[原创] [coding]适用所有随机事件(老虎机,金箱子,爆率)——申请加精

1.看到有人发ct了就忍不住出来ZB了,发程序太便宜伸手党,大佬轻喷。
2.原理就是修改rand返回值,使随机数恒定,游戏是多随机数判定爆率,所以出现一直一个物品的情况。如果需要指定物品,请自行修改shellcode。
3.之前ct脚本崩溃解答: 游戏是64位程序,近跳转(E9 jmp)后面只能跟32位有符号相对偏移,当申请到的内存相对于hook位置的距离超出±2GB时就会崩溃,应采用绝对跳转(mov rax, 目标地址; jmp rax,即下面代码中的eable数组)。

代码:
#include <Windows.h>
#include <TlHelp32.h>

#include <cstring>
#include <iostream>
#include <vector>
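namespace ChangeRand
{
// NOTE(review): everything below patches ucrtbase.dll inside a *running* process.
// The byte pattern in PatchRand() and its 0x16 back-offset are specific to one
// ucrtbase build; on a different build the scan finds nothing and Init() records
// no target (it does not fall back or warn).

// Narrowest access mask that covers what this namespace does: query regions,
// read/write memory and allocate the trampoline. PROCESS_ALL_ACCESS (used before)
// requested far more than needed and is denied in more situations than this is.
static const DWORD kProcessAccess =
  PROCESS_QUERY_INFORMATION | PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION;

// Bookkeeping for one patched process.
// `eable`/`disable` are inline arrays now instead of malloc'd buffers that were
// never freed; existing readers that use them as pointers still work (array decay).
typedef struct _Info
{
  DWORD pid;         // target process id
  DWORD64 address;   // absolute address in the target where the 12-byte jump is written
  byte eable[12];    // "mov rax, <dlladdr>; jmp rax", address filled in by Init()
  byte disable[16];  // original bytes at `address`, captured before patching; Disable() restores them
  LPVOID dlladdr;    // trampoline allocated in the target: "mov eax, imm32; ret"
}Info;
std::vector<Info> infolist;

// Absolute jump template: mov rax, imm64 (0x48 0xb8 + 8 bytes, filled by Init) ; jmp rax (0xff 0xe0).
// A rel32 "jmp" cannot reach a trampoline allocated more than 2 GiB from the hook
// in a 64-bit process, which is why the longer absolute form is used.
byte eable[] =
{
  0x48,0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
  0xff,0xe0
};

// Opens `pid` with kProcessAccess. Returns NULL on failure; callers skip that entry.
static HANDLE OpenTarget(DWORD pid)
{
  return OpenProcess(kProcessAccess, FALSE, pid);
}

// Writes `size` bytes at `addr` in the target. True only if every byte was written.
static bool WriteTarget(HANDLE hprocess, DWORD64 addr, const void* data, SIZE_T size)
{
  SIZE_T written = 0;
  return WriteProcessMemory(hprocess, (LPVOID)addr, data, size, &written) && written == size;
}

// True if `pid` already has an entry in infolist (i.e. its rand() is already hooked).
static bool AlreadyPatched(DWORD pid)
{
  for (const Info& info : infolist)
  {
    if (info.pid == pid)
      return true;
  }
  return false;
}

// Scans [begain, begain + size) of the target for the byte pattern `par` and appends
// every hit to `addrlist` as an offset relative to `begain` (NOT an absolute address).
// Regions that are not committed, are PAGE_NOACCESS/PAGE_GUARD, or are PAGE_READONLY
// are skipped (the original skipped only read-only; reading a non-committed region
// failed with zero bytes and the cursor never advanced, so the loop never ended).
inline void findcodeaddr(HANDLE hprocess, DWORD64 begain, SIZE_T size, char* par, size_t parsize, std::vector<DWORD64>& addrlist)
{
  if (parsize == 0)
    return;
  const DWORD64 base = begain;
  const DWORD64 end = begain + size;
  std::vector<byte> buf;  // reused across regions; released on every exit path
  MEMORY_BASIC_INFORMATION mbi;
  while (begain < end)
  {
    memset(&mbi, 0, sizeof(mbi));
    if (VirtualQueryEx(hprocess, (LPCVOID)begain, &mbi, sizeof(mbi)) == 0)
    {
      begain += 0x1000;  // unqueryable page: step one page and keep going
      continue;
    }
    // The cursor may sit in the middle of a region. Read only from the cursor to the
    // region end (clamped to the scan window) so the read never crosses into the
    // next region; the old code read RegionSize bytes starting at the cursor.
    DWORD64 regionEnd = (DWORD64)mbi.BaseAddress + mbi.RegionSize;
    if (regionEnd > end)
      regionEnd = end;
    if (regionEnd <= begain)
    {
      begain += 0x1000;  // defensive: never iterate without advancing
      continue;
    }
    const bool scannable = mbi.State == MEM_COMMIT
      && (mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD)) == 0
      && (mbi.Protect & PAGE_READONLY) == 0;
    if (scannable)
    {
      buf.resize((size_t)(regionEnd - begain));
      SIZE_T readed = 0;
      ReadProcessMemory(hprocess, (LPCVOID)begain, buf.data(), buf.size(), &readed);
      // `i + parsize <= readed` instead of `i < readed - parsize`: the old form wrapped
      // around (unsigned) when readed < parsize and read past the buffer, and it also
      // missed a match ending exactly at the last byte.
      for (SIZE_T i = 0; i + parsize <= readed; ++i)
      {
        if (memcmp(buf.data() + i, par, parsize) == 0)
          addrlist.push_back(begain + i - base);
      }
    }
    begain = regionEnd;  // always advances, even if nothing was read
  }
}

// Appends every module of `pid` to `module`.
// Returns FALSE if the snapshot could not be taken or its first entry could not be read
// (the snapshot handle is closed on both paths); TRUE otherwise.
BOOL GetModuleAddr(std::vector<MODULEENTRY32>& module, DWORD pid)
{
  HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
  if (snap == INVALID_HANDLE_VALUE)
    return FALSE;
  MODULEENTRY32 me32 = { sizeof(MODULEENTRY32) };
  if (!Module32FirstW(snap, &me32))
  {
    CloseHandle(snap);
    return FALSE;
  }
  do
  {
    module.push_back(me32);
  } while (Module32NextW(snap, &me32));
  CloseHandle(snap);
  return TRUE;
}

// Appends every running process whose image name equals `pProcess` (case-insensitive)
// to `process`. Returns FALSE when the snapshot cannot be taken or enumerated;
// TRUE otherwise, including when there were zero matches.
BOOL FindProcess(std::vector<PROCESSENTRY32>& process, const wchar_t* pProcess)
{
  // CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE, not NULL,
  // so the old `== NULL` test never fired.
  HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
  if (snap == INVALID_HANDLE_VALUE)
    return FALSE;
  PROCESSENTRY32W entry;
  entry.dwSize = sizeof(entry);
  if (!Process32FirstW(snap, &entry))
  {
    CloseHandle(snap);  // was leaked on this path before
    return FALSE;
  }
  do
  {
    if (_wcsicmp(entry.szExeFile, pProcess) == 0)
      process.push_back(entry);
  } while (Process32NextW(snap, &entry));
  return CloseHandle(snap) ? TRUE : FALSE;
}

// Re-applies the 12-byte absolute jump in every recorded process.
// Processes that can no longer be opened are skipped instead of being written through
// a NULL handle.
// NOTE(review): the 12 bytes are not written atomically; a target thread executing
// inside them at that instant would fault. Suspending the target around the write
// would close that window; not done here.
void Eable()
{
  for (const Info& info : infolist)
  {
    HANDLE hprocess = OpenTarget(info.pid);
    if (!hprocess)
      continue;
    WriteTarget(hprocess, info.address, info.eable, sizeof(info.eable));
    CloseHandle(hprocess);
  }
}

// Restores the 16 original bytes saved by Init() in every recorded process, i.e.
// un-hooks rand(). The trampoline allocation is left in place so Eable() can re-use it.
void Disable()
{
  for (const Info& info : infolist)
  {
    HANDLE hprocess = OpenTarget(info.pid);
    if (!hprocess)
      continue;
    WriteTarget(hprocess, info.address, info.disable, sizeof(info.disable));
    CloseHandle(hprocess);
  }
}

// Changes the constant the hooked rand() returns in every recorded process.
// The trampoline is "mov eax, imm32; ret", so the imm32 starts at dlladdr + 1; only its
// low 16 bits are rewritten. The trampoline's initial value is 0x7fff and rand()'s range
// is 0..0x7fff, so the upper half is expected to stay zero.
void SetValue(unsigned short value)
{
  for (const Info& info : infolist)
  {
    if (!info.dlladdr)
      continue;
    HANDLE hprocess = OpenTarget(info.pid);
    if (!hprocess)
      continue;
    WriteTarget(hprocess, (DWORD64)info.dlladdr + 1, &value, sizeof(value));
    CloseHandle(hprocess);
  }
}

// Hooks rand() in the ucrtbase.dll mapped into process `pid` (module entry `mod`):
// locates the function, saves its first 16 bytes, allocates a trampoline returning
// 0x7fff, writes the absolute jump, and records everything in infolist.
// Any failure leaves the target untouched (or frees the trampoline) and records nothing.
static void PatchRand(DWORD pid, const MODULEENTRY32& mod)
{
  // Bytes matched inside ucrtbase's rand(): "mov [rax+0x28],ecx ; shr ecx,0x10 ; and ecx,0x7fff".
  // Presumably the LCG state store followed by the result masking - TODO confirm
  // against the ucrtbase build actually shipped with the target.
  byte mark[] = { 0x89,0x48,0x28, 0xc1,0xe9,0x10, 0x81,0xe1,0xff,0x7f,0x00,0x00 };
  // Distance from the matched bytes back to the function entry; build-specific.
  const DWORD64 kEntryBackOffset = 0x16;
  // Trampoline: mov eax, 0x7fff ; ret  (SetValue() later rewrites the low 16 bits of the imm32).
  byte shellcode[] = { 0xb8,0xff,0x7f,0x00,0x00, 0xc3 };

  HANDLE hprocess = OpenTarget(pid);
  if (!hprocess)
    return;

  std::vector<DWORD64> hits;
  findcodeaddr(hprocess, (DWORD64)mod.hModule, 0x15000, (char*)mark, sizeof(mark), hits);
  if (hits.empty() || hits[0] < kEntryBackOffset)
  {
    CloseHandle(hprocess);
    return;
  }

  Info info;
  memset(&info, 0, sizeof(info));
  info.pid = pid;
  info.address = (DWORD64)mod.hModule + hits[0] - kEntryBackOffset;
  memcpy(info.eable, eable, sizeof(info.eable));

  // Save the original bytes first; if this read is short, nothing is patched.
  SIZE_T readed = 0;
  bool ok = ReadProcessMemory(hprocess, (LPCVOID)info.address, info.disable, sizeof(info.disable), &readed)
    && readed == sizeof(info.disable);

  if (ok)
  {
    // NOTE(review): the trampoline page is W+X because SetValue() rewrites it later.
    // A NULL result used to be written into the jump unchecked, which sent rand() to
    // address 0 in the target; now the patch is abandoned instead.
    info.dlladdr = VirtualAllocEx(hprocess, NULL, 20, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    ok = info.dlladdr != NULL;
  }
  if (ok)
    ok = WriteTarget(hprocess, (DWORD64)info.dlladdr, shellcode, sizeof(shellcode));
  if (ok)
  {
    // Fill the imm64 of "mov rax" via memcpy rather than an unaligned DWORD64 store.
    DWORD64 target = (DWORD64)info.dlladdr;
    memcpy(info.eable + 2, &target, sizeof(target));
    // NOTE(review): not atomic with respect to threads running rand() at this moment.
    ok = WriteTarget(hprocess, info.address, info.eable, sizeof(info.eable));
  }

  if (ok)
    infolist.push_back(info);
  else if (info.dlladdr)
    VirtualFreeEx(hprocess, info.dlladdr, 0, MEM_RELEASE);
  CloseHandle(hprocess);
}

// Hooks rand() in every process whose image name is `name` (see PatchRand for what a
// hook consists of). Processes already present in infolist are skipped, because a second
// Init() would otherwise save the jump bytes as the "original" and Disable() would then
// restore the hook instead of removing it.
// Always returns 0 (unchanged contract); per-process failures are skipped silently.
int Init(const wchar_t* name)
{
  std::vector<PROCESSENTRY32> process;
  if (!FindProcess(process, name))
    return 0;
  for (const PROCESSENTRY32& proc : process)
  {
    const DWORD pid = proc.th32ProcessID;
    if (AlreadyPatched(pid))
      continue;
    std::vector<MODULEENTRY32> module;
    if (!GetModuleAddr(module, pid))
      continue;
    for (const MODULEENTRY32& mod : module)
    {
      if (_wcsicmp(mod.szModule, L"ucrtbase.dll") != 0)
        continue;
      PatchRand(pid, mod);
      break;  // one ucrtbase per process
    }
  }
  return 0;
}
}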
