Game IP Packets

Source: Internet
Author: User
With the growing popularity of online games, more and more players are getting involved, and many of them rely on game plug-ins (cheat helpers). So is it very difficult to build a plug-in of your own? The answer is no. It does take some basic knowledge to write a program, so we want to teach you the skills and methods for writing plug-ins in the simplest language possible, and give you some basic helper tools. Even if you are a newbie (cainiao), by reading our tutorials and using the tools we provide, you can build a plug-in that is entirely your own. In this tutorial we use two games as examples, Jin Yong Qun Xia Zhuan Online and Three Kingdoms Online, because both of them encrypt their packets; once you understand how these two games are modified, we believe you can just as well write your own plug-ins for other games. We provide two practical examples of automatically sending and intercepting packets, calling 20 NPC reinforcements in Jin Yong Qun Xia Zhuan Online and taking medicine automatically during PK in Three Kingdoms Online, so that it is easier for you to get started. In this tutorial we teach you how to crack the packet encryption algorithm and how to use the tools we provide to forge and send packets. Besides the text tutorial, we also provide the plug-ins for Jin Yong Qun Xia Zhuan and Three Kingdoms, together with six plug-ins for your own use. We hope that in the future every player can grow through the game: not only play it well, but also modify it and make a truly DIY game.

Making a game better requires a wealth of computer knowledge. Many computer experts gradually became interested and grew through playing and modifying games. Don't envy what others can do, because you can do it too! We believe that after reading this tutorial you will have a new understanding of games! (Don't throw eggs at me! #¥%……*)
However, if you want to learn more about games and raise your computer skills, you cannot just modify games!
You should know that modifying a game is only a place to verify your understanding of some computer knowledge. It gives you opportunities to discover and solve problems and can increase your interest in learning about computers, but it is not a shortcut to learning computers.
I. What is a plug-in?

Most online games today are based on the Client/Server model over the Internet. The server side runs on the game server, where the game designers create a huge game space, and players from all over the world can log in to the game at the same time by running the client program. Simply put, an online game is a game environment provided by the developer, within which players act relatively freely and openly. Because online games have a server, our traditional ways of modifying games are powerless. In a single-player game we could use memory searching to modify the various attributes of our character as we liked; this is useless in online games, because all the attributes and important data of the character we play are stored on the server, and our own machine (the client) only displays the character's status. Modifying character attributes in client memory is therefore pointless. Does this mean there is no way to modify online games? Not at all. We know that client/server communication on the Internet generally uses the TCP/IP protocol suite, and data is exchanged by transmitting IP packets. Generally our client sends requests to the server; for example, commands such as moving and fighting exchange data with the server through packets. Sending a message from the local machine is called Send, meaning to send data. After the server receives the message it returns the relevant information to the client according to its program logic, for example the coordinates after a move or the type of fight. The client receiving a message from the server is called Recv. Now that we know this, the next thing we need to do is analyze the data (that is, the packets) exchanged between client and server, extract and modify the useful data, and then simulate the server sending to the client, or the client sending to the server, so that we can modify the game.

Besides modifying packets, we can also modify the client program to meet our needs. The computing power of any server is limited; in a game in particular, it is almost impossible for the server to compute the state of every player, so some operations still have to be done by our client, which gives us some room for modifying the game. For example, by unpacking the client program we can find some of its decision branches, and through tracing and debugging we can remove the judgments that are unfavorable to us, meeting our needs for modifying the game.
In the next sections we will introduce packets and the knowledge needed for tracing and modifying the client. Are you ready?

Game data format and storage:
Before starting our work, we need some knowledge about how data is stored in a computer and the characteristics of data storage in games. This section is for newbie (cainiao) players; if you are a master, you can skip it!

If you want to become an invincible swordsman, it will take you some time. If you only want to be a tourist of the jianghu, it doesn't matter whether you understand these things or not. You can choose to be a swordsman or a tourist!

Now let's start! First you need to know the formats in which data is stored in a game: byte, word, and double word, or 8-bit, 16-bit, and 32-bit storage. A byte, that is 8-bit storage, can hold a number from 0 to 255; a word, or 16-bit storage, can hold 0 to 65535; a double word, 32-bit storage, can hold 0 to 4294967295.

Why do we need to know this? In a game the maximum values of the various parameters differ: some are around 100, for example the character level in Jin Yong Qun Xia Zhuan and the number of randomly encountered enemies, while some need to be larger than 255 or even 65535, such as the character's money in Jin Yong Qun Xia Zhuan, which can reach millions. So different data in a game have different types. When we modify a game we need to find the packets carrying the data to be modified, and correctly determining the data type is an important condition for quickly finding the right address.

In a computer, data is stored in bytes. Each byte is assigned a number to determine its location. This number is called an address.

When a word or double word is needed, the computer uses two consecutive bytes to form a word, and two consecutive words to form a double word. The address of a word or double word is the address of its low byte.
In Windows 9x an address is represented by a 32-bit binary number; when we write a memory address we usually use an 8-digit hexadecimal number.
What is binary and hexadecimal?

Simply put, binary is a counting system with only two digits, 0 and 1, where every two carries one. Similarly, hexadecimal carries one for every sixteen. Hexadecimal has sixteen digits, 0 to F, using the six letters A, B, C, D, E and F for the numbers 10 to 15: A corresponds to 10, B to 11, C to 12, D to 13, E to 14, F to 15. There is also a simple correspondence between hexadecimal and binary: four binary digits are equivalent to one hexadecimal digit. For example, the four-digit binary number 1111 is equivalent to hexadecimal F, and 1010 is equivalent to A.

Understanding this basic knowledge will help a lot with modifying games. Because data in a computer is stored in binary, and converting between hexadecimal and binary is very simple, most modification tools display data in hexadecimal, and you also need to enter hexadecimal numbers when modifying. Is that clear?

The data shown in the game is usually in decimal. To find and modify parameter values you can use the Calculator that comes with Windows to convert between decimal and hexadecimal; it is found under Accessories in the Programs group of the Start menu.

Now you know almost everything you need! But there is one more thing to pay attention to when modifying games. In the computer, data is stored with the low byte first and the high byte after it. For example, the decimal number 41715 converted to hexadecimal is A2F3, and this number is stored in the computer as F3 A2.

After reading the above, do you understand data storage and byte ordering? Now let's tell you what packets are in a game. Come on! Roll up your sleeves and let's get to work!

II. What is a packet?
How to intercept a game package?
How can I check the IP address and port number of the game server?

The communication of all the information services used by Internet users comes down to transmitting information in units of IP packets. Besides the data being transmitted, an IP packet contains the destination IP address, the source IP address, and some related control information. When a router receives an IP packet, it looks up its routing table by the destination IP address in the packet and sends the packet out of the corresponding port according to the result. The next router continues forwarding after receiving the packet, until it reaches the destination. Routers exchange routing information through routing protocols to update their routing tables.

So we only care about the data inside the IP packets. There are many network listening tools that can intercept the data exchange between client and server; here we introduce one: WPE.
WPE usage:
After running WPE you can choose the following functions:
Select Game: select the program in memory that you want to intercept; just double-click the program name.
Trace: tracking. Used to trace the packets a program sends and receives.
-In WPE you must first click the name of the program to trace before using this function.
-Press the play button to start capturing the packets the program sends and receives.
-You can press || (pause) at any time to pause tracing; press play again to continue.
-Press the square (stop) button to stop capturing and display all captured packets.
-If you do not press the stop button, tracing stops automatically according to the value set in Options.
-If you capture nothing at all, try changing the Winsock version to 2 in Options.
-WPE and trainers only run when the display color depth is at least 16 bits.
Filter: filter. Used to analyze the captured packets and modify them.
Send Packet: send packets. Lets you send forged packets.
Trainer Maker: make a trainer (modifier).
Options: settings. Lets you adjust some WPE settings.
Filter details:

-When the filter is enabled, the On button is red.
-Once the filter is started you can close this window at any time; the filter stays in effect until you press the On/Off button again.
-Only when the filter enable button is Off can you tick the box in front of a filter to edit it.
-To edit a filter, double-click the filter name.
Normal Mode:

Example:
In Street Fighter Online, when you throw a fireball twice and hit the opponent, you capture the following packets:
Send-> 0000 08 14 21 06 01 04
Send-> 0000 02 09 87 00 67 FF A4 AA 11 22 00 00 00 00
Send-> 0000 03 84 11 09 11 09
Send-> 0000 0A 09 C1 10 00 00 FF 52 44
Send-> 0000 0A 09 C1 10 00 00 66 52 44
Your first fireball took 16 points off the opponent's life (16 decimal = 10 hex). Looking at the 4th and 5th packets, position 4 holds the value 10h, so this should be it.
You can also see that the 0A 09 C1 before 10h is unchanged in both packets; these three values are the signature of the fireball.
Therefore:
fill in 10 in the search column [Search], and fill in FF at position 4 of the modify column [Modify]. This way, the next time you throw a fireball, FF replaces the 10, that is, a fireball with an attack of 255!

Advanced Mode:

Example:

When you are in a game you do not want to use your real name, but want to send a fake name to the other side. After running Trace you find that your name appears in some packets. Suppose your name is shadow, whose value is [53 68 61 64 6F 77], and you intend to replace it with Moon [6D 6F 6F 6E 20 20].
1) Send-> 0000 08 14 21 06 01 04
2) Send-> 0000 01 06 99 53 68 61 64 6F 77 00 01 05
3) Send-> 0000 03 84 11 09 11 09
4) Send-> 0000 0A 09 C1 10 00 53 68 61 64 6F 77 00 11
5) Send-> 0000 0A 09 C1 10 00 00 66 52 44
Looking carefully, however, your name does not appear at the same position in every packet.
-In the 2nd packet the name starts at the 4th byte.
-In the 4th packet the name starts at the 6th byte.
In this case you need to use advanced mode:
-In the search column [Search], enter 53 68 61 64 6F 77 (starting from position 1).
-You want to replace starting from the first letter of the original name shadow, so you need to replace consecutive values [from the position where the chain was found].
-Now enter 6D 6F 6F 6E 20 20 at position 000 of the modify column [Modify] (this is a relative position, that is, the original position in the search bar + 001).
-If you want to modify from the very first position of the packet, select [from the beginning of the packet].

Anyone familiar with TCP/IP knows that on the Internet data is packaged into packets before it is transmitted. Each packet is divided into header information and data. The header includes the packet's source and destination addresses; the data contains the information about the operations we perform in the game. Before intercepting packets we need to know the IP address, port number and other information of the game server. The simplest way is to check whether there is a server.ini configuration file in the game directory, from which we can read the game server's IP address; Jin Yong Qun Xia Zhuan, for example, is like this. We can also use the netstat command from a DOS prompt.

The netstat command displays network connections, routing tables and network interface information, letting you know which network connections are currently active. Alternatively, you can use tools such as Trojan Horse Star to view network connections. There are many such tools; use whichever you like.

The general format of the netstat command is:
netstat [options]
The options mean the following:
-a displays all sockets, including those listening.
-c redisplays every second until the user interrupts it.
-i displays information about all network interfaces.
-n shows addresses numerically (IP addresses instead of host names).
-r displays the kernel routing table, in the same format as "route -e".
-t shows TCP connections.
-u shows UDP connections.
-v verbose output, showing what is being done.
3. How to analyze the intercepted packets?
First we save the packets intercepted by WPE as a text file and open it; we then see the following data (here we use the data sent by the client when PKing the store employee in Jin Yong Qun Xia Zhuan Online as the example):
First file:
Send-> 0000 E6 56 0D 22 7E 6B E4 17 13 13 12 13 12 13 67 1B
Send-> 0010 17 12 DD 34 12 12 12 12 17 12 0E 12 12 12 9B
Send-> 0000 E6 56 1E F1 29 06 17 12 3B 0E 17 1A
Send-> 0000 E6 56 1B C0 68 12 12 12 5A
Send-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12
Send-> 0000 E6 56 17 C9 12
Second file:
Send-> 0000 83 33 68 47 1B 0E 81 72 76 76 77 76 77 76 02 7E
Send-> 0010 72 77 07 1C 77 77 77 77 72 77 77 77 77 77 6D
Send-> 0000 83 33 7B 94 4C 63 72 77 5E 6B 72 F3
Send-> 0000 83 33 7E A5 21 77 77 77 3F
Send-> 0000 83 33 67 AD 76 CF 1B 0E 81 72 75 50 42 76 77 77
Send-> 0000 83 33 72 AC 77
We find that the data from the two PKs of the store employee has the same format but different content. We PKed the same NPC both times, so why is it different?
It turns out that the packets of Jin Yong Qun Xia Zhuan Online are encrypted before they are transmitted on the network. The problem we face is how to decrypt the ciphertext into plaintext and then analyze it.
Because packet encryption is usually an exclusive-or (XOR) operation, let's first talk about what exclusive-or is.

In short, exclusive-or is "same gives 0, different gives 1" (this is a bitwise operation on binary digits). For example, XOR 0001 with 0010: we compare the two values bit by bit and obtain the XOR result 0011. The calculation goes as follows. The 4th (leftmost) bit of 0001 is 0 and the 4th bit of 0010 is 0; they are the same, so by the rule "same gives 0, different gives 1" the 4th bit of the result is 0. The 3rd bits are 0 and 0, so the 3rd bit of the result is 0. The 2nd bits are 0 and 1, different, so the 2nd bit of the result is 1. The 1st bits are 1 and 0, different, so the 1st bit of the result is 1. Putting them together gives 0011. You will run into exclusive-or many times later, so get familiar with the operation and with this kind of analysis.

Now let's go back to the two files above. By common sense, not every byte in a packet carries a value: during game development some bytes are reserved for future expansion, which means there will be some "00" bytes in the packet. Looking at the files above, we see many "12" bytes in file 1 and many "77" bytes in file 2. Could these be the "00" we are talking about? Let's start from this reasoning!

We XOR file 1 with "12" and file 2 with "77". Doing this by hand is of course very tedious, so we use the "M2M 1.0 Enhanced packet analysis tool" to compute it. The result is:
First file:
1 Send-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 01 00 01 75 09
Send-> 0010 05 00 CF 26 00 00 00 00 05 00 1C 00 00 89
2 Send-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 08
3 Send-> 0000 F4 44 09 D2 7A 00 00 00 48
4 Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00
5 Send-> 0000 F4 44 05 DB 00
Second file:
1 Send-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 01 00 01 75 09
Send-> 0010 05 00 70 6B 00 00 00 05 00 00 00 1A
2 Send-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 84
3 Send-> 0000 F4 44 09 D2 56 00 00 00 48
4 Send-> 0000 F4 44 10 DA 01 B8 6C 79 F6 05 02 27 35 01 00
5 Send-> 0000 F4 44 05 DB 00
Haha, the two files are now mostly identical, which shows our reasoning was right. This is the plaintext we need!
The next step is to work out the meaning of some key bytes, which requires intercepting a large amount of data for analysis.
First we notice that every packet starts with "F4 44", and that the 3rd byte varies, but quite regularly. Look at the length of each packet. What do we find? That's right, the 3rd byte is the packet length!
By intercepting a large number of packets we can determine that the 4th byte represents the command, that is, what operation the client tells the server it is performing. For example, the request-battle command to the server is "30", and the battle-move command is "D4".
Next we analyze the first packet above, "F4 44 1F 30 6C 79 F6 05 01 01 01 00 01 75 09 05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 89". What information does this packet contain? It should tell the server which NPC you are PKing, so let's look for the code of the store employee.
Here is another PK, against Xiao Yun Luo (the one outside the Dali inn):
Send-> 0000 F4 44 1F 30 D4 75 F6 05 01 01 00 01 75 09
Send-> 0010 05 00 8A 19 00 00 00 00 11 00 02 00 00 C0

By common sense, although the number of NPCs in the game does not exceed 65535 (FFFF), the developers would not limit themselves to the word range, since that hinders expanding the game, so let's look at double words. Comparing the "store employee" and "Xiao Yun Luo" packets, we set our sights on "6C 79 F6 05" and "CF 26 00 00". (This comparison is easy, but you can't be too slow about it, heh.) Let's look at the later packets: the NPC code should appear there too, for example in the move packet, because when a game allows spectating, the server must know the NPC's coordinates and broadcast them to other players. In the 4th packet below, "Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00", we see "6C 79 F6 05" again, so we tentatively conclude that this is the store employee's code!
(This analysis involves a lot of work; you can capture data with WPE and analyze it yourself.)
That's as far as we will analyze the first packet (we do not need to fully understand all the information it contains).
Look again at the 4th packet, "Send-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00". Now we intercept the packet for PKing the yellow dogs (two dogs appear at once) and check its format:
Send-> 0000 F4 44 1A DA 02 0B 4B 7D F6 05 02 27 35 01 00 00
Send-> 0010 EB 03 F8 05 02 27 36 01 00 00
By the same analysis, the yellow dog's code is "4B 7D F6 05" (100040011). But how does the server tell the two yellow dogs apart? Look at "EB 03 F8 05" (100140011): it is the previous code plus 100000, which lets the server distinguish the two dogs. We confirmed this with packets captured while fighting random enemies in the wild.

The packet format should now be clear: the 3rd byte is the packet length, "DA" is the command, the 5th byte is the number of NPCs, and the 10 bytes starting at the 7th byte describe one NPC. Each additional NPC adds 10 more bytes.
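The script below is an added example written for this page, not the M2M tool or any code from the original; it carries out the reasoning of this section on the two captures listed above (recovering the XOR key as the most frequent byte, decoding, then parsing the DA packets by the format just derived) and, from a receiver's point of view, rejects any packet whose length byte or NPC count disagrees with the bytes actually present. The hex captures and the yellow-dog packet are copied from this page; the function and constant names are ours.

```python
from collections import Counter
import struct

# The two captures listed on this page (file 1 and file 2 of the store-employee
# PK), with the "9 B" ending file 1's first packet read as the single byte 9B.
FILE1_CAPTURE_HEX = [
    "E6 56 0D 22 7E 6B E4 17 13 13 12 13 12 13 67 1B"
    " 17 12 DD 34 12 12 12 12 17 12 0E 12 12 12 9B",
    "E6 56 1E F1 29 06 17 12 3B 0E 17 1A",
    "E6 56 1B C0 68 12 12 12 5A",
    "E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12",
    "E6 56 17 C9 12",
]
FILE2_CAPTURE_HEX = [
    "83 33 68 47 1B 0E 81 72 76 76 77 76 77 76 02 7E"
    " 72 77 07 1C 77 77 77 77 72 77 77 77 77 77 6D",
    "83 33 7B 94 4C 63 72 77 5E 6B 72 F3",
    "83 33 7E A5 21 77 77 77 3F",
    "83 33 67 AD 76 CF 1B 0E 81 72 75 50 42 76 77 77",
    "83 33 72 AC 77",
]
# Already-decoded yellow-dog packet from the page (two NPCs in one battle).
YELLOW_DOG_PLAIN_HEX = ("F4 44 1A DA 02 0B 4B 7D F6 05 02 27 35 01 00 00"
                        " EB 03 F8 05 02 27 36 01 00 00")

HEADER = b"\xF4\x44"      # every decoded packet starts with F4 44
CMD_NPC_INFO = 0xDA       # "DA": client reports the NPCs of the battle
NPC_RECORD_LEN = 10       # one NPC = 10 bytes, starting at the 7th byte
NPC_RECORDS_OFFSET = 6


def recover_xor_key(packets):
    """Reserved bytes are 00 in plaintext, and 00 ^ key == key, so the most
    frequent ciphertext byte across the whole capture is the key itself."""
    counts = Counter(b for p in packets for b in p)
    return counts.most_common(1)[0][0]


def xor_decode(packet, key):
    return bytes(b ^ key for b in packet)


def decode_capture(hex_lines):
    """Return (key, decoded packets) for one saved WPE capture."""
    packets = [bytes.fromhex(line) for line in hex_lines]
    key = recover_xor_key(packets)
    return key, [xor_decode(p, key) for p in packets]


def parse_npc_packet(packet):
    """Parse a decoded DA packet: F4 44 | length | DA | count | ?? | count x
    10-byte records. Raises ValueError when the length byte or the NPC count
    disagrees with the bytes present, the checks a receiver should make
    before trusting such a packet."""
    if packet[:2] != HEADER:
        raise ValueError("bad header %s" % packet[:2].hex())
    length, cmd, count = packet[2], packet[3], packet[4]
    if cmd != CMD_NPC_INFO:
        raise ValueError("not an NPC-info packet, cmd=%02X" % cmd)
    if length != len(packet):
        raise ValueError("length byte %d but %d bytes present" % (length, len(packet)))
    if NPC_RECORDS_OFFSET + count * NPC_RECORD_LEN != length:
        raise ValueError("NPC count %d does not fit length %d" % (count, length))
    npcs = []
    for i in range(count):
        start = NPC_RECORDS_OFFSET + i * NPC_RECORD_LEN
        record = packet[start:start + NPC_RECORD_LEN]
        # The NPC code is a little-endian double word (low byte first, see Part I).
        npc_code = struct.unpack("<I", record[:4])[0]
        npcs.append((npc_code, record[4:]))
    return {"length": length, "count": count, "npcs": npcs}


if __name__ == "__main__":
    for name, capture in (("file 1", FILE1_CAPTURE_HEX), ("file 2", FILE2_CAPTURE_HEX)):
        key, plain = decode_capture(capture)
        print("%s: key=%02X first packet=%s" % (name, key, plain[0].hex(" ").upper()))
        info = parse_npc_packet(plain[3])
        print("  NPC codes:", [code for code, _ in info["npcs"]])
    dogs = parse_npc_packet(bytes.fromhex(YELLOW_DOG_PLAIN_HEX))
    print("yellow dogs:", [code for code, _ in dogs["npcs"]])
```

Both files decode to the same store-employee code even though their ciphertext differs, which is exactly why a per-session single-byte XOR is obfuscation rather than encryption.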

If you have played Jin Yong Qun Xia Zhuan Online you know that random enemy reinforcements sometimes appear. We will use this reinforcement mechanism to bring reinforcements into every battle.
By intercepting packets during a battle we find that the server sends a packet like this:
F4 44 12 E9 EB 03 F8 05 02 00 00 03 00 00 00 00 00 00
Bytes 5 to 8 are the code of the reinforcing NPC (here we simply use the yellow dog's code as the example).
Next we use the proxy technique to spoof the client and the server at the same time!
At this point the NPC-calling work is half done. Next we continue with how to modify and send packets.
4. How do we impersonate the "client" and send the packets we need to the "server"?
Here we need a tool that sits between the client and the server. Its job is to receive and forward packets. This tool is called a proxy.
If the proxy merely received and forwarded packets this would be pointless, but note that every packet must pass through it, and that is significant: we can analyze the packets it receives and forward them unchanged, forward them after modification, suppress packets so they are not forwarded, or even forge the packets we need and send them.

Next we continue explaining how to spoof the server and client at the same time, that is, how to modify and forge packets.
From the analysis in the previous section we already know the packet format for multiple NPCs, so let's get started!
First we need to find, among the packets sent by the client, the signature of a battle, that is, the 1st packet of a battle request. We find the signature "F4 44 1F 30", which does not change; of course you have to decrypt before searching for it.
Once this packet is found, the client is requesting a battle from the server. We leave this packet alone and forward it.

Continuing down, the pattern to search for is not so easy. We first look for "DA", the command with which the client sends NPC information to the server; other packets may also contain "DA", but that does not matter: check whether the first three bytes contain "F4 44". Once it is found, our work begins!

We decide how many NPCs to fight. The number cannot be very large, because the packet length of Jin Yong Qun Xia Zhuan Online is expressed in one byte, so a packet can have at most 255 bytes. We analyzed above that each added NPC adds 10 bytes, so we know that 20 NPCs is appropriate.

Then we need to analyze and calculate the client's original NPC code, because each added NPC code should be the previous one plus 100000. Calculate the added NPC codes and combine them into a new packet; note that the byte representing the packet length must be modified too, then forward it to the server. In this step pay attention to the algorithm when writing the program, so as not to introduce large latency.

Having completed the steps above, deceiving the client is easy, ^-^
After the packet above is sent, we build packets based on the newly added NPC codes and send them to the client immediately. The format is "F4 44 12 E9 <NPC code> 02 00 00 03 00 00 00 00 00 00 00". Build one such packet for each newly added NPC and send them to the client in order, and the client is fooled. Easy.
From then on we do not care about anything else in the battle; just play it out as best you can.
The section above requires some programming foundation, but it is not difficult. Even if you do not program, we believe you will gain something by reading on.

