之前实现了秒杀普通僵尸后就没深入研究了
先用CE找到扣血的判定函数,这里就不演示了。
在dbg中查看该地址,下断
0x566d06把受到攻击前的血量减掉伤害,也就是被攻击后的血量----esi,写入[ebp+C8]。如果把这个sub改成sub esi,esi就能实现秒杀普通僵尸。
运行一下就知道,普通僵尸受到攻击时会停在该断点,但其他有护具的僵尸(例如路障僵尸),则不会停下来。说明这些僵尸判定的函数不一样
ctrl+F9h回到上个call
还是没断
再次ctrl+F9,下断
这次路障僵尸受攻击时停下来了,步入查看。
有一大堆的判定,很有可能是判断僵尸的类型,底部就是普通僵尸受攻击时会断下了的call
这个函数push了三个参数。尝试把最前面的je改成无条件跳转jmp,跳到0x00567211,也就是第一个参数的位置
修改之后就能无视僵尸的护具
再配上前面的秒杀普通僵尸就能实现秒杀所有僵尸
写了个MFC的简单修改器
这里就贴下核心函数
void one_shot(bool status){ DWORD address1 = 0x00566D06;//普通僵尸秒杀 DWORD address2 = 0x00567170;//修改僵尸类型判断 int value1=0x9090F62B;//0x2BF69090 long long int value2=0x900000009CE9;//0xE99C00000090 int old_value1=0x2024742b;//0x2b742420 long long int old_value2=0xBE8000000A3840F;//0x0F84A300000080BE DWORD pid; CString result; HWND hwnd = FindWindow(L"MainWindow", L"Plants vs. Zombies GOTY "); if (hwnd != NULL) { GetWindowThreadProcessId(hwnd, &pid); HANDLE hProcess; hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid); if (NULL == hProcess) { MessageBox(NULL, L"找不到进程", L"error", MB_OK); } else { if (status == false) { DWORD res1 = WriteProcessMemory(hProcess, (LPVOID)(address1), &value1, 4, 0); DWORD res2 = WriteProcessMemory(hProcess, (LPVOID)(address2), &value2, 6, 0); } else{ DWORD res1 = WriteProcessMemory(hProcess, (LPVOID)(address1), &old_value1, 4, 0); DWORD res2 = WriteProcessMemory(hProcess, (LPVOID)(address2), &old_value2, 6, 0); } } } }
BOOL infinite_sun(int sun_value){ DWORD base = 0x007794F8;//base DWORD offset1 = 0x868;//offset1 DWORD offset2 = 0x5578;//offset2 DWORD temp; DWORD pid; CString result; HWND hwnd = FindWindow(L"MainWindow",L"Plants vs. Zombies GOTY "); if (hwnd != NULL) { GetWindowThreadProcessId(hwnd, &pid); HANDLE hProcess; hProcess = OpenProcess(PROCESS_ALL_ACCESS, FALSE,pid); if (NULL == hProcess) { MessageBox(NULL, L"找不到进程", L"error", MB_OK); } else { ReadProcessMemory(hProcess, (LPCVOID)base, &temp, 4, NULL); ReadProcessMemory(hProcess, (LPVOID)(temp + offset1), &temp, 4, 0); DWORD res = WriteProcessMemory(hProcess, (LPVOID)(temp + offset2), &sun_value, 4, 0); if (res == NULL) return 0; else return 1; } } }
之后也许会随缘加点功能