发表评论
◎欢迎参与讨论,请在这里发表您的看法、交流您的观点。
RSS订阅优然探索
C# 红色警戒2无限金钱+电力负载 外挂源码示例
如有转载请注明出处:http://www.cnblogs.com/flydoos/archive/2012/01/19/2326149.html
C# 红色警戒2无限金钱+电力负载 外挂源码示例
背景说明:
这几天放假,在家闲着没事做(有正事但是也不想做),于是乎,就玩起了多年前的游戏——红色警戒2!但是不知为啥,几年没玩,现在如此生疏~~和电脑对战 1 VS 7 居然打不赢,蛋疼了。刚把基地建好,7个国家就同时进攻,一下子把我K掉了。
“我不服”,所以就想动手写一个辅助工具了。其实,现在说这个教程没啥意义。因为多年前我也写过这个小工具,只是当初不是用C#写的,反正闲着没事,今天就用C#写一个吧。写得不好的地方,希望大家指出来,谢谢。
存在问题:
不知道为啥修改了电力之后,在游戏中也显示被修改了,但是实际上依然会提示“电力不足”。修改后的电力,只对“爱国者飞弹、光稜塔”之类的有效,但是对于其他建筑物是无效的。
有人说是没有找对基址。但是我对CE也不太熟悉,搞了很久没解决。希望有人能解释下,为什么无法改电力(不是负载)。
2012-01-21 14:22 更新
今天,又花了几个小时去研究上次的“电力负载”问题,嘻嘻,皇天不负有心人。这次已经搞定了,现在已经可以实现 无限电力+无限金钱。 上次的那个基址也是正确的,但是不能直接写内存去修改,而是要NOP,大家只要在上次的基础上,增加以下代码就行:
Helper.WriteMemoryValue(0x004F2D9B, ProcessName, -1869574000);
Helper.WriteMemoryValue(0x004F2D9C, ProcessName, -1869574000);
Helper.WriteMemoryValue(0x004F2D9D, ProcessName, -1869574000);
Helper.WriteMemoryValue(0x004F2D9E, ProcessName, -1953460080);
Helper.WriteMemoryValue(0x004F2DA0, ProcessName, -1743418480);
Helper.WriteMemoryValue(0x004F2D9C, ProcessName, -1869574000);
Helper.WriteMemoryValue(0x004F2D9D, ProcessName, -1869574000);
Helper.WriteMemoryValue(0x004F2D9E, ProcessName, -1953460080);
Helper.WriteMemoryValue(0x004F2DA0, ProcessName, -1743418480);
完整源码:
// Program.cs
using System;
using System.Threading;
/*
*
* 作者:牛A与牛C之间
* Q Q:1046559384 C#/Java技术交流群:96020642
* 微博:http://weibo.com/flydoos
* 博客:http://www.cnblogs.com/flydoos
* 日期:2012-01-19
*
* 金钱:0x00A35DB4 + 0x24C
* 负载:0x00A35DB4 + 0x52D4
*
*/
namespace RedAlert2
{
class Program
{
private const int BaseAddress = 0x00A35DB4;
private const string ProcessName = "GAME";
static void Main()
{
while (true)
{
if (Helper.GetPidByProcessName(ProcessName) == 0)
{
Console.WriteLine("对不起,您还没有启动红色警戒Ⅱ游戏!");
Console.Read();
return;
}
var moneyAddress = Helper.ReadMemoryValue(BaseAddress, ProcessName) + 0x24C;
Helper.WriteMemoryValue(moneyAddress, ProcessName, 999999999);
Console.WriteLine(DateTime.Now + ":" + Helper.ReadMemoryValue(moneyAddress, ProcessName));
Thread.Sleep(1000);
}
}
}
}
// Helper.cs
using System;
using System.Diagnostics;
using System.Runtime.InteropServices;
{
public abstract class Helper
{
#region API
[DllImport("kernel32.dll")]
public static extern bool ReadProcessMemory
(
IntPtr hProcess,
IntPtr lpBaseAddress,
IntPtr lpBuffer,
int nSize,
IntPtr lpNumberOfBytesRead
);
[DllImportAttribute("kernel32.dll")]
public static extern bool WriteProcessMemory
(
IntPtr hProcess,
IntPtr lpBaseAddress,
int[] lpBuffer,
int nSize,
IntPtr lpNumberOfBytesWritten
);
[DllImportAttribute("kernel32.dll")]
public static extern IntPtr OpenProcess
(
int dwDesiredAccess,
bool bInheritHandle,
int dwProcessId
);
[DllImport("kernel32.dll")]
private static extern void CloseHandle
(
IntPtr hObject
);
#endregion
#region 方法
/// <summary>
/// 根据窗口标题获取PID
/// </summary>
/// <param name="windowTitle">窗口标题</param>
/// <returns></returns>
public static int GetPidByTitle(string windowTitle)
{
int rs = 0;
Process[] arrayProcess = Process.GetProcesses();
foreach (Process p in arrayProcess)
{
if (p.MainWindowTitle.IndexOf(windowTitle) != -1)
{
rs = p.Id;
break;
}
}
return rs;
}
/// <summary>
/// 根据进程名获取PID
/// </summary>
/// <param name="processName">进程名字</param>
/// <returns></returns>
public static int GetPidByProcessName(string processName)
{
Process[] arrayProcess = Process.GetProcessesByName(processName);
foreach (Process p in arrayProcess)
{
return p.Id;
}
return 0;
}
/// <summary>
/// 根据窗口标题查找窗口句柄
/// </summary>
/// <param name="title">窗口标题</param>
/// <returns></returns>
public static IntPtr FindWindow(string title)
{
Process[] ps = Process.GetProcesses();
foreach (Process p in ps)
{
if (p.MainWindowTitle.IndexOf(title) != -1)
{
return p.MainWindowHandle;
}
}
return IntPtr.Zero;
}
/// <summary>
/// 读取内存中的值
/// </summary>
/// <param name="baseAddress">地址</param>
/// <param name="processName">进程名</param>
/// <returns></returns>
public static int ReadMemoryValue(int baseAddress, string processName)
{
try
{
var buffer = new byte[4];
IntPtr byteAddress = Marshal.UnsafeAddrOfPinnedArrayElement(buffer, 0); //获取缓冲区地址
IntPtr hProcess = OpenProcess(0x1F0FFF, false, GetPidByProcessName(processName));
ReadProcessMemory(hProcess, (IntPtr) baseAddress, byteAddress, 4, IntPtr.Zero); //将制定内存中的值读入缓冲区
CloseHandle(hProcess);
return Marshal.ReadInt32(byteAddress);
}
catch
{
return 0;
}
}
/// <summary>
/// 将值写入指定内存地址中
/// </summary>
/// <param name="baseAddress">地址</param>
/// <param name="processName">进程名</param>
/// <param name="value"></param>
public static void WriteMemoryValue(int baseAddress, string processName, int value)
{
IntPtr hProcess = OpenProcess(0x1F0FFF, false, GetPidByProcessName(processName)); //0x1F0FFF 最高权限
WriteProcessMemory(hProcess, (IntPtr) baseAddress, new[] {value}, 4, IntPtr.Zero);
CloseHandle(hProcess);
}
#endregion
}
}
运行界面:
