a yo dance


Upload: api-3738469

Post on 11-Apr-2015


======================================================================
Hello to everyone! Hope you guys know the game Audition. I am wondering why no one here in the forum is trying to make such a hack for it. I got one tutorial, but sad to say it is written in the Vietnamese language (which I can't even understand), but I think you guys who have a lot of experience with game hacking can easily understand what it is all about from the given pictures. Here is the tut in Vietnamese language:

Preface.

1. Launch.
Sự Nghe, Stoutly who' s also known, Trò chơi trực tuyến Of vtc, children donation embossed t'ing buoyancy albow 2 and bestowal 3). What rumble ad on VTC, be Trò chơi 5 is stellar, such as musical, fashion. <--- listen to banana forsooth.
There Will have questioner why Trò chơi Do turbid sock give many poses to children that I am played? Reason here ko fải is gaming for the hell of it, for paries pro, which is played to know law, is sad. Bboy then fải example made Về đích Di chuyển 3 Beautiful novum, 178 8 K Nabla(toán tử nabla) It be khủng rank, vv.vv.
Knowing the rules and the way of playing, what is it for? The final purpose here is to make an autoplay: a program that plays by itself in some sense. Anyone who has watched others play Audition will see that with faster songs the player must look and press quickly. Of course the music can get faster, but a player can only reach a certain threshold, the limit; going faster than that is not possible even if one wants to. A machine, though, is not a person. Play Ô tô chơi Its machine is squeeze for med, N

2. A couple of screenshots:
In the normal beat mode, the player needs to press a series of arrow keys and then press Space at the right moment ---> the way of playing is very simple.
Below are a couple of screenshots (not from Audition VN, but it is the same in AuVN).
(Note the position of the arrows to press.)

4 arrow key:


8 arrow key+ chance mode:


Finish move 8 key:

I have posted a number of screenshots to stress that the arrows to be pressed always sit in one fixed region. Exactly where that position is will be discussed concretely in the following posts B-)

3. Purpose.
This series of articles presents the techniques used in my autoplay program and my trial-and-error process of analysing Audition VN. It also aims to guide everyone in analysing Audition and writing an autoplay program for it themselves. Of course, not everyone can write such a program alone. To get a basic program working you need to know at least the following:
- The concept of DLL import/export.
- The DirectInput SDK.
- A number of basic GDI functions.
- A number of other common API functions such as keybd_event, SendInput, SendMessage.
In addition, at the time of this post there is an article "How to write a Perfect hack program for Audition yourself" at this place. However, it shares only the tip of the iceberg. In particular the essential part, writing the DLL code, has no guidance.
In the past (when DX not already in 4 vn) there was also a 4 vn group that made "AuMod", chiefly by patching the Audition process to C

II. Implementation.

1. First analysis steps.
A basic autoplay program for Audition can easily be seen to have 2 main functions:
- "Read" the keys to be pressed that Audition shows on screen.
- "Press" the keys corresponding to the sequence that appeared. Of course, "pressing" here means the autoplay program presses for the user.
OK, so we now know there are these 2 main functions. Looking through VTC's Audition directory we see:

- Directory ABM: contains the music files used by Audition, in its own format.
- Directory Data: contains the data files, probably the textures, character models, clothes and dance-floor models.
- Directory HSHIELD: contains the files of HackShield. HackShield is the mechanism that defends the game client against other processes "poking" into it. This is an object that deserves a lot of attention. However, it seems HackShield has not fully done its job, since my autoplay and 4 vn's AuMod have already "poked" in.
- Directory RECDATA: contains the replay files, so that players can review their own dances.
- Directory SCREENSHOT: contains the screenshots taken during play.
- Directory Scripts: contains the scripts of the game.
- Directory Sound: contains the basic sound files. Almost all of them are mp3 and wav, so they can be listened to.
- Directory Temp: just what its name says.

OK. Next, look at the file audition.exe.
The sections of the file:

- The first 2 sections are AHNLAB0 and AHNLAB1 :-?

Hex view of the beginning of the file:

There is the text "UPX"! Most likely this file is compressed with UPX.

Look at the code at the entry point:

This is indeed UPX ( http://upx.sourceforge.net ).

I unpacked this file by hand with OllyDbg, LordPE and ImpREC, then looked at the list of DLLs it needs:

It uses dinput8.dll, which means it uses DirectInput to receive key presses from the keyboard. It also uses fmod.dll, the FMOD library ( http://fmod.org ), to manage the playing of music files.

2. "Read" the keys (Read "Key")

As described in the previous post, the first function to implement is "reading" the keys. I wrote code that reads the colour of a pixel in the Audition window, in VC++, as follows:

Code:
#include <windows.h>

HWND hWnd = FindWindow(NULL, "Audition"); // find the Audition window
HDC hdc = GetWindowDC(hWnd); // get the device context of the window
DWORD dwColor = (DWORD) GetPixel(hdc, 200, 200); // read the colour of the pixel at window position (200, 200)

However, the dwColor value I always received was 0 (zero)!! There was some problem with the code above. I tried leaving Audition aside and reading a pixel of a different window (Notepad, for example), and the colour I read was correct. This means Audition does not allow another program to "read" the pixels of its window.
The reason might be that Audition runs in full-screen mode, so that "GetPixel" cannot work. Through Google I found a way to run Audition in windowed mode: the program "dxWnd" allows a program that uses DirectX to run without going full screen.

http://gamevn.com/showpost.php?p=4285966

I downloaded it, configured it and ran a test. Audition ran in windowed mode, but "GetPixel" still did not work. I found this program convenient anyway, since it lets me run Audition and other programs at the same time, so I decided to keep using it.
After a couple of days of trying without success, I changed the program somewhat: copy the whole screen area into memory (a screenshot!)

Code:
// init DC & bmps
HWND hWindow = GetDesktopWindow();
HDC DC = GetWindowDC(hWindow);
RECT Rect;
GetWindowRect(hWindow, &Rect);
int nWidth = Rect.right;
int nHeight = Rect.bottom;
HBITMAP hBmp = CreateCompatibleBitmap(DC, nWidth, nHeight);
HDC hMemDC = CreateCompatibleDC(DC);
SelectObject(hMemDC, hBmp);
BitBlt(hMemDC, 0, 0, nWidth, nHeight, DC, 0, 0, SRCCOPY);

and only then "GetPixel" in this memory region:

Code:
COLORREF nColor = GetPixel(hMemDC, 200, 200);

This time it worked. Next I worked out the position of the "arrows" on screen. I took a few screenshots, then opened them in Paint, zoomed in and turned on the grid to make them easier to view:

Each "key" (arrow) is enclosed in a circle 31 pixels in diameter, the circles are 3 pixels apart, and the arrow row always begins at row number 419, in every position. So the formula for the X coordinate of the start of circle Idx among Num circles is:

Code:
nSize = Num * 31 + (Num-1) * 3; // 31px per circle and 3px per circle padding
X = 400 - (nSize/2) + (Idx-1) * 31 + (Idx-2) * 3 + 2; // +2 to fix up

Where:
nSize: the total length along the X axis of the Num circles.
400: the X coordinate of the central axis of the Audition window, since the Audition window is 800x600.
After calculating the start position of the circles, we go on to determine the arrow in each circle with GetPixel at a number of inner points.

For instance, for the up arrow I GetPixel at the positions of the points coloured red:

The down arrow follows the same principle:

The same goes for the other arrows. Choose the points for the 8 arrows carefully so that the arrows are not confused with one another and not too many pixels need to be read. If the pixels read are all white (RGB values greater than 200), that arrow is considered detected.

That completes "reading" the arrows on screen. For convenience, inside the game the autoplay program can wait for a key press from F1 to F9 (using the GetAsyncKeyState function for simplicity): F1 corresponds to 1 arrow, F2 to 2 arrows, ... F9 to 9 arrows (this arrow count is the "Num" in the code above that finds the circle positions).
Of course, once the basic program is finished, it can be extended to detect the number of arrows on screen automatically. That is simple enough that I will not go into detail here.
Still bothered that "GetPixel" directly on the Audition window did not work, I went back to that problem. Audition itself probably does not block calls to "GetPixel"; surely it was HackShield that blocked mine.
Going back to the HackShield website, the Features page has a feature comparison of the different HackShield versions:

see here: http://hackshields.com/product.html

I saw no feature for blocking pixel reads. I think it blocks a number of API functions in general rather than pixel reads specifically. Going back to the HSHIELD directory, there are the following DLL files:

Code:
Directory of D:\Program Files\VTCGame\Audition\HSHIELD

06/29/2006 01:41 PM 178,273 EGRNAP.dll
06/29/2006 01:41 PM 95,232 EGRNAPX2.dll
01/19/2007 11:06 AM 447,071 EhSvc.dll
11/10/2006 05:15 AM 20,480 psapi.dll
01/04/2007 01:13 PM 131,153 v3pro32s.dll

One slightly unusual thing: after the Audition process has exited, the file EGRNAPX2.dll still cannot be modified (I noticed this when I happened to use Hiew to hex-edit it right after quitting Audition). This means the file EGRNAPX2.dll is still loaded somewhere.

I used LordPE to view the list of DLL files loaded in a Notepad process while Audition was running:

Sure enough, EGRNAPX2.dll is loaded into other processes. Probably HackShield hooks them in order to patch the calls to a number of functions. I examined this file:

Again there is the text "UPX!". This one is also packed with UPX. Of course it has been modified a little, so it cannot be decompressed directly with UPX. So I changed bit 13 in the Characteristics field to turn the DLL file into an EXE file that can be loaded and debugged in OllyDbg. Then I used OllyDbg, LordPE and ImpREC to unpack it, and found a number of strings:

Code:
AHNLAB1:1002A2B8 aTextoutw db 'TextOutW',0
AHNLAB1:1002A2C4 aTextouta db 'TextOutA',0
AHNLAB1:1002A2D0 aLineto db 'LineTo',0
AHNLAB1:1002A2D8 aBitblt db 'BitBlt',0
AHNLAB1:1002A2E0 aGetpixel db 'GetPixel',0
AHNLAB1:1002A2EC aGetdcex9x db 'GetDCEx9x',0
AHNLAB1:1002A2F8 aGetdc9x db 'GetDC9x',0
AHNLAB1:1002A310 aEnablewindow db 'EnableWindow',0
AHNLAB1:1002A320 aShowwindow db 'ShowWindow',0
AHNLAB1:1002A32C aGetwindowdc db 'GetWindowDC',0
....

This is probably the list of API functions that it blocks. It includes GetPixel, GetWindowDC, SendMessageA, PostMessageA, SendMessageW, PostMessageW, keybd_event and SendInput. It blocks quite a lot, almost all of them functions that serve automation. That is why my earlier attempts to fake key presses with keybd_event and SendInput did not succeed.

3. "Press" the keys (Send "Key")

This can be said to be the most complicated part of the whole process of making an autoplay tool. As said in the previous post, HackShield hooks into other processes (as many as possible) and blocks a number of API calls related to automation (such as faking key presses). HackShield blocks an API call with a jmp instruction inserted at the head of the API function, jumping to a memory region that contains the code monitoring the call.
Of course there is a way to overcome this blocking: the autoplay program restores the instructions at the head of these functions, in the autoplay process, to normal. The autoplay program only needs to run before HackShield is loaded, when we still have the original instructions, and record them; later, once HackShield has been loaded, we restore them. That way keybd_event and SendInput can be used. I have not tried this, so I do not know whether HackShield continuously re-checks the instructions at the head of the API functions or not.
I did not implement this way because, supposing it worked, in order to autoplay I would still have to put focus on the Audition window ( For pseudo keybd_event and SendInput ng.

The second way to fake key presses is to fake DirectInput. This way is more complicated but has many advantages:
- Key presses can be faked without the Audition window needing focus. You can chat and autoplay at the same time ^^.
- The program is simple and easy to update with additional functions.
- There is a DLL inside the Audition process, which is very convenient for modifying this process's memory contents (if necessary ^^). The autoplay program can easily communicate with this module through FileMapping or a pipe (my autoplay uses both).

The normal Audition process communicates with the keyboard as follows:
(Drawn in Paint, so it is a bit ugly -_- please bear with it!)

Audition uses DirectInput to receive the arrow keys, while it uses Windows messages to receive the remaining keys, such as a..z and 0..9 for chat, and Space/Ctrl to perform the dance moves. (I do not understand why it has to be split like that either, but never mind; as long as the autoplay works, that is fine ^^).
Once DirectInput has been faked, Audition will communicate with the keyboard like this:

The MyDirectInput module receives control commands from the main autoplay program and passes them to Audition. It also still receives the key-press results from the real DirectInput. So MyDirectInput plays a very important role in the autoplay program.
The principle is as above, but implementing it is somewhat complicated:
- Keep a copy of the file dinput8.dll as orgdinput8.dll (it is in the system32 directory).
- Make a fake DLL named dinput8.dll that exports the function DirectInput8Create.
The hardest part of this section is writing the code of dinput8.dll so that it works, that is, so that it returns to Audition everything it receives from the orgdinput8.dll module (the real DirectInput) and what it receives from the main autoplay program.

As the DirectX SDK says, DirectInput is a COM object, so rewriting all of its methods is quite complicated, especially for people who have not

I googled for faking key presses to applications that use DirectInput and found a library, DirectInputHook, on gamedev.net. It is similar, but it works by a hooking mechanism, so it does not work against HackShield. I changed it a little to fit the requirements of the autoplay. That is, it exports the function DirectInput8Create, and in this function:
- Call DirectInput8Create of orgdinput8.dll to create the real DirectInput object.
- Check whether the application calling DirectInput8Create is Audition; if so, create an object of a self-defined class derived from the DirectInput class, with all of its methods. Each method returns exactly the result received from the real DirectInput object, except the "GetDeviceData" method. This is the method Audition uses to receive keys from DirectInput (most applications that use DirectInput use this method).
- Use a memory region shared with the main autoplay program via the file mapping technique, and also use a pipe to receive control from the program. Each time the GetDeviceData method is called, it checks whether the pipe has data; if so, it takes the data out and returns it to Audition.

In short, with DirectInput faked like this, arrow key presses can be faked for Audition. As for the Space key, Audition receives it through normal Windows messages (here WM_KEYDOWN and WM_KEYUP).
However, HackShield blocks the functions SendMessageA, SendMessageW, PostMessageA and PostMessageW. In the past I faked the Space key press as follows:
- When the fake DirectInput module is loaded, record the bytes at the head of the keybd_event function in the Audition process.
- When the fake DirectInput8Create function is called, restore the bytes at this head.
- Create an event and wait for it; when the autoplay program sets this event, call keybd_event inside the Audition process to fake the Space key.
This way works well, but it still has the flaw that keybd_event requires focus on the Audition window, so it is still inconvenient.
Recently I happened to see in MSDN the API function SendNotifyMessage, which has nearly the same function as SendMessage. It works very well: just use it to send WM_KEYDOWN and WM_KEYUP to the Audition window. That way my current autoplay does not need focus on that window at all, and one can chat and autoplay at the same time, as long as the arrow region can be "seen",

4. Some other techniques.
If you have code for a basic autoplay from sections 1, 2 and 3 above, it still lacks a number of features: determining when to press Space, determining the song's bpm, determining when the song ends so as to stop the autoplay, ... In addition there is one feature that deserves a lot of attention, "perfect x".
All of the capabilities above rely on the fmod library, since Audition itself uses this library entirely.
To determine when to press Space we need the current song's bpm. Depending on the version, it lies at a different position in the Audition process. In the current version 6019 of AU VN the address holding the bpm is 0x819E58. The bpm is a 4-byte real number (float type). Finding this address is not difficult: choose a song, enter the dance, dump (use the fake DirectInput itself to dump) and search in it.
Once you have the bpm, it is easy to compute the number of milliseconds for each Space press as follows:

Code:
dwAverageFinalTime = Round((1 / (StrToInt(GetText(dwEBBPM)) / 60)) * 4 * 1000)

Just fake Space according to that and it's okie.
Wishing everybody success!!


/** END OF TUTORIAL **/

============================================================================================================================================
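
An added example, not part of the original tutorial or of any tool it names: a small Python PE-header triage that reports what the tutorial finds by hand, namely the non-standard section names (AHNLAB0, AHNLAB1), the "UPX!" text near the start of the file, and bit 13 of the Characteristics field that marks a DLL. The sample images are constructed in the script (the third section name and the Characteristics values are assumptions), and the UPX check is a plain byte-search heuristic.

```python
import struct

IMAGE_FILE_DLL = 0x2000  # bit 13 of the COFF Characteristics field
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc",
                     ".idata", ".edata", ".bss", ".tls", ".pdata"}


def build_sample_pe(section_names, characteristics):
    """Constructed sample: PE headers only, with zeroed section entries."""
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x014C, len(section_names),
                       0, 0, 0, 0xE0, characteristics)
    optional = b"\x00" * 0xE0  # placeholder optional header
    table = b"".join(n.encode("ascii").ljust(8, b"\x00") + b"\x00" * 32
                     for n in section_names)
    # Packer marker placed after the section table, as a constructed stand-in.
    return dos + b"PE\x00\x00" + coff + optional + table + b"UPX!" + b"\x00" * 16


def triage(data):
    """Return header facts useful for packer triage of a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size  # section table follows the optional header
    names = []
    for i in range(nsect):
        raw = data[table + 40 * i: table + 40 * i + 8]
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\x00").decode("ascii", "replace"))
    return {
        "sections": names,
        "nonstandard_sections": [n for n in names if n not in STANDARD_SECTIONS],
        # Heuristic: marker text in the first 4 KiB or UPX-style section names.
        "upx_marker": b"UPX!" in data[:0x1000]
                      or any(n.startswith("UPX") for n in names),
        "is_dll": bool(chars & IMAGE_FILE_DLL),
    }


# Constructed inputs: section names AHNLAB0/AHNLAB1 come from the tutorial,
# ".rsrc" and the Characteristics values are assumptions for the sample.
SAMPLE_EXE = build_sample_pe(["AHNLAB0", "AHNLAB1", ".rsrc"], 0x010F)
SAMPLE_DLL = build_sample_pe(["AHNLAB0", "AHNLAB1", ".rsrc"], 0x210E)

if __name__ == "__main__":
    for label, image in (("exe", SAMPLE_EXE), ("dll", SAMPLE_DLL)):
        print(label, triage(image))
```

Renamed sections with a packer marker still present, as here, are a common sign that a stock packer was modified, which matches the tutorial's remark that the file could not be decompressed directly with UPX.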