;-----------------------------------------------------------------------
; JASS native entry points as absolute addresses (JN* = "Jass Native").
; Each equate is preceded by the native's JASS declaration, so the
; argument list and return type are known wherever it is called.
; NOTE(review): these are hard-coded absolute addresses, presumably
; inside the Game.dll that FirstRun loads below, and valid for exactly
; one build of that module — confirm which. Nothing here checks the
; loaded version, so on any other build a call through one of these
; lands on unrelated code; a version check belongs before first use.
;-----------------------------------------------------------------------
;constant native GetUnitY takes unit whichUnit returns real
JNGetUnitY equ 6F3C6090h
;native SetUnitX takes unit whichUnit, real newX returns nothing
JNSetUnitX equ 6F3C64B0h
;constant native IsUnitType takes unit whichUnit, unittype whichUnitType returns boolean
JNIsUnitType equ 6F3C89D0h
;constant native IsUnitIllusion takes unit whichUnit returns boolean
JNIsUnitIllusion equ 6F3C8690h
;constant native IsUnitVisible takes unit whichUnit, player whichPlayer returns boolean
JNIsUnitVisible equ 6F3C8630h
;constant native GetOwningPlayer takes unit whichUnit returns player
JNGetOwningPlayer equ 6F3C8CD0h
;native GetPlayerColor takes player whichPlayer returns playercolor
JNGetPlayerColor equ 6F3C1D80h
;constant native GetUnitState takes unit whichUnit, unitstate whichUnitState returns real
JNGetUnitState equ 6F3C5F40h
;native CreateUnit takes player id, integer unitid, real x, real y, real face returns unit
JNCreateUnit equ 6F3C5D70h
;native CreateItem takes integer itemid, real x, real y returns item
JNCreateItem equ 6F3BC4E0h
.code
;外挂的入口点
;Cheat entry point: jumps over the inline data below to codestart.
;All of this data lives in .code; any run-time write to it (hookaddr,
;the handles, dwHeroIds) needs the page made writable first, which is
;presumably why VirtualProtect is in the import list — the write sites
;are not in this chunk.
START:
jmp codestart
align 4
hTimer dd 0 ; presumably the SetTimer handle (KillTimer is imported too) — confirm
hGameDll dd 0 ; module handle of Game.dll, stored by FirstRun after LoadLibrary
dwStatus dd 0 ; NOTE(review): meaning not visible in this chunk — confirm
dwHeroIds dd 20 dup(?) ; 20 uninitialized dwords; name suggests hero unit ids — confirm
; Hand-assembled 6-byte stub: PUSH imm32 / RET, an absolute jump to
; whatever hookaddr holds at run time. hookaddr starts as 0, so the stub
; is unusable until patched; the patch site is outside this chunk.
hookcode db 68h ; PUSH imm32
hookaddr dd 0 ; imm32 operand of the PUSH above = the jump target
db 0c3h ; RET — pops hookaddr into EIP
align 4
dwLastJassEnv dd 0 ; NOTE(review): purpose not visible here — confirm
; Table of 12 player colours, one dword each. Every entry has FF in the
; high byte, so this looks like ARGB with full alpha; presumably indexed
; by the playercolor value GetPlayerColor returns — confirm against the
; consumer, which is not in this chunk.
dwColors dd 0FFFF0202h ; red
dd 0FF0041FFh ; blue
dd 0FF1BE5B8h ; cyan
dd 0FF530080h ; purple
dd 0FFFFFC00h ; yellow
dd 0FFFE890Dh ; orange
dd 0FF1FBF00h ; green
dd 0FFE45AAFh ; pink
dd 0FF949596h ; light gray
dd 0FF7DBEF1h ; light blue
dd 0FF0F6145h ; aqua
dd 0FF4D2903h ; brown
;-----------------------------------------------------------------------
; DllFunc fn
; Emits one entry of the hand-built import table: the function name as a
; NUL-terminated ASCII string, labelled p<fn>. For example
;   DllFunc Sleep
; expands to
;   pSleep db "Sleep", 0
; The p<fn> label is what the resolver and RLCInvoke refer to.
;-----------------------------------------------------------------------
DllFunc macro fn
p&fn& db "&fn&", 0
endm
;需要的函数,其实就是自定义的输入表
dllKernel32 db "kernel32.dll", 0
DllFunc CloseHandle
DllFunc GetModuleHandleA
DllFunc GetProcAddress
DllFunc GetThreadContext
DllFunc GetThreadSelectorEntry
DllFunc LoadLibraryA
DllFunc MultiByteToWideChar
DllFunc OpenThread
DllFunc ResumeThread
DllFunc RtlZeroMemory
DllFunc RtlMoveMemory
DllFunc SetThreadContext
DllFunc Sleep
DllFunc SuspendThread
DllFunc WideCharToMultiByte
DllFunc ExitThread
DllFunc VirtualProtect
dd 0
dllUser32 db "user32.dll", 0
DllFunc wsprintfA
DllFunc FindWindowA
DllFunc GetWindowThreadProcessId
DllFunc KillTimer
DllFunc SetTimer
dd 0
codestart:
;外挂的实际入口点,唯一的参数是线程回调要求的,传入GetProcAddress的地址
FirstRun proc pMyGetProcAddress:DWORD
LOCAL stContext:CONTEXT
LOCAL stLdt:LDT_ENTRY
LOCAL hKernel32:DWORD
GetBase
mov eax, pMyGetProcAddress ; 通过搜索’MZ’标志确定kernel32.dll的基址
and eax, not (0FFFh)
.while WORD ptr [eax] != 'ZM'
sub eax, 1000h
.endw
mov ecx, eax
mov hKernel32, eax
lea eax, RLC(T("LoadLibraryA"))
push eax
push ecx
call DWORD ptr pMyGetProcAddress
mov esi, eax
mov edi, pMyGetProcAddress
;解析输入表
lea eax, RLC(dllKernel32)
call resolve_imports
lea eax, RLC(dllUser32)
call resolve_imports
;解析输入表后,就可以使用RLCInvoke宏调用API了
RLCInvoke LoadLibrary, "Game.dll"
mov RLC(hGameDll), eax
;寻找魔兽争霸的主窗口,并且根据这个确定主线程ID
.while 1
RLCInvoke FindWindow, "Warcraft III", NULL
.break .if eax
RLCInvoke Sleep, 500
.endw
push 0
RLCInvoke GetWindowThreadProcessId, eax, esp
pop edx
mov esi, eax
;取得SE_DEBUG_PRIVILEGE权限
RLCInvoke GetModuleHandle, "ntdll.dll"
RLCInvoke GetProcAddress, eax, "RtlAdjustPrivilege"
push 0 ; old enable stor
push esp ; ptr old enable
push 0 ; current thread ? |