辅助实现了秒杀僵尸、阳光修改、种植植物无 CD、植物攻击无 CD 时间。
秒杀僵尸可以通过修改植物攻击属性或修改僵尸血量来实现,这里采用修改僵尸血量的方式。
思路:僵尸分成有装备和无装备的僵尸,僵尸的血量分成僵尸血量和僵尸装备的血量
伪代码可以写成
struct{
bool 僵尸装备标识;
int 僵尸当前血量;
int 僵尸血量上限;
int 僵尸装备当前血量;
int 僵尸装备上限;
}
先找到普通僵尸血量,然后找僵尸装备血量
当植物攻击僵尸先比较装备标识,然后比较装备血量,最后比较僵尸血量
1.指定一个僵尸
2.使用ce查找未知初始值
3.使用植物攻击僵尸
4.使用ce 查找变化或者减少的值
5.重复3-4 步骤筛选到可疑的数据进行分析
使用ce 查找到僵尸装备地址
00566890 - 2B C8 - sub ecx,eax
00566892 - 89 74 24 10 - mov [esp+10],esi
00566896 - 89 8F D0000000 - mov [edi+000000D0],ecx <<
0056689C - F6 C3 04 - test bl,04
0056689F - 74 4F - je PlantsVsZombies.exe+1668F0
EAX=00000014
EBX=00000000
ECX=000001B8
EDX=00000000
ESI=00000000
EDI=284CCB60
ESP=0012F990
EBP=00000000
EIP=0056689C
使用 OD 下断点
00566896 - 89 8F D0000000 - mov [edi+000000D0],ecx <<
返回上一层函数
00567160 /$ 51 push ecx
00567161 |. 8B4E 28 mov ecx,dword ptr ds:[esi+0x28]
00567164 |. 53 push ebx
00567165 |. 55 push ebp
00567166 |. 8B6C24 10 mov ebp,dword ptr ss:[esp+0x10] ; PlantsVs.00493022
0056716A |. 57 push edi
0056716B |. 8BD8 mov ebx,eax
0056716D |. 83F9 10 cmp ecx,0x10
00567170 |. 0F84 A3000000 je PlantsVs.00567219
00567176 |. 80BE EC000000>cmp byte ptr ds:[esi+0xEC],0x0
0056717D |. 0F85 96000000 jnz PlantsVs.00567219
00567183 |. 83F9 01 cmp ecx,0x1
00567186 |. 0F84 8D000000 je PlantsVs.00567219
0056718C |. 83F9 02 cmp ecx,0x2
0056718F |. 0F84 84000000 je PlantsVs.00567219
00567195 |. 83F9 03 cmp ecx,0x3
00567198 |. 74 7F je short PlantsVs.00567219
0056719A |. 8BC5 mov eax,ebp
0056719C |. 83F9 49 cmp ecx,0x49
0056719F |. 74 05 je short PlantsVs.005671A6
005671A1 |. 83F9 4A cmp ecx,0x4A
005671A4 |. 75 2E jnz short PlantsVs.005671D4
005671A6 |> F6C3 08 test bl,0x8
005671A9 |. 75 07 jnz short PlantsVs.005671B2
005671AB |. C746 54 19000>mov dword ptr ds:[esi+0x54],0x19
005671B2 |> 8B86 E4000000 mov eax,dword ptr ds:[esi+0xE4]
005671B8 |. 3BC5 cmp eax,ebp
005671BA |. 7C 02 jl short PlantsVs.005671BE
005671BC |. 8BC5 mov eax,ebp
005671BE |> 8BFD mov edi,ebp
005671C0 |. 2BF8 sub edi,eax
005671C2 |. 2986 E4000000 sub dword ptr ds:[esi+0xE4],eax
005671C8 |. 75 08 jnz short PlantsVs.005671D2
005671CA |. 53 push ebx
005671CB |. 8BC6 mov eax,esi
005671CD |. E8 BE44FFFF call PlantsVs.0055B690
005671D2 |> 8BC7 mov eax,edi
005671D4 |> 85C0 test eax,eax
005671D6 |. 7E 41 jle short PlantsVs.00567219
005671D8 |. 83BE D8000000>cmp dword ptr ds:[esi+0xD8],0x0
005671DF |. 74 16 je short PlantsVs.005671F7
005671E1 |. F6C3 01 test bl,0x1
005671E4 |. 75 11 jnz short PlantsVs.005671F7
005671E6 |. 53 push ebx
005671E7 |. 8BC5 mov eax,ebp
005671E9 |. 8BCE mov ecx,esi
005671EB |. E8 60F1FFFF call PlantsVs.00566350
005671F0 |. F6C3 02 test bl,0x2
005671F3 |. 74 02 je short PlantsVs.005671F7
005671F5 |. 8BC5 mov eax,ebp
005671F7 |> 85C0 test eax,eax
005671F9 |. 7E 1E jle short PlantsVs.00567219
005671FB |. 83BE C4000000>cmp dword ptr ds:[esi+0xC4],0x0 装备状态比较 ,这一断代码全部使用nop 指令实现
00567202 |. 74 09 je short PlantsVs.0056720D
00567204 |. 8BC5 mov eax,ebp
00567206 |. 8BCE mov ecx,esi
00567208 |. E8 23F6FFFF call PlantsVs.00566830 僵尸装备检查函数
0056720D |> 85C0 test eax,eax
0056720F |. 7E 08 jle short PlantsVs.00567219
00567211 |. 53 push ebx
00567212 |. 50 push eax
00567213 |. 56 push esi
00567214 |. E8 67FAFFFF call PlantsVs.00566C80 僵尸血量检查函数
00567219 |> 5F pop edi ; 28660238
0056721A |. 5D pop ebp ; 28660238
0056721B |. 5B pop ebx ; 28660238
0056721C |. 59 pop ecx ; 28660238
0056721D \. C2 0400 retn 0x4
进入僵尸血量检查函数
//普通僵尸死亡比较
0056712E |> \83BD C8000000>cmp dword ptr ss:[ebp+0xC8],0x0
00567135 |. 7F 1C jg short PlantsVs.00567153 ;这里不要让代码进行跳转就可以实现普通僵尸秒杀,直接使用nop指令替换
00567137 |. 8B4424 24 mov eax,dword ptr ss:[esp+0x24]
0056713B |. 50 push eax
0056713C |. 55 push ebp
0056713D |. C785 C8000000>mov dword ptr ss:[ebp+0xC8],0x0
00567147 |. E8 F41B0000 call PlantsVs.00568D40
0056714C |. 8BC5 mov eax,ebp
0056714E |. E8 1DE8FFFF call PlantsVs.00565970
00567153 |> 5F pop edi ; 28660238
使用 C++ 代码进行修改
/*
添加时间:20180405
功能:秒杀僵尸
*/
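void HookFunction::HookZombieTakeDown(){
    // Installs the three in-process byte patches that make one hit kill a
    // zombie (see the listings above): the zombie-HP death check, the
    // equipment-flag check and the equipment-HP subtraction. For each site the
    // original bytes are first saved into the matching m_bOldZombietakeDown_*
    // buffer so UnHookZombieTakeDown() can put them back. A site whose bytes
    // could not be read is left untouched and its m_pfnOrig_* is not updated:
    // patching it would leave nothing valid to restore later. Only the current
    // process is ever written to.
    // NOTE(review): the bytes read back are not compared with the expected
    // opcodes of this game build. On another build the same addresses hold
    // different instructions and the patch would corrupt them - TODO verify
    // each m_bOld* buffer against the expected original bytes before writing.
    DWORD dwNum = 0;

    // Site 3: the 2-byte "zombie HP > 0" conditional jump is replaced by two
    // NOPs (0x90 is NOP, not a jmp), so the death path always runs.
    const DWORD kLen03 = 2;
    PROC phookaddr = (PROC)HOOK_ADDRESS_ZOMBIE_TAKEDOWN_03;
    if (ReadProcessMemory(GetCurrentProcess(), phookaddr, m_bOldZombietakeDown_03, kLen03, &dwNum)
        && dwNum == kLen03){
        m_pfnOrig_3 = phookaddr;
        m_bNewZombietakeDown_03[0] = 0x90;
        m_bNewZombietakeDown_03[1] = 0x90;
        WriteProcessMemory(GetCurrentProcess(), m_pfnOrig_3, m_bNewZombietakeDown_03, kLen03, &dwNum);
    }

    // Site 1: the 13-byte equipment-flag compare/branch sequence is NOP'd out
    // entirely, as described in the listing above.
    dwNum = 0;
    const DWORD kLen01 = 13;
    phookaddr = (PROC)HOOK_ADDRESS_ZOMBIE_TAKEDOWN_01;
    if (ReadProcessMemory(GetCurrentProcess(), phookaddr, m_bOldZombietakeDown_01, kLen01, &dwNum)
        && dwNum == kLen01){
        m_pfnOrig_1 = phookaddr;
        for (DWORD i = 0; i < kLen01; i++){
            m_bNewZombietakeDown_01[i] = 0x90;
        }
        WriteProcessMemory(GetCurrentProcess(), m_pfnOrig_1, m_bNewZombietakeDown_01, kLen01, &dwNum);
    }

    // Site 2: the 2-byte instruction at the equipment-HP site is replaced by
    // 0x33 0xC9, the encoding of `xor ecx,ecx` (presumably the `sub ecx,eax`
    // that precedes `mov [edi+D0],ecx` in the listing above), so the value
    // stored as equipment HP becomes 0.
    dwNum = 0;
    const DWORD kLen02 = 2;
    phookaddr = (PROC)HOOK_ADDRESS_ZOMBIE_TAKEDOWN_02;
    if (ReadProcessMemory(GetCurrentProcess(), phookaddr, m_bOldZombietakeDown_02, kLen02, &dwNum)
        && dwNum == kLen02){
        m_pfnOrig_2 = phookaddr;
        m_bNewZombietakeDown_02[0] = 0x33;
        m_bNewZombietakeDown_02[1] = 0xC9;
        WriteProcessMemory(GetCurrentProcess(), m_pfnOrig_2, m_bNewZombietakeDown_02, kLen02, &dwNum);
    }
}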
/*
添加时间:20180405
功能:卸载秒杀僵尸
*/
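void HookFunction::UnHookZombieTakeDown(){
    // Writes the original bytes saved by HookZombieTakeDown() back over the
    // three patch sites. A zero m_pfnOrig_* means that site was never patched
    // (or its original bytes were never captured), so it is skipped - the same
    // guard UnPlantCDHook() uses - rather than writing an unfilled buffer.
    DWORD dwNum = 0;
    if (m_pfnOrig_3 != 0){
        WriteProcessMemory(GetCurrentProcess(), m_pfnOrig_3, m_bOldZombietakeDown_03, 2, &dwNum);
    }
    if (m_pfnOrig_1 != 0){
        WriteProcessMemory(GetCurrentProcess(), m_pfnOrig_1, m_bOldZombietakeDown_01, 13, &dwNum);
    }
    if (m_pfnOrig_2 != 0){
        WriteProcessMemory(GetCurrentProcess(), m_pfnOrig_2, m_bOldZombietakeDown_02, 2, &dwNum);
    }
}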
种植植物无cd
使用ce 扫描未知初始值
1.指定需要种植的植物
2.扫描变动值
3.重复第 2 步,植物 CD 值在 1-2000 范围内
004B2FE5 - 38 5F 49 - cmp [edi+49],bl
004B2FE8 - 74 1D - je PlantsVsZombies.exe+B3007
004B2FEA - FF 47 24 - inc [edi+24] <<
004B2FED - 8B 47 24 - mov eax,[edi+24]
004B2FF0 - 3B 47 28 - cmp eax,[edi+28]
EAX=010A9A58
EBX=00000000
ECX=28278FC0
EDX=0000013A
ESI=00000003
EDI=27BE4988
ESP=0012FA30
EBP=0012FAAC
EIP=004B2FED
004B2FED . 8B47 24 mov eax,dword ptr ds:[edi+0x24] ; PlantsVs.00500051
004B2FF0 . 3B47 28 cmp eax,dword ptr ds:[edi+0x28] ; PlantsVs.006E0069
004B2FF3 . 7E 12 jle short PlantsVs.004B3007 屏蔽这条指令就可以实现种植植物无cd
004B2FF5 . 8BC7 mov eax,edi ; QQPinyin.1036ECCC
004B2FF7 . 895F 24 mov dword ptr ds:[edi+0x24],ebx ; ntdll.RtlNtStatusToDosError
004B2FFA . 885F 49 mov byte ptr ds:[edi+0x49],bl
004B2FFD . E8 EE1C0000 call PlantsVs.004B4CF0
004B3002 . E8 99FEFFFF call PlantsVs.004B2EA0
004B3007 > 8B47 3C mov eax,dword ptr ds:[edi+0x3C] ; PlantsVs.0055006E
004B300A . 3BC3 cmp eax,ebx
/*
添加时间:20180405
功能:植物种植CD
*/
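void HookFunction::PlantCDHook(){
    // Removes the planting cooldown by overwriting the 2-byte conditional jump
    // at HOOK_ADDRESS_PLANT_CD (the `jle` after the cooldown compare in the
    // listing above) with two NOPs (0x90 is NOP, not a jmp), so the reset path
    // always runs. The original bytes are saved in m_bOldBytes for
    // UnPlantCDHook(); if they cannot be read, nothing is written and
    // m_pfnOrig is left unchanged so UnPlantCDHook() has nothing to restore.
    // Only the current process is written to.
    const DWORD kLen = 2;
    DWORD dwNum = 0;
    PROC phookaddr = (PROC)HOOK_ADDRESS_PLANT_CD;
    if (!ReadProcessMemory(GetCurrentProcess(), phookaddr, m_bOldBytes, kLen, &dwNum)
        || dwNum != kLen){
        return; // nothing captured: do not patch what cannot be restored
    }
    m_pfnOrig = phookaddr;
    m_bNewBytes[0] = 0x90;
    m_bNewBytes[1] = 0x90;
    WriteProcessMemory(GetCurrentProcess(), m_pfnOrig, m_bNewBytes, kLen, &dwNum);
}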
/*
添加时间:20180405
功能:卸载植物种植CD
*/
void HookFunction::UnPlantCDHook(){
    // Puts the bytes saved by PlantCDHook() back over the patch site.
    // A zero m_pfnOrig means the cooldown patch was never installed, so there
    // is nothing to restore.
    if (m_pfnOrig == 0){
        return;
    }
    DWORD written = 0;
    WriteProcessMemory(GetCurrentProcess(), m_pfnOrig, m_bOldBytes, 2, &written);
}
通过劫持 DLL 实现辅助运行
使用工具 AheadLib
代码和工具地址
https://github.com/Yonsm/AheadLib
程序运行时会加载 bass.dll
使用 AheadLib 生成 bass.cpp
HMODULE m_hModule = NULL; // handle of the original (renamed) bass module; set by Load(), released by Free()
HMODULE m_hModule2 = NULL; // handle of the helper DLL (zwdzjs_DLL); set by Load(), released by Free()
DWORD m_dwReturn[95] = { 0 }; // return addresses of the original functions (used by the AheadLib forwarding stubs, which are not in this excerpt)
// Czwdzjs_DLLApp theApp;
//Czwdzjs_DLLApp *theApp;
// 加载原始模块
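// Loads one module by name; on failure shows the AheadLib error box and
// returns NULL. Shared by the two loads in Load() below.
static HMODULE LoadModuleOrWarn(const TCHAR* tzName)
{
    HMODULE hModule = LoadLibrary(tzName);
    if (hModule == NULL)
    {
        // wsprintf never produces more than 1024 TCHARs, so this buffer is
        // large enough for any name (the two callers pass short literals).
        TCHAR tzTemp[1024];
        wsprintf(tzTemp, TEXT("无法加载 %s,程序无法正常运行。"), tzName);
        MessageBox(NULL, tzTemp, TEXT("AheadLib"), MB_ICONSTOP);
    }
    return hModule;
}

// Loads the original (renamed) bass module and then the helper DLL; both are
// attempted even if the first fails, each showing its own error box.
// Returns TRUE only if the original module loaded: without it the proxy cannot
// forward any export, whereas a missing helper DLL only leaves the game
// unpatched. Both names are relative, so they resolve through the normal DLL
// search order (normally the application directory first).
inline BOOL WINAPI Load()
{
    m_hModule = LoadModuleOrWarn(TEXT("bassOrg"));
    m_hModule2 = LoadModuleOrWarn(TEXT("zwdzjs_DLL"));
    return (m_hModule != NULL);
}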
// 释放原始模块
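// Releases the modules loaded by Load(), in reverse order of loading, and
// clears the handles so a second Free() is a no-op instead of a second
// FreeLibrary() on a stale handle.
inline VOID WINAPI Free()
{
    if (m_hModule2)
    {
        FreeLibrary(m_hModule2);
        m_hModule2 = NULL;
    }
    if (m_hModule)
    {
        FreeLibrary(m_hModule);
        m_hModule = NULL;
    }
}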