c++ x86_x64挂钩无参数函数
  • https://github.com/januwA/GameCheat

    #include "pch.h"
    #include
    #include
    #include "GameCheat.h"

    using namespace std;

    /// Hook body executed from the trampoline each time the hooked
    /// instruction is reached (see MyThread). It takes no arguments and
    /// returns nothing; the trampoline around it saves and restores only
    /// the accumulator register.
    void __stdcall myHook()
    {
        puts("触发钩子了");
    }

    /// Worker thread started from DllMain.
    ///
    /// Builds a small trampoline in freshly allocated executable memory that
    /// (1) saves the accumulator, (2) calls myHook, (3) restores the accumulator,
    /// (4) replays the instruction bytes overwritten at `addr` and (5) jumps
    /// back to the instruction after them. It then loops until F12 is pressed,
    /// toggling a 5-byte `jmp newHook` patch at `addr` on every F4 press.
    ///
    /// @param hModule  this DLL's module handle; released via
    ///                 FreeLibraryAndExitThread when the loop ends.
    /// @return never returns normally (see the note at the end).
    DWORD WINAPI MyThread(HMODULE hModule)
    {

    // Target module name differs per architecture; GameCheat presumably
    // resolves it into gc.mi (module info) — see the linked repository.
    #ifdef _WIN64
    GameCheat gc{ "Tutorial-x86_64.exe" };
    #else
    GameCheat gc{ "Tutorial-i386.exe" };
    #endif // _WIN64

    // Console for the printf output below; closed again before the thread exits.
    FILE* f;
    gc.openConsole(&f);
    printf("INJECT OK\n");

    // Hook point: a 6-byte `sub [reg+disp32],eax` at a fixed module offset.
    // The 6 bytes are "stolen" (copied into the trampoline) so that a 5-byte
    // jmp plus one nop can be written over them.
    //x64 Tutorial-x86_64.exe+2B08C - 29 83 F0070000 - sub [rbx+000007F0],eax
    //x86 Tutorial-i386.exe+2578F - 29 83 AC040000 - sub [ebx+000004AC],eax

    // NOTE(review): the line below is garbled by extraction — the `#else` and
    // the x86 declarations were collapsed onto it, and the pointer casts
    // appear to have lost their `*`; the linked repository has the original.
    // On x64, `lpAddress` asks VirtualAlloc for memory 64 KiB below the module
    // base — presumably so the rel32 jmp/call displacements used below fit in
    // 32 bits; VirtualAlloc treats the address only as a hint. Confirm.
    #ifdef _WIN64
    BYTE* addr = (BYTE)gc.mi.lpBaseOfDll + 0x2B08C; vector copyBytes = GameCheat::byteStr2Bytes("29 83 F0 07 00 00"); BYTE lpAddress = (BYTE)gc.mi.lpBaseOfDll - 0x10000; #else BYTE addr = (BYTE)gc.mi.lpBaseOfDll + 0x2578F; vector copyBytes = GameCheat::byteStr2Bytes("29 83 AC 04 00 00"); BYTE lpAddress = 0;
    #endif // _WIN64

    // NOTE(review): the return value is not checked — a NULL here is
    // dereferenced by the first write below. The region is RWX for its whole
    // lifetime, and its 500 bytes are never bounds-checked against `position`.
    BYTE* newHook = (BYTE*)VirtualAlloc(lpAddress, 500, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    // Write cursor into the trampoline.
    size_t position = 0;

    // push eax (push rax on x64). Only the accumulator is preserved around
    // the call; myHook may clobber other caller-saved registers — whether
    // that matters depends on which registers are live at the hooked site.
    *(newHook + position) = 0x50;
    position += sizeof(BYTE);

    #ifdef _WIN64
    // mov rax,myHook
    // sub rsp,0x20
    // call rax
    // add rsp,0x20
    //
    // NOTE(review): the `(WORD)`, `(uintptr_t)` and `(DWORD)` casts below read
    // as `*(WORD*)`, `*(uintptr_t*)`, `*(DWORD*)` in the original; the `*`s
    // look stripped by extraction. `sub rsp,0x20` presumably reserves the
    // 32-byte Win64 shadow space; 16-byte alignment of rsp at the call is not
    // ensured here and depends on the alignment at the hooked site — confirm.

    // mov rax,myHook
    (WORD)(newHook + position) = 0xB848; // mov
    position += sizeof(WORD);

    // Absolute 64-bit address of myHook as the mov immediate.
    (uintptr_t)(newHook + position) = (uintptr_t)myHook; // myHook
    position += sizeof(uintptr_t);

    // sub rsp,0x20
    (DWORD)(newHook + position) = 0x20EC8348;
    position += sizeof(DWORD);

    // call rax
    (WORD)(newHook + position) = 0xD0FF;
    position += sizeof(WORD);

    // add rsp,0x20
    (DWORD)(newHook + position) = 0x20C48348;
    position += sizeof(DWORD);

    #else

    // call myHook: the rel32 displacement is target minus the address of the
    // next instruction (current + 5 bytes for E8 + imm32).
    DWORD callMyHookBytes = (BYTE*)myHook - (newHook + position) - 5;
    *(newHook + position) = 0xE8;
    position += sizeof(BYTE);
    // NOTE(review): presumably `*(DWORD*)` in the original (see above).
    (DWORD)(newHook + position) = callMyHookBytes;
    position += sizeof(DWORD);

    #endif // _win64

    // pop eax (pop rax on x64)

    // NOTE(review): the leading bullet below is an extraction artifact of `*`.
    • (newHook + position) = 0x58;
      position += sizeof(BYTE);

      // Replay the stolen bytes; depending on the situation this can be omitted.
      memcpy_s(newHook + position, copyBytes.size(), copyBytes.data(), copyBytes.size());
      position += copyBytes.size();

      // jmp back to the instruction following the stolen bytes (rel32, same
      // `target - next_instruction` formula as above).
      DWORD jmpReturnBytes = (addr + copyBytes.size()) - (newHook + position) - 5;
      *(newHook + position) = 0xE9;
      position += sizeof(BYTE);
      *(DWORD*)(newHook + position) = jmpReturnBytes;

      // Displacement of the `jmp newHook` written at addr. NOTE(review): the
      // pointer difference is truncated to 32 bits; on x64 this is only valid
      // when newHook lies within ±2 GiB of addr, which the lpAddress hint above
      // attempts but VirtualAlloc does not guarantee.
      DWORD jmpHookBytes = newHook - addr - 5;
      bool bEnable = false;
      printf(" F4 开启/关闭\n");
      // NOTE(review): F12 ends the loop regardless of bEnable. If the hook is
      // installed at that moment, the patched jmp at addr still points into the
      // region that VirtualFree releases below.
      while (!GetAsyncKeyState(VK_F12))
      {
      if ( GetAsyncKeyState(VK_F4) & 1 )
      {
      bEnable = !bEnable;
      if (bEnable)
      {
      printf("挂钩\n");
      // Tutorial-x86_64.exe+2B08C >> jmp newHook
      // Patch: nop-fill the stolen bytes, then write E9 + rel32 over the first
      // five. NOTE(review): these writes are not atomic with respect to a
      // target thread that may be executing at addr.
      DWORD oldProc;
      VirtualProtect(addr, copyBytes.size(), PAGE_EXECUTE_READWRITE, &oldProc);
      memset(addr, 0x90, copyBytes.size());
      *addr = 0xE9;
      *(DWORD*)(addr + 1) = jmpHookBytes;
      // NOTE(review): VirtualProtect requires a valid lpflOldProtect pointer;
      // with 0 this call fails and the code page stays PAGE_EXECUTE_READWRITE.
      // The unhook path below has the same issue.
      VirtualProtect(addr, copyBytes.size(), oldProc, 0);
      }
      else
      {
      printf("脱钩\n");
      // Unhook: restore the original 6 bytes.
      DWORD oldProc;
      VirtualProtect(addr, copyBytes.size(), PAGE_EXECUTE_READWRITE, &oldProc);
      memcpy_s(addr, copyBytes.size(), copyBytes.data(), copyBytes.size());
      VirtualProtect(addr, copyBytes.size(), oldProc, 0);
      }
      }
      Sleep(10);
      }

      VirtualFree(newHook, 0, MEM_RELEASE);
      gc.closeConsole(f);
      // NOTE(review): FreeLibraryAndExitThread does not return, so the
      // `return 0` below is unreachable and local destructors (e.g. gc's) are
      // not run.
      FreeLibraryAndExitThread(hModule, 0);
      return 0;
      }

    /// DLL entry point: on process attach, starts MyThread with this module's
    /// handle. The thread handle is closed immediately because nothing here
    /// waits on it (the worker releases the module itself). All other
    /// notifications are ignored; the function always reports success.
    BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD ul_reason_for_call,
    LPVOID lpReserved
    )
    {
        if (ul_reason_for_call == DLL_PROCESS_ATTACH)
        {
            HANDLE worker = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)MyThread, hModule, 0, 0);
            CloseHandle(worker);
        }
        return TRUE;
    }
