其实很简单.主要针对D3D游戏.主要思路:Hook IDirect3DDevice9::Present,在其中加入sleep函数.让系统获得更多的CPU时间片.
试验游戏:剑网三(以D3D9为例)
学习各种外挂制作技术,马上去百度搜索 "魔鬼作坊" 点击第一个站 去那里学习喽。
具体实现步骤:
1.HOOK Direct3DCreate9来获得类型为LPDIRECT3D9的Direct3D对象的接口指针,它有一个成员函数为 IDirect3D9::CreateDevice,所以,只要根据Direct3D对象接口指针找到Direct3D对象的虚函数表,再根据虚函数表确定IDirect3D9::CreateDevice的内存地址,就可以hook这个函数,从而获得类型为LPDIRECT3DDEVICE9的设备对象指针,然后根据设备对象指针找到设备对象的虚函数表,根据虚函数表找到IDirect3DDevice9::Present在内存中的地址,对其进行HOOK,在其中加入sleep函数.
----------------------------------------------------------------------------------------------------
//代码参考runjin
#include <d3d9.h>
#include <D3dx9core.h>
#pragma comment(lib, "D3D9.lib")
#pragma comment(lib, "D3Dx9.lib")
void GameD3D_HOOK();
IDirect3D9 * _stdcall New_Direct3DCreate9(UINT SDKVersion);
HRESULT _stdcall New_CreateDevice(
LPDIRECT3D9 pDx9,
UINT Adapter,
D3DDEVTYPE DeviceType,
HWND hFocusWindow,
DWORD BehaviorFlags,
D3DPRESENT_PARAMETERS * pPresentsentationParameters,
IDirect3DDevice9 ** pPresentturnedDeviceInterface
);
HRESULT _stdcall New_Present(
LPDIRECT3DDEVICE9 pDxdevice,
CONST RECT * pSourceRect,
CONST RECT * pDestRect,
HWND hDestWindowOverride,
CONST RGNDATA * pDirtyRegion
);
LPDIRECT3D9 m_pD3D=NULL; //Direct3D对象的接口指针
void * pDirect3DCreate9=NULL;//Direct3DCreate9函数地址指针
void * pCreateDevice=NULL;//IDirect3D9::CreateDevice函数地址指针
void * pPresent=NULL;//IDirect3DDevice9::Present函数地址指针
int Sleeptime=50;//延时时间
BYTE Direct3DCreate_Begin[5];//用于保存Direct3DCreate9入口的5字节
BYTE CreateDevice_Begin[5];//用于保存IDirect3D9::CreateDevice入口的字节
BYTE Present_Begin[5];//用于保存IDirect3DDevice9::Present入口的5字节
void GameD3D_HOOK()
{
//hook Direct3DCreate9
pDirect3DCreate9=GetProcAddress(GetModuleHandle("d3d9.dll"),"Direct3DCreate9");
DWORD oldproc=0;
memcpy(Direct3DCreate_Begin,pDirect3DCreate9,5);
VirtualProtect(pDirect3DCreate9,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pDirect3DCreate9=0xe9;
*(DWORD*)((BYTE*)pDirect3DCreate9+1)=(DWORD)New_Direct3DCreate9-(DWORD)pDirect3DCreate9-5;
}
//当运行到Direct3DCreate9时跳转到这里
IDirect3D9 * _stdcall New_Direct3DCreate9(
UINT SDKVersion
)
{
__asm pushad
memcpy(pDirect3DCreate9,Direct3DCreate_Begin,5);//首先还原入口的5个字节
m_pD3D=Direct3DCreate9(SDKVersion);
if(m_pD3D){//如果成功
pCreateDevice=(void*)*(DWORD*)(*(DWORD*)m_pD3D+0x40);//获得IDirect3D9::CreateDevice的地址指针
DWORD oldpro=0;
memcpy(CreateDevice_Begin,pCreateDevice,5);//保存IDirect3D9::CreateDevice入口5个字节
VirtualProtect(pCreateDevice,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pCreateDevice=0xe9;
*(DWORD*)((BYTE*)pCreateDevice+1)=(DWORD)New_CreateDevice-(DWORD)pCreateDevice-5;
}else{//如果失败就再hook一次
DWORD oldpro=0;
VirtualProtect(pDirect3DCreate9,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pDirect3DCreate9=0xe9;
*(DWORD*)((BYTE*)pDirect3DCreate9+1)=(DWORD)New_Direct3DCreate9-(DWORD)pDirect3DCreate9-5;
}
__asm popad
return m_pD3D;
}
//hook CreateDevice
HRESULT _stdcall New_CreateDevice(
LPDIRECT3D9 pDx9,
UINT Adapter,
D3DDEVTYPE DeviceType,
HWND hFocusWindow,
DWORD BehaviorFlags,
D3DPRESENT_PARAMETERS * pPresentsentationParameters,
IDirect3DDevice9 ** pPresentturnedDeviceInterface
)
{
__asm pushad
memcpy(pCreateDevice,CreateDevice_Begin,5);//先还原入口的5个字节
HRESULT ret=pDx9->CreateDevice( //创建设备
Adapter,
DeviceType,
hFocusWindow,
BehaviorFlags,
pPresentsentationParameters,
pPresentturnedDeviceInterface);
if (ret==D3D_OK){//如果创建设备成功
LPDIRECT3DDEVICE9 m_pDevice=*pPresentturnedDeviceInterface;
pPresent=(void*)*(DWORD*)(*(DWORD*)m_pDevice+0x44);//获得IDirect3DDevice9::Present的地址指针
memcpy(Present_Begin,pPresent,5);//保存IDirect3DDevice9::Present入口的5个字节
DWORD oldpro=0;
VirtualProtect(pPresent,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pPresent=0xe9;
*(DWORD*)((BYTE*)pPresent+1)=(DWORD)New_Present-(DWORD)pPresent-5;
}else{//如果失败再hookIDirect3D9::CreateDevice一次
DWORD oldpro=0;
VirtualProtect(pCreateDevice,5,PAGE_EXECUTE_READWRITE,&oldpro);
*(BYTE*)pCreateDevice=0xe9;
*(DWORD*)((BYTE*)pCreateDevice+1)=(DWORD)New_CreateDevice-(DWORD)pCreateDevice-5;
}
__asm popad
return ret;
}
//当程序运行到IDirect3DDevice9::Present入口处将跳转到这里
HRESULT _stdcall New_Present(
LPDIRECT3DDEVICE9 pDxdevice,//类的this指针
CONST RECT * pSourceRect,//此参数请参考dx sdk
CONST RECT * pDestRect,//同上
HWND hDestWindowOverride,//同上
CONST RGNDATA * pDirtyRegion//同上
)
{
Sleep(Sleeptime);
__asm pushad
if(pDirect3DCreate9 && pCreateDevice && pPresent)
memcpy(pPresent,Present_Begin,5);//先还原IDirect3DDevice9::Present入口的5字节
HRESULT retdata= pDxdevice->Present(pSourceRect,pDestRect,hDestWindowOverride,pDirtyRegion);
if(pDirect3DCreate9 && pCreateDevice && pPresent){
//DWORD oldpro=0;
//VirtualProtect(pPresent,5,PAGE_EXECUTE_READWRITE,&oldpro);
//调用完IDirect3DDevice9::Present后再hook一次
*(BYTE*)pPresent=0xe9;
*(DWORD*)((BYTE*)pPresent+1)=(DWORD)New_Present-(DWORD)pPresent-5;
}
__asm popad
return retdata;
}
-----------------------------------------------------------------------------------------------------
sleep 50ms的效果..
未HOOK,剑三客户端CPU占用率在我的本本上是:60%左右
HOOK后,剑三客户端CPU占用率在我的本本上是:15%左右
学习各种外挂制作技术,马上去百度搜索 "魔鬼作坊" 点击第一个站 去那里学习喽。