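这个东西是我自己研究出来的,可以说是费劲千辛万苦啊.
using System;
using System.Collections.Generic;
using System.Text;
using SWSoft.Api;
using HookAPI.Bll;
using System.Diagnostics;

namespace HookAPI
{
    /// <summary>
    /// Stages a 22-byte x86 stub in a page allocated inside the process referenced by
    /// <c>Util.Process</c> and runs it on a remote thread, passing an id (a "monster id"
    /// in the original comments) to a function at a fixed address in that process.
    /// </summary>
    /// <remarks>
    /// <c>Kernel32</c> is a project wrapper that is not visible here; it is presumably a thin
    /// P/Invoke layer over the Win32 functions of the same names (to be confirmed).
    /// The sequence used (full-access process handle, executable and writable private page,
    /// cross-process write, remote thread starting in that page) is the pattern that
    /// endpoint and anti-tamper tooling commonly monitor for.
    /// All addresses in this class are hard-coded and therefore tied to one specific build
    /// of the target binary.
    /// </remarks>
    public class Call
    {
        // Size passed to the allocate and free calls.
        private const int StubPageSize = 4096;

        // 4096 (0x1000) is MEM_COMMIT in the Win32 headers.
        private const int MemCommit = 4096;

        // 64 (0x40) is PAGE_EXECUTE_READWRITE in the Win32 headers: the page is writable and
        // executable at the same time for its whole lifetime.
        private const int PageExecuteReadWrite = 64;

        // NOTE(review): 16384 (0x4000) is MEM_DECOMMIT, not MEM_RELEASE (0x8000). If
        // Kernel32.VirtualFreeEx forwards this value unchanged, the page is decommitted but
        // the region stays reserved in the target process. Confirm which was intended.
        private const int FreeType = 16384;

        // Fixed address in the target that holds a pointer; read by BaseCall and by the stub.
        private const int BasePointerAddress = 0x00F6ACDC;

        // Offset from the pointer above at which BaseCall stores the id.
        private const int SelectedIdOffset = 0x628;

        // Handle returned by Kernel32.OpenProcess; IntPtr.Zero when nothing is installed.
        private IntPtr processHandle;

        // Address of the page allocated in the target process (0 until InstallCall succeeds).
        public uint address;

        // Stub bytes; bytes 1..4 are patched with the id on every CallMonster invocation.
        byte[] asm;

        /// <summary>
        /// Opens the target process, allocates one page in it and prepares the stub bytes.
        /// </summary>
        /// <returns><c>true</c> when both the handle and the page were obtained; otherwise <c>false</c>.</returns>
        public bool InstallCall()
        {
            try
            {
                // NOTE(review): PROCESS_ALL_ACCESS with an inheritable handle (second argument
                // true) is broader than what this class uses (allocate, write, create thread,
                // free). A narrower access mask and a non-inheritable handle would limit what
                // a leaked handle permits.
                processHandle = Kernel32.OpenProcess(Kernel32.PROCESS_ALL_ACCESS, true, Util.Process.Id);
                if (processHandle == IntPtr.Zero)
                {
                    return false;
                }

                address = Kernel32.VirtualAllocEx(processHandle, 0, StubPageSize, MemCommit, PageExecuteReadWrite);
                if (address == 0)
                {
                    // The original returned here with the process handle still open.
                    Kernel32.CloseHandle(processHandle);
                    processHandle = IntPtr.Zero;
                    return false;
                }

                asm = new byte[]
                {
                    0xB9, 0x00, 0x00, 0x00, 0x00,       // mov  ecx, imm32   (imm32 is patched by CallMonster)
                    0x51,                               // push ecx
                    0x8B, 0x0D, 0xDC, 0xAC, 0xF6, 0x00, // mov  ecx, [0x00F6ACDC]
                    0xB8, 0xB0, 0x40, 0x6A, 0x00,       // mov  eax, 0x006A40B0
                    0xFF, 0xD0,                         // call eax
                    0xC2, 0x04, 0x00                    // ret  4
                };
                return true;
            }
            catch (NullReferenceException)
            {
                // Kept from the original: presumably covers Util.Process being null.
                // The failure is reported through the false return value below.
            }
            return false;
        }

        /// <summary>
        /// Patches the id into the stub, copies the stub into the allocated page and runs it
        /// on a remote thread.
        /// </summary>
        /// <param name="id">Monster id (per the original comment) passed to the target function.</param>
        /// <exception cref="InvalidOperationException">
        /// <see cref="InstallCall"/> has not succeeded, or <see cref="UnInstall"/> has already run.
        /// </exception>
        public void CallMonster(uint id)
        {
            if (asm == null || processHandle == IntPtr.Zero)
            {
                throw new InvalidOperationException("InstallCall must succeed before CallMonster is used.");
            }

            // Overwrite the imm32 operand of the first instruction with the id.
            BitConverter.GetBytes(id).CopyTo(asm, 1);
            Kernel32.WriteByte(processHandle, address, asm);

            IntPtr thread = Kernel32.CreateRemoteThread(processHandle, 0, 0, address, 0, 0, 0);
            if (thread == IntPtr.Zero)
            {
                return;
            }

            // Wait with a timeout value of 10 (milliseconds, if the wrapper follows Win32).
            Kernel32.WaitForSingleObject(thread, 10);

            // The original closed the handle only when the wait returned 0, leaking one thread
            // handle per timed-out call. Closing the handle releases this process's reference
            // and does not stop the thread.
            Kernel32.CloseHandle(thread);
        }

        /// <summary>
        /// Selects an object by writing its id directly into the target's memory, without
        /// running any code in the target.
        /// </summary>
        /// <param name="id">Object number to store.</param>
        /// <param name="process">Process whose handle is used for the read and the write.</param>
        /// <exception cref="ArgumentNullException"><paramref name="process"/> is null.</exception>
        public void BaseCall(uint id, Process process)
        {
            if (process == null)
            {
                throw new ArgumentNullException("process");
            }

            uint baseadd = Kernel32.ReadUInt(process.Handle, BasePointerAddress);
            if (baseadd == 0)
            {
                // A zero pointer (presumably also what a failed read yields) would make the
                // write below land at a near-null address, so skip it.
                return;
            }

            Kernel32.WriteByte(process.Handle, baseadd + SelectedIdOffset, BitConverter.GetBytes(id));
        }

        /// <summary>
        /// Frees the page allocated by <see cref="InstallCall"/> and closes the process handle.
        /// </summary>
        /// <returns><c>true</c> only when both the free and the close succeeded.</returns>
        public bool UnInstall()
        {
            if (processHandle == IntPtr.Zero)
            {
                return false;
            }

            bool freed = Kernel32.VirtualFreeEx(processHandle, address, StubPageSize, FreeType);

            // The original skipped CloseHandle when the free failed, leaking the process
            // handle. The field is cleared so a stale handle value is never reused.
            bool closed = Kernel32.CloseHandle(processHandle);
            processHandle = IntPtr.Zero;

            return freed && closed;
        }

        /// <summary>
        /// Writes the current stub bytes to <see cref="address"/> through the two-argument
        /// <c>Kernel32.WriteByte</c> overload; which process that overload targets is decided
        /// inside <c>Kernel32</c> and is not visible here.
        /// </summary>
        public void WriteAsm()
        {
            Kernel32.WriteByte(address, asm);
        }
    }
}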