--- Resolve a pointer chain inside a mapped module and return the final
-- address as a hex string ('0x...').
-- t_So     : { module_file_name, range_state } used to pick the mapping.
-- t_Offset : sequence of offsets; the first is added to the module start,
--            each later one to the pointer read at the previous step.
-- _bit     : truthy -> values are read with flags 32, otherwise flags 4
--            (these match gg.TYPE_QWORD / gg.TYPE_DWORD).
-- NOTE(review): when no mapping matches, Get_Address returns nil and
-- string.format('0x%X', nil) raises an error instead of reporting a miss.
function S_Pointer(t_So, t_Offset, _bit)
  -- Collect every range returned for the filter whose type string has 'w'
  -- as its second character (presumably the write permission — confirm).
  local function getRanges()
    local ranges = {}
    local t = gg.getRangesList('^/data/*.so*$')
    for i, v in pairs(t) do
      if v.type:sub(2, 2) == 'w' then
        table.insert(ranges, v)
      end
    end
    return ranges
  end
  -- Walk the offset chain; returns the final numeric address, or nil when
  -- no range matches N_So.
  local function Get_Address(N_So, Offset, ti_bit)
    local ti = gg.getTargetInfo()
    local S_list = getRanges()
    -- Constant that is only printed below; it takes no part in the
    -- address computation.
    local _Q = tonumber(0x167ba0fe)
    local t = {}
    local _t
    local _S = nil
    -- Read width comes from the caller's flag, not from ti.x64; the 32-bit
    -- mask further down does use ti.x64, so the two can disagree.
    if ti_bit then
      _t = 32
    else
      _t = 4
    end
    for i in pairs(S_list) do
      -- Strip the directory part, leaving the file name of the mapping.
      local _N = S_list[i].internalName:gsub('^.*/', '')
      if N_So[1] == _N and N_So[2] == S_list[i].state then
        _S = S_list[i]
        break
      end
    end
    if _S then
      t[#t + 1] = {}
      t[#t].address = _S.start + Offset[1]
      t[#t].flags = _t
      if #Offset ~= 1 then
        for i = 2, #Offset do
          -- Dereference the current address, then add the next offset.
          local S = gg.getValues(t)
          t = {}
          for _ in pairs(S) do
            if not ti.x64 then
              -- Non-x64 target: keep only the low 32 bits of the value.
              S[_].value = S[_].value & 0xFFFFFFFF
            end
            t[#t + 1] = {}
            t[#t].address = S[_].value + Offset[i]
            t[#t].flags = _t
          end
        end
      end
      _S = t[#t].address
      -- Prints a fixed 4-byte UTF-8 label followed by the decimal value of
      -- _Q; looks like an author tag rather than diagnostic output.
      print(string.char(231,190,164,58).._Q)
    end
    return _S
  end
  local _A = string.format('0x%X', Get_Address(t_So, t_Offset, _bit))
  return _A
end

-- Empty stub: accepts and ignores its arguments.
function PS() end

--- Write one value to one address via gg.setValues.
-- NOTE(review): this global is redefined further down, and a chunk-level
-- `local function setvalue` declared later is what the top-level calls at
-- the end of the file actually resolve to.
function setvalue(address,flags,value)
  PS('修改地址数值(地址,数值类型,要修改的值)')
  local tt={}
  tt[1]={}
  tt[1].address=address
  tt[1].flags=flags
  tt[1].value=value
  gg.setValues(tt)
end

--- Static base-address (pointer chain) configuration.
-- Params: module spec, offsets, action keyword, value to write, value type,
-- feature label.
-- so       : { module_file_name, range_state }.
-- offset   : offset chain; every entry, including the last, is read.
-- format   : action keyword forwarded to Format.
-- Function : label used for the saved-list entry and in the failure toast.
-- NOTE(review): `getRanges` is assigned as a global here (the helper of the
-- same name inside S_Pointer is local to that function). A nil `Function`
-- makes the failure path raise on `..`, and an empty `offset` table reaches
-- Format with `rest == {}`, where tab[1] is nil.
function LSQ_Chain(so, offset, format, value, type, Function)
  getRanges = getRanges or (function()
    local ranges = {}
    local t = gg.getRangesList('^/data/*.so*$')
    for i, v in pairs(t) do
      if v["type"]:sub(2, 2) == 'w' then -- second char of type is 'w' (original note: range is readable and writable)
        ranges[#ranges+1] = v
      end
    end
    return ranges
  end)
  local rest, ranges, sostart, valtype = {}, getRanges(), nil , gg.TYPE_DWORD
  if gg.getTargetInfo()["x64"] then -- target process is 64-bit: read pointer-sized QWORDs
    valtype = gg.TYPE_QWORD
  end
  for i in pairs(ranges) do
    local _name = ranges[i]["internalName"]:gsub('^.*/', '')
    if so[1] == _name and so[2] == ranges[i]["state"] then
      sostart = ranges[i]["start"]
      break
    end
  end
  if sostart then
    if offset[1] then
      for i = 1, #offset do
        rest = {{flags = valtype,address = sostart + offset[i]}}
        rest = gg.getValues(rest)
        -- The last read is kept in `rest`; its address is the chain's target.
        if i == #offset then break end
        if valtype == gg.TYPE_DWORD then
          sostart = rest[1].value & 0xFFFFFFFF -- mask the value to 32 bits
        else
          sostart = rest[1].value
        end
      end
    end
    -- Empty branch: has no effect.
    if #rest == 1 then end
    return Format(rest, format, value, type, Function)
  end
  -- Base mapping not found: notify, log, and terminate the script.
  gg.toast("功能:" .. Function .. "开启失败")
  print("功能开启失败原因: 未找到基址头")
  return os.exit()
end

--- Apply one action to the single entry in `tab`, selected by `format`.
-- The four keywords map to: print the read value, write a value, add a
-- frozen saved-list item, or load the entry into the results list.
-- Any other keyword falls through and returns nil without touching `tab`.
-- The parameter `type` shadows Lua's builtin `type` inside this function.
function Format(tab, format, value, type, Function)
  if format == "查看" then
    tab[1]["flags"] = type
    return print(gg.getValues(tab))
  elseif format == "修改" then
    tab[1]["flags"] = type
    tab[1]["value"] = value
    return gg.setValues(tab)
  elseif format == "冻结" then
    tab[1]["flags"] = type
    tab[1]["freeze"] = true
    tab[1]["value"] = value
    tab[1]["name"] = Function or "功能"
    return gg.addListItems(tab)
  elseif format == "加载" then
    tab[1]["flags"] = type
    return gg.loadResults(tab)
  end
end

--- Clear the freeze flag on every saved-list item and write the list back.
function Unfreeze()
  -- Fetch the saved list.
  local t = gg.getListItems()
  for k, v in pairs(t) do
    t[k]["freeze"] = false
  end
  return gg.addListItems(t)
end

-- Second global definition of setvalue; replaces the earlier one (same
-- body minus the PS call).
function setvalue(address,flags,value)
  local tt={}
  tt[1]={}
  tt[1].address=address
  tt[1].flags=flags
  tt[1].value=value
  gg.setValues(tt)
end

--- Read one value of the given type from an address.
-- NOTE(review): `tmp` is assigned without `local` and so becomes a global.
-- This definition is replaced by the one-line getvalue further down.
function getvalue(addr,flags)
  local asbd={}
  asbd[1]={}
  asbd[1].address=addr
  asbd[1].flags=flags
  tmp=gg.getValues(asbd)
  return tmp[1].value
end

--- Follow a pointer chain from `start` and return the final address.
-- Read width follows the target: flags 32 when x64, otherwise 4 with the
-- value masked to 32 bits. Returns 0 when `start` is nil or false.
function GotoPointer(start, offset)
  local flags = {[true] = 32, [false] = 4}
  local ti64 = gg.getTargetInfo().x64
  local type = flags[ti64]
  local addr = 0
  if start then
    addr = start + offset[1]
    for index = 2, #offset do
      local pointer = gg.getValues({{address = addr, flags = type}})
      if not ti64 then
        pointer[1].value = pointer[1].value & 0xFFFFFFFF
      end
      addr = pointer[1].value + offset[index]
    end
  end
  return addr
end

--- Chunk-local setvalue: writes the value AND adds the entry to the saved
-- list, carrying the optional `freeze` flag.
-- From this point on, `setvalue(...)` at chunk level refers to this local,
-- not to the global definitions above.
local function setvalue(address,flags,value,freeze)
  local t={}
  t[1]={}
  t[1].address=address
  t[1].flags=flags
  t[1].value=value
  t[1].freeze=freeze
  gg.setValues(t)
  gg.addListItems(t)
end

-- Global shorthands for two value types; not referenced in the visible code.
D=gg.TYPE_DWORD
F=gg.TYPE_FLOAT

-- Read a DWORD at address `a`.
local function readD(a)
  return gg.getValues({{ address=a, flags=gg.TYPE_DWORD }})[1].value
end

-- Read a FLOAT at address `a`.
local function readF(a)
  return gg.getValues({{ address=a, flags=gg.TYPE_FLOAT }})[1].value
end

-- Typed single-address accessors. The literal flags 32 / 4 / 16 match
-- gg.TYPE_QWORD / gg.TYPE_DWORD / gg.TYPE_FLOAT.
function getZZ(address)
  return gg.getValues({{address = address, flags = 32}})[1].value
end

function getDword(address)
  return gg.getValues({{address = address, flags = 4}})[1].value
end

function getFloat(address)
  return gg.getValues({{address = address, flags = 16}})[1].value
end

function WriteFloat(address, value)
  gg.setValues({{address = address, flags = 16, value = value}})
end

function WriteDword(address, value)
  gg.setValues({{address = address, flags = 4, value = value}})
end

function getCode(address)
  return gg.getValues({{address = address, flags = gg.TYPE_QWORD}})[1].value
end

-- Replaces the earlier global getvalue (no stray `tmp` global here).
function getvalue(address, flags)
  return gg.getValues({{address = address, flags = flags}})[1].value
end

--- Optionally write `i` to `addr`, then optionally manage a saved-list item.
-- freeze truthy   -> add a frozen item holding `i`, or the current value
--                    when `i` is nil/false.
-- freeze == false -> add the item with freeze cleared.
-- freeze == nil   -> no saved-list change.
function callcode(addr, types, i, freeze)
  if i then
    gg.setValues({{address = addr, flags = types, value = i}})
  end
  if freeze then
    gg.addListItems({{
      address = addr,
      flags = types,
      value = i or getvalue(addr, types), -- no `i` given: use the value currently at the address
      freeze = true
    }})
  elseif freeze == false then
    gg.addListItems({{address = addr, flags = types, freeze = false}})
  end
end

-- ---------------------------------------------------------------------------
-- Script body: runs immediately when the chunk is loaded.
-- `so` and `py` are globals. Each setvalue call below resolves to the
-- chunk-local setvalue, so every write is also added to the saved list with
-- freeze = nil.
-- NOTE(review): gg.getRangesList(...)[1] is indexed without a check, so the
-- script raises if the module is not mapped in the target.
-- ---------------------------------------------------------------------------

-- Four DWORD writes of the same constant at fixed offsets from the first
-- range of libgcloud.so. As an unsigned 32-bit value the constant is
-- 0xD65F03C0, which is the AArch64 `ret` encoding; if these offsets are
-- function entries in arm64 code, the functions are stubbed to return
-- immediately. What those functions do cannot be determined from this file.
-- Such in-memory code patches are visible to an integrity check that
-- compares mapped code pages against the on-disk image.
so=gg.getRangesList('libgcloud.so')[1].start
py=0x487128
setvalue(so+py,4,-698416192)
py=0x506EB8
setvalue(so+py,4,-698416192)
py=0x487CC4
setvalue(so+py,4,-698416192)
py=0x507A54
setvalue(so+py,4,-698416192)

-- DWORD write into libUE4.so; unsigned value 0xD503201F is the AArch64
-- `nop` encoding. The same offset is written twice with the same value.
so=gg.getRangesList('libUE4.so')[1].start
py=0xCAC92C4
setvalue(so+py,4,-721215457)
so=gg.getRangesList('libUE4.so')[1].start
py=0xCAC92C4
setvalue(so+py,4,-721215457)

-- FLOAT (flags 16) write of 2.5 at a fixed libUE4.so offset.
so=gg.getRangesList('libUE4.so')[1].start
py=0x37a7548
setvalue(so+py,16,2.5)

-- Pointer-chain edits rooted at the 'libUE4.so:bss' range in state 'Cb'.
-- All but one use the freeze action, so the value is held in the saved
-- list; values are passed as strings with type 16 (FLOAT) or 4 (DWORD).
-- The last argument is only a label (saved-list name / failure toast);
-- several labels are bare numbers whose meaning is not shown here.
-- Any chain whose base range is not found ends the script via os.exit()
-- inside LSQ_Chain, so later lines would not run.
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x214},"冻结","5",16,"重力")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x218},"冻结","120",16,"45")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x218+0x4},"冻结","4000",16,"443")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x218+0x50},"冻结","400000",16,"8192")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x28C},"修改","9",16,"0.05")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x218+0xa70},"冻结","1.0e10",16,"670")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x1168},"冻结","12",16,"1wjs")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x610},"冻结","0",16,"240")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x268},"冻结","40000",16,"8192")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x2D08},"冻结","34",16,"50")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x20,0x400,0x75C},"冻结","90",16,"变速")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x20,0x400,0x770},"冻结","0.0001",16,"减速")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x2B8},"冻结","0",4,"13680")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x448},"冻结","54148",4,"防卡脚")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x260},"冻结","0",16,"60000")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x2E4},"冻结","0",16,"7500")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x518,0x27C},"冻结","999999",16,"2048")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x64},"冻结","0.00001",16,"趴下后摇")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x68},"冻结","0.00001",16,"趴下后摇")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0x4B8,0x1990},"冻结","0.00001",16,"秒趴")
LSQ_Chain({'libUE4.so:bss','Cb'},{0x558CF0,0x30,0xE4},"冻结","999",16,"流畅落地")