打开client.cpp,找到下面这段
----------------------------------
struct cl_enginefuncs_s gEngfuncs;
struct cl_enginefuncs_s gHookedEngfuncs;
struct efx_api_s gHookEfxApi;
engine_studio_api_t IEngineStudio;
engine_studio_api_t* pIEngineStudio=0;
cl_enginefuncs_s *pEngfuncs = (cl_enginefuncs_s*) 0x01EB72D8;
playermove_s *ppmove = (playermove_s*) 0x02D5FE20;
engine_studio_api_s *pstudio = (engine_studio_api_s*) 0x01ED3520;
------------------------------------
替换为
----------------------------------
// These five declarations are unchanged from the snippet being replaced.
struct cl_enginefuncs_s gEngfuncs;
struct cl_enginefuncs_s gHookedEngfuncs;
struct efx_api_s gHookEfxApi;
engine_studio_api_t IEngineStudio;
engine_studio_api_t* pIEngineStudio=0;
// The three pointers below no longer carry hard-coded addresses and have no
// initializer here; they are assigned by the byte-signature scan that this
// tutorial adds to OnlyHook. A scan that finds no match leaves its pointer
// unassigned, so each one should be checked before it is dereferenced.
cl_enginefuncs_s* pEngfuncs;
engine_studio_api_s* pstudio;
playermove_s *ppmove;
-----------------------------------
查找下面这段[offsets不一定相同,直接查找DWORD* slots]
---------------------------------
DWORD* slots = (DWORD*)0x01EB74E8;
------------------------------------
改为
---------------------
// No initializer: the fixed address is dropped in favour of a run-time lookup.
// NOTE(review): the code this tutorial adds inside OnlyHook declares its own
// `DWORD* slots = ...`. If this declaration is at file scope, that local
// shadows it and this pointer is never assigned by the code shown here;
// confirm which of the two the rest of the file actually reads.
DWORD* slots;
------------------------
查找
-----------------------------
void OnlyHook(LARGE_INTEGER *lp, bool force = true)
------------------------------
在这个函数的上方加入
----------------------------------
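/*
 * Search the region [dwStart, dwStart + dwLen) for the first occurrence of an
 * exact byte sequence.
 *
 * pattern  bytes to look for (compared with memcmp, so there are no wildcards)
 * len      number of bytes in pattern
 * dwStart  address of the first byte of the region
 * dwLen    size of the region in bytes
 *
 * Returns the address of the first match, or 0 when there is no match, when
 * pattern is null, when len is not positive, or when the pattern is longer
 * than the region.
 *
 * The caller is responsible for the whole region being readable; nothing here
 * verifies that.
 */
DWORD FindPattern(char *pattern, int len, DWORD dwStart, DWORD dwLen)
{
    if (pattern == 0 || len <= 0 || (DWORD)len > dwLen)
        return 0;

    // Only offsets where a full len-byte window still fits are tested. The
    // original loop ran up to the last byte of the region, so memcmp read up
    // to len - 1 bytes past dwStart + dwLen.
    const DWORD dwPositions = dwLen - (DWORD)len + 1;
    for (DWORD i = 0; i < dwPositions; i++)
    {
        const char *m = (const char *)(dwStart + i);
        if (!memcmp(m, pattern, len))
            return dwStart + i;
    }

    // The return type is an integer, so "not found" is 0 rather than the
    // pointer constant NULL.
    return 0;
}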
-----------------------------------
在OnlyHook函数体内加入
------------------------------------
// Byte signature to search for. It contains no zero byte, so strlen() below
// measures the whole signature; the explicit \0 only adds a second terminator.
char engine_sig[] = "\x89\x74\x24\x5C\x89\x74\x24\x60\x89\x74\x24\x64\x89\x74\x24\x68\x89\x74\x24\x6C\x89\x74\x24\x70\x89\x74\x24\x74\x89\x74\x24\x78\x89\x74\x24\x7C\0";
// Search 0x01000000 bytes starting at 0x01D60000 for the signature.
DWORD dwEngine = FindPattern(engine_sig, strlen(engine_sig), 0x01D60000, 0x01000000);
// The value used for slots is the DWORD stored 0x74 bytes before the match.
// NOTE(review): FindPattern returns NULL (0) when nothing matches, and this
// line then reads from 0 - 0x74. dwEngine should be tested before it is used.
DWORD Slots_sig = (*(DWORD*)(dwEngine - 0x74));
// NOTE(review): this declares a new local named slots. If the file also keeps
// the `DWORD* slots;` declaration from the earlier step at file scope, that
// one is shadowed here and stays unassigned; confirm which one later code reads.
DWORD* slots = (DWORD*)Slots_sig;
// Set until the first time this block runs; the three scans below are done once.
static bool NotPatched = true;
if (NotPatched)
{
    // Each scan walks 0x01D00000 .. 0x01D0FFFE one byte at a time, tests eight
    // fixed byte positions, and on the first hit loads one global pointer from
    // a DWORD stored inside the matched sequence.
    // NOTE(review): the byte tests read up to 0x27 bytes past the current
    // address, so the final iterations read beyond 0x01D0FFFF; this assumes
    // that memory is mapped and readable.
    // NOTE(review): a scan that never matches leaves its pointer unassigned,
    // and NotPatched is cleared regardless, so the scan is not retried.
    // Callers should check the three pointers before dereferencing them.
    int addr;
    PBYTE code;

    // pEngfuncs: value taken from offset 0x0D of the match.
    for (addr = 0x01D00000; addr < 0x01D0FFFF; addr++)
    {
        code = (PBYTE)addr;
        if (code[0x00] != 0x68 || code[0x05] != 0xE8 ||
            code[0x0A] != 0x6A || code[0x0B] != 0x07 ||
            code[0x0C] != 0x68 || code[0x11] != 0xFF ||
            code[0x12] != 0x15 || code[0x17] != 0x68)
            continue;
        pEngfuncs = (cl_enginefunc_t*)*(DWORD*)(addr + 0x0D);
        break;
    }

    // ppmove: value taken from offset 0x13 of the match.
    for (addr = 0x01D00000; addr < 0x01D0FFFF; addr++)
    {
        code = (PBYTE)addr;
        if (code[0x00] != 0xE8 || code[0x05] != 0x6A ||
            code[0x06] != 0x07 || code[0x07] != 0x68 ||
            code[0x0C] != 0xFF || code[0x0D] != 0x15 ||
            code[0x12] != 0x68 || code[0x1C] != 0x81)
            continue;
        ppmove = (playermove_s*)*(DWORD*)(addr + 0x13);
        break;
    }

    // pstudio: value taken from offset 0x01 of the match.
    for (addr = 0x01D00000; addr < 0x01D0FFFF; addr++)
    {
        code = (PBYTE)addr;
        if (code[0x00] != 0x68 || code[0x05] != 0x68 ||
            code[0x0A] != 0x6A || code[0x0B] != 0x01 ||
            code[0x0C] != 0xFF || code[0x0D] != 0xD0 ||
            code[0x0E] != 0x83 || code[0x27] != 0xC3)
            continue;
        pstudio = (engine_studio_api_s*)*(DWORD*)(addr + 0x01);
        break;
    }

    NotPatched = false;
}
------------------------------------------------
步骤一完成
Credits: Unknown (Came from somewhere on Game-Deception)
Tutorial: Robert
步骤二
打开main.cpp找到
------------------------
detour_S_DynamicSound
------------------------
在该函数的上方加入
-------------------------------
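/*
 * Compare memory against a byte sequence under a mask.
 *
 * pData   memory to test
 * bMask   expected bytes, one per mask character
 * szMask  NUL-terminated mask; a position is compared only where the mask
 *         character is 'x', every other character is a wildcard
 *
 * Returns true when every 'x' position matches, false at the first mismatch.
 * Reads exactly strlen(szMask) bytes from pData and bMask unless it returns
 * early; both must be at least that long.
 */
bool bDataCompare(const BYTE* pData, const BYTE* bMask, const char* szMask)
{
    for (; *szMask; ++szMask, ++pData, ++bMask)
    {
        if (*szMask == 'x' && *pData != *bMask)
            return false;
    }
    // The loop only ends on the mask terminator. Compare against the character
    // '\0' rather than the pointer constant NULL, which does not compile where
    // NULL is not a plain integer zero.
    return *szMask == '\0';
}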
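/*
 * Search the region [dwAddress, dwAddress + dwLen) for the first position
 * where bDataCompare() accepts the masked byte sequence.
 *
 * dwAddress  address of the first byte of the region
 * dwLen      size of the region in bytes
 * bMask      expected bytes, one per mask character
 * szMask     NUL-terminated mask ('x' = compare, anything else = wildcard)
 *
 * Returns the address of the first match, or 0 when there is no match, when
 * either pointer is null, when the mask is empty, or when the mask is longer
 * than the region.
 *
 * The caller is responsible for the whole region being readable; nothing here
 * verifies that.
 */
DWORD dwFindPattern(DWORD dwAddress,DWORD dwLen,BYTE *bMask,char * szMask)
{
    if (bMask == 0 || szMask == 0)
        return 0;

    // Mask length, counted by hand so no extra header is needed.
    DWORD dwMaskLen = 0;
    while (szMask[dwMaskLen])
        ++dwMaskLen;

    if (dwMaskLen == 0 || dwMaskLen > dwLen)
        return 0;

    // Only offsets where the whole mask still fits are tested. The original
    // loop tried every offset up to dwLen - 1, so the comparison could read up
    // to dwMaskLen - 1 bytes past the end of the region.
    const DWORD dwPositions = dwLen - dwMaskLen + 1;
    for (DWORD i = 0; i < dwPositions; i++)
    {
        if (bDataCompare((BYTE*)(dwAddress + i), bMask, szMask))
            return (DWORD)(dwAddress + i);
    }
    return 0;
}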
---------------------------------
然后在detour_S_DynamicSound区间内找到
----------------------------------
BYTE* offs = (BYTE*)0x01D96920;
------------------------------
替换为
------------------------------
// offs now comes from the run-time lookup instead of a fixed address.
// NOTE(review): SOUND_ADDR is 0 when dwFindPattern finds no match, which
// leaves offs null; check it before offs is used.
BYTE* offs = (BYTE*) SOUND_ADDR;
----------------------------------
在这一行上方加入
--------------------------
// Resolve the address that used to be hard-coded for offs: search 0x30000
// bytes starting at 0x1D90000 for the masked signature. The result is 0 when
// nothing matches.
// NOTE(review): the byte literal supplies 8 bytes but the mask has 7
// characters ("xxxx???"), so only 7 positions are examined. The result is the
// same here because the unexamined byte lies in the wildcard tail; the mask
// was probably meant to be "xxxx????".
DWORD SOUND_ADDR = dwFindPattern(0x1D90000,0x30000,(BYTE*)"\x83\xEC\x48\xA1\x00\x00\x00\x00","xxxx???");
----------------------------
找到
-------------------------
sound patch applied successfully
------------------------
整行替换为
----------------------------------------------------------------------
// Report the resolved address in hex. A value of 0x0 means the signature
// lookup found nothing, even though the message text says "successfully".
OGCmessage( "&gsound patch applied successfully: 0x%X",SOUND_ADDR);
---------------------------------------------------------------
全部完成
保存修改,然后用VC++重新编译生成DLL即可