LRESULT CALLBACK HookProc(int nCode, WPARAM wParam, LPARAM lParam)
{
if(nCode==HSHELL_WINDOWCREATED)
{
char buf[1024];
DWORD dwPid;
GetWindowText((HWND)wParam,buf,1024);
if(strcmp(buf,"legend of mir2")==0)
{
GetClassName((HWND)wParam,buf,1024);
if( strcmp(buf,"TfrmMain")==0 ||
//strcmp(buf,"TApplication")==0 ||
strcmp(buf,"TFrmMain")==0 )
{
GetWindowThreadProcessId((HWND)wParam,&dwPid);
if(dwPid==GetCurrentProcessId())
{
DWORD d;
d=(DWORD)my_DDrawwCreate;
char bb[5];
bb[0]=bb[1]=bb[2]=bb[3]=bb[4]=(char)0x90;
DWORD dwOldFlag;
VirtualProtect((void*)0x44c586,9,PAGE_READWRITE,&dwOldFlag);
memcpy((void*)0x44c586,&d,4);
memcpy((void*)0x44c58a,bb,5);
VirtualProtect((void*)0x44c586,9,dwOldFlag,&dwOldFlag);
}
}
}
}
return CallNextHookEx(g_hhook, nCode, wParam ,lParam);
}
void InstallHook()
{
if(g_hhook==NULL)
{
g_hhook=SetWindowsHookEx(WH_SHELL,(HOOKPROC)HookProc,theApp.m_hInstance,0);
if(g_hhook==NULL)
MessageBox(0,"SetWindowsHookEx Failed!!",NULL,MB_OK);
}
}
通過InstallHook來安裝一個WH_SHELL類型的鉤子 目的是在游戲窗口創建的第一時間取得控制權 然后通過改寫相關代碼來實現對DirectDrawCreate函數的攔截 使之流向我們設置的代碼my_DDrawwCreate
HRESULT __stdcall my_DDrawwCreate(GUID*lpGUID,LPDIRECTDRAW*lplpDD,IUnknown*pUnkOuter)
{
HRESULT retVal;
HWND hWnd=NULL;
if(hWnd==NULL)
hWnd=FindWindow("TfrmMain","legend of mir2");
//if(hWnd==NULL)
// hWnd=FindWindow("TApplication","legend of mir2");
if(hWnd==NULL)
hWnd=FindWindow("TFrmMain","legend of mir2");
{
retVal=DirectDrawCreate(lpGUID,lplpDD,pUnkOuter);
if(g_isWindowMir)
{
LPDIRECTDRAW lpDD=*lplpDD;
DWORD p1=(DWORD)*lplpDD;
DWORD p2=*(DWORD*)p1;
*((DWORD*)(p2+0x54))=(DWORD)(FARPROC)my_SetDisplayMode;
old_SetCooperativeLevel=*((DWORD*)(p2+0x50));
*((DWORD*)(p2+0x50))=(DWORD)(FARPROC)my_SetCooperativeLevel;
}
DWORD*psend;
psend=(DWORD*)0x4fa720;
*psend=(DWORD)my_send;
{
AFX_MANAGE_STATE(AfxGetStaticModuleState());
pToolDlg=new CToolDialog;
pToolDlg->Create(IDD_TOOL_DIALOG);
pToolDlg->SetWindowText("太子");
pToolDlg->ShowWindow(pToolDlg->IsWindowVisible() ? SW_HIDE : SW_SHOW);
//數字顯示
FARPROC p=(FARPROC)_DispFunc;
DWORD dwP=(DWORD)p-0x47AA1B;
DWORD dwOldFlag;
VirtualProtect((void*)0x47AA17,4,PAGE_READWRITE,&dwOldFlag);
*((DWORD*)0x47AA17)=dwP;
VirtualProtect((void*)0x47AA17,4,dwOldFlag,&dwOldFlag);
//取消程序自檢驗
VirtualProtect((void*)0x45EC00,1,PAGE_READWRITE,&dwOldFlag);
*((BYTE*)0x45EC00)=(BYTE)0xC3;
VirtualProtect((void*)0x45EC00,1,dwOldFlag,&dwOldFlag);
//戰斗退出
VirtualProtect((void*)0x4620E6,2,PAGE_READWRITE,&dwOldFlag);
*((WORD*)0x4620E6)=(WORD)0x9090;
VirtualProtect((void*)0x4620E6,2,dwOldFlag,&dwOldFlag);
VirtualProtect((void*)0x462162,2,PAGE_READWRITE,&dwOldFlag);
*((WORD*)0x462162)=(WORD)0x9090;
VirtualProtect((void*)0x462162,2,dwOldFlag,&dwOldFlag);
VirtualProtect((void*)0x4914CA,2,PAGE_READWRITE,&dwOldFlag);
*((WORD*)0x4914CA)=(WORD)0x9090;
VirtualProtect((void*)0x4914CA,2,dwOldFlag,&dwOldFlag);
VirtualProtect((void*)0x491576,2,PAGE_READWRITE,&dwOldFlag);
*((WORD*)0x491576)=(WORD)0x9090;
VirtualProtect((void*)0x491576,2,dwOldFlag,&dwOldFlag);
//顯物品id
p=(FARPROC)ShowItemId;
dwP=(DWORD)p-0X0048C458;
//VirtualProtect((void*)0X0048C430,0x23,PAGE_READWRITE,&dwOldFlag);
//for(char i=0;i<0x23;i++)
//{
// *((BYTE*)(0X0048C430+i))=0x90;
//}
//VirtualProtect((void*)0X0048C430,0x23,dwOldFlag,&dwOldFlag);
VirtualProtect((void*)0X0048C454,4,PAGE_READWRITE,&dwOldFlag);
*((DWORD*)(0X0048C454))=dwP;
VirtualProtect((void*)0X0048C454,4,dwOldFlag,&dwOldFlag);
//InstallGameHooks();
}
/**//*
p=(FARPROC)MagicLock;
dwP=(DWORD)p-0x4627ab;
VirtualProtect((void*)0x4627a7,4,PAGE_READWRITE,&dwOldFlag);
*((DWORD*)0x4627a7)=dwP;
VirtualProtect((void*)0x4627a7,4,dwOldFlag,&dwOldFlag);
p=(FARPROC)EatItem;
dwP=(DWORD)p-0x4623a6;
VirtualProtect((void*)0x4623a2,4,PAGE_READWRITE,&dwOldFlag);
*((DWORD*)0x4623a2)=dwP;
VirtualProtect((void*)0x4623a2,4,dwOldFlag,&dwOldFlag);
dwP=(DWORD)p-0x48c1e6;
VirtualProtect((void*)0x48c1e2,4,PAGE_READWRITE,&dwOldFlag);
*((DWORD*)0x48c1e2)=dwP;
VirtualProtect((void*)0x48c1e2,4,dwOldFlag,&dwOldFlag);
dwP=(DWORD)p-0x48c223;
VirtualProtect((void*)0x48c21f,4,PAGE_READWRITE,&dwOldFlag);
*((DWORD*)0x48c21f)=dwP;
VirtualProtect((void*)0x48c21f,4,dwOldFlag,&dwOldFlag);
VirtualProtect((void*)0x4674a6,1,PAGE_READWRITE,&dwOldFlag);
*((BYTE*)0x4674a6)=0xeb;
VirtualProtect((void*)0x4674a6,1,dwOldFlag,&dwOldFlag);
*/
return retVal;
}
return DirectDrawCreate(lpGUID,lplpDD,pUnkOuter);
}
my_DDrawwCreate根據設置對SetDisplayMode及SetCooperativeLevel進行攔截 進行窗口化
然后修改游戲程序的相應代碼來實現游戲功能的增強
最后附上相應的代碼
const DWORD p1=0x44D8B4,p2=0x41834C,p3=0x406434,p_disp=0x4a09a0;
const DWORD old_proc=0x44d6cc;
const DWORD p4=0x44d104;
void DispText(DWORD _eax, LPCTSTR string, DWORD x, DWORD y, DWORD color=0xffffff, DWORD bcolor=0x0)
{
delphi_string dstring;
//sprintf(dstring.text,"%s",string);
strcpy(dstring.text,string);
dstring.len=strlen(string);
DWORD address=(DWORD)(dstring.text);
_asm
{
/**//* mov eax, _eax
call p1
call p2
push 1
push eax
call p3*/
push color
push bcolor
push address
mov ecx, y
mov edx, x
mov eax, _eax
call p_disp
}
}
DWORD fps=0,last_tick_count=0,frame=0;
const DWORD p5=0x40f6a0;
DWORD last_time_pickup=0;
CString MenuItems[6];
BOOL eat_item=TRUE;
__stdcall DispFunc(DWORD _EAX)
{
if(GetTickCount()-last_tick_count>1000)
{
fps=frame;
frame=0;
last_tick_count=GetTickCount();
}
frame++;
struct tm *now;
char buf[128];
time_t tval;
tval = time(NULL);
now = localtime(&tval);
strftime(buf,sizeof(buf),"太子輔助 時間:%I:%M:%S %p",now);
DispText(_EAX,buf,340,454);
DWORD p_hpmp=*(DWORD*)0x4F7EF8;
DWORD hp,hpmax,mp,mpmax,exp,expmax,weight,weightmax,gold;
hp=*((WORD*)(p_hpmp+0x3c));
hpmax=*((WORD*)(p_hpmp+0x40));
mp=*((WORD*)(p_hpmp+0x3e));
mpmax=*((WORD*)(p_hpmp+0x42));
exp=*((DWORD*)(p_hpmp+0x48));
expmax=*((DWORD*)(p_hpmp+0x4c));
weight=*((WORD*)(p_hpmp+0x50));
weightmax=*((WORD*)(p_hpmp+0x52));
gold=*((DWORD*)(p_hpmp+0x58));
sprintf(buf,"生命:%u/%u 魔法:%u/%u",hp,hpmax,mp,mpmax);
DispText(_EAX,buf,25,550);
sprintf(buf,"鼠標:%u:%u",*(DWORD*)0x4F948C,*(DWORD*)0x4F9490);
DispText(_EAX,buf,350,580);
sprintf(buf,"經驗:%u/%u",exp,expmax);
DispText(_EAX,buf,666,538);
sprintf(buf,"負重:%u/%u",weight,weightmax);
DispText(_EAX,buf,666,571);
sprintf(buf,"金幣:%u",gold);
DispText(_EAX,buf,666,507);
sprintf(buf,"FPS=%u",fps);
DispText(_EAX,buf,10,8,RGB(255,255,255),RGB(255,0,0));
//顯示裝備持久
if(bShowDura)
{
item_in_mem*item=(item_in_mem*)0x4F7EFC;
char namebuf[128];
int off;
for(off=0;off<9;off++)
{
if(item[off].magic!=0)
{
memcpy(namebuf,item[off].name,item[off].magic);
namebuf[item[off].magic]=(char)0;
sprintf(buf,"%s %u/%u",namebuf,item[off].dura,item[off].dura_max);
DispText(_EAX,buf,10,26+off*16);
}
}
}
//顯示地面物品名字
DWORD i;
DWORD count;
DWORD get_droped_item=0x40F6A0;
DWORD map_rect_left;
DWORD map_rect_top;
DWORD defx,defy;
DWORD my_x,my_y;
_asm
{
mov eax, 004a42dch
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
mov edx, dword ptr [eax+0002ae54h]
mov map_rect_left, edx
mov edx, dword ptr [eax+0002ae58h]
mov map_rect_top, edx
mov eax, 04F7DA4h
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov count, eax
mov eax, 004A3E9Ch
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
mov edx, 0FFFFFFA0h
sub edx, dword ptr [eax+00000098h]
add edx, 00000010h
add edx, 0000000Eh
mov defx, edx
mov eax, 004A3E9Ch
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
mov edx, 0FFFFFFC0h
sub edx, dword ptr [eax+0000009Ch]
mov defy, edx
mov eax, 004A3E9Ch
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
movzx eax, word ptr [eax+08h]
mov my_x, eax
mov eax, 004A3E9Ch
mov eax, dword ptr [eax]
mov eax, dword ptr [eax]
movzx eax, word ptr [eax+0ah]
mov my_y, eax
}
drop_item item;
DWORD p,x,y;
bool bChecked=false;
for(i=0;i<count;i++)
{
_asm
{
mov eax, 04F7DA4h
mov eax, dword ptr [eax]
mov edx, i
call get_droped_item
mov p, eax
}
memcpy(&item,(void*)p,sizeof(drop_item));
x=(item.x - map_rect_left) * 48 + defx + 0;
y=(item.y - map_rect_top - 1) * 32 + defy + 0;
if(x>=0 && x<800 && y>=0 && y<600)//屏幕外的不顯示
{
memcpy(buf,(void*)(p+sizeof(drop_item)+1),*(BYTE*)(p+sizeof(drop_item)));
buf[*(BYTE*)(p+sizeof(drop_item))]=(char)0;
DispText(_EAX,buf,x,y);
if(!bChecked && item.x==my_x && item.y==my_y && GetTickCount()-last_time_pickup>100)
{
last_time_pickup=GetTickCount();
SendPickUp();
bChecked=true;
}
}
}
//數字顯血
DWORD act_list;
DWORD act;
act_list=(*(DWORD*)0x4a3dd8);
act_list=(*(DWORD*)act_list);
act_list=(*(DWORD*)(act_list+0x5a854));
count=(*(DWORD*)(act_list+0x8));
typedef struct
{
DWORD x,y,hp,hpmax;
}act_struct;
act_struct actor;
for(i=0;i<count;i++)
{
_asm
{
mov eax, act_list
mov edx, i
call p5
mov act, eax
}
actor.x= (*(DWORD*)(act+0x8c));
actor.y= (*(DWORD*)(act+0x90));
actor.hp= (*( WORD*)(act+0x3c));
actor.hpmax= (*( WORD*)(act+0x40));
if(actor.hpmax!=0)
{
sprintf(buf,"%u/%u",actor.hp,actor.hpmax);
DispText(_EAX,buf,actor.x-15,actor.y-20,RGB(0xff,0,0));
}
}
}
__declspec(naked) _DispFunc()
{
__asm
{
//保存參數
push eax
push edx
push ecx
//調用自己的函數
push eax
call DispFunc
pop ecx
pop edx
pop eax
jmp p_disp
}
}
posted on 2007-08-28 23:59
shaker(太子) 閱讀(3241)
評論(5) 編輯 收藏 引用 所屬分類:
C++