Tools: SoftICE, Kingsoft Ranger 2002, VC ++ 7.0, PE viewer, SPY ++
Test Platform: Windows 2000 Professional SP2
Hello everyone! Belated New Year greetings to you all. Time has flown; it has been a full year since I was last here. You may well no longer remember YY, but I have not forgotten any of you.
This year has been so busy that I have had no time to write articles while listening to music in the middle of the night, as I used to. Today I am on vacation, so let me use it to recharge everyone a little :D
What does YY bring you today? Well, you can see the title, and it looks cool: "Advanced Game Hacker". You say you are already a game hacker? Fine, but this one is "advanced". What is advanced about it? After reading this article you will know :D
First, I will introduce the tools that will be used:
1. SoftICE (needless to say, I think you should use it)
2. Kingsoft Ranger 2002 (you should also use this)
3. VC ++ 7.0 (not required, but at least one programming tool)
4. PE Viewer (any one will do; it doesn't matter much, because I will also show you how to view sections with SoftICE)
5. SPY ++ (a tool in VC for viewing program information, you can use other tools, such as Delphi and WinSight32 of C ++ Builder)
Then you should have the following knowledge:
1. Assembly Basics
2. Some programming basics; at the very least, understand the few API functions I introduce below
3. Knowledge of the PE file structure is a bonus; it doesn't matter if you lack it, as I will explain what is needed.
If you have all the above points, we can start.
Let me introduce what I want to teach you. You must have used dedicated game modifiers, such as those for Diablo, Red Alert, and Monopoly; I am not talking about generic modification tools like FPE.
Have you ever tried using Kingsoft Ranger to change your money in Red Alert 2? If so, you know you have to search again every time you play, because the game allocates its memory dynamically and the address changes every time you restart. So you end up downloading a dedicated modifier from the internet. Have you ever thought of making one yourself? You have? Then why haven't you? What, you think it is hard? It is easy, and after reading this tutorial you will be able to :D Let me talk about the principle first.
Friends who often modify games will know that, whether or not the memory address of an "item" in the game is dynamic, the distance between one item and another stays the same. Take "Chu Liuxiang xinchuan" as an example. I first use Kingsoft Ranger to find the address of the internal force value: 79F695C. Then the address of the item "Jin chuangyao": 328D1DC. Subtracting 328D1DC from 79F695C gives 4769780, and this number is the offset between the internal force value and the Jin chuangyao value. Don't see the point yet? Keep reading, I haven't finished. Now I run the game again, find the internal force address and get 798695C; the Jin chuangyao address is now 321D1DC. Both addresses have changed, but what do you get when you subtract the Jin chuangyao address from the internal force address? Right, still 4769780. In other words, no matter how the two addresses move around in memory, the distance between them never changes. This holds not only for this game but for games in general; at least I have never met an exception :D
The conclusion from the above: as long as we know the offset between two addresses, obtaining either one of them gives us the other.
The first step is to get one of these addresses, but an address that changes dynamically in memory is useless to us. Here I will teach you how to make it static, so that it never changes! I will continue with "Chu Liuxiang xinchuan" as the example. If you have this game, follow along with me; if not, it doesn't matter, just read through the steps. Let's get to work!
First, enter the game and find the address of the internal force value. The result is 798695C (I don't know why the memory address did not change this time). Press Ctrl+D to bring up SoftICE and run the command BPM 798695C W (break when this address is written). Return to the game and open the character attribute panel; the game breaks into SoftICE, where you will see this instruction:
0047EB17 MOV EAX, [EDX+000003F4] // run the command D EDX+3F4 here and the internal force value is displayed
0047EB1D PUSH EAX
....................................
....................................
From the above we can see that the instruction at EB17 loads the internal force value, addressed through EDX, into the EAX register. This is a typical addressing pattern: think of EDX as holding a base address; add 3F4 to it and you have the address of the internal force value. Because 000003F4 is a constant it never changes; only the value in EDX does. So as long as we have a way to obtain the value in EDX, everything becomes easy. Understood? If not, read it again. What we need to do now is obtain that value, and here is how:
My solution is to write a small piece of code that stores the value of EDX at a fixed address, run it, and then return to the game's original instructions to continue execution. What, patching? SMC? Call it whatever you like; anything is fine as long as it runs correctly :D
Actual Operation:
First, find some blank space in the program to hold the code we design. This is very simple; anyone who knows a little about the PE file structure will know that the end of an EXE's data section (.data) usually has some slack space, and we can write whatever we like there. Of course you can also use the "90 method" to find a blank area, but I recommend the method I am teaching you. As mentioned above, if you don't have a PE file viewer, I can show you how to view sections with SoftICE; it is very easy and takes a single command: MAP32 "module name". Watch how I do it.
Press Ctrl+D to bring up SoftICE and run the command MAP32 CrhChs. You should see information on every section of the EXE, including the .data section. Since we are looking for the end of the data section, we start from the next section and look upward, as shown below:
.data 004FB000
.rsrc 00507000
The section following .data is .rsrc, which starts at 00507000. That is, the byte just before 00507000 is the end of the data section. I choose to write the code starting at 00506950. After all this talk, what exactly does our code look like, and what does the modified instruction look like? Don't worry, see below:
Code modified after 0047EB17:
0047EB17 JMP 00506950 // jump to our code
0047EB1C NOP // the original instruction is 6 bytes and the JMP is 5, so pad with a NOP
0047EB1D PUSH EAX
// Our code:
00506950 MOV EAX, [EDX+000003F4] // re-execute the instruction we overwrote
00506956 MOV DWORD PTR [00506961], EDX // save EDX to 00506961
0050695C JMP 0047EB1D // return to the original code and continue
Write the above Code with the command of SoftICE. OK!
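As an added example (my own C code, not from the article or the game), this derives the machine-code bytes for the patch above from the addresses the article gives: a JMP rel32 displacement is target minus (source + 5), the saved-EDX slot is placed right after the cave, and a check confirms that code plus slot stay below the .rsrc start at 00507000. The only assumptions are the article's addresses and that CrhChs is a 32-bit x86 binary.

```c
#include <stdint.h>
#include <string.h>
/* Addresses from the article (the author's CrhChs.exe). */
#define HOOK_SITE    0x0047EB17u  /* MOV EAX,[EDX+3F4], 6 bytes, gets overwritten */
#define RETURN_SITE  0x0047EB1Du  /* PUSH EAX, where the cave jumps back to */
#define CAVE_START   0x00506950u  /* slack at the end of .data */
#define NEXT_SECTION 0x00507000u  /* .rsrc starts here; the cave must end before it */
#define FIELD_OFFSET 0x3F4u       /* the internal force value lives at [EDX+3F4] */
/* Store a 32-bit value little-endian, the byte order x86 uses for immediates. */
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}
/* JMP rel32 (E9 disp32): disp is measured from the END of the 5-byte instruction,
 * so disp = target - (src + 5); unsigned wrap-around yields the two's-complement
 * encoding of a backward jump (the F7 FF bytes in the article). */
static size_t encode_jmp(uint32_t src, uint32_t target, uint8_t *out) {
    out[0] = 0xE9;
    put_le32(out + 1, target - (src + 5));
    return 5;
}
/* Six bytes for the hook site: JMP cave plus one NOP to pad the 6-byte MOV. */
static size_t build_hook_patch(uint8_t *out) {
    size_t n = encode_jmp(HOOK_SITE, CAVE_START, out);
    out[n++] = 0x90;
    return n;
}
/* Cave body: replay MOV EAX,[EDX+disp32] (8B 82 disp32), save EDX to an absolute
 * slot right after the cave (89 15 abs32), then JMP back. Reports the slot via *slot. */
static size_t build_cave(uint8_t *out, uint32_t *slot) {
    size_t n = 0;
    out[n++] = 0x8B; out[n++] = 0x82; put_le32(out + n, FIELD_OFFSET); n += 4;
    *slot = CAVE_START + (uint32_t)n + 6 + 5;  /* after this MOV and the final JMP */
    out[n++] = 0x89; out[n++] = 0x15; put_le32(out + n, *slot); n += 4;
    n += encode_jmp(CAVE_START + (uint32_t)n, RETURN_SITE, out + n);
    return n;
}
/* Sanity check the article skips: code plus the 4-byte slot must stay in .data. */
static int cave_fits(size_t cave_len) {
    return CAVE_START + cave_len + 4 <= NEXT_SECTION;
}
/* Compare against the bytes the article hard-codes (MY_CODE*, MY2..MY4_CODE*). */
static int matches_article(void) {
    static const uint8_t want_patch[6] = {0xE9, 0x34, 0x7E, 0x08, 0x00, 0x90};
    static const uint8_t want_cave[17] = {0x8B, 0x82, 0xF4, 0x03, 0x00, 0x00,
        0x89, 0x15, 0x61, 0x69, 0x50, 0x00, 0xE9, 0xBC, 0x81, 0xF7, 0xFF};
    uint8_t patch[8], cave[32]; uint32_t slot = 0;
    return build_hook_patch(patch) == 6 && memcmp(patch, want_patch, 6) == 0 &&
           build_cave(cave, &slot) == 17 && memcmp(cave, want_cave, 17) == 0 &&
           slot == 0x00506961u && cave_fits(17);
}
```

If the game is patched to a different build, only the five address constants need updating; the encoder recomputes both displacements and the slot address.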
Now let's try it out. Use Kingsoft Ranger to search for the address of the internal force value again. Has it changed? If it never changed, we would not have needed all this effort. Write down this address and return to the game. Press Ctrl+D to bring up SoftICE and run the command D *[00506961]+000003F4. What do you see in the data window? Haha, that's right: the address you just wrote down, and the value in it is the internal force value. Try changing it and go back to the game. Haha, the internal force value has changed :D
At this point our work is 90% done, but don't celebrate yet: the remaining 10% takes far longer than the previous 90%, because we have to implement all of it in a program; you can't do it by hand every time like we just did!
Now let's take a look at the programming steps:
First, use the FindWindow function to get the window handle; then use GetWindowThreadProcessId to get the process ID from the window handle; then use OpenProcess to obtain read/write access to the process; and finally use WriteProcessMemory and ReadProcessMemory to write and read its memory. Then... oh, your modifier is done :D
Below is a snippet of the modifier source I wrote earlier. The first part dynamically writes the code shown above, and the second part reads and modifies the internal force value. Since I have not had time to tidy and test it, I cannot guarantee it is error-free; if you find a mistake, leave a message or write to me on QQ. The code is as follows:
Note the following points:
1. Machine code must be written one byte at a time.
2. Be sure to write your own code first and only then modify the game's instruction (the code below does not do this, because it happens not to matter here, but you should keep the problem in mind).
////////////////////////////////////////////////////////////////////////////////
#include <windows.h> // DWORD and the process-memory APIs used by the modifier
// Write code dynamically
// Bytes to write at 0047EB17: JMP 00506950 ; NOP
#define MY_CODE1 0xE9
#define MY_CODE2 0x34
#define MY_CODE3 0x7E
#define MY_CODE4 0x08
#define MY_CODE5 0x00
#define MY_CODE6 0x90
// Bytes to write at 00506950: MOV EAX,[EDX+3F4] ; MOV [00506961],EDX ; JMP 0047EB1D
#define MY2_CODE1 0x8B
#define MY2_CODE2 0x82 // This part is the constant definition of the machine code to be written
#define MY2_CODE3 0xF4
#define MY2_CODE4 0x03
#define MY2_CODE5 0x00
#define MY2_CODE6 0x00
#define MY3_CODE1 0x89
#define MY3_CODE2 0x15
#define MY3_CODE3 0x61
#define MY3_CODE4 0x69
#define MY3_CODE5 0x50
#define MY3_CODE6 0x00
#define MY4_CODE1 0xE9
#define MY4_CODE2 0xBC
#define MY4_CODE3 0x81
#define MY4_CODE4 0xF7
#define MY4_CODE5 0xFF
//-----------------------------------------------------------------------------//
// Each byte is kept in its own DWORD so it can be written one byte at a time (see note 1)
DWORD A1 = MY_CODE1;
DWORD A2 = MY_CODE2;
DWORD A3 = MY_CODE3;
DWORD A4 = MY_CODE4;
DWORD A5 = MY_CODE5;
DWORD A6 = MY_CODE6;
DWORD B1 = MY2_CODE1;
DWORD B2 = MY2_CODE2;
DWORD B3 = MY2_CODE3; // This part is variable