XP自带扫雷辅助
功能:干掉时间,排出雷,秒杀
编写工具: C++Builder6 (Win10 x64)
辅助工具: CE & OD & Spy++
测试系统:Win10 x64 WinXP
时间有限,有不对的地方欢迎指出,感谢!
1 CE找到时间的地址
2 OD附加扫雷游戏进程
3 跳转到该地址,注意NOP 2处了时间才真的不动了
OD 可以 Ctrl+F 搜索 inc dword ptr ds:[0x100579C]
4 Spy++ 获取点击时候鼠标座标
源码下载地址:
https://download.youkuaiyun.com/download/weixin_44300440/10973761
效果如下图

头文件代码,包含自定义函数声明.
//---------------------------------------------------------------------------
#ifndef Unit1H
#define Unit1H
//---------------------------------------------------------------------------
#include <Classes.hpp>
#include <Controls.hpp>
#include <StdCtrls.hpp>
#include <Forms.hpp>
#include <TlHelp32.h>
#include <ComCtrls.hpp>
//---------------------------------------------------------------------------
class TForm1 : public TForm
{
__published: // IDE-managed Components
TButton *btn1; // "solve" button; handled by btn1Click
TLabel *lbl1; // shows mine count / width / height read from the game
TMemo *mmo1; // text dump of the mine field (0 = no mine, 1 = mine)
void __fastcall FormCreate(TObject *Sender);
void __fastcall btn1Click(TObject *Sender);
void __fastcall FormCloseQuery(TObject *Sender, bool &CanClose);
private: // User declarations
public: // User declarations
__fastcall TForm1(TComponent* Owner);
// User-defined helpers (implemented in the form unit)
// Overwrites the game's timer-increment instructions; returns true only
// when both memory writes succeed.
bool __fastcall KillTime(void);
// Returns the PID of the first running process whose image name equals
// PrcsName (case-insensitive), or 0 when none is found.
DWORD __fastcall GetPrcsIDbyName(LPCSTR PrcsName);
};
//---------------------------------------------------------------------------
extern PACKAGE TForm1 *Form1; // the single form instance, defined in the form unit
//---------------------------------------------------------------------------
#endif
窗口代码
//---------------------------------------------------------------------------
#include <vcl.h>
#pragma hdrstop
#include "Unit1.h"
//---------------------------------------------------------------------------
#pragma package(smart_init)
#pragma resource "*.dfm"
TForm1 *Form1;
DWORD PrcsID; // PID of winmine.exe, looked up in FormCreate
HANDLE hProcess; // handle opened on that process in FormCreate, closed in FormCloseQuery
HWND Gmhwnd; // top-level window of the game (FindWindowA in FormCreate)
//---------------------------------------------------------------------------
struct GmInfo // game parameters read out of the game's memory in btn1Click
{
short iWidth; // columns of the mine field
short iHeight; // rows of the mine field
short iNum; // number of mines
// NOTE(review): each field is 2 bytes, but btn1Click passes 4 as the read size
// for every field, so each read spills into the next one and past the struct.
}GmIf;
__fastcall TForm1::TForm1(TComponent* Owner)
: TForm(Owner)
{
// Intentionally empty: all initialisation is done in FormCreate.
}
//---------------------------------------------------------------------------
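// Locates the running game, opens a handle on it and freezes the timer.
// Terminates the application when the game is not running.
void __fastcall TForm1::FormCreate(TObject *Sender)
{
mmo1->Clear();
PrcsID=GetPrcsIDbyName("winmine.exe");// look up the game's PID by image name
if(PrcsID>0)
{
// This tool only reads and writes the game's memory; the narrower
// PROCESS_VM_READ|PROCESS_VM_WRITE|PROCESS_VM_OPERATION mask would be
// enough and sidesteps the XP PROCESS_ALL_ACCESS value issue noted below.
hProcess=OpenProcess(PROCESS_ALL_ACCESS,false,PrcsID);// open a handle on the game
}
// hProcess is a global HANDLE (zero-initialised), so it is NULL when the
// process was not found or OpenProcess failed. Compare against NULL
// instead of "<= 0": HANDLE is a pointer type.
if(hProcess==NULL)
{
ShowMessage("请先运行游戏...");
Application->Terminate();
// Terminate() requests shutdown but does not unwind this handler;
// return here so KillTime() is never called with a NULL handle.
return;
}
if(KillTime())// freeze the game timer
{
Gmhwnd=FindWindowA("扫雷","扫雷");// top-level window of the game
}
}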
//---------------------------------------------------------------------------
//废除时间
// Writes six NOP bytes (0x90) over each of the two 6-byte
// "inc dword ptr ds:[0x100579C]" instructions that advance the timer
// (see the listing comment at the end). Returns true only if both
// WriteProcessMemory calls succeed.
bool __fastcall TForm1::KillTime()
{
static const byte kNop[6]={0x90,0x90,0x90,0x90,0x90,0x90};
const bool firstOk=WriteProcessMemory(hProcess,(LPVOID)0x01002FF5,kNop,6,0)!=0;
if(!firstOk)
{return False;}
const bool secondOk=WriteProcessMemory(hProcess,(LPVOID)0x01003830,kNop,6,0)!=0;
return secondOk;
// 01003830 01002FF5 FF05 9C570001 inc dword ptr ds:[0x100579C]
}
//进程名取ID
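// Walks a Toolhelp process snapshot and returns the PID of the first entry
// whose image name equals PrcsName (case-insensitive). Returns 0 when the
// snapshot cannot be taken or no process matches. If several processes
// share the name, the first one enumerated wins.
DWORD __fastcall TForm1::GetPrcsIDbyName(LPCSTR PrcsName)
{
PROCESSENTRY32 PE32;
ZeroMemory(&PE32,sizeof(PE32));
PE32.dwSize=sizeof(PE32);
HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0);
if (hSnapShot == INVALID_HANDLE_VALUE)
{return 0;}
DWORD pid = 0;
// Single exit path after this point so the snapshot handle is always
// released; the original returned early (and leaked it) when
// Process32First failed.
if (Process32First(hSnapShot,&PE32))
{
do
{
if (lstrcmpi(PE32.szExeFile,PrcsName) == 0)
{
pid = PE32.th32ProcessID;
break;
}
} while (Process32Next(hSnapShot,&PE32));
}
CloseHandle(hSnapShot);
return pid;
}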
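// Reads the field dimensions and the mine grid out of the game, dumps the
// grid into mmo1 (0 = safe, 1 = mine) and left-clicks every safe cell.
// The game stores one row as 32 bytes (seen with CE), hence 32-wide rows.
void __fastcall TForm1::btn1Click(TObject *Sender)
{
byte bMines[24][32];
ZeroMemory(bMines,sizeof(bMines));// a failed read must not leave the grid uninitialised
mmo1->Clear();// clear the memo before dumping the grid
// The three values sit in 4-byte slots (addresses 4 apart). Read each into
// a DWORD and narrow afterwards: the original read 4 bytes straight into
// each 2-byte field, clobbering the neighbouring field and writing 2 bytes
// past the end of GmIf.
DWORD dwNum=0, dwWidth=0, dwHeight=0;
if(!ReadProcessMemory(hProcess,(LPCVOID)0x01005330,&dwNum,sizeof(dwNum),0) ||
!ReadProcessMemory(hProcess,(LPCVOID)0x01005334,&dwWidth,sizeof(dwWidth),0) ||
!ReadProcessMemory(hProcess,(LPCVOID)0x01005338,&dwHeight,sizeof(dwHeight),0) ||
!ReadProcessMemory(hProcess,(LPCVOID)0x01005361,bMines,sizeof(bMines),0))
{
ShowMessage("读取游戏内存失败...");// the game may have exited or the handle is invalid
return;
}
GmIf.iNum=(short)dwNum;
GmIf.iWidth=(short)dwWidth;
GmIf.iHeight=(short)dwHeight;
lbl1->Caption = "雷数: "+IntToStr(GmIf.iNum)+" 宽度: "+IntToStr(GmIf.iWidth)+" 高度: "+IntToStr(GmIf.iHeight);
// Clamp to the local buffer so unexpected values can never index past bMines.
const int rows = GmIf.iHeight<0 ? 0 : (GmIf.iHeight>24 ? 24 : GmIf.iHeight);
const int cols = GmIf.iWidth<0 ? 0 : (GmIf.iWidth>32 ? 32 : GmIf.iWidth);
AnsiString dump;// built once, assigned to mmo1->Text at the end
for(int i=0;i<rows;i++)
{
for(int x=0;x<cols;x++)
{
if(bMines[i][x]!=0x8F)// 0x8F (143) marks a mine (found with CE)
{
dump += "0";// not a mine
// Click at the cell: x = 20 + 16*col, y = 62 + 16*row (offsets from Spy++).
const LPARAM pos = MAKELPARAM(20+16*x, 62+16*i);
SendMessageA(Gmhwnd,WM_LBUTTONDOWN,0,pos);// press
SendMessageA(Gmhwnd,WM_LBUTTONUP,0,pos);// release
}
else
{
dump += "1";// mine
}
}
dump += "\r\n";// next row
}
mmo1->Text = dump;// single assignment instead of re-assigning Text per cell
}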
//---------------------------------------------------------------------------
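// Releases the game process handle exactly once. The handler may run again
// if a close is later cancelled, so the global is reset after closing to
// avoid a second CloseHandle on a stale value.
void __fastcall TForm1::FormCloseQuery(TObject *Sender, bool &CanClose)
{
if(hProcess!=NULL)
{
CloseHandle(hProcess);// close the handle opened in FormCreate
hProcess=NULL;
}
}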
//---------------------------------------------------------------------------
注意:
用 C++Builder 2010 开发时，OpenProcess(PROCESS_ALL_ACCESS,false,PrcsID) 中的
PROCESS_ALL_ACCESS 需换成 2035711，否则在 XP 下会失败。
本文介绍了一款针对XP系统自带扫雷游戏的辅助工具,使用C++Builder6开发,功能包括停止游戏计时、自动排雷等。通过修改游戏内存地址,实现游戏时间冻结,并利用CE、OD和Spy++等工具定位关键数据位置。