[已解决] 请教下C++内嵌汇编传递参数

h5587686 发表于 2021-1-17 11:44
本帖最后由 h5587686 于 2021-1-21 20:21 编辑

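#include <windows.h>
#include <iostream>

using namespace std;

// Body that main() copies into the game process and starts there (defined below).
void zhuru();

// Values meant to be passed to the game (presumably a grid position, as in
// the xPos/yPos of the reply further down).  Note: zhuru references them by
// name, and MASM turns that into a load from their address in *this*
// process; once the code is copied into the game that address holds
// something else, which is why the replies say the values "don't take effect".
const int   x = 2;
const int   y = 2;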
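// Finds the game window, copies the bytes of zhuru into the game's address
// space and runs them there as a thread.  Returns 0 on success, 1 when any
// step fails.  Fixes versus the original: every handle is checked before it
// is used and closed afterwards, the remote page is released once the thread
// has finished, and main returns int as the language requires.
// NOTE: 4096 bytes are copied starting at zhuru; the function is shorter than
// that, so the copy reads past its end (and may touch an unmapped page).
// NOTE: the copied code refers to x and y by address — see the comment on
// those globals; it works only for values the game process itself can see.
int main()
{
    HWND hw = FindWindow(NULL, TEXT("Plants vs. Zombies"));
    if (hw == NULL)
    {
        std::cerr << "game window not found\n";
        return 1;
    }

    DWORD ProcessID = 0;
    GetWindowThreadProcessId(hw, &ProcessID);
    if (ProcessID == 0)
    {
        std::cerr << "cannot resolve the game's process id\n";
        return 1;
    }

    HANDLE hp = OpenProcess(PROCESS_ALL_ACCESS, FALSE, ProcessID);
    if (hp == NULL)
    {
        std::cerr << "OpenProcess failed\n";
        return 1;
    }

    PVOID add = VirtualAllocEx(hp, NULL, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    if (add == NULL)
    {
        std::cerr << "VirtualAllocEx failed\n";
        CloseHandle(hp);
        return 1;
    }

    int rc = 1;
    SIZE_T written = 0;  // the API reports SIZE_T, not DWORD
    if (!WriteProcessMemory(hp, add, zhuru, 4096, &written))
    {
        std::cerr << "WriteProcessMemory failed\n";
    }
    else
    {
        HANDLE th = CreateRemoteThread(hp, NULL, 0, (LPTHREAD_START_ROUTINE)add, NULL, 0, NULL);
        if (th == NULL)
        {
            std::cerr << "CreateRemoteThread failed\n";
        }
        else
        {
            // The remote page must stay mapped until the thread has returned.
            WaitForSingleObject(th, INFINITE);
            CloseHandle(th);
            rc = 0;
        }
    }

    VirtualFreeEx(hp, add, 0, MEM_RELEASE);
    CloseHandle(hp);
    return rc;
}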

// Function whose machine code main() copies into the game and starts there as
// a thread.  `naked` means the compiler emits no prologue or epilogue, so the
// `ret` below is the only way out and the stack must be balanced by hand.
// Everything this code touches must be valid *inside the game's address
// space*: the replies point out that x and y are not (they are this program's
// globals), while the hard-coded addresses below are game addresses.
__declspec(naked)  void  zhuru()
{

    __asm
    {
            pushad                              // save all general-purpose registers
            pushfd                              // save flags
            push - 1                            // pushed arguments for the call below; their meaning and order
            push 2                              // follow the game routine's convention, which is not shown here
            mov eax,1(y)                        // intended as y; assembles to a load from y's address in THIS process.
                                                // The "1(...)" operand form as pasted is unusual — verify against the original source
            push 1(x)                           // intended as x; same problem as above.  eax is loaded but not pushed,
                                                // so the callee presumably takes one value in a register — confirm
            mov ebx, ds: [0x00755e0c]           // first pointer of a chain in the game (static, version specific;
                                                // the reply below uses 0x007794F8 for 1.2.0.1073)
            mov ebx, ds : [ebx + 0x00000868]    // second level of the chain
            push ebx                            // the resulting object pointer is the last value pushed
            mov edx, 0x00418D70                 // routine inside the game, absolute address
            call edx
            popfd                               // restore flags
            popad                               // restore registers
            ret                                 // back to the remote thread's start stub
    }

}


1.png 2.png
为什么传入X、Y的时候就不起作用了呢?程序倒不会崩溃,只是传入的X、Y不起作用了,常量就正常呢?
寄存器和声明的变量有冲突?


Aperodry 发表于 2021-1-17 12:21
把 const int x定义为 dword x
__asm mov eax,x
__asm push eax
__asm mov eax,y
__asm push eax

这样试试呢
klamauk 发表于 2021-1-17 13:53
x、y变量是你自己程序的内存地址,你裸函数执行的内存地址是植物大战僵尸的内存地址,植物大战僵尸怎么读取你程序的内存地址呢?
方法是把x,y的值都写入到你申请的内存空间中。
 楼主| h5587686 发表于 2021-1-17 14:11
本帖最后由 h5587686 于 2021-1-17 14:13 编辑
klamauk 发表于 2021-1-17 13:53
x、y变量是你自己程序的内存地址,你裸函数执行的内存地址是植物大战僵尸的内存地址,植物大战僵尸怎么读取 ...

我好像明白是怎么回事了
汇编函数是一块我手动在游戏开辟的单独内存地址吧,main函数是一块不属于游戏的内存地址
两者没有任何联系吧 所以我调用XY完全就写不进去
意思我要把XY的值也就是2个变量的地址也注入进去?
虚无空幻 发表于 2021-1-17 14:14
楼上师兄说的对啊.
你是没走流程
实际汇编代码的编译结果,不是 mov eax,2 而是 mov eax,[全局变量内存地址]   
klamauk 发表于 2021-1-17 14:19
是的,你申请的内存空间是属于游戏的,不是你自己程序的。
Jack2002 发表于 2021-1-17 14:21
注入dll,代码就好写了!
古月不傲 发表于 2021-1-17 14:45
本帖最后由 古月不傲 于 2021-1-17 14:49 编辑

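//进程提权
// Enables SE_DEBUG_NAME on this process's own token (presumably so that the
// later OpenProcess calls on the game succeed — the caller is not shown).
// Returns FALSE when any step fails; the original returned TRUE
// unconditionally and used hToken even when OpenProcessToken had failed.
// The token handle is closed on every path.
BOOL CzwdzjsfuzhuDlg::EnablePriv()
{
	HANDLE hToken = NULL;
	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
		return FALSE;

	LUID luid;
	BOOL ok = LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &luid);
	if (ok)
	{
		TOKEN_PRIVILEGES tkp;
		tkp.PrivilegeCount = 1;
		tkp.Privileges[0].Luid = luid;
		tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;

		// AdjustTokenPrivileges returns TRUE even when the privilege was not
		// granted (e.g. the account does not hold it); that case is reported
		// through GetLastError() == ERROR_NOT_ALL_ASSIGNED.
		ok = AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)
			&& GetLastError() != ERROR_NOT_ALL_ASSIGNED;
	}

	CloseHandle(hToken);
	return ok;
}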

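//选中的植物ID
// Combo-box selection handler: stores the selected index in m_nId.
// InjectCode later maps that index (0, 1, anything else) to a game plant id.
// The original dereferenced GetDlgItem without a null check.
void CzwdzjsfuzhuDlg::OnCbnSelchangeComboPlantsId()
{
	CComboBox *cboBox = static_cast<CComboBox *>(GetDlgItem(IDC_COMBO_PLANTS_ID));
	if (cboBox == NULL)
		return;	// control not found; keep the previous selection
	// GetCurSel returns CB_ERR (-1) when nothing is selected; as before that
	// is stored as a large UINT, which InjectCode treats like any other index.
	this->m_nId = static_cast<UINT>(cboBox->GetCurSel());
}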

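//统一处理
// Follows a two-level pointer chain in the game process and writes one DWORD:
//     final = *( *baseAddr + oneOffset ) + twoOffset;   *final = dwValue
// baseAddr            : static address of the first pointer (game specific).
// dwBuffer, dwLength  : kept only for signature compatibility.  The original
//                       used them as scratch for the intermediate pointer and
//                       as the bytes-transferred cell; their incoming values
//                       were never read, so callers may pass anything.
// oneOffset, twoOffset: offsets applied after the first and second dereference.
// dwValue             : value stored at the final address.
// Side effect: this->m_hWnd is set to the game's window; the other handlers
// read it to find the game's process id.  NOTE(review): if m_hWnd is the
// inherited CWnd::m_hWnd, this overwrites the dialog's own window handle —
// confirm it is a separate member of CzwdzjsfuzhuDlg.
// Failures are reported with a message box; silent (as before) when the game
// window or its process cannot be opened.  The handle is closed on every path.
void CzwdzjsfuzhuDlg::MyProc(LPVOID baseAddr, DWORD dwBuffer, DWORD dwLength,
		DWORD oneOffset, DWORD twoOffset, DWORD dwValue)
{
	(void)dwBuffer;	// see the parameter notes above
	(void)dwLength;

	this->m_hWnd = ::FindWindow(NULL, TEXT("Plants vs. Zombies 1.2.0.1073 RELEASE"));
	DWORD processId = 0;
	if (this->m_hWnd == NULL || GetWindowThreadProcessId(this->m_hWnd, &processId) == 0)
		return;

	// Only memory read/write rights are needed here, not PROCESS_ALL_ACCESS.
	HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, processId);
	if (hProcess == NULL)
		return;

	SIZE_T transferred = 0;	// ReadProcessMemory/WriteProcessMemory report SIZE_T, not DWORD
	DWORD addr = 0;
	LPCTSTR failure = NULL;	// message for the first step that failed, if any
	if (!ReadProcessMemory(hProcess, baseAddr, &addr, sizeof(addr), &transferred))
	{
		failure = TEXT("读取基地址失败!");
	}
	else
	{
		addr += oneOffset;
		if (!ReadProcessMemory(hProcess, reinterpret_cast<LPVOID>(addr), &addr, sizeof(addr), &transferred))
		{
			failure = TEXT("读取一级偏移地址失败!");
		}
		else
		{
			addr += twoOffset;
			if (!WriteProcessMemory(hProcess, reinterpret_cast<LPVOID>(addr), &dwValue, sizeof(dwValue), &transferred))
				failure = TEXT("写入内存失败!");
		}
	}
	CloseHandle(hProcess);

	if (failure != NULL)
		::MessageBox(NULL, failure, TEXT("错误类型!"), MB_ICONHAND);
}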

//无限阳光
// Sun button: stores 999999 through the chain 0x007794F8 -> +0x868 -> +0x5578
// in the game process via MyProc.
void CzwdzjsfuzhuDlg::OnBnClickedButtonSun()
{
	const DWORD sunValue = 999999;
	// The two zeros are the scratch cells MyProc's signature still carries.
	MyProc(reinterpret_cast<LPVOID>(0x007794F8), 0, 0, 0x868, 0x5578, sunValue);
}

//无限金币
// Money button: stores 999999 through the chain 0x00779618 -> +0x950 -> +0x50
// in the game process via MyProc.
void CzwdzjsfuzhuDlg::OnBnClickedButtonMoney()
{
	const DWORD moneyValue = 999999;
	// The two zeros are the scratch cells MyProc's signature still carries.
	MyProc(reinterpret_cast<LPVOID>(0x00779618), 0, 0, 0x950, 0x50, moneyValue);
}

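//统一无CD
// Writes *tLength bytes from dwValue to baseAddr in the game process.  The
// original always wrote exactly 2 bytes; both callers pass sizeof of a
// 2-byte buffer, so behaviour is unchanged for them, and 2 is still used when
// tLength is NULL.  On return *tLength holds the bytes actually written (as
// WriteProcessMemory reports) or 0 when the process could not be opened.
// NOTE(review): the process id comes from this->m_hWnd, which MyProc sets to
// the game window; if no MyProc call happened first and m_hWnd is the
// dialog's own CWnd handle, this would patch the trainer's own process —
// confirm how m_hWnd is initialised.
void CzwdzjsfuzhuDlg::NoCd(LPVOID baseAddr, UCHAR *dwValue, SIZE_T *tLength)
{
	const SIZE_T bytesToWrite = (tLength != NULL) ? *tLength : 2;

	DWORD processId = 0;
	GetWindowThreadProcessId(this->m_hWnd, &processId);
	// Only write rights are needed here, not PROCESS_ALL_ACCESS.
	HANDLE process = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, processId);
	if (process == NULL)
	{
		if (tLength != NULL)
			*tLength = 0;
		return;
	}

	// The result is not checked (as before); callers can inspect *tLength.
	WriteProcessMemory(process, baseAddr, dwValue, bytesToWrite, tLength);
	CloseHandle(process);
}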

//无冷却时间
// Cooldown button: overwrites two bytes at 0x004B2FF3 in the game with NOP (0x90).
void CzwdzjsfuzhuDlg::OnBnClickedButtonCd()
{
	UCHAR nops[] = { 0x90, 0x90 };
	SIZE_T written = sizeof nops;	// in: bytes to write, out: bytes written
	NoCd(reinterpret_cast<LPVOID>(0x004B2FF3), nops, &written);
}

//大嘴无CD
// Chomper-cooldown button: overwrites two bytes at 0x004855F5 in the game with NOP (0x90).
void CzwdzjsfuzhuDlg::OnBnClickedButtonEatingNocd()
{
	UCHAR nops[] = { 0x90, 0x90 };
	SIZE_T written = sizeof nops;	// in: bytes to write, out: bytes written
	NoCd(reinterpret_cast<LPVOID>(0x004855F5), nops, &written);
}

//注入安放植物代码
// Thread body executed inside the game process (InjectRemoteFunc copies its
// bytes there).  lpThreadParameter points at the copy of the `parameter`
// struct that OnBnClickedButtonPlantCall had written into the game.  Maps the
// combo-box index to a game plant id, then calls the game's planting routine
// with the position from the struct.
// NOTE(review): because the bytes are copied verbatim, the function must not
// contain calls or absolute data references into this program — a debug
// build's runtime checks or security-cookie call would be resolved against
// this process's addresses.  It is a non-static member, so `this` (ecx) holds
// whatever the remote thread start stub left there; it is never read here.
void CzwdzjsfuzhuDlg::InjectCode(LPVOID lpThreadParameter)
{
	param parameter = (param)lpThreadParameter;	// `param` is presumably a pointer typedef to the struct — not shown
	UINT plantsId = parameter->plantsId;
	UINT xPos = parameter->xPos;
	UINT yPos = parameter->yPos;

	// combo-box index -> plant id used by the game (the id values are the game's)
	if (plantsId == 0)
		plantsId = 2;
	else if (plantsId == 1)
		plantsId = 6;
	else
		plantsId = 3;
	__asm
	{
		pushad
		pushfd
		mov edx, plantsId
		mov eax, yPos                           // not pushed: presumably a register argument of the callee — confirm
		push -1
		push edx                                // plant id
		mov ecx, xPos
		push ecx                                // x position
		mov edi, dword ptr ds : [0x007794F8]    // same pointer chain MyProc follows for sun (base + 0x868)
		mov edi, dword ptr ds : [edi + 0x868]
		push edi                                // object pointer is the last value pushed
		mov ebx, 0x00422610                     // planting routine inside the game (InjectFullBom calls the same address)
		call ebx
		popfd
		popad
	}	
}

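//植物安放call
// Plant button: reads the dialog fields (UpdateData), packs the selected plant
// index and grid position into a `parameter` struct and runs InjectCode in the
// game process with a copy of that struct as the thread argument.
// The pasted listing had `&param` mangled into "&#182;m" (the HTML entity for
// "&para"); it is the address of the local struct.
void CzwdzjsfuzhuDlg::OnBnClickedButtonPlantCall()
{
	UpdateData(TRUE);
	DWORD dwProcessId = 0;
	GetWindowThreadProcessId(this->m_hWnd, &dwProcessId);	// m_hWnd is set to the game window by MyProc
	parameter param;
	param.plantsId = this->m_nId;
	param.xPos = this->m_uX;
	param.yPos = this->m_uY;
	// InjectCode is a non-static member passed as a plain code address;
	// whether that conversion is accepted depends on the compiler — MSVC only.
	InjectRemoteFunc(dwProcessId, InjectCode, &param, sizeof(param));
}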

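//远程线程处理
// Copies 4096 bytes starting at mFunc into process dwPid, copies dwParamSize
// bytes from lpRemoteParam into a second allocation, runs mFunc there as a
// thread with the parameter copy as its argument, and waits for it to finish.
// Fixes versus the original: the process handle is validated before it is
// used; both remote allocations are released (the original passed the
// *thread handle* to VirtualFreeEx, which is not an address, and leaked
// pParamAddr); every exit path closes the handles it opened.
// NOTE(review): copying a fixed 4096 bytes from mFunc reads past the end of
// the function and can cross into an unmapped page — kept because no function
// length is available.  The code page is allocated PAGE_READWRITE as before;
// whether the thread can execute from it depends on the target's DEP setting
// (the first post's version used PAGE_EXECUTE_READWRITE).
void CzwdzjsfuzhuDlg::InjectRemoteFunc(DWORD dwPid, LPVOID mFunc, LPVOID lpRemoteParam, DWORD dwParamSize)
{
	// Minimal RAII so every early return releases what was acquired,
	// in reverse order of acquisition.
	struct HandleGuard
	{
		HANDLE h;
		~HandleGuard() { if (h != NULL) CloseHandle(h); }
	};
	struct RemoteGuard
	{
		HANDLE hProcess;
		PVOID addr;
		~RemoteGuard() { if (addr != NULL) VirtualFreeEx(hProcess, addr, 0, MEM_RELEASE); }
	};

	// The rights CreateRemoteThread/VirtualAllocEx/WriteProcessMemory document
	// as required, instead of PROCESS_ALL_ACCESS.
	HandleGuard process = { ::OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
		| PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwPid) };
	if (process.h == NULL)
	{
		::MessageBox(NULL, TEXT("打开进程失败!"), TEXT("错误类型!"), MB_ICONHAND);
		return;
	}

	RemoteGuard code = { process.h, VirtualAllocEx(process.h, NULL, 4096, MEM_COMMIT, PAGE_READWRITE) };
	if (code.addr == NULL)
	{
		::MessageBox(NULL, TEXT("分配函数内存失败!"), TEXT("错误类型!"), MB_ICONHAND);
		return;
	}

	SIZE_T written = 0;	// WriteProcessMemory reports SIZE_T, not DWORD
	if (!WriteProcessMemory(process.h, code.addr, mFunc, 4096, &written))
	{
		::MessageBox(NULL, TEXT("写入内存失败!"), TEXT("错误类型!"), MB_ICONHAND);
		return;
	}

	RemoteGuard param = { process.h, VirtualAllocEx(process.h, NULL, dwParamSize, MEM_COMMIT, PAGE_READWRITE) };
	if (param.addr == NULL)
	{
		::MessageBox(NULL, TEXT("分配参数内存失败!"), TEXT("错误类型!"), MB_ICONHAND);
		return;
	}
	if (!WriteProcessMemory(process.h, param.addr, lpRemoteParam, dwParamSize, &written))
	{
		::MessageBox(NULL, TEXT("写入内存失败!"), TEXT("错误类型!"), MB_ICONHAND);
		return;
	}

	HandleGuard thread = { CreateRemoteThread(process.h, NULL, 0,
		reinterpret_cast<LPTHREAD_START_ROUTINE>(code.addr), param.addr, 0, NULL) };
	if (thread.h == NULL)
	{
		::MessageBox(NULL, TEXT("创建远程线程失败!"), TEXT("error"), MB_ICONHAND);
		return;
	}

	// Both remote pages must stay mapped until the thread has finished with
	// them; the guards release them after this returns.
	WaitForSingleObject(thread.h, INFINITE);
}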
//注入全屏炸弹
// Thread body executed inside the game process (OnBnClickedButtonFullBom
// copies its bytes there).  Calls the game's planting routine once per cell
// of a 5 x 9 grid with plant id 2 — the same call sequence as InjectCode,
// with the position taken from the loop counters.
// NOTE(review): like InjectCode this only works if the compiled bytes contain
// no calls or absolute data references into this program (debug runtime
// checks, stack cookie); confirm with the build used.  As a non-static
// member, `this` (ecx) is never read here.
void CzwdzjsfuzhuDlg::InjectFullBom()
{
	for (UINT yPos = 0; yPos < 5; yPos++)       // presumably rows
	{
		for (UINT xPos = 0; xPos < 9; xPos++)   // presumably columns
		{
			__asm
			{
				pushad
				pushfd
				mov edx, 2                              // plant id 2 (InjectCode uses the same value for combo index 0)
				mov eax, yPos                           // not pushed: presumably a register argument of the callee — confirm
				push - 1
				push edx                                // plant id
				mov ecx, xPos
				push ecx                                // x position
				mov edi, dword ptr ds : [0x007794F8]    // same pointer chain MyProc follows for sun (base + 0x868)
				mov edi, dword ptr ds : [edi + 0x868]
				push edi                                // object pointer is the last value pushed
				mov ebx, 0x00422610                     // planting routine inside the game (same address InjectCode calls)
				call ebx
				popfd
				popad
			}
		}
	}
}

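//全屏炸弹
// Full-screen bomb button: copies 4096 bytes from InjectFullBom into the game
// process, runs them there as a thread and waits for it.  Same acquire/
// release fixes as InjectRemoteFunc: the process handle is checked before it
// is used, the code page is released once the thread is done (the original
// passed the thread handle to VirtualFreeEx and leaked the page), and every
// exit path closes what it opened.
// NOTE(review): the copy is a fixed 4096 bytes regardless of the function's
// real size, and the page is PAGE_READWRITE as before — see the note on
// InjectRemoteFunc.
void CzwdzjsfuzhuDlg::OnBnClickedButtonFullBom()
{
	struct HandleGuard
	{
		HANDLE h;
		~HandleGuard() { if (h != NULL) CloseHandle(h); }
	};
	struct RemoteGuard
	{
		HANDLE hProcess;
		PVOID addr;
		~RemoteGuard() { if (addr != NULL) VirtualFreeEx(hProcess, addr, 0, MEM_RELEASE); }
	};

	DWORD dwProcessId = 0;
	GetWindowThreadProcessId(this->m_hWnd, &dwProcessId);	// m_hWnd is set to the game window by MyProc

	// The rights CreateRemoteThread/VirtualAllocEx/WriteProcessMemory document
	// as required, instead of PROCESS_ALL_ACCESS.
	HandleGuard process = { ::OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION
		| PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, dwProcessId) };
	if (process.h == NULL)
	{
		::MessageBox(NULL, TEXT("打开进程失败!"), TEXT("错误类型!"), MB_ICONHAND);
		return;
	}

	RemoteGuard code = { process.h, VirtualAllocEx(process.h, NULL, 4096, MEM_COMMIT, PAGE_READWRITE) };
	if (code.addr == NULL)
	{
		::MessageBox(NULL, TEXT("分配函数内存失败!"), TEXT("错误类型!"), MB_ICONHAND);
		return;
	}

	SIZE_T written = 0;	// WriteProcessMemory reports SIZE_T, not DWORD
	if (!WriteProcessMemory(process.h, code.addr, InjectFullBom, 4096, &written))
	{
		::MessageBox(NULL, TEXT("写入内存失败!"), TEXT("错误类型!"), MB_ICONHAND);
		return;
	}

	HandleGuard thread = { CreateRemoteThread(process.h, NULL, 0,
		reinterpret_cast<LPTHREAD_START_ROUTINE>(code.addr), NULL, 0, NULL) };
	if (thread.h == NULL)
	{
		::MessageBox(NULL, TEXT("创建远程线程失败!"), TEXT("error"), MB_ICONHAND);
		return;
	}

	// The code page must stay mapped until the thread has returned; the
	// guards release it and close the handles after this.
	WaitForSingleObject(thread.h, INFINITE);
}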

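//去掉游戏暂停
// Check-box handler for the "no pause" toggle: patches the first three bytes
// of the game routine at 0x00472B50.  Checked writes C2 04 00 (`ret 4`, so
// the routine returns immediately); unchecked restores the prologue bytes
// 55 8B EC (`push ebp; mov ebp, esp`).
// Fixes versus the original: the handle was closed twice on the failure path,
// the two branches were copy-pasted with only the bytes differing, and the
// process handle was not validated before use.
void CzwdzjsfuzhuDlg::OnBnClickedCheckClearPause()
{
	CButton* pBtn = static_cast<CButton*>(GetDlgItem(IDC_CHECK_CLEAR_PAUSE));
	if (pBtn == NULL)
		return;
	// Only BST_CHECKED (1) patches; unchecked and indeterminate both restore, as before.
	const bool disablePause = (pBtn->GetCheck() == 1);

	static const UCHAR kRetStub[3] = { 0xC2, 0x04, 0x00 };
	static const UCHAR kOriginal[3] = { 0x55, 0x8B, 0xEC };
	const UCHAR* patch = disablePause ? kRetStub : kOriginal;
	const SIZE_T patchSize = sizeof(kRetStub);	// both patterns are 3 bytes
	LPVOID lpBaseAddr = reinterpret_cast<LPVOID>(0x00472B50);

	DWORD dwProcessId = 0;
	GetWindowThreadProcessId(this->m_hWnd, &dwProcessId);	// m_hWnd is set to the game window by MyProc
	// Only write rights are needed here, not PROCESS_ALL_ACCESS.
	HANDLE hProcess = ::OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, dwProcessId);
	if (hProcess == NULL)
	{
		AfxMessageBox(TEXT("写入内存失败!"));	// same report the original produced when the write failed on a NULL handle
		return;
	}
	if (!WriteProcessMemory(hProcess, lpBaseAddr, patch, patchSize, NULL))
		AfxMessageBox(TEXT("写入内存失败!"));
	CloseHandle(hProcess);
}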

以前写的供参考
不要使用裸函数,将要用到的参数传递过去
你在植物大战僵尸中申请内存,这段代码在它的内存空间中运行,你说呢?