
我試圖從我的程序中使用 fastcall 約定來調用另一個進程中的函數,但每次嘗試時都會崩潰。已經花了很多時間仍無法解決……需要一些幫助,謝謝……以下是所有需要的信息以及我的嘗試:快速調用函數崩潰


圖爲程序運行時,在該函數處觸發斷點後的指令上下文……

這是我的源代碼。提前感謝 :)

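/* Signature assumed for the target function located at module base + 0x5C400
 * (see main()).  __fastcall is an x86-32 convention (first two integer
 * arguments in ECX/EDX, the rest on the stack); the true signature of the
 * target is not known from this listing, and a wrong convention or argument
 * list corrupts the caller's stack.  A MyFoo value is only meaningful inside
 * the process whose module base it was derived from. */
typedef void (__fastcall * MyFoo)(void * client,DWORD trash, DWORD ConstantD, DWORD objBattid, DWORD zeroParam, DWORD thousParam, float fVal,DWORD targetID); 
MyFoo launchMe;   /* assigned in main(); holds an address in the *target* process */

/* Returns the module base of ProcessID, or 0 on failure (defined below). */
DWORD getProcessBaseAdress(DWORD ProcessID); 

/* Window title passed to FindWindowA.  A string literal is read-only, so the
 * pointer is const (writing through a non-const char * would be UB).  The
 * trailing "\0" is redundant but harmless. */
const char *flyffServer = "insanity flyff\0"; 

HWND neuzWindow = NULL; 
DWORD neuzProcessID = 0;   /* DWORD is an integer: initialise with 0, not NULL */
DWORD neuzRamAdress = 0;   /* module base of the target process (remote address) */
HANDLE neuzHandle = NULL; 
DWORD clientAdr = 0;       /* remote address of the 'client' object (base + 0x8D0DC0 in main) */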

/*
 * Entry point.  Finds the "insanity flyff" window, opens its process and
 * computes two addresses (a function at base + 0x5C400 and an object at
 * base + 0x8D0DC0) relative to that process's module base, then calls the
 * function through a local function pointer.
 *
 * Root cause of the reported crash: the base is obtained from a module
 * snapshot of the *other* process (getProcessBaseAdress), so launchMe and
 * clientAdr are virtual addresses in that process's address space.  Calling
 * through launchMe from this process jumps to whatever, if anything, is
 * mapped at that address here; the calling convention is irrelevant to that.
 * The DWORD address arithmetic also assumes a 32-bit build.
 *
 * Other defects visible in this listing, left unchanged here:
 *  - thousParam in the printf below is never declared; the local is milleParam,
 *    so the listing does not compile as written.
 *  - %08X is used for a function pointer and a void *; %p is the matching
 *    specifier (mismatched printf specifiers are UB).
 *  - scanf("%d") reads into an unsigned DWORD and its return is unchecked.
 *  - neuzHandle is opened with PROCESS_ALL_ACCESS and never closed.
 *  - the for(;;) loop returns on its first pass, so Sleep(100) never runs.
 */
int main(){ 
neuzWindow = FindWindowA(0,flyffServer); 
//-------------------------------------- 
if(neuzWindow){ 
    GetWindowThreadProcessId(neuzWindow,&neuzProcessID); /* thread id (return value) unused; PID via out-param */ 

    if(neuzProcessID){ 
     neuzHandle = OpenProcess(PROCESS_ALL_ACCESS,false,neuzProcessID); /* 'false' needs <stdbool.h> in C; fine in C++ */ 

     if(neuzHandle){ 
      neuzRamAdress = getProcessBaseAdress(neuzProcessID); // Extracting Neuz's base address (an address in Neuz's address space, not ours) 

      if(neuzRamAdress){ 
       launchMe = (MyFoo)((DWORD)neuzRamAdress + 0x5C400); /* build-specific offsets; only valid inside the target process */ 
       clientAdr = (DWORD)neuzRamAdress + 0x8D0DC0; 

       printf("Instruction: 0x%08X\n",launchMe); /* function pointer printed with %X: should be %p */ 
       printf("Client ADR: 0x%08X\n",clientAdr); 

       for(;;Sleep(100)){ /* body returns unconditionally, so this never loops */ 
        //------------ init params ------------ 
        void * client = (void*)clientAdr; 
        DWORD trashDX = (DWORD)0x0000000B; 
        DWORD msge = (DWORD)0x0000001D; 
        DWORD selectedBattID = 0x04D4A929; 
        DWORD zeroParam = (DWORD) 0x00000000; 
        DWORD milleParam = 0x00010000; 
        float speedAtt = 0.07f; 
        DWORD targetID = 0x0089B964; 

        printf("0x%08X\n0x%08X\n0x%08X\n0x%08X\n0x%08X\n0x%08X\n%f\n0x%08X\n", 
         client, /* void * with %X: should be %p */ 
         trashDX, 
         msge, 
         selectedBattID, 
         zeroParam, 
         thousParam, /* undeclared: the local defined above is milleParam */ 
         speedAtt, 
         targetID 
        ); 

         launchMe(client,trashDX,msge,selectedBattID,zeroParam,milleParam,speedAtt,targetID); // -> Error: indirect call to a remote-process address; faults in this process 
         scanf("%d",&trashDX); // for blocking the program (format/type mismatch, return unchecked) 
         return 0; /* neuzHandle is never closed on this path (nor below) */ 
       } 
      } 
      else printf("Unable to access to Neuz's Ram Adress\n"); 
     } 
     else printf("Unable to obtain neuz's handle\n"); 
    } 
    else printf("Unable to detect neuz's process ID\n"); 
} 
else printf("Unable to detect neuz's window\n"); 
return 0; 
} 

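/*
 * Returns the load address of the first module enumerated in a snapshot of
 * process ProcessID (in practice the process's own executable — confirm for
 * the target), or 0 when the snapshot cannot be taken or the enumeration
 * fails.  0 is already what main() treats as failure.
 *
 * The returned value is a virtual address in the *target* process; it must
 * not be dereferenced or called through from the calling process.
 * Truncating modBaseAddr to DWORD only round-trips in a 32-bit build.
 */
DWORD getProcessBaseAdress(DWORD ProcessID){ 
    HANDLE hModuleSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, ProcessID); 
    if (hModuleSnap == INVALID_HANDLE_VALUE) { 
        return 0;   /* no such process or insufficient access */ 
    } 

    MODULEENTRY32 me32 = {0}; 
    me32.dwSize = sizeof(me32);   /* must be set before Module32First, which validates it */ 

    DWORD base = 0; 
    if (Module32First(hModuleSnap, &me32)) { 
        base = (DWORD) me32.modBaseAddr; 
    } 

    CloseHandle(hModuleSnap);   /* previously leaked on every call */ 
    return base; 
} 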

謝謝...


根據所給出的信息,這個問題無法回答(我不會點擊指向隨機圖像託管網站的圖像鏈接)。我們無法知道偏移量爲 0x5C400 的函數需要什麼調用約定,但如果它導致*「崩潰」*,那麼就不是您指定的那個。 – IInspectable


如果你查看圖片,會看到 cheatengine 的調試過程:用它獲取帶有完整堆棧內容的指令地址來檢查參數,而且我的地址/參數與調試器中顯示的值相同。我應該提供哪些信息才能得到回答? – Mouley


偏移量爲 0x5C400 的函數的**真實**簽名。到目前爲止,我們只看到了你的最佳猜測。 – IInspectable

回答


正如評論中所指出的,問題來自於訪問另一個進程的虛擬地址空間:函數指針只在目標進程中有意義,在本進程中調用它必然崩潰。研究 Windows 內存管理和 DLL 注入爲我解決了這個問題……也許將來有人也會遇到同樣的問題。