【Frida】 06_分析扫雷游戏的数据，显示地雷位置

【Frida】 07_让系统重新绘制指定窗口

【Frida】 06_分析扫雷游戏的数据，显示地雷位置
【Frida】 07_让系统重新绘制指定窗口
d082be9c · Knine · 990b0012 · d082be9c · d082be9c · d082be9c
5 changed file
--- a/course/frida/05_读取棋盘数据/index.ts
+++ b/course/frida/05_读取棋盘数据/index.ts
-class L07 {
+class L05 {
    private module_name_winmine = "winmine.exe";
    private module_winmine: Module;
    private offset地雷数量: number = 0x56A4;
@@ -37,5 +37,5 @@ class L07 {
    }
 }

-let l07 = new L07();
-l07.board_info();
\ No newline at end of file
+let l05 = new L05();
+l05.board_info();
\ No newline at end of file
--- a/course/frida/06_分析扫雷游戏的数据，显示地雷位置/index.ts
+++ b/course/frida/06_分析扫雷游戏的数据，显示地雷位置/index.ts
+class L06 {
+  private module_name_winmine = "winmine.exe";
+  private module_winmine: Module;
+  private offset地雷数量: number = 0x56a4;
+  private offset棋盘高度: number = 0x56a8;
+  private offset棋盘宽度: number = 0x56ac;
+  private height: number = 0;
+  private width: number = 0;
+  private mine_count: number = 0;
+  private head: NativePointer = ptr(0);
+
+  constructor() {
+    console.log(
+      "======================",
+      new Date().toISOString(),
+      "=========================="
+    );
+    console.log("Frida.version", Frida.version);
+    //获取模块基址
+    this.module_winmine = Process.getModuleByName(this.module_name_winmine);
+
+    // 初始化游戏相关数据
+    this.height = this.module_winmine.base.add(this.offset棋盘高度).readU32();
+    this.width = this.module_winmine.base.add(this.offset棋盘宽度).readU32();
+    this.mine_count = this.module_winmine.base.add(this.offset地雷数量).readU32();
+    this.head = this.module_winmine.base.add(0x5340);
+  }
+
+  run() {
+    //遍历棋盘，按行遍历
+    for (let i = 0; i < this.height + 2; i++) {
+      //按列遍历
+      let data = [];
+      for (let j = 0; j < this.width + 2; j++) {
+        let byte_data = this.head.add(j + 0x20 * i).readU8();
+        data.push(byte_data.toString(16).padStart(2, "0"));
+
+        // 如果是地雷，将其状态改为标记
+        if  (byte_data == 0x8F) {
+          this.head.add(j + 0x20 * i).writeU8(0x8E);
+        }
+      }
+      console.log(data.join(" "));
+    }
+  }
+}
+
+let l06 = new L06();
+l06.run();
--- a/course/frida/07_让系统重新绘制指定窗口/index.ts
+++ b/course/frida/07_让系统重新绘制指定窗口/index.ts
+import User32 from '../winapi/user32'
+
+class L07 {
+  private module_name_winmine = "winmine.exe";
+  private module_winmine: Module;
+  private offset地雷数量: number = 0x56a4;
+  private offset棋盘高度: number = 0x56a8;
+  private offset棋盘宽度: number = 0x56ac;
+  private height: number = 0;
+  private width: number = 0;
+  private mine_count: number = 0;
+  private head: NativePointer = ptr(0);
+  private hWnd: NativePointer = ptr(0);
+
+  constructor() {
+    console.log(
+      "======================",
+      new Date().toISOString(),
+      "=========================="
+    );
+    console.log("Frida.version", Frida.version);
+    //获取模块基址
+    this.module_winmine = Process.getModuleByName(this.module_name_winmine);
+
+    // 初始化游戏相关数据
+    this.height = this.module_winmine.base.add(this.offset棋盘高度).readU32();
+    this.width = this.module_winmine.base.add(this.offset棋盘宽度).readU32();
+    this.mine_count = this.module_winmine.base.add(this.offset地雷数量).readU32();
+    this.head = this.module_winmine.base.add(0x5340);
+    this.hWnd = this.module_winmine.base.add(0x5B24).readPointer();
+  }
+
+  board_repaint() {
+    const lpRect = Memory.alloc(4 * 4);
+    User32.GetClientRect(this.hWnd, lpRect);
+     
+    User32.InvalidateRect(this.hWnd, lpRect, 1);
+  }
+
+  run() {
+    //遍历棋盘，按行遍历
+    for (let i = 0; i < this.height + 2; i++) {
+      //按列遍历
+      let data = [];
+      for (let j = 0; j < this.width + 2; j++) {
+        let byte_data = this.head.add(j + 0x20 * i).readU8();
+        data.push(byte_data.toString(16).padStart(2, "0"));
+
+        // 如果是地雷，将其状态改为标记
+        if  (byte_data == 0x8F) {
+          this.head.add(j + 0x20 * i).writeU8(0x8E);
+        }
+      }
+      console.log(data.join(" "));
+    }
+
+    // 重绘窗口区域
+    this.board_repaint()
+  }
+}
+
+let l07 = new L07();
+l07.run();
--- a/course/frida/package.json
+++ b/course/frida/package.json
@@ -7,7 +7,9 @@
    "build": "frida-compile 04_frida_with_typescript/src/index.ts -o build/04.js -c",
    "watch04": "frida-compile 04_frida_with_typescript/src/index.ts -o build/04.js -w",
    "watch05": "frida-compile ./05_读取棋盘数据/index.ts -o ./build/05.js -w",
-    "runx": "D:/Python/Python371/Scripts/frida.exe -n winmine.exe -l ./build/05.js"
+    "watch06": "frida-compile ./06_分析扫雷游戏的数据，显示地雷位置/index.ts -o ./build/06.js -w",
+    "watch07": "frida-compile ./07_让系统重新绘制指定窗口/index.ts -o ./build/07.js -w",
+    "runx": "D:/Python/Python371/Scripts/frida.exe -n winmine.exe -l ./build/07.js -q"
  },
  "keywords": [],
  "author": "",

--- a/course/frida/winapi/user32.ts
+++ b/course/frida/winapi/user32.ts
+export default class User32 {
+  // BOOL GetClientRect(
+  //     [in]  HWND   hWnd,
+  //     [out] LPRECT lpRect
+  // );
+  private static address_GetClientRect: NativePointerValue | null;
+  static GetClientRect(hWnd: NativePointerValue, lpRect: NativePointerValue): number {
+    if (this.address_GetClientRect == null) {
+      this.address_GetClientRect = Module.findExportByName("User32.dll", "GetClientRect");
+    }
+    return new NativeFunction(this.address_GetClientRect!, "bool", ["pointer", "pointer"])(hWnd, lpRect);
+  }
+
+  // BOOL InvalidateRect(
+  //     [in] HWND       hWnd,
+  //     [in] const RECT * lpRect,
+  //     [in] BOOL       bErase
+  // );
+  private static address_InvalidateRect: NativePointerValue | null;
+  static InvalidateRect(hWnd: NativePointerValue, lpRect: NativePointerValue, bErase: number): number {
+    if (this.address_InvalidateRect == null) {
+      this.address_InvalidateRect = Module.findExportByName("User32.dll", "InvalidateRect");
+    }
+    return new NativeFunction(this.address_InvalidateRect!, "bool", ["pointer", "pointer", 'bool'])(hWnd, lpRect, bErase);
+  }
+}
\ No newline at end of file