unit Unit_Pop;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, ExtCtrls;
type
// Packet-sniffer form for an in-process inline hook on the game client's
// send routine (see CONST_JMP / InjectJmpCode / JmpStorage below):
//   Button1 - installs the hook (Button1Click)
//   Button2 - clears the log (Button2Click)
//   Timer1  - polls the capture globals (Pdaima/LenBao/PBao) and dumps the
//             latest packet as hex into Memo1 (Timer1Timer)
//   Label1  - shows the "$address|length" summary written by GetStorage
TFrm_Pop = class(TForm)
Button1: TButton;
Memo1: TMemo;
Timer1: TTimer;
Label1: TLabel;
Button2: TButton;
procedure FormCreate(Sender: TObject);
procedure FormHide(Sender: TObject);
procedure FormShow(Sender: TObject);
procedure Button1Click(Sender: TObject);
procedure Timer1Timer(Sender: TObject);
procedure Button2Click(Sender: TObject);
private
{ Private declarations }
public
{ Public declarations }
end;
// Writes a 7-byte "JMP ADDRD; NOP; NOP" patch at ADDRS (in this process).
procedure InjectJmpCode(ADDRS,ADDRD:DWORD);
// Callback reached from the JmpStorage detour; stdcall because the detour
// pushes the three arguments by hand and relies on the callee to pop them.
procedure GetStorage(PMyadd,PackLong,AAddrP:DWORD);stdcall;
// Pure-asm detour body that the injected JMP lands on.
procedure JmpStorage;
var
Frm_Pop: TFrm_Pop;
ItemBag:TList;          // declared but never used in this unit
kg:boolean;             // "form is visible" flag (set in FormShow, cleared in FormHide)
OnAuto:boolean;         // declared but never used in this unit
BIAOTI: pchar;          // ("title") declared but never used in this unit
PName:PWideChar;        // declared but never used in this unit
aproc:dword;//window/process id -- only referenced from commented-out code
Base:dword;//memory base address -- never used in this unit
strStorage:String='';//original comment: "warehouse password"; in this unit it actually holds the "$address|length" text built by GetStorage
Pdaima,LenBao:dword;    // caller address / byte count of the last captured packet (written by the hook thread, read by Timer1Timer)
PBao:array[0..255] of Byte;   // 256-byte copy of the last captured packet
// Hook site: address of the packet-send routine inside the game client.
// NOTE(review): this is a hard-coded absolute address for one specific client
// build; on any other build (or with ASLR) the patch lands on unrelated code.
const CONST_JMP=$005B7510 ; //packet-send routine
// Resume address = hook site + 5 (just past the 5-byte JMP, on the two NOPs).
// Kept as a typed (memory-resident) constant, presumably so the inline asm
// "JMP CONST_GET_CKPASS_JMP" assembles as an indirect jump through it.
const CONST_GET_CKPASS_JMP:Integer=$005B7515; //packet-send routine + $5
implementation
{$R *.dfm}
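procedure TFrm_Pop.Button1Click(Sender: TObject);
// Installs the inline hook: redirects the game's packet-send routine at
// CONST_JMP to the JmpStorage detour in this module.
// Fix: the original listing had no `begin` before the call and did not
// compile.
// NOTE(review): nothing prevents a second click from re-patching the same
// bytes (harmless, since they are identical), and there is no unhook path:
// the detour stays installed until the process exits.
begin
  InjectJmpCode(CONST_JMP, DWORD(@JmpStorage));
end;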
procedure TFrm_Pop.FormCreate(Sender: TObject);
// Form construction: reset the capture bookkeeping so Timer1Timer does not
// render stale data before the first hooked packet arrives.
begin
  LenBao := 0;   // nothing captured yet (the timer only acts when > 1)
  Pdaima := 0;   // no caller address recorded
  // GetWindowThreadProcessId(Handle, aproc) -- obtaining the game's process
  // id was done here originally; it is currently disabled.
end;
procedure TFrm_Pop.FormHide(Sender: TObject);
// Clears the "visible" flag. The original author notes that removing this
// line stops the form from popping up alternately.
begin
  kg := False;
end;
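procedure TFrm_Pop.FormShow(Sender: TObject);
// Sets the "visible" flag (kg) used by the alternating pop-up logic and
// looks up the game client's main window by title.
// Fix: the original passed whatever FindWindow returned straight into
// GetWindowRect -- 0 when the game is not running -- and checked neither
// result, leaving the rect uninitialised. The lookup is now guarded.
// The rectangle itself is not consumed anywhere in this unit.
var
  gameWnd: HWND;
  gameRect: TRect;
begin
  gameWnd := FindWindow(nil, '口袋西游');
  if gameWnd <> 0 then
    GetWindowRect(gameWnd, gameRect);
  kg := True;
end;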
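procedure TFrm_Pop.Timer1Timer(Sender: TObject);
// Polls the globals filled by GetStorage (on the game's thread) and dumps
// the latest captured packet into Memo1 as a hex string; Label1 shows the
// "$address|length" summary. Packets with LenBao <= 1 are ignored and
// LenBao is reset so the same packet is not printed twice.
// Fix: the hex loop ran to LenBao-1 even when LenBao exceeded the 256-byte
// PBao buffer, reading and printing memory past its end; the dump is now
// bounded by SizeOf(PBao) (the length line still reports the value given
// by the hook).
// NOTE(review): no lock guards PBao/LenBao against the hook thread, so a
// packet arriving mid-dump can be rendered partially; the output is
// best-effort diagnostics only.
var
  hexDump: string;
  idx: DWORD;
  callAddr, pktLen, dumpLen: DWORD;
begin
  if LenBao <= 1 then
    Exit;
  Label1.Caption := strStorage;
  callAddr := Pdaima;
  pktLen := LenBao;
  LenBao := 0;   // consume the "new packet" flag as early as possible
  dumpLen := pktLen;
  if dumpLen > SizeOf(PBao) then
    dumpLen := SizeOf(PBao);
  Memo1.Lines.Add('---------------------------------');
  Memo1.Lines.Add('包長:$'+inttostr(pktLen)+'字節');
  Memo1.Lines.Add('調用地址:$'+inttohex(callAddr,8));
  hexDump := '';
  for idx := 0 to dumpLen - 1 do
    hexDump := hexDump + ' ' + IntToHex(PBao[idx], 2);
  Memo1.Lines.Add(hexDump);
  Memo1.Lines.Add('---------------------------------');
end;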
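procedure InjectJmpCode(ADDRS,ADDRD:DWORD);
// Patches a 7-byte inline hook at ADDRS in the current process: a 5-byte
// relative JMP to ADDRD followed by two NOPs so the patch ends on an
// instruction boundary. The detour at ADDRD (JmpStorage) is responsible
// for re-executing whatever instructions these 7 bytes overwrite.
// Fixes versus the original:
//  - the page was switched to PAGE_READWRITE, i.e. made non-executable,
//    and never restored; under DEP the next call into the hooked routine
//    would fault. It is now PAGE_EXECUTE_READWRITE only for the duration
//    of the write and the previous protection is restored afterwards.
//  - VirtualProtect's result was ignored; a failure now raises the OS
//    error instead of scribbling over memory that may not be writable.
//  - FlushInstructionCache is called so the CPU does not keep executing
//    the pre-patch bytes from its prefetch queue.
// Raises: EOSError (via RaiseLastOSError) if the protection change fails.
const
  HOOK_LEN = 7;
  OP_JMP_REL32 = $E9;
  OP_NOP_NOP = $9090;
var
  oldProtect, unusedProtect: DWORD;
begin
  if not VirtualProtect(Pointer(ADDRS), HOOK_LEN, PAGE_EXECUTE_READWRITE, oldProtect) then
    RaiseLastOSError;
  try
    PByte(ADDRS)^ := OP_JMP_REL32;
    // rel32 is relative to the end of the 5-byte JMP instruction
    PDWORD(ADDRS + 1)^ := ADDRD - (ADDRS + 5);
    PWord(ADDRS + 5)^ := OP_NOP_NOP;
  finally
    VirtualProtect(Pointer(ADDRS), HOOK_LEN, oldProtect, unusedProtect);
    FlushInstructionCache(GetCurrentProcess, Pointer(ADDRS), HOOK_LEN);
  end;
end;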
// Detour body that the JMP written by InjectJmpCode at CONST_JMP lands on.
// Control arrives with the stack exactly as the hooked send routine would
// see it: [esp] = return address into its caller, [esp+4] = 1st argument,
// [esp+8] = 2nd argument.
// Layout contract, derived from the 7-byte patch InjectJmpCode writes:
// "PUSH -1" (2 bytes) and "PUSH $8144E8" (5 bytes) are the instructions
// the patch overwrote, so they are re-executed here, and execution resumes
// at CONST_GET_CKPASS_JMP = CONST_JMP+5, i.e. on the two NOPs the patch left.
// NOTE(review): the [esp+..] offsets below assume the compiler emits no
// stack frame (no PUSH EBP / MOV EBP,ESP) for this procedure -- verify in a
// disassembler before touching it. The MOV EAX,FS:[0] below looks redundant
// if the original routine repeats it right after the NOPs; confirm against
// the client's disassembly.
procedure JmpStorage;//00442031 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>  (apparently a stale disassembly note, unrelated to this detour)
{var
pchStorage: PChar; }
begin
asm
PUSH -1                         // stolen instruction #1 (2 bytes)
PUSHAD                          // save all GPRs: GetStorage is compiled code and clobbers EAX/ECX/EDX
MOV EAX,dword ptr [esp+$2C]     // 2nd stack arg of the hooked routine ($24 + 8): passed on as PackLong
MOV ESI,dword ptr [esp+$28]     // 1st stack arg ($24 + 4): passed on as AAddrP (packet pointer)
MOV EBX,dword ptr [esp+$24]     // return address into the routine's caller (4 for PUSH -1 + 32 for PUSHAD): passed on as PMyadd
PUSH ESI                        // stdcall: arguments pushed right-to-left -> AAddrP
PUSH EAX                        //                                        -> PackLong
push ebx                        //                                        -> PMyadd
call GetStorage                 // stdcall callee pops its own 3 args, hence no POPs here
{ POP EAX
POP ESI }
POPAD                           // restore every register so the game sees no change
PUSH $8144E8 // SE 處理程序安裝 -- stolen instruction #2; per the original comment this is the SEH-handler push of the routine's prologue
MOV EAX,DWORD PTR FS:[0]        // current SEH chain head (read-only; see NOTE above)
JMP CONST_GET_CKPASS_JMP        // typed const -> jump through its storage to CONST_JMP+5
end;//asm
end;
{procedure JmpStorageB;
begin
asm
PUSH -1
PUSH $8144E8 // SE 處理程序安裝
MOV EAX,DWORD PTR FS:[0]
end;//asm
end; }
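procedure GetStorage(PMyadd,PackLong,AAddrP:DWORD);stdcall;
// Reached from the JmpStorage detour, on the game's thread, every time the
// hooked send routine runs.
//   PMyadd   - return address of the hooked call (who called the send routine)
//   PackLong - packet length in bytes as the hooked routine received it
//   AAddrP   - pointer to the packet bytes in the game's memory
// Copies the packet into the global PBao buffer and publishes its metadata
// in strStorage / Pdaima / LenBao for Timer1Timer to render on the UI thread.
// Fix: the original copied PackLong bytes unconditionally into the 256-byte
// PBao, so any longer packet overflowed into the neighbouring globals
// (and the timer then read past the buffer as well). The copy is now
// clamped to SizeOf(PBao); strStorage keeps the real length. A null source
// pointer or a zero length is ignored instead of dereferenced.
// NOTE(review): PBao/LenBao/strStorage are shared with the UI thread without
// any lock (strStorage is a refcounted Delphi string), so a packet arriving
// mid-display can be rendered partially.
var
  copyLen: DWORD;
begin
  if (AAddrP = 0) or (PackLong = 0) then
    Exit;
  strStorage := '$' + IntToHex(AAddrP, 8) + '|' + IntToStr(PackLong);
  copyLen := PackLong;
  if copyLen > SizeOf(PBao) then
    copyLen := SizeOf(PBao);
  CopyMemory(@PBao, Pointer(AAddrP), copyLen);
  Pdaima := PMyadd;
  // publish LenBao last: Timer1Timer uses LenBao > 1 as the "new packet" flag
  LenBao := copyLen;
end;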
procedure TFrm_Pop.Button2Click(Sender: TObject);
// Discards everything dumped into the memo so far.
begin
  Memo1.Clear;
end;
end.