[coding]适用所有随机事件(老虎机,金箱子,爆率)——申请加精
1.看到有人发ct了就忍不住出来ZB了,发程序太便宜伸手党,大佬轻喷。2.原理就是修改rand返回值,使随机数恒定,游戏是多随机数判定爆率,所以出现一直一个物品的情况。如果需要指定物品,请自行修改shellcode。
3.之前ct脚本崩溃解答: 游戏是64位程序,jmp后面只能跟32位偏移,当申请的内存相对于hook点的偏移超出32位范围时就会崩溃,应采用绝对跳转。
代码:
#include <iostream>
#include <Windows.h>
#include <TlHelp32.h>
#include <vector>
// Everything in this namespace patches code inside another process: it locates a byte signature in the
// target's loaded ucrtbase.dll, allocates an RWX page in the target (VirtualAllocEx) and overwrites the
// matched code with an absolute jump to a stub in that page (WriteProcessMemory). From a defensive
// standpoint those three calls - cross-process RWX allocation, a write into another process's mapped
// DLL image, and the trampoline itself - are exactly the primitives anti-cheat/EDR telemetry keys on.
// No error path is checked anywhere in this listing; every failure is silent.
namespace ChangeRand
{
// Bookkeeping for one patched process. Both byte* members are malloc'd in Init and never freed
// in this listing, and dlladdr is never released with VirtualFreeEx either.
typedef struct _Info
{
DWORD pid;          // target process id (th32ProcessID from the Toolhelp snapshot)
DWORD64 address;    // absolute address in the target where the 12-byte trampoline is written
byte* eable;        // 12-byte copy of the trampoline (template `eable` below, immediate filled in by Init)
byte* disable;      // 16 original bytes read back from the target before patching; used by Disable()
LPVOID dlladdr;     // address of the 20-byte RWX page allocated in the target; holds the 6-byte stub
}Info;
// Global list of every process patched by Init; walked by Eable/Disable/SetValue.
std::vector<Info> infolist;
// Search [begain, begain + size] in the target for the `parsize`-byte pattern `par` and append each hit
// to addrlist as an offset RELATIVE to `begain` (see the `- bbgain` below), not as an absolute address.
// Regions are walked with VirtualQueryEx; committed PAGE_READONLY regions are skipped.
// Weak points visible in this body, none of them handled:
//  - `readed` is SIZE_T, so `readed - parsize` wraps to a huge value when fewer than parsize bytes were
//    read, and the loop then reads past the end of `tmp` (`i` is also a signed int compared to that unsigned).
//  - ReadProcessMemory's return value is ignored; when it fails `readed` stays 0 and `begain += readed`
//    never advances, so the while loop does not terminate. Only MEM_COMMIT + PAGE_READONLY is skipped,
//    so a MEM_FREE/MEM_RESERVE region inside the window would trigger exactly that; in practice the
//    0x15000-byte window Init passes lies inside the mapped DLL image, which is presumably why it works.
//  - mbi.RegionSize is measured from mbi.BaseAddress, not from `begain`; after the +0x1000 skip `begain`
//    can sit inside a region and the malloc/read size no longer matches the remaining span.
//  - `tmp` is a raw malloc/free pair; a std::vector<byte> would make the cleanup automatic.
void inline findcodeaddr(HANDLE hprocess, DWORD64 begain, SIZE_T size, char* par, size_t parsize, std::vector<DWORD64>& addrlist)
{
MEMORY_BASIC_INFORMATION mbi;
DWORD64 bbgain = begain;            // remembered start so hits can be reported as offsets
DWORD64 endaddr = begain + size;
while (begain <= endaddr)
{
memset(&mbi, 0, sizeof(MEMORY_BASIC_INFORMATION));
if (VirtualQueryEx(hprocess, (LPCVOID)begain, &mbi, sizeof(MEMORY_BASIC_INFORMATION)) == 0)
{
begain += 0x1000;                   // query failed: step one page (presumably 4 KiB) and retry
continue;
}
if (mbi.State == MEM_COMMIT && (mbi.Protect & PAGE_READONLY))
{
begain += mbi.RegionSize;           // read-only data is not a candidate; skip the whole region
continue;
}
SIZE_T readed = 0;
byte* tmp = (byte*)malloc(mbi.RegionSize);
if (!tmp)
{
begain += mbi.RegionSize;
continue;
}
ReadProcessMemory(hprocess, (LPVOID)begain, tmp, mbi.RegionSize, &readed);   // return value ignored
for (int i = 0; i < readed - parsize; i++)   // unsigned subtraction: wraps when readed < parsize
{
if (memcmp((void*)(tmp + i), par, parsize) != 0)
continue;
addrlist.push_back(begain + i - bbgain);     // offset from the scan start, not an absolute address
}
free(tmp);
begain += readed;                   // advances by the bytes actually read; 0 on failure (see above)
}
}
// Fill `module` with every module of process `pid` (TH32CS_SNAPMODULE snapshot). Returns FALSE when the
// snapshot cannot be taken or yields no first entry; the snapshot handle is closed on both later paths.
BOOL GetModuleAddr(std::vector<MODULEENTRY32>& module, DWORD pid)
{
HANDLE hModuleSnap = INVALID_HANDLE_VALUE;
MODULEENTRY32 me32 = { sizeof(MODULEENTRY32) };   // aggregate-init sets the leading dwSize member
hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
if (hModuleSnap == INVALID_HANDLE_VALUE)
{
return FALSE;
}
if (!Module32FirstW(hModuleSnap, &me32))
{
CloseHandle(hModuleSnap);
return FALSE;
}
do {
module.push_back(me32);
} while (Module32NextW(hModuleSnap, &me32));
CloseHandle(hModuleSnap);
return TRUE;
}
// Collect every running process whose image name matches pProcess (case-insensitive) into `process`.
// Defects visible here: CreateToolhelp32Snapshot reports failure with INVALID_HANDLE_VALUE (as
// GetModuleAddr above checks), so the `== NULL` test below never fires; the early return after a failed
// Process32FirstW leaks hSnapshot; `hprocess` is assigned but never used.
BOOL FindProcess(std::vector<PROCESSENTRY32>& process, const wchar_t* pProcess)
{
HANDLE hSnapshot;
DWORD hprocess = 0;                 // unused
PROCESSENTRY32W lppe;
hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
if (hSnapshot == NULL)              // wrong sentinel: failure is INVALID_HANDLE_VALUE
return FALSE;
lppe.dwSize = sizeof(lppe);
if (!Process32FirstW(hSnapshot, &lppe))
return FALSE;                       // hSnapshot is leaked on this path
do
{
if (_wcsicmp(lppe.szExeFile, pProcess) == 0)
{
process.push_back(lppe);
}
} while (Process32NextW(hSnapshot, &lppe));
if (!CloseHandle(hSnapshot))
return FALSE;
return TRUE;
}
// x64 trampoline template: 48 b8 <imm64> / ff e0 = `mov rax, imm64 ; jmp rax` (12 bytes).
// Init overwrites the 8-byte immediate at offset 2 with the remote stub address (info.dlladdr).
// An absolute register jump is used because a rel32 `jmp` cannot reach an allocation more than
// 2 GiB away - the crash described in point 3 of the post.
byte eable[] =
{
0x48,0xb8,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0xff,0xe0
};
// Re-apply the trampoline in every recorded process by writing the 12 saved bytes back to info.address.
// OpenProcess's result is not checked and WriteProcessMemory's return is ignored, so failure is silent.
// PROCESS_ALL_ACCESS is far broader than this single write needs (PROCESS_VM_WRITE | PROCESS_VM_OPERATION).
// NOTE(review): `infolist.pid` / `infolist.address` / `infolist.eable` cannot compile as written - the
// element subscript (presumably `infolist[i]`) appears to have been dropped when the post was rendered.
// The same loss affects Disable, SetValue and Init below.
void Eable()
{
for (int i = 0; i < infolist.size(); i++)   // signed/unsigned comparison
{
SIZE_T readed = 0;
HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, false, infolist.pid);
WriteProcessMemory(hprocess, (LPVOID)(infolist.address), (LPVOID)infolist.eable, 12, &readed);
CloseHandle(hprocess);
}
}
// Restore the 16 original bytes captured by Init at info.address in every recorded process, undoing the
// trampoline. Same unchecked OpenProcess/WriteProcessMemory pattern as Eable; `int m = 0;` is a leftover.
void Disable()
{
for (int i = 0; i < infolist.size(); i++)
{
SIZE_T readed = 0;
HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, false, infolist.pid);
WriteProcessMemory(hprocess, (LPVOID)(infolist.address), (LPVOID)infolist.disable, 16, &readed);
CloseHandle(hprocess);
int m = 0;                          // unused
}
}
// Change the constant the remote stub returns. The stub written by Init is `b8 <imm32> c3`
// (`mov eax, imm32 ; ret`), so dlladdr + 1 is the start of the immediate; only its low two bytes are
// overwritten, the high two stay at the 0x00 0x00 written by Init (initial immediate 0x7fff).
void SetValue(unsigned short value)
{
for (int i = 0; i < infolist.size(); i++)
{
SIZE_T readed = 0;
HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, false, infolist.pid);
WriteProcessMemory(hprocess, (LPVOID)((DWORD64)infolist.dlladdr + 1), &value, 2, &readed);
CloseHandle(hprocess);
}
}
// For every process named `name`: find its ucrtbase.dll, locate the 12-byte signature `mark` within the
// first 0x15000 bytes of the module, and patch the code 0x16 bytes before the first hit with the trampoline
// (saving the original 16 bytes first). Records an Info per patched process and always returns 0.
// Fragility worth knowing: the signature and the hard-coded 0x16 back-offset are tied to one specific
// ucrtbase.dll build; if a different build matches the signature at a different place, the 12-byte write
// lands inside unrelated code. Nothing is freed (malloc'd buffers, the remote RWX page) and neither the
// OpenProcess result nor any Read/Write return value is checked. As in Eable, the subscripts on
// `process`, `module` and `addrlist` (presumably [i], [j], [0]) are missing from the rendered text.
int Init(const wchar_t* name)
{
std::vector<PROCESSENTRY32> process;
FindProcess(process, name);         // return value ignored
for (int i = 0; i < process.size(); i++)
{
std::vector<MODULEENTRY32> module;
GetModuleAddr(module, process.th32ProcessID);   // return value ignored
for (int j = 0; j < module.size(); j++)
{
if (_wcsicmp(module.szModule, L"ucrtbase.dll") == 0)
{
HANDLE hprocess = OpenProcess(PROCESS_ALL_ACCESS, false, process.th32ProcessID);   // not checked
// Signature searched for inside ucrtbase; tied to one CRT build (see header comment).
byte mark[] = { 0x89 ,0x48 ,0x28 ,0xc1 ,0xe9 ,0x10 ,0x81 ,0xe1 ,0xff ,0x7f ,0x00 ,0x00 };
std::vector<DWORD64> addrlist;
findcodeaddr(hprocess, (DWORD64)module.hModule, 0x15000, (char*)mark, 12, addrlist);   // offsets, not addresses
if (addrlist.size())
{
// Remote stub: b8 ff 7f 00 00 / c3 = `mov eax, 0x7fff ; ret`. SetValue later rewrites the immediate.
byte shellcode[] =
{
0xb8,0xff,0x7f,0x00,0x00,
0xc3,
};
DWORD64 offset = addrlist - 0x16;   // first hit minus a fixed back-offset (subscript lost in rendering)
SIZE_T readed = 0;
Info info;
info.pid = process.th32ProcessID;
info.disable = (byte*)malloc(16);   // never freed
info.eable = (byte*)malloc(12);     // never freed
info.address = (DWORD64)module.hModule + offset;
memcpy(info.eable, eable, 12);
// Save 16 original bytes (4 more than the 12 overwritten) so Disable can restore them.
ReadProcessMemory(hprocess, (LPVOID)((DWORD64)module.hModule + offset), info.disable, 16, &readed);
// 20-byte RWX allocation in the target for the 6-byte stub; never released with VirtualFreeEx.
info.dlladdr = VirtualAllocEx(hprocess, NULL, 20, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
WriteProcessMemory(hprocess, info.dlladdr, (LPVOID)shellcode, 6, &readed);
*(DWORD64*)(info.eable + 2) = (DWORD64)info.dlladdr;   // fill the imm64 of `mov rax, imm64`
WriteProcessMemory(hprocess, (LPVOID)((DWORD64)module.hModule + offset), (LPVOID)info.eable, 12, &readed);
infolist.push_back(info);
}
CloseHandle(hprocess);
break;                              // one ucrtbase per process; stop scanning modules
}
}
}
return 0;
}
}
不明觉厉,你可以设置金元啊什么的就相当于防止伸手了 :lol太硬核了还是等成品把 其实可以从混乱模式3的加成文件入手吧改成爆率+5000%应该就行了 lihai!!!!:):):) 很牛逼的样子 没啥用
不知道三大妈里有多少用户不是伸手党?
把这当52了吧 未加密都没这么大派头 不发程序 也没多少人明白,
。。。。。。。。。。。。。 不知道LZ发帖子为什么,把头都秀秃了也没几个人看得懂 所以你发这些有多少人看得懂?孤芳自赏罢了 不明觉厉 支持 等成品 典型的知识分子坏习惯,爱显摆又不想让别人用 EMMMM 看不懂 楼主真秀{:3_181:} 装了个好逼{:3_103:} 这种发出来ZB的玩意有什么资格求加精可笑 要秀就去52,在这里秀个鸡毛? 一大半人估计看到这一大条就跑了
发这个出来 估计和你一样了解原理的人才知道怎么用,其他不懂得还是不会用 我还能拳打南山敬老院,脚踢北海幼儿园呢,那我去了吗,没有,因为我知道这没什么可骄傲的 C++ Code(?) 不過懶的研究 厉害了
这都敢申精了?自己满足自己呗 哎呀 厉害厉害 您懂得真多呢 这东西有啥加精的 你不也是搬运的而已 代码怎么使用啊?
您这是准备把沙子水泥砖头堆在那儿就准备当房子卖了? 发这个你还不如直接发到CT论坛去........ 看楼上某几个人的回复,我反而理解了楼主为什么这么发 求版主删帖