植物大战僵尸整蛊器

想写的是植物大战僵尸阳光值修改器，但是俺把阳光值设定恒为200，囧……

 

用delphi实现，主要用到的API函数是：CreateToolhelp32Snapshot，Process32First，Process32Next；OpenProcess，ReadProcessMemory，WriteProcessMemory。

 

思路如下：

 

先用CreateToolhelp32Snapshot函数获取系统当前进程列表，然后逐一比较，取得‘游戏进程.exe’的pid，然后用此pid调用OpenProcess函数，获取进程句柄，得到句柄后就能通过ReadProcessMemory，WriteProcessMemory对进程内存进行读写了。

 

附上全部代码：

 

unit PvZ;interfaceuses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, ExtCtrls, StdCtrls,TlHelp32;type TForm1 = class(TForm) Button1: TButton; Button2: TButton; Timer1: TTimer; Button3: TButton; Label1: TLabel; function ProcessEum(gamename:string):THandle; procedure Button1Click(Sender: TObject); function readmemory(gamehandle:THandle;pAddr:DWORD):DWORD; procedure writememory(gamehandle:THandle;pAddr:DWORD;cNum:DWORD); procedure Timer1Timer(Sender: TObject); procedure Button2Click(Sender: TObject); private { Private declarations } public { Public declarations } end;var Form1: TForm1;implementation{$R *.dfm}function TForm1.ProcessEum(gamename:string):THandle; //获取程序pidvar processlist:THandle; pe:Tprocessentry32;begin Result := 0; processlist:=CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS,0); pe.dwSize:=SizeOf(tprocessentry32); if Process32First(processlist,pe) then begin if pe.szExeFile = gamename then begin Result:= OpenProcess(PROCESS_ALL_ACCESS,False,pe.th32ProcessID); //Result := pe.th32ProcessID; end; while Process32Next(processlist,pe) do begin if pe.szExeFile = gamename then begin Result := OpenProcess(PROCESS_ALL_ACCESS,False,pe.th32ProcessID); exit; //Result := pe.th32ProcessID; end; end; end else Result:= 0; CloseHandle(processlist);end;function TForm1.readmemory(gamehandle:THandle;pAddr:DWORD):DWORD;var sNum,mnum:DWORD;begin if ReadProcessMemory(gamehandle,Pointer(pAddr),Pointer(@sNum),SizeOf(sNum),mnum) then begin result:= snum; end else Result:= 0;end;procedure TForm1.writememory(gamehandle:THandle;pAddr:DWORD;cNum:DWORD);var mnum:DWORD;begin if not WriteProcessMemory(gamehandle,Pointer(pAddr),Pointer(@cnum),SizeOf(cnum),mNum) then begin Timer1.Enabled:=False; Button1.Enabled:=True; Button2.Enabled:=False; ShowMessage('内存写入失败！'+inttostr(GetLastError)); end; {else begin ShowMessage('写入内存成功！') end;}end;procedure TForm1.Button1Click(Sender: TObject);begin Timer1.Enabled:=True; Button1.Enabled:=False; Button2.Enabled:=True;end;procedure TForm1.Timer1Timer(Sender: TObject);var //s:string; gamehandle:THandle; paddr,addrvalue:DWORD; cnum:Integer;begin //s:= IntToStr(ProcessEum('avalue.exe')); //ShowMessage(s); cNum:= 200; paddr:= $6A9EC0; gamehandle:= 0; gamehandle := ProcessEum('PlantsVsZombies.exe'); if gamehandle <> 0 then begin addrvalue:= readmemory(gamehandle,paddr); //ShowMessage(IntToStr(addrvalue)); addrvalue:= addrvalue + $768; //ShowMessage(IntToStr(addrvalue)); addrvalue:= readmemory(gamehandle,addrvalue); //ShowMessage(IntToStr(addrvalue)); addrvalue:= addrvalue + $5560; //ShowMessage(IntToStr(addrvalue)); writememory(gamehandle,addrvalue,cNum); end else begin Timer1.Enabled:=False; Button1.Enabled:=True; Button2.Enabled:=False; ShowMessage('游戏未启动！'); end; CloseHandle(gamehandle);end;procedure TForm1.Button2Click(Sender: TObject);begin Timer1.Enabled:= False; Button2.Enabled:=False; Button1.Enabled:=True;end;end. 

 

写内存修改器的重点在于要知道游戏中相关数值的内存地址，我没有自己用CE去分析（因为俺不懂得分析），我参考了这个帖子中提供的地址：http://topic.csdn.net/u/20100225/14/DCA02E6C-2A96-431A-8F42-AA2A540A96BA.html

 

最后要强调的一点是：Windows为每一个进程提供了4G的内存空间——虚拟的独立空间，所以，对每一个程序而言，其内部同一数据在不同电脑上的内存地址是相同的，而不管所使用的电脑内存条有多大。

 

但是当游戏数据采用动态内存存储时，即使在同一台机器上不同次运行，数据所在的内存地址也不一样，但是还是有方法可以找到数据地址的，具体请参考此介绍：http://www.zuowg.com/wg/wg2/24.html

 

两天完成，暂时不做修改了，歇歇先！