逆向 | 逃离鸭科夫锁血hook
赶时间,随便用frida搓了一个,原理是先通过hook找血量地址,再导出函数进行使用。
python端:
from __future__ import print_function # 这里__future__的目的是引入新版本特性
import frida
import sys
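import threading
import time

# 附加到目标进程(进程必须已在运行)
session = frida.attach('Duckov.exe')

# 读取js脚本
with open('hook.js', 'r', encoding='utf-8') as f:
    js_hook = f.read()
script = session.create_script(js_hook)


def add_hp(args, interval=5.0, stop_event=None):
    """Call the script's ``addhp`` export every *interval* seconds.

    Runs until *stop_event* is set; with the default ``None`` it runs for
    the lifetime of the (daemon) thread created below. *args* is unused
    and only kept because the thread passes a positional value.
    Any error raised by ``script.exports.addhp()`` (e.g. the script was
    unloaded) propagates and ends the thread.
    """
    if stop_event is None:
        stop_event = threading.Event()
    # Event.wait() sleeps for `interval` but returns True as soon as the
    # event is set, so a stop request does not have to wait out a full tick.
    while not stop_event.wait(interval):
        print('call add hp')
        script.exports.addhp()


# daemon=True: once stdin is closed (see the sys.stdin.read() at the bottom
# of the file) the main thread returns and the process exits instead of
# hanging on this endless loop.
t1 = threading.Thread(target=add_hp, args=(0,), daemon=True)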
def on_message(message, data):
    """Frida message callback: echo each incoming message to stdout.

    *data* (the optional binary payload that accompanies some messages)
    is ignored; only the message dict is written.
    """
    sys.stdout.write(str(message) + '\n')
# Register the message handler before load() so that messages emitted while
# the script initialises are delivered to it rather than dropped.
script.on('message', on_message)
script.load()
# Background thread that calls the script's addhp export periodically.
t1.start()
# Block until stdin reaches EOF (Ctrl+Z then Enter on Windows, Ctrl+D
# elsewhere); until then the session stays attached and t1 keeps running.
sys.stdin.read()
js:(一定要取消hook,不然程序会崩)
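// Base of the Unity runtime module; the hook address below is an RVA from here.
// findBaseAddress() returns null when the module is not loaded, and
// ImageBase.add(...) would then fail with a much less obvious TypeError,
// so fail early with a clear message instead.
const ImageBase = Module.findBaseAddress("UnityPlayer.dll");
if (ImageBase === null) {
    throw new Error("UnityPlayer.dll not found in target process");
}
console.log("ImageBase: " + ImageBase)
// Value written back by addhp(); also used by the hook as the fingerprint
// to recognise the HP field (the first float at the walked offset that
// equals full_hp is taken to be HP).
const full_hp = 40.0
// Set once the HP address has been located; addhp() is a no-op before then.
var found_hp = false
// NativePointer to the HP float; stays null until found_hp is true.
var hp_addr = null
// const rva = 0xACB720;
// var Fish__generate = parseInt(ImageBase, 16) + Fish__generate_RVA;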
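rpc.exports = {
    // Exported as `addhp`; the Python side calls script.exports.addhp()
    // every few seconds. A no-op until the hook below has located hp_addr.
    addhp: function () {
        if (!found_hp) {
            console.log('no hp_addr')
            return
        }
        // NOTE(review): hp_addr is captured once and never re-validated, so
        // once the owning object is freed this reads/writes stale memory.
        let now_hp = hp_addr.readFloat()
        hp_addr.writeFloat(full_hp)
        console.log(`【${hp_addr} 回血: ${now_hp} -> ${full_hp}】`)
    }
};

// Walk rdi -> [rdi+0x28] -> [..+0x90] and return the candidate HP slot
// (at +0x68), or null when a pointer on the way is NULL. A non-NULL but
// invalid pointer still throws; Frida reports the exception and the hook
// stays armed for the next call.
function hpSlotFrom(rdi) {
    let tmp = rdi.add(0x28).readPointer()
    console.log(` > ${tmp}`)
    if (tmp.isNull()) return null
    tmp = tmp.add(0x90).readPointer()
    console.log(` > ${tmp}`)
    if (tmp.isNull()) return null
    return tmp.add(0x68)
}

// One-shot hook: on the first call where the float reached through the walk
// above equals full_hp, remember that address as hp_addr and detach.
// The RVA and the offsets are specific to this build of the target; a
// different build needs re-analysis. ImageBase.add() already yields a
// NativePointer, so no ptr() wrapper is needed.
Interceptor.attach(ImageBase.add(0x77ff27), {
    onEnter(args) {
        if (found_hp) {
            return
        }
        const rdi = this.context.rdi
        console.log(rdi)
        const slot = hpSlotFrom(rdi)
        if (slot !== null) {
            const hp = slot.readFloat()
            console.log(` > ${hp}`)
            // readFloat() yields a Number, so strict equality with 40.0 holds.
            if (hp === full_hp) {
                found_hp = true
                hp_addr = slot
                console.log(`hp_addr: ${hp_addr}`)
                // 注销hook: the hook must not stay attached once the address is
                // known (see the note above the script), hence detach here.
                Interceptor.detachAll()
            }
        }
        console.log('----------------------------------')
    }
});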