首先看看这个"口语无优"是个杂东西
啊是个只能使用5分钟的限制
不说如何去爆破。也不是追码,这次是
直接的内存补丁解除限制
好了进入程序.要找到开始计时的东西.就是那个练习模式与考试模式了
现在打开练习模式,再开个CE搜索一把
搜索模糊搜索未知值,然后搜索增加值(参见CE说明书哈)
图中我们可以看到00474E34那个地址是固定的..不难猜想到的那就是个时间计算的地址
再验证一下让他到300看看有啥
很明显到300后自动弹出那个退出的东西
好了.只要更改00474E34这里的值就可以了.把他改到1..永远不要到300 -_-你还杂样.
下面给出一份VB的源码
@@@@@@@@@@@@@无敌分割线@@@@@@@@@@@@@@@@@
'form文件
Public BaseAddr As Long
Private Sub Form_Load()
Timer1.Enabled = True
End Sub
Private Sub Timer1_Timer()
Call FindGame
If FindGame = True Then
Timer2.Enabled = True
End If
End Sub
Private Sub Timer2_Timer()
WriteProcessMemory hProcess, &H474E34, 1#, 4, 0
ReadProcessMemory hProcess, &H474E34, BaseAddr, 4, 0
Label1.Caption = BaseAddr
End Sub
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
'bas文件
Option Explicit
Public Const GWL_WNDPROC = (-4)
Public Const WM_USER = &H400
Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, ByVal nIndex As Long) As Long
Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Public prevWndProc As Long
Dim IsCtrlDown As Boolean
'1.查找窗口
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
'2.取得进程ID
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
'3.打开进程
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
'4.把数值写入内存
Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
'5.从内存中读取数值
Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
'6.关闭打开的线程句柄
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
'7.一个操作内存的权力常数
Private Const PROCESS_ALL_ACCESS = &H1F0FFF
Public hProcess As Long
'下面的函数用于查找Function FindGame() As Boolean
Dim PID As Long, Gamehwnd As Long
Gamehwnd = FindWindow("#32770", "口语无忧") '查找句柄
If (Gamehwnd = 0) Then Exit Function '如果找不到就退出函数
GetWindowThreadProcessId Gamehwnd, PID '取得进程ID
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, PID) '以全部权力打开进程
If (hProcess = 0) Then Exit Function '打开进程失败
FindGame = True '成功!!
End Function
@@@@@@@@@@@@@@
看看最后的结果
跑到7分钟还没退出。.证明成功了..下面给一下那个编译的EXE地址
http://www.freeupload.cn/download.php?file=662414
68元的东西就免费用着了
啊是个只能使用5分钟的限制
不说如何去爆破。也不是追码,这次是
直接的内存补丁解除限制
好了进入程序.要找到开始计时的东西.就是那个练习模式与考试模式了
现在打开练习模式,再开个CE搜索一把
搜索模糊搜索未知值,然后搜索增加值(参见CE说明书哈)
图中我们可以看到00474E34那个地址是固定的..不难猜想到的那就是个时间计算的地址
再验证一下让他到300看看有啥
很明显到300后自动弹出那个退出的东西
好了.只要更改00474E34这里的值就可以了.把他改到1..永远不要到300 -_-你还杂样.
下面给出一份VB的源码
@@@@@@@@@@@@@无敌分割线@@@@@@@@@@@@@@@@@
'form文件
Public BaseAddr As Long
Private Sub Form_Load()
Timer1.Enabled = True
End Sub
Private Sub Timer1_Timer()
Call FindGame
If FindGame = True Then
Timer2.Enabled = True
End If
End Sub
Private Sub Timer2_Timer()
WriteProcessMemory hProcess, &H474E34, 1#, 4, 0
ReadProcessMemory hProcess, &H474E34, BaseAddr, 4, 0
Label1.Caption = BaseAddr
End Sub
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
'bas文件
Option Explicit
Public Const GWL_WNDPROC = (-4)
Public Const WM_USER = &H400
Declare Function GetWindowLong Lib "user32" Alias "GetWindowLongA" (ByVal hWnd As Long, ByVal nIndex As Long) As Long
Declare Function SetWindowLong Lib "user32" Alias "SetWindowLongA" (ByVal hWnd As Long, ByVal nIndex As Long, ByVal dwNewLong As Long) As Long
Public prevWndProc As Long
Dim IsCtrlDown As Boolean
'1.查找窗口
Private Declare Function FindWindow Lib "user32" Alias "FindWindowA" (ByVal lpClassName As String, ByVal lpWindowName As String) As Long
'2.取得进程ID
Private Declare Function GetWindowThreadProcessId Lib "user32" (ByVal hWnd As Long, lpdwProcessId As Long) As Long
'3.打开进程
Private Declare Function OpenProcess Lib "kernel32" (ByVal dwDesiredAccess As Long, ByVal bInheritHandle As Long, ByVal dwProcessId As Long) As Long
'4.把数值写入内存
Declare Function WriteProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
'5.从内存中读取数值
Declare Function ReadProcessMemory Lib "kernel32" (ByVal hProcess As Long, ByVal lpBaseAddress As Any, lpBuffer As Any, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
'6.关闭打开的线程句柄
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long
'7.一个操作内存的权力常数
Private Const PROCESS_ALL_ACCESS = &H1F0FFF
Public hProcess As Long
'下面的函数用于查找Function FindGame() As Boolean
Dim PID As Long, Gamehwnd As Long
Gamehwnd = FindWindow("#32770", "口语无忧") '查找句柄
If (Gamehwnd = 0) Then Exit Function '如果找不到就退出函数
GetWindowThreadProcessId Gamehwnd, PID '取得进程ID
hProcess = OpenProcess(PROCESS_ALL_ACCESS, False, PID) '以全部权力打开进程
If (hProcess = 0) Then Exit Function '打开进程失败
FindGame = True '成功!!
End Function
@@@@@@@@@@@@@@
看看最后的结果
跑到7分钟还没退出。.证明成功了..下面给一下那个编译的EXE地址
http://www.freeupload.cn/download.php?file=662414
68元的东西就免费用着了
扫一扫
94
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
