標籤:符號 attr com lin mod isp 整數 open 返回
本樣本以植物大戰殭屍為例, 實現功能為 每1秒讓陽光重新整理為 9999.本樣本使用的遊戲版本為 [植物大戰殭屍2010年度版], 使用的輔助查看記憶體位址的工具是 CE.
由於每次啟動遊戲, 遊戲中陽光地址都是變的, 唯一不變的基址1, 我們要通過CE工具找到基址1的地址, 可以算出陽光的地址.
基址2的地址 = 基址1中的值 + 位移1;
陽光的的地址 = 基址2中的值 + 位移2;
以下為簡單樣本: 視窗介面一個按鈕 和 一個定時器
using System;using System.Collections.Generic;using System.ComponentModel;using System.Data;using System.Drawing;using System.Linq;using System.Text;using System.Windows.Forms;using System.Runtime.InteropServices;using System.Diagnostics;namespace ZhiWuDaZhanJiangShi{ public partial class Form1 : Form { public Form1() { InitializeComponent(); } #region API //從指定記憶體中讀取位元組集資料 [DllImportAttribute("kernel32.dll", EntryPoint = "ReadProcessMemory")] public static extern bool ReadProcessMemory(IntPtr hProcess,IntPtr lpBaseAddress,IntPtr lpBuffer,int nSize,IntPtr lpNumberOfBytesRead); //從指定記憶體中寫入位元組集資料 [DllImportAttribute("kernel32.dll", EntryPoint = "WriteProcessMemory")] public static extern bool WriteProcessMemory(IntPtr hProcess,IntPtr lpBaseAddress,int[] lpBuffer,int nSize, IntPtr lpNumberOfBytesWritten ); //開啟一個已存在的進程對象,並返回進程的控制代碼 [DllImportAttribute("kernel32.dll", EntryPoint = "OpenProcess")] public static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId); //關閉一個核心對象。其中包括檔案、檔案對應、進程、線程、安全和同步對象等。 [DllImport("kernel32.dll")] private static extern void CloseHandle(IntPtr hObject); #endregion #region 使用方法 //根據進程名擷取PID public static int GetPidByProcessName(string processName) { Process[] arrayProcess = Process.GetProcessesByName(processName); foreach (Process p in arrayProcess) { return p.Id; } return 0; } //讀取記憶體中的值 public static int ReadMemoryValue(int baseAddress, string processName) { try { byte[] buffer = new byte[4]; //擷取緩衝區地址 IntPtr byteAddress = Marshal.UnsafeAddrOfPinnedArrayElement(buffer, 0); //開啟一個已存在的進程對象 0x1F0FFF 最高許可權 IntPtr hProcess = OpenProcess(0x1F0FFF, false, GetPidByProcessName(processName)); //將制定記憶體中的值讀入緩衝區 ReadProcessMemory(hProcess, (IntPtr)baseAddress, byteAddress, 4, IntPtr.Zero); //關閉操作 CloseHandle(hProcess); //從非託管記憶體中讀取一個 32 位帶正負號的整數。 return Marshal.ReadInt32(byteAddress); } catch { return 0; } } //將值寫入指定記憶體位址中 public static void WriteMemoryValue(int baseAddress, string processName, int value) { try { //開啟一個已存在的進程對象 0x1F0FFF 最高許可權 IntPtr hProcess = OpenProcess(0x1F0FFF, false, GetPidByProcessName(processName)); //從指定記憶體中寫入位元組集資料 WriteProcessMemory(hProcess, (IntPtr)baseAddress, new int[] { value }, 4, IntPtr.Zero); //關閉操作 CloseHandle(hProcess); } catch { } } #endregion //遊戲記憶體基址 private int baseAddress = 0x0015E944; //遊戲進程名字 private string processName = "PlantsVsZombies"; //開啟/關閉 功能 的按鈕 private void button1_Click(object sender, EventArgs e) { if (GetPidByProcessName(processName) == 0) { MessageBox.Show("遊戲沒有運行!"); return; } if (button1.Text == "開啟") { button1.Text = "關閉"; timer1.Enabled = true; } else { button1.Text = "開啟"; timer1.Enabled = false; } } //定時器 private void timer1_Tick(object sender, EventArgs e) { if (GetPidByProcessName(processName) == 0) { timer1.Enabled = false; } //baseAddress : 遊戲記憶體基址 processName : 遊戲進程名 //讀取 基址1 中存放的值 int address = ReadMemoryValue(baseAddress, processName); //計算 基址2的地址 = 基址1中的值 + 位移量1 address = address + 0x868; //讀取 基址2 中存放的值 address = ReadMemoryValue(address, processName); //計算 陽光的地址 = 基址2中的值 + 位移量2 address = address + 0x5578; //給陽光地址中寫入數值,0x378 : 888 WriteMemoryValue(address, processName, 0x378); } }}View Code
C# 操作地址 從記憶體中讀取寫入資料(初級)
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
