Warcraft maphack is actually very simple

Source: Internet
Author: User

Sorry, there is no such title. It's just a pure title. I hope to understand it...

I wrote this article to sort out the results of maphack and lancraft these days.

I have read the previous articles about maphack and found that maphack is really simple. It is just a few functions: EnableDebugPriv(), then FindWindow(), OpenProcess(), and then WriteProcessMemory() to make the modifications. What is difficult about that? The hard part is finding the memory addresses of the individual options! As described by our predecessors, CE is used to find them one by one. I want to say that this would make anyone cry. (For those predecessors who wrote the first maphack, I can only express my admiration.)

Speaking of this, I have to shout again "trigger to shadow French". The Open Source spirit of foreigners is really not true. Although the MH of shadow French is not directly open-source, however, the programs released by people are naked, unencrypted, and still use native encoding. Unlike those experts in China, they have added several shells ~ Of course, people's copyright!

Sorry, I am confused. For a VB program compiled to native code, use SmartCheck to trace it and you will find the world so beautiful!

Visual Basic program debugger SmartCheck: http://www.pediy.com/tools/Debuggers.htm

Let's take a look at the C language prototype of the operation in the onclick event:

BOOL WriteProcessMemory(
    HANDLE hProcess,
    LPVOID lpBaseAddress,
    LPVOID lpBuffer,
    DWORD nSize,
    LPDWORD lpNumberOfBytesWritten
);

BYTE Data[] = {0xbf, 0x0f, 0x00};
BOOL Success = WriteProcessMemory(hOpen, (LPVOID)0x6f2a3b92, &Data, 3, NULL);

The content of lpBuffer is crucial. To find the content at 0x0013f2a0, we now have to use OllyDbg.

OllyDbg debugger: OllyDbg [2008.1.1] http://www.pediy.com/tools/Debuggers.htm

From the window on the right of SmartCheck, you can find the offset address of WriteProcessMemory(hProcess: 000006b4, DWORD: 6f406b30, PTR: 0013f2a0, DWORD: 00000001, PTR: 0013f29c) for ipvf609. Open maphack in OllyDbg and find 0040f609. Even if you do not want to debug it, the content of lpBuffer will come out...

0040f5dd  8b4d 0c  mov ecx, dword ptr [ebp+C]
0040f5e0  8d95 2cffffff  lea edx, dword ptr [ebp-D4]
0040f5e6  52  push edx
0040f5e7  8d85 30ffffff  lea eax, dword ptr [ebp-D0]
0040f5ed  8b51 08  mov edx, dword ptr [ecx+8]
0040f5f0  6a 01  push 1
0040f5f2  50  push eax
0040f5f3  52  push edx
0040f5f4  56  push esi
0040f5f5  c785 2cffffff 00000000  mov dword ptr [ebp-D4], 0
0040f5ff  c785 30ffffff 74000000  mov dword ptr [ebp-D0], 74
0040f609  e8 a23cffff  call 004032b0

mov dword ptr [ebp-D0], 74 shows that the content lpBuffer points to is 0x74. Following the same pattern, finding all the addresses is not difficult! Here are the addresses of some features needed by the sample MH I have written.

//////////////////////////////////////////////////
// open and press Ctrl to give money
BYTE val = 0x40;
int lRet = WriteProcessMemory(hOpen, LPVOID(0x6f0000b35), &val, 1, 0);
val = 0xb8;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f0000b36), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f0000b37), &num_dclick, 4, 0);
//////////////////////////////////////////////////
// open and click "give money"
val = 0x40;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f0000b3d), &val, 1, 0);
val = 0xb8;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f0000b3e), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f0000b3f), &num_click, 4, 0);
//////////////////////////////////////////////////
// hide the Map
val = 0x39;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f1494e0), &val, 1, 0);
val = 0x85;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f1494e3), &val, 1, 0);
//////////////////////////////////////////////////
// map to view stealth
val = 0x90;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f17d4e8), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f17d4e9), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f17d4ea), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f17d4eb), &val, 1, 0);
val = 0xb8;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f17d4ec), &val, 1, 0);
val = 0x1;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f17d4ed), &val, 1, 0);
val = 0x0;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f17d4ee), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f17d4ef), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f17d4f0), &val, 1, 0);
//////////////////////////////////////////////////
// Display Unit ???
val = 0x66;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f2a08b1), &val, 1, 0);
val = 0xbf;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f2a08b2), &val, 1, 0);
val = 0xf;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f2a08b3), &val, 1, 0);
val = 0x0;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f2a08b4), &val, 1, 0);
//////////////////////////////////////////////////
// View character skills
val = 0x90;
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f12dc1a), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f12dc1b), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f12dc5a), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f12dc5b), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f5573fe), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f5573ff), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f557400), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f557401), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f557402), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f557403), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f54c0bf), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f54c0c0), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f54c0c1), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f54c0c2), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f54c0c3), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f54c0c4), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f55e15c), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f55e15d), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f4a11a1), &val, 1, 0);
lRet = WriteProcessMemory(hOpen, LPVOID(0x6f4a11a0), &val, 1, 0);
//////////////////////////////////////////////////

The example maphack I wrote is attached. I only added some features to facilitate the use of Xianzhi Xiaodao (preparing to add the analog buttons. Haha, my ghost will be invincible!). It was easy to give money in the early days. This was my initial motivation to write MH. The 10 yuan and 10 yuan were too troublesome, and my hands hurt! The online cross-network segment function is also added (the principle is shown in the next blog). The program is messily written, laugh...

http://download.csdn.net/source/1819854
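Seen from the defending side, every feature above is a short overwrite inside a loaded module's code, so comparing the live code section with a known-good copy exposes each one. The following is an added example, not code from the original post: find_patched_runs, struct patch_run and the two sample buffers are hypothetical names and constructed data, and obtaining the two byte ranges (on-disk image and in-memory section) is assumed to be done by the caller.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One contiguous run of bytes that differs from the known-good image. */
struct patch_run {
    size_t offset;   /* offset into the code section */
    size_t length;   /* number of modified bytes */
    int    nop_fill; /* 1 if every live byte in the run is 0x90 (NOP) */
};

/* Compare a live snapshot of a code section with a known-good copy.
 * Returns the number of modified runs; only the first max are stored.
 * Assumption: relocations were already applied to the baseline copy. */
size_t find_patched_runs(const uint8_t *baseline, const uint8_t *live,
                         size_t len, struct patch_run *out, size_t max)
{
    size_t count = 0, i = 0;
    while (i < len) {
        if (baseline[i] == live[i]) { i++; continue; }
        size_t start = i;
        int nops = 1;
        while (i < len && baseline[i] != live[i]) {
            if (live[i] != 0x90) nops = 0;
            i++;
        }
        if (count < max) out[count] = (struct patch_run){ start, i - start, nops };
        count++;
    }
    return count;
}

/* Constructed sample data: 16 bytes of "code" and a tampered copy. */
static const uint8_t SAMPLE_GOOD[16] = {
    0x55, 0x8b, 0xec, 0x74, 0x05, 0x33, 0xc0, 0x5d,
    0xc3, 0x85, 0xc0, 0x75, 0x02, 0xb0, 0x01, 0xc3 };
static const uint8_t SAMPLE_LIVE[16] = {
    0x55, 0x8b, 0xec, 0x90, 0x90, 0x33, 0xc0, 0x5d,
    0xc3, 0x85, 0xc0, 0xeb, 0x02, 0xb0, 0x01, 0xc3 };

int main(void)
{
    struct patch_run r[8];
    size_t n = find_patched_runs(SAMPLE_GOOD, SAMPLE_LIVE, 16, r, 8);
    for (size_t k = 0; k < n && k < 8; k++)
        printf("+0x%zx len=%zu nop_fill=%d\n", r[k].offset, r[k].length, r[k].nop_fill);
    return 0;
}
```

A run flagged nop_fill matches the pattern of the 0x90 writes in the listing; any non-empty result means the code section no longer matches the shipped binary.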
