郁金香灬游戏外挂技术
www.yjxsoft.com
本教程视频在1920*1080分辨率下观看最佳
VS2017+win10 64位 环境
郁金香灬老师:公司QQ 3003975536 手机 139 9636 2600
欢迎大家参加 游戏安全与外挂的研究学习。
兴趣是我们最好的老师
兴趣+坚持+时间+优秀老师会帮助你快速成功
学习目标:
DLL内存读取角色信息
重定向到控制台
参数 数据分析部分-> 008-分析寻路CALL
TLMyPc= [[[[[ RoleInfoBase ]+8]+20]+418]+B8]
TLMyPc = [[[[[ TL.exe+8F2E598]+8]+20]+418]+B8]
+4B0]+20 //FSTRING 名字 +8 wchar*
+4B0]+30 //FSTRING 名字 +8 wchar*
+490]+6A8]+48 //float hp 当前值 [[[[[[[TL.exe + 903CD98] + 8] + 20] + 418] + B8] + 490]+6A8]+48
+490]+6A8]+4C //float hp hpmax
+490]+6A8+08]+18 //float 法力MP 当前值 [[[[[[[TL.exe + 903CD98] + 8] + 20] + 418] + B8] + 490]+6B0]
+490]+6A8+08]+1C //float 法力MP 上限值
$+1B1 | 0F28CD | movaps xmm1,xmm5 |
$+1B4 | F3:0F59CD | mulss xmm1,xmm5 |
$+1B8 | F3:0F59D9 | mulss xmm3,xmm1 |
$+1BC | F3:0F5CE3 | subss xmm4,xmm3 |
$+1C0 | F3:0F59C4 | mulss xmm0,xmm4 |
$+1C4 | F3:0F58E8 | addss xmm5,xmm0 |
$+1C8 | 0F57C0 | xorps xmm0,xmm0 |
$+1CB | F3:0F59F5 | mulss xmm6,xmm5 |
$+1CF | F3:0F59FD | mulss xmm7,xmm5 |
$+1D3 | F3:0F1175 F7 | movss dword ptr ss:[rbp-9],xmm6 | z -50016.2
$+1D8 | F3:0F117D FB | movss dword ptr ss:[rbp-5],xmm7 | y 3148.77
$+1DD | F3:0F1145 FF | movss dword ptr ss:[rbp-1],xmm0 | x -4689.1
$+1E2 | F2:0F1045 F7 | movsd xmm0,qword ptr ss:[rbp-9] |
$+1E7 | 48:8D55 07 | lea rdx,qword ptr ss:[rbp+7] | 目的地坐标
$+1EB | 8B45 FF | mov eax,dword ptr ss:[rbp-1] |
$+1EE | 44:0FB6CE | movzx r9d,sil | DWORD 1
$+1F2 | 44:8B45 7F | mov r8d,dword ptr ss:[rbp+7F] | 0
$+1F6 | 48:8BCB | mov rcx,rbx | [GName+001B1*8+10]+54EC*2+2 // TLMyPc
$+1F9 | F2:0F1183 B0260000 | movsd qword ptr ds:[rbx+26B0],xmm0 | TLMyPc+26B0 //location?
$+201 | 8983 B8260000 | mov dword ptr ds:[rbx+26B8],eax |
$+207 | E8 74000000 | call tl.7FF71ACD4F00 | 最大可能是 寻路CALL02
$+20C | B0 01 | mov al,1 |
$+20E | EB 02 | jmp tl.7FF71ACD4E92 |
E8 ???????? B0 01 EB 0? ????44
$-171 | 48:8D05 D7281307 | lea rax,qword ptr ds:[7FF67BD03D70] |
$-16A | F3:0F5C38 | subss xmm7,dword ptr ds:[rax] |
$-166 | F3:0F5C70 04 | subss xmm6,dword ptr ds:[rax+4] |
$-161 | F344:0F5C40 08 | subss xmm8,dword ptr ds:[rax+8] |
$-15B | 0F28C7 | movaps xmm0,xmm7 |
$-158 | 0F28CE | movaps xmm1,xmm6 |
$-155 | F3:0F59C7 | mulss xmm0,xmm7 |
$-151 | F3:0F59CE | mulss xmm1,xmm6 |
$-14D | F3:0F58C8 | addss xmm1,xmm0 |
$-149 | 0F2E0D 672D5B06 | ucomiss xmm1,dword ptr ds:[7FF67B184228] |
$-142 | 75 2A | jne tl.7FF674BD14ED |
$-140 | 0F57C0 | xorps xmm0,xmm0 |
$-13D | F3:0F117D E7 | movss dword ptr ss:[rbp-19],xmm7 |
$-138 | 44:0F2EC0 | ucomiss xmm8,xmm0 |
$-134 | F3:0F1175 EB | movss dword ptr ss:[rbp-15],xmm6 |
$-12F | 75 0B | jne tl.7FF674BD14E1 |
$-12D | F344:0F1145 EF | movss dword ptr ss:[rbp-11],xmm8 |
$-127 | E9 A6000000 | jmp tl.7FF674BD1587 |
$-122 | C745 EF 00000000 | mov dword ptr ss:[rbp-11],0 |
$-11B | E9 9A000000 | jmp tl.7FF674BD1587 |
$-116 | 0F2F0D 98295B06 | comiss xmm1,dword ptr ds:[7FF67B183E8C] |
$-10F | 73 24 | jae tl.7FF674BD151A |
$-10D | F3:0F1005 72281307 | movss xmm0,dword ptr ds:[7FF67BD03D70] |
$-105 | F3:0F100D 6E281307 | movss xmm1,dword ptr ds:[7FF67BD03D74] |
$-FD | F3:0F1145 E7 | movss dword ptr ss:[rbp-19],xmm0 |
$-F8 | F3:0F1005 65281307 | movss xmm0,dword ptr ds:[7FF67BD03D78] |
$-F0 | F3:0F114D EB | movss dword ptr ss:[rbp-15],xmm1 |
$-EB | EB 68 | jmp tl.7FF674BD1582 |
$-E9 | F3:0F1025 222C5B06 | movss xmm4,dword ptr ds:[7FF67B184144] |
$-E1 | 0F28E9 | movaps xmm5,xmm1 |
$-DE | 0F28D9 | movaps xmm3,xmm1 |
$-DB | 0F28D4 | movaps xmm2,xmm4 |
$-D8 | F3:0F52EB | rsqrtss xmm5,xmm3 |
$-D4 | F3:0F59DC | mulss xmm3,xmm4 |
$-D0 | 0F28C5 | movaps xmm0,xmm5 |
$-CD | F3:0F59C5 | mulss xmm0,xmm5 |
$-C9 | 0F28CB | movaps xmm1,xmm3 |
$-C6 | F3:0F59C8 | mulss xmm1,xmm0 |
$-C2 | 0F28C5 | movaps xmm0,xmm5 |
$-BF | F3:0F5CD1 | subss xmm2,xmm1 |
$-BB | F3:0F59C2 | mulss xmm0,xmm2 |
$-B7 | F3:0F58E8 | addss xmm5,xmm0 |
$-B3 | 0F28C5 | movaps xmm0,xmm5 |
$-B0 | 0F28CD | movaps xmm1,xmm5 |
$-AD | F3:0F59CD | mulss xmm1,xmm5 |
$-A9 | F3:0F59D9 | mulss xmm3,xmm1 |
$-A5 | F3:0F5CE3 | subss xmm4,xmm3 |
$-A1 | F3:0F59C4 | mulss xmm0,xmm4 |
$-9D | F3:0F58E8 | addss xmm5,xmm0 |
$-99 | 0F28C5 | movaps xmm0,xmm5 |
$-96 | F3:0F59EE | mulss xmm5,xmm6 |
$-92 | F3:0F59C7 | mulss xmm0,xmm7 |
$-8E | F3:0F116D EB | movss dword ptr ss:[rbp-15],xmm5 |
$-89 | F3:0F1145 E7 | movss dword ptr ss:[rbp-19],xmm0 |
$-84 | 0F57C0 | xorps xmm0,xmm0 |
$-81 | F3:0F1145 EF | movss dword ptr ss:[rbp-11],xmm0 |
$-7C | 4C:8B43 08 | mov r8,qword ptr ds:[rbx+8] |
$-78 | F2:0F1045 E7 | movsd xmm0,qword ptr ss:[rbp-19] |
$-73 | 8B45 EF | mov eax,dword ptr ss:[rbp-11] |
$-70 | F2:0F1183 68280000 | movsd qword ptr ds:[rbx+2868],xmm0 |
$-68 | 8983 70280000 | mov dword ptr ds:[rbx+2870],eax |
$-62 | 4D:8B88 A0000000 | mov r9,qword ptr ds:[r8+A0] |
$-5B | 4D:85C9 | test r9,r9 |
$-58 | 74 09 | je tl.7FF674BD15B6 |
$-56 | 4D:8B89 38030000 | mov r9,qword ptr ds:[r9+338] |
$-4F | EB 07 | jmp tl.7FF674BD15BD |
$-4D | 4D:8B88 00010000 | mov r9,qword ptr ds:[r8+100] |
$-46 | 48:8BCB | mov rcx,rbx |
$-43 | E8 CB610000 | call tl.7FF674BD7790 |
$-3E | 84C0 | test al,al |
$-3C | 74 2C | je tl.7FF674BD15F5 |
$-3A | 80BB 6E3B0000 00 | cmp byte ptr ds:[rbx+3B6E],0 |
$-33 | 75 23 | jne tl.7FF674BD15F5 | jmp
$-31 | C683 6E3B0000 01 | mov byte ptr ds:[rbx+3B6E],1 |
$-2A | 49:8D89 20080000 | lea rcx,qword ptr ds:[r9+820] |
$-23 | 49:8B80 28010000 | mov rax,qword ptr ds:[r8+128] |
$-1C | B2 01 | mov dl,1 |
$-1A | 48:8983 783B0000 | mov qword ptr ds:[rbx+3B78],rax |
$-13 | E8 0B57DEFF | call tl.7FF6749B6D00 | 没经过这里
$-E | 44:0FB6CE | movzx r9d,sil |
$-A | 48:8D55 F7 | lea rdx,qword ptr ss:[rbp-9] | 目的地坐标?
$-6 | 44:8BC7 | mov r8d,edi |
$-3 | 48:8BCB | mov rcx,rbx |
$ ==> | E8 78000000 | call tl.7FF674BD1680 | 寻路移动CALL
$+5 | B0 01 | mov al,1 |
$+7 | EB 02 | jmp tl.7FF674BD160E |
$+9 | 32C0 | xor al,al |
$+B | 0F287C24 70 | movaps xmm7,xmmword ptr ss:[rsp+70] |
$+10 | 4C:8D9C24 90000000 | lea r11,qword ptr ss:[rsp+90] |
$+18 | 49:8B5B 28 | mov rbx,qword ptr ds:[r11+28] |
$+1C | 41:0F2873 F0 | movaps xmm6,xmmword ptr ds:[r11-10] |
$+21 | 45:0F2843 D0 | movaps xmm8,xmmword ptr ds:[r11-30] |
$+26 | 49:8BE3 | mov rsp,r11 |
$+29 | 5F | pop rdi |
$+2A | 5E | pop rsi |
$+2B | 5D | pop rbp |
$+2C | C3 | ret |
$+2D | 48:8D0D B9DB7107 | lea rcx,qword ptr ds:[7FF67C2EF1F0] |
$+34 | E8 3C579704 | call tl.7FF679546D78 |
$+39 | 833D ADDB7107 FF | cmp dword ptr ds:[7FF67C2EF1F0],FFFFFFFF |
$+40 | 0F85 B7FDFFFF | jne tl.7FF674BD1400 |
$+46 | 41:B8 01000000 | mov r8d,1 |
$+4C | 48:8D15 42AEDF05 | lea rdx,qword ptr ds:[7FF67A9CC498] |00007FF67A9CC498:"移动CALL"
$+53 | 48:8D0D FBDA7107 | lea rcx,qword ptr ds:[7FF67C2EF158] |
$+5A | E8 3E56FE01 | call tl.7FF676BB6CA0 |
$+5F | 48:8D0D 87DB7107 | lea rcx,qword ptr ds:[7FF67C2EF1F0] |
$+66 | E8 AA569704 | call tl.7FF679546D18 |
$+6B | E9 8DFDFFFF | jmp tl.7FF674BD1400 |
$+70 | CC | int3 |
$+71 | CC | int3 |
$-13 | E8 0B57DEFF | call tl.7FF6749B6D00 |
$-E | 44:0FB6CE | movzx r9d,sil | r9d=1
$-A | 48:8D55 F7 | lea rdx,qword ptr ss:[rbp-9] | rdx= float <x,y,z>
$-6 | 44:8BC7 | mov r8d,edi | r8d=0
$-3 | 48:8BCB | mov rcx,rbx | rcx = TlMyPc
$ ==> | E8 78000000 | call tl.7FF674BD1680 // 寻路移动CALL = TL.exe+1941680 // 移动CALL
$ ==> -1097.78 3500.52 -47870.8 4.59037e-041
$+10 -1097.78 3500.52 -47870.8 5.87144e-043
$+20 0.0166659 0 0 0
$+30 0.0166659 0 0 0
//测试成功
#include"pch.h"
#include<Windows.h>
#include"BaseGame.h"
#include"memApi.h"
/*
$-13 | E8 0B57DEFF | call tl.7FF6749B6D00 |
$-E | 44:0FB6CE | movzx r9d,sil | r9d=1
$-A | 48:8D55 F7 | lea rdx,qword ptr ss:[rbp-9] | rdx= float <x,y,z>
$-6 | 44:8BC7 | mov r8d,edi | r8d=0
$-3 | 48:8BCB | mov rcx,rbx | rcx = TlMyPc
$ ==> | E8 78000000 | call tl.7FF674BD1680 // 寻路移动CALL = TL.exe+1941680 // 移动CALL
$ ==> -1097.78 3500.52 -47870.8 4.59037e-041
$+10 -1097.78 3500.52 -47870.8 5.87144e-043
$+20 0.0166659 0 0 0
$+30 0.0166659 0 0 0
tlmypc+0x26B8 //角色当前坐标
*/
// Signature used to call the game's own move/pathfinding routine directly.
// The parameter names mirror the Windows x64 register order for the first four
// integer arguments (rcx, rdx, r8, r9); the debugger trace in the block comment
// above records rcx = player object, rdx = pointer to float <x,y,z>, r8d = 0, r9d = 1.
typedef UINT64(*TPCALL04)(UINT64 vrcx, UINT_PTR vrdx, UINT64 v_r8d, UINT64 v_r9d);
/*
 * 寻路移动 — hands a destination <x,y,z> to the game's move/pathfinding routine by
 * calling it directly through a hard-coded code offset inside the target process
 * (this file is built as a DLL loaded into the game, per the DLL references in it).
 *
 * x, y, z : destination coordinates; they become the first three floats of a
 *           16-float buffer whose address is passed in the rdx slot (debugger
 *           note above: "rdx= float <x,y,z>").
 * Returns nothing. Any SEH exception raised by the call is swallowed and reported
 * through OutputDebugStringA, so a wrong offset shows up as a debug string rather
 * than crashing the host process.
 *
 * Risk: GetExeBase() + 0x1970C60 is specific to one build of the target
 * executable; any update to it invalidates the offset. NOTE(review): the block
 * comment above records the same call as TL.exe+1941680, which does not match
 * 0x1970C60 — confirm which build each value belongs to.
 */
void 寻路移动(float x, float y, float z)
{
__try
{ // MessageBeep(1);
UINT_PTR tlmypc = Get_TLMyPc(); // project helper (not shown here): resolves the player object base
// current position is read from TLMyPc+0x26B8 / +0x26BC / +0x26C0 (x, y, z), per the notes above
DebugPrintf("yjx:寻路移动 TLMyPc =%p 当前(%f,%f,%f) 目的地(%f,%f,%f)++++++++++++ \r\n",
tlmypc,
R4F(tlmypc+0x26B8), R4F(tlmypc + 0x26BC), R4F(tlmypc + 0x26C0), // R4F: project read helper, presumably returns a float — confirm
x,y,z
);
TPCALL04 移动CALL = (TPCALL04)(GetExeBase() + 0x1970C60); // build-specific code offset (see NOTE in the header comment)
float pos[16] = { x,y,z,0}; // only the first three floats are meaningful; the remaining elements are zero-initialised
移动CALL(tlmypc,(UINT_PTR)pos, 0, 1); // mirrors the debugger trace: rcx=player, rdx=&pos, r8d=0, r9d=1
DebugPrintf("yjx:移动CALL() ok line=%d \r\n", __LINE__);
}
__except (1) // EXCEPTION_EXECUTE_HANDLER: catches every SEH exception from the call above
{
//MessageBoxA(0, "移动CALL", "Error", MB_OK);
OutputDebugStringA("yjx:Error 移动CALL");
}
return;
}
// SetTimer //SetWindowLong // SetWindowsHookEx
/*
 * 创建主线窗口 — registers a window class and creates a hidden top-level window
 * whose title embeds the game's HWND ("150abc<hwnd>abc150"). The original
 * comment describes this title as the one "used for communication", i.e. it is
 * what lets another component locate this window. The window is given a normal
 * overlapped style, moved to (323,323) at 500x500, and then hidden.
 *
 * Returns the new HWND, or NULL when CreateWindowA fails — the result is not
 * checked here, so MoveWindow/ShowWindow run on a NULL handle in that case.
 *
 * NOTE(review): szWindowClass and szTitle2 are TCHAR arrays but are passed to the
 * ANSI-suffixed CreateWindowA, so this compiles only when UNICODE is not defined;
 * the unsuffixed CreateWindow would follow the TCHAR setting.
 */
HWND 创建主线窗口()
{
HWND hgame = GetGameHwnd(); // project helper: the game's main window handle
WORD atom = 0;
//MSG msg = { 0 };
//HWND hWnd=NULL;
TCHAR szTitle2[256] = _T("标题名");//The title bar text (placeholder, overwritten just below)
// build the window title used for communication: embeds the game HWND as a decimal number
_stprintf_s(szTitle2, __T("150abc%zdabc150"), (UINT_PTR)hgame); // %zd is the signed size_t specifier; %zu would match the unsigned cast
TCHAR szWindowClass[] = _T("PH13996362600");// window class name (the original comment mislabelled this as the title bar text)
WNDCLASSEX wcex = { 0 }; // window class description (WNDCLASSEXW or WNDCLASSEXA depending on UNICODE)
// fill in the window class
wcex.cbSize = sizeof(WNDCLASSEX);// structure size
wcex.style = CS_HREDRAW | CS_VREDRAW;// redraw on horizontal/vertical resize
wcex.lpfnWndProc = MyProc;// window procedure, defined elsewhere in the project
wcex.hInstance = 0;// instance handle left 0 (CreateWindowA below passes GetModuleHandleA(NULL) instead)
wcex.hbrBackground = (HBRUSH)COLOR_WINDOWFRAME;// background brush. NOTE(review): WNDCLASSEX expects system colour indices as (HBRUSH)(COLOR_xxx + 1); as written this is off by one
wcex.lpszClassName = szWindowClass;// class name
wcex.hIcon = 0;// no large icon
wcex.hCursor = LoadCursor(NULL, IDC_ARROW);// standard arrow cursor
wcex.lpszMenuName = 0;// no menu
wcex.hIconSm = 0;// no small icon
atom = RegisterClassEx(&wcex);// registers the class; atom is 0 on failure but is never checked, so a failed registration surfaces only as a NULL h1
DWORD dwExtyle = 0; // unused
HWND h1 = CreateWindowA(
szWindowClass,
szTitle2,
WS_OVERLAPPEDWINDOW,// | WS_HSCROLL | WS_VSCROLL, (the style above is sufficient)
CW_USEDEFAULT,//x
CW_USEDEFAULT,//y
CW_USEDEFAULT,//width
CW_USEDEFAULT,//height
NULL,
NULL,
GetModuleHandleA(NULL),
NULL);
MoveWindow(h1, 323, 323, 500, 500, true); // fixed position and size; h1 is not NULL-checked first
ShowWindow(h1, SW_HIDE); // window stays invisible — presumably it only serves as a message target; confirm against MyProc
char buf[1024];
sprintf_s(buf,"yjx:DLL:CreateWindow hwnd=%p by QQ150330575 at 2022.11.8\r\n", h1); // relies on the C++ template overload of sprintf_s to supply sizeof buf; in a C translation unit this call would be malformed
OutputDebugStringA(buf);
return h1;
}
官方网址 www.yjxsoft.com
郁金香老师:
QQ 150330575
QQ 391990139
手机 139 9636 2600
QQ交流群 29817979 9569245 158280115
游戏安全课程 学员办理咨询联系QQ150330575 手机 139 9636 2600 免费课程 在 www.bilibili.com 搜 郁金香灬老师