1. WPE working principle and feasibility analysis
What WPE changes is not a value inside the game but the information packet itself, which it forges. So what does it mean to change something with WPE? It is not a matter of values like "HP 10000"; that kind of thing cannot be changed this way. What we can change is "I sold an item for 500 yuan" into "I sold an item for 50,000 yuan", or "I have 10 EXP" into "I have 10,000 EXP"; or, for an item I never sold, to report "sold for 500 yuan"; or, with no monster present, to report "hit for 10 EXP" every time.
WPE is a packet-intercepting program: it can capture the data packets on the network. "Legend" uses a client/server model, and all of our information lives on the server, so changing our personal user information means changing it on the server, which is possible only to a limited extent. With the client installed on your machine, each action you take in the game actually sends a packet to the server; the server parses the packet, acts on it, and returns the result, which also arrives at your machine as a packet. Once your machine receives it, you see the result.
This gives us an opportunity: what if we change the data in the packet? For example, I cast a small fireball, intercept the packet, and change the code to the lightning code; the effect shown on my machine should then be lightning (already tried, and it works). The method is viable in theory, so why can it not always be realized? Because the server also has countermeasures: some important data is checked, and when we modify only one copy of it the check fails. Often the packets are also encrypted, which makes it hard to find the right data.
However, the server's monitoring is limited, so it cannot check everything itself. Many resource checks are placed on the client; in the early days hacks such as the half-month version were only ever checked on the local machine, and the server had no corresponding monitoring mechanism. Only recent updates have added some monitoring, and that also causes chaos across the whole server.
So we can also modify some of what the server sees. Of course, these things need to be explored together.
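As an added illustration of the point this section makes, and not code from the tutorial or from the game itself: the reason a forged "sold for 50,000 yuan" packet should not work is that the server, not the client, is the authority on the value, and the server can also notice when the ordered packet numbers jump. The frame layout below follows the description given later on this page (0x23 start byte, an ASCII-digit packet number, a four-byte position code, 0x21 terminator); the "sell" command id, the item-name field, the price table and the sample packets are all constructed assumptions for this demo.

```python
import struct
from dataclasses import dataclass, field

START, END = 0x23, 0x21      # frame delimiters the tutorial describes ('#' ... '!')
CMD_SELL = 0x01              # constructed command id for "sell item" (assumption)
ITEM_PRICES = {"herb": 500, "potion": 40}   # server-side price table (constructed)


@dataclass
class Frame:
    seq: int          # packet number: the ASCII digit after the start byte
    position: bytes   # four-byte position code (bytes 3-6 per the tutorial)
    payload: bytes    # everything between the position code and the terminator


def parse_frame(raw: bytes) -> Frame:
    """Split a raw frame into its parts, rejecting anything that is not well formed."""
    if len(raw) < 7 or raw[0] != START or raw[-1] != END:
        raise ValueError("bad framing")
    if not 0x30 <= raw[1] <= 0x39:
        raise ValueError("sequence byte is not an ASCII digit")
    return Frame(seq=raw[1] - 0x30, position=raw[2:6], payload=raw[6:-1])


def build_sell(seq: int, item: str, claimed_price: int, position: bytes = b"<<<<") -> bytes:
    """Client-side encoder, used here only to construct sample input for the demo."""
    name = item.encode("ascii").ljust(8, b"\x00")          # 8-byte item-name field
    payload = bytes([CMD_SELL]) + name + struct.pack(">I", claimed_price)
    return bytes([START, 0x30 + seq]) + position + payload + bytes([END])


@dataclass
class Session:
    """Per-connection state the server keeps; this is the authoritative copy."""
    expected_seq: int = 0
    gold: int = 0
    alerts: list = field(default_factory=list)

    def handle(self, raw: bytes) -> bool:
        """Validate one client frame; return True if it was accepted."""
        try:
            frame = parse_frame(raw)
        except ValueError as exc:
            self.alerts.append(f"malformed frame: {exc}")
            return False
        # The stream is ordered, so a gap or repeat in the packet number is suspicious.
        if frame.seq != self.expected_seq:
            self.alerts.append(f"sequence mismatch: got {frame.seq}, expected {self.expected_seq}")
            return False
        self.expected_seq = (self.expected_seq + 1) % 10
        if not frame.payload:
            self.alerts.append("empty payload")
            return False
        if frame.payload[0] == CMD_SELL:
            return self._sell(frame.payload[1:])
        self.alerts.append(f"unknown command {frame.payload[0]:#04x}")
        return False

    def _sell(self, body: bytes) -> bool:
        if len(body) != 12:
            self.alerts.append("sell payload has wrong length")
            return False
        item = body[:8].rstrip(b"\x00").decode("ascii", errors="replace")
        claimed = struct.unpack(">I", body[8:12])[0]
        real = ITEM_PRICES.get(item)
        if real is None:
            self.alerts.append(f"sell of unknown item {item!r}")
            return False
        # The client's price field is only a claim; compare it with the server's table.
        if claimed != real:
            self.alerts.append(f"client claimed {claimed} for {item!r}, table says {real}")
            return False
        self.gold += real        # credit the server's value, never the client's
        return True


if __name__ == "__main__":
    s = Session()
    print(s.handle(build_sell(0, "herb", 500)), s.gold)      # honest sale: accepted
    print(s.handle(build_sell(1, "herb", 50000)), s.gold)    # forged price: rejected
    print(s.alerts)
```

The honest packet is credited with the table price; the packet carrying 50,000 parses fine and has the right packet number, but it is refused because the server never uses the client's number for anything except comparison, and the mismatch is logged where an operator can see it.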
A few technical tips:
The Legend C/S communication uses byte-stream sockets. This communication is reliable, bidirectional and ordered, so the packets arrive in their original order.
The game uses a 32-bit check (CRC32), so we cannot tamper with that information. If the server checks it, it disconnects the connection, so it is more effective to use Li Dynasty. Tampering with the identity-authentication information is of course no problem (it passes as the same machine and the same user!).
The data we send contains a coordinate code; do not change the coordinates when they are correct.

2. WPE teaching - interception operation
First, of course, run the game, press [ALT+TAB] to leave the game, and open the WPE program (WPE ver 1.3; interface as shown below).
Double-click SELECT GAME to open the window shown above. Taking Legend as an example: when Legend is running, we can see its executable in the list; double-click mir.dat, and now we can intercept Legend's packets!
Note that the title bar now shows Legend's packets.
Double-click Trace to open the window shown in the figure, which is used to intercept packets. Press the triangle button to start intercepting and the red square to stop.
If you do not press the red square stop button, tracing stops automatically according to the value set in Options. After intercepting, the numbers after an S entry are the contents of a sent packet and the numbers after an R entry are the contents of a received packet, shown in two forms: hex and ASCII!
The program has three Options settings; go and find all three!
At this point the first step is complete. Next comes filtering; don't doze off, the main event is about to start!
3. WPE Teaching - Filter
Filter performs the filtering function: it can modify the data in an intercepted packet and then pass the modified data on to the server, thereby deceiving the server. That is the task we have to complete. First a demonstration: double-click Filter to open the Filter window.
The detailed features are shown below.
When a Filter is started, its ON button turns red. Once started, you can close this window at any time; the Filter stays in its state until you press the ON/OFF button again. Only after ticking the box in front of the Filter Enable button can you edit the modification. To edit a Filter, just double-click its name.
Double-click the Filter name (such as Filter 1) to enter the editing state; see the picture below.
There are several terms here you need to pay attention to:
Normal mode: if the position you modify is fixed within the packet, use Normal mode; this is also the mode we use most often.
Advanced mode: if the data you modify is not at a fixed position in the packet, you can only use Advanced mode; there is an example below.
Of the following two options only one can be chosen: modify from the beginning of the packet (counting from the first position of the intercepted packet), or replace the consecutive values starting from the position where the searched value is found.
Example 1: modifying the big fireball in the game. Casting big fireball twice, the intercepted packets are:
Send-> 0000 23 33 60 4C 43 60 3C 48 60 47 3C 3C 3C 41 3C 3C 3C 3C 21
Send-> 0000 23 34 60 4C 43 60 3C 48 60 47 3C 3C 3C 41 3C 3C 3C 3C 21
Casting lightning twice, the intercepted packets are:
Send-> 0000 23 31 60 4C 43 60 3C 48 60 4 3C 3C 3C 3C 21
Send-> 0000 23 32 60 4C 43 60 3C 48 60 47 3C 3C 3C 47 3C 3C 3C 3C 21
Analysis: because the spells were cast from the same spot, position can be excluded. Only two bytes differ, and the 2nd byte also differs between two casts of the same spell (33 vs 34), so the other differing byte is very likely the magic code. This is Normal mode: the position of the value in the packet is fixed.
Example 2:
In the game you do not want to use your real name; you want to chat with others under a modified false name.
After using Trace, you will find your name in some of the packets.
Suppose your name is Shadow, which in hexadecimal is "53 68 61 64 6F 77", and you intend to replace it with Moon, "6D 6F 6F 6E 20 20".
1) Send-> 0000 08 14 21 06 01 04 ...
2) Send-> 0000 01 06 99 53 68 61 64 6F 77 00 01 05 ... Shadow ...
3) Send-> 0000 03 84 11 09 11 09 ...
4) Send-> 0000 0A 09 C1 10 00 53 68 61 64 6F 77 00 11 ... Shadow
5) Send-> 0000 0A 09 C1 10 00 00 00 00 00 00 00 00 00 66 52 44 ...
Look carefully: your name is not at the same position in every packet. In the second packet the name starts at the 4th position; in the fourth packet it starts at the 6th. In this case you need Advanced mode:
- In the search column, "Search", fill in 53 68 61 64 6F 77, and be sure to start from position 1.
- You want to replace the original name Shadow with the new name, so choose "replace the consecutive values starting from the position where the value is found".
- Now in the modify column, "Modify", position 000 corresponds to position 001 of the search column.
Exit the editing state and enjoy the result of our modification!

WPE Teaching - Trainer Maker
Now we can intercept and filter packets and thus modify the game. But every time you want a modification you have to go into WPE, so is there a simpler way? Yes! WPE comes with a trainer generator, the Trainer Maker function, which lets you build a stand-alone program from your own filters, so you no longer need to open WPE and go through the cumbersome steps. To build one: enter Legend, open WPE, click Select Game, double-click Mir.dat, then select Trainer Maker.
Continue with Next, as shown below; here you fill in the file name and the execution window title for the exe file you want to generate.
When you are finished, press Next and you will see:
Click the "Open File" button and select the FLT filter file from which you want to generate the exe program.
Next, enter a description for this program.
Here you choose the Winsock version and its options (the defaults are recommended).
OK, keep pressing Next, and after a while an EXE file is generated in your WPE directory.
Note: this program cannot run at the same time as WPE.
Haha, look at our program! Now you can use it on other machines too!
Although there are many cheats out there now, looking back, WPE was a great help to our study. The following articles are real experiences, and the methods in them are worth learning: how to analyse a problem, how to find the critical data, where to start, and so on. These articles were copied from websites; apologies to their authors first, because some authors could not be found and there is no signature. Let's take a look:

Cracking the Tiger Wei version
The Tiger Wei version updated the mir.dat file, and there is now an identity-verification step when entering the game. For example, the server says to mir.dat "Tianwang Gen Tiger", and the Tiger Wei mir.dat answers "Baota Town Snake", so the server knows that mir.dat is legitimate. The half-month mir.dat does not know the correct answer and can only give a hard-coded reply, so it is soon exposed, and the end result is that we get kicked out by the server! What we need to do now is deceive the server and make it believe that the half-month mir.dat is legitimate. We know that one of the main functions of WPE is to replace the packets sent to the server. As long as the server does not receive the answer the half-month mir.dat submits but instead receives the correct answer substituted with WPE, it will consider the half-month mir.dat legitimate, and the full-screen blood, running, super burning and other functions can all be used. The specific steps follow. (Required tool: WPE) Preparation: replace the file with this file so that the server's automatic update handles the half-month mir.dat (the two versions are the same size). If you do this, a prompt will say the Patch.exe program cannot be used; ignore it and click OK. The most critical step is to learn the correct answer in the "exam paper" that a legitimate mir.dat submits.
Before entering the game, we choose a server, log in with our own account and select a character. Each choice here sends a corresponding packet to the server. In these first few steps before entering the game, the Tiger Wei version and the half-month version behave the same; the difference appears after pressing "start" at the final character selection: with the half-month version you get kicked out by the server as soon as blood is shown. So we can tentatively identify this step as the one that submits the exam. We can therefore enter the game with each mir.dat in turn, with WPE running before we start, and learn what the correct answer and the wrong answer are. Note: it is best to set WPE beforehand so that it only intercepts the packets we send to the server; those are the packets we can modify freely.
Below is the data I intercepted with the half-month mir.dat:
send-> 0000 23 35 3C 3C 3C 3C 3C 42 58 3C 3C 3C 3C 3C 3C 3C #5<<<<<BX<<<<<<<
send-> 0010 3C 3C 56 62 61 5D 57 63 5D 65 57 5F 3C 6C 49 6E <<Vba]Wc]eW_<lIn
And with the Tiger Wei version:
send-> 0000 23 37 3C 3C 3C 3C 3C 41 40 3C 3C 3C 3C 3C 3C 3C #7<<<<<A@<<<<<<<
send-> 0010 3C 3C 21 <<!
0000 2A *
send-> 0000 2A *
As you can see, 5 groups of packets were intercepted from the half-month version and 7 groups from the Tiger Wei version. We don't have to pay attention to how much data there is; the Tiger Wei version has more data because we have already entered the game, and much of that data is probably the client telling the server that it has entered, and the server telling the client what items it has, what level it is, and so on. I did not get that, and the time I spent on it was wasted. Each group of data begins with 23, followed by 3X (X is 0-9), which is the packet-number information and can be ignored. On the right are the characters corresponding to these hex values; from them we can tell which information in the same group differs. It turns out that the second group of packets sent by the two versions differs the most, so this group became the focus! That day I used the WPE filter function (see the tutorial for filter usage), wrote all the information of the half-month version into the filter and the Tiger Wei information into the fake values, and ran the filter. It did not work, and the server was not fooled. I wasted half the night here. Later, with someone's guidance, I realised that even when logging in with the same version of mir.dat, the second group of data differs each time. I personally believe the differing data is related to the login time and the server status; knowing this, you can exclude the randomly changing parts.
Then I compared the remaining parts of the data intercepted from the two versions and found that only the first 6 values of the Send-> 0030 line differ. Fill the six values of the half-month version into the filter as the original values, and the six values at the same position from the Tiger Wei stream as the fake values, to deceive the server. In the filter use "Advanced mode" and select "replace from the found position" (after this setting, WPE replaces these 6 values whenever it finds the 6 consecutive original values). The "Finding Length Max" in the Filter (as I understand it, how long a packet it searches for the data) defaults to 40, but the packet that holds the values we modify is longer than 40 bytes, so set "Finding Length Max" larger than the packet length (I set it to 80 myself). Also, when "Advanced mode" and "replace from the found position" are chosen, the fake-value range runs from -124 to 124, and the fake values must be filled in starting from 000 for the filter to really take effect. OK, run the filter and try entering Legend with the half-month version: success. At this step I was overjoyed, I had finally succeeded! But the good times did not last: after a few hours the filter stopped working. Intercepting the data again by the same method, I found the intercepted data had changed. So the server's exam comes in an A paper and a B paper as well. Make no mistake, build both filters, and the server is completely fooled.
(Once you have a working trainer you can run it without WPE.) If you do not have auto-update, an "ID does not exist" error appears. Many friends have given solutions to this: manually editing the mir.ini file, using Win2000 to simulate the FTP server, or using a firewall to block PATCH so it cannot update. Personally I think these methods are still a little troublesome. After I changed the Patch file at home, entering the game showed the "Patch.exe program" prompt, and I had to click OK every time, which was too much. I set the half-month mir.dat to read-only so Patch cannot update it to the Tiger Wei version. However, logging in with IDs from other districts is then a problem. Everyone, think about how to solve this completely.

WPE series tutorial: packets
Packets differ between servers in different regions, so one packet cannot be used on every server. This requires us to modify the original packet. If you don't have a packet, you have to make one; learn to modify packets and you can do it yourself. First talk to the NPC, then search; you will get a batch of data, which is the hex code. Then open the packet you want to send, choose a send command such as Packet N 1, and send it. Now a packet command goes out; that is the use of WPE. Here I want to explain how to modify: double-click Packet N 1 on the left and a dialog appears with the hex. What you need to do is change the 3rd, 4th, 5th and 6th groups of the first row into the corresponding data you just searched for. (Note: the corresponding data is the rows marked S on the left when searching.) If there are many rows with the S mark, something is wrong; quit Legend and search again. Usually there are only 2-3 S rows; ignore the R rows.
Now you have turned a packet from another server into a packet you can use. Take the casino packet for example: search in room 1 and modify the packet data, move on through rooms 6 and 7, then search and modify the No. 2 packet data, and so on up to room 40. Note that packet No. 9 is also the one that collects the money, so you must wait until the NPC confirms your change succeeded. If you cannot collect the money, nothing else is of any use, so when modifying the money packet you must first collect money once; but once you have changed it successfully, it keeps succeeding. Slow down and think about the modification steps, otherwise if you fail again the NPC sends you back. So although the casino is sealed off, you can still try the mysterious shop or other unknown packets; they can be changed.
WPE series tutorial: brush-packet production information
First, 23 is the start mark. Second is the packet transfer ID, 0-9 (ASCII code). The third and fourth digits are the data for the item you placed in the item basket. Then please study your own items!

WPE series tutorial: blessing oil and ghost gloves
Now stand in Bichi with 2 people, 2 bundles of newcomers (random, see for yourself) and 4000 gold, and start the Long March... (omitted) ... Open WPE. If you can't find the things I explain, download this version. Double-click Select and choose mir.dat (Legend should already be open by now, don't tell me it isn't). Double-click TRACE, select start (the arrow sign), switch back to Legend, click Lin, switch out of Legend and stop intercepting. Now look up: in the big blank area of the WPE window you just opened there is data. Look at the front of the data; do you see the small entries starting with S or R? Now find an entry like this: S XX xx yy yy yy oo xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx XX. OK, now double-click any of the S or R entries; you will see a window with a number. This number is not fixed but is usually 44 or 56. Double-click Send Packet and look at the Package list; right-click the small book below it and choose the blessing oil and ghost glove package, then click the trash can. Double-click Packet N 1 under the Pack list; you should see data like XX XX ZZ ZZ ZZ ZZ oo xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx xx. Now replace ZZ ZZ ZZ ZZ with YY YY YY YY! Why replace it? Because Miss Lin's code is written differently on each server. Now click Packet N 1; you will find Packet N 1 turns blue!
Now there is a third pane with a button drawn with a pointed arrow; click it and you will see the counter become 1%, with Packet N 1 on the right and OK. You are close to success! Depending on which WPE version you use, you can see a number under "Open the socket"; if there is none, something is wrong, so repeat step 6. Click the button on the right with the black arrow to start sending! Now switch back to Legend and you will see a dialog box! Select 3: it is a ghost glove! Attention! Do not quit Legend at all! Go with a newcomer! Just by carrying out step 13 we can do 7 people: one alliance, one beech, the remaining 5 running as newcomers... so tiring! If someone still cannot use it, I have nothing to say.

WPE series tutorial: the mysterious packet
Everyone comes here (since there is a ready-made thing, why not use it, CC). Let's talk about the Legend we play now; I will give the mysterious store as an example. 1. Enter Legend and run to Liu Lao Tou on Orc 2F. 2. Open WPE, click SELECT GAME and double-click Mir.dat. 3. Click the TRACE button on WPE (a triangular play button and a square stop button appear); the play button starts intercepting data. 4. Immediately switch back to Legend, click on Liu Lao Tou, and the dialog box appears (Liu Lao Tou says something to you like "XXX very powerful"); then switch back to WPE and press the square stop button.
This way we intercept a set of S and R data (S is the data sent to the server when clicking, R is the data received from the server). Excluding the received data, we see a group of send data like 23 3? ?? ?? ?? ?? 3F 4B 48 3F 3C 3C 3C 3C 3C 3C 3C 3C 21 (specifically, whatever you see; this is just a sample). Then click the Send Packet button and open (downloaded or otherwise) the mysterious packet. View Liu Lao Tou's data, copy it or cut it out with a screenshot program. Close the Send Packet window. Go back to the WPE main window and click the Filter button (Normal mode can be used here). Fill the intercepted data into the first line and start comparing it with the data in the packet. Where the data differs, enter the different value in the same position in the second line. For example:
position 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
original 23 3? ?? ?? ?? ?? 3F 4B [48] 3F 3C 3C 3C 3C 3C 3C 3C 3C [21]
modified 23 3? ?? ?? ?? ?? 3F 4B [44] 3F 3C 3C 3C 3C 3C 3C 3C 3C [4C] ?? ?? ??
So in the second line you only need to fill 44 at position 9 and 4C at position 19; if the modified data is longer than the original, continue filling the different data after position 19. However, in the packet length box on the right you must customise the packet length, otherwise the filter only handles the data at positions 1-19; set the packet length according to the larger of the original and modified data lengths. How to make it work across regions: for the same Legend version, each sent packet is the same; only the position code differs. Look at the first 2 data lines: the first byte 23 is the start code, the second byte is 31-39, the data number, and bytes 3-6 are the position code. Leaving bytes 3-6 of the original-data line empty in the FILTER, so they are not filtered, makes this easy. Check again for errors, and if all is fine press Quit to leave the Filter edit box.
Back in the Filter control window, tick the Filter just modified and start it (the 5th button from the left). Enter Legend and click Liu Lao Tou; if all is well, Liu Lao Tou takes 5000 yuan from you and talks nonsense. Go back to the WPE Filter configuration and save the filter just modified as an FLT file.

WPE series tutorial: attack codes
Click ordinary repair; sometimes (especially on the first click) it does not come? "Exactly, the price is three times, what nonsense"; you need to go back and repair again until it comes out, usually on the second try. Legend errors: (personal idea) mainly a packet-length problem; when the filtered packet is longer than the packet being filtered, Legend crashes. I haven't solved it yet; I hope the masters can post... Attack methods: the warrior has three attack modes in Legend (holding Shift plus space); with Shift there are four (basic, attack, assassination, fire); 8 attack codes in total, 3C, 3D, 3E, 3F, 41, 42, etc. The attack code is 64 and assassination is 68. The "sprouts" attack and assassination are decided immediately by the client; assassination is conditional (also decided by the client). So filtering the attack method is just one byte.