很久之前,那时候我还不太会玩(现在也不厉害)扫雷这个游戏,同学总在我面前炫耀自己的技术有多叼。“高级,99颗雷,只需三分钟。。。”,如此这般。也许确实需要天赋,我总要排查个半天才敢点下左键,然后就BOOM!
偶然一天,在网上浏览网页看到了一篇关于“扫雷外挂”的文章,记得那个人是用汇编写的,没记错的话应该是MASM32。文章大概意思是雷的布局是有标志的,雷区内目标值为0x8F的就是雷。要想找到所有雷的坐标,前提是先找到雷区的边界,即起始点、宽度和长度。如果不会反汇编(最起码能看懂二进制码),恐怕很难搞清楚。幸运的是那个高手就是这样的:他提供了雷区的基址。我这样的菜手只好拾人牙慧,拿来改改,用VB6实现了个“扫雷克星”。
注意:雷区的分布应该是在你点击第一下之后才确立的,所以玩的时候先打开扫雷随便点一个,再使用“扫雷克星”。
原理很简单,就不在赘述了,直接上代码:
‘_killboom.bas Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, _ ByVal lpWindowName As String) As Long Private Declare Function GetWindowDC Lib "user32" (ByVal hwnd As Long) As Long Private Declare Function BitBlt Lib "gdi32" (ByVal hDestDC As Long, _ ByVal x As Long, _ ByVal y As Long, _ ByVal nWidth As Long, _ ByVal nHeight As Long, _ ByVal hSrcDC As Long, _ ByVal xSrc As Long, _ ByVal ySrc As Long, _ ByVal dwRop As Long) As Long Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hwnd As Long, _ lpdwProcessId As Long) As Long Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, _ ByVal bInheritHandle As Long, _ ByVal dwProcessId As Long) As Long Private Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, _ lpBaseAddress As Any, _ lpBuffer As Any, _ ByVal nSize As Long, _ lpNumberOfBytesWritten As Long) As Long Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long Private Declare Function ReleaseDC Lib "user32" (ByVal hwnd As Long, _ ByVal hdc As Long) As Long Private Declare Function SetForegroundWindow Lib "user32" (ByVal hwnd As Long) As Long Private Declare Function PostMessage Lib "user32" Alias "PostMessageA" (ByVal hwnd As Long, _ ByVal wMsg As Long, _ ByVal wParam As Long, _ ByVal lParam As Long) As Long Private Const PROCESS_ALL_ACCESS = &H1F0FFF Private Const WM_LBUTTONDOWN = &H201 Private Const WM_LBUTTONUP = &H202 Private Const WM_RBUTTONDOWN = &H204 Private Const WM_RBUTTONUP = &H205 ‘这些既是雷区的基址 Private Const total_addr = &H10056A4 Private Const height_addr = &H10056A8 Private Const width_addr = &H10056AC Private Const area_addr = &H1005361 Public Function KillBoom() As Boolean ‘这个就是驱雷的函数了,废话 o.O!! Dim hwnd As Long hwnd = FindWindow("扫雷", vbNullString) If hwnd = 0 Then KillBoom = False Exit Function End If Dim hdc As Long Dim pid As Long Dim hp As Long hdc = GetWindowDC(hwnd) Call GetWindowThreadProcessId(hwnd, pid) hp = OpenProcess(PROCESS_ALL_ACCESS, 0&, pid) Dim total As Long Dim height As Long Dim width As Long Call ReadProcessMemory(hp, ByVal total_addr, ByVal VarPtr(total), 4&, 0&) Call ReadProcessMemory(hp, ByVal height_addr, ByVal VarPtr(height), 4&, 0&) Call ReadProcessMemory(hp, ByVal width_addr, ByVal VarPtr(width), 4&, 0&) Dim size As Long Dim mem() As Byte size = 32 * height + 16 ReDim mem(size) As Byte Call ReadProcessMemory(hp, ByVal area_addr, ByVal VarPtr(mem(0)), size, 0&) Dim i As Long Dim x As Long Dim y As Long For i = 0 To size - 1 ‘至于为什么这么算,我也忘了,因为写这个代码时候太久远了 ‘应该是一点点测算出来的 ‘比如,16是距离窗体左侧的距离 ‘97是距离窗体上方的距离 x = i Mod 32 y = i \ 32 x = 16 + x * 16 y = 97 + y * 16 - 32 If mem(i) = &H8F Then ‘如是雷,就插小红旗 Call PostMessage(hwnd, WM_RBUTTONDOWN, 0&, MakeParam(x, y)) Call PostMessage(hwnd, WM_RBUTTONUP, 0&, MakeParam(x, y)) Else ‘不是雷,就点开它吧 Call PostMessage(hwnd, WM_LBUTTONDOWN, 0&, MakeParam(x, y)) Call PostMessage(hwnd, WM_LBUTTONUP, 0&, MakeParam(x, y)) End If Next Erase mem Call CloseHandle(hp) Call ReleaseDC(hwnd, hdc) Call SetForegroundWindow(hwnd) KillBoom = True End Function Private Function MakeParam(ByVal LoWord As Long, ByVal HiWord As Long) As Long MakeParam = (HiWord * &H10000) Or (LoWord And &HFFFF&) End Function
为了更优雅些,再加上热键。这样玩的时候,输入快捷键(Alt+Shift+K)就秒杀,哈哈(略邪恶):
‘_hotkey.bas ‘这个模块就是在网上找到,链接如下 ‘@http://www.cnblogs.com/rosesmall/archive/2012/09/19/2693707.html Public Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hwnd As Long, _ ByVal nIndex As Long, _ ByVal dwNewLong As Long) As Long Public Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hwnd As Long, _ ByVal nIndex As Long) As Long Public Declare Function CallWindowProc Lib "user32" Alias "CallWindowProcA" (ByVal lpPrevWndFunc As Long, _ ByVal hwnd As Long, _ ByVal Msg As Long, _ ByVal wParam As Long, _ ByVal lParam As Long) As Long Public Declare Function RegisterHotKey Lib "user32" (ByVal hwnd As Long, _ ByVal id As Long, _ ByVal fskey_Modifiers As Long, _ ByVal vk As Long) As Long Public Declare Function UnregisterHotKey Lib "user32" (ByVal hwnd As Long, ByVal id As Long) As Long Public Const WM_HOTKEY = &H312 Public Const MOD_ALT = &H1 Public Const MOD_CONTROL = &H2 Public Const MOD_SHIFT = &H4 Public Const GWL_WNDPROC = (-4) Private Type taLong ll As Long End Type Private Type t2Int lWord As Integer hword As Integer End Type Public preWinProc As Long Public Modifiers As Long, uVirtKey As Long, idHotKey As Long Public Function CallbackWndproc(ByVal hwnd As Long, _ ByVal Msg As Long, _ ByVal wParam As Long, _ ByVal lParam As Long) As Long If Msg = WM_HOTKEY Then If wParam = idHotKey Then Dim lp As taLong, i2 As t2Int lp.ll = lParam LSet i2 = lp If (i2.lWord = Modifiers) And i2.hword = uVirtKey Then Call KillBoom End If End If End If CallbackWndproc = CallWindowProc(preWinProc, hwnd, Msg, wParam, lParam) End Function
最后是窗体部分,注册热键然后隐藏自己:
Private Sub Form_Load() ‘this code refered from following link ‘@http://www.cnblogs.com/rosesmall/archive/2012/09/19/2693707.html preWinProc = GetWindowLong(Me.hwnd, GWL_WNDPROC) Call SetWindowLong(Me.hwnd, GWL_WNDPROC, AddressOf CallbackWndproc) idHotKey = 1 ‘in the range &h0000 through &hBFFF Modifiers = MOD_ALT + MOD_SHIFT uVirtKey = vbKeyK Call RegisterHotKey(Me.hwnd, idHotKey, Modifiers, uVirtKey) Call Me.Hide End Sub Private Sub Form_Unload(Cancel As Integer) Call SetWindowLong(Me.hwnd, GWL_WNDPROC, preWinProc) Call UnregisterHotKey(Me.hwnd, uVirtKey) End Sub
搞定收工!另外,那个汇编大神请原谅我,因为实在记不清你文章的网址了,这里就没法贴出来了。
贴张图炫耀下:
终于能打败我同学了,可惜我已经毕业了。。。
PS:差点忘了,最好还是另外注册个热键(如Alt+Shift+Q)关闭自己,否则窗体隐藏了你也许会忘掉它的存在。我因为是在调试模式下,所以不需要 Orz
VB6之扫雷克星
时间: 2024-11-02 10:29:00