[發問] 請問函數注入問題

janin0115

janin0115 發表於 2011-1-22 14:31:45 | 只看該作者回帖獎勵

請問大大們用技能call ok 沒問題但是用在走路call 才剛讀取玩遊戲就給我關閉遊戲
            請問要怎麼去寫走路注入函數困擾中.......

procedure InjectFunc2(Func: Pointer; Param: Pointer; ParamSize: DWORD);
var
  hThread: THandle;
  lpNumberOfBytes: DWORD;
begin
  if processid<>0 then
  begin
// ---- 寫入函數位址
WriteProcessMemory(processid, ThreadAdd, Func, 128, lpNumberOfBytes);
// ---- 　寫入參數位址
WriteProcessMemory(processid, ParamAdd, Param, ParamSize, lpNumberOfBytes);
// ---- 建立遠端執行緒
hThread := CreateRemoteThread(processid, nil, 0, ThreadAdd, ParamAdd, 0, lpNumberOfBytes);
// ---- 等待執行緒結束
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
  end;
end;

procedure

收藏0 分享讚0 幹0 分享分享

相關POST

回覆

使用道具舉報

janin0115 2011-1-23 11:22:05

請問大大我不知道是不是作業系統問題我試WIN 64 旗艦版用2010-DELPHI 請問我執行跟隨都會一直發生錯誤會同時關掉遊戲

procedure runCall2(aPParams2:PParams2); Stdcall;
//begin
//ShowMessage('step0->runCall2');
var
  Address1:pointer;
  Address2:pointer;
  Address3:pointer;
  x,y,z:Single;
  r_POSITION1:Integer;
begin
  Address1:=Pointer(W2I_Walk_Call1);
  Address2:=pointer(W2I_Walk_Call2);
  Address3:=pointer(W2I_Walk_Call3);
  x:=aPParams2^.Param3;
  y:=aPParams2^.Param4;
  z:=aPParams2^.Param5;
  ShowMessage('x座標:'+FormatFloat('0' ,x));
  ShowMessage('y座標:'+FormatFloat('0' ,y));
  ShowMessage('z座標:'+FormatFloat('0' ,z));
  asm
pushad
mov eax, dword ptr [$A5BFB0]
mov eax, dword ptr [eax+$1C] <==都一直錯誤在這裡真奇怪
mov ebx, dword ptr [eax+$20]
mov esi, ebx
mov ecx, dword ptr [esi+$FF4]    push 1
call Address1  //调用函数

mov edi, eax //保存上一个函数的返回值
lea eax, dword ptr [esp+18]
push eax
push 0 //这个地方改成1的话就是飞行了或水中
mov ecx, edi  //上一个函数的返回值
call Address2

push 0
push 1
push edi //第一个函数返回值
mov ecx, dword ptr [esi+$FF4]
push 1
call Address3

//修改跑路目的地坐标
mov eax, dword ptr [$A5BFB0]
mov eax, dword ptr [eax+$1C]
mov eax, dword ptr [eax+$20]
mov eax, dword ptr [eax+$FF4]    mov eax, dword ptr [eax+$30]
mov ecx, dword ptr [eax+4]
mov eax, x
mov [ecx+$20], eax
mov eax, z
mov [ecx+$24], eax
mov eax, y
mov [ecx+$28], eax
popad
  end;
end;

回覆

使用道具舉報

RAINTCK 2011-1-23 12:43:36

你試試空間申請,我寫CALL時也發生同樣問題加入空間申請就OK了到底是不是空間問題不敢保證YCT17B
ParamAddr := VirtualAllocEx(GAMES, nil,aParamsSize, MEM_COMMIT, PAGE_READWRITE);//申請函數空間
ThreadAddr := VirtualAllocEx(GAMES, nil, 200, MEM_COMMIT, PAGE_READWRITE);//申請函數空間
// ---- 寫入函數地址
WriteProcessMemory(GAMES,ThreadAddr,Func,256,lpNumberOfBytes);
// ---- 寫入參數地址
WriteProcessMemory(GAMES,ParamAddr,aParams,aParamsSize,lpNumberOfBytes);
// ---- 創建遠程線程
hThread := CreateRemoteThread(GAMES,nil,0,ThreadAddr,ParamAddr, 0, lpNumberOfBytes);
// ---- 等待線程結束
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
VirtualFreeEx(GAMES,ThreadAddr, 0, MEM_RELEASE);
VirtualFreeEx(GAMES,ParamAddr, 0, MEM_RELEASE); //釋放申請的地址

我只是個初學者! 高手正在營幕前微笑

回覆

使用道具舉報

janin0115 2011-1-23 22:05:11

請大大幫我看一下我這樣用走路call 都會關閉遊戲下面是原碼:
請大大們幫忙都用不好感恩

procedure TForm1.getPlayerAddrFunc(Sender: TObject);
var
PLAYER_LIST_ADDR,W2I_ROLE_BASE_ADDR,PLAYER_BASE_ADDR,ENVIRON_BASE_ADDR
,W2I_DYNAMIC_BASE_ADDR,BASE_ADDR,tt,jnnum1,PLAYER_ADDR,ROLE_BASE_ADDR
,ROLE_SN,ujnname6,PLAYER_NAME_ADDR,PLAYER_OBJ,PLAYER_MAXHP,PLAYER_CURHP:DWORD;
PLAYER_NAME: array [0..35] of WideChar;
PLAYER_X,PLAYER_Y,PLAYER_Z:single;
x_coor,x_coorTemp, y_coor, y_coorTemp,z_coor,z_coorTemp: longint;
begin
ReadProcessMemory(ProcessID, Pointer($A5BFB0+$1c),@BASE_ADDR,4,tt); //第一基址
ReadProcessMemory(ProcessID, Pointer(BASE_ADDR+$20),@ROLE_BASE_ADDR,4,tt); //第一基址
ReadProcessMemory(ProcessID, Pointer(BASE_ADDR+$08),@ENVIRON_BASE_ADDR,4,tt); //取得環境基址
ReadProcessMemory(ProcessID, Pointer(ENVIRON_BASE_ADDR+$20),@PLAYER_BASE_ADDR,4,tt); //取得週圍玩家基址
ReadProcessMemory(ProcessID, Pointer(PLAYER_BASE_ADDR+$18),@PLAYER_LIST_ADDR,4,tt); //取得週圍玩家列表基址
ReadProcessMemory(ProcessID, Pointer(PLAYER_BASE_ADDR +$14), @jnnum1, 4, tt);  //玩家現總數
ReadProcessMemory(ProcessID, Pointer(ROLE_BASE_ADDR+$b0c),@ROLE_SN,4,tt); //人物選中sn
ReadProcessMemory(ProcessID, Pointer(PLAYER_LIST_ADDR+((ROLE_SN Mod 769))*4),@PLAYER_ADDR,4,tt );//相應位置玩家基址
ReadProcessMemory(ProcessID, Pointer(PLAYER_ADDR+$4), @PLAYER_OBJ, 4, tt); //相應位置玩家指針
ReadProcessMemory(ProcessID,Pointer(PLAYER_OBJ+$3C),@PLAYER_X,4,TT); //相應位置玩家X座標
ReadProcessMemory(ProcessID,Pointer(PLAYER_OBJ+$44),@PLAYER_Y,4,TT); //相應位置玩家y座標
ReadProcessMemory(ProcessID,Pointer(PLAYER_OBJ+$40),@PLAYER_Z,4,TT); //相應位置玩家Z座標
ReadProcessMemory(ProcessID,Pointer(PLAYER_OBJ+$4B4),@PLAYER_MAXHP,4,TT); //相應位置玩家最大血量
ReadProcessMemory(ProcessID,Pointer(PLAYER_OBJ+$474),@PLAYER_CURHP,4,TT); //相應位置玩家當前血量
ReadProcessMemory(ProcessID, Pointer(PLAYER_OBJ+$618),@PLAYER_NAME_ADDR,4,tt); //'玩家名稱
ReadProcessMemory(ProcessID,pointer(PLAYER_NAME_ADDR),@PLAYER_NAME,SizeOf(PLAYER_NAME), tt);//讀取人物名稱
//label42.caption :=IntToStr(jnnum1);
begin
WideCharToString(PLAYER_NAME);
Label35.Caption := '玩家名稱：' + String(PLAYER_NAME);
x_coor:=(round(PLAYER_X) div 10)+400;
y_coor:=(round(PLAYER_Y) div 10)+550;
z_coor:= round(PLAYER_Z) div 10;
Label36.Caption :='座標：'+Formatfloat('0',x_coor)+','+Formatfloat('0',y_coor)+
                     '#' + Formatfloat('0',z_coor);

//走路call
const
  W2i_Base_ADDR=$A5BFB0;
  W2I_BASE_Call=$A5B90C;
  W2I_SEND_PACK_CALL=$60E310;
  W2I_Walk_Call1=$469F00;
  W2I_Walk_Call2=$46E090;
  W2I_Walk_Call3=$46A340;
  type  // ---- 定義參數指針
  TParams2 = packed record
  x,y,z:Single;
  Param3,Param4,Param5: Single;
  end;
PParams2 = ^TParams2;
procedure runCall2(aPParams2:PParams2); Stdcall;
//begin
//ShowMessage('step0->runCall2');
var
  Address1:pointer;
  Address2:pointer;
  Address3:pointer;
  x,y,z:Single;
  r_POSITION1:Integer;
begin
  Address1:=Pointer(W2I_Walk_Call1);
  Address2:=pointer(W2I_Walk_Call2);
  Address3:=pointer(W2I_Walk_Call3);
  x:=aPParams2^.Param3;
  y:=aPParams2^.Param4;
  z:=aPParams2^.Param5;
  ShowMessage('x座標:'+FormatFloat('0' ,x));
  ShowMessage('y座標:'+FormatFloat('0' ,y));
  ShowMessage('z座標:'+FormatFloat('0' ,z));
  asm
   pushad
   mov    eax, dword ptr W2I_BASE_ADDR
   mov    eax, dword ptr [eax+$1C]
   mov    esi, dword ptr [eax+$20]
   mov    ecx, dword ptr [esi+$FF4]
   push    1
   call    address1
   mov    edi, eax //保存 mouse 點擊的座標
   mov    ecx, dword ptr [esi+$FF4]
   mov    ecx, dword ptr [ecx+$30]
   mov    ecx, dword ptr [ecx+4]
   mov    eax, x
   mov    [ecx+$20], eax
   mov    eax, y
   mov    [ecx+$28], eax
   mov    eax, z
   mov    [ecx+$24], eax
   lea    ecx, [ecx+$20]
   push ecx
   //push IsFly
   push 0
   mov    ecx, edi
   call address2
   push    0
   push    1
   push    edi
   mov    ecx, dword ptr [esi+$FF4]
   push    1
   call    address3
   popad
   end;
end;

procedure InjectFunc2(Func: Pointer; Param: Pointer; ParamSize: DWORD);
var
  hThread: THandle;
  lpNumberOfBytes: DWORD;
begin
  if processid<>0 then
  begin
ThreadAdd := VirtualAllocEx(processid, nil, MemSize, MEM_COMMIT, PAGE_READWRITE);
ParamAdd := VirtualAllocEx(processid, nil, 200, MEM_COMMIT, PAGE_READWRITE);
// ---- 寫入函數位址
WriteProcessMemory(processid, ThreadAdd, Func, 256, lpNumberOfBytes);
// ---- 　寫入參數位址
WriteProcessMemory(processid, ParamAdd, Param, ParamSize, lpNumberOfBytes);
// ---- 建立遠端執行緒
hThread := CreateRemoteThread(processid, nil, 0, ThreadAdd, ParamAdd, 0, lpNumberOfBytes);
// ---- 等待執行緒結束
WaitForSingleObject(hThread, INFINITE);
CloseHandle(hThread);
VirtualFreeEx(processid,ThreadAdd, 0, MEM_RELEASE);
VirtualFreeEx(processid,ParamAdd, 0, MEM_RELEASE); //釋放申請的地址
  end;
end;
procedure TForm1.WalkTo(x, y, z: single);
var
  aParams : TParams2;
  aParamsSize:DWORD;
begin
  aParams.Param3:= x;
  aParams.Param4:= y;
  aParams.Param5:= z;
  aParamsSize:=SizeOf(aParams);
  if ghwnd<>0 then
  begin
injectfunc2(@runCall2, @aParams, aParamsSize);
   runCall2(@aParams);
  end;
end;

procedure TForm1.Timer6Timer(Sender: TObject);
var
x_coor,x_coorTemp, y_coor, y_coorTemp,z_coor,z_coorTemp: longint;
  x, y, z: longint;
  obj: TObject;
begin
  if CheckBox17.Checked then
  Begin
//Timer6.Enabled := true;
getPlayerAddrFunc(obj);
   x_coorTemp := x_coor;
   y_coorTemp := y_coor;
   z_coorTemp := z_coor;
if  (x_coorTemp <> x_coor) AND (y_coorTemp <> y_coor) AND (z_coorTemp <> z_coor) then
Begin
   x := x_coor;
   y := y_coor;
   z := z_coor;
   WalkTo(x, y, z);
End
  End
  else
  Begin
Timer6.Enabled := false;
  End;

procedure TForm1.Button5Click(Sender: TObject);
var
x_coor,x_coorTemp, y_coor, y_coorTemp,z_coor,z_coorTemp: longint;
  x:Single;
  y:Single;
  z:Single;
  begin
if Timer6.Enabled then
  begin
Timer6.Enabled := false;
Button5.Caption := 'Follow';
  end
  else
  begin
Timer6.Enabled := true;
Button5.Caption := 'Stop';
x := x_coor;
y := y_coor;
z := z_coor;
WalkTo(x, y, z);
  end;
end;