Using Python win32 library to learn to read and write memory (2)

In the previous article in this series, Using the Python win32 library to learn to read and write memory (1), I used the Python win32 libraries to read a game's memory.

Today's post covers the write side of memory operations.

Main text

To read and write the memory of a 32-bit process, first look at the functions involved; the material below is mostly C/C++ documentation found through Baidu.

A more detailed breakdown follows.

The write function is WriteProcessMemory.

This function writes to a memory region of a given process (writing to it directly raises an Access Violation error, hence the need for this function).

VC++ declaration:

BOOL WriteProcessMemory(
HANDLE hProcess,//handle to the process whose memory is to be modified. The handle must have PROCESS_VM_WRITE and PROCESS_VM_OPERATION access to the process.
LPVOID lpBaseAddress,//pointer to the base address in the specified process to which data is written. Before any data transfer occurs, the system verifies that all data in the base address and memory of the specified size is accessible for write access; if it is not accessible, the function fails.
LPVOID lpBuffer,//pointer to the buffer that contains the data to be written into the address space of the specified process.
DWORD nSize,//number of bytes to be written to the specified process.
LPDWORD lpNumberOfBytesWritten//pointer to a variable that receives the number of bytes transferred into the specified process. This parameter is optional; if lpNumberOfBytesWritten is NULL, it is ignored.
);

Return value

If the function succeeds, the return value is nonzero.
If the function fails, the return value is 0 (zero); call GetLastError for extended error information. The function fails if the requested write reaches a region of the process that cannot be accessed.

Read and write operations on the stand-alone game Plants vs. Zombies

For the analysis of Plants vs. Zombies, see:

Plants vs. Zombies (1)

Plants vs. Zombies (2)

Plants vs. Zombies (3)

First, reading the amount of sun

The base address and offsets for sun are:

Sun: PlantsVsZombies.exe+2A9EC0+768+5560

PlantsVsZombies.exe+2A9EC0 cannot be read directly, so add that entry to CE (Cheat Engine) and look at the hexadecimal value in the address column: 006A9EC0

The read and write code is written the same way as in the previous article.

# -*- coding: utf-8 -*-
import win32process                       # process module
from win32con import PROCESS_ALL_ACCESS   # OpenProcess access rights
import win32api                           # system API calls
import ctypes                             # C data types
from win32gui import FindWindow           # window lookup

def GetProcssID(address,bufflength):
    # Despite the name, this reads a bufflength-byte integer from the game
    # process at address and returns its value.
    kernel32 = ctypes.windll.LoadLibrary("kernel32.dll")
    hwnd = FindWindow(None,u"植物大战僵尸中文版")
    ReadProcessMemory = kernel32.ReadProcessMemory
    hpid, pid = win32process.GetWindowThreadProcessId(hwnd)   # (thread id, process id)
    hProcess = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    addr = ctypes.c_ulong()   # 4-byte receive buffer on Windows
    ReadProcessMemory(int(hProcess), address, ctypes.byref(addr), bufflength, None)
    win32api.CloseHandle(hProcess)
    return addr.value


def main():
    sun = GetProcssID(GetProcssID(GetProcssID(0x006A9EC0, 4)+0x768, 4)+0x5560, 4)

    print ("阳光的数量:%d" % sun)

if __name__ == '__main__':
    main()

The sun read, decomposed into steps:

def main():
    ret  = GetProcssID(0x006A9EC0,4)       # [PlantsVsZombies.exe+2A9EC0]
    ret2 = GetProcssID(ret+0x768,4)         # [ret+0x768]
    sun = GetProcssID(ret2+0x5560,4)        # [ret2+0x5560] is the sun count
    print ("阳光的数量:%d" % sun)
    #sun = GetProcssID(GetProcssID(GetProcssID(0x006A9EC0, 4)+0x768, 4)+0x5560, 4)

Writing

According to the earlier analysis, automatic sun collection in Plants vs. Zombies can be switched on. The specific address is:

Auto-collect: PlantsVsZombies.exe+3158B   initial value: 5274496   modified value: 22051712
        hex: 0043158B

Declaring the function:

def WriteMemeryInt(_address,Data):
    # Writes the 4-byte integer Data to _address in the game process.
    kernel32 = ctypes.windll.LoadLibrary("kernel32.dll")
    hwnd = FindWindow(None,u"植物大战僵尸中文版")
    pid = win32process.GetWindowThreadProcessId(hwnd)[1]
    hGameHandle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    WriteProcessInt = kernel32.WriteProcessMemory  # call this function from the kernel32 DLL
    ok = WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_ulong(Data)),4,None)
    win32api.CloseHandle(hGameHandle)
    return ok   # nonzero on success, 0 on failure (see the return value above)

Code analysis:

    WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_ulong(Data)),4,None)

maps onto the declaration as follows:

    BOOL WriteProcessInt(
    int(hGameHandle),   //the handle passed in
    _address,   //the address to write to
    ctypes.byref(ctypes.c_ulong(Data)),  //the data to write
    4,    //number of bytes to write to the specified process
    None  //pointer to a variable that receives the number of bytes transferred; optional, ignored when NULL
    );



Modifying the amount of sun in Plants vs. Zombies



    def _modifySunshine():
        sun = GetProcssID(GetProcssID(GetProcssID(0x006A9EC0, 4)+0x768, 4)+0x5560, 4)
        sun_write = WriteMemeryInt(GetProcssID( GetProcssID( 0x006A9EC0, 4) + 0x768,4) + 0x5560, 100)
        print("修改前阳光的数量:" , sun)
        if sun_write:
            print("###################修改阳光数量成功##############################")
            sun = GetProcssID(GetProcssID(GetProcssID(0x006A9EC0, 4)+0x768, 4)+0x5560, 4)
            print("修改后阳光的数量:" , sun)
        else:
            print("###################修改阳光数量失败,错误信息:##################", ctypes.GetLastError())



The sun_write call, decomposed into steps:



    def _modifySunshine():
        ret = GetProcssID(0x006A9EC0, 4)
        ret2 = GetProcssID(ret + 0x768, 4)
        sun_write = WriteMemeryInt(ret2+0x5560,100)
        # ret2+0x5560 is the address to write to; it must not be read through
        # GetProcssID again, otherwise the address written to is wrong.
        # 100 is the new amount.
        if sun_write:
            print("###################修改阳光数量成功##############################")
        else:
            print("###################修改阳光数量失败,错误信息:##################", ctypes.GetLastError())

Run the code:
[screenshot]

# -*- coding: utf-8 -*-
import win32process                       # process module
from win32con import PROCESS_ALL_ACCESS   # OpenProcess access rights
import win32api                           # system API calls
import ctypes                             # C data types
from win32gui import FindWindow           # window lookup

kernel32 = ctypes.windll.LoadLibrary("kernel32.dll")

def GetProcssID(address,bufflength):
    # Despite the name, this reads a bufflength-byte integer from the game process.
    hwnd = FindWindow(None,u"植物大战僵尸中文版")
    ReadProcessMemory = kernel32.ReadProcessMemory
    hpid, pid = win32process.GetWindowThreadProcessId(hwnd)
    hProcess = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    addr = ctypes.c_ulong()
    ReadProcessMemory(int(hProcess), address, ctypes.byref(addr), bufflength, None)
    win32api.CloseHandle(hProcess)
    return addr.value

def WriteMemeryInt(_address,Data):
    # Writes the 4-byte integer Data to _address in the game process.
    hwnd = FindWindow(None,u"植物大战僵尸中文版")
    pid = win32process.GetWindowThreadProcessId(hwnd)[1]
    hGameHandle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    WriteProcessInt = kernel32.WriteProcessMemory  # call this function from the kernel32 DLL
    ok = WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_ulong(Data)),4,None)
    win32api.CloseHandle(hGameHandle)
    return ok   # nonzero on success, 0 on failure

def _modifySunshine():
    sun = GetProcssID(GetProcssID(GetProcssID(0x006A9EC0, 4)+0x768, 4)+0x5560, 4)
    sun_write = WriteMemeryInt(GetProcssID(GetProcssID( 0x006A9EC0, 4) + 0x768,4) + 0x5560, 100)
    print("修改前阳光的数量:" , sun)
    if sun_write:
        print("###################修改阳光数量成功##############################")
        sun = GetProcssID(GetProcssID(GetProcssID(0x006A9EC0, 4)+0x768, 4)+0x5560, 4)
        print("修改后阳光的数量:" , sun)
    else:
        print("###################修改阳光数量失败,错误信息:##################", ctypes.GetLastError())

def main():
    _modifySunshine()

if __name__ == '__main__':
    main()

That is the basic code. I then rewrote it below in a C-like layout, changing the code structure, because it really did look like a mess.

First, package FindWindow and the other basic operations into functions:

# -*- coding: utf-8 -*-
import win32process                       # process module
from win32con import PROCESS_ALL_ACCESS   # OpenProcess access rights
import win32api                           # system API calls
import ctypes                             # C data types
from win32gui import FindWindow           # window lookup

kernel32 = ctypes.windll.LoadLibrary("kernel32.dll")
GetLastError = kernel32.GetLastError

def _GetProcessId(className,windowName):
    # Look up the game window and return the id of the process that owns it.
    hGameWindow = FindWindow(className, windowName)
    pid = win32process.GetWindowThreadProcessId(hGameWindow)[1]
    return pid

def _GetPorcessHandle(pid):
    # Open the process; the caller is responsible for CloseHandle.
    hGameHandle = win32api.OpenProcess(PROCESS_ALL_ACCESS, False, pid)
    return hGameHandle

def _ReadMemeryInt(hGameHandle,_address,bufflength):
    # Read a bufflength-byte integer from _address.
    addr = ctypes.c_ulong()
    ReadProcessInt = kernel32.ReadProcessMemory
    ReadProcessInt(int(hGameHandle), _address, ctypes.byref(addr), bufflength, None)
    return addr.value


def WriteMemeryInt(hGameHandle,_address,Data):
    # Write the 4-byte integer Data to _address; returns nonzero on success.
    WriteProcessInt = kernel32.WriteProcessMemory
    ok = WriteProcessInt(int(hGameHandle),_address,ctypes.byref(ctypes.c_ulong(Data)),4,None)
    return ok

def main():
    ProcessId = _GetProcessId(None,u"植物大战僵尸中文版")

    _hGameHandle = _GetPorcessHandle(ProcessId)

    win32api.CloseHandle(_hGameHandle)

if __name__ == '__main__':
    main()
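As an added example (not the post's code and not part of pywin32), here is the same packaging done with explicit ctypes prototypes and least privilege. The process is opened with only PROCESS_VM_READ, plus PROCESS_VM_WRITE | PROCESS_VM_OPERATION when writing (the rights the WriteProcessMemory declaration above requires), instead of PROCESS_ALL_ACCESS; argtypes and restype are set so a 64-bit Python passes handles and addresses at full pointer width instead of squeezing them through int(); and a failed call raises with the real GetLastError code rather than being ignored, as it is in the wrappers above. The class name ProcessMemory and the helper access_mask are mine; the access-right values are the documented winnt.h constants (the same ones win32con exposes). Only the mask arithmetic runs off Windows; the kernel32 calls are guarded and the self-test at the bottom reads and writes a variable in the interpreter's own process.

```python
import sys
import ctypes

# Process access rights from <winnt.h>; win32con exposes the same values.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020


def access_mask(read=True, write=False):
    """Smallest mask ReadProcessMemory/WriteProcessMemory accept, instead of
    PROCESS_ALL_ACCESS: reading needs PROCESS_VM_READ; writing needs both
    PROCESS_VM_WRITE and PROCESS_VM_OPERATION."""
    mask = 0
    if read:
        mask |= PROCESS_VM_READ
    if write:
        mask |= PROCESS_VM_WRITE | PROCESS_VM_OPERATION
    return mask


class ProcessMemory:
    """Context manager around OpenProcess/CloseHandle with typed prototypes.
    Windows only: everything touching kernel32 lives behind the guard."""

    def __init__(self, pid, write=False):
        if sys.platform != "win32":
            raise OSError("ProcessMemory requires Windows kernel32")
        from ctypes import wintypes
        k = ctypes.WinDLL("kernel32", use_last_error=True)
        k.OpenProcess.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.DWORD]
        k.OpenProcess.restype = wintypes.HANDLE
        k.CloseHandle.argtypes = [wintypes.HANDLE]
        k.CloseHandle.restype = wintypes.BOOL
        k.ReadProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPCVOID, wintypes.LPVOID,
                                        ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
        k.ReadProcessMemory.restype = wintypes.BOOL
        k.WriteProcessMemory.argtypes = [wintypes.HANDLE, wintypes.LPVOID, wintypes.LPCVOID,
                                         ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t)]
        k.WriteProcessMemory.restype = wintypes.BOOL
        self._k32 = k
        self._h = k.OpenProcess(access_mask(True, write), False, pid)
        if not self._h:
            raise ctypes.WinError(ctypes.get_last_error())

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        self._k32.CloseHandle(self._h)   # no leaked handle on any exit path
        self._h = None
        return False

    def read_u32(self, address):
        buf = ctypes.c_uint32()          # always 4 bytes, unlike c_ulong
        n = ctypes.c_size_t()
        ok = self._k32.ReadProcessMemory(self._h, address, ctypes.byref(buf), 4, ctypes.byref(n))
        if not ok or n.value != 4:
            raise ctypes.WinError(ctypes.get_last_error())
        return buf.value

    def write_u32(self, address, value):
        buf = ctypes.c_uint32(value)
        n = ctypes.c_size_t()
        ok = self._k32.WriteProcessMemory(self._h, address, ctypes.byref(buf), 4, ctypes.byref(n))
        if not ok or n.value != 4:
            raise ctypes.WinError(ctypes.get_last_error())
        return n.value


if __name__ == "__main__":
    print("read-only mask : 0x%04X" % access_mask())
    print("read+write mask: 0x%04X" % access_mask(write=True))
    if sys.platform == "win32":
        import os
        probe = ctypes.c_uint32(0xCAFE)   # a variable in this very process
        with ProcessMemory(os.getpid(), write=True) as pm:
            print("read back  : 0x%X" % pm.read_u32(ctypes.addressof(probe)))
            pm.write_u32(ctypes.addressof(probe), 0xBEEF)
            print("after write: 0x%X" % probe.value)
```

Opening with the minimal mask is also what makes failures informative: an access-denied result then points at a missing right or a protected process rather than being masked by a blanket PROCESS_ALL_ACCESS request.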

At the beginning of the write part, first read the amount of sun and then modify it:

def _modifySunshine(hGameHandle):
    sun = _ReadMemeryInt(hGameHandle,_ReadMemeryInt(hGameHandle,_ReadMemeryInt(hGameHandle,0x006A9EC0, 4) + 0x768, 4) + 0x5560, 4)
    sun_write = WriteMemeryInt(hGameHandle,_ReadMemeryInt(hGameHandle, _ReadMemeryInt(hGameHandle, 0x006A9EC0, 4) + 0x768,4) + 0x5560, 100)
    print("修改前阳光的数量:" , sun)
    if sun_write:
        print("###################修改阳光数量成功##############################")
        sun = _ReadMemeryInt(hGameHandle,_ReadMemeryInt(hGameHandle, _ReadMemeryInt(hGameHandle, 0x006A9EC0, 4) + 0x768,4) + 0x5560, 4)
        print("修改后的阳光数量:", sun)
    else:
        print("###################修改阳光数量失败,错误信息:##################", GetLastError())

Then, according to the analysis, there is an automatic sun-collection feature; its base address is:

Auto-collect: PlantsVsZombies.exe+3158B   initial value: 5274496   modified value: 22051712
        hex: 0043158B

def _collectSunshine(hGameHandle):
    collect = WriteMemeryInt(hGameHandle,0x0043158B,22051712)
    if collect:
        print("###################启动自动收集功能成功#########################")
    else:
        print("###################修改自动收集功能失败,错误信息:##################", GetLastError())

Next is the instant-kill feature, because the defence does not always hold up.

Base address for instant-killing normal zombies:

Instant-kill normal zombies: PlantsVsZombies.exe+13178A   initial value: 1284214911   modified value: 1284214928
        hex: 0053178A

def _Seckill(hGameHandle):
    seckill = WriteMemeryInt(hGameHandle,0x0053178A,1284214928)
    if seckill:
        print("###################启动秒杀普通僵尸功能成功#########################")
    else:
        print("###################修改秒杀功能失败,错误信息:#########################", GetLastError())

Besides ordinary zombies, there are helmeted zombies:

Helmeted-zombie base address:

Instant-kill armoured zombies: PlantsVsZombies.exe+13186D   initial value: 1347618942   modified value: 1347653776
        hex: 0053186D

def _SecKillHelmet(hGameHandle):
    seckillHelemet = WriteMemeryInt(hGameHandle,0x0053186D,1347653776)
    if seckillHelemet:
        print("###################启动秒杀头盔僵尸功能成功#########################")
    else:
        print("###################修改头盔僵尸秒杀功能失败,错误信息:#################", GetLastError())

**Complete code:** see the blog (this is not a deliberate attempt to drive traffic); you can in fact stitch it together from the pieces above. I would post it here, but I am not sure whether that is allowed.

Run the code:
[screenshot]

End

Tips:

Take active precautions to protect yourself: wear a mask and wash your hands often.

Follow the official information on Weibo's trending searches and do not believe rumours casually.

To paraphrase some words I found very good:

Technology itself is neither right nor wrong; it is people who are good or evil.

Those who do reverse engineering must keep a righteous mindset.

A righteous person holding the Dragon-Slaying Sabre also uses it to protect home and people.

Use this time at home to learn, and take a hard look at how third-party detection works.


Source: blog.csdn.net/keyb396/article/details/104080935