通过以前的分析(
http://blog.csdn.net/qq_35519254/article/details/79274739),要想实现无限血量,就要将0x0048C4C0 处的mov eax, [eax+0F4h]修改为mov eax,0x40a00000 其中0x40a00000是浮点数5.000的十六进制表示。该处修改对应的十六进制为:8B80F4000000 -->B80000a04090。
下边代码实现(vs2010):
stdafx.h:
#pragma once #include<iostream> #include "targetver.h" #include <conio.h> #include <stdio.h> #include <tchar.h> #include <windows.h> #include <tlhelp32.h> using namespace std;
main.cpp:
#include "stdafx.h"
DWORD getprocessid(CHAR *process_name)
{
char temp[1024];
DWORD dwPid=0;
HANDLE hProcessSnap;
PROCESSENTRY32 pe32;
hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
if (hProcessSnap == INVALID_HANDLE_VALUE)
{
return(FALSE);
}
pe32.dwSize = sizeof(PROCESSENTRY32);
if (!Process32First(hProcessSnap, &pe32))
{
CloseHandle(hProcessSnap); // clean the snapshot object
return(FALSE);
}
do
{
wsprintf(temp,"%s",pe32.szExeFile);
if (!strcmp(temp,process_name))
{
dwPid = pe32.th32ProcessID;
}
} while (Process32Next(hProcessSnap, &pe32));
CloseHandle(hProcessSnap);
return dwPid;
}
int _tmain(int argc, _TCHAR* argv[])
{
DWORD pid=getprocessid("shanghai.exe");
if(pid==0)
{
printf("Can't find Process\n");
exit(1);
}
HANDLE shanghai=OpenProcess(PROCESS_ALL_ACCESS, FALSE, pid);
if (shanghai == NULL) return 1;
DWORD address1=0x0048C4C0;
DWORD address2=0x0048C4C4;
DWORD data1=0xa00000B8;
WORD data2=0x9040;
//if(!VirtualProtectEx(shanghai,(LPVOID)0x0048C4C0,256,PAGE_EXECUTE_READWRITE,&oldProtect)) return 1;
BOOL write_return1=WriteProcessMemory(shanghai,(LPVOID)address1,&data1,4,0);
BOOL write_return2=WriteProcessMemory(shanghai,(LPVOID)address2,&data2,2,0);
if(write_return1!=0 && write_return2!=0) printf("Injection Success!!");
else
{
printf("Injection Error!!");
exit(1);
}
//VirtualProtectEx(shanghai,(LPVOID)0x0048C4C0,256,oldProtect,NULL);
return 0;
}
运行的时候先将游戏运行,再启动外挂程序。游戏的进程必须是shanghai.exe.