Attribute VB_Name = "Module1"
Option Compare Text
'PROCESSENTRY32 as filled in by Process32First/Process32Next (ANSI, 32-bit layout).
'Only dwSize, th32ProcessID and szexeFile are used by this module.
Private Type PROCESSENTRY32
dwSize As Long                'must be set to Len(PROCESSENTRY32) before the first Process32First call
cntUsage As Long
th32ProcessID As Long         'PID handed to OpenProcess by GetProcessHandle
th32DefaultHeapID As Long
th32ModuleID As Long
cntThreads As Long
th32ParentProcessID As Long
pcPriClassBase As Long
dwFlags As Long
szexeFile As String * 260     'NUL-terminated image base name (260 = MAX_PATH); compare up to the first vbNullChar
End Type
'MEMORY_BASIC_INFORMATION as returned by VirtualQueryEx (32-bit layout, 28 bytes).
'GetRolesAddr uses State, Protect and RegionSize to walk the target's address space.
Private Type MEMORY_BASIC_INFORMATION
BaseAddress As Long
AllocationBase As Long
AllocationProtect As Long
RegionSize As Long            'size in bytes of the run of pages with identical attributes; added to the query address to advance
State As Long                 'compared against MEM_COMMIT
Protect As Long               'compared (exact equality) against PAGE_READWRITE; guarded/no-cache variants are skipped
Type As Long
End Type
'SYSTEM_INFO as filled in by GetSystemInfo (32-bit layout).
'Only lpMaximumApplicationAddress is read here (upper bound of the region scan).
'NOTE(review): dwNumberOrfProcessors is a typo of dwNumberOfProcessors; kept because
'it is a type member name and nothing in this module reads it.
Private Type SYSTEM_INFO
dwOemID As Long               'covers the SDK's wProcessorArchitecture/wReserved union
dwPageSize As Long
lpMinimumApplicationAddress As Long
lpMaximumApplicationAddress As Long   'highest user-mode address; scan stops here
dwActiveProcessorMask As Long
dwNumberOrfProcessors As Long
dwProcessorType As Long
dwAllocationGranularity As Long
dwReserved As Long
End Type
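'--- Win32 API declarations --------------------------------------------------
'InitCommonControls, FindWindow and GetWindowThreadProcessId are declared but
'not called in this module.
Declare Sub InitCommonControls Lib "comctl32.dll" ()
Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, lpdwProcessId As Long) As Long
'OpenProcess: the returned handle is used by VirtualQueryEx/ReadProcessMemory.
Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
'WriteProcessMemory is declared (and therefore callable from other modules)
'but is not used in this module.
Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
'FIX: lpNumberOfBytesRead had no type, i.e. it was an implicit ByRef Variant, so
'the API wrote its 4-byte count into the header of a temporary VARIANT. It is
'an LPDWORD, i.e. ByRef Long. Existing callers that pass a literal 0 still compile.
Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesRead As Long) As Long
Declare Sub GetSystemInfo Lib "kernel32" (lpSystemInfo As SYSTEM_INFO)
Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
Declare Function ProcessFirst Lib "kernel32" Alias "Process32First" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
Declare Function ProcessNext Lib "kernel32" Alias "Process32Next" (ByVal hSnapshot As Long, uProcess As PROCESSENTRY32) As Long
'FIX: th32ProcessID is a DWORD passed by value. The original ByRef declaration
'handed the API the address of a temporary instead of the PID; that was only
'harmless because TH32CS_SNAPPROCESS ignores the argument.
Declare Function CreateToolhelpSnapshot Lib "kernel32" Alias "CreateToolhelp32Snapshot" (ByVal lFlags As Long, ByVal lProcessID As Long) As Long
Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, ByVal lpAddress As Long, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
'Declare Function VarPtr Lib "MSVBVM60" (var As Any) As Long
'Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
'--- Constants and module state ----------------------------------------------
Private Const TH32CS_SNAPPROCESS As Long = 2&
Private Const PAGE_READWRITE = &H4
Private Const MEM_COMMIT = &H1000
Public Const PROCESSNAME = "Wind5.exe"    'image base name of the target process
Public RolesAddr(512) As Long             '0..512: remote addresses found by FindEig
Public lNumOfRoles As Long                'number of valid entries in RolesAddr
Public lCodeTable(256) As Long            '0..256: 256*4 bytes copied from the target by GetRolesAddr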
'Get the process handle-------------------------------------------------------------------------------------
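Public Function GetProcessHandle() As Long
    'Purpose: find the first running process whose image name equals PROCESSNAME
    'and open it. Returns the process handle, or 0 if the snapshot cannot be
    'taken, no such process exists, or OpenProcess fails. The caller owns the
    'returned handle and must CloseHandle it.
    '
    'Fixes vs. the original: the toolhelp snapshot handle was leaked on every
    'path; neither the snapshot nor the Process32First result was checked; the
    'name was matched as a hard-coded 9-character prefix, so any image name
    'starting with "Wind5.exe" also matched. The name is now compared in full
    '(case-insensitively, per Option Compare Text, which is correct for Windows
    'file names).
    Const INVALID_HANDLE_VALUE As Long = -1
    'SECURITY NOTE: &H1F0FFF is PROCESS_ALL_ACCESS (pre-Vista value; still a
    'valid subset on later Windows). This module only calls VirtualQueryEx and
    'ReadProcessMemory on the handle, which need no more than
    'PROCESS_QUERY_INFORMATION Or PROCESS_VM_READ (&H400 Or &H10). The full
    'mask is kept only because WriteProcessMemory is declared in this file and
    'may be used by another module; reduce it if that is not the case.
    Const PROCESS_ALL_ACCESS As Long = &H1F0FFF

    Dim entry As PROCESSENTRY32
    Dim hSnapshot As Long
    Dim hProcess As Long
    Dim exeName As String
    Dim nulPos As Long

    GetProcessHandle = 0
    hProcess = 0

    hSnapshot = CreateToolhelpSnapshot(TH32CS_SNAPPROCESS, 0&)
    If hSnapshot = INVALID_HANDLE_VALUE Or hSnapshot = 0 Then Exit Function

    entry.dwSize = Len(entry)
    If ProcessFirst(hSnapshot, entry) <> 0 Then
        Do
            'szexeFile is a fixed 260-char buffer; use only the NUL-terminated part.
            nulPos = InStr(entry.szexeFile, vbNullChar)
            If nulPos > 0 Then
                exeName = Left$(entry.szexeFile, nulPos - 1)
            Else
                exeName = entry.szexeFile
            End If
            If exeName = PROCESSNAME Then
                'bInheritHandle = 0: child processes must not inherit this handle.
                hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0&, entry.th32ProcessID)
                Exit Do
            End If
        Loop While ProcessNext(hSnapshot, entry) <> 0
    End If

    'The snapshot is only needed for enumeration; release it on every path.
    CloseHandle hSnapshot
    GetProcessHandle = hProcess
End Function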
'Get the role (character) addresses and the code table-------------------------------------------------------------------------------------
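Public Function GetRolesAddr(ByVal hProcess As Long) As Integer
    'Purpose: walk the target's committed PAGE_READWRITE regions starting at
    'SCAN_START_ADDR, copy each one into a local buffer and run FindEig over it
    'to collect candidate role addresses into the module arrays RolesAddr /
    'lNumOfRoles. Afterwards the code table at CODE_TABLE_ADDR (256*4 bytes) is
    'copied into lCodeTable.
    '
    'hProcess: handle from GetProcessHandle (needs query + VM-read rights).
    'Returns:  the number of role addresses found (lNumOfRoles), 0 on failure.
    '          The original never assigned its result, so it always returned 0.
    '
    'Other fixes: VirtualQueryEx's result is now checked (a failing first call
    'left mbi zeroed, so RegionSize = 0 and the loop never advanced); the fixed
    '1500-entry region tables are bounds-checked instead of raising run-time
    'error 9; hProcess = 0 is rejected up front; FindEig is not called once
    'RolesAddr is full (it has no bounds check of its own); the hard-coded
    'addresses are named constants. Both addresses are specific to the target
    'build and will need re-deriving when it changes.
    Const SCAN_START_ADDR As Long = &H680000
    Const CODE_TABLE_ADDR As Long = &H6711C8
    Const MAX_REGIONS As Long = 1500

    Dim regionAddr(1 To MAX_REGIONS) As Long
    Dim regionSize(1 To MAX_REGIONS) As Long
    Dim regionCount As Long
    Dim largestRegion As Long
    Dim mbi As MEMORY_BASIC_INFORMATION
    Dim sysInfo As SYSTEM_INFO
    Dim scanAddr As Long
    Dim buffer() As Byte
    Dim bytesRead As Long
    Dim i As Long

    GetRolesAddr = 0
    lNumOfRoles = 0
    If hProcess = 0 Then Exit Function

    GetSystemInfo sysInfo

    '--- pass 1: enumerate committed read/write regions ----------------------
    regionCount = 0: largestRegion = 0
    scanAddr = SCAN_START_ADDR
    Do While scanAddr < sysInfo.lpMaximumApplicationAddress
        'A zero return means the address is not queryable (or the handle lacks
        'PROCESS_QUERY_INFORMATION); stop rather than continue on stale data.
        If VirtualQueryEx(hProcess, scanAddr, mbi, Len(mbi)) = 0 Then Exit Do
        If mbi.RegionSize <= 0 Then Exit Do   'defensive: never fail to advance
        If mbi.State = MEM_COMMIT And mbi.Protect = PAGE_READWRITE Then
            If regionCount >= MAX_REGIONS Then Exit Do   'table full; scan what we have
            regionCount = regionCount + 1
            regionAddr(regionCount) = scanAddr
            regionSize(regionCount) = mbi.RegionSize
            If mbi.RegionSize > largestRegion Then largestRegion = mbi.RegionSize
        End If
        scanAddr = scanAddr + mbi.RegionSize
    Loop

    If regionCount = 0 Then Exit Function

    '--- pass 2: read each region and scan it for the role signature ----------
    ReDim buffer(largestRegion)
    For i = 1 To regionCount
        'A region that was freed or shrunk since pass 1 simply fails to read.
        If ReadProcessMemory(hProcess, regionAddr(i), buffer(0), regionSize(i), bytesRead) <> 0 Then
            'FindEig appends into RolesAddr without checking its size; stop
            'before the array (0..512) is full. A single region can still add
            'more than one entry, so this is a cap, not a guarantee.
            If lNumOfRoles >= UBound(RolesAddr) Then Exit For
            Call FindEig(regionAddr(i), buffer(0), regionSize(i), RolesAddr(0), lNumOfRoles)
        End If
    Next i

    '--- code table -----------------------------------------------------------
    'lCodeTable is 0..256 (257 Longs), so 256*4 bytes fit.
    Call ReadProcessMemory(hProcess, CODE_TABLE_ADDR, lCodeTable(0), 256 * 4, bytesRead)

    GetRolesAddr = lNumOfRoles
End Function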
'Search for the signature pattern-------------------------------------------------------------------------------------
'FindEig -- scan a buffer copied from the target process for the "role" signature.
'
'The VB body is empty: the procedure is implemented by the commented-out
'inline assembly below, presumably consumed by an inline-asm add-in that
'patches the compiled procedure (the '_asm{...} markers). Those comment
'lines are therefore code and must not be edited or translated.
'
'Arguments (stdcall, 5 dwords, see 'ret 5*4'):
'  lBaseAdrr   - remote address the buffer was read from (spelled lBaseAddr in the asm)
'  lpBuffer    - first byte of the local copy (passed ByRef, i.e. a pointer)
'  lBytesRead  - size of the copy; only the first lBytesRead-1024 bytes are
'                scanned (edi = esi + lBytesRead - 1024), so the look-ahead
'                reads below stay inside the buffer
'  lpRolesAddr - output array (RolesAddr(0) in GetRolesAddr); matches are
'                appended starting at index *lNumOfRoles
'  lNumOfRoles - in/out count (ByRef); updated with the new total on exit
'
'What the assembly matches, as read from the listing:
'  1. a run of at least 20 zero bytes, immediately followed by
'  2. dword 3452816845 (&HCDCDCDCD) at offset 0 and again at offset +36,
'  3. 56 zero bytes at +40..+95, and
'  4. the byte value 100 at +96.
'  The remote address of that byte (+96), i.e. esi - lpBuffer + lBaseAddr, is
'  stored as the role address. (&HCDCDCDCD resembles the MSVC debug-heap fill
'  pattern, but that is an inference about the target, not something this file
'  establishes.)
'
'REVIEW NOTES (not fixed here because the body is assembly):
'  - No bounds check on lpRolesAddr: RolesAddr holds 513 entries and every
'    match appends, so a buffer with enough matches writes past the array.
'    Callers must cap lNumOfRoles before calling.
'  - ebx, esi and edi are used without being saved/restored; they are
'    callee-saved under stdcall, so the VB caller's registers are clobbered.
'  - The EQU offsets assume esp is unchanged on entry; that holds because
'    nothing is pushed, but any edit that adds a push must adjust them.
Private Sub FindEig(ByVal lBaseAdrr As Long, lpBuffer As Byte, ByVal lBytesRead As Long, lpRolesAddr As Long, lNumOfRoles As Long)
'_asm{overall}
'_asm{
' lBaseAddr EQU dword ptr[esp+04]
' lpBuffer EQU dword ptr[esp+08]
' lBytesRead EQU dword ptr[esp+12]
' lpRolesAddr EQU dword ptr[esp+16]
' lNumOfRoles EQU dword ptr[esp+20]
' xor ecx,ecx
' mov edx,lNumOfRoles
' mov edx,dword ptr [edx]
' mov esi,lpBuffer
' mov edi,esi
' add edi,lBytesRead
' sub edi,1024
' LOOP1:
' cmp esi,edi
' jge ENDLOOP
' mov al, byte ptr [esi]
' cmp al,0
' jnz STEP1
' inc ecx
' inc esi
' jmp LOOP1
' STEP1:
' cmp ecx,20
' jge STEP2
' inc esi
' xor ecx,ecx
' jmp LOOP1
' STEP2:
' mov eax,dword ptr [esi]
' cmp eax,3452816845
' je STEP3
' inc esi
' xor ecx,ecx
' jmp LOOP1
' STEP3:
' mov eax,dword ptr [esi+36]
' cmp eax,3452816845
' je STEP4
' add esi,4
' xor ecx,ecx
' jmp LOOP1
' STEP4:
' add esi,40
' xor ebx,ebx
' LOOP2:
' cmp ebx,56
' jz STEP5
' mov al, byte ptr [esi+ebx]
' inc ebx
' cmp al,0
' jz LOOP2
' add esi,ebx
' xor ecx,ecx
' jmp LOOP1
' STEP5:
' add esi,56
' mov al, byte ptr [esi]
' cmp al,100
' jz STEP6
' inc esi
' xor ecx,ecx
' jmp LOOP1
' STEP6:
' mov eax,lpRolesAddr
' mov ebx,esi
' add ebx,lBaseAddr
' sub ebx,lpBuffer
' mov dword ptr [eax+edx*4],ebx
' inc edx
' inc esi
' xor ecx,ecx
' jmp LOOP1
' ENDLOOP:
' mov eax,lNumOfRoles
' mov dword ptr [eax],edx
' ret 5*4
'}
End Sub