[分享]诛仙飞天外挂。。源码公布 VB-付费问答-看雪-安全社区|安全招聘|kanxue.com

[旧帖] [分享]诛仙飞天外挂。。源码公布 VB 0.00雪花

发表于: 2007-11-5 16:38 18285

[旧帖] [分享]诛仙飞天外挂。。源码公布 VB 0.00雪花

寒悠儿

2007-11-5 16:38

18285

Option Explicit
Private Declare Function ReleaseCapture Lib "user32" () As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hWnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
Private Declare Function SetLayeredWindowAttributes Lib "user32" (ByVal hWnd As Long, ByVal crKey As Long, ByVal bAlpha As Byte, ByVal dwFlags As Long) As Long
Private Const WM_SYSCOMMAND = &H112
Private Const SC_MOVE = &HF010&
Private Const WM_NCLBUTTONDOWN = &HA1
Private Const HTCAPTION = 2
Const LWA_ALPHA = &H2 '注释：表示把窗体设置成半透明样式
Const LWA_COLORKEY = &H1 '注释：表示不显示窗体中的透明色
Dim base As Long
Const WS_EX_LAYERED = &H80000
Const GWL_EXSTYLE = (-20)
Private Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, ByVal nIndex As Long) As Long
Private Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Private Declare Function SetWindowPos Lib "user32" (ByVal hWnd As Long, _
ByVal hWndInsertAfter As Long, ByVal X As Long, ByVal Y As Long, ByVal cx As Long, _
ByVal cy As Long, ByVal wFlags As Long) As Long
'常量声明
Const SWP_NOMOVE = &H2    '保持当前位置（x和y设定将被忽略）
Const SWP_NOSIZE = &H1 '保持当前大小（cx和cy会被忽略）
Const HWND_TOPMOST = -1
Const Flags = SWP_NOMOVE Or SWP_NOSIZE
Dim pid As Long
Dim hProcess As Long

Private Sub Form_Load()
Dim rtn As Long
   rtn = GetWindowLong(Me.hWnd, GWL_EXSTYLE) '注释：取的窗口原先的样式
      rtn = rtn Or WS_EX_LAYERED '注释：使窗体添加上新的样式WS_EX_LAYERED
      SetWindowLong Me.hWnd, GWL_EXSTYLE, rtn '注释：把新的样式赋给窗体

      SetLayeredWindowAttributes Me.hWnd, 0, 170, LWA_ALPHA
End Sub

Private Sub Frame1_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
ReleaseCapture
SendMessage Me.hWnd, WM_SYSCOMMAND, SC_MOVE + HTCAPTION, 0
'SendMessage hwnd, WM_NCLBUTTONDOWN, HTCAPTION, 0&
'上述两种方法都能实现该功能。
End Sub

Private Sub Picture1_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
ReleaseCapture
SendMessage Me.hWnd, WM_SYSCOMMAND, SC_MOVE + HTCAPTION, 0
'SendMessage hwnd, WM_NCLBUTTONDOWN, HTCAPTION, 0&
'上述两种方法都能实现该功能。
End Sub

Function IsRun() As Boolean

IsRun = False
Dim gameupdatetitle As String
Dim hwd As Long ' 储存 FindWindow 函数返回的句柄
hwd = FindWindow(vbNullString, "Element Client")
GetWindowThreadProcessId hwd, pid
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, pid)

If hProcess = 0 Then
IsRun = False
Else
IsRun = True
End If
CloseHandle hProcess
End Function

Private Sub a1_Timer()
   hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
   If hProcess Then
      WriteProcessMemory hProcess, ByVal &H403E33, 1099547353, 4, 0& '写入内存1099547353这个值实现穿墙功能。
   End If
   CloseHandle hProcess
End Sub

Private Sub Command1_Click()
   If IsRun = True Then
      If Command1.Caption = "飞天(开)" Then
         Command1.Caption = " 飞天(关)"
         feitian.Enabled = True
      ElseIf Command1.Caption = "飞天(关)" Then
         Command1.Caption = "飞天(开)"
         feitian.Enabled = False
      End If
   Else
      MsgBox "游戏未开启", 16
      Exit Sub
   End If
End Sub

Private Sub Command2_Click()
      If IsRun = True Then
      If Command2.Caption = "穿墙(开)" Then
         Command2.Caption = " 穿墙(关)"
         a1.Enabled = True
      ElseIf Command2.Caption = "穿墙(关)" Then
         Command2.Caption = "穿墙(开)"
         a1.Enabled = False
      End If
   Else
      MsgBox "游戏未开启", 16
      Exit Sub
   End If
End Sub

Private Sub feitian_Timer()
   hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, pid)
   If hProcess Then
   WriteProcessMemory hProcess, ByVal &H45E019, -846528150, 4, 0& '写入内存846528150这个值实现飞天功能。
   End If
   CloseHandle hProcess
End Sub

Private Sub Label1_Click()
   End
End Sub

Private Sub Label3_Click()
   Me.WindowState = 1
End Sub

Private Sub Picture2_MouseDown(Button As Integer, Shift As Integer, X As Single, Y As Single)
ReleaseCapture
SendMessage Me.hWnd, WM_SYSCOMMAND, SC_MOVE + HTCAPTION, 0
'SendMessage hwnd, WM_NCLBUTTONDOWN, HTCAPTION, 0&
'上述两种方法都能实现该功能。
End Sub

[招生]科锐逆向工程师培训(2024年11月15日实地，远程教学同时开班, 第51期)

收藏・13

免费・0

支持

最新回复 (39) 1 2 ▶
寒悠儿雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 15 粉丝 0 关注私信	寒悠儿 2 楼以下是CALL查找 Option Explicit '---------------声明函数----------------------- '得到窗体句柄的函数,FindWindow函数用来返回符合指定的类名( ClassName )和窗口名( WindowTitle )的窗口句柄 Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long '得到窗体控件句柄的函数 Public Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long '得到进程标识符的函数 Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long '得到目标进程句柄的函数 Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long '关闭句柄的函数 Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long '读取进程内存的函数 Public Declare Function ReadProcessMemory Lib "kernel32.dll" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long '-----------发送信息的函数 Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long Public Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long Declare Sub keybd_event Lib "user32" (ByVal bVk As Byte, ByVal bScan As Byte, ByVal dwFlags As Long, ByVal dwExtraInfo As Long) '延迟函数 Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long) '读取配置文件的函数 Public Declare Function GetPrivateProfileString Lib "kernel32" Alias "GetPrivateProfileStringA" (ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpDefault As String, ByVal lpReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long '隐藏游戏窗口用 Public Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long Public Const PROCESS_ALL_ACCESS = &H1F0FFF Public Const SW_HIDE = 0 Public Const SW_SHOW = 5 'Public Const SW_SHOWDEFAULT = 10'--------------------------------------------分割线----------------------------------------------------------'以下是程序FORM源码 Dim hwd As Long ' 储存 FindWindow 函数返回的句柄 Dim pid As Long Dim hProcess As Long '存放进程句柄 Dim base As Long '存放人物基地址 Dim hp As Long '存储生命值 Dim hpmax As Long '存储生命最大值 Dim mp As Long '存储真气值 Dim mpmax As Long '存储真气最大值 Dim dengji As Long '等级 Dim jingli As Long '精力 Dim jlmax As Long '精力最大值--- Dim money As Long '钱包 Dim bank As Long '银行的钱 Dim exp As Double '经验 Dim expbk As Double '判断经验 Dim maxexp As Double 'MAX exp Dim map As Long '地图 Dim zhuangtai As Long '玩家状态 Dim job As Long '职业 Dim wpid As Long '物品ID Dim wpxtid As Long '物品系统ID '--------选取人物NPC怪的血等 Dim BHP As Long Dim BHPmax As Long Dim Bdj As Long Dim bx1 As Single Dim by1 As Single '------------ Dim MBid As Long '目标ID Dim BB As Long ' 星星报警 Dim xuejn As Long '技能格 Dim x1 As Single 'X坐标 Dim y1 As Single 'Y坐标 Dim QQ As Long '调用 Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) Private Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal X As Long, ByVal Y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long Function Float2Int(Ans As Single) As Long '浮点转整形 CopyMemory Float2Int, Ans, 4 End Function Private Sub Command1_Click() '测试 'If hProcess Then ' ReadProcessMemory hProcess, ByVal &H9077CC, QQ, 4, 0& 'ReadProcessMemory hProcess, ByVal QQ + &H28, QQ, 4, 0& ' ReadProcessMemory hProcess, ByVal QQ + &H13C, QQ, 4, 0& '写入内存-846528150这个值实现飞天功能。 'WriteProcessMemory hProcess, ByVal QQ, 1, 4, 0& 'ReadProcessMemory hProcess, ByVal QQ + &H140, QQ, 4, 0& 'Me.Label26.Caption = QQ 'End If Call_jw End Sub Private Sub Command7_Click() If Command7.Caption = "隐藏游戏" Then i = ShowWindow(hwd, SW_HIDE) Command7.Caption = "显示游戏" ElseIf Command7.Caption = "显示游戏" Then i = ShowWindow(hwd, SW_SHOW) Command7.Caption = "隐藏游戏" End If End Sub Private Sub Form_Load() a = 0 hwd = FindWindow(vbNullString, "Element Client") GetWindowThreadProcessId hwd, pid hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid) retValue = SetWindowPos(Me.hwnd, hwd, 750, 20, 265, 400, SWP_SHOWWINDOW) CloseHandle hProcess End Sub Private Sub Form_Unload(Cancel As Integer) CloseHandle hProcess End Sub Private Sub Timer1_Timer() Dim Name(31) As Byte '存储人物名称 Dim name_temp As Long Dim id As Long '------------ Dim bname(31) As Byte '存储选取人物名称 Dim bname_temp As Long Dim juli As Long hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid) If hProcess Then ReadProcessMemory hProcess, ByVal &H12F830, base, 4, 0& '一级基址 ReadProcessMemory hProcess, ByVal base + &H8, map, 4, 0& ReadProcessMemory hProcess, ByVal map + &H88, map, 4, 0& '地图ID ReadProcessMemory hProcess, ByVal base + &H28, base, 4, 0& '得到为人物基地址，方便以后使用 ReadProcessMemory hProcess, ByVal base + &H240, id, 4, 0& '玩家ID ReadProcessMemory hProcess, ByVal base + &H254, hp, 4, 0& '得到生命值 ReadProcessMemory hProcess, ByVal base + &H26C, hpmax, 4, 0& '得到生命最大值 ReadProcessMemory hProcess, ByVal base + &H258, mp, 4, 0& '得到真气值 ReadProcessMemory hProcess, ByVal base + &H270, mpmax, 4, 0& '得到真气最大值 ReadProcessMemory hProcess, ByVal base + &H24C, dengji, 4, 0& ReadProcessMemory hProcess, ByVal base + &H25C, jingli, 4, 0& '精力值 ReadProcessMemory hProcess, ByVal base + &H270, jlmax, 4, 0& '精力最大值 ReadProcessMemory hProcess, ByVal base + &H2D4, money, 4, 0& ReadProcessMemory hProcess, ByVal base + &H864, bank, 4, 0& ReadProcessMemory hProcess, ByVal base + &H260, exp, 16, 0& '经验 ReadProcessMemory hProcess, ByVal base + &H248, job, 16, 0& '职业 ReadProcessMemory hProcess, ByVal base + &H3A4, name_temp, 4, 0& ReadProcessMemory hProcess, ByVal name_temp, Name(0), 32, 0& '得到人物名称 ReadProcessMemory hProcess, ByVal base + &H910, xuejn, 4, 0& '技能个数 ReadProcessMemory hProcess, ByVal base + &H3D8, x1, 4, 0& '人物X坐标 ReadProcessMemory hProcess, ByVal base + &H3E0, y1, 4, 0& '人物Y坐标 '------------------选取目标内容 ReadProcessMemory hProcess, ByVal base + &H7B8, MBid, 4, 0& '目标ID 'ReadProcessMemory hProcess, ByVal MBid + &H24, MBid, 4, 0& ReadProcessMemory hProcess, ByVal MBid + &H128, Bdj, 4, 0& '目标等级 ReadProcessMemory hProcess, ByVal MBid + &H130, BHP, 4, 0& '目标HP ReadProcessMemory hProcess, ByVal MBid + &H148, BHPmax, 4, 0& '目标HP上限 ReadProcessMemory hProcess, ByVal MBid + &H148, BHPmax, 4, 0& '目标HP上限 ReadProcessMemory hProcess, ByVal &H91331C, BB, 4, 0& '提问星星 ReadProcessMemory hProcess, ByVal &H913908, zhuangtai, 4, 0& '玩家状态 End If '---------地图 Select Case map Case 1 Label28.Caption = "河阳城" Case 2 Label28.Caption = "青云城" Case 3 Label28.Caption = "天音城" Case 4 Label28.Caption = "流波城" End Select '--------玩家状态 Select Case zhuangtai Case 1 Label31.Caption = "在线" Case 0 Label31.Caption = "离线" End Select '----------门派 Select Case job Case 0 Me.Label32.Caption = "江湖少侠" Case 1 Me.Label32.Caption = "青云门" Case 2 Me.Label32.Caption = "天音寺" Case 3 Me.Label32.Caption = "鬼王宗" Case 4 Me.Label32.Caption = "合欢派" End Select '----答题报警 If BB = 1 Then Beep MsgBox "请手工回答问题！~", vbOKOnly, "答题警报" End If '-显示血条和当前坐标，身上钱，仓库钱，经验显示 Me.Shape1.Width = 3000 * (hp / hpmax) Me.Shape2.Width = 3000 * (mp / mpmax) Me.hptxt.Caption = hp Me.mptxt.Caption = mp Frame1.Caption = Name Me.Label1.Caption = id Me.exptxt.Caption = "当前经验： " & exp Me.maxexptxt.Caption = "升级经验： " & maxexp Me.Label2.Caption = "等级 " & dengji Me.Label3.Caption = "血量： " & hp & "/" & hpmax Me.Label4.Caption = "真气： " & mp & "/" & mpmax 'Me.moneytxt.Caption = "身上钱： " & money moneytxt.Caption = "身上钱： " & Int(money / 10000) & " " & "金" & " " & Int((money Mod 10000) / 100) & " " & "银" & " " & (money Mod 100) & " " & "铜" Me.Label8.Caption = "仓库钱： " & Int(bank / 10000) & " " & "金" & " " & Int((bank Mod 10000) / 100) & " " & "银" & " " & (bank Mod 100) & " " & "铜" Me.Label5.Caption = "当前座标： " & Int(x1) & "," & Int(y1) Me.Label6.Caption = "精力： " & jingli & "/" & jlmax Me.Label30.Caption = "目标ID:" & MBid '-----攻击打勾判断 expbk = exp If Me.Check1.Value = 1 Then Me.Timer6.Enabled = True ElseIf Me.Check1.Value = 0 Then Me.Timer6.Enabled = False End If '-------------试行CALL CloseHandle hProcess End Sub Private Sub Timer10_Timer() Call_dazuo End Sub Private Sub Timer5_Timer() If hp = hpmax Then Call_NOdazuo Me.Timer6.Enabled = True Me.Check1.Value = 1 Me.Timer5.Enabled = False End If End Sub Private Sub Timer6_Timer() Call_Attack If MBid > -1 Then a = 0 ElseIf MBid < 0 Then a = 1 End If Sleep 500 '延迟text2中的数值，用val()取数值 If hp < Me.Text1.Text & a = 0 Then Call_dazuo Me.Timer5.Enabled = True Me.Check1.Value = 0 Me.Timer6.Enabled = False End If If MBid > -1 Then Call_TAB Sleep 300 '延迟text2中的数值，用val()取数值 End If End Sub '------------------以下是CALL--------- Sub Call_Move(dx As Single, dy As Single, dz As Single, dm As Long) Dim asm As New clsASM '自动寻路 With asm ' asm .Pushad ' pushad .Mov_EAX_DWORD_Ptr &H910F4C ' mov eax,[&H910F4C] .Mov_EAX_DWORD_Ptr_EAX_Add &H8 ' mov eax,[eax+&H8] .Mov_EAX_DWORD_Ptr_EAX_Add &H88 ' mov eax,[eax+&H88] .Push dm ' mov eax,[base] .Mov_EAX Float2Int(dx) ' mov eax, x .Mov_DWORD_Ptr_EAX &H909BC8 ' mov [&H909BC8], eax .Mov_EAX Float2Int(dz) ' mov eax, z .Mov_DWORD_Ptr_EAX &H909BCC ' mov [&H909BCC], eax .Mov_EAX Float2Int(dy) ' mov eax, y .Mov_DWORD_Ptr_EAX &H909BD0 ' mov [&H909BD0], eax .Mov_EAX_DWORD_Ptr &H90778C ' mov eax, dword ptr [&H90778C] .Mov_EAX_DWORD_Ptr_EAX_Add &H28 ' mov eax, dword ptr [eax+&H28] .Lea_EAX_DWORD_Ptr_EAX_Add &H3C ' lea eax, dword ptr [eax+&H3c] .Push &H909BC8 ' push &H909BC8 .Push_EAX ' PUSH eax .Mov_ECX &H90D43C ' mov ecx, &H903C30 .Mov_EBX &H42AA70 ' mov eax, &H42ABB0 .Call_EBX ' Call eax .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_TAB() Dim asm As New clsASM 'TAB With asm ' asm .Pushad ' pushad .Mov_EAX_DWORD_Ptr &H90D43C ' mov eax,dword ptr ds:[&H90D43C] .Mov_EAX_DWORD_Ptr_EAX_Add &H1C ' mov eax,dword ptr ds:[eax+&H1c] .Mov_EAX_DWORD_Ptr_EAX_Add &H28 ' mov eax,dword ptr ds:[eax+&H28] .Mov_ECX_EAX ' mov ecx, eax; .Push 0 ' push 0 .Mov_EBX &H45F460 ' mov ebx,&H45F460 .Call_EBX ' call EBX .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_Attack() Dim asm As New clsASM '普通攻击 With asm ' asm .Pushad ' pushad .Mov_EAX &H5A4400 ' Mov EAX,&H5A3200 .Call_EAX ' call pointer(eax) .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_UseItem(UseItemid As Long, UseItemnum As Long) Dim asm As New clsASM '使用物品 With asm .Pushad 'pushad .Mov_EDX UseItemid 'mov edx,dwid .Mov_EAX UseItemnum 'mov eax,dwwz .Push 1 'push 1 .Push_EDX 'push edx .Push_EAX 'push eda .Push 0 'push 0 .Mov_ESI_DWORD_Ptr &H90D43C 'mov esi,dword ptr &H90D43C .Lea_ECX_DWORD_Ptr_ESI_Add &HD4 'lea ecx,dword ptr (esi+&H4) .Mov_EAX &H579DA0 'mov eax &H579410 .Call_EAX .Popad .Ret End With asm.Run_ASM pid End Sub Sub Call_huichen() Dim asm As New clsASM '死亡回城 With asm ' asm .Pushad ' pushad .Mov_EAX &H5A4820 ' Mov EAX,&H5a3620 .Call_EAX ' call pointer(eax) .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_dazuo() Dim asm As New clsASM '打坐 With asm ' asm .Pushad ' pushad .Mov_EAX &H5A4A80 ' Mov EAX,&H5a3620 .Call_EAX ' call pointer(eax) .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_NOdazuo() Dim asm As New clsASM '停止打坐 With asm ' asm .Pushad ' pushad .Mov_EAX &H5A4A40 ' Mov EAX,&H5A4A40 .Call_EAX ' call pointer(eax) .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_jw() Dim asm As New clsASM '自动拣物 With asm .Pushad .Mov_ECX_DWORD_Ptr &H90D43C .Mov_EDX_DWORD_Ptr_EDI_Add &H110 .Mov_EAX_DWORD_Ptr_ESI_Add &H20 .Push_EDX .Mov_ECX_DWORD_Ptr_ECX_Add &H20 .Push_EAX .Add_ECX &HD4 .Mov_EAX &H579F70 .Call_EAX .Popad .Ret End With asm.Run_ASM pid End Sub Sub Call_KJ() Dim asm As New clsASM '快捷键 With asm .Pushad .Mov_EAX_DWORD_Ptr base '基址 .Mov_EAX_DWORD_Ptr_EAX_Add &H28 '.MOV_EAX_EAX_add &H8D8 '这里是数字键偏移，Fn键偏移是&H8CC？没测试 '.MOV_EAX_EAX_add &HC '.MOV_EAX_EAX_add &H4 * id 'ID=将键位*4后写入地址键1-9=值0-8 '.Mov_ECX , EAX ' .Mov_EDX , [ECX] '.Mov_EAX_DWORD_Ptr_EDX_Add &H8 ' Call_EAX ' .Popad ' .Ret End With End Sub 2007-11-5 16:42 0
寒悠儿雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 15 粉丝 0 关注私信	寒悠儿 3 楼 OD开诛仙，bp send下断，然后按Ctrl+F9，OK，这些会了，你就能找到下面的CALL了。下面的地址虽然不是最新版的，但层次结构都对。关闭NPC是不发包的，没法BP SEND找。 ============================================================================== 1.打坐CALL________在第五层 at 005A4A80(打坐CALL) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 2.停止打坐Call地址_______在第五层 at 005A3710(打坐CALL) \| ---->at 0057edf0(发包CALL) \| ---->at 0057c690(????) \| ---->at 005842f0(????) \| ---->at 71a2428a(系统领空) ============================================================================== 3.Tab Call____________在第七层 at 0045F460(Tab CALL) \| ---->at 00579FE0(????) \| ---->at 005A43C0(????) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 4.普通攻击CALL________在第五层 at 005A30D0(普通攻击CALL) \| ---->at 0057edf0(发包CALL) \| ---->at 0057c690(????) \| ---->at 005842f0(????) \| ---->at 71a2428a(系统领空) ============================================================================== 5.死亡回城CALL________在第五层 at 005A34F0(死亡回城CALL) \| ---->at 0057edf0(发包CALL) \| ---->at 0057c690(????) \| ---->at 005842f0(????) \| ---->at 71a2428a(系统领空) ============================================================================== 6.捡物CALL________在第六层 at 00579640(捡物CALL) \| ---->at 005A3110(????) \| ---->at 0057EDF0(发包CALL) \| ---->at 0057C690(????) \| ---->at 005842F0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 7.技能攻击CALL________在第九层 at 00465890(技能攻击CALL) \| ---->at 0045F3F0(???) \| ---->at 0046BDE0(????) \| ---->at 005797C0(????) \| ---->at 005A3910(????) \| ---->at 0057EDF0(发包CALL) \| ---->at 0057C690(????) \| ---->at 005842F0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 8.目标ID选怪CALL____________在第六层 at 00579FE0(目标ID选怪CALL) \| ---->at 005A43C0(????) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 9.使用物品CALL____________在第六层 at 00579DA0(使用物品CALL) \| ---->at 005A4480(????) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 10.打开NPC CALL____________在第六层 at 0057A2A0(打开NPC CALL) \| ---->at 005A5D10(????) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 11.关闭NPC CALL____________不发包CALL的找法，借助CE NPC状态地址:[[[基址]+28]+7d5]，CE显示关闭的地址是:46b218 at 0046b218 在OD里内容如下： 0046B210 /$ 33C0 XOR EAX,EAX 0046B212 \|. 8981 C8070000 MOV DWORD PTR DS:[ECX+7C8],EAX 0046B218 \|. 8881 D5070000 MOV BYTE PTR DS:[ECX+7D5],AL 0046B21E \|. 8981 60030000 MOV DWORD PTR DS:[ECX+360],EAX 0046B224 \. C3 RETN 点击0046B210后显示: 本地调用/跳转来自 0046B8B4, 004DF9D7, 0051100B, 00514538, 0051ACB7, 0054AD8C, 0054D805 下断点，一个一个的试，最后关闭NPC和0054D805这个有关，接着 at 0054D805 在OD里内容如下： 0054D7F0 $ C781 30060000>MOV DWORD PTR DS:[ECX+630],0 0054D7FA . A1 3CD49000 MOV EAX,DWORD PTR DS:[90D43C] 0054D7FF . 8B48 1C MOV ECX,DWORD PTR DS:[EAX+1C] 0054D802 . 8B49 28 MOV ECX,DWORD PTR DS:[ECX+28] 0054D805 .^ E9 06DAF1FF JMP elementc.0046B210 点击0054D7F0后显示: 本地调用来自 004A8F17, 004AFC92, 004AFCCA, 004B0232, 004B3971, 004C31D3, 004C79D7, 004C8887, 004C8919, 004CF5FF, 004D2027, 004D6736, 004D675E, 004DAF77, 004E0BAB, 004E395A, 004F5616, 004F58E9, 004F7BC1, 004F7CDE, 004F8139, 004F823C, 004F82F7, M) 下断点，一个一个的试，最后关闭NPC和004F5616这个有关，发现004F5616位于一个call里面地址是： 004F5500 /$ 64:A1 0000000>MOV EAX,DWORD PTR FS:[0] 好了，到此为止，就可以用Ctrl+F9了。从下向上看。 at 006B99E0(这就是取消NPC CALL) \| ---->at 0054653B(????) \| ---->at 006C0520(发包CALL) \| ---->at 006BDBBB(????) \| ---->at 006BDBD0(????) \| ---->at 004F5500(????) ============================================================================== 12.卖物CALL____________在第五层 at 005A5DD0(卖物CALL) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 13.买物CALL____________在第五层 at 005A5D50(买物CALL) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 2007-11-5 16:43 0
爱琴海雪币： 1355 活跃值： (339) 能力值： ( LV13，RANK：920 ) 在线值：发帖 74 回帖 660 粉丝 7 关注私信	爱琴海 13 4 楼好文，顶。。。。。。学习了 2007-11-5 18:59 0
十三少雪币： 226 活跃值： (15) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 402 粉丝 1 关注私信	十三少 2 5 楼你写出这个东西出来应该让它产生效益，发出来就完全没意义了。 2007-11-5 19:21 0
没有风雪币： 486 活跃值： (13) 能力值： ( LV9，RANK：430 ) 在线值：发帖 24 回帖 152 粉丝 0 关注私信	没有风 10 6 楼黑客精神啊！！！！！！！！！！严重支持。 2007-11-5 19:48 0
风间仁雪币： 29200 活跃值： (7699) 能力值： ( LV15，RANK：3306 ) 在线值：发帖 111 回帖 591 粉丝 83 关注私信	风间仁 19 7 楼可执行文件＋SRC就好了 2007-11-5 20:10 0
yingyue 雪币： 1844 活跃值： (35) 能力值： ( LV3，RANK：30 ) 在线值：发帖 16 回帖 2595 粉丝 3 关注私信	yingyue 8 楼很想学一下 VB ，太强大了 2007-11-5 23:40 0
wofan[OCN] 雪币： 2943 活跃值： (1788) 能力值： ( LV9，RANK：850 ) 在线值：发帖 55 回帖 808 粉丝 8 关注私信	wofan[OCN] 21 9 楼同感！就这样，如果不亲自玩一下这个Game，就无法编译这个程序了。看这份源码，可以了解一下外挂的写法。 2007-11-6 00:05 0
神滴眷恋雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 11 粉丝 0 关注私信	神滴眷恋 10 楼 2007-11-6 00:16 0
SilenceLi 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	SilenceLi 11 楼 MM很厉害..学习学习 2007-11-6 02:10 0
寒悠儿雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 15 粉丝 0 关注私信	寒悠儿 12 楼额。。偶现在就玩诛仙。。西西！~ 2007-11-6 18:08 0
ylwtiancai 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	ylwtiancai 13 楼太强了，好好看一下 2007-11-6 19:51 0
ylwtiancai 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	ylwtiancai 14 楼太强大了吧，这个可要好好看一下 2007-11-6 19:53 0
magicwolf 雪币： 269 活跃值： (38) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 65 粉丝 2 关注私信	magicwolf 15 楼我也在玩诛仙哈....电信一幻月的~~~~ 2007-11-23 17:46 0
pheonix 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 9 粉丝 0 关注私信	pheonix 16 楼学习了楼主。。。。。 2007-11-23 22:48 0
kagayaki 雪币： 1205 活跃值： (5094) 能力值： ( LV3，RANK：20 ) 在线值：发帖 174 回帖 1252 粉丝 25 关注私信	kagayaki 17 楼收藏!!!!!!!!!!!!!! 2007-11-24 12:00 0
Ttsee 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 8 粉丝 0 关注私信	Ttsee 18 楼支持，先收藏。 2007-11-24 20:23 0
happykitty 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 18 粉丝 0 关注私信	happykitty 19 楼十分感谢，值得研究。 2008-1-4 22:33 0
落魄江湖一书生雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	落魄江湖一书生 20 楼牛逼...暗暗暗暗暗暗暗暗暗暗 2008-1-4 23:40 0
canaris 雪币： 238 活跃值： (103) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 13 粉丝 0 关注私信	canaris 21 楼好东西啊~！ 2008-1-5 00:59 0
softboys 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 19 粉丝 0 关注私信	softboys 22 楼使用PEID 0.94直接检测是：ASProtect V2.X Registered -> Alexey Solodovnikov * 插件VerA 0.15检测是：ASProtect 2.3 SKE build 05.14 Beta [2]! 麻烦各位哥哥，大侠，帮帮小弟~~~试了N种办法都不行啊。。。。本人QQ： 4133623 2008-1-5 01:39 0
cnkq 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 70 粉丝 0 关注私信	cnkq 23 楼支持开源，感谢提供！ 2008-1-5 08:10 0
pathletboy 雪币： 184 活跃值： (65) 能力值： ( LV6，RANK：90 ) 在线值：发帖 25 回帖 376 粉丝 1 关注私信	pathletboy 2 24 楼这种东西时效性要求很高，建议把对应的游戏主程序一并发出。 2008-1-5 09:01 0
studykkjs 雪币： 243 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 29 回帖 222 粉丝 0 关注私信	studykkjs 25 楼恩。。。。不过最最关键的还是分析过程。。其实源码不是那么重要。 2008-1-5 09:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复

寒悠儿

发帖

回帖

RANK

关注

私信

他的文章

关于我们

联系我们

企业服务

看雪公众号

最新回复 (39) 1 2 ▶
寒悠儿雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 15 粉丝 0 关注私信	寒悠儿 2 楼以下是CALL查找 Option Explicit '---------------声明函数----------------------- '得到窗体句柄的函数,FindWindow函数用来返回符合指定的类名( ClassName )和窗口名( WindowTitle )的窗口句柄 Public Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long '得到窗体控件句柄的函数 Public Declare Function FindWindowEx Lib "user32" Alias "FindWindowExA" (ByVal hWnd1 As Long, ByVal hWnd2 As Long, ByVal lpsz1 As String, ByVal lpsz2 As String) As Long '得到进程标识符的函数 Public Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long '得到目标进程句柄的函数 Public Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long '关闭句柄的函数 Public Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long '读取进程内存的函数 Public Declare Function ReadProcessMemory Lib "kernel32.dll" (ByVal hProcess As Long, ByVal lpBaseAddress As Long, ByRef lpBuffer As Any, ByVal nSize As Long, ByRef lpNumberOfBytesWritten As Long) As Long Public Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long '-----------发送信息的函数 Public Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long Public Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, ByVal lParam As Long) As Long Declare Sub keybd_event Lib "user32" (ByVal bVk As Byte, ByVal bScan As Byte, ByVal dwFlags As Long, ByVal dwExtraInfo As Long) '延迟函数 Public Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long) '读取配置文件的函数 Public Declare Function GetPrivateProfileString Lib "kernel32" Alias "GetPrivateProfileStringA" (ByVal lpApplicationName As String, ByVal lpKeyName As Any, ByVal lpDefault As String, ByVal lpReturnedString As String, ByVal nSize As Long, ByVal lpFileName As String) As Long '隐藏游戏窗口用 Public Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long, ByVal nCmdShow As Long) As Long Public Const PROCESS_ALL_ACCESS = &H1F0FFF Public Const SW_HIDE = 0 Public Const SW_SHOW = 5 'Public Const SW_SHOWDEFAULT = 10'--------------------------------------------分割线----------------------------------------------------------'以下是程序FORM源码 Dim hwd As Long ' 储存 FindWindow 函数返回的句柄 Dim pid As Long Dim hProcess As Long '存放进程句柄 Dim base As Long '存放人物基地址 Dim hp As Long '存储生命值 Dim hpmax As Long '存储生命最大值 Dim mp As Long '存储真气值 Dim mpmax As Long '存储真气最大值 Dim dengji As Long '等级 Dim jingli As Long '精力 Dim jlmax As Long '精力最大值--- Dim money As Long '钱包 Dim bank As Long '银行的钱 Dim exp As Double '经验 Dim expbk As Double '判断经验 Dim maxexp As Double 'MAX exp Dim map As Long '地图 Dim zhuangtai As Long '玩家状态 Dim job As Long '职业 Dim wpid As Long '物品ID Dim wpxtid As Long '物品系统ID '--------选取人物NPC怪的血等 Dim BHP As Long Dim BHPmax As Long Dim Bdj As Long Dim bx1 As Single Dim by1 As Single '------------ Dim MBid As Long '目标ID Dim BB As Long ' 星星报警 Dim xuejn As Long '技能格 Dim x1 As Single 'X坐标 Dim y1 As Single 'Y坐标 Dim QQ As Long '调用 Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long) Private Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long, ByVal hWndInsertAfter As Long, ByVal X As Long, ByVal Y As Long, ByVal cx As Long, ByVal cy As Long, ByVal wFlags As Long) As Long Function Float2Int(Ans As Single) As Long '浮点转整形 CopyMemory Float2Int, Ans, 4 End Function Private Sub Command1_Click() '测试 'If hProcess Then ' ReadProcessMemory hProcess, ByVal &H9077CC, QQ, 4, 0& 'ReadProcessMemory hProcess, ByVal QQ + &H28, QQ, 4, 0& ' ReadProcessMemory hProcess, ByVal QQ + &H13C, QQ, 4, 0& '写入内存-846528150这个值实现飞天功能。 'WriteProcessMemory hProcess, ByVal QQ, 1, 4, 0& 'ReadProcessMemory hProcess, ByVal QQ + &H140, QQ, 4, 0& 'Me.Label26.Caption = QQ 'End If Call_jw End Sub Private Sub Command7_Click() If Command7.Caption = "隐藏游戏" Then i = ShowWindow(hwd, SW_HIDE) Command7.Caption = "显示游戏" ElseIf Command7.Caption = "显示游戏" Then i = ShowWindow(hwd, SW_SHOW) Command7.Caption = "隐藏游戏" End If End Sub Private Sub Form_Load() a = 0 hwd = FindWindow(vbNullString, "Element Client") GetWindowThreadProcessId hwd, pid hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid) retValue = SetWindowPos(Me.hwnd, hwd, 750, 20, 265, 400, SWP_SHOWWINDOW) CloseHandle hProcess End Sub Private Sub Form_Unload(Cancel As Integer) CloseHandle hProcess End Sub Private Sub Timer1_Timer() Dim Name(31) As Byte '存储人物名称 Dim name_temp As Long Dim id As Long '------------ Dim bname(31) As Byte '存储选取人物名称 Dim bname_temp As Long Dim juli As Long hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid) If hProcess Then ReadProcessMemory hProcess, ByVal &H12F830, base, 4, 0& '一级基址 ReadProcessMemory hProcess, ByVal base + &H8, map, 4, 0& ReadProcessMemory hProcess, ByVal map + &H88, map, 4, 0& '地图ID ReadProcessMemory hProcess, ByVal base + &H28, base, 4, 0& '得到为人物基地址，方便以后使用 ReadProcessMemory hProcess, ByVal base + &H240, id, 4, 0& '玩家ID ReadProcessMemory hProcess, ByVal base + &H254, hp, 4, 0& '得到生命值 ReadProcessMemory hProcess, ByVal base + &H26C, hpmax, 4, 0& '得到生命最大值 ReadProcessMemory hProcess, ByVal base + &H258, mp, 4, 0& '得到真气值 ReadProcessMemory hProcess, ByVal base + &H270, mpmax, 4, 0& '得到真气最大值 ReadProcessMemory hProcess, ByVal base + &H24C, dengji, 4, 0& ReadProcessMemory hProcess, ByVal base + &H25C, jingli, 4, 0& '精力值 ReadProcessMemory hProcess, ByVal base + &H270, jlmax, 4, 0& '精力最大值 ReadProcessMemory hProcess, ByVal base + &H2D4, money, 4, 0& ReadProcessMemory hProcess, ByVal base + &H864, bank, 4, 0& ReadProcessMemory hProcess, ByVal base + &H260, exp, 16, 0& '经验 ReadProcessMemory hProcess, ByVal base + &H248, job, 16, 0& '职业 ReadProcessMemory hProcess, ByVal base + &H3A4, name_temp, 4, 0& ReadProcessMemory hProcess, ByVal name_temp, Name(0), 32, 0& '得到人物名称 ReadProcessMemory hProcess, ByVal base + &H910, xuejn, 4, 0& '技能个数 ReadProcessMemory hProcess, ByVal base + &H3D8, x1, 4, 0& '人物X坐标 ReadProcessMemory hProcess, ByVal base + &H3E0, y1, 4, 0& '人物Y坐标 '------------------选取目标内容 ReadProcessMemory hProcess, ByVal base + &H7B8, MBid, 4, 0& '目标ID 'ReadProcessMemory hProcess, ByVal MBid + &H24, MBid, 4, 0& ReadProcessMemory hProcess, ByVal MBid + &H128, Bdj, 4, 0& '目标等级 ReadProcessMemory hProcess, ByVal MBid + &H130, BHP, 4, 0& '目标HP ReadProcessMemory hProcess, ByVal MBid + &H148, BHPmax, 4, 0& '目标HP上限 ReadProcessMemory hProcess, ByVal MBid + &H148, BHPmax, 4, 0& '目标HP上限 ReadProcessMemory hProcess, ByVal &H91331C, BB, 4, 0& '提问星星 ReadProcessMemory hProcess, ByVal &H913908, zhuangtai, 4, 0& '玩家状态 End If '---------地图 Select Case map Case 1 Label28.Caption = "河阳城" Case 2 Label28.Caption = "青云城" Case 3 Label28.Caption = "天音城" Case 4 Label28.Caption = "流波城" End Select '--------玩家状态 Select Case zhuangtai Case 1 Label31.Caption = "在线" Case 0 Label31.Caption = "离线" End Select '----------门派 Select Case job Case 0 Me.Label32.Caption = "江湖少侠" Case 1 Me.Label32.Caption = "青云门" Case 2 Me.Label32.Caption = "天音寺" Case 3 Me.Label32.Caption = "鬼王宗" Case 4 Me.Label32.Caption = "合欢派" End Select '----答题报警 If BB = 1 Then Beep MsgBox "请手工回答问题！~", vbOKOnly, "答题警报" End If '-显示血条和当前坐标，身上钱，仓库钱，经验显示 Me.Shape1.Width = 3000 * (hp / hpmax) Me.Shape2.Width = 3000 * (mp / mpmax) Me.hptxt.Caption = hp Me.mptxt.Caption = mp Frame1.Caption = Name Me.Label1.Caption = id Me.exptxt.Caption = "当前经验： " & exp Me.maxexptxt.Caption = "升级经验： " & maxexp Me.Label2.Caption = "等级 " & dengji Me.Label3.Caption = "血量： " & hp & "/" & hpmax Me.Label4.Caption = "真气： " & mp & "/" & mpmax 'Me.moneytxt.Caption = "身上钱： " & money moneytxt.Caption = "身上钱： " & Int(money / 10000) & " " & "金" & " " & Int((money Mod 10000) / 100) & " " & "银" & " " & (money Mod 100) & " " & "铜" Me.Label8.Caption = "仓库钱： " & Int(bank / 10000) & " " & "金" & " " & Int((bank Mod 10000) / 100) & " " & "银" & " " & (bank Mod 100) & " " & "铜" Me.Label5.Caption = "当前座标： " & Int(x1) & "," & Int(y1) Me.Label6.Caption = "精力： " & jingli & "/" & jlmax Me.Label30.Caption = "目标ID:" & MBid '-----攻击打勾判断 expbk = exp If Me.Check1.Value = 1 Then Me.Timer6.Enabled = True ElseIf Me.Check1.Value = 0 Then Me.Timer6.Enabled = False End If '-------------试行CALL CloseHandle hProcess End Sub Private Sub Timer10_Timer() Call_dazuo End Sub Private Sub Timer5_Timer() If hp = hpmax Then Call_NOdazuo Me.Timer6.Enabled = True Me.Check1.Value = 1 Me.Timer5.Enabled = False End If End Sub Private Sub Timer6_Timer() Call_Attack If MBid > -1 Then a = 0 ElseIf MBid < 0 Then a = 1 End If Sleep 500 '延迟text2中的数值，用val()取数值 If hp < Me.Text1.Text & a = 0 Then Call_dazuo Me.Timer5.Enabled = True Me.Check1.Value = 0 Me.Timer6.Enabled = False End If If MBid > -1 Then Call_TAB Sleep 300 '延迟text2中的数值，用val()取数值 End If End Sub '------------------以下是CALL--------- Sub Call_Move(dx As Single, dy As Single, dz As Single, dm As Long) Dim asm As New clsASM '自动寻路 With asm ' asm .Pushad ' pushad .Mov_EAX_DWORD_Ptr &H910F4C ' mov eax,[&H910F4C] .Mov_EAX_DWORD_Ptr_EAX_Add &H8 ' mov eax,[eax+&H8] .Mov_EAX_DWORD_Ptr_EAX_Add &H88 ' mov eax,[eax+&H88] .Push dm ' mov eax,[base] .Mov_EAX Float2Int(dx) ' mov eax, x .Mov_DWORD_Ptr_EAX &H909BC8 ' mov [&H909BC8], eax .Mov_EAX Float2Int(dz) ' mov eax, z .Mov_DWORD_Ptr_EAX &H909BCC ' mov [&H909BCC], eax .Mov_EAX Float2Int(dy) ' mov eax, y .Mov_DWORD_Ptr_EAX &H909BD0 ' mov [&H909BD0], eax .Mov_EAX_DWORD_Ptr &H90778C ' mov eax, dword ptr [&H90778C] .Mov_EAX_DWORD_Ptr_EAX_Add &H28 ' mov eax, dword ptr [eax+&H28] .Lea_EAX_DWORD_Ptr_EAX_Add &H3C ' lea eax, dword ptr [eax+&H3c] .Push &H909BC8 ' push &H909BC8 .Push_EAX ' PUSH eax .Mov_ECX &H90D43C ' mov ecx, &H903C30 .Mov_EBX &H42AA70 ' mov eax, &H42ABB0 .Call_EBX ' Call eax .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_TAB() Dim asm As New clsASM 'TAB With asm ' asm .Pushad ' pushad .Mov_EAX_DWORD_Ptr &H90D43C ' mov eax,dword ptr ds:[&H90D43C] .Mov_EAX_DWORD_Ptr_EAX_Add &H1C ' mov eax,dword ptr ds:[eax+&H1c] .Mov_EAX_DWORD_Ptr_EAX_Add &H28 ' mov eax,dword ptr ds:[eax+&H28] .Mov_ECX_EAX ' mov ecx, eax; .Push 0 ' push 0 .Mov_EBX &H45F460 ' mov ebx,&H45F460 .Call_EBX ' call EBX .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_Attack() Dim asm As New clsASM '普通攻击 With asm ' asm .Pushad ' pushad .Mov_EAX &H5A4400 ' Mov EAX,&H5A3200 .Call_EAX ' call pointer(eax) .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_UseItem(UseItemid As Long, UseItemnum As Long) Dim asm As New clsASM '使用物品 With asm .Pushad 'pushad .Mov_EDX UseItemid 'mov edx,dwid .Mov_EAX UseItemnum 'mov eax,dwwz .Push 1 'push 1 .Push_EDX 'push edx .Push_EAX 'push eda .Push 0 'push 0 .Mov_ESI_DWORD_Ptr &H90D43C 'mov esi,dword ptr &H90D43C .Lea_ECX_DWORD_Ptr_ESI_Add &HD4 'lea ecx,dword ptr (esi+&H4) .Mov_EAX &H579DA0 'mov eax &H579410 .Call_EAX .Popad .Ret End With asm.Run_ASM pid End Sub Sub Call_huichen() Dim asm As New clsASM '死亡回城 With asm ' asm .Pushad ' pushad .Mov_EAX &H5A4820 ' Mov EAX,&H5a3620 .Call_EAX ' call pointer(eax) .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_dazuo() Dim asm As New clsASM '打坐 With asm ' asm .Pushad ' pushad .Mov_EAX &H5A4A80 ' Mov EAX,&H5a3620 .Call_EAX ' call pointer(eax) .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_NOdazuo() Dim asm As New clsASM '停止打坐 With asm ' asm .Pushad ' pushad .Mov_EAX &H5A4A40 ' Mov EAX,&H5A4A40 .Call_EAX ' call pointer(eax) .Popad ' popad .Ret End With ' end asm.Run_ASM pid End Sub Sub Call_jw() Dim asm As New clsASM '自动拣物 With asm .Pushad .Mov_ECX_DWORD_Ptr &H90D43C .Mov_EDX_DWORD_Ptr_EDI_Add &H110 .Mov_EAX_DWORD_Ptr_ESI_Add &H20 .Push_EDX .Mov_ECX_DWORD_Ptr_ECX_Add &H20 .Push_EAX .Add_ECX &HD4 .Mov_EAX &H579F70 .Call_EAX .Popad .Ret End With asm.Run_ASM pid End Sub Sub Call_KJ() Dim asm As New clsASM '快捷键 With asm .Pushad .Mov_EAX_DWORD_Ptr base '基址 .Mov_EAX_DWORD_Ptr_EAX_Add &H28 '.MOV_EAX_EAX_add &H8D8 '这里是数字键偏移，Fn键偏移是&H8CC？没测试 '.MOV_EAX_EAX_add &HC '.MOV_EAX_EAX_add &H4 * id 'ID=将键位*4后写入地址键1-9=值0-8 '.Mov_ECX , EAX ' .Mov_EDX , [ECX] '.Mov_EAX_DWORD_Ptr_EDX_Add &H8 ' Call_EAX ' .Popad ' .Ret End With End Sub 2007-11-5 16:42 0
寒悠儿雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 15 粉丝 0 关注私信	寒悠儿 3 楼 OD开诛仙，bp send下断，然后按Ctrl+F9，OK，这些会了，你就能找到下面的CALL了。下面的地址虽然不是最新版的，但层次结构都对。关闭NPC是不发包的，没法BP SEND找。 ============================================================================== 1.打坐CALL________在第五层 at 005A4A80(打坐CALL) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 2.停止打坐Call地址_______在第五层 at 005A3710(打坐CALL) \| ---->at 0057edf0(发包CALL) \| ---->at 0057c690(????) \| ---->at 005842f0(????) \| ---->at 71a2428a(系统领空) ============================================================================== 3.Tab Call____________在第七层 at 0045F460(Tab CALL) \| ---->at 00579FE0(????) \| ---->at 005A43C0(????) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 4.普通攻击CALL________在第五层 at 005A30D0(普通攻击CALL) \| ---->at 0057edf0(发包CALL) \| ---->at 0057c690(????) \| ---->at 005842f0(????) \| ---->at 71a2428a(系统领空) ============================================================================== 5.死亡回城CALL________在第五层 at 005A34F0(死亡回城CALL) \| ---->at 0057edf0(发包CALL) \| ---->at 0057c690(????) \| ---->at 005842f0(????) \| ---->at 71a2428a(系统领空) ============================================================================== 6.捡物CALL________在第六层 at 00579640(捡物CALL) \| ---->at 005A3110(????) \| ---->at 0057EDF0(发包CALL) \| ---->at 0057C690(????) \| ---->at 005842F0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 7.技能攻击CALL________在第九层 at 00465890(技能攻击CALL) \| ---->at 0045F3F0(???) \| ---->at 0046BDE0(????) \| ---->at 005797C0(????) \| ---->at 005A3910(????) \| ---->at 0057EDF0(发包CALL) \| ---->at 0057C690(????) \| ---->at 005842F0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 8.目标ID选怪CALL____________在第六层 at 00579FE0(目标ID选怪CALL) \| ---->at 005A43C0(????) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 9.使用物品CALL____________在第六层 at 00579DA0(使用物品CALL) \| ---->at 005A4480(????) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 10.打开NPC CALL____________在第六层 at 0057A2A0(打开NPC CALL) \| ---->at 005A5D10(????) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 11.关闭NPC CALL____________不发包CALL的找法，借助CE NPC状态地址:[[[基址]+28]+7d5]，CE显示关闭的地址是:46b218 at 0046b218 在OD里内容如下： 0046B210 /$ 33C0 XOR EAX,EAX 0046B212 \|. 8981 C8070000 MOV DWORD PTR DS:[ECX+7C8],EAX 0046B218 \|. 8881 D5070000 MOV BYTE PTR DS:[ECX+7D5],AL 0046B21E \|. 8981 60030000 MOV DWORD PTR DS:[ECX+360],EAX 0046B224 \. C3 RETN 点击0046B210后显示: 本地调用/跳转来自 0046B8B4, 004DF9D7, 0051100B, 00514538, 0051ACB7, 0054AD8C, 0054D805 下断点，一个一个的试，最后关闭NPC和0054D805这个有关，接着 at 0054D805 在OD里内容如下： 0054D7F0 $ C781 30060000>MOV DWORD PTR DS:[ECX+630],0 0054D7FA . A1 3CD49000 MOV EAX,DWORD PTR DS:[90D43C] 0054D7FF . 8B48 1C MOV ECX,DWORD PTR DS:[EAX+1C] 0054D802 . 8B49 28 MOV ECX,DWORD PTR DS:[ECX+28] 0054D805 .^ E9 06DAF1FF JMP elementc.0046B210 点击0054D7F0后显示: 本地调用来自 004A8F17, 004AFC92, 004AFCCA, 004B0232, 004B3971, 004C31D3, 004C79D7, 004C8887, 004C8919, 004CF5FF, 004D2027, 004D6736, 004D675E, 004DAF77, 004E0BAB, 004E395A, 004F5616, 004F58E9, 004F7BC1, 004F7CDE, 004F8139, 004F823C, 004F82F7, M) 下断点，一个一个的试，最后关闭NPC和004F5616这个有关，发现004F5616位于一个call里面地址是： 004F5500 /$ 64:A1 0000000>MOV EAX,DWORD PTR FS:[0] 好了，到此为止，就可以用Ctrl+F9了。从下向上看。 at 006B99E0(这就是取消NPC CALL) \| ---->at 0054653B(????) \| ---->at 006C0520(发包CALL) \| ---->at 006BDBBB(????) \| ---->at 006BDBD0(????) \| ---->at 004F5500(????) ============================================================================== 12.卖物CALL____________在第五层 at 005A5DD0(卖物CALL) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 13.买物CALL____________在第五层 at 005A5D50(买物CALL) \| ---->at 0057F7F0(发包CALL) \| ---->at 0057D070(????) \| ---->at 00584EF0(????) \| ---->at 71A2428A(系统领空) ============================================================================== 2007-11-5 16:43 0
爱琴海雪币： 1355 活跃值： (339) 能力值： ( LV13，RANK：920 ) 在线值：发帖 74 回帖 660 粉丝 7 关注私信	爱琴海 13 4 楼好文，顶。。。。。。学习了 2007-11-5 18:59 0
十三少雪币： 226 活跃值： (15) 能力值： ( LV6，RANK：90 ) 在线值：发帖 10 回帖 402 粉丝 1 关注私信	十三少 2 5 楼你写出这个东西出来应该让它产生效益，发出来就完全没意义了。 2007-11-5 19:21 0
没有风雪币： 486 活跃值： (13) 能力值： ( LV9，RANK：430 ) 在线值：发帖 24 回帖 152 粉丝 0 关注私信	没有风 10 6 楼黑客精神啊！！！！！！！！！！严重支持。 2007-11-5 19:48 0
风间仁雪币： 29200 活跃值： (7699) 能力值： ( LV15，RANK：3306 ) 在线值：发帖 111 回帖 591 粉丝 83 关注私信	风间仁 19 7 楼可执行文件＋SRC就好了 2007-11-5 20:10 0
yingyue 雪币： 1844 活跃值： (35) 能力值： ( LV3，RANK：30 ) 在线值：发帖 16 回帖 2595 粉丝 3 关注私信	yingyue 8 楼很想学一下 VB ，太强大了 2007-11-5 23:40 0
wofan[OCN] 雪币： 2943 活跃值： (1788) 能力值： ( LV9，RANK：850 ) 在线值：发帖 55 回帖 808 粉丝 8 关注私信	wofan[OCN] 21 9 楼同感！就这样，如果不亲自玩一下这个Game，就无法编译这个程序了。看这份源码，可以了解一下外挂的写法。 2007-11-6 00:05 0
神滴眷恋雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 11 粉丝 0 关注私信	神滴眷恋 10 楼 2007-11-6 00:16 0
SilenceLi 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	SilenceLi 11 楼 MM很厉害..学习学习 2007-11-6 02:10 0
寒悠儿雪币： 204 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 5 回帖 15 粉丝 0 关注私信	寒悠儿 12 楼额。。偶现在就玩诛仙。。西西！~ 2007-11-6 18:08 0
ylwtiancai 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	ylwtiancai 13 楼太强了，好好看一下 2007-11-6 19:51 0
ylwtiancai 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 10 粉丝 0 关注私信	ylwtiancai 14 楼太强大了吧，这个可要好好看一下 2007-11-6 19:53 0
magicwolf 雪币： 269 活跃值： (38) 能力值： ( LV2，RANK：10 ) 在线值：发帖 14 回帖 65 粉丝 2 关注私信	magicwolf 15 楼我也在玩诛仙哈....电信一幻月的~~~~ 2007-11-23 17:46 0
pheonix 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 9 粉丝 0 关注私信	pheonix 16 楼学习了楼主。。。。。 2007-11-23 22:48 0
kagayaki 雪币： 1205 活跃值： (5094) 能力值： ( LV3，RANK：20 ) 在线值：发帖 174 回帖 1252 粉丝 25 关注私信	kagayaki 17 楼收藏!!!!!!!!!!!!!! 2007-11-24 12:00 0
Ttsee 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 8 粉丝 0 关注私信	Ttsee 18 楼支持，先收藏。 2007-11-24 20:23 0
happykitty 雪币： 201 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 3 回帖 18 粉丝 0 关注私信	happykitty 19 楼十分感谢，值得研究。 2008-1-4 22:33 0
落魄江湖一书生雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 2 粉丝 0 关注私信	落魄江湖一书生 20 楼牛逼...暗暗暗暗暗暗暗暗暗暗 2008-1-4 23:40 0
canaris 雪币： 238 活跃值： (103) 能力值： ( LV2，RANK：10 ) 在线值：发帖 0 回帖 13 粉丝 0 关注私信	canaris 21 楼好东西啊~！ 2008-1-5 00:59 0
softboys 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 1 回帖 19 粉丝 0 关注私信	softboys 22 楼使用PEID 0.94直接检测是：ASProtect V2.X Registered -> Alexey Solodovnikov * 插件VerA 0.15检测是：ASProtect 2.3 SKE build 05.14 Beta [2]! 麻烦各位哥哥，大侠，帮帮小弟~~~试了N种办法都不行啊。。。。本人QQ： 4133623 2008-1-5 01:39 0
cnkq 雪币： 200 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 4 回帖 70 粉丝 0 关注私信	cnkq 23 楼支持开源，感谢提供！ 2008-1-5 08:10 0
pathletboy 雪币： 184 活跃值： (65) 能力值： ( LV6，RANK：90 ) 在线值：发帖 25 回帖 376 粉丝 1 关注私信	pathletboy 2 24 楼这种东西时效性要求很高，建议把对应的游戏主程序一并发出。 2008-1-5 09:01 0
studykkjs 雪币： 243 活跃值： (10) 能力值： ( LV2，RANK：10 ) 在线值：发帖 29 回帖 222 粉丝 0 关注私信	studykkjs 25 楼恩。。。。不过最最关键的还是分析过程。。其实源码不是那么重要。 2008-1-5 09:22 0
	游客登录 \| 注册方可回帖回帖表情雪币赚取及消费高级回复