逆向第一課,找個單機遊戲,改數據玩玩。
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File : 植物大戰殭屍修改器.py
# Author: DaShenHan&道長-----先苦後甜,任憑晚風拂柳顏------
# Date : 2019/12/28
import win32gui
import win32process
import win32api
import ctypes
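# Access rights actually needed to read and patch another process's memory.
# The original requested 0x1F0FFF (PROCESS_ALL_ACCESS), far more than necessary.
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020

handle = win32gui.FindWindow(None, "植物大戰殭屍中文版")
print(handle)
if not handle:
    # FindWindow returns 0 when the window is absent; the original went on to
    # OpenProcess with pid 0 and failed with a less helpful error.
    raise SystemExit("game window not found")
pid = win32process.GetWindowThreadProcessId(handle)[1]
print(pid)
phwnd = win32api.OpenProcess(PROCESS_VM_OPERATION | PROCESS_VM_READ | PROCESS_VM_WRITE, False, pid)
print(phwnd)
kernerl32 = ctypes.windll.kernel32  # already mapped in every process; no hard-coded path needed
print(kernerl32)


def read_long(address):
    """Read a 4-byte signed value at *address* in the game process.

    Returns None when ReadProcessMemory reports failure. The original ignored
    that return value, so a failed read left the buffer at 0 and the next step
    chased a null pointer.
    """
    buf = ctypes.c_long()
    ok = kernerl32.ReadProcessMemory(int(phwnd), address, ctypes.byref(buf), 4, None)
    return buf.value if ok else None


try:
    # Two-level pointer chain from the original script: base -> +0x768 -> +0x5560 (sun value).
    data1 = read_long(0x006A9EC0)
    if data1 is None:
        raise SystemExit("read failed at base pointer")
    print(hex(data1))
    data2 = read_long(data1 + 0x768)
    if data2 is None:
        raise SystemExit("read failed at first pointer")
    print(hex(data2))
    data3 = read_long(data2 + 0x5560)
    if data3 is None:
        raise SystemExit("read failed at sun value")
    print(data3)
    try:
        sun = int(input("請輸入你要的陽光值:"))
    except ValueError:
        raise SystemExit("please enter an integer") from None
    if not -2**31 <= sun < 2**31:
        # ctypes.c_long would wrap silently; refuse instead of writing a truncated value.
        raise SystemExit("value does not fit in 4 bytes")
    if not kernerl32.WriteProcessMemory(int(phwnd), data2 + 0x5560, ctypes.byref(ctypes.c_long(sun)), 4, None):
        raise SystemExit("write failed")
finally:
    win32api.CloseHandle(phwnd)  # release the process handle even on an early exit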
優化增強版功能:支持熱鍵啓用、無限陽光、無CD。
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# File : 植物大戰殭屍無敵.py
# Author: DaShenHan&道長-----先苦後甜,任憑晚風拂柳顏------
# Date : 2019/12/28
import ctypes
import ctypes.wintypes
import threading
from threading import Thread,activeCount, enumerate
from time import sleep

import win32api
import win32con
import win32gui
import win32process
# Handle to kernel32.dll; ReadProcessMemory/WriteProcessMemory are called through it.
# The misspelled name is kept because every function below refers to it.
kernerl32 = ctypes.windll.LoadLibrary(r"C:\Windows\System32\kernel32.dll")

# Per-cheat on/off switches toggled by the hotkey handlers.
flag_lock = dict(sun_lock=False, cd_lock=False)

h_ids = list(range(2))  # the two hotkey ids registered in Hotkey.run
h_keys = dict.fromkeys(h_ids, False)  # "pressed" flag per hotkey id, all cleared initially
h_dict = {}  # hotkey id -> function to run when that hotkey fires
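def thread_it(func, *args):
    """Run ``func(*args)`` on a new daemon thread and return immediately.

    The thread is a daemon so a still-running worker never blocks interpreter
    exit. Nothing is returned; callers that need the result must use ``args``
    to hand in a container or event.
    """
    # `daemon=` at construction replaces the deprecated setDaemon() call.
    Thread(target=func, args=args, daemon=True).start()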
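class Hotkey(Thread):
    """Thread that owns the global hotkey registrations and their message loop.

    Hotkey ids come from the module-level ``h_ids`` list. When a registered
    hotkey fires (WM_HOTKEY), ``run`` sets ``h_keys[id]``; the dispatcher
    returned by ``callback`` polls those flags and runs ``h_dict[id]`` on a
    separate thread via ``thread_it``.
    """
    user32 = ctypes.windll.user32  # RegisterHotKey/GetMessage live in user32.dll

    def regiskey(self, hwnd=None, flagid=0, fnkey=win32con.MOD_ALT, vkey=win32con.VK_F9):
        """Register one global hotkey (default alt+F9).

        Returns the raw RegisterHotKey result: non-zero on success, 0 when the
        id/combination is already taken.
        """
        return self.user32.RegisterHotKey(hwnd, flagid, fnkey, vkey)

    def callback(self, id, func):
        """Bind *func* to hotkey *id* and return a dispatcher loop for a thread.

        A new id adds an entry to ``h_dict``; an existing id replaces it. The
        returned ``inner`` serves every id in ``h_dict``, not only this one.
        """
        h_dict[id] = func

        def inner():
            for key, value in h_dict.items():
                print(f'總的熱鍵池:{h_ids},當前熱鍵序號:{key}, 當前熱鍵功能:{value},當前熱鍵狀態:{h_keys[h_ids[key]]}')
            while True:
                for key, value in h_dict.items():
                    if h_keys[h_ids[key]]:
                        thread_it(value)  # run the bound function on its own thread
                        h_keys[h_ids[key]] = False
                # The original polled without yielding and pinned one core.
                sleep(0.01)
        return inner

    def run(self):
        """Register the two hotkeys, pump messages until the thread dies, then unregister."""
        # id 0: alt+F9, id 1: F10 (no modifier). Failure is reported but not fatal.
        if not self.regiskey(None, h_ids[0], win32con.MOD_ALT, win32con.VK_F9):
            print(f"熱鍵註冊失敗! id{h_ids[0]}")
        if not self.regiskey(None, h_ids[1], 0, win32con.VK_F10):
            print(f"熱鍵註冊失敗! id{h_ids[1]}")
        try:
            msg = ctypes.wintypes.MSG()
            while True:
                ret = self.user32.GetMessageA(ctypes.byref(msg), None, 0, 0)
                if ret == -1:
                    # GetMessage reports an error as -1; the original's `!= 0`
                    # test treated that as a message and processed a stale MSG.
                    break
                if ret == 0:
                    continue
                if msg.message == win32con.WM_HOTKEY and msg.wParam in h_ids:
                    h_keys[msg.wParam] = True
                self.user32.TranslateMessage(ctypes.byref(msg))
                self.user32.DispatchMessageA(ctypes.byref(msg))
        finally:
            # Hotkeys must be released, or the next run's RegisterHotKey for the
            # same id/combination fails. If the process dies without reaching
            # this, pick a different key combination for the next attempt.
            for i in h_ids:
                self.user32.UnregisterHotKey(None, i)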
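def modSwitch(flag, msg):
    """Toggle ``flag_lock[flag]`` and print the new state labelled with *msg*.

    Raises KeyError when *flag* is not a key of ``flag_lock``.
    """
    # Mutating the module-level dict in place needs no `global` statement.
    new_state = not flag_lock[flag]
    flag_lock[flag] = new_state
    print(f"{msg}已開啓" if new_state else f"{msg}已關閉")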
def sunSwith():
    """Hotkey handler for id 0 (alt+F9): toggle the sun lock."""
    modSwitch(flag="sun_lock", msg="鎖陽光")
def cdSwith():
    """Hotkey handler for id 1 (F10): toggle the no-cooldown cheat."""
    modSwitch(flag="cd_lock", msg="無CD")
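def hotkey_init():
    """Start the Hotkey message-loop thread and the dispatcher for both toggles."""
    hotkey = Hotkey()
    hotkey.start()
    hotkey.callback(0, sunSwith)  # id 0 -> alt+F9 (registered in Hotkey.run)
    dispatcher = hotkey.callback(1, cdSwith)  # id 1 -> F10; the returned loop serves every id
    thread_it(dispatcher)
    sleep(0.5)  # give both threads a moment to come up before reporting
    # threading.active_count()/enumerate() avoid the deprecated activeCount alias
    # and the builtin `enumerate` shadowed by this file's `from threading import`.
    count = threading.active_count()
    print(f"當前總線程數量:{count}")
    print('當前線程列表:', threading.enumerate())
    print('熱鍵註冊初始化完畢,組合鍵alt+F9 無限陽光開關 F10 無CD開關')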
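def main():
    """Start the hotkey threads, then apply whichever cheats are enabled every 0.1 s."""
    hotkey_init()
    # Reading and patching the game's memory needs only the three VM rights;
    # the original opened the process with 0x1F0FFF (PROCESS_ALL_ACCESS).
    access = win32con.PROCESS_VM_READ | win32con.PROCESS_VM_WRITE | win32con.PROCESS_VM_OPERATION
    while True:
        # Skip the window lookup and OpenProcess entirely while nothing is enabled;
        # the original opened a fresh process handle on every tick regardless.
        if flag_lock["sun_lock"] or flag_lock["cd_lock"]:
            handle = win32gui.FindWindow(None, "植物大戰殭屍中文版")  # window handle
            if handle:
                pid = win32process.GetWindowThreadProcessId(handle)[1]  # owning process id
                phwnd = win32api.OpenProcess(access, False, pid)
                try:
                    if flag_lock["sun_lock"]:
                        sunMod(phwnd)
                    if flag_lock["cd_lock"]:
                        cdMod(phwnd)
                finally:
                    win32api.CloseHandle(phwnd)  # explicit release rather than relying on GC
        sleep(0.1)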
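def _read_long(phwnd, address):
    """Read a 4-byte signed value at *address* in the target process.

    Returns None when ReadProcessMemory reports failure. Its return value is the
    only success signal; on failure the buffer keeps its zero default, which the
    original code then used as a pointer.
    """
    buf = ctypes.c_long()
    ok = kernerl32.ReadProcessMemory(int(phwnd), address, ctypes.byref(buf), 4, None)
    return buf.value if ok else None


def _game_object(phwnd):
    """Follow the pointer chain base -> +0x768 shared by sunMod and cdMod.

    Returns the second-level pointer, or None when either read fails. The
    addresses are the ones from the original script and are presumably tied
    to the game build the author used.
    """
    base = _read_long(phwnd, 0x006A9EC0)
    if base is None:
        return None
    return _read_long(phwnd, base + 0x768)


def sunMod(phwnd, sun_num=9999):
    """Print the current sun value and overwrite it with *sun_num*.

    Does nothing when any read in the pointer chain fails, instead of writing
    through a null pointer as the original did.
    """
    obj = _game_object(phwnd)
    if obj is None:
        return
    current = _read_long(phwnd, obj + 0x5560)
    if current is None:
        return
    print(f"\r陽光值:{current}", end="")
    # c_long wraps values outside the 32-bit range silently.
    kernerl32.WriteProcessMemory(int(phwnd), obj + 0x5560, ctypes.byref(ctypes.c_long(int(sun_num))), 4, None)


def cdMod(phwnd):
    """Set the cooldown of seed slots 0-9 to 1 (2-byte write per slot, stride 0x50).

    Does nothing when any read in the pointer chain fails.
    """
    obj = _game_object(phwnd)
    if obj is None:
        return
    slots = _read_long(phwnd, obj + 0x144)
    if slots is None:
        return
    for i in range(10):
        kernerl32.WriteProcessMemory(int(phwnd), slots + 0x70 + 0x50 * i, ctypes.byref(ctypes.c_long(1)), 2, None)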
if __name__ == '__main__':
    main()  # entry point; only runs when executed as a script, not on import