Game Plug-in Analysis - Vulnerability Research

Source: Internet
Author: User
Tags: server, memory
I am mainly analyzing the plug-in technology itself; the internal structure of every game is different and I will not explain that here. I am not that powerful, as everyone knows, hehe!
1 Principles of game plug-ins
Plug-ins today come in several kinds, such as simulating the keyboard and mouse, modifying packets, and modifying local memory, but nobody seems to modify server memory, oh! In fact modifying the server is also a way, but the bar is too high for ordinary people to get started (for example, taking the GM to a nightclub and giving gifts and money can also modify server data, haha).
Modifying a game comes down to modifying the local memory data, intercepting API functions, and so on. Here I will introduce the methods I can think of, in the hope that we can write good plug-ins and push the game manufacturers to improve their own technology.
I saw an article with a theoretical analysis of the Magic Baby plug-in; it was well written and goes roughly the same way.
Below I will explain the technical side; take it as a brick thrown out in the hope of drawing jade.
2 Technical analysis
1 Simulating keyboard or mouse input
We generally use the SendInput API function:
UINT SendInput(
    UINT nInputs,      // count of input events
    LPINPUT pInputs,   // array of input events
    int cbSize         // size of one INPUT structure
);
The first parameter is the number of elements in the array passed as the second parameter; the second parameter holds the input events, which you fill in yourself; the last one is the size of the INPUT structure. Very simple. This is the simplest way to simulate the keyboard and mouse, hehe.
Note: this function also has two older alternatives:
VOID keybd_event(
    BYTE bVk,               // virtual-key code
    BYTE bScan,             // hardware scan code
    DWORD dwFlags,          // function options
    ULONG_PTR dwExtraInfo   // additional keystroke data
);
VOID mouse_event(
    DWORD dwFlags,          // motion and click options
    DWORD dx,               // horizontal position or change
    DWORD dy,               // vertical position or change
    DWORD dwData,           // wheel movement
    ULONG_PTR dwExtraInfo   // application-defined information
);
These two functions are very simple; I think that is what those Key Wizard tools use, hehe. The first one simulates the keyboard, the second one simulates the mouse.
That is only the simulation part. To play against the game we also need to find the game's window, and possibly hotkeys, like the key that Key Wizard uses to activate itself. We can enumerate windows with the GetWindow function, and find a known window with FindWindow (note that there is also FindWindowEx, which can find child windows such as buttons). When the game switches scene we can use FindWindowEx to check the features of the current window and so decide which scene it is. There are many ways: for instance GetWindowInfo can tell us something, or when a button can no longer be found it shows that the game scene has switched, and so on. Some games have no controls at all inside; they do coordinate transformation on the image, and this approach is bound to be limited there. That requires us to use other methods to assist the analysis.
As for the hotkeys, we have to implement them with a dynamic link library using hook technology. This is also very simple: in fact it is just a global hook set with SetWindowsHookEx, and the callback functions are ready-made. There are plenty of examples online now, and this implementation is already very common in plug-ins. If anyone still does not understand, look up SetWindowsHookEx in MSDN.

The role of this dynamic link library is very large, do not underestimate it, oh: it can be injected into every process's address space, that is, it can be loaded into every game, oh, and as long as you use it right you will find it very useful!
This requires you to review the basics of Win32 programming, OH, hurry up and read it!

2 Intercepting messages
Some games' response mechanisms are relatively simple, based on messages or on some timer; in that case you can intercept messages to achieve some interesting features.
The message interception we use is hook technology again, which covers keyboard messages, mouse messages, system messages, journal (log) hooks and so on; most of them are not of much use to us, and we only need to intercept the messages in the hook's callback function. I will not write an example for this; in fact it is the same as above, everything is written with SetWindowsHookEx, very simple once you look at it.
What you do with the intercepted messages is your business, such as judging some of our data inside each timer message, or simulating another timer inside the timer, so that some data gets processed twice, oh, and the consequences are not necessarily a good thing, oh, hehe. However, if the game does its data calculation on the client, this really can change the data, oh, try it! There are many uses; I think you can work them out too, hehe!

3 Intercepting socket packets
This technique is much harder than the previous ones, oh, be prepared.
First we replace WinSock.dll or wsock32.dll. The substitute function we write must be consistent with the original: whatever functions the original exports, ours exports too, with the same parameters in the same order. Inside our functions we then call the real wsock32.dll.
First: we place our replacement dynamic library in the system path.
Second: when the application starts we load the original dynamic library with the LoadLibrary function.
Then, to locate the function entry points, we use the GetProcAddress function to obtain the entry address of each real socket function.
When the game runs it will call our dynamic library; after our processing, control jumps from our dynamic library to the real function address. That way we can handle the data ourselves, and it should be all of the data. hehe!
Excited? After intercepting the packets we still have to analyze them before we can respond correctly, so do not think the job is done, hehe! It is still early. After the analysis we have to simulate the response mechanism to talk to the server, and one careless step gets you banned, hehe, woo~~~~~~~~ I was banned a lot!
Analyzing the data is the main source of workload; every game update is likely to change the encryption, so those of us who write this are outlaws, ah, with no entertainment of our own, hehe! (To be clear, I am not making money from this, I do it for free.)
Well, to give everyone a good starting point, here is the complete socket replacement source code, hehe!
Http://www.vchelp.net/vchelp/zsrc/wsock32_sub.zip
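As an added defender-side check (not code from the original article or the linked source), here is a PowerShell function that inspects a running process for the module layout the substitution approach above produces: a Winsock DLL loaded from outside the Windows system directories, or the same DLL name mapped twice (the substitute plus the real one it forwards to). The process name and the watched DLL list are assumptions.

```powershell
# Added defender-side check, not code from the original article: look for the module
# layout a substitute Winsock DLL produces inside a game process. The process name and
# the list of watched DLLs are assumptions; adjust them for the game you are protecting.
function Test-WinsockProxyDll {
    param(
        [Parameter(Mandatory)][string]$ProcessName,          # image name without .exe
        [string[]]$Watch = @('wsock32.dll', 'ws2_32.dll')     # Winsock DLLs worth checking
    )
    # Genuine Winsock DLLs live here; a substitute placed elsewhere shows up with another path.
    $systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64")
    $findings = @()
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction Stop) {
        try {
            $modules = @($proc.Modules)   # needs rights on the process; 32-bit targets need a 32-bit shell
        } catch {
            $findings += [pscustomobject]@{ Pid = $proc.Id; Module = '*'; Path = ''; Reason = "module list unreadable: $($_.Exception.Message)" }
            continue
        }
        # Check 1: a watched DLL loaded from outside the Windows system directories.
        foreach ($m in $modules) {
            if ($Watch -contains $m.ModuleName) {
                $dir = Split-Path -Path $m.FileName -Parent
                if ($systemDirs -notcontains $dir) {
                    $findings += [pscustomobject]@{ Pid = $proc.Id; Module = $m.ModuleName; Path = $m.FileName; Reason = 'Winsock DLL outside system directory' }
                }
            }
        }
        # Check 2: the same DLL name mapped twice from different directories. The substitute
        # described above loads the real DLL with LoadLibrary, so both copies are present.
        $dupes = $modules | Group-Object -Property { $_.ModuleName.ToLower() } | Where-Object { $_.Count -gt 1 }
        foreach ($grp in $dupes) {
            $paths = @($grp.Group.FileName | Sort-Object -Unique)
            if ($paths.Count -gt 1) {
                $findings += [pscustomobject]@{ Pid = $proc.Id; Module = $grp.Name; Path = ($paths -join ' | '); Reason = 'same DLL loaded from two paths' }
            }
        }
    }
    return $findings
}

# Example run against a hypothetical game process called game.exe:
# Test-WinsockProxyDll -ProcessName 'game' | Format-Table -AutoSize
```

An empty result means neither pattern was seen; a non-empty one lists the PID, module and path to inspect, which also catches the case where the substitute is a renamed copy that still forwards to the real DLL.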

4 Intercepting APIs
If the techniques above are used flexibly we do not need to intercept API functions; in fact this is a complementary technique. For example, when our goal requires intercepting a function other than the socket functions, we use this technique; we can also use it directly to intercept the socket functions, which is more direct.
API interception tutorials are everywhere now, so I will not enumerate them. The method I am most used to is interception based on the import section (the import address table); it works on any Windows version, such as 98/2000, whereas some methods are not cross-platform and I do not recommend them. You can learn this technique from around page 545 of Windows Core Programming; on 98 systems you can use the last chapter of Windows System Mysteries.
Well, that is about it for methods; it depends on how we use them. Some other targeted tricks I will not mention here, or someone will kill me, hehe!

Remember that every game is different. If a game does all of its data processing on the server, then do not bother writing a plug-in, oh; at most write an auto-walking plug-in, haha!
When analyzing data you must be careful: do not lightly try to talk to the server, because it is very dangerous; avoid it! Once you have mastered a large amount of data analysis results and are more confident, test it; depending on your luck you are quite likely to succeed, oh, hehe!
In fact, something like Net Gold Also Crazy's simulated client program is also good, very suitable for office workers; look at the product positioning.
Well, let us stop talking and try it! Avoid being banned by the game manufacturer, that is detrimental to our image; we do this so that the game can be made better and developed, not to disrupt the balance of the game, hey, as if that is the case now! Let us leave it at that!
QQ: 16055393
If you have any technical problems, you can contact me.
The Wind Blowing in Net Gold is my sister's organization, oh.
