zoukankan      html  css  js  c++  java

  • 自制 war3 map hack

    http://blog.csdn.net/aj3423/article/details/6670529

    0. 工具

      OD(ollydbg), CE (cheat engine),war3 1.24, win7

    1. 目标功能

      去除战争迷雾,只是走过的地方永久可见。

    3. 猜测

      如果你来写 war3,你是否会用一个 bool 变量比如 hasFog, 界面每次重画时候都判断该变量,是 true 就加迷雾,false 就去迷雾。至于你会不会这样写,我反正会这样写。

    4. 用 CE 找当前游戏 hasFog 内存地址

      用 OD 加载 war3.exe(加参数-window),建一单机游戏,此时是有迷雾的(hasFog == true)。

      操作:用CE打开war3.exe,搜索内存为1的值(true==1),列出无数个地址。然后输入全图指令 iseedeadpeople,此时 hasFog == false,到CE中,在上次搜索结果里继续搜索0的值。

      重复上述操作步骤,直到剩下少数几个地址

      范围被缩小到了7个地址,一个个试。先双击第一个,CE下方会出现该地址,双击value那一列,修改为0,war3迷雾还在,说明不是这个地址。

      重复上述步骤, 直到 这个地址

      0A8D009C 就是 hasFog,到此 CE 的工作结束

      写段代码直接改这个地址为 0 就ok了?no

      上面找到的 hasFog 地址,在每次建游戏时候都会变(从CE中也可以看出,静态地址是绿色,黑色的是动态地址)

    5. OD 分析

      如何动态找这个 hasFog 地址?war3 是怎么找的我们也怎么找,如果在 hasFog 处加写断点,然后打全屏指令,war3 就会找到该地址,并且写入值。

      ok,换到 OD,在 0A8D009C 处加内存写入断点,然后到 war3 输入 iseedeadpeople, 断在 6F408906

    (ctrl+A 分析该函数可以看到整个函数范围)

    分析: esi 可能是指向这样一个struct

    [cpp] view plaincopy

    1. struct MapInfo { 
    2. BYTE unknown[0x14]; 
    3. bool hasFog; 
    4.   .... 

    看这个esi是怎么来的,往上几行可以看到

    注释1:war3是vc编译的,vc处理类成员函数时候就是把 this 指针放到 ecx 中,然后 call 函数,比如

    [cpp] view plaincopy

    1. class A { 
    2. void hello() {} 
    3. }; 
    4. A a; 
    5. a.hello(); // 这句的汇编代码为

    [cpp] view plaincopy

    1. mov ecx, a 
    2. call hello 

    猜测: 全局变量 [6FACD44C] 里放的是 GAME 指针,包含各种游戏信息,
    GAME + 0x34 处,放的是 MapInfo 指针,里面放的map信息,包括 hasFog, 大致是

    [cpp] view plaincopy

    1. struct GAME { 
    2. BYTE unknown[0x34]; 
    3.   MapInfo* map_info; 
    4.   ... 

    在 od 中,按工具条的 M 按钮,查看内存镜像

    因为 dll 每次加载到内存的位置可能不同,所以 dll 的内存地址采用 基址+偏移 组成,基址可能会变,但偏移不变。
    对于全局变量 6FACD44C,是由基址 6F000000 + ACD44C组成,
    整个过程就是
    1. 找 game.dll 基址
    2. 用 基址+ACD44C 找全局变量 GAME 指针
    3. 从GAME 的 0x34 偏移处找到 MapInfo
    4. 修改 MapInfo 0x14 偏移处的 hasFog
    以下是代码:

    [cpp] view plaincopy

    1. // main.cpp
    2. #include <windows.h>
    4. #include <iostream>
    5. using namespace std; 
    7. #define W3_CLASS "Warcraft III"
    9. #include "mem_manip.h"
    11. typedef struct process_info_ { 
    12. HWND    hwnd; 
    13. DWORD   pid; 
    14. HANDLE  hProcess; 
    15. } process_info; 
    18. int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow) { 
    20.     process_info ps; 
    22.     ps.hwnd = ::FindWindow(W3_CLASS, NULL); 
    23. if(!ps.hwnd) { 
    24. throw("no war3 found"); 
    25.     } 
    27.     ::GetWindowThreadProcessId(ps.hwnd, &ps.pid); 
    29.     EnableDebugPrivilege(); 
    31.     ps.hProcess = ::OpenProcess(0x1FFFFF, FALSE, ps.pid); //0x1FFFFF from dll_injector
    33. if (ps.hProcess == NULL) { 
    34. throw("OpenProcess error"); 
    35.     } 
    37. DWORD GAME_DLL_BASE = GetBaseAddress(ps.pid, "game.dll"); 
    38.     cout << "base of game.dll: " << hex << GAME_DLL_BASE << dec << endl; 
    41. DWORD GAME = GAME_DLL_BASE + 0x00ACD44C; 
    42. DWORD addr; 
    44.     cout << "try to read: " << hex << GAME << dec << endl; 
    45.     ReadProcessBYTES(ps.hProcess, GAME, &addr, 4); 
    46.     cout << "1. addr = " << hex << addr << dec << endl; 
    48.     addr += 0x34; 
    49.     ReadProcessBYTES(ps.hProcess, addr, &addr, 4); 
    51.     cout << "2. addr = " << hex << addr << dec << endl; 
    53.     addr += 0x14; 
    55. DWORD zero = 0; 
    56.     WriteProcessBYTES(ps.hProcess, addr, &zero, 4); 
    58.     cout << "done!" << endl; 
    60. return 0; 

    [cpp] view plaincopy

    1. // mem_manip.h
    2. #include <windows.h>
    3. #include <stdio.h>
    4. #include <tlhelp32.h>
    6. void  EnableDebugPrivilege() { 
    7. HANDLE hToken; 
    8.   LUID seDebugNameValue; 
    9.   TOKEN_PRIVILEGES tkp; 
    11. if ( !OpenProcessToken( GetCurrentProcess(), 
    12.       TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) return; 
    14. if ( !LookupPrivilegeValue( NULL, SE_DEBUG_NAME, &seDebugNameValue) ) 
    15.      { CloseHandle( hToken ); return; } 
    17.   tkp.PrivilegeCount = 1; 
    18.   tkp.Privileges[0].Luid = seDebugNameValue; 
    19.   tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; 
    21. if ( !AdjustTokenPrivileges( hToken, false, &tkp, sizeof(tkp), NULL, NULL)) 
    22.      { CloseHandle( hToken ); return; } 
    26. void WriteProcessBYTES(HANDLE hProcess, DWORD lpAddress, void* buf, int len) { 
    27. DWORD oldprot,dummy = 0; 
    28.     VirtualProtectEx(hProcess, (void*) lpAddress, len, PAGE_READWRITE, &oldprot); 
    29.     WriteProcessMemory(hProcess, (void*) lpAddress, buf, len, 0); 
    30.     ::FlushInstructionCache(hProcess, (void*)lpAddress, len); 
    31.     VirtualProtectEx(hProcess, (void*) lpAddress, len, oldprot, &dummy); 
    34. void ReadProcessBYTES(HANDLE hProcess, DWORD lpAddress, void* buf, int len) { 
    35. DWORD oldprot, dummy = 0; 
    36.     VirtualProtectEx(hProcess, (void*) lpAddress, len, PAGE_READWRITE, &oldprot); 
    37.     ReadProcessMemory(hProcess, (void*) lpAddress, buf, len, 0); 
    38.     VirtualProtectEx(hProcess, (void*) lpAddress, len, oldprot, &dummy); 
    44. DWORD GetBaseAddress(DWORD pid, const char* ModuleName) { 
    45. // Typedefs for toolhelp32
    46. typedef BOOL (WINAPI *fnModule32First)(HANDLE hSnapshot, LPMODULEENTRY32 lpme); 
    47. typedef BOOL (WINAPI *fnModule32Next)(HANDLE hSnapshot, LPMODULEENTRY32 lpme); 
    48. typedef HANDLE (WINAPI *fnCreateToolhelp32Snapshot)(DWORD dwFlags, DWORD th32ProcessID); 
    50. // Find out if the toolhelp API exists in kernel32
    51. HMODULE k32=GetModuleHandle("kernel32.dll"); 
    53. if (!k32) { 
    54. throw("Unable to get handle of KERNEL32.DLL."); 
    55.     } 
    57.     fnModule32First Module32First = (fnModule32First)GetProcAddress(k32, "Module32First"); 
    58.     fnModule32Next Module32Next = (fnModule32Next)GetProcAddress(k32, "Module32Next"); 
    59.     fnCreateToolhelp32Snapshot CreateToolhelp32Snapshot=(fnCreateToolhelp32Snapshot)GetProcAddress(k32,"CreateToolhelp32Snapshot"); 
    62. // Verify that the ToolHelp32 API is available
    63. if (!(Module32First) || !(Module32Next) || !(CreateToolhelp32Snapshot)) { 
    64. throw("Your operating system does not support the TOOLHELP32 API.\nCheck back for updates that use PSAPI instead."); 
    65.     } else { 
    66. // toolhelp code
    68. HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid); 
    70. if ((int)hSnapshot == -1) { 
    71. throw("Can't create toolhelp32 snapshot of game."); 
    72.         } 
    74.         MODULEENTRY32 lpme; 
    75.         lpme.dwSize=sizeof(MODULEENTRY32); 
    77. // Get first module, this is needed for win9x/ME
    78. if (!Module32First(hSnapshot, &lpme)) { 
    79.             CloseHandle(hSnapshot); 
    80. throw("Can't get first module of game."); 
    81.         }; 
    83. // Loop through all other modules
    84. while (TRUE) { 
    85. if (!stricmp(lpme.szModule, ModuleName)) { 
    86.                 CloseHandle(hSnapshot); 
    87. return (DWORD)lpme.modBaseAddr; 
    88.             } 
    90. if (!Module32Next(hSnapshot, &lpme)) { 
    91.                 CloseHandle(hSnapshot); 
    92. return 0; 
    93.             }; 
    94.         } 
    96. return 0; 
    97.     } 

    [javascript] view plaincopy

    1. <pre name="code" class="cpp"><pre name="code" class="javascript"><pre name="code" class="php"></pre> 
    2. <pre></pre> 
    3. <pre></pre> 
    4. <pre></pre> 
    5. <pre></pre> 
    6. <pre></pre> 
    7. <pre></pre> 
    8. <pre></pre> 
    10. </pre></pre> 
  • 相关阅读:
    Maximum Flow Exhaustion of Paths Algorithm
    ubuntu下安装java环境
    visualbox使用(二)
    vxworks一个超级奇怪的错误(parse error before `char')
    February 4th, 2018 Week 6th Sunday
    February 3rd, 2018 Week 5th Saturday
    February 2nd, 2018 Week 5th Friday
    February 1st, 2018 Week 5th Thursday
    January 31st, 2018 Week 05th Wednesday
    January 30th, 2018 Week 05th Tuesday
  • 原文地址:https://www.cnblogs.com/adodo1/p/4327409.html
Copyright © 2011-2022 走看看