[C] 纯文本查看 复制代码
// ConsoleApplication_GetBaseAddress.cpp : 定义控制台应用程序的入口点。
//
#include "stdafx.h"
#include<stdio.h>
#include<windows.h>
#include<psapi.h>
#include<direct.h>
#include <string.h>
int _tmain(int argc, _TCHAR* argv[])
{
//获取当前目录
char path[100];
getcwd(path, 100);
//printf("current work path:%s\n", path);
char *zifu = getcwd(path, 100);
//printf("current work path:%s\n", zifu);
char *zifu2 = "\\cadconvert_win.exe";//修改该值即可
char *zifu3 = strcat(zifu, zifu2);
printf("启动全能王CAD转换器:%s\n", zifu3);
//运行外部的程序
WinExec(zifu3, SW_SHOW);
//延时
int a;
a = 15000;
Sleep(a);
//获取窗口句柄
HWND hWnd = FindWindow(NULL, "全能王CAD转换器");
if (hWnd == NULL){ //如果无法获取句柄则报错
printf("无法获取窗口句柄,请检查进程是否存在!\n");
system("pause");
return -1;
}
DWORD pro_id;
GetWindowThreadProcessId(hWnd, &pro_id); //获取进程ID
if (pro_id == 0){
printf("无法获取进程ID\n");
system("pause");
return 0;
}
printf("进程id: %d\n", pro_id);
HANDLE hpro = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, pro_id);
if (hpro == 0){
printf("无法获取进程句柄");
}
printf("进程句柄id: %d\n", hpro);
// 获取每一个模块加载基址
DWORD pro_base = NULL;
DWORD prodll_base = NULL;
HMODULE hModule[100] = { 0 };
DWORD dwRet = 0;
int num = 0;
int bRet = EnumProcessModulesEx(hpro, (HMODULE *)(hModule), sizeof(hModule), &dwRet, NULL);
if (bRet == 0){
printf("EnumProcessModules");
}
// 总模块个数
num = dwRet / sizeof(HMODULE);
printf("总模块个数: %d\n", num);
// 打印每一个模块加载基址
char lpBaseName[100]; int ii;
for (int i = 0; i < num; i++){
GetModuleBaseNameA(hpro, hModule, lpBaseName, sizeof(lpBaseName));
printf("%-2d %-25s基址: 0x%p\n", i, lpBaseName, hModule);
char str2[100] = "QCommonUI.dll";
if (strcmp(lpBaseName, str2) == 0)//留着后面解决吧 输入了 == 号 就运行正常了 优化了这里,根据名字得到序号
{
printf("//////////////////////%-2d %-25s基址: 0x%p\n///////////////////", i, lpBaseName, hModule);
ii = i;
}
}
pro_base = (DWORD)hModule[0]; prodll_base = (DWORD)hModule[ii];//根据序号得到基地址
printf("程序基址: 0x%p\n", pro_base); printf("QCommonUI.dll基址: 0x%p\n", prodll_base);
/////////////////////////////////////////////////////////////////////////////
DWORD tounaofenbao = prodll_base + 0xF875A;
printf("需要修改的基地址: 0x%p\n", tounaofenbao);
//ReadProcessMemory(hpro, (PVOID)tounaofenbao, &tounaofenbao, 4, 0); 为什么注释掉,因为把eb95的值7C 79 FA 83 转换成了地址
//tounaofenbao = tounaofenbao + 0x0;
char Tnfb_value[5] = {0xE9,0x87,0xD8,0x00,0x00 };//OD显示的二进制顺序是 83 FA 79 7C 在换算的时候要倒着念 7C 79 FA 83 把7C 79 FA 83换成十进制就得到2088368771
WriteProcessMemory(hpro, (LPVOID)tounaofenbao, Tnfb_value, 5, 0);//是修改成功了 但程序确自动退出了 找到原因了 加上7C后就正确了 保持4个字节
DWORD gantetu = prodll_base + 0x105FE6;
printf("基地址2: 0x%p\n", gantetu);
char GTU_value[4] = {0xC6,0x40,0x08,0x01};
WriteProcessMemory(hpro, (LPVOID)gantetu, GTU_value, 4, 0);
DWORD gantetu2 = prodll_base + 0x105FEA;
printf("基地址3: 0x%p\n", gantetu2);
char GTU_value2[3] = { 0x8A,0x40,0x08 };
WriteProcessMemory(hpro, (LPVOID)gantetu2, GTU_value2, 3, 0);
DWORD zhutifengge = prodll_base + 0x105FED;
printf("基地址4: 0x%p\n", zhutifengge);
char zhutifengge_value[2] = { 0x8B, 0xE5 };
WriteProcessMemory(hpro, (LPVOID)zhutifengge, zhutifengge_value, sizeof(zhutifengge_value), 0);
DWORD zhutifengge2 = prodll_base + 0x105FEF;
printf("基地址5: 0x%p\n", zhutifengge2);
char zhutifengge_value2[1] = { 0x5D };
WriteProcessMemory(hpro, (LPVOID)zhutifengge2, zhutifengge_value2, sizeof(zhutifengge_value2), 0);
DWORD tup = prodll_base + 0x105FF0;
printf("基地址6: 0x%p\n", tup);
char tup_value[5] = { 0xE9, 0x6B, 0x27, 0xFF, 0xFF };
WriteProcessMemory(hpro, (LPVOID)tup, tup_value, sizeof(tup_value), 0);
return 0;
}
发表于 2023-10-15 13:17
