使用de4dot-cex反编译原版的hearthbuddy得到的

链接: https://pan.baidu.com/s/1hT79LpIjbyvODsjnkSe_5A 提取码: iemx

class276里面的指针是通过class247得到的

internal Class276(ExternalProcessMemory memory)

{

    this.externalProcessMemory_0 = memory;

    this.intptr_0 = this.method_18("mono.dll");

    this.intptr_31 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_9;

    this.intptr_28 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_17;

    this.intptr_13 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_22;

    this.intptr_16 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_16;

    this.intptr_6 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_7;

    this.intptr_1 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_15;

    this.intptr_15 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_24;

    this.intptr_14 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_21;

    this.intptr_7 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_5;

    this.intptr_19 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_10;

    this.intptr_29 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_35;

    this.intptr_17 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_1;

    this.intptr_25 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_30;

    this.intptr_24 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_25;

    this.intptr_32 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_31;

    this.intptr_34 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_28;

    this.intptr_36 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_0;

    this.intptr_35 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_29;

    this.intptr_23 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_34;

    this.intptr_33 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_33;

    this.intptr_27 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_32;

    this.intptr_12 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_4;

    this.intptr_10 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_3;

    this.intptr_4 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_6;

    this.intptr_8 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_11;

    this.intptr_21 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_23;

    this.intptr_18 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_8;

    this.intptr_5 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_2;

    this.intptr_30 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_19;

    this.intptr_2 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_12;

    this.intptr_9 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_18;

    this.intptr_3 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_14;

    this.intptr_26 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_27;

    this.intptr_22 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_26;

    this.intptr_20 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_13;

    this.intptr_11 = this.intptr_0 + TritonHs.class247_0.struct106_0.int_20;

    this.method_15<bool>("boolean");

    this.method_15<object>("object");

    this.method_15<sbyte>("sbyte");

    this.method_15<byte>("byte");

    this.method_15<short>("int16");

    this.method_15<ushort>("uint16");

    this.method_15<int>("int32");

    this.method_15<uint>("uint32");

    this.method_15<long>("int64");

    this.method_15<ulong>("uint64");

    this.method_15<float>("single");

    this.method_15<double>("double");

    this.method_15<char>("char");

    this.method_15<string>("string");

    this.method_15<Enum>("enum");

}

赋值处理

try

                {

                    TritonHs.class247_0 = new Class247();

                    TritonHs.class247_0.method_1(array, TritonHs.Memory.ImageBase);

                }

                catch (Exception)

                {

                    string_0 = string.Format("The data required to run the bot is corrupted. Please make sure your key is still valid at the Buddy Auth Portal: http://buddyauth.com/User/Keys {0}{0}For any further assistance, please contact support: https://bosslandgmbh.zendesk.com/home", Environment.NewLine);

                    return false;

                }

                TritonHs.class276_0 = new Class276(TritonHs.externalProcessMemory_0);

                using (TritonHs.AcquireFrame())

                {

                    TritonHs.intptr_1 = TritonHs.Class276_0.method_2();

                }

直接new一个class247的实例对象,然后调用method_1。传递的参数是array和TritonHs.Memory.ImageBase

public static ExternalProcessMemory Memory
        {
            get
            {
                return TritonHs.externalProcessMemory_0;
            }
        }

array参数的获取,delegate6_0貌似是从服务器获取地址数据

byte[] array = delegate6_0(TritonHs.String_0, out string_0);

            if (array == null)

            {

                if (string.IsNullOrEmpty(string_0))

                {

                    string_0 = string.Format("The data required to run the bot was not successfully obtained. Please make sure your key is still valid at the Buddy Auth Portal: http://buddyauth.com/User/Keys {0}{0}For any further assistance, please contact support: https://bosslandgmbh.zendesk.com/home", Environment.NewLine);

                }

                return false;

            }

class247里面的method1方法

// ns25.Class247

// Token: 0x06001990 RID: 6544 RVA: 0x000DAF40 File Offset: 0x000D9140

internal unsafe void method_1(byte[] byte_0, IntPtr intptr_1)

{

    this.intptr_0 = new IntPtr[byte_0.Length / ];

    byte b = ;

    byte* ptr;

    if (byte_0 != null && byte_0.Length != )

    {

        fixed (byte* ptr = &byte_0[])

        {

        }

    }

    else

    {

        ptr = null;

    }

    uint* ptr2 = (uint*)ptr;

    for (int i = ; i < this.intptr_0.Length; i++)

    {

        uint uint_ = ptr2[i];

        IntPtr intPtr = new IntPtr((long)((ulong)Class247.smethod_0(uint_, b)));

        this.intptr_0[i] = intPtr;

        b = ((b + ) ?? );

    }

    ptr = null;

    this.method_0(intptr_1);

}

method0方法在对struct106_0 进行赋值

if (ptr4 != null)

    {

        this.struct106_0 = *(Struct106*)ptr4;

    }
// ns25.Class247

// Token: 0x0600198F RID: 6543 RVA: 0x000DAE44 File Offset: 0x000D9044

internal unsafe void method_0(IntPtr intptr_1)

{

    IntPtr[] array = new IntPtr[this.intptr_0.Length];

    this.intptr_0.CopyTo(array, );

    ArraySegment<IntPtr> arraySegment_;

    ArraySegment<IntPtr> arraySegment_2;

    this.method_4(array, out arraySegment_, out arraySegment_2);

    for (int i = arraySegment_.Offset; i < arraySegment_.Count; i++)

    {

        if (arraySegment_.Array[i].ToInt32() > )

        {

            array[i] = array[i] -  + intptr_1.ToInt32();

        }

    }

    IntPtr[] array2;

    IntPtr* ptr;

    if ((array2 = this.method_2<IntPtr>(arraySegment_)) != null && array2.Length != )

    {

        fixed (IntPtr* ptr = &array2[])

        {

        }

    }

    else

    {

        ptr = null;

    }

    byte* ptr2 = (byte*)ptr;

    if (ptr2 != null)

    {

        this.struct105_0 = *(Struct105*)ptr2;

    }

    ptr = null;

    IntPtr* ptr3;

    if ((array2 = this.method_2<IntPtr>(arraySegment_2)) != null && array2.Length != )

    {

        fixed (IntPtr* ptr3 = &array2[])

        {

        }

    }

    else

    {

        ptr3 = null;

    }

    byte* ptr4 = (byte*)ptr3;

    if (ptr4 != null)

    {

        this.struct106_0 = *(Struct106*)ptr4;

    }

    ptr3 = null;

}

所以之前的工作原理,是从服务器获取mono的偏移地址,然后进行后续操作的。

HearthBuddy的class276以及class247的更多相关文章

  1. hearthbuddy中的Class276

    构造函数 需要注意的是this.intptr_0 = this.method_18("mono.dll"); 所以,这个类里面的操作,最后是和mono.dll相关的 interna ...

  2. HearthBuddy中的class276中的地址对应

    2019年09月的 intptr_0 = method_18("mono.dll"); intptr_31 = intptr_0 + 522030; intptr_28 = int ...

  3. HearthBuddy的plugin加载

    // Hearthbuddy.Windows.MainWindow // Token: 0x060001FF RID: 511 RVA: 0x0008951C File Offset: 0x00087 ...

  4. HearthBuddy炉石兄弟 Method 'CollectionDeckBoxVisual.IsValid' not found.

    [CollectionManagerScene_COLLECTION] An exception occurred when calling CacheCustomDecks: System.Miss ...

  5. HearthBuddy 第一次调试

    HearthBuddy https://www.jiligame.com/70639.html 解压缩包,打开hearthbuddy.exe直接运行就可以:不用替换mono.dll直接可用:不需要校验 ...

  6. HearthBuddy修改系统时间

    将以下代码保存在.bat文件,然后用管理员权限运行 pushd "%~dp0" #下面修改时间,根据操作系统的语言不同,会有不同的格式,比如2019-10-26date 10/26 ...

  7. HearthBuddy Ai调试实战1-->出牌的时候,少召唤了图腾就结束回合

    期望通过ai的调试,来搞明白出牌的逻辑. 55是投火无面者63是恐狼前锋34是风怒36是自动漩涡打击装置13是空灵召唤者, "LocStringZhCn": "<b ...

  8. HearthBuddy 日志模块

    // Triton.Common.LogUtilities.CustomLogger // Token: 0x04000BD8 RID: 3032 private Level level_0 = Le ...

  9. HearthBuddy炉石兄弟 如何调试ai

    Sepefeets's update to botmaker's Silverfish AI This AI is a Custom Class for Hearthranger and Hearth ...

随机推荐

  1. 如何通过Restful API的方式读取SAP Commerce Cloud的Product Reference

    从SAP官网上找到api的说明: https://api.sap.com/api/commerce_services/resource api endpoint: /rest/v2/electroni ...

  2. 空指针异常:解决 RequestContextHolder.getRequestAttributes()为空的问题

    现象:实现Feign请求拦截器时,执行如下代码,报空指针异常 ServletRequestAttributes attributes = (ServletRequestAttributes) Requ ...

  3. MyBatis 多表连接查询

    多表连接的两种方式(数据库逻辑模型): 1.一对一关系 2.一对多关系 一.通过 resultMap 和 association 实现一对一关系 在 mapper.xml 文件里面的代码: <r ...

  4. 【转】IP报文格式详解

    下图为常见的IP报文格式表: 上面是IP的报文格式,接下来我们先说明各个字段的意义.然后,用Etheral软件转包分析IP的报文格式. 1.版本:ip报文中,版本占了4位,用来表示该协议采用的是那一个 ...

  5. redis哨兵配置 总结

    本文内容涵盖 windows下单机部署redis多实例(docker.linux下的配置也可参考本文) redis主从配置 redis哨兵配置 以spring boot redis demo下一个存a ...

  6. vue-cli3.0 脚手架搭建项目的过程详解

    1.安装vue-cli 3.0 ? 1 2 3 npm install -g @vue/cli # or yarn global add @vue/cli 安装成功后查看版本:vue -V(大写的V) ...

  7. Springboot中自已测试

    签到的测试,需要传入日期,签到7天可获得更多的积分, 构造7天前的签到记录,重写签到方法,进行构造数据 import cn.com.acxiom.coty.api.ws.bean.dto.PointD ...

  8. Oracle SQL developer客户端 如何连接已经安装完毕的Oracle服务器端

    对于刚刚安装完毕Oracle数据库后不知道如何链接使用,可参考以下解决方案. Part 1 首先说服务: 如果正确安装Oracle 11g客户端的朋友们注意了,想要Oracle数据库正常启动有如下三个 ...

  9. JDK源码那些事儿之ConcurrentLinkedQueue

    阻塞队列的实现前面已经讲解完毕,今天我们继续了解源码中非阻塞队列的实现,接下来就看一看ConcurrentLinkedQueue非阻塞队列是怎么完成操作的 前言 JDK版本号:1.8.0_171 Co ...

  10. 四.Protobuf3 缺省值

    解析消息时,如果编码消息不包含特定的单数元素,则解析对象中的相应字段将设置为该字段的默认值.这些默认值是特定于类型的: 对于字符串,默认值为空字符串. 对于字节,默认值为空字节. 对于布尔,默认值为f ...