# Audacious.
#
# Demonstration that an RGSS script with access to Win32API can read and
# rewrite the interpreter's own memory: it makes a Ruby String alias the
# backing storage of a Table, then writes through the String. From a
# defender's view this means loading a script is equivalent to native code
# execution in the game process; only load scripts you trust.
#
# The layout assumptions below (object id * 2 == object address, field
# offsets 8 / 16 / 28) are those of the interpreter this was written against
# (a Ruby 1.8-era 32-bit build, going by the use of `.id` and 4-byte
# pointers) — TODO confirm before relying on them; on any other build the
# offsets are wrong and the writes corrupt unrelated memory.
#
# RtlMoveMemory(dest, src, length): "iii" passes all three as integers
# (raw addresses); "ipi" passes src as a Ruby String whose bytes are copied.
copymemory = Win32API.new("kernel32", "RtlMoveMemory", "iii", "i")
copymemory_ip = Win32API.new("kernel32", "RtlMoveMemory", "ipi", "i")
# Set up a Table and fill every cell with 0x4141 ("AA" as two bytes).
t = Table.new(2,10,10)
for i in 0...2
for j in 0...10
for k in 0...10
t[i, j, k] = 16705 # 0x4141 == bytes 'A','A'
end
end
end
# A 1-byte string (the one whose header gets rewritten) and a 4-byte string
# used as the destination of single pointer-sized reads.
cache = "0"*1
buffer = "0000"
# The evil begins.
# Save cache's original (length, data pointer) pair so it can be restored at
# the end. "L" = 32-bit unsigned, "p" = pointer to the string's bytes.
cache_info = [cache.size].pack("L")+ [cache].pack("p")
# Address of buffer's bytes as an integer, so RtlMoveMemory can write there.
buffer_addr = [buffer].pack("p").unpack("L")[0]
# Read 4 bytes at (Table object address + 16) into buffer. Relies on t.id*2
# being the object's address; offset 16 is presumably the data pointer of
# the Data object wrapping the Table — verify for this build.
copymemory.call(buffer_addr, t.id*2+16, 4)
# Follow that pointer: 28 bytes into the Table's C struct is, presumably,
# the pointer to its element array — verify for this build.
a = buffer.unpack("L")[0] + 28
copymemory.call(buffer_addr, a, 4)
# buffer now holds the address of the Table's element storage.
# NOTE(review): table_data_addr is assigned but never read; table_info below
# uses buffer directly.
table_data_addr = buffer.unpack("L")[0]
# New (length, pointer) pair for cache: the byte size of the Table's storage
# (2 bytes per cell, consistent with the 16-bit values it holds) and its
# address — 2*10*10*2 == 400 bytes here.
table_info = [t.xsize * t.ysize * t.zsize * 2].pack("L") + buffer
# Overwrite the length/pointer fields of cache's string header (8 bytes past
# the object's basic header) so cache now aliases the Table's storage.
copymemory_ip.call(cache.id * 2 + 8, table_info, 8)
p cache
# => prints 400 'A's
# Surprisingly, this executes: writing through the String changes the Table.
# 255 lands in the high byte of the last cell; 0xFF41 read as a signed
# 16-bit value is -191.
cache[399] = 255
p t[1, 9, 9]
# => -191
# => -191
# => -191
# Important things are said three times.
# Curious what happens if you don't clean up after yourself.
# Restore cache's original length/pointer so the string and the Table no
# longer claim the same storage (otherwise the Table's data would presumably
# be freed when cache is collected).
copymemory_ip.call(cache.id*2 + 8, cache_info, 8)
exit
# Audacious.
#
# NOTE(review): this is a verbatim repeat of the script above and is never
# reached, because the preceding `exit` ends the script — it looks like a
# paste duplication. Annotated the same way for completeness.
#
# Demonstration that an RGSS script with access to Win32API can read and
# rewrite the interpreter's own memory: it makes a Ruby String alias the
# backing storage of a Table, then writes through the String. From a
# defender's view this means loading a script is equivalent to native code
# execution in the game process; only load scripts you trust.
#
# The layout assumptions below (object id * 2 == object address, field
# offsets 8 / 16 / 28) are those of the interpreter this was written against
# (a Ruby 1.8-era 32-bit build, going by the use of `.id` and 4-byte
# pointers) — TODO confirm before relying on them; on any other build the
# offsets are wrong and the writes corrupt unrelated memory.
#
# RtlMoveMemory(dest, src, length): "iii" passes all three as integers
# (raw addresses); "ipi" passes src as a Ruby String whose bytes are copied.
copymemory = Win32API.new("kernel32", "RtlMoveMemory", "iii", "i")
copymemory_ip = Win32API.new("kernel32", "RtlMoveMemory", "ipi", "i")
# Set up a Table and fill every cell with 0x4141 ("AA" as two bytes).
t = Table.new(2,10,10)
for i in 0...2
for j in 0...10
for k in 0...10
t[i, j, k] = 16705 # 0x4141 == bytes 'A','A'
end
end
end
# A 1-byte string (the one whose header gets rewritten) and a 4-byte string
# used as the destination of single pointer-sized reads.
cache = "0"*1
buffer = "0000"
# The evil begins.
# Save cache's original (length, data pointer) pair so it can be restored at
# the end. "L" = 32-bit unsigned, "p" = pointer to the string's bytes.
cache_info = [cache.size].pack("L")+ [cache].pack("p")
# Address of buffer's bytes as an integer, so RtlMoveMemory can write there.
buffer_addr = [buffer].pack("p").unpack("L")[0]
# Read 4 bytes at (Table object address + 16) into buffer. Relies on t.id*2
# being the object's address; offset 16 is presumably the data pointer of
# the Data object wrapping the Table — verify for this build.
copymemory.call(buffer_addr, t.id*2+16, 4)
# Follow that pointer: 28 bytes into the Table's C struct is, presumably,
# the pointer to its element array — verify for this build.
a = buffer.unpack("L")[0] + 28
copymemory.call(buffer_addr, a, 4)
# buffer now holds the address of the Table's element storage.
# NOTE(review): table_data_addr is assigned but never read; table_info below
# uses buffer directly.
table_data_addr = buffer.unpack("L")[0]
# New (length, pointer) pair for cache: the byte size of the Table's storage
# (2 bytes per cell, consistent with the 16-bit values it holds) and its
# address — 2*10*10*2 == 400 bytes here.
table_info = [t.xsize * t.ysize * t.zsize * 2].pack("L") + buffer
# Overwrite the length/pointer fields of cache's string header (8 bytes past
# the object's basic header) so cache now aliases the Table's storage.
copymemory_ip.call(cache.id * 2 + 8, table_info, 8)
p cache
# => prints 400 'A's
# Surprisingly, this executes: writing through the String changes the Table.
# 255 lands in the high byte of the last cell; 0xFF41 read as a signed
# 16-bit value is -191.
cache[399] = 255
p t[1, 9, 9]
# => -191
# => -191
# => -191
# Important things are said three times.
# Curious what happens if you don't clean up after yourself.
# Restore cache's original length/pointer so the string and the Table no
# longer claim the same storage (otherwise the Table's data would presumably
# be freed when cache is collected).
copymemory_ip.call(cache.id*2 + 8, cache_info, 8)
exit