Local modification plug-in now let's take a look at the entire production process of the other plug-in - the entire production process of local modified plugins. I know that the most typical application of local modified plug-in is to play on the "Elf" game, because I am in recent years ("Elf" is still in the test stage), there are many colleagues in my company to play "Elf". So I looked at the data processing method of the game. I found that the information it sent to the server was existing in memory (I got the first feeling: Modifying this game and modifying the stand-alone version of the game. In other words, it was possible to modify the memory address before he submitted information to the server). At that time, I found that the address was changed, and sure, according to my idea, modified the address, so that the system was automatically submitted, it really succeeded. ~~~~~, later "Elf" changed to a double address school inspection, memory school inspection, etc., I will not have nonsense here ~~~~, ok, let's take a look at how this kind of plunks are made We have to have a specific understanding of Windows's memory before doing plug-in, and the memory we refers to the system's memory offset, which is relatively memory, and we have to modify it, then we To understand several Windows APIs, OK, follow examples Let us see this plug-in production and API application (in order to ensure the normal operation of online games, I don't explain the way the memory address is detailed): 1 First we have to use FindWindow, know the handle of the game window, because we have to learn the ID of the process after the game is run, below is the usage of FindWindow:
HWnd FindWindow (lpctstr lpclassname, // pointer to class namelpctstr lpwindowname // pointer to window name);
2, we obtain GetWindowThreadProcessId game window corresponding to the process ID of the process, the use of the following function: DWORD GetWindowThreadProcessId (HWND hWnd, // handle of windowLPDWORD lpdwProcessId // address of variable for process identifier); 3, to give the game process ID, then The thing down is to open the process with the highest permission, and the specific usage of the function OpenProcess used is as follows:
Handle OpenProcess, // Access Flag Bool BinheritHandle, // Handle Inheritance Flag DWord DWProcessID // Process Identifier);
In the dwdesired, you can set an access mode. It can set the permissions, we use as long as you use process_all_access to open the process, and other ways we can check the MSDN. 4, after opening the process, we can use the function to operate, here we use WriteProcessMemory to write data to the memory address (other way of operation, such as: ReadProcessMemory, I am here. Introduced), let's take a look at the usage of WriteProcessMemory:
BOOL WriteProcessMemory (HANDLE hProcess, // handle to process whose memory is written to LPVOID lpBaseAddress, // address to start writing to LPVOID lpBuffer, // pointer to buffer to write data toDWORD nSize, // number of bytes to writeLPDWORD lpNumberOfBytesWritten // Actual Number of Bytes Written; 5. The following is done with CloseHandle. This is a method of implementing some of this type of game, well, there is this method, we have a rational understanding, let's take a look at the actual example, improve our sense of mind, the following is the plug-in XX game Code, we should study it according to the above method:
constResourceOffset: dword = $ 004219F4; resource: dword = 3113226621; ResourceOffset1: dword = $ 004219F8; resource1: dword = 1940000000; ResourceOffset2: dword = $ 0043FA50; resource2: dword = 1280185; ResourceOffset3: dword = $ 0043FA54; resource3: dword = 3163064576; ResourceOffset4: dword = $ 0043FA58; resource4: dword = 2298478592; varhw: HWND; pid: dword; h: THandle; tt: Cardinal; beginhw: = FindWindow ( 'XX', nil); if hw = 0 thenExit; GetWindowThreadProcessId (hw, @pid); h: = OpenProcess (PROCESS_ALL_ACCESS, false, pid); if h = 0 thenExit; if flatcheckbox1.Checked = true thenbeginWriteProcessMemory (h, Pointer (ResourceOffset), @Resource, sizeof (Resource), tt) ; WriteProcessMemory (h, Pointer (ResourceOffset1), @ Resource1, sizeof (Resource1), tt); end; if flatcheckbox2.Checked = true thenbeginWriteProcessMemory (h, Pointer (ResourceOffset2), @ Resource2, sizeof (Resource2), tt); WriteProcessMemory (h, pointer (resourceoffset3), @ resource3, sizeof (resource3), tt); WriteProcessMemory (H, Pointer (ResourceOffset4), @ Resource4, SIZ EOF (resource4), tt); end; messagebeep (0); CloseHandle (H); Close;
This game has been verified by multi-address for the data to be submitted, so this type of game plug-in production is not very difficult, and the hardest is to find these addresses.
