请教下C++内嵌汇编传递参数
本帖最后由 h5587686 于 2021-1-21 20:21 编辑
#include <windows.h>
#include<iostream>
using namespace std;
void zhuru(); // defined below; its raw bytes are what main() copies into the target process
// These globals live in the injector's own address space. As the replies in
// this thread point out, the inline asm in zhuru() that names x and y compiles
// to loads from their addresses, and those addresses mean nothing once the
// copied bytes execute inside another process.
const int x = 2;
const int y = 2;
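/// Entry point: copies the body of zhuru() into the target process and runs it
/// on a remote thread. Returns 0 on success, 1 when any step fails.
/// Differences from the posted version: standard `int main`, every API result
/// is checked, and the process/thread handles are closed.
int main()
{
    HWND hw = FindWindow(NULL, TEXT("Plants vs. Zombies"));
    if (hw == NULL)
        return 1;

    DWORD ProcessID = 0;
    GetWindowThreadProcessId(hw, &ProcessID);

    HANDLE hp = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
    if (hp == NULL)
        return 1;

    int rc = 1;
    PVOID add = VirtualAllocEx(hp, NULL, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (add != NULL)
    {
        // Copies a fixed 4096 bytes starting at zhuru; the function is far
        // shorter than that, so whatever the linker placed after it is copied too.
        SIZE_T written = 0;
        if (WriteProcessMemory(hp, add, zhuru, 4096, &written) && written == 4096)
        {
            HANDLE ht = CreateRemoteThread(hp, NULL, 0, (LPTHREAD_START_ROUTINE)add, NULL, 0, NULL);
            if (ht != NULL)
            {
                // Wait before releasing the page so it is not freed under a
                // running thread; the posted version never closed this handle.
                WaitForSingleObject(ht, INFINITE);
                CloseHandle(ht);
                rc = 0;
            }
        }
        VirtualFreeEx(hp, add, 0, MEM_RELEASE); // MEM_RELEASE requires size 0
    }
    CloseHandle(hp);
    return rc;
}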
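// Naked function whose raw bytes main() copies into the target process: it has
// no prologue/epilogue and must not reference this process's memory. The `x`
// and `y` operands below are exactly such references (see the replies in this
// thread), which matches the OP's observation that constants work and the
// variables do not. Fix over the posted text: `voidzhuru` → `void zhuru`, so
// the definition matches the declaration above.
__declspec(naked) void zhuru()
{
    __asm
    {
        pushad
        pushfd
        push - 1
        push 2
        mov eax,1(y)        ; NOTE(review): `1(y)` / `1(x)` are not valid inline-asm operands as shown — probably mangled by the forum, intent unclear
        push 1(x)
        mov ebx, ds:        ; NOTE(review): memory operand missing on this line and the next — likely stripped by forum formatting
        mov ebx, ds :
        push ebx
        mov edx, 0x00418D70 ; address inside the target process
        call edx
        popfd
        popad
        ret
    }
}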
为什么传入XY的时候就不起作用了呢?程序倒不会崩溃,只是传入的XY不起作用,传常量就正常。
寄存器和声明的变量有冲突? 把 const int x定义为 dword x
__asm mov eax,x
__asm push eax
__asm mov eax,y
__asm push eax
这样试试呢
x,y变量是你自己程序的内存地址,你裸函数执行的内存地址是植物大战僵尸的内存地址,植物大战僵尸怎么读取你程序的内存地址呢?
方法是把x,y的值都写入到你申请的内存空间中。
本帖最后由 h5587686 于 2021-1-17 14:13 编辑
klamauk 发表于 2021-1-17 13:53
x,y变量是你自己程序的内存地址,你裸函数执行的内存地址是植物大战僵尸的内存地址,植物大战僵尸怎么读取 ...
我好像明白是怎么回事了
汇编函数是一块我手动在游戏开辟的单独内存地址吧,main函数是一块不属于游戏的内存地址
两者没有任何联系吧 所以我调用XY完全就写不进去
意思是我要把XY的值,也就是2个变量的地址也注入进去?
楼上师兄说的对啊.
你是没走流程
实际汇编代码的编译结果,不是 mov eax,2 而是 mov eax,[全局变量内存地址]
是的,你申请的内存空间是属于游戏的,不是你自己程序的。
注入dll,代码就好写了!
本帖最后由 古月不傲 于 2021-1-17 14:49 编辑
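//进程提权 — enable SeDebugPrivilege on the current process token.
// Returns TRUE only when every step succeeded; the posted version returned
// TRUE unconditionally and never checked OpenProcessToken / LookupPrivilegeValue.
// Fix: `tkp.Privileges.Luid` does not compile — Privileges is an array, so the
// element is `tkp.Privileges[0]`.
BOOL CzwdzjsfuzhuDlg::EnablePriv()
{
    HANDLE hToken = NULL;
    if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
        return FALSE;

    BOOL ok = FALSE;
    LUID luid;
    if (LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid))
    {
        TOKEN_PRIVILEGES tkp;
        tkp.PrivilegeCount = 1;
        tkp.Privileges[0].Luid = luid;
        tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
        // AdjustTokenPrivileges returns TRUE even when the privilege was not
        // granted; GetLastError() == ERROR_NOT_ALL_ASSIGNED marks that case.
        ok = AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)
             && GetLastError() != ERROR_NOT_ALL_ASSIGNED;
    }
    CloseHandle(hToken);
    return ok;
}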
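//选中的植物ID — store the combo box's current selection index in m_nId.
// InjectCode() later maps that index to a plant id. GetCurSel() returns
// CB_ERR (-1) when nothing is selected; the UINT cast turns that into a large
// value, which InjectCode()'s "anything else" branch absorbs.
// Fix: guard against GetDlgItem() returning NULL instead of dereferencing it.
void CzwdzjsfuzhuDlg::OnCbnSelchangeComboPlantsId()
{
    // TODO: 在此添加控件通知处理程序代码
    CComboBox *cboBox = static_cast<CComboBox *>(GetDlgItem(IDC_COMBO_PLANTS_ID));
    if (cboBox == NULL)
        return; // control not found: keep the previous selection
    this->m_nId = static_cast<UINT>(cboBox->GetCurSel());
}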
//统一处理 — follow a two-level pointer chain in the game process and write
// dwValue at its end: read *baseAddr, add oneOffset, read again, add
// twoOffset, write 4 bytes there. dwBuffer and dwLength are by-value scratch
// arguments; the caller never sees their final values. Side effect: this->m_hWnd
// is overwritten with the game window's handle, which the other handlers in
// this file then rely on.
void CzwdzjsfuzhuDlg::MyProc(LPVOID baseAddr, DWORD dwBuffer, DWORD dwLength,
DWORD oneOffset, DWORD twoOffset, DWORD dwValue)
{
    this->m_hWnd = ::FindWindow(NULL, TEXT("Plants vs. Zombies 1.2.0.1073 RELEASE"));
    DWORD processId = 0;
    GetWindowThreadProcessId(this->m_hWnd, &processId);

    HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
    if (hProcess == NULL)
        return; // silently, as in the original

    // Report one failure and release the process handle.
    auto fail = [&](LPCTSTR text)
    {
        ::MessageBox(NULL, text, TEXT("错误类型!"), MB_ICONHAND);
        CloseHandle(hProcess);
    };

    if (!ReadProcessMemory(hProcess, baseAddr, &dwBuffer, 4, &dwLength))
    {
        fail(TEXT("读取基地址失败!"));
        return;
    }
    dwBuffer += oneOffset;

    if (!ReadProcessMemory(hProcess, (LPVOID)dwBuffer, &dwBuffer, 4, &dwLength))
    {
        fail(TEXT("读取一级偏移地址失败!"));
        return;
    }
    dwBuffer += twoOffset;

    if (!WriteProcessMemory(hProcess, (LPVOID)dwBuffer, &dwValue, 4, &dwLength))
    {
        fail(TEXT("写入内存失败!"));
        return;
    }
    CloseHandle(hProcess);
}
//无限阳光 — write 999999 through MyProc() along base 0x007794F8 → +0x868 → +0x5578.
void CzwdzjsfuzhuDlg::OnBnClickedButtonSun()
{
    // TODO: 在此添加控件通知处理程序代码
    const DWORD kSunValue = 999999;
    const DWORD kFirstOffset = 0x868;
    const DWORD kSecondOffset = 0x5578;
    // dwBuffer / dwLength are scratch parameters of MyProc; pass zeros.
    MyProc((LPVOID)0x007794F8, 0, 0, kFirstOffset, kSecondOffset, kSunValue);
}
//无限金币 — write 999999 through MyProc() along base 0x00779618 → +0x950 → +0x50.
void CzwdzjsfuzhuDlg::OnBnClickedButtonMoney()
{
    // TODO: 在此添加控件通知处理程序代码
    const DWORD kMoneyValue = 999999;
    const DWORD kFirstOffset = 0x950;
    const DWORD kSecondOffset = 0x50;
    // dwBuffer / dwLength are scratch parameters of MyProc; pass zeros.
    MyProc((LPVOID)0x00779618, 0, 0, kFirstOffset, kSecondOffset, kMoneyValue);
}
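//统一无CD — write two bytes from dwValue at baseAddr in the game process
// (the callers pass a two-byte NOP pair); the byte count actually written is
// stored through tLength. Uses this->m_hWnd, which MyProc() has replaced with
// the game window's handle. Fix: a NULL handle from OpenProcess is no longer
// passed on to WriteProcessMemory / CloseHandle.
void CzwdzjsfuzhuDlg::NoCd(LPVOID baseAddr, UCHAR *dwValue, SIZE_T *tLength)
{
    DWORD processId = 0;
    GetWindowThreadProcessId(this->m_hWnd, &processId);
    HANDLE process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processId);
    if (process == NULL)
        return;
    // Always writes exactly 2 bytes regardless of *tLength, as in the original.
    WriteProcessMemory(process, baseAddr, dwValue, 2, tLength);
    CloseHandle(process);
}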
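//无冷却时间 — overwrite two bytes at 0x004B2FF3 with NOPs via NoCd().
// Fix: two initializers need an array; `UCHAR dwNOP = { 0x90, 0x90 }` does not
// compile (the `[]` was presumably lost when the code was posted).
void CzwdzjsfuzhuDlg::OnBnClickedButtonCd()
{
    // TODO: 在此添加控件通知处理程序代码
    LPVOID baseAddr = (LPVOID)0x004B2FF3;
    UCHAR dwNOP[] = { 0x90, 0x90 };
    SIZE_T tLength = sizeof(dwNOP);
    NoCd(baseAddr, dwNOP, &tLength);
}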
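//大嘴无CD — overwrite two bytes at 0x004855F5 with NOPs via NoCd().
// Fix: two initializers need an array; `UCHAR dwNOP = { 0x90, 0x90 }` does not
// compile (the `[]` was presumably lost when the code was posted).
void CzwdzjsfuzhuDlg::OnBnClickedButtonEatingNocd()
{
    // TODO: 在此添加控件通知处理程序代码
    LPVOID baseAddr = (LPVOID)0x004855F5;
    UCHAR dwNOP[] = { 0x90, 0x90 };
    SIZE_T tLength = sizeof(dwNOP);
    NoCd(baseAddr, dwNOP, &tLength);
}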
//注入安放植物代码
// Routine whose bytes OnBnClickedButtonPlantCall() → InjectRemoteFunc() copy
// into the game process and start as a remote thread; lpThreadParameter is
// the remote copy of the `parameter` struct. Maps the combo-box selection
// index to a plant id (0 → 2, 1 → 6, anything else → 3), then calls the game
// routine at 0x00422610 with eax = yPos and xPos, the id, -1 and one value
// loaded from memory pushed on the stack.
// NOTE(review): this is compiled as a non-static member function (implicit
// `this`); whether the copied 4096 bytes are position-independent cannot be
// judged from here.
void CzwdzjsfuzhuDlg::InjectCode(LPVOID lpThreadParameter)
{
    // `param` must be a pointer type (it is dereferenced with ->), declared elsewhere.
    param parameter = (param)lpThreadParameter;
    UINT plantsId = parameter->plantsId;
    UINT xPos = parameter->xPos;
    UINT yPos = parameter->yPos;
    if (plantsId == 0)
        plantsId = 2;
    else if (plantsId == 1)
        plantsId = 6;
    else
        plantsId = 3;
    __asm
    {
        pushad
        pushfd
        mov edx, plantsId
        mov eax, yPos
        push -1
        push edx
        mov ecx, xPos
        push ecx
        mov edi, dword ptr ds :   ; NOTE(review): memory operand missing on this line and the next — likely stripped by forum formatting
        mov edi, dword ptr ds :
        push edi
        mov ebx, 0x00422610       ; address inside the game process
        call ebx
        popfd
        popad
    }
}
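//植物安放call — gather the selected plant index and the x/y fields into a
// `parameter` struct and hand it to InjectRemoteFunc() together with InjectCode().
// Fix: `¶m` in the posted code is the HTML entity &para; rendered by the forum;
// the intent is `&param`, the address of the struct.
void CzwdzjsfuzhuDlg::OnBnClickedButtonPlantCall()
{
    // TODO: 在此添加控件通知处理程序代码
    UpdateData(TRUE); // copy the dialog controls into m_uX / m_uY
    DWORD dwProcessId = 0;
    GetWindowThreadProcessId(this->m_hWnd, &dwProcessId);
    parameter param = {}; // zero any field not set below
    param.plantsId = this->m_nId;
    param.xPos = this->m_uX;
    param.yPos = this->m_uY;
    InjectRemoteFunc(dwProcessId, InjectCode, &param, sizeof(param));
}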
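//远程线程处理 — copy 4096 bytes starting at mFunc plus dwParamSize bytes of
// lpRemoteParam into process dwPid, run mFunc there on a new thread with the
// parameter copy as its argument, wait for it, then release everything.
// Fixes over the posted version: the final VirtualFreeEx was handed the thread
// handle instead of pFunAddr, the parameter block was never freed, and the
// code page leaked on every failure after its allocation.
void CzwdzjsfuzhuDlg::InjectRemoteFunc(DWORD dwPid, LPVOID mFunc, LPVOID lpRemoteParam, DWORD dwParamSize)
{
    HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwPid);
    // With a NULL handle VirtualAllocEx fails, so the existing message covers it.
    PVOID pFunAddr = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
    if (pFunAddr == NULL)
    {
        ::MessageBox(NULL, TEXT("分配函数内存失败!"), TEXT("错误类型!"), MB_ICONHAND);
        CloseHandle(hProcess);
        return;
    }

    PVOID pParamAddr = NULL;
    HANDLE hRemoteThread = NULL;
    LPCTSTR error = NULL;
    LPCTSTR caption = TEXT("错误类型!");
    DWORD dwWriteSize = 0;

    // Copies a fixed 4096 bytes from mFunc; the function is almost certainly
    // shorter, so bytes past its end are copied as well (as in the original).
    if (!WriteProcessMemory(hProcess, pFunAddr, mFunc, 4096, &dwWriteSize))
        error = TEXT("写入内存失败!");
    else if ((pParamAddr = VirtualAllocEx(hProcess, NULL, dwParamSize, MEM_COMMIT, PAGE_READWRITE)) == NULL)
        error = TEXT("分配参数内存失败!");
    else if (!WriteProcessMemory(hProcess, pParamAddr, lpRemoteParam, dwParamSize, &dwWriteSize))
        error = TEXT("写入内存失败!");
    else if ((hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, pParamAddr, 0, NULL)) == NULL)
    {
        error = TEXT("创建远程线程失败!");
        caption = TEXT("error"); // the original used this caption for this case
    }

    if (error != NULL)
        ::MessageBox(NULL, error, caption, MB_ICONHAND);
    else
    {
        WaitForSingleObject(hRemoteThread, INFINITE);
        CloseHandle(hRemoteThread);
    }

    // Release the remote allocations only after the thread has finished.
    // MEM_RELEASE requires a size of 0.
    if (pParamAddr != NULL)
        VirtualFreeEx(hProcess, pParamAddr, 0, MEM_RELEASE);
    VirtualFreeEx(hProcess, pFunAddr, 0, MEM_RELEASE);
    CloseHandle(hProcess);
}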
//注入全屏炸弹
// Routine whose bytes OnBnClickedButtonFullBom() copies into the game process
// and starts as a remote thread (no parameter). For every cell of a 5 × 9
// grid it calls the game routine at 0x00422610 with eax = yPos and xPos, the
// constant id 2, -1 and one value loaded from memory pushed on the stack.
// NOTE(review): compiled as a non-static member function (implicit `this`);
// whether the copied 4096 bytes are position-independent cannot be judged
// from here.
void CzwdzjsfuzhuDlg::InjectFullBom()
{
    for (UINT yPos = 0; yPos < 5; yPos++)
    {
        for (UINT xPos = 0; xPos < 9; xPos++)
        {
            __asm
            {
                pushad
                pushfd
                mov edx, 2
                mov eax, yPos
                push - 1
                push edx
                mov ecx, xPos
                push ecx
                mov edi, dword ptr ds :   ; NOTE(review): memory operand missing on this line and the next — likely stripped by forum formatting
                mov edi, dword ptr ds :
                push edi
                mov ebx, 0x00422610       ; address inside the game process
                call ebx
                popfd
                popad
            }
        }
    }
}
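//全屏炸弹 — copy InjectFullBom() into the game process, run it on a remote
// thread, wait for it and release the page. Fixes over the posted version:
// VirtualFreeEx was handed the thread handle instead of pFunAddr (so the page
// was never freed), and the page leaked when WriteProcessMemory failed.
void CzwdzjsfuzhuDlg::OnBnClickedButtonFullBom()
{
    // TODO: 在此添加控件通知处理程序代码
    DWORD dwProcessId = 0;
    GetWindowThreadProcessId(this->m_hWnd, &dwProcessId);
    HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    // A NULL hProcess makes VirtualAllocEx fail, which the message below reports.
    PVOID pFunAddr = VirtualAllocEx(hProcess, NULL, 4096, MEM_COMMIT, PAGE_READWRITE);
    if (pFunAddr == NULL)
    {
        ::MessageBox(NULL, TEXT("分配函数内存失败!"), TEXT("错误类型!"), MB_ICONHAND);
        CloseHandle(hProcess);
        return;
    }

    DWORD dwWriteSize = 0;
    // Fixed 4096-byte copy starting at InjectFullBom, as in the original.
    if (!WriteProcessMemory(hProcess, pFunAddr, InjectFullBom, 4096, &dwWriteSize))
    {
        ::MessageBox(NULL, TEXT("写入内存失败!"), TEXT("错误类型!"), MB_ICONHAND);
        VirtualFreeEx(hProcess, pFunAddr, 0, MEM_RELEASE);
        CloseHandle(hProcess);
        return;
    }

    HANDLE hRemoteThread = CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pFunAddr, NULL, 0, NULL);
    if (hRemoteThread == NULL)
        ::MessageBox(NULL, TEXT("创建远程线程失败!"), TEXT("error"), MB_ICONHAND);
    else
    {
        WaitForSingleObject(hRemoteThread, INFINITE);
        CloseHandle(hRemoteThread);
    }
    // Free the code page only after the thread has finished; MEM_RELEASE needs size 0.
    VirtualFreeEx(hProcess, pFunAddr, 0, MEM_RELEASE);
    CloseHandle(hProcess);
}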
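//去掉游戏暂停 — toggle three bytes at 0x00472B50 in the game process:
// checked → C2 04 00 (`ret 4`), unchecked → 55 8B EC (`push ebp; mov ebp,esp`,
// presumably the routine's original prologue). Fixes over the posted version:
// the failure branch closed hProcess twice, a NULL handle from GetDlgItem or
// OpenProcess was never checked, and both branches duplicated the whole path.
void CzwdzjsfuzhuDlg::OnBnClickedCheckClearPause()
{
    // TODO: 在此添加控件通知处理程序代码
    CButton* pBtn = static_cast<CButton*>(GetDlgItem(IDC_CHECK_CLEAR_PAUSE));
    if (pBtn == NULL)
        return;

    static const UCHAR kSkipBytes[] = { 0xC2, 0x04, 0x00 };
    static const UCHAR kOrigBytes[] = { 0x55, 0x8B, 0xEC };
    const bool checked = (pBtn->GetCheck() == 1);
    const UCHAR* param = checked ? kSkipBytes : kOrigBytes;
    const int nParamSize = sizeof(kSkipBytes); // both patches are 3 bytes

    DWORD dwProcessId = 0;
    GetWindowThreadProcessId(this->m_hWnd, &dwProcessId);
    HANDLE hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
    if (hProcess == NULL)
    {
        // Same message the original showed when the write failed on a NULL handle.
        AfxMessageBox(TEXT("写入内存失败!"));
        return;
    }

    LPVOID lpBaseAddr = (LPVOID)0x00472B50;
    if (!WriteProcessMemory(hProcess, lpBaseAddr, param, nParamSize, NULL))
        AfxMessageBox(TEXT("写入内存失败!"));
    CloseHandle(hProcess); // exactly once on every path
}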
以前写的供参考
不要使用裸函数,将要用到的参数传递过去
你在植物大战僵尸中申请内存,这段代码在它的内存空间中运行,你说呢?