

hello to everyone!
hope you guys know the game Audition. I am wondering why no one here
in the forum is trying to make such hack for it. I got one tutorial but
sad to say because it is written in Vietnamese language (where I can't
even understand) but I think for you guys who has a lot of experience
with game hacking, you can easily understand what was all about in the
given picture. here is the tut in Vietnamese language:

1. Launch.
Sự Nghe, Stoutly who' s also known, Trò chơi trực tuyến Of vtc,
children donation embossed t'ing buoyancy albow 2 and bestowal 3).
What rumble ad on VTC, be Trò chơi 5 is stellar, such as musical,
fashion. <--- listen to banana forsooth. .
There Will have questioner why Trò chơi Do turbid sock give many poses
to children that I am played? Reason here ko fải is gaming for the
hell of it, for paries pro, which is played to know law, is sad. Bboy
then fải example made Về đích Di chuyển 3 Beautiful novum, 178 8 K
Nabla(toán tử nabla) It be khủng rank, vv.vv.
Know ruse law, type plays #PP,. để what perform the duties of? sake
last that here be make tự động trò chơi-- program play according to
some 1 senses himself. If who go through look up other played Sự Nghe
Will see, with more fast songs, claw player must viewed and fast
press. Of course, tense music is might quickly acquired, final
particle with player only come to one more threshold which that that
is up to limiter, wished fast also ko đc. Machine final particle had
right where People.gif). Play Ô tô
chơi Its machine is squeeze for med, N
2. One a couple screenshots:.
ở cadence regime played normal, arrow buttons player need to pressed 1
series, later on arrivals continue to press không gian---> way played
is very simple.
Back this is 1 a couples screenshots (ko fải of such button Nghe VN
but In also ranked AuVN).
(arrow to presses position attention)

4 arrow key:
8 arrow key+ chance mode:
Finish move 8 key:
I hold up a numbers of screenshots to insist arrows position need to
squeeze only In round 1 fixation region. Continue how position is
strict then pavilion Cái trụ Next will discussed is concrete B-)

3. Sake.
This written papers Series sends out techniquess was used in program Ô
tô chơi Of mine, process bringing is parsed gropingly of mine with
respect to Nghe VN. In addition who also telescope up to guide
everybody analysable and a program autographic Ô tô chơi Give Sự Nghe.
Of course must a such program ko who it is also possible to write
himself. Để obtain 1 master routines temporarily at least need to know
a number of problems :.
- The concept of DLL import/export.
- DirectInput SDK.
- A number of basic GDI functions.
- A number of other common API functions such as keybd_event,
SendInput, SendMessage.
In addition at instant Cái trụ This article are having 1 articles "
How to write 1 hack Pefect program Sự Nghe One's self donation " At
this place. However here just share is embossed of iceberg).
Especially essential Share writes mã dll then ko there is guideline).
In the past (when DX not already in 4 vn) also there is 4 vn group
implement " AuMod ", chiefly be Miếng vá Into course Sự Nghe To C

II. Exec.
1. First analysis steps.
With a basic autoplay program for Audition it is easy to see that
there are 2 main functions:
- "Read" the keys that Audition shows are to be pressed.
- "Press" the keys corresponding to the string that appeared. Of
course "pressing keys" here means the autoplay program "presses" for
the user.
OK, so we know there are 2 such main functions. Looking through the
Audition VTC directory we see:

- Directory ABM: contains the music files used in Audition, which have
their own format.
- Directory Data: contains the data files, probably the textures, the
character models, clothes and dance floor models.
- Directory HSHIELD: contains the HackShield files. HackShield is the
mechanism that defends the game client against other processes
"poking" into it. This is the item that deserves a lot of attention.
However, it seems HackShield has not fully done its job, since my
autoplay and 4vn's AuMod have managed to "poke" in :).
- Directory RECDATA: contains the replay files, so that players can
review their own dances.
- Directory SCREENSHOT: contains the game screenshots taken while
playing.
- Directory Những nguyên bản: Enclose pavilion Những nguyên bản In Trò
- Directory Sound: contains the basic sound files. Almost all are mp3
and wav, so they can be listened to.
- Directory Temp: just what its name literally means.
Ok. Next, looking at the file audition.exe:
The sections of the file:

- The first 2 sections are AHNLAB0 and AHNLAB1 :-?

Hex view of the start of the file:

There is the text "UPX"! Most likely this file is compressed with UPX.
Looking at the code at the entry point:

This is indeed UPX ( http://upx.sourceforge.net ).

I unpacked this file by hand with OllyDbg, LordPE and ImpREC, then
looked at the list of DLLs it needs:
It uses dinput8.dll, which means it uses DirectInput to receive key
presses from the keyboard. It also uses fmod.dll, the FMOD library
( http://fmod.org ), which handles playback of the music files.

2. "Reading" keys (Read "Key")

As said in the previous post, the first function to implement is
"reading" the keys. I wrote code that reads some pixels on the
Audition window, in VC++, as follows:


HWND hWnd = FindWindow(NULL, "Audition"); // find the game window
HDC hdc = GetWindowDC(hWnd); // get the window's device context
DWORD dwColor = (DWORD) GetPixel(hdc, 200, 200); // read the pixel colour at window position (200, 200)

However, the dwColor value that I receive is always 0 (zero)!! There is
some problem in the code above. I tried setting Audition aside and
reading a pixel of a different window (Notepad, for example), and the
colour I read was correct again. This means Audition does not let
another program "read" the pixels of the Audition window.
The reason might be that Audition runs in full-screen mode, so
"GetPixel" does not work. Googling for a way to run Audition in window
mode, I found a program, "dxWnd", that lets programs that use DirectX
run in a window instead of full (full

I downloaded it, configured it and did a test run. Audition now runs in
window mode, but "GetPixel" still does not work. I find this program
convenient because I can run Audition and other programs at the same
time, so I decided to keep using it.
After a couple of days of trying without success, I changed the
program a bit: copy the whole screen area into a memory buffer:


// init DC & bmps
HWND hWindow = GetDesktopWindow();
HDC DC = GetWindowDC(hWindow);
RECT Rect;
GetWindowRect(hWindow, &Rect);
int nWidth = Rect.right; // RECT members are lowercase
int nHeight = Rect.bottom;
HBITMAP hBmp = CreateCompatibleBitmap(DC, nWidth, nHeight);
HDC hMemDC = CreateCompatibleDC(DC);
SelectObject(hMemDC, hBmp);
BitBlt(hMemDC, 0, 0, nWidth, nHeight, DC, 0, 0, SRCCOPY); // copy the screen into the memory DC
and only then "GetPixel" in this memory region:


COLORREF nColor = GetPixel(hMemDC, 200, 200);

This time it worked. I set out to calculate the positions of the
"arrows" on screen. I took a few screenshots, then opened them in
Paint, zoomed in and turned on the grid to see them easily:
Each arrow is enclosed in a circle 31 pixels in diameter, and the
circles are 3 pixels apart from each other. The arrow row is at the
same position in every case, on row 419. So the formula for the X
coordinate of the start of circle number Idx among Num circles is:


nSize = Num * 31 + (Num-1) * 3; // 31px per circle and 3px per circle
X = 400 - (nSize/2) + (Idx-1) * 31 + (Idx-2) * 3 + 2; // +2 to fix up
Where nSize: the overall length along the X axis of Num circles.
400: the X coordinate of the central axis of the Audition window,
since the Audition window is 800x600 in size.
After calculating the start position of the circles, we can go on to
determine the arrow in each circle by GetPixel at a number of points
inside it.

For instance, for the up arrow I GetPixel at the points coloured red:

The down arrow follows the same principle:

Likewise for the other arrows. With 8 arrows, pick the points in the
same way so that the arrows are not confused with each other and the
number of pixels to sample stays small. If the pixels read are all
white (RGB values greater than 200), that arrow is considered detected.

That concludes "reading" the arrows on screen. For convenience in the
game, the autoplay program can wait for a key press from F1 to F9
(using the GetAsyncKeyState function for simplicity): F1 corresponds
to 1 arrow, F2 to 2 arrows, ... F9 to 9 arrows (the number of arrows
is "Num" in the circle-position code above).
Of course, once the main routine is finished, it can be extended to
detect the number of arrows on screen automatically. This is simple,
so I do not go into detail here.
The problem of "GetPixel" not working directly on the Audition window
kept bothering me, so I went back to it. Audition itself probably does
not block "GetPixel" calls; more likely HackShield handles them.
Going back to the HackShield website, the Features section has a
comparison of the different HackShield versions:

see here: http://hackshields.com/product.html

I did not see a function that blocks reading pixels. I think it
intercepts a number of API functions rather than specifically blocking
pixel reads. Going back to the HSHIELD directory, there are the
following DLL files:


Directory of D:\Program Files\VTCGame\Audition\HSHIELD

06/29/2006 01:41 PM 178,273 EGRNAP.dll
06/29/2006 01:41 PM 95,232 EGRNAPX2.dll
01/19/2007 11:06 AM 447,071 EhSvc.dll
11/10/2006 05:15 AM 20,480 psapi.dll
01/04/2007 01:13 PM 131,153 v3pro32s.dll

There is one notable thing: after exiting the Audition process, the
file EGRNAPX2.dll still cannot be modified (I discovered this when I
happened to open it with the Hiew hex editor right after exiting
Audition). This means the file EGRNAPX2.dll is still somewhere

I used LordPE to view the list of DLL files loaded into a Notepad
process while Audition was running:

Indeed, EGRNAPX2.dll is loaded into other processes. Probably
HackShield has hooked in to patch the calls to a number of functions.
I examined this file:
Again there is the text "UPX!". This one is packed with UPX. Of course
it was changed a little so that it cannot be decompressed directly by
UPX. So I changed the 13th bit of the Characteristics field to turn
the DLL file into an EXE file that can be loaded and debugged in
OllyDbg. Then I used OllyDbg, LordPE and ImpREC to unpack it, and
found some strings:


AHNLAB1:1002A2B8 aTextoutw db 'TextOutW',0
AHNLAB1:1002A2C4 aTextouta db 'TextOutA',0
AHNLAB1:1002A2D0 aLineto db 'LineTo',0
AHNLAB1:1002A2D8 aBitblt db 'BitBlt',0
AHNLAB1:1002A2E0 aGetpixel db 'GetPixel',0
AHNLAB1:1002A2EC aGetdcex9x db 'GetDCEx9x',0
AHNLAB1:1002A2F8 aGetdc9x db 'GetDC9x',0
AHNLAB1:1002A310 aEnablewindow db 'EnableWindow',0
AHNLAB1:1002A320 aShowwindow db 'ShowWindow',0
AHNLAB1:1002A32C aGetwindowdc db 'GetWindowDC',0

This is probably the list of API functions that it handles. Among
them are GetPixel, GetWindowDC, SendMessageA,
PostMessageA, SendMessageW, PostMessageW, keybd_event, SendInput. I
see it handles quite a lot, almost all the functions that serve
automation. That was the reason why previously I tried keybd_event and
SendInput to fake key presses without success

3. "Pressing" keys (Send "Key")

This can be called the most sophisticated part of the whole process of
making the autoplay tool. As said in the previous post, HackShield
hooks into different processes (as many as possible) and blocks a
number of API function calls related to automation (such as key
presses). HackShield handles an API function call with a jmp
instruction inserted at the head of the API function, which jumps to a
memory region containing the call-monitoring code.
Of course there is this way to bear down helpful that tackle: program
Ô tô chơi Restoring go back to command In this brevets head In course
Ô tô chơi For norm. Only need program Ô tô To run prior that when
HackShield is charged, we will have fiducial instruction statement,
this commands re-recording, later when admission HackShield đc, me kh.
Like that can use keybd_event and SendInput. I haven't been try
command rectification stout ko HackShield had continuous My this way
become In brevets API head or ko.
My that ko implement this way along of such, postulated is had Công
việc Tense for fiability Ô tô chơi To Me there must bottom Tiêu điểm
For window Sự Nghe ( For pseudo keybd_event and SendInput ng.

2 variant in order to can pretend to press touch be falsifies (đồ giả)

DirectInput. Good point this Way more sophisticated but abounded
- May be press touch pseudo at which ko is behoved Tiêu điểm For
window Sự Nghe. Just Tán gẫu Just Ô tô chơi To^^.
- Simple easy program update is functional additive.
- Have a DLL in course Sự Nghe. Too handily to correct this course
internal storage contents (if necessary^^). Program Ô tô chơi May be
easiness himself communicates wherewith Mô đun This Pass FileMapping
Or Cái ống ( Ô tô chơi Mine use 2 too)

Courses Audition Norm will communicate with keyboard as follows:.

(Equal Draw Sơn Ought to bad flatus - _- Spruce be touched,!)

Audition use DirectInput to sink arrow buttons, still take Windows

những thông báo to sink remaining touchs as một.z, 0.9 để serve tán
gẫu, and Không gian/ Ctrl to implement that times danced.
(my selves also ko understands why it have to parts such, but its
ledge elution, excusal be ô tô chơi body công việc it be all right
Tense pseudo the defendant Time DirectInput Sự Nghe There will
communicate with this such keyboard:

Module MyDirectInput will sink control command from programs Ô tô chơi

Main to port give Sự Nghe. In addition it also still receive touch
press results from fiducial DirectInput. Ergo MyDirectInput play all-
important in programs role Ô tô chơi.
Martinet be like that, but is to implement a bit sophisticated tense
somewhat of:.
- Abidance hồ sơ dinput8.dll become orgdinput8.dll (directory system32
- Make 1 pseudos DLL (Đồ giả) Use to name dinput8.dll, among them had
xuất khẩu brevet DirectInput8Create.
Share is most difficult live in this entries main is mã hồ sơ
dinput8.dll such that it act, this means, repayment give sự Nghe all
of what it receive from mô đun orgdinput8.dll (fiducial DirectInput)
and what receive literature reports ô tô chơi main. .

In DirectX SDK is have to say that know very muched, DirectInput it be

either a COM Đối tượng That, for enough of its possession method
quites sophisticated pose rewritten, especially regarding people ised

Already My that google with pseudo contents presss touch to

Application take DirectInput and I find 1 libraries DirectInputHook In
gamedev.mạng(lưới) it also by analogy like that but again acts
according to mechanism, cái móc ought to action ko with respect to
HackShield. I changed it that true a little demands riches Ô tô chơi.
Đó be xuất khẩu brevet DirectInput8Create, in this brevet:.
- Recall DirectInput8Create of orgdinput8.dll in order to create
DirectInput object is fiducial.
- Application monitoring are ring DirectInput8Create looked up had
right Nghe ko, if any create a object preserve oneself defined descend
from DirectInput class, have enough of socking. .
Each method returnned is true received result from DirectInput object
is fiducial, modal subduction " GetDeviceData ". Đâmain medicine is
what method sự Nghe be used to sink touch from DirectInput. (most
application program takes this equilateral DirectInput using method).
- Use general remembrance region with program Ô tô chơi Main with
techniques ánh xạ hồ sơ, In addition still use mechanism Cái ống To
sink control from programs. Each time is ben ring method GetDeviceData
will testted looked up Cái ống Have ko data, if any be to demount and
return donation Sự Nghe

In short, get ditto pseudo DirectInput be could pretend to press arrow

key give Sự Nghe To. Privately with respect to touch Không gian, sự
Nghe Use Windows Những thông báo It is normal (Situated that this is
WM_KEYDOWN and WM_KEYUP) to receive. .
Nevertheless, HackShield stop brevets SendMessageA, SendMessageW,
finis PostMessageA, PostMessageW. In the past I am pinchbeck that
press touch Không gian As follows :.
- When pseudo mô đun DirectInput is Instantiated, writing go back to
pavilion Bai Keybd_event brevet's head in course Sự Nghe Again.
- When pseudo DirectInput8Create brevet is called, restoring go back
to pavilion Bai This head.
- Create a sự kiện and wait for this sự kiện, when program Ô tô This
sự kiện laying himself ring course internal keybd_event Sự Nghe To
touch pseudo Không gian.
Fine action this Way, however still meet with blemish is keybd_event
use ought to right Tiêu điểm Into window Sự Nghe To become still
Near here I at random in MSDN newly see API SendNotifyMessage brevet
there is function Anigh like SendMessage. Use very efficiently, just
take it send WM_KEYDOWN and WM_KEYUP to window Sự Nghe Be. Like that Ô
tô Present of mine completely ko need to layed Tiêu điểm Into those
window, fit Tán gẫu Just Ô tô chơi Excusal is " seen " for ch arrow
region right,

4. A number of other techniques.

If you have the code of a basic autoplay with items 1, 2 and 3 above,
it still lacks a number of features: determining when to press Space,
determining the song's bpm, determining when the song ends in order
to stop the autoplay. In addition there is one feature that deserves a
lot of attention: "perfect x".
All of these capabilities are based on the fmod library, since
Audition itself uses this library throughout.
To determine when to press Space we need the current song's bpm.
Depending on the version, it lies at different positions in the
Audition process. In the current 6019 version of AU VN the bpm
address is 0x819E58. The bpm is a 4-byte real number (Float). Finding
this address is not difficult: choose a song, enter dance only, make
a dump (using the fake DirectInput itself to dump) and search in it.
Once the bpm is known, the number of milliseconds (ms) for each press
of Space is easy to compute as follows:

dwAverageFinalTime = Round((1 / (StrToInt(GetText(dwEBBPM)) / 60)) * 4 * 1000)
Just fake Space according to that and it is okie.
Have service success everybody in the house!!
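
The static checks the tutorial does by eye (section names in the header, the "UPX!" text, the DLL bit in Characteristics) can be scripted for triage of packed binaries. This is an added example, not part of the original post; the sample header is constructed, and its sizes and addresses are made up.

```python
import struct

IMAGE_FILE_DLL = 0x2000          # bit 13 of the COFF Characteristics field
SCN_EXECUTE, SCN_WRITE = 0x20000000, 0x80000000
SECTION = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes

def triage_pe(data: bytes) -> dict:
    """Report section names, the DLL flag and UPX packing hints for a PE image."""
    if data[:2] != b"MZ" or len(data) < 0x40:
        raise ValueError("not an MZ image")
    (pe_off,) = struct.unpack_from("<I", data, 0x3C)      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0" or len(data) < pe_off + 24:
        raise ValueError("missing PE signature")
    _, nsect, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, pe_off + 4)
    table = pe_off + 24 + opt_size        # section table follows the optional header
    if table + nsect * SECTION.size > len(data):
        raise ValueError("truncated section table")
    names, empty_wx = [], []
    for i in range(nsect):
        f = SECTION.unpack_from(data, table + i * SECTION.size)
        name = f[0].rstrip(b"\0").decode("ascii", "replace")
        names.append(name)
        raw_size, flags = f[3], f[9]
        # A packer stub unpacks into a section that has no bytes on disk
        # and is both writable and executable (UPX0 in a stock UPX file).
        if raw_size == 0 and flags & SCN_WRITE and flags & SCN_EXECUTE:
            empty_wx.append(name)
    return {
        "sections": names,
        "is_dll": bool(chars & IMAGE_FILE_DLL),
        "upx_marker": b"UPX!" in data[:4096],   # heuristic; survives section renaming
        "empty_wx_sections": empty_wx,
    }

def build_sample(characteristics: int = 0x2102) -> bytes:
    """Constructed minimal PE32 header with renamed packer sections (not a real file)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, characteristics)
    s0 = SECTION.pack(b"AHNLAB0", 0x20000, 0x1000, 0, 0x400, 0, 0, 0, 0, 0xE0000080)
    s1 = SECTION.pack(b"AHNLAB1", 0xB000, 0x21000, 0xAE00, 0x400, 0, 0, 0, 0, 0xE0000040)
    return bytes(dos) + b"PE\0\0" + coff + bytes(0xE0) + s0 + s1 + b"UPX!" + bytes(28)

if __name__ == "__main__":
    print(triage_pe(build_sample()))
```

Renamed sections alone do not hide the packer: the marker and the empty writable-executable section still flag the file for unpacking before further analysis.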


