C/C++封装的DLL封装到易语言模块中易调用----例:扫雷
本帖最后由 Patty 于 2020-5-30 16:26 编辑
语言:C/C++、易语言
工具:VS2017,OD,Dll查看器depends_32,扫雷
知识: 远程线程汇编代码注入技术,调试分析,动态链接库dll编写,VS封装DLL易调用
------------------------------------------------------------------------------------------------------------------------------
一、调试
1. 从程序调用的 API 入手:雷的位置是随机的,可以推出程序用 srand、rand 取随机值。
由此回溯,找到重新开始 Call 以及【雷数据的地址和存储方式】,用来实现重新开始 Call 与雷标记旗两个功能。
// 格子字节取值:0x10=墙(边界) 0x8F=雷 0x8E=旗 0x40=空 0x41=1 0x42=2 0x43=3 0x44=4 0x45=5(此处未列出 6、7、8 的编码)
2. 通过窗口的消息机制找到点击坐标的 Call,再按上面得到的数据存储方式遍历所有坐标,实现秒杀。
------------------------------------------------------------------------------------------------------------------------------
二、用VS2017的控制台测试出功能
------------------------------------------------------------------------------------------------------------------------------
三、将VS控制台的代码封装到Dll中
------------------------------------------------------------------------------------------------------------------------------
完毕感谢观看~!
扫雷exe:
扫雷辅助exe:(程序我加了签名;不过注意,签名并不能避免报毒——辅助用的是 WriteProcessMemory + CreateRemoteThread 往游戏进程写入并执行代码,这正是杀软/EDR 重点拦截的行为,请自行评估)
扫雷模块ec:
扫雷Dll:
控制台源码如下,大家试试看能否自己实现封装成 DLL 并调用:
#include <windows.h>
#include <stdio.h>
// Per-target state shared by every helper below: the game window, its
// process id and handle, the remote scratch page the call stubs are written
// into, and the two fixed addresses inside the game that main() fills in.
struct g_GETPROCESSINFO {
    HWND WindowsHwand;        // main window of the game (FindWindow result)
    DWORD Pid;                // process id behind that window
    HANDLE ProcessHandle;     // OpenProcess handle used for RPM/WPM/CreateRemoteThread
    PVOID AllocMemoryAddr;    // executable page allocated in the target with VirtualAllocEx
    DWORD ThunderArrayBase;   // base address of the mine/cell array in the target
    DWORD WidthBase;          // address of the board-width DWORD in the target
};
typedef struct g_GETPROCESSINFO g_GetProcessInfo;
typedef g_GetProcessInfo *g_pGetProcessInfo;
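// Restart: run the game's own "new game" routine inside the game process.
//
// A 12-byte x86 stub is written to the scratch page in the target and then
// started as a remote thread:
//   60             pushad
//   9C             pushfd
//   B8 7A 36 00 01 mov eax, 0x0100367A   ; absolute address of the restart routine
//   FF D0          call eax
//   9D             popfd
//   61             popad
//   C3             ret
// The call target is baked in for one specific build of the game (it is an
// absolute, non-relocated address) and must be re-derived for any other build.
//
// Fix: pushad/pushfd must be unwound in reverse order. The original bytes were
// 61 9D (popad, then popfd), which pops the saved EFLAGS into EDI and a saved
// register into EFLAGS; it went unnoticed only because a fresh remote thread
// discards its registers on return and the stack still balances.
//
// Does nothing if the handle or scratch page is missing or the write fails.
// The thread handle is closed right away (the thread keeps running) so the
// kernel object does not leak on every F1 press.
void Restart(g_GetProcessInfo& info)
{
    static const BYTE RestartCallCode[] = {
        0x60, 0x9C,                     // pushad; pushfd
        0xB8, 0x7A, 0x36, 0x00, 0x01,   // mov eax, 0x0100367A
        0xFF, 0xD0,                     // call eax
        0x9D, 0x61,                     // popfd; popad
        0xC3                            // ret
    };
    if (info.ProcessHandle == NULL || info.AllocMemoryAddr == NULL)
        return;
    if (!WriteProcessMemory(info.ProcessHandle, info.AllocMemoryAddr,
                            RestartCallCode, sizeof(RestartCallCode), NULL))
        return;
    HANDLE hThread = CreateRemoteThread(info.ProcessHandle, NULL, 0,
                                        (LPTHREAD_START_ROUTINE)info.AllocMemoryAddr,
                                        NULL, 0, NULL);
    if (hThread != NULL)
        CloseHandle(hThread);
}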
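// ClickCallCode: write (but do not run) a stub that calls the game's
// "click cell" routine for cell (x, y). Click() starts it afterwards.
//
//   60             pushad
//   9C             pushfd
//   6A xx          push x        ; imm8, sign-extended to 32 bits
//   6A yy          push y
//   B8 12 35 00 01 mov eax, 0x01003512   ; absolute address of the click routine
//   FF D0          call eax
//   9D             popfd
//   61             popad
//   C3             ret
//
// Notes for anyone porting this:
// - x is pushed first and y second, so y is the callee's first stack
//   argument. Click() passes (row, column) as (x, y); which one the callee
//   treats as row vs column is not visible here.
// - Nothing pops the two arguments after the call, so the stub assumes the
//   callee cleans its own arguments (stdcall-style). If it were cdecl the
//   popfd/popad/ret sequence would be off by 8 bytes - verify in a debugger.
// - push imm8 sign-extends, so x or y >= 0x80 would arrive as a negative
//   value; the board is far smaller than that, but the stub does not check.
// - The call target is baked in for one specific build of the game.
//
// Fix: the original unwound as popad, popfd (61 9D); the save/restore pair
// has to be reversed (popfd, then popad) to put the right values back.
//
// Returns silently on a missing handle/page; a failed write is not reported
// (the caller will simply run whatever was in the page before).
void ClickCallCode(g_GetProcessInfo& info, BYTE x, BYTE y)
{
    BYTE Code1[] = {
        0x60, 0x9C,                     // pushad; pushfd
        0x6A, x,                        // push x
        0x6A, y,                        // push y
        0xB8, 0x12, 0x35, 0x00, 0x01,   // mov eax, 0x01003512
        0xFF, 0xD0,                     // call eax
        0x9D, 0x61,                     // popfd; popad
        0xC3                            // ret
    };
    if (info.ProcessHandle == NULL || info.AllocMemoryAddr == NULL)
        return;
    WriteProcessMemory(info.ProcessHandle, info.AllocMemoryAddr, Code1, sizeof(Code1), NULL);
}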
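// Click: reveal every cell that is not already revealed, flagged, or a mine.
//
// Reads the board width from the target, then walks the cell array row by
// row. Rows are 0x20 bytes apart and the board is bordered by wall bytes
// (0x10), so each row is scanned until its first wall and the walk stops at
// the first row whose first cell is a wall. For every cell whose byte is none
// of the "leave alone" values (0x8F mine, 0x8E flag, 0x40 empty, 0x41..0x45
// numbers 1-5) the click stub is written and run in a remote thread.
//
// Fixes relative to the original:
// - `BYTE ThunderValue = 0;` had lost the space after the type and would not
//   compile.
// - ReadProcessMemory results are checked; a failed read aborts the scan
//   instead of reusing the previous cell value.
// - A width of zero or of 0x20 or more (which cannot fit in a 0x20-byte row
//   and would also wrap the byte-sized loop index) is treated as a bad read.
// - Each remote thread handle is closed so it does not leak per click.
//
// Caveats:
// - The exclusion list stops at 0x45. If numbers 6-8 follow the same scheme
//   (0x46..0x48), those revealed cells would be clicked again - presumably
//   harmless on a revealed cell, but unverified against the game.
// - Every click rewrites the shared scratch page and starts a new thread; the
//   Sleep() calls are the only thing keeping a running stub from being
//   overwritten for the next cell. There is no real synchronisation.
void Click(g_GetProcessInfo& info)
{
    if (info.ProcessHandle == NULL || info.AllocMemoryAddr == NULL)
        return;

    DWORD Width = 0;
    if (!ReadProcessMemory(info.ProcessHandle, (LPCVOID)info.WidthBase, &Width, sizeof(Width), NULL))
        return;
    // A row is 0x20 bytes; anything that large cannot be a real width.
    if (Width == 0 || Width >= 0x20)
        return;

    for (DWORD row = 1; row <= Width; row++)
    {
        DWORD rowBase = info.ThunderArrayBase + row * 0x20; // first cell of this row
        DWORD cellsSeen = 0;
        for (DWORD col = 1; col <= Width; col++)
        {
            BYTE cell = 0;
            if (!ReadProcessMemory(info.ProcessHandle, (LPCVOID)(rowBase + col), &cell, sizeof(cell), NULL))
                return;
            if (cell == 0x10) // wall: end of this row
                break;
            cellsSeen++;

            if (cell == 0x8F || cell == 0x8E || cell == 0x40
                || (cell >= 0x41 && cell <= 0x45))
                continue; // mine, flag, empty, or a revealed 1..5: leave it

            ClickCallCode(info, (BYTE)row, (BYTE)col);
            Sleep(10);
            HANDLE hThread = CreateRemoteThread(info.ProcessHandle, NULL, 0,
                                                (LPTHREAD_START_ROUTINE)info.AllocMemoryAddr,
                                                NULL, 0, NULL);
            if (hThread != NULL)
                CloseHandle(hThread);
            Sleep(20);
        }
        if (cellsSeen == 0) // first cell of this row is a wall: past the bottom edge
            break;
    }
}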
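// ThunderArray: flag every mine on the board by rewriting its cell byte.
//
// The 0x360-byte cell array is read from the target in one call, every byte
// equal to 0x8F (mine) is rewritten as 0x8E (flag), and the game window is
// invalidated so it repaints with the flags.
//
// Fixes relative to the original:
// - `BYTE ifThunder = 0;` had lost the space after the type and would not
//   compile.
// - One bulk ReadProcessMemory replaces 864 single-byte cross-process reads.
//   Changed bytes are still written back one at a time so that bytes the game
//   may have changed meanwhile are not overwritten with a stale copy.
// - GetClientRect is checked before InvalidateRect: with a NULL window handle
//   (FindWindow failed) InvalidateRect(NULL, ...) repaints every window on
//   the desktop rather than the game.
//
// 0x360 is the array size the original hard-coded; whether the array really
// ends there has not been confirmed from the game binary.
void ThunderArray(g_GetProcessInfo& info)
{
    if (info.ProcessHandle == NULL)
        return;

    BYTE board[0x360];
    if (!ReadProcessMemory(info.ProcessHandle, (LPCVOID)info.ThunderArrayBase, board, sizeof(board), NULL))
        return;

    for (DWORD i = 0; i < sizeof(board); i++)
    {
        if (board[i] != 0x8F) // not a mine
            continue;
        BYTE Flag = 0x8E; // flag
        WriteProcessMemory(info.ProcessHandle, (LPVOID)(info.ThunderArrayBase + i), &Flag, sizeof(Flag), NULL);
    }

    // Force a repaint of the whole client area so the new flags are drawn.
    RECT rt = { 0 };
    if (info.WindowsHwand != NULL && GetClientRect(info.WindowsHwand, &rt))
        InvalidateRect(info.WindowsHwand, &rt, TRUE);
}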
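// GetProcessInfo: locate the game and prepare a handle plus a remote
// scratch page for the call stubs.
//
// Finds the window titled "扫雷" (the Chinese title only - the literal is not
// localised), resolves its process id, opens the process and allocates one
// executable page in it. On any failure the remaining fields are left as the
// caller initialised them (ProcessHandle / AllocMemoryAddr stay NULL) so the
// caller can check them; the original passed NULL straight through
// OpenProcess and VirtualAllocEx.
//
// FindWindow with a wide literal only resolves when the project is built with
// UNICODE defined (FindWindowW); the original had the same dependency.
//
// Security notes:
// - Only the rights the tool actually uses are requested: VM read/write/
//   operation for ReadProcessMemory/WriteProcessMemory/VirtualAllocEx,
//   CREATE_THREAD for CreateRemoteThread, and QUERY_INFORMATION. The original
//   asked for PROCESS_ALL_ACCESS, far more than it needs.
// - The scratch page is still RWX because every stub is rewritten in place
//   before each run. Allocating RW and flipping to RX with VirtualProtectEx
//   before each CreateRemoteThread would avoid RWX memory at the cost of one
//   extra call per click.
// - The size is 0x1000 (one page). The original passed 0x4096, which is
//   hexadecimal 16,534 bytes - almost certainly meant as 4096.
// - WriteProcessMemory + CreateRemoteThread into another process is exactly
//   the pattern AV/EDR products alert on; signing the binary does not change
//   that.
void GetProcessInfo(g_GetProcessInfo& info)
{
    info.WindowsHwand = FindWindow(NULL, L"扫雷");
    if (info.WindowsHwand == NULL)
        return;

    info.Pid = 0;
    if (GetWindowThreadProcessId(info.WindowsHwand, &info.Pid) == 0 || info.Pid == 0)
        return;

    const DWORD access = PROCESS_QUERY_INFORMATION | PROCESS_VM_READ
                       | PROCESS_VM_WRITE | PROCESS_VM_OPERATION
                       | PROCESS_CREATE_THREAD;
    info.ProcessHandle = OpenProcess(access, FALSE, info.Pid);
    if (info.ProcessHandle == NULL)
        return;

    info.AllocMemoryAddr = VirtualAllocEx(info.ProcessHandle, NULL, 0x1000,
                                          MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
}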
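// HotKey: register F1/F2/F3 as global hot keys and dispatch them until the
// message loop ends.
//
//   F1 -> Restart(info)        start a new game
//   F2 -> ThunderArray(info)   flag every mine
//   F3 -> Click(info)          reveal every safe cell
//
// The hot-key id is the virtual-key code itself, so WM_HOTKEY's wParam can be
// compared against it directly.
//
// Fixes relative to the original:
// - `DWORD KeyCodeF1 = 112;` etc. had lost the space after the type and would
//   not compile; the values 112..114 are VK_F1..VK_F3.
// - RegisterHotKey can fail (another program already owns the key); failures
//   are reported on stdout instead of silently leaving that key dead.
// - GetMessage returns -1 on error; looping on `!= 0` spins forever in that
//   case, so the loop uses `> 0` as the documented idiom requires.
// - The hot keys are unregistered when the loop ends.
//
// With hWnd == NULL the WM_HOTKEY messages land on this thread's queue, and
// nothing in this program posts WM_QUIT, so in practice the loop runs until
// the console is closed.
void HotKey(g_GetProcessInfo& info)
{
    static const struct { UINT vk; const char *what; } keys[] = {
        { VK_F1, "F1 (restart)" },
        { VK_F2, "F2 (flag mines)" },
        { VK_F3, "F3 (reveal cells)" },
    };

    for (size_t k = 0; k < sizeof(keys) / sizeof(keys[0]); k++)
    {
        // id == vk code; no modifiers, so the bare key is a global hot key.
        if (!RegisterHotKey(NULL, (int)keys[k].vk, 0, keys[k].vk))
            printf("RegisterHotKey failed for %s (error %lu)\n", keys[k].what, GetLastError());
    }

    MSG msg;
    SecureZeroMemory(&msg, sizeof(msg));
    while (GetMessageA(&msg, NULL, 0, 0) > 0)
    {
        if (msg.message != WM_HOTKEY)
            continue;
        switch (msg.wParam)
        {
        case VK_F1: Restart(info); break;
        case VK_F2: ThunderArray(info); break;
        case VK_F3: Click(info); break;
        default: break;
        }
    }

    for (size_t k = 0; k < sizeof(keys) / sizeof(keys[0]); k++)
        UnregisterHotKey(NULL, (int)keys[k].vk);
}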
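// Entry point: attach to the running game, install the fixed addresses for
// this build, print the key map and hand control to the hot-key loop.
//
// The two addresses are absolute virtual addresses inside one specific build
// of the game (the stub call targets 0x0100367A / 0x01003512 live in the same
// image). They are not looked up at run time, so any other build, or a
// relocated image, will read and write the wrong memory. Re-derive them in a
// debugger before using this against a different binary.
//
// Fixes relative to the original: the attach result is checked and reported
// instead of letting every later ReadProcessMemory/WriteProcessMemory fail
// silently, and the remote page and process handle are released if HotKey
// ever returns.
int main()
{
    g_GetProcessInfo info = {0};
    GetProcessInfo(info); // find the window, open the process, allocate the scratch page
    if (info.ProcessHandle == NULL || info.AllocMemoryAddr == NULL)
    {
        printf("could not attach to the game (is it running?)\n");
        getchar();
        return 1;
    }

    info.ThunderArrayBase = 0x1005340; // base of the mine/cell array (this build only)
    info.WidthBase = 0x10056AC;        // board-width DWORD (this build only)

    printf("F1=重新开局\n");
    printf("F2=雷标记旗\n");
    printf("F3=激活框框\n\n");
    HotKey(info);

    VirtualFreeEx(info.ProcessHandle, info.AllocMemoryAddr, 0, MEM_RELEASE);
    CloseHandle(info.ProcessHandle);
    getchar(); getchar();
    return 0;
}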
小非凡 发表于 2020-5-31 00:16
大佬你好,我问一下,是不是不兼容Win10啊,
绑定游戏、标记雷棋,这两个功能都是正常的。
但是,重 ...
兼容 Win10 的。我的看法:用远程线程直接调用 Call 时不需要保存栈环境/寄存器,只有 Hook 调用才需要;去掉保存寄存器的那几条指令后,在 Win10 上运行没问题。
另外补充一点:原 stub 的顺序是 pushad、pushfd ... popad、popfd,恢复时应当反过来(先 popfd 再 popad),否则寄存器会被错位恢复;远程线程返回后寄存器作废、栈也是平衡的,所以这个问题在远程线程方式下没有表现出来,但做成 Hook 时就会出事。
大大的厉害!!小白观摩中~~ 小白只能摩拜了 小白只能摩拜了 小白赶紧膜拜【滑稽】 学习了,多谢楼主 谢谢分享,下来看看