通过以前的分析(http://blog.csdn.net/qq_35519254/article/details/79274739),要想实现无限血量,就要将 0x0048C4C0 处的 `mov eax, [eax+0F4h]` 修改为 `mov eax, 0x40a00000`,其中 0x40a00000 是单精度浮点数 5.0 的 IEEE-754 编码。该处修改对应的机器码为:`8B 80 F4 00 00 00` --> `B8 00 00 A0 40 90`。原指令占 6 字节,而 `mov eax, imm32` 只有 5 字节,因此末尾补一个 `90`(nop)以保持后面的指令不被破坏。注意这个地址只对这一特定版本的 shanghai.exe 有效(32 位镜像加载在默认基址、未启用 ASLR),换一个版本直接写入会破坏无关代码,所以写入前应先读回并校验原始字节是否为 `8B 80 F4 00 00 00`。
下边代码实现(vs2010):
stdafx.h:
#pragma once

#include "targetver.h"

#include <windows.h>
#include <tlhelp32.h>

#include <conio.h>
#include <stdio.h>
#include <string.h>
#include <tchar.h>

#include <iostream>

using namespace std;
main.cpp:
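#include "stdafx.h"

/*
 * Patch site inside shanghai.exe (32-bit image at its default base; the
 * address is only meaningful for this particular build).
 *
 *   Original : 0x0048C4C0  8B 80 F4 00 00 00   mov eax, [eax+0F4h]
 *   Patched  : 0x0048C4C0  B8 00 00 A0 40 90   mov eax, 40A00000h ; nop
 *
 * 0x40A00000 is the IEEE-754 single-precision encoding of 5.0f. The trailing
 * NOP pads the 5-byte "mov eax, imm32" to the original 6-byte length so the
 * instruction that follows is left intact.
 */
static const DWORD  PATCH_ADDRESS    = 0x0048C4C0;
static const BYTE   ORIGINAL_BYTES[] = { 0x8B, 0x80, 0xF4, 0x00, 0x00, 0x00 };
static const BYTE   PATCH_BYTES[]    = { 0xB8, 0x00, 0x00, 0xA0, 0x40, 0x90 };
static const SIZE_T PATCH_SIZE       = sizeof(PATCH_BYTES);

/*
 * Return the PID of the first running process whose executable name equals
 * process_name (exact, case-sensitive comparison, as before), or 0 when no
 * such process exists or the process snapshot cannot be taken.
 */
DWORD getprocessid(CHAR *process_name)
{
    DWORD dwPid = 0;
    PROCESSENTRY32 pe32;
    HANDLE hProcessSnap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (hProcessSnap == INVALID_HANDLE_VALUE) {
        return 0;
    }
    pe32.dwSize = sizeof(PROCESSENTRY32);   /* must be set before Process32First */
    if (!Process32First(hProcessSnap, &pe32)) {
        CloseHandle(hProcessSnap);
        return 0;
    }
    do {
        /* Compare szExeFile in place: the old wsprintf() copy into a fixed
         * 1024-byte buffer added nothing and could truncate long names. */
        if (strcmp(pe32.szExeFile, process_name) == 0) {
            dwPid = pe32.th32ProcessID;
            break;                      /* first match wins */
        }
    } while (Process32Next(hProcessSnap, &pe32));
    CloseHandle(hProcessSnap);
    return dwPid;
}

/*
 * Locate shanghai.exe, confirm the expected instruction bytes are present at
 * the patch site, then overwrite all six bytes in a single write so the game
 * can never execute a half-patched instruction (the old code wrote 4 bytes,
 * then 2, leaving a window in which eax would be loaded from a truncated
 * immediate and the following bytes decoded as garbage).
 *
 * Returns 0 on success (or if the patch is already applied), 1 on failure.
 */
int _tmain(int argc, _TCHAR* argv[])
{
    DWORD pid = getprocessid("shanghai.exe");
    if (pid == 0) {
        printf("Can't find Process\n");
        return 1;
    }

    /* Least privilege: only the rights needed to read, write and re-protect
     * memory, not PROCESS_ALL_ACCESS. OpenProcess returns NULL if the game
     * runs at a higher integrity level / as another user than this tool. */
    HANDLE shanghai = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
                                  FALSE, pid);
    if (shanghai == NULL) {
        printf("OpenProcess failed (error %lu)\n", GetLastError());
        return 1;
    }

    int    rc = 1;
    LPVOID target = (LPVOID)(UINT_PTR)PATCH_ADDRESS;
    BYTE   current[sizeof(PATCH_BYTES)];
    SIZE_T done = 0;
    DWORD  oldProtect = 0;
    DWORD  ignored = 0;
    BOOL   written = FALSE;

    /* Refuse to patch a binary that does not carry the expected bytes at the
     * hard-coded address: on any other build this would corrupt unrelated
     * code rather than the health load. */
    if (!ReadProcessMemory(shanghai, target, current, PATCH_SIZE, &done) || done != PATCH_SIZE) {
        printf("Injection Error!! (cannot read patch site)\n");
        goto out;
    }
    if (memcmp(current, PATCH_BYTES, PATCH_SIZE) == 0) {
        printf("Already patched\n");
        rc = 0;
        goto out;
    }
    if (memcmp(current, ORIGINAL_BYTES, PATCH_SIZE) != 0) {
        printf("Injection Error!! (unexpected bytes at patch site; wrong game version?)\n");
        goto out;
    }

    /* The code page is normally PAGE_EXECUTE_READ; make it writable just for
     * the one write, then restore the previous protection. */
    if (!VirtualProtectEx(shanghai, target, PATCH_SIZE, PAGE_EXECUTE_READWRITE, &oldProtect)) {
        printf("Injection Error!! (VirtualProtectEx)\n");
        goto out;
    }
    written = WriteProcessMemory(shanghai, target, PATCH_BYTES, PATCH_SIZE, &done);
    VirtualProtectEx(shanghai, target, PATCH_SIZE, oldProtect, &ignored);
    if (!written || done != PATCH_SIZE) {
        printf("Injection Error!!");
        goto out;
    }
    /* Instruction bytes changed underneath a running thread: flush the
     * instruction cache so the patched form is what gets executed. */
    FlushInstructionCache(shanghai, target, PATCH_SIZE);
    printf("Injection Success!!");
    rc = 0;

out:
    CloseHandle(shanghai);   /* the old code leaked the process handle */
    return rc;
}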
运行的时候先将游戏运行,再启动外挂程序。游戏的进程名必须是 shanghai.exe(比较区分大小写)。本程序必须以不低于游戏的权限运行:如果游戏是以管理员身份启动的,本程序也要以管理员身份运行,否则 OpenProcess 会失败。另外,这是在向正在执行的代码页写入,游戏线程随时可能正好执行到该处,所以应当一次性写入全部 6 个字节,不要分两次写;写入前先读回原始字节核对,写入后调用 FlushInstructionCache。