1. Skilled knowledge of the C language
Most current plug-ins are written with VC or BC, so solid knowledge of the C language is the basic condition for writing one.
2. A strong foundation in assembly
Generally you cannot get the original game's source code, so you must rely on disassembly or tracing to explore the mechanisms involved, and a strong assembly foundation is therefore essential.
3. Proficiency with tracing and debugging tools
With the above two conditions in place, you still need to master some necessary tools. For tracing, SoftICE is of course the best choice; as a disassembler I recommend IDA Pro, which lays out the structure of the disassembled code clearly and makes it very readable.
If you do not have the above conditions, lay a solid foundation first and write plug-ins later. No pain, no gain; pies do not fall from the sky.
Second, the basic technical problems faced when writing a plug-in
1. Modifying the code a process executes
To modify the code of a process, first obtain its process ID. If the game is started by the plug-in program, the process ID is in the return value; if not, you need FindWindow to find the window handle and then GetWindowThreadProcessId to get the process ID. Once you have the process ID, you can use WriteProcessMemory to modify the code the process executes and make the program run as we wish. The Stone plug-in's "no Yudi" and "tiny step Yudi" features are implemented this way.
2. Intercepting the packets the plug-in sends and receives
Besides implementing functions by modifying code, many functions are achieved by modifying packets, and to modify a packet you first have to be able to intercept it. The first step is to trace the location of the send and the receive (how to trace, I will mention later). Having found the position, there are two methods. One is to add a jmp at that position that jumps to your handler, which processes the packet and jumps back; this method is demanding and you need to handle a lot of things. The other is to write an instruction that raises an exception at that location, such as int 3, and then debug the game process with DebugActiveProcess, so that whenever the game executes that position it stops and control passes to the plug-in; after the plug-in has processed the packet, ContinueDebugEvent lets the program continue running.
That is all for today; next time I will discuss how the specific features of a plug-in are implemented.
Today let us talk about finding addresses. Finding addresses is the most difficult and most challenging part of writing a plug-in. Many friends ask me for the plug-in's source code, but even with the source, if you do not find the addresses it is useless. The relationship between the source and the addresses is like that between martial-arts moves and internal strength: moves without internal strength are merely superfluous, while with deep internal strength even ordinary moves make the impossible possible. Plug-in addresses fall into two categories: program addresses and data addresses. In Stone, double stone, true color, no Yudi, tiny step Yudi, sending and receiving packets and so on all belong to the first category, while figure coordinates, status and so on belong to the second. For the first category you mainly rely on SoftICE to find the address; for the second you can use game tools such as FPE, Game Expert, Game Master and so on. I have been using Game Expert because I could not find an FPE that works under 2000; when I changed games with FPE before, I never thought it could be used for this.
Most people are very familiar with the survey methods for the second category of data, and I will come back to them later. Now let us first turn to finding the first category, for example the location where we send a packet. The client sends many packets to the server, but the simplest is none other than the packet for speaking. First type a long phrase, in English if possible so it is convenient to check, then enter the game's process space by any means (for example, first detect the game's window handle with Spy, then switch to SoftICE and type bmsg followed by the window handle and wm_lbuttondown; a single mouse click in the game then takes you into the process space). Then use the s command to find the memory address of that phrase and write it down, and type bpm followed by that address in SoftICE; this command means that as soon as anything accesses this memory, break immediately. Switch back to the game and say the phrase; you will find that SoftICE automatically breaks at a certain position, and tracing on from this location, the place that sends the packet is not far away.
The above is for a brand-new game program. For an old program a lot of prior work exists, and you can also use other means such as disassembly to investigate. After a game version update, as long as you note down the code around the old version's address and search for it in the new version's code, that is OK.
Well, take a break, take a break.
My main technologies for plug-in analysis are the above; the internal structure of each game is different and I will not explain it here. I am not that powerful that I know them all, huh huh!
1. The principle of game plug-ins
Plug-ins are now divided into many kinds, such as simulating the keyboard and mouse, modifying data packets, and modifying local memory, but apparently not modifying server memory. Oh, there is also a way to modify the server, but only a few highly skilled people have it; most people have no way! (Unless you take the GM to night clubs, give gifts, pay black money and so on; then you can modify server data too, ha ha.)
Modifying a game simply means changing some local memory data, intercepting API functions, and so on. Here I list the methods I can think of in one volume; I hope to see good plug-ins, and that game makers improve their skills.
I saw an article on the theory of Magic Baby that was written well, roughly in that way.
Below I will explain the technical things to be used, for technical analysis.
2. Technical part
1. Simulating keyboard or mouse responses
We generally use the SendInput API function:
    UINT SendInput(
        UINT    nInputs,   // count of input events
        LPINPUT pInputs,   // array of input events
        int     cbSize     // size of an INPUT structure
    );
The first argument is the number of elements in the array passed as the second argument; the second argument contains the events to send, which you fill in yourself; the last is the size of the structure. Very simple; this is the easiest way to simulate the keyboard and mouse.
Note: this function also has an alternative function:
    VOID keybd_event(
        BYTE      bVk,         // virtual-key code
        BYTE      bScan,       // scan code
        DWORD     dwFlags,     // key event flags
        ULONG_PTR dwExtraInfo  // application-defined information
    );
These two functions are very simple; I think Key Wizard uses them, huh huh. The above is keyboard simulation, and the following concerns mouse simulation.
Beyond the simulation itself, to link it to game play we need to find the window to operate on, or the control that contains shortcuts, such as buttons like the ones that activate Key Wizard. We can use the GetWindow function to enumerate windows, or the FindWindow function to find a window (note there is also FindWindowEx; FindWindowEx can find a window's child windows, such as buttons). When the game switches scenes we can use FindWindowEx to identify features of the current window and determine whether we are still in this scene; there are many methods, for example GetWindowInfo, or when a button can no longer be found, this shows the game scene has switched, and so on. Some games have no controls inside and do everything through image coordinate transformation, so this method is limited, and we need other means to aid the analysis.
We implement the shortcuts with a dynamic link library, using hook technology; this is also very simple and we all know it: create a global hook object and then SetWindowsHookEx it; the callback functions are readily available and there are plenty of examples on the internet now; this is common in plug-ins. If anyone does not understand, look up SetWindowsHookEx in MSDN.
A dynamic link library has many uses, do not underestimate it: it can be injected into the space of any process, that is, loaded into all games; as long as you use it right, you will find it of great use!
You need to brush up on the basics of Win32 programming; hurry up and read it!
2. Intercepting messages
Some games have a relatively simple response mechanism, based on messages, or something like a timer; in this case you can intercept messages to achieve some interesting functionality.
We again use hook technology to intercept messages, which covers keyboard messages, mouse messages, system messages, logs and so on; we have little use for most of them, we only need the callback function to intercept the messages we want. I will not write an example here; it is the same as above, written with SetWindowsHookEx, and very simple to understand.
As for what you do with the intercepted things later, for example in each timer message we process some of our own data, or simulate a timer inside the timer so that some data is processed twice. Oh, the consequences, not necessarily a good thing, oh; but if data calculated on the client can really change the game's data, give it a try! There are many uses; you can think of them yourself, huh huh!
3. Intercepting socket packets
This technique is much more difficult than the previous ones, so be mentally prepared.
First, we want to replace winsock.dll or winsock32.dll. The replacement functions we write must be consistent with the original: whatever functions the original exports, ours export the same, with the same parameters and the same parameter order; then inside our functions we call the real functions in winsock32.dll.
First of all: place our replacement dynamic library in the system path.
Second: when our application starts, load the original DLL with LoadLibrary, then use GetProcAddress to obtain the real import address of each socket function.
When the game calls our dynamic library, we process the data in our library and then jump to the real function's address in the real dynamic library; this way we can handle all of the data in between. Oh!
Excited? Intercepting the data packets is only the beginning of the right answer; do not think the work is done, oh! It is still early. After we have completed this we still have to analyze the mechanism for communicating with the server and simulate the responses; one careless step and you get banned. Oh, I was banned a lot, ah!
Analyzing the data is the bulk of the workload; the game's encryption may change with each upgrade, so we plug-in writers are desperate people, being entertaining without knowing it, huh huh! (Statement: I have no money, I do it for free.)
Well, as a good starting point, there is a complete replacement socket source code, oh!
http://www.vchelp.net/vchelp/zsrc/wsock32_sub.zip
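The DLL replacement described above leaves traces a defender can check for: the winsock DLL is loaded from the game's own directory rather than the system directory, and the real DLL is then loaded a second time by the proxy. The detection logic below is an added example, not code from the article or from the linked wsock32_sub package; it runs over a constructed module list such as a process-inspection tool would report, and the ws2_32.dll name and the system directory paths are assumptions.

```python
from pathlib import PureWindowsPath

# Winsock DLL names: winsock.dll / winsock32.dll as the article names them,
# wsock32.dll (the name of the linked source package), and ws2_32.dll, which
# is an assumption (the Winsock 2 library on current Windows).
WINSOCK_DLLS = {"winsock.dll", "winsock32.dll", "wsock32.dll", "ws2_32.dll"}
# Assumed system directories; adjust to the inspected machine's install.
SYSTEM_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64")


def is_in_system_dir(path):
    """True if `path` lies under one of SYSTEM_DIRS (case-insensitive)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(d) in p.parents for d in SYSTEM_DIRS)


def find_winsock_proxies(modules):
    """modules: iterable of (pid, module_path) for every loaded module.
    Returns (pid, dll name, reason, paths) findings, most specific first."""
    findings = []
    loaded = {}  # (pid, dll name) -> list of paths it was loaded from
    for pid, path in modules:
        name = PureWindowsPath(path).name.lower()
        if name not in WINSOCK_DLLS:
            continue
        loaded.setdefault((pid, name), []).append(path)
        # A proxy DLL sits beside the game, not in the system directory.
        if not is_in_system_dir(path):
            findings.append((pid, name, "loaded outside system directory", path))
    # The proxy loads the real DLL with LoadLibrary, so one name appears twice.
    for (pid, name), paths in loaded.items():
        if len(paths) > 1:
            findings.append((pid, name, "loaded more than once", ";".join(paths)))
    return findings


# Constructed sample: pid 1234 has a proxy wsock32.dll in the game folder plus
# the real one from System32; pid 5678 is a clean process.
SAMPLE_MODULES = [
    (1234, r"C:\Games\Example\game.exe"),
    (1234, r"C:\Games\Example\wsock32.dll"),
    (1234, r"C:\Windows\System32\wsock32.dll"),
    (1234, r"C:\Windows\System32\ws2_32.dll"),
    (5678, r"C:\Windows\System32\ws2_32.dll"),
]

if __name__ == "__main__":
    for pid, dll, reason, paths in find_winsock_proxies(SAMPLE_MODULES):
        print(f"pid {pid}: {dll} {reason}: {paths}")
```

On a live machine the same function can be fed the module list of each process (for example from a process-inspection tool) in place of SAMPLE_MODULES.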
4. Intercepting APIs
If the above techniques are applied flexibly, we do not need to intercept API functions; this technique is a complementary one. For example, when for some purpose we need to intercept functions other than the socket functions, we use this technique; indeed we can also use it directly to intercept the socket functions, which is more direct.
API interception tutorials are everywhere now, so I will not list them. The method I use most is based on the import section; it can be used on any version of the system, such as 98/2000, while some methods are not cross-platform and I do not recommend them. For this technique you can refer to the content starting from page 545 of Windows Kernel Programming; if you use Windows 98, you can learn from the final chapter of Windows 98 System Mysteries.
There are so many good methods; it depends on how we use them. Some other specific skills I will not mention here, or else someone would kill me, huh huh!
Recording and modifying: each game's approach is different. If a game processes all of its data on the server side, then do not bother writing a plug-in; oh, at most write a plug-in that walks automatically, haha!
When analyzing data we must pay attention: do not experiment while connected to the server, because that is very dangerous and not worth it! Wait until you have analyzed a lot of data, then take a chance and try; if your luck is good, it will likely succeed, oh!
A network client simulation program like Gold Is Also Crazy is also good, very suitable for people who want to see from the office how all the products are positioned.
Well, let us not say more; let us work hard! Game makers should not be upset, that would be detrimental to our image; we do this so that games are developed better, and also do not want to upset the balance of the game. Hey, it seems that now it is not like that! Say no more, let it take its natural course!
What is a plug-in
Simply put, an online game is a game that runs on a network server: the server provides a large space for play, and players move around in it through the client program while logged into the game. The environment is relatively free and open to manipulation of the game. Now that the game lives on a network server, the traditional methods of modifying a game become helpless. Remember that in a stand-alone game we could do whatever we wanted by searching memory and fixing values; in an online game this is of no use, because our role's various attributes and other important information are stored on the server, and our own machine (the client) only displays the role's state, so modifying the role's attributes in client memory is unrealistic.
So is there no way to achieve our purpose of changing an online game? The answer is TCP/IP: under the TCP/IP communication protocols, data exchange is achieved by transmitting IP data packets. Our client sends the server requests such as moving, fighting and other instructions, and exchanges data with the server, through packets. We call the messages the client sends SEND, meaning data being sent; when the server receives our SEND message it follows the established procedure and feeds back to the client, and we call the relevant information the client receives from the server RECV. Knowing this, the work we have to do is to analyze the data (that is, the packets) exchanged between client and server, so that we can extract useful data for our modifications and write a program that meets our requirements.
We also know that every server has limited computing power, especially in a game: for the game server to calculate the status of every player in the game is almost impossible, so some operations still have to be completed by our client, and this gives us some convenience in modifying the game. For instance, by tracking and debugging the client program we can find the branches where it decides certain things, and modify the game there to meet our needs. In the next few chapters we will introduce the concept of the packet, and the knowledge relevant to tracking and changing the client. Are we ready?
To carry out our work, we need to grasp some knowledge about how a computer stores data, and the characteristics of the data stored in a game. This section is provided for rookie-level players; if you are a master you can skip it. If you want to become an invincible swordsman, these things will cost you some effort; whether as a swordsman or as a tourist, the choice is yours!
Now we begin! First of all, you should know that game data is stored in several formats: byte (BYTE), word (WORD) and double word (DWORD). A byte, or 8-bit storage, can hold numbers from 0 to 255; a word, or 16-bit storage, can hold numbers from 0 to 65535; a double word can hold 32-bit numbers, from 0 to 4294967295.
Why do we need to understand this? The maximum values of the various parameters in a game differ: for some, about 100 is enough, for example a role's grade or the random Yudi count in Jin Yong's Heroes, while some need to be greater than 255 or even more, like the role's money in Jin Yong, whose value can reach several million. So in a game the various data use different data types, and when we prepare to modify the game and need to find the data in packets, correctly judging the data type is an important condition for quickly finding the correct address.
In a computer, data is stored with the byte as the basic unit, and each byte is assigned a number to determine its location. This number is called the address
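As an added example (not part of the original article), the following code shows the three storage widths above as little-endian bytes and why the width matters when looking for a value in memory: a value above a width's maximum can never be found at that width, and the wrong width misses a value whose neighbouring bytes are non-zero. The memory buffer, the base address and the stored values are constructed.

```python
import struct

# Storage widths from the text: size in bytes, struct format (little-endian,
# as x86 stores numbers) and the largest value the width can hold.
WIDTHS = {
    "BYTE":  (1, "<B", 0xFF),
    "WORD":  (2, "<H", 0xFFFF),
    "DWORD": (4, "<I", 0xFFFFFFFF),
}


def encode(value, kind):
    """Bytes of `value` stored as a BYTE/WORD/DWORD; rejects values that do not fit."""
    size, fmt, maximum = WIDTHS[kind]
    if not 0 <= value <= maximum:
        raise ValueError(f"{value} does not fit in a {kind} (0..{maximum})")
    return struct.pack(fmt, value)


def decode(buf, offset, kind):
    """Read the value stored as `kind` at `offset` of `buf`."""
    size, fmt, _ = WIDTHS[kind]
    return struct.unpack(fmt, bytes(buf[offset:offset + size]))[0]


def scan(buf, value, kind, base=0x00400000):
    """Addresses (base + offset) where `value` is stored as `kind` in `buf`.
    `base` is a constructed load address used only to label the results."""
    size, fmt, maximum = WIDTHS[kind]
    if value > maximum:  # cannot exist at this width at all
        return []
    pattern = struct.pack(fmt, value)
    return [base + off for off in range(len(buf) - size + 1)
            if buf[off:off + size] == pattern]


# Constructed 'client memory': a level of 200 as a BYTE at offset 4 followed by
# an unrelated byte, money of 1,500,000 as a DWORD at offset 8, and hit points
# of 1500 as a WORD at offset 16 followed by an unrelated byte.
MEMORY = bytearray(32)
MEMORY[4:5] = encode(200, "BYTE")
MEMORY[5] = 0x37
MEMORY[8:12] = encode(1_500_000, "DWORD")
MEMORY[16:18] = encode(1500, "WORD")
MEMORY[18] = 0x01

if __name__ == "__main__":
    print(encode(1500, "WORD").hex(), encode(1_500_000, "DWORD").hex())
    for kind in WIDTHS:
        print(f"200 as {kind}:", [hex(a) for a in scan(MEMORY, 200, kind)])
        print(f"1500000 as {kind}:", [hex(a) for a in scan(MEMORY, 1_500_000, kind)])
```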