物品call
// Cheat Engine auto-assembler script (32-bit x86, Intel syntax).
// Lines before [ENABLE] are assembled for both the enable and the disable pass.
// [ENABLE] starts one thread at `new`, which calls a single function out of an
// object's function table with item id 2600052 as its only stack argument.
// 100-byte code cave holding the thread body below.
alloc(new,100)
new:
pushad                                  // preserve all general registers around the call
mov ecx,[1AB7CDC]                       // ecx = pointer read from a fixed absolute address (author's note: "character object"); not module-relative, so tied to one build/load address
mov edx,[ecx]                           // edx = first dword of that object; presumably its function table — confirm
mov eax,#2600052                        // eax = item id 2600052 (decimal; author's note: "consumable-use wrapper")
{ author's notes on item 2600052 (translated):
  name key name2_2600052 -> Hurricane Borhe (飓风博尔赫)
  description: "After use, summons Hurricane Borhe to help the summoner attack enemies; it lasts 15 minutes." }
push eax                                // sole stack argument = item id
mov edx,[edx+5E4]                       // edx = function at table slot +5E4
call edx                                // thiscall-style: ecx = object, one argument on the stack
popad                                   // NOTE(review): popad does not restore esp; assumes the callee pops its one argument — confirm
ret                                     // thread body done
// Run `new` once on a fresh thread when the script is enabled.
[ENABLE]
createthread(new)
// NOTE(review): the disable pass does nothing — the buffer from alloc(new,100) is never released with dealloc.
[DISABLE]
人偶无限 天谴飓风





// Cheat Engine auto-assembler script (32-bit x86, Intel syntax).
// Hook at "DNF.exe"+433E7F: the 8 original bytes there (mov eax,[esi] / mov edi,[edx+00001ECC])
// are replaced by a 5-byte jmp to newmem plus 3 nops. newmem first re-executes the two
// displaced instructions, then runs the added logic, then jumps to `return`
// (the instruction right after the replaced bytes). [DISABLE] puts the original bytes back.
// Module-relative injection point.
define(address,"DNF.exe"+433E7F)
// Expected original bytes at address (8 bytes); the jmp+nops written below must be exactly this long.
define(bytes,8B 06 8B BA CC 1E 00 00)
[ENABLE]
// Refuse to enable if the bytes at address differ (different game build than these offsets came from).
assert(address,bytes)
alloc(newmem,$1000)
label(SHEN_QIANG_NAN)                   // pinyin: male Gunner branch
label(SHENG_ZHI_ZHE)                    // pinyin: Priest branch
label(code)                             // NOTE(review): declared but never jumped to
label(return)
newmem:
mov eax,[esi]                           // displaced original instruction #1
mov edi,[edx+00001ECC]                  // displaced original instruction #2
CMP [esi+644],#100                      // if field [esi+644] == 100 (decimal) skip the added logic; no operand size given — confirm CE assembles the intended width
je return
// class id at [esi+3C08] (author's table, translated): Slayer=0, Fighter(F)=1, Gunner(M)=2, Mage(F)=3, Priest=4, Gunner(F)=5, Thief=6, Fighter(M)=7, Mage(M)=8
CMP [esi+3C08],#2                       // male Gunner (2)?
JE SHEN_QIANG_NAN
CMP [esi+3C08],#4                       // Priest (4)?
JE SHENG_ZHI_ZHE
jmp return                              // any other class: original behaviour, nothing added
SHEN_QIANG_NAN:                         // male Gunner (class id 2)
pushad                                  // preserve all general registers around the call
mov eax,[esi]                           // eax = first dword of the object at esi (presumably its function table — confirm)
mov edx,[eax+0000030C]                  // edx = function at table slot +30C
push 00
push 00
push 00
push 00
push #34                                // first argument: skill id 34 (author's note, translated: "male Mechanic's Fist")
mov ecx,esi                             // ecx = this
call edx
Popad                                   // NOTE(review): popad does not restore esp; relies on the callee popping its five arguments — confirm
jmp return
SHENG_ZHI_ZHE:                          // Priest (class id 4); NOTE(review): byte-identical to the branch above, only the author's comment differs
pushad
mov eax,[esi]
mov edx,[eax+0000030C]
push 00
push 00
push 00
push 00
push #34                                // skill id 34 (author's note, translated: "Divine Punishment Whirlwind")
mov ecx,esi
call edx
Popad
jmp return
code:                                   // unused label (the originals are re-executed at the top of newmem instead)
address:
jmp newmem                              // 5 bytes ...
nop 3                                   // ... + 3 bytes of padding = the 8 asserted bytes
return:                                 // = address+8, first untouched original instruction
[DISABLE]
address:
db bytes                                // restore the original 8 bytes
// mov eax,[esi]
// mov edi,[edx+00001ECC]
dealloc(newmem)
{
// ORIGINAL CODE - INJECTION POINT: 00833E7F
00833E56: E8 E5 58 0A 00 - call 008D9740
00833E5B: 8B 8E BC 58 00 00 - mov ecx,[esi+000058BC]
00833E61: 6A 01 - push 01
00833E63: E8 C8 6A 0A 00 - call 008DA930
00833E68: 83 F8 24 - cmp eax,24
00833E6B: 77 27 - ja 00833E94
00833E6D: 8B 8E BC 58 00 00 - mov ecx,[esi+000058BC]
00833E73: 50 - push eax
00833E74: E8 17 73 0A 00 - call 008DB190
00833E79: 8B 96 64 56 00 00 - mov edx,[esi+00005664]
// ---------- INJECTING HERE ----------
00833E7F: 8B 06 - mov eax,[esi]
// ---------- DONE INJECTING ----------
00833E81: 8B BA CC 1E 00 00 - mov edi,[edx+00001ECC]
00833E87: 8B 90 14 09 00 00 - mov edx,[eax+00000914]
00833E8D: 8B CE - mov ecx,esi
00833E8F: FF D2 - call edx
00833E91: 89 78 7C - mov [eax+7C],edi
00833E94: 8B 06 - mov eax,[esi]
00833E96: 8B 90 14 09 00 00 - mov edx,[eax+00000914]
00833E9C: 8B CE - mov ecx,esi
00833E9E: FF D2 - call edx
00833EA0: 85 C0 - test eax,eax
}