转自懒猫blog
这是95版武林的,照抄会封号,看看理解一下;
unit pub;
{ Shared unit of the bot. The interface declares two kinds of routine:
  - routines that read the game client's memory through the global hProcess
    (Pick, fast1, fast2), and
  - stdcall "CALL" routines that InjectFunc copies into the client and runs
    there on a remote thread (PickWp, UseWp, ChooseGW, xunlu, pushfastkey),
  plus the globals they share. Every numeric address is specific to the client
  build the author targeted. The listing was lifted from a forum post and
  several ":D", ":p" and "[i]" sequences appear to have been eaten by
  emoticon/BBCode filtering ("iword" for "i:Dword", "Lysword" for "Lys:Dword",
  "Items" for "Items[i]"), so it does not compile as shown. }
interface
uses
Windows,messages,StrUtils,SysUtils;
// Copies Func into the process owning InHWND and runs it there on a remote
// thread with Param as the thread argument (see the implementation).
Procedure InjectFunc(InHWND: HWND; Func: Pointer; Param: Pointer; ParamSize: DWORD);
Procedure PickWp(p:pointer); stdcall;//pick-up-item CALL; p -> record of item id, item system id
Procedure UseWp(p:pointer); stdcall;//use-item CALL; p -> record of item id, slot
procedure ChooseGW(p:pointer);stdcall;//select-monster CALL; p -> monster id
procedure xunlu(p:pointer);stdcall;//path-finding CALL; p -> three singles x,z,y
procedure goback;//walk back to the farming spot (gjdx/gjdy)
procedure gohome;//revive in town after death, then goback
procedure Pick;//enumerate ground items and pick them up
procedure Choose(i:integer);//select the next monster from form1.list3
procedure eatHp;//drink an HP potion -- declared only; no body in the visible listing
procedure fast1(iword); //press hotkey 1~0 (type garbled; fast2's body shows "i:Dword")
procedure fast2(iword); //press hotkey F1~F8 (the implementation comment says F1-F7)
procedure pushfastkey(p:pointer);Stdcall;//hotkey CALL; p -> object pointer that fast1/fast2 read from the client
procedure checkBB;//declared only; no body in the visible listing
var hwd:THandle;//game window handle, passed to InjectFunc
pid,hProcess,gwid,jsmTemp,zt,exp,Hys,Lysword;//game process id, process handle (never opened in this listing) and other shared values; the type is garbled
zt2:Word;
hp,mp,maxHp,maxMp:Integer;//current/max HP and MP
gjdx,gjdy:Single; //farming-spot coordinates used by goback
jlx,jly:integer;//distance between monster and farming spot
gi:integer;//index into the monster list (form1.list3), advanced by Choose
jsm:array[0..63]of widechar;
isInfo,isFire:boolean; //thread-state flags
const address=$12F824; //first-level base address of the client's pointer chain (build-specific)
implementation
uses unit1;//presumably provides form1 and its list boxes list1..list3; unit1 is not in this listing
//-------------------------remote-code injection routine----------------------------
{ Parameters:
  InHWND: handle of the window whose owning process is the target
  Func: pointer to the routine to copy into the target
  Param: pointer to the argument block for that routine
  ParamSize: size of the argument block in bytes

  Sequence: OpenProcess(PROCESS_ALL_ACCESS) -> VirtualAllocEx ->
  WriteProcessMemory -> CreateRemoteThread -> WaitForSingleObject. This is
  the textbook remote-thread injection chain that anti-cheat and EDR
  products hook and alert on. No return value is checked anywhere in the
  routine, so a failed step is silent and later steps operate on 0/nil.
}
Procedure InjectFunc(InHWND: HWND; Func: Pointer; Param: Pointer; ParamSize: DWORD);
var
hProcess_N: THandle;
ThreadAdd, ParamAdd: Pointer;
hThread: THandle;
ThreadID: DWORD;
lpNumberOfBytesWORD; // garbled "lpNumberOfBytes:DWORD"; reused as the out-parameter of every call below
begin
GetWindowThreadProcessId(InHWND, @ThreadID);// the second argument receives the *process* id, despite the variable name
hProcess_N := OpenProcess(PROCESS_ALL_ACCESS, False, ThreadID);//open the target with full access; result unchecked (0 on failure)
ThreadAdd := VirtualAllocEx(hProcess_N, nil, 4096, MEM_COMMIT, PAGE_READWRITE);//one page for the copied code
WriteProcessMemory(hProcess_N, ThreadAdd, Func, 4096, lpNumberOfBytes); //copies a fixed 4096 bytes from Func, whatever the routine's real length
ParamAdd := VirtualAllocEx(hProcess_N, nil, ParamSize, MEM_COMMIT, PAGE_READWRITE);
WriteProcessMemory(hProcess_N, ParamAdd, Param, ParamSize, lpNumberOfBytes); //copy the argument block
hThread := CreateRemoteThread(hProcess_N, nil, 0, ThreadAdd, ParamAdd, 0, lpNumberOfBytes); //run the copied code in the target; lpNumberOfBytes receives the thread id here
WaitForSingleObject(hThread, INFINITE);//blocks the caller for as long as the remote routine runs -- indefinitely if it never returns
VirtualFreeEx(hProcess_N, ThreadAdd, 4096, MEM_RELEASE);// MEM_RELEASE requires a size of 0; with 4096 the call fails and the page stays mapped
VirtualFreeEx(hProcess_N, ParamAdd, ParamSize, MEM_RELEASE); // same for non-zero ParamSize, so both regions leak in the target on every injection
CloseHandle(hThread);
CloseHandle(hProcess_N); //close the thread and process handles
end;
//Use an item. Runs inside the game process (copied there by InjectFunc);
//p points to two DWORDs: [p] = item id, [p+4] = slot/position.
//The body references only its own stack and absolute client addresses, so it
//survives being copied to a different base address.
Procedure UseWp(p:pointer); stdcall;
var addrword; // garbled "addr:Dword"; address of the client's use-item routine
begin
addr:=$0056FB80;
asm
pushad;  // save all general registers around the foreign call
mov eax, dword ptr [$8EC9C4]  // client global -> object pointer chain
mov esi, dword ptr [eax+$20]
push 1
mov edx,p
mov eax,[edx+4]
mov edx,[edx]
push edx //item id (the value Pick reads at +$110)
push eax //slot/position
push 0
lea ecx, dword ptr [esi+$D4]  // ecx = [[$8EC9C4]+$20]+$D4; presumably the object ("this") pointer -- confirm
call addr  // indirect call through the local, so no relocation is needed
popad;
end;
end;
//Pick-up-item call. Runs inside the game process; p points to two DWORDs:
//[p] = item id, [p+4] = item system id (Pick reads both from the ground-item table).
Procedure PickWp(p:pointer); stdcall;
var Addressword; // garbled "Address:Dword"; address of the client's pick-up routine
begin
Address :=$56FD50;
asm
pushad
mov edx,p
mov eax,[edx+$4]
push eax //push the item's system id
mov edx,[edx]
push edx //push the item id
mov ecx, dword ptr [$8EC9C4]
mov ecx, dword ptr [ecx+$20]
add ecx, $D4  // same object pointer as UseWp/ChooseGW, computed with add instead of lea
call Address
popad;
end;
end;
//Enumerate ground items through the client's pointer chain, fill form1's
//list1/list2 with their ids, then inject PickWp once per entry.
//All reads go through the global hProcess (opened outside this listing); no
//ReadProcessMemory result is checked, so a failed read leaves the previous
//value in the variable and the code carries on with it.
procedure Pick;
type
pPickup = ^Pickup;//pointer type (unused here)
Pickup = packed record
sidword ; //item system id (garbled "sid:Dword")
id: Dword; //item id
end;
var picktime:integer; // number of pick-up calls issued so far
mypickupickup; // garbled "mypickup:pickup"; the argument block InjectFunc copies into the client
base,gbase,dmbase,point,wpid,sysid,i:dword;
num:Cardinal; // bytes-read out-parameter, never inspected
begin
picktime:=0;
ReadProcessMemory(hProcess,pointer(address),@base, 4, num);// base := [address]
ReadProcessMemory(hProcess,pointer(base + $8), @base, 4, num);// base := [base+8]
ReadProcessMemory(hProcess,pointer(base + $24), @gbase, 4, num);// gbase := [base+$24]
ReadProcessMemory(hProcess,pointer(gbase + $18), @gbase, 4, num);// gbase := [gbase+$18], start of the ground-item pointer table
for i:=0 to 768 do // 769 slots (0..768 inclusive); whether the table really has that many is not visible here
begin
ReadProcessMemory(hProcess,pointer(gbase + i*4), @dmbase, 4, num);
if dmbase>0 then // non-null slot
begin
ReadProcessMemory(hProcess,pointer(dmbase + $4), @point, 4, num);
ReadProcessMemory(hProcess,pointer(point + $110), @wpid, 4, num);
ReadProcessMemory(hProcess,pointer(point + $10c), @sysid, 4, num);
form1.list1.AddItem (inttostr(wpid),form1.list1);//ground item id -> list1
form1.list2.AddItem (inttostr(sysid),form1.list2);//item system id -> list2
end;
end;
//---------------item list read; start picking up------------------------
if (form1.list1.Items.count>0) and (form1.list2.Items.count>0)then//only if something is on the ground
begin
repeat
for i:=form1.list1.Items.Count-1 downto 0 do
begin
mypickup.id:=strtoint(form1.list1.Items);// "Items" is garbled "Items[i]" (BBCode ate the index)
mypickup.sid:=StrToInt64(form1.list2.Items);// Int64 result stored into a Dword field: silently truncated
if (mypickup.id>0) and (mypickup.sid>0) then
begin
injectfunc(hwd,@Pickwp,@MyPickup,8);//pick-up call; 8 bytes = the two Dword fields
picktime:=picktime+1;
sleep(100);
end;
end;
until (form1.list1.Items.Count=0) or (picktime>form1.List3.Items.Count-1);//bounds the attempts. Nothing removes list1 entries inside the loop, so only the picktime term can end it; List3 is the monster list used by Choose, so bounding by its count looks accidental -- confirm
//---------------picking done; clear the item lists------------------------
form1.list1.Clear;
form1.list2.Clear;
end;
end;
//Select-monster call. Runs inside the game process; p points to a single
//DWORD holding the monster id.
procedure ChooseGW(p:pointer);stdcall;
var addressword; // garbled "address:Dword"; address of the client's select routine
begin
Address :=$56fdc0;
asm
pushad
mov esi,p//monster id record
mov esi,[esi]
push esi
MOV ECX,DWORD PTR DS:[$8ec9c4]
MOV ECX,DWORD PTR DS:[ECX+$20]
add ecx,$D4  // same object pointer as UseWp/PickWp
call address
popad
end;
end;
//Select the next monster: advances the global index gi through form1.list3
//(wrapping to 0) and injects ChooseGW with the selected entry's id.
procedure Choose(i:integer);
type
pXuanGuai = ^XuanGuai;//pointer type (unused here)
XuanGuai = packed record
id: Dword;  // 4 bytes in total
end;
var MyXG:Xuanguai;
begin
gi:=gi+1;
if gi>form1.List3.Count-1 then gi:=0;// wrap around the monster list
MyXG.id:=StrToInt64(form1.list3.Items);// the index after "Items" was eaten by BBCode; whether it was [gi] or the parameter [i] cannot be told here. Int64 into a Dword field truncates
injectfunc(hwd,@ChooseGW,@MyXG,8);//select call; ParamSize 8 exceeds the 4-byte record, so InjectFunc also copies 4 bytes of whatever follows MyXG on the stack
sleep(500);
end;
//Path-finding call. Runs inside the game process; p points to three singles
//x,z,y (goback's zuobiao record). Writes the target coordinates into fixed
//client globals, then calls the client's path-finding routine with
//(object, coordinate pointer, map number) on the stack.
procedure xunlu(p:pointer);stdcall;
begin
asm
pushad
mov ebx, p
mov eax, dword ptr [ebx]//X
mov [$8F2398], eax
mov eax, dword ptr [ebx+4]//Z
mov [$8F239C], eax
mov eax, dword ptr [ebx+$8]//Y
mov [$8F23A0], eax
mov eax, dword ptr [$12F824]//base address; the same value as the unit's "address" constant, repeated literally here
mov eax, dword ptr [eax+$24]
lea eax, dword ptr [eax+$3c]
mov ebx,dword ptr [$12F824]
mov ebx,dword ptr [ebx+$8]
mov ebx,dword ptr [ebx+$88] //current map number -> ebx
push ebx //map number
push $8F2398 //address of the x,z,y block written above
push eax
mov ecx, $8EC978  // fixed object address, unlike the [$8EC9C4] chain the other CALLs use
mov eax, $42AA40
call eax  // absolute client address; no stack cleanup afterwards, so the callee is assumed to pop its arguments -- confirm
popad
end;
end;
procedure Pushfastkey(p:pointer);Stdcall;//hotkey call: runs inside the game process. p -> a DWORD holding an object pointer (fast1/fast2 read it from the client's pointer chain). Fetches the object's first DWORD and calls the entry at +8 of that table -- looks like a virtual-call dispatch, confirm. Unlike the other CALL routines there is no pushad/popad, so eax/ecx/edx are clobbered; this matters little because the routine is the remote thread's entry point and returns straight after
begin
asm
mov ecx,p
mov ecx,[ecx]  // ecx = object pointer
mov edx,[ecx]  // edx = the object's table pointer
mov eax,[edx+8]  // third table entry
call eax
end;
end;
//Revive in town after death, wait, then walk back to the farming spot.
procedure gohome;//revive in town
begin
CreateRemoteThread(hProcess,nil,0,Pointer($59A740),nil,0,pid);//starts a thread directly at the client's revive routine with a nil argument. The returned thread handle is discarded (never closed), and the global pid is used as the thread-id out-parameter, so after this call pid holds the new thread's id rather than the process id
sleep(10000);//give the revive 10 s before pathing
goback;//back to the farming spot
end;
//Press slot i of the 1~0 hotkey bar: walk the client's pointer chain to the
//slot's object pointer and inject pushfastkey with it. fast2 is the same
//routine with $8ec instead of $8e0 as the bar offset.
procedure fast1(iword); //garbled "i:Dword" (compare fast2)
type
pFastKey=^FastKey;
Fastkey=packed record
keyidword; //garbled "keyid:Dword"
end;
var myFastKey:FastKey;
base:Dword;
num:Cardinal; // bytes-read out-parameter, never inspected
begin
ReadProcessMemory(hProcess,pointer(address),@base, 4, num);
ReadProcessMemory(hProcess,pointer(base + $24), @base, 4, num);//character base pointer, per the author
ReadProcessMemory(hProcess,pointer(base + $8e0), @base, 4, num);//hotkey bar 1~0
ReadProcessMemory(hProcess,pointer(base + $C), @base, 4, num);
ReadProcessMemory(hProcess,pointer(base + 4*i), @base, 4, num);//slot i; i is not range-checked
myfastkey.keyid:=base;
if hwd<>0 then
//original comment read "start auto-pathing" -- a leftover from goback; this injects the hotkey press
injectfunc(hwd,@pushfastkey,@myFastKey,4);
end;
//Press slot i of the F-key hotkey bar (F1-F7 here, F1~F8 in the interface
//declaration -- the two disagree). Identical to fast1 except for the
//bar offset $8ec.
procedure fast2(i:Dword); //press hotkey F1-F7
type
pFastKey=^FastKey;
Fastkey=packed record
keyid:Dword;
end;
var myFastKey:FastKey;
base:Dword;
num:Cardinal; // bytes-read out-parameter, never inspected
begin
ReadProcessMemory(hProcess,pointer(address),@base, 4, num);
ReadProcessMemory(hProcess,pointer(base + $24), @base, 4, num);//character base pointer, per the author
ReadProcessMemory(hProcess,pointer(base + $8ec), @base, 4, num);//F-key hotkey bar
ReadProcessMemory(hProcess,pointer(base + $C), @base, 4, num);
ReadProcessMemory(hProcess,pointer(base + 4*i), @base, 4, num);//slot i; i is not range-checked
myfastkey.keyid:=base;
if hwd<>0 then
//original comment read "start auto-pathing" -- a leftover from goback; this injects the hotkey press
injectfunc(hwd,@pushfastkey,@myFastKey,4);
end;
//Walk back to the farming spot: packs (gjdx, 0, gjdy) into a zuobiao
//("coordinates") record and injects xunlu with it. ParamSize 12 matches
//the three singles exactly.
procedure goback;//return to the farming spot
type
pzuobiao = ^zuobiao;//pointer type (unused here)
zuobiao = packed record
x: single;
z: single; //"not significant" per the author; always 0 here
y: single;
end;
var MyZuoBiao:zuobiao;
begin
MyZuoBiao.x:=gjdx;
MyZuoBiao.z:=0;
MyZuoBiao.y:=gjdy;
if hwd<>0 then // only when a window handle has been found
//start auto-pathing
injectfunc(hwd,@xunlu,@MyZuoBiao,12);
end;