zoukankan      html  css  js  c++  java

  • 植物大战僵尸逆向(秒杀僵尸)

    之前实现了秒杀普通僵尸后就没深入研究了

    先用CE找到扣血的判定函数,这里就不演示了。

    在dbg中查看该地址,下断

     0x566d06把受到攻击前的血量减掉伤害,也就是被攻击后的血量----esi,写入[ebp+C8]。如果把这个sub改成sub esi,esi就能实现秒杀普通僵尸。

    运行一下就知道,普通僵尸受到攻击时会停在该断点,但其他有护具的僵尸(例如路障僵尸),则不会停下来。说明这些僵尸判定的函数不一样

    ctrl+F9h回到上个call

     还是没断

     再次ctrl+F9,下断

    这次路障僵尸受攻击时停下来了,步入查看。

    有一大堆的判定,很有可能是判断僵尸的类型,底部就是普通僵尸受攻击时会断下了的call

     

    这个函数push了三个参数。尝试把最前面的je改成无条件跳转jmp,跳到0x00567211,也就是第一个参数的位置

     修改之后就能无视僵尸的护具

     再配上前面的秒杀普通僵尸就能实现秒杀所有僵尸

    写了个MFC的简单修改器

    这里就贴下核心函数

    void one_shot(bool status){
    DWORD address1 = 0x00566D06;//普通僵尸秒杀
    DWORD address2 = 0x00567170;//修改僵尸类型判断
    int value1=0x9090F62B;//0x2BF69090
    long long int value2=0x900000009CE9;//0xE99C00000090
    int old_value1=0x2024742b;//0x2b742420
    long long int old_value2=0xBE8000000A3840F;//0x0F84A300000080BE  

    DWORD pid;
    CString result;
    HWND hwnd = FindWindow(L"MainWindow", L"Plants vs. Zombies GOTY ");
    if (hwnd != NULL) {
        GetWindowThreadProcessId(hwnd, &pid);
        HANDLE hProcess;
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
        if (NULL == hProcess) { MessageBox(NULL, L"找不到进程", L"error", MB_OK); }
        else {
            if (status == false) {
                DWORD res1 = WriteProcessMemory(hProcess, (LPVOID)(address1), &value1, 4, 0);
                DWORD res2 = WriteProcessMemory(hProcess, (LPVOID)(address2), &value2, 6, 0);
                
            }
            else{
                DWORD res1 = WriteProcessMemory(hProcess, (LPVOID)(address1), &old_value1, 4, 0);
                DWORD res2 = WriteProcessMemory(hProcess, (LPVOID)(address2), &old_value2, 6, 0);
            
            }
            
        }

    }

}
    BOOL infinite_sun(int sun_value){
    DWORD base = 0x007794F8;//base
    DWORD offset1 = 0x868;//offset1
    DWORD offset2 = 0x5578;//offset2
    DWORD temp;
    DWORD pid;
    CString result;
    HWND hwnd = FindWindow(L"MainWindow",L"Plants vs. Zombies GOTY ");
    if (hwnd != NULL) {
        GetWindowThreadProcessId(hwnd, &pid);
        HANDLE hProcess;
        hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,pid);
        if (NULL == hProcess) { MessageBox(NULL, L"找不到进程", L"error", MB_OK); }
        else {
            ReadProcessMemory(hProcess, (LPCVOID)base, &temp, 4, NULL);
            ReadProcessMemory(hProcess, (LPVOID)(temp + offset1), &temp, 4, 0);
            DWORD res = WriteProcessMemory(hProcess, (LPVOID)(temp + offset2), &sun_value, 4, 0);
            if (res == NULL) return 0;
            else return 1;
        }
        
    }
}

    之后也许会随缘加点功能
  • 相关阅读:
    浏览器HTML5支持程度测试
    Unit testing Cmockery 简单使用
    Linux likely unlikely
    Android development tools line_endings hacking
    Linux C enum
    Android 系统内置App JNI
    Android Broadcast Receiver
    Android获取SharedPreferences失败,且App无法启动
    Sublime-text markdown with Vim mode and auto preview
    遍历Map key-value的两种方法
  • 原文地址:https://www.cnblogs.com/remon535/p/14099498.html
Copyright © 2011-2022 走看看