本示例以植物大戰僵屍為例, 實現功能為 每1秒讓陽光刷新為 9999.本示例使用的游戲版本為 [植物大戰僵屍2010年度版], 使用的輔助查看內存地址的工具是 CE.
由於每次啟動游戲, 游戲中陽光地址都是變的, 唯一不變的基址1, 我們要通過CE工具找到基址1的地址, 可以算出陽光的地址.
基址2的地址 = 基址1中的值 + 偏移1;
陽光的的地址 = 基址2中的值 + 偏移2;
以下為簡單示例: 窗口界面一個按鈕 和 一個定時器
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Drawing;
using System.Linq;
using System.Text;
using System.Windows.Forms;
using System.Runtime.InteropServices;
using System.Diagnostics;
namespace ZhiWuDaZhanJiangShi
{
public partial class Form1 : Form
{
public Form1()
{
InitializeComponent();
}
#region API
//從指定內存中讀取字節集數據
[DllImportAttribute("kernel32.dll", EntryPoint = "ReadProcessMemory")]
public static extern bool ReadProcessMemory(IntPtr hProcess,IntPtr lpBaseAddress,IntPtr lpBuffer,int nSize,IntPtr lpNumberOfBytesRead);
//從指定內存中寫入字節集數據
[DllImportAttribute("kernel32.dll", EntryPoint = "WriteProcessMemory")]
public static extern bool WriteProcessMemory(IntPtr hProcess,IntPtr lpBaseAddress,int[] lpBuffer,int nSize, IntPtr lpNumberOfBytesWritten );
//打開一個已存在的進程對象,並返回進程的句柄
[DllImportAttribute("kernel32.dll", EntryPoint = "OpenProcess")]
public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
//關閉一個內核對象。其中包括文件、文件映射、進程、線程、安全和同步對象等。
[DllImport("kernel32.dll")]
private static extern void CloseHandle(IntPtr hObject);
#endregion
#region 使用方法
//根據進程名獲取PID
public static int GetPidByProcessName(string processName)
{
Process[] arrayProcess = Process.GetProcessesByName(processName);
foreach (Process p in arrayProcess)
{
return p.Id;
}
return 0;
}
//讀取內存中的值
public static int ReadMemoryValue(int baseAddress, string processName)
{
try
{
byte[] buffer = new byte[4];
//獲取緩沖區地址
IntPtr byteAddress = Marshal.UnsafeAddrOfPinnedArrayElement(buffer, 0);
//打開一個已存在的進程對象 0x1F0FFF 最高權限
IntPtr hProcess = OpenProcess(0x1F0FFF, false, GetPidByProcessName(processName));
//將制定內存中的值讀入緩沖區
ReadProcessMemory(hProcess, (IntPtr)baseAddress, byteAddress, 4, IntPtr.Zero);
//關閉操作
CloseHandle(hProcess);
//從非托管內存中讀取一個 32 位帶符號整數。
return Marshal.ReadInt32(byteAddress);
}
catch
{
return 0;
}
}
//將值寫入指定內存地址中
public static void WriteMemoryValue(int baseAddress, string processName, int value)
{
try
{
//打開一個已存在的進程對象 0x1F0FFF 最高權限
IntPtr hProcess = OpenProcess(0x1F0FFF, false, GetPidByProcessName(processName));
//從指定內存中寫入字節集數據
WriteProcessMemory(hProcess, (IntPtr)baseAddress, new int[] { value }, 4, IntPtr.Zero);
//關閉操作
CloseHandle(hProcess);
}
catch { }
}
#endregion
//游戲內存基址
private int baseAddress = 0x0015E944;
//游戲進程名字
private string processName = "PlantsVsZombies";
//開啟/關閉 功能 的按鈕
private void button1_Click(object sender, EventArgs e)
{
if (GetPidByProcessName(processName) == 0)
{
MessageBox.Show("游戲沒有運行!");
return;
}
if (button1.Text == "開啟")
{
button1.Text = "關閉";
timer1.Enabled = true;
}
else
{
button1.Text = "開啟";
timer1.Enabled = false;
}
}
//定時器
private void timer1_Tick(object sender, EventArgs e)
{
if (GetPidByProcessName(processName) == 0)
{
timer1.Enabled = false;
}
//baseAddress : 游戲內存基址 processName : 游戲進程名
//讀取 基址1 中存放的值
int address = ReadMemoryValue(baseAddress, processName);
//計算 基址2的地址 = 基址1中的值 + 偏移量1
address = address + 0x868;
//讀取 基址2 中存放的值
address = ReadMemoryValue(address, processName);
//計算 陽光的地址 = 基址2中的值 + 偏移量2
address = address + 0x5578;
//給陽光地址中寫入數值,0x378 : 888
WriteMemoryValue(address, processName, 0x378);
}
}
}
下面增加了一個刷新金幣的示例 (注意, 金幣值是界面的金幣輸 除以 10 , 我們刷100 在界面里面顯示為1000)
View Code
今天又增加了無植物無冷卻時間的功能
int count = 0;
private void Form1_Load(object sender, EventArgs e)
{
if (GetPidByProcessName(processName) != 0)
{
int address = ReadMemoryValue(baseAddress, processName);
address = address + 0x868;
address = ReadMemoryValue(address, processName);
address = address + 0x15c;
address = ReadMemoryValue(address, processName);
address = address + 0x24;
address = ReadMemoryValue(address, processName);
count = address;
label3.Text = "植物欄個數: " + address.ToString() + " 個";
}
}
private void timer2_Tick(object sender, EventArgs e)
{
if (GetPidByProcessName(processName) == 0)
{
timer2.Enabled = false;
}
if (count > 0)
{
for (int i = 0; i < count; i++)
{
int address = ReadMemoryValue(baseAddress, processName);
address = address + 0x868;//一級地址
address = ReadMemoryValue(address, processName);
address = address + 0x15c;//二級地址
address = ReadMemoryValue(address, processName);
address = address + 0x4c;//第一欄 植物的地址
// 每后一個植物 地址 偏移 50 (在十進制里是80)
//偏移 0x24 的地址 是標示是否在冷卻中 值 :( 0 : 為冷卻中, 1 為冷卻完成)
address = address + 80 * i + 0x24;
WriteMemoryValue(address, processName, 1);
//如果不偏移 0x24 的地址為冷卻時間地址, 值不確定, 一般最大設為6000 也可以完成此功能
//address = address + 80 * i;
//WriteMemoryValue(address, processName, 6000);
}
}
else
{
int address = ReadMemoryValue(baseAddress, processName);
address = address + 0x868;
address = ReadMemoryValue(address, processName);
address = address + 0x15c;
address = ReadMemoryValue(address, processName);
address = address + 0x24;
address = ReadMemoryValue(address, processName);
count = address;
label3.Text = "植物欄個數: " + address.ToString() + " 個";
}
}
private void button3_Click(object sender, EventArgs e)
{
if (GetPidByProcessName(processName) == 0)
{
MessageBox.Show("游戲沒有運行!");
return;
}
if (button3.Text == "有冷卻")
{
button3.Text = "無冷卻";
timer2.Enabled = true;
}
else
{
button3.Text = "有冷卻";
timer2.Enabled = false;
}
}