
按键精灵内存源码例子


》》》》》自己某游戏公开课实录,玩High按键内存,免得别人先公布,毕竟版权是自己的,无私奉献》》》》》
类人猿技术版权Q:578052137
// Resolves the address of an exported function inside a DLL already loaded
// by the process that owns window `hwnd`.
//   Fun_Name : export name to look up
//   Dll_Name : module name the export lives in
// Returns the resolved address as a hex string (Hex(value)); "0" if the
// stored result was zero.
// Relies on globals not shown here: hwnd (set at top level), and the
// plugin objects LibE / Runer whose semantics are only known from the
// author's comments.
// Shape of the routine: allocate memory in the target process, write the
// export name there, assemble a GetProcAddress(module, name) call, execute
// it inside the target, read the result back. That allocate / write /
// remote-execute / read sequence is the same pattern that host-based
// monitoring of cross-process activity looks for.
FunctionGetGameDLLFunAddr(Fun_Name,Dll_Name)//1st parameter: function name; 2nd parameter: DLL name
DimAddr_GetProcAddress
// Address of kernel32!GetProcAddress, obtained through the LibE helper
// (note the top-level script uses a different helper, Lib.AsmCode...API).
Addr_GetProcAddress = LibE.AsmCode.获取函数地址A("kernel32.dll","GetProcAddress")
//TracePrint "Addr_GetProcAddress:"&Hex(Addr_GetProcAddress)
// Base address of Dll_Name in the target process.
base_addr = Runer.GetModuleBaseAddr(hwnd,Dll_Name)
//TracePrint "dll的基地址= "&Hex(base_addr)
addr = Runer.VirtualAllocEx(hwnd, 0, 200,0) //200 bytes allocated in the target for the function name
//TracePrint HEX(addr)
addr4 = Runer.VirtualAllocEx(hwnd, 0, 4,0)//4 bytes used to hold the call's return value
//TracePrint HEX(addr4)
// Write the export name into the target at `addr`
// (statement kept exactly as posted; the missing space before hwnd is in the original).
Runer.WriteStringhwnd,cstr(hex(addr)),0,Fun_Name//function name
Runer.AsmClear //author's note: "this one is correct"
// Assemble GetProcAddress(base_addr, addr): arguments pushed right-to-left.
Runer.AsmAdd "push 0x" &hex(addr)
Runer.AsmAdd "PUSH 0X" &Hex(base_addr)
Runer.AsmAdd "call 0x"&Hex(Addr_GetProcAddress)
Runer.AsmAdd "mov [0"&HEX(addr4) & "],eax" //store the return value (eax) at addr4
Runer.AsmCall hwnd, 1//author's note: 0 = local call, 1 = execute in the remote process
// Read back the value GetProcAddress stored at addr4.
value = Runer.ReadInt(hwnd, HEX(addr4), 0)
//TracePrint "获取函数地址是:"& Hex(value)
GetGameDLLFunAddr= Hex(value)
// NOTE(review): only `addr` is released here; `addr4` is never freed.
Runer.VirtualFreeEx hwnd,addr
End Function
// Locates an address (or the value stored at it) by byte-pattern search
// inside one module of the target process.
//   模块名   : module whose address range is scanned
//   最大范围 : scan length in bytes, added to the module base
//   偏移     : offset added to the first hit (author's note: decimal)
//   特征码   : byte pattern handed to Runer.FindData
//   数值种类 : 0 -> return the computed address, 1 -> return the integer
//              read at that address; any other value returns 0
// Returns 0 when 数值种类 is neither 0 nor 1. If the outer If is not
// entered the function returns its default (unassigned) value.
// Uses globals hwnd, Runer and Lib, which are not defined in this listing.
Function 特征码定位地址(模块名, 最大范围, 偏移, 特征码, 数值种类)//author's note: offset is decimal; return kind 0 = address, 1 = value
base_addr = Runer.GetModuleBaseAddr(hwnd,模块名)
// Range string in the form "start-end", both in hex, as FindData expects.
范围 =Hex(base_addr) & "-" & Hex(base_addr + 最大范围)
TracePrint 范围
特征码= Replace(特征码,"","")//author's note: meant to strip spaces from the pattern
result = Runer.FindData(hwnd,范围,特征码)
// Hits come back as one string separated by "|".
result = split(result,"|")
count = ubound(result)+1
// NOTE(review): count is ubound+1, so it is at least 1 even when FindData
// returned an empty string — confirm what FindData returns on no match.
traceprint "找到"&count&"个地址"
TracePrint result(0)
If count>0 then
// First hit (hex string) converted to decimal, then offset applied.
ret1 = Lib.算法.十六进制转十进制(result(0))
ret2 = 偏移
定位地址值 = int(ret1) + int(ret2)
If 数值种类=0 Then
特征码定位地址 = 定位地址值
TracePrint "call的的地址是:" & Hex(定位地址值)
ElseIf 数值种类=1 Then
// Read the integer stored at the computed address in the target process.
value = Runer.ReadInt(hwnd, Hex(定位地址值), 0)
TracePrint "最终定位得到的数值:" & Hex(value)
特征码定位地址 = value
Else
TracePrint "出错,没有找到任何数值"
特征码定位地址 = 0
End if
End If
End Function
// Top-level script: find the target window, resolve a few addresses, then
// run the batch routine. `hwnd` used inside the functions above is this
// same variable (the script language is case-insensitive, as the mixed
// Hwnd / hwnd spelling here suggests).
Hwnd = Plugin.Window.Find(0, "【XXXX】")
// Resolved through Lib.AsmCode...API here, while GetGameDLLFunAddr
// resolves it again internally through LibE.AsmCode...A; this top-level
// value is not referenced elsewhere in the visible code.
Addr_GetProcAddress = Lib.AsmCode.获取函数地址API("kernel32.dll","GetProcAddress")
//resolve a named (plain-text) export in the remote process
名字_地址 = Runer.VirtualAllocEx(hwnd,0,50,0) //50-byte allocation in the target; not used again in this listing and never freed
TracePrint Hex(名字_地址)
怪物基地址值 =GetGameDLLFunAddr("?g_objPlayerSet@@3VCGamePlayerSet@@A","3Drole.dll") //author's note: monster / NPC / player base address
TracePrint 怪物基地址值
// The value resolved above is only printed; the routines below use the
// hard-coded addresses that follow. 怪物基地址 is a hex *string*, the
// other two are numeric (&H) literals.
怪物基地址 = "012EC450"
人物基地址 = &H12EC47C
交朋友基地址=&H12EC420
// Resolved but not used: MakeFriends calls through 交朋友基地址 instead.
交朋友call =GetGameDLLFunAddr("?MakeFriend@CHero@@QAEHKH@Z","3Drole.dll")
TracePrint "个体技能call="& 交朋友call
Call 批量交好友()
// Iterates over the entries of the list rooted at 怪物基地址 and calls
// MakeFriends once per entry ID.
// Globals read: hwnd, 怪物基地址 (hex string set at top level), Runer.
// `i` is not declared with Dim, so it becomes an implicit global.
Function 批量交好友() //Q:578052137
Dim 怪物数量
dim 玩家ID
// Entry count read from [怪物基地址]+0x40.
怪物数量 = Runer.ReadInt(hwnd,"["&怪物基地址&"]+0x40",0)
TracePrint 怪物数量
i=0
// Appears to be the script engine's "repeat N times" loop form — confirm.
For 怪物数量
// Pointer chain: [[[base]+0x20] + i*4] + F4, i.e. element i of a table
// of pointers, then a fixed field of that element.
玩家ID = Runer.ReadInt(hwnd, "[[[" & 怪物基地址 &"]+0x20]+" & Hex(i * 4) & "]+F4", 0)
TracePrint Hex(玩家ID)
Call MakeFriends(玩家ID)
Delay 300 // 300 (presumably milliseconds) between iterations
i = i + 1
Next
End Function
// Assembles a small stub and executes it inside the target process
// (AsmCall mode 1, per the author's note in GetGameDLLFunAddr).
//   玩家ID : pushed as the second stack argument, formatted in hex
// Globals read: hwnd, 人物基地址, 交朋友基地址, Runer.
// The stub loads ecx from [[人物基地址]] before the call and pushes two
// arguments; the call goes through the hard-coded 交朋友基地址 rather than
// the 交朋友call value resolved at top level. Asm text is kept exactly as
// posted (including the "ptrds" spelling).
Function MakeFriends(玩家ID)
Runer.AsmClear
Runer.AsmAdd "pushad" // save all general registers
Runer.AsmAdd "mov eax,dword ptrds:["& Hex(人物基地址) &"]"
Runer.AsmAdd "mov ecx,dword ptrds:[eax]"
Runer.AsmAdd "push 0x0"
Runer.AsmAdd "push 0"& Hex(玩家ID)
Runer.AsmAdd "call ["& Hex(交朋友基地址)&"]"
Runer.AsmAdd "popad" // restore registers
Runer.AsmAdd "ret"
Runer.AsmCall hwnd, 1
End function

