Since online game companies generally do not publish the structure, content or encryption algorithm of their game's network packets, the key to developing the second type of plug-in successfully is whether the structure, content and encryption algorithm of the packets can be worked out correctly. Some tools can help, but this is still hard, complex work. The later part of the work builds on the results of that analysis and uses a large amount of program development technology to implement the plug-in that controls or modifies the game. If the plug-in is of the first type, mouse simulation is usually used to move the game character automatically and keyboard simulation to make the character attack automatically. If the plug-in is of the second type, SOCK hooking and API function hooking are usually used to intercept the packets exchanged with the game server, modify them and then forward them to the server. In addition, many plug-ins use memory modification of the game client and game acceleration techniques. This article mainly covers the program development technologies used by the latter kind of plug-in, concentrating on the techniques commonly used in game plug-ins:
● Action simulation technology: mainly keyboard simulation and mouse simulation.
● Packet technology: mainly SOCK hooking and API hooking.

Four: Action simulation technology

As we said before, almost all games contain a lot of tedious, boring attack actions to raise the player's skills, and mazes that never end; these seem to be synonymous with role-playing games.
Now a plug-in can free players from this tedious work so they can concentrate on the progress of the game plot. To implement functions such as automatic walking and automatic attacking, the plug-in needs keyboard simulation and mouse simulation technology. Below we focus on these techniques and prepare a simple example to help readers understand how action simulation is implemented.

1. Mouse simulation technology

Almost all games use the mouse to change the position and facing of the character; with nothing but a small mouse the player can make the character roam everywhere. So how do we make the character walk by itself, without the player? In fact this is not hard; a few Windows API functions are all it takes. Let us first get to know these API functions.

(1) The API function that simulates mouse actions is mouse_event, which can simulate pressing and releasing mouse buttons:

    VOID mouse_event(
        DWORD     dwFlags,      // mouse action flags
        DWORD     dx,           // horizontal position or movement
        DWORD     dy,           // vertical position or movement
        DWORD     dwData,       // mouse wheel movement
        ULONG_PTR dwExtraInfo   // extra information associated with the action
    );

dwFlags describes the mouse movement and button activity; its common values are:
MOUSEEVENTF_MOVE: simulates mouse movement.
MOUSEEVENTF_LEFTDOWN: simulates pressing the left button.
MOUSEEVENTF_LEFTUP: simulates releasing the left button.
MOUSEEVENTF_RIGHTDOWN: simulates pressing the right button.
MOUSEEVENTF_RIGHTUP: simulates releasing the right button.
MOUSEEVENTF_MIDDLEDOWN: simulates pressing the middle button.
MOUSEEVENTF_MIDDLEUP: simulates releasing the middle button.

(2) The API functions that get and set the current mouse position. Use GetCursorPos() to get the current position and SetCursorPos() to set it:

    BOOL GetCursorPos(LPPOINT lpPoint);   // receives the current mouse position
    BOOL SetCursorPos(int X, int Y);      // X: horizontal position, Y: vertical position

Usually the character walks by moving the mouse to the destination and then clicking the right button. Below we use the API functions above to simulate the walking process:

    #include <windows.h>

    void WalkToOffset(void)
    {
        POINT oldPoint, newPoint;
        GetCursorPos(&oldPoint);                          // save the current mouse position
        newPoint.x = oldPoint.x + 40;                     // destination: 40 pixels to the right
        newPoint.y = oldPoint.y + 10;                     // and 10 pixels down
        SetCursorPos(newPoint.x, newPoint.y);             // move the cursor to the destination
        mouse_event(MOUSEEVENTF_RIGHTDOWN, 0, 0, 0, 0);   // simulate pressing the right button
        mouse_event(MOUSEEVENTF_RIGHTUP, 0, 0, 0, 0);     // simulate releasing the right button
    }

2. Keyboard simulation technology

Many games provide keyboard operation in addition to mouse operation, and shortcut keys can be used when attacking a target. To make these attacks automatic, the plug-in needs keyboard simulation. Like mouse simulation, the Windows API provides functions that simulate keyboard actions. The API function keybd_event simulates pressing or releasing a key on the keyboard:

    VOID keybd_event(
        BYTE      bVk,          // virtual-key code
        BYTE      bScan,        // hardware scan code
        DWORD     dwFlags,      // keyboard action flags
        ULONG_PTR dwExtraInfo   // extra information associated with the keystroke
    );

bVk is the virtual-key code, a BYTE value macro in the range 1 to 254; search MSDN for the keyword "Virtual-Key Codes" to find the list. bScan is the scan code the keyboard hardware generates when a key is pressed or released; the MapVirtualKey() function converts between virtual-key codes and scan codes. dwFlags describes the keyboard action and has two values: KEYEVENTF_EXTENDEDKEY and KEYEVENTF_KEYUP. Below we use code to implement the Shift+R shortcut that attacks a target in the game.
    #include <windows.h>

    void SendAttackShortcut(void)
    {
        keybd_event(VK_CONTROL, MapVirtualKey(VK_CONTROL, 0), 0, 0);               // press the Ctrl key
        keybd_event(0x52, MapVirtualKey(0x52, 0), 0, 0);                           // press the R key (virtual-key code 0x52)
        keybd_event(0x52, MapVirtualKey(0x52, 0), KEYEVENTF_KEYUP, 0);             // release the R key
        keybd_event(VK_CONTROL, MapVirtualKey(VK_CONTROL, 0), KEYEVENTF_KEYUP, 0); // release the Ctrl key
    }

3. The mouse and keyboard simulation described above simulates the actions of the game character, but for the plug-in to run on top of the game it must either be attached to the game's scene window or use an activation key, something like a hotkey. We can use the GetWindow function to enumerate windows, or the FindWindow function to find a specific window; the FindWindowEx function finds a child window of a window. When the game scene switches, we can use FindWindowEx to check some characteristics of the current window and so judge whether we are still in that scene. There are many methods, for example using GetWindowInfo to check something: when a certain button is found, that shows the game scene has switched.

When using an activation key, you need to develop a global keyboard hook with Hook technology. This article does not specifically introduce the development process of a global hook; in later examples we will use a global hook and learn the related knowledge then.

Online Game Plug-in Writing Basics 1
Author: Unknown
If you want to win every battle when modifying games, you need quite rich computer knowledge. Many computer experts started out playing games and modifying games, gradually developed a strong interest in computers and gradually grew up. Don't envy what others can do, because you can do it too! I believe that after reading this tutorial you will have a new understanding of games, heh, because I am a good teacher! (Don't throw eggs, that hurts! #¥%…*) But if you want to learn knowledge from modifying games and raise your computer level, you cannot only modify games! You should know that modifying games is just a place to verify some of the computer knowledge you already have; it can only give you chances to discover and solve problems and can only help raise your interest in learning about computers; it is not a shortcut to learning.

One: What is a plug-in?

Today's online games are based on the client/server mode over the Internet. The server program runs on the game server; the game designer creates a huge game space in it, and players from everywhere can log into the game by running the client program. Simply put, an online game is a game environment provided by the game developer in which players act relatively freely and openly. So, since an online game has a server, the methods we used to modify games lose their power. Remember how we changed a character's various attributes in single-player games by memory searching? That cannot be used in online games, because the attributes and other important information of the character we play are stored on the server, and our own machine (the client) only displays the character's state, so modifying the character's memory in the client is unrealistic. So is there no way at all to make our modifications in online games? The answer is "no".
We know that communication in the Internet client/server mode generally uses the TCP/IP protocol, and data exchange is realized by transmitting IP packets. Generally our client sends certain requests to the server, such as move or fight commands, and these are exchanged with the server in the form of packets. We call what the local machine sends "Send", meaning sending data; after the server receives our Send it feeds related information back to the client, such as movement coordinates or the kind of battle. We call what the client receives from the server "Recv". Knowing this principle, the work we have to do is to analyze the data (that is, the packets) exchanged between the client and the server, so that we can extract the data useful to us and then simulate the server sending to the client, or simulate the client sending to the server, and thereby achieve our modification goal. Besides modifying game packets, we can also modify related client programs to meet our needs. We know that the computing capacity of any server is limited, especially in a game where the server must compute for all the players in it, so some operations are left to our client to complete, and this gives us some convenience in modifying the game. For example, we can debug the client program, find some of the program's branches, and remove some checks that are unfavorable to us, to satisfy our modification needs. In the next chapters we will tell you about packets and about modifying the client.
Are you ready?

Game data formats and storage: before starting our work we need to master some knowledge about how data is stored in the computer and the characteristics of data storage in games. This chapter is provided for novice players; if you are an expert you can skip it. If you want to be an invincible swordsman, you must spend some time here; if you just want to be a tourist of the rivers and lakes, then whether you understand these things or not does not matter. Swordsman or tourist, you choose! Now let's start!

First you must know the several data formats used in games: byte, word and double word, that is, 8-bit, 16-bit and 32-bit storage. A byte is a number from 0 to 255; a word, or 16-bit storage, can hold numbers from 0 to 65535; a double word is 32-bit storage holding 0 to 4294967295. Why must you understand this? The maximum values of different parameters in a game differ: some need only about 100, for example the character's level or the number of enemies in Jin Yong Qun Xia Chuan; some need more than 255 or even more than 65535, for example the character's money in Jin Yong Qun Xia Chuan can reach millions. So different data in a game has different types. When we modify a game we need to find the packet we intend to modify, and correctly determining the data type is an important condition for quickly finding the correct address. In the computer, data is organized in bytes, and each byte is given a number that fixes its position; this number is called the address. When a word or double word is needed, the computer forms a word from two consecutive bytes and a double word from two consecutive words, and the address of a word or double word is the address of its low byte. Our usual Windows 9x operating system represents addresses with 32-bit binary numbers.

When we use a memory address, it is always written as an 8-digit hexadecimal number. What are binary and hexadecimal? Simply put, binary has only the two digits 0 and 1 and carries at every two; similarly, hexadecimal carries at every sixteen. Hexadecimal has the sixteen digits 0 to F, where the letters A, B, C, D, E, F stand for ten to fifteen: A is 10, B is 11, C is 12, D is 13, E is 14 and F is 15. Moreover there is a simple correspondence between hexadecimal and binary: four binary digits are equivalent to one hexadecimal digit. For example, the four-bit binary number 1111 is hexadecimal F, and 1010 is A. Understanding this basic knowledge helps a lot in modifying games; let's talk about why. Since data in the computer is stored in binary and the conversion between binary and hexadecimal is so simple, most modification tools display the data in the computer as hexadecimal, and you also need to enter hexadecimal numbers when modifying. Is that clear? The values seen in the game are decimal. When you want to find and modify the value of a parameter, you can use the calculator provided by Windows to convert between decimal and hexadecimal; you can find it under Accessories in the Programs group of the Start menu. That is almost all the knowledge you need for now! However, there is one more problem to pay attention to when modifying games: the way data is stored in the computer is usually with the low-order part in the low byte and the high-order part in the high byte. For example, the decimal number 41715 converted to hexadecimal is A2F3, but in the computer this number is stored as F3 A2. Have you read the above? Do you understand the relationship between data and how it is stored? Okay, now let's tell everyone how to work on the game. Come on! Everyone roll up your sleeves and let's get to work!

Second: What is a packet? How to intercept packets? How to find the IP address and port number of the game server?

When Internet users use various information services, the information communicated can ultimately be reduced to transfers in units of IP packets. Besides the data to be transmitted, an IP packet contains the destination IP address, the source IP address and some related control information. When a router receives an IP packet, it looks up the routing table according to the destination address in the packet and sends the packet out of the corresponding port according to the result; the next router continues forwarding after receiving it, until the packet is delivered to its destination. Routers can exchange routing information with each other through routing protocols and thereby update their routing tables. What we care about is the data in the IP packet, and we can use many network monitoring tools to intercept the data exchanged between the client and the server. Here we introduce one of these tools: WPE.

WPE usage: when WPE is run, the following functions can be chosen:
Select Game: selects the program in memory that you want to intercept; just double-click the program name.
Trace: the tracking function, used to track and capture the packets a program sends. WPE must first be told the name of the program to track before this item can be used. Press the PLAY key to start capturing packets. You can press || at any time to pause tracking; press || again to resume. Pressing the square stops capturing and displays all captured packets.
If you do not press the square stop button, tracking stops automatically according to the value set in Options. If you capture nothing, try changing the Option to Winsock Version 2. WPE and Trainers must be displayed in at least 16-bit color.
Filter: the filtering function, used to analyze and modify captured packets.
Send Packet: the send-packet function, which lets you send a forged packet.
Trainer Maker: makes a trainer (modifier).
Options: the settings function, which lets you adjust some of WPE's settings.

Detailed teaching on Filter:
- When a Filter is enabled, its button appears red.
- When a Filter is enabled you can close this window at any time; the Filter stays in its original state until you press the ON/OFF button again.
- Only when the Filter Enable button is OFF can you tick the box in front of a Filter to edit and modify it.
- When you want to edit a Filter, just double-click its name.

Normal Mode:
Example: in Strip Fighter Online you fire two fireballs and hit the opponent. At this time you get the following packets:

    Send-> 0000 08 14 21 06 01 04
    Send-> 0000 02 09 87 00 67 FF A4 AA 11 22 00 00 00
    Send-> 0000 03 84 11 09 11 09
    Send-> 0000 0A 09 C1 10 00 00 FF 52 44
    Send-> 0000 0A 09 C1 10 00 00 66 52 44

Your first fireball reduces the opponent's life by 16 (16 = 10h), and you notice that 10h appears at position 4 of the 4th and 5th packets, so it should be here. You observe that the 0A 09 C1 before 10h does not change between the two packets, so obviously these three values are the key of a fireball. So you fill 0A 09 C1 10 into the Search column and fill FF into position 4 of the Modify column. The result: when you fire a fireball again, FF replaces the former 10, which is a fireball of 255!

Advanced Mode:
Example: in some game you don't want to use your real name but want to send the other side a modified fake name. After using Trace you find your name in some packets. Suppose your name is Shadow, which converted to hexadecimal is 53 68 61 64 6F 77, and you plan to replace it with Moon, 6D 6F 6F 6E 20 20.

    1) Send-> 0000 08 14 21 06 01 04
    2) Send-> 0000 01 06 99 53 68 61 64 6F 77 00 01 05
    3) Send-> 0000 03 84 11 09 11 09
    4) Send-> 0000 0A 09 C1 10 00 53 68 61 64 6F 77 00 11
    5) Send-> 0000 0A 09 C1 10 00 00 66 52 44

But look carefully: your name is not at the same position in each packet. In the 2nd packet the name starts at position 4; in the 4th packet it is at a different position. In this case you need Advanced Mode:
- In the Search column fill in 53 68 61 64 6F 77 (be sure to fill in starting from position 1).
- You want to replace the new name starting from the original name Shadow, so choose "from the position of the chain found" to replace the consecutive values from the position where the search string is found.
- Now fill in the Modify column at position 000: 6D 6F 6F 6E 20 20. This is the corresponding position, that is, it starts from position 001 of the original Search column. (If you want to modify values starting from the first position of the packet, select "from the beginning of the packet".)

Anyone with common sense about the TCP/IP protocol knows that on the Internet information is packaged before transmission. Each packet has two parts: header information and data. The header includes the packet's source address and destination address and so on; the data includes all the information related to our operations in the game. So before intercepting packets we must know information such as the IP address and port number of the game server. In fact, the easiest way is to check whether there is a Server.ini configuration file, in which you can see the game server's IP address. Jin Yong Qun Xia Chuan, for example, is like this. Besides that, we can use netstat in DOS to look at network connections, the routing table and network interface information, which lets the user know which network connections are active. Or you can use tools such as Trojan to view network connections. There are many tools; use whichever you like. The general format of the netstat command is:

    netstat [options]

The meaning of each option is as follows:
-a Displays all sockets, including listening ones.
-c Redisplays every second until the user interrupts it.
-i Displays information about all network interfaces.
-n Shows numeric IP addresses instead of names when displaying network connections.
-r Displays the kernel routing table, in the same format as "route -e".
-t Shows TCP connections.
-u Shows UDP connections.
-v Displays work in progress.

Online Game Plug-in Writing Basics 2
Author: Unknown
Three: How to analyze the packets we intercepted?

First we save the packets WPE intercepted as text files, then open them and see the following data (here we use the packets sent when PK-ing the inn waiter in Jin Yong Qun Xia Chuan as the example):

The first file:

    Send-> 0000 E6 56 0D 22 7E 6B E4 17 13 12 13 12 13 67 1B
    Send-> 0010 17 12 DD 34 12 12 12 12 17 12 12 12 12 12 9B
    Send-> 0000 E6 56 1E F1 29 06 17 12 3B 0E 17 1A
    Send-> 0000 E6 56 1B C0 68 12 12 12 5A
    Send-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12
    Send-> 0000 E6 56 17 C9 12

The second file:

    Send-> 0000 83 33 68 47 1B 0E 81 72 76 76 77 76 77 76 02 7E
    Send-> 0010 72 77 07 1C 77 77 77 77 72 77 72 77 77 77 6D
    Send-> 0000 83 33 7B 94 4C 63 72 77 5E 6B 72 F3
    Send-> 0000 83 33 7E A5 21 77 77 77 3F
    Send-> 0000 83 33 67 AD 76 CF 1B 0E 81 72 75 50 42 76 77 77
    Send-> 0000 83 33 72 AC 77

We find that the format of the two captures of PK-ing the inn waiter is the same but the content differs. We PK the same NPC, so why is it different? Because the packets of Jin Yong Qun Xia Chuan are encrypted when transmitted on the Internet. So the problem we face is decrypting the ciphertext into plaintext. Since packet encryption is generally XOR, let's talk about what XOR is. Simply put, XOR is "same gives 0, different gives 1" (this is applied to binary, bit by bit). For example, XOR 0001 with 0010 bit by bit and the result is 0011. The calculation goes: the 4th bit of 0001 is 0 and the 4th bit of 0010 is 0; they are the same, so by "same 0, different 1" the 4th bit of the result is 0. The 3rd bit of 0001 is 0 and the 3rd bit of 0010 is 0, so the 3rd bit of the result is 0. The 2nd bit of 0001 is 0 and the 2nd bit of 0010 is 1, so the 2nd bit of the result is 1. The 1st bit of 0001 is 1 and the 1st bit of 0010 is 0, so the 1st bit of the result is 1. Combined, that is 0011. We will meet the XOR operation a lot in the future; everyone should get familiar with it so the analysis goes smoothly. Now let's continue looking at the two files above. By common sense, not every byte of a packet is a meaningful value: game developers reserve some byte space for future expansion, so the packet will contain some "00" bytes. Observing the files above, we find many "12" in file one and many "77" in file two. Are these our "00"? Let's act! We XOR file one with "12" and file two with "77". Of course, doing this by hand is a lot of work; using the "M2M 1.0 Encrypted Packet Analysis Tool" is more convenient. We get the following results:
The first file:

    1) Send-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09
       Send-> 0010 05 00 CF 26 00 00 00 05 00 1C 00 00 00 89
    2) Send-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 08
    3) Send-> 0000 F4 44 09 D2 7A 00 00 00 48
    4) Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00
    5) Send-> 0000 F4 44 05 DB 00

The second file:

    1) Send-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09
       Send-> 0010 05 00 70 6B 00 00 00 00 05 00 05 00 00 00 1A
    2) Send-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 84
    3) Send-> 0000 F4 44 09 D2 56 00 00 00 48
    4) Send-> 0000 F4 44 10 DA 01 B8 6C 79 F6 05 02 27 35 01 00 00
    5) Send-> 0000 F4 44 05 DB 00

Now the two files are the same, which shows our reasoning was correct; the above is the plaintext we need! Next is to understand the meaning of some key bytes, which requires analyzing a large amount of data. First we find that every packet begins with "F4 44", and that the third byte changes, but very regularly. Look at the length of each packet. Found it? Yes, the third byte is the length of the packet! By intercepting a large number of packets we judge that the 4th byte is the command, that is, what operation the client tells the server to perform. For example, the command requesting a battle from the server is "30", and the move command during a battle is "DA". Next we need to analyze the first packet "F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09 05 00 CF 26 00 00 00 05 00 1C 00 00 00 89". What information does this packet contain? It should tell the server which NPC you are PK-ing, so let's find the code of this inn waiter. For comparison, here is the packet for a minor minion (the one outside the inn in Dali):

    Send-> 0000 F4 44 1F 30 D4 75 F6 05 01 01 00 01 00 01 75 09
    Send-> 0010 05 00 8A 19 00 00 00 11 00 02 00 00 00 C0

We analyze by common sense: although the number of NPC kinds in the game will not exceed 65535 (FFFF), the game will not restrict itself to the range of a word, since that would not be good for expanding the game, so we look at double words. Comparing the "inn waiter" packet with the "minion" packet, we narrow the target down to "6C 79 F6 05" and "CF 26 00 00". (It is easy to compare, but don't be too hasty, heh heh.) Let's look at the later packets. In the later packets there should also be an NPC code; for example in a move packet, since the game allows spectators, the server must know the coordinates the NPC moves to in order to broadcast them to the other players watching. In the 4th packet "Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00" we see "6C 79 F6 05" again; that is the code of the inn waiter we fought at the start! (This analysis involves a lot of work; everyone can use WPE to capture data and analyze it themselves.) The analysis of the first packet stops here for now (there is still information in it we don't need to be completely clear about). Let's look at the 4th packet "Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00", then capture the packet from PK-ing yellow dogs (the dogs come out in twos, heh) and look at its format:
    Send-> 0000 F4 44 1A DA 02 0B 4B 7D F6 05 02 27 35 01 00
    Send-> 0010 EB 03 F8 05 02 27 36 01 00 00

According to the analysis above, the yellow dog's code is "4B 7D F6 05" (100040011), but how does the server distinguish the two yellow dogs? Look at "EB 03 F8 05" (100140011): it is the previous code plus 100000, heh, and that is how the server tells the two yellow dogs apart. We have confirmed this with packets captured from encounters with enemies in the wild. So the format of this packet should be clearer now: the third byte is the packet length, "DA" is the command, the 5th byte is the number of NPCs, and starting from the 7th byte every 10 bytes represent one NPC's information; one more NPC means 10 more bytes. If you have played online Jin Yong you know that reinforcements sometimes appear at random; we use this to add a new NPC to a battle. By capturing packets in battles where reinforcements arrived, we find a packet like this from the server: F4 44 12 E9 EB 03 F8 05 02 00 00 00 00 00 00 00 00 00, in which the bytes after E9 are the code of the reinforcing NPC (here we simply use the yellow dog's code). So we use proxy technology to deceive the client and the server at the same time! Okay, the work of calling an NPC is half done; the next thing is how to modify packets and send packets, which we continue in the next section.

Four: How to pretend to be the "client" and send the "server" the packets we need?

Here we need a tool that sits between the client and the server. Its job is to receive and forward packets; we call it a proxy. If the proxy's job were simply to receive and forward, it would be meaningless, but note: all packets must pass through it, and that is where its significance lies. We can analyze the received packets and forward them directly, or modify them and forward them, or send the packets we need. Below we continue with how to deceive the server and the client at the same time, that is, modifying packets and forging packets. From the previous analysis we already know the format of the packets for fighting multiple NPCs, so let's do it! First we must find the packet the client sends and find the characteristic of a battle, which is the first packet requesting a battle; we find "F4 44 1F
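The decoding steps of section Three (recovering the XOR key from the padding bytes, reading the length and command bytes, and reading the little-endian NPC codes), together with the byte-order point from the data-format chapter, as one added Python example; it is not code from the original article or from any of the tools it names. The sample capture is constructed from the decoded dumps on this page, re-obfuscated with the key byte 0x12, and the field layout is the one the article infers; it also shows why a single-byte XOR key is recoverable from frequency alone, which is why such obfuscation is no protection for a client/server protocol.

```python
"""Recover the XOR key, decode and parse game packets of the kind analyzed above."""
from collections import Counter
import struct

# Constructed sample capture, not a real recording: the two decoded packets
# from this page (the "request battle" packet and the two-yellow-dog packet)
# re-obfuscated with the key byte 0x12, as WPE would have shown them.
CAPTURE = [
    bytes.fromhex("e6560d227e6be41713131213" "1213671b1712dd3412121212" "1712121212129b"),
    bytes.fromhex("e65608c81019596fe4171035" "27131212f911ea1710352413" "1212"),
]

MAGIC = b"\xf4\x44"       # every decoded packet starts with F4 44
CMD_BATTLE = 0x30         # 4th byte: "request battle", as identified on the page
CMD_MOVE = 0xDA           # 4th byte: "move in battle", carries NPC records
NPC_RECORDS_START = 6     # records begin at the 7th byte (counting from 1)
NPC_RECORD_LEN = 10       # one NPC per 10 bytes


def guess_xor_key(data: bytes) -> int:
    """Single-byte XOR leaks its key: the padding bytes 00 are the most
    common plaintext byte, so the most common ciphertext byte is 00 ^ key = key."""
    return Counter(data).most_common(1)[0][0]


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with the same key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def parse_packet(plain: bytes) -> dict:
    """Split a decoded packet into the fields inferred on this page."""
    if plain[:2] != MAGIC:
        raise ValueError("not a game packet: bad magic %s" % plain[:2].hex())
    length = plain[2]
    if length != len(plain):
        raise ValueError("length byte %d does not match %d bytes" % (length, len(plain)))
    packet = {"length": length, "command": plain[3], "npcs": []}
    if packet["command"] == CMD_MOVE:
        for i in range(plain[4]):                    # 5th byte: number of NPCs
            off = NPC_RECORDS_START + i * NPC_RECORD_LEN
            rec = plain[off:off + NPC_RECORD_LEN]
            if len(rec) < NPC_RECORD_LEN:
                raise ValueError("truncated NPC record %d" % i)
            # The NPC code is a little-endian double word:
            # "4B 7D F6 05" is 0x05F67D4B = 100040011.
            code = struct.unpack_from("<I", rec, 0)[0]
            packet["npcs"].append({"code": code, "raw": rec.hex(" ").upper()})
    return packet


def decode_capture(capture):
    """Guess the key over the whole capture, then decode and parse every packet."""
    key = guess_xor_key(b"".join(capture))
    return key, [parse_packet(xor_bytes(p, key)) for p in capture]


def word_bytes(value: int) -> str:
    """Memory layout of a 16-bit value, low byte first: 41715 (A2F3h) -> 'F3 A2'."""
    return struct.pack("<H", value).hex(" ").upper()


if __name__ == "__main__":
    key, packets = decode_capture(CAPTURE)
    print("recovered key: %02X" % key)
    for packet in packets:
        print(packet)
    print("41715 is stored as", word_bytes(41715))
```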