How to use Delphi to develop online games plug

1, action, the so-called action, refers to the API command to the window or API control mouse, keyboard, etc., so that the characters in the game flow or attack, the earliest before the "stone" plug is this way.
2, local modification, this plug-in with the traditional some of the game modifier is no different, do this plug-in programming only need to have a little knowledge of memory address and grasp the API can be achieved, "Genie" plug This is written in this way, it is difficult to find those address code, find the address generally to rely on other people's tools, Some games also have double-code check, is looking up will be more difficult.
3, Trojan, the purpose of this plug-in is to help plug-in users to steal the user's password, do this plug has a certain degree of difficulty, need to hook or keyboard monitoring technology to do the base, can be completed, its principle is the first cut the user's account number or password, and then sent to the designated mailbox.
4, accelerated, this plug-in can speed up the game. Originally I always thought that the speed of the plug is for a game and write, and later found that I am not the concept of the so-called acceleration plug-in is actually modified clock frequency to achieve the purpose of accelerating.
5, sealed package, this plug-in is a high-difficulty plug-in, need to have a strong programming skills can be written out. Its principle is to intercept the packet first, then modify, then forward. This plug-in is suitable for most online games, such as WPE and some online game plug-ins are written in this way, to write this plug-in need Apihook technology, Winsock2 technology ...
The following is the use of Delphi to implement online game plug.


--------------------------------------------------------------------------------


On the last five types of plug-ins to do a general summary, we have a certain number of plug-ins have some understanding, and now in turn (making difficulty) from shallow to deep talk about my external production of some understanding it ~ ~ ~
First of all, to talk about the action-style plug-in, which is my first time to write the plug when the simplest one.
Remember still in the "Stone Age" time, I saw others hanging a software (external) characters can recruited walk (at that time I do not know how to ^_^), so find this software come to study (take it to listen to others said this is called plug-in), found that the east is not difficult to realize it actually, Baby tenant Look In fact the walk is nothing more than a mouse in different places point to point to, see after the impulse to achieve this function, then ran to MSDN to read some information, found this realization of these several functions, only need a few simple API functions can be done:
1, first of all we need to know the position of the mouse now (in order to restore the position of the mouse now) so we will use the API function GetCursorPos, it is used as follows:
BOOL GetCursorPos (

Lppoint Lppoint//address of structure for cursor position
);
2, we move the position of the mouse to the character to go to the place, we will use the Setcursorpos function to move the mouse position, it is used as follows:
BOOL Setcursorpos (

int X,//Horizontal position
int Y//Vertical position
);
3, simulation mouse issued press and release action, we have to use the mouse_event function to achieve, with the use of the following method:
VOID Mouse_event (

DWORD dwFlags,//flags specifying various Motion/click variants
DWORD DX,//horizontal mouse position or position change
DWORD dy,//vertical mouse position or position change
DWORD dwdata,//amount of wheel movement
DWORD dwExtraInfo//bits of application-defined information
);
In its dwflags, there are many events, such as Mobile Mouseeventf_move, left-click Mouseeventf_leftdown, leave the Mouseeventf_leftup, the specific east or check the MSDN it ~~~~~
Well, with the knowledge of the past, we can take a look at how the character removal is done:

GetCursorPos (point);
Setcursorpos (Ranpoint (80,WINDOWX), Ranpoint (80,windowy));//ranpoint is a self-made random coordinate function
Mouse_event (mouseeventf_leftdown,0,0,0,0);
Mouse_event (mouseeventf_leftup,0,0,0,0);
Setcursorpos (POINT.X,POINT.Y);

Read the above code, is not that the character's walk is very simple ~ ~, a imitation of three, there are a lot of good things can be achieved with this technique (I have said, TMD, this is the practice of garbage plug-in, believe it ~ ~ ~), then, then look at the game inside the automatic attack method (must attack support shortcuts) , the reason is still the same, just use the API is different ~ ~ ~, this time we want to use the keybd_event function, its usage is as follows:
VOID keybd_event (

BYTE BVK,//Virtual-key code
BYTE Bscan,//Hardware scan code
DWORD dwFlags,//flags specifying various function options
DWORD dwExtraInfo//Additional data associated with keystroke
);
We also need to know that the scanning code can not be used directly, to use the function Mapvirtualkey to turn the key value into a scanning code, mapvirtualkey the specific use of the following:
UINT Mapvirtualkey (

UINT UCode,//Virtual-key code or scan code
UINT umaptype//translation to perform
);
Well, rather than saying this quick-connect is CTRL + A, let's see how the actual code is written:

Keybd_event (Vk_control,mapvirtualkey (vk_control,0), 0,0);
Keybd_event (65,mapvirtualkey (65,0), 0,0);
Keybd_event (65,mapvirtualkey (65,0), keyeventf_keyup,0);
Keybd_event (Vk_control,mapvirtualkey (vk_control,0), keyeventf_keyup,0);

First simulation Press the CTRL key, and then simulate pressing a key, and then the simulation release a key, finally release the CTRL key, this is a simulation by the shortcut key cycle.
(see here, almost to the simple plug-in has a certain understanding of it ~ ~ ~ ~ To do a try? If you give a imitation of three can also have better things out, it depends on your ability to comprehend ~ ~, but don't be happy too early this is just the beginning, after there is more complex east waiting for you ~ ~)


--------------------------------------------------------------------------------

Last time we have done an analysis of the action-style plug-in, the action is the simplest plug-in, now we bring to see, more than the action of plug-in plug-in-place modification of the entire production process for a detailed decomposition.
As I know, the most typical application of local modified plug-in is in the "Elf" game, because I was nearly a year ago ("Genie" is still in beta), my company has a lot of colleagues play "Elf", so I looked at the game of data processing methods, found that the information it sends to the server is in memory (I see the first feeling is: modify this game and modify the single-player version of the game is not much different, in other words, before he submitted information to the server to modify the memory address on it), I found the address and then modified the memory address, sure enough, According to my idea changed the address, so that the system automatically submitted after the success of the ~~~~~, and then the "Wizard" and changed to double address school, memory, and so on, in here I will not nonsense ~~~~,ok, we will see how this kind of plug-in is produced:
Before doing the plug-in we have a specific understanding of Windows memory, and here we refer to the memory refers to the system's memory offset, that is, relative memory, and we want to modify it, then we have a few Windows API to understand, OK, With examples let us see clearly this plug-in production and API application (in order to ensure the normal operation of the network game, I will not find the memory address of the method detailed explanation):
1, first we want to use FindWindow, know the game window handle, because we want to through it to know the game after the running process ID, the following is the use of FindWindow:
HWND FindWindow (

LPCTSTR lpclassname,//Pointer to class name
LPCTSTR lpwindowname//Pointer to window name
);
2, we getwindowthreadprocessid to get the process ID of the game window relative to the process, the function usage is as follows:
DWORD GetWindowThreadProcessId (

HWND hwnd,//Handle of window
Lpdword Lpdwprocessid//Address of variable for process identifier
);
3, get the game process ID, the next thing is to open the process with the highest privileges, the use of the function of the OpenProcess method is as follows:
HANDLE OpenProcess (

DWORD dwdesiredaccess,//Access flag
BOOL bInheritHandle,//Handle inheritance Flag
DWORD DWPROCESSID//Process identifier
);
In the dwdesiredaccess is the place to set up access, it can set a lot of permissions, we are here to use as long as the use of process_all_access to open the process can be, the other way we can check MSDN.
4, open the process, we can use the function of the memory in the operation, here we just use the writeprocessmemory to write data to the RAM address (other operating methods such as: ReadProcessMemory, I do not introduce here), Let's take a look at the usage of writeprocessmemory:
BOOL WriteProcessMemory (

HANDLE hprocess,//HANDLE to process whose memory are written to
LPVOID lpbaseaddress,//address to start writing to
LPVOID lpbuffer,//pointer to buffer to write data to
DWORD nSize,//number of bytes to write
Lpdword Lpnumberofbyteswritten//Actual number of bytes written
);
5, the following with CloseHandle closed process handle is completed.
This is this kind of game plug-in program implementation part of the method, well, with this method, we have a rational understanding, we look at the actual example, enhance our perceptual knowledge bar, the following is XX Game plug code, we follow the above method corresponding to study it:
Const
Resourceoffset:dword = $004219F4;
Resource:dword = 3113226621;
Resourceoffset1:dword = $004219f8;
Resource1:dword = 1940000000;
Resourceoffset2:dword = $0043fa50;
Resource2:dword = 1280185;
Resourceoffset3:dword = $0043fa54;
Resource3:dword = 3163064576;
Resourceoffset4:dword = $0043fa58;
Resource4:dword = 2298478592;
Var
Hw:hwnd;
Pid:dword;
H:thandle;
tt:cardinal;
Begin
HW: = FindWindow (' XX ', nil);
If HW = 0 Then
Exit;
GetWindowThreadProcessId (HW, @pid);
H: = OpenProcess (Process_all_access, FALSE, PID);
If h = 0 Then
Exit;
If Flatcheckbox1. Checked=true Then
Begin
WriteProcessMemory (H, Pointer (Resourceoffset), @Resource, sizeof (Resource), TT);
WriteProcessMemory (H, Pointer (ResourceOffset1), @Resource1, sizeof (RESOURCE1), TT);
End
If Flatcheckbox2. Checked=true Then
Begin
WriteProcessMemory (H, Pointer (ResourceOffset2), @Resource2, sizeof (RESOURCE2), TT);
WriteProcessMemory (H, Pointer (ResourceOffset3), @Resource3, sizeof (RESOURCE3), TT);
WriteProcessMemory (H, Pointer (RESOURCEOFFSET4), @Resource4, sizeof (RESOURCE4), TT);
End
MessageBeep (0);
CloseHandle (h);
Close
This game is a multi-address to submit the data to be verified, so that this kind of game plug-in production is not very difficult, the hardest is to find these addresses.


--------------------------------------------------------------------------------


I've never been able to figure out how to make an accelerated plug-in. The next half of the 2001-year "Programmer's book", "The Book of variable Speed Gears" was re-aftertaste once again, only a little enlightenment, and then with Delphi rewrite again, below I put my experience said to everyone listen to, And thanks to the "speed gear" research notes, author Shary Big 虲 gave hints. Nonsense I will not say more, then start the magic of the accelerated plug-in experience of the journey it!
Originally I always thought that the speed of the plug is for a game and write, and later found that I am not the concept of the so-called acceleration plug-in is actually modified clock frequency to achieve the purpose of accelerating.
Before the DOS era played programming people will immediately think, it is very simple is not directly modify the 8253 register, which in the previous DOS era may be able to work, but Windows is not. Windows is a 32-bit operating system, not where you want to change where to change (Microsoft is so domineering, said not to change you do not change ^_^), but to change is not impossible, we can be achieved by two methods: the first is to write a hardware driver to complete, The second is to use the RING0 to achieve (this method is the author of the CIH organizations Hao, it is the principle of modifying the IDT table, creating an interrupt door-to enter the ring0-> call interrupt modification vector, but there is no way can only use ASM assembly to achieve all this *_*, Be a user of high-level language! ), using the first method with a bit of trouble, so we are here in the second way to achieve it ~ ~ ~
Let's take a look at the idea before we do it:
1, we must first write a process in the process of embedding assembly language to achieve the modification of the IDE table, create an interrupt gate, modify the vector and other work
2, call this process to achieve the acceleration function
Well, now that the idea is there, let's look at the code side to explain it:
First we establish a process, which is the core part of this program:
Procedure setring (Value:word); stdcall;
Const ZDH = $03; Set an interrupt number
Var
Idt:array [0..5] of byte; Save IDT Table
Og:dword; storing old vectors
Begin
Asm
Push EBX
Sidt IDT//Read into interrupt descriptor
mov ebx, DWORD ptr [idt+2]//idt table base Address
Add ebx, 8*ZDH//calculates the position of the interrupt in the Interrupt descriptor table
CLI//Off interrupt
MOV dx, word ptr [ebx+6]
SHL edx, 16d
MOV dx, word ptr [ebx]
mov [OG], edx
mov eax, offset @ @Ring0//point to RING0 Level code snippet
mov word ptr [ebx], AX//Low 16 bit, saved in 1, 2 bit
shr eax, 16d
mov word ptr [ebx+6], AX//High 16 bit, saved in 6, 7 bit
int ZDH//Interrupt
mov ebx, DWORD ptr [idt+2]//reposition
Add ebx, 8*ZDH
mov edx, [OG]
mov word ptr [ebx], DX
SHR edx, 16d
mov word ptr [ebx+6], dx//restore vector changed
Pop ebx
JMP @ @exitasm//To Exitasm
@ @Ring0://RING0, this is also the most core of the east
MOV al,$34//write 8253 control register
Out $43,al
MOV ax,value//write timed value
Out $40,al//write timer value low
MOV Al,ah
Out $40,al//write timed value high
IRETD//Return
@ @exitasm:
End
End
The core of the thing has been written, most of the reader is aware of its why it does not know, hehe, but I do not know why it is also. Now let's try to use this process to make a kind of "speed gear" of a thing!
Add a window, put a TrackBar control on the window, set its max to 20,min to 1, set position to 10, and write in the change event of this control:

Setring (Strtoint (' $ ' +inttostr (1742+) (10-trackbar1. Position) (*160)));

Because the default value of Windows is $1742, so we have 1742 as the base, and because the lower the value of the faster, the inverse of the principle of slower, so write a formula, OK, this is the "speed gear" of a delphi+asm version (only applicable to Win9x), hehe, try it, It will be a great help to you, hehe.
In the Win2000, we can not achieve in the direct operation of the port, RING0 is also ineffective, some people will think, we may write the driver to complete it, but here I tell you, Windows2000 driver is not a VxD can be achieved, Low hand like me is not able to write Windows to drive WDM, no way, I only with the help of the implementation, Prottalk is a very good device driver, he is very convenient to achieve the operation of the lower port, so as to achieve the acceleration plug-in.
1, we first want the next Porttalk Drive, his official website is http://www.beyondlogic.org
2, we have to copy the Prottalk.sys inside.
3, the establishment of a Protalk.sys interface (I want to omit, you can http://www.freewebs.com/liuyue/porttalk.pas next pas file to see it)
4, to achieve accelerated plug-in.
Originally in the article is to supplement the principle I do not want to talk too much, the following about the implementation of this procedure, if said with Prottalk to operate the port is much easier, than the Win98 under the ring permission to operate conveniently.
1, a new project, just under the interface file and Protalk.sys copied to the project files saved folder.
2. We add our interface file in our new project
Uses
Windows,prottalk ...
3, we establish a process
Procedure setring (Value:word);
Begin
If not openporttalk then exit;
OUTPORTB ($43,$34);
OUTPORTB ($40,lo (Value));
OUTPROTB ($40,hi (value));
Closeporttalk;
End

4, first add a window, put a TrackBar control on the window to set its max to 20,min set to 1, set position to 10, in the Change event of this control write:

Setring (Strtoint (' $ ' +inttostr (1742+) (10-trackbar1. Position) (*160)));


--------------------------------------------------------------------------------


The encapsulation technology of the network game is one of the concerns that most programming enthusiasts pay more attention to, so let's study this problem together in this article.
Although this is a package of the problem, but the scope of the technology involved is very wide, the way to achieve a lot (such as apihook,vxd,winsock2 can be achieved), here we are not possible each technology and methods involved, so I am here with Winsock2 technology to explain in detail, Even if it makes a brief.
Since most readers do not know much about packet programming, here is a brief introduction to the relevant knowledge:
Apihook:
Since Windows encapsulates the functionality provided by the kernel into the API, so that you have to implement functionality through the API, in other words, we want to capture data packets, we must first know and capture the API, from the API to get packet information.
Vxd:
The capture of packet information is implemented directly by controlling the VxD driver, although VxD can only be used for Win9x.
Winsock2:
Winsock is a Windows network programming interface, and Winsock works at the application layer, which provides high-level data transfer programming interfaces unrelated to the underlying transport protocol, and Winsock2 is the service provider interface provided by winsock2.0, but can only be used under Win2000.
OK, let's get into the Winsock2 package programming bar.
In the package programming I will be divided into two steps to explain to you: 1, packet capture, 2, packet delivery.
The first thing we want to achieve is the capture of the packet:
Delphi's package of Winsock is version 1.0, very natural Winsock2 will not be used. If we want to use Winsock2 we want to Winsock2 in Delphi inside to do an interface, can use Winsock2.
1, how to do the Winsock2 interface?
1) We must first define the type of winsock2.0 used, here we wsa_data type to do the demonstration, you can give an imitation of three to achieve Winsock2 other types of encapsulation.
We need to know that the Wsa_data type will be used for WSAStartup (Wversionrequired:word; var wsdata:twsadata): Integer; you'll find that Wsdata is a reference parameter, In the incoming parameter simultaneous is the address of the variable, so we do the following encapsulation for Wsa_data:
Const
Wsadescription_len = 256;
Wsasys_status_len = 128;
Type
Pwsa_data = ^twsa_data;
Wsa_data = Record
Wversion:word;
Whighversion:word;
Szdescription:array[0..wsadescription_len] of Char;
Szsystemstatus:array[0..wsasys_status_len] of Char;
Imaxsockets:word;
Imaxudpdg:word;
Lpvendorinfo:pchar;
End
Twsa_data = Wsa_data;
2) We are going to introduce Winsock2 functions from Ws2_32.dll, and here we also take the example of WSAStartup as a function introduction:
function WSAStartup (Wversionrequired:word; var wsdata:twsadata): Integer; stdcall;

Implementation

Const WINSOCKET2 = ' Ws2_32.dll ';
function WSAStartup; External winsocket name ' WSAStartup ';

Through the above method, we can do interface to Winsock2, below we can use Winsock2 to do the packet capture, but first there must be a network card. Because it involves the security of a running network game, so here we take the IP packet as an example to do packet capture, if some of the following data types you are not very clear, please consult MSDN:
1) to start the WSA, this is the WSAStartup function to use, as follows:
INTEGER WSAStartup (
Wversionrequired:word,
Wsdata:twsa_data
)；
2) Use the socket function to get the socket handle, M_hsocket:=socket (Af_inet, Sock_raw, IPPROTO_IP); Use the following:
INTEGER socket (Af:integer,
Struct:integer,
Protocol:integer
);

M_hsocket:=socket (Af_inet, Sock_raw, ipproto_ip); M_hsocket as a Socket handle in the program, Af_inet,sock_raw,ipproto_ip are constants.

3) Define the SOCK_ADDR type, follow our network card IP to the SOCK_ADDR type value, then we use the bind function to bind our network card, the BIND function uses as follows:

Type
IN_ADDR = Record
S_addr:pchar;
End;

Type
TSOCK_ADDR = Record
Sin_family:word;
Sin_port:word;
Sin_addr:in_addr
SIN_ZERO:ARRAY[0..7] of Char;
End;

Var
LOCALADDR:TSOCK_ADDR;

localaddr.sin_family: = af_inet;
Localaddr.sin_port: = 0;
Localaddr.sin_addr. S_ADDR: = inet_addr (' 192.168.1.1 '); Here is the IP address of your own NIC, and inet_addr This function is the function of Winsock2.

Bind (M_hsocket, localaddr, sizeof (LOCALADDR));

4) Use the WSAIoctl to register the WSA input and output components, which are used as follows:

INTEGER WSAIoctl (S:integer,
Dwiocontrolcode:integer,
Lpvinbuffer:integer,
Cbinbuffer:integer,
Lpvoutbuffer:integer,
Cboutbuffer:integer,
Lpcbbytesreturned:integer,
Lpoverlapped:integer,
Lpcompletionroutine:integer
);
5) The following dead loop, in the dead loop block, to achieve data reception. But the sacrifice ring in the middle to use sleep () to do delay, or the program will be wrong.
6) in the loop block, using the RECV function to receive data, the RECV function uses the following:
INTEGER recv (S:integer,
buffer:array[0..4095] of Byte,
Length:integer,
Flags:integer,
)；
7) in buffer is the data we receive back, if we want to know where the data is sent, then, we want to define a certain IP packet structure, with CopyMemory () to the IP information from the buffer to read out on it, However, the hexadecimal data needs to be translated.

See the whole process of the packet capture sequence, for you are not a bit of a hair, but here to tell everyone is the package is easy to get, but many of the game's packets are encrypted, if you want to find out what the content also need to self-packet decryption.


--------------------------------------------------------------------------------


In this chapter, we mainly study the production and delivery of the package, again, the method we use is delphi+winsock2 to produce. Previously said in Delphi only encapsulated Winsock1,winsock2 need to self-encapsulation, I do not introduce how to encapsulate.
Here's a step-by-step implementation of our packet encapsulation and delivery:
First of all, we should know that the packet is divided into two paragraphs, an IP, a section is a protocol (TCP,UDP, other protocols), IP is like ZIP code, which identifies you where the packet is from where, and the protocol records the target to use the package format and calibration, In the network game protocol is generally self-defined, to crack the network game is the most important to learn to crack the network Game Protocol Network Game Protocol crack, in order not to affect the security of the network game now running, I will take the UDP protocol as an example, introduce the network protocol packet and send the whole process.
Next, we can begin to look at the whole package:
1) We want to start the Sock2, this time to use the WSAStartup function, the use of the following:
INTEGER WSAStartup (
Wversionrequired:word,
Wsdata:twsa_data
)；
In the program wversionrequired we pass in a structure with a value of $0002,wsdata to Twsa_data.
2) Use the socket function to create and get the socket handle; Use the following:
INTEGER socket (Af:integer,
Struct:integer,
Protocol:integer
);
Note that in our program packets are filled with the IP header, so our struct parameter here to pass in the parameter value of 2, indicating that contains the Baotou. The function returns a handle to the winsocket that was just created.
3) Use the SetSockOpt function to set the sock option; Use the following:
INTEGER setsockopt (S:integer,
Level:integer,
Optname:integer,
Optval:pchar,
Optlen:integer
);
A socket handle is passed in S, and in this program level is entered with a value of 0 for IP (if 6 means tcp,17 for UDP, etc.), Optname writes 2, and Optval's initial value fills 1,optlen to optval size.
4) Next we'll take a few steps to implement the build envelope:
1, convert the IP to sock address, with INET_ADDR to convert.
Longint inet_addr (
Cp:pchar
);
2, define the total size of the package, IP version information for the IP structure:
Total packet size =ip the size of the header +udp the size of the header +udp the size of the message,
The version of IP, defined in this program as 4,
3, fill in the structure of the IP header:
Ip.ipverlen: = version of IP SHL 4;
Ip.iptos: = 0; IP Service Type
Ip.iptotallength: =; Total package Size
Ip.ipid: = 0; Unique identification, typically set to 0
Ip.ipoffset: = 0; Offset field
Ip.ipttl: = 128; Timeout period
Ip.ipprotocol: = $11; Defining protocols
Ip.ipchecksum: = 0; Total number of tests
IP.IPSRCADDR: =; Source Address
IP.IPDESTADDR: =; Destination Address
4. Fill in the structure of the UDP header:
Udp.srcportno: =; Source port number
Udp.dstportno: =; Destination port number
Udp.udplength: =; The size of the UDP packet
Udp.udpchecksum: =; Total number of tests
5, put the IP header, UDP header and message, put into the cache.
6. Define Remote information:
Remote.family: = 2;
Remote.port: =; Remote port
REMOTE.ADDR.ADDR: =; Remote Address

5) We use SendTo to send the packet, using the following:
INTEGER sendto (S:integer,
var Buf:integer,
var Len:integer,
var Flags:integer,
var addrto:tsock_addr;
Tolen:integer
);
In the S place is the socket handle, BUF is just built a packet, Len the total length of the packet has just been calculated, flag is the incoming tag here we set to 0,addto sent to the destination address, here we will be passed to the remote, Tolen writes the size of the remote.

6) At the end, don't forget to close the socket with closesocket (SH) and turn off the Winsock with WSACleanup.

The last thing to say is this way of sending, can only send a completely cracked network protocol, if you want to send data in the middle of someone else's program only with Apihook or in Winsock2 do the middle tier.

How to use Delphi to develop online games plug