逆向 | Win7扫雷x64版本内存雷区读取

逆向 | Win7扫雷x64版本内存雷区读取

继续写书，这是我为书中实验编写的测试代码。

#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <string.h>
int main() {
	// 获取pid
	HWND hWnd = FindWindow(NULL, L"扫雷");
	DWORD pid = NULL;
	GetWindowThreadProcessId(hWnd, &pid);
	HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
	if (hProcess == NULL) {
		return -1;
	}
	printf("hProcess: %p \n", hProcess);

	// 获取模块地址
	DWORD64 modaddr = NULL;
	MODULEENTRY32 modentry;
	memset(&modentry, 0, sizeof(modentry));
	HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
	modentry.dwSize = sizeof(MODULEENTRY32);
	Module32First(hSnapshot, &modentry);
	do {
		if (wcscmp(modentry.szModule, L"MineSweeper.exe") == 0)
		{
			wprintf(L"module: %s \n", modentry.szModule);
			modaddr = (DWORD64)modentry.hModule;
			CloseHandle(hSnapshot);
			break;
		}
	} while (Module32Next(hSnapshot, &modentry));
	printf("modaddr: %p \n", modaddr);

	// 获取Game结构体变量
	DWORD game_offset = 0xaaa38;
	BYTE* Game = NULL;
	ReadProcessMemory(hProcess, (LPCVOID)(modaddr + game_offset), &Game, 8, 0);      
	printf("  > Game: %p \n", Game);

	// 获取GameBoard
	BYTE* GameBoard = NULL;
	ReadProcessMemory(hProcess, (LPCVOID)(Game + 0x18), &GameBoard, 8, 0);
	printf("    > GameBoard: %p \n", GameBoard);
	// 获取难度/宽高/雷数量
	DWORD height, width;
	DWORD difficulty;
	DWORD mine_num;
	ReadProcessMemory(hProcess, (LPCVOID)(GameBoard + 0x24), &difficulty, 4, 0);
	ReadProcessMemory(hProcess, (LPCVOID)(GameBoard + 0x10), &width, 4, 0);
	ReadProcessMemory(hProcess, (LPCVOID)(GameBoard + 0xc), &height, 4, 0);
	ReadProcessMemory(hProcess, (LPCVOID)(GameBoard + 0x8), &mine_num, 4, 0);
	printf("    > [%d] (%d, %d): %d个雷\n", difficulty, width, height, mine_num);

	// 获取雷区数据
	BYTE* MineMap = NULL;
	ReadProcessMemory(hProcess, (LPCVOID)(GameBoard + 0x58), &MineMap, 8, 0);
	ReadProcessMemory(hProcess, (LPCVOID)(MineMap + 0x10), &MineMap, 8, 0);
	printf("    > MineMap: %p \n", MineMap);    // 获取到雷区列表起始位置

	// 获取雷区真实数据
	DWORD map_length = width * height;
	BYTE* map = (BYTE*)malloc(map_length);
	BYTE* tmp_line = (BYTE*)malloc(height);
	int i, j;
	for (i = 0; i < width; i++) {
		BYTE* arr = NULL;
		ReadProcessMemory(hProcess, (LPCVOID)(MineMap+i*8), &arr, 8, 0);
		// printf("       > line%d: %p \n", i, arr);
		ReadProcessMemory(hProcess, (LPCVOID)(arr + 0x10), &arr, 8, 0);
		ReadProcessMemory(hProcess, (LPCVOID)(arr), tmp_line, height, 0);
		for (j = 0; j < height; j++) {
			printf("%d ", tmp_line[j]);   // 输出临时数据
			// 存入map
			*(map+j*width+i) = (BYTE)tmp_line[j];
		}
		printf("\n");
	}
	printf("\n");
	// 输出地图
	for (i = 0; i < height; i++) {
		for (j = 0; j < width; j++) {
			printf("%d ", map[i * width + j]);
		}
		printf("\n");
	}

	// 清理资源
	free(tmp_line);
	free(map);
	CloseHandle(hProcess);

	return 0;
}