【转】菜鸟也来打造全自动QQ大家来找茬外挂

本文介绍了为QQ游戏“大家来找茬”制作全自动外挂的方法:先在客户端的点击判定函数里把坐标比较指令(cmp)改成赋值指令(mov),用正确茬位的坐标覆盖鼠标点击坐标,使任意位置的点击都被判定为“点对”;再在窗口消息处理过程入口打补丁,伪造鼠标左键按下(WM_LBUTTONDOWN,201h)消息,实现无人操作的自动点击。注意外挂并没有真正“找”出差异——整个判定逻辑都在客户端完成,这正是它能被篡改的根本原因。


菜鸟也来打造全自动QQ大家来找茬外挂

转载请注明:www.UNPACK.cn by y3y3y3
定位关键代码:在IDA中对字符串 zSound\\ClickRight.wav(从文件名看应是点对时播放的音效)查交叉引用,引用处在 0042DD16;下面的循环里每一次范围检查失败都会跳到 loc_42DD27 绕开它,只有全部检查通过才会执行到这里,因此从该引用往回看就能找到判定逻辑。

.text:0042DB40 loc_42DB40:                             ; CODE XREF: sub_42D984:loc_42DD27j
.text:0042DB40                 mov     ecx, [ebp+var_20]
.text:0042DB43                 add     ecx, 1
.text:0042DB46                 mov     [ebp+var_20], ecx
.text:0042DB46
.text:0042DB49
.text:0042DB49 loc_42DB49:                             ; CODE XREF: sub_42D984+1BAj
.text:0042DB49                 mov     edx, [ebp+var_20]
.text:0042DB4C                 cmp     edx, dword_494BF5
.text:0042DB52                 jge     loc_42DD2C
.text:0042DB52
.text:0042DB58                 mov     eax, [ebp+var_20] ; 计数器
.text:0042DB5B                 mov     ecx, [ebp+var_1C] ; 动态茬指针
.text:0042DB5E                 movsx   edx, word ptr [ecx+eax*2+16h] ; 指向茬的X坐标的最小值
.text:0042DB63                 cmp     [ebp+arg_0], edx ; 和鼠标点的X坐标比较,小于就挂!
.text:0042DB63                                         ;
.text:0042DB63                                         ; 所以修改为 mov [ebp+arg_0], edx
.text:0042DB63                                         ;
.text:0042DB63                                         ; 即把正确的X坐标最小值覆盖鼠标点击的X坐标
.text:0042DB66                 jl      loc_42DD27      ; NOP
.text:0042DB66
.text:0042DB6C                 mov     eax, [ebp+var_20]
.text:0042DB6F                 mov     ecx, [ebp+var_1C]
.text:0042DB72                 movsx   esi, word ptr [ecx+eax*2+16h]
.text:0042DB77                 push    0
.text:0042DB79                 mov     edx, [ebp+var_20]
.text:0042DB7C                 shl     edx, 5
.text:0042DB7F                 mov     eax, [ebp+var_44]
.text:0042DB82                 lea     ecx, [eax+edx+1FCh]
.text:0042DB89                 call    sub_445EE3
.text:0042DB89
.text:0042DB8E                 add     esi, eax
.text:0042DB90                 cmp     [ebp+arg_0], esi ; X坐标最大值比较,因为前面已经覆盖了正确的X坐标最小值
.text:0042DB90                                         ; 所以这路过
.text:0042DB93                 ja      loc_42DD27
.text:0042DB93
.text:0042DB99                 mov     ecx, [ebp+var_20]
.text:0042DB9C                 mov     edx, [ebp+var_1C]
.text:0042DB9F                 movsx   eax, word ptr [edx+ecx*2+2Ah]
.text:0042DBA4                 cmp     [ebp+arg_4], eax ; 这里是Y的坐标,和X一样修改
.text:0042DBA7                 jl      loc_42DD27
.text:0042DBA7
.text:0042DBAD                 mov     ecx, [ebp+var_20]
.text:0042DBB0                 mov     edx, [ebp+var_1C]
.text:0042DBB3                 movsx   esi, word ptr [edx+ecx*2+2Ah]
.text:0042DBB8                 push    0
.text:0042DBBA                 mov     eax, [ebp+var_20]
.text:0042DBBD                 shl     eax, 5
.text:0042DBC0                 mov     ecx, [ebp+var_44]
.text:0042DBC3                 lea     ecx, [ecx+eax+1FCh]
.text:0042DBCA                 call    sub_445F51
.text:0042DBCA
.text:0042DBCF                 add     esi, eax
.text:0042DBD1                 cmp     [ebp+arg_4], esi
.text:0042DBD4                 ja      loc_42DD27
.text:0042DBD4
.text:0042DBDA                 mov     edx, [ebp+var_1C]
.text:0042DBDD                 add     edx, [ebp+var_20]
.text:0042DBE0                 xor     eax, eax
.text:0042DBE2                 mov     al, [edx+3Eh]
.text:0042DBE5                 test    eax, eax
.text:0042DBE7                 jnz     loc_42DD27
.text:0042DBE7
.text:0042DBED                 mov     ecx, [ebp+var_1C]
.text:0042DBF0                 add     ecx, [ebp+var_20]
.text:0042DBF3                 mov     byte ptr [ecx+3Eh], 1
.text:0042DBF7                 push    2
.text:0042DBF9                 mov     ecx, offset unk_48F120
.text:0042DBFE                 call    sub_40175D
.text:0042DBFE
.text:0042DC03                 cmp     eax, 1
.text:0042DC06                 jnz     short loc_42DC2B
.text:0042DC06
.text:0042DC08                 mov     edx, [ebp+var_44]
.text:0042DC0B                 add     edx, 33Ch
.text:0042DC11                 push    edx
.text:0042DC12                 push    190h
.text:0042DC17                 mov     eax, [ebp+var_20]
.text:0042DC1A                 imul    eax, 0Ch
.text:0042DC1D                 mov     ecx, [ebp+var_1C]
.text:0042DC20                 lea     ecx, [ecx+eax+48h]
.text:0042DC24                 call    sub_40190B
.text:0042DC24
.text:0042DC29                 jmp     short loc_42DC49
.text:0042DC29
.text:0042DC2B ; ---------------------------------------------------------------------------
.text:0042DC2B
.text:0042DC2B loc_42DC2B:                             ; CODE XREF: sub_42D984+282j
.text:0042DC2B                 mov     edx, [ebp+var_44]
.text:0042DC2E                 add     edx, 33Ch
.text:0042DC34                 push    edx
.text:0042DC35                 push    1
.text:0042DC37                 mov     eax, [ebp+var_20]
.text:0042DC3A                 imul    eax, 0Ch
.text:0042DC3D                 mov     ecx, [ebp+var_1C]
.text:0042DC40                 lea     ecx, [ecx+eax+48h]
.text:0042DC44                 call    sub_40190B
.text:0042DC44
.text:0042DC49
.text:0042DC49 loc_42DC49:                             ; CODE XREF: sub_42D984+2A5j
.text:0042DC49                 push    0
.text:0042DC4B                 mov     edx, [ebp+var_20]
.text:0042DC4E                 shl     edx, 5
.text:0042DC51                 mov     eax, [ebp+var_44]
.text:0042DC54                 lea     ecx, [eax+edx+1FCh]
.text:0042DC5B                 call    sub_445F51
.text:0042DC5B
.text:0042DC60                 push    eax
.text:0042DC61                 mov     ecx, [ebp+var_20]
.text:0042DC64                 mov     edx, [ebp+var_1C]
.text:0042DC67                 movsx   eax, word ptr [edx+ecx*2+2Ah]
.text:0042DC6C                 push    eax
.text:0042DC6D                 mov     ecx, [ebp+var_20]
.text:0042DC70                 mov     edx, [ebp+var_1C]
.text:0042DC73                 movsx   esi, word ptr [edx+ecx*2+16h]
.text:0042DC78                 push    0
.text:0042DC7A                 mov     eax, [ebp+var_20]
.text:0042DC7D                 shl     eax, 5
.text:0042DC80                 mov     ecx, [ebp+var_44]
.text:0042DC83                 lea     ecx, [ecx+eax+1FCh]
.text:0042DC8A                 call    sub_445EE3
.text:0042DC8A
.text:0042DC8F                 shr     eax, 1
.text:0042DC91                 add     esi, eax
.text:0042DC93                 push    esi
.text:0042DC94                 mov     ecx, [ebp+var_44]
.text:0042DC97                 call    sub_402342
.text:0042DC97
.text:0042DC9C                 mov     edx, [ebp+var_44]
.text:0042DC9F                 cmp     dword ptr [edx+10h], 1
.text:0042DCA3                 jnz     short loc_42DCD1
.text:0042DCA3
.text:0042DCA5                 lea     ecx, [ebp+var_30]
.text:0042DCA8                 call    sub_401D25
.text:0042DCA8
.text:0042DCAD                 mov     eax, [ebp+arg_0]
.text:0042DCB0                 mov     [ebp+var_2F], eax
.text:0042DCB3                 mov     ecx, [ebp+arg_4]
.text:0042DCB6                 mov     [ebp+var_2B], ecx
.text:0042DCB9                 mov     edx, [ebp+var_20]
.text:0042DCBC                 mov     [ebp+var_27], edx
.text:0042DCBF                 lea     eax, [ebp+var_30]
.text:0042DCC2                 push    eax
.text:0042DCC3                 push    0Dh
.text:0042DCC5                 mov     ecx, offset unk_46D868
.text:0042DCCA                 call    sub_401690
.text:0042DCCA
.text:0042DCCF                 jmp     short loc_42DD09
.text:0042DCCF
.text:0042DCD1 ; ---------------------------------------------------------------------------
.text:0042DCD1
.text:0042DCD1 loc_42DCD1:                             ; CODE XREF: sub_42D984+31Fj
.text:0042DCD1                 mov     ecx, [ebp+var_44]
.text:0042DCD4                 cmp     dword ptr [ecx+10h], 2
.text:0042DCD8                 jnz     short loc_42DD09
.text:0042DCD8
.text:0042DCDA                 push    1
.text:0042DCDC                 movsx   edx, byte ptr [ebp+var_8]
.text:0042DCE0                 mov     eax, [ebp+var_44]
.text:0042DCE3                 lea     ecx, [eax+edx*8+0A20h]
.text:0042DCEA                 call    sub_4022E8
.text:0042DCEA
.text:0042DCEF                 mov     ecx, [ebp+var_44]
.text:0042DCF2                 cmp     dword ptr [ecx+97Ch], 1
.text:0042DCF9                 jnz     short loc_42DD09
.text:0042DCF9
.text:0042DCFB                 push    0FFFFFFFFh
.text:0042DCFD                 mov     dl, byte ptr [ebp+var_8]
.text:0042DD00                 push    edx
.text:0042DD01                 mov     ecx, [ebp+var_44]
.text:0042DD04                 call    sub_40248C
.text:0042DD04
.text:0042DD09
.text:0042DD09 loc_42DD09:                             ; CODE XREF: sub_42D984+34Bj
.text:0042DD09                                         ; sub_42D984+354j
.text:0042DD09                                         ; sub_42D984+375j
.text:0042DD09                 mov     eax, [ebp+var_44]
.text:0042DD0C                 mov     dword ptr [eax+97Ch], 1
.text:0042DD16                 push    offset s->ZsoundClickright_wav ; "zSound\\ClickRight.wav"
.text:0042DD1B                 mov     ecx, offset unk_46D868
.text:0042DD20                 call    sub_4029C8
.text:0042DD20
.text:0042DD25                 jmp     short loc_42DD2C
.text:0042DD25
.text:0042DD27 ; ---------------------------------------------------------------------------
.text:0042DD27
.text:0042DD27 loc_42DD27:                             ; CODE XREF: sub_42D984+1E2j
.text:0042DD27                                         ; sub_42D984+20Fj
.text:0042DD27                                         ; sub_42D984+223j
.text:0042DD27                                         ; sub_42D984+250j
.text:0042DD27                                         ; sub_42D984+263j
.text:0042DD27                 jmp     loc_42DB40

到这里就可以做出“乱点外挂”了(随便点哪里都算点对),但还得自己动手点,太累。打补丁时注意字节长度要一致:0042DB63 处的 cmp [ebp+arg_0],edx 和替换成的 mov [ebp+arg_0],edx 都是3字节(下一条指令在 0042DB66),可以原地改;0042DB66 处的 jl loc_42DD27 是6字节的近跳转(下一条指令在 0042DB6C),要用6个NOP填平。Y坐标在 0042DBA4(cmp)和 0042DBA7(jl)处同样处理。覆盖了最小值之后,后面和最大值的比较(0042DB90、0042DBD1 处的 ja)只要 sub_445EE3/sub_445F51 返回的宽高不是负数就会自然通过。
继续打造:找到窗口消息处理过程,在其入口处劫持调用,伪造鼠标左键按下消息。入口被覆盖的三条指令 push ebp / mov ebp,esp / sub esp,8Ch 共9字节(0042D22C 到 0042D235),而 jmp 只占5字节,余下4字节要补NOP;补丁代码末尾用 push 0042D235h / ret 跳回被覆盖指令之后。另外要清楚,这个补丁把 [esp+4]~[esp+10h] 四个参数全部改写,也就是不管调用方实际发来的是什么消息,处理过程看到的都是一次固定 lParam 的左键按下。

.text:0042D22C                 push    ebp             ; 这就是消息过程了,我们来写补丁代码
.text:0042D22C                                         ; jmp XXXXXXXX
.text:0042D22C                                         ;
.text:0042D22C                                         ; XXXXXXXX:
.text:0042D22C                                         ;
.text:0042D22C                                         ;         MOV DWORD PTR SS:[ESP+4],201h // 这4句怎么来,就是用 随便点个,OD下断,看堆栈
.text:0042D22C                                         ;         MOV DWORD PTR SS:[ESP+8],1
.text:0042D22C                                         ;         MOV DWORD PTR SS:[ESP+0CH],14700C9h
.text:0042D22C                                         ;         MOV DWORD PTR SS:[ESP+10H],0
.text:0042D22C                                         ;         PUSH EBP //模拟被覆盖代码
.text:0042D22C                                         ;         MOV EBP,ESP
.text:0042D22C                                         ;         SUB ESP,8CH //模拟被覆盖代码(续)
.text:0042D22C                                         ;         PUSH 0042D235H // JMP
.text:0042D22C                                         ;         RET
.text:0042D22C                                         ;
.text:0042D22D                 mov     ebp, esp
.text:0042D22F                 sub     esp, 8Ch
.text:0042D235                 push    edi
.text:0042D236                 mov     [ebp+var_8C], ecx
.text:0042D23C                 cmp     [ebp+arg_C], 2
.text:0042D240                 jz      loc_42D37B
.text:0042D240
.text:0042D246                 cmp     [ebp+arg_0], 201h ; 比较是不是鼠标左键按下了
.text:0042D24D                 jnz     loc_42D37B
.text:0042D24D
.text:0042D253                 mov     eax, [ebp+arg_8]
.text:0042D256                 and     eax, 0FFFFh
.text:0042D25B                 mov     [ebp+var_4], eax
.text:0042D25E                 mov     ecx, [ebp+arg_8]
.text:0042D261                 shr     ecx, 10h
.text:0042D264                 and     ecx, 0FFFFh
.text:0042D26A                 and     ecx, 0FFFFh
.text:0042D270                 mov     [ebp+var_8], ecx
.text:0042D273                 mov     edx, [ebp+var_8]
.text:0042D276                 push    edx             ; Y
.text:0042D277                 mov     eax, [ebp+var_4]
.text:0042D27A                 push    eax             ; X
.text:0042D27B                 mov     ecx, [ebp+var_8C]
.text:0042D281                 call    sub_401541      ; 这调用,这CALL就是判断是不是点对的!
