KeyboArd's Blog
首页
时间轴
标签
分类
友链
关于
avatar
文章
34
标签
14
分类
8
首页
时间轴
标签
分类
友链
关于
目录
  1. 1. 搜索步骤
    1. 1.0.1. 1.进入观战模式按 X
    2. 1.0.2. 在按一次X就是关闭
  2. 1.1. 2.打开CE,开始搜索
  • 2. 代码编写
    1. 2.0.1. 1.导入库
    2. 2.0.2. 2.封装函数
    3. 2.0.3. 3.创建全局变量
    4. 2.0.4. 4.先进行读取操作测试
    5. 2.0.5. 5.发光代码编写
    6. 2.0.6. 6.效果
    7. 2.0.7. 7.完整代码
  • 3. 结尾
    1. 3.0.1. 借用一句看到很不错的话:
    • 使用Python读写游戏3(CSGO)
    |编程
    字数总计:1.5k|阅读时长: 7 分钟
    |阅读量:

    最近复习之余,复盘了一下之前搞的FPS热感透视,通过单机游戏实现成功。

    搜索步骤

    1.进入观战模式按 X

    开启后的效果,可以看到全部人都在发光,并且实现了透视效果

    在按一次X就是关闭

    这样子啥都看不到了

    2.打开CE,开始搜索

    步骤:

    发光搜1

    不发光搜0

    重复上述步骤,到最后就会剩下10几条,把它全部添加到代码表,从第一条开始查找访问

    就会看到有箭头所指的代码访问,选择这串代码,显示反汇编程序,观察汇编代码。

    python
    1
    2
    3
    4
    5
    6
    7
    mov [ecx+edx*8+24],bl 这条语句,若bl为1,则开启人物发光,为0则关闭,所以
    这里搜索ecx,可以找到指向ecx的指针,我这里就叫做发光基址吧。。
    edx是一个人物的类似ID的玩意儿,向上看,可以知道 lea edx,[esi*8+00000000]
    sub edx,esi
    而esi是在这里赋值的mov esi,[edi+0000a428] ,这个edi其实就是人物基址。
    👇
    发光地址 = 发光对象地址+[人物基址 + 0xa428]*0x38+0x24

    快捷键F5下断,接着点击箭头所指ECX,将其值复制。

    搜索框中,选择4字节,勾选十六进制,将ECX的值粘贴进去,点击搜索,会出来两个绿色的基址,就是静态基址,两个选其一,添加到基址表中

    dll + xxxx里 的xxx 这个就是发光基址

    开关找到了,接下来就是处理颜色

    颜色的ARGB分别是这4条代码:

    Code
    1
    2
    3
    4
    5
    6
    3EC7A0F7 - F3 0F11 44 C8 04      - movss [eax+ecx*8+04],xmm0
    3EC7A0FD - F3 0F10 45 D0         - movss xmm0,[ebp-30]
    3EC7A102 - F3 0F11 44 C8 08      - movss [eax+ecx*8+08],xmm0
    3EC7A108 - F3 0F10 45 D4         - movss xmm0,[ebp-2C]
    3EC7A10D - F3 0F11 44 C8 0C      - movss [eax+ecx*8+0C],xmm0
    3EC7A1D1 - F3 0F11 44 C8 10      - movss [eax+ecx*8+10],xmm0

    xmm0 是float 型

    代码编写

    1.导入库

    python
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    # -*- coding:utf-8 -*-
    """
    @author: 
    @file: ReadCs.py
    @time: 2020-05-12 21:07
    @desc: KeyboArd
    """
    import win32process#进程模块
    from win32con import PROCESS_ALL_ACCESS #Opencress 权限
    import win32api#调用系统模块
    import ctypes#C语言类型
    from win32gui import FindWindow#界面

    kernel32 = ctypes.windll.LoadLibrary("kernel32.dll")
    GetLastError = kernel32.GetLastError

    2.封装函数

    python
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    def _GetProcessId(className,windowName):
        hGameWindow = FindWindow(className, windowName)
        pid = win32process.GetWindowThreadProcessId(hGameWindow)[1]
        return pid

    def _GetPorcessHandle(pid):
        hGameHandle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
        return hGameHandle

    def _ReadMemeryInt(hGameHandle,_address,bufflength):
        addr = ctypes.c_ulong()
        ReadProcessInt = kernel32.ReadProcessMemory
        ReadProcessInt(int(hGameHandle), _address, ctypes.byref(addr), bufflength, None)
        return addr.value


    def WriteMemeryInt(hGameHandle, _address, Data):
        WriteProcessInt = kernel32.WriteProcessMemory
        WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_ulong(Data)), 4, None)
        return Data

    def WriteMemeryFloat(hGameHandle, _address,Data):
        WriteProcessInt = kernel32.WriteProcessMemory
        WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_float(Data)),4,None)
        return Data

    详情看前面几章

    使用Python读写游戏1

    使用Python读写游戏2

    3.创建全局变量

    python
    1
    2
    3
    4
    5
    6
    7
    moduleName = 0x3EF90000 //这是client_panorama.dll是一个动态地址,每次重上游戏或者重启都会变
    dwOwnObj = 0xD2FB94	//人物基址
    dwEntityList = 0x4D43AC4 //对象基址
    dwGlowObjectManager = 0x528B8A0 // 发光基址
    m_iGlowIndex = 0xA428 // 发光首部
    m_iTeamNum = 0xF4 //阵营偏移
    m_Hp = 0x100 //血量偏移

    4.先进行读取操作测试

    python
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    def _ReadHp(hGameHandle, baseAddr):
        Hp = _ReadMemeryInt(hGameHandle, baseAddr + m_Hp, 4)
        return Hp
    def _ReadTemp(hGameHandle, baseAddr):
        Temp =  _ReadMemeryInt(hGameHandle, baseAddr + m_iTeamNum, 4)
        return Temp  

    def main():
        ProcessId = _GetProcessId("Valve001", u"****")

        _hGameHandle = _GetPorcessHandle(ProcessId)
        Addr = _ReadMemeryInt(_hGameHandle, moduleName+dwOwnObj, 4)
        Hp = _ReadHp(_hGameHandle,Addr)
        print(Hp)

    5.发光代码编写

    首先了解下结构体

    这是一个关于敌人信息,包含 他的坐标 x y z 信息, id,血量,阵营,姓名等。

    c++
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    struct Entity
    {
            PVOID entityObj;
        	float x;
        	float y;
        	float z;
            int id;
    		int Hp;
        	int Temp;
        	char name[10];
    };

    那么用Python来定义一个结构体,因为Python 好像没有 struct ,所以用类class来代替也可以

    python
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    class Own:
        pass
    own = Own()
    own.Addr = _ReadMemeryInt(hGameHandle, moduleName+dwOwnObj, 4)
    own.Hp = _ReadHp(hGameHandle, own.Addr)
    own.Temp = _ReadTemp(hGameHandle, own.Addr)

    class Entity:
        pass
    Ent = Entity()
    Ent.Addr = _ReadMemeryInt(hGameHandle, moduleName + dwEntityList+i*16, 4)
    Ent.Hp = _ReadHp(hGameHandle, Ent.Addr)
    Ent.Temp = _ReadTemp(hGameHandle, Ent.Addr)

    发光地址 = 发光对象地址+[人物基址 + 0xa428]*0x38+0x24

    python
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    def _dwGlowLight(hGameHandle):
       while True:
            GlowObjectManager = _ReadMemeryInt(hGameHandle, moduleName+dwGlowObjectManager, 4)
            own = Own()
            own.Addr = _ReadMemeryInt(hGameHandle, moduleName+dwOwnObj, 4)
            own.Hp = _ReadHp(hGameHandle, own.Addr)
            own.Temp = _ReadTemp(hGameHandle, own.Addr)
            # print("自己阵营:" + str(own.Temp))
            for i in range(32):
                Ent = Entity()
                Ent.Addr = _ReadMemeryInt(hGameHandle, moduleName + dwEntityList+i*16, 4)
                Ent.Hp = _ReadHp(hGameHandle, Ent.Addr)
                Ent.Temp = _ReadTemp(hGameHandle, Ent.Addr)
                glow = _ReadMemeryInt(hGameHandle, Ent.Addr+m_iGlowIndex, 4)
                if(own.Temp != Ent.Temp):
                    WriteMemeryFloat(hGameHandle, (GlowObjectManager+((glow * 0x38)+4)), 1)//颜色
                    WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 8)), 250)//颜色
                    WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 12)), 128)//颜色
                    WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 16)), 1)//颜色
                    WriteMemeryInt(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 36)), 1)//发光开关

    6.效果

    7.完整代码

    python
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    17
    18
    19
    20
    21
    22
    23
    24
    25
    26
    27
    28
    29
    30
    31
    32
    33
    34
    35
    36
    37
    38
    39
    40
    41
    42
    43
    44
    45
    46
    47
    48
    49
    50
    51
    52
    53
    54
    55
    56
    57
    58
    59
    60
    61
    62
    63
    64
    65
    66
    67
    68
    69
    70
    71
    72
    73
    74
    75
    76
    77
    78
    79
    80
    81
    82
    83
    84
    85
    86
    87
    88
    89
    90
    91
    92
    93
    94
    95
    96
    97
    98
    99
    100
    101
    102
    103
    # -*- coding:utf-8 -*-
    """
    @author: 
    @file: ReadCs.py
    @time: 2020-05-12 21:07
    @desc: KeyboArd
    """
    import win32process#进程模块
    from win32con import PROCESS_ALL_ACCESS, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION #Opencress 权限
    import win32api#调用系统模块
    import ctypes#C语言类型
    from win32gui import FindWindow#界面

    kernel32 = ctypes.windll.LoadLibrary("kernel32.dll")
    GetLastError = kernel32.GetLastError
    moduleName = 0x3EF90000
    dwOwnObj = 0xD2FB94
    dwEntityList = 0x4D43AC4
    dwGlowObjectManager = 0x528B8A0
    m_iGlowIndex = 0xA428
    m_iTeamNum = 0xF4
    m_Hp = 0x100


    def _GetProcessId(className,windowName):
        hGameWindow = FindWindow(className, windowName)
        pid = win32process.GetWindowThreadProcessId(hGameWindow)[1]
        return pid

    def _GetPorcessHandle(pid):
        hGameHandle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
        return hGameHandle

    def _ReadMemeryInt(hGameHandle,_address,bufflength):
        addr = ctypes.c_ulong()
        ReadProcessInt = kernel32.ReadProcessMemory
        ReadProcessInt(int(hGameHandle), _address, ctypes.byref(addr), bufflength, None)
        return addr.value

    def _ReadMemeryWchar(hGameHandle,_address,bufflength):
        addr = ctypes.c_wchar_p("0" * bufflength)
        ReadProcessInt = kernel32.ReadProcessMemory
        ReadProcessInt(int(hGameHandle), _address, addr, bufflength, None)
        return addr.value

    def WriteMemeryInt(hGameHandle, _address, Data):
        WriteProcessInt = kernel32.WriteProcessMemory
        WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_ulong(Data)), 4, None)
        return Data

    def WriteMemeryFloat(hGameHandle, _address,Data):
        WriteProcessInt = kernel32.WriteProcessMemory
        WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_float(Data)),4,None)
        return Data

    def _ReadHp(hGameHandle, baseAddr):
        Hp = _ReadMemeryInt(hGameHandle, baseAddr + m_Hp, 4)
        return Hp

    def _ReadTemp(hGameHandle, baseAddr):
        Temp =  _ReadMemeryInt(hGameHandle, baseAddr + m_iTeamNum, 4)
        return Temp

    class Own:
        pass

    class Entity:
        pass


    def _dwGlowLight(hGameHandle):
       while True:
            GlowObjectManager = _ReadMemeryInt(hGameHandle, moduleName+dwGlowObjectManager, 4)
            own = Own()
            own.Addr = _ReadMemeryInt(hGameHandle, moduleName+dwOwnObj, 4)
            own.Hp = _ReadHp(hGameHandle, own.Addr)
            own.Temp = _ReadTemp(hGameHandle, own.Addr)
            # print("自己阵营:" + str(own.Temp))
            for i in range(32):
                Ent = Entity()
                Ent.Addr = _ReadMemeryInt(hGameHandle, moduleName + dwEntityList+i*16, 4)
                Ent.Hp = _ReadHp(hGameHandle, Ent.Addr)
                Ent.Temp = _ReadTemp(hGameHandle, Ent.Addr)
                glow = _ReadMemeryInt(hGameHandle, Ent.Addr+m_iGlowIndex, 4)
                if(own.Temp != Ent.Temp):
                    WriteMemeryFloat(hGameHandle, (GlowObjectManager+((glow * 0x38)+4)), 1)
                    WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 8)), 250)
                    WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 12)), 128)
                    WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 16)), 1)
                    WriteMemeryInt(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 36)), 1)



    def main():
        ProcessId = _GetProcessId("Valve001", u"***")

        _hGameHandle = _GetPorcessHandle(ProcessId)

        _dwGlowLight(_hGameHandle)


    if __name__ == '__main__':
        main()

    结尾

    因为每次重启电脑后,模块名字的动态基址都会发生变化,过几天写个通过模块名称获取模块基址就可以完美避免这个问题了。

    目前就是因为32位游戏获取基址操作有点难度,告辞

    借用一句看到很不错的话:

    技术不分对错.人性才分善恶.

    学习逆向的人必须身心放正.

    身心放正之人手握屠龙刀,也是保家卫民.

    文章作者: KeyboArd
    文章链接: https://www.wrpzkb.cn/PythonFxcsgo/
    版权声明: 本博客所有文章除特别声明外,均采用 CC BY-NC-SA 4.0 许可协议。转载请注明来自 KeyboArd's Blog
    Python 游戏安全逆向
    打赏
    • 微信
      微信
    • 支付寶
      支付寶
    相关推荐
    2019-11-27
    使用Python读写游戏1(口xx游)
    2020-01-24
    使用Python读写游戏2(植物大战僵尸)
    2020-06-21
    使用Python读写游戏4(GTA)
    2019-12-15
    人脸识别+二维数组去重
    2019-11-26
    PythonTextstream
    2020-01-17
    Python 虚拟环境安装Scrapy框架
    评论