红警2共和国之辉 ce 金钱 冷却地址 等级 血量 以及c++修改器源码
稍简单一点的版本1
一定记得用管理员权限运行代码!!!
一定记得用管理员权限运行代码!!!
一定记得用管理员权限运行代码!!!
emmmmmmm,战役模式加上这一次用外挂打通已经是第四次了,开心(๑•̀ㅂ•́)و✧
下面给出我这次使用ce找到的金钱及冷却时间的地址:
金钱:“game.exe”+00635DB4 + 24c
建筑物冷却:
第一个建筑物:“game.exe”+00433A80 + 24
第二个建筑物:“game.exe”+00433AB0 + 24
第三个建筑物:“game.exe”+00433AE0 + 24
。。。
规律就是第一个地址+0x30
一下同理.
防御类冷却:
第一个:“game.exe”+00434914 + 24
。。。
兵类:
第一个:“game.exe”+00435748 + 24
。。。
坦克类:
第一个:“game.exe”+004365AC + 24
第二次我又换了一个版本的红警,发现基地址与之前的不一致。
金钱自己找吧
冷却是0-54的4字节int值
54是完成,但是估计有逻辑判断,直接改成54就会卡在那里不动。
每一秒把正在冷却的那个的冷却时间设置为53,让他自己变到54,这样正确出发状态转换
先搜索一个小兵的血量,然后再搜索一个小兵
对比结构体
可以发现 等级是double的数值0-2
血量是有符号int
等级的偏移是+118
血量的偏移是+6c
游戏开始的时候,对象需要初始化很多东西,比如基地车的等级血量等等。
红警的基地车可以从车变成建筑,我猜从基地车变成建筑的时候,会把车的内存删除,重新创建建筑的一个对象,这时如果你恰好在基地车的时候存储了这个基地车的地址,当基地车变成基地建筑的时候去修改基地车的血量和等级,有可能会导致访问到非法内存,以至于红警崩溃。
emmmmm,我就没搞,交给读者了。
所选中的对象是由一个指针数组存放的,还有一个数值存放了当前选中了多少对象。
建议先找到一个对象的血量,比如坦克1的血量,然后再找坦克2的血量,找谁改写了他们的血量,然后找到那个关键的减血量的代码,找这个代码访问了哪些地址,然后分析结构体,你就可以得到这两辆坦克的基地址,0x6c是血量,0x1b4是队伍id。
然后你只选中坦克1,搜坦克1的基地址,然后只选中坦克2,搜坦克2的基地址。这样就能确定下来,当前选中的第一个物品的基地址,保存这个指针,然后再拿过来一个坦克3,这次我们来确定当前选中第二个坦克的基地址存在了哪里,两个两个的选,找到一种选法,使第一个选中的物品的指针指到的对象不变,例如,同时选中坦克1,坦克2,此时选中的第一个物品的那个指针指向了坦克1,然后同时选中了坦克1和坦克3,此时指针假如还指向坦克1,那么说明当前选中的第二个物品的指针的内存从之前的坦克2变到了现在的坦克3。
总之确定下来指针的偏移规律和当前选中对象的个数,你就可以找到当前选中的所有对象了。
所以,基地址,请根据自己的实际情况搞
下面为c++代码:
请看懂后根据自己需求修改:
#include <bits/stdc++.h>
#include <iostream>
#include <Windows.h>
#include <Tlhelp32.h>
#include <stdio.h>
#include <time.h>
using namespace std;
void changeMoney();
void enableDebugPriv();
bool init(string gameName);
int FindPID(string ProcessName);
HMODULE fnGetProcessBase(DWORD PID);
DWORD GetLastErrorBox(HWND hWnd, LPSTR lpTitle) ;
uintptr_t FindDMAAddy(uintptr_t ptr, vector<uintptr_t> offsets);
HWND hwnd;
//程序的地址,类似于一个int
DWORD procID;
HANDLE handle;
//基地址cstrike.exe
unsigned int BaseAddress;
uintptr_t first_build_offsets=0x0041BDA0;
uintptr_t first_deffence_offsets=0x0041CC34;
uintptr_t first_soldier_offsets=0x0041DA68;
uintptr_t first_tank_offsets=0x0041E8CC;
int fresh_number=10;
uintptr_t ReadMemory(uintptr_t addr)
{
uintptr_t t;
bool state = ReadProcessMemory(handle, (LPVOID)addr, &t, sizeof(t), 0);
if(!state)return 0;
return t;
}
void changeMoney()
{
int money = 20000;
vector<uintptr_t> money_offsets;
money_offsets.push_back(0x0061E0C4);
money_offsets.push_back(0x24c);
uintptr_t addr = FindDMAAddy(BaseAddress,money_offsets);
if(addr!=0)
{
WriteProcessMemory(handle, (LPVOID)addr, &money, sizeof(money), 0);
}
}
uintptr_t get_myself_team_id()
{
uintptr_t myid=0;
//获取自己的队伍id指针
//game.exe+61E0C4
vector<uintptr_t> team_offsets;
team_offsets.push_back(0x61E0C4);
uintptr_t myidaddr = FindDMAAddy(BaseAddress, team_offsets);
if(myidaddr!=0)
{
myid=ReadMemory(myidaddr);
}
return myid;
}
vector<uintptr_t> get_select_team_id()
{
vector<uintptr_t> select_team_id;
vector<uintptr_t> grade_offsets;
int max_select_number=100;
for(int i=0;i!=max_select_number;i++)
{
grade_offsets.clear();
grade_offsets.push_back(0x00628884);
grade_offsets.push_back(i*4);
grade_offsets.push_back(0x1B4);
uintptr_t addr = FindDMAAddy(BaseAddress,grade_offsets);
if(addr==0)
{
break;
}
uintptr_t team_id=ReadMemory(addr);
//当返回的team_id为0时,表示没有选中更多了,访问到了未分配的内存
if(team_id==0)
{
// printf("%d\n", i);
break;
}
select_team_id.push_back(team_id);
}
return select_team_id;
}
void unlimted_blood()
{
//判断当前选择的对象的队伍id是不是自己的队伍id
uintptr_t myid = get_myself_team_id();
vector<uintptr_t> select_id = get_select_team_id();
for(int i=0;i!=select_id.size();i++)
{
if(myid==select_id[i])
{
//"game.exe"+00628884
//0
//6c
int blood=20000;
vector<uintptr_t> grade_offsets;
grade_offsets.push_back(0x00628884);
grade_offsets.push_back(i*4);
grade_offsets.push_back(0x6c);
uintptr_t addr = FindDMAAddy(BaseAddress,grade_offsets);
if(addr==0)
{
break;
}
else
{
WriteProcessMemory(handle, (LPVOID)addr, &blood, sizeof(blood), 0);
}
}
else
{
//"game.exe"+00628884
//0
//6c
int blood=1;
vector<uintptr_t> grade_offsets;
grade_offsets.push_back(0x00628884);
grade_offsets.push_back(i*4);
grade_offsets.push_back(0x6c);
uintptr_t addr = FindDMAAddy(BaseAddress,grade_offsets);
if(addr==0)
{
break;
}
else
{
WriteProcessMemory(handle, (LPVOID)addr, &blood, sizeof(blood), 0);
}
}
}
}
void upgrade()
{
//判断当前选择的对象的队伍id是不是自己的队伍id
uintptr_t myid = get_myself_team_id();
vector<uintptr_t> select_id = get_select_team_id();
for(int i=0;i!=select_id.size();i++)
{
if(myid==select_id[i])
{
//"game.exe"+00628884
//0
//118
double grade=2;
vector<uintptr_t> grade_offsets;
grade_offsets.push_back(0x00628884);
grade_offsets.push_back(i*4);
grade_offsets.push_back(0x118);
uintptr_t addr = FindDMAAddy(BaseAddress,grade_offsets);
if(addr==0)
{
break;
}
else
{
WriteProcessMemory(handle, (LPVOID)addr, &grade, sizeof(grade), 0);
}
}
}
}
void rebellion()
{
uintptr_t myid=get_myself_team_id();
//修改当前选中的对象的队伍id指针为自己的id指针
vector<uintptr_t> grade_offsets;
grade_offsets.push_back(0x00628884);
grade_offsets.push_back(0x0);
grade_offsets.push_back(0x1B4);
uintptr_t addr = FindDMAAddy(BaseAddress,grade_offsets);
WriteProcessMemory(handle, (LPVOID)addr, &myid, sizeof(myid), 0);
}
void freshBuilding()
{
//1.1 "game.exe"+0041BDA0
int complete=53;
for(int i=0;i!=fresh_number;i++)
{
vector<uintptr_t> offsets;
offsets.push_back(first_build_offsets+0x30*i);
offsets.push_back(0x24);
uintptr_t addr = FindDMAAddy(BaseAddress,offsets);
if(addr==0)
{
break;
}
else
{
uintptr_t t = ReadMemory(addr);
if(t<uintptr_t(53))
{
WriteProcessMemory(handle, (LPVOID)addr, &complete, sizeof(complete), 0);
}
}
}
}
void freshDeffence()
{
//2.1 "game.exe"+0041CC34
int complete=53;
for(int i=0;i!=fresh_number;i++)
{
vector<uintptr_t> offsets;
offsets.push_back(first_deffence_offsets+0x30*i);
offsets.push_back(0x24);
uintptr_t addr = FindDMAAddy(BaseAddress,offsets);
if(addr==0)
{
break;
}
else
{
uintptr_t t = ReadMemory(addr);
if(t<uintptr_t(53))
{
WriteProcessMemory(handle, (LPVOID)addr, &complete, sizeof(complete), 0);
}
}
}
}
void freshSoldier()
{
//3.1 "game.exe"+0041DA68
int complete=53;
for(int i=0;i!=fresh_number;i++)
{
vector<uintptr_t> offsets;
offsets.push_back(first_soldier_offsets+0x30*i);
offsets.push_back(0x24);
uintptr_t addr = FindDMAAddy(BaseAddress,offsets);
if(addr==0)
{
break;
}
else
{
uintptr_t t = ReadMemory(addr);
if(t<uintptr_t(53))
{
WriteProcessMemory(handle, (LPVOID)addr, &complete, sizeof(complete), 0);
}
}
}
}
void freshTank()
{
//4.1 "game.exe"+0041E8CC
int complete=53;
for(int i=0;i!=fresh_number;i++)
{
vector<uintptr_t> offsets;
offsets.push_back(first_tank_offsets+0x30*i);
offsets.push_back(0x24);
uintptr_t addr = FindDMAAddy(BaseAddress,offsets);
if(addr==0)
{
break;
}
else
{
uintptr_t t = ReadMemory(addr);
if(t<uintptr_t(53))
{
WriteProcessMemory(handle, (LPVOID)addr, &complete, sizeof(complete), 0);
}
}
}
}
int main()
{
while(1)
{
if(!init("Game.exe"))
{
cout<<"修改器初始化失败!"<<endl;
Sleep(4000);
}
else
{
changeMoney();//修改金钱
freshBuilding();
freshDeffence();
freshSoldier();
freshTank();
upgrade();
unlimted_blood();
// rebellion();
Sleep(1000);//暂停5秒,实战得提高刷新频率
//break;
}
}
CloseHandle(handle);
return 0;
}
bool init(string gameName)
{
procID=FindPID(gameName);
//cout<<procID<<endl;
//获取进程句柄
handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, procID);
if (handle == NULL)
{
cout << "There is no such a process!" << endl;
Sleep(3000);
return 0;
}
HMODULE hModule = fnGetProcessBase(procID);
if(hModule==NULL)
{
return 0;
}
BaseAddress = (UINT_PTR)hModule;
return 1;
}
//通过PID获取基地址
HMODULE fnGetProcessBase(DWORD PID)
{
//获取进程基址
HANDLE hSnapShot;
//通过CreateToolhelp32Snapshot和线程ID,获取进程快照
hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
if (hSnapShot == INVALID_HANDLE_VALUE)
{
GetLastErrorBox(NULL,"can't create Snapshot!");
return NULL;
}
MODULEENTRY32 ModuleEntry32;
ModuleEntry32.dwSize = sizeof(ModuleEntry32);
if (Module32First(hSnapShot, &ModuleEntry32))
{
do
{
TCHAR szExt[5];
strcpy(szExt, ModuleEntry32.szExePath + strlen(ModuleEntry32.szExePath) - 4);
for (int i = 0;i < 4;i++)
{
if ((szExt[i] >= 'a')&&(szExt[i] <= 'z'))
{
szExt[i] = szExt[i] - 0x20;
}
}
if (!strcmp(szExt, ".EXE"))
{
CloseHandle(hSnapShot);
return ModuleEntry32.hModule;
}
} while (Module32Next(hSnapShot, &ModuleEntry32));
}
CloseHandle(hSnapShot);
return NULL;
}
// 显示错误信息
DWORD GetLastErrorBox(HWND hWnd, LPSTR lpTitle)
{
LPVOID lpv;
DWORD dwRv;
if (GetLastError() == 0) return 0;
dwRv = FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US),
(LPSTR)&lpv,
0,
NULL);
MessageBox(hWnd, (LPCSTR)lpv, lpTitle, MB_OK);
if(dwRv)
LocalFree(lpv);
SetLastError(0);
return dwRv;
}
uintptr_t FindDMAAddy(uintptr_t ptr, vector<uintptr_t> offsets)
{
uintptr_t addr = ptr;
uintptr_t t;
for (unsigned int i = 0; i != offsets.size(); i++)
{
// printf("%x %x\n",addr,offsets[i]);
addr += offsets[i];
// printf("%x\n",addr);
if(i<offsets.size()-1)//最后一次只加偏移量,不用读取了
{
bool state = ReadProcessMemory(handle, (LPVOID)addr, &t, sizeof(t), 0);
if(!state)
{
// cout<<"error in reading memory!"<<endl;
addr=0;
break;
}
addr = t;
}
}
return addr;
}
int FindPID(string ProcessName)
{
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hProcessSnap == INVALID_HANDLE_VALUE) {
cout << "CreateToolhelp32Snapshot Error!" << endl;;
return false;
}
BOOL bResult =Process32First(hProcessSnap, &pe32);
int num(0);
while(bResult)
{
if(pe32.szExeFile==ProcessName)
{
return pe32.th32ProcessID;
}
bResult = Process32Next(hProcessSnap,&pe32);
}
CloseHandle(hProcessSnap);
return -1;
}
代码注入版本的
ce 写好汇编代码,复制16进制过来
ce_red2.cpp
// ce_red2.cpp : 此文件包含 "main" 函数。程序执行将在此处开始并结束。
//
#include "functions.h"
#include "red2_functions.h"
string process_name = "game.exe";
int pid;
void init()
{
pid = FindPID(process_name);
while (pid == -1)
{
pid = FindPID(process_name);
printf("未检测到 game.exe\n");
Sleep(5000);//暂停5秒
}
}
void code_inject_function()
{
inject_money_decrease(pid);
zero_cooldown_time(pid);
}
void invoke_function()
{
unlimted_blood(pid);
upgrade(pid);
rebellion(pid);
}
int main()
{
init();
//code_inject_function();
while (1)
{
invoke_function();
Sleep(1000);//暂停1秒
}
return 0;
}
red2_functions.h
#pragma once
#include "functions.h"
bool inject_money_decrease(DWORD pid);
void zero_cooldown_time(DWORD pid);
uintptr_t get_myself_team_id(DWORD pid);
vector<uintptr_t> get_selected_items_base_address(DWORD pid);
void unlimted_blood(DWORD pid);
void upgrade(DWORD pid);
void rebellion(DWORD pid);
red2_functions.cpp
#include "red2_functions.h"
bool inject_money_decrease(DWORD pid)
{
uintptr_t code_address;
uintptr_t new_memory_address;
string inject_module_name = "game.exe";
HMODULE inject_module_base_address = get_inject_module_base_address(pid, inject_module_name);
code_address = (uintptr_t)inject_module_base_address + 0xE53AF;
// 注入跳转到新内存的jmp
uintptr_t offset = 0;
string offset_string = "";
string inject_code_string = "E9 4C AC 77 00 90";
string new_code_string = "89 83 4C 02 00 00 C7 83 4C 02 00 00 40 42 0F 00 E9 A0 53 88 FF";
unsigned int inject_code_size = inject_code_string.size() / 3 + !(inject_code_string.size() % 3 == 0);
unsigned int new_code_size = new_code_string.size() / 3 + !(new_code_string.size() % 3 == 0);
// 申请新的内存
new_memory_address = (uintptr_t)process_alloc(pid, new_code_size);
//printf("new_memory_address is: %x\n", new_memory_address);
// 向新内存区写入新代码
offset = (code_address + inject_code_size) - (new_memory_address + new_code_size);
offset_string = offset2String(offset);
new_code_string = "89 83 4C 02 00 00 C7 83 4C 02 00 00 40 42 0F 00 E9 " + offset_string;
uint8_t* new_code_data = HexCodeString2uint8t(new_code_string);
write_memory(pid, new_memory_address, (char*)new_code_data, new_code_size);
free(new_code_data);
// 注入跳转到新内存的jmp
offset = new_memory_address - (code_address + 5);
offset_string = offset2String(offset);
inject_code_string = "E9 " + offset_string + " 90";
uint8_t* inject_code_data = HexCodeString2uint8t(inject_code_string);
write_memory(pid, code_address, (char*)inject_code_data, inject_code_size);
free(inject_code_data);
return TRUE;
}
void zero_cooldown_time(DWORD pid)
{
uintptr_t code_address;
uintptr_t new_memory_address;
string inject_module_name = "game.exe";
HMODULE inject_module_base_address = get_inject_module_base_address(pid, inject_module_name);
code_address = (uintptr_t)inject_module_base_address + 0xB9367;
// 注入跳转到新内存的jmp
uintptr_t offset = 0;
string offset_string = "";
string inject_code_string = "E9 94 6C 79 00 0F 1F 00";
string new_code_string = "89 56 24 C7 46 24 36 00 00 00 A1 2C 0D A4 00 E9 5B 93 86 FF";
unsigned int inject_code_size = inject_code_string.size() / 3 + !(inject_code_string.size() % 3 == 0);
unsigned int new_code_size = new_code_string.size() / 3 + !(new_code_string.size() % 3 == 0);
// 申请新的内存
new_memory_address = (uintptr_t)process_alloc(pid, new_code_size);
// 向新内存区写入新代码
offset = (code_address + inject_code_size) - (new_memory_address + new_code_size);
offset_string = offset2String(offset);
new_code_string = "89 56 24 C7 46 24 36 00 00 00 A1 2C 0D A4 00 E9 " + offset_string;
uint8_t* new_code_data = HexCodeString2uint8t(new_code_string);
write_memory(pid, new_memory_address, (char*)new_code_data, new_code_size);
free(new_code_data);
// 注入跳转到新内存的jmp
offset = new_memory_address - (code_address + 5);
offset_string = offset2String(offset);
inject_code_string = "E9 " + offset_string + " 0F 1F 00";
uint8_t* inject_code_data = HexCodeString2uint8t(inject_code_string);
write_memory(pid, code_address, (char*)inject_code_data, inject_code_size);
free(inject_code_data);
}
unsigned int get_selected_item_number(DWORD pid)
{
unsigned int selected_item_number = 0;
string inject_module_name = "game.exe";
HMODULE inject_module_base_address = get_inject_module_base_address(pid, inject_module_name);
uintptr_t selected_item_number_address = (uintptr_t)inject_module_base_address + 0x640C70;
uintptr_t* selected_item_number_data = (uintptr_t*)read_memory(pid, selected_item_number_address, 4);
if(selected_item_number_data!=NULL)selected_item_number = *selected_item_number_data;
free(selected_item_number_data);
return selected_item_number;
}
uintptr_t get_myself_team_id(DWORD pid)
{
uintptr_t myid = -1;
//获取自己的队伍id指针
//game.exe+635DB4
string inject_module_name = "game.exe";
HMODULE inject_module_base_address = get_inject_module_base_address(pid, inject_module_name);
uintptr_t myidaddr = (uintptr_t)inject_module_base_address + 0x635DB4;
uintptr_t *my_id_data = (uintptr_t*)read_memory(pid, myidaddr, 4);
if (my_id_data == NULL)printf("read myself_team_id failed!\n");
else myid = *my_id_data;
free(my_id_data);
return myid;
}
vector<uintptr_t> get_selected_items_base_address(DWORD pid)
{
vector<uintptr_t> selected_items_base_address;
// 指针指向的第一个对象的地址"game.exe"+00640C64 +0x0
string inject_module_name = "game.exe";
HMODULE inject_module_base_address = get_inject_module_base_address(pid, inject_module_name);
const int max_select_items = 500;
unsigned int selected_item_number = get_selected_item_number(pid);
for (int i = 0; i != selected_item_number; i++)
{
vector<uintptr_t> offsets;
offsets.push_back(0x00640C64);
offsets.push_back(4*i);
uintptr_t pointer_to_item_base_address = calc_offsets(pid, (uintptr_t)inject_module_base_address, offsets);
if (pointer_to_item_base_address == -1)break;
uintptr_t *pointer_data = (uintptr_t*)read_memory(pid, pointer_to_item_base_address, 4);
if (pointer_data == NULL)break;
uintptr_t item_base_address = *pointer_data;
free(pointer_data);
selected_items_base_address.push_back(item_base_address);
}
return selected_items_base_address;
}
void unlimted_blood(DWORD pid)
{
uintptr_t myid = get_myself_team_id(pid);
if (myid == -1)return;
vector<uintptr_t> selected_items_base_address = get_selected_items_base_address(pid);
for (int i = 0; i != selected_items_base_address.size(); i++)
{
//判断当前选择的对象的队伍id是不是自己的队伍id
uintptr_t item_id_address = selected_items_base_address[i] + 0x1B4;
uintptr_t *item_id_data = (uintptr_t*)read_memory(pid, item_id_address, 4);
uintptr_t item_id = *item_id_data;
free(item_id_data);
// 如果是自己人,那么就增加血量
if (myid == item_id)
{
int blood = 20000;
uintptr_t blood_address = selected_items_base_address[i] + 0x6C;
write_memory(pid, blood_address, (char*)&blood, 4);
}
else
{
// 如果不是自己人,那么可以减少他的血量,但是没有必要
int blood = 1;
/* uintptr_t blood_address = selected_items_base_address[i] + 0x6C;
write_memory(pid, blood_address, (char*)&blood, 4);*/
}
}
}
void upgrade(DWORD pid)
{
uintptr_t myid = get_myself_team_id(pid);
if (myid == -1)return;
vector<uintptr_t> selected_items_base_address = get_selected_items_base_address(pid);
for (int i = 0; i != selected_items_base_address.size(); i++)
{
//判断当前选择的对象的队伍id是不是自己的队伍id
uintptr_t item_id_address = selected_items_base_address[i] + 0x1B4;
uintptr_t* item_id_data = (uintptr_t*)read_memory(pid, item_id_address, 4);
uintptr_t item_id = *item_id_data;
free(item_id_data);
// 如果是自己人,那么就升级
if (myid == item_id)
{
double grade = 2;
uintptr_t blood_address = selected_items_base_address[i] + 0x118;
write_memory(pid, blood_address, (char*)&grade, sizeof(double));
}
else
{
// 如果不是自己人,那么可以减低他的级别,但是没有必要
double grade = 0;
/*uintptr_t blood_address = selected_items_base_address[i] + 0x118;
write_memory(pid, blood_address, (char*)&grade, sizeof(double));*/
}
}
}
void rebellion(DWORD pid)
{
uintptr_t myid = get_myself_team_id(pid);
if (myid == -1)return;
vector<uintptr_t> selected_items_base_address = get_selected_items_base_address(pid);
//修改当前选中的对象的队伍id指针为自己的id指针
for (int i = 0; i != selected_items_base_address.size(); i++)
{
//判断当前选择的对象的队伍id是不是自己的队伍id
uintptr_t item_id_address = selected_items_base_address[i] + 0x1B4;
uintptr_t* item_id_data = (uintptr_t*)read_memory(pid, item_id_address, 4);
uintptr_t item_id = *item_id_data;
free(item_id_data);
if (item_id != myid)
{
write_memory(pid, item_id_address, (char*)&myid, 4);
}
}
}
functions.h
#pragma once
//
// Created by Amazing on 2021/12/2.
//
#ifndef CE_INJECT_FUNCTIONS_H
#define CE_INJECT_FUNCTIONS_H
#include <iostream>
#include <Windows.h>
#include <Tlhelp32.h>
#include <stdio.h>
#include <time.h>
#include <tchar.h>
#include <psapi.h>
#include <vector>
#include <map>
#include <conio.h>
#include <process.h>
using namespace std;
wstring string2wstring(string str);
string wstring2string(wstring wstr);
HANDLE get_handle(int pid);
unsigned int get_base_address(int pid);
int FindPID(string ProcessName);
uintptr_t calc_offsets(DWORD pid, uintptr_t ptr, vector<uintptr_t> offsets);
LPVOID process_alloc(DWORD pid, unsigned int bytes);
bool get_all_module_base_address(DWORD pid, map<string, HMODULE>& module_base_address_map);
HMODULE get_inject_module_base_address(DWORD pid, string inject_module_name);
int* read_memory(DWORD pid, uintptr_t addr, unsigned int bytes);
bool write_memory(DWORD pid, uintptr_t addr, char* data, int bytes);
inline int Hexchar2int(char c);
inline char Hexint2char(int t);
uint8_t* HexCodeString2uint8t(string HexCodeString);
string offset2String(uintptr_t offset);
#endif //CE_INJECT_FUNCTIONS_H
functions.cpp
//
// Created by Amazing on 2021/12/2.
//
#include "functions.h"
#include <Windows.h>
//将string转换成wstring
wstring string2wstring(string str)
{
wstring result;
//获取缓冲区大小,并申请空间,缓冲区大小按字符计算
int len = MultiByteToWideChar(CP_ACP, 0, str.c_str(), str.size(), NULL, 0);
TCHAR* buffer = new TCHAR[len + 1];
//多字节编码转换成宽字节编码
MultiByteToWideChar(CP_ACP, 0, str.c_str(), str.size(), buffer, len);
buffer[len] = '\0'; //添加字符串结尾
//删除缓冲区并返回值
result.append(buffer);
delete[] buffer;
return result;
}
//将wstring转换成string
string wstring2string(wstring wstr)
{
string result;
//获取缓冲区大小,并申请空间,缓冲区大小事按字节计算的
int len = WideCharToMultiByte(CP_ACP, 0, wstr.c_str(), wstr.size(), NULL, 0, NULL, NULL);
char* buffer = new char[len + 1];
//宽字节编码转换成多字节编码
WideCharToMultiByte(CP_ACP, 0, wstr.c_str(), wstr.size(), buffer, len, NULL, NULL);
buffer[len] = '\0';
//删除缓冲区并返回值
result.append(buffer);
delete[] buffer;
return result;
}
inline int Hexchar2int(char c)
{
int ans = 0;
if (c >= '0' && c <= '9')ans = c - '0';
else ans = c - 'A' + 10;
if (ans > 32)ans -= 32;
return ans;
}
inline char Hexint2char(int t)
{
char c = '0';
if (t >= 0 && t <= 9)c = t + '0';
else c = t - 10 + 'A';
return c;
}
uint8_t* HexCodeString2uint8t(string HexCodeString)
{
int t = 0;
int cnt = 0;
int size = HexCodeString.size() / 3 + !(HexCodeString.size() % 3 == 0);
uint8_t* data = (uint8_t*)malloc(size);
for (int i = 0; i != HexCodeString.size(); i++)
{
if (HexCodeString[i] == ' ')
{
data[cnt] = t; t = 0; cnt++;
}
else
{
t <<= 4;
t += Hexchar2int(HexCodeString[i]);
}
}
data[cnt] = t;
return data;
}
string offset2String(uintptr_t offset)
{
string ans = "";
for (int i = 0; i != 4; i++)
{
int t = offset & 0xFF;
if (i != 0)ans += " ";
ans += Hexint2char(t >> 4);
ans += Hexint2char(t & 0xF);
offset >>= 8;
}
return ans;
}
int FindPID(string ProcessName)
{
int pid = -1;
PROCESSENTRY32 pe32;
pe32.dwSize = sizeof(pe32);
HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE) {
cout << "CreateToolhelp32Snapshot Error!" << endl;;
return false;
}
BOOL bResult = Process32First(hProcessSnap, &pe32);
int num(0);
while (bResult)
{
if (wstring2string(wstring(pe32.szExeFile)) == ProcessName)
{
pid = pe32.th32ProcessID;
break;
}
bResult = Process32Next(hProcessSnap, &pe32);
}
CloseHandle(hProcessSnap);
return pid;
}
HANDLE get_handle(int pid)
{
HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
return handle;
}
uintptr_t calc_offsets(DWORD pid, uintptr_t ptr, vector<uintptr_t> offsets)
{
uintptr_t addr = ptr;
uintptr_t t;
HANDLE handle = get_handle(pid);
for (unsigned int i = 0; i != offsets.size(); i++)
{
addr += offsets[i];
if (i < offsets.size() - 1)//最后一次只加偏移量,不用读取了
{
bool state = ReadProcessMemory(handle, (LPVOID)addr, &t, sizeof(t), 0);
if (!state)
{
// cout<<"error in reading memory!"<<endl;
addr = -1;
break;
}
addr = t;
}
}
CloseHandle(handle);
return addr;
}
LPVOID process_alloc(DWORD pid, unsigned int bytes)
{
LPVOID virAddr = NULL;
HANDLE handle = get_handle(pid);
virAddr = VirtualAllocEx(handle, NULL, bytes, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
CloseHandle(handle);
return virAddr;
}
bool get_all_module_base_address(DWORD pid, map<string, HMODULE>& module_base_address_map)
{
module_base_address_map.clear();
bool flag = TRUE;
const int max_module_number = 1024;
HMODULE hMods[max_module_number];
HANDLE handle;
DWORD cbNeeded;
unsigned int i;
// Get a handle to the process.
handle = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
if (handle == NULL)flag = false;
if (flag != false)
{
// Get a list of all the modules in this process.
//if (EnumProcessModules(handle, hMods, sizeof(hMods), &cbNeeded))
//if (EnumProcessModulesEx(handle, hMods, sizeof(hMods), &cbNeeded, LIST_MODULES_32BIT))
//if (EnumProcessModulesEx(handle, hMods, sizeof(hMods), &cbNeeded, LIST_MODULES_64BIT))
//if (EnumProcessModulesEx(handle, hMods, sizeof(hMods), &cbNeeded, LIST_MODULES_ALL)!=0)
if (EnumProcessModulesEx(handle, hMods, sizeof(hMods), &cbNeeded, (DWORD)(0x01 | 0x02)) != 0)
// if (EnumProcessModulesEx(handle, hMods, sizeof(hMods), &cbNeeded, LIST_MODULES_32BIT)!=0)
{
for (i = 0; i < (cbNeeded / sizeof(HMODULE)); i++)
{
TCHAR szModName[MAX_PATH];
// Get the full path to the module's file.
if (GetModuleFileNameEx(handle, hMods[i], szModName, sizeof(szModName) / sizeof(TCHAR)))
{
// Print the module name and handle value.
module_base_address_map[wstring2string(wstring(szModName))] = hMods[i];
}
}
}
// Release the handle to the process.
CloseHandle(handle);
}
return flag;
}
HMODULE get_inject_module_base_address(DWORD pid, string inject_module_name)
{
HMODULE inject_module_base_address = NULL;
map<string, HMODULE> module_base_address_map;
bool flag = get_all_module_base_address(pid, module_base_address_map);
if (flag == FALSE)return inject_module_base_address;
for (auto it = module_base_address_map.begin(); it != module_base_address_map.end(); it++)
{
int module_name_start = it->first.rfind("\\") + 1;
string module_name = it->first.substr(module_name_start, it->first.size() - module_name_start);
if (module_name == inject_module_name)
{
inject_module_base_address = it->second;
break;
}
}
return inject_module_base_address;
}
int* read_memory(DWORD pid, uintptr_t addr, unsigned int bytes)
{
HANDLE handle = get_handle(pid);
int* t = (int*)malloc(bytes);
bool state = ReadProcessMemory(handle, (LPVOID)addr, t, bytes, NULL);
if (!state)
{
free(t);
t = NULL;
}
CloseHandle(handle);
return t;
}
bool write_memory(DWORD pid, uintptr_t addr, char* data, int bytes)
{
HANDLE handle = get_handle(pid);
bool flag = WriteProcessMemory(handle, (LPVOID)addr, data, bytes, NULL);
CloseHandle(handle);
return flag;
}