private void FrmEnhanceTest_Load(object sender, EventArgs e)
{
//开启控制台输出
LoadDll.AllocConsole();
mhxy.MHKernel mk = new mhxy.MHKernel();
mk.Init();
}
public void reSetMouse()
{
int x = Convert.ToInt32(txt_exit_x.Text.Trim());
int y = Convert.ToInt32(txt_exit_y.Text.Trim());
int c_x = LoadDll.ReadHwndMemoryOffsetValue((IntPtr)hwnd, Global.addr.MapAddr, 0xCC);
int c_y = LoadDll.ReadHwndMemoryOffsetValue((IntPtr)hwnd, Global.addr.MapAddr, 0xD0);
//屏幕宽高
int[] scr = Global.addr.GetMhxyScreen(hwnd);
//目的地址坐标
int s_x = x * 20 + 10;
int s_y = Global.addr.GetMapY(hwnd) - ((y * 20) + 10);
int x_min = c_x - scr[0] / 2;
int x_max = c_x + scr[0] / 2;
int y_min = c_y - scr[1] / 2;
int y_max = c_y + scr[1] / 2;
x = s_x - x_min;
y = s_y - y_min;
LoadDll.WriteMemoryHwndValue((IntPtr)hwnd, Global.addr.bX, BitConverter.GetBytes(x));
LoadDll.WriteMemoryHwndValue((IntPtr)hwnd, new IntPtr(Global.addr.bX + 4).ToInt32(), BitConverter.GetBytes(y));
}
/// <summary>
/// 读取窗口句柄中的值
/// </summary>
/// <param name="hwnd"></param>
/// <param name="offset"></param>
/// <returns></returns>
public static int ReadHwndMemoryOffsetValue(IntPtr hwnd, params int[] offset)
{
IntPtr pid = IntPtr.Zero;
//获取窗口句柄
LoadDll.GetWindowThreadProcessId(hwnd, out pid);
int ret = ReadMemoryOffsetValue(pid.ToInt32(), offset);
return(ret);
}
/// <summary>
/// 读取句柄中内存的值
/// </summary>
/// <param name="hwnd"></param>
/// <param name="baseAddress"></param>
/// <returns></returns>
public static int ReadHwndMemoryValue(IntPtr hwnd, int baseAddress)
{
IntPtr pid = IntPtr.Zero;
//获取窗口句柄
LoadDll.GetWindowThreadProcessId(hwnd, out pid);
int ret = LoadDll.ReadMemoryValue(pid.ToInt32(), baseAddress);
return(ret);
}
/// <summary>
/// 内存申请
/// </summary>
/// <param name="hwnd">窗口句柄</param>
/// <param name="addr">地址</param>
/// <param name="size">区域大小</param>
/// <param name="attr">设置为PAGE_EXECUTE_READWRITE(0x40)时该内存页为可读可写可执行。</param>
/// <param name="prevValue">内存原始属性类型保存地址</param>
/// <returns></returns>
public static int MemoryAlloc(IntPtr hwnd, int addr, int size, int attr, int prevValue)
{
IntPtr pid = IntPtr.Zero;
//获取窗口句柄
GetWindowThreadProcessId(hwnd, out pid);
IntPtr hWnd = LoadDll.OpenProcess(0x1F0FFF, false, pid.ToInt32()); //获取进程句柄
return(VirtualProtectEx(hwnd, addr, 4096, 64, ref prevValue)); //执行VirtualProtectEx函数
}
/// <summary>
/// 获取句柄进程,记得关闭
/// </summary>
/// <param name="hwnd"></param>
/// <returns></returns>
public static IntPtr GetHwndProcess(IntPtr hwnd)
{
IntPtr pid = IntPtr.Zero;
//获取窗口句柄
LoadDll.GetWindowThreadProcessId(hwnd, out pid);
IntPtr hProcess = OpenProcess(0xFFFFF, false, pid.ToInt32());
return(hProcess);
}
private void btnQh_Click(object sender, EventArgs e)
{
string selectValue = ((util.ComboxItem)cbxWin.SelectedItem).Values;
//设置默认窗口
current_mh = new IntPtr(Convert.ToInt32(selectValue));
//切换到截获全部
//bug 需要两次
LoadDll.subPkg(0, current_mh);
LoadDll.subPkg(1, current_mh);
btn_data_type.Text = "截获指定";
lab_mh_win.Text = "梦幻窗口句柄:" + selectValue;
}
/// <summary>
/// 初始化游戏
/// </summary>
/// <param name="hwnd"></param>
public void initMhSystem(IntPtr hwnd)
{
// string path = "E:\\mh_code\\mh\\mh\\bin\\x86\\Debug\\mhxy_kernel.dll";
string path = Path.GetFullPath("mhxy_kernel.dll");
//获取远程进程的函数地址
mhMsgCallBack = new LoadDll.ResvMhMsg(CallBackHandle);
//远程调用初始化
//LoadDll.InitSystemRemoteThread(path, hwnd, this.Handle, mhMsgCallBack);
//本地初始化
LoadDll.InitSystemMhxy(path, hwnd, this.Handle, mhMsgCallBack);
//跳过已经载入的窗口
if (mh_excute.ContainsKey(hwnd) == false)
{
//启动任务处理
mh_excute[hwnd] = new biz.Execute(hwnd);
}
IntPtr pid = IntPtr.Zero;
//获取窗口句柄
LoadDll.GetWindowThreadProcessId(hwnd, out pid);
//放置修改前的保护方式
Int32 prev = 0;
//获取进程句柄
IntPtr hWnd = LoadDll.OpenProcess(0x1F0FFF, false, pid.ToInt32());
//执行VirtualProtectEx函数
LoadDll.VirtualProtectEx(hWnd, 0x11000900, 4096, 64, ref prev);
LoadDll.CloseHandle(hWnd);
//更新基址
if (Global.addr == null)
{
Global.addr = new mhxy.AddrManager().loadAddr(hwnd.ToInt32());
}
//加载用户配置
string wName = mhxy.Common.GetMHName(hwnd.ToInt32());
if (wName != "mh")
{
//读取用户ID加载配置
int peopleID = Global.addr.GetPeopleID(hwnd.ToInt32());
Global.mh_cfg[hwnd] = model.MhxyConfig.GetID(peopleID);
Log.WriteLine("配置加载:{0}", peopleID);
}
}
private void btn_data_type_Click(object sender, EventArgs e)
{
if (btn_data_type.Text == "截获全部")
{
int ret = LoadDll.subPkg(1, current_mh);
btn_data_type.Text = "截获指定";
}
else
{
int ret = LoadDll.subPkg(0, current_mh);
btn_data_type.Text = "截获全部";
}
}
private void btn_send_Click(object sender, EventArgs e)
{
//Thread rt = new Thread(tt);
//rt.Start();
////mhxy.CallFunc.ReadDialog(current_mh.ToInt32());
//IntPtr hwnd = LoadDll.FindWindow("WSGAME", null);
//initMhSystem(hwnd);
//return;
string txt = txtSend.Text.Trim();
if (txt == "" || current_mh == IntPtr.Zero)
{
return;
}
LoadDll.sendMsg(current_mh, txt);
}
/// <summary>
/// 初始化游戏
/// </summary>
/// <param name="hwnd"></param>
public void initMhxy(IntPtr hwnd)
{
//获取梦幻西游句柄
btn_send.Enabled = true;
//初始化基本信息
LoadDll.initmhDll(hwnd.ToInt32(), this.Handle.ToInt32());
//bug 需要两次
LoadDll.subPkg(0, hwnd);
LoadDll.subPkg(1, hwnd);
//跳过已经载入的窗口
if (mh_excute.ContainsKey(hwnd) == false)
{
//启动任务处理
mh_excute[hwnd] = new biz.Execute(hwnd);
}
IntPtr pid = IntPtr.Zero;
//获取窗口句柄
LoadDll.GetWindowThreadProcessId(hwnd, out pid);
//放置修改前的保护方式
Int32 prev = 0;
//获取进程句柄
IntPtr hWnd = LoadDll.OpenProcess(0x1F0FFF, false, pid.ToInt32());
//执行VirtualProtectEx函数
LoadDll.VirtualProtectEx(hWnd, 0x11000900, 4096, 64, ref prev);
LoadDll.CloseHandle(hWnd);
//更新基址
if (Global.addr == null)
{
Global.addr = new mhxy.AddrManager().loadAddr(hwnd.ToInt32());
}
//加载用户配置
string wName = mhxy.Common.GetMHName(hwnd.ToInt32());
if (wName != "mh")
{
//读取用户ID加载配置
int peopleID = Global.addr.GetPeopleID(hwnd.ToInt32());
Global.mh_cfg[hwnd] = model.MhxyConfig.GetID(peopleID);
Log.WriteLine("配置加载:{0}", peopleID);
}
}
public static void InitSystemRemoteThread(string path, IntPtr hwnd, IntPtr myHwnd, ResvMhMsg mhMsgCallBack)
{
//注入dll
bool ret = util.WinApi.DoInjection(path, hwnd);
if (!ret)
{
return;
}
//读取内存共享区函数基址
util.ShareMemory recvHwnd = new util.ShareMemory("mh_" + hwnd.ToInt32().ToString(), 4096);
byte[] funcBytes = recvHwnd.Read(recvHwnd.lpBase.ToInt32(), Marshal.SizeOf(typeof(MhFuncAddrs)));
MhFuncAddrs mf = (MhFuncAddrs)StringUtil.BytesToStruct(funcBytes, typeof(MhFuncAddrs));
//获取远程进程的函数地址
ProCallback pro = new ProCallback();
pro.hwnd = myHwnd;
pro.callBack = mhMsgCallBack;
int size = Marshal.SizeOf(typeof(LoadDll.ProCallback));
IntPtr process = LoadDll.GetHwndProcess(hwnd);
IntPtr AllocAddr = util.WinApi.VirtualAllocEx(process, 0, size, util.WinApi.AllocationType.MEM_COMMIT, 0x04);
byte[] data = StringUtil.StructToBytes(pro, size);
LoadDll.WriteProcessMemory(process, AllocAddr, data, size, IntPtr.Zero);
IntPtr hRemoteThread = util.WinApi.CreateRemoteThread(process, 0, 0, mf.InitSystemRemoteThread, AllocAddr, 0, 0);
util.WinApi.WaitForSingleObject(hRemoteThread, 0xFFFFFFFF); //等待线程结束
int remoteModule = 0;
util.WinApi.GetExitCodeThread(hRemoteThread, ref remoteModule);
LoadDll.Free(process, hRemoteThread, AllocAddr);
Global.mh_func[hwnd] = mf;
}
private void FrmMain_Load(object sender, EventArgs e)
{
loopMsg = new Thread(loopReadMsg);
Control.CheckForIllegalCrossThreadCalls = true;
//开启控制台输出
LoadDll.AllocConsole();
loadType();
lv_pkg.AutoResizeColumns(ColumnHeaderAutoResizeStyle.HeaderSize);
//获得当前窗口句柄
IntPtr hwnd = this.Handle;
lab_current_win.Text += hwnd.ToString();
loopMsg.Start();
}
/// <summary>
/// 读取浮点数据
/// </summary>
/// <param name="hwnd"></param>
/// <param name="baseAddress"></param>
/// <returns></returns>
public static float ReadHwndMemoryFloatValue(IntPtr hwnd, int baseAddress)
{
IntPtr pid = IntPtr.Zero;
//获取窗口句柄
LoadDll.GetWindowThreadProcessId(hwnd, out pid);
byte[] buffer = new byte[4];
IntPtr byteAddress = Marshal.UnsafeAddrOfPinnedArrayElement(buffer, 0);
IntPtr hProcess = LoadDll.OpenProcess(0x1F0FFF, false, pid.ToInt32());
LoadDll.ReadProcessMemory(hProcess, (IntPtr)baseAddress, byteAddress, 4, IntPtr.Zero);
float ret = BitConverter.ToSingle(buffer, 0);
//关闭操作
CloseHandle(hProcess);
return(ret);
}
//将值写入指定内存地址中
public static bool WriteMemoryHwndValue(IntPtr hwnd, int baseAddress, byte[] value)
{
bool ret = false;
IntPtr pid = IntPtr.Zero;
//获取窗口句柄
LoadDll.GetWindowThreadProcessId(hwnd, out pid);
try
{
//打开一个已存在的进程对象 0x1F0FFF 最高权限
IntPtr hProcess = OpenProcess(0x1F0FFF, false, pid.ToInt32());
//从指定内存中写入字节集数据
ret = WriteProcessMemory(hProcess, (IntPtr)baseAddress, value, value.Length, IntPtr.Zero);
//关闭操作
CloseHandle(hProcess);
}
catch { }
return(ret);
}