文章目錄
- 前言
- 準備工作:基地址與偏移
- UI界面設計和綁定
- 項目模板
- 總覽圖
- 生成與實現
- 信號處理
- 1、陽光值更新:BTN1
- 2、三種錢幣值更新:BTN2-BTN4
- 3、冷卻刷新:BTN5
- 4、鎖定陽光:check1
- 5、無冷卻:check2
- 6、OnTimer()和OnClose()處理函數
- 7、其余未描述部分參考
前言
最近出來的PVZ雜交版又掀起一波熱潮,在各大短視頻平臺也有一席之地,借助工具Cheat Engine,寫了個簡單的植物大戰僵尸雜交版破解程序,話不多說,我們來看如何實現的。
工具:Cheat Engine、visual studio (MFC支持)、植物大戰僵尸雜交版
準備工作:基地址與偏移
通過CE尋找基地址的工作可以參考其他人的博客:
通過CE尋找游戲基址1
通過CE尋找游戲基址2
這里直接給出對應內容:【基址+偏移】
陽光值:0x006A9EC0 + 0x00000768 + 0x00005560
銀幣值:0x006A9EC0 + 0x0000082C + 0x00000208
金幣值:0x006A9EC0 + 0x0000082C + 0x0000020C
鉆石值:0x006A9EC0 + 0x0000082C + 0x00000210
冷卻值:0x006A9EC0 + 0x00000768 + 0x00000144 +{
0x00000070, 0x000000C0, 0x00000110, 0x00000160,
0x000001B0, 0x00000200, 0x00000250, 0x000002A0,
0x000002F0, 0x00000340, 0x00000390, 0x000003E0,
0x00000430, 0x00000480, 0x000004D0, 0x00000520
對應卡牌欄目第幾章卡牌,索引就是幾,實際上卡牌不會超過14張,只要給出14個就行了,找到前幾個偏移量之后可以按照規律往后推測。
}
UI界面設計和綁定
項目模板
使用MFC應用程序,選擇基于對話框選項
總覽圖
生成與實現
1、依此雙擊按鈕、單選框,studio會自動建立信號與函數的映射。
2、Dlg.h中添加成員變量:
public:
UINT sunvalue; //陽光
UINT money_a; //銀幣
UINT money_b; //金幣
UINT money_c; //鉆石
int check1; //鎖定陽光 check 的狀態
int check2; //無冷卻 check 的狀態
3、Dlg.cpp中進行內容綁定:
void CPVZCrackerDlg::DoDataExchange(CDataExchange* pDX){CDialogEx::DoDataExchange(pDX);DDX_Text(pDX, IDC_EDIT1, sunvalue); //將edit1的內容與sunvalue綁定,以下同理DDX_Text(pDX, IDC_EDIT2, money_a); DDX_Text(pDX, IDC_EDIT3, money_b); DDX_Text(pDX, IDC_EDIT4, money_c); DDX_Check(pDX, CHECK1, check1);DDX_Check(pDX, CHECK2, check2);
}
4、如何讓check選擇時,實現陽光鎖定和刷新冷卻呢?
可以在check勾選時,開啟定時器,每隔0.5s進行模擬點擊刷新事件來達到效果
因此需要引入定時器模塊,給出相關博客(主要參考2)
MFC中如何使用定時器:1
MFC中如何使用定時器:2
創建出void XXXXXDlg::OnTimer(UINT_PTR nIDEvent)。
當勾選狀態時,打開計時器,未勾選狀態時,關閉計時器即可
5、經過上面的操作后,Dlg.h內容大致如下:
// PVZCrackerDlg.h: 頭文件
//#pragma once// CPVZCrackerDlg 對話框
class CPVZCrackerDlg : public CDialogEx
{
// 構造
public:CPVZCrackerDlg(CWnd* pParent = nullptr); // 標準構造函數UINT sunvalue; //陽光UINT money_a; //銀幣UINT money_b; //金幣UINT money_c; //鉆石int check1; //鎖定陽光 check 的狀態int check2; //無冷卻 check 的狀態
// 對話框數據
#ifdef AFX_DESIGN_TIMEenum { IDD = IDD_PVZCRACKER_DIALOG };
#endifprotected:virtual void DoDataExchange(CDataExchange* pDX); // DDX/DDV 支持// 實現
protected:HICON m_hIcon;// 生成的消息映射函數virtual BOOL OnInitDialog();afx_msg void OnPaint();afx_msg HCURSOR OnQueryDragIcon();DECLARE_MESSAGE_MAP()
public:afx_msg void OnBnClickedButton1();afx_msg void OnBnClickedButton2();afx_msg void OnBnClickedButton3();afx_msg void OnBnClickedButton4();afx_msg void OnBnClickedButton5();afx_msg void OnBnClickedCheck1();afx_msg void OnBnClickedCheck2();afx_msg void OnTimer(UINT_PTR nIDEvent);int TIM_X ;afx_msg void OnClose();
};信號處理
1、陽光值更新:BTN1
void CPVZCrackerDlg::OnBnClickedButton1(){// 修改陽光UpdateData(TRUE); //先進行數據更新HWND PVZ; //獲取窗口句柄PVZ = ::FindWindow(L"MAINWINDOW", L"植物大戰僵尸雜交版v2.0");//這里需要對應游戲窗口名。DWORD pid = 0;GetWindowThreadProcessId(PVZ, &pid); //獲取進程idHANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);//打開進程,獲取所有權SIZE_T ipread = 0; //下面要用的參數,實際上往往忽略,但不寫又不行DWORD base = 0x006A9EC0; //數據基地址偏移量等由CE給出。DWORD offset1 = 0x00000768;DWORD offset2 = 0x00005560;//[A]->B 表示將A地址里的值拿到B中,不加[]代表立即數下文同理,如有錯誤歡迎指正//[base]->sunbaseDWORD sunbase = 0;ReadProcessMemory(handle, LPCVOID(base), &sunbase, sizeof(DWORD), &ipread);//[sunbase+offset1]->sunoffset1DWORD sunoffset1 = 0;ReadProcessMemory(handle, LPCVOID(sunbase + offset1), &sunoffset1, sizeof(DWORD), &ipread);//sunvalue -> [sunoffset1+offset2]DWORD svalue = sunvalue;WriteProcessMemory(handle, LPVOID(sunoffset1 + offset2), &svalue, sizeof(DWORD), &ipread);
}
2、三種錢幣值更新:BTN2-BTN4
void CPVZCrackerDlg::OnBnClickedButton2(){// TODO: 在此添加控件通知處理程序代碼// 修改銀幣UpdateData(TRUE);HWND PVZ;PVZ = ::FindWindow(L"MAINWINDOW", L"植物大戰僵尸雜交版v2.0");DWORD pid = 0;GetWindowThreadProcessId(PVZ, &pid);HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);SIZE_T ipread = 0; //下面要用的參數DWORD base = 0x006A9EC0; //數據基地址偏移量等由CE給出。DWORD offset1 = 0x0000082C;DWORD offset2 = 0x00000208;//[base]->moneybaseDWORD moneybase = 0;ReadProcessMemory(handle, LPCVOID(base), &moneybase, sizeof(DWORD), &ipread);//[moneybase+offset1]->moneyoffset1DWORD moneyoffset1 = 0;ReadProcessMemory(handle, LPCVOID(moneybase + offset1), &moneyoffset1, sizeof(DWORD), &ipread);//money_a -> [moneyoffset1+offset2]DWORD svalue = money_a;WriteProcessMemory(handle, LPVOID(moneyoffset1 + offset2), &svalue, sizeof(DWORD), &ipread);
}
void CPVZCrackerDlg::OnBnClickedButton3(){// TODO: 在此添加控件通知處理程序代碼// 修改金幣UpdateData(TRUE);HWND PVZ;PVZ = ::FindWindow(L"MAINWINDOW", L"植物大戰僵尸雜交版v2.0");DWORD pid = 0;GetWindowThreadProcessId(PVZ, &pid);HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);SIZE_T ipread = 0; //下面要用的參數DWORD base = 0x006A9EC0; //數據基地址偏移量等由CE給出。DWORD offset1 = 0x0000082C;DWORD offset2 = 0x0000020C;//[base]->moneybaseDWORD moneybase = 0;ReadProcessMemory(handle, LPCVOID(base), &moneybase, sizeof(DWORD), &ipread);//[moneybase+offset1]->moneyoffset1DWORD moneyoffset1 = 0;ReadProcessMemory(handle, LPCVOID(moneybase + offset1), &moneyoffset1, sizeof(DWORD), &ipread);//money_b -> [moneyoffset1+offset2]DWORD svalue = money_b;WriteProcessMemory(handle, LPVOID(moneyoffset1 + offset2), &svalue, sizeof(DWORD), &ipread);
}void CPVZCrackerDlg::OnBnClickedButton4(){// TODO: 在此添加控件通知處理程序代碼// 修改鉆石UpdateData(TRUE);HWND PVZ;PVZ = ::FindWindow(L"MAINWINDOW", L"植物大戰僵尸雜交版v2.0");DWORD pid = 0;GetWindowThreadProcessId(PVZ, &pid);HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);SIZE_T ipread = 0; //下面要用的參數DWORD base = 0x006A9EC0; //數據基地址偏移量等由CE給出。DWORD offset1 = 0x0000082C;DWORD offset2 = 0x00000210;//[base]->moneybaseDWORD moneybase = 0;ReadProcessMemory(handle, LPCVOID(base), &moneybase, sizeof(DWORD), &ipread);//[moneybase+offset1]->moneyoffset1DWORD moneyoffset1 = 0;ReadProcessMemory(handle, LPCVOID(moneybase + offset1), &moneyoffset1, sizeof(DWORD), &ipread);//money_a -> [moneyoffset1+offset2]DWORD svalue = money_c;WriteProcessMemory(handle, LPVOID(moneyoffset1 + offset2), &svalue, sizeof(DWORD), &ipread);
}
3、冷卻刷新:BTN5
void CPVZCrackerDlg::OnBnClickedButton5(){// 修改冷卻UpdateData(TRUE);HWND PVZ;PVZ = ::FindWindow(L"MAINWINDOW", L"植物大戰僵尸雜交版v2.0");DWORD pid = 0;GetWindowThreadProcessId(PVZ, &pid);HANDLE handle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);SIZE_T ipread = 0; //下面要用的參數DWORD base = 0x006A9EC0; //數據基地址偏移量等由CE給出。DWORD offset1 = 0x00000768;DWORD offset2 = 0x00000144;DWORD offset3[16] = {0x00000070, 0x000000C0, 0x00000110, 0x00000160,0x000001B0, 0x00000200, 0x00000250, 0x000002A0,0x000002F0, 0x00000340, 0x00000390, 0x000003E0,0x00000430, 0x00000480, 0x000004D0, 0x00000520};//[base]->freshbaseDWORD freshbase = 0;ReadProcessMemory(handle, LPCVOID(base), &freshbase, sizeof(DWORD), &ipread);//[freshbase+offset1]->freshoffset1DWORD freshoffset1 = 0;ReadProcessMemory(handle, LPCVOID(freshbase + offset1), &freshoffset1, sizeof(DWORD), &ipread);//[freshoffset1+offset2]->freshoffset2DWORD freshoffset2 = 0;ReadProcessMemory(handle, LPVOID(freshoffset1 + offset2), &freshoffset2, sizeof(DWORD), &ipread);//1 ->[freshoffset2+offset3]DWORD freshvalue = 1; //1代表冷卻完畢 其他代表正在冷卻for (int i = 0; i < 16; ++i)WriteProcessMemory(handle, LPVOID(freshoffset2 + offset3[i]), &freshvalue, sizeof(DWORD), &ipread);
}
4、鎖定陽光:check1
void CPVZCrackerDlg::OnBnClickedCheck1(){// TODO: 在此添加控件通知處理程序代碼CButton* pBtn = (CButton*)GetDlgItem(CHECK1);int checked = pBtn->GetCheck(); //獲取check狀態//實際上可以直接check1switch (checked){case 1: {SetTimer(1, 500, NULL); //設置500ms為周期的定時器,標簽為1,并開啟break;}case 0: {KillTimer(1); //關閉標簽為1的定時器break;}default:break;}
}
5、無冷卻:check2
void CPVZCrackerDlg::OnBnClickedCheck2(){// TODO: 在此添加控件通知處理程序代碼CButton* pBtn = (CButton*)GetDlgItem(CHECK2);int checked = pBtn->GetCheck();switch (checked) {case 1: {SetTimer(2, 500, NULL);break;}case 0: {KillTimer(2);break;}default:break;}
}
6、OnTimer()和OnClose()處理函數
void CPVZCrackerDlg::OnTimer(UINT_PTR nIDEvent)
{// TODO: 在此添加消息處理程序代碼和/或調用默認值switch (nIDEvent){case 1: OnBnClickedButton1(); break;case 2: OnBnClickedButton5(); break;default:break;}CDialogEx::OnTimer(nIDEvent);
}void CPVZCrackerDlg::OnClose()
{// TODO: 在此添加消息處理程序代碼和/或調用默認值KillTimer(1);KillTimer(2);CDialogEx::OnClose();
}
7、其余未描述部分參考
// PVZCrackerDlg.cpp: 實現文件
#include "pch.h"
#include "framework.h"
#include "PVZCracker.h"
#include "PVZCrackerDlg.h"
#include "afxdialogex.h"#ifdef _DEBUG
#define new DEBUG_NEW
#endif// CPVZCrackerDlg 對話框
CPVZCrackerDlg::CPVZCrackerDlg(CWnd* pParent /*=nullptr*/): CDialogEx(IDD_PVZCRACKER_DIALOG, pParent){m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);check1 = 0;check2 = 0;sunvalue = 5000;money_a = 10000;money_b = 10000;money_c = 10000;TIM_X = 0;
}void CPVZCrackerDlg::DoDataExchange(CDataExchange* pDX){CDialogEx::DoDataExchange(pDX);DDX_Text(pDX, IDC_EDIT1, sunvalue); //將edit1的內容與sunvalue綁定,以下同理DDX_Text(pDX, IDC_EDIT2, money_a); DDX_Text(pDX, IDC_EDIT3, money_b); DDX_Text(pDX, IDC_EDIT4, money_c); DDX_Check(pDX, CHECK1, check1);DDX_Check(pDX, CHECK2, check2);
}BEGIN_MESSAGE_MAP(CPVZCrackerDlg, CDialogEx)ON_WM_PAINT()ON_WM_QUERYDRAGICON()ON_BN_CLICKED(IDC_BUTTON1, &CPVZCrackerDlg::OnBnClickedButton1)ON_BN_CLICKED(IDC_BUTTON2, &CPVZCrackerDlg::OnBnClickedButton2)ON_BN_CLICKED(IDC_BUTTON3, &CPVZCrackerDlg::OnBnClickedButton3)ON_BN_CLICKED(IDC_BUTTON4, &CPVZCrackerDlg::OnBnClickedButton4)ON_BN_CLICKED(IDC_BUTTON5, &CPVZCrackerDlg::OnBnClickedButton5)ON_BN_CLICKED(CHECK1, &CPVZCrackerDlg::OnBnClickedCheck1)ON_BN_CLICKED(CHECK2, &CPVZCrackerDlg::OnBnClickedCheck2)ON_WM_TIMER()ON_WM_CLOSE()
END_MESSAGE_MAP()// CPVZCrackerDlg 消息處理程序BOOL CPVZCrackerDlg::OnInitDialog()
{CDialogEx::OnInitDialog();// 設置此對話框的圖標。 當應用程序主窗口不是對話框時,框架將自動// 執行此操作SetIcon(m_hIcon, TRUE); // 設置大圖標SetIcon(m_hIcon, FALSE); // 設置小圖標// TODO: 在此添加額外的初始化代碼this->SetWindowTextW(L"植物大戰僵尸雜交版破解 by 和八哥的環球探險");return TRUE; // 除非將焦點設置到控件,否則返回 TRUE
}// 如果向對話框添加最小化按鈕,則需要下面的代碼來繪制該圖標。對于使用文檔/視圖模型的 MFC 應用程序,這將由框架自動完成。void CPVZCrackerDlg::OnPaint()
{if (IsIconic()){CPaintDC dc(this); // 用于繪制的設備上下文SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);// 使圖標在工作區矩形中居中int cxIcon = GetSystemMetrics(SM_CXICON);int cyIcon = GetSystemMetrics(SM_CYICON);CRect rect;GetClientRect(&rect);int x = (rect.Width() - cxIcon + 1) / 2;int y = (rect.Height() - cyIcon + 1) / 2;// 繪制圖標dc.DrawIcon(x, y, m_hIcon);}else{CDialogEx::OnPaint();}
}//當用戶拖動最小化窗口時系統調用此函數取得光標
//顯示。
HCURSOR CPVZCrackerDlg::OnQueryDragIcon()
{return static_cast<HCURSOR>(m_hIcon);
}
)
部署YOLOv5-YOLOv7步驟詳解)
)
