Do what you like!
Tomorrow you will write your own plug-in. As online games become more popular, more and more players join them, and many of them already rely on plug-in programs to play. Is it really hard to build a game plug-in? The answer is no. Writing a program does require some basic knowledge, so we want to teach you the skills and methods for writing plug-ins in the simplest possible language and give you some basic helper tools; even if you are a newcomer, after reading our tutorials and using the tools we provide, you can put together a plug-in that is entirely your own. In this tutorial we use two games as examples of how to modify a game: Jin Yong Qun Xia Zhuan and the online Three Kingdoms. Both games encrypt their packets, and if you understand how the modifications for these two games are made, we believe you will be able to make your own plug-ins for other games as well. We provide two practical examples to make it easier to get started: calling 20 NPC reinforcements in Jin Yong Qun Xia Zhuan, and automatically taking medicine in PK plus automatic sending and removing in the online Three Kingdoms. Both programs are attached to this tutorial for your use and study. The tutorial teaches you how to crack the packet encryption algorithm and how to use the tools we provide to forge and send packets. Besides the text, it also comes with the plug-ins for Jin Yong Qun Xia Zhuan and the Three Kingdoms, six plug-ins in all, for your use. In the future we hope every player can grow through the game: not only play it well but also modify it, making a real DIY game. Making a game better requires a lot of computer knowledge, and many computer experts gradually became interested in computers and grew from playing and modifying games.
Do not envy what others can do, because you can do it too! I believe that after reading this tutorial you will see the game in a new light! (Don't throw eggs at me, please! #¥%......*) But if you want to learn more about games and raise your computer skills, you cannot stop at modifying games. Modifying a game is only a place to verify your understanding of some computer knowledge: it gives you the chance to discover and solve problems and helps you become interested in learning about computers, but it is not a shortcut to learning about computers.
--------------------------------------------------------------------------------
I. What is a plug-in?
Most online games today use the client/server model over the Internet. The server side runs on the game server, where the designers build a huge game world, and players all over the world log on to it at the same time by running the client program. Simply put, an online game is a game environment provided by the developer, in which the players act relatively freely and openly. Once there is a server in the picture, our traditional way of modifying games is powerless. In a single-player game we could search memory and modify the character's attributes at will; in an online game that is useless, because all attributes and important data of the character we play are stored on the server, and our own machine (the client) only displays the character's state, so modifying the character's attributes in client memory is pointless. Does this mean there is no way to modify an online game? No. Client/server communication on the Internet generally uses the TCP/IP protocols, and data is exchanged as IP packets. Our client sends requests to the server; commands such as moving and fighting are exchanged with the server as packets. A message sent from the local machine is called a send. After the server receives it, it replies with the relevant information according to its program, for example the coordinates after a move or the kind of battle. A message the client receives from the server is called a recv. Knowing this, what we have to do next is analyze the data (the packets) exchanged between client and server, extract and modify the useful data, and then simulate the server sending to the client or the client sending to the server. That is how we modify the game.
Besides modifying packets, we can also modify the client program to suit our needs. The computing power of any server is limited, and in a game it is nearly impossible for the server to calculate the state of every player, so some operations are left to the client, which gives us an opening. For example, after unpacking the client program we can find some of its decision branches and, by tracing and debugging, remove the judgements that work against us. The following sections introduce the concept of packets and the knowledge needed for tracing and modifying the client. Are you ready?
Game data format and storage:
Before we start, we need some knowledge of how computers store data and how games store their data. This section is for newcomers; if you are an expert, skip it! If you want to become an invincible swordsman you will have to spend some time on it; if you only want to be a tourist in the world of the game, it does not matter whether you understand it or not. The choice is yours!
Now let's start! First you need to know the formats in which the game stores data: byte, word, and double word, that is 8-bit, 16-bit, and 32-bit storage. A byte (8 bits) holds a number from 0 to 255; a word (16 bits) holds 0 to 65535; a double word (32 bits) holds 0 to 4294967295.
Why do we need to know this? The maximum values of the various parameters in a game differ: some are around 100, such as the character level and the number of enemies in a random encounter in Jin Yong Qun Xia Zhuan, while others must exceed 255 or even 65535, such as the character's money, which can reach millions. So different data in the game has different types. When we modify a game we have to find the packets that carry the data we want to modify, and correctly judging the data type is important for quickly finding the right bytes.
In a computer, data is stored in bytes. Each byte is assigned a number to determine its location. This number is called an address.
When a word or double word is needed, the computer uses two consecutive bytes to form a word and two consecutive words to form a double word. The address of a word or double word is the address of its lowest byte. In Windows 9x an address is a 32-bit binary number, and when we write a memory address we usually use an 8-digit hexadecimal number.
What is binary and hexadecimal?
Simply put, binary is a counting system with only two digits, 0 and 1; every time a digit reaches two it carries. Likewise, hexadecimal carries every sixteen. Hexadecimal has sixteen digits, 0 to F, where the letters A, B, C, D, E and F stand for 10 to 15 in decimal: A is 10, B is 11, C is 12, D is 13, E is 14, F is 15. There is also a simple correspondence between hexadecimal and binary: four binary digits equal one hexadecimal digit. For example, binary 1111 is hexadecimal F, and 1010 is A.
Knowing these basics will help a lot when modifying a game, and here is why. Data in a computer is stored in binary, and converting between hexadecimal and binary is very simple, so most modification tools display the computer's data as hexadecimal codes, and you also have to enter hexadecimal numbers when modifying. Is that clear?
The data shown in the game is in decimal. To find and modify a parameter value you can convert between decimal and hexadecimal with the Calculator that comes with Windows; you will find it under Accessories in the Programs group of the Start menu.
That is almost all the knowledge you need for now! But there is one more point that needs attention when modifying games. In computers the low byte of a number is stored first and the high byte after it. For example, the decimal number 41715 is A2F3 in hexadecimal, and it is stored in the computer as F3 A2.
After reading the above, do you understand how data is stored and how the different representations relate to each other? Now let's tell you what packets are in a game. Come on, roll up your sleeves and let's get to work!
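To make the storage widths and the byte order concrete, here is a small added example (written for this edit, not part of the original tutorial). It takes a decimal value as shown in the game and prints the byte pattern it occupies at each width, using the text's own number 41715, and reads a dump pattern back both the right way and the wrong way:

```python
# Added example, not from the original tutorial: the byte pattern a decimal
# value seen in the game turns into at each storage width, and how to read a
# pattern back. The numbers are the text's own: 41715 = A2F3h is stored as
# F3 A2 because the low byte comes first (little-endian, as on Windows/x86).
WIDTHS = {"byte": 1, "word": 2, "dword": 4}


def storage_patterns(value):
    """Map each width to the hex bytes `value` occupies in memory, or None
    where the value does not fit (that is the width to search for)."""
    patterns = {}
    for name, size in WIDTHS.items():
        if 0 <= value < 256 ** size:
            patterns[name] = value.to_bytes(size, "little").hex(" ").upper()
        else:
            patterns[name] = None
    return patterns


def read_little_endian(hex_pattern):
    """Read bytes written as in a WPE dump ('F3 A2') the way the computer does."""
    return int.from_bytes(bytes.fromhex(hex_pattern), "little")


def read_as_written(hex_pattern):
    """The common mistake: reading the dump bytes in the order they appear."""
    return int.from_bytes(bytes.fromhex(hex_pattern), "big")


if __name__ == "__main__":
    # a level around 100, the text's 41715, and a money value in the millions
    for value in (100, 41715, 1500000):
        print(value, storage_patterns(value))
    print(read_little_endian("F3 A2"), read_as_written("F3 A2"))  # 41715 62370
```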
--------------------------------------------------------------------------------
II. What is a packet?
How do we intercept a game's packets? How do we find the IP address and port number of the game server? The communication of every information service used on the Internet comes down to the transmission of IP packets. Besides the data being carried, an IP packet contains the destination IP address, the source IP address and some related control information. When a router receives an IP packet, it looks up the routing table using the destination address and forwards the packet to the corresponding port; the next router continues forwarding in the same way until the packet reaches its destination. Routers exchange routing information through routing protocols to update their routing tables.
What we care about is the data inside the IP packets. Many network sniffing tools can intercept the data exchanged between client and server; the tool introduced here is WPE.
How to use WPE: after starting WPE you can choose the following functions:
Select game: select the program in memory you want to intercept. Just double-click the program name.
Trace: tracks the packets sent and received by a program. You must first click the program name to be tracked. Press the play key to start capturing the packets the program sends and receives. You can press the pause key (||) at any time to pause tracing and press it again to continue. Pressing the square (stop) key stops capturing and displays all captured packets. If you do not press stop, tracing stops automatically according to the value set in Options. If you capture nothing, try changing the Winsock version to 2 in Options. WPE and trainers only run when the display color depth is at least 16 bits.
Filter: analyzes the captured packets and modifies them.
Send packet: lets you send forged packets.
Trainer maker: creates a trainer (modifier).
Options: lets you adjust some WPE settings.
Filter details
- When a filter is enabled, its On button is red.
- After starting a filter you can close this window at any time; the filter keeps its state until you press the On/Off button again.
- Only when the filter enable button is Off can you tick the box in front of a filter to edit it.
- To edit a filter, double-click its name.
Normal Mode:
Example:
When you use a fireball twice and hit the opponent in the online Street Fighter game, you capture the following packets:
send-> 0000 08 14 21 06 01 04
send-> 0000 02 09 87 00 67 ff A4 AA 11 22 00 00 00 00
send-> 0000 03 84 11 09 11 09
send-> 0000 0a 09 C1 10 00 00 FF 52 44
send-> 0000 0a 09 C1 10 00 00 66 52 44
Your first fireball reduced the opponent's life by 16 points; 16 in decimal is 10h, and you notice that position 4 of the 4th and 5th packets holds the value 10h, so that should be the spot.
You can also see that the 0a 09 C1 in front of 10h is unchanged in both packets. These three values are the signature of the fireball.
So you enter 0a 09 C1 10 in the search column, and fill in FF at position 4 of the modify column. Now whenever you throw a fireball, FF replaces the original 10, that is, a fireball with attack power 255!
Advanced Mode:
Example: in a game you do not want to use your real name, and you want to send a modified pseudonym to the other party instead. After a trace you find that your name appears in some packets. Suppose your name is shadow; in hexadecimal that is 53 68 61 64 6F 77, and you intend to replace it with moon, that is 6D 6F 6F 6E 20 20.
1) send-> 0000 08 14 21 06 01 04
2) send-> 0000 01 06 99 53 68 61 64 6f 77 00 01 05
3) send-> 0000 03 84 11 09 11 09
4) send-> 0000 0a 09 C1 10 00 53 68 61 64 6f 77 00 11
5) send-> 0000 0a 09 C1 10 00 00 66 52 44
However, on closer inspection the name does not appear at the same position in every packet.
- In the 2nd packet the name appears at position 4.
- In the 4th packet the name appears at position 6.
In this case you need advanced mode. Fill in the search column with 53 68 61 64 6F 77 (be sure to start from position 1). You want to replace the new name starting from the first letter of the original name shadow, so choose to replace the consecutive values from the position where the value is found. Now fill in 6D 6F 6F 6E 20 20 at position 000 of the modify column. This is a relative position, that is, the change starts from the +001 position of the value found in the search column. If instead you want to change from the first position of the packet, select "from the beginning of the packet".
Anyone familiar with TCP/IP knows that data is packaged before it is sent over the Internet. Each packet is divided into a header and a data part. The header holds the packet's source and destination addresses; the data part holds information about the operations we perform in the game. Before intercepting packets we need to know the IP address, port number and other details of the game server. The simplest way is to check whether there is a server.ini configuration file in the game directory; in that file you can see the IP address of the game server, which is the case with Jin Yong Qun Xia Zhuan. We can also use the netstat command in DOS.
The netstat command displays network connections, the routing table and network interface information, so you can see which network connections are currently active. Alternatively you can use a tool such as Trojan Horse Star to view network connections. There are many tools; use whichever you like.
The general form of the netstat command is: netstat [options]
The options mean the following:
-a displays all sockets, including those listening.
-c redisplays every second until the user interrupts it.
-i displays information about all network interfaces.
-n shows network addresses numerically (IP addresses instead of names).
-r displays the kernel routing table, in the same format as "route -e".
-t shows TCP connections.
-u shows UDP connections.
-v displays work in progress (verbose output).
--------------------------------------------------------------------------------
III. How to analyze the intercepted packets?
First save the packets intercepted by WPE as a text file and open it. You will see data like the following (here we use the data the client sends when PKing the shop assistant in Jin Yong Qun Xia Zhuan as the example):
First file:
send-> 0000 E6 56 0d 22 7E 6B E4 17 13 13 12 12 12 13 67 1b
send-> 0010 17 12 dd 34 12 12 12 12 12 12 17 12 0e 12 12 12 12 9b
send-> 0000 E6 56 1E F1 29 06 17 12 3B 0e 17 1a
send-> 0000 E6 56 1B C0 68 12 12 12 5a
send-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12
send-> 0000 E6 56 17 C9 12
Second file:
send-> 0000 83 33 68 47 1B 0e 81 72 76 76 77 76 77 76 02 7e
send-> 0010 72 77 07 1C 77 77 77 77 72 77 77 77 6d
send-> 0000 83 33 7b 94 4C 63 72 77 5E 6B 72 f3
send-> 0000 83 33 7E A5 21 77 77 77 3f
send-> 0000 83 33 67 AD 76 CF 1B 0e 81 72 75 50 42 76 77 77
send-> 0000 83 33 72 AC 77
We find that the data format of the two PKs against the shop assistant is the same, but the content differs. It is the same NPC, so why is it different? It turns out that Jin Yong Qun Xia Zhuan encrypts its packets before transmitting them on the network, so the problem we face is how to decrypt the ciphertext into plaintext before analyzing it.
Because packet encryption is usually an exclusive-or (XOR) operation, let's talk about what XOR is. In short, XOR means "same gives 0, different gives 1", applied to binary numbers bit by bit. For example, XOR 0001 with 0010: comparing the values bit by bit gives 0011. The calculation goes like this: the 4th bit of 0001 is 0 and the 4th bit of 0010 is 0; they are the same, so by the rule "same gives 0, different gives 1" the 4th bit of the result is 0. The 3rd bits are 0 and 0, so the 3rd bit of the result is 0. The 2nd bits are 0 and 1, so the 2nd bit of the result is 1. The 1st bits are 1 and 0, so the 1st bit of the result is 1. Put together, the result is 0011. We will meet XOR many times later, so get familiar with the operation; it will make the analysis easier.
Now let's go back to the two files above. By common sense, not every byte of a packet carries a value: during development some bytes are reserved for future extension, so there will be some "00" bytes in a packet. Looking at the files, we see many "12" in file 1 and many "77" in file 2. Could these be our "00"? Let's test this reasoning!
We XOR file 1 with "12" and file 2 with "77". Doing this by hand is tedious, so we use the "M2M 1.0 plus packet analysis tool" to do the computation. The result is:
First file:
1 send-> 0000 F4 44 1f 30 6C 79 F6 05 01 01 01 00 01 75 09
  send-> 0010 05 00 CF 26 00 00 00 00 05 00 1C 00 00 89
2 send-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 08
3 send-> 0000 F4 44 09 D2 7A 00 00 00 48
4 send-> 0000 F4 44 10 da 01 dB 6C 79 f6 05 02 27 35 01 00 00
5 send-> 0000 F4 44 05 dB 00
Second file:
1 send-> 0000 F4 44 1f 30 6C 79 F6 05 01 01 01 00 01 75 09
  send-> 0010 05 00 70 6B 00 00 00 00 05 00 00 00 00 1A
2 send-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 84
3 send-> 0000 F4 44 09 D2 56 00 00 00 48
4 send-> 0000 F4 44 10 da 01 B8 6C 79 f6 05 02 27 35 01 00 00
5 send-> 0000 F4 44 05 dB 00
Haha, most of the two files are identical, which shows our reasoning was right. The above is the plaintext we need!
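The "most frequent byte is really 00" reasoning above can be automated. The following is an added example (written for this edit, not the M2M tool or any code from the original tutorial): it parses the two WPE dumps quoted in this section, guesses the single-byte XOR key of each from the most frequent ciphertext byte, and decodes them so the common "F4 44" header and the shop assistant's code "6C 79 F6 05" show up in both.

```python
# Added example (not from the original tutorial): recover the single-byte XOR
# key of two captured "send" dumps and decode them. The heuristic is the one
# the text walks through: the most frequent ciphertext byte is an encrypted 00.
from collections import Counter

# Constructed from the two dump files quoted in this section. A "send-> 0000"
# line starts a packet; a "send-> 0010" line continues the packet before it.
FILE_1 = """\
send-> 0000 E6 56 0d 22 7E 6B E4 17 13 13 12 12 12 13 67 1b
send-> 0010 17 12 dd 34 12 12 12 12 12 12 17 12 0e 12 12 12 12 9b
send-> 0000 E6 56 1E F1 29 06 17 12 3B 0e 17 1a
send-> 0000 E6 56 1B C0 68 12 12 12 5a
send-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12
send-> 0000 E6 56 17 C9 12
"""

FILE_2 = """\
send-> 0000 83 33 68 47 1B 0e 81 72 76 76 77 76 77 76 02 7e
send-> 0010 72 77 07 1C 77 77 77 77 72 77 77 77 6d
send-> 0000 83 33 7b 94 4C 63 72 77 5E 6B 72 f3
send-> 0000 83 33 7E A5 21 77 77 77 3f
send-> 0000 83 33 67 AD 76 CF 1B 0e 81 72 75 50 42 76 77 77
send-> 0000 83 33 72 AC 77
"""


def parse_dump(text):
    """Turn a WPE-style text dump into a list of packets (bytes objects)."""
    packets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "send->":
            continue
        offset = int(parts[1], 16)
        data = bytes(int(h, 16) for h in parts[2:])
        if offset == 0:
            packets.append(data)      # offset 0000: a new packet begins
        else:
            packets[-1] += data       # offset 0010 etc.: continuation line
    return packets


def guess_xor_key(packets):
    """Assume the most frequent ciphertext byte is a reserved 00 byte; the key
    is then that byte itself, because 00 XOR key == key."""
    counts = Counter(b for p in packets for b in p)
    most_common_byte, _ = counts.most_common(1)[0]
    return most_common_byte


def xor_decode(packets, key):
    return [bytes(b ^ key for b in p) for p in packets]


def decode_dump(text):
    """Return (guessed key, decoded packets) for one dump file."""
    packets = parse_dump(text)
    key = guess_xor_key(packets)
    return key, xor_decode(packets, key)


def hexdump(packet):
    return " ".join(f"{b:02X}" for b in packet)


if __name__ == "__main__":
    for name, text in (("file 1", FILE_1), ("file 2", FILE_2)):
        key, plain = decode_dump(text)
        print(f"{name}: key {key:02X}")
        for p in plain:
            print("  ", hexdump(p))
```

Comparing the two decoded outputs packet by packet is the same check the text does by eye: the bytes that agree are protocol structure, the bytes that differ are per-session data.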
The next step is to figure out the meaning of some key bytes, which requires intercepting a large amount of data for analysis.
First, we find that every packet starts with "F4 44" and that the 3rd byte changes, but in a regular way. Look at the length of each packet. What do we find? Right, the 3rd byte is the packet length! By intercepting a large number of packets we can determine that the 4th byte is the command, that is, what operation the client tells the server it is performing: for example, the request for a battle is "30" and movement in battle is "D4". Next let's analyze the first packet above, "F4 44 1f 30 6C 79 F6 05 01 01 01 01 00 01 75 09 05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 89". What information does it carry? It should tell the server which NPC you are PKing, so let's look for the code of the shop assistant. Here is the packet for another PK, against Mr. Luo (the one outside the Dali inn):
send-> 0000 F4 44 1f 30 D4 75 F6 05 01 01 00 01 00 01 75 09
send-> 0010 05 00 8A 19 00 00 00 00 11 00 02 00 00 00 C0
By common sense, although the number of NPCs in the game will not exceed 65535 (FFFF), the developers would not restrict themselves to a word, which would hamper extending the game, so let's look at it in double words. Comparing the "shop assistant" and "Mr. Luo" packets, we narrow the candidates down to "6C 79 F6 05" and "CF 26 00 00". (Comparing is easy, but don't be lazy about it, heh heh.) Now look at the later packets: the NPC code should appear in them too, for example in the movement packet, because when a game allows spectating, the server must know the NPC's coordinates and broadcast them to other players. In the 4th packet, "send-> 0000 F4 44 10 da 01 dB 6C 79 F6 05 02 27 35 01 00 00", we see "6C 79 F6 05" again, so we tentatively conclude that it is the shop assistant's code! (This analysis involves a lot of work; you can capture data with WPE and analyze it yourself.)
That is as far as we go with the first packet (we do not need to understand every piece of information it contains).
Now look at the 4th packet, "send-> 0000 F4 44 10 da 01 dB 6C 79 F6 05 02 27 35 01 00 00", and then capture the packet for PKing the yellow dogs (two dogs come out). The packet looks like this:
send-> 0000 F4 44 1A da 02 0b 4B 7d F6 05 02 27 35 01 00 00
send-> 0010 EB 03 F8 05 02 27 36 01 00 00
By the above analysis the yellow dog's code is "4B 7d F6 05" (100040011), but how does the server tell the two yellow dogs apart? Look at "EB 03 F8 05" (100140011): it is the previous code plus 100000. Haha, that is how the server distinguishes the two dogs. We confirmed this with packets captured from encounters with enemies in the wild.
The packet format should now be clear: the 3rd byte is the packet length, "da" is the command, the 5th byte is the number of NPCs, and starting from the 7th byte every 10 bytes describe one NPC; one more NPC means 10 more bytes.
If you have played the online Jin Yong game, you know that enemy reinforcements sometimes arrive at random. We will use the game's own reinforcement mechanism to get reinforcements in every battle.
By intercepting packets during a battle, we find that the server sends a packet like this: f4 44 12 E9 EB 03 F8 05 02 00 00 00 00 00 00 00 00. Bytes 5 to 8 are the code of the reinforcing NPC (here we simply use the yellow dog's code as the example). Next we will use a proxy to spoof the client and the server at the same time!
The NPC call is now half explained. Next, let's continue with how to modify and send packets.
--------------------------------------------------------------------------------
IV. How do we impersonate the "client" and send the packets we need to the "server"?
Here we need a tool that sits between the client and the server; its job is to receive and forward packets. Such a tool is called a proxy. If the proxy only received and forwarded packets it would be pointless, but note that every packet has to pass through it, and that is what matters. We can analyze the received packets and forward them unchanged, forward them after modification, suppress them so they are not forwarded at all, or even forge the packets we need and send them.
Next we continue with how to spoof the server and the client at the same time, that is, how to modify and forge packets. From the analysis in the previous section we already know the packet format for multiple NPCs, so let's get started!
First we have to find, among the packets the client sends, the feature of a battle request, that is, the 1st packet of a battle. We find the signature "F4 44 1f 30", which does not change (of course you have to decrypt before looking for it). When this packet is found, the client is requesting a battle from the server; we leave it alone and forward it. Continue looking. The next pattern is not so easy to find: we first look for "da", the command with which the client sends NPC information. Other packets may also contain "da"; that does not matter, just check whether the first bytes are "F4 44". Once it is found, our work begins!
First we decide how many NPCs to fight. This number cannot be very large, because the length of a packet in the online Jin Yong game is expressed in one byte, so a packet can have at most 255 bytes. We found above that each added NPC adds 10 bytes, so 20 NPCs is a suitable number.
Then we analyze and compute the original NPC code from the client's packet, because each added NPC code is the previous one plus 100000. Compute the added NPC codes and assemble them into a new packet. Note that the byte holding the packet length must be changed as well; then the packet is forwarded to the server. When writing the program, pay attention to the algorithm in this step so as not to introduce large latency.
Having completed the above, spoofing the client is easy ^-^
After the above packet is sent, we build a packet for each newly added NPC code and send it to the client immediately. The format is "F4 44 12 E9 NPC code 02 00 00 03 00 00 00 00 00 00 00"; build such a packet for each newly added NPC and send them to the client in turn. The client is then spoofed. Easy.
We do not have to care about anything else in the battle. Go ahead and try it.
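The packet layout worked out in section III and the padded multi-NPC packet of this section can be checked by a program. The following is an added example (written for this edit; it is neither the tutorial's plug-in nor the game's code): a parser for the "da" NPC packet, plus the check a game server would need in order to reject a packet whose NPC count, length byte or NPC codes do not match what the server itself issued for the battle. The two real packets are the ones quoted in section III; the malformed one is constructed here.

```python
# Added example, not part of the original tutorial. It parses the NPC packet
# described in section III and applies the checks a game server would need in
# order to reject the padded packets that section IV describes.
# Layout, as worked out in the text:
#   bytes 0-1  F4 44   fixed header
#   byte  2    length  whole packet length in one byte (so at most 255)
#   byte  3    command 0xDA = NPC information
#   byte  4    count   number of NPCs in the packet
#   byte  5    unknown
#   byte  6..  count x 10-byte NPC records, each beginning with the NPC code
#              as a 4-byte little-endian double word
HEADER = b"\xF4\x44"
CMD_NPC_INFO = 0xDA
FIXED_LEN = 6
NPC_LEN = 10


def parse_npc_packet(pkt):
    """Return the NPC codes in a decrypted NPC packet; raise ValueError if the
    packet is malformed in a way a server should refuse."""
    if len(pkt) < FIXED_LEN or pkt[:2] != HEADER:
        raise ValueError("bad header")
    length, cmd, count = pkt[2], pkt[3], pkt[4]
    if cmd != CMD_NPC_INFO:
        raise ValueError(f"not an NPC packet: command {cmd:02X}")
    if length != len(pkt):
        raise ValueError(f"length byte {length} but {len(pkt)} bytes received")
    if FIXED_LEN + count * NPC_LEN != length:
        raise ValueError(f"{count} NPC records do not fit {length} bytes")
    codes = []
    for i in range(count):
        rec = pkt[FIXED_LEN + i * NPC_LEN : FIXED_LEN + (i + 1) * NPC_LEN]
        codes.append(int.from_bytes(rec[:4], "little"))
    return codes


def validate_for_server(pkt, issued_codes):
    """Server-side check: accept only NPC codes the server itself issued for
    this battle, and never the same code twice. The client is not trusted to
    decide how many NPCs take part."""
    try:
        codes = parse_npc_packet(pkt)
    except ValueError as err:
        return False, str(err)
    if len(set(codes)) != len(codes):
        return False, "duplicate NPC code"
    unknown = [c for c in codes if c not in issued_codes]
    if unknown:
        return False, f"NPC codes not issued by the server: {unknown}"
    return True, "ok"


# Sample packets. The first two are the decrypted packets quoted in section III
# (the shop assistant and the two yellow dogs); the third is constructed here:
# the two-dog packet with its count byte raised to 3, which no longer matches
# its length byte.
STORE_PKT = bytes.fromhex("F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00")
TWO_DOGS_PKT = bytes.fromhex(
    "F4 44 1A DA 02 0B 4B 7D F6 05 02 27 35 01 00 00 EB 03 F8 05 02 27 36 01 00 00"
)
BAD_COUNT_PKT = TWO_DOGS_PKT[:4] + b"\x03" + TWO_DOGS_PKT[5:]

if __name__ == "__main__":
    print(parse_npc_packet(STORE_PKT))        # [100039020]
    print(parse_npc_packet(TWO_DOGS_PKT))     # [100040011, 100140011]
    # The server issued only the first dog, so the second code is rejected.
    print(validate_for_server(TWO_DOGS_PKT, {100040011}))
    print(validate_for_server(BAD_COUNT_PKT, {100040011, 100140011}))
```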
Http://blog.csdn.net/raphyer/archive/2003/10/02/15673.aspx