发一个mir2的内挂代码

LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)

{

if(nCode==HSHELL_WINDOWCREATED)

{

char buf[1024];

DWORD dwPid;

GetWindowText((HWND)wParam,buf,1024);

if(strcmp(buf,"legend of mir2")==0)

{

GetClassName((HWND)wParam,buf,1024);

if( strcmp(buf,"TfrmMain")==0 ||

//strcmp(buf,"TApplication")==0 ||

strcmp(buf,"TFrmMain")==0 )

{

GetWindowThreadProcessId((HWND)wParam,&dwPid);

if(dwPid==GetCurrentProcessId())

{

DWORD d;

d=(DWORD)my_DDrawwCreate;

char bb[5];

bb[0]=bb[1]=bb[2]=bb[3]=bb[4]=(char)0x90;

DWORD dwOldFlag;

VirtualProtect((void*)0x44c586,9,PAGE_READWRITE,&dwOldFlag);

memcpy((void*)0x44c586,&d,4);

memcpy((void*)0x44c58a,bb,5);

VirtualProtect((void*)0x44c586,9,dwOldFlag,&dwOldFlag);

}

return CallNextHookEx(g_hhook, nCode, wParam ,lParam);

}

void InstallHook()

{

if(g_hhook==NULL)

{

g_hhook=SetWindowsHookEx(WH_SHELL,(HOOKPROC)HookProc,theApp.m_hInstance,0);

if(g_hhook==NULL)

MessageBox(0,"SetWindowsHookEx Failed!!",NULL,MB_OK);

}

通过InstallHook来安装一个WH_SHELL类型的钩子目的是在游戏窗口创建的第一时间取得控制权然后通过改写相关代码来实现对DirectDrawCreate函数的拦截使之流向我们设置的代码my_DDrawwCreate

HRESULT __stdcall my_DDrawwCreate(GUID*lpGUID,LPDIRECTDRAW*lplpDD,IUnknown*pUnkOuter)

{

HRESULT retVal;

HWND hWnd=NULL;

if(hWnd==NULL)

hWnd=FindWindow("TfrmMain","legend of mir2");

//if(hWnd==NULL)

// hWnd=FindWindow("TApplication","legend of mir2");

if(hWnd==NULL)

hWnd=FindWindow("TFrmMain","legend of mir2");

{

retVal=DirectDrawCreate(lpGUID,lplpDD,pUnkOuter);

if(g_isWindowMir)

{

LPDIRECTDRAW lpDD=*lplpDD;

DWORD p1=(DWORD)*lplpDD;

DWORD p2=*(DWORD*)p1;

*((DWORD*)(p2+0x54))=(DWORD)(FARPROC)my_SetDisplayMode;

old_SetCooperativeLevel=*((DWORD*)(p2+0x50));

*((DWORD*)(p2+0x50))=(DWORD)(FARPROC)my_SetCooperativeLevel;

}

DWORD*psend;

psend=(DWORD*)0x4fa720;

*psend=(DWORD)my_send;

{

AFX_MANAGE_STATE(AfxGetStaticModuleState());

pToolDlg=new CToolDialog;

pToolDlg->Create(IDD_TOOL_DIALOG);

pToolDlg->SetWindowText("太子");

pToolDlg->ShowWindow(pToolDlg->IsWindowVisible() ? SW_HIDE : SW_SHOW);

//数字显示

FARPROC p=(FARPROC)_DispFunc;

DWORD dwP=(DWORD)p-0x47AA1B;

DWORD dwOldFlag;

VirtualProtect((void*)0x47AA17,4,PAGE_READWRITE,&dwOldFlag);

*((DWORD*)0x47AA17)=dwP;

VirtualProtect((void*)0x47AA17,4,dwOldFlag,&dwOldFlag);

//取消程序自检验

VirtualProtect((void*)0x45EC00,1,PAGE_READWRITE,&dwOldFlag);

*((BYTE*)0x45EC00)=(BYTE)0xC3;

VirtualProtect((void*)0x45EC00,1,dwOldFlag,&dwOldFlag);

//战斗退出

VirtualProtect((void*)0x4620E6,2,PAGE_READWRITE,&dwOldFlag);

*((WORD*)0x4620E6)=(WORD)0x9090;

VirtualProtect((void*)0x4620E6,2,dwOldFlag,&dwOldFlag);

VirtualProtect((void*)0x462162,2,PAGE_READWRITE,&dwOldFlag);

*((WORD*)0x462162)=(WORD)0x9090;

VirtualProtect((void*)0x462162,2,dwOldFlag,&dwOldFlag);

VirtualProtect((void*)0x4914CA,2,PAGE_READWRITE,&dwOldFlag);

*((WORD*)0x4914CA)=(WORD)0x9090;

VirtualProtect((void*)0x4914CA,2,dwOldFlag,&dwOldFlag);

VirtualProtect((void*)0x491576,2,PAGE_READWRITE,&dwOldFlag);

*((WORD*)0x491576)=(WORD)0x9090;

VirtualProtect((void*)0x491576,2,dwOldFlag,&dwOldFlag);

//显物品id

p=(FARPROC)ShowItemId;

dwP=(DWORD)p-0X0048C458;

//VirtualProtect((void*)0X0048C430,0x23,PAGE_READWRITE,&dwOldFlag);

//for(char i=0;i<0x23;i++)

//{

// *((BYTE*)(0X0048C430+i))=0x90;

//}

//VirtualProtect((void*)0X0048C430,0x23,dwOldFlag,&dwOldFlag);

VirtualProtect((void*)0X0048C454,4,PAGE_READWRITE,&dwOldFlag);

*((DWORD*)(0X0048C454))=dwP;

VirtualProtect((void*)0X0048C454,4,dwOldFlag,&dwOldFlag);

//InstallGameHooks();

}

/**//*

p=(FARPROC)MagicLock;

dwP=(DWORD)p-0x4627ab;

VirtualProtect((void*)0x4627a7,4,PAGE_READWRITE,&dwOldFlag);

*((DWORD*)0x4627a7)=dwP;

VirtualProtect((void*)0x4627a7,4,dwOldFlag,&dwOldFlag);

p=(FARPROC)EatItem;

dwP=(DWORD)p-0x4623a6;

VirtualProtect((void*)0x4623a2,4,PAGE_READWRITE,&dwOldFlag);

*((DWORD*)0x4623a2)=dwP;

VirtualProtect((void*)0x4623a2,4,dwOldFlag,&dwOldFlag);

dwP=(DWORD)p-0x48c1e6;

VirtualProtect((void*)0x48c1e2,4,PAGE_READWRITE,&dwOldFlag);

*((DWORD*)0x48c1e2)=dwP;

VirtualProtect((void*)0x48c1e2,4,dwOldFlag,&dwOldFlag);

dwP=(DWORD)p-0x48c223;

VirtualProtect((void*)0x48c21f,4,PAGE_READWRITE,&dwOldFlag);

*((DWORD*)0x48c21f)=dwP;

VirtualProtect((void*)0x48c21f,4,dwOldFlag,&dwOldFlag);

VirtualProtect((void*)0x4674a6,1,PAGE_READWRITE,&dwOldFlag);

*((BYTE*)0x4674a6)=0xeb;

VirtualProtect((void*)0x4674a6,1,dwOldFlag,&dwOldFlag);

return retVal;

}

return DirectDrawCreate(lpGUID,lplpDD,pUnkOuter);

}

my_DDrawwCreate根据设置对SetDisplayMode及SetCooperativeLevel进行拦截进行窗口化

然后修改游戏程序的相应代码来实现游戏功能的增强

最后附上相应的代码

const DWORD p1=0x44D8B4,p2=0x41834C,p3=0x406434,p_disp=0x4a09a0;

const DWORD old_proc=0x44d6cc;

const DWORD p4=0x44d104;

void DispText(DWORD _eax, LPCTSTR string, DWORD x, DWORD y, DWORD color=0xffffff, DWORD bcolor=0x0)

{

delphi_string dstring;

//sprintf(dstring.text,"%s",string);

strcpy(dstring.text,string);

dstring.len=strlen(string);

DWORD address=(DWORD)(dstring.text);

_asm

{

/**//* mov eax, _eax

call p1

call p2

push 1

push eax

call p3*/

push color

push bcolor

push address

mov ecx, y

mov edx, x

mov eax, _eax

call p_disp

}

DWORD fps=0,last_tick_count=0,frame=0;

const DWORD p5=0x40f6a0;

DWORD last_time_pickup=0;

CString MenuItems[6];

BOOL eat_item=TRUE;

__stdcall DispFunc(DWORD _EAX)

{

if(GetTickCount()-last_tick_count>1000)

{

fps=frame;

frame=0;

last_tick_count=GetTickCount();

}

frame++;

struct tm *now;

char buf[128];

time_t tval;

tval = time(NULL);

now = localtime(&tval);

strftime(buf,sizeof(buf),"太子辅助时间:%I:%M:%S %p",now);

DispText(_EAX,buf,340,454);

DWORD p_hpmp=*(DWORD*)0x4F7EF8;

DWORD hp,hpmax,mp,mpmax,exp,expmax,weight,weightmax,gold;

hp=*((WORD*)(p_hpmp+0x3c));

hpmax=*((WORD*)(p_hpmp+0x40));

mp=*((WORD*)(p_hpmp+0x3e));

mpmax=*((WORD*)(p_hpmp+0x42));

exp=*((DWORD*)(p_hpmp+0x48));

expmax=*((DWORD*)(p_hpmp+0x4c));

weight=*((WORD*)(p_hpmp+0x50));

weightmax=*((WORD*)(p_hpmp+0x52));

gold=*((DWORD*)(p_hpmp+0x58));

sprintf(buf,"生命:%u/%u 魔法:%u/%u",hp,hpmax,mp,mpmax);

DispText(_EAX,buf,25,550);

sprintf(buf,"鼠标:%u:%u",*(DWORD*)0x4F948C,*(DWORD*)0x4F9490);

DispText(_EAX,buf,350,580);

sprintf(buf,"经验:%u/%u",exp,expmax);

DispText(_EAX,buf,666,538);

sprintf(buf,"负重:%u/%u",weight,weightmax);

DispText(_EAX,buf,666,571);

sprintf(buf,"金币:%u",gold);

DispText(_EAX,buf,666,507);

sprintf(buf,"FPS=%u",fps);

DispText(_EAX,buf,10,8,RGB(255,255,255),RGB(255,0,0));

//显示装备持久

if(bShowDura)

{

item_in_mem*item=(item_in_mem*)0x4F7EFC;

char namebuf[128];

int off;

for(off=0;off<9;off++)

{

if(item[off].magic!=0)

{

memcpy(namebuf,item[off].name,item[off].magic);

namebuf[item[off].magic]=(char)0;

sprintf(buf,"%s %u/%u",namebuf,item[off].dura,item[off].dura_max);

DispText(_EAX,buf,10,26+off*16);

}

//显示地面物品名字

DWORD i;

DWORD count;

DWORD get_droped_item=0x40F6A0;

DWORD map_rect_left;

DWORD map_rect_top;

DWORD defx,defy;

DWORD my_x,my_y;

_asm

{

mov eax, 004a42dch

mov eax, dword ptr [eax]

mov edx, dword ptr [eax+0002ae54h]

mov map_rect_left, edx

mov edx, dword ptr [eax+0002ae58h]

mov map_rect_top, edx

mov eax, 04F7DA4h

mov eax, dword ptr [eax]

mov eax, dword ptr [eax+08h]

mov count, eax

mov eax, 004A3E9Ch

mov eax, dword ptr [eax]

mov edx, 0FFFFFFA0h

sub edx, dword ptr [eax+00000098h]

add edx, 00000010h

add edx, 0000000Eh

mov defx, edx

mov eax, 004A3E9Ch

mov eax, dword ptr [eax]

mov edx, 0FFFFFFC0h

sub edx, dword ptr [eax+0000009Ch]

mov defy, edx

mov eax, 004A3E9Ch

mov eax, dword ptr [eax]

movzx eax, word ptr [eax+08h]

mov my_x, eax

mov eax, 004A3E9Ch

mov eax, dword ptr [eax]

movzx eax, word ptr [eax+0ah]

mov my_y, eax

}

drop_item item;

DWORD p,x,y;

bool bChecked=false;

for(i=0;i<count;i++)

{

_asm

{

mov eax, 04F7DA4h

mov eax, dword ptr [eax]

mov edx, i

call get_droped_item

mov p, eax

}

memcpy(&item,(void*)p,sizeof(drop_item));

x=(item.x - map_rect_left) * 48 + defx + 0;

y=(item.y - map_rect_top - 1) * 32 + defy + 0;

if(x>=0 && x<800 && y>=0 && y<600)//屏幕外的不显示

{

memcpy(buf,(void*)(p+sizeof(drop_item)+1),*(BYTE*)(p+sizeof(drop_item)));

buf[*(BYTE*)(p+sizeof(drop_item))]=(char)0;

DispText(_EAX,buf,x,y);

if(!bChecked && item.x==my_x && item.y==my_y && GetTickCount()-last_time_pickup>100)

{

last_time_pickup=GetTickCount();

SendPickUp();

bChecked=true;

}

//数字显血

DWORD act_list;

DWORD act;

act_list=(*(DWORD*)0x4a3dd8);

act_list=(*(DWORD*)act_list);

act_list=(*(DWORD*)(act_list+0x5a854));

count=(*(DWORD*)(act_list+0x8));

typedef struct

{

DWORD x,y,hp,hpmax;

}act_struct;

act_struct actor;

for(i=0;i<count;i++)

{

_asm

{

mov eax, act_list

mov edx, i

call p5

mov act, eax

}

actor.x= (*(DWORD*)(act+0x8c));

actor.y= (*(DWORD*)(act+0x90));

actor.hp= (*( WORD*)(act+0x3c));

actor.hpmax= (*( WORD*)(act+0x40));

if(actor.hpmax!=0)

{

sprintf(buf,"%u/%u",actor.hp,actor.hpmax);

DispText(_EAX,buf,actor.x-15,actor.y-20,RGB(0xff,0,0));

}

__declspec(naked) _DispFunc()

{

__asm

{

//保存参数

push eax

push edx

push ecx

//调用自己的函数

push eax

call DispFunc

pop ecx

pop edx

pop eax

jmp p_disp

}

发一个mir2的内挂代码相关推荐

qq邮件太多如何一键删除？发一个自动删邮件的代码
到qq邮箱,收件箱,打开f12 粘贴代码就可以了 async function delmail(){ document.querySelector("#mainFrame").co ...
H5游戏（二）给某html5游戏做内挂
h5游戏的上一篇内容 H5游戏(一)登录某某首富H5游戏之WebSockets初涉易语言wss 第二篇:给某html5游戏做内挂上一期研究了易语言伪造wss,后来觉得每个发送请求都要分析有点麻烦, ...
java判断一个文件有多少行_Java关于条件判断练习--统计一个src文件下的所有.java文件内的代码行数(注释行、空白行不统计在内)...
要求:统计一个src文件下的所有.java文件内的代码行数(注释行.空白行不统计在内) 分析:先封装一个静态方法用于统计确定的.java文件的有效代码行数.使用字符缓冲流读取文件,首先判断是否是块注释 ...
LWN：在另一个进程的地址空间内执行代码！
关注了就能看到更多这么棒的文章哦- Running code within another process's address space By Jonathan Corbet April 16, 2 ...
cpc卡内计费信息异常包括_抖音信息流广告投放收费标准是什么?抖音发一个广告多少钱?...
抖音短视频平台到目前为止已拥有超过5亿的用户,且年龄比例较为年轻化,可以说,在短视频与人流量双层有优势的情况下,抖音受到了广大广告主的青睐.那么,抖音信息流广告收费标准是多少?抖音发一个广告多少钱?我 ...
支持自动打怪（内挂）的网游，更新日期15.3.2
更新日期:15.3.2 持续更新中,希望大家多多支持,未涉及到的内容可通过留言或其他方式联系我,我会及时添加的. 极乐空间-----------------15.3.2,3D画面不错,Ctrl+Z开启 ...
Python实现在远端服务器挂代码—发送定时天气预报至邮箱+每日一句（小白教程）
Python实现在远端服务器挂代码-发送定时天气预报至邮箱+每日一句(小白教程) 人生苦短,我用python.下面来讲解一个python每天定时发送天气预报和每日一句至指定邮箱的脚本挂在服务器运行的程 ...
python怎么把程序挂在远端服务器_Python实现在远端服务器挂代码—发送定时天气预报至邮箱+每日一句（小白教程）...
Python实现在远端服务器挂代码-发送定时天气预报至邮箱+每日一句(小白教程) 人生苦短,我用python.下面来讲解一个python每天定时发送天气预报和每日一句至指定邮箱的脚本挂在服务器运行的程 ...
python图片直接保存到远端_Python在远程服务器中的实现挂代码-发送定期天气预报到邮箱+每天一句话（小白教程）,远端,定时,至,每日...
Python实现在远端服务器挂代码-发送定时天气预报至邮箱+每日一句(小白教程) 人生苦短,我用python.下面来讲解一个python每天定时发送天气预报和每日一句至指定邮箱的脚本挂在服务器运行的程 ...

发一个mir2的内挂代码

发一个mir2的内挂代码

发一个mir2的内挂代码相关推荐

最新文章

热门文章