-
Notifications
You must be signed in to change notification settings - Fork 64
/
CS1.6透视_自瞄.c
437 lines (399 loc) · 15.9 KB
/
CS1.6透视_自瞄.c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
// 用gcc直接用如下命令编译该脚本即可,会有大量警告,忽略即可
// gcc ./CS1.6透视_自瞄.c -lgdi32 -ldwmapi
// 开发环境 win10 64。
// 生成exe双击执行即可,鼠标左键自瞄,带有红色透视窗,
// 由于用的GDI所以为了效果好一点,目前透视只显示一个人
// 透视窗距离你鼠标最近的一个就会显示。这样会比按照距离显示会好很多。
// 自瞄同理,左键开枪会自动瞄准距离鼠标坐标最近的透视窗的人。
// 附带简单的无后坐力,无限子弹
#ifndef UNICODE
#define UNICODE
#endif
#define _USE_MATH_DEFINES
#include "time.h"
#include "math.h"
#include <windows.h>
#include <stdio.h>
#include <tlhelp32.h>
#include <dwmapi.h>
#define YSUCCESS 0
#define YERROR -1
#define _In_
#define _In_opt_
#define _Out_opt_
typedef struct _LSA_UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} LSA_UNICODE_STRING, *PLSA_UNICODE_STRING, UNICODE_STRING, *PUNICODE_STRING;
typedef enum _MEMORY_INFORMATION_CLASS {
MemoryBasicInformation,
MemoryWorkingSetList,
MemorySectionName
} MEMORY_INFORMATION_CLASS;
typedef NTSTATUS (WINAPI *ZwQueryVirtualMemoryfn) (
_In_ HANDLE ProcessHandle,
_In_opt_ PVOID BaseAddress,
_In_ MEMORY_INFORMATION_CLASS MemoryInformationClass,
_Out_ PVOID MemoryInformation,
_In_ SIZE_T MemoryInformationLength,
_Out_opt_ PSIZE_T ReturnLength
);
typedef struct {
UNICODE_STRING SectionFileName;
WCHAR NameBuffer[MAX_PATH * 2 + 2];
} MEMORY_SECTION_NAME, *PMEMORY_SECTION_NAME;
static ZwQueryVirtualMemoryfn g_ZwQueryVirtualMemoryPtr = NULL;
static int WINAPI YZwQueryVirtualMemory(HANDLE ProcessHandle, PVOID BaseAddress, MEMORY_INFORMATION_CLASS MemoryInformationClass, PVOID MemoryInformation, ULONG MemoryInformationLength){
NTSTATUS status = 0;
if(g_ZwQueryVirtualMemoryPtr == NULL) {
g_ZwQueryVirtualMemoryPtr = (ZwQueryVirtualMemoryfn)GetProcAddress(GetModuleHandleA("ntdll.dll"), "ZwQueryVirtualMemory");
if(g_ZwQueryVirtualMemoryPtr == NULL) {
return YERROR;
}
}
status = g_ZwQueryVirtualMemoryPtr(ProcessHandle, BaseAddress, MemoryInformationClass, MemoryInformation, MemoryInformationLength, NULL);
if(status >= 0) return YSUCCESS;
return YERROR;
}
static wchar_t *tofilename(wchar_t *path) {
wchar_t *p = wcsrchr(path, L'\\');
if(p) return ++ p;
else return path;
}
static unsigned long enum_process_module(unsigned int pid, wchar_t *modulename) {
HANDLE hProcess;
unsigned long queryaddr = 0;
MEMORY_BASIC_INFORMATION mbi;
MEMORY_SECTION_NAME SectionName;
hProcess = OpenProcess(PROCESS_QUERY_INFORMATION+PROCESS_VM_READ, TRUE, pid);
if(hProcess == NULL) {
wprintf(L"[-]OpenProcess %d with error %u\n", pid, GetLastError());
return 0;
}
while(queryaddr < 0x80000000) {
if(YZwQueryVirtualMemory(hProcess, (PVOID)queryaddr, MemoryBasicInformation, &mbi, sizeof(mbi)) == YSUCCESS) {
if(mbi.Type == MEM_IMAGE) {
if(YZwQueryVirtualMemory(hProcess, (PVOID)queryaddr, MemorySectionName, &SectionName, sizeof(SectionName) - 2) == YSUCCESS) {
SectionName.SectionFileName.Buffer[SectionName.SectionFileName.Length] = L'\0';
if(wcsicmp(tofilename(SectionName.SectionFileName.Buffer), modulename) == 0) {
CloseHandle(hProcess);
return queryaddr;
}
}
}
queryaddr += mbi.RegionSize;
} else {
queryaddr += 0x1000;
}
}
CloseHandle(hProcess);
return 0;
}
unsigned long enum_process(wchar_t *processname, wchar_t *modulename, int* pid)
{
HANDLE hSnap;
PROCESSENTRY32 pe32 = {0};
unsigned long addr = 0;
hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if(hSnap == INVALID_HANDLE_VALUE) {
wprintf(L"[-]CreateToolhelp32Snapshot with error %u\n", GetLastError());
return 0;
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if(Process32First(hSnap, &pe32)) {
do {
if(wcsicmp(tofilename(pe32.szExeFile), processname) == 0) {
addr = enum_process_module(pe32.th32ProcessID, modulename);
if(addr != 0) {
if (pid != NULL){
*pid = pe32.th32ProcessID;
}
// wprintf(L"%u:%s:0x%.8x\n", pe32.th32ProcessID, modulename, addr);
return addr;
}
}
} while(Process32Next(hSnap, &pe32));
}
CloseHandle(hSnap);
}
static int enable_debug_priv() {
HANDLE hToken;
TOKEN_PRIVILEGES tkp;
LUID Luid;
if(!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) {
wprintf(L"[-] OpenProcessToken error with %u\n", GetLastError());
return YERROR;
}
if(!LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &Luid )) {
wprintf(L"[-] LookupPrivilegeValue error with %u\n", GetLastError());
CloseHandle(hToken);
return YERROR;
}
tkp.PrivilegeCount = 1;
tkp.Privileges[0].Luid = Luid;
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
if(!AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(tkp), NULL, NULL)) {
wprintf(L"[-] AdjustTokenPrivileges error with %u\n", GetLastError());
CloseHandle(hToken);
return YERROR;
}
return YSUCCESS;
}
HANDLE getWindowHandleByPid(int pid){
HWND curr;
HANDLE top = GetTopWindow(NULL);
int toggle;
while (top){
if (GetWindowThreadProcessId(top, &curr) != 0 && pid == (int)curr)
if (!GetParent(top) && IsWindowVisible(top)) break;
top = GetWindow(top, GW_HWNDNEXT);
}
return top;
}
LPCVOID getAddressPointer(HANDLE handle, LPCVOID addr){
LPCVOID point;
ReadProcessMemory(handle, addr, &point, sizeof(point), NULL);
return point;
}
float getFloatByPoint(HANDLE handle, LPCVOID addr){
float f;
ReadProcessMemory(handle, addr, &f, sizeof(f), NULL);
return f;
}
float getIntByPoint(HANDLE handle, LPCVOID addr){
int i;
ReadProcessMemory(handle, addr, &i, sizeof(i), NULL);
return i;
}
float getByteByPoint(HANDLE handle, LPCVOID addr){
byte i;
ReadProcessMemory(handle, addr, &i, sizeof(i), NULL);
return i;
}
int initMatrixByPoint_4x4(HANDLE handle, LPCVOID addr, float* M){
return ReadProcessMemory(handle, addr, M, sizeof(float)*4*4, NULL);
}
int drawRect(HDC windc, RECT *rect, int pen){
FrameRect(windc, rect, GetStockObject(pen));
return 0;
}
int drawRedRect(HDC windc, RECT *rect, HBRUSH brush){
FrameRect(windc, rect, brush);
return 0;
}
void getRect(HANDLE windc, RECT *rect){
DwmGetWindowAttribute((HWND)windc, 9, rect, sizeof(RECT));
// GetWindowRect(windc, rect);
}
// 太抽象了,常量一定要用常量的方式定义,否则不能用。
const int gapif = 0x324;
const int gapsd = 0x68;
const int baseif = 0x011544A0;
const int basesd = 0x0054BC5C;
HDC windc;
RECT rect;
RECT drawrect;
float L, T, R, B, Gx, Gy, Bx, By, By2, Px, Py, Pz, H, head, feet, wid, VieW;
struct Player {
float x;
float y;
float z;
float hp;
float dis;
float dis_arrow;
int x1;
int y1;
int x2;
int y2;
int side;
} ;
int PLAYER_NUMBER = 16;
void focusEnemy(HANDLE handle, int idx, struct Player* P, LPCVOID point_xangle, LPCVOID point_yangle){
float xangle, yangle;
xangle = atan2((P[0].y - P[idx].y), (P[0].x - P[idx].x)) * (180/M_PI) + 180;
yangle = atan2((P[0].z - P[idx].z), sqrt(pow((P[0].y - P[idx].y), 2) + pow((P[0].x - P[idx].x), 2))) * (180/M_PI);
WriteProcessMemory(handle, (LPCVOID)((int)point_xangle), &xangle, 4, NULL);
WriteProcessMemory(handle, (LPCVOID)((int)point_yangle), &yangle, 4, NULL);
}
int main(int argc, char const *argv[]) {
if(enable_debug_priv() != YSUCCESS) {
printf("error.\n");
return 0;
}
int *pid;
HANDLE handle,basead,whandle;
basead = (HANDLE)enum_process(L"cstrike.exe", L"cstrike.exe", &pid);
// 使用 enum_process 比一般的处理的好处是能够获取其内部的函数 dll。
// camera = (HANDLE)enum_process(L"cstrike.exe", L"particleman.dll", NULL);
whandle = getWindowHandleByPid(pid);
handle = OpenProcess(PROCESS_ALL_ACCESS,FALSE,pid);
windc = GetDC(NULL);
printf("pid: %d\n", pid);
printf("handle: %d\n", handle);
printf("handle_window: %d\n", whandle);
printf("base_cstrike.exe: %x\n", basead);
LPCVOID point_matrix;
point_matrix = getAddressPointer(handle, (LPCVOID)(basead+0x00946830));
printf("Matrix addr: %x\n", point_matrix);
int i, j;
float M[4][4];
if (initMatrixByPoint_4x4(handle, (LPCVOID)((int)point_matrix), (float*)&M) != 0){
printf("read Matrix ok. first Matrix:\n");
for (i = 0; i < 4; ++i) {
for (j = 0; j < 4; ++j){
printf("%12.7f ", M[i][j]);
}
printf("\n");
}
}
LPCVOID point_xangle;
LPCVOID point_yangle;
point_xangle = getAddressPointer(handle, (LPCVOID)(basead+0x0090E86C))+4;
point_yangle = getAddressPointer(handle, (LPCVOID)(basead+0x0090E86C));
int recoil;
int bullets;
LPCVOID point_recoil, point_bullets;
point_recoil = getAddressPointer(handle, (LPCVOID)(basead+0x11069BC));
point_recoil = getAddressPointer(handle, (LPCVOID)((int)point_recoil+0x7C));
point_recoil = getAddressPointer(handle, (LPCVOID)((int)point_recoil+0x5EC));
point_bullets = (LPCVOID)((int)point_recoil+0xCC);
point_recoil = (LPCVOID)((int)point_recoil+0x100);
bullets = getIntByPoint(handle, point_bullets);
printf("bullets addr: %x bullets: %d\n", point_bullets, bullets);
printf("recoil addr: %x recoil: %d\n", point_recoil, getIntByPoint(handle, point_recoil));
// 读取目标地址的坐标
LPCVOID point_info, point_side;
LPCVOID i_point, s_point;
int infos[4] = { 0x3ac, 0x3ac+0x4, 0x3ac+0x8, 0x3ac+0x158 };
int sides[1] = { 0x4e };
int s;
int myside;
float f;
point_info = getAddressPointer(handle, (LPCVOID)(basead+baseif));
point_side = getAddressPointer(handle, (LPCVOID)(basead+basesd));
struct Player P[16];
int number;
head = 25;
feet = -30;
H = 15;
// 获取所有人物坐标信息,hp信息,身份信息
number = 0;
printf("first get players.\n");
for (int i = 0; i < PLAYER_NUMBER; ++i) {
printf("player %2d ", i);
for (int j = 0; j < 5; ++j) {
if (j < 4) {
i_point = (int)(point_info + infos[j] + gapif*i);
f = getFloatByPoint(handle, (LPCVOID)i_point);
printf("%12.5f ", f);
if (j == 0){ P[i].x = f; };
if (j == 1){ P[i].y = f; };
if (j == 2){ P[i].z = f; };
if (j == 3){ P[i].hp = f; };
} else {
s_point = (int)(point_side + sides[j-4] + gapsd*i);
s = getByteByPoint(handle, (LPCVOID)s_point);
P[i].dis = i == 0 ? 0.0 : sqrt(pow(P[i].x-P[0].x,2) + pow(P[i].y-P[0].y,2) + pow(P[i].y-P[0].y,2));
printf("side: %4d distance: %8.2f\n", s, P[i].dis);
if (s != 1 && s != 2){ break; };
if (j == 4){ P[i].side = s; };
if (i == 0 && j == 4){ myside = s; };
}
}
number += 1;
}
POINT currpos = { 0, 0 };
HBRUSH brush = CreateSolidBrush(RGB(200, 0, 0));
while(1){
// 不断获取窗口大小以兼容窗口移动
getRect(whandle, &rect);
L = (float)rect.left;
T = (float)rect.top;
R = (float)rect.right;
B = (float)rect.bottom;
Gx = (R-L)/2;
Gy = (B-T)/2;
// 获取所有人坐标信息,hp信息,以及警匪分边的信息
number = 0;
for (int i = 0; i < PLAYER_NUMBER; ++i) {
for (int j = 0; j < 5; ++j) {
if (j < 4) {
i_point = (int)(point_info + infos[j] + gapif*i);
f = getFloatByPoint(handle, (LPCVOID)i_point);
if (j == 0){ P[i].x = f; };
if (j == 1){ P[i].y = f; };
if (j == 2){ P[i].z = f; };
if (j == 3){ P[i].hp = f; };
} else {
s_point = (int)(point_side + sides[j-4] + gapsd*i);
P[i].dis = i == 0 ? 0.0 : sqrt(pow(P[i].x-P[0].x,2) + pow(P[i].y-P[0].y,2) + pow(P[i].y-P[0].y,2));
s = getByteByPoint(handle, (LPCVOID)s_point);
if (s != 1 && s != 2){ break; };
if (j == 4){ P[i].side = s; };
if (i == 0 && j == 4){ myside = s; };
}
}
number += 1;
}
GetCursorPos(&currpos);
// 获取镜头矩阵,用人物参数计算需要画的部分,计算出所有敌人的方框位置并存储
initMatrixByPoint_4x4(handle, (LPCVOID)((int)point_matrix), (float*)&M);
for (i = 1; i < PLAYER_NUMBER; ++i) {
Px = P[i].x;
Py = P[i].y;
Pz = P[i].z;
VieW = Px*M[0][3] + Py*M[1][3] + Pz*M[2][3] + M[3][3];
VieW = 1 / VieW;
Bx = Gx + (Px*M[0][0] + Py*M[1][0] + Pz *M[2][0] + M[3][0])*VieW*Gx;
By = Gy - (Px*M[0][1] + Py*M[1][1] + (Pz+head)*M[2][1] + M[3][1])*VieW*Gy;
By2 = Gy - (Px*M[0][1] + Py*M[1][1] + (Pz+feet)*M[2][1] + M[3][1])*VieW*Gy;
wid = abs(By - By2)*.25;
P[i].x1 = (int)(Bx-wid+L);
P[i].y1 = (int)(By+T+H);
P[i].x2 = (int)(Bx+wid+L);
P[i].y2 = (int)(By2+T+H);
if (P[i].side == 1 || P[i].side == 2){
P[i].dis_arrow = sqrt(pow(currpos.x-(P[i].x1+P[i].x2)/2, 2) + pow(currpos.y-(P[i].y1+P[i].y2)/2, 2));
}
}
// 找到仍有hp的,透视方框与当前鼠标最接近的人的ID,用在后面绘制与自瞄
int min_arrow_dis_index = 0;
float min_arrow_dis_curr = INT_MAX;
for (i = 1; i < PLAYER_NUMBER; ++i) {
if (P[i].hp > 1){
if (P[i].side == myside){
//
}else if(P[i].side == 1 || P[i].side == 2){
if (P[i].dis_arrow < min_arrow_dis_curr){
min_arrow_dis_curr = P[i].dis_arrow;
min_arrow_dis_index = i;
}
}
}
}
// 只画距离鼠标最近的一个,只自动瞄准鼠标最近的一个,这样对控制的人更加友好,也节约点资源。
if(min_arrow_dis_index){
drawrect.left = P[min_arrow_dis_index].x1;
drawrect.top = P[min_arrow_dis_index].y1;
drawrect.right = P[min_arrow_dis_index].x2;
drawrect.bottom = P[min_arrow_dis_index].y2;
drawRedRect(windc, &drawrect, brush);
// 最简单的一种键盘检测,左键自瞄
if (0x8000 & GetKeyState(VK_LBUTTON)){
focusEnemy(handle, min_arrow_dis_index, &P, point_xangle, point_yangle);
}
}
// 后坐力调整为0,虽然游戏中枪口仍然会浮动,但是浮动会变很小。
// 枪械子弹固定为 30,无限子弹
recoil = 0;
bullets = 30;
point_recoil = getAddressPointer(handle, (LPCVOID)(basead+0x11069BC));
point_recoil = getAddressPointer(handle, (LPCVOID)((int)point_recoil+0x7C));
point_recoil = getAddressPointer(handle, (LPCVOID)((int)point_recoil+0x5EC));
point_bullets = (LPCVOID)((int)point_recoil+0xCC);
point_recoil = (LPCVOID)((int)point_recoil+0x100);
WriteProcessMemory(handle, (LPCVOID)((int)point_recoil), &recoil, sizeof(int), NULL);
WriteProcessMemory(handle, (LPCVOID)((int)point_bullets), &bullets, sizeof(int), NULL);
}
}