dog's code is 4B 7D F6 05, which read as a little-endian double word is 100040011. But how does the server tell the two yellow dogs apart? Look at EB 03 F8 05, which is 100140011: the previous code plus 100000, heh, so the server can distinguish the two dogs. We confirmed this with packets intercepted from battles against wild enemies. Sure enough.

Now the format of this packet should be fairly clear: the 3rd byte is the packet length, DA is the command, the 5th byte is the number of NPCs, and starting from the 7th byte each NPC is described by 10 bytes, ten more bytes for every additional NPC. The 6th byte (DB in the Xiao Er fight, 0B in the dog fight) and the six bytes after each NPC code have not been worked out; note that in the two-dog packet the byte after 02 27 is 35 in the first entry and 36 in the second. If you play Net Jin Yong you will know that reinforcements sometimes arrive at random during a fight; we use the game's own reinforcement mechanism to add NPCs to every battle.

By intercepting packets during the fight we find that the server also sends a packet like this: F4 44 12 E9 EB 03 F8 05 02 00 00 00 00 00 00 00 00 00, where bytes 5 to 8 are the NPC's code (illustrated here with the yellow dog's code; the length byte 12 makes it 18 bytes). So we use a local proxy to deceive the client and the server at the same time!

Well, the work of summoning NPCs is half done; how to modify and send the packets is explained in the next section.
--------------------------------------------------------------------------------
Four: How do we pretend to be the "client" and send the "server" the packets we need?

Here we need a tool that sits between the client and the server, receiving and forwarding packets; we call it a proxy. If the proxy merely received and forwarded packets it would be pointless, but note: every packet has to pass through it, and that is what makes it significant. We can analyse the packets it receives and forward them unchanged, modify them before forwarding, or send packets we need according to the analysis.

Now let's continue with how to deceive the server and the client at the same time, that is, how to modify packets and forge packets. From the analysis above we already know the packet format for fighting multiple NPCs, so let's do it!

First we have to find, among the packets the client sends, the signature of the start of a battle, which is the first packet of the battle request: we look for the bytes F4 44 1F 30, which never change (after decryption, of course). Finding them means the client is asking the server for a battle; we do not touch this packet and forward it as it is. Then we keep looking. The next signature is not as clean: we look for DA, the command with which the client sends the NPC information. DA may also occur elsewhere, but that does not matter: we check that it is the 4th byte of a packet whose first two bytes are F4 44. Once found, our work begins!

We decide how many NPCs to add. The number cannot be very large, because the packet length in Net Jin Yong is held in one byte, so a packet can have at most 255 bytes, and as we analysed each NPC adds 10 bytes, so everyone can count: adding about 20 NPCs is appropriate.

Then we take the original NPC code from the client's packet and compute the codes of the NPCs to add, each 100000 more than the last, combine them into a new packet, remember to update the byte holding the packet length, and forward it to the server. When writing the program pay attention to the algorithm at this step so as not to introduce a large delay.

That deceives the server side; deceiving the client is simpler. ^-^

After sending the packet above we construct packets for the client based on the new NPC codes, in the format F4 44 12 E9 <NPC code> 02 00 00 00 00 00 00 00 00 (18 bytes), one such packet per new NPC, and send them to the client one after another in order. The client is deceived too; very simple. Whatever else happens in the battle we no longer care about; go and play, heh.
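The procedure of this section as the packet-handling core of such a proxy, an added example written for this tutorial and not the author's plug-in (the sockets that carry the bytes are left out; the functions take one client packet and return what to send on). It follows the format worked out above: the F4 44 header, length in byte 3, DA command, NPC count in byte 5, 10 bytes per NPC, codes spaced 100000 apart, and the 18-byte E9 packet for the client. Three things are this example's own assumptions: the session key is taken from the first ciphertext byte XOR F4 (the constant header); the six bytes after each new NPC code are copied from the last existing entry with the byte the two-dog capture shows incremented (35 to 36) bumped once more per added NPC; and the E9 packets are returned in plaintext, because the text only establishes the key for the client-to-server direction.

```python
"""Proxy-side forging for Jin Yong Qun Xia Chuan battles: add NPCs to the
client's DA packet and build the E9 packets the client expects in return."""
import struct

HEADER = b"\xF4\x44"
CMD_NPC_LIST = 0xDA        # client -> server: NPCs in the battle
CMD_NPC_TO_CLIENT = 0xE9   # server -> client: one NPC, 18-byte packet
NPC_CODE_STEP = 100000     # second yellow dog = first yellow dog + 100000
ENTRY_LEN = 10             # bytes per NPC in a DA packet
MAX_PACKET = 255           # the length lives in a single byte


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def session_key(cipher: bytes) -> int:
    """Assumption: every plaintext packet starts with F4, so cipher[0] ^ F4 is the key."""
    return cipher[0] ^ HEADER[0]


def inject_npcs(plain: bytes, extra: int) -> bytes:
    """Append `extra` NPCs to a decrypted DA packet and fix count and length."""
    if plain[:2] != HEADER or len(plain) < 6 or plain[3] != CMD_NPC_LIST:
        raise ValueError("not a DA packet")
    if plain[2] != len(plain):
        raise ValueError("length byte %d does not match %d bytes" % (plain[2], len(plain)))
    count, entries = plain[4], plain[6:]
    if count == 0 or len(entries) != ENTRY_LEN * count:
        raise ValueError("NPC count %d does not match %d entry bytes" % (count, len(entries)))
    new_len = len(plain) + ENTRY_LEN * extra
    if new_len > MAX_PACKET:
        raise ValueError("%d NPCs need %d bytes; the length byte allows %d"
                         % (count + extra, new_len, MAX_PACKET))
    last = entries[-ENTRY_LEN:]
    last_code = struct.unpack("<I", last[:4])[0]
    tail = bytearray(last[4:])            # e.g. 02 27 35 01 00 00
    added = bytearray()
    for i in range(1, extra + 1):
        tail[2] = (tail[2] + 1) & 0xFF    # assumption: 35 -> 36 -> 37 ... per NPC
        added += struct.pack("<I", last_code + NPC_CODE_STEP * i) + tail
    return HEADER + bytes([new_len, CMD_NPC_LIST, count + extra, plain[5]]) + entries + bytes(added)


def client_npc_packet(code: int) -> bytes:
    """F4 44 12 E9 <code> 02 + nine 00 bytes: 18 bytes, as the length byte says."""
    return HEADER + bytes([18, CMD_NPC_TO_CLIENT]) + struct.pack("<I", code) + b"\x02" + b"\x00" * 9


def handle_client_packet(cipher: bytes, extra: int):
    """One client->server packet through the proxy.  Returns the bytes to
    forward to the server and the (plaintext) E9 packets to send to the client.
    Anything that is not a DA packet, including the F4 44 1F 30 battle
    request, is forwarded untouched."""
    key = session_key(cipher)
    plain = xor_bytes(cipher, key)
    if len(plain) < 4 or plain[3] != CMD_NPC_LIST:
        return cipher, []
    original = plain[4]
    new_plain = inject_npcs(plain, extra)
    new_codes = [struct.unpack_from("<I", new_plain, 6 + ENTRY_LEN * i)[0]
                 for i in range(original, original + extra)]
    return xor_bytes(new_plain, key), [client_npc_packet(c) for c in new_codes]


# Constructed sample: the single-dog version of the page's two-dog packet,
# encrypted with the first capture's key 12, as the proxy would receive it.
ONE_DOG = bytes.fromhex("F44410DA010B4B7DF605022735010000")
SAMPLE_CIPHER = xor_bytes(ONE_DOG, 0x12)

if __name__ == "__main__":
    to_server, to_client = handle_client_packet(SAMPLE_CIPHER, 1)
    print("to server (decrypted):", xor_bytes(to_server, 0x12).hex(" "))
    for p in to_client:
        print("to client:", p.hex(" "))
```

Adding one NPC to the single-dog packet reproduces the two-dog packet captured in section three byte for byte, including EB 03 F8 05 for the second dog; with a 16-byte DA packet the 255-byte limit allows at most 23 added NPCs, so `inject_npcs` rejects 24 rather than emitting a packet whose length byte has wrapped.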