最近复习之余,复盘了一下之前搞的FPS热感透视,通过单机游戏实现成功。

搜索步骤

1.进入观战模式按 X

开启后的效果,可以看到全部人都在发光,并且实现了透视效果

在按一次X就是关闭

这样子啥都看不到了

2.打开CE,开始搜索

步骤:

发光搜1

不发光搜0

重复上述步骤,到最后就会剩下10几条,把它全部添加到代码表,从第一条开始查找访问

就会看到有箭头所指的代码访问,选择这串代码,显示反汇编程序,观察汇编代码。

1
2
3
4
5
6
7
mov [ecx+edx*8+24],bl 这条语句,若bl为1,则开启人物发光,为0则关闭,所以
这里搜索ecx,可以找到指向ecx的指针,我这里就叫做发光基址吧。。
edx是一个人物的类似ID的玩意儿,向上看,可以知道 lea edx,[esi*8+00000000]
sub edx,esi
而esi是在这里赋值的mov esi,[edi+0000a428] ,这个edi其实就是人物基址。
👇
发光地址 = 发光对象地址+[人物基址 + 0xa428]*0x38+0x24

快捷键F5下断,接着点击箭头所指ECX,将其值复制。

搜索框中,选择4字节,勾选十六进制,将ECX的值粘贴进去,点击搜索,会出来两个绿色的基址,就是静态基址,两个选其一,添加到基址表中

dll + xxxx里 的xxx 这个就是发光基址

开关找到了,接下来就是处理颜色

颜色的ARGB分别是这4条代码:

1
2
3
4
5
6
3EC7A0F7 - F3 0F11 44 C8 04      - movss [eax+ecx*8+04],xmm0
3EC7A0FD - F3 0F10 45 D0         - movss xmm0,[ebp-30]
3EC7A102 - F3 0F11 44 C8 08      - movss [eax+ecx*8+08],xmm0
3EC7A108 - F3 0F10 45 D4         - movss xmm0,[ebp-2C]
3EC7A10D - F3 0F11 44 C8 0C      - movss [eax+ecx*8+0C],xmm0
3EC7A1D1 - F3 0F11 44 C8 10      - movss [eax+ecx*8+10],xmm0

xmm0 是float 型

代码编写

1.导入库

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# -*- coding:utf-8 -*-
"""
@author: 
@file: ReadCs.py
@time: 2020-05-12 21:07
@desc: KeyboArd
"""
import win32process#进程模块
from win32con import PROCESS_ALL_ACCESS #Opencress 权限
import win32api#调用系统模块
import ctypes#C语言类型
from win32gui import FindWindow#界面

kernel32 = ctypes.windll.LoadLibrary("kernel32.dll")
GetLastError = kernel32.GetLastError

2.封装函数

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
def _GetProcessId(className,windowName):
    hGameWindow = FindWindow(className, windowName)
    pid = win32process.GetWindowThreadProcessId(hGameWindow)[1]
    return pid

def _GetPorcessHandle(pid):
    hGameHandle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    return hGameHandle

def _ReadMemeryInt(hGameHandle,_address,bufflength):
    addr = ctypes.c_ulong()
    ReadProcessInt = kernel32.ReadProcessMemory
    ReadProcessInt(int(hGameHandle), _address, ctypes.byref(addr), bufflength, None)
    return addr.value


def WriteMemeryInt(hGameHandle, _address, Data):
    WriteProcessInt = kernel32.WriteProcessMemory
    WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_ulong(Data)), 4, None)
    return Data

def WriteMemeryFloat(hGameHandle, _address,Data):
    WriteProcessInt = kernel32.WriteProcessMemory
    WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_float(Data)),4,None)
    return Data

详情看前面几章

使用Python读写游戏1

使用Python读写游戏2

3.创建全局变量

1
2
3
4
5
6
7
moduleName = 0x3EF90000 //这是client_panorama.dll是一个动态地址,每次重上游戏或者重启都会变
dwOwnObj = 0xD2FB94	//人物基址
dwEntityList = 0x4D43AC4 //对象基址
dwGlowObjectManager = 0x528B8A0 // 发光基址
m_iGlowIndex = 0xA428 // 发光首部
m_iTeamNum = 0xF4 //阵营偏移
m_Hp = 0x100 //血量偏移

4.先进行读取操作测试

1
2
3
4
5
6
7
8
9
10
11
12
13
14
def _ReadHp(hGameHandle, baseAddr):
    Hp = _ReadMemeryInt(hGameHandle, baseAddr + m_Hp, 4)
    return Hp
def _ReadTemp(hGameHandle, baseAddr):
    Temp =  _ReadMemeryInt(hGameHandle, baseAddr + m_iTeamNum, 4)
    return Temp  

def main():
    ProcessId = _GetProcessId("Valve001", u"****")

    _hGameHandle = _GetPorcessHandle(ProcessId)
    Addr = _ReadMemeryInt(_hGameHandle, moduleName+dwOwnObj, 4)
    Hp = _ReadHp(_hGameHandle,Addr)
    print(Hp)

5.发光代码编写

首先了解下结构体

这是一个关于敌人信息,包含 他的坐标 x y z 信息, id,血量,阵营,姓名等。

1
2
3
4
5
6
7
8
9
10
11
struct Entity
{
        PVOID entityObj;
    	float x;
    	float y;
    	float z;
        int id;
		int Hp;
    	int Temp;
    	char name[10];
};

那么用Python来定义一个结构体,因为Python 好像没有 struct ,所以用类class来代替也可以

1
2
3
4
5
6
7
8
9
10
11
12
13
class Own:
    pass
own = Own()
own.Addr = _ReadMemeryInt(hGameHandle, moduleName+dwOwnObj, 4)
own.Hp = _ReadHp(hGameHandle, own.Addr)
own.Temp = _ReadTemp(hGameHandle, own.Addr)

class Entity:
    pass
Ent = Entity()
Ent.Addr = _ReadMemeryInt(hGameHandle, moduleName + dwEntityList+i*16, 4)
Ent.Hp = _ReadHp(hGameHandle, Ent.Addr)
Ent.Temp = _ReadTemp(hGameHandle, Ent.Addr)

发光地址 = 发光对象地址+[人物基址 + 0xa428]*0x38+0x24

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
def _dwGlowLight(hGameHandle):
   while True:
        GlowObjectManager = _ReadMemeryInt(hGameHandle, moduleName+dwGlowObjectManager, 4)
        own = Own()
        own.Addr = _ReadMemeryInt(hGameHandle, moduleName+dwOwnObj, 4)
        own.Hp = _ReadHp(hGameHandle, own.Addr)
        own.Temp = _ReadTemp(hGameHandle, own.Addr)
        # print("自己阵营:" + str(own.Temp))
        for i in range(32):
            Ent = Entity()
            Ent.Addr = _ReadMemeryInt(hGameHandle, moduleName + dwEntityList+i*16, 4)
            Ent.Hp = _ReadHp(hGameHandle, Ent.Addr)
            Ent.Temp = _ReadTemp(hGameHandle, Ent.Addr)
            glow = _ReadMemeryInt(hGameHandle, Ent.Addr+m_iGlowIndex, 4)
            if(own.Temp != Ent.Temp):
                WriteMemeryFloat(hGameHandle, (GlowObjectManager+((glow * 0x38)+4)), 1)//颜色
                WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 8)), 250)//颜色
                WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 12)), 128)//颜色
                WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 16)), 1)//颜色
                WriteMemeryInt(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 36)), 1)//发光开关

6.效果

7.完整代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
# -*- coding:utf-8 -*-
"""
@author: 
@file: ReadCs.py
@time: 2020-05-12 21:07
@desc: KeyboArd
"""
import win32process#进程模块
from win32con import PROCESS_ALL_ACCESS, PROCESS_VM_READ, PROCESS_VM_WRITE, PROCESS_QUERY_INFORMATION #Opencress 权限
import win32api#调用系统模块
import ctypes#C语言类型
from win32gui import FindWindow#界面

kernel32 = ctypes.windll.LoadLibrary("kernel32.dll")
GetLastError = kernel32.GetLastError
moduleName = 0x3EF90000
dwOwnObj = 0xD2FB94
dwEntityList = 0x4D43AC4
dwGlowObjectManager = 0x528B8A0
m_iGlowIndex = 0xA428
m_iTeamNum = 0xF4
m_Hp = 0x100


def _GetProcessId(className,windowName):
    hGameWindow = FindWindow(className, windowName)
    pid = win32process.GetWindowThreadProcessId(hGameWindow)[1]
    return pid

def _GetPorcessHandle(pid):
    hGameHandle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    return hGameHandle

def _ReadMemeryInt(hGameHandle,_address,bufflength):
    addr = ctypes.c_ulong()
    ReadProcessInt = kernel32.ReadProcessMemory
    ReadProcessInt(int(hGameHandle), _address, ctypes.byref(addr), bufflength, None)
    return addr.value

def _ReadMemeryWchar(hGameHandle,_address,bufflength):
    addr = ctypes.c_wchar_p("0" * bufflength)
    ReadProcessInt = kernel32.ReadProcessMemory
    ReadProcessInt(int(hGameHandle), _address, addr, bufflength, None)
    return addr.value

def WriteMemeryInt(hGameHandle, _address, Data):
    WriteProcessInt = kernel32.WriteProcessMemory
    WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_ulong(Data)), 4, None)
    return Data

def WriteMemeryFloat(hGameHandle, _address,Data):
    WriteProcessInt = kernel32.WriteProcessMemory
    WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_float(Data)),4,None)
    return Data

def _ReadHp(hGameHandle, baseAddr):
    Hp = _ReadMemeryInt(hGameHandle, baseAddr + m_Hp, 4)
    return Hp

def _ReadTemp(hGameHandle, baseAddr):
    Temp =  _ReadMemeryInt(hGameHandle, baseAddr + m_iTeamNum, 4)
    return Temp

class Own:
    pass

class Entity:
    pass


def _dwGlowLight(hGameHandle):
   while True:
        GlowObjectManager = _ReadMemeryInt(hGameHandle, moduleName+dwGlowObjectManager, 4)
        own = Own()
        own.Addr = _ReadMemeryInt(hGameHandle, moduleName+dwOwnObj, 4)
        own.Hp = _ReadHp(hGameHandle, own.Addr)
        own.Temp = _ReadTemp(hGameHandle, own.Addr)
        # print("自己阵营:" + str(own.Temp))
        for i in range(32):
            Ent = Entity()
            Ent.Addr = _ReadMemeryInt(hGameHandle, moduleName + dwEntityList+i*16, 4)
            Ent.Hp = _ReadHp(hGameHandle, Ent.Addr)
            Ent.Temp = _ReadTemp(hGameHandle, Ent.Addr)
            glow = _ReadMemeryInt(hGameHandle, Ent.Addr+m_iGlowIndex, 4)
            if(own.Temp != Ent.Temp):
                WriteMemeryFloat(hGameHandle, (GlowObjectManager+((glow * 0x38)+4)), 1)
                WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 8)), 250)
                WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 12)), 128)
                WriteMemeryFloat(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 16)), 1)
                WriteMemeryInt(hGameHandle, (GlowObjectManager + ((glow * 0x38) + 36)), 1)



def main():
    ProcessId = _GetProcessId("Valve001", u"***")

    _hGameHandle = _GetPorcessHandle(ProcessId)

    _dwGlowLight(_hGameHandle)


if __name__ == '__main__':
    main()

结尾

因为每次重启电脑后,模块名字的动态基址都会发生变化,过几天写个通过模块名称获取模块基址就可以完美避免这个问题了。

目前就是因为32位游戏获取基址操作有点难度,告辞

借用一句看到很不错的话:

技术不分对错.人性才分善恶.

学习逆向的人必须身心放正.

身心放正之人手握屠龙刀,也是保家卫民.