Making an address finder for a game

Ok, so I've looked at quite a few articles over the last few days describing the concept of .dll injection, using tools to manually find values at certain memory addresses, etc., but I have some questions that I wasn't able to answer through my research. I'll need to give some background on what I am trying to do in order for this to make sense.

I am writing an application that is going to communicate with a game; this game was not designed to communicate with any third-party applications. The program will be required to keep records of certain things happening in-game and write them to a file (e.g., character x dies, 3 total characters dead, etc.). I'm not trying to maliciously "hack" the game or change memory, just read it.

So I read articles on dll injection, using tools such as CheatEngine, etc., and that is where my confusion set in. I realize that the addresses I find using CheatEngine are going to be different when loaded on a different computer, and so I cannot just hard-code these addresses into the .dll. This manual process obviously won't work because the target user demographic for this program is people even more clueless about memory hacking than I am.

So, my question boils down to this: Is it even possible to build one of these programs that will find the addresses I want automatically, based on some type of criteria, and also (if anyone is so kind as to do this) could you point to some starter/reference material for learning how to do this?

My warmest regards to anyone kind enough to respond.

Yes, it's actually pretty simple.

If you do e.g. Foo* objPtr = new Foo(); your Foo object becomes allocated in a different place every time you start the application. To find it though, you have to find the variable pointing to it, objPtr in this case, which is basically "static". However this can go through multiple levels. You can hardcode this value if you want, however this is not preferred.

Usually you search for e.g. getters, which provide you with global objects, or search for functions in which these global objects are referenced directly. Through these global objects you now get the actual objects you want.

You find them at runtime by searching for a sequence of bytes. Imagine a very simple function:

PUSH EBP
MOV EBP, ESP
MOV EAX, globalVar
POP EBP

You create a binary pattern which represents this code snippet (the opcodes etc.) and simply iterate over the whole program trying to find this specific method. However, your pattern needs to be unique; it should only match one location in the whole binary. This can sometimes be a bit tricky and requires you to be creative. In this case it probably won't be possible to find a unique pattern (the function is too generic). Once you have found this function, you can call it to acquire the object or read the address directly from it (parsing MOV EAX, globalVar). Although, calling is probably better because the code might change, but its functionality/signature usually does not.

Actually such pattern scanning isn't required if you're searching for functions, which usually only move on recompilation but not on every start of the program. However, the above example should give you an impression of how it is done. Also notice that if you don't search for methods but hardcode their addresses, your code will probably break on the next game patch.

The hard part is to find the functions, identify the structures and simply understand what your target program does under the hood / how it works. We call this process reverse engineering. Usually you always need some kind of "entry point" into the application (as you can imagine, a game is actually quite big). These can be multiple things, but the most common ones are certainly programs like Cheat Engine in conjunction with memory breakpoints, referenced strings from the target program, library function calls (which expose publicly available names, e.g. Win32, 3rd-party libs) or already available knowledge (e.g.: I know this object is an agent, so somewhere there must be a position member in it). But once you have done that, actually finding the things you reversed in the program is quite easy.
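Added example (not from the answer above or any project): the byte-pattern scan the answer describes, written in C and run over a constructed 32-bit x86 code image instead of a live process (in a real tool the image would come from reading the target's memory). It shows why a signature must match exactly once, and how the globalVar operand is read out of MOV EAX, globalVar once the match is found; the "55 8B EC A1 ?? ..." signature syntax and the sample bytes are my assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { uint8_t value; int wildcard; } PatByte;  /* "??" = wildcard, matches any byte */
/* Parse a signature such as "55 8B EC A1 ?? ?? ?? ?? 5D"; returns byte count, 0 on error. */
static size_t parse_pattern(const char *sig, PatByte *out, size_t max) {
    size_t n = 0;
    for (; n < max; n++) {
        while (*sig == ' ') sig++;
        if (*sig == '\0') break;
        if (*sig == '?') { out[n].wildcard = 1; out[n].value = 0; sig += (sig[1] == '?') ? 2 : 1; }
        else {
            unsigned v; if (sscanf(sig, "%2x", &v) != 1) return 0;
            out[n].wildcard = 0; out[n].value = (uint8_t)v; sig += 2;
        }
    }
    return n;
}
/* Count matches of sig in a memory image (a usable signature yields exactly 1); *first = offset of first hit. */
static size_t scan_pattern(const uint8_t *mem, size_t len, const char *sig, size_t *first) {
    PatByte pat[64];
    size_t plen = parse_pattern(sig, pat, 64), hits = 0;
    if (plen == 0 || plen > len) return 0;
    for (size_t i = 0; i + plen <= len; i++) {
        size_t j = 0;
        while (j < plen && (pat[j].wildcard || mem[i + j] == pat[j].value)) j++;
        if (j == plen && hits++ == 0 && first) *first = i;
    }
    return hits;
}
/* Decode the little-endian 32-bit address operand of "MOV EAX, globalVar" (opcode A1) located at off. */
static uint32_t mov_eax_operand(const uint8_t *mem, size_t off) {
    return (uint32_t)mem[off + 1] | (uint32_t)mem[off + 2] << 8 | (uint32_t)mem[off + 3] << 16 | (uint32_t)mem[off + 4] << 24;
}
/* Constructed sample image (not from any real program): two getters sharing the answer's PUSH EBP / MOV EBP,ESP /
   MOV EAX,globalVar / POP EBP body; they differ only in the operand and in the instruction that follows. */
static const uint8_t g_image[] = {
    0x90, 0x90, 0x55, 0x8B, 0xEC, 0xA1, 0x10, 0x20, 0x40, 0x00, 0x5D, 0xC3,             /* getter A: RET   */
    0xCC, 0xCC, 0x55, 0x8B, 0xEC, 0xA1, 0x30, 0x20, 0x40, 0x00, 0x5D, 0xC2, 0x04, 0x00, /* getter B: RET 4 */
    0xCC };

int main(void) {
    size_t off = 0;
    size_t loose = scan_pattern(g_image, sizeof g_image, "55 8B EC A1 ?? ?? ?? ?? 5D", &off);    /* 2 hits: too generic */
    size_t tight = scan_pattern(g_image, sizeof g_image, "55 8B EC A1 ?? ?? ?? ?? 5D C3", &off); /* 1 hit: usable      */
    printf("loose: %zu hits (not unique); tight: %zu hit at offset %zu, globalVar = 0x%08X\n",
           loose, tight, off, (unsigned)mov_eax_operand(g_image, off + 3)); /* the A1 opcode sits 3 bytes into the match */
    return 0;
}
```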
