Starting here we enter the hands-on part: we will manually analyze how some features of Plants vs. Zombies are implemented and write a trainer for them, refining it step by step as the chapters go deeper.
In this lesson we will modify the sun value in Plants vs. Zombies. The steps below use the search techniques from levels 1 and 4 of the CE basics tutorial; if you are not yet comfortable with them, go back and review those two levels first. This lesson is the simplest and also the most important one!
Finding the game's memory address (locating the base address and offsets)
1. Launch the game, open CE, click the computer icon, select the game process and click Open.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/1Snipaste_2023-05-23_19-44-57.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Daa8eb745b4a2625a81dc51bbc7f392dce5ee769e&)
2. Now search for the sun value 150 using a 4-byte search.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/2Snipaste_2023-05-23_22-39-33.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3D77c82c26d29dc079ff49693e25d788cf6f10a06c&)
3. Make the sun value change (plant a Peashooter), quickly narrow the results down to the sun address, and add it to the address list at the bottom.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/3Snipaste_2023-05-23_22-40-04.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3D93b4e16ee2b461931b93564f0bc8195daa292a0f&)
Look at the address in the picture below: it is a dynamic address, meaning it changes every time the game is reloaded, so we have to keep searching.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/4Snipaste_2023-05-23_22-40-29.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3D4912dbac0586e25df6e386bb0b9ad4931f63149f&)
4. Right-click this address and choose "Find out what writes to this address". When we do that, CE places a memory write breakpoint on the address for us.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-16-45.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Da99da393925e3b45cc9f7d9184fd721310367ee0&)
5. After selecting it, CE shows no instructions at first. Return to the game and wait for the sun to increase; once it does, an assembly instruction appears.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-19-11.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3D41138d27be301c11272a8af1cdce9ddb3969a24e&)
Open that instruction: add eax,[edx+00005578]. The instruction is obvious: it assigns the value of ecx to [eax+5578], so the first-level offset is 5578. Note down EAX=24362DC0 and run another search!
6. Close the two windows above, tick Hex in CE and search for the memory address 24362DC0. The search returns a pile of addresses and we cannot be sure which one is right; CE puts the most promising ones at the top, the ones marked in red here. Prefer addresses whose prefix does not repeat, as the success rate is higher; this is something you get a feel for with experience.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-21-55.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Df858cf32c24a148444494c23f97db92d8a5406f5&)
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-23-34.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3De9fb7b27b02a6e20110e165d2a1ceb0bfb6092a3&)
Add the first four addresses above to the address list at the bottom and analyze them one by one.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-24-33.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Df08d20cda623e1caa51b1b713361eaaad342201d&)
Start with the first one, 00199168: right-click and choose "Find out what accesses this address". Many instructions show up; rule out as many as possible and look for an instruction that assigns to [eax] with a number after it. There is none here.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-25-15.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3D68f0e60cefd2aa15001bdbcfedc5984142a9ba4a&)
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-25-52.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Dc130267810225400ca501aaf2a5f3531413262b6&)
If it is not the one, move on to the remaining addresses!
In the third one we find one: mov eax,[ecx+00000868]. Note down 868!
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-30-30.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Daa06c36543729d191f446813e0828771b0220256&)
Then open this address and record the value of ECX. Here ECX=027EB1F8.
Keep using CE and search for the memory address 027EB1F8. Now we see several green addresses. In CE, green means a global address, that is, a base address. Next we add this pointer and check whether one of these green addresses is the right one; in this situation the only way is to try them one by one.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-33-04.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3D1a99bff6c30446a6977dbb4c988d88dc0f031bf4&)
Select the first green address, add it to the address list at the bottom, right-click and view what accesses it.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-35-03.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Dec72f6f0b17935907f7f391c5fe41fd8cbb2e161&)
From the disassembly view this looks like a correct address. Let's plug it into the formula and verify.
Formula: 007794F8+868+5578 = does this equal the sun value?
Add a pointer in CE to confirm: it reads 50, and back in the game the sun is 50, so the search was correct.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-38-36.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3D0d3c2a17e32231a24524f50d0344087f72cec629&)
Congratulations, you have found the static address. Next we use Easy Language (易语言) to build a trainer.
Building the trainer in Easy Language
1. Open Easy Language, create a windowed application, and add the memory read/write module. The module has been prepared for you; the download link is at the end of the article.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-42-54.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Dc7176a8eeda586a3c468243f8c3f4524fb3b37e4&)
2. Draw the following interface and click Start Window.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-46-36.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Dfdc2823f24d50322bb2db2231769aafb149a1152&)
3. Enter the following code.
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-58-21.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3De7ba33c5de0a6849157cb8a67068de2ab3d493bb&)
4. Click Read and then Modify to test each in turn (run with F5).
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-23_23-59-40.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Dd680a331bf5dc3fa5c733d788f3ae580172ef085&)
![](https://lb5-1318274915.cos.ap-shanghai.myqcloud.com//up/img/Snipaste_2023-05-24_00-00-15.jpg?sign=q-sign-algorithm%3Dsha1%26q-ak%3DAKIDYEtIenIh2OgroaBbnlidSDpMjrnvthMo%26q-sign-time%3D1722048814%3B1722049474%26q-key-time%3D1722048814%3B1722049474%26q-header-list%3Dhost%26q-url-param-list%3D%26q-signature%3Dd107c8df2f102ea308f19dd6c8d76698fa136c62&)
5. Once the tests pass, build the exe!
Easy Language is very powerful; all later hands-on tutorials will involve Easy Language and CE. VC++ works too, of course, but it is not as convenient.
Partial code:

```
.版本 2
写偏移整数型 (pid, “007794F8”, 到整数 (编辑框1.内容), 到文本 (“868”), 到文本 (“5578”))
```
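As an added illustration (this is not code from the article, from CE, or from the Easy Language memory module), the Python below models the whole pointer chain found above with CE, the two "search for this address" steps (6 and 7), and the final 写偏移整数型 write, over a constructed in-memory snapshot that reuses the article's own numbers (base 007794F8, offsets 868 and 5578, ECX=027EB1F8, EAX=24362DC0, sun 50). The snapshot, the relocated object addresses after the simulated reload, and the assumption that the Easy Language call takes (base, value, offsets...) in that order are mine; nothing here touches a real process.

```python
import struct

# Constructed example data: the addresses below are the ones the CE walk in
# this article produced (base 007794F8, offsets 868 and 5578, ECX=027EB1F8,
# EAX=24362DC0, sun=50). The memory snapshot itself is invented for the demo;
# nothing here touches a real process.
BASE_ADDR = 0x007794F8          # green (static) address found in step 7
OFFSETS = [0x868, 0x5578]       # mov eax,[ecx+868], then [eax+5578]


def pack32(value):
    """Encode a 4-byte little-endian value the way a 32-bit process stores it."""
    return struct.pack("<I", value & 0xFFFFFFFF)


def make_snapshot(obj_addr=0x027EB1F8, board_addr=0x24362DC0, sun=50):
    """Return a dict {address: 4 bytes} modelling the cells the chain passes through.

    obj_addr and board_addr stand for heap objects that move on every reload;
    BASE_ADDR stays put because it lives in the module's data section.
    """
    return {
        BASE_ADDR: pack32(obj_addr),                 # [007794F8] -> ECX
        obj_addr + OFFSETS[0]: pack32(board_addr),   # [ECX+868]  -> EAX
        board_addr + OFFSETS[1]: pack32(sun),        # [EAX+5578] -> sun counter
    }


def read32(mem, addr):
    if addr not in mem:
        raise KeyError(f"unmapped address {addr:08X}")
    return struct.unpack("<I", mem[addr])[0]


def resolve_chain(mem, base, offsets):
    """Final address of a CE-style pointer row: [[base]+off1]+off2 ...

    Every offset except the last is dereferenced; the last one is only added,
    which is what the article's formula 007794F8+868+5578 means in practice.
    """
    addr = read32(mem, base)
    for off in offsets[:-1]:
        addr = read32(mem, addr + off)
    return addr + offsets[-1]


def read_chain(mem, base, offsets):
    return read32(mem, resolve_chain(mem, base, offsets))


def write_chain(mem, base, offsets, value):
    """Assumed to mirror 写偏移整数型(pid, base, value, offsets...) from the module."""
    addr = resolve_chain(mem, base, offsets)
    mem[addr] = pack32(value)
    return addr


def find_pointers_to(mem, target):
    """Model CE's 4-byte hex scan for an address: which cells contain `target`?"""
    return sorted(a for a, raw in mem.items() if struct.unpack("<I", raw)[0] == target)


if __name__ == "__main__":
    mem = make_snapshot()
    print(f"sun via chain: {read_chain(mem, BASE_ADDR, OFFSETS)}")          # 50
    print(f"cells holding EAX: {[hex(a) for a in find_pointers_to(mem, 0x24362DC0)]}")
    print(f"cells holding ECX: {[hex(a) for a in find_pointers_to(mem, 0x027EB1F8)]}")
    # Simulated reload: the heap objects move, the static base does not.
    reloaded = make_snapshot(obj_addr=0x03000000, board_addr=0x25000000, sun=150)
    print(f"dynamic sun address before/after reload: "
          f"{resolve_chain(mem, BASE_ADDR, OFFSETS):08X} / "
          f"{resolve_chain(reloaded, BASE_ADDR, OFFSETS):08X}")
    write_chain(reloaded, BASE_ADDR, OFFSETS, 9999)
    print(f"sun after write: {read_chain(reloaded, BASE_ADDR, OFFSETS)}")   # 9999
```

The two `find_pointers_to` calls reproduce steps 6 and 7: scanning for the value 24362DC0 turns up the cell at ECX+868, and scanning for 027EB1F8 turns up only the static base, which is why CE paints that one green. The simulated reload shows the point of the whole exercise: the address the first scan found changes, but walking the chain from the static base still lands on the sun counter.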
The module, Easy Language and the game used in this tutorial are all packaged in the group for you to download.
QQ group: FTP-交流