How to Implement plug-ins

Source: Internet
Author: User

I. What are plug-ins?

Currently, online games are mostly built on the Client/Server model over the Internet. The server side runs on the game operator's machines, where the designers have built a huge game space, and players run the client program to log on to that space, many of them at the same time. Simply put, an online game is a game environment provided by its developers, in which players operate relatively freely and openly. Once a server enters the picture, our traditional way of modifying a game becomes powerless. Remember how, in a single-player game, you could search memory at will to modify a character's various attributes? That is useless in an online game, because the attributes and other important data of the character we play are stored on the server; our own machine (the client) only displays the character's status. Modifying character attributes in client memory is therefore impractical. Is there still some way to make changes in an online game? The answer is "yes". We know that Internet client/server communication generally uses the TCP/IP protocols, and that data is exchanged by transmitting IP packets. Generally, when our client sends a request to the server, such as a move or a combat command, the data goes to the server in the form of packets. Sending a message from the local machine is called send; after the server receives our message, it feeds the relevant information back to the client according to its fixed program logic, such as the new coordinates or the type of combat, and the client's receipt of the server's message is called recv. Knowing this, the next thing to do is analyze the data (that is, the packets) exchanged between client and server, so that we can extract and modify the useful data and then simulate the server sending to the client, or the client sending to the server, and in this way modify the game. Besides modifying game packets, we can also modify the client program itself to meet our requirements. The computing power of any server is limited; in a game especially, it is almost impossible for one game server to calculate the state of every player, so some operations are still left to our client, which gives us some room to modify the game. For example, by unpacking the client program and tracing it in a debugger we can find certain decision branches and remove the checks that work against us. In the following sections we introduce the concept of packets and the knowledge needed to trace and modify the client. Are you ready?

Game data format and storage:

Before starting our work, we need some knowledge about how data is stored in a computer and how games store their data. This part is written for newcomers (cainiao) to game modification; if you already know it, you can skip it! Becoming an invincible swordsman takes time; if you only want to be a tourist of the rivers and lakes, you will have no use for this knowledge and can close the page now. The choice between swordsman and tourist is yours!

Now let's start! First, you need to know the several formats in which a game stores data: byte, word and double word, that is, 8-bit, 16-bit and 32-bit storage. A byte (8 bits) can hold a number from 0 to 255; a word (16 bits) can hold a number from 0 to 65535; a double word (32 bits) can hold a number from 0 to 4294967295.

Why do we need to understand this? The maximum values of the various parameters in a game differ. Some are around 100, for example a character's level or the number of randomly encountered enemies in Jin Yong Qun Xia Zhuan (Heroes of Jin Yong); others must exceed 255 or even 65535, for instance a character's money in The Legend of the Kingdom can reach millions. Different data in a game therefore use different data types, and when we look for the packet carrying the data we want to modify, correctly determining its data type is an important condition for quickly finding the correct address.

In a computer, data is stored in bytes. Each byte is assigned a number that determines its location; this number is called an address.

When a word or double word is needed, the computer uses two consecutive bytes to form a word and two consecutive words to form a double word. The address of a word or double word is the address of its low byte. Under Windows 9x an address is represented by a 32-bit binary number; when we write a memory address we usually use an 8-digit hexadecimal number.

What is binary and hexadecimal?

To put it simply, binary is a positional counting system with only two digits, 0 and 1: every time a position reaches two, one is carried into the next position. Similarly, hexadecimal is the counting system that carries one every sixteen. Hexadecimal has sixteen digits, 0 to f, and uses the six letters A, B, C, D, E and F for the values 10 to 15. Their correspondence with decimal is: A is 10, B is 11, C is 12, D is 13, E is 14 and F is 15. There is also a simple correspondence between hexadecimal and binary: one hexadecimal digit is equivalent to four binary digits. For example, the four-bit binary number 1111 is equivalent to hexadecimal F, and 1010 is equivalent to A.

Understanding these basics will be of great help in modifying games. Now to the point: in the computer, data is stored in binary, and because the conversion between binary and hexadecimal is so simple, most modification tools display the computer's data as hexadecimal and require you to enter hexadecimal numbers when modifying. Is that clear?

The values displayed in the game are in decimal. To find and modify a parameter you have to convert between decimal and hexadecimal; the Calculator that comes with Windows can do this, and you find it under Accessories in the Programs group of the Start Menu.

That is almost all you need to know! However, there is one more thing to watch out for when modifying games: in the computer, the low-order byte of a number is stored first and the high-order byte after it (little-endian order). For example, decimal 41715 converted to hexadecimal is a2f3, but this number is saved in memory as f3 a2.
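As an added illustration of the three storage widths and of the low-byte-first rule (this is example code written for this page, not from the original author), the Python below encodes and decodes values as byte, word and double word, and searches a small constructed block of "memory" for a value at each width. The sample memory layout and the attribute values in it (level 99, hit points 41715, money 1500000) are assumptions made for the example; only the 41715 / f3 a2 figure comes from the text.

```python
# Storage formats named in the text, with their width in bytes.
WIDTHS = {"byte": 1, "word": 2, "dword": 4}

def value_range(fmt):
    """Smallest and largest unsigned number a field of this format holds."""
    return 0, (1 << (8 * WIDTHS[fmt])) - 1

def fits(value, fmt):
    lo, hi = value_range(fmt)
    return lo <= value <= hi

def encode(value, fmt):
    """Lay a value out as the machine stores it: low-order byte first."""
    if not fits(value, fmt):
        raise ValueError(f"{value} does not fit in a {fmt}")
    return value.to_bytes(WIDTHS[fmt], "little")

def decode(raw):
    """Read back a little-endian unsigned number of 1, 2 or 4 bytes."""
    if len(raw) not in WIDTHS.values():
        raise ValueError("expected 1, 2 or 4 bytes")
    return int.from_bytes(raw, "little")

def hex_dump(raw):
    """Hex as a modification tool shows memory, e.g. 41715 -> 'f3 a2'."""
    return " ".join(f"{b:02x}" for b in raw)

def find_value(memory, value):
    """Offsets where `value` occurs in `memory`, tried at every width it fits.
    The byte pattern differs per width, which is why guessing the wrong
    data type finds nothing, or finds the wrong place."""
    hits = {}
    for fmt in WIDTHS:
        if not fits(value, fmt):
            continue
        pattern = encode(value, fmt)
        hits[fmt] = [i for i in range(len(memory) - len(pattern) + 1)
                     if memory[i:i + len(pattern)] == pattern]
    return hits

# Constructed 16-byte "memory" (assumed layout): level 99 as a byte at offset 4,
# hit points 41715 as a word at offset 6, money 1500000 as a double word at 8.
SAMPLE_MEMORY = (b"\x00" * 4 + encode(99, "byte") + b"\x00"
                 + encode(41715, "word") + encode(1500000, "dword") + b"\x00" * 4)

if __name__ == "__main__":
    print(hex_dump(encode(41715, "word")))    # low byte first: f3 a2
    print(hex_dump(SAMPLE_MEMORY))
    print(find_value(SAMPLE_MEMORY, 41715))   # only the word-sized search hits
    print(find_value(SAMPLE_MEMORY, 99))      # byte and word searches both hit offset 4
```

Note that the value 99 is found both as a byte and as a word, because the byte after it happens to be 00; a number that cannot fit in a byte, such as 41715, is simply never tried at that width.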

Having read the above, do you understand how data is stored and how its representations relate? Now let's talk about what a packet is in a game. Come on! Roll up your sleeves and let's get to work!

--------------------------------------------------------------------------------

II. What is a packet?

How do we intercept a game's packets? How can we check the IP address and port number of the game server? The communication of all the various information services used by Internet users ultimately comes down to IP packets, the units of information transmission on the Internet. Besides the data to be transmitted, an IP packet contains the destination IP address the information is sent to, the source IP address it is sent from, and some related control information. When a router receives an IP packet, it looks up its routing table by the destination IP address in the packet and sends the packet out of the corresponding port according to the result; the next router receives the packet and forwards it in the same way until it reaches its destination. Routers exchange routing information through routing protocols to keep their routing tables up to date.

We only care about the data carried inside the IP packets. Many network sniffing tools can intercept the data exchanged between client and server; the one introduced here is WPE.

How to use WPE: after running WPE you can choose among the following functions:

Select Game: choose the program in memory whose packets you want to intercept. Just double-click the program name.

Trace: tracks the packets a program sends and receives. In WPE you must first click the name of the program to be tracked before using this item. Press the play button to start capturing packets; you can press || at any time to pause the trace, and press || again to continue. Pressing the square stops the capture and displays all captured packets. If you do not press the square, the trace stops automatically according to the value set in Options. If you capture nothing at all, try changing the option to Winsock version 2. WPE and its trainers can only run when the display color depth is at least 16 bits.

Filter: used to analyze the captured packets and modify them.

Send Packet: lets you send packets, including forged ones.

Trainer Maker: creates a trainer (modifier).

Options: lets you adjust WPE's settings.

Filter details

- When a filter is enabled, its On button is red.
- Once a filter is started you can close this window at any time; the filter keeps its state until you press the On/Off button again.
- Only when the filter's enable button is off can you tick the box in front of a filter to edit it.
- To edit a filter, double-click its name.

Normal Mode:

Example:

In the game Street Fighter Online [Fast Hitting, online edition], when you throw a fireball twice and hit the opponent, you capture the following packets:

send-> 0000 08 14 21 06 01 04
send-> 0000 02 09 87 00 67 ff A4 AA 11 22 00 00 00 00
send-> 0000 03 84 11 09 11 09
send-> 0000 0a 09 C1 10 00 00 FF 52 44
send-> 0000 0a 09 C1 10 00 00 66 52 44

Your first fireball took 16 points of the opponent's life [16 = 10h], and you notice that the value 10h appears at position 4 of the 4th and 5th packets; that should be the place.

You can see that the 0a 09 C1 before the 10h is unchanged in both packets; these three values are the key to the fireball.

So enter 0a 09 C1 10 in the search column [Search] and fill in ff at position 4 of the modify column [Modify]. When you next throw a fireball, FF replaces the earlier 10, that is, a fireball with an attack power of 255!

Advanced Mode:

Example: in some game you do not want to use your real name and would rather send a modified pseudonym to the other party. After a Trace you find that your name appears in some of the packets. Suppose your name is Shadow; converted to hexadecimal it is [53 68 61 64 6f 77]. You want to replace it with Moon [6D 6f 6f 6e 20].

1) send-> 0000 08 14 21 06 01 04
2) send-> 0000 01 06 99 53 68 61 64 6f 77 00 01 05
3) send-> 0000 03 84 11 09 11 09
4) send-> 0000 0a 09 C1 10 00 53 68 61 64 6f 77 00 11
5) send-> 0000 0a 09 C1 10 00 00 66 52 44

Looking carefully, however, the name does not appear at the same position in every packet:

- In the 2nd packet the name starts at the 4th position
- In the 4th packet the name starts at the 6th position

In this case you need Advanced Mode. Fill in the search column [Search] with 53 68 61 64 6f 77 [be sure to start from position 1]. You want the new name to replace the original name Shadow from its first letter, so you need to replace consecutive values starting from the position where the search value was found [from the position of the chain found]. In the modify column [Modify], at position 000, fill in 6d 6f 6f 6e 20 20 [this is a relative position, that is, the values are changed counting from the +001 position of the original search box]. If instead you want to change values from the very beginning of the packet, select [from the beginning of the packet].

Anyone familiar with TCP/IP knows that data sent over the Internet is first packed into packets and then transmitted. Each packet is divided into header information and data: the header includes the sending address and the destination address, and the data carries the information about the operations we perform in the game. Before intercepting packets we need to know the game server's IP address, port number and other details. The simplest way is to check whether there is a server.ini configuration file under the game directory; the IP address of the game server can be seen in such a file. Apart from that, we can also use the netstat command from DOS.

The netstat command displays network connections, the routing table and network interface information, letting you see which network connections are currently active. Alternatively you can use a tool such as Trojan Horse Star to view network connections. There are many such tools; use whichever you like.

The general format of the netstat command is: netstat [options]

The meaning of each option is as follows:

-a displays all sockets, including those that are listening.
-c redisplays the output every second until the user interrupts it.
-i displays all network interfaces.
-n shows network connections by numeric IP address instead of by name.
-r displays the kernel routing table, in the same format as "route -e".
-t shows the TCP connection status.
-u displays UDP connections.
-v displays the work in progress (verbose output).

--------------------------------------------------------------------------------

III. How to analyze the intercepted packets?

First we save the packets intercepted by WPE as a text file and open it. We then see data like the following (the example here is the data the client sends when PKing the shop assistant in Jin Yong Qun Xia Zhuan Online):

File 1:
send-> 0000 E6 56 0d 22 7E 6B E4 17 13 13 12 12 12 13 67 1b
send-> 0010 17 12 dd 34 12 12 12 12 12 12 17 12 0e 12 12 12 12 9b
send-> 0000 E6 56 1E F1 29 06 17 12 3B 0e 17 1a
send-> 0000 E6 56 1B C0 68 12 12 12 5a
send-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12
send-> 0000 E6 56 17 C9 12

File 2:
send-> 0000 83 33 68 47 1B 0e 81 72 76 76 77 76 77 76 02 7e
send-> 0010 72 77 07 1C 77 77 77 77 72 77 77 77 6d
send-> 0000 83 33 7b 94 4C 63 72 77 5E 6B 72 f3
send-> 0000 83 33 7E A5 21 77 77 77 3f
send-> 0000 83 33 67 AD 76 CF 1B 0e 81 72 75 50 42 76 77 77
send-> 0000 83 33 72 AC 77

We find that the two PKs of the shop assistant produce data in the same format but with different content. We PKed the same NPC, so why is it different? It turns out that the packets of Jin Yong Qun Xia Zhuan Online are encrypted before being transmitted over the network. The problem we face is how to decrypt the ciphertext into plaintext and then analyze it.

Because packet encryption is usually an exclusive-or (XOR) operation, let us first explain what XOR is. In short, XOR means "same gives 0, different gives 1" (applied bitwise, in binary). For example, XORing 0001 with 0010 bit by bit gives 0011. The calculation goes like this: the 4th bit of 0001 is 0 and the 4th bit of 0010 is 0; they are the same, so by the rule "same gives 0, different gives 1" the 4th bit of the result is 0. The 3rd bit of 0001 is 0 and the 3rd bit of 0010 is 0, so the 3rd bit of the result is 0. The 2nd bit of 0001 is 0 and the 2nd bit of 0010 is 1, so the 2nd bit of the result is 1. The 1st bit of 0001 is 1 and the 1st bit of 0010 is 0, so the 1st bit of the result is 1. Combined, the result is 0011. We will meet XOR many times later, so get familiar with the operation; it will make the analysis easier.

Now back to the two files above. Common sense says that not every byte of a packet carries a value: during development some bytes are reserved for future expansion, so a packet contains a number of "00" bytes. Looking at the files above, file 1 contains many "12" and file 2 many "77". Could those be the "00" bytes we are talking about? With that reasoning in mind, let's get started!

We XOR file 1 with "12" and file 2 with "77". Doing this by hand is of course very tedious, so we use the "M2M 1.0 encrypted packet analysis tool" to compute it. The result is:

File 1:
1 send-> 0000 F4 44 1f 30 6C 79 F6 05 01 01 01 00 01 75 09
  send-> 0010 05 00 CF 26 00 00 00 00 05 00 1C 00 00 89
2 send-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 08
3 send-> 0000 F4 44 09 D2 7A 00 00 00 48
4 send-> 0000 F4 44 10 da 01 dB 6C 79 f6 05 02 27 35 01 00 00
5 send-> 0000 F4 44 05 dB 00

File 2:
1 send-> 0000 F4 44 1f 30 6C 79 F6 05 01 01 01 00 01 75 09
  send-> 0010 05 00 70 6B 00 00 00 00 05 00 00 00 00 1A
2 send-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 84
3 send-> 0000 F4 44 09 D2 56 00 00 00 48
4 send-> 0000 F4 44 10 da 01 B8 6C 79 f6 05 02 27 35 01 00 00
5 send-> 0000 F4 44 05 dB 00

Haha, the two files are now mostly identical, which shows that our reasoning was correct. This is the plaintext we need!
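The reasoning of the last few paragraphs (reserved bytes are 00 in the plaintext, so the most frequent ciphertext byte is the single-byte XOR key) can be mechanised. The Python below is an added example, not the article's tool: it recovers the key from the first packet of each capture quoted above and decrypts it, using only the bytes printed on this page. It assumes, as the article does, that the whole session is XORed with one constant byte.

```python
from collections import Counter

# The first packet of each capture exactly as quoted above (both dump lines).
FILE1_PACKET1 = bytes.fromhex(
    "E6 56 0d 22 7E 6B E4 17 13 13 12 12 12 13 67 1b "
    "17 12 dd 34 12 12 12 12 12 12 17 12 0e 12 12 12 12 9b")
FILE2_PACKET1 = bytes.fromhex(
    "83 33 68 47 1B 0e 81 72 76 76 77 76 77 76 02 7e "
    "72 77 07 1C 77 77 77 77 72 77 77 77 6d")

def guess_xor_key(ciphertext):
    """Recover a single-byte XOR key by the article's argument: reserved
    fields are 00 in the plaintext and 00 XOR key == key, so the most
    frequent ciphertext byte is the key itself."""
    return Counter(ciphertext).most_common(1)[0][0]

def xor_with(data, key):
    """XOR every byte with a one-byte key; decryption is the same operation."""
    return bytes(b ^ key for b in data)

def decrypt_session(ciphertext):
    """Return (key, plaintext) for one captured packet."""
    key = guess_xor_key(ciphertext)
    return key, xor_with(ciphertext, key)

def hexdump(data):
    return " ".join(f"{b:02X}" for b in data)

if __name__ == "__main__":
    for name, pkt in (("file 1", FILE1_PACKET1), ("file 2", FILE2_PACKET1)):
        key, plain = decrypt_session(pkt)
        print(f"{name}: key {key:02X} -> {hexdump(plain)}")
```

Both sessions decrypt to the same F4 44 1f 30 header even though their keys differ, which is exactly what a per-session single-byte XOR looks like from the outside. The frequency guess needs enough padding bytes to work: the first sixteen bytes of file 2 alone contain more 76 than 77, so the key is only unambiguous once the second dump line is included.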

The next step is to figure out the meaning of the key bytes, which requires intercepting and analyzing a large amount of data.

First, we find that every packet starts with "F4 44", and that the 3rd byte varies, but quite regularly. Look at the length of each packet. What do we find? Right, the 3rd byte is the packet length! By intercepting a large number of packets we can determine that the 4th byte is the command, that is, the client telling the server what operation it performs; for example, the command requesting a battle from the server is "30", and the combat move command is "D4". Next we analyze the first packet, "F4 44 1f 30 6C 79 F6 05 01 01 00 01 00 01 75 09 05 00 CF 26 00 00 00 00 05 00 1C 00 00 89". What information does it contain? It should tell the server which NPC you are PKing, so let's look for the shop assistant's code. Here is the first packet from another PK, against Mr. Luo (outside the Dali Inn):

send-> 0000 F4 44 1f 30 D4 75 F6 05 01 01 00 01 01 75 09
send-> 0010 05 00 8A 19 00 00 00 00 11 00 02 00 00 00 C0

By common sense, although the number of NPCs in the game does not exceed 65535 (FFFF), the developers would not restrict themselves to the word range, since that would hinder expansion, so let's look at it as double words. Comparing the "shop assistant" and "Mr. Luo" packets, we put our attention on "6C 79 F6 05" and "CF 26 00 00". (Comparison is easy, but don't be too rigid about it, huh.) Let's also look at the later packets; the NPC code should appear there too, for example in the move packet: the game allows spectating, so the server must know the NPC's coordinates and broadcast them to the other players. In the 4th packet "send-> 0000 F4 44 10 da 01 dB 6C 79 F6 05 02 27 35 01 00 00" we see "6C 79 F6 05" again, so we tentatively conclude that the shop assistant's code is this! (This analysis involves a lot of work; you can capture data with WPE and analyze it yourself.)

That is as far as we take the first packet here (we do not need to understand every piece of information it contains).

Now look again at the 4th packet "send-> 0000 F4 44 10 da 01 dB 6C 79 F6 05 02 27 35 01 00 00", and then at the packet from PKing the yellow dogs (two dogs come out at once). Its format is:

send-> 0000 F4 44 1A da 02 0b 4B 7d F6 05 02 27 35 01 00 00
send-> 0010 EB 03 F8 05 02 27 36 01 00 00

By the above analysis, the yellow dog's code is "4B 7d F6 05" (100040011), but how does the server tell the two yellow dogs apart? Look at "EB 03 F8 05" (100140011): it is the previous code plus 100000, which lets the server distinguish the two dogs. We can confirm this by intercepting more packets from random encounters in the wild, and indeed it holds.

The packet format should now be clear: the 3rd byte is the packet length, "da" is the command, the 5th byte is the number of NPCs, and the 10 bytes starting at the 7th byte describe one NPC; each additional NPC adds another 10 bytes.
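The layout just described can be written down as a parser. The Python below is an added example, not the article's code: it parses the two decrypted "da" packets quoted above, reads each NPC code as a little-endian double word (confirming the 100040011 / 100140011 figures), and rejects packets whose length byte, NPC count and actual size disagree. Those consistency checks are exactly what a game server should apply before trusting an NPC list supplied by a client. The meaning of byte 6 and of the last six bytes of each record is not given in the article, so the parser only carries them along.

```python
import struct

# Layout of a decrypted NPC-list packet as worked out in the text:
#   bytes 0-1  F4 44   fixed header
#   byte  2    length of the whole packet
#   byte  3    command (da = NPC list)
#   byte  4    number of NPCs
#   byte  5    not explained in the article
#   byte  6..  one 10-byte record per NPC; its first 4 bytes are the NPC
#              code as a little-endian double word
HEADER = b"\xF4\x44"
CMD_NPC_LIST = 0xDA
RECORD_LEN = 10
FIRST_RECORD = 6

# The two packets quoted in the article (shop assistant; two yellow dogs).
ONE_NPC = bytes.fromhex("F4 44 10 da 01 dB 6C 79 F6 05 02 27 35 01 00 00")
TWO_DOGS = bytes.fromhex("F4 44 1A da 02 0b 4B 7d F6 05 02 27 35 01 00 00 "
                         "EB 03 F8 05 02 27 36 01 00 00")

def parse_npc_packet(pkt):
    """Parse an NPC-list packet and refuse anything internally inconsistent."""
    if len(pkt) < FIRST_RECORD or pkt[:2] != HEADER:
        raise ValueError("missing F4 44 header")
    length, cmd, count = pkt[2], pkt[3], pkt[4]
    if length != len(pkt):
        raise ValueError(f"length byte says {length} but {len(pkt)} bytes received")
    if cmd != CMD_NPC_LIST:
        raise ValueError(f"command {cmd:02X} is not an NPC list")
    if FIRST_RECORD + count * RECORD_LEN != length:
        raise ValueError(f"{count} NPC records do not fit a {length}-byte packet")
    npcs = []
    for i in range(count):
        start = FIRST_RECORD + i * RECORD_LEN
        record = pkt[start:start + RECORD_LEN]
        (code,) = struct.unpack_from("<I", record)      # little-endian double word
        npcs.append({"code": code, "tail": record[4:].hex(" ")})
    return {"length": length, "count": count, "npcs": npcs}

def npc_codes(pkt):
    return [npc["code"] for npc in parse_npc_packet(pkt)["npcs"]]

def is_consistent(pkt):
    """True if the packet passes every structural check above."""
    try:
        parse_npc_packet(pkt)
        return True
    except ValueError:
        return False

# Constructed inconsistent packets for the checks: the count raised without
# adding a record, and ten junk bytes appended without updating the length byte.
COUNT_BUMPED = TWO_DOGS[:4] + b"\x03" + TWO_DOGS[5:]
RECORD_APPENDED = TWO_DOGS + bytes(RECORD_LEN)

if __name__ == "__main__":
    print(npc_codes(ONE_NPC))      # [100039020]
    print(npc_codes(TWO_DOGS))     # [100040011, 100140011]
    print(is_consistent(COUNT_BUMPED), is_consistent(RECORD_APPENDED))
```

Reading the four code bytes with `<I` is the same low-byte-first rule discussed in the data-format section: "4B 7d F6 05" on the wire is the number 0x05F67D4B. Structural consistency is the minimum a server can verify; it does not establish that the listed NPCs actually belong to the encounter, which only server-side state can decide.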

If you have played Jin Yong Qun Xia Zhuan Online, you know that random enemy reinforcements sometimes appear. We will use the game's reinforcement mechanism to make reinforcements appear in every battle.

By intercepting packets during a battle we find that the server sends a packet like "F4 44 12 E9 EB 03 F8 05 02 00 00 00 00 00 00 00 00" (bytes 5 to 8 are the code of the reinforcing NPC). Then we use a standalone proxy to spoof the client and the server at the same time!

With this, the NPC summoning is half done. Next we explain how to modify and send packets.

--------------------------------------------------------------------------------

IV. How do we impersonate the "client" and send the packets we need to the "server"?

Here we need a tool that sits between the client and the server; its job is to receive and forward packets. Such a tool is called a proxy. If the proxy only received and forwarded packets it would be pointless, but note that every packet has to pass through it, and that is what matters: we can analyze the received packets and forward them unchanged, modify them and then forward them, hold them back, or even forge the packets we need and send them.

Now we continue with how to spoof the server and the client at the same time, that is, how to modify and forge packets. From the analysis in the previous section we already know the packet format for multiple NPCs, so let's get started!

First, we need to find the packet the client sends when a battle starts, that is, the 1st packet requesting the battle. Its signature "F4 44 1f 30" does not change; of course we search for it after decryption. Once it is found, the client is requesting a battle from the server; we leave this packet alone and forward it. Continue looking: the next pattern is less easy to search for. First look for "da", the command with which the client sends its NPC data. Other packets may also contain "da", but that doesn't matter: check whether the first bytes are "F4 44" as well. Once we have found it, our work begins!

Then we decide how many NPCs to fight. This number cannot be very large, because the packet length in Jin Yong Qun Xia Zhuan Online is expressed in one byte, so a packet can have at most 255 bytes; we analyzed above that each additional NPC adds 10 bytes, so about 20 NPCs is appropriate.

Then we analyze the original NPC code in the client's packet, because each added NPC code should be the previous one plus 100000. Calculate the added codes and assemble them into a new packet, remembering to modify the byte that holds the packet length, then forward it to the server. When writing the program, pay attention to the algorithm at this step so as not to introduce large latency.

Once the above is done, cheating the client is easy ^-^

After the preceding packet has been sent, we construct packets from the newly added NPC codes and send them to the client immediately, in the format "F4 44 12 E9 <NPC code> 02 00 00 03 00 00 00 00 00 00". Construct one such packet for each added NPC and send them to the client in sequence, and the client is fooled...

This is only the theory. To really learn it you must do it yourself ~ and then gradually write out something useful ~~ Haha ~~

 

 
