#include "stdafx.h"
#include "CallFun.h"
// Client-build-specific addresses. Each constant holds the address the
// wrappers below read from or call; the commented-out values behind it are
// the same address in earlier client builds, and "(0.8.5)" marks the build an
// entry was taken from. The naked wrappers dereference or call these without
// any validation, so running against a different build faults inside them;
// only the callers that wrap them in __try (EnableDialog, GetCI) survive that.
const DWORD g_dwBasePoint = 0x89A258;//0x896ED8;//0x896F58;//0x890C18; // base object pointer (walked by GetPoint)
const DWORD g_dwExpBaseAddr = 0x89E64C;//0x89B2F4;//0x899EFC;//0x893EFC; // base of the next-level-experience table (indexed by GetNextExp)
const DWORD g_dwYunQiEP = 0x44F490;//0x44F8D0;//0x44F4F0;//0x44D7A0; // meditate (HP/MP recovery) function entry
const DWORD g_dwNormalAttackEP = 0x44F630;//0x44FA70;//0x44F690;//0x44D940; // normal attack function entry
const DWORD g_dwTabKeyEP = 0x4573C0;//0x457800;//0x4572B0;//0x455550; // TAB-key target search function entry
const DWORD g_dwSkillAttackEP = 0x45D910;//0x45DD50;//0x45D730;//0x45B5B0; // skill attack function entry
const DWORD g_dwPlusEP = 0x588200;//0x587B00;//0x586DF0;//0x5830C0; // use-potion function entry
const DWORD g_dwGetResEP = 0x44F870;//0x44FCB0;//0x44F8D0;//0x44DB80; // pick-up function entry
const DWORD g_dwGoXYEP1 = 0x467810;//0x467D20;//0x4676F0;//0x4654C0; // move function entry 1
const DWORD g_dwGoXYEP2 = 0x46B210;//0x46B6D0;//0x46B0F0;//0x468E90; // move function entry 2
const DWORD g_dwGoXYEP3 = 0x467C50;//0x468160;//0x467B30;//0x465900; // move function entry 3
// Function of unknown purpose at entry 530DA0 (3 parameters, takes a THIS pointer; three observed call groups: (100,35,00600001), (100,34,00500001), (100,30,00100001))
// The following three calls are all made from the game function at entry 0x545DC0 (pick-up, build 0.8.5); GameFunc1 below appears to be a transcription of that function.
const DWORD g_dwGameFunc1Call1EP = 0x5472E0;
const DWORD g_dwGameFunc1Call2EP = 0x6EC6B0;
const DWORD g_dwGameFunc1Call3EP = 0x546E90;
// Pick-up function; takes the instance ID as its pushed argument (build 0.8.5). Not referenced elsewhere in this listing.
const DWORD g_dwPickupResEP = 0x464030;
// Entry of the chat-bar string output handler (build 0.8.5). Not referenced elsewhere in this listing.
const DWORD g_dwPutInfoEP = 0x533460;
// Exports of elementskill.dll, resolved at runtime by GetSkillEP_InitStruct; 0 until then,
// and the wrappers that call through them do not check for 0.
DWORD g_dwSkill_GetTypeEP = 0; // ElementSkill::GetType entry (used by GetSkillType)
DWORD g_dwSkill_GetNameEP = 0; // ElementSkill::GetName entry (used by GetSkillName)
DWORD g_dwSkill_GetIconEP = 0; // ElementSkill::GetIcon entry (resolved, but no wrapper in this listing uses it)
// Character snapshot (layout presumably in CallFun.h): stats filled by GetCI,
// skill-list bases/counts by GetSkillEP_InitStruct. Also read by GetResPos via raw offsets.
CHARINFO g_ci = { 0, 0, 0, 0, 0, 0, 0, 0, 0.0, 0.0, 0.0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };
// Skill table filled by GetSkillInfo; fixed capacity of 20 entries.
SKILL g_Skill[20] = { 0 };
// Returns the character object pointer by walking the pointer chain
// [[[g_dwBasePoint] + 0x1C] + 0x24]; result in EAX, no arguments, no frame.
// None of the hops is null-checked: with an unloaded character or a client
// build whose layout differs this faults, and only callers that wrap it in
// __try (EnableDialog, GetCI) turn that into a "not available" result.
// Clobbers only EAX, which the naked callers below rely on.
__declspec(naked) DWORD WINAPI GetPoint()
{
__asm
{
mov eax, dword ptr [g_dwBasePoint] ; EAX = the constant base address
mov eax, dword ptr [eax]           ; hop 1: the object stored at that address
mov eax, dword ptr [eax+0x1C]      ; hop 2
mov eax, dword ptr [eax+0x24]      ; hop 3: character object
retn
}
}
// Returns the experience required for the next level: the DWORD at
// g_dwExpBaseAddr + iCurLvl*4. stdcall with one argument (retn 4); ECX is
// preserved. iCurLvl is not range-checked, so a negative or oversized level
// reads outside the table (GetCI, the only caller here, is inside __try).
__declspec(naked) int WINAPI GetNextExp(int iCurLvl)
{
__asm
{
push ebp
mov ebp, esp                       ; frame so that [iCurLvl] resolves to [ebp+8]
push ecx
mov eax, dword ptr [g_dwExpBaseAddr]
mov ecx, dword ptr [iCurLvl]
mov eax, dword ptr [ecx*4+eax]     ; table[iCurLvl]
pop ecx
pop ebp
retn 4
}
}
// Original intent per the author's comment: "whether a dialog pops up".
// Returns TRUE when the character object exists and the DWORD at +0x24C is
// non-zero, FALSE otherwise (including when the pointer walk faults).
// NOTE(review): 0x24C is the same offset GetCI reads as iLvl, so as written
// this tests for a loaded character (level != 0) rather than a dialog flag —
// confirm against the client's object layout.
BOOL WINAPI EnableDialog()
{
    BOOL bResult = FALSE;
    __try
    {
        DWORD dwObj = GetPoint();
        if ( dwObj != 0 && *(PDWORD)ULongToPtr(dwObj + 0x24C) != 0 )
            bResult = TRUE;
    }
    __except ( EXCEPTION_EXECUTE_HANDLER )
    {
        // Bad pointer chain (wrong build, character not loaded): report FALSE.
    }
    return bResult;
}
// Refreshes the basic character stats in g_ci (level, HP/MP, experience,
// gold, position) from the character object returned by GetPoint().
// Fields are read in sequence; an access fault part-way through is swallowed
// and leaves g_ci partially updated. Does nothing when no object is found.
VOID WINAPI GetCI()
{
    __try
    {
        DWORD dwObj = GetPoint();
        if ( dwObj != 0 )
        {
            PBYTE pObj = (PBYTE)ULongToPtr(dwObj);
            g_ci.iLvl     = *(PDWORD)(pObj + 0x24C);
            g_ci.iCurHP   = *(PDWORD)(pObj + 0x254);
            g_ci.iMaxHP   = *(PDWORD)(pObj + 0x26C);
            g_ci.iCurMP   = *(PDWORD)(pObj + 0x258);
            g_ci.iMaxMP   = *(PDWORD)(pObj + 0x270);
            g_ci.iCurExp  = *(PDWORD)(pObj + 0x25C);
            g_ci.iNextExp = GetNextExp(g_ci.iLvl);   // table lookup by the level just read
            g_ci.dwGold   = *(PDWORD)(pObj + 0x2D4);
            // Position: fY and fZ come from non-adjacent offsets (0x3F0 then
            // 0x3EC) — presumably the client stores x, height, y in that order;
            // confirm before relying on the axis naming.
            g_ci.fX = *(PFLOAT)(pObj + 0x3E8);
            g_ci.fY = *(PFLOAT)(pObj + 0x3F0);
            g_ci.fZ = *(PFLOAT)(pObj + 0x3EC);
        }
    }
    __except ( EXCEPTION_EXECUTE_HANDLER )
    {
        // Bad pointer chain or stale offsets: keep whatever was read so far.
    }
}
// Calls the client's meditate ("yun qi") function, which restores HP/MP,
// on the character object: this-pointer in ECX, bEnable as the single
// pushed argument. stdcall wrapper with one argument (retn 4).
// Whether the callee pops its argument is not visible here; the frame reset
// (`mov esp, ebp`) makes the wrapper correct either way, at the cost that the
// `pop ecx` may restore ECX from the wrong slot (harmless to a stdcall caller).
__declspec(naked) VOID WINAPI YunQi(BOOL bEnable)
{
__asm
{
push ebp
mov ebp, esp                       ; frame so that bEnable resolves to [ebp+8]
push ecx
call GetPoint                      ; EAX = character object
push bEnable                       ; argument
mov ecx, eax                       ; this
call g_dwYunQiEP                   ; indirect call through the stored address
pop ecx
mov esp, ebp
pop ebp
retn 4
}
}
// Calls the client's normal-attack function on the character object:
// this-pointer in ECX and four pushed arguments (-1, 0, 0, 0 in push order;
// their meaning is not visible here). `mov esp, ebp` restores the stack
// regardless of callee cleanup. stdcall wrapper with no arguments (retn).
__declspec(naked) VOID WINAPI NormalAttack()
{
__asm
{
push ebp
mov ebp, esp
push ecx
call GetPoint                      ; EAX = character object
push -1
push 0
push 0
push 0
mov ecx, eax                       ; this
call g_dwNormalAttackEP
pop ecx
mov esp, ebp
pop ebp
retn
}
}
// Calls the client's TAB-key target-search function on the character
// object: this-pointer in ECX, one pushed zero argument. The frame reset
// (`mov esp, ebp`) keeps the wrapper independent of callee stack cleanup.
// stdcall wrapper with no arguments (retn).
__declspec(naked) VOID WINAPI Tab_Key()
{
__asm
{
push ebp
mov ebp, esp
push ecx
call GetPoint                      ; EAX = character object
mov ecx, eax                       ; this
push 0
call g_dwTabKeyEP
pop ecx
mov esp, ebp
pop ebp
retn
}
}
// Calls the client's skill-attack function on the character object with the
// skill's code: this-pointer in ECX; pushed arguments in order -1, 0, 0,
// iSkillCode (the first three are the same fixed values NormalAttack pushes;
// their meaning is not visible here). stdcall wrapper, one argument (retn 4).
__declspec(naked) VOID WINAPI SkillAttack(int iSkillCode)
{
__asm
{
push ebp
mov ebp, esp                       ; frame so that iSkillCode resolves to [ebp+8]
push ecx
call GetPoint                      ; EAX = character object
mov ecx, eax                       ; this
push -1
push 0
push 0
push iSkillCode
call g_dwSkillAttackEP
pop ecx
mov esp, ebp
pop ebp
retn 4
}
}
// Resolves the three ElementSkill exports of elementskill.dll into
// g_dwSkill_GetTypeEP / g_dwSkill_GetNameEP / g_dwSkill_GetIconEP and copies
// the character's three skill lists (base address and count each) from the
// character object into g_ci. Returns TRUE only when every step succeeded;
// on failure the globals resolved so far keep their values and the rest are
// untouched. Unlike GetCI there is no __try around the object reads, so a
// bad pointer chain faults here instead of returning FALSE.
BOOL WINAPI GetSkillEP_InitStruct()
{
    HMODULE hMod = ::GetModuleHandle(_T("elementskill.dll"));
    if ( hMod == NULL )
        return FALSE;

    g_dwSkill_GetTypeEP = PtrToUlong(::GetProcAddress(hMod, "?GetType@ElementSkill@GNET@@SADI@Z"));
    if ( g_dwSkill_GetTypeEP == 0 )
        return FALSE;

    g_dwSkill_GetNameEP = PtrToUlong(::GetProcAddress(hMod, "?GetName@ElementSkill@GNET@@SAPBGI@Z"));
    if ( g_dwSkill_GetNameEP == 0 )
        return FALSE;

    g_dwSkill_GetIconEP = PtrToUlong(::GetProcAddress(hMod, "?GetIcon@ElementSkill@GNET@@SAPBDI@Z"));
    if ( g_dwSkill_GetIconEP == 0 )
        return FALSE;

    DWORD dwObj = GetPoint();
    if ( dwObj == 0 )
        return FALSE;

    // Three (base, count) pairs — the M/B/O skill lists; what the letters
    // stand for is not visible in this file.
    PBYTE pObj = (PBYTE)ULongToPtr(dwObj);
    g_ci.dwMSkillBaseAddr = *(PDWORD)(pObj + 0x8D0);
    g_ci.dwMSkillCount    = *(PDWORD)(pObj + 0x8D4);
    g_ci.dwBSkillBaseAddr = *(PDWORD)(pObj + 0x8E8);
    g_ci.dwBSkillCount    = *(PDWORD)(pObj + 0x8EC);
    g_ci.dwOSkillBaseAddr = *(PDWORD)(pObj + 0x904);
    g_ci.dwOSkillCount    = *(PDWORD)(pObj + 0x908);
    return TRUE;
}
// Calls the client's use-potion function with the potion's item ID and its
// inventory slot. No this-pointer is set: the arguments are pushed as
// 1, iID, iPos, 0 (so the callee's first argument is 0 and its last is 1)
// and the caller removes all 16 bytes afterwards (`add esp, 0x10`,
// cdecl-style). stdcall wrapper with two arguments (retn 8). Unlike the
// attack/move wrappers it never calls GetPoint.
__declspec(naked) VOID WINAPI PlusMedicine(int iID, int iPos)
{
__asm
{
push ebp
mov ebp, esp                       ; frame so that iID/iPos resolve to [ebp+8]/[ebp+0xC]
push 1
push iID
push iPos
push 0
call g_dwPlusEP
add esp, 0x10                      ; caller cleans the four arguments
pop ebp
retn 8
}
}
// Finds the inventory slot holding the item with ID iID and returns its
// index, or 0xFFFFFFFF (-1) when not found. Scans an array of slot pointers:
// the count is read from g_ci+0x2C and the array base from g_ci+0x30
// (assumed to be the inventory count/base members of CHARINFO, declared in
// CallFun.h — confirm, since these raw offsets break if that struct changes);
// each non-null slot is matched on the DWORD at slot+8.
// stdcall with one argument (retn 4); EBX/ESI/EDI/ECX are preserved.
__declspec(naked) DWORD WINAPI GetResPos(int iID)
{
__asm
{
push ebx
push esi
push edi
push ecx
mov ecx, offset g_ci
mov edi, dword ptr [ecx+0x2C]      ; EDI = slot count
or eax, 0xFFFFFFFF                 ; default result: not found
xor edx, edx                       ; EDX = current index
test edi, edi
jbe short label4                   ; (CF is 0 after test, so this is a plain "je") empty -> -1
mov esi, dword ptr [ecx+0x30]      ; ESI = array of slot pointers
mov ebx, dword ptr [esp+0x14]      ; EBX = iID (past 4 saved regs + return address)
label1:
mov ecx, dword ptr [esi]
test ecx, ecx
je short label2                    ; empty slot
cmp dword ptr [ecx+8], ebx         ; slot->id == iID ?
je short label3
label2:
add esi, 4
inc edx
cmp edx, edi
jb short label1
pop ecx                            ; scanned every slot: EAX is still -1
pop edi
pop esi
pop ebx
retn 4
label3:
mov eax, edx                       ; found: return the index
label4:
pop ecx
pop edi
pop esi
pop ebx
retn 4
}
}
// Reports whether a target is selected: returns the DWORD at +0x798 of the
// character object (presumably the current-target pointer or ID — its exact
// type is not visible here), or 0 when GetPoint() returns 0. The raw value
// is returned, not normalised to TRUE/FALSE. No frame is set up; GetPoint
// clobbers only EAX.
__declspec(naked) BOOL WINAPI IsMon()
{
__asm
{
call GetPoint
test eax, eax
je label                           ; no character object -> return 0
mov eax, [eax+0x798]
label:
retn
}
}
// Calls the client's pick-up function on the character object: this-pointer
// in ECX, no arguments. ECX is saved and restored around the call; no frame.
// stdcall wrapper with no arguments (retn).
__declspec(naked) VOID WINAPI GetRes()
{
__asm
{
push ecx
call GetPoint                      ; EAX = character object
mov ecx, eax                       ; this
call g_dwGetResEP
pop ecx
retn
}
}
// Returns the type of skill dwSkillCode by calling ElementSkill::GetType
// from elementskill.dll through g_dwSkill_GetTypeEP (resolved by
// GetSkillEP_InitStruct; nothing here checks that it is non-zero, so calling
// this earlier jumps to address 0). The export's decoration in that lookup
// reads as a static __cdecl function taking one unsigned int and returning a
// char — consistent with the caller-side `add esp, 4` and the byte result.
// GetPoint()'s value is placed in ECX; a static method would ignore it.
// Only the low byte of the local at [ebp-4] is ever written, so the final
// `and eax, 0xFF` is what makes the returned DWORD well-defined.
// stdcall, one argument (retn 4).
__declspec(naked) DWORD WINAPI GetSkillType(DWORD dwSkillCode)
{
__asm
{
push ebp
mov ebp, esp
sub esp, 8                         ; [ebp-8] = object, [ebp-4] = result byte
call GetPoint
mov dword ptr [ebp-8], eax
mov byte ptr [ebp-4], 0
push dword ptr [ebp+8]             ; dwSkillCode
mov ecx, dword ptr [ebp-8]
call g_dwSkill_GetTypeEP
add esp, 4                         ; caller cleans the one argument
mov byte ptr [ebp-4], al           ; char result
mov eax, dword ptr [ebp-4]         ; upper three bytes are uninitialised...
and eax, 0xFF                      ; ...and masked off here
mov esp, ebp
pop ebp
retn 4
}
}
// Returns the name of skill dwSkillCode as a UNICODE string pointer by
// calling ElementSkill::GetName through g_dwSkill_GetNameEP (resolved by
// GetSkillEP_InitStruct; not checked for 0 here). The export's decoration
// reads as a static __cdecl function, hence the `add esp, 4`. The returned
// pointer is whatever the DLL hands back — presumably DLL-owned storage;
// whether it can be NULL is not visible here and nothing checks it before
// GetSkillInfo passes it to lstrlenW/lstrcpynW. stdcall, one argument (retn 4).
__declspec(naked) wchar_t* WINAPI GetSkillName(DWORD dwSkillCode)
{
__asm
{
push ebp
mov ebp, esp                       ; frame so that dwSkillCode resolves to [ebp+8]
push dwSkillCode
call g_dwSkill_GetNameEP
add esp, 4                         ; caller cleans the one argument; EAX = name pointer
mov esp, ebp
pop ebp
retn 4
}
}
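// Fills g_Skill from the character's M-skill list: for each entry, the entry
// address, its skill code (DWORD at entry+8), the type from GetSkillType and
// the name from GetSkillName. Returns TRUE when the export lookup succeeded
// and the list is non-empty; FALSE otherwise, leaving g_Skill as it was.
//
// Bounds: dwMSkillCount comes from the game client, but g_Skill holds only
// 20 entries, so the copy is clamped to the array size (extra skills are
// dropped rather than written past the end). Names are copied with the
// destination capacity instead of the source length, so an over-long name is
// truncated instead of overflowing; a NULL name leaves the zeroed buffer.
// Assumes SKILL::wstrName is an inline wchar_t array (declared in CallFun.h,
// not shown) — the zero-fill followed by lstrcpynW only makes sense for an
// inline buffer; confirm.
BOOL WINAPI GetSkillInfo()
{
    const DWORD dwMaxSkills = sizeof(g_Skill) / sizeof(g_Skill[0]);
    const DWORD dwNameCap = sizeof(g_Skill[0].wstrName) / sizeof(g_Skill[0].wstrName[0]);

    if ( !GetSkillEP_InitStruct() )
        return FALSE;
    if ( g_ci.dwMSkillCount == 0 )
        return FALSE;

    ::RtlZeroMemory(g_Skill, sizeof(g_Skill));

    // Clamp to the table capacity: the count is client-controlled.
    DWORD dwCount = g_ci.dwMSkillCount;
    if ( dwCount > dwMaxSkills )
        dwCount = dwMaxSkills;

    PDWORD pdwList = (PDWORD)ULongToPtr(g_ci.dwMSkillBaseAddr);
    for (DWORD i = 0; i < dwCount; i++)
    {
        DWORD dwAddr = pdwList[i];
        DWORD dwSkillCode = *(PDWORD)ULongToPtr(dwAddr + 8);
        g_Skill[i].dwBaseAddr = dwAddr;
        g_Skill[i].dwType = GetSkillType(dwSkillCode);
        g_Skill[i].dwCode = dwSkillCode;
        wchar_t *pwstrName = GetSkillName(dwSkillCode);
        if ( pwstrName != NULL )
            ::lstrcpynW(g_Skill[i].wstrName, pwstrName, (int)dwNameCap);   // bounded by the destination
    }
    return TRUE;
}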
// Walks the character to (fX, fY) by calling three client move functions.
// A 16-byte record is built at [ebp-0x10]: fX at +0, the bytes 09 54 FC 41
// at +4, fY at +8 and FC FE F7 BD at +12. Read as little-endian dwords the
// two constants are 0x41FC5409 and 0xBDF7FEFC (about 31.5 and -0.12 if they
// are IEEE floats) — presumably a fixed height and a fourth component, but
// their meaning is not visible here; confirm against the client.
// Sequence: obj = GetPoint(); mover = EP1(this=[obj+0x8A8], 1);
// EP2(this=mover, 0, &record); EP3(this=[obj+0x8A8], 1, mover, 1, 0)
// (arguments listed in callee order, i.e. last pushed first).
// The three calls are assumed to pop their own arguments — ESP is never
// adjusted after them; `mov esp, ebp` at the end hides any mismatch.
// Note the fX argument slot [ebp+8] is reused to hold the object pointer
// once fX has been copied into the record. stdcall, two float args (retn 8);
// ESI/EDI preserved.
__declspec(naked) VOID WINAPI GoXY(float fX, float fY)
{
__asm
{
push ebp
mov ebp, esp
sub esp, 0x10                      ; the 16-byte record
push esi
push edi
mov ecx, dword ptr [ebp+0xC]       ; ECX = fY bits
mov al, 0xFC
mov byte ptr [ebp-0xA], al
mov byte ptr [ebp-4], al
mov eax, dword ptr [ebp+8]         ; EAX = fX bits
mov byte ptr [ebp-0xC], 9
mov byte ptr [ebp-0xB], 0x54
mov byte ptr [ebp-9], 0x41         ; record+4 = 09 54 FC 41
mov byte ptr [ebp-3], 0xFE
mov byte ptr [ebp-2], 0xF7
mov byte ptr [ebp-1], 0xBD         ; record+12 = FC FE F7 BD
mov dword ptr [ebp-0x10], eax      ; record+0 = fX
mov dword ptr [ebp-8], ecx         ; record+8 = fY
call GetPoint
mov dword ptr [ebp+8], eax         ; reuse the fX slot for the object pointer
mov esi, dword ptr [ebp+8]
mov ecx, dword ptr [esi+0x8A8]     ; this = sub-object at +0x8A8
push 1
call g_dwGoXYEP1
mov edi, eax                       ; EDI = object returned by EP1
lea ecx, dword ptr [ebp-0x10]
push ecx                           ; &record
push 0
mov ecx, edi                       ; this = EP1's result
mov eax, dword ptr [g_dwGoXYEP2]
call eax
push 0
push 1
push edi
mov ecx, dword ptr [esi+0x8A8]     ; this = sub-object at +0x8A8 again
push 1
mov eax, dword ptr [g_dwGoXYEP3]
call eax
pop edi
pop esi
mov esp, ebp
pop ebp
retn 8
}
}
// Apparent transcription of the client routine at 0x545DC0 (see the comment
// on the g_dwGameFunc1Call*EP constants). Structure as visible here:
// Call1EP(this); then for the sub-objects at this+0x10 and this+0x28 in turn,
// Call2EP(&state, sub-object) fills three dwords of local state at
// [esp+0x14..0x1C] (presumably an iteration state over a container; its
// layout is not known here), the loop walks elements and, for each one
// visited, calls the function at slot +0x48 of the table pointed to by the
// element's first dword (vtable-style virtual call) with nIndex as the
// argument; finally Call3EP(this, nIndex).
//
// Calling-convention caveats: despite the WINAPI (stdcall) declaration the
// body reads the object pointer from ECX (`mov esi, ecx`), which a C++
// caller does not set, and it returns 1 in AL although declared VOID.
// nIndex is read at [esp+0x30] = 0x1C of locals + four saved registers +
// the return address. EBP is used as a scratch register (saved/restored),
// so there is no frame pointer. The three Call*EP calls are assumed to pop
// their own pushed arguments — ESP is never adjusted after them.
// The end-of-range test on both loops is `state[0]->+8 + state[0]->+0x14 * 4`
// compared against the running element pointer (see label6/label17).
// NOTE(review): label4 zeroes EAX and label5 immediately dereferences it
// (`mov ecx, dword ptr [eax]`), which can only fault; label15/label16 repeat
// the pattern. That path is reached when ECX is zero and EAX non-zero at
// label3/label7 (and label14/label18) — likely a transcription error from
// the disassembly; confirm against the client before relying on this.
__declspec(naked) VOID WINAPI GameFunc1(int nIndex)
{
__asm
{
sub esp, 0x1C                      ; locals
push ebx
push ebp
push esi
mov esi, ecx                       ; ESI = this (taken from ECX, not the stack)
push edi
mov dword ptr [esp+0x10], esi      ; local copy of this
call g_dwGameFunc1Call1EP
add esi, 0x10                      ; ESI = this+0x10
lea ecx, dword ptr [esp+0x14]      ; &state (three dwords)
push esi
call g_dwGameFunc1Call2EP
mov edi, dword ptr [esp+0x30]      ; EDI = nIndex
mov ecx, dword ptr [esp+0x18]
label1:
mov eax, dword ptr [esp+0x1C]
mov edx, dword ptr [esp+0x14]
label2:
test edx, edx
je short label3
test esi, esi
je short label3
cmp edx, esi
jnz short label7
label3:
test ecx, ecx
jnz short label8
test eax, eax
je short label11                   ; first container exhausted -> second container
label4:
xor eax, eax                       ; NOTE(review): EAX = 0 is dereferenced at label5
label5:
mov ecx, dword ptr [eax]           ; ECX = element
push edi                           ; nIndex
mov eax, dword ptr [ecx]           ; element's table
call dword ptr [eax+0x48]          ; slot +0x48 (vtable-style)
mov ecx, dword ptr [esp+0x18]
test ecx, ecx
je short label1
mov edx, dword ptr [esp+0x14]
mov eax, dword ptr [esp+0x1C]
label6:
test eax, eax
jnz short label9
add ecx, 4                         ; next element slot
mov dword ptr [esp+0x18], ecx
mov ebx, dword ptr [edx+0x14]
mov ebp, dword ptr [edx+8]
lea ebx, dword ptr [ebp+ebx*4]     ; end = base + count*4 (EBP as scratch)
cmp ecx, ebx
je short label10
mov eax, dword ptr [ecx]
test eax, eax
mov dword ptr [esp+0x1C], eax
jnz short label2
jmp short label6
label7:
test ecx, ecx
je short label4
label8:
add eax, 4
jmp short label5
label9:
mov eax, dword ptr [eax]
test eax, eax
mov dword ptr [esp+0x1C], eax
jnz short label2
jmp short label6
label10:
xor ecx, ecx                       ; reached end: clear the slot pointer
mov dword ptr [esp+0x18], ecx
jmp short label2
label11:
mov ecx, dword ptr [esp+0x10]      ; this
lea esi, dword ptr [ecx+0x28]      ; ESI = this+0x28 (second container)
lea ecx, dword ptr [esp+0x20]      ; temporary state
push esi
call g_dwGameFunc1Call2EP
mov edx, dword ptr [esp+0x20]
mov ecx, dword ptr [esp+0x24]
mov eax, dword ptr [esp+0x28]
mov dword ptr [esp+0x14], edx      ; copy temporary state over the loop state
mov dword ptr [esp+0x18], ecx
mov dword ptr [esp+0x1C], eax
jmp short label13
label12:
mov eax, dword ptr [esp+0x1C]
mov edx, dword ptr [esp+0x14]
label13:
test edx, edx
je short label14
test esi, esi
je short label14
cmp edx, esi
jnz short label18
label14:
test ecx, ecx
jnz short label19
test eax, eax
je short label22                   ; second container exhausted -> finish
label15:
xor eax, eax                       ; NOTE(review): same null dereference as label4/label5
label16:
mov ecx, dword ptr [eax]
push edi                           ; nIndex
mov edx, dword ptr [ecx]
call dword ptr [edx+0x48]          ; slot +0x48 (vtable-style)
mov ecx, dword ptr [esp+0x18]
test ecx, ecx
je short label12
mov edx, dword ptr [esp+0x14]
mov eax, dword ptr [esp+0x1C]
label17:
test eax, eax
jnz short label20
add ecx, 4
mov dword ptr [esp+0x18], ecx
mov ebx, dword ptr [edx+0x14]
mov ebp, dword ptr [edx+8]
lea ebx, dword ptr [ebp+ebx*4]     ; end = base + count*4
cmp ecx, ebx
je short label21
mov eax, dword ptr [ecx]
test eax, eax
mov dword ptr [esp+0x1C], eax
jnz short label13
jmp short label17
label18:
test ecx, ecx
je short label15
label19:
add eax, 4
jmp short label16
label20:
mov eax, dword ptr [eax]
test eax, eax
mov dword ptr [esp+0x1C], eax
jnz short label13
jmp short label17
label21:
xor ecx, ecx
mov dword ptr [esp+0x18], ecx
jmp short label13
label22:
mov ecx, dword ptr [esp+0x10]      ; this
push edi                           ; nIndex
call g_dwGameFunc1Call3EP
pop edi
pop esi
pop ebp
mov al, 1                          ; returns 1 in AL despite the VOID declaration
pop ebx
add esp, 0x1C
retn 4
}
}