共计 5253 个字符,预计需要花费 14 分钟才能阅读完成。
本示例以植物大战僵尸为例, 实现功能为 每 1 秒让阳光刷新为 9999. 本示例使用的游戏版本为 [植物大战僵尸 2010 年度版], 使用的辅助查看内存地址的工具是 CE.
由于每次启动游戏, 游戏中阳光地址都是变的, 唯一不变的基址 1, 我们要通过 CE 工具找到基址 1 的地址, 可以算出阳光的地址.
基址 2 的地址 = 基址 1 中的值 + 偏移 1;
阳光的的地址 = 基址 2 中的值 + 偏移 2;
以下为简单示例: 窗口界面一个按钮 和 一个定时器
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace ZhiWuDaZhanJiangShi
{
public partial class Form1 : Form
{public Form1()
{InitializeComponent();
}
#region API
// 从指定内存中读取字节集数据
[DllImportAttribute("kernel32.dll", EntryPoint = "ReadProcessMemory")]
public static extern bool ReadProcessMemory(IntPtr hProcess,IntPtr lpBaseAddress,IntPtr lpBuffer,int nSize,IntPtr lpNumberOfBytesRead);
// 从指定内存中写入字节集数据
[DllImportAttribute("kernel32.dll", EntryPoint = "WriteProcessMemory")]
public static extern bool WriteProcessMemory(IntPtr hProcess,IntPtr lpBaseAddress,int[] lpBuffer,int nSize, IntPtr lpNumberOfBytesWritten );
// 打开一个已存在的进程对象,并返回进程的句柄
[DllImportAttribute("kernel32.dll", EntryPoint = "OpenProcess")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
// 关闭一个内核对象。其中包括文件、文件映射、进程、线程、安全和同步对象等。[DllImport("kernel32.dll")]
private static extern void CloseHandle(IntPtr hObject);
#endregion
#region 使用方法
// 根据进程名获取 PID
public static int GetPidByProcessName(string processName)
{Process[] arrayProcess = Process.GetProcessesByName(processName);
foreach (Process p in arrayProcess)
{return p.Id;}
return 0;
}
// 读取内存中的值
public static int ReadMemoryValue(int baseAddress, string processName)
{
try
{byte[] buffer = new byte[4];
// 获取缓冲区地址
IntPtr byteAddress = Marshal.UnsafeAddrOfPinnedArrayElement(buffer, 0);
// 打开一个已存在的进程对象 0x1F0FFF 最高权限
IntPtr hProcess = OpenProcess(0x1F0FFF, false, GetPidByProcessName(processName));
// 将制定内存中的值读入缓冲区
ReadProcessMemory(hProcess, (IntPtr)baseAddress, byteAddress, 4, IntPtr.Zero);
// 关闭操作
CloseHandle(hProcess);
// 从非托管内存中读取一个 32 位带符号整数。return Marshal.ReadInt32(byteAddress);
}
catch
{return 0;}
}
// 将值写入指定内存地址中
public static void WriteMemoryValue(int baseAddress, string processName, int value)
{
try
{
// 打开一个已存在的进程对象 0x1F0FFF 最高权限
IntPtr hProcess = OpenProcess(0x1F0FFF, false, GetPidByProcessName(processName));
// 从指定内存中写入字节集数据
WriteProcessMemory(hProcess, (IntPtr)baseAddress, new int[] { value}, 4, IntPtr.Zero);
// 关闭操作
CloseHandle(hProcess);
}
catch {}}
#endregion
// 游戏内存基址
private int baseAddress = 0x0015E944;
// 游戏进程名字
private string processName = "PlantsVsZombies";
// 开启 / 关闭 功能 的按钮
private void button1_Click(object sender, EventArgs e)
{if (GetPidByProcessName(processName) == 0)
{MessageBox.Show(" 游戏没有运行!");
return;
}
if (button1.Text == " 开启 ")
{
button1.Text = " 关闭 ";
timer1.Enabled = true;
}
else
{
button1.Text = " 开启 ";
timer1.Enabled = false;
}
}
// 定时器
private void timer1_Tick(object sender, EventArgs e)
{if (GetPidByProcessName(processName) == 0)
{timer1.Enabled = false;}
//baseAddress : 游戏内存基址 processName : 游戏进程名
// 读取 基址 1 中存放的值
int address = ReadMemoryValue(baseAddress, processName);
// 计算 基址 2 的地址 = 基址 1 中的值 + 偏移量 1
address = address + 0x868;
// 读取 基址 2 中存放的值
address = ReadMemoryValue(address, processName);
// 计算 阳光的地址 = 基址 2 中的值 + 偏移量 2
address = address + 0x5578;
// 给阳光地址中写入数值,0x378 : 888
WriteMemoryValue(address, processName, 0x378);
}
}
}下面增加了一个刷新金币的示例 (注意, 金币值是界面的金币输 除以 10 , 我们刷 100 在界面里面显示为 1000)
private void button2_Click(object sender, EventArgs e)
{if (GetPidByProcessName(processName) == 0)
{MessageBox.Show(" 游戏没有运行!");
return;
}
//baseAddress : 游戏内存基址 processName : 游戏进程名
// 读取 基址 1 中存放的值
int address = ReadMemoryValue(baseAddress, processName);
// 计算 基址 2 的地址 = 基址 1 中的值 + 偏移量 1
address = address + 0x950;
// 读取 基址 2 中存放的值
address = ReadMemoryValue(address, processName);
// 计算 阳光的地址 = 基址 2 中的值 + 偏移量 2
address = address + 0x50;
// 给阳光地址中写入数值,0x378 : 888
WriteMemoryValue(address, processName, GetInt(textBox2.Text));
}
private int GetInt(string s)
{
int n = 0;
int.TryParse(s, out n);
if (n <= 0)
{n = 100;}
return n;
}今天又增加了无植物无冷却时间的功能
int count = 0;
private void Form1_Load(object sender, EventArgs e)
{if (GetPidByProcessName(processName) != 0)
{int address = ReadMemoryValue(baseAddress, processName);
address = address + 0x868;
address = ReadMemoryValue(address, processName);
address = address + 0x15c;
address = ReadMemoryValue(address, processName);
address = address + 0x24;
address = ReadMemoryValue(address, processName);
count = address;
label3.Text = " 植物栏个数: " + address.ToString() + " 个 ";}
}
private void timer2_Tick(object sender, EventArgs e)
{if (GetPidByProcessName(processName) == 0)
{timer2.Enabled = false;}
if (count > 0)
{for (int i = 0; i < count; i++)
{int address = ReadMemoryValue(baseAddress, processName);
address = address + 0x868;// 一级地址
address = ReadMemoryValue(address, processName);
address = address + 0x15c;// 二级地址
address = ReadMemoryValue(address, processName);
address = address + 0x4c;// 第一栏 植物的地址
// 每后一个植物 地址 偏移 50 (在十进制里是 80)
// 偏移 0x24 的地址 是标示是否在冷却中 值 :(0 : 为冷却中, 1 为冷却完成)
address = address + 80 * i + 0x24;
WriteMemoryValue(address, processName, 1);
// 如果不偏移 0x24 的地址为冷却时间地址, 值不确定, 一般最大设为 6000 也可以完成此功能
//address = address + 80 * i;
//WriteMemoryValue(address, processName, 6000);
}
}
else
{int address = ReadMemoryValue(baseAddress, processName);
address = address + 0x868;
address = ReadMemoryValue(address, processName);
address = address + 0x15c;
address = ReadMemoryValue(address, processName);
address = address + 0x24;
address = ReadMemoryValue(address, processName);
count = address;
label3.Text = " 植物栏个数: " + address.ToString() + " 个 ";}
}
private void button3_Click(object sender, EventArgs e)
{if (GetPidByProcessName(processName) == 0)
{MessageBox.Show(" 游戏没有运行!");
return;
}
if (button3.Text == " 有冷却 ")
{
button3.Text = " 无冷却 ";
timer2.Enabled = true;
}
else
{
button3.Text = " 有冷却 ";
timer2.Enabled = false;
}
}转自:https://blog.csdn.net/changblade/article/details/82027440
正文完
