冒险岛2游戏中有一个开放性功能冒险岛2diy,许多玩家朋友都不知道冒险岛2怎么diy,还不知道冒险岛2怎么diy的朋友可以点击查看冒险岛2diy教程,了解了冒险岛2diy方法后来设计属于自己的时装,一起来看看冒险岛2diy时装详细教程吧。
上篇我讲述了如何修改中游军棋的求和显示到右边的riched框, 这次我教大家如何在上面增加一个按钮,然后如何捕捉这个按钮的事件,当点击这个增加的按钮干一点我们自己想干的事情,好废话少说,突入正题。 首先用观察军棋的右边有四个按钮,分别是帮助、设置、大厅、退出,好现在我们增加一个按钮叫欢迎(在我自己做的补丁里面这个按钮是作弊,专门用来解散棋局用的,但是限于中游的公平,我不能教大家如何作弊只能教大家如何diy pe了)。首先用资源编辑器(我用的是资源黑客)打开 junqi.exe观察到这四个按钮如下: 104 DIALOGEX 0, 0, 213, 364 STYLE WS_CHILD CAPTION " LANGUAGE LANG_CHINESE, 0x2 FONT 9, 宋体" { CONTROL ", 1008, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 0, 338, 181, 13 CONTROL 帮助(&H)", 1014, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 13, 170, 35, 15 CONTROL 设置(&S)", 1013, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 67, 170, 35, 15 CONTROL 大厅(&P)", 1001, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 13, 190, 35, 15 CONTROL 退出(&X)", 1000, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 67, 190, 35, 15 CONTROL ", 1016, RICHEDIT", ES_LEFT | ES_MULTILINE | ES_AUTOVSCROLL | ES_WANTRETURN | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_VSCROLL | WS_TABSTOP, 0, 213, 213, 106 , 0x00000200 CONTROL 颜色", 1015, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 181, 322, 25, 13 CONTROL ", 1005, {8856F961-340A-11D0-A96B-00C04FD705A2}", 0x50010000, 0, 0, 213, 60 CONTROL List1", 1006, SysListView32", LVS_REPORT | LVS_SINGLESEL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 0, 60, 213, 103 CONTROL ", 1002, COMBOBOX, CBS_DROPDOWN | CBS_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_VSCROLL, 0, 322, 120, 166 CONTROL ", 1003, COMBOBOX, CBS_DROPDOWNLIST | WS_CHILD | WS_VISIBLE | WS_VSCROLL | WS_TABSTOP, 123, 322, 53, 81 CONTROL 发送", 1004, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 182, 338, 25, 14 } 好我们现在就增加一个按钮,增加以后的资源如下: 104 DIALOGEX 0, 0, 213, 364 STYLE WS_CHILD CAPTION " LANGUAGE LANG_CHINESE, 0x2 FONT 9, 宋体", FW_DONTCARE, FALSE, 0 { CONTROL ", 1008, EDIT, ES_LEFT | ES_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 0, 338, 181, 13 CONTROL 帮助(&H)", 1014, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 13, 171, 35, 15 CONTROL 欢迎(&L)", 1011, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 115, 170, 35, 15 CONTROL 设置(&S)", 1013, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 67, 170, 35, 15 CONTROL 大厅(&P)", 1001, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 13, 190, 35, 15 CONTROL 退出(&X)", 1000, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 67, 190, 35, 15 CONTROL ", 1016, RICHEDIT", ES_LEFT | ES_MULTILINE | ES_AUTOVSCROLL | ES_WANTRETURN | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_VSCROLL | WS_TABSTOP, 0, 213, 213, 106 , 0x00000200 CONTROL 颜色", 1015, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 181, 322, 25, 13 CONTROL ", 1005, {8856F961-340A-11D0-A96B-00C04FD705A2}", 0x50010000, 0, 0, 213, 60 CONTROL List1", 1006, SysListView32", LVS_REPORT | LVS_SINGLESEL | WS_CHILD | WS_VISIBLE | WS_BORDER | WS_TABSTOP, 0, 60, 213, 103 CONTROL ", 1002, COMBOBOX, CBS_DROPDOWN | CBS_AUTOHSCROLL | WS_CHILD | WS_VISIBLE | WS_VSCROLL, 0, 322, 120, 166 CONTROL ", 1003, COMBOBOX, CBS_DROPDOWNLIST | WS_CHILD | WS_VISIBLE | WS_VSCROLL | WS_TABSTOP, 123, 322, 53, 81 CONTROL 发送", 1004, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 182, 338, 25, 14 } 这里和上面不同的是多了下面这句, CONTROL 欢迎(&L)", 1011 BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 115, 170, 35, 15 记住增加按钮要更改其control id,否则有重复的id的话,搞得几个按钮的功能会一样,这是因为windows是靠id来判别点击的是那个按钮 我这里把id改为1015,换成16进制就是3f3,用资源黑客编译一下(你用别的资源编辑器如c++的,都行),运行一下,看看旁边多了一个 名叫欢迎的按钮,点击这个按钮,怎么没有反应,不要急你还没有给这个按钮加入事件呢,怎么会有反应呢?下一步就是给这个按钮加入 事件,首先我们要了解windows的机制,点击这个按钮后,windows会sendmessage 一个command消息给应用程序查api手册就知道。command 消息带有wParam参数,这个参数就是你的按钮id,那么我们现在的任务就是找到应用程序判断消息的地方。。我们下断点bpx seedmessage 点击,那个帮助的按钮,然后仔细观察程序的走向,你会发现消息判别在这个地方: :004391AB B8D8A24400 mov eax, 0044A2D8 :004391B0 E853EDFEFF call 00427F08 :004391B5 83EC54 sub esp, 00000054 :004391B8 8365F000 and dword ptr [ebp-10], 00000000 :004391BC 53 push ebx :004391BD 8B5D08 mov ebx, dword ptr [ebp+08] :004391C0 56 push esi :004391C1 57 push edi :004391C2 81FB11010000 cmp ebx, 00000111===》比较消息是否是111(wm_command) :004391C8 8BF9 mov edi, ecx :004391CA 7518 jne 004391E4 :004391CC FF7510 push [ebp+10] :004391CF 8B07 mov eax, dword ptr [edi] :004391D1 FF750C push [ebp+0C]======>这里传递按钮的id(也就是wParam参数)点击帮助按钮,这里我们可以看到id为3f6(1014)正好是帮助的control id :004391D4 FF5078 call [eax+78] :004391D7 85C0 test eax, eax :004391D9 0F8455010000 je 00439334 :004391DF E91D040000 jmp 00439601 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004391CA(C) | :004391E4 83FB4E cmp ebx, 0000004E 跟踪进call [eax+78]到下面(现在你就要牢牢的抓住这个3f6看看程序是如何判断和传递3f6的id的)我这里call 【eax+78】是到达 :00439747 55 push ebp :00439748 8BEC mov ebp, esp :0043974A 83EC2C sub esp, 0000002C :0043974D 8B4508 mov eax, dword ptr [ebp+08] :00439750 53 push ebx :00439751 56 push esi :00439752 57 push edi :00439753 0FB7F8 movzx edi, ax :00439756 33DB xor ebx, ebx :00439758 8BF1 mov esi, ecx :0043975A C1E810 shr eax, 10 :0043975D 395D0C cmp dword ptr [ebp+0C], ebx :00439760 894508 mov dword ptr [ebp+08], eax :00439763 753A jne 0043979F :00439765 3BFB cmp edi, ebx :00439767 7466 je 004397CF :00439769 8D4DD4 lea ecx, dword ptr [ebp-2C] :0043976C E8ACFFFFFF call 0043971D :00439771 8B06 mov eax, dword ptr [esi] :00439773 8D4DD4 lea ecx, dword ptr [ebp-2C] :00439776 53 push ebx :00439777 51 push ecx :00439778 6AFF push FFFFFFFF :0043977A 57 push edi :0043977B 8BCE mov ecx, esi :0043977D 897DD8 mov dword ptr [ebp-28], edi :00439780 FF500C call [eax+0C] :00439783 395DFC cmp dword ptr [ebp-04], ebx :00439786 743E je 004397C6 :00439788 895D08 mov dword ptr [ebp+08], ebx * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004397CD(C) | :0043978B 8B06 mov eax, dword ptr [esi] :0043978D 53 push ebx :0043978E 53 push ebx :0043978F 8BCE mov ecx, esi :00439791 FF7508 push [ebp+08] :00439794 57 push edi :00439795 FF500C call [eax+0C]==》这里就会call那个帮助的ie哦好我们再这个call里面去一趟 * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:004397C9(U), :004397D1(U) | :00439798 5F pop edi :00439799 5E pop esi :0043979A 5B pop ebx :0043979B C9 leave :0043979C C20800 ret 0008 call [eax+0C]会到达下面 :0043E4D6 B85CA34400 mov eax, 0044A35C :0043E4DB E8289AFEFF call 00427F08 :0043E4E0 51 push ecx :0043E4E1 51 push ecx :0043E4E2 57 push edi :0043E4E3 8BF9 mov edi, ecx :0043E4E5 FF7514 push [ebp+14] :0043E4E8 FF7510 push [ebp+10] :0043E4EB FF750C push [ebp+0C] :0043E4EE FF7508 push [ebp+08]==>这里又看到老朋友3f6了 :0043E4F1 E8D0CAFFFF call 0043AFC6==》看来进这个call吧 :0043E4F6 85C0 test eax, eax :0043E4F8 7405 je 0043E4FF call 0043AFC6 里面继续跟踪,会发现比较消息的id是在下面这段 :0043B09B FF7508 push [ebp+08]==》这里能看到老朋友3f6 :0043B09E FF750C push [ebp+0C] :0043B0A1 53 push ebx :0043B0A2 FF7604 push [esi+04] :0043B0A5 E87DE0FFFF call 00439127 :0043B0AA 85C0 test eax, eax :0043B0AC 7504 jne 0043B0B2 call 00439127里面如下 :00439127 55 push ebp :00439128 8BEC mov ebp, esp :0043912A 53 push ebx :0043912B 8B5D08 mov ebx, dword ptr [ebp+08] :0043912E 8B450C mov eax, dword ptr [ebp+0C] :00439131 8B5510 mov edx, dword ptr [ebp+10] :00439134 8B4D14 mov ecx, dword ptr [ebp+14] * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00439144(U) | :00439137 837B1000 cmp dword ptr [ebx+10], 00000000 :0043913B 741D je 0043915A :0043913D 3B03 cmp eax, dword ptr [ebx] :0043913F 7405 je 00439146 * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:00439149(C), :0043914E(C), :00439153(C) | :00439141 83C318 add ebx, 00000018 :00439144 EBF1 jmp 00439137 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0043913F(C) | :00439146 3B5304 cmp edx, dword ptr [ebx+04] :00439149 75F6 jne 00439141 :0043914B 3B4B08 cmp ecx, dword ptr [ebx+08]=》cx是老朋友3f6 这里就是比较id的地方了,你能看到ebx+08是3e9(退出)等按钮的比较 :0043914E 72F1 jb 00439141 :00439150 3B4B0C cmp ecx, dword ptr [ebx+0C] :00439153 77EC ja 00439141 :00439155 895D08 mov dword ptr [ebp+08], ebx :00439158 EB05 jmp 0043915F * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0043913B(C) | :0043915A 33C0 xor eax, eax :0043915C 894508 mov dword ptr [ebp+08], eax * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00439158(U) | :0043915F 8B4508 mov eax, dword ptr [ebp+08] :00439162 5B pop ebx :00439163 5D pop ebp :00439164 C21000 ret 0010 好了知道比较的地方就可以更改了,首先找一段空白的地址,放自己的代码,然后修改上面的比较代码jmp 到自己代码地址,加入我们自己的id比较3f3 cmp ecx,3f3 jz 自己想干的事情的地方,你可以参照我上篇文章,做个在riched输出文本的代码段 下面就是恢复原程序的动作 然后跳回原程序 需要注意的事项:不要把堆栈搞乱了,否则你看到的就是非法操作了。而不是你想看到的东西:) 这样你可以加好多个按钮,每个按钮做不同的事情。把程序玩弄于鼓掌之间,达到了diy pe的目的 如果感觉我的diy pe还可以的话,我就再写篇diy pe之三,写教学很累,比看程序,和写程序都累,劳动需要得到肯定,谢谢大家支持!