在bpsend看到的,转下来 武林外传 117 常用Call(VC Dll) 这是我用VC写的武林117版的一些常用Call 函数,现给出Dll源代码,没什么技术含量,参考一些资料 VC新建Dll工程,添加cpp文件,名字为wulin2,添加一个文本文件,命名为 wulin2.def,拷贝下面的代码到相应文件,编译后就可以使用了
//文件 wulin2.cpp
// wulin2.cpp : Defines the entry point for the DLL application.
//
#include "StdAfx.h"
#include "windows.h"
// Parameter block and module-level state shared by the routines below.
// NOTE(review): the data_seg("Shared") / data_seg() pair brackets only a typedef,
// which defines no variables, so nothing visible in this file is placed in the
// "Shared" section that the linker directive marks read/write/shared (RWS).
#pragma data_seg("Shared")
typedef struct paramdata
  {
long param1;   // read by KuaiJie/KuaiJieF as an array index and by AutoGo (converted to float)
long param2;   // read by AutoGo (converted to float)
DWORD param3;  // filled in by ChooseKeys (mkeycode 1) and pushed by PickUp
DWORD param4;  // filled in by ChooseKeys (mkeycode 1) and pushed by PickUp
}paramdata,*paramp;
#pragma data_seg()
#pragma comment(linker,"/Section:Shared,RWS")
// Address of the executable region ChooseKeys allocates in the target process;
// DoFunc copies routine bytes there and starts the remote thread on it.
LPVOID ThreadAdd;
// Address of the region in the target process that receives the paramdata copy.
LPVOID ParamAdd;
// Size in bytes (4096) of the code region, and of every code copy DoFunc performs.
const DWORD wSize=1024*4;
// Process handle used for every cross-process call; despite the name it is a
// HANDLE, not a process id. Set from ChooseKeys' first argument.
HANDLE hpid;

// Normal attack, for client version 117.
// Calls the hard-coded address 0x005A3090 with no arguments and returns 0.
// ChooseKeys passes this routine to DoFunc, which copies its bytes into the
// process behind hpid and runs the copy on a remote thread, so the address is
// resolved in that process, not in the one that loaded this DLL.
// NOTE(review): the address is tied to one specific build of the target; against
// any other build the call lands on unrelated code.
int NormalHit() // normal attack, for 117
  {
DWORD addr=0x005A3090;
__asm
 {
call addr
}
return 0;
}

// Tab "select target" key, for client version 117.
// Walks the pointer chain [[0x008FC85C]+0x1C]+0x24, places the result in ecx,
// pushes 0 and calls the hard-coded address 0x0045BF80. Returns 0.
// Executed as a copy inside the target process (see DoFunc).
// NOTE(review): ecx presumably carries the object pointer for the callee
// (thiscall-style) - not verifiable from this file.
int CallTab() // Tab target-selection key, for 117
  {
DWORD addr=0x0045BF80;
__asm
 {
mov eax,0x008FC85C
mov eax,[eax]
mov eax,[eax+0x1C]
mov ecx,[eax+0x24]
push 0
call addr
}
return 0;
}

// Shortcut-bar keys 1..0, mapped to indices 0..9, for client version 117.
// lParam points at a paramdata block; param1 is the index.
// Walks the chain [[[[[0x008FC85C]+0x1C]+0x24]+0x8E8]+0xC], takes element
// param1 of the resulting array of 4-byte entries, then calls the function
// pointer stored at offset 8 of the table that the element's first dword points
// to, with ecx set to the element. Returns 0.
// Executed as a copy inside the target process (see DoFunc).
// NOTE(review): param1 is used as an array index with no bounds check, and no
// pointer in the chain is tested for NULL before it is dereferenced.
int KuaiJie(LPVOID lParam) // keys 1~0 correspond to 0~9, for 117
  {
paramdata * lp;
lp=(paramdata *)lParam;
DWORD lp1=lp->param1;
__asm
 {
mov eax,0x008FC85C
mov eax,[eax]
mov eax,[eax+0x1C]
mov eax,[eax+0x24]
mov eax,[eax+0x8E8]
mov eax,[eax+0xC]
mov edx,lp1
mov eax,[eax+edx*4]   // element param1 of the array
mov edx,[eax]         // first dword of the element (looks like a vtable pointer - confirm)
mov ecx,eax
mov eax,[edx+0x8]
call eax
}
return 0;
}
// Shortcut-bar keys F1..F8, mapped to indices 0..7, for client version 117.
// Identical to KuaiJie except that the chain goes through offset 0x8F4 instead
// of 0x8E8: [[[[[0x008FC85C]+0x1C]+0x24]+0x8F4]+0xC], element param1, then a
// call through offset 8 of the table the element's first dword points to, with
// ecx set to the element. Returns 0.
// Executed as a copy inside the target process (see DoFunc).
// NOTE(review): param1 is used as an array index with no bounds check, and no
// pointer in the chain is tested for NULL before it is dereferenced.
int KuaiJieF(LPVOID lParam) // F1~F8 correspond to 0~7, for 117
  {
paramdata * lp;
lp=(paramdata *)lParam;
DWORD lp1=lp->param1;
__asm
 {
mov eax,0x008FC85C
mov eax,[eax]
mov eax,[eax+0x1C]
mov eax,[eax+0x24]
mov eax,[eax+0x8F4]
mov eax,[eax+0xC]
mov edx,lp1
mov eax,[eax+edx*4]   // element param1 of the array
mov edx,[eax]         // first dword of the element (looks like a vtable pointer - confirm)
mov ecx,eax
mov eax,[edx+0x8]
call eax
}
return 0;
}
// Sit down (meditate), for client version 117.
// Calls the hard-coded address 0x005A3710 with no arguments and returns 0.
// lParam is cast to a paramdata pointer but never read.
// Executed as a copy inside the target process (see DoFunc).
int Sit(LPVOID lParam) // sit / meditate, for 117
  {
DWORD addr=0x005A3710;
paramdata * lp;
lp=(paramdata *)lParam;
__asm
 {
call addr
}
return 0;
}
// Stand up (cancel meditation), for client version 117.
// Calls the hard-coded address 0x005A36D0 with no arguments and returns 0.
// lParam is cast to a paramdata pointer but never read.
// Executed as a copy inside the target process (see DoFunc).
int UnSit(LPVOID lParam) // cancel sit / meditate, for 117
  {
DWORD addr=0x005A36D0;
paramdata * lp;
lp=(paramdata *)lParam;
__asm
 {
call addr
}
return 0;
}
// Return to town after death, for client version 117.
// Calls the hard-coded address 0x005A34B0 with no arguments and returns 0.
// lParam is cast to a paramdata pointer but never read.
// Executed as a copy inside the target process (see DoFunc).
int DeadBack(LPVOID lParam) // return to town after death, for 117
  {
DWORD addr=0x005A34B0;
paramdata * lp;
lp=(paramdata *)lParam;
__asm
 {
call addr
}
return 0;
}
// Pick up an item, for client version 117.
// lParam points at a paramdata block; param3 and param4 are the two values that
// ChooseKeys (mkeycode 1) read out of the target process beforehand.
// Pushes param3, then param4, calls the hard-coded address 0x005A30D0 and
// removes the two arguments from the stack itself (add esp,8). All general
// registers are saved and restored around the call. Returns 0.
// Executed as a copy inside the target process (see DoFunc).
// NOTE(review): the commented-out instructions and the second address in the
// comment on the first line look like leftovers from another variant of this call.
int PickUp(LPVOID lParam) // pick up item, for 117
  {
DWORD addr=0x005A30D0; //0x00578C70;
paramdata * lp;
lp=(paramdata *)lParam;
DWORD lp1=(DWORD)lp->param3;
DWORD lp2=(DWORD)lp->param4;
__asm
 {
pushad
// mov ecx,0x8FC85C
// mov ecx,[ecx]
mov edx, lp1
mov eax, lp2
push edx
// mov ecx,[ecx+0x20]
push eax
// add ecx, 0xD4
call addr
add esp,8
popad
}
return 0;
}
// Automatic path-finding, for client version 117.
// lParam points at a paramdata block; param1 and param2 are converted from long
// to float and used as two of three values written to fixed addresses.
// Sequence: push [[[[0x8FC85C]+0x1C]+0x8]+0x88]; write param1 (float) to
// 0x902568, 0 to 0x90256C and param2 (float) to 0x902570; push 0x00902568; push
// the address [[[0x8FC85C]+0x1C]+0x24]+0x3C; set ecx to 0x008FC810; call the
// hard-coded address 0x00429F60. All general registers are saved and restored.
// Returns 0. Executed as a copy inside the target process (see DoFunc).
// NOTE(review): the three consecutive dwords at 0x902568 presumably form a
// coordinate triple with the middle component forced to 0 - confirm. They are
// fixed addresses in the target's data, so whatever was stored there is
// overwritten.
int AutoGo(LPVOID lParam) // automatic path-finding, for 117
  {
DWORD addr=0x00429F60;
paramdata * lp;
lp=(paramdata *)lParam;
float lp1=(float)lp->param1;
float lp2=(float)lp->param2;
__asm
 {
pushad
mov eax,0x8FC85C
mov eax,[eax]
mov eax,[eax+0x1C]
mov ecx,[eax+0x24]
lea ecx,[ecx+0x3C]
mov eax,[eax+0x8]
mov eax,[eax+0x88]
push eax
mov eax, lp1
mov ds:[0x902568], eax
mov eax, 0
mov ds:[0x90256C], eax
mov eax, lp2
mov ds:[0x902570], eax
push 0x00902568
push ecx
mov ecx,0x008FC810
call addr
popad
}
return 0;
}
// Runs one of the routines above inside the process behind hpid.
// Copies pdata to ParamAdd and wSize bytes starting at funcptr to ThreadAdd in
// that process, starts a remote thread at ThreadAdd with ParamAdd as its
// argument, waits for it to finish and closes the thread handle.
//   funcptr - address of the local routine whose machine code is copied
//   pdata   - parameter block, passed by value and written to the target
// This write-then-CreateRemoteThread sequence, together with the
// PAGE_EXECUTE_READWRITE region ChooseKeys allocates, is the cross-process call
// pattern that endpoint monitoring and anti-cheat components commonly watch for.
// NOTE(review): no return value is checked. If either write or the thread
// creation fails, the following calls run on stale memory or a NULL handle.
// NOTE(review): the copy length is always wSize (4096 bytes) regardless of the
// routine's real size, so the read runs past the end of the routine into
// whatever follows it in this module.
// NOTE(review): the thread is created with creation flags 0, i.e. not
// suspended, so the ResumeThread call has nothing to resume.
// NOTE(review): the INFINITE wait blocks the caller for as long as the remote
// thread runs.
void DoFunc(void *funcptr,paramdata pdata) // dispatch helper: run the selected routine
  {
HANDLE TmpHandle;
::WriteProcessMemory(hpid, ParamAdd,&pdata, sizeof(pdata), NULL);// write the parameter block into the region allocated earlier
::WriteProcessMemory(hpid, ThreadAdd,funcptr, wSize, NULL);// write the routine's code into the region allocated earlier
TmpHandle = ::CreateRemoteThread(hpid, NULL, 0, (LPTHREAD_START_ROUTINE)ThreadAdd,ParamAdd, 0, NULL);
// handle of the thread that runs the copied routine
::ResumeThread(TmpHandle); // run the injected CALL thread
::WaitForSingleObject(TmpHandle, INFINITE); // wait for the thread to finish
::CloseHandle(TmpHandle); // close the thread handle
}
// Exported entry point: selects an action by mkeycode and runs it in the process
// behind mhpid.
//   mhpid            - process handle, stored in the global hpid
//   mkeycode         - action selector (see the branches below)
//   lparm1..lparm4   - copied into paramdata.param1..param4 before dispatch
// Selector values handled here: -1 allocate the two remote regions, -2 free
// them, 0 normal attack, 1 pick up item, 2 sit, 3 stand up, 4 return to town
// after death, 5 path-finding, 100 Tab target selection, 0x30..0x39 shortcut
// keys 0-9, 0x70..0x77 shortcut keys F1-F8. Any other value does nothing.
// NOTE(review): `intmkeycode` in the parameter list looks like `int mkeycode`
// with the separating space lost; the body refers to mkeycode.
// NOTE(review): nothing checks that the -1 allocation succeeded, or happened at
// all, before the other branches use ThreadAdd and ParamAdd through DoFunc.
void __stdcall ChooseKeys(HANDLE mhpid,intmkeycode,long lparm1=0,long lparm2=0,DWORD lparm3=0,DWORD lparm4=0)
// exported function, meant to be declared by the calling program
  {
hpid=mhpid;
paramdata pdata;
pdata.param1=lparm1;
pdata.param2=lparm2;
pdata.param3=lparm3;
pdata.param4=lparm4;
if(mkeycode==-1)
 {
// allocate memory
// The code region is requested writable and executable at the same time. The
// return values are stored unchecked, so a failed allocation leaves NULL in
// the globals.
ThreadAdd = ::VirtualAllocEx(hpid, NULL, wSize, MEM_COMMIT, PAGE_EXECUTE_READWRITE);// allocate the code region in the target process
ParamAdd = ::VirtualAllocEx(hpid, NULL, sizeof(paramdata), MEM_COMMIT, PAGE_READWRITE);// allocate the parameter region in the target process
}
else if(mkeycode==-2)
 {
// free memory
// NOTE(review): each region is released twice and the globals are never reset
// to NULL, so the second pair of calls (and any later -2 request) acts on
// stale addresses. VirtualFreeEx also documents that the size must be 0 when
// MEM_RELEASE is used, so the non-zero sizes passed here should be confirmed.
if(ThreadAdd!=NULL) ::VirtualFreeEx(hpid,ThreadAdd,wSize,MEM_RELEASE);
if(ParamAdd!=NULL) ::VirtualFreeEx(hpid,ParamAdd,sizeof(paramdata),MEM_RELEASE);
if(ThreadAdd!=NULL) ::VirtualFreeEx(hpid,ThreadAdd,wSize,MEM_RELEASE);
if(ParamAdd!=NULL) ::VirtualFreeEx(hpid,ParamAdd,sizeof(paramdata),MEM_RELEASE);
}
else if(mkeycode==0) // normal attack
 {
DoFunc(NormalHit,pdata);
}
else if(mkeycode==1) // pick up item
 {
// Follows a pointer chain in the target process, starting at 0x008FC85C:
// +0x1C, +0x08, +0x24, +0x18, entry lparm1 of an array of 4-byte entries,
// +0x04, then reads the dwords at +0x110 and +0x10C of the final object.
// NOTE(review): no ReadProcessMemory result is checked and the locals are
// uninitialised, so after a failed read the next address is indeterminate.
// lparm1 is used as an index without a bounds check.
DWORD BassAddr=0x008FC85C;
DWORD mecxi,meax,m1,m2;
::ReadProcessMemory(hpid,LPVOID(BassAddr),(LPVOID)&meax,4,NULL);
::ReadProcessMemory(hpid,LPVOID(meax+0x1C),(LPVOID)&mecxi,4,NULL);
::ReadProcessMemory(hpid,LPVOID(mecxi+0x08),(LPVOID)&meax,4,NULL);
::ReadProcessMemory(hpid,LPVOID(meax+0x24),(LPVOID)&mecxi,4,NULL);
::ReadProcessMemory(hpid,LPVOID(mecxi+0x18),(LPVOID)&meax,4,NULL);
::ReadProcessMemory(hpid,LPVOID(meax+(DWORD)lparm1*0x04),(LPVOID)&mecxi,4,NULL);
::ReadProcessMemory(hpid,LPVOID(mecxi+0x04),(LPVOID)&meax,4,NULL);
::ReadProcessMemory(hpid,LPVOID(meax+0x110),(LPVOID)&m1,4,NULL);
::ReadProcessMemory(hpid,LPVOID(meax+0x10C),(LPVOID)&m2,4,NULL);

// The two values replace the caller's lparm3/lparm4 in the parameter block.
pdata.param3=m1;
pdata.param4=m2;
DoFunc(PickUp,pdata);
}
else if(mkeycode==2) // sit / meditate
 {
DoFunc(Sit,pdata);
}
else if(mkeycode==3) // cancel sit / meditate
 {
DoFunc(UnSit,pdata);
}
else if(mkeycode==4) // return to town after death
 {
DoFunc(DeadBack,pdata);
}
else if(mkeycode==5) // automatic path-finding
 {
DoFunc(AutoGo,pdata);
}
else if(mkeycode==100)
 {
// Tab target selection
DoFunc(CallTab,pdata);
}
// In the two shortcut branches the slot index that KuaiJie/KuaiJieF read is
// pdata.param1, i.e. the caller's lparm1; it is not derived from mkeycode.
else if(mkeycode>=0x30 && mkeycode <=0x39) // shortcut keys 0-9
 {
DoFunc(KuaiJie,pdata);
}
else if(mkeycode>=0x70 && mkeycode <=0x77) // shortcut keys F1-F8
 {
DoFunc(KuaiJieF,pdata);
}
}
// DLL entry point. The module needs no per-process or per-thread setup or
// teardown, so every loader notification (process/thread attach and detach, and
// any other reason code) is acknowledged with TRUE and nothing else happens.
extern BOOL __stdcall APIENTRY DllMain( HINSTANCE hInstance, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    const bool known_reason =
        ul_reason_for_call == DLL_PROCESS_ATTACH ||
        ul_reason_for_call == DLL_THREAD_ATTACH ||
        ul_reason_for_call == DLL_THREAD_DETACH ||
        ul_reason_for_call == DLL_PROCESS_DETACH;
    if (known_reason)
    {
        // Nothing to initialise or release for any of the four notifications.
    }
    return TRUE;
}
//文件 wulin2.def