植物大战僵尸修改器-MFC

创建项目

创建mfc应用

基于对话框

打开资源视图下的 IDD_MFCAPPLICTION2_DIALOG

限制对话框大小将属性中Border的值改为对话框外框

删除对话框中原有的控件

属性-外观-Caption 设置对话框标题

工具箱中拖放一个按钮

修改按钮名称

将按钮ID改为IDC_COURSE

在MFCApplication2Dlg.h中添加void CMFCApplication2Dlg::OnBtnClickedCourse();

// 实现
protected:
HICON m_hIcon;// 生成的消息映射函数
virtual BOOL OnInitDialog();
afx_msg void OnSysCommand(UINT nID, LPARAM lParam);
afx_msg void OnPaint();
afx_msg HCURSOR OnQueryDragIcon();
DECLARE_MESSAGE_MAP()
void CMFCApplication2Dlg::OnBtnClickedCourse();
};

MFCApplication2Dlg.cpp: 实现文件中添加

void CMFCApplication2Dlg::OnBtnClickedCourse() {}

MFCApplication2Dlg.cpp中将按钮与函数绑定添加ON_BN_CLICKED(IDC_COURSE, CMFCApplication2Dlg::OnBtnClickedCourse)

BEGIN_MESSAGE_MAP(CMFCApplication2Dlg, CDialogEx)ON_WM_SYSCOMMAND()ON_WM_PAINT()ON_WM_QUERYDRAGICON()ON_BN_CLICKED(IDC_COURSE, CMFCApplication2Dlg::OnBtnClickedCourse)
END_MESSAGE_MAP()

打印调试

TRACE函数：类似于C语言的printf，只能在DEBUG调试模式下看到打印信息（F5启动）

TRACE("age is %d\n",20);

AfxMessageBox函数

CString str;
c

MessageBox函数：只在CWnd的子类中使用，功能比AfxMessageBox多

CString str;
str.Format(CString("age is %d"),20);
MessageBox(str, CString("错误"), MB_YESNO | MB_ICONERROR);

MFC-打开网页

void CMFCApplication2Dlg::OnBtnClickedCourse() {ShellExecute(NULL,CString("open"),CString("https://blog.csdn.net/weixin_42403632"),NULL, NULL,SW_SHOWNORMAL);
}

checkbox

拖一个Check Box 文字改为秒杀僵尸 ID改为 IDC_KILL

鼠标右击-添加事件处理程序

程序自动在头文件中添加了afx_msg void OnBnClickedKill();

声明了函数并绑定了操作

单选框的状态读取和修改

void CMFCApplication2Dlg::OnBnClickedKill()
{BOOL checked = IsDlgButtonChecked(IDC_KILL);if (checked) {//勾选了}else {//没有勾选}}

方法二绑定变量

说明变量

绑定变量DDX_Control(pDX, IDC_KILL, m_bnKill);

自动绑定

鼠标右键添加变量

秒杀僵尸思路

通过CE搜索未知的初始值

通过僵尸的血量减少/未减少

扫描减少的数值/未变动的数值

找到僵尸血量的内存地址

找出是什么改写了这个地址

查看汇编代码

使用OD打开植物大战僵尸

搜索内存地址 00531319

往上看有一条

0053130F 2B7C24 20 sub edi,dword ptr ss:[esp+0x20]

分析出是植物打一下血量减少的值

将汇编代码改为

sub edi,edi

不管哪种植物攻击都一次血量-血量

实现僵尸秒杀

监控游戏

打开spy++工具

点击望远镜图标

将准星拖到植物大战僵尸窗口

添加线程

添加代码

// TODO: 在此添加额外的初始化代码// 创建一条子线程，监控游戏的打开或关闭CreateThread(NULL, NULL, monitorThreadFunc, NULL, NULL, NULL);// 保存对话框g_dlg = this;

全：


// CMFCApplication2Dlg 消息处理程序BOOL CMFCApplication2Dlg::OnInitDialog()
{CDialogEx::OnInitDialog();// 将“关于...”菜单项添加到系统菜单中。// IDM_ABOUTBOX 必须在系统命令范围内。ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);ASSERT(IDM_ABOUTBOX < 0xF000);CMenu* pSysMenu = GetSystemMenu(FALSE);if (pSysMenu != nullptr){BOOL bNameValid;CString strAboutMenu;bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);ASSERT(bNameValid);if (!strAboutMenu.IsEmpty()){pSysMenu->AppendMenu(MF_SEPARATOR);pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);}}// 设置此对话框的图标。  当应用程序主窗口不是对话框时，框架将自动//  执行此操作SetIcon(m_hIcon, TRUE);			// 设置大图标SetIcon(m_hIcon, FALSE);		// 设置小图标// TODO: 在此添加额外的初始化代码// 创建一条子线程，监控游戏的打开或关闭CreateThread(NULL, NULL, monitorThreadFunc, NULL, NULL, NULL);// 保存对话框g_dlg = this;return TRUE;  // 除非将焦点设置到控件，否则返回 TRUE
}

监听方法

CMFCApplication2Dlg *g_dlg;//用来监控游戏的线程
DWORD monitorThreadFunc(LPVOID lpThreadParameter) {while (1) {// 获得植物大战僵尸窗口的句柄HWND windowHandle = FindWindow(CString("MainWindow"), CString("植物大战僵尸中文版"));if (windowHandle == NULL) {g_dlg->m_bnKill.SetCheck(FALSE);g_dlg->m_bnSun.SetCheck(FALSE);g_dlg->m_bnKill.EnableWindow(FALSE);g_dlg->m_bnSun.EnableWindow(FALSE);}else {g_dlg->m_bnKill.EnableWindow(TRUE);g_dlg->m_bnSun.EnableWindow(TRUE);}Sleep(1000);}return NULL;
}

头文件中声明

friend DWORD monitorThreadFunc(LPVOID);
//子线程句柄
HANDLE m_monitorThread;

游戏打开时修改器才能使用

功能实现

封装写内存代码

HANDLE g_processHandle;// 将某个值写入植物大战僵尸内存（后面的可变参数是地址链，要以-1结尾）
void WriteMemory(void *value, DWORD valueSize, ...) {if (value == NULL || valueSize == 0 || g_processHandle == NULL) return;DWORD tempValue = 0;va_list addresses;va_start(addresses, valueSize);DWORD offset = 0;DWORD lastAddress = 0;while ((offset = va_arg(addresses, DWORD)) != -1) {lastAddress = tempValue + offset;::ReadProcessMemory(g_processHandle, (LPCVOID)lastAddress, &tempValue, sizeof(DWORD), NULL);}va_end(addresses);::WriteProcessMemory(g_processHandle, (LPVOID)lastAddress, value, valueSize, NULL);
}void WriteMemory(void *value, DWORD valueSize, DWORD address) {WriteMemory(value, valueSize, address, -1);
}

僵尸秒杀

void CMFCApplication2Dlg::OnBnClickedKill()
{if (m_bnKill.GetCheck()) { // 需要秒杀僵尸BYTE data[] = { 0xFF, 0x90, 0x90 };WriteMemory(data, sizeof(data), 0x00531310);}else { // 不需要秒杀僵尸BYTE data[] = { 0x7c, 0x24, 0x20 };WriteMemory(data, sizeof(data), 0x00531310);}}

无限阳光

if (g_dlg->m_sunshine.GetCheck())
{ // 如果需要无限阳光DWORD value = 9990;WriteMemory(&value, sizeof(value), 0x6A9EC0, 0x320, 0x8, 0x0, 0x8, 0x144, 0x2c, 0x5560, -1);
}::Sleep(MONITOR_REFRESH_TIME_INTERVAL);

完整代码


// MFCApplication2Dlg.cpp: 实现文件
//#include "pch.h"
#include "framework.h"
#include "MFCApplication2.h"
#include "MFCApplication2Dlg.h"
#include "afxdialogex.h"#ifdef _DEBUG
#define new DEBUG_NEW
#endifCMFCApplication2Dlg *g_dlg;
HANDLE g_processHandle;// 将某个值写入植物大战僵尸内存（后面的可变参数是地址链，要以-1结尾）
void WriteMemory(void *value, DWORD valueSize, ...) {if (value == NULL || valueSize == 0 || g_processHandle == NULL) return;DWORD tempValue = 0;va_list addresses;va_start(addresses, valueSize);DWORD offset = 0;DWORD lastAddress = 0;while ((offset = va_arg(addresses, DWORD)) != -1) {lastAddress = tempValue + offset;::ReadProcessMemory(g_processHandle, (LPCVOID)lastAddress, &tempValue, sizeof(DWORD), NULL);}va_end(addresses);::WriteProcessMemory(g_processHandle, (LPVOID)lastAddress, value, valueSize, NULL);
}void WriteMemory(void *value, DWORD valueSize, DWORD address) {WriteMemory(value, valueSize, address, -1);
}//用来监控游戏的线程
DWORD monitorThreadFunc(LPVOID lpThreadParameter) {while (1) {// 获得植物大战僵尸窗口的句柄HWND windowHandle = FindWindow(CString("MainWindow"), CString("植物大战僵尸中文版"));if (windowHandle == NULL) {g_dlg->m_bnKill.SetCheck(FALSE);g_dlg->m_bnSun.SetCheck(FALSE);g_dlg->m_bnKill.EnableWindow(FALSE);g_dlg->m_bnSun.EnableWindow(FALSE);}else {g_dlg->m_bnKill.EnableWindow(TRUE);g_dlg->m_bnSun.EnableWindow(TRUE);// 获得植物大战僵尸的进程IDDWORD processPid;GetWindowThreadProcessId(windowHandle, &processPid);// 获得植物大战僵尸的进程句柄g_processHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, processPid);}if (g_dlg->m_bnSun.GetCheck()){ // 如果需要无限阳光DWORD value = 9990;WriteMemory(&value, sizeof(value), 0x6A9EC0, 0x320, 0x8, 0x0, 0x8, 0x144, 0x2c, 0x5560, -1);}Sleep(1000);}return NULL;
}// 用于应用程序“关于”菜单项的 CAboutDlg 对话框class CAboutDlg : public CDialogEx
{
public:CAboutDlg();// 对话框数据
#ifdef AFX_DESIGN_TIMEenum { IDD = IDD_ABOUTBOX };
#endifprotected:virtual void DoDataExchange(CDataExchange* pDX);    // DDX/DDV 支持// 实现
protected:DECLARE_MESSAGE_MAP()
};CAboutDlg::CAboutDlg() : CDialogEx(IDD_ABOUTBOX)
{
}void CAboutDlg::DoDataExchange(CDataExchange* pDX)
{CDialogEx::DoDataExchange(pDX);
}BEGIN_MESSAGE_MAP(CAboutDlg, CDialogEx)
END_MESSAGE_MAP()// CMFCApplication2Dlg 对话框CMFCApplication2Dlg::CMFCApplication2Dlg(CWnd* pParent /*=nullptr*/): CDialogEx(IDD_MFCAPPLICATION2_DIALOG, pParent)
{m_hIcon = AfxGetApp()->LoadIcon(IDR_MAINFRAME);
}void CMFCApplication2Dlg::DoDataExchange(CDataExchange* pDX)
{CDialogEx::DoDataExchange(pDX);DDX_Control(pDX, IDC_KILL, m_bnKill);DDX_Control(pDX, IDC_SUN, m_bnSun);
}BEGIN_MESSAGE_MAP(CMFCApplication2Dlg, CDialogEx)ON_WM_SYSCOMMAND()ON_WM_PAINT()ON_WM_QUERYDRAGICON()ON_BN_CLICKED(IDC_COURSE, CMFCApplication2Dlg::OnBtnClickedCourse)ON_BN_CLICKED(IDC_KILL, &CMFCApplication2Dlg::OnBnClickedKill)ON_BN_CLICKED(IDC_SUN, &CMFCApplication2Dlg::OnBnClickedSun)
END_MESSAGE_MAP()// CMFCApplication2Dlg 消息处理程序BOOL CMFCApplication2Dlg::OnInitDialog()
{CDialogEx::OnInitDialog();// 将“关于...”菜单项添加到系统菜单中。// IDM_ABOUTBOX 必须在系统命令范围内。ASSERT((IDM_ABOUTBOX & 0xFFF0) == IDM_ABOUTBOX);ASSERT(IDM_ABOUTBOX < 0xF000);CMenu* pSysMenu = GetSystemMenu(FALSE);if (pSysMenu != nullptr){BOOL bNameValid;CString strAboutMenu;bNameValid = strAboutMenu.LoadString(IDS_ABOUTBOX);ASSERT(bNameValid);if (!strAboutMenu.IsEmpty()){pSysMenu->AppendMenu(MF_SEPARATOR);pSysMenu->AppendMenu(MF_STRING, IDM_ABOUTBOX, strAboutMenu);}}// 设置此对话框的图标。  当应用程序主窗口不是对话框时，框架将自动//  执行此操作SetIcon(m_hIcon, TRUE);			// 设置大图标SetIcon(m_hIcon, FALSE);		// 设置小图标// TODO: 在此添加额外的初始化代码// 创建一条子线程，监控游戏的打开或关闭CreateThread(NULL, NULL, monitorThreadFunc, NULL, NULL, NULL);// 保存对话框g_dlg = this;return TRUE;  // 除非将焦点设置到控件，否则返回 TRUE
}void CMFCApplication2Dlg::OnSysCommand(UINT nID, LPARAM lParam)
{if ((nID & 0xFFF0) == IDM_ABOUTBOX){CAboutDlg dlgAbout;dlgAbout.DoModal();}else{CDialogEx::OnSysCommand(nID, lParam);}
}// 如果向对话框添加最小化按钮，则需要下面的代码
//  来绘制该图标。  对于使用文档/视图模型的 MFC 应用程序，
//  这将由框架自动完成。void CMFCApplication2Dlg::OnPaint()
{if (IsIconic()){CPaintDC dc(this); // 用于绘制的设备上下文SendMessage(WM_ICONERASEBKGND, reinterpret_cast<WPARAM>(dc.GetSafeHdc()), 0);// 使图标在工作区矩形中居中int cxIcon = GetSystemMetrics(SM_CXICON);int cyIcon = GetSystemMetrics(SM_CYICON);CRect rect;GetClientRect(&rect);int x = (rect.Width() - cxIcon + 1) / 2;int y = (rect.Height() - cyIcon + 1) / 2;// 绘制图标dc.DrawIcon(x, y, m_hIcon);}else{CDialogEx::OnPaint();}
}//当用户拖动最小化窗口时系统调用此函数取得光标
//显示。
HCURSOR CMFCApplication2Dlg::OnQueryDragIcon()
{return static_cast<HCURSOR>(m_hIcon);
}void CMFCApplication2Dlg::OnBtnClickedCourse() {ShellExecute(NULL,CString("open"),CString("https://blog.csdn.net/weixin_42403632"),NULL, NULL,SW_SHOWNORMAL);
}void CMFCApplication2Dlg::OnBnClickedKill()
{if (m_bnKill.GetCheck()) { // 需要秒杀僵尸BYTE data[] = { 0xFF, 0x90, 0x90 };WriteMemory(data, sizeof(data), 0x00531310);}else { // 不需要秒杀僵尸BYTE data[] = { 0x7c, 0x24, 0x20 };WriteMemory(data, sizeof(data), 0x00531310);}}void CMFCApplication2Dlg::OnBnClickedSun()
{// TODO: 在此添加控件通知处理程序代码
}