原创从来没人公开的秘密D3DHOOK的捷径

【原创】从来没人公开的秘密D3DHOOK的捷径

看雪安全论坛>Windows>『编程技术』>【原创】从来没人公开的秘密-----D3DHOOK的捷径


chengqiyan 2014-06-28, 22:46:23

D3D HOOK,Google、百度上一搜一大把,要么是劫持的,要么是硬编码的。我介绍一种通吃各个系统、各个DX版本的方法。分为EXE和DLL两部分:DLL采用驱动注入,然后内存重载DLL并且抹PE标志。

EXE通过FileMap与游戏内存中的DLL通信,主要是通信一些D3D偏移。部分代码是内存的,所以只发关键部分。 :confused:

表达有限,看不懂勿喷。

EXE层:

cpp

#ifndef_FINDDNF_H

#include

#include//#include"Find.h"

//#include"MyOcr.h"

//#include"GobalStruct.h"//MOMO命令目标

#include  // header name lost when the page was extracted

// Text buffer plus flag for an IME string hand-off; embedded in DATA_TO_DX
// as myImeMessage.
// NOTE(review): the field roles below are read from the names - confirm.
typedef struct _ImeMessage
{
    bool IsSendIme;        // presumably "a string is waiting to be sent"
    char SendStr[102400];  // fixed 102400-byte buffer; writers must bound their copies to it
    LONG SendImeLenth;     // presumably the number of valid bytes in SendStr
} MyImeStr, *PMyImeStr;

// Request/response record for an image search. DATA_TO_DX holds two of these
// (findPicdx_struct and findPicdx_xy_struct).
// NOTE(review): the roles below are inferred from the field names - confirm.
typedef struct _FindPicdx
{
    char FindPicDx_Path[1024];  // fixed 1024-byte path buffer
    int FindPic_simmin;         // presumably the lower similarity bound
    int FindPic_simmax;         // presumably the upper similarity bound
    int FindPic_x1;             // x1/x2/y1/y2: presumably the search rectangle
    int FindPic_x2;
    int FindPic_y1;
    int FindPic_y2;
    int FindPic_RetX;           // Ret*: presumably written by the side that performs the search
    int FindPic_RetY;
    int FindPic_Retsim;
} FindPicdx, *PFindPicdx;

// Keyboard hand-off record (DATA_TO_DX::DxKeyTogame).
typedef struct _SendKey
{
    int HasDownKey;
    bool IsSendKey;
    BYTE SendGameDxKeyDate[0xed];  // 0xED (237) bytes
} SendKey, *PSendKey;

// Mouse hand-off record (DATA_TO_DX::DxMouseTogame).
typedef struct _SendMouse
{
    bool IsSendMouse;
    int x;
    int y;
} SendMouse, *PSendMouse;

// Two on/off switches carried in DATA_TO_DX::SuperKuozan.
// NOTE(review): the names suggest they toggle hooks on window / cursor
// queries; the code that consumes them is not part of this listing.
typedef struct _KuoZan
{
    bool IsHookGetSelfWindow;
    bool IsHookGetCurSor;
} Kuozan, *Pkuozan;

// Paths of two dictionary files plus a "loaded" flag (DATA_TO_DX::mydic).
typedef struct _MyDic
{
    char Dic1Path[256];  // fixed 256-byte path buffer
    char Dic2Path[256];  // fixed 256-byte path buffer
    bool IsloadOk;
} MyDic, *PMyDic;

// Request to show one dictionary entry (DATA_TO_DX::myshowdic).
typedef struct _MyShowDic
{
    char Strname[256];
    int DicIndex;
    bool IsshowDic;
} MyShowDic, *PMyShowDic;

/*

BSTRMOMO:

:

FindStrII(

LONGIndex,

LONGDicIndex

LONGX1,

LONGY1,

LONGX2,LONGY2,

LPCTSTRStrName,

LPCTSTRColorStr,

VARIANT*FindCout)

*/

// Request/response record for a text search (DATA_TO_DX::myDxStr). The field
// set mirrors the commented-out FindStrII signature that precedes it.
typedef struct _MyFindDxStr
{
    int DicIndex;
    int X1;
    int Y1;
    int X2;
    int Y2;
    char StrnameS[256];
    char Colors[256];
    int RetFindHows;    // returned data: how many characters were found
    char RetStr[1024];
    bool IsFindOk;
} MyFindDxStr, *PMyFindDxStr;

// A coordinate pair with a flag (DATA_TO_DX::TestXY).
typedef struct _Test_XY
{
    int X;
    int Y;
    bool IsOk;
} TESTXY, *PTESTXY;

// Three-component coordinate carried in DATA_TO_DX::RENWU_XY.
// NOTE(review): "RENWU" is pinyin; presumably a character or quest
// destination - confirm against the consumer.
typedef struct _RENWU_GOTO_XY
{
    int X;
    int Y;
    int Z;
} RENWU_GOTO_XY, *PRENWU_GOTO_XY;

// One inventory entry.
// NOTE(review): the names are pinyin; the readings in parentheses are
// presumed, not confirmed by any code in this listing.
typedef struct _Wupinsub
{
    WCHAR Name[50];
    int ShuLiang;             // (quantity)
    WCHAR LeiXingName1[50];   // (type name)
    int Lv;
    int ZhongLiang;           // (weight)
    WCHAR ZhongLeiName[50];   // author's note: for "magic sealed" the string here is "1"; not enabled, crashes
    int NaiJiu;               // current durability
} Wupinsub, *PWupinsub;

// The full inventory as fixed-size arrays of Wupinsub, one array per tab.
typedef struct _WupinAll
{
    Wupinsub JinBi_FuHuo[3];
    Wupinsub KuaiJieLan[6];
    Wupinsub ZhuangBeiLan[56];
    Wupinsub XiaoHaoLan[56];
    Wupinsub CaiLiaoLan[56];
    Wupinsub RenWuLan[48];
} WupinAll, *PWupinAll;

// Six-slot storage snapshot (DATA_TO_DX::GameCanuku).
typedef struct _SmallCangku
{
    Wupinsub Cangku[6];
} SmallCangku, *PSmallCangku;

// Currently equipped items, one Wupinsub per slot (DATA_TO_DX::curzb).
// NOTE(review): slot names are pinyin; their meaning is not established by
// this listing.
typedef struct _CurZhuangBei
{
    Wupinsub Wuqi;
    Wupinsub ShangYi;
    Wupinsub HuJian;
    Wupinsub XiaZhuang;
    Wupinsub XieZi;
    Wupinsub YaoDai;
    Wupinsub HuWan;
    Wupinsub JieZhi;
    Wupinsub XiangLian;
} CurZhuangBei, *PCurZhuangBei;

// Level, name and a few counters (DATA_TO_DX::Name_Lv).
typedef struct _GetLv_Name_Info
{
    int Level;
    WCHAR Name[200];
    int Pilao;
    int CurFuzhong;
    int MaxFuzhong;
} GetLv_Name_Info;

// X/Y pair (DATA_TO_DX::Guai_add_xy).
typedef struct _XiGuai_GOTO_XY
{
    int X;
    int Y;
} XiGuai_GOTO_XY, *PXiGuai_GOTO_XY;

// Two integers labelled BIG and SMALL (DATA_TO_DX::sss).
typedef struct _3S
{
    int BIG;
    int SMALL;
} SSS3, *P3S;

// Wide-string value with a request flag (DATA_TO_DX::zhiye).
typedef struct _ZhiYe
{
    BOOL IsGetZhiYe;
    WCHAR Zhiye[256];
} ZhiYe, *PZhiYe;

// Control block exchanged between the controlling EXE and the module that,
// per the accompanying post, runs inside the game process.
// MyMOMO::SendTo_Game flushes sizeof(DATA_TO_DX) bytes of a mapped view, so
// this layout is effectively the wire format between the two sides.
//
// NOTE(review):
//  - There is no size or version field. Both sides have to be built with the
//    same packing and pointer width (the HWND members are pointer-sized), and
//    bool and BOOL are mixed, so padding is part of the contract.
//  - Every string is a fixed-size char array; each writer must bound its copy.
//  - ASM_CODE / Asm_code_len carry raw bytes through the shared block. How the
//    reader uses them is not shown in this listing; any reader must at least
//    check Asm_code_len against sizeof ASM_CODE.
//  - For analysis: a shared block that combines API offset fields with a raw
//    byte buffer is what sets this apart from an ordinary IPC structure.
typedef struct _DATA_TO_DX
{
    int Bind_moshi;
    int Bind_moshi_KEY;
    bool NeedWait;
    bool iscpu;
    int cpu_sleepTime;
    bool IsScreen;
    char ScreenPath[1024];
    HWND thisWindow;
    HWND MYWINDOWS;
    bool IsFindPic_QuanPing;
    char FindPci_Path[1024];
    bool Begin_CF;

    DWORD D3D_44;  // SetTransform offset
    DWORD D3D_17;  // Present offset
    DWORD D3D_81;
    DWORD D3D_82;  // DrawIndexedPrimitive offset
    DWORD D3D_65;  // DrawIndexedPrimitive offset
                   // NOTE(review): same comment as D3D_82 in the original - confirm which method this is

    bool Is_Bind2_ok;
    bool Is_Bind1_ok;
    bool Is_Bind_KEY1_ok;
    bool IsScreenXY;
    int x1;
    int x2;
    int y1;
    int y2;

    bool IS_FindPicDX;
    FindPicdx findPicdx_struct;
    bool IS_FindPicDX_XY;
    FindPicdx findPicdx_xy_struct;

    MyImeStr myImeMessage;
    HWND ImeHwnd;

    DWORD D3DKEY_9;
    DWORD D3DKEY_10;
    DWORD Unacquire_8;
    DWORD SetCooperativeLevel_13;

    SendKey DxKeyTogame;
    SendMouse DxMouseTogame;
    Kuozan SuperKuozan;
    POINT MOUSE_MOVE_WINDOWS;

    MyDic mydic;
    MyShowDic myshowdic;
    MyFindDxStr myDxStr;

    BYTE ASM_CODE[1024];
    int Asm_code_len;

    TESTXY TestXY;
    int GuaiwuShuliang;
    int WUPUN_WULIANG;
    BOOL ISXIGUAI;
    BOOL ISXIWU;
    RENWU_GOTO_XY RENWU_XY;
    WupinAll GameBeiBao;
    GetLv_Name_Info Name_Lv;
    bool IsChuShou;
    CurZhuangBei curzb;
    bool IsXiuli;
    bool Isadd_Liliang;
    int liliang;
    bool IsRetTili;
    int Rettili;
    int Tili;
    int Lv;
    bool IsGetName_Lv_Pilao;
    bool IsGetJinbi;
    int jinbi;
    BOOL IsGetBeibao;
    BOOL IsGetCurZhuangBei;
    BOOL IsEndXiuLiMaiWu;
    BOOL IsBeginXiuliMaiWu;
    int XiuliMaiwuWat;
    BOOL IsGetGuaiwuShuliang;
    BOOL IsGetWupinShuLiang;
    BOOL IsShunyibefor;
    BOOL IsShunyi;
    int Shunyi_Fangxiang;
    BOOL IsSetXiGuaiFangXiang;
    int XiGuaiFangXiang;
    BOOL Is3S;
    XiGuai_GOTO_XY Guai_add_xy;
    BOOL ISGETFANGXIANG;
    int RetGetFangXiang;
    bool IsSet3s;
    SSS3 sss;
    bool IsAddDuli;
    int Duli_Value;
    bool IsAddJingShen;
    int JingShen_Value;
    bool IsAddZL;
    int ZL_Value;
    bool IsRuoGuai;
    bool IsTest;
    bool IsSY;
    DWORD sdjz;
    DWORD fx;
    DWORD CallBase;
    BOOL Is_GetCangku;
    SmallCangku GameCanuku;
    int PrintTest;
    BOOL ISGOTOXY;
    int XIGUAI_TYPE;  // pull type: 1 = line up, 2 = move to the monster
    ZhiYe zhiye;
} DATA_TO_DX, *PDATA_TO_DX;

// EXE-side state for one bound target: the file-mapping handle, the mapped
// view, and a local DATA_TO_DX holding the initial values.
class MyMOMO
{
public:
    MyMOMO();
    ~MyMOMO();

    HANDLE File_Maping_HANDLE;
    PDATA_TO_DX data;      // after binding, control data is updated through this pointer
    DATA_TO_DX NewData;    // holds the initial values; must be an object, not a pointer
    LPVOID FileMapDATA;
    HWND Thehwnd;
    DWORD Processid;
    char FileName[1024];
    bool IsBind;

    LONG BindWindow(HWND hwnd, LONG BIND_MOSHI, LONG BIND_MOSHI_KEYBORD);
    void SendTo_Game(DATA_TO_DX* data);

    //MyFind myfind;
    //MyOcr myocr[2];
    //KeyArrayMap Keymap;

    void GetWuPinArray();
    void GetCurZhungbeiArray();

protected:

private:

};

// Front-end class: owns a single MyMOMO slot and declares the dictionary,
// screenshot and text-search entry points.
// NOTE(review): Ready1 and FindStrOne_DNF_XY_YUZHIHUA are declared with an
// extra "MOMO::" qualification inside the class, as in the original; that is
// not standard C++ - confirm which compiler this was built with.
class MOMO
{
public:
    MOMO();
    //virtual ~MOMO();

    MyMOMO momo1[1];
    IplImage* imagelistWindow;
    ULONG_PTR Bind_shuliang;
    ULONG_PTR Bind_index;

    LONG MOMO::Ready1(LONG Index, LONG Hwnd, char* show, char* Key_Bord, char* HELP);

    // Because of DNF, the dictionary is loaded only in the foreground,
    // i.e. in this process.
    LONG LoadDic(LONG Index, char* DicPath, LONG DicIndex);

    // Renders the given dictionary text as an image.
    LONG ShowDic(LONG Index, LONG DicIndex, char* StrName);

    // DX foreground screenshot; HWND = 0.
    BOOL ScreenShot_DxForce(LPDIRECT3DDEVICE9 lpDevice, HWND hWnd, char* fileName);

    // Grabs the image in the DX foreground and returns that image's memory.
    IplImage* GetFroceDxPic_Dnf(LPDIRECT3DDEVICE9 lpDevice, HWND hWnd);

    LONG FindStrOne_DNF(LONG Index, char* StrName, char* RGB_STR,
                        int* RetX, int* RetY, LONG DicIndex);

    LONG FindStrOne_DNF_XY(LONG Index, char* StrName, byte R, byte G, byte B,
                           int X1, int Y1, int X2, int Y2,
                           int* RetX, int* RetY, LONG DicIndex,
                           CAtlString& SaveRet, int* FindCout);

    // OCR feature.
    LONG FindStr_DNF_XY_OCR(LONG Index, byte R, byte G, byte B,
                            int X1, int Y1, int X2, int Y2,
                            int* RetX, int* RetY, LONG DicIndex,
                            CAtlString& SaveRet, int* FindCout);

    LONG MOMO::FindStrOne_DNF_XY_YUZHIHUA(LONG Index, char* StrName, int Throw,
                                          int X1, int Y1, int X2, int Y2,
                                          int* RetX, int* RetY, LONG DicIndex,
                                          CAtlString& SaveRet, int* FindCout);

    //////////////////////////////////////////////////////////////////////////
};
//////////////////////////////////////////////////////////////////////////

/************************************************************************/

/*

用于DNF找图写的功能函数,通用

正在完善...

沫D

*/

/************************************************************************//************************************************************************/

/*

提供2张图片,第一张大,第二张小,然后载入内存查找。

可直接屏幕查找

参数1:

第一张图片的内存,

2:

第二图片内存

3:

返回找到的X

4:

返回找到的Y

返回值:

没找到返回0,找到返回1

测试连续查找3次耗时47毫秒

*/

/************************************************************************/

// Takes one screenshot using the system Print Screen key.
// SavePicPath: where the captured image is saved.
bool KeyDownPrint_Screen(char* SavePicPath);

#define _FINDDNF_H

#endif  // .H

#include"stdafx.h"

#include"FindDnf.h"

#include

//#include"Find.h"

//#include"MyMouseKey.h"

//#include"ImeInject.h"

#include

#include

#include

#defineDIRECTINPUT_VERSION0x0800//本来800改700

#include

//#include"OlsApi.h"

//#include"Cdmsoft1.h"

//#include"NTFUNCTION.h"

// Destructor: if a mapped view is still held in `data`, logs "unreset" to the
// debugger output and unmaps the view. Nothing else is released here.
// NOTE(review): File_Maping_HANDLE is not closed in this function - confirm
// that another path owns it.
MyMOMO::~MyMOMO()
{
    if (this->data == NULL)
        return;

    OutputDebugStringA("unreset");
    UnmapViewOfFile(this->data);
}

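// Constructor: puts the object into its unbound state.
//
// Every member is given a defined value. The original set only `data`,
// `IsBind` and a handful of NewData fields, leaving the mapping handle, the
// view pointer, the window handle, the process id, FileName and most of
// NewData indeterminate until BindWindow ran.
MyMOMO::MyMOMO()
{
    this->data = NULL;
    this->File_Maping_HANDLE = NULL;
    this->FileMapDATA = NULL;
    this->Thehwnd = NULL;
    this->Processid = 0;
    this->IsBind = FALSE;
    memset(this->FileName, 0, sizeof(this->FileName));

    // DATA_TO_DX is plain data, so one memset covers every flag, offset and
    // buffer the original cleared one by one (all of them to FALSE / 0).
    memset(&NewData, 0, sizeof(NewData));

    // Disabled in the original and left disabled:
    /*
    this->NewData.IS_FindPicDX_XY=FALSE;
    this->NewData.findPicdx_struct.FindPic_Retsim=-1;
    this->NewData.findPicdx_struct.FindPic_x1=-1;
    this->NewData.findPicdx_xy_struct.FindPic_simmax=-1;
    */
}

// Flushes the mapped view so the other side sees the current DATA_TO_DX.
//
// `data` is not read: the memcpy that used it is disabled in the original,
// and the class comments say the view is updated in place through
// MyMOMO::data. The parameter is kept for interface compatibility.
// Does nothing when no view is mapped.
void MyMOMO::SendTo_Game(DATA_TO_DX* data)
{
    /*memcpy(this->FileMapDATA,data,sizeof(DATA_TO_DX));*/
    (void)data;

    if (this->FileMapDATA == NULL)
        return;  // not bound yet: there is no view to flush

    FlushViewOfFile(this->FileMapDATA, sizeof(DATA_TO_DX));
}

// Returns entry `Index` of the table that the first word of *pthis points to
// (the original labels that word "lpvtable").
//
// NOTE(review): both loads and both stores go through int*, so only
// sizeof(int) bytes of each pointer are handled. The result is meaningful
// only where pointers are int-sized (a 32-bit build). FnAddress now starts
// out as NULL so the remaining bytes are at least defined elsewhere.
// No bounds check on Index is possible here; the caller must supply a valid
// slot number for the object's actual type.
LPVOID GetClassVirtualFnAddress(LPVOID pthis, int Index)  // Add 2010.8.6
{
    LPVOID FnAddress = NULL;

    *(int*)&FnAddress = *(int*)pthis;                      // lpvtable
    *(int*)&FnAddress = *(int*)((int*)FnAddress + Index);
    return FnAddress;
}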

LPDIRECT3D9 g_pD3D = NULL;              // Used to create the D3DDevice
LPDIRECT3DDEVICE9 g_pd3dDevice = NULL;  // Our rendering device

// Creates a Direct3D 9 object and a windowed HAL device on hWnd, storing both
// in the globals above. Returns S_OK on success and E_FAIL if either step
// fails (a message box is shown when CreateDevice fails).
//
// NOTE(review): when CreateDevice fails, g_pD3D keeps the interface obtained
// from Direct3DCreate9 and nothing visible here releases it - confirm that a
// cleanup path exists. How the created device is used afterwards is not shown;
// the listing breaks off right after this function.
HRESULT InitD3D1(HWND hWnd)
{
    // Create the D3D object.
    g_pD3D = Direct3DCreate9(D3D_SDK_VERSION);
    if (g_pD3D == NULL)
        return E_FAIL;

    // Set up the structure used to create the D3DDevice
    D3DPRESENT_PARAMETERS d3dpp;
    ZeroMemory(&d3dpp, sizeof(d3dpp));
    d3dpp.Windowed = TRUE;
    d3dpp.SwapEffect = D3DSWAPEFFECT_DISCARD;
    d3dpp.BackBufferFormat = D3DFMT_UNKNOWN;

    // Create the D3DDevice
    HRESULT hr = g_pD3D->CreateDevice(D3DADAPTER_DEFAULT, D3DDEVTYPE_HAL, hWnd,
                                      D3DCREATE_SOFTWARE_VERTEXPROCESSING,
                                      &d3dpp, &g_pd3dDevice);
    if (FAILED(hr))
    {
        AfxMessageBox("CreateDeviceerro");
        return E_FAIL;
    }

    return S_OK;
}

// The listing on the source page is cut off here, mid-token ("LPDIRE").
