游戏内直接注册账号的lua

muscipular

直接根据输入的用户名、密码注册新账号并登录，无需开网页注册，只支持cmgsv 21.2a windows版本

accountRegister.zip (1.99 KB, 下载次数: 1)

2021-7-23 17:49 上传

点击文件名下载附件

local ffi = require "ffi";
local FFI = ffi;
--HOOKS
local hook = { hooks = {} }
ffi.cdef [[
    int VirtualProtect(void* lpAddress, unsigned long dwSize, unsigned long flNewProtect, unsigned long* lpflOldProtect);
]]
function hook.new(cast, callback, hook_addr, size)
  local _size = size or 5
  local new_hook = {}
  local detour_addr = tonumber(ffi.cast('intptr_t', ffi.cast('void*', ffi.cast(cast, callback))))
  local hookFnPtr = ffi.cast('void*', hook_addr)
  local old_prot = ffi.new('unsigned long[1]')
  local old_prot2 = ffi.new('unsigned long[1]')
  local org_bytes = ffi.new('uint8_t[?]', _size + 10)
  ffi.copy(org_bytes, hookFnPtr, _size)
  org_bytes[_size] = 0xE9;
  ffi.cast('uint32_t*', org_bytes + _size + 1)[0] = hook_addr - (ffi.cast('uint32_t', org_bytes) + _size);
  local hook_bytes = ffi.new('uint8_t[?]', _size, 0x90)
  hook_bytes[0] = 0xE9
  ffi.cast('uint32_t*', hook_bytes + 1)[0] = detour_addr - hook_addr - 5
  ffi.C.VirtualProtect(hookFnPtr, _size, 0x40, old_prot)
  ffi.copy(hookFnPtr, hook_bytes, _size)
  ffi.C.VirtualProtect(hookFnPtr, _size, old_prot[0], old_prot2)
  --local orgHookedPtr = ffi.cast(cast, ffi.cast('void*', ffi.cast('uint32_t', org_bytes)));
  --ffi.C.VirtualProtect(org_bytes, _size, old_prot[0], old_prot2)
  new_hook.uninstall = function()
    ffi.C.VirtualProtect(hookFnPtr, _size, 0x40, old_prot)
    ffi.copy(hookFnPtr, org_bytes, _size)
    ffi.C.VirtualProtect(hookFnPtr, _size, old_prot[0], old_prot2)
    hook.hooks[tostring(hook_addr)] = nil;
  end
  new_hook.call = ffi.cast(cast, org_bytes)
  new_hook.org_bytes = org_bytes;
  new_hook.callback = callback;
  hook.hooks[tostring(hook_addr)] = new_hook;
  return setmetatable(new_hook, {
    __call = function(self, ...)
      local res = self.call(...)
      return res
    end
  })
end
ffi.hook = hook;
_G.SQL = _G.SQL or {}
local SQL = _G.SQL;
function SQL.sqlValue(s)
  if s == nil then
    return 'null'
  end
  if type(s) == 'number' then
    return tostring(s)
  end
  if type(s) == 'string' then
    local r = "'"
    for i = 1, string.len(s) do
      local v = string.sub(s, i, i);
      if v == '\\' or v == '\'' then
        r = r .. '\\'
      end
      if not (v == '\n' or v == '\r') then
        r = r .. v;
      end
    end
    return r .. "'";
  end
  return 'null';
end
function SQL.querySQL(sql)
  local result = SQL.Run(sql)
  if type(result) == "table" then
    local res = {}
    local field = tonumber(result.field);
    local row = tonumber(result.row);
    for i = 0, row do
      for j = 0, field do
        res[i + 1] = res[i + 1] or {}
        res[i + 1][j + 1] = result['' .. i .. '_' .. j];
      end
    end
    return res
  end
  return result
end
SQL.CONST_RET_NO_ROW = -3;
local Protocol = { Hooks = {}, _hooked = false }
local _OnDispatch;
local _nrproto_unescapeString = FFI.cast('char* (__cdecl *)(const char* str)', 0x00559040)

---封包字符串解密
function Protocol.nrprotoUnescapeString(str)
  return FFI.string(_nrproto_unescapeString(str));
end

function string.split(str, separator)
  local str = tostring(str)
  local separator = tostring(separator)
  local strB, arrayIndex = 1, 1
  local targetArray = {}
  if (separator == nil)
  then
    return false
  end
  local condition = true
  local si, sd;
  while (condition)
  do
    si, sd = string.find(str, separator, strB)
    if (si)
    then
      targetArray[arrayIndex] = string.sub(str, strB, si - 1)
      arrayIndex = arrayIndex + 1
      strB = sd + 1
    else
      targetArray[arrayIndex] = string.sub(str, strB, string.len(str))
      condition = false
    end
  end
  return targetArray
end

local function OnDispatch(fd, str)
  local s, e = pcall(function()
    local s = FFI.string(str);
    local list = string.split(s, ' ');
    local head = list[1];
    table.remove(list, 1);
    for i = 1, #list do
      list[i] = Protocol.nrprotoUnescapeString(list[i]);
    end
    --print('收到', head, '封包，内容: ', unpack(list))
    if Protocol.Hooks[head] and _G[Protocol.Hooks[head]] then
      local ret = _G[Protocol.Hooks[head]](fd, head, list);
      if type(ret) == 'number' and ret < 0 then
        return -1;
      end
    end
    return _OnDispatch(fd, str);
  end)
  return s and e or _OnDispatch(fd, str);
end

---拦截封包回调
---@param Dofile string 加载文件
---@param FuncName string 回调名字
---@param PacketID string 封包头
function Protocol.OnRecv(Dofile, FuncName, PacketID)
  if Dofile and _G[FuncName] == nil then
    dofile(Dofile)
  end
  Protocol.Hooks[PacketID] = FuncName;
  if Protocol._hooked == false then
    Protocol._hooked = true;
    _OnDispatch = FFI.hook.new('int (__cdecl *)(uint32_t fd, const char *encoded)', OnDispatch, 0x00551800, 5);
  end
end
local function OnRecv(fd, head, data)
  local user = SQL.querySQL('select * from tbl_user where CdKey = ' .. SQL.sqlValue(data[3]));
  if user == SQL.CONST_RET_NO_ROW then
    local seq = SQL.querySQL('select max(SequenceNumber) + 1 from tbl_user');
    local sql = 'insert into tbl_user (CdKey, SequenceNumber, AccountID, AccountPassWord, '
      .. ' EnableFlg, UseFlg, BadMsg, TrialFlg, DownFlg, ExpFlg) values ('
      .. SQL.sqlValue(data[3]) .. ', ' .. SQL.sqlValue(seq[1][1]) .. ', '
      .. SQL.sqlValue(data[3]) .. ', '
      .. SQL.sqlValue(data[2]) .. ',1,1,0,0,0,0);'
    local r = SQL.querySQL(sql)
  end
  return 0
end
_G.OnRecv = OnRecv;
Protocol.OnRecv(nil, 'OnRecv', 'JFVf')
复制代码

补充内容 (2021-9-12 18:08):
165行更正为
      .. SQL.sqlValue(data[2]) .. ',1,1,0,8,0,0);'

补充内容 (2021-9-14 11:52):
PS: string.split 注意不要被其他脚本覆盖了。不然会崩端

31558770

经测试 确实有效

补充内容 (2021-7-28 11:32):
注意事项：此lua加载成功后不要再次加载，否则崩端

cliffe600

感谢分享

204546

感谢分享,很方便