Posted 2024-03-12Updated 2024-10-21实践5 minutes read (About 706 words)

植物大战僵尸杂交版辅助制作

外挂思路很简单，就是在CE里找有关数据和代码地址，通过修改进程数据和代码实现相关功能，这里简单记录一下我的外挂实现方法

效果图：

cbf0daa9-bbe6-4890-b9bf-328cb2e0652f

小富一手（阳光加1000）

在CE中找到阳光的地址，进行读取和写入操作即可

BOOL GetRich(HANDLE hProcess)
{
        static int count = 0;
        uint32_t addr = getAddr(hProcess, SunBaseAddr, OFFSET_NUM1, sunOffset);
        if (addr)
        {
                int NowSun = 0;
                if (ReadProcessMemory(hProcess, (LPVOID)addr, &NowSun, 4, NULL))
                {
                        int Buffer = AddSun + NowSun;//读取后进行加1000操作后写入
                        if (WriteProcessMemory(hProcess, (LPVOID)addr, &Buffer, 4, NULL))
                        {
                                return true;
                        }
                }
                
        }
        return false;
}

免费种植

根据阳光地址，在CE中找到改写该地址的代码，分析汇编代码找到扣除阳光的逻辑，nop掉即可

/*免费终止代码实现过程
* [edi+5560]处是当前阳光值,cmp ebx,eax中ebx是要种植植物所需的阳光,eax是当前阳光值
* 
0041BA60  | 56                              | push esi                                     |
0041BA61  | 8BB7 60550000                   | mov esi,dword ptr ds:[edi+5560]              | edi+5560:L"ē"
0041BA67  | 8BD7                            | mov edx,edi                                  | edx:"╨e", edi:"╨e"
0041BA69  | E8 12FFFFFF                     | call plantsvszombies.41B980                  |
0041BA6E  | 03C6                            | add eax,esi                                  |
0041BA70  | 3BD8                            | cmp ebx,eax                                  |
0041BA72  | 7F 0C                           | jg plantsvszombies.41BA80                    |
0041BA74  | 2BF3                            | sub esi,ebx                                  |
0041BA76  | E9 253C4300                     | jmp plantsvszombies.84F6A0                   |


0x0041BA74
{
0x2B, 0xF3
};
替换成
{
0x90, 0x90
};
0041BA60  | 56                          | push esi                                     |
0041BA61  | 8BB7 60550000               | mov esi,dword ptr ds:[edi+5560]              |
0041BA67  | 8BD7                        | mov edx,edi                                  |
0041BA69  | E8 12FFFFFF                 | call plantsvszombies.41B980                  |
0041BA6E  | 03C6                        | add eax,esi                                  |
0041BA70  | 3BD8                        | cmp ebx,eax                                  |
0041BA72  | 7F 0C                       | jg plantsvszombies.41BA80                    |
0041BA74  | 90                          | nop                                          |
0041BA75  | 90                          | nop                                          |
0041BA76  | E9 253C4300                 | jmp plantsvszombies.84F6A0                   |
*/

BOOL Unlimited_SunShine(HANDLE hProcess)
{
        uint8_t shellcode[] = {
0x90, 0x90
        };//nop指令填充扣除阳光的逻辑代码
        size_t size = sizeof(shellcode) / sizeof(shellcode[0]);
        VirtualProtectEx(hProcess, (LPVOID)TextSubSun, size, PAGE_EXECUTE_READWRITE, NULL);
        if (WriteProcessMemory(hProcess, (LPVOID)TextSubSun, (LPCVOID)shellcode, size, NULL))
        {

                return true;
        }
        return false;
}

零冷却

同理，找到CD的内存地址，在CE中寻找改写该地址的汇编代码，里面含有CD是否冷却完成的条件跳转，转成绝对跳转即可

/*零CD代码实现过程
* 植物种下后[ebp+24]地址的双浮点数作为计数器逐渐增加
00488E71  | 33C0                            | xor eax,eax                                  |
00488E73  | C645 48 00                      | mov byte ptr ss:[ebp+48],0                   |
00488E77  | 8945 24                         | mov dword ptr ss:[ebp+24],eax                |
00488E7A  | 8945 28                         | mov dword ptr ss:[ebp+28],eax                | [ebp+28]:L"2"
00488E7D  | 8845 49                         | mov byte ptr ss:[ebp+49],al                  |
*/

/*
* [edi+24]处为计数器,值增加,[edi+28]为植物属性CD
0048728C  | 8347 24 01                      | add dword ptr ds:[edi+24],1                  |
00487290  | 8B47 24                         | mov eax,dword ptr ds:[edi+24]                |
00487293  | 3B47 28                         | cmp eax,dword ptr ds:[edi+28]                |
00487296  | 7E 14                           | jle plantsvszombies.4872AC                   |

0x0048728C
{
0x83, 0x47, 0x24, 0x01, 0x8B, 0x47, 0x24
};

替换成
{
0x8B, 0x47, 0x28, 0x90, 0x83, 0xC0, 0x01, 0x3B, 0x47, 0x28
};
修改目的:计数器始终比CD大1,实现绝对跳转0 CD
0048728C  | 8B47 28                         | mov eax,dword ptr ds:[edi+28]                |
0048728F  | 90                              | nop                                          |
00487290  | 83C0 01                         | add eax,1                                    |
00487293  | 3B47 28                         | cmp eax,dword ptr ds:[edi+28]                |
*/


BOOL zeroCD(HANDLE hProcess)
{
        uint8_t shellcode[] = {
0x8B, 0x47, 0x28, 0x90, 0x83, 0xC0, 0x01, 0x3B, 0x47, 0x28
        };
        size_t size = sizeof(shellcode) / sizeof(shellcode[0]);
        VirtualProtectEx(hProcess, (LPVOID)TextZeroCD, size, PAGE_EXECUTE_READWRITE, NULL);
        
        if (WriteProcessMemory(hProcess, (LPVOID)TextZeroCD, (LPCVOID)shellcode, size, NULL))
        {
                return true;
        }
        return false;
}

#破解逆向游戏安全

植物大战僵尸杂交版辅助制作

小富一手（阳光加1000）

免费种植

零冷却

Catalogue

Links

Categories

Recents

Archives

Tags