-
-
[原创]外挂学习-植物大战僵尸-修改阳光
-
发表于: 2022-1-8 12:03
-
记录一下前段时间学习到的一些用CE确定游戏基址的简单技巧和用WriteProcessMemory/ReadProcessMemory编写相应的外挂。
找到了4个绿色的基址(0x755E0C,0X755EAC,0X755F28,0X755F6C),应该都是可以用的,这里选择 0x755E0C:
总体修改思路就是:从0x755E0C读取一个地址,记为addr1;再从addr1+0x868读取一个地址,记为addr2;addr2保存的就是阳光值,修改这个地址的数据即可。
#include <windows.h>#include <stdio.h>#include <memoryapi.h>#include <tlhelp32.h>/*
* @brief 根据进程名获取进程ID
* @param lpProcessName进程名称
* @from https://blog.csdn.net/zjx_cfbx/article/details/82390064
*/
DWORD __getProcessHandle(LPCTSTR lpProcessName)//根据进程名查找进程PID
{ DWORD dwRet = 0;
HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapShot == INVALID_HANDLE_VALUE)
{
printf("获得进程快照失败,GetLastError() = %d\n", GetLastError());
return dwRet;
}
PROCESSENTRY32 pe32;//声明进程入口对象
pe32.dwSize = sizeof(PROCESSENTRY32);//填充进程入口对象大小
Process32First(hSnapShot, &pe32);//遍历进程列表
do
{
if (!lstrcmp(pe32.szExeFile, lpProcessName))//查找指定进程名的PID
{
dwRet = pe32.th32ProcessID;
break;
}
} while (Process32Next(hSnapShot, &pe32));
CloseHandle(hSnapShot);
return dwRet;//返回
}int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd){
int i;
DWORD ID = __getProcessHandle("PlantsVsZombies.exe");
HANDLE hProcess = OpenProcess(PROCESS_ALL_ACCESS, 0, ID);
if(!hProcess){
puts("打开进程失败。");
exit(1);
}
char lpBuffer[10];
LPVOID base = 0x755E0C;
if(!ReadProcessMemory(hProcess, base, lpBuffer, 4, NULL)) {
puts("读取内存失败。");
exit(2);
}
long long addr1 = 0;
for(i = strlen(lpBuffer) - 1; i >= 0; i--){
addr1 = addr1*0x100 + (lpBuffer[i]&0xff);
}
if(!ReadProcessMemory(hProcess, (LPVOID)(addr1+0x868), lpBuffer, 4, NULL)) {
puts("读取内存失败。");
exit(2);
}
long long addr2 = 0;
for(i = strlen(lpBuffer) - 1; i >= 0; i--)
addr2 = addr2*0x100 + (lpBuffer[i]&0xff);
addr2 += 0x5578;
//将阳光值修改为 0x1020 = 4128
char in_data[2] = {0x20, 0x10};
SIZE_T nSize = 2;
WriteProcessMemory(hProcess, (LPVOID)addr2, in_data, nSize, NULL);
return 0;
}#include <windows.h>#include <stdio.h>#include <memoryapi.h>#include <tlhelp32.h>/*
* @brief 根据进程名获取进程ID
* @param lpProcessName进程名称
* @from https://blog.csdn.net/zjx_cfbx/article/details/82390064
*/
DWORD __getProcessHandle(LPCTSTR lpProcessName)//根据进程名查找进程PID
{ DWORD dwRet = 0;
HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hSnapShot == INVALID_HANDLE_VALUE)
{
printf("获得进程快照失败,GetLastError() = %d\n", GetLastError());
return dwRet;
}
PROCESSENTRY32 pe32;//声明进程入口对象
pe32.dwSize = sizeof(PROCESSENTRY32);//填充进程入口对象大小
Process32First(hSnapShot, &pe32);//遍历进程列表
do
{
if (!lstrcmp(pe32.szExeFile, lpProcessName))//查找指定进程名的PID
{
dwRet = pe32.th32ProcessID;
break;
}
} while (Process32Next(hSnapShot, &pe32));
CloseHandle(hSnapShot);
return dwRet;//返回
}int WINAPI WinMain(HINSTANCE hInstance,HINSTANCE hPrevInstance,LPSTR lpCmdLine,int nShowCmd){
int i;
DWORD ID = __getProcessHandle("PlantsVsZombies.exe");
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
