Analysis and production of game plug-ins and Analysis of game plug-ins

Source: Internet
Author: User


This chapter describes how to use a high-level language to find memory addresses based on variable values, taking C# as an example.

I wrote a WinForms demo in C#. The interface is as follows:

  

Source code:

    // Initial value
    private int value = 1000;

    public Form1()
    {
        InitializeComponent();
    }

    /// <summary>
    /// Refresh the interface: display the latest blood volume on the page
    /// </summary>
    /// <param name="sender"></param>
    /// <param name="e"></param>
    private void btn_refresh_Click(object sender, EventArgs e)
    {
        this.label_display.Text = value.ToString();
    }

    /// <summary>
    /// Update the blood volume: write the custom value to the blood volume variable
    /// </summary>
    /// <param name="sender"></param>
    /// <param name="e"></param>
    private void btn_update_Click(object sender, EventArgs e)
    {
        int iVaule = -1;
        bool ParseResult = int.TryParse(this.textBox_value.Text, out iVaule);
        if (ParseResult)
        {
            value = iVaule;
            this.label_display.Text = this.textBox_value.Text;
        }
    }

A simple demo: an integer variable named value with an initial value of 1000, and two buttons. The update button assigns the value of the text box to value and sets the label text to the modified value; the refresh button sets the label text to the latest value of value.

  

Looking back at the previous chapter, we mentioned that two functions, VirtualQueryEx and ReadProcessMemory, are required to find the memory address of a numeric value:

The third parameter of VirtualQueryEx is a struct pointer used to receive memory information.

    // The structure for receiving memory information.
    // Note: this all-int layout matches the structure only in a 32-bit process.
    public struct MEMORY_BASIC_INFORMATION
    {
        // Region base address
        public int BaseAddress;
        // Allocation base address
        public int AllocationBase;
        // Protection attribute granted when the region was first reserved
        public int AllocationProtect;
        // Region size
        public int RegionSize;
        // State
        public int State;
        // Protection attribute
        public int Protect;
        // Type
        public int lType;
    }

I have excerpted these annotations from Baidu encyclopedia. For more accurate explanations, I suggest reading the MSDN API documentation. When I post the code below, I will explain the members involved according to my understanding; however, I recommend that you thoroughly study operating system principles to grasp these terms and their meanings. I think this is the most important step in the plug-in production process. It is very difficult to grow by only using ready-made templates or the series of auxiliary tools that I will mention later. For some well-known games one relies on tools to search for their base addresses; only by understanding these APIs, registers, and assembly language can we go further.

 

Now I will explain it step by step with an actual test:

1) Open the test program

  

Program name: WinMemory_Test

  

2) Obtain the PID = 7956 from the process name, as described in the previous chapter.

  

3) As mentioned in the previous chapter, get the Process Handle = 7956 through PID = 1072.

  

4) Loop through the readable and writable memory regions via the handle to obtain the byte arrays.

    // hProcess, StartAddress, PAGE_READWRITE, MEM_COMMIT and the P/Invoke
    // declarations are members of the same class (see the previous chapter).
    public void SearchAddress()
    {
        MEMORY_BASIC_INFORMATION MBInfo = new MEMORY_BASIC_INFORMATION();
        // Obtain the struct size [number of bytes read per query]
        int MBSize = Marshal.SizeOf(MBInfo);
        // Start querying from 0x00
        StartAddress = 0x000000;
        // The actual number of bytes read
        int ReadSize = 0;
        // Query starting from 0, up to the maximum integer value 2147483647
        while (StartAddress >= 0 && StartAddress <= 0x7fffffff && MBInfo.RegionSize >= 0)
        {
            // Save the query result to the output parameter MBInfo
            MBSize = VirtualQueryEx(hProcess, (IntPtr)StartAddress, out MBInfo, Marshal.SizeOf(MBInfo));
            // If the number of bytes returned equals the size of the
            // MEMORY_BASIC_INFORMATION structure, the query succeeded
            if (MBSize == Marshal.SizeOf(typeof(MEMORY_BASIC_INFORMATION)))
            {
                // PAGE_READWRITE: memory region that can be read and written.
                // MEM_COMMIT: physical memory has been allocated [the value being
                // queried already exists, so its memory must already be committed].
                if (MBInfo.Protect == PAGE_READWRITE && MBInfo.State == MEM_COMMIT)
                {
                    byte[] FindArray = new byte[MBInfo.RegionSize];
                    // Read the region's bytes into the FindArray array defined above
                    if (ReadProcessMemory(hProcess, (IntPtr)StartAddress, FindArray, MBInfo.RegionSize, out ReadSize))
                    {
                        // If the number of bytes read is correct
                        if (ReadSize == MBInfo.RegionSize)
                        {
                            // Process the data [comparative analysis]
                            DealData(FindArray, StartAddress);
                        }
                    }
                }
            }
            else
            {
                break;
            }
            StartAddress += MBInfo.RegionSize;
        }
    }

5) Convert the obtained bytes to integers, compare each with 1000, and save all the matching addresses to the global List.

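    public void DealData(byte[] DataArray, int StartAddress)
    {
        byte[] intBuff = new byte[4];
        // "<=" so that the last 4-byte window of the region is also checked
        for (int i = 0; i <= DataArray.Length - 4; i++)
        {
            // Copy 4 bytes starting at offset i and interpret them as an Int32
            Array.Copy(DataArray, i, intBuff, 0, 4);
            int num = BitConverter.ToInt32(intBuff, 0);
            if (num == 1000)
            {
                // Record the absolute address of the match
                AddressList.Add(StartAddress + i);
            }
        }
    }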

Take a look at the results:

  

So far, we have found all the addresses with an integer equal to 1000 in the Demo. The next chapter explains how to locate the "1000" we are looking for and modify its value.
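The following is an added example, not code from the original article. It runs the same 4-byte comparison over a constructed buffer to show why checking every byte offset reports addresses where no int variable holds 1000. The names ScanDemo and FindInt32, the buffer contents and the base address are assumptions made for illustration, as is the premise that the target int is stored 4-byte aligned.

```csharp
using System;
using System.Collections.Generic;

static class ScanDemo
{
    // Return the address of every offset in region where a 4-byte window,
    // read as Int32, equals target. step = 1 checks every byte offset (as
    // DealData does); step = 4 checks only 4-byte-aligned offsets.
    static List<int> FindInt32(byte[] region, int baseAddress, int target, int step)
    {
        var hits = new List<int>();
        // "<=" so the window that ends on the region's last byte is included.
        for (int i = 0; i <= region.Length - 4; i += step)
        {
            if (BitConverter.ToInt32(region, i) == target)
                hits.Add(baseAddress + i);
        }
        return hits;
    }

    static string Format(List<int> addresses)
    {
        return string.Join(", ", addresses.ConvertAll(a => "0x" + a.ToString("X8")));
    }

    static void Main()
    {
        // Constructed region (not real process memory): four Int32 values.
        // On a little-endian machine the first value ends in byte E8 and the
        // second begins 03 00 00, so offset 3 also reads as 0x000003E8 = 1000
        // even though neither neighbouring variable holds 1000.
        int[] values = { unchecked((int)0xE8000000), 3, 7, 1000 };
        byte[] region = new byte[values.Length * 4];
        Buffer.BlockCopy(values, 0, region, 0, region.Length);

        const int baseAddress = 0x00400000; // hypothetical region base address

        Console.WriteLine("every byte offset: " + Format(FindInt32(region, baseAddress, 1000, 1)));
        Console.WriteLine("aligned offsets:   " + Format(FindInt32(region, baseAddress, 1000, 4)));
    }
}
```

The real 1000 sits in the final 4 bytes of the buffer, which is the window a loop bound of `i < Length - 4` never examines.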

 

PS: If you reprint this article, please attach the original link: http://www.cnblogs.com/lene-y/p/7107526.html. I have commissioned the "server guard" to protect the rights to my article.

You are welcome to pay attention to the public account [analysis and production of game plug-ins]. If you have any questions or different opinions about this article, please leave a message and make a reply.
