大家一致为使用辅助器担心中毒而烦恼,今天老宝哥用程序代码来教大家实现一个红警2辅助器,关键是无毒。
一、效果
(一)无限金钱(怎么花都是100000)
(二)1秒冷确值 秒建,秒产,(开局就能秒建任何工兵厂,防御塔,秒产一切战车,士兵)
二、Go源码和运行如下:
(一)运行下载GO第三方库go get github.com/TheTitanrain/w32
(二)运行以下源码即可
package main
import (
"fmt"
"github.com/TheTitanrain/w32"
"strings"
"syscall"
"time"
"unsafe"
)
var (
kernel32DLL = syscall.MustLoadDLL("kernel32.dll")
ReadProcessMemory = kernel32DLL.MustFindProc("ReadProcessMemory")
procWriteProcessMemory = kernel32DLL.MustFindProc("WriteProcessMemory")
Psapi = syscall.MustLoadDLL("Psapi.dll")
EnumProcessModules = Psapi.MustFindProc("EnumProcessModules")
GetModuleBaseNameA = Psapi.MustFindProc("GetModuleBaseNameA")
)
func main() {
programName := "Red Alert 2"
//获取进程id
klint64, _ := syscall.UTF16PtrFromString(programName)
hwnd := w32.FindWindowW(nil, klint64)
_, pid := w32.GetWindowThreadProcessId(hwnd)
//打开进程
handle, err := syscall.OpenProcess(w32.PROCESS_ALL_ACCESS, false, uint32(pid))
if err != nil {
fmt.Println("OpenProcess error:", err)
return
}
defer syscall.CloseHandle(handle)
//获取程序基址
BaseAddress := GetProcessMoudleBase(uintptr(handle), "game.exe")
处理无线金钱
go func() {
Addr := []int64{0x635DB4, 0x24c}
for {
targetAdd, value := readXue(uintptr(handle), BaseAddress, Addr)
if value > 0 {
Money := 100000
w32.WriteProcessMemory(w32.HANDLE(handle), uintptr(targetAdd), uintptr(unsafe.Pointer(&Money)), unsafe.Sizeof(Money))
}
time.Sleep(time.Second * 5)
}
}()
处理建筑物
go func() {
var targetAdd int64
var value int
var BuildingAddr int64 = 0x433A50
for {
for i := 1; i <= 25; i++ {
BuildingAddrArr := []int64{}
BuildingAddrArr = append(BuildingAddrArr, BuildingAddr+int64(0x30)*int64(i))
BuildingAddrArr = append(BuildingAddrArr, 0x24)
targetAdd, value = readXue(uintptr(handle), BaseAddress, BuildingAddrArr)
if value > 0 && value < 52 {
m := 52
w32.WriteProcessMemory(w32.HANDLE(handle), uintptr(targetAdd), uintptr(unsafe.Pointer(&m)), unsafe.Sizeof(m))
}
}
time.Sleep(time.Second)
}
}()
防御
go func() {
var targetAdd int64
var value int
var BuildingAddr int64 = 0x4348E4
for {
for i := 1; i <= 25; i++ {
BuildingAddrArr := []int64{}
BuildingAddrArr = append(BuildingAddrArr, BuildingAddr+int64(0x30)*int64(i))
BuildingAddrArr = append(BuildingAddrArr, 0x24)
targetAdd, value = readXue(uintptr(handle), BaseAddress, BuildingAddrArr)
if value > 0 && value < 52 {
m := 52
w32.WriteProcessMemory(w32.HANDLE(handle), uintptr(targetAdd), uintptr(unsafe.Pointer(&m)), unsafe.Sizeof(m))
}
}
time.Sleep(time.Second)
}
}()
兵营
go func() {
var targetAdd int64
var value int
var Soldiers int64 = 0x435748
for {
for i := 0; i <= 25; i++ {
BuildingAddrArr := []int64{}
BuildingAddrArr = append(BuildingAddrArr, Soldiers+int64(0x30)*int64(i))
BuildingAddrArr = append(BuildingAddrArr, 0x24)
targetAdd, value = readXue(uintptr(handle), BaseAddress, BuildingAddrArr)
if value > 0 && value < 52 {
m := 52
w32.WriteProcessMemory(w32.HANDLE(handle), uintptr(targetAdd), uintptr(unsafe.Pointer(&m)), unsafe.Sizeof(m))
}
}
time.Sleep(time.Second)
}
}()
战车工厂
go func() {
var targetAdd int64
var value int
var Chariot int64 = 0x4365AC
for {
for i := 0; i < 30; i++ {
BuildingAddrArr := []int64{}
BuildingAddrArr = append(BuildingAddrArr, Chariot+int64(0x30)*int64(i))
BuildingAddrArr = append(BuildingAddrArr, 0x24)
targetAdd, value = readXue(uintptr(handle), BaseAddress, BuildingAddrArr)
fmt.Println("战车", i, ":", value)
if value > 0 && value < 52 {
m := 52
w32.WriteProcessMemory(w32.HANDLE(handle), uintptr(targetAdd), uintptr(unsafe.Pointer(&m)), unsafe.Sizeof(m))
}
}
time.Sleep(time.Second)
}
}()
for {
time.Sleep(time.Second)
}
}
func GetProcessMoudleBase(hProcess uintptr, moduleName string) int64 {
//异常处理
defer func() {
//捕获异常
err := recover()
if err != nil {
fmt.Println("[!]发生异常")
}
}()
// 遍历进程模块,
var hModel = [10000]int64{0}
var lpcbNeeded int = 0 //将所有模块句柄存储在 lphModule 数组中所需的字节数
var cb = int(unsafe.Sizeof(hModel)) //lphModule 数组的大小,以字节为单位。
isok, _, _ := EnumProcessModules.Call(hProcess, uintptr(unsafe.Pointer(&hModel)), uintptr(cb), uintptr(unsafe.Pointer(&lpcbNeeded)))
num := lpcbNeeded / int(unsafe.Sizeof(hModel[0]))
//fmt.Println("----------lpcbNeeded所需字节",lpcbNeeded,"当前",cb,"需要长度",num)
if isok <= 0 {
fmt.Println("[!] 枚举模块失败")
}
fmt.Printf("[+] 枚举进程模块成功,共%d个\n", num) //,hModel)
tmp := [50]byte{}
a := ""
for i := 0; i < num; i++ {
GetModuleBaseNameA.Call(hProcess, uintptr(hModel[i]), uintptr(unsafe.Pointer(&tmp)), 50)
for _, v := range tmp {
if v == 0 {
continue
} else {
a += string(v)
}
}
if strings.EqualFold(moduleName, a) {
fmt.Printf("[+] find! 模块名字%s 地址:0x%X\n", a, hModel[i])
return int64(hModel[i])
}
fmt.Printf(" > %s \t--->: 0x%X", a, hModel[i])
fmt.Printf(" \n ")
a = ""
tmp = [50]byte{}
}
return 0
}
func readXue(handle uintptr, BaseAddress int64, RVA2 []int64) (int64, int) {
//fmt.Printf("\n************************************************\n")
var CurrentAddress int64
//fmt.Println("模块名",modelName)
//fmt.Printf("[*] 使用的RVA偏移量链 -》%X\n", RVA2)
CurrentAddress = BaseAddress
var value int32
var tmp64 int64
var length int
for _, x := range RVA2 {
value = 0
tmp64 = CurrentAddress + x
ReadProcessMemory.Call(handle, uintptr(tmp64), uintptr(unsafe.Pointer(&value)), unsafe.Sizeof(value), uintptr(unsafe.Pointer(&length)))
//fmt.Printf("访问0x%X >> (RVA) %X -> (0x%X) %X\n", CurrentAddress, x, tmp64, value)
CurrentAddress = int64(value) //把偏移后获取到的实际地址值放入下一次循环计算的基地址
}
return tmp64, int(value)
}
源码与程序下载地址:百度网盘 请输入提取码
提取码:laob