1. Action style, the so-called action style refers to using the API to send commands to windows or APIs to control the mouse, keyboard, etc., so that the characters in the game can be moved or attacked. This is the earliest "Stone" plug-in. (This kind of plug-in is completely garbage, TMD, anyone who knows a little bit of API knows what to do, but this plug-in is also an entry-level good thing. Although it cannot improve your combat effectiveness, it can improve your morale^_ ^)
2. Local modification style. This plug-in is no different from some traditional game modifiers. When doing this plug-in, you only need to have a little understanding of the memory address and master the API to achieve it. This is the plug-in of "留" The difficulty of writing the method is to find the address codes. Generally, you need to use other people's tools to find the address. Some games also have double-code verification, which will be more difficult to find. (This kind of plug-in is a little bit more difficult than the previous one, but it is also difficult to use this plug-in~~ This plug-in can quickly improve your understanding and application of memory addresses. It is you Good things to improve programming technology)
3. Trojan-style. The purpose of this plug-in is to help the plug-in makers steal the user's password (TMD, "bad" is just one word, but you need to know what you already know, so you still have to talk about it~~). If you do this plug-in, you can It has a certain difficulty and requires HOOK or keyboard monitoring technology to be the foundation. Its principle is to first intercept the user's account or password and then send it to the specified email address. (I have written something like this before, but I have never used it. I know that this thing is very immoral, so don't use it in the future! ~~)
4. Acceleration type, this plug-in can speed up the game... (I'm sorry, I haven't actually done this kind of thing, so I can't comment on myself, I'm ashamed~~)
5. Packet-style, this plug-in is a high-difficulty plug-in and requires strong programming skills to be written. Its principle is to intercept the packet first, modify it, and then forward it (Kao, it's simple to say, you can try it~~~~). This plug-in is suitable for most online games. WPE and some online game plug-in are written in this way. Writing this plug-in requires APIhook technology, winsock technology...
Among these plug-ins, the first three can be easily implemented using languages such as VB and DELEPS, while the latter two must be easily implemented using programming tools such as VC. (Ph, please listen to the next breakdown)
(I am a program enthusiast and not a professional plug-in, so please forgive me if there is any inappropriate article. In future articles, I will do the writing process of action, local modification, Trojan, and packet-style. Detailed explanation)
Last time we analyzed the action plug-in. Action plug-in is the simplest plug-in. Now let’s take a look at it. A detailed breakdown of the entire production process of local modified plug-in. .
As far as I know, the most typical application of local modified plug-ins is in the "Elf" game, because I was nearly a year ago (the "Elf" is still in the testing stage), and many colleagues in my company played "Elf" So I looked at the data processing method of the game and found that the information it sent to the server exists in memory (my first feeling after reading it is: there is not much difference between modifying this kind of game and modifying a stand-alone version of the game. In other words, it is enough to modify the memory address before he submitted the information to the server). At that time, I found the address and modified the memory address. Sure enough, I modified the address according to my idea and let the system submit it automatically, and it was indeed successful. ~~~~~, Later, "Elf" was changed to dual-address school inspection, memory school inspection, etc. I won't talk nonsense here~~~~, OK, let's take a look at how this type of plug-in is made of:
Before doing plug-in, we need to have a specific understanding of Windows memory. Here, the memory we refer to refers to the system's memory offset, that is, relative memory, and what we want to modify, then we need to do the same. Understand several Windows APIs, OK, and follow the examples to let us see clearly the production of this plug-in and API application (in order to ensure the normal operation of online games, I will not explain in detail the method of finding memory addresses):
1. First of all, we need to use FindWindow to know the handle of the game window, because we need to know the ID of the process after the game is running. The following is the usage of FindWindow:
HWND FindWindow(
LPCTSTR lpClassName, // pointer to class name
LPCTSTR lpWindowName // pointer to window name
);
2. We GetWindowThreadProcessId to get the process ID of the corresponding process of the game window. The function usage is as follows:
DWORD GetWindowThreadProcessId(
HWND hWnd, // handle of window
LPDWORD lpdwProcessId // address of variable for process identifier
);
3. After obtaining the game process ID, the next thing is to open the process with the highest permissions. The specific usage method of the function OpenProcess used is as follows:
HANDLE OpenProcess(
DWORD dwDesiredAccess, // access flag
BOOL bInheritHandle, // handle inheritance flag
DWORD dwProcessId // process identifier
);
Where dwDesiredAccess is the place where access methods are set, it can set a lot of permissions. We can use PROCESS_ALL_ACCESS to open the process. We can check MSDN for other methods.
4. After opening the process, we can use functions to operate in memory. Here we just need to use WriteProcessMemory to write data to memory addresses (other operation methods such as ReadProcessMemory, etc., I am not the same here. First introduced), let’s take a look at the usage of WriteProcessMemory:
BOOL WriteProcessMemory(
HANDLE hProcess, // handle to process whose memory is written to
LPVOID lpBaseAddress, // address to start writing to
LPVOID lpBuffer, // pointer to buffer to write data to
DWORD nSize, // number of bytes to write
LPDWORD lpNumberOfBytesWritten // actual number of bytes written
);
5. The following is to close the process handle with CloseHandle and it is completed.
This is the method of implementing the program of this type of game plug-in. Okay, with this method, we have a rational understanding. Let’s take a look at the actual examples and improve our perceptual understanding. The following is the plug-in of XX Games Let’s study the code according to the above method:
const
ResourceOffset: dword = $004219F4;
resource: dword = 3113226621;
ResourceOffset1: dword = $004219F8;
resource1: dword = 1940000000;
ResourceOffset2: dword = $0043FA50;
resource2: dword = 1280185;
ResourceOffset3: dword = $0043FA54;
resource3: dword = 3163064576;
ResourceOffset4: dword = $0043FA58;
resource4: dword = 2298478592;
var
hw: HWND;
pid: dword;
h: THandle;
tt: Cardinal;
Begin
hw := FindWindow(''XX'', nil);
if hw = 0 then
Exit;
GetWindowThreadProcessId(hw, @pid);
h := OpenProcess(PROCESS_ALL_ACCESS, false, pid);
if h = 0 then
Exit;
if flatcheckbox1.Checked=true then
Begin
WriteProcessMemory(h, Pointer(ResourceOffset), @Resource, sizeof(Resource), tt);
WriteProcessMemory(h, Pointer(ResourceOffset1), @Resource1, sizeof(Resource1), tt);
end;
if flatcheckbox2.Checked=true then
Begin
WriteProcessMemory(h, Pointer(ResourceOffset2), @Resource2, sizeof(Resource2), tt);
WriteProcessMemory(h, Pointer(ResourceOffset3), @Resource3, sizeof(Resource3), tt);
WriteProcessMemory(h, Pointer(ResourceOffset4), @Resource4, sizeof(Resource4), tt);
end;
MessageBeep(0);
CloseHandle(h);
close;
This game uses multiple addresses to verify the data to be submitted, so it is not difficult to create plug-ins of this type of game, and the most difficult thing is to find these addresses.
(You have already seen the method clearly, and the specific practice depends on everyone. Haha~~~~~~, but don’t be too happy too early. This kind of online game accounts for a minority, so I will use other types of plug-ins in future articles. To give a detailed explanation, by the way, please post and encourage me, otherwise I really don’t have the confidence to write the following article, thank you)
Last time I made a general summary of the five types of plug-ins. Everyone has a certain understanding of these plug-ins. Now let’s talk about my understanding of plug-ins in sequence (production difficulty) from shallow to deep. ~
First of all, let’s talk about action-style plug-ins, which is also the easiest one I did when I first wrote plug-ins.
I remember when I was still in the "Stone" era, I saw someone else having a software (plug-in) and people could wander around (I didn't know what the plug-in was going on at that time^_^), so I found this kind of software Come here to study (I heard others call it plug-in after I took it), and found that this kind of thing is not difficult to implement. In fact, the character's walking is nothing more than clicking the mouse in different places. After reading it, I had the urge to implement this function, and then went to MSDN to read some information. I found that this way of implementing these functions only requires a few simple API functions:
1. First of all, we need to know the current mouse position (to restore the current mouse position) so we need to use the API function GetCursorPos, which is used as follows:
BOOL GetCursorPos(
LPPOINT lpPoint // address of structure for cursor position
);
2. When we move the mouse position to the place where the character is going to, we need to use the SetCursorPos function to move the mouse position. Its usage is as follows:
BOOL SetCursorPos(
int X, // horizontal position
int Y // vertical position
);
3. Simulate the mouse to press and release the action. We need to use the mouse_event function to implement it. Use the following methods for using it:
VOID mouse_event(
DWORD dwFlags, // flags specifying various motion/click variants
DWORD dx, // horizontal mouse position or position change
DWORD dy, // vertical mouse position or position change
DWORD dwData, // amount of wheel movement
DWORD dwExtraInfo // 32 bits of application-defined information
);
In its dwFlags, there are many available events such as moving MOUSEEVENTF_MOVE, press MOUSEEVENTF_LEFTDOWN with the left button, release MOUSEEVENTF_LEFTUP with the left button. For specific things, please check MSDN~~~~~
Okay, with the previous knowledge, we can see how character removal is implemented:
getcursorpos(point);
setcursorpos(ranpoint(80,windowX),ranpoint(80,windowY));//ranpoint is a homemade random coordinate function
mouse_event(MOUSEEVENTF_LEFTDOWN,0,0,0,0);
mouse_event(MOUSEEVENTF_LEFTUP,0,0,0,0);
setcursorpos(point.x,point.y);
After reading the above code, do you think the characters' wandering is very simple?~, I can draw one and imitate three, and there are many good things that can be implemented using this technique (I have said long ago, TMD, this is a garbage plug-in method , believe it~~~), Next, let's take a look at the automatic attack method in the game (must support shortcut keys for attacks in the game). The reason is still the same, but the API used is different~~~~, this time What we want to use is the keybd_event function, which is used as follows:
VOID keybd_event(
BYTE bVk, // virtual-key code
BYTE bScan, // hardware scan code
DWORD dwFlags, // flags specifying various function options
DWORD dwExtraInfo // additional data associated with keystroke
);
We also need to know that the scan code cannot be used directly. We need to use the function MapVirtualKey to convert the key value into the scan code. The specific usage method of MapVirtualKey is as follows:
UINT MapVirtualKey(
UINT uCode, // virtual-key code or scan code
UINT uMapType // translation to perform
);
Okay, let's say that this quick-connect key is CTRL+A. Next, let's see how the actual code is written:
keybd_event(VK_CONTROL,mapvirtualkey(VK_CONTROL,0),0,0);
keybd_event(65,mapvirtualkey(65,0),0,0);
keybd_event(65,mapvirtualkey(65,0),keyeventf_keyup,0);
keybd_event(VK_CONTROL,mapvirtualkey(VK_CONTROL,0),keyeventf_keyup,0);
First, press the CTRL key in simulation, then press the A key, then release the A key, and finally release the CTRL key. This is a cycle of pressing the shortcut key.
(Seeing here, I have almost got a certain understanding of simple plug-ins~~~~ Let's try it? If you can get something better if you draw one or three, it depends on your ability to comprehend it. ~~, but don't be happy too early. This is just the beginning. There are more complicated things waiting for you in the future~~)