使用de4dot-cex反编译原版的hearthbuddy得到的

链接: https://pan.baidu.com/s/1hT79LpIjbyvODsjnkSe_5A 提取码: iemx

class276里面的指针是通过class247得到的

internal Class276(ExternalProcessMemory memory)

{

    this.externalProcessMemory_0 = memory;

    this.intptr_0 = this.method_18("mono.dll");

    this.intptr_31 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_9;

    this.intptr_28 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_17;

    this.intptr_13 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_22;

    this.intptr_16 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_16;

    this.intptr_6 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_7;

    this.intptr_1 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_15;

    this.intptr_15 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_24;

    this.intptr_14 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_21;

    this.intptr_7 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_5;

    this.intptr_19 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_10;

    this.intptr_29 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_35;

    this.intptr_17 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_1;

    this.intptr_25 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_30;

    this.intptr_24 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_25;

    this.intptr_32 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_31;

    this.intptr_34 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_28;

    this.intptr_36 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_0;

    this.intptr_35 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_29;

    this.intptr_23 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_34;

    this.intptr_33 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_33;

    this.intptr_27 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_32;

    this.intptr_12 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_4;

    this.intptr_10 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_3;

    this.intptr_4 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_6;

    this.intptr_8 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_11;

    this.intptr_21 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_23;

    this.intptr_18 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_8;

    this.intptr_5 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_2;

    this.intptr_30 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_19;

    this.intptr_2 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_12;

    this.intptr_9 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_18;

    this.intptr_3 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_14;

    this.intptr_26 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_27;

    this.intptr_22 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_26;

    this.intptr_20 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_13;

    this.intptr_11 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_20;

    this.method_15<bool>("boolean");

    this.method_15<object>("object");

    this.method_15<sbyte>("sbyte");

    this.method_15<byte>("byte");

    this.method_15<short>("int16");

    this.method_15<ushort>("uint16");

    this.method_15<int>("int32");

    this.method_15<uint>("uint32");

    this.method_15<long>("int64");

    this.method_15<ulong>("uint64");

    this.method_15<float>("single");

    this.method_15<double>("double");

    this.method_15<char>("char");

    this.method_15<string>("string");

    this.method_15<Enum>("enum");

}

赋值处理

try

                {

                    TritonHs.class247_0 = new Class247();

                    TritonHs.class247_0.method_1(array, TritonHs.Memory.ImageBase);

                }

                catch (Exception)

                {

                    string_0 = string.Format("The data required to run the bot is corrupted. Please make sure your key is still valid at the Buddy Auth Portal: http://buddyauth.com/User/Keys {0}{0}For any further assistance, please contact support: https://bosslandgmbh.zendesk.com/home", Environment.NewLine);

                    return false;

                }

                TritonHs.class276_0 = new Class276(TritonHs.externalProcessMemory_0);

                using (TritonHs.AcquireFrame())

                {

                    TritonHs.intptr_1 = TritonHs.Class276_0.method_2();

                }

直接new一个class247的实例对象,然后调用method_1。传递的参数是array和TritonHs.Memory.ImageBase

public static ExternalProcessMemory Memory
        {
            get
            {
                return TritonHs.externalProcessMemory_0;
            }
        }

array参数的获取,delegate6_0貌似是从服务器获取地址数据

byte[] array = delegate6_0(TritonHs.String_0, out string_0);

            if (array == null)

            {

                if (string.IsNullOrEmpty(string_0))

                {

                    string_0 = string.Format("The data required to run the bot was not successfully obtained. Please make sure your key is still valid at the Buddy Auth Portal: http://buddyauth.com/User/Keys {0}{0}For any further assistance, please contact support: https://bosslandgmbh.zendesk.com/home", Environment.NewLine);

                }

                return false;

            }

class247里面的method1方法

// ns25.Class247

// Token: 0x06001990 RID: 6544 RVA: 0x000DAF40 File Offset: 0x000D9140

internal unsafe void method_1(byte[] byte_0, IntPtr intptr_1)

{

    this.intptr_0 = new IntPtr[byte_0.Length / ];

    byte b = ;

    byte* ptr;

    if (byte_0 != null && byte_0.Length != )

    {

        fixed (byte* ptr = &byte_0[])

        {

        }

    }

    else

    {

        ptr = null;

    }

    uint* ptr2 = (uint*)ptr;

    for (int i = ; i < this.intptr_0.Length; i++)

    {

        uint uint_ = ptr2[i];

        IntPtr intPtr = new IntPtr((long)((ulong)Class247.smethod_0(uint_, b)));

        this.intptr_0[i] = intPtr;

        b = ((b + ) ?? );

    }

    ptr = null;

    this.method_0(intptr_1);

}

method0方法在对struct106_0 进行赋值

if (ptr4 != null)

    {

        this.struct106_0 = *(Struct106*)ptr4;

    }
// ns25.Class247

// Token: 0x0600198F RID: 6543 RVA: 0x000DAE44 File Offset: 0x000D9044

internal unsafe void method_0(IntPtr intptr_1)

{

    IntPtr[] array = new IntPtr[this.intptr_0.Length];

    this.intptr_0.CopyTo(array, );

    ArraySegment<IntPtr> arraySegment_;

    ArraySegment<IntPtr> arraySegment_2;

    this.method_4(array, out arraySegment_, out arraySegment_2);

    for (int i = arraySegment_.Offset; i < arraySegment_.Count; i++)

    {

        if (arraySegment_.Array[i].ToInt32() > )

        {

            array[i] = array[i] -  + intptr_1.ToInt32();

        }

    }

    IntPtr[] array2;

    IntPtr* ptr;

    if ((array2 = this.method_2<IntPtr>(arraySegment_)) != null && array2.Length != )

    {

        fixed (IntPtr* ptr = &array2[])

        {

        }

    }

    else

    {

        ptr = null;

    }

    byte* ptr2 = (byte*)ptr;

    if (ptr2 != null)

    {

        this.struct105_0 = *(Struct105*)ptr2;

    }

    ptr = null;

    IntPtr* ptr3;

    if ((array2 = this.method_2<IntPtr>(arraySegment_2)) != null && array2.Length != )

    {

        fixed (IntPtr* ptr3 = &array2[])

        {

        }

    }

    else

    {

        ptr3 = null;

    }

    byte* ptr4 = (byte*)ptr3;

    if (ptr4 != null)

    {

        this.struct106_0 = *(Struct106*)ptr4;

    }

    ptr3 = null;

}

所以之前的工作原理,是从服务器获取mono的偏移地址,然后进行后续操作的。

HearthBuddy的class276以及class247的更多相关文章

  1. hearthbuddy中的Class276

    构造函数 需要注意的是this.intptr_0 = this.method_18("mono.dll"); 所以,这个类里面的操作,最后是和mono.dll相关的 interna ...

  2. HearthBuddy中的class276中的地址对应

    2019年09月的 intptr_0 = method_18("mono.dll"); intptr_31 = intptr_0 + 522030; intptr_28 = int ...

  3. HearthBuddy的plugin加载

    // Hearthbuddy.Windows.MainWindow // Token: 0x060001FF RID: 511 RVA: 0x0008951C File Offset: 0x00087 ...

  4. HearthBuddy炉石兄弟 Method 'CollectionDeckBoxVisual.IsValid' not found.

    [CollectionManagerScene_COLLECTION] An exception occurred when calling CacheCustomDecks: System.Miss ...

  5. HearthBuddy 第一次调试

    HearthBuddy https://www.jiligame.com/70639.html 解压缩包,打开hearthbuddy.exe直接运行就可以:不用替换mono.dll直接可用:不需要校验 ...

  6. HearthBuddy修改系统时间

    将以下代码保存在.bat文件,然后用管理员权限运行 pushd "%~dp0" #下面修改时间,根据操作系统的语言不同,会有不同的格式,比如2019-10-26date 10/26 ...

  7. HearthBuddy Ai调试实战1-->出牌的时候,少召唤了图腾就结束回合

    期望通过ai的调试,来搞明白出牌的逻辑. 55是投火无面者63是恐狼前锋34是风怒36是自动漩涡打击装置13是空灵召唤者, "LocStringZhCn": "<b ...

  8. HearthBuddy 日志模块

    // Triton.Common.LogUtilities.CustomLogger // Token: 0x04000BD8 RID: 3032 private Level level_0 = Le ...

  9. HearthBuddy炉石兄弟 如何调试ai

    Sepefeets's update to botmaker's Silverfish AI This AI is a Custom Class for Hearthranger and Hearth ...

随机推荐

  1. Python学习日记(三) 学习使用dict

    数据按类型可划分为: 不可变数据类型(可哈希):元祖.string.int.bool 可变数据类型(不可哈希):dict.list 集合本身是可变数据类型,元素是不可变数据类型 字典中的key必须是不 ...

  2. Linux下使用shell脚本自动备份和移动数据到大容量存储

    自动备份数据库,并将备份前一天的数据移动拷贝到存储上. 需求来源是因为linux系统层的磁盘存储容量过小,数据库自动备份之后日积月累数据越来越多,而且还不想删除旧数据.那解决方法就是在linux系统主 ...

  3. mysql 优化修复表

    OPTIMIZE TABLE `table_name` 优化表 MyISAM 引擎清理碎片 OPTIMIZE语法: OPTIMIZE [LOCAL | NO_WRITE_TO_BINLOG] TABL ...

  4. 公用表表达式(CTE) with as

    在编写T-SQL代码时,往往需要临时存储某些结果集.前面我们已经广泛使用和介绍了两种临时存储结果集的方法:临时表和表变量.除此之外,还可以使用公用表表达式的方法.公用表表达式(Common Table ...

  5. abp学习(一)

    官网概念 ASP.NET样板是特别设计的新的现代Web应用程序的通用应用框架.它使用已经熟悉的工具并围绕这些工具实现最佳实践,从而为您提供一致的开发体验. 官网地址:https://aspnetboi ...

  6. java获取本机外网ip

    public static String getV4IP(){ String ip = ""; String chinaz = "http://ip.chinaz.com ...

  7. python抽象基类

    抽象基类 抽象基类提了一种方式,用以组织对象的层次结构,做出关于所需方法的断言,以及实现其他一些功能 要定义抽象基类,需要使用abc模块,该模块定义了一个元类(ABCMeta) 和一组装饰器(@abs ...

  8. win10 64下anaconda4.2.0(python3.5)

    python环境:win10 64下anaconda4.2.0(python3.5).安装tensorflow过程是在Anaconda Prompt中进行安装 1:打开Anaconda Prompt ...

  9. 配置比较完善的日志 logger 的使用

    1.配置文件 log_conf.conf ################################################ ###########propagate 是否继承父类的lo ...

  10. c++ templat乱测

    该上机实验环境 linux mint  IDE:qt5.11   代码复制到windows下vs2017报错,提示char* 类型不能直接赋值字符串 在linux mint下可以运行,测试目的:检验复 ...