emmmmmmm,战役模式加上这一次用外挂打通已经是第四次了,开心(๑•̀ㅂ•́)و✧
下面给出我这次使用ce找到的金钱及冷却时间的地址:
金钱:“game.exe”+00635DB4 + 24c
建筑物冷却:
第一个建筑物:“game.exe”+00433A80 + 24
第二个建筑物:“game.exe”+00433AB0 + 24
第三个建筑物:“game.exe”+00433AE0 + 24
。。。
规律就是:后一个建筑物的地址等于前一个建筑物的地址 +0x30,
以下同理。
防御类冷却:
第一个:“game.exe”+00434914 + 24
。。。
兵类:
第一个:“game.exe”+00435748 + 24
。。。
坦克类:
第一个:“game.exe”+004365AC + 24
下面为***c++代码:
请看懂后根据自己需求修改:
#include <bits/stdc++.h>
#include <iostream>
#include <Windows.h>
#include <Tlhelp32.h>
#include <stdio.h>
#include <time.h>
using namespace std;
// Forward declarations for the routines defined further down in this file.
void changeMoney();
// NOTE(review): enableDebugPriv is declared here, but no definition or call is visible in this listing.
void enableDebugPriv();
bool init(string gameName);
int FindPID(string ProcessName);
HMODULE fnGetProcessBase(DWORD PID);
DWORD GetLastErrorBox(HWND hWnd, LPSTR lpTitle) ;
uintptr_t FindDMAAddy(uintptr_t ptr, vector<unsigned int> offsets);
// NOTE(review): hwnd is not referenced anywhere else in this listing.
HWND hwnd;
// Process ID of the target process; assigned by init() from FindPID().
DWORD procID;
// Handle to the target process; assigned by init() from OpenProcess() and
// used by every ReadProcessMemory/WriteProcessMemory call below.
HANDLE handle;
// Base address of the target's main module; assigned by init() from fnGetProcessBase().
// NOTE(review): the original comment named cstrike.exe, while main() passes "game.exe".
// NOTE(review): stored as unsigned int, so a module base above 4 GiB would be
// truncated if this were built as a 64-bit program.
unsigned int BaseAddress;
// Reads one pointer-sized value from the target process at `addr`.
// Returns the value read, or 0 when ReadProcessMemory reports failure, so a
// failed read cannot be told apart from a stored 0 by the caller.
uintptr_t ReadMemory(uintptr_t addr)
{
    uintptr_t value;
    if (ReadProcessMemory(handle, (LPVOID)addr, &value, sizeof(value), 0))
    {
        return value;
    }
    return 0;  // the original spelled this `return false`, which converts to 0
}
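// Sets the money counter of the target process to a fixed amount.
// Pointer chain taken from the notes above the listing: "game.exe"+00635DB4, then +24c.
void changeMoney()
{
    int money = 20000;
    vector<unsigned int> offsets;
    offsets.push_back(0x00635DB4);
    offsets.push_back(0x24c);
    uintptr_t addr = FindDMAAddy(BaseAddress, offsets);
    // FindDMAAddy returns its start pointer when a read along the chain fails.
    // Skip the write in that case, as the cooldown routines in this file do,
    // instead of writing over the start of the module image.
    if (addr == BaseAddress) return;
    if (!WriteProcessMemory(handle, (LPVOID)addr, &money, sizeof(money), 0))
    {
        cout << "error in writing memory!" << endl;
    }
}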
// Writes the "complete" value (53) into the cooldown field of the first
// building slot: chain "game.exe"+00433A80, then +24.
// Not called from main() in this listing.
void electric()
{
    const unsigned int chain[] = {0x00433A80, 0x24};
    vector<unsigned int> offsets(chain, chain + 2);
    int complete = 53;

    const uintptr_t target = FindDMAAddy(BaseAddress, offsets);
    // FindDMAAddy returns its start pointer when the chain could not be read.
    if (target != BaseAddress)
    {
        WriteProcessMemory(handle, (LPVOID)target, &complete, sizeof(complete), 0);
    }
}
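// Shared worker for the four cooldown routines below, which were copies of
// one loop differing only in the first slot offset.
//
// For each of the 8 slots in a group it resolves the chain
// "game.exe"+(firstSlotOffset + 0x30*slot), then +24, and raises the cooldown
// field to 53 when it currently holds less.
//
// Differences from the original copies:
//  - a failed read now skips the slot; the original went through ReadMemory,
//    which returns 0 on failure and therefore triggered the write anyway;
//  - the field is read with the same 4-byte width that is written.
static void refreshCooldownGroup(unsigned int firstSlotOffset)
{
    const unsigned int kSlotCount = 8;         // slots probed per group
    const unsigned int kSlotStride = 0x30;     // step between slot pointers, per the notes above the listing
    const unsigned int kCooldownField = 0x24;  // offset of the cooldown value behind each slot pointer
    const DWORD kComplete = 53;                // value the original code writes as "complete"

    for (unsigned int slot = 0; slot != kSlotCount; ++slot)
    {
        vector<unsigned int> offsets;
        offsets.push_back(firstSlotOffset + kSlotStride * slot);
        offsets.push_back(kCooldownField);

        uintptr_t addr = FindDMAAddy(BaseAddress, offsets);
        // FindDMAAddy returns its start pointer when the chain could not be read.
        if (addr == BaseAddress) continue;

        DWORD current = 0;
        if (!ReadProcessMemory(handle, (LPVOID)addr, &current, sizeof(current), 0)) continue;

        if (current < kComplete)
        {
            // Best effort: a failed write is simply retried on the next pass of main().
            WriteProcessMemory(handle, (LPVOID)addr, &kComplete, sizeof(kComplete), 0);
        }
    }
}

// Building group; first slot at "game.exe"+00433A80.
void freshBuilding()
{
    refreshCooldownGroup(0x00433A80);
}

// Defence group; first slot at "game.exe"+00434914.
void freshDeffence()
{
    refreshCooldownGroup(0x00434914);
}

// Soldier group; first slot at "game.exe"+00435748.
void freshSoldier()
{
    refreshCooldownGroup(0x00435748);
}

// Tank group; first slot at "game.exe"+004365AC.
void freshTank()
{
    refreshCooldownGroup(0x004365AC);
}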
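// Entry point: re-attaches to "game.exe" on every pass, applies the money and
// cooldown writes, then waits before the next pass. The loop never exits.
int main()
{
    for (;;)
    {
        if (!init("game.exe"))
        {
            cout<<"修改器初始化失败!"<<endl;
            Sleep(10000);
            continue;
        }

        changeMoney();    // money counter
        freshBuilding();  // cooldown groups
        freshDeffence();
        freshSoldier();
        freshTank();

        // init() opens a new process handle on every pass. The original only
        // closed it after the infinite loop, which is never reached, so one
        // handle leaked per iteration. Release it here instead.
        CloseHandle(handle);
        handle = NULL;

        Sleep(3000);  // 3 seconds between passes (the original comment said 5)
    }
}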
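// Attaches to the process named `gameName`.
// On success sets the globals procID, handle and BaseAddress and returns true.
// On failure returns false and leaves `handle` as NULL.
bool init(string gameName)
{
    // Release a handle left over from an earlier call so that repeated calls
    // (main() calls this on every pass) do not leak one handle each time.
    if (handle != NULL)
    {
        CloseHandle(handle);
        handle = NULL;
    }

    procID = FindPID(gameName);

    // Request only the rights this program uses: ReadProcessMemory needs
    // PROCESS_VM_READ, WriteProcessMemory needs PROCESS_VM_WRITE together with
    // PROCESS_VM_OPERATION. The original asked for PROCESS_ALL_ACCESS.
    handle = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
                         FALSE, procID);
    if (handle == NULL)
    {
        cout << "There is no such a process!" << endl;
        Sleep(3000);
        return false;
    }

    HMODULE hModule = fnGetProcessBase(procID);
    if (hModule == NULL)
    {
        // Do not keep a process handle open when the attach did not complete.
        CloseHandle(handle);
        handle = NULL;
        return false;
    }

    BaseAddress = (UINT_PTR)hModule;
    return true;
}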
//通过PID获取基地址
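// Returns the module handle (base address) of the first module of process
// `PID` whose path ends in ".exe", compared case-insensitively for ASCII
// letters. Returns NULL when the snapshot cannot be taken or no such module
// is listed.
// Like the original, this treats szExePath as a char string, i.e. it assumes
// a non-UNICODE build.
HMODULE fnGetProcessBase(DWORD PID)
{
    // Module snapshot of the target process (the argument is a process ID).
    HANDLE hSnapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
    if (hSnapShot == INVALID_HANDLE_VALUE)
    {
        // GetLastErrorBox takes a non-const LPSTR, so pass a writable copy
        // rather than converting a string literal.
        char title[] = "can't create Snapshot!";
        GetLastErrorBox(NULL, title);
        return NULL;
    }

    HMODULE hResult = NULL;
    MODULEENTRY32 ModuleEntry32;
    ModuleEntry32.dwSize = sizeof(ModuleEntry32);
    if (Module32First(hSnapShot, &ModuleEntry32))
    {
        do
        {
            const size_t len = strlen(ModuleEntry32.szExePath);
            // The original subtracted 4 unconditionally, which points before
            // the buffer for paths shorter than four characters.
            if (len < 4) continue;

            const char *ext = ModuleEntry32.szExePath + len - 4;
            static const char kWanted[] = ".EXE";
            bool isExe = true;
            for (int i = 0; i < 4; i++)
            {
                char c = ext[i];
                if ((c >= 'a') && (c <= 'z'))
                {
                    c = c - 0x20;  // ASCII upper-case
                }
                if (c != kWanted[i])
                {
                    isExe = false;
                    break;
                }
            }
            if (isExe)
            {
                hResult = ModuleEntry32.hModule;
                break;
            }
        } while (Module32Next(hSnapShot, &ModuleEntry32));
    }

    // Single exit path, so the snapshot handle is always released.
    CloseHandle(hSnapShot);
    return hResult;
}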
// 显示错误信息
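// Shows a message box with the system text for the calling thread's last
// error, then resets the last error to 0.
// Returns 0 when no error is pending; otherwise returns FormatMessage's
// result (the message length, or 0 when no text could be produced).
DWORD GetLastErrorBox(HWND hWnd, LPSTR lpTitle)
{
    // Capture the code once so the later API calls cannot change it.
    const DWORD dwErr = GetLastError();
    if (dwErr == 0) return 0;

    // Initialised so a failed FormatMessage never hands an indeterminate
    // pointer to MessageBox, as the original did.
    LPSTR lpMsg = NULL;

    // The A variants match the LPSTR/LPCSTR types used here regardless of the
    // UNICODE setting. FORMAT_MESSAGE_IGNORE_INSERTS keeps %1-style sequences
    // in system messages from being expanded against a NULL argument list.
    DWORD dwRv = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                                FORMAT_MESSAGE_FROM_SYSTEM |
                                FORMAT_MESSAGE_IGNORE_INSERTS,
                                NULL,
                                dwErr,
                                MAKELANGID(LANG_ENGLISH, SUBLANG_ENGLISH_US),
                                (LPSTR)&lpMsg,
                                0,
                                NULL);

    MessageBoxA(hWnd, dwRv ? lpMsg : "(no system message available)", lpTitle, MB_OK);
    if (dwRv)
        LocalFree(lpMsg);
    SetLastError(0);
    return dwRv;
}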
// Resolves a multi-level pointer chain in the target process.
// Starting from `ptr`, each offset is added in turn; after every offset
// except the last, the pointer-sized value stored at that address is read and
// becomes the new address. The last offset is only added, not dereferenced.
// Returns the resolved address, or `ptr` itself when a read fails.
uintptr_t FindDMAAddy(uintptr_t ptr, vector<unsigned int> offsets)
{
    const size_t hopCount = offsets.size();
    uintptr_t cursor = ptr;
    size_t hop = 0;
    while (hop != hopCount)
    {
        cursor += offsets[hop];
        const bool isFinalHop = (hop + 1 == hopCount);
        if (!isFinalHop)
        {
            uintptr_t next;
            if (!ReadProcessMemory(handle, (LPVOID)cursor, &next, sizeof(next), 0))
            {
                cout<<"error in reading memory!"<<endl;
                return ptr;
            }
            cursor = next;
        }
        ++hop;
    }
    return cursor;
}
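// Looks up a running process by executable name (exact, case-sensitive match
// against PROCESSENTRY32::szExeFile).
// Returns the process ID, or -1 when the snapshot cannot be taken or no
// process matches. The original returned `false` (0) on snapshot failure;
// both failures now use the same -1 sentinel.
int FindPID(string ProcessName)
{
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE)
    {
        cout << "CreateToolhelp32Snapshot Error!" << endl;
        return -1;
    }

    PROCESSENTRY32 pe32;
    pe32.dwSize = sizeof(pe32);

    int pid = -1;
    for (BOOL more = Process32First(hProcessSnap, &pe32);
         more;
         more = Process32Next(hProcessSnap, &pe32))
    {
        if (pe32.szExeFile == ProcessName)
        {
            pid = pe32.th32ProcessID;
            break;
        }
    }

    // Single exit path: the original returned from inside the loop on a match
    // and leaked the snapshot handle.
    CloseHandle(hProcessSnap);
    return pid;
}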

