# 使用线程调用功能

[ENABLE]
alloc(callFn,$1000, xxx.exe)      // $1000 bytes, preferably near module xxx.exe (placeholder name)
registersymbol(callFn)
CREATETHREAD(callFn) // once the code is written, spawn a thread that calls it; the thread runs exactly once

// Thread entry point (x86): add 1 to the 32-bit value at absolute address 0040C038
// and return. The address is hard-coded, so this only works while the module sits
// at that fixed base. eax/ecx are saved so the thread returns with them untouched.
callFn:
  push eax
  push ecx
  mov ecx,[0040C038]              // ecx = current value
  lea eax,[ecx+1]                 // eax = value + 1 (lea leaves the flags alone)
  mov [0040C038],eax              // store it back
  pop ecx
  pop eax
  ret

[DISABLE]
unregistersymbol(callFn)
dealloc(callFn)                   // the one-shot thread has normally returned by now

# 在线程中循环 x86

[ENABLE]
globalalloc(threadMain,$500)      // global allocation: survives [DISABLE] and is never freed
createThread(threadMain)          // one thread that loops until bRun becomes 0

label(pHp)
label(bRun)

// hp address. NOTE(review): the name suggests a pointer, but the loop below writes
// to game2.exe+B3724 itself (mov [pHp],...), it does not read a pointer from it.
game2.exe+B3724:
pHp:

// Thread entry point (x86): every 20 ms write 100 to pHp, until bRun == 0.
threadMain:
  push #20
  call kernel32.sleep             // Sleep(20) — # marks a decimal literal

  mov [pHp],#100                  // no explicit size; confirm the assembler picks dword here

  cmp [bRun],0                    // [DISABLE] sets bRun to 0 to stop the loop
  jne threadMain

  ret                             // thread exits

bRun:
  dd 1                            // 1 = keep looping

registersymbol(bRun)

[DISABLE]
bRun:
  dd 0                            // ask the thread to stop; it finishes its current iteration, then returns
unregistersymbol(bRun)

关于AA脚本的睡眠代码

in 32-bit:
push #1000                        // dwMilliseconds = 1000 (decimal, hence the # prefix); stdcall argument on the stack
call kernel32.sleep

in 64-bit:
mov ecx,#1000                     // dwMilliseconds = 1000 in rcx (first x64 argument; writing ecx zero-extends into rcx)
call kernel32.sleep               // the caller must have reserved 32 bytes of shadow space and kept rsp 16-byte aligned here

# 在线程中使用其他脚本定义的符号

符号脚本:

[ENABLE]
aobscanmodule(yg_INJECT,PlantsVsZombies.exe,8B 87 78 55 00 00 33)   // locate the 6-byte mov eax,[edi+5578] (plus the following byte)
alloc(newmem,$1000)

globalalloc(pYg, 4)               // 4-byte slot shared with other scripts; globalalloc so it outlives this script
pYg:
 dd 0                             // stays 0 until the hook below has run for the first time

label(return)

// Hook body: save edi (the base address of the object whose +5578 field the game
// reads here) into pYg, then execute the original instruction and jump back.
newmem:
  mov [pYg], edi
  mov eax,[edi+00005578]          // original instruction
  jmp return

yg_INJECT:
  jmp newmem                      // 5-byte jmp + 1 nop replaces the 6 original bytes
  nop
return:
registersymbol(yg_INJECT)

[DISABLE]

yg_INJECT:
  db 8B 87 78 55 00 00            // restore the original bytes
unregistersymbol(pYg)
dealloc(pYg)                      // NOTE(review): pYg was globalalloc'd — confirm dealloc applies to it; any thread script still reading pYg must be disabled first
unregistersymbol(yg_INJECT)
dealloc(newmem)

线程脚本:

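[ENABLE]
alloc(incYg, $1000)
registersymbol(incYg)
createthread(incYg)

label(end)
registersymbol(end)
label(skip)

// Thread body (x86): every 500 ms add 10 to the dword at [pYg]+5578, until
// [DISABLE] sets end to 1; then free this allocation and terminate the thread.
// pYg is defined by the symbol script and is 0 until its hook has run once,
// so the write is skipped while it is still 0 — otherwise [0+5578] would fault.
incYg:
  mov eax,[pYg]
  test eax,eax
  je skip
  add dword ptr [eax+5578], #10
skip:
  push #500
  call Sleep
  cmp [end], 0
  je incYg

  // x64
  // mov ecx,incYg
  // sub edx,edx
  // mov r8d,8000

  // x86
  // https://forum.cheatengine.org/viewtopic.php?t=575644
  // Lay out the stack so that VirtualFree(incYg, 0, MEM_RELEASE) "returns" into
  // TerminateThread(GetCurrentThread(), 0). The code freeing itself is never
  // re-entered because execution is already inside VirtualFree when the page goes.
  push 0                          // TerminateThread arg 2: dwExitCode = 0
  call GetCurrentThread
  push eax                        // TerminateThread arg 1: handle of this thread
  push 0                          // return address slot for TerminateThread (never used)

  push 8000                       // VirtualFree arg 3: dwFreeType = MEM_RELEASE (hex 8000)
  push 0                          // VirtualFree arg 2: dwSize = 0 (required with MEM_RELEASE)
  push incYg                      // VirtualFree arg 1: base of this allocation
  push TerminateThread            // return address for VirtualFree
  jmp VirtualFree

end:
  dd 0

[DISABLE]
end:
  dd 1                            // tell the thread to stop; it releases incYg itself

unregistersymbol(incYg)
unregistersymbol(end)
// dealloc(incYg)                 // intentionally omitted: the thread frees the memory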

# x64 线程

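[ENABLE]
alloc(incCounter,$1000)
registersymbol(incCounter)
createThread(incCounter)

label(mainLoop)

label(end)
registersymbol(end)
label(counter)
registersymbol(counter)


// Thread entry point (x64, Microsoft x64 ABI). Loops until [DISABLE] writes 1
// to end, then releases its own allocation and exits via the VirtualFree tail-jump.
// On entry rsp % 16 == 8 (return address just pushed), so the frame must be
// 0x28 bytes, not 0x20: 32 bytes of shadow space for Sleep plus 8 bytes of
// padding so rsp is 16-byte aligned at the call.
incCounter:
  sub rsp, 0x28
  jmp mainLoop                    // no-op: mainLoop is the next instruction

mainLoop:
  // sleep 500 ms
  mov rcx,#500
  call Sleep

  // counter++ (explicit dword: counter is declared with dd)
  inc dword ptr [counter]

  // stop once [DISABLE] has set end to 1
  cmp dword ptr [end],0
  je mainLoop

  // release this thread's code/data and exit: restore rsp to its entry value,
  // then tail-jump into VirtualFree(incCounter, 0, MEM_RELEASE). VirtualFree
  // reuses the thread start stub's return address and shadow space, so the freed
  // code is never re-entered and the thread ends when VirtualFree returns.
  add rsp, 0x28
  mov rcx,incCounter              // lpAddress: must be the region base for MEM_RELEASE, so keep incCounter the only alloc in this script
  sub rdx,rdx                     // dwSize = 0
  mov r8d,8000                    // dwFreeType = MEM_RELEASE (hex 8000)
  jmp VirtualFree
  ret                             // unreachable; left as a guard

end:
  dd 0

counter:
  dd 0

[DISABLE]
end:
  dd 1                            // signal the thread to stop; it frees incCounter itself, so no dealloc here

unregistersymbol(end)
unregistersymbol(counter)
unregistersymbol(incCounter)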

# x64 call MessageBox

[ENABLE]
globalalloc(tmain, $1000)
createThread(tmain)

// Thread entry point (x64): show an empty MessageBoxA and return.
// Frame: push rbp brings rsp onto a 16-byte boundary (entry rsp % 16 == 8),
// and the 32-byte reservation is the shadow space MessageBoxA requires.
tmain:
  push rbp
  mov rbp,rsp
  sub rsp,#32

  mov rax,user32.MessageBoxA      // absolute address in rax, so the call does not depend on rel32 reach
  xor ecx,ecx                     // hWnd      = NULL
  xor edx,edx                     // lpText    = NULL
  xor r8d,r8d                     // lpCaption = NULL
  xor r9d,r9d                     // uType     = 0 (MB_OK)
  call rax

  add rsp,#32
  mov rsp,rbp
  pop rbp
  ret
[DISABLE]