逆向 | Win7扫雷x64版本内存雷区读取
逆向 | Win7扫雷x64版本内存雷区读取
继续写书,这是我为书中实验编写的测试代码。
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <string.h>
int main() {
// 获取pid
HWND hWnd = FindWindow(NULL, L"扫雷");
DWORD pid = NULL;
GetWindowThreadProcessId(hWnd, &pid);
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, pid);
if (hProcess == NULL) {
return -1;
}
printf("hProcess: %p \n", hProcess);
// 获取模块地址
DWORD64 modaddr = NULL;
MODULEENTRY32 modentry;
memset(&modentry, 0, sizeof(modentry));
HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, pid);
modentry.dwSize = sizeof(MODULEENTRY32);
Module32First(hSnapshot, &modentry);
do {
if (wcscmp(modentry.szModule, L"MineSweeper.exe") == 0)
{
wprintf(L"module: %s \n", modentry.szModule);
modaddr = (DWORD64)modentry.hModule;
CloseHandle(hSnapshot);
break;
}
} while (Module32Next(hSnapshot, &modentry));
printf("modaddr: %p \n", modaddr);
// 获取Game结构体变量
DWORD game_offset = 0xaaa38;
BYTE* Game = NULL;
ReadProcessMemory(hProcess, (LPCVOID)(modaddr + game_offset), &Game, 8, 0);
printf(" > Game: %p \n", Game);
// 获取GameBoard
BYTE* GameBoard = NULL;
ReadProcessMemory(hProcess, (LPCVOID)(Game + 0x18), &GameBoard, 8, 0);
printf(" > GameBoard: %p \n", GameBoard);
// 获取难度/宽高/雷数量
DWORD height, width;
DWORD difficulty;
DWORD mine_num;
ReadProcessMemory(hProcess, (LPCVOID)(GameBoard + 0x24), &difficulty, 4, 0);
ReadProcessMemory(hProcess, (LPCVOID)(GameBoard + 0x10), &width, 4, 0);
ReadProcessMemory(hProcess, (LPCVOID)(GameBoard + 0xc), &height, 4, 0);
ReadProcessMemory(hProcess, (LPCVOID)(GameBoard + 0x8), &mine_num, 4, 0);
printf(" > [%d] (%d, %d): %d个雷\n", difficulty, width, height, mine_num);
// 获取雷区数据
BYTE* MineMap = NULL;
ReadProcessMemory(hProcess, (LPCVOID)(GameBoard + 0x58), &MineMap, 8, 0);
ReadProcessMemory(hProcess, (LPCVOID)(MineMap + 0x10), &MineMap, 8, 0);
printf(" > MineMap: %p \n", MineMap); // 获取到雷区列表起始位置
// 获取雷区真实数据
DWORD map_length = width * height;
BYTE* map = (BYTE*)malloc(map_length);
BYTE* tmp_line = (BYTE*)malloc(height);
int i, j;
for (i = 0; i < width; i++) {
BYTE* arr = NULL;
ReadProcessMemory(hProcess, (LPCVOID)(MineMap+i*8), &arr, 8, 0);
// printf(" > line%d: %p \n", i, arr);
ReadProcessMemory(hProcess, (LPCVOID)(arr + 0x10), &arr, 8, 0);
ReadProcessMemory(hProcess, (LPCVOID)(arr), tmp_line, height, 0);
for (j = 0; j < height; j++) {
printf("%d ", tmp_line[j]); // 输出临时数据
// 存入map
*(map+j*width+i) = (BYTE)tmp_line[j];
}
printf("\n");
}
printf("\n");
// 输出地图
for (i = 0; i < height; i++) {
for (j = 0; j < width; j++) {
printf("%d ", map[i * width + j]);
}
printf("\n");
}
// 清理资源
free(tmp_line);
free(map);
CloseHandle(hProcess);
return 0;
}
本文来自博客园,作者:Mz1,转载请注明原文链接:https://www.cnblogs.com/Mz1-rc/p/18220065
如果有问题可以在下方评论或者email:mzi_mzi@163.com