Basics of plug-in writing

Packet interception

How do you intercept a game packet, and how do you find the IP address and port number of the game server? All the information services used on the Internet ultimately come down to the transmission of information in IP packets. Besides the data being transmitted, an IP packet contains the destination IP address the information is sent to, the source IP address it is sent from, and some related control information. When a router receives an IP packet, it looks up its routing table by the packet's destination IP address and sends the packet out of the corresponding port according to the result; the next router does the same, until the packet reaches its destination. Routers exchange routing information through routing protocols to update their routing tables. What we care about is only the data carried in the IP packet. Many network monitoring tools can be used to intercept the data exchanged between the client and the server; one of them is WPE.

How to use WPE: when WPE is run, the following functions can be selected:

SELECT GAME selects the program in memory that you want to intercept; you only need to double-click the program name.

TRACE tracking function. Used to trace the packets received by the captured program. WPE must first have a program selected before this item can be used. Press the Play button to start capturing the packets sent by the program. You can press || to pause tracing at any time, and press || again to continue. Press the square button to stop capturing and display all captured packets. If you do not press the square stop button, tracing stops automatically according to the setting in OPTION. If no data is captured, try setting OPTION to Winsock Version 2. WPE and Trainers can only run when the display is at least 16-bit color.

FILTER filtering function. It is used to analyze the captured packets and modify them.

SEND PACKET sends out the packet function. Allows you to send fake packets.

TRAINER MAKER makes a modifier.

OPTIONS setting function. Allows you to adjust some settings of WPE.

FILTER in detail

- When FILTER is active at startup, the ON button appears red.
- Once FILTER is started, you can close this window at any time; FILTER stays in its current state until you press the on/off button again.
- Only when the FILTER enable button is OFF can you tick the box in front of a filter to edit and modify it.
- To edit a filter, just double-click the filter name.

NORMAL MODE:

Example:

In the game, use two attacks and hit the other party; the following packets will be captured:

SEND-> 0000 08 14 21 06 01 04
SEND-> 0000 02 09 87 00 67 FF A4 AA 11 22 00 00 00 00
SEND-> 0000 03 84 11 09 11 09
SEND-> 0000 0A 09 C1 10 00 00 FF 52 44
SEND-> 0000 0A 09 C1 10 00 00 66 52 44

The first attack reduced the opponent's health by 16 points (16 = 10h). Observe that the 4th and 5th packets both carry the value 10h at position 4, so the attack value should be here.

Observe that the three bytes 0A 09 C1 preceding 10h are the same in both packets; these three values can be taken as the key to launching the attack.

Therefore, fill 0A 09 C1 10 into the search column (SEARCH), then fill FF into position 4 of the modification column (MODIFY). When the attack is issued again, FF replaces the previous 10, giving an attack with 255 attack power.

ADVANCED MODE:

Example: if you do not want to use your real name in a game and want to send a modified pseudonym to the opponent instead, after using TRACE you will find the name appearing in some packets. Assume the name is Shadow, which in hexadecimal is 53 68 61 64 6F 77, and that it is to be replaced with moon (6D 6F 6F 6E 20 20):

(1) SEND-> 0000 08 14 21 06 01 04
(2) SEND-> 0000 01 06 99 53 68 61 64 6F 77 00 01 05
(3) SEND-> 0000 03 84 11 09 11 09
(4) SEND-> 0000 0A 09 C1 10 00 53 68 61 64 6F 77 00 11
(5) SEND-> 0000 0A 09 C1 10 00 00 66 52 44

A closer look shows that the name does not appear at the same position in each packet: in the second packet the name starts at position 4, while in the fourth packet it starts at position 6.

This is where ADVANCED MODE is needed. In the search column (SEARCH) fill in 53 68 61 64 6F 77 (starting from position 1). Since the new name should replace the original name Shadow starting from its first letter, choose "replace the consecutive values starting from the position where the value is found" (that is, from the position of the chain found). Then fill in the modification column (MODIFY) at position 000: 6D 6F 6F 6E 20 20 (this is the corresponding position, i.e. counted from the +001 position of the original search column). If instead you want to modify values at a fixed position counted from the start of the packet, select "from the beginning of the packet".

The Internet packages data and transmits it in packets. Each packet has two parts: header information and data. The header includes the source address and the destination address of the packet; the data carries the information about our operations in the game. So before intercepting packets, you must first know the game server's IP address, port number and similar information. The simplest way is to look for a SERVER.INI configuration file in the game directory, from which the IP address of the game server can be read. Apart from this method, you can also use the NETSTAT command under DOS.

The NETSTAT command displays network connections, the routing table and network interface information, so the user can see which network connections are currently active. Alternatively, you can use a tool such as Trojan horse star to view the network connections.

The general format of the NETSTAT command is: NETSTAT [options]

The meaning of each option is as follows:

-a Display all sockets, including those being listened on.
-c Redisplay every 1 second until the user interrupts it.
-i Display information about all network interfaces.
-n Show network connections with numeric IP addresses instead of names.
-r Display the kernel routing table, in the same format as "route -e".
-t Show TCP connection status.
-u Show UDP connection status.
-v Show work in progress.

Analysis of intercepted packets

First save the packets intercepted by WPE as a text file, then open it; you will see data like the following (taking fighting a monster as an example):

First file:

SEND-> 0000 E6 56 0D 22 7E 6B E4 17 13 13 12 13 12 13 67 1B
SEND-> 0010 17 12 DD 34 12 12 12 12 17 12 0E 12 12 12 9B
SEND-> 0000 E6 56 1E F1 29 06 17 12 3B 0E 17 1A
SEND-> 0000 E6 56 1B C0 68 12 12 12 5A
SEND-> 0000 E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12
SEND-> 0000 E6 56 17 C9 12

Second file:

SEND-> 0000 83 33 68 47 1B 0E 81 72 76 76 77 76 77 76 02 7E
SEND-> 0010 72 77 07 1C 77 77 77 77 72 77 72 77 77 77 6D
SEND-> 0000 83 33 7B 94 4C 63 72 77 5E 6B 72 F3
SEND-> 0000 83 33 7E A5 21 77 77 77 3F
SEND-> 0000 83 33 67 AD 76 CF 1B 0E 81 72 75 50 42 76 77 77
SEND-> 0000 83 33 72 AC 77

The two monsters are the same, and the format of the two sets of packets is the same, but the contents differ. The guess is that the data was encrypted before being transmitted over the network.

The usual packet encryption is an XOR operation. Usually not every byte of a packet carries a value: when the game is developed, some byte space is reserved for future expansion, so there are a number of "00" bytes. Looking at the files above, file one contains many "12" bytes and file two many "77" bytes; the guess is that these are the "00" bytes.

XOR file 1 with "12" and file 2 with "77" (using the M2M 1.0 encrypted packet analysis tool) gives the following results:

First file:

1 SEND-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09
  SEND-> 0010 05 00 CF 26 00 00 00 00 05 00 1C 00 00 00 89
2 SEND-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 08
3 SEND-> 0000 F4 44 09 D2 7A 00 00 00 48
4 SEND-> 0000 F4 44 10 DA 01 DB 6C 79 F6 05 02 27 35 01 00 00
5 SEND-> 0000 F4 44 05 DB 00

Second file:

1 SEND-> 0000 F4 44 1F 30 6C 79 F6 05 01 01 00 01 00 01 75 09
  SEND-> 0010 05 00 70 6B 00 00 00 00 05 00 05 00 00 00 1A
2 SEND-> 0000 F4 44 0C E3 3B 13 05 00 29 1C 05 84
3 SEND-> 0000 F4 44 09 D2 56 00 00 00 48
4 SEND-> 0000 F4 44 10 DA 01 B8 6C 79 F6 05 02 27 35 01 00 00
5 SEND-> 0000 F4 44 05 DB 00

Most of the two files are now identical, which confirms that the guess was correct.
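The key-guessing step above is worth seeing as code, because it shows why a single-byte XOR gives no real protection: the key falls out of a byte-frequency count. The following is an added example, not code from the original post or from the M2M tool; the two captures are transcribed from the dumps above (constructed input), and the heuristic is the page's own: the most frequent ciphertext byte is taken to be an encrypted 00.

```python
from collections import Counter

# Constructed from the two WPE captures quoted above: one packet per line,
# "SEND-> 0000/0010" prefixes stripped, the 0010 continuation of packet 1
# joined onto its first line.
CAPTURE_1 = """
E6 56 0D 22 7E 6B E4 17 13 13 12 13 12 13 67 1B 17 12 DD 34 12 12 12 12 17 12 0E 12 12 12 9B
E6 56 1E F1 29 06 17 12 3B 0E 17 1A
E6 56 1B C0 68 12 12 12 5A
E6 56 02 C8 13 C9 7E 6B E4 17 10 35 27 13 12 12
E6 56 17 C9 12
"""
CAPTURE_2 = """
83 33 68 47 1B 0E 81 72 76 76 77 76 77 76 02 7E 72 77 07 1C 77 77 77 77 72 77 72 77 77 77 6D
83 33 7B 94 4C 63 72 77 5E 6B 72 F3
83 33 7E A5 21 77 77 77 3F
83 33 67 AD 76 CF 1B 0E 81 72 75 50 42 76 77 77
83 33 72 AC 77
"""

def parse_capture(text):
    """Turn the hex dump into a list of packets (bytes objects)."""
    return [bytes.fromhex(line) for line in text.splitlines() if line.strip()]

def guess_xor_key(packets):
    """The page's heuristic: reserved fields are 00 in the clear, so the most
    frequent ciphertext byte is 00 XOR key, i.e. the key itself."""
    counts = Counter(b for p in packets for b in p)
    return counts.most_common(1)[0][0]

def decode(packets, key):
    """Undo the single-byte XOR on every packet."""
    return [bytes(b ^ key for b in p) for p in packets]

def diff_positions(a, b):
    """Byte offsets where two decoded packets differ (session-specific fields)."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def compare_captures(text_a, text_b):
    """Recover each session's key, decode, and report per-packet differences.
    Returns (key_a, key_b, [diff positions for each packet pair])."""
    pa, pb = parse_capture(text_a), parse_capture(text_b)
    ka, kb = guess_xor_key(pa), guess_xor_key(pb)
    da, db = decode(pa, ka), decode(pb, kb)
    return ka, kb, [diff_positions(x, y) for x, y in zip(da, db)]

if __name__ == "__main__":
    ka, kb, diffs = compare_captures(CAPTURE_1, CAPTURE_2)
    print(f"key1=0x{ka:02X} key2=0x{kb:02X}")
    for n, d in enumerate(diffs, 1):
        print(f"packet {n}: differing offsets {d}")
```

The handful of offsets that still differ after decoding (a session value in packet 1, one byte each in packets 2 to 4) are exactly the bytes the next paragraph says need more captures to interpret.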

The next step is to understand the meaning of some key bytes, which requires intercepting a large amount of data for analysis.


Origin blog.csdn.net/flowwaterdog/article/details/105479213