C# 操作地址 从内存中读取写入数据(初级)
程序员文章站
2023-11-02 13:54:10
本示例以植物大战僵尸为例, 实现功能为 每1秒让阳光刷新为 9999.本示例使用的游戏版本为 [植物大战僵尸2010年度版], 使用的辅助查看内存地址的工具是 CE. 由于每次启动游戏, 游戏中阳光地址都是变的, 唯一不变的基址1, 我们要通过CE工具找到基址1的地址, 可以算出阳光的地址. 基址2 ......
本示例以植物大战僵尸为例, 实现功能为 每1秒让阳光刷新为 9999.本示例使用的游戏版本为 [植物大战僵尸2010年度版], 使用的辅助查看内存地址的工具是 ce.
由于每次启动游戏, 游戏中阳光地址都是变的, 唯一不变的基址1, 我们要通过ce工具找到基址1的地址, 可以算出阳光的地址.
基址2的地址 = 基址1中的值 + 偏移1;
阳光的的地址 = 基址2中的值 + 偏移2;
以下为简单示例: 窗口界面一个按钮 和 一个定时器
using system;
using system.collections.generic;
using system.componentmodel;
using system.data;
using system.drawing;
using system.linq;
using system.text;
using system.windows.forms;
using system.runtime.interopservices;
using system.diagnostics;
namespace zhiwudazhanjiangshi
{
public partial class form1 : form
{
public form1()
{
initializecomponent();
}
#region api
//从指定内存中读取字节集数据
[dllimportattribute("kernel32.dll", entrypoint = "readprocessmemory")]
public static extern bool readprocessmemory(intptr hprocess,intptr lpbaseaddress,intptr lpbuffer,int nsize,intptr lpnumberofbytesread);
//从指定内存中写入字节集数据
[dllimportattribute("kernel32.dll", entrypoint = "writeprocessmemory")]
public static extern bool writeprocessmemory(intptr hprocess,intptr lpbaseaddress,int[] lpbuffer,int nsize, intptr lpnumberofbyteswritten );
//打开一个已存在的进程对象,并返回进程的句柄
[dllimportattribute("kernel32.dll", entrypoint = "openprocess")]
public static extern intptr openprocess(int dwdesiredaccess, bool binherithandle, int dwprocessid);
//关闭一个内核对象。其中包括文件、文件映射、进程、线程、安全和同步对象等。
[dllimport("kernel32.dll")]
private static extern void closehandle(intptr hobject);
#endregion
#region 使用方法
//根据进程名获取pid
public static int getpidbyprocessname(string processname)
{
process[] arrayprocess = process.getprocessesbyname(processname);
foreach (process p in arrayprocess)
{
return p.id;
}
return 0;
}
//读取内存中的值
public static int readmemoryvalue(int baseaddress, string processname)
{
try
{
byte[] buffer = new byte[4];
//获取缓冲区地址
intptr byteaddress = marshal.unsafeaddrofpinnedarrayelement(buffer, 0);
//打开一个已存在的进程对象 0x1f0fff 最高权限
intptr hprocess = openprocess(0x1f0fff, false, getpidbyprocessname(processname));
//将制定内存中的值读入缓冲区
readprocessmemory(hprocess, (intptr)baseaddress, byteaddress, 4, intptr.zero);
//关闭操作
closehandle(hprocess);
//从非托管内存中读取一个 32 位带符号整数。
return marshal.readint32(byteaddress);
}
catch
{
return 0;
}
}
//将值写入指定内存地址中
public static void writememoryvalue(int baseaddress, string processname, int value)
{
try
{
//打开一个已存在的进程对象 0x1f0fff 最高权限
intptr hprocess = openprocess(0x1f0fff, false, getpidbyprocessname(processname));
//从指定内存中写入字节集数据
writeprocessmemory(hprocess, (intptr)baseaddress, new int[] { value }, 4, intptr.zero);
//关闭操作
closehandle(hprocess);
}
catch { }
}
#endregion
//游戏内存基址
private int baseaddress = 0x0015e944;
//游戏进程名字
private string processname = "plantsvszombies";
//开启/关闭 功能 的按钮
private void button1_click(object sender, eventargs e)
{
if (getpidbyprocessname(processname) == 0)
{
messagebox.show("游戏没有运行!");
return;
}
if (button1.text == "开启")
{
button1.text = "关闭";
timer1.enabled = true;
}
else
{
button1.text = "开启";
timer1.enabled = false;
}
}
//定时器
private void timer1_tick(object sender, eventargs e)
{
if (getpidbyprocessname(processname) == 0)
{
timer1.enabled = false;
}
//baseaddress : 游戏内存基址 processname : 游戏进程名
//读取 基址1 中存放的值
int address = readmemoryvalue(baseaddress, processname);
//计算 基址2的地址 = 基址1中的值 + 偏移量1
address = address + 0x868;
//读取 基址2 中存放的值
address = readmemoryvalue(address, processname);
//计算 阳光的地址 = 基址2中的值 + 偏移量2
address = address + 0x5578;
//给阳光地址中写入数值,0x378 : 888
writememoryvalue(address, processname, 0x378);
}
}
}
下面增加了一个刷新金币的示例 (注意, 金币值是界面的金币输 除以 10 , 我们刷100 在界面里面显示为1000)
private void button2_click(object sender, eventargs e)
{
if (getpidbyprocessname(processname) == 0)
{
messagebox.show("游戏没有运行!");
return;
}
//baseaddress : 游戏内存基址 processname : 游戏进程名
//读取 基址1 中存放的值
int address = readmemoryvalue(baseaddress, processname);
//计算 基址2的地址 = 基址1中的值 + 偏移量1
address = address + 0x950;
//读取 基址2 中存放的值
address = readmemoryvalue(address, processname);
//计算 阳光的地址 = 基址2中的值 + 偏移量2
address = address + 0x50;
//给阳光地址中写入数值,0x378 : 888
writememoryvalue(address, processname, getint(textbox2.text));
}
private int getint(string s)
{
int n = 0;
int.tryparse(s, out n);
if (n <= 0)
{
n = 100;
}
return n;
}
今天又增加了无植物无冷却时间的功能
int count = 0;
private void form1_load(object sender, eventargs e)
{
if (getpidbyprocessname(processname) != 0)
{
int address = readmemoryvalue(baseaddress, processname);
address = address + 0x868;
address = readmemoryvalue(address, processname);
address = address + 0x15c;
address = readmemoryvalue(address, processname);
address = address + 0x24;
address = readmemoryvalue(address, processname);
count = address;
label3.text = "植物栏个数: " + address.tostring() + " 个";
}
}
private void timer2_tick(object sender, eventargs e)
{
if (getpidbyprocessname(processname) == 0)
{
timer2.enabled = false;
}
if (count > 0)
{
for (int i = 0; i < count; i++)
{
int address = readmemoryvalue(baseaddress, processname);
address = address + 0x868;//一级地址
address = readmemoryvalue(address, processname);
address = address + 0x15c;//二级地址
address = readmemoryvalue(address, processname);
address = address + 0x4c;//第一栏 植物的地址
// 每后一个植物 地址 偏移 50 (在十进制里是80)
//偏移 0x24 的地址 是标示是否在冷却中 值 :( 0 : 为冷却中, 1 为冷却完成)
address = address + 80 * i + 0x24;
writememoryvalue(address, processname, 1);
//如果不偏移 0x24 的地址为冷却时间地址, 值不确定, 一般最大设为6000 也可以完成此功能
//address = address + 80 * i;
//writememoryvalue(address, processname, 6000);
}
}
else
{
int address = readmemoryvalue(baseaddress, processname);
address = address + 0x868;
address = readmemoryvalue(address, processname);
address = address + 0x15c;
address = readmemoryvalue(address, processname);
address = address + 0x24;
address = readmemoryvalue(address, processname);
count = address;
label3.text = "植物栏个数: " + address.tostring() + " 个";
}
}
private void button3_click(object sender, eventargs e)
{
if (getpidbyprocessname(processname) == 0)
{
messagebox.show("游戏没有运行!");
return;
}
if (button3.text == "有冷却")
{
button3.text = "无冷却";
timer2.enabled = true;
}
else
{
button3.text = "有冷却";
timer2.enabled = false;
}
}
转自:https://blog.csdn.net/changblade/article/details/82027440
上一篇: python绘制多个曲线的折线图
下一篇: 使goroutine同步的方法总结