
📁 口袋西游。明文包截取。只需要修改发包CALL地址。就可以使用了。
unit Unit_Pop;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, ExtCtrls;

type
  // Capture window.  Button1 installs the code patch (Button1Click), Timer1
  // polls the shared globals that GetStorage fills in and writes the packet
  // dump to Memo1 (Timer1Timer), Label1 mirrors strStorage, Button2 clears
  // the memo (Button2Click).
  TFrm_Pop = class(TForm)
    Button1: TButton;   // "install hook" button
    Memo1: TMemo;       // hex dump output
    Timer1: TTimer;     // polls LenBao for a pending packet
    Label1: TLabel;     // shows strStorage ('$<addr>|<len>')
    Button2: TButton;   // clears Memo1
    procedure FormCreate(Sender: TObject);
    procedure FormHide(Sender: TObject);
    procedure FormShow(Sender: TObject);
    procedure Button1Click(Sender: TObject);
    procedure Timer1Timer(Sender: TObject);
    procedure Button2Click(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;

  // Writes a JMP at ADDRS that transfers control to ADDRD (see implementation).
  procedure InjectJmpCode(ADDRS,ADDRD:DWORD);
  // Hook callback; stdcall because it is invoked from JmpStorage's inline asm
  // with three pushed arguments.
  procedure GetStorage(PMyadd,PackLong,AAddrP:DWORD);stdcall;
  // Asm trampoline that CONST_JMP is redirected to.
  procedure JmpStorage;
var
  Frm_Pop: TFrm_Pop;
  ItemBag:TList;        // not referenced anywhere in this unit
  kg:boolean;           // set True in FormShow, False in FormHide; not read in this unit
  OnAuto:boolean;       // not referenced anywhere in this unit
  BIAOTI: pchar;        // not referenced anywhere in this unit
  PName:PWideChar;      // not referenced anywhere in this unit
  aproc:dword;//window/process id -- only appears in commented-out code below
  Base:dword;//memory base address -- not referenced anywhere in this unit
  strStorage:String='';//originally "storage password"; the only assignment (GetStorage) stores '$<hex addr>|<len>'
  Pdaima,LenBao:dword;  // Pdaima: return address of the hooked call; LenBao: pending packet length, 0 once the timer consumed it
  PBao:array[0..255] of Byte;  // copy of the captured packet bytes; fixed 256-byte capacity
  const CONST_JMP=$005B7510 ;         // address of the game's send-packet function; specific to one game build
  const CONST_GET_CKPASS_JMP:Integer=$005B7515;     // send-packet function + $5; typed constant used as the resume target in JmpStorage's final JMP

implementation

{$R *.dfm}

procedure TFrm_Pop.Button1Click(Sender: TObject);
// Installs the code patch: the bytes at CONST_JMP are redirected to JmpStorage.
var
  hookTarget: DWORD;
begin
  hookTarget := DWORD(@JmpStorage);
  InjectJmpCode(CONST_JMP, hookTarget);
end;

procedure TFrm_Pop.FormCreate(Sender: TObject);
// Form construction: reset the shared capture state so the timer sees no
// pending packet.  (The author's GetWindowThreadProcessId lookup that used
// to fill aproc remains disabled.)
begin
  LenBao := 0;   // no packet pending
  Pdaima := 0;   // no call address recorded
end;

procedure TFrm_Pop.FormHide(Sender: TObject);
// Clears the "form is visible" flag; the author notes removing this stops
// the alternating pop-up behaviour.
begin
  kg := False;
end;

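procedure TFrm_Pop.FormShow(Sender: TObject);
// On show: locate the game window and raise the "form is visible" flag.
// Fix: the FindWindow handle was passed straight to GetWindowRect (0 when the
// window is absent) and neither result was checked; the lookup is now guarded.
var
  gameWnd: HWND;
  AppRect: TRect;
begin
  gameWnd := FindWindow(nil, '口袋西游');
  if gameWnd <> 0 then
    // AppRect is not consumed anywhere in this unit; presumably intended for
    // positioning the form next to the game window -- kept for compatibility.
    GetWindowRect(gameWnd, AppRect);
  kg := True;
end;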

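procedure TFrm_Pop.Timer1Timer(Sender: TObject);
// Polls the capture state that GetStorage fills in from the hooked thread and,
// when a packet is pending, appends its hex dump to Memo1.
// Fix: the dump loop ran to LenBao-1 even when the reported length exceeded
// the 256-byte PBao buffer, reading past the array; the byte count is clamped.
var
  strTEMP: string;
  i: dword;
  a1, a2, a3: dword;
  dumpLen: dword;
begin
  // A length of 1 is ignored, as in the original.
  if LenBao > 1 then
  begin
    Label1.Caption := strStorage;
    // Snapshot the shared globals; GetStorage may overwrite them from the
    // game's thread while this handler runs (no synchronization here).
    a1 := Pdaima;          // return address of the hooked call
    a2 := LenBao;          // reported packet length
    a3 := dword(@PBao);    // start of the captured bytes
    LenBao := 0;           // mark as consumed
    dumpLen := a2;
    if dumpLen > SizeOf(PBao) then
      dumpLen := SizeOf(PBao);   // PBao holds at most 256 bytes
    Memo1.Lines.Add('---------------------------------');
    Memo1.Lines.Add('包长:$'+inttostr(a2)+'字节');   // reported length (decimal, despite the '$')
    Memo1.Lines.Add('调用地址:$'+inttohex(a1,8));
    strTEMP := '';
    for i := 0 to dumpLen - 1 do
      strTEMP := strTEMP + ' ' + inttohex((pbyte(a3+i))^, 2);
    Memo1.Lines.Add(strTEMP);
    Memo1.Lines.Add('---------------------------------');
  end;
end;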

procedure InjectJmpCode(ADDRS,ADDRD:DWORD);
// Overwrites the first 7 bytes at ADDRS with a 5-byte relative JMP to ADDRD
// followed by two NOPs.  Called from Button1Click with ADDRS = CONST_JMP and
// ADDRD = @JmpStorage.
// NOTE(review): the VirtualProtect result is not checked, and the original
// protection saved in tOldPoint is never restored, so the page stays
// PAGE_READWRITE.  An executable page rewritten like this is a standard
// code-integrity / anti-tamper detection signal.
var
  tOldPoint:Cardinal;
begin
  VirtualProtect(Pointer(ADDRS), $7, PAGE_READWRITE, tOldPoint);

  PByte(ADDRS)^:=$E9;  // E9 = opcode of the near relative JMP
  PDWORD(ADDRS+$1)^:=ADDRD-ADDRS-$5; // rel32 operand: target minus the address just past the 5-byte JMP
  pword(ADDRS+5)^:=$9090;  // pad the remaining 2 of the 7 patched bytes with NOP NOP
end;

procedure JmpStorage;//00442031      F3:A5         REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
// Trampoline that InjectJmpCode makes CONST_JMP jump to.  It (1) replays the
// first instruction the patch overwrote (PUSH -1), (2) saves all registers
// and calls GetStorage with values read from the hooked function's frame, and
// (3) replays the rest of the overwritten prologue before jumping back.
// Stack layout after PUSH -1 + PUSHAD (4 + 32 bytes): [esp+$24] is the hooked
// function's return address, [esp+$28] its first argument and [esp+$2C] its
// second.  With stdcall's right-to-left push order they reach GetStorage as
// PMyadd, AAddrP and PackLong respectively.
// NOTE(review): the replayed bytes (PUSH -1 / PUSH $8144E8 / MOV EAX,FS:[0])
// and CONST_GET_CKPASS_JMP are tied to one specific game build.
// CONST_GET_CKPASS_JMP is a typed constant, so the final JMP presumably goes
// through that variable rather than to an immediate address -- confirm
// against the generated code.
{var
  pchStorage: PChar; }
begin
  asm
    PUSH -1                        // first overwritten instruction, replayed

    PUSHAD                         // preserve all registers for the hooked code
    MOV EAX,dword ptr [esp+$2C]    // hooked function's 2nd argument -> PackLong
    MOV ESI,dword ptr [esp+$28]    // hooked function's 1st argument -> AAddrP
    MOV EBX,dword ptr [esp+$24]    // return address of the original caller -> PMyadd
    PUSH ESI
    PUSH EAX
    push ebx
    call GetStorage                // stdcall: the callee removes the three arguments
 {   POP EAX
    POP ESI    }
    POPAD

    PUSH $8144E8                   // SEH handler installation (replayed prologue byte sequence)
    MOV EAX,DWORD PTR FS:[0]
    JMP  CONST_GET_CKPASS_JMP      // resume in the hooked function past the patch
  end;//asm
end;


{procedure JmpStorageB;
begin
  asm
    PUSH -1
    PUSH $8144E8                   //  SE 处理程序安装
    MOV EAX,DWORD PTR FS:[0]
  end;//asm
end;             }


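procedure GetStorage(PMyadd,PackLong,AAddrP:DWORD);stdcall;
// Called from JmpStorage on the hooked thread with the hooked function's
// return address (PMyadd), the reported length (PackLong) and the buffer
// address (AAddrP).  Publishes a copy of the bytes for Timer1Timer to display.
// Fix: CopyMemory copied PackLong bytes into the 256-byte PBao with no bound,
// overrunning the array (and whatever globals follow it) for longer packets;
// the copy is now clamped and a nil buffer is skipped.
// NOTE(review): strStorage/PBao/Pdaima/LenBao are written here and read by the
// UI timer with no synchronization, and the string assignment allocates on the
// Delphi heap from a foreign thread -- confirm IsMultiThread handling.
var
  copyLen: DWORD;
begin
  strStorage := '$'+IntTohex(AAddrP,8)+'|'+IntToStr(PackLong);
  copyLen := PackLong;
  if copyLen > SizeOf(PBao) then
    copyLen := SizeOf(PBao);   // never write past the 256-byte buffer
  if (AAddrP <> 0) and (copyLen > 0) then
    CopyMemory(@PBao, pointer(AAddrP), copyLen);
  Pdaima := PMyadd;
  // Publish last: Timer1Timer treats LenBao > 1 as "packet pending", and the
  // clamped value keeps its dump loop inside PBao as well.
  LenBao := copyLen;
end;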

procedure TFrm_Pop.Button2Click(Sender: TObject);
// Clears the packet dump shown in Memo1.
begin
  Memo1.Clear;
end;

end.
