
按键2014汇编库开发作品3.3(人猿开发)2019.6.10


Declare Function Asm Lib   "ToAsm" Alias   "Asm"(ByVal code As String,ByVal 长度 As Long) As Long
// NOTE(review): declared as SetRec but resolves SetRect; the misspelt name is kept for existing callers.
Declare Function SetRec Lib   "user32" Alias   "SetRect"(ByVal 矩形 As Any,ByVal 左边 As Long,ByVal 顶边 As Long,ByVal 右边 As Long,ByVal 底边 As Long) As Long
Declare Function LocalAlloc   Lib "kernel32" Alias "LocalAlloc" (ByVal wOemChar As Long,ByVal wOmChar As Long) As Long
Declare Function LocalFree Lib "kernel32" Alias "LocalFree" (ByVal hMem As Long) As Long
Declare Function LocalSize Lib "kernel32" (ByVal hMem As Long) As Long
Declare Function RtlMoveMemory Lib "kernel32" Alias "RtlMoveMemory" (ByVal h As Any, ByRef f As Any, ByVal Length As Long)
Declare Function CallWindowProcA Lib   "user32.dll" Alias   "CallWindowProcA"(ByVal 前1窗口函数地址 As Long,byref 窗口句柄 As Long,ByVal 消息值 As Long,ByVal 附加参数1 As Long,ByVal 附加参数2 As Long) As Long
Declare Function RtlFillMemory Lib   "kernel32.dll" Alias   "RtlFillMemory"(ByVal 目的内存 As String,ByVal 长度 As Long,ByVal 填充内容 As Any) As Long
Declare Function LoadLibraryA Lib   "kernel32.dll" Alias   "LoadLibraryA"(ByVal 动态链接库名称 As String) As Long
Declare Function FreeLibrary Lib "kernel32" Alias "FreeLibrary" (ByVal hLibModule As Long) As Long
Declare Function GetProcAddress Lib   "kernel32.dll" Alias   "GetProcAddress"(ByVal 模块句柄 As Long,ByVal 进程名称 As String) As Long
Declare Function GetModuleHandleA Lib   "kernel32.dll" Alias   "GetModuleHandleA"(ByVal 模块名 As String) As Long
Declare Function SetWindowsHook Lib   "user32.dll" Alias   "SetWindowsHookExA"(ByVal 钩子类型 As Long,ByVal 回调函数地址 As Long,ByVal 实例句柄 As Long,ByVal 线程ID As Long) As Long
Declare Function UnhookWindowsHookEx Lib   "user32.dll" Alias   "UnhookWindowsHookEx"(ByVal 钩子句柄 As Long) As Long
Declare Function RtlZeroMemory Lib   "kernel32.dll" Alias   "RtlZeroMemory"(ByVal 目的内存 As String,ByVal 长度 As Long) As Long
// NOTE(review): the last two parameters below share the name lpWideCharStr; the sixth argument of the real API is cchWideChar (size of the output buffer in WCHARs).
Declare Function MultiByteToWideChar Lib   "kernel32.dll" Alias   "MultiByteToWideChar"(ByVal CodePage As Long,ByVal dwFlags As Long,ByVal lpMultiByteStr As Long,ByVal cchMultiByte As Long,ByVal lpWideCharStr As Long,ByVal lpWideCharStr As Long) As Long
Declare Function CreateThread Lib "kernel32" (lpThreadAttributes As Any, ByVal dwStackSize As Long, ByVal lpStartAddress As Long, ByVal lpParameter As Long, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long
Declare Function   OpenProcess Lib "kernel32" Alias "OpenProcess" (ByVal dwDesiredAccess As Long, ByVal   bInheritHandle As Long, ByVal dwProcessId As Long) As Long
// NOTE(review): the third parameter below is the local source buffer (lpBuffer); "date" is only a misleading name.
Declare Function   WriteProcessMemory Lib "kernel32" Alias "WriteProcessMemory" ( Handle_Process As Long, lpBaseAddress As long,date As long,   nSize As Long, lpNumberOfBytesWritten As Long) As Long
Declare Function   CloseHandle Lib "kernel32" Alias "CloseHandle" (ByVal hObject As Long) As Long
Declare Function GetCurrentProcessId Lib "kernel32" Alias "GetCurrentProcessId" () As Long
Declare Function ReadProcessMemory Lib "kernel32" Alias "ReadProcessMemory" (ByVal hProcess As Long,ByVal lpBaseAddress As Long, ByRef lpBuffer As Long, ByVal nSize As Long, lpNumberOfBytesWritten As Long) As Long
Private Declare Function CallAsmCode Lib "user32" Alias "CallWindowProcA" ( lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, lParam As Long) As Long
Private Declare Function VirtualFreeEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal dwFreeType As Long) As Long
Private Declare Function VirtualAllocEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, ByVal dwSize As Long, ByVal flAllocationType As Long, ByVal flProtect As Long) As Long
Private Declare Function CreateRemoteThread Lib "kernel32" (ByVal hProcess As Long, lpThreadAttributes As Any, ByVal dwStackSize As Long, lpStartAddress As Long, lpParameter As Any, ByVal dwCreationFlags As Long, lpThreadId As Long) As Long  
Private Declare Function htonl Lib "Wsock32.dll" (ByVal hostlong As Long) As Long //4字节高低位互转 //32位有符号整数 不支持无符号整数   FFFF FFFF
Private Declare Function htons Lib "Wsock32.dll" (ByVal hostshort As Long) As Long //2字节
// NOTE(review): declared under the ...A name but resolves the W export; for hooks with no string arguments this only affects ANSI/Unicode marking of the hook.
Private Declare Function SetWindowsHookExA Lib "user32" Alias "SetWindowsHookExW" (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
Private Declare Function GetWindowThreadProcessId Lib "user32" Alias "GetWindowThreadProcessId" (ByVal hwnd As Long, lpdwProcessId As Long) As Long   
Public   Declare Function CallNextHookEx Lib "user32" Alias "CallNextHookEx" (ByVal hHook As Long, ByVal ncode As Long,ByVal wParam As WindowsMessages,lParam As MSLLHOOKSTRUCT) As Long   
Private Declare Function RegisterWindowMessage Lib "user32" Alias "RegisterWindowMessageA" (ByVal lpString As String) As Long
Private Declare Function SendMessage Lib "user32" Alias "SendMessageA" (ByVal hwnd As Long, ByVal wMsg As Long, ByVal wParam As Long, lParam As Any) As Long
// NOTE(review): handles and addresses are 32-bit; the Integer parameters below truncate them if this dialect's Integer is 16-bit, and the library name carries a trailing space. Verify before relying on 内存保护属性修改.
Public Declare Function VirtualProtectEx Lib "kernel32 " (ByVal hProcess As Integer, ByVal lpAddress As Integer, ByVal dwSize As Integer, ByVal flNewProtect As Integer, ByRef lpflOldProtect As Integer) As Integer
Public Declare Function VirtualQueryEx Lib "kernel32" (ByVal hProcess As Long, lpAddress As Any, lpBuffer As MEMORY_BASIC_INFORMATION, ByVal dwLength As Long) As Long
// Added: synchronisation for the remote-thread helpers (RunAsmCode, 远程注入dll, ...), so a remote
// thread is waited on and its exit code read instead of racing it with a fixed Delay.
Declare Function WaitForSingleObject Lib "kernel32" Alias "WaitForSingleObject" (ByVal hHandle As Long, ByVal dwMilliseconds As Long) As Long
Declare Function GetExitCodeThread Lib "kernel32" Alias "GetExitCodeThread" (ByVal hThread As Long, lpExitCode As Long) As Long

//call Lib.AsmCode.创建进程S(GetCurrentProcessId(), "E:\MOYU\soul.exe blacknull wqo65m a6981723", "E:\\MOYU")

//call 创建进程S(GetCurrentProcessId(), "G:\xunleimoyu\soul.exe blacknull wqo65m a6981723", "G:\xunleimoyu")

//Hwnd = Plugin.Window.Find(0, "【魔域】")

//ProcessId= Plugin.SysEx.GetProcessID (Hwnd)

//TracePrint ProcessId

//Call Plugin.SysEx.Speed(hwnd, 4)

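Function 内存保护属性修改(ProcessId,Addr,AddrSize) //VirtualProtectEx: make [Addr, Addr+AddrSize) readable, writable and executable
    // ProcessId - id of the target process (NOT a handle; the handle is opened here like the sibling readers do)
    // Addr      - start of the region in the target
    // AddrSize  - region size in bytes
    // Returns VirtualProtectEx's result (non-zero on success, 0 on failure), or 0 if the process cannot be opened.
    // Fixes: the original passed the process id where the API expects a process handle, and stored the result
    // in a variable named VirtualQueryEx, so the function always returned Empty.
    // NOTE(review): the VirtualProtectEx declaration at the top of the file uses Integer parameters; if this
    // dialect's Integer is 16-bit, the handle and the address are truncated - redeclare with Long first.
    Dim hProcess, oldProtect, ok
    内存保护属性修改 = 0
    hProcess = OpenProcess(2035711, False, ProcessId)   // 0x1F0FFF = PROCESS_ALL_ACCESS, as used elsewhere in the file
    If hProcess = 0 Then Exit Function
    oldProtect = 0
    ok = VirtualProtectEx(hProcess, Addr, AddrSize, 64, oldProtect)   // 64 = PAGE_EXECUTE_READWRITE
    Call CloseHandle(hProcess)
    内存保护属性修改 = ok
End Function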

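Function 枚举系统进程名()
    // Lists the Description of every Win32_Process instance (WMI), one per line, CR LF separated.
    // Returns the concatenated string; "" when nothing is enumerated.
    // Fix: concatenation uses & instead of +, so a Null Description no longer turns the whole
    // result into Null; the loop variable and accumulator are declared instead of implicit.
    Dim WMI, objs, obj, names
    names = ""
    Set WMI = GetObject("WinMgmts:")
    Set objs = WMI.InstancesOf("Win32_Process")
    For Each obj In objs
        names = names & obj.Description & Chr(13) & Chr(10)
    Next
    枚举系统进程名 = names
End Function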

Function 获取系统全部进程和ID()//one "<pid> <name>" line per process, each line prefixed with CR LF
    // Queries Win32_Process through WMI and returns the lines as one string. The string starts with
    // vbCrLf, so Split(result, vbCrLf)(0) is "" - callers that index the split array start at 1.
    // The split array is also stored in Pro_Name_Array, as the original did.
    Dim wmi, procs, proc, lines
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    Set procs = wmi.ExecQuery("select * from Win32_Process")
    lines = ""
    For Each proc In procs
        lines = lines & vbCrLf & proc.ProcessId & " " & proc.Name
    Next
    Pro_Name_Array = Split(lines, vbCrLf)
    获取系统全部进程和ID = lines
End Function

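Function 根据进程名字枚举进程ID(进程名)//ProcessId of the first process whose Name equals 进程名; 0 when none
    // Uses a WQL filter instead of splitting "<pid> <name>" lines on spaces, so a process whose name
    // contains a space is matched correctly. WQL compares case-insensitively (the old = compare was
    // case-sensitive); the single quote is doubled so the name cannot break out of the query string.
    // The id is converted with CLng: the original used Int(), which overflows for ids above 32767.
    // Returns 0 when no process matches (the original left the result Empty, which also compares = 0).
    Dim wmi, procs, proc
    根据进程名字枚举进程ID = 0
    Set wmi = GetObject("winmgmts:\\.\root\cimv2")
    Set procs = wmi.ExecQuery("select ProcessId from Win32_Process where Name = '" & Replace(进程名, "'", "''") & "'")
    For Each proc In procs
        根据进程名字枚举进程ID = CLng(proc.ProcessId)
        Exit For
    Next
End Function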

//Hwnd = Plugin.Window.Find(0, "【魔域】")

//ProcessId= Plugin.SysEx.GetProcessID (Hwnd)

//TracePrint ProcessId

//怪物对象地址= 跨进程获取函数名地址S(ProcessId,"3DRole.dll","?g_objPlayerSet@@3VCGamePlayerSet@@A")

// TracePrint Hex(怪物对象地址)

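Function 跨进程获取函数名地址S(ProcessId,模块名字,函数名字)//resolve 模块名字!函数名字 inside the target process
    // Runs GetModuleHandleA(模块名字) followed by GetProcAddress(hModule, 函数名字) on a remote thread in
    // ProcessId and returns the address it produced (0 if the lookup failed, or if the slot was read
    // before the remote thread had stored it - "Delay 100" is a fixed wait, not a synchronisation).
    // The API addresses come from THIS process (获取函数地址API); reusing them in the target only works
    // when both processes are 32-bit and share kernel32's base, which ASLR randomises per boot, not per process.
    // Generated code: pushad; push modname; mov edx,GetModuleHandleA; call edx; push funcname; push eax;
    //                 mov edx,GetProcAddress; call edx; mov [slot],eax; popad; ret
    // Fix: the original stored the GetModuleHandleA address in a variable named GetModuleHandleA, shadowing
    // the declared API. Unchanged: the three remote buffers are never freed.
    Dim 远程参数地址, 远程名字参数地址, 返回值地址, Addr_GetModuleHandleA, Addr_GetProcAddress, 结果
    返回值地址 = 申请指定进程空间(ProcessId, 4)
    远程参数地址 = 申请指定进程空间(ProcessId, Len(模块名字) + 4)
    Call 写入字符集ASCII(ProcessId, 远程参数地址, 模块名字)   // VirtualAllocEx zero-fills, so the string is NUL-terminated
    远程名字参数地址 = 申请指定进程空间(ProcessId, Len(函数名字) + 4)
    Call 写入字符集ASCII(ProcessId, 远程名字参数地址, 函数名字)
    Addr_GetModuleHandleA = 获取函数地址API("kernel32.dll", "GetModuleHandleA")
    Addr_GetProcAddress = 获取函数地址API("kernel32.dll", "GetProcAddress")
    Call AsmClear()
    Call Pushad()
    Call PUSH(远程参数地址)                  // lpModuleName
    Call Mov_EDX_Value(Addr_GetModuleHandleA)
    Call Call_EDX()                          // eax = HMODULE; stdcall, the callee pops the argument
    Call Push(远程名字参数地址)              // lpProcName
    Call Push_EAX                            // hModule
    Call Mov_EDX_Value(Addr_GetProcAddress)
    Call Call_EDX()                          // eax = function address
    Call Mov_DWORD_Ptr_Addr_EAX(返回值地址)  // store it where the controller can read it
    Call Popad()
    Call ret()
    Call RunAsmCode(ProcessId, 1)
    Delay 100
    结果 = 读取四字节整数(ProcessId, 返回值地址)
    跨进程获取函数名地址S = 结果
End Function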

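Function 主线程切入口注入(ProcessId, 函数字节集,主线程入口地址)//patch a 5-byte JMP at 主线程入口地址 to a copy of 函数字节集
    // Copies 函数字节集 into fresh RWX memory in the target and overwrites the five bytes at
    // 主线程入口地址 with "E9 rel32", a relative jump to that copy.
    // Fix: the displacement is always emitted as 8 hex digits. Hex() drops leading zeros, so a
    // displacement whose lowest byte is 00 (0x00001200 -> htonl -> "120000") used to be split into only
    // three bytes and the jump was written wrong.
    // Caveats (unchanged): the five overwritten bytes are not saved, so 函数字节集 must know how to
    // continue by itself; the patch is written in two pieces (opcode, then displacement) while the
    // target may be executing it - suspend the thread first, as the original note advises.
    Dim NewAddr, JMP_Value
    NewAddr = 申请指定进程空间(ProcessId, Len(函数字节集) + 4)
    Call 写入字节集(ProcessId, NewAddr, 函数字节集)
    TracePrint Hex(NewAddr)
    // rel32 = target - (patch address + 5); htonl reverses the bytes so the hex digits read little-endian
    JMP_Value = Right("0000000" & Hex(htonl(NewAddr - 主线程入口地址 - 5)), 8)
    TracePrint JMP_Value
    JMP_Value = 进制_字节集标准化(JMP_Value)
    Call 写入单字节整数(ProcessId, 主线程入口地址, &He9)
    Call 写入字节集(ProcessId, 主线程入口地址 + 1, JMP_Value)
End Function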

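Function 进制_单浮点转十六(浮点数值)
    // IEEE-754 single precision (binary32) encoding of 浮点数值 as 8 upper-case hex digits in
    // big-endian digit order: 1.0 -> "3F800000", -2.5 -> "C0200000", 0 -> "00000000".
    // Accepts a number or a numeric string ("-1.5"); CDbl parses it (locale decimal separator).
    // Fixes over the original: no crash on input without a decimal point; the fraction bits are encoded
    // (the original dropped the fraction and returned "00000000" for every |x| < 1); negative values in
    // [1,2) no longer lose their sign bit; the result is always exactly 8 digits.
    // Rounding is round-half-up on the 24th mantissa bit; values beyond the binary32 range encode as
    // infinity ("7F800000"/"FF800000"), values below the normal range as denormals.
    Dim v, signBit, expo, mant, hiWord, loWord
    v = CDbl(浮点数值)
    signBit = 0
    If v < 0 Then
        signBit = 1
        v = -v
    End If
    If v = 0 Then
        进制_单浮点转十六 = "00000000"
        Exit Function
    End If
    // normalise to v = m * 2^expo with 1 <= m < 2 (scaling by 2 is exact in Double)
    expo = 0
    Do While v >= 2
        v = v / 2
        expo = expo + 1
    Loop
    Do While v < 1
        v = v * 2
        expo = expo - 1
    Loop
    expo = expo + 127                              // biased exponent
    If expo >= 255 Then
        expo = 255                                 // overflow -> infinity
        mant = 0
    ElseIf expo <= 0 Then
        mant = Int(v * (2 ^ (expo + 22)) + 0.5)    // denormal: value = mant * 2^-149
        expo = 0
        If mant >= 8388608 Then                    // rounded up into the smallest normal number
            mant = 0
            expo = 1
        End If
    Else
        mant = Int((v - 1) * 8388608 + 0.5)        // 23 fraction bits, hidden bit removed
        If mant >= 8388608 Then                    // rounding carried into the exponent
            mant = 0
            expo = expo + 1
            If expo >= 255 Then expo = 255
        End If
    End If
    // assemble sign(1) | exponent(8) | mantissa(23) as two 16-bit words so Hex() never sees a value above Long range
    hiWord = signBit * 32768 + expo * 128 + Int(mant / 65536)
    loWord = mant - Int(mant / 65536) * 65536
    进制_单浮点转十六 = Right("000" & Hex(hiWord), 4) & Right("000" & Hex(loWord), 4)
End Function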

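Function 进制_双浮点转十六(浮点数值)
    // IEEE-754 double precision (binary64) encoding of 浮点数值 as 16 upper-case hex digits in
    // big-endian digit order: 1.0 -> "3FF0000000000000", -2.5 -> "C004000000000000".
    // Accepts a number or a numeric string; CDbl parses it (locale decimal separator).
    // Fixes over the original: no crash on input without a decimal point; the fraction bits are
    // encoded (the original dropped them and returned all zeros for |x| < 1); the sign bit survives
    // for values in [1,2); the result is always exactly 16 digits.
    // The mantissa of a Double is exact, so no rounding is needed; overflow encodes as infinity,
    // values below the normal range as denormals.
    Dim v, signBit, expo, mant, m1, m2, w0, w1, w2, w3
    v = CDbl(浮点数值)
    signBit = 0
    If v < 0 Then
        signBit = 1
        v = -v
    End If
    If v = 0 Then
        进制_双浮点转十六 = "0000000000000000"
        Exit Function
    End If
    // normalise to v = m * 2^expo with 1 <= m < 2 (scaling by 2 is exact)
    expo = 0
    Do While v >= 2
        v = v / 2
        expo = expo + 1
    Loop
    Do While v < 1
        v = v * 2
        expo = expo - 1
    Loop
    expo = expo + 1023                             // biased exponent
    If expo >= 2047 Then
        expo = 2047                                // overflow -> infinity
        mant = 0
    ElseIf expo <= 0 Then
        mant = Int(v * (2 ^ (expo + 51)))          // denormal: value = mant * 2^-1074
        expo = 0
    Else
        mant = (v - 1) * 4503599627370496          // 2^52: exact, v has at most 52 fraction bits
    End If
    // split the 52-bit mantissa into 16-bit words; every intermediate is an integer below 2^53, so exact
    w3 = mant - Int(mant / 65536) * 65536
    m1 = Int(mant / 65536)
    w2 = m1 - Int(m1 / 65536) * 65536
    m2 = Int(m1 / 65536)                           // top 20 mantissa bits
    w1 = m2 - Int(m2 / 65536) * 65536
    w0 = signBit * 32768 + expo * 16 + Int(m2 / 65536)   // sign(1) | exponent(11) | mantissa bits 51..48
    进制_双浮点转十六 = Right("000" & Hex(w0), 4) & Right("000" & Hex(w1), 4) & Right("000" & Hex(w2), 4) & Right("000" & Hex(w3), 4)
End Function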

//用途:十转二

Public Function 进制_十转二(Dec )
    // Decimal -> binary digit string, most significant bit first (10 -> "1010").
    // Input that is not greater than 0 yields "" (no "0" is produced for zero), as before.
    Dim bits, remaining
    bits = ""
    remaining = Dec
    Do Until remaining <= 0
        If remaining Mod 2 = 1 Then
            bits = "1" & bits
        Else
            bits = "0" & bits
        End If
        remaining = remaining \ 2
    Loop
    进制_十转二 = bits
End Function

//TracePrint "将二进制转化为十六进制"   & B2H("111111111111111111111111111111111111")

' Purpose: convert a binary digit string to hexadecimal (this is 进制_二转十六 below; "B2H" was its former name)
' Input: Bin (binary digits)            Input type: String
' Output: hexadecimal string, upper case, leading zeros stripped   Output type: String
' Input length limit: 2147483647 characters




Public Function 进制_二转十六( Bin)
    // Binary digit string -> upper-case hex string. The input is left-padded with "0" to a multiple of
    // four digits and each 4-digit group becomes one hex digit. Leading "0" hex digits are stripped, so
    // an all-zero input yields "" - callers that need a fixed width must pad the result themselves.
    // A group that is not one of the sixteen 4-bit patterns contributes nothing, as before.
    Dim nibbles, pos, k, out
    nibbles = Split("0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111", " ")
    If Len(Bin) Mod 4 <> 0 Then Bin = String(4 - Len(Bin) Mod 4, "0") & Bin
    pos = 1
    Do While pos <= Len(Bin)
        For k = 0 To 15
            If Mid(Bin, pos, 4) = nibbles(k) Then
                out = out & Mid("0123456789ABCDEF", k + 1, 1)
                Exit For
            End If
        Next
        pos = pos + 4
    Loop
    Do While Left(out, 1) = "0"
        out = Right(out, Len(out) - 1)
    Loop
    进制_二转十六 = out
End Function

//TracePrint   "将十六进制转化为十进制"   &   H2D("ffffffff")

' Purpose: convert a hexadecimal string to decimal (this is 进制_十六转十 below; "H2D" was its former name)
' Input: Hex (hexadecimal digits, either case)    Input type: String
' Output: decimal value    Output type: Double - the digits are accumulated with 16 ^ n, so 8-digit
'         unsigned values such as FFFFFFFF (4294967295) are returned without overflowing a Long

//TracePrint 进制_十六转十("FFFFFFFFFFFF")





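Function 进制_十六转有十(HexVal) //hex string -> signed 32-bit Long
    // Converts a hex string (no "&H" prefix, at most 8 digits) to a Long using two's complement for
    // values with bit 31 set: "FFFFFFFF" -> -1, "80000000" -> -2147483648, "10" -> 16.
    // Fixes: the original stored the result under a differently spelt name and always returned Empty;
    // the value is now padded to 8 digits before conversion, so a short input such as "FFFF" is read as
    // the 32-bit value 65535 rather than as the 16-bit literal -1.
    进制_十六转有十 = CLng("&H" & Right("00000000" & HexVal, 8))
End Function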


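Function 进制_十转十六(IntVal)   //unsigned 32-bit value -> hex string (memory use; no leading zeros)
    // A value above 2147483647 (e.g. an address read back as an unsigned Double) is mapped to the
    // equivalent negative Long so Hex() prints its 32-bit pattern: 4294967295 -> "FFFFFFFF",
    // 2147483648 -> "80000000".
    // Fix: the original computed 4294967295 - IntVal - 1, which is the bitwise complement, not the
    // two's-complement mapping - 2147483648 came out as "7FFFFFFE". The correct mapping is
    // IntVal - 4294967296, the same as Hexs below. The caller's variable is no longer modified.
    Dim v
    v = IntVal
    If v > 2147483647 Then v = v - 4294967295 - 1
    进制_十转十六 = Hex(v)
End Function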



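Function Hexs(IntVal)   //unsigned 32-bit value -> hex string (memory use; no leading zeros)
    // Same as Hex(), except that an unsigned value in (2147483647, 4294967295] is first mapped to its
    // negative two's-complement Long so the 32-bit pattern is printed: 4294967295 -> "FFFFFFFF".
    // Fix: the mapping is done on a local copy; the original reassigned the ByRef parameter, silently
    // changing the caller's variable whenever it exceeded 2147483647.
    Dim signed
    If IntVal > 2147483647 Then
        signed = IntVal - 4294967295 - 1
    Else
        signed = IntVal
    End If
    Hexs = Hex(signed)
End Function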



Public Function 进制_十六转十(Hex)//hex string -> unsigned value as Double ("FFFFFFFF" -> 4294967295), for addresses
    // Walks the digits from the right, adding digit * 16^position. The weight is a Double, so 8-digit
    // unsigned values do not overflow a Long. Characters outside 0-9/A-F are skipped but still occupy
    // a position, as before. The parameter (named Hex, shadowing the built-in inside this function)
    // is upper-cased in place, so the caller's variable changes - unchanged from the original.
    Dim pos, weight, total, digit
    Hex = UCase(Hex)
    weight = CDbl(1)
    For pos = Len(Hex) To 1 Step -1
        digit = InStr("0123456789ABCDEF", Mid(Hex, pos, 1))
        If digit > 0 Then total = total + weight * (digit - 1)
        weight = weight * 16
    Next
    进制_十六转十 = total
End Function

Public Function 进制_十六转二( Hex )
    // Hex string -> binary digit string: each hex digit expands to 4 bits, then leading "0" digits are
    // stripped ("0F" -> "1111", "10" -> "10000", "00" -> ""). Unknown characters are skipped.
    // The parameter is upper-cased in place (the caller's variable changes), as in the original.
    Dim pos, idx, bits, nibbles
    nibbles = Split("0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111", " ")
    Hex = UCase(Hex)
    For pos = 1 To Len(Hex)
        idx = InStr("0123456789ABCDEF", Mid(Hex, pos, 1))
        If idx > 0 Then bits = bits & nibbles(idx - 1)
    Next
    Do While Left(bits, 1) = "0"
        bits = Right(bits, Len(bits) - 1)
    Loop
    进制_十六转二 = bits
End Function

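Function 进制_十六转十进制(十六进制字符串)
    // Hex string -> decimal. Case-insensitive; "" -> 0. Example: MsgBox 进制_十六转十进制("FFFFFF") -> 16777215
    // Fixes: the accumulator is a Double, so 8-digit values ("FFFFFFFF" = 4294967295) no longer overflow
    // a Long; a character outside 0-9/A-F raises error 5 (invalid argument) instead of being folded into
    // the result silently - the original counted "G" as 16, so a typo in an address looked like a value.
    Dim text, i, digit, total
    total = CDbl(0)
    text = UCase(十六进制字符串)
    For i = 1 To Len(text)
        digit = InStr("0123456789ABCDEF", Mid(text, i, 1)) - 1
        If digit < 0 Then Err.Raise 5, "进制_十六转十进制", "not a hex digit: " & Mid(text, i, 1)
        total = total * 16 + digit
    Next
    进制_十六转十进制 = total
End Function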

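Function 进制_字节集标准化(十六字节集)
    // "E9ABCD" -> "E9 AB CD": splits a run of hex digits into space-separated byte pairs, the format
    // that 写入字节集 / RunAsmCode consume. Case is preserved; "" -> "".
    // Changes: spaces already in the input are removed first, so an already-normalised string is
    // returned unchanged instead of gaining extra spaces; an odd number of digits raises error 5
    // instead of silently dropping the last digit - for a jump displacement that meant a short, wrong
    // patch being written into the target process. The caller's variable is no longer modified.
    Dim digits, i, pairs
    digits = Replace(十六字节集, " ", "")
    If Len(digits) Mod 2 <> 0 Then Err.Raise 5, "进制_字节集标准化", "odd number of hex digits: " & 十六字节集
    pairs = ""
    For i = 1 To Len(digits) Step 2
        pairs = pairs & " " & Mid(digits, i, 2)
    Next
    进制_字节集标准化 = LTrim(pairs)
End Function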

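Function 创建进程S(ParentProPid, WholePathAndParam, WorkPath)//start a process from inside ParentProPid via a remote CreateProcessA call
    // Builds and runs, on a remote thread in ParentProPid, the equivalent of
    //   CreateProcessA(NULL, WholePathAndParam, NULL, NULL, FALSE, 0, NULL, WorkPath, &si, &pi)
    // so the new process is a child of ParentProPid. (The original note asks why this is not a plain
    // local API call - it only makes sense when that parent relationship matters.)
    // Changes: the working-directory buffer is sized from the argument (it was a fixed 50 bytes, so a
    // longer path wrote past it), and STARTUPINFOA.cb is set to 68 as the API documents; the rest of
    // both structures stays zero-filled from VirtualAllocEx.
    // Caveats (unchanged): the remote call gets a fixed 100 ms before its argument buffers are freed, so a
    // slow start races with the free; the hProcess/hThread handles written to PROCESS_INFORMATION are
    // never closed in the target; the API address comes from this process (same-bitness only).
    Dim Addr_CreateProcessA, 参数2, 参数8, 参数9, 参数10
    Addr_CreateProcessA = 获取函数地址API("kernel32.dll", "CreateProcessA")
    参数2 = 申请指定进程空间(ParentProPid, Len(WholePathAndParam) + 8)   // lpCommandLine (must be writable memory)
    Call 写入字符集ASCII(ParentProPid, 参数2, WholePathAndParam)
    参数8 = 申请指定进程空间(ParentProPid, Len(WorkPath) + 8)            // lpCurrentDirectory
    Call 写入字符集ASCII(ParentProPid, 参数8, WorkPath)
    参数10 = 申请指定进程空间(ParentProPid, 20)    // PROCESS_INFORMATION (16 bytes)
    参数9 = 申请指定进程空间(ParentProPid, 500)    // STARTUPINFOA (68 bytes)
    Call 写入四字节内存整数(ParentProPid, 参数9, 68)   // si.cb = sizeof(STARTUPINFOA)
    Call AsmClear()
    Call Push_EBP()
    Call mov_ebp_esp()
    Call PUSH(参数10)                // lpProcessInformation
    Call PUSH(参数9)                 // lpStartupInfo
    Call PUSH(参数8)                 // lpCurrentDirectory
    Call PUSH(0)                     // lpEnvironment
    Call PUSH(0)                     // dwCreationFlags
    Call PUSH(0)                     // bInheritHandles
    Call PUSH(0)                     // lpThreadAttributes
    Call PUSH(0)                     // lpProcessAttributes
    Call PUSH(参数2)                 // lpCommandLine
    Call PUSH(0)                     // lpApplicationName
    Call Mov_EAX_Value(Addr_CreateProcessA)
    Call Call_EAX                    // stdcall: CreateProcessA pops its ten arguments
    Call Mov_ESP_EBP()
    Call pop_ebp()
    Call Ret()
    Call RunAsmCode(ParentProPid, 0)
    Delay 100
    Call 释放进程分配空间(ParentProPid, 参数8)
    Call 释放进程分配空间(ParentProPid, 参数2)
    Call 释放进程分配空间(ParentProPid, 参数9)
    Call 释放进程分配空间(ParentProPid, 参数10)
End Function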

//call 钩子HOOK实例()

Function 钩子HOOK实例(ProcessId)//example hook body for ONE specific target build: HWND = Plugin.Window.Find(0, "【魔域】")   ProcessId = Plugin.SysEx.GetProcessID(Hwnd)
    // Builds a hook procedure that RunAsmCodetoMainThread installs on the target's window thread.
    // The code loads eax = [0x12C447C], then ecx = [eax], pushes 1 and 3, and calls the function whose
    // address is stored at [0x12C51D4]; afterwards it stores 1 at 申请回调函数地址+100, the flag that
    // RunAsmCodetoMainThread polls. Both addresses are hard-coded for one build of the target and are
    // meaningless anywhere else.
    // NOTE(review): a hook procedure is called with three stdcall arguments; if ret emits a bare C3 they are
    // not popped - verify against the emitter before relying on this inside the target.
    申请回调函数地址 = 申请指定进程空间(ProcessId, 120)//the code is at most 100 bytes; bytes 100..103 hold the "executed" flag
    Call 写入四字节内存整数(ProcessId, 申请回调函数地址 + 100, 0)   // clear the flag before installing
    call AsmClear()
    Call Push_EBP()
    Call mov_ebp_esp()
    call Mov_EAX_DWORD_Ptr_Addr(&H12C447C)   // eax = [0x12C447C]  (target-specific)
    Call Push (1)
    Call Push(3)
    Call Mov_ECX_DWORD_Ptr_EAX               // ecx = [eax]
    Call Mov_ESI_DWORD_Ptr_Addr(&H12C51D4)   // esi = [0x12C51D4]  (target-specific function pointer)
    Call Call_ESI
    Call Mov_EAX_Value(1)
    call Mov_DWORD_Ptr_Addr_EAX(申请回调函数地址+100)   // flag = 1: "the hook ran"
    Call Mov_ESP_EBP()
    Call pop_ebp()
    Call ret   // return from the hook procedure (see the argument clean-up note above)
    Call RunAsmCodetoMainThread(ProcessId, 申请回调函数地址)
End function

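Function RunAsmCodetoMainThread(ProcessId, 申请回调函数地址) //run the code in PublicCode on the target's window thread via a WH_CALLWNDPROC hook
    // Writes PublicCode (the hex string built by the Asm helpers) to 申请回调函数地址, then up to 300
    // times installs it as a hook procedure for the thread owning the script-level HWND
    // (钩子HOOK注入执行) and polls the DWORD at 申请回调函数地址+100, which the injected code is expected
    // to set to 1 once it has run.
    // Returns True when that flag was seen, False after 300 attempts (the original returned nothing).
    // Requires: HWND set at script level; 申请回调函数地址 allocated with at least 104 bytes.
    // Changes: hex normalisation goes through 进制_字节集标准化 instead of a private copy of the loop.
    // Caveat (unchanged): every attempt installs another hook in the target and none is ever removed.
    Dim q, 函数是否执行
    RunAsmCodetoMainThread = False
    PublicCode = 进制_字节集标准化(PublicCode)   // "558BEC" -> "55 8B EC", stored back into the global as before
    Call 写入字节集(ProcessId, 申请回调函数地址, PublicCode)
    For q = 1 To 300
        TracePrint q
        Call 钩子HOOK注入执行(HWND, 申请回调函数地址, ProcessId)
        函数是否执行 = 读取四字节整数(ProcessId, 申请回调函数地址 + 100)
        TracePrint Hex(函数是否执行)
        If 函数是否执行 = 1 Then
            RunAsmCodetoMainThread = True
            Exit For
        End If
    Next
End Function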

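Function 钩子Hook注入二进制代码(ProcessId, 申请回调函数地址,二进制字节集)//like RunAsmCodetoMainThread, for a caller-supplied hex byte string
    // 二进制字节集: hex bytes with or without spaces ("8B0D7C242C01..." or "8B 0D 7C ..."). The bytes are
    // normalised, written to 申请回调函数地址 and installed up to 300 times as a WH_CALLWNDPROC hook on the
    // thread of the script-level HWND until the flag DWORD at 申请回调函数地址+100 reads 1 - the code
    // itself must set that flag (and should pop its three hook-procedure arguments on return).
    // Returns True when the flag was seen, False otherwise (the original returned nothing).
    // Changes: spaces in the input are tolerated (the original split "8B 0D" into "8B", " 0", "D"...),
    // normalisation is shared with 进制_字节集标准化, the loop counter is local.
    Dim q, 函数是否执行, 字节集
    钩子Hook注入二进制代码 = False
    字节集 = 进制_字节集标准化(Replace(二进制字节集, " ", ""))
    TracePrint 字节集
    Call 写入字节集(ProcessId, 申请回调函数地址, 字节集)
    For q = 1 To 300
        Call 钩子HOOK注入执行(HWND, 申请回调函数地址, ProcessId)
        函数是否执行 = 读取四字节整数(ProcessId, 申请回调函数地址 + 100)
        If 函数是否执行 = 1 Then
            钩子Hook注入二进制代码 = True
            Exit For
        End If
    Next
End Function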

//=======================================钩子处理================

Function 钩子HOOK注入执行(HWND, 函数地址, ProcessId)
    // From inside the target (on a remote thread), installs 函数地址 as a WH_CALLWNDPROC (4) hook on the
    // thread that owns HWND and returns the HHOOK SetWindowsHookExA produced (0 on failure). The hook
    // procedure then runs on the window thread the next time a message is sent to that window.
    // Generated code: push ebp; mov ebp,esp; push tid; push hmod; push lpfn; push 4;
    //                 mov edx,SetWindowsHookExA; call edx; mov [slot],eax; mov esp,ebp; pop ebp; ret
    // NOTE(review): the result slot is read right after RunAsmCode returns, without waiting for the remote
    // thread (the Delay is commented out), so 0 is often returned before the thread has stored the
    // handle - callers loop for that reason. The 4-byte slot is never freed (each call reserves a 64 KB
    // region in the target), the hmod pushed is GetModuleHandleA(0) evaluated in the controller rather
    // than anything meaningful in the target, and the hooks installed this way are never removed.
    Dim 结果槽, 线程ID, Addr_SetWindowsHookEx, 钩子句柄
    结果槽 = 申请指定进程空间(ProcessId, 4)
    线程ID = GetWindowThreadProcessId(HWND, 0)
    Addr_SetWindowsHookEx = 获取函数地址API("user32.dll", "SetWindowsHookExA")
    Call AsmClear()
    Call Push_EBP()
    Call mov_ebp_esp()
    Call PUSH(线程ID)                      // dwThreadId
    Call PUSH(GetModuleHandleA(0))         // hMod (see note above)
    Call PUSH(函数地址)                    // lpfn
    Call PUSH(4)                           // idHook = WH_CALLWNDPROC
    Call Mov_EDX_Value(Addr_SetWindowsHookEx)
    Call Call_EDX()
    Call Mov_DWORD_Ptr_Addr_EAX(结果槽)    // store the HHOOK for the controller
    Call Mov_ESP_EBP()
    Call pop_ebp()
    Call ret
    Call RunAsmCode(ProcessId, 1)
    钩子句柄 = 读取四字节整数(ProcessId, 结果槽)
    钩子HOOK注入执行 = 钩子句柄
End Function

//call AsmClear()//========================================================================本地执行汇编运算例子

//Addr_SendMessageA = 获取函数地址API("user32.dll", "SendMessageA")

//TracePrint Addr_SendMessageA

//call AsmClear()

//Call Push_EBP()

//Call mov_ebp_esp()

//Call PUSH(0)

//Call PUSH(0)

//Call PUSH(0)

//Call PUSH(hwnd)

//Call Mov_EAX_Value(Addr_SendMessageA)

//Call Call_EAX

//Call Mov_ESP_EBP()

//Call pop_ebp()

//Call Ret()

//TracePrint W_GetCode()

//Call RunAsmCode(ProcessId, 1)//核心代码

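Function 钩子HOOK卸载(钩子句柄)
    // Removes a hook with UnhookWindowsHookEx and returns the API result: non-zero on success, 0 on
    // failure. The original discarded the result, so a failed unhook went unnoticed.
    // NOTE(review): hooks installed by 钩子HOOK注入执行 are installed by the TARGET process (remote thread);
    // unhooking them from this process may fail - check the return value.
    钩子HOOK卸载 = UnhookWindowsHookEx(钩子句柄)
End Function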

//=======================================钩子处理===================

EndScript

Function 钩子HOOK消息注册(消息字符串)
    // Registers (or looks up) a system-wide window message by name and returns its id
    // (RegisterWindowMessageA; 0 on failure).
    Dim msgId
    msgId = RegisterWindowMessage(消息字符串)
    钩子HOOK消息注册 = msgId
End Function

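Function RunCurAsmCode()//execute the code in PublicCode in THIS process and return its EAX
    // Normalises PublicCode ("558BEC" -> "55 8B EC", stored back into the global as before), copies the
    // bytes into fresh RWX memory of the current process and calls them through CallWindowProcA, which
    // passes (hwnd, msg, wParam, lParam) = (0, 0, 0, 0) and returns the code's EAX.
    // Changes: the return value is returned instead of discarded; the code buffer is released after the
    // synchronous call (it was leaked); an empty PublicCode raises error 5 instead of running an
    // all-zero buffer (the original failed on ReDim(-1) by accident).
    // NOTE(review): a window procedure is stdcall with four DWORD arguments; "C2 10 00" is the balanced
    // return, a bare C3 relies on user32 tolerating the imbalance - confirm against the emitter.
    Dim CodeSize, NewWriteCodeAddr, 结果
    If Len(PublicCode) = 0 Then Err.Raise 5, "RunCurAsmCode", "PublicCode is empty - nothing to run"
    PublicCode = 进制_字节集标准化(PublicCode)
    TracePrint PublicCode
    CodeSize = UBound(Split(PublicCode, " ")) + 10      // byte count - 1, plus slack
    NewWriteCodeAddr = 申请指定进程空间(GetCurrentProcessId(), CodeSize)
    TracePrint Hex(NewWriteCodeAddr)
    Call 写入字节集(GetCurrentProcessId(), NewWriteCodeAddr, PublicCode)
    结果 = CallWindowProcA(NewWriteCodeAddr, 0, 0, 0, 0)
    Call 释放进程分配空间(GetCurrentProcessId(), NewWriteCodeAddr)
    RunCurAsmCode = 结果
End Function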

//call 远程注入汇编代码(ProcessId, "8B 0D 7C 24 2C 01 6A 00 68 38 7C 91 8B 8B 09 A1 E8 29 2C 01 FF D0 C3")   //记住要加上ret

//call 远程注入汇编代码(ProcessId, "8B 0D 7C 24 2C 01 6A 00 68 38 7C 91 8B 8B 09 A1 E8 29 2C 01 FF D0 C3")   //记住要加上ret

Function AsmClear()
    // Resets the script-level code buffer PublicCode (the hex string the Asm helpers append to) to "".
    // Call it before building a new sequence, otherwise the previous bytes stay in front of the new ones.
    Dim nothing
    nothing = ""
    PublicCode = nothing
End Function

Function 窗口的创建者ThreadPId(Hwnd,lpdwProcessId)
    // Id of the thread that created window Hwnd (GetWindowThreadProcessId); the owning process id is
    // written to lpdwProcessId when the declaration passes it by reference. Returns 0 for an invalid HWND.
    Dim tid
    tid = GetWindowThreadProcessId(Hwnd, lpdwProcessId)
    窗口的创建者ThreadPId = tid
End Function

Function 跨进程模块通讯链接(ProcessId,SendData)
    // Stub: cross-process module communication is disabled. Only prints a notice; ProcessId and
    // SendData are ignored and nothing is returned.
    TracePrint "该功能暂停使用!"
end Function  

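Function 汇编执行代码(ByteData,Size)//run a hex byte string in THIS process through CallWindowProcA and return its EAX
    // ByteData: space-separated hex bytes ("55 8B EC ..."). " C2 14 00" (retn 14h) is appended, as in the
    // original, so the code returns on its own. Size: the caller's size hint for the code buffer.
    // Changes: the buffer is enlarged to the real byte count when Size is too small (the retn alone adds
    // three bytes, and the original wrote past a too-small buffer); CallWindowProcA's return value - the
    // code's EAX - is returned instead of discarded; the buffer is released after the synchronous call.
    // The script-level Hwnd is passed as the window-procedure's first argument, as before.
    // NOTE(review): a window procedure receives four DWORD arguments (16 bytes) while "C2 14 00" pops 20.
    // The literal is kept because the author reports it working; C2 10 00 is the balanced form - confirm
    // under a debugger before reusing this.
    Dim 代码, 字节数, 缓冲大小, WriteAddr, 结果
    代码 = ByteData & " C2 14 00"
    字节数 = UBound(Split(Trim(代码), " ")) + 1
    缓冲大小 = Size
    If 缓冲大小 < 字节数 Then 缓冲大小 = 字节数
    WriteAddr = 申请指定进程空间(GetCurrentProcessId(), 缓冲大小)
    Call 写入字节集(GetCurrentProcessId(), WriteAddr, 代码)
    结果 = CallWindowProcA(WriteAddr, Hwnd, 0, 0, 0)
    Call 释放进程分配空间(GetCurrentProcessId(), WriteAddr)
    汇编执行代码 = 结果
End function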

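Function 读任意整数A(ProcessId, Addr, Size)//read Size bytes at Addr in ProcessId as a little-endian unsigned integer
    // Reads one byte per ReadProcessMemory call into a two-character string buffer and accumulates
    // byte * 256^i; the result is a Double, so 4-byte values above 2^31 come back unsigned.
    // Returns 0 when the process cannot be opened; a byte whose read fails contributes 0. The original
    // ignored the API result, so a failed read contributed the buffer's own content (a space, 0x20) and
    // an unreadable DWORD came back as 0x20202020 instead of 0.
    // NOTE(review): ReadProcessMemory is declared with a ByRef Long buffer and is handed a String; that
    // AscB(char) then sees the byte depends on how this dialect marshals the call - confirmed only by use.
    Dim hProcess, i, char, total
    读任意整数A = 0
    hProcess = OpenProcess(2035711, False, ProcessId)   // 0x1F0FFF = PROCESS_ALL_ACCESS
    If hProcess = 0 Then Exit Function
    total = 0
    For i = 0 To Size - 1
        char = Space(2)
        If ReadProcessMemory(hProcess, Addr + i, char, 1, 0) <> 0 Then total = total + AscB(char) * 256 ^ i
    Next
    Call CloseHandle(hProcess)
    读任意整数A = total
End Function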

//TracePrint 读取八字节整数(ProcessId, &H01259F8)   // example: the first argument is a process id - each reader opens its own handle - not a handle

Function 读取单字节整数(ProcessId, Addr)
    // Unsigned byte (0..255) at Addr in process ProcessId; the same read path as 读任意整数A with Size = 1
    // (one OpenProcess/ReadProcessMemory/CloseHandle per call).
    读取单字节整数 = 读任意整数A(ProcessId, Addr, 1)
End Function

Function 读取双字节整数(ProcessId, Addr)
    // Unsigned little-endian 16-bit value at Addr in process ProcessId; same read path as 读任意整数A
    // with Size = 2.
    读取双字节整数 = 读任意整数A(ProcessId, Addr, 2)
End Function

Function 读取四字节整数(ProcessId, Addr)
    // Unsigned little-endian 32-bit value at Addr in process ProcessId, returned as a Double (values
    // above 2147483647 stay positive); same read path as 读任意整数A with Size = 4.
    读取四字节整数 = 读任意整数A(ProcessId, Addr, 4)
End Function

Function 读取八字节整数(ProcessId, Addr)
    // Unsigned little-endian 64-bit value at Addr in process ProcessId, accumulated as a Double (so
    // values above 2^53 lose precision); same read path as 读任意整数A with Size = 8.
    读取八字节整数 = 读任意整数A(ProcessId, Addr, 8)
End Function

//TracePrint   读取地址二进制字节集(ProcessId, &H00290E9C, 10)   // example: pass a process id, not a handle

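Function 读取地址二进制字节集(ProcessId, Addr, Size)//read Size bytes and return them as "55 8B EC ..."
    // Each byte is read with 读取单字节整数 and printed as exactly two upper-case hex digits, so the
    // result round-trips through 进制_字节集标准化 / 写入字节集. Returns "" for Size <= 0.
    // Fix: the original used Hex() unpadded, so 0x05 became "5" and every following byte was shifted
    // when the string was re-parsed as byte pairs.
    // Note: one OpenProcess/ReadProcessMemory per byte - slow for large sizes.
    Dim i, bytes
    bytes = ""
    For i = 0 To Size - 1
        bytes = bytes & " " & Right("0" & Hex(读取单字节整数(ProcessId, Addr + i)), 2)
    Next
    读取地址二进制字节集 = LTrim(bytes)
End Function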

//Function 读取指定长度字符串Unicode(ProcessId, Addr, Size)

//    Dim i

//    For i = 0 To (size - 1)

//        读取指定长度字符串Unicode =读取指定长度字符串Unicode+" "+ chrw(读取双字节整数(ProcessId, Addr+i))

//    Next

//    读取指定长度字符串Unicode=LTrim(读取指定长度字符串Unicode) //这个是去掉左边空格

//End Function

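Function 读取指定长度字符串Unicode(ProcessId, Addr, Size)
    // Reads Size UTF-16 code units (2 bytes each) starting at Addr and returns them as a string (ChrW
    // of each 16-bit value). Leading spaces are trimmed as in the original - note this is lossy for
    // strings that genuinely start with spaces. No terminator handling: embedded NULs are kept.
    // Fix: the original doubled the caller's Size variable (ByRef parameter reassigned) as a side effect.
    Dim k, text
    text = ""
    For k = 0 To Size - 1
        text = text & ChrW(读取双字节整数(ProcessId, Addr + k * 2))
    Next
    读取指定长度字符串Unicode = LTrim(text)
End Function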

//TracePrint   读取指定长度字符串ASCII(ProcessId, &H00290E9C, 10)   // example: pass a process id, not a handle

Function 读取指定长度字符串ASCII(ProcessId, Addr, Size)//Size single bytes, one character each via Chr(); multi-byte characters are not decoded
    // Reads Size bytes starting at Addr and maps each through Chr(), so a 2-byte character occupies two
    // positions (the comment in the original puts it the same way). Leading spaces are trimmed, as before.
    Dim k, text
    text = ""
    For k = 0 To Size - 1
        text = text & Chr(读取单字节整数(ProcessId, Addr + k))
    Next
    读取指定长度字符串ASCII = LTrim(text)
End Function

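Function 构造汇编代码(字节集)
    // Wraps 字节集 (decimal bytes, comma separated, e.g. "1,2") between a fixed prologue and the
    // epilogue "93,194,20,0" (5D C2 14 00 = pop ebp; retn 14h) and returns one comma-separated list.
    // Fix: the original concatenated the parts without separators, so "...,65" & "1,2" became "651,2".
    // An empty 字节集 yields prologue & "," & epilogue.
    // NOTE(review): the prologue decodes as 55 8B EC (push ebp; mov ebp,esp) followed by
    // 16 15 2D 2C 2D 41, which is not an obvious instruction sequence - verify before using the output.
    Dim HeadCode, EndCode
    HeadCode = "85,139,236,22,21,45,44,45,65"
    EndCode = "93,194,20,0"
    If Len(字节集) > 0 Then
        构造汇编代码 = HeadCode & "," & 字节集 & "," & EndCode
    Else
        构造汇编代码 = HeadCode & "," & EndCode
    End If
End Function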

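Function 创建线程(lpStartAddress) //create a suspended thread in THIS process at lpStartAddress; returns the thread handle (0 on failure)
    // CreateThread(NULL, 0, lpStartAddress, NULL, CREATE_SUSPENDED (4), NULL). The thread does not run
    // until it is resumed (ResumeThread is not declared in this file), which matches the original note
    // that suspension "is not handled yet".
    // Fix: the original passed the undefined name 返回值 as the start address and ignored its argument.
    创建线程 = CreateThread(0, 0, lpStartAddress, 0, 4, 0)
End function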

//Call 远程卸载dll(iPID,返回值,"dm.dll")

// TracePrint 获取动态链接库句柄("kernel32.dll")

Function 获取动态链接库句柄(动态链接库函数名)
    // HMODULE of a DLL already loaded in THIS process (GetModuleHandleA by name, e.g. "kernel32.dll");
    // 0 when it is not loaded. Loads nothing.
    Dim hModule
    hModule = GetModuleHandleA(动态链接库函数名)
    获取动态链接库句柄 = hModule
End Function

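Function 远程卸载dll(ProcessId, LoadLibraryA_Addr,字符串)//run LoadLibraryA_Addr(pointer to 字符串) on a remote thread in ProcessId
    // Despite its name this does not unload anything: it writes 字符串 into the target and starts a remote
    // thread at LoadLibraryA_Addr with a pointer to that string, i.e. it LOADS the DLL named by 字符串
    // (FreeLibrary takes an HMODULE, not a name, so it cannot be used this way). Kept for existing callers;
    // 远程注入dll does the same operation under its proper name.
    // Returns the thread's exit code - LoadLibraryA's HMODULE, negative when bit 31 is set - once the thread
    // has finished; 0 if the process cannot be opened, the thread cannot be created, or it does not finish
    // within 10 s. The original returned nothing.
    // Changes: waits for the remote thread, frees the string buffer afterwards and closes the process
    // handle (all were leaked). The thread handle is exposed in RThwnd as before and is not closed here.
    Dim CodeSize, NewWriteCodeAddr, hProcess, exitCode
    远程卸载dll = 0
    CodeSize = Len(字符串) + 10
    NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)   // zero-filled, so the ASCII string is NUL-terminated
    Call 写入字符集ASCII(ProcessId, NewWriteCodeAddr, 字符串)
    hProcess = OpenProcess(2035711, False, ProcessId)
    If hProcess = 0 Then Exit Function
    RThwnd = CreateRemoteThread(hProcess, 0, 0, LoadLibraryA_Addr, NewWriteCodeAddr, 0, 0)
    If RThwnd <> 0 Then
        If WaitForSingleObject(RThwnd, 10000) = 0 Then   // WAIT_OBJECT_0
            exitCode = CLng(0)
            Call GetExitCodeThread(RThwnd, exitCode)
            远程卸载dll = exitCode
            Call 释放进程分配空间(ProcessId, NewWriteCodeAddr)
        End If
    End If
    Call CloseHandle(hProcess)
End Function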

Function 远程获取函数地址(ProcessId, LoadLibraryA_Addr,字符串)//========UNFINISHED: currently a copy of 远程注入dll=============
    // Intended to resolve a function address inside ProcessId, but the body only writes 字符串 into the
    // target and starts a remote thread at LoadLibraryA_Addr with a pointer to it (i.e. it loads a DLL).
    // Nothing is returned. 跨进程获取函数名地址S is the working implementation of the idea.
    // Leaks: the string buffer, the thread handle (RThwnd) and the process handle (Handle_Process) are
    // never released.
    CodeSize = len(字符串)+10 //+10 slack so the buffer is not too small
    //TracePrint   CodeSize
    NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)//allocate in the target
    CALL 写入字符集ASCII(ProcessId, NewWriteCodeAddr, 字符串)
    Handle_Process = OpenProcess(2035711, False, ProcessId)
    RThwnd = CreateRemoteThread(Handle_Process, 0, 0, LoadLibraryA_Addr, NewWriteCodeAddr, 0, 0)
End Function

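Function RunAsmCode(ProcessId, AsmType)//core: copy the code in PublicCode into ProcessId and run it on a new remote thread
    // PublicCode is the hex string assembled by the Asm helpers ("558BEC..."). It is normalised to
    // "55 8B EC ..." (and stored back into the global, as before), written into fresh RWX memory in the
    // target and started with CreateRemoteThread; the code must end in a return. AsmType is unused.
    // Returns True when the remote thread finished within 5 s, False otherwise (the original returned nothing).
    // Changes: waits for the thread instead of returning at once - the callers' "Delay 100" was a race
    // with the injected code - then frees the code buffer; the process handle is closed; an empty
    // PublicCode raises error 5 instead of launching a thread into an all-zero buffer (the original
    // only failed by accident on ReDim(-1)). The thread handle stays exposed in RThwnd, not closed.
    // Caveat: the buffer is RWX (PAGE_EXECUTE_READWRITE). W^X would allocate RW, write, then switch to RX,
    // but the VirtualProtectEx declaration in this file is not usable for that as written.
    Dim CodeSize, NewWriteCodeAddr, hProcess
    RunAsmCode = False
    If Len(PublicCode) = 0 Then Err.Raise 5, "RunAsmCode", "PublicCode is empty - nothing to run"
    PublicCode = 进制_字节集标准化(PublicCode)
    CodeSize = UBound(Split(PublicCode, " ")) + 10    // byte count - 1, plus slack
    NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)
    Call 写入字节集(ProcessId, NewWriteCodeAddr, PublicCode)
    hProcess = OpenProcess(2035711, False, ProcessId)   // 0x1F0FFF = PROCESS_ALL_ACCESS
    If hProcess = 0 Then Exit Function
    RThwnd = CreateRemoteThread(hProcess, 0, 0, NewWriteCodeAddr, 0, 0, 0)
    If RThwnd <> 0 Then
        If WaitForSingleObject(RThwnd, 5000) = 0 Then     // WAIT_OBJECT_0: the code has returned
            RunAsmCode = True
            Call 释放进程分配空间(ProcessId, NewWriteCodeAddr)
        End If
    End If
    Call CloseHandle(hProcess)
End Function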

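Function 远程注入汇编代码(ProcessId, 十六进制字节集)//run a caller-supplied "8B 0D ... C3" byte string on a remote thread in ProcessId
    // 十六进制字节集: space-separated hex bytes; it must end with a return (C3), as the call examples note.
    // Returns True when the thread finished within 5 s, False otherwise (the original returned nothing).
    // Changes: waits for the thread, frees the code buffer afterwards and closes the process handle (all
    // were leaked); an empty byte string raises error 5 instead of launching a thread into an all-zero
    // buffer. The thread handle stays exposed in RThwnd as before and is not closed here.
    Dim CodeSize, NewWriteCodeAddr, hProcess
    远程注入汇编代码 = False
    If Len(Trim(十六进制字节集)) = 0 Then Err.Raise 5, "远程注入汇编代码", "empty byte string - nothing to run"
    CodeSize = UBound(Split(十六进制字节集, " ")) + 10
    NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)
    Call 写入字节集(ProcessId, NewWriteCodeAddr, 十六进制字节集)
    hProcess = OpenProcess(2035711, False, ProcessId)
    If hProcess = 0 Then Exit Function
    RThwnd = CreateRemoteThread(hProcess, 0, 0, NewWriteCodeAddr, 0, 0, 0)
    If RThwnd <> 0 Then
        If WaitForSingleObject(RThwnd, 5000) = 0 Then
            远程注入汇编代码 = True
            Call 释放进程分配空间(ProcessId, NewWriteCodeAddr)
        End If
    End If
    Call CloseHandle(hProcess)
End function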

//Call 十六进制字节集转化成十进制字节集("55 8B EC A1 7C 24 2C 01 6A 00 8B 08 A1 78 3E 2C 01 8B C0 FF D0 5D C3")

Function 十六进制字节集转化成十进制字节集(HexByteStr)// converts a hex byte string into a decimal byte list (author's note)
    // Turns "55 8B EC ..." (spaces optional) into a space-separated decimal
    // list. The result carries a leading space: " 85 139 236".
    // Note: HexByteStr is a ByRef parameter and is overwritten with the
    // space-stripped text, so a caller's variable changes too.
    Dim idx, lastIdx, pair
    HexByteStr = Replace(HexByteStr, " ", "")
    lastIdx = Len(HexByteStr) / 2 - 1
    ReDim HexByteArr(lastIdx)
    For idx = 0 To lastIdx
        pair = Mid(HexByteStr, idx * 2 + 1, 2)
        HexByteArr(idx) = CByte("&H" & pair)
        十六进制字节集转化成十进制字节集 = 十六进制字节集转化成十进制字节集 & " " & HexByteArr(idx)
    Next
    //TracePrint 十六进制字节集转化成十进制字节集
    //Get_Result = CallWindowProc(AsmCode(0), 0, 0, 0, 0)
    //Get_Result = CallWindowProc(AsmCode(0),0,0,0,0)//================================================================= author: unclear why the arguments error here
End Function

Function 获取函数地址API(Module, Name_Api)// author's note: this one is flawed
    // Resolves Name_Api inside the already-loaded module Module using
    // GetModuleHandleA + GetProcAddress. The name is first copied into a
    // LocalAlloc'd ASCII buffer (字符集ASCII变量指针) and that buffer's address
    // is what GetProcAddress receives.
    // Returns the function address, or 0 when either lookup fails.
    // NOTE(review): the name buffer is never LocalFree'd (one leak per call),
    // and a 0 module handle is passed straight on with no diagnostic.
    //Name_Api=Name_Api &"0000"
    Dim Module_Handle,String_Addr,Function_Addr
    //Do
    Module_Handle = GetModuleHandleA(Module)// module handle
    //    TracePrint "dll模块的地址="& Hex(Module_Handle)
    String_Addr = 字符集ASCII变量指针(Name_Api)// pointer to an ASCII copy of the name
    //TracePrint "函数名字变量指针(存数据)="&String_Addr
    Function_Addr = GetProcAddress(Module_Handle, String_Addr)// second argument is the buffer address
    //Loop Until Function_Addr <> 0
    获取函数地址API = Function_Addr
End Function

Function 远程注入dll(ProcessId, LoadLibraryA_Addr,dll路径字符串)
    // Copies dll路径字符串 into process ProcessId and starts a thread there at
    // LoadLibraryA_Addr with the copied string as its argument. No return value,
    // so the caller cannot tell whether any step succeeded.
    // NOTE(review): CodeSize, NewWriteCodeAddr, Handle_Process, RThwnd are never Dim'd.
    CodeSize = len(dll路径字符串)+10 // +10 of slack so the buffer is never too small (author's note)
    //TracePrint   CodeSize
    NewWriteCodeAddr = 申请指定进程空间(ProcessId, CodeSize)// allocate in the target process
    CALL 写入字符集ASCII(ProcessId, NewWriteCodeAddr, dll路径字符串)
    // 2035711 = 0x1F0FFF (PROCESS_ALL_ACCESS). NOTE(review): this handle and the
    // thread handle RThwnd are never closed; results are not checked.
    Handle_Process = OpenProcess(2035711, False, ProcessId)
    RThwnd = CreateRemoteThread(Handle_Process, 0, 0, LoadLibraryA_Addr, NewWriteCodeAddr, 0, 0)
End Function

Function 申请指定进程空间(ProcessId,size)
    // Allocates `size` bytes inside process ProcessId and returns the remote
    // address (0 when VirtualAllocEx fails; the caller gets no other signal).
    // 2035711 = 0x1F0FFF (PROCESS_ALL_ACCESS).
    // NOTE(review): the handle opened here is never closed, and Handle_Process /
    // tmp_Addr are never Dim'd.
    Handle_Process = OpenProcess(2035711, False, ProcessId)
    // 4096 = 0x1000 MEM_COMMIT, 64 = 0x40 PAGE_EXECUTE_READWRITE.
    tmp_Addr = VirtualAllocEx(Handle_Process, 0, size, 4096, 64)
    //TracePrint tmp_Addr
    申请指定进程空间=tmp_Addr
End Function

Function 释放进程分配空间(ProcessId,Addr)
    // Releases a region previously returned by 申请指定进程空间. 2035711 =
    // 0x1F0FFF (PROCESS_ALL_ACCESS). No return value; VirtualFreeEx's result is
    // stored in tmp_Addr and discarded.
    // NOTE(review): the process handle is never closed.
    Handle_Process = OpenProcess(2035711, False, ProcessId)
    // 32768 = 0x8000 MEM_RELEASE; with MEM_RELEASE the size argument must be 0,
    // which is what the author's note about "use 0 to release everything" relies on.
    tmp_Addr = VirtualFreeEx(Handle_Process, Addr, 0,32768)   // third argument is the size; 0 releases the whole region (author's note)
    //TracePrint Hex(tmp_Addr)
End Function

Function 写入字符集ASCII(ProcessId, lpBaseAddress, 字符串)
    // Writes 字符串 into process ProcessId one byte at a time: character k
    // (1-based) goes to lpBaseAddress + k - 1 as its Asc() value.
    // "For <count> ... Next" is this dialect's counted loop, so the body runs
    // Len(字符串) times. No return value.
    // NOTE(review): every byte opens and closes its own process handle via
    // 写入单字符ASCII; i and 字符代码数值 are never Dim'd. Non-ASCII input is
    // presumably truncated to one byte per character — confirm inputs are ASCII.
    i=1
    For len(字符串)
        //TracePrint mid(字符串, i, 1)
        //TracePrint Asc(mid(字符串, i, 1))
        字符代码数值 = Asc(mid(字符串, i, 1))
        Call 写入单字符ASCII(ProcessId, (lpBaseAddress-1+i), 字符代码数值)
        i=i+1
    Next
End Function

Function 字符集ASCII变量指针(字符串)
    // Builds a NUL-terminated ASCII copy of 字符串 in this process's own heap
    // and returns its address, for APIs that need a raw char pointer
    // (see 获取函数地址API).
    // NOTE(review): the buffer is LocalAlloc'd (flag 0 = LMEM_FIXED) and never
    // freed here — the caller owns it and should LocalFree it. Each character
    // is written through OpenProcess/WriteProcessMemory on the current process,
    // one handle per byte, even though RtlMoveMemory is declared in the header.
    Dim 内存大小
    Dim NewAddr
    Dim i
    内存大小 = Len(字符串)
    //TracePrint 内存大小
    NewAddr = (LocalAlloc(0, 内存大小 + 2))// +2 leaves room for the terminating 0 written after the loop (author's note, paraphrased)
    //    TracePrint   NewAddr
    //TracePrint "申请存放汇编字节集" & Hex(NewAddr)
    i=1
    // Counted loop: runs Len(字符串) times, writing character i at NewAddr + i - 1.
    For len(字符串)
        //TracePrint mid(字符串, i, 1)
        //TracePrint Asc(mid(字符串, i, 1))
        字符代码数值 = Asc(mid(字符串, i, 1))
        //        TracePrint 字符代码数值
        Call 写入单字符ASCII(GetCurrentProcessId(), (NewAddr - 1 + i), 字符代码数值)
        //        TracePrint NewAddr-1+i
        i=i+1
    Next
    // Two-byte 0 terminator right after the last character (i is now Len+1).
    call 写入双字节内存整数(GetCurrentProcessId(),(NewAddr - 1 + i),0)
    //    TracePrint "最后一个整" & NewAddr-1+i
    字符集ASCII变量指针=NewAddr
End Function

Function 写入单字符ASCII(ProcessId, lpBaseAddress, WriteValue)
    // Writes the low byte of WriteValue to lpBaseAddress in process ProcessId.
    // ChrW(WriteValue) yields a one-character (two-byte) string that can be
    // passed by reference; WriteProcessMemory is told to copy only 1 byte of it.
    // Opens and closes a process handle on every call. No return value and no
    // error checking. NOTE(review): Addr_Low is never Dim'd.
    Dim Handle_Process// process handle
    Handle_Process = OpenProcess(2035711, false, ProcessId)// 2035711 = 0x1F0FFF (PROCESS_ALL_ACCESS)
    //TracePrint "Handle_Process=" & Handle_Process// target address
    Addr_Low = chrw(WriteValue)/* the write needs an address, so a Long cannot be passed directly; the value is split into low/high words and each stored as a Unicode character (2 bytes each, 4 bytes together) (author's note) */
    Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 1, 0)   //   lpBaseAddress is where the byte is stored
    call   CloseHandle (Handle_Process)// close the process handle
End Function

Function 写入字节集(ProcessId, WriteAddr, 十六进制字节集)
    // Writes a space-separated HEX byte string ("55 8B EC ...") to WriteAddr in
    // process ProcessId, byte i going to WriteAddr + i. Contrast 字节集变量指针,
    // which expects DECIMAL byte text. No return value.
    // NOTE(review): one OpenProcess/CloseHandle per byte (写入单字节整数);
    // NewAddr, 字节数组 and i are never Dim'd.
    NewAddr = WriteAddr // start address
    //TracePrint "申请存放汇编字节集地址" & Hex(NewAddr)
    字节数组=Split(十六进制字节集," ")
    i=0
    // Counted loop: runs once per array element.
    For UBound(字节数组)+1
        //TracePrint 字节数组(i)
        call 写入单字节整数(ProcessId, NewAddr+i,"&H"&字节数组(i)) // "&H" prefix lets the callee treat the text as a hex number (author's note)
        i=i+1
    Next
End Function

Function 字节集变量指针(十六进制字节集)
    // Copies a space-separated DECIMAL byte string (the output format of
    // 十六进制字节集转化成十进制字节集) into a local heap buffer in this process
    // and returns the buffer address. Despite the parameter name, int() is
    // applied to each element, so hex text is not accepted here.
    // NOTE(review): the buffer is a fixed 200 bytes (LocalAlloc, never freed
    // here) regardless of input length — more than 200 bytes overruns it; the
    // size should come from UBound(字节数组)+1. NewAddr, 字节数组, i are never Dim'd.
    NewAddr = LocalAlloc(0, 200)
    //TracePrint "申请存放汇编字节集" & Hex(NewAddr)
    字节数组=Split(十六进制字节集," ")
    i=0
    // Counted loop: runs once per array element.
    For UBound(字节数组)+1
        //TracePrint 字节数组(i)
        call 写入单字节整数(GetCurrentProcessId(), NewAddr+i,int(字节数组(i)))
        i=i+1
    Next
    字节集变量指针=NewAddr
End Function

Function 写入单字节整数(ProcessId, lpBaseAddress, WriteValue) // second argument is the write address
    // Writes (WriteValue mod 256) as one byte to lpBaseAddress in ProcessId.
    // WriteValue may be a number or a "&Hxx" string: `mod` coerces the string
    // operand to a number (relies on the interpreter's implicit conversion).
    // Opens/closes a process handle per call; no return value, no error checks.
    // NOTE(review): Addr_Low is never Dim'd.
    Dim Handle_Process// process handle
    Handle_Process = OpenProcess(2035711, false, ProcessId)// 2035711 = 0x1F0FFF (PROCESS_ALL_ACCESS)
    //TracePrint "Handle_Process=" & Handle_Process// target address
    Addr_Low = chrw(WriteValue mod 256)/* the write needs an address, so a Long cannot be passed directly; the value is split into low/high words and each stored as a Unicode character (2 bytes each, 4 bytes together) (author's note) */
    //Addr_High = chrw(int(WriteValue / 65536))//读取WriteAddr原来的值//用这个测试的时候,我们检测下2字节的最大值和4字节的最大值,注意数据溢出
    Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 1, 0)   //   lpBaseAddress is where the byte is stored
    //Call Write(Handle_Process, lpBaseAddress + 2, Addr_High, 2, 0)//读取WriteAddr现在的值
    call   CloseHandle (Handle_Process)// close the process handle
End Function

Function 写入双字节内存整数(ProcessId, lpBaseAddress, WriteValue) // second argument is the write address
    // Writes WriteValue as a 2-byte little-endian word to lpBaseAddress in
    // ProcessId (ChrW gives the UTF-16 code unit, whose in-memory layout is
    // exactly that word). Opens/closes a process handle per call.
    // NOTE(review): ChrW accepts only -32768..65535 — larger values raise an
    // error rather than being truncated. Addr_Low is never Dim'd.
    Dim Handle_Process// process handle
    Handle_Process = OpenProcess(2035711, false, ProcessId)// 2035711 = 0x1F0FFF (PROCESS_ALL_ACCESS)
    //TracePrint "Handle_Process=" & Handle_Process// target address
    Addr_Low = Chrw(WriteValue)/* the write needs an address, so a Long cannot be passed directly; the value is split into low/high words and each stored as a Unicode character (2 bytes each, 4 bytes together) (author's note) */
    Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 2, 0)   //   lpBaseAddress is where the word is stored
    call   CloseHandle (Handle_Process)// close the process handle
End Function

Function 双字节整数变量指针(WriteValue)// returns a pointer to a 2-byte copy of WriteValue =======================
    // Allocates 2 bytes on this process's local heap, stores WriteValue there
    // as a little-endian word and returns the address.
    // NOTE(review): the block is never LocalFree'd here (caller's job); the
    // write goes through OpenProcess/WriteProcessMemory on our own process.
    // NewAddr and Addr_Low are never Dim'd.
    NewAddr = LocalAlloc(0, 2)
    //TracePrint "申请存放汇编字节集" & Hex(NewAddr)
    Dim Handle_Process// process handle
    Handle_Process = OpenProcess(2035711, false, GetCurrentProcessId())// 2035711 = 0x1F0FFF (PROCESS_ALL_ACCESS)
    //TracePrint "Handle_Process=" & Handle_Process// target address
    Addr_Low = Chrw(WriteValue)/* the write needs an address, so a Long cannot be passed directly; the value is split into low/high words and each stored as a Unicode character (2 bytes each, 4 bytes together) (author's note) */
    Call WriteProcessMemory(Handle_Process, NewAddr, Addr_Low, 2, 0)   //   NewAddr is where the word is stored
    Call CloseHandle(Handle_Process)// close the process handle
    双字节整数变量指针=NewAddr
End Function

Function 写入四字节内存整数(ProcessId, lpBaseAddress, WriteValue) // second argument is the write address
    // Writes WriteValue as a 4-byte little-endian dword: low word at
    // lpBaseAddress, high word at lpBaseAddress + 2. Opens/closes a process
    // handle per call; no return value, no error checks.
    // NOTE(review): for negative WriteValue, Mod keeps the sign, so ChrW can
    // receive a value outside its -32768..65535 range — confirm callers only
    // pass non-negative dwords. Addr_Low/Addr_High are never Dim'd.
    Dim Handle_Process// process handle
    Handle_Process = OpenProcess(2035711, false, ProcessId)// 2035711 = 0x1F0FFF (PROCESS_ALL_ACCESS)
    //TracePrint "Handle_Process=" & Handle_Process// target address
    Addr_Low = Chrw(WriteValue mod 65536)/* the write needs an address, so a Long cannot be passed directly; the value is split into low/high words and each stored as a Unicode character (2 bytes each, 4 bytes together) (author's note) */
    Addr_High = Chrw(int(WriteValue / 65536))// high word; author's note: check the 2-byte and 4-byte maxima for overflow when testing
    Call WriteProcessMemory(Handle_Process, lpBaseAddress, Addr_Low, 2, 0)   //   low word at lpBaseAddress
    Call WriteProcessMemory(Handle_Process, lpBaseAddress + 2, Addr_High, 2, 0)// high word at lpBaseAddress + 2
    call   CloseHandle (Handle_Process)// close the process handle
End Function

Function 四字节整数变量指针(WriteValue)// returns a pointer to a 4-byte copy of WriteValue
    // Allocates 4 bytes on this process's local heap, stores WriteValue there
    // as a little-endian dword (low word first) and returns the address.
    // NOTE(review): never LocalFree'd here (caller's job); same negative-value
    // caveat as 写入四字节内存整数. NewAddr, Addr_Low, Addr_High are never Dim'd.
    NewAddr = LocalAlloc(0, 4)
    //TracePrint "申请存放汇编字节集" & Hex(NewAddr)
    Dim Handle_Process// process handle
    Handle_Process = OpenProcess(2035711, false, GetCurrentProcessId())// 2035711 = 0x1F0FFF (PROCESS_ALL_ACCESS)
    //TracePrint "Handle_Process=" & Handle_Process// target address
    Addr_Low = Chrw(WriteValue mod 65536)/* the write needs an address, so a Long cannot be passed directly; the value is split into low/high words and each stored as a Unicode character (2 bytes each, 4 bytes together) (author's note) */
    Addr_High = Chrw(int(WriteValue / 65536))// high word; author's note: check the 2-byte and 4-byte maxima for overflow when testing
    Call WriteProcessMemory(Handle_Process, NewAddr, Addr_Low, 2, 0)   //   low word at NewAddr
    Call WriteProcessMemory(Handle_Process, NewAddr + 2, Addr_High, 2, 0)// high word at NewAddr + 2
    call   CloseHandle (Handle_Process)// close the process handle
End Function

Function 获取变量数据类型(变量)
    // Thin wrapper around TypeName(): returns the runtime type name of the
    // argument, e.g. "String", "Long", "Empty".
    Dim kind
    kind = TypeName(变量)
    获取变量数据类型 = kind
End Function

//Private Declare Function CallAsmCode Lib "user32" Alias "CallWindowProcA" ( lpPrevWndFunc As Long, ByVal hWnd As Long, ByVal Msg As Long, ByVal wParam As Long, lParam As Long) As Long

// CallAnyFunc = CallAsmCode(NewAddr, 0, 0, 0, 0)

//======================================================================================这里是常用区

//=======================================================================================常用命令

Function W_GetCode()
    // Returns the hex opcode text accumulated so far in the shared PublicCode buffer.
    Dim snapshot
    snapshot = PublicCode
    W_GetCode = snapshot
End Function

Function W_HighAndLow(Value , n) ' swap high and low bytes
    // Renders Value as n hex digits (left-padded with zeros, truncated from
    // the left when Hex(Value) is longer) and returns the hex byte pairs in
    // reverse order — the little-endian text an x86 immediate/displacement
    // needs. Examples: (&H12345678, 8) -> "78563412"; (5, 2) -> "05".
    // Returns Empty (not "") when n < 2, exactly like the original loop.
    Dim padded, swapped, pos
    padded = Right("0000000" & Hex(Value), n)
    // Walk the pairs from the right-hand end back to the start.
    pos = Len(padded) - 1
    Do While pos >= 1
        swapped = swapped & Mid(padded, pos, 2)
        pos = pos - 2
    Loop
    W_HighAndLow = swapped
End Function

//Function W_HighAndLow(Value, n)'高低位互换,这个是更新版本,n是多余的参数,还有bug 0000

//    If Value <255 and Value >16 Then

//        W_HighAndLow = Hex(Value)

//    ElseIf Value < 16 and Value >=0 Then

//       

//            W_HighAndLow = "0" + Hex(Value)

//       

//    Else

//        W_HighAndLow = Hex(htonl(Value))

//    End If

//End Function

//

// Single-instruction emitters: each appends one opcode's hex text to the
// shared PublicCode buffer (consumed later by RunAsmCode).
Function Leave()
    // leave
    PublicCode = PublicCode & "C9"
End Function

Function Pushad()
    // pushad
    PublicCode = PublicCode & "60"
End Function

Function Popad()
    // popad
    PublicCode = PublicCode & "61"
End Function

Function Nop()
    // nop
    PublicCode = PublicCode & "90"
End Function

Function Ret()
    // ret
    PublicCode = PublicCode & "C3"
End Function

Function Retn(i)   // newly added (author's note)
    // ret imm16 — C2 followed by the 2-byte little-endian operand.
    Dim operand
    operand = W_HighAndLow(i, 4)
    PublicCode = PublicCode & "C2" & operand
End Function

Function RetA(i)
    // Raw data: appends the 2-byte little-endian form of i with no opcode.
    Dim operand
    operand = W_HighAndLow(i, 4)
    PublicCode = PublicCode & operand
End Function

Function IN_AL_DX()
    // in al, dx
    PublicCode = PublicCode & "EC"
End Function

Function TEST_EAX_EAX()
    // test eax, eax
    PublicCode = PublicCode & "85C0"
End Function

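'Add
'+++++++++++++++++++++++++++++++++++
// Fix in Add_EBX/ECX/EDX/ESI/ESP: opcode 83 /0 carries a ONE-byte immediate,
// but these appended a 4-byte one (8 hex chars), so e.g. Add_ESP(4) produced
// 83 C4 04 followed by three stray 00 bytes that decode as junk instructions.
// They now emit 83 xx ib for 0..127 (the same gate Push uses, since ib is
// sign-extended) and 81 xx id otherwise — the same short/long selection that
// Cmp_EAX already makes between 83F8 and 3D.
Function Add_EAX_EDX()
    // add eax, edx
    PublicCode = PublicCode & "03C2"
End Function

Function Add_EBX_EAX()
    // add ebx, eax
    PublicCode = PublicCode & "03D8"
End Function

Function Add_EAX_DWORD_Ptr(i)
    // add eax, dword ptr [i]
    PublicCode = PublicCode & "0305" & W_HighAndLow(i, 8)
End Function

Function Add_EBX_DWORD_Ptr(i)
    // add ebx, dword ptr [i]
    PublicCode = PublicCode & "031D" & W_HighAndLow(i, 8)
End Function

Function Add_EBP_DWORD_Ptr(i)
    // add ebp, dword ptr [i]
    PublicCode = PublicCode & "032D" & W_HighAndLow(i, 8)
End Function

Function Add_EAX(i)
    // add eax, imm32 (05 id — the EAX short form, always 4-byte immediate)
    PublicCode = PublicCode & "05" & W_HighAndLow(i, 8)
End Function

Function Add_EBX(i)
    // add ebx, imm — 83 C3 ib for 0..127, else 81 C3 id
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "83C3" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "81C3" & W_HighAndLow(i, 8)
    End If
End Function

Function Add_ECX(i)
    // add ecx, imm — 83 C1 ib for 0..127, else 81 C1 id
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "83C1" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "81C1" & W_HighAndLow(i, 8)
    End If
End Function

Function Add_EDX(i)
    // add edx, imm — 83 C2 ib for 0..127, else 81 C2 id
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "83C2" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "81C2" & W_HighAndLow(i, 8)
    End If
End Function

Function Add_ESI(i)
    // add esi, imm — 83 C6 ib for 0..127, else 81 C6 id
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "83C6" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "81C6" & W_HighAndLow(i, 8)
    End If
End Function

Function Add_ESP(i)
    // add esp, imm — 83 C4 ib for 0..127, else 81 C4 id
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode & "83C4" & W_HighAndLow(i, 2)
    Else
        PublicCode = PublicCode & "81C4" & W_HighAndLow(i, 8)
    End If
End Function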

'Call
'+++++++++++++++++++++++++++++++++++
// call-by-register emitters: FF /2 with ModRM D0 + register number.
Function Call_EAX()
    // call eax
    PublicCode = PublicCode & "FFD0"
End Function

Function Call_EBX()
    // call ebx
    PublicCode = PublicCode & "FFD3"
End Function

Function Call_ECX()
    // call ecx
    PublicCode = PublicCode & "FFD1"
End Function

Function Call_EDX()
    // call edx
    PublicCode = PublicCode & "FFD2"
End Function

Function Call_ESI()
    // call esi
    PublicCode = PublicCode & "FFD6"
End Function

Function Call_ESP()
    // call esp
    PublicCode = PublicCode & "FFD4"
End Function

Function Call_EBP()
    // call ebp
    PublicCode = PublicCode & "FFD5"
End Function

Function Call_EDI()
    // call edi
    PublicCode = PublicCode & "FFD7"
End Function

Function Call_DWORD_Ptr_Addr(i)
    // call dword ptr [i]  (FF 15 disp32)
    Dim target
    target = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "FF15" & target
End Function

//Function Call_DWORD_Ptr_Value(i ) // newly added, but wrong at the time (author's note)
//PublicCode = PublicCode + "E8" + W_HighAndLow(i, 8)
//End Function

Function Call_DWORD_Ptr_EAX()
    // call dword ptr [eax]
    PublicCode = PublicCode & "FF10"
End Function

Function Call_DWORD_Ptr_EBX()
    // call dword ptr [ebx]
    PublicCode = PublicCode & "FF13"
End Function

'Cmp
'+++++++++++++++++++++++++++++++++++
Function Cmp_EAX(i)
    // cmp eax, imm — 83 F8 ib for small values, else 3D id.
    // NOTE(review): ib is sign-extended, so the 0..255 gate encodes 128..255
    // as negative operands; Push uses 0..127 for the same reason — confirm.
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "83F8" & W_HighAndLow(i, 2)
    Else
        tail = "3D" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Cmp_EAX_EDX()
    // cmp eax, edx
    PublicCode = PublicCode & "3BC2"
End Function

Function Cmp_EAX_DWORD_Ptr(i)
    // cmp eax, dword ptr [i]
    PublicCode = PublicCode & "3B05" & W_HighAndLow(i, 8)
End Function

Function Cmp_DWORD_Ptr_EAX(i)
    // cmp dword ptr [i], eax
    PublicCode = PublicCode & "3905" & W_HighAndLow(i, 8)
End Function

'DEC
'+++++++++++++++++++++++++++++++++++
// dec r32: single-byte 48 + register number.
Function Dec_EAX()
    // dec eax
    PublicCode = PublicCode & "48"
End Function

Function Dec_EBX()
    // dec ebx
    PublicCode = PublicCode & "4B"
End Function

Function Dec_ECX()
    // dec ecx
    PublicCode = PublicCode & "49"
End Function

Function Dec_EDX()
    // dec edx
    PublicCode = PublicCode & "4A"
End Function

'Idiv
'+++++++++++++++++++++++++++++++++++
// idiv r32: F7 /7 with ModRM F8 + register number.
Function Idiv_EAX()
    // idiv eax
    PublicCode = PublicCode & "F7F8"
End Function

Function Idiv_EBX()
    // idiv ebx
    PublicCode = PublicCode & "F7FB"
End Function

Function Idiv_ECX()
    // idiv ecx
    PublicCode = PublicCode & "F7F9"
End Function

Function Idiv_EDX()
    // idiv edx
    PublicCode = PublicCode & "F7FA"
End Function

'Imul
'+++++++
//++++++++++++++++++++++++++++
Function Imul_EAX_EDX()
    // imul eax, edx
    PublicCode = PublicCode & "0FAFC2"
End Function

Function Imul_EAX(i)
    // imul eax, eax, imm8 (6B C0 ib — sign-extended byte; caller must keep i in range)
    Dim operand
    operand = W_HighAndLow(i, 2)
    PublicCode = PublicCode & "6BC0" & operand
End Function

Function ImulB_EAX(i)
    // imul eax, eax, imm32 (69 C0 id)
    Dim operand
    operand = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "69C0" & operand
End Function

'INC
'+++++++++++++++++++++++++++++++++++
// inc r32 is 40 + register number; inc dword ptr [r32] is FF /0.
Function Inc_EAX()
    // inc eax
    PublicCode = PublicCode & "40"
End Function

Function Inc_EBX()
    // inc ebx
    PublicCode = PublicCode & "43"
End Function

Function Inc_ECX()
    // inc ecx
    PublicCode = PublicCode & "41"
End Function

Function Inc_EDX()
    // inc edx
    PublicCode = PublicCode & "42"
End Function

Function Inc_EDI()
    // inc edi
    PublicCode = PublicCode & "47"
End Function

Function Inc_ESI()
    // inc esi
    PublicCode = PublicCode & "46"
End Function

Function Inc_DWORD_Ptr_EAX()
    // inc dword ptr [eax]
    PublicCode = PublicCode & "FF00"
End Function

Function Inc_DWORD_Ptr_EBX()
    // inc dword ptr [ebx]
    PublicCode = PublicCode & "FF03"
End Function

Function Inc_DWORD_Ptr_ECX()
    // inc dword ptr [ecx]
    PublicCode = PublicCode & "FF01"
End Function

Function Inc_DWORD_Ptr_EDX()
    // inc dword ptr [edx]
    PublicCode = PublicCode & "FF02"
End Function

'JMP/JE/JNE
'+++++++++++++++++++++++++++++++++++
Function JMP_EAX()
    // jmp eax  (FF E0) — the only jump form this section provides
    PublicCode = PublicCode & "FFE0"
End Function

'Mov
// Moves with an absolute address or a 32-bit immediate; the operand is always
// appended as 4 little-endian bytes via W_HighAndLow(i, 8).
Function Mov_DWORD_Ptr_Addr_EAX(i)
    // mov dword ptr [i], eax  (A3 moffs32)
    PublicCode = PublicCode & "A3" & W_HighAndLow(i, 8)
End Function

Function Mov_DWORD_Ptr_Addr_AL(i)
    // mov byte ptr [i], al  (A2 moffs8)
    PublicCode = PublicCode & "A2" & W_HighAndLow(i, 8)
End Function

Function Mov_DWORD_Ptr_Addr_AH(i)
    // mov byte ptr [i], ah  (88 25 disp32)
    PublicCode = PublicCode & "8825" & W_HighAndLow(i, 8)
End Function

Function Mov_EAX_Value(i)
    // mov eax, imm32
    PublicCode = PublicCode & "B8" & W_HighAndLow(i, 8)
End Function

Function Mov_EBX_Value(i)
    // mov ebx, imm32
    PublicCode = PublicCode & "BB" & W_HighAndLow(i, 8)
End Function

Function Mov_ECX_Value(i)
    // mov ecx, imm32
    PublicCode = PublicCode & "B9" & W_HighAndLow(i, 8)
End Function

Function Mov_EDX_Value(i)
    // mov edx, imm32
    PublicCode = PublicCode & "BA" & W_HighAndLow(i, 8)
End Function

Function Mov_ESI_Value(i)
    // mov esi, imm32
    PublicCode = PublicCode & "BE" & W_HighAndLow(i, 8)
End Function

Function Mov_ESP_Value(i)
    // mov esp, imm32
    PublicCode = PublicCode & "BC" & W_HighAndLow(i, 8)
End Function

Function Mov_EBP_Value(i)
    // mov ebp, imm32
    PublicCode = PublicCode & "BD" & W_HighAndLow(i, 8)
End Function

Function Mov_EDI_Value(i)
    // mov edi, imm32
    PublicCode = PublicCode & "BF" & W_HighAndLow(i, 8)
End Function

Function Mov_EBX_DWORD_Ptr(i)
    // mov ebx, dword ptr [i]
    PublicCode = PublicCode & "8B1D" & W_HighAndLow(i, 8)
End Function

Function Mov_ECX_DWORD_Ptr_Addr(i)
    // mov ecx, dword ptr [i]
    PublicCode = PublicCode & "8B0D" & W_HighAndLow(i, 8)
End Function

Function Mov_EAX_DWORD_Ptr_Addr(i)
    // mov eax, dword ptr [i]  (A1 moffs32)
    PublicCode = PublicCode & "A1" & W_HighAndLow(i, 8)
End Function

Function Mov_EDX_DWORD_Ptr_Addr(i)
    // mov edx, dword ptr [i]
    PublicCode = PublicCode & "8B15" & W_HighAndLow(i, 8)
End Function

Function Mov_ESI_DWORD_Ptr_Addr(i)
    // mov esi, dword ptr [i]
    PublicCode = PublicCode & "8B35" & W_HighAndLow(i, 8)
End Function

Function Mov_ESP_DWORD_Ptr_Addr(i)
    // mov esp, dword ptr [i]
    PublicCode = PublicCode & "8B25" & W_HighAndLow(i, 8)
End Function

Function Mov_EBP_DWORD_Ptr_Addr(i)
    // mov ebp, dword ptr [i]
    PublicCode = PublicCode & "8B2D" & W_HighAndLow(i, 8)
End Function

// mov eax, [reg] with no displacement. [ebp] needs the disp8 form (8B 45 00)
// and [esp] needs a SIB byte (8B 04 24); the rest are two bytes.
Function Mov_EAX_DWORD_Ptr_EAX()
    // mov eax, dword ptr [eax]
    PublicCode = PublicCode & "8B00"
End Function

Function Mov_EAX_DWORD_Ptr_EBP()
    // mov eax, dword ptr [ebp+0]
    PublicCode = PublicCode & "8B4500"
End Function

Function Mov_EAX_DWORD_Ptr_EBX()
    // mov eax, dword ptr [ebx]
    PublicCode = PublicCode & "8B03"
End Function

Function Mov_EAX_DWORD_Ptr_ECX()
    // mov eax, dword ptr [ecx]
    PublicCode = PublicCode & "8B01"
End Function

Function Mov_EAX_DWORD_Ptr_EDX()
    // mov eax, dword ptr [edx]
    PublicCode = PublicCode & "8B02"
End Function

Function Mov_EAX_DWORD_Ptr_EDI()
    // mov eax, dword ptr [edi]
    PublicCode = PublicCode & "8B07"
End Function

Function Mov_EAX_DWORD_Ptr_ESP()
    // mov eax, dword ptr [esp]
    PublicCode = PublicCode & "8B0424"
End Function

Function Mov_EAX_DWORD_Ptr_ESI()
    // mov eax, dword ptr [esi]
    PublicCode = PublicCode & "8B06"
End Function

// mov eax, [reg+disp]: disp8 form (mod=01) for small i, disp32 form (mod=10)
// otherwise. NOTE(review): disp8 is sign-extended, so the 0..255 gate used
// throughout this family encodes 128..255 as negative offsets (Push uses
// 0..127 for its byte form) — confirm intended.
Function Mov_EAX_DWORD_Ptr_EAX_Add(i)
    // mov eax, dword ptr [eax+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B40" & W_HighAndLow(i, 2)
    Else
        tail = "8B80" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EAX_DWORD_Ptr_ESP_Add(i)
    // mov eax, dword ptr [esp+i]  (SIB byte 24)
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B4424" & W_HighAndLow(i, 2)
    Else
        tail = "8B8424" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EAX_DWORD_Ptr_EBX_Add(i)
    // mov eax, dword ptr [ebx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B43" & W_HighAndLow(i, 2)
    Else
        tail = "8B83" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EAX_DWORD_Ptr_ECX_Add(i)
    // mov eax, dword ptr [ecx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B41" & W_HighAndLow(i, 2)
    Else
        tail = "8B81" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EAX_DWORD_Ptr_EDX_Add(i)
    // mov eax, dword ptr [edx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B42" & W_HighAndLow(i, 2)
    Else
        tail = "8B82" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EAX_DWORD_Ptr_EDI_Add(i)
    // mov eax, dword ptr [edi+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B47" & W_HighAndLow(i, 2)
    Else
        tail = "8B87" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EAX_DWORD_Ptr_EBP_Add(i)
    // mov eax, dword ptr [ebp+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B45" & W_HighAndLow(i, 2)
    Else
        tail = "8B85" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EAX_DWORD_Ptr_ESI_Add(i)
    // mov eax, dword ptr [esi+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B46" & W_HighAndLow(i, 2)
    Else
        tail = "8B86" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

// mov ebx, [reg+disp]: disp8 form for small i, disp32 form otherwise.
// NOTE(review): disp8 is sign-extended; the 0..255 gate encodes 128..255 as
// negative offsets (Push gates its byte form at 127) — confirm intended.
Function Mov_EBX_DWORD_Ptr_EAX_Add(i)
    // mov ebx, dword ptr [eax+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B58" & W_HighAndLow(i, 2)
    Else
        tail = "8B98" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EBX_DWORD_Ptr_ESP_Add(i)
    // mov ebx, dword ptr [esp+i]  (SIB byte 24)
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B5C24" & W_HighAndLow(i, 2)
    Else
        tail = "8B9C24" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EBX_DWORD_Ptr_EBX_Add(i)
    // mov ebx, dword ptr [ebx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B5B" & W_HighAndLow(i, 2)
    Else
        tail = "8B9B" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EBX_DWORD_Ptr_ECX_Add(i)
    // mov ebx, dword ptr [ecx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B59" & W_HighAndLow(i, 2)
    Else
        tail = "8B99" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EBX_DWORD_Ptr_EDX_Add(i)
    // mov ebx, dword ptr [edx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B5A" & W_HighAndLow(i, 2)
    Else
        tail = "8B9A" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EBX_DWORD_Ptr_EDI_Add(i)
    // mov ebx, dword ptr [edi+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B5F" & W_HighAndLow(i, 2)
    Else
        tail = "8B9F" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EBX_DWORD_Ptr_EBP_Add(i)
    // mov ebx, dword ptr [ebp+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B5D" & W_HighAndLow(i, 2)
    Else
        tail = "8B9D" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EBX_DWORD_Ptr_ESI_Add(i)
    // mov ebx, dword ptr [esi+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B5E" & W_HighAndLow(i, 2)
    Else
        tail = "8B9E" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

// mov ecx, [reg+disp]: disp8 form for small i, disp32 form otherwise.
// NOTE(review): disp8 is sign-extended; the 0..255 gate encodes 128..255 as
// negative offsets (Push gates its byte form at 127) — confirm intended.
Function Mov_ECX_DWORD_Ptr_EAX_Add(i)   // had a bug here once (author's note)
    // mov ecx, dword ptr [eax+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B48" & W_HighAndLow(i, 2)
    Else
        tail = "8B88" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_ECX_DWORD_Ptr_ESP_Add(i)
    // mov ecx, dword ptr [esp+i]  (SIB byte 24)
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B4C24" & W_HighAndLow(i, 2)
    Else
        tail = "8B8C24" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_ECX_DWORD_Ptr_EBX_Add(i)
    // mov ecx, dword ptr [ebx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B4B" & W_HighAndLow(i, 2)
    Else
        tail = "8B8B" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_ECX_DWORD_Ptr_ECX_Add(i)
    // mov ecx, dword ptr [ecx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B49" & W_HighAndLow(i, 2)
    Else
        tail = "8B89" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_ECX_DWORD_Ptr_EDX_Add(i)
    // mov ecx, dword ptr [edx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B4A" & W_HighAndLow(i, 2)
    Else
        tail = "8B8A" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_ECX_DWORD_Ptr_EDI_Add(i)
    // mov ecx, dword ptr [edi+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B4F" & W_HighAndLow(i, 2)
    Else
        tail = "8B8F" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_ECX_DWORD_Ptr_EBP_Add(i)
    // mov ecx, dword ptr [ebp+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B4D" & W_HighAndLow(i, 2)
    Else
        tail = "8B8D" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_ECX_DWORD_Ptr_ESI_Add(i)
    // mov ecx, dword ptr [esi+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B4E" & W_HighAndLow(i, 2)
    Else
        tail = "8B8E" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

// mov edx, [reg+disp]: disp8 form for small i, disp32 form otherwise.
// NOTE(review): disp8 is sign-extended; the 0..255 gate encodes 128..255 as
// negative offsets (Push gates its byte form at 127) — confirm intended.
Function Mov_EDX_DWORD_Ptr_EAX_Add(i)
    // mov edx, dword ptr [eax+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B50" & W_HighAndLow(i, 2)
    Else
        tail = "8B90" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EDX_DWORD_Ptr_ESP_Add(i)
    // mov edx, dword ptr [esp+i]  (SIB byte 24)
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B5424" & W_HighAndLow(i, 2)
    Else
        tail = "8B9424" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EDX_DWORD_Ptr_EBX_Add(i)
    // mov edx, dword ptr [ebx+i]   (had a bug here once — author's note)
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B53" & W_HighAndLow(i, 2)
    Else
        tail = "8B93" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EDX_DWORD_Ptr_ECX_Add(i)
    // mov edx, dword ptr [ecx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B51" & W_HighAndLow(i, 2)
    Else
        tail = "8B91" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EDX_DWORD_Ptr_EDX_Add(i)
    // mov edx, dword ptr [edx+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B52" & W_HighAndLow(i, 2)
    Else
        tail = "8B92" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EDX_DWORD_Ptr_EDI_Add(i)
    // mov edx, dword ptr [edi+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B57" & W_HighAndLow(i, 2)
    Else
        tail = "8B97" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EDX_DWORD_Ptr_EBP_Add(i)
    // mov edx, dword ptr [ebp+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B55" & W_HighAndLow(i, 2)
    Else
        tail = "8B95" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Mov_EDX_DWORD_Ptr_ESI_Add(i)
    // mov edx, dword ptr [esi+i]
    Dim tail
    If i >= 0 And i <= 255 Then
        tail = "8B56" & W_HighAndLow(i, 2)
    Else
        tail = "8B96" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

// mov ebx/ecx/edx, [reg] with no displacement. [ebp] uses the disp8 form with
// a zero byte and [esp] needs the SIB byte 24; everything else is two bytes.
Function Mov_EBX_DWORD_Ptr_EAX()
    // mov ebx, dword ptr [eax]
    PublicCode = PublicCode & "8B18"
End Function

Function Mov_EBX_DWORD_Ptr_EBP()
    // mov ebx, dword ptr [ebp+0]
    PublicCode = PublicCode & "8B5D00"
End Function

Function Mov_EBX_DWORD_Ptr_EBX()
    // mov ebx, dword ptr [ebx]
    PublicCode = PublicCode & "8B1B"
End Function

Function Mov_EBX_DWORD_Ptr_ECX()
    // mov ebx, dword ptr [ecx]
    PublicCode = PublicCode & "8B19"
End Function

Function Mov_EBX_DWORD_Ptr_EDX()
    // mov ebx, dword ptr [edx]
    PublicCode = PublicCode & "8B1A"
End Function

Function Mov_EBX_DWORD_Ptr_EDI()
    // mov ebx, dword ptr [edi]
    PublicCode = PublicCode & "8B1F"
End Function

Function Mov_EBX_DWORD_Ptr_ESP()
    // mov ebx, dword ptr [esp]
    PublicCode = PublicCode & "8B1C24"
End Function

Function Mov_EBX_DWORD_Ptr_ESI()
    // mov ebx, dword ptr [esi]
    PublicCode = PublicCode & "8B1E"
End Function

Function Mov_ECX_DWORD_Ptr_EAX()
    // mov ecx, dword ptr [eax]
    PublicCode = PublicCode & "8B08"
End Function

Function Mov_ECX_DWORD_Ptr_EBP()
    // mov ecx, dword ptr [ebp+0]
    PublicCode = PublicCode & "8B4D00"
End Function

Function Mov_ECX_DWORD_Ptr_EBX()
    // mov ecx, dword ptr [ebx]
    PublicCode = PublicCode & "8B0B"
End Function

Function Mov_ECX_DWORD_Ptr_ECX()
    // mov ecx, dword ptr [ecx]
    PublicCode = PublicCode & "8B09"
End Function

Function Mov_ECX_DWORD_Ptr_EDX()
    // mov ecx, dword ptr [edx]
    PublicCode = PublicCode & "8B0A"
End Function

Function Mov_ECX_DWORD_Ptr_EDI()
    // mov ecx, dword ptr [edi]
    PublicCode = PublicCode & "8B0F"
End Function

Function Mov_ECX_DWORD_Ptr_ESP()
    // mov ecx, dword ptr [esp]
    PublicCode = PublicCode & "8B0C24"
End Function

Function Mov_ECX_DWORD_Ptr_ESI()
    // mov ecx, dword ptr [esi]
    PublicCode = PublicCode & "8B0E"
End Function

Function Mov_EDX_DWORD_Ptr_EAX()
    // mov edx, dword ptr [eax]
    PublicCode = PublicCode & "8B10"
End Function

Function Mov_EDX_DWORD_Ptr_EBP()
    // mov edx, dword ptr [ebp+0]
    PublicCode = PublicCode & "8B5500"
End Function

Function Mov_EDX_DWORD_Ptr_EBX()
    // mov edx, dword ptr [ebx]
    PublicCode = PublicCode & "8B13"
End Function

Function Mov_EDX_DWORD_Ptr_ECX()
    // mov edx, dword ptr [ecx]
    PublicCode = PublicCode & "8B11"
End Function

Function Mov_EDX_DWORD_Ptr_EDX()
    // mov edx, dword ptr [edx]
    PublicCode = PublicCode & "8B12"
End Function

Function Mov_EDX_DWORD_Ptr_EDI()
    // mov edx, dword ptr [edi]
    PublicCode = PublicCode & "8B17"
End Function

Function Mov_EDX_DWORD_Ptr_ESI()
    // mov edx, dword ptr [esi]
    PublicCode = PublicCode & "8B16"
End Function

Function Mov_EDX_DWORD_Ptr_ESP()
    // mov edx, dword ptr [esp]
    PublicCode = PublicCode & "8B1424"
End Function

// Register-to-register moves: 8B /r with ModRM = C0 + (dest << 3) + src,
// register numbers eax=0 ecx=1 edx=2 ebx=3 esp=4 ebp=5 esi=6 edi=7.
Function Mov_EAX_EBP()
    // mov eax, ebp
    PublicCode = PublicCode & "8BC5"
End Function

Function Mov_EAX_EBX()
    // mov eax, ebx
    PublicCode = PublicCode & "8BC3"
End Function

Function Mov_EAX_ECX()
    // mov eax, ecx
    PublicCode = PublicCode & "8BC1"
End Function

Function Mov_EAX_EDI()
    // mov eax, edi
    PublicCode = PublicCode & "8BC7"
End Function

Function Mov_EAX_EDX()
    // mov eax, edx
    PublicCode = PublicCode & "8BC2"
End Function

Function Mov_EAX_ESI()
    // mov eax, esi
    PublicCode = PublicCode & "8BC6"
End Function

Function Mov_EAX_ESP()
    // mov eax, esp
    PublicCode = PublicCode & "8BC4"
End Function

Function Mov_EBX_EBP()
    // mov ebx, ebp
    PublicCode = PublicCode & "8BDD"
End Function

Function Mov_EBX_EAX()
    // mov ebx, eax
    PublicCode = PublicCode & "8BD8"
End Function

Function Mov_EBX_ECX()
    // mov ebx, ecx
    PublicCode = PublicCode & "8BD9"
End Function

Function Mov_EBX_EDI()
    // mov ebx, edi
    PublicCode = PublicCode & "8BDF"
End Function

Function Mov_EBX_EDX()
    // mov ebx, edx
    PublicCode = PublicCode & "8BDA"
End Function

Function Mov_EBX_ESI()
    // mov ebx, esi
    PublicCode = PublicCode & "8BDE"
End Function

Function Mov_EBX_ESP()
    // mov ebx, esp
    PublicCode = PublicCode & "8BDC"
End Function

Function Mov_ECX_EBP()
    // mov ecx, ebp
    PublicCode = PublicCode & "8BCD"
End Function

Function Mov_ECX_EAX()
    // mov ecx, eax
    PublicCode = PublicCode & "8BC8"
End Function

Function Mov_ECX_EBX()
    // mov ecx, ebx
    PublicCode = PublicCode & "8BCB"
End Function

Function Mov_ECX_EDI()
    // mov ecx, edi
    PublicCode = PublicCode & "8BCF"
End Function

Function Mov_ECX_EDX()
    // mov ecx, edx
    PublicCode = PublicCode & "8BCA"
End Function

Function Mov_ECX_ESI()
    // mov ecx, esi
    PublicCode = PublicCode & "8BCE"
End Function

Function Mov_ECX_ESP()
    // mov ecx, esp
    PublicCode = PublicCode & "8BCC"
End Function

Function Mov_EDX_EBP()
    // mov edx, ebp
    PublicCode = PublicCode & "8BD5"
End Function

Function Mov_EDX_EBX()
    // mov edx, ebx
    PublicCode = PublicCode & "8BD3"
End Function

Function Mov_EDX_ECX()
    // mov edx, ecx
    PublicCode = PublicCode & "8BD1"
End Function

Function Mov_EDX_EDI()
    // mov edx, edi
    PublicCode = PublicCode & "8BD7"
End Function

Function Mov_EDX_EAX()
    // mov edx, eax
    PublicCode = PublicCode & "8BD0"
End Function

Function Mov_EDX_ESI()
    // mov edx, esi
    PublicCode = PublicCode & "8BD6"
End Function

Function Mov_EDX_ESP()
    // mov edx, esp
    PublicCode = PublicCode & "8BD4"
End Function

Function Mov_ESI_EBP()
    // mov esi, ebp
    PublicCode = PublicCode & "8BF5"
End Function

Function Mov_ESI_EBX()
    // mov esi, ebx
    PublicCode = PublicCode & "8BF3"
End Function

Function Mov_ESI_ECX()
    // mov esi, ecx
    PublicCode = PublicCode & "8BF1"
End Function

Function Mov_ESI_EDI()
    // mov esi, edi
    PublicCode = PublicCode & "8BF7"
End Function

Function Mov_ESI_EAX()
    // mov esi, eax
    PublicCode = PublicCode & "8BF0"
End Function

Function Mov_ESI_EDX()
    // mov esi, edx
    PublicCode = PublicCode & "8BF2"
End Function

Function Mov_ESI_ESP()
    // mov esi, esp
    PublicCode = PublicCode & "8BF4"
End Function

Function Mov_ESP_EBP()
    // mov esp, ebp
    PublicCode = PublicCode & "8BE5"
End Function

Function Mov_ESP_EBX()
    // mov esp, ebx
    PublicCode = PublicCode & "8BE3"
End Function

Function Mov_ESP_ECX()
    // mov esp, ecx
    PublicCode = PublicCode & "8BE1"
End Function

Function Mov_ESP_EDI()
    // mov esp, edi
    PublicCode = PublicCode & "8BE7"
End Function

Function Mov_ESP_EAX()
    // mov esp, eax
    PublicCode = PublicCode & "8BE0"
End Function

Function Mov_ESP_EDX()
    // mov esp, edx
    PublicCode = PublicCode & "8BE2"
End Function

Function Mov_ESP_ESI()
    // mov esp, esi
    PublicCode = PublicCode & "8BE6"
End Function

Function Mov_EDI_EBP()
    // mov edi, ebp
    PublicCode = PublicCode & "8BFD"
End Function

Function Mov_EDI_EAX()
    // mov edi, eax
    PublicCode = PublicCode & "8BF8"
End Function

Function Mov_EDI_EBX()
    // mov edi, ebx
    PublicCode = PublicCode & "8BFB"
End Function

Function Mov_EDI_ECX()
    // mov edi, ecx
    PublicCode = PublicCode & "8BF9"
End Function

Function Mov_EDI_EDX()
    // mov edi, edx
    PublicCode = PublicCode & "8BFA"
End Function

Function Mov_EDI_ESI()
    // mov edi, esi
    PublicCode = PublicCode & "8BFE"
End Function

Function Mov_EDI_ESP()
    // mov edi, esp
    PublicCode = PublicCode & "8BFC"
End Function

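Function Mov_EBP_EDI()
    // mov ebp, edi  (8B EF: ModRM C0 + ebp<<3 + edi = C0 + 28 + 7).
    // Fix: this emitted "8BDF", which is the same bytes as Mov_EBX_EDI above
    // (mov ebx, edi) — a copy/paste slip, out of step with every other
    // Mov_EBP_* entry (8BE8, 8BEB, 8BE9, 8BEA, 8BEE, 8BEC).
    PublicCode = PublicCode & "8BEF"
End Function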

// mov ebp, <reg>: 8B /r with ModRM E8 + source register number.
Function Mov_EBP_EAX()
    // mov ebp, eax
    PublicCode = PublicCode & "8BE8"
End Function

Function Mov_EBP_EBX()
    // mov ebp, ebx
    PublicCode = PublicCode & "8BEB"
End Function

Function Mov_EBP_ECX()
    // mov ebp, ecx
    PublicCode = PublicCode & "8BE9"
End Function

Function Mov_EBP_EDX()
    // mov ebp, edx
    PublicCode = PublicCode & "8BEA"
End Function

Function Mov_EBP_ESI()
    // mov ebp, esi
    PublicCode = PublicCode & "8BEE"
End Function

Function Mov_EBP_ESP()
    // mov ebp, esp
    PublicCode = PublicCode & "8BEC"
End Function

'Push
'+++++++++++++++++++++++++++++++++++
Function Push(i)
    // push imm: 6A ib (sign-extended byte, hence the 0..127 gate) or 68 id.
    Dim tail
    If i >= 0 And i <= 127 Then
        tail = "6A" & W_HighAndLow(i, 2)
    Else
        tail = "68" & W_HighAndLow(i, 8)
    End If
    PublicCode = PublicCode & tail
End Function

Function Push_DWORD_Ptr_Addr(i)
    // push dword ptr [i]  (FF 35 disp32)
    Dim target
    target = W_HighAndLow(i, 8)
    PublicCode = PublicCode & "FF35" & target
End Function

// push r32 is 50 + register number.
Function Push_EAX()
    // push eax
    PublicCode = PublicCode & "50"
End Function

Function Push_ECX()
    // push ecx
    PublicCode = PublicCode & "51"
End Function

Function Push_EDX()
    // push edx
    PublicCode = PublicCode & "52"
End Function

Function Push_EBX()
    // push ebx
    PublicCode = PublicCode & "53"
End Function

Function Push_ESP()
    // push esp
    PublicCode = PublicCode & "54"
End Function

Function Push_EBP()
    // push ebp
    PublicCode = PublicCode & "55"
End Function

Function Push_ESI()
    // push esi
    PublicCode = PublicCode & "56"
End Function

Function Push_EDI()
    // push edi
    PublicCode = PublicCode & "57"
End Function

'LEA

Function Lea_EAX_DWORD_Ptr_EAX_Add(i )

    If i <= 255   and i >= 0 Then

        PublicCode = PublicCode + "8D40" + W_HighAndLow(i, 2)

    Else

        PublicCode = PublicCode + "8D80" + W_HighAndLow(i, 8)

    End If

End Function

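Function Lea_EAX_DWORD_Ptr_EBX_Add(i)
    ' Emits "lea eax, [ebx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D43" + W_HighAndLow(i, 2)   ' ModRM 43: mod 01, reg EAX, r/m EBX
    Else
        PublicCode = PublicCode + "8D83" + W_HighAndLow(i, 8)   ' ModRM 83: mod 10, reg EAX, r/m EBX
    End If
End Function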

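Function Lea_EAX_DWORD_Ptr_ECX_Add(i)
    ' Emits "lea eax, [ecx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D41" + W_HighAndLow(i, 2)   ' ModRM 41: mod 01, reg EAX, r/m ECX
    Else
        PublicCode = PublicCode + "8D81" + W_HighAndLow(i, 8)   ' ModRM 81: mod 10, reg EAX, r/m ECX
    End If
End Function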

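Function Lea_EAX_DWORD_Ptr_EDX_Add(i)
    ' Emits "lea eax, [edx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D42" + W_HighAndLow(i, 2)   ' ModRM 42: mod 01, reg EAX, r/m EDX
    Else
        PublicCode = PublicCode + "8D82" + W_HighAndLow(i, 8)   ' ModRM 82: mod 10, reg EAX, r/m EDX
    End If
End Function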

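Function Lea_EAX_DWORD_Ptr_ESI_Add(i)
    ' Emits "lea eax, [esi+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D46" + W_HighAndLow(i, 2)   ' ModRM 46: mod 01, reg EAX, r/m ESI
    Else
        PublicCode = PublicCode + "8D86" + W_HighAndLow(i, 8)   ' ModRM 86: mod 10, reg EAX, r/m ESI
    End If
End Function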

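Function Lea_EAX_DWORD_Ptr_ESP_Add(i)
    ' Emits "lea eax, [esp+i]" (8D /r) into PublicCode.
    ' Fix 1: the original emitted 8D40/8D80, which is [eax+i], not [esp+i].
    '        r/m = 100 (ESP) requires a SIB byte; SIB 24 = base ESP, no index,
    '        matching the ESP forms already used by the EBX/ECX/EDX variants.
    ' Fix 2: disp8 is sign-extended, so the short form is limited to 0..127
    '        (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D4424" + W_HighAndLow(i, 2)   ' ModRM 44: mod 01, reg EAX, r/m SIB
    Else
        PublicCode = PublicCode + "8D8424" + W_HighAndLow(i, 8)   ' ModRM 84: mod 10, reg EAX, r/m SIB
    End If
End Function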

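Function Lea_EAX_DWORD_Ptr_EBP_Add(i)
    ' Emits "lea eax, [ebp+i]" (8D /r) into PublicCode.
    ' Fix 1: the original emitted 8D4424/8D8424, which is [esp+i] (SIB form),
    '        not [ebp+i]. EBP is r/m = 101 with no SIB, matching the EBP forms
    '        already used by the EBX/ECX/EDX variants (8D5D, 8D4D, 8D55).
    ' Fix 2: disp8 is sign-extended, so the short form is limited to 0..127
    '        (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D45" + W_HighAndLow(i, 2)   ' ModRM 45: mod 01, reg EAX, r/m EBP
    Else
        PublicCode = PublicCode + "8D85" + W_HighAndLow(i, 8)   ' ModRM 85: mod 10, reg EAX, r/m EBP
    End If
End Function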

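Function Lea_EAX_DWORD_Ptr_EDI_Add(i)
    ' Emits "lea eax, [edi+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D47" + W_HighAndLow(i, 2)   ' ModRM 47: mod 01, reg EAX, r/m EDI
    Else
        PublicCode = PublicCode + "8D87" + W_HighAndLow(i, 8)   ' ModRM 87: mod 10, reg EAX, r/m EDI
    End If
End Function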

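Function Lea_EBX_DWORD_Ptr_EAX_Add(i)
    ' Emits "lea ebx, [eax+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D58" + W_HighAndLow(i, 2)   ' ModRM 58: mod 01, reg EBX, r/m EAX
    Else
        PublicCode = PublicCode + "8D98" + W_HighAndLow(i, 8)   ' ModRM 98: mod 10, reg EBX, r/m EAX
    End If
End Function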

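Function Lea_EBX_DWORD_Ptr_ESP_Add(i)
    ' Emits "lea ebx, [esp+i]" (8D /r, SIB 24 = base ESP, no index) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D5C24" + W_HighAndLow(i, 2)   ' ModRM 5C: mod 01, reg EBX, r/m SIB
    Else
        PublicCode = PublicCode + "8D9C24" + W_HighAndLow(i, 8)   ' ModRM 9C: mod 10, reg EBX, r/m SIB
    End If
End Function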

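Function Lea_EBX_DWORD_Ptr_EBX_Add(i)
    ' Emits "lea ebx, [ebx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D5B" + W_HighAndLow(i, 2)   ' ModRM 5B: mod 01, reg EBX, r/m EBX
    Else
        PublicCode = PublicCode + "8D9B" + W_HighAndLow(i, 8)   ' ModRM 9B: mod 10, reg EBX, r/m EBX
    End If
End Function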

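Function Lea_EBX_DWORD_Ptr_ECX_Add(i)
    ' Emits "lea ebx, [ecx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D59" + W_HighAndLow(i, 2)   ' ModRM 59: mod 01, reg EBX, r/m ECX
    Else
        PublicCode = PublicCode + "8D99" + W_HighAndLow(i, 8)   ' ModRM 99: mod 10, reg EBX, r/m ECX
    End If
End Function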

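Function Lea_EBX_DWORD_Ptr_EDX_Add(i)
    ' Emits "lea ebx, [edx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D5A" + W_HighAndLow(i, 2)   ' ModRM 5A: mod 01, reg EBX, r/m EDX
    Else
        PublicCode = PublicCode + "8D9A" + W_HighAndLow(i, 8)   ' ModRM 9A: mod 10, reg EBX, r/m EDX
    End If
End Function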

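Function Lea_EBX_DWORD_Ptr_EDI_Add(i)
    ' Emits "lea ebx, [edi+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D5F" + W_HighAndLow(i, 2)   ' ModRM 5F: mod 01, reg EBX, r/m EDI
    Else
        PublicCode = PublicCode + "8D9F" + W_HighAndLow(i, 8)   ' ModRM 9F: mod 10, reg EBX, r/m EDI
    End If
End Function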

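Function Lea_EBX_DWORD_Ptr_EBP_Add(i)
    ' Emits "lea ebx, [ebp+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D5D" + W_HighAndLow(i, 2)   ' ModRM 5D: mod 01, reg EBX, r/m EBP
    Else
        PublicCode = PublicCode + "8D9D" + W_HighAndLow(i, 8)   ' ModRM 9D: mod 10, reg EBX, r/m EBP
    End If
End Function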

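Function Lea_EBX_DWORD_Ptr_ESI_Add(i)
    ' Emits "lea ebx, [esi+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D5E" + W_HighAndLow(i, 2)   ' ModRM 5E: mod 01, reg EBX, r/m ESI
    Else
        PublicCode = PublicCode + "8D9E" + W_HighAndLow(i, 8)   ' ModRM 9E: mod 10, reg EBX, r/m ESI
    End If
End Function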

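Function Lea_ECX_DWORD_Ptr_EAX_Add(i)
    ' Emits "lea ecx, [eax+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D48" + W_HighAndLow(i, 2)   ' ModRM 48: mod 01, reg ECX, r/m EAX
    Else
        PublicCode = PublicCode + "8D88" + W_HighAndLow(i, 8)   ' ModRM 88: mod 10, reg ECX, r/m EAX
    End If
End Function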

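Function Lea_ECX_DWORD_Ptr_ESP_Add(i)
    ' Emits "lea ecx, [esp+i]" (8D /r, SIB 24 = base ESP, no index) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D4C24" + W_HighAndLow(i, 2)   ' ModRM 4C: mod 01, reg ECX, r/m SIB
    Else
        PublicCode = PublicCode + "8D8C24" + W_HighAndLow(i, 8)   ' ModRM 8C: mod 10, reg ECX, r/m SIB
    End If
End Function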

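Function Lea_ECX_DWORD_Ptr_EBX_Add(i)
    ' Emits "lea ecx, [ebx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D4B" + W_HighAndLow(i, 2)   ' ModRM 4B: mod 01, reg ECX, r/m EBX
    Else
        PublicCode = PublicCode + "8D8B" + W_HighAndLow(i, 8)   ' ModRM 8B: mod 10, reg ECX, r/m EBX
    End If
End Function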

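Function Lea_ECX_DWORD_Ptr_ECX_Add(i)
    ' Emits "lea ecx, [ecx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D49" + W_HighAndLow(i, 2)   ' ModRM 49: mod 01, reg ECX, r/m ECX
    Else
        PublicCode = PublicCode + "8D89" + W_HighAndLow(i, 8)   ' ModRM 89: mod 10, reg ECX, r/m ECX
    End If
End Function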

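Function Lea_ECX_DWORD_Ptr_EDX_Add(i)
    ' Emits "lea ecx, [edx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D4A" + W_HighAndLow(i, 2)   ' ModRM 4A: mod 01, reg ECX, r/m EDX
    Else
        PublicCode = PublicCode + "8D8A" + W_HighAndLow(i, 8)   ' ModRM 8A: mod 10, reg ECX, r/m EDX
    End If
End Function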

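Function Lea_ECX_DWORD_Ptr_EDI_Add(i)
    ' Emits "lea ecx, [edi+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D4F" + W_HighAndLow(i, 2)   ' ModRM 4F: mod 01, reg ECX, r/m EDI
    Else
        PublicCode = PublicCode + "8D8F" + W_HighAndLow(i, 8)   ' ModRM 8F: mod 10, reg ECX, r/m EDI
    End If
End Function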

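Function Lea_ECX_DWORD_Ptr_EBP_Add(i)
    ' Emits "lea ecx, [ebp+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D4D" + W_HighAndLow(i, 2)   ' ModRM 4D: mod 01, reg ECX, r/m EBP
    Else
        PublicCode = PublicCode + "8D8D" + W_HighAndLow(i, 8)   ' ModRM 8D: mod 10, reg ECX, r/m EBP
    End If
End Function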

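Function Lea_ECX_DWORD_Ptr_ESI_Add(i)
    ' Emits "lea ecx, [esi+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D4E" + W_HighAndLow(i, 2)   ' ModRM 4E: mod 01, reg ECX, r/m ESI
    Else
        PublicCode = PublicCode + "8D8E" + W_HighAndLow(i, 8)   ' ModRM 8E: mod 10, reg ECX, r/m ESI
    End If
End Function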

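Function Lea_EDX_DWORD_Ptr_EAX_Add(i)
    ' Emits "lea edx, [eax+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D50" + W_HighAndLow(i, 2)   ' ModRM 50: mod 01, reg EDX, r/m EAX
    Else
        PublicCode = PublicCode + "8D90" + W_HighAndLow(i, 8)   ' ModRM 90: mod 10, reg EDX, r/m EAX
    End If
End Function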

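Function Lea_EDX_DWORD_Ptr_ESP_Add(i)
    ' Emits "lea edx, [esp+i]" (8D /r, SIB 24 = base ESP, no index) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D5424" + W_HighAndLow(i, 2)   ' ModRM 54: mod 01, reg EDX, r/m SIB
    Else
        PublicCode = PublicCode + "8D9424" + W_HighAndLow(i, 8)   ' ModRM 94: mod 10, reg EDX, r/m SIB
    End If
End Function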

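Function Lea_EDX_DWORD_Ptr_EBX_Add(i)
    ' Emits "lea edx, [ebx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D53" + W_HighAndLow(i, 2)   ' ModRM 53: mod 01, reg EDX, r/m EBX
    Else
        PublicCode = PublicCode + "8D93" + W_HighAndLow(i, 8)   ' ModRM 93: mod 10, reg EDX, r/m EBX
    End If
End Function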

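Function Lea_EDX_DWORD_Ptr_ECX_Add(i)
    ' Emits "lea edx, [ecx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D51" + W_HighAndLow(i, 2)   ' ModRM 51: mod 01, reg EDX, r/m ECX
    Else
        PublicCode = PublicCode + "8D91" + W_HighAndLow(i, 8)   ' ModRM 91: mod 10, reg EDX, r/m ECX
    End If
End Function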

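Function Lea_EDX_DWORD_Ptr_EDX_Add(i)
    ' Emits "lea edx, [edx+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D52" + W_HighAndLow(i, 2)   ' ModRM 52: mod 01, reg EDX, r/m EDX
    Else
        PublicCode = PublicCode + "8D92" + W_HighAndLow(i, 8)   ' ModRM 92: mod 10, reg EDX, r/m EDX
    End If
End Function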

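Function Lea_EDX_DWORD_Ptr_EDI_Add(i)
    ' Emits "lea edx, [edi+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D57" + W_HighAndLow(i, 2)   ' ModRM 57: mod 01, reg EDX, r/m EDI
    Else
        PublicCode = PublicCode + "8D97" + W_HighAndLow(i, 8)   ' ModRM 97: mod 10, reg EDX, r/m EDI
    End If
End Function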

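Function Lea_EDX_DWORD_Ptr_EBP_Add(i)
    ' Emits "lea edx, [ebp+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D55" + W_HighAndLow(i, 2)   ' ModRM 55: mod 01, reg EDX, r/m EBP
    Else
        PublicCode = PublicCode + "8D95" + W_HighAndLow(i, 8)   ' ModRM 95: mod 10, reg EDX, r/m EBP
    End If
End Function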

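Function Lea_EDX_DWORD_Ptr_ESI_Add(i)
    ' Emits "lea edx, [esi+i]" (8D /r) into PublicCode.
    ' Fix: disp8 is sign-extended, so the short form is limited to 0..127
    ' (the original's 255 bound mis-encoded 128..255 as negative offsets).
    ' W_HighAndLow (defined elsewhere) renders i as hex of the given digit count.
    If i >= 0 And i <= 127 Then
        PublicCode = PublicCode + "8D56" + W_HighAndLow(i, 2)   ' ModRM 56: mod 01, reg EDX, r/m ESI
    Else
        PublicCode = PublicCode + "8D96" + W_HighAndLow(i, 8)   ' ModRM 96: mod 10, reg EDX, r/m ESI
    End If
End Function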

Function Pop_EAX()
    ' Appends "pop eax" (58) to PublicCode.
    Dim opcode
    opcode = "58"
    PublicCode = PublicCode + opcode
End Function

Function Pop_EBX()
    ' Appends "pop ebx" (5B) to PublicCode.
    Dim opcode
    opcode = "5B"
    PublicCode = PublicCode + opcode
End Function

Function Pop_ECX()
    ' Appends "pop ecx" (59) to PublicCode.
    Dim opcode
    opcode = "59"
    PublicCode = PublicCode + opcode
End Function

Function Pop_EDX()
    ' Appends "pop edx" (5A) to PublicCode.
    Dim opcode
    opcode = "5A"
    PublicCode = PublicCode + opcode
End Function

Function Pop_ESI()
    ' Appends "pop esi" (5E) to PublicCode.
    Dim opcode
    opcode = "5E"
    PublicCode = PublicCode + opcode
End Function

Function Pop_ESP()
    ' Appends "pop esp" (5C) to PublicCode.
    Dim opcode
    opcode = "5C"
    PublicCode = PublicCode + opcode
End Function

Function Pop_EDI()
    ' Appends "pop edi" (5F) to PublicCode.
    Dim opcode
    opcode = "5F"
    PublicCode = PublicCode + opcode
End Function

Function Pop_EBP()
    ' Appends "pop ebp" (5D) to PublicCode.
    Dim opcode
    opcode = "5D"
    PublicCode = PublicCode + opcode
End Function

//==================================这一部分是依赖按键精灵自带库 memory.dll（下面仅为被注释掉的示例）==================================

//Val = Plugin.Memory.FindBinary(WinmineHwnd, "2E7465", 3, &h400000, &h6000000, 2)  

//

//Function 搜索内存地址(hwnd,MuduleName,Size)

//MuduleName=

//搜索内存地址 = Plugin.Memory.FindBinary(hwnd, "2E7465", 3, &h400000, &h6000000, 2)  

//End Function

Function ABC交流_类人猿技术群_526897608()
    ' Notice stub: only prints the author's contact line via TracePrint; emits no
    ' machine code. (The original comment about converting byte sets was
    ' copy-pasted from elsewhere and does not describe this function.)
    Dim notice
    notice = "技术联系类人猿Q: 578052137"
    TracePrint notice
End Function

Function ABC交流_类人猿技术Q_578052137()
    ' Notice stub: only prints the author's contact line via TracePrint; emits no
    ' machine code. (The original comment about converting byte sets was
    ' copy-pasted from elsewhere and does not describe this function.)
    Dim notice
    notice = "技术联系类人猿Q: 578052137"
    TracePrint notice
End Function

Function ABC说明_结束按键精灵不能内联汇编历史(希望大家喜欢按键)
    ' Notice stub: only prints the author's contact line via TracePrint; emits no
    ' machine code. The parameter is never read. (The original comment about
    ' converting byte sets was copy-pasted and does not describe this function.)
    Dim notice
    notice = "技术联系类人猿Q: 578052137"
    TracePrint notice
End Function

Function ABC说明_该版本是更新4版本(具体说明咨询群主,期望大神们给我指导建议完善)
    ' Notice stub: only prints the author's contact line via TracePrint; emits no
    ' machine code. Neither parameter is read. (The original comment about
    ' converting byte sets was copy-pasted and does not describe this function.)
    Dim notice
    notice = "技术联系类人猿Q: 578052137"
    TracePrint notice
End Function

Function ABC说明_休息(暂停工作两周)
    ' Notice stub: only prints the author's contact line via TracePrint; emits no
    ' machine code. The parameter is never read. (The original comment about
    ' converting byte sets was copy-pasted and does not describe this function.)
    Dim notice
    notice = "技术联系类人猿Q: 578052137"
    TracePrint notice
End Function

Function ABC感谢_大神们技术上支持和建议完成本库()
    ' Notice stub: only prints the author's contact line via TracePrint; emits no
    ' machine code. (The original comment about converting byte sets was
    ' copy-pasted from elsewhere and does not describe this function.)
    Dim notice
    notice = "技术联系类人猿Q: 578052137"
    TracePrint notice
End Function

Function ABC说明下面是代码库()
    ' Notice stub: only prints the author's contact line via TracePrint; emits no
    ' machine code. (The original comment about converting byte sets was
    ' copy-pasted from elsewhere and does not describe this function.)
    Dim notice
    notice = "技术联系类人猿Q: 578052137"
    TracePrint notice
End Function

//=======================================================测试阶段=======================

