很久前就到看雪混了,只是没注册ID,说实话太麻烦了,还要邀请码。
最近想下点高人的附件,可惜没权限。
我的博客:http://hi.baidu.com/xshows1985/blog
简单说就是在魔兽上写字,类似浩方
一番努力终于搞定了哈哈。参考这个:http://dl.dbank.com/c0o50n5ooy
基本原理:
1.Loader inject hfuthack.dll后
hfuthack.dll载入
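// Entry point of the injected DLL.
//
// On DLL_PROCESS_ATTACH the CAntiCheat singleton is created and the
// LoadLibraryA / Module32Next imports are detoured.  A std::exception raised
// while creating the singleton is reported in a message box and the attach
// fails (returning FALSE makes the loader unload the DLL again).
//
// hinstDLL and lpvReserved are unused.  DLL_PROCESS_DETACH does nothing, so
// no detour is removed when the DLL goes away.
// NOTE(review): DllMain runs under the loader lock; CAntiCheat::Get() and
// DetourFunction must therefore avoid LoadLibrary / thread-sync calls — confirm.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
    switch (fdwReason) {
    case DLL_PROCESS_ATTACH:
    {
        // Load up the antihack for the first time (it is a singleton).
        try {
            CAntiCheat::Get();
        }
        // Catch by const reference: catching std::exception by value slices
        // derived exception types and can lose the text carried by what().
        catch (const std::exception& e) {
            MessageBoxA(0, e.what(), "hfuthack", MB_ICONERROR | MB_OK);
            return FALSE;
        }
        // Hook the relevant API calls.  DetourFunction returns the trampoline
        // to the original, which the hook functions call through.
        orig_LoadLibrary = (LoadLibrary_t)DetourFunction((LPBYTE) LoadLibraryA, (LPBYTE) hook_LoadLibrary );
        orig_Module32Next = (Module32Next_t)DetourFunction((LPBYTE) Module32Next, (LPBYTE) hook_Module32Next );
        break;
    }
    case DLL_PROCESS_DETACH:
    {
        break;
    }
    }
    return TRUE;
}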
2.由于魔兽基于 DirectX 8,所以我们检测 d3d8.dll
下面是hook_LoadLibrary的主要代码
std::string sModule = lpFileName;
StripFilePath(sModule);// StripFilePath是对比魔兽载入模块函数
// -------------------------------------------------------------------------------
// 等待d3d8.dll 载入然后 hook Direct3DCreate8
// -------------------------------------------------------------------------------
HMODULE hM = orig_LoadLibrary( lpFileName );
static int hooked = 0;
if (sModule == "d3d8.dll")
{
hooked++;
if (hooked == 3) {
// get address of function to hook
pDirect3DCreate8 = (PBYTE)GetProcAddress(hM, "Direct3DCreate8");
orig_Direct3DCreate8 = (Direct3DCreate8_t)DetourFunction(pDirect3DCreate8, (PBYTE)hook_Direct3DCreate8);
}
}
3.
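// -------------------------------------------------------------------------------
// Direct3DCreate8 hook
// Uses the returned IDirect3D8 interface to hook CreateDevice (vtable slot 15).
// -------------------------------------------------------------------------------
PBYTE pDirect3DCreate8 = 0;
Direct3DCreate8_t orig_Direct3DCreate8;

// Replacement for Direct3DCreate8.  Calls the original and, when it succeeds,
// detours the CreateDevice entry of the returned interface so device creation
// can be observed by hook_CreateDevice.
// @param SDKVersion forwarded unchanged to the original Direct3DCreate8.
// @return whatever the original returned (null on failure).
IDirect3D8* __stdcall hook_Direct3DCreate8(UINT SDKVersion)
{
    IDirect3D8* d3d = orig_Direct3DCreate8(SDKVersion);
    // Direct3DCreate8 returns null on failure; there is no vtable to patch then.
    if (d3d) {
        // NOTE: storing the original through a (DWORD&) cast assumes a 32-bit build.
        DetourFunctionWithVtable((void*)d3d, 15, (DWORD&)orig_CreateDevice, (void*)hook_CreateDevice);
    }
    return d3d;
}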
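// -------------------------------------------------------------------------------
// CreateDevice hook
// Captures the created IDirect3DDevice8 so the overlay can draw with it,
// hooks its EndScene (vtable 35) and Reset (vtable 14) entries, and records
// the screen dimensions.
// -------------------------------------------------------------------------------
CreateDevice_t orig_CreateDevice;

// Replacement for IDirect3D8::CreateDevice.  All parameters are forwarded to
// the original; the returned HRESULT is passed back unchanged.
// The device is only touched when creation succeeded — on failure the
// out-pointer is not valid and dereferencing it would crash the host process.
HRESULT APIENTRY hook_CreateDevice(IDirect3D8* pInterface, UINT Adapter, D3DDEVTYPE DeviceType, HWND hFocusWindow, DWORD BehaviorFlags, D3DPRESENT_PARAMETERS* pPresentationParameters, IDirect3DDevice8** ppReturnedDeviceInterface)
{
    HRESULT ret = orig_CreateDevice(pInterface, Adapter, DeviceType, hFocusWindow, BehaviorFlags, pPresentationParameters, ppReturnedDeviceInterface);
    if (FAILED(ret) || !ppReturnedDeviceInterface || !*ppReturnedDeviceInterface) {
        return ret;
    }
    IDirect3DDevice8* device = *ppReturnedDeviceInterface;
    // NOTE: storing the originals through (DWORD&) casts assumes a 32-bit build.
    DetourFunctionWithVtable((void*)device, 35, (DWORD&)orig_EndScene, (void*)hook_EndScene);
    DetourFunctionWithVtable((void*)device, 14, (DWORD&)orig_Reset, (void*)hook_Reset);
    CD3DManager::Get()->SetDevice(device);
    if (pPresentationParameters->Windowed) {
        // Windowed mode is assumed to be 800x600 (hard-coded by the original
        // author); full-screen mode uses the real back-buffer size.
        CD3DManager::Get()->SetScreenDimensions(800, 600, false);
    } else {
        CD3DManager::Get()->SetScreenDimensions(pPresentationParameters->BackBufferWidth, pPresentationParameters->BackBufferHeight, true);
    }
    return ret;
}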
// -------------------------------------------------------------------------------
// EndScene hook
// Runs the overlay's per-frame update at EndScene time (after the game's own
// drawing for the frame) and then forwards to the original EndScene.
// -------------------------------------------------------------------------------
EndScene_t orig_EndScene;

// Replacement for IDirect3DDevice8::EndScene.
// @param pInterface the device whose EndScene was called; forwarded as-is.
// @return the HRESULT of the original EndScene.
HRESULT APIENTRY hook_EndScene(IDirect3DDevice8* pInterface)
{
    CD3DManager* const manager = CD3DManager::Get();
    manager->Update();
    const HRESULT result = orig_EndScene(pInterface);
    return result;
}
4.其他相关函数
// Records the device the overlay draws with and rebuilds the font for it.
// @param device the IDirect3DDevice8 handed over by the CreateDevice hook.
void CD3DManager::SetDevice(IDirect3DDevice8* device)
{
    this->pDevice = device;
    // The D3DX font is tied to a device, so it is recreated whenever the
    // device changes (ReloadFont does nothing while pDevice is null).
    this->ReloadFont();
}
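// Per-frame overlay update, called from the EndScene hook.
//
// Recalculates the FPS counter, draws every queued message (an expired
// message is drawn one last time and then dropped) and, when PF_CVARS is set
// in printFlags, lists the cvars along the bottom of the screen.
// @return 0 when no device is set (nothing is drawn), otherwise 1.
int CD3DManager::Update()
{
    if (!pDevice) return 0;
    ThreadRequestResources();
    // Recalculate FPS.
    fps = CalculateFPS();
    // Handle messages: draw the current ones, dropping those that expired.
    {
        int yMod = 5;
        for (std::list<CMessage>::iterator it = messages.begin(); it != messages.end(); ) {
            // HasExpired() also updates the message's alpha value etc.
            const bool expired = it->HasExpired();
            TextOut(10, yMod, it->msg, it->color);
            yMod += 20;
            if (expired) {
                // Erase in place: no temporary copy of the message and no
                // dependence on CMessage::operator== (list::remove dropped
                // every message comparing equal, not only this one).
                it = messages.erase(it);
            } else {
                ++it;
            }
        }
    }
    // Handle cvars.
    if (printFlags & PF_CVARS) {
        // cvars.size() is unsigned; convert before subtracting so a list
        // taller than the screen yields a negative offset instead of wrapping.
        int yMod = screenHeight - static_cast<int>(cvars.size()) * 20;
        for (std::list<CCvarBase*>::iterator it = cvars.begin(); it != cvars.end(); ++it) {
            TextOut(10, yMod, (*it)->ToString(), D3DCOLOR_XRGB(0, 191, 255));
            yMod += 20;
        }
    }
    ThreadReleaseResources();
    return 1;
}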
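// (Re)creates the D3DX font used by TextOut for the current device.
//
// Any previous font is released first.  The GDI font only serves as the
// template for D3DXCreateFont and is deleted once the D3DX font exists.
// @return 0 if there is no device or font creation failed, otherwise 1.
int CD3DManager::ReloadFont()
{
    if (!pDevice) return 0;
    if (m_font) {
        m_font->Release();
        m_font = 0;
    }
    // Local handle (not a member), hence no m_ prefix.
    HFONT hFont = CreateFont(18,                          // height
                             0,                           // width
                             0,                           // escapement
                             0,                           // orientation
                             FW_NORMAL,                   // weight
                             FALSE,                       // italic
                             FALSE,                       // underline
                             FALSE,                       // strikeout
                             DEFAULT_CHARSET,             // charset
                             OUT_DEFAULT_PRECIS,          // output precision
                             CLIP_DEFAULT_PRECIS,         // clip precision
                             ANTIALIASED_QUALITY,         // quality
                             DEFAULT_PITCH | FF_DONTCARE, // pitch and family
                             TEXT("MS Sans Serif"));
    if (!hFont) return 0;
    // Check the HRESULT: on failure m_font is left null so TextOut keeps
    // skipping drawing instead of calling through an invalid pointer.
    const HRESULT hr = D3DXCreateFont(pDevice, hFont, &m_font);
    DeleteObject(hFont);
    if (FAILED(hr)) {
        m_font = 0;
        return 0;
    }
    return 1;
}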
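// Draws one line of text with the current D3DX font.
//
// The clip rectangle is estimated from the text length (15 px per character,
// 25 px high); alpha blending is enabled so the colour's alpha is honoured.
// @param x, y   top-left corner in screen pixels.
// @param text   string to draw (by value, matching the class declaration).
// @param color  D3DCOLOR value used for the glyphs.
// @return 0 if no device or no font is available, otherwise 1.
int CD3DManager::TextOut(int x, int y, std::string text, DWORD color)
{
    if (!pDevice || !m_font) return 0;
    // text.length() is size_t; convert explicitly so the LONG members of RECT
    // are not narrowed silently inside the brace initialiser.
    const LONG right = static_cast<LONG>(x + static_cast<int>(text.length()) * 15);
    RECT rect_Text = {x, y, right, y + 25};
    // NOTE(review): these render states are not restored afterwards and so
    // remain set for the host's following draw calls — confirm the game resets them.
    pDevice->SetRenderState(D3DRS_ALPHABLENDENABLE, TRUE);
    pDevice->SetRenderState(D3DRS_SRCBLEND, D3DBLEND_SRCALPHA);
    pDevice->SetRenderState(D3DRS_DESTBLEND, D3DBLEND_INVSRCALPHA);
    m_font->DrawTextA(text.c_str(), -1, &rect_Text, 0, color); // DT_CENTER was 0
    return 1;
}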
loader可以inject DLL文件,顺利进入BN.
#include <windows.h>
#include <stdexcept>
#include <string>
#include "patch.h"
#include "inject.h"
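// Loader entry point: starts war3.exe suspended, patches it and injects the
// DLL, then resumes the main thread.
//
// A std::exception thrown by CreateProcessA / PatchWarcraft / InjectAntihack
// is shown in a message box together with the system error text, and the
// half-started child (if any) is terminated.
// @param lpCmdLine forwarded to war3.exe after a dummy first token.
// @return always 0; errors are reported through the message box only.
int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nShowCmd)
{
    PROCESS_INFORMATION pi;
    STARTUPINFOA si;
    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    // Add in something random so the next parameter is the actual switch.
    std::string sCmd = "hfut-Loader ";
    // Pass on the parameters to the warcraft exe.
    sCmd += lpCmdLine;
    try {
        // Create the process.  CreateProcessA may write into the command-line
        // buffer, so give it the string's own writable storage instead of a
        // const_cast of c_str().
        if (!CreateProcessA("war3.exe",
                            &sCmd[0],
                            0,
                            0,
                            FALSE,
                            CREATE_SUSPENDED,
                            0,
                            0,
                            &si,
                            &pi)) {
            // std::runtime_error carries the message portably; the
            // std::exception(const char*) constructor is an MSVC extension.
            throw std::runtime_error("无法启动 Warcraft III");
        }
        // Patch warcraft for pvpgn and inject the hackdll.
        PatchWarcraft(pi.hProcess);
        InjectAntihack(pi.hProcess);
    }
    catch (const std::exception& e) { // by reference: no slicing of derived types
        // Read the error code before any further call can overwrite it.
        const DWORD lastError = GetLastError();
        std::string s = e.what();
        char lpMsgBuf[500] = {0};
        FormatMessageA(
            FORMAT_MESSAGE_FROM_SYSTEM |
            FORMAT_MESSAGE_IGNORE_INSERTS,
            NULL,
            lastError,
            MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
            lpMsgBuf,
            sizeof(lpMsgBuf),
            NULL
        );
        s += " \n\n系统返回错误:\n";
        s += lpMsgBuf;
        MessageBoxA(0, s.c_str(), "hfut", MB_ICONERROR | MB_OK);
        // No LocalFree here: lpMsgBuf is a stack array, not a buffer allocated
        // by FORMAT_MESSAGE_ALLOCATE_BUFFER, so freeing it was invalid.
        if (pi.hProcess) {
            TerminateProcess(pi.hProcess, 0);
        }
        // Release the handles CreateProcessA handed out (no-ops if it failed).
        if (pi.hThread) CloseHandle(pi.hThread);
        if (pi.hProcess) CloseHandle(pi.hProcess);
        return 0;
    }
    if (pi.hThread) {
        ResumeThread(pi.hThread);
    }
    // The loader has no further interest in the child: release both handles
    // so they do not leak for the loader's lifetime.
    if (pi.hThread) CloseHandle(pi.hThread);
    if (pi.hProcess) CloseHandle(pi.hProcess);
    return 0;
}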