How the cheat runs and how it produces the "invincible" state in MapleStory.
Below is the code of the cheat's main form.
The form holds two Timer controls and two CheckBox controls; both Timers have Interval = 100, i.e. they fire every 100 ms (ten ticks per second). These are the main controls.
The first Timer's code. Because Interval is 100, the Timer's procedure runs every 100 milliseconds.
Look at this part first:
Private Sub Timer1_Timer()
    ' Use an If to test whether F11 is currently held down
    If MyHotKey(vbKeyF11) Then
        ' Then test whether Check1 is ticked. Value can be 0, 1 or 2;
        ' a non-zero Value means it is ticked, so run the wudi (invincibility) code
        If Check1.Value Then
            ' The wudi code lives in Module1. The author kept the call as short
            ' as possible; it could also be written as Call wudi() for readability.
            wudi
        End If
    ' Otherwise, if F12 is held down, run the next block
    ElseIf MyHotKey(vbKeyF12) Then
        If Check2.Value Then
            gongji
        End If
    End If
End Sub
The second Timer's code; its Interval is also 100.
Private Sub Timer2_Timer()
    ' Declare ID and Gamehwnd1
    Dim ID As Long, Gamehwnd1 As Long
    ' Find the MapleStory window by its title and store the window handle in Gamehwnd1
    Gamehwnd1 = FindWindow(vbNullString, "Maplestory")
    ' Get the ID of the process that owns that window (ID stays 0 if no window was found)
    GetWindowThreadProcessId Gamehwnd1, ID
    ' Open the process with full access. This runs every 100 ms and the previously
    ' opened handle is never closed here, so handles leak until wudi or gongji
    ' calls CloseHandle on the most recent one.
    hProces1 = OpenProcess(PROCESS_ALL_ACCESS, False, ID)
    ' Another If: hProces1 = 0 means we have no handle to MapleStory (the game is not
    ' running, or OpenProcess was denied); otherwise the game is loaded.
    If (hProces1 = 0) Then
        ' Report "game not started" in Label1 and disable Timer1
        Label1.Caption = "Game not started"
        ' Timer1.Enabled was already set to False at design time, so this line is optional
        Timer1.Enabled = False
    Else
        ' Report "game started" in Label1 and enable Timer1
        Label1.Caption = "Game started"
        Timer1.Enabled = True
    End If
End Sub
Module code:
' FindWindow: finds a top-level window by class name and/or window title
Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
' GetWindowThreadProcessId: returns the ID of the process (and thread) that owns a window
Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
' OpenProcess: opens a handle to a process with the requested access rights
Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
' WriteProcessMemory: writes into another process's memory
Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
' ReadProcessMemory: reads another process's memory (declared here but not used by the code shown)
Public Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesRead As Long) As Long
' CloseHandle: closes the process handle (it does not terminate the process)
Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
' GetAsyncKeyState: reports whether a virtual key is currently down
Public Declare Function GetAsyncKeyState Lib "user32" (ByVal vkey As Long) As Integer
' Access mask passed to OpenProcess (standard Win32 value; the constant is not shown in the original post)
Public Const PROCESS_ALL_ACCESS = &H1F0FFF
' Global process handle
Public hProces1 As Long
' MyHotKey is called from Timer1 but its body is not in the original post; this is
' the usual GetAsyncKeyState wrapper: the high bit of the result is set while the key is down
Public Function MyHotKey(ByVal vkey As Long) As Boolean
    MyHotKey = (GetAsyncKeyState(vkey) And &H8000) <> 0
End Function
The wudi (invincibility) routine:
Public Sub wudi()
    ' Test whether we hold a handle to MapleStory
    If (hProces1 = 0) Then
        ' Writes F2 6B 00 07 to 585D55..585D58. Is this branch useful? No: hProces1 is 0
        ' here, so every WriteProcessMemory call fails with an invalid handle and
        ' nothing is written. Note also that each call passes a one-byte size and a
        ' VB Integer literal as the buffer; only its low byte is copied.
        WriteProcessMemory hProces1, ByVal &H585D55, &HF2, 1, 0&
        WriteProcessMemory hProces1, ByVal &H585D56, &H6B, 1, 0&
        WriteProcessMemory hProces1, ByVal &H585D57, &H0, 1, 0&
        WriteProcessMemory hProces1, ByVal &H585D58, &H7, 1, 0&
    Else
        ' Writes E9 1F 06 00 to 585D55..585D58. This is the patch that produces
        ' invincibility: E9 is an x86 near jmp rel32, so the client's code at 585D55
        ' is redirected. Only four of the jmp's five bytes are written, so the top
        ' byte of the displacement stays whatever the client already had at 585D59.
        WriteProcessMemory hProces1, ByVal &H585D55, &HE9, 1, 0&
        WriteProcessMemory hProces1, ByVal &H585D56, &H1F, 1, 0&
        WriteProcessMemory hProces1, ByVal &H585D57, &H6, 1, 0&
        WriteProcessMemory hProces1, ByVal &H585D58, &H0, 1, 0&
    End If
    ' Close the process handle (the next Timer2 tick opens a fresh one)
    CloseHandle hProces1
End Sub
The gongji (attack) routine follows the same pattern. Note that the first branch writes to 574FA0 three times and the second writes to it twice; only the last write to an address is what remains, and, as in wudi, the hProces1 = 0 branch never writes anything. Both addresses, like 585D55 above and the window title "Maplestory", belong to one particular client build; on any other build the same writes land in unrelated code.
Public Sub gongji()
    If (hProces1 = 0) Then
        WriteProcessMemory hProces1, ByVal &H574F9B, &H14, 1, 0&
        WriteProcessMemory hProces1, ByVal &H574FA0, &H13, 1, 0&
        WriteProcessMemory hProces1, ByVal &H574FA0, &H0, 1, 0&
        WriteProcessMemory hProces1, ByVal &H574FA0, &H1, 1, 0&
    Else
        WriteProcessMemory hProces1, ByVal &H574F9B, &H1C, 1, 0&
        WriteProcessMemory hProces1, ByVal &H574F9F, &H4, 1, 0&
        WriteProcessMemory hProces1, ByVal &H574FA0, &H0, 1, 0&
        WriteProcessMemory hProces1, ByVal &H574FA0, &H0, 1, 0&
    End If
    CloseHandle hProces1
End Sub
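The wudi and gongji routines above write hard-coded bytes to hard-coded addresses with no check that the expected code is actually there and no way to undo the change. The following is an added example, not code from the original post or from the cheat's author: it models the same byte patching over an in-memory image (a bytearray standing in for the client's address space) and adds the two checks a practitioner wants, verifying the bytes about to be overwritten and saving the originals for restore, plus a decoder that shows where the E9 jmp written by wudi actually lands. The sample image, the assumption that F2 6B 00 07 are the pre-patch bytes at 585D55 (the bytes the post's first branch writes), and the zero byte at 585D59 are all constructed for the example. Swapping ImageMemory for a class that wraps ReadProcessMemory/WriteProcessMemory is the only change needed to run it against a live process.

```python
# Added example: verified, reversible byte patching over a fake address space.
import struct
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


class ImageMemory:
    """A bytearray standing in for a process address space, mapped at `base`."""

    def __init__(self, base: int, image: bytes) -> None:
        self.base = base
        self.buf = bytearray(image)

    def _offset(self, address: int, size: int) -> int:
        off = address - self.base
        if off < 0 or off + size > len(self.buf):
            raise ValueError(f"access outside image: {address:#x}+{size}")
        return off

    def read(self, address: int, size: int) -> bytes:
        off = self._offset(address, size)
        return bytes(self.buf[off:off + size])

    def write(self, address: int, data: bytes) -> None:
        off = self._offset(address, len(data))
        self.buf[off:off + len(data)] = data


@dataclass(frozen=True)
class Patch:
    address: int
    expected: bytes      # bytes that must be present before we touch anything
    replacement: bytes

    def __post_init__(self) -> None:
        if len(self.expected) != len(self.replacement):
            raise ValueError("expected and replacement must have equal length")


def verify_patches(mem: ImageMemory, patches: Sequence[Patch]) -> List[str]:
    """Dry run: describe every patch whose expected bytes are not in place."""
    problems = []
    for p in patches:
        current = mem.read(p.address, len(p.expected))
        if current != p.expected:
            problems.append(f"{p.address:#x}: found {current.hex()}, expected {p.expected.hex()}")
    return problems


def apply_patches(mem: ImageMemory, patches: Sequence[Patch]) -> Dict[int, bytes]:
    """Verify all patches, then write them. Returns {address: original bytes}.

    Nothing is written if any check fails, so a patch set built for one client
    build cannot corrupt code in a different build.
    """
    problems = verify_patches(mem, patches)
    if problems:
        raise RuntimeError("refusing to patch: " + "; ".join(problems))
    originals = {p.address: mem.read(p.address, len(p.expected)) for p in patches}
    for p in patches:
        mem.write(p.address, p.replacement)
    return originals


def restore(mem: ImageMemory, originals: Dict[int, bytes]) -> None:
    """Undo apply_patches by writing the saved bytes back."""
    for address, data in originals.items():
        mem.write(address, data)


def decode_jmp_rel32(mem: ImageMemory, address: int) -> int:
    """Return the target of an E9 rel32 near jump located at `address`."""
    code = mem.read(address, 5)
    if code[0] != 0xE9:
        raise ValueError(f"no jmp rel32 at {address:#x}: {code.hex()}")
    (rel,) = struct.unpack("<i", code[1:5])   # signed 32-bit displacement
    return address + 5 + rel                  # relative to the next instruction


# Constructed sample image (not the real client): 16 bytes mapped at 0x585D50,
# with the assumed pre-patch bytes F2 6B 00 07 at 0x585D55 and 00 at 0x585D59.
WUDI_ADDR = 0x585D55
SAMPLE_IMAGE = bytes.fromhex("90 90 90 90 90 F2 6B 00 07 00 90 90 90 90 90 90")

# The post writes E9 1F 06 00 one byte at a time; modelled here as a single patch.
# It is four bytes of a five-byte jmp, so the top byte of the displacement is
# whatever already sits at 0x585D59 (zero in the constructed image).
WUDI_PATCH = [Patch(WUDI_ADDR, bytes.fromhex("F26B0007"), bytes.fromhex("E91F0600"))]


def demo() -> Tuple[int, bytes, bytes]:
    """Apply the patch, decode where the jmp lands, restore, and report each step."""
    mem = ImageMemory(0x585D50, SAMPLE_IMAGE)
    saved = apply_patches(mem, WUDI_PATCH)
    target = decode_jmp_rel32(mem, WUDI_ADDR)
    patched = mem.read(WUDI_ADDR, 5)
    restore(mem, saved)
    return target, patched, mem.read(WUDI_ADDR, 5)


if __name__ == "__main__":
    t, patched, after = demo()
    print(f"patched {patched.hex()} -> jmp to {t:#x}; restored {after.hex()}")
```

Run against an image whose bytes do not match (a different client build, or a patch already applied), verify_patches reports the mismatch and apply_patches refuses to write, which is exactly the check the VB6 code's unconditional WriteProcessMemory calls lack.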
This post shows how the MapleStory invincibility cheat works: two timers and two check boxes drive it, Win32 API calls locate and open the game process, and WriteProcessMemory patches specific addresses in the client to produce the invincible state. The cheat is armed by polling the F11 and F12 keys and writes fixed byte values to fixed addresses, so it only works on the one client build those addresses were taken from.