• Steam游戏《Automachef(自动化厨房)》修改器制作


    日期:2020.12.01

    博客期:179

    星期二

      【温馨提示】:

          我现在把资源先放到开头,不想研究学习的就直接取用。如果修改器失效了,你们可以在博客园本页直接评论,也可以给我发邮件告诉我,就是不要到百度云上去说了,百度云我好久不登录一次的!大家给我发邮件的话,记得要注明是哪个游戏,内容当然是越详细越好啦!邮箱地址:nightskysxs@163.com

    资源下载表
    没有博客园账号的网友

    百度网盘下载链接https://pan.baidu.com/s/13C0fTDCqb6ipP6XeOjqv1g

    提取码:auto

    GitHub 下载地址 https://github.com/TwoStarsGodNightSky/GameTrainer

    有博客园账号的网友 版本 CT文件 修改器
    1.1.0|0|380 点我下载 点我下载

      博客防爬取部分:https://www.cnblogs.com/onepersonwholive/p/14065841.html

      前言

        好吧,我直到前几天才知道原来还有 AOB 注入的方法,早知道这么实用就先学这个了(就好像学了很多深入的以后才回去补基础)。这个游戏和 Steam 里的《Rabi-Rabi》一样有一定的调试器监视,不能使用 Cheat Engine 的 Windows 调试器,可以在设置里改选 VEH 调试器。不过,还有 20 多天考研,我呢也就是兴致来了做一做,给自己开一个新坑。这篇文章估计用于学习的价值很低,也就算一个新的研究实例,可以自行取用修改器和 CT 表。

      修改内容

        1、POWER CONSUMPTION UNLIMITED(无限电量消耗)

          

         如上图,“movss [rdi+30],xmm5” 是给 power 赋值的语句。可以活用之前的地址,搜索改写调试。进而找到语句 AOB 注入即可。(电量是单浮点类型的值,可以自行搜索)

         PS: 以 "UnityPlayer.dll"+014D6F20 为基址,依次加上偏移 +100 +30 +158 +10 +30(指针链)可以找到该值

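     { Game   : Automachef.exe
       Version: 
       Date   : 2020-11-30
       Author : dell

       Power consumption: the single store "movss [rdi+30],xmm5" is replaced
       by a jump to a code cave that returns immediately, so the value at
       [rdi+30] is no longer updated by this code path while the script is
       enabled.
     }

     [ENABLE]
     // The patch site is found by byte pattern. The addresses in the dump at
     // the bottom are absolute (2B7...) rather than module-relative, so they
     // are presumably only valid for the session they were captured in.
     aobscan(POWER_CONSUMPTION,F3 0F 11 6F 30 48 8B) // should be unique

     // Ask for the cave next to the scan result instead of next to a
     // hard-coded address from an earlier session. If the cave is not within
     // rel32 range of the patch site, "jmp newmem" cannot be encoded in the
     // 5 bytes being replaced and would spill into the following instruction.
     alloc(newmem,$1000,POWER_CONSUMPTION)

     label(return)

     newmem:
       // original instruction deliberately not executed: movss [rdi+30],xmm5
       jmp return

     POWER_CONSUMPTION:
       jmp newmem        // 5 bytes, same length as the replaced movss
     return:
     registersymbol(POWER_CONSUMPTION)

     [DISABLE]
     // Put back the five original bytes of "movss [rdi+30],xmm5".
     POWER_CONSUMPTION:
       db F3 0F 11 6F 30

     unregistersymbol(POWER_CONSUMPTION)
     dealloc(newmem)

     {
     // ORIGINAL CODE - INJECTION POINT: 2B7859D711B

     2B7859D70EE: F3 0F 10 08                    -  movss xmm1,[rax]
     2B7859D70F2: F3 0F 5A C9                    -  cvtss2sd xmm1,xmm1
     2B7859D70F6: F3 0F 10 55 E8                 -  movss xmm2,[rbp-18]
     2B7859D70FB: F3 0F 5A D2                    -  cvtss2sd xmm2,xmm2
     2B7859D70FF: F3 0F 10 1D C9 00 00 00        -  movss xmm3,[2B7859D71D0]
     2B7859D7107: F3 0F 5A DB                    -  cvtss2sd xmm3,xmm3
     2B7859D710B: F2 0F 5E D3                    -  divsd xmm2,xmm3
     2B7859D710F: F2 0F 59 CA                    -  mulsd xmm1,xmm2
     2B7859D7113: F2 0F 58 C1                    -  addsd xmm0,xmm1
     2B7859D7117: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
     // ---------- INJECTING HERE ----------
     2B7859D711B: F3 0F 11 6F 30                 -  movss [rdi+30],xmm5
     // ---------- DONE INJECTING  ----------
     2B7859D7120: 48 8B 47 10                    -  mov rax,[rdi+10]
     2B7859D7124: 48 63 4F 38                    -  movsxd  rcx,dword ptr [rdi+38]
     2B7859D7128: 48 63 C9                       -  movsxd  rcx,ecx
     2B7859D712B: 39 48 18                       -  cmp [rax+18],ecx
     2B7859D712E: 0F 86 7A 00 00 00              -  jbe 2B7859D71AE
     2B7859D7134: 48 8D 44 88 20                 -  lea rax,[rax+rcx*4+20]
     2B7859D7139: F3 0F 10 00                    -  movss xmm0,[rax]
     2B7859D713D: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
     2B7859D7141: F3 0F 10 4D E8                 -  movss xmm1,[rbp-18]
     2B7859D7146: F3 0F 5A C9                    -  cvtss2sd xmm1,xmm1
     }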
    POWER CONSUMPTION UNLIMITED

        2、POWER RATE UNLIMITED(无限功率)

        功率是一个单浮点类型的值,如果你搜索的话会找到很多值,没有关系,在此搜索两次以后的值基本都可以用,选择改写调试。找到带 addsd xmm0,xmm1 的一句,因为只有这个是引起它变化的原因(增加方面)。

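     { Game   : Automachef.exe
       Version: 
       Date   : 2020-11-30
       Author : dell

       Power rate: the pair "addsd xmm0,xmm1 / cvtsd2ss xmm5,xmm0" is replaced
       by a jump to a code cave that performs only the conversion, so the
       value later stored by "movss [rax],xmm5" is written back without the
       increment.

       NOTE(review): the symbol is named PRESTIGE although the article
       presents this script as the power-rate entry. The name is kept so that
       anything referring to the registered symbol still resolves.
     }

     [ENABLE]
     // The patch site is found by byte pattern. The addresses in the dump at
     // the bottom are absolute (2B7...) rather than module-relative, so they
     // are presumably only valid for the session they were captured in.
     aobscan(PRESTIGE,F2 0F 58 C1 F2 0F 5A E8 F3 0F 11 28 0F) // should be unique

     // Ask for the cave next to the scan result instead of next to a
     // hard-coded address from an earlier session. If the cave is not within
     // rel32 range of the patch site, "jmp newmem" cannot be encoded in 5
     // bytes and the fixed nop padding below would no longer line up.
     alloc(newmem,$1000,PRESTIGE)

     label(return)

     newmem:
       // "addsd xmm0,xmm1" is deliberately left out; the conversion is kept
       // because the instruction after the patch reads xmm5.
       cvtsd2ss xmm5,xmm0
       jmp return

     PRESTIGE:
       jmp newmem        // 5 bytes
       nop               // 3 bytes of padding: the two replaced instructions
       nop               // occupy 8 bytes in total
       nop
     return:
     registersymbol(PRESTIGE)

     [DISABLE]
     // Put back the eight original bytes (addsd + cvtsd2ss).
     PRESTIGE:
       db F2 0F 58 C1 F2 0F 5A E8

     unregistersymbol(PRESTIGE)
     dealloc(newmem)

     {
     // ORIGINAL CODE - INJECTION POINT: 2B7859D714A

     2B7859D7120: 48 8B 47 10                    -  mov rax,[rdi+10]
     2B7859D7124: 48 63 4F 38                    -  movsxd  rcx,dword ptr [rdi+38]
     2B7859D7128: 48 63 C9                       -  movsxd  rcx,ecx
     2B7859D712B: 39 48 18                       -  cmp [rax+18],ecx
     2B7859D712E: 0F 86 7A 00 00 00              -  jbe 2B7859D71AE
     2B7859D7134: 48 8D 44 88 20                 -  lea rax,[rax+rcx*4+20]
     2B7859D7139: F3 0F 10 00                    -  movss xmm0,[rax]
     2B7859D713D: F3 0F 5A C0                    -  cvtss2sd xmm0,xmm0
     2B7859D7141: F3 0F 10 4D E8                 -  movss xmm1,[rbp-18]
     2B7859D7146: F3 0F 5A C9                    -  cvtss2sd xmm1,xmm1
     // ---------- INJECTING HERE ----------
     2B7859D714A: F2 0F 58 C1                    -  addsd xmm0,xmm1
     2B7859D714E: F2 0F 5A E8                    -  cvtsd2ss xmm5,xmm0
     // ---------- DONE INJECTING  ----------
     2B7859D7152: F3 0F 11 28                    -  movss [rax],xmm5
     2B7859D7156: 0F B6 46 20                    -  movzx eax,byte ptr [rsi+20]
     2B7859D715A: 85 C0                          -  test eax,eax
     2B7859D715C: 0F 85 25 00 00 00              -  jne 2B7859D7187
     2B7859D7162: 48 8B 47 28                    -  mov rax,[rdi+28]
     2B7859D7166: 48 8B C8                       -  mov rcx,rax
     2B7859D7169: 48 8B D6                       -  mov rdx,rsi
     2B7859D716C: 83 38 00                       -  cmp dword ptr [rax],00
     2B7859D716F: 48 8D AD 00 00 00 00           -  lea rbp,[rbp+00000000]
     2B7859D7176: 49 BB 10 CD 11 F1 B7 02 00 00  -  mov r11,000002B7F111CD10
     }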
    POWER RATE UNLIMITED

         3、PRESTIGE UNLIMITED(无限声望)

        声望就是 4字节 的整数,100% 的时候直接搜 100 就行。

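     { Game   : Automachef.exe
       Version: 
       Date   : 2020-11-30
       Author : dell

       Prestige: the store "mov [r15+00000094],eax" that follows
       "sub eax,14" is replaced by a jump to a code cave that returns
       immediately, so that one write-back is skipped.

       NOTE(review): the dump below shows the same store bytes at
       2B785FEE669 and 2B785FEE681 (the latter after "sub eax,32"). The
       trailing "49 8B" in the scan pattern selects only the third store, so
       the other two paths are not patched by this script.
     }

     [ENABLE]
     // The patch site is found by byte pattern. The addresses in the dump at
     // the bottom are absolute (2B7...) rather than module-relative, so they
     // are presumably only valid for the session they were captured in.
     aobscan(FAMAS,41 89 87 94 00 00 00 49 8B) // should be unique

     // Ask for the cave next to the scan result instead of next to a
     // hard-coded address from an earlier session. If the cave is not within
     // rel32 range of the patch site, "jmp newmem" cannot be encoded in 5
     // bytes and the fixed nop padding below would no longer line up.
     alloc(newmem,$1000,FAMAS)

     label(return)

     newmem:
       // original instruction deliberately not executed:
       //   mov [r15+00000094],eax
       jmp return

     FAMAS:
       jmp newmem        // 5 bytes
       nop               // 2 bytes of padding: the replaced mov is 7 bytes
       nop
     return:
     registersymbol(FAMAS)

     [DISABLE]
     // Put back the seven original bytes of "mov [r15+00000094],eax".
     FAMAS:
       db 41 89 87 94 00 00 00

     unregistersymbol(FAMAS)
     dealloc(newmem)

     {
     // ORIGINAL CODE - INJECTION POINT: 2B785FEE694

     2B785FEE669: 41 89 87 94 00 00 00           -  mov [r15+00000094],eax
     2B785FEE670: EB 29                          -  jmp 2B785FEE69B
     2B785FEE672: 83 FE 02                       -  cmp esi,02
     2B785FEE675: 75 13                          -  jne 2B785FEE68A
     2B785FEE677: 49 63 87 94 00 00 00           -  movsxd  rax,dword ptr [r15+00000094]
     2B785FEE67E: 83 E8 32                       -  sub eax,32
     2B785FEE681: 41 89 87 94 00 00 00           -  mov [r15+00000094],eax
     2B785FEE688: EB 11                          -  jmp 2B785FEE69B
     2B785FEE68A: 49 63 87 94 00 00 00           -  movsxd  rax,dword ptr [r15+00000094]
     2B785FEE691: 83 E8 14                       -  sub eax,14
     // ---------- INJECTING HERE ----------
     2B785FEE694: 41 89 87 94 00 00 00           -  mov [r15+00000094],eax
     // ---------- DONE INJECTING  ----------
     2B785FEE69B: 49 8B CF                       -  mov rcx,r15
     2B785FEE69E: BA 01 00 00 00                 -  mov edx,00000001
     2B785FEE6A3: 4C 8B 45 E0                    -  mov r8,[rbp-20]
     2B785FEE6A7: 48 8D AD 00 00 00 00           -  lea rbp,[rbp+00000000]
     2B785FEE6AE: 49 BB 30 E7 FE 85 B7 02 00 00  -  mov r11,000002B785FEE730
     2B785FEE6B8: 41 FF D3                       -  call r11
     2B785FEE6BB: 66 66 90                       -  nop 
     2B785FEE6BE: 49 BB C0 AA 60 8A B7 02 00 00  -  mov r11,000002B78A60AAC0
     2B785FEE6C8: 41 FF D3                       -  call r11
     2B785FEE6CB: 48 89 45 D8                    -  mov [rbp-28],rax
     }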
    PRESTIGE UNLIMITED

        4、MATERIAL UNLIMITED(无限材料)

        材料也是 4字节的整数。

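     { Game   : Automachef.exe
       Version: 
       Date   : 2020-11-30
       Author : dell

       Material: the pair "inc ecx / mov [rax+10],ecx" is replaced by a jump
       to a code cave that performs only the store, so the counter at
       [rax+10] is written back with the value that was just read from it.
     }

     [ENABLE]
     // The patch site is found by byte pattern. The addresses in the dump at
     // the bottom are absolute (2B7...) rather than module-relative, so they
     // are presumably only valid for the session they were captured in.
     aobscan(MATERIAL,FF C1 89 48 10 48 8B) // should be unique

     // Ask for the cave next to the scan result instead of next to a
     // hard-coded address from an earlier session. If the cave is not within
     // rel32 range of the patch site, "jmp newmem" cannot be encoded in the
     // 5 bytes being replaced and would spill into the following instruction.
     alloc(newmem,$1000,MATERIAL)

     label(return)

     newmem:
       // "inc ecx" is deliberately left out; the store is kept.
       mov [rax+10],ecx
       jmp return

     MATERIAL:
       jmp newmem        // 5 bytes = inc ecx (2) + mov [rax+10],ecx (3)
     return:
     registersymbol(MATERIAL)

     [DISABLE]
     // Put back the five original bytes (inc ecx + mov [rax+10],ecx).
     MATERIAL:
       db FF C1 89 48 10

     unregistersymbol(MATERIAL)
     dealloc(newmem)

     {
     // ORIGINAL CODE - INJECTION POINT: 2B7858A2F65

     2B7858A2F38: 48 8B CE                       -  mov rcx,rsi
     2B7858A2F3B: 48 8B D7                       -  mov rdx,rdi
     2B7858A2F3E: 48 8B 06                       -  mov rax,[rsi]
     2B7858A2F41: FF 90 28 02 00 00              -  call qword ptr [rax+00000228]
     2B7858A2F47: 48 8D AD 00 00 00 00           -  lea rbp,[rbp+00000000]
     2B7858A2F4E: 49 BB 50 3B 86 85 B7 02 00 00  -  mov r11,000002B785863B50
     2B7858A2F58: 41 FF D3                       -  call r11
     2B7858A2F5B: 48 8B C8                       -  mov rcx,rax
     2B7858A2F5E: 83 39 00                       -  cmp dword ptr [rcx],00
     2B7858A2F61: 48 63 48 10                    -  movsxd  rcx,dword ptr [rax+10]
     // ---------- INJECTING HERE ----------
     2B7858A2F65: FF C1                          -  inc ecx
     2B7858A2F67: 89 48 10                       -  mov [rax+10],ecx
     // ---------- DONE INJECTING  ----------
     2B7858A2F6A: 48 8B 86 C8 00 00 00           -  mov rax,[rsi+000000C8]
     2B7858A2F71: 48 8B C8                       -  mov rcx,rax
     2B7858A2F74: 33 D2                          -  xor edx,edx
     2B7858A2F76: 83 38 00                       -  cmp dword ptr [rax],00
     2B7858A2F79: 48 8D 64 24 00                 -  lea rsp,[rsp+00]
     2B7858A2F7E: 49 BB B0 23 9E 85 B7 02 00 00  -  mov r11,000002B7859E23B0
     2B7858A2F88: 41 FF D3                       -  call r11
     2B7858A2F8B: 48 63 86 9C 01 00 00           -  movsxd  rax,dword ptr [rsi+0000019C]
     2B7858A2F92: FF C0                          -  inc eax
     2B7858A2F94: 89 86 9C 01 00 00              -  mov [rsi+0000019C],eax
     }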
    MATERIAL UNLIMITED

        5、MONEY COST UNLIMITED(无限金钱)

        我们搜索 4 字节的金钱 cost 值,但是找到的值并不是真实的金钱 cost。所以,我们先看看是什么改写了这个地址。找到的语句改写的只是临时值,所以我们需要向前找:右击“选择函数” ---> 在函数最开始的那一句右击“转到地址” ---> 复制该地址 ---> 选择菜单栏中“搜索”的“查看汇编码”,把地址输入到左边的框 ---> 把右边的起始地址的后 5 位改成 0,点击搜索 ---> 找到 mov r11, xxxx 的一句,之后找到这一句前面的一句 call r11,这一句的上一句给 r11 赋了跳转地址,我们要跳转到那里,之后向下滑动找到 add r15d,eax 一句,把它注释掉(即用 nop 填掉)就可以(目前还不清楚为什么改成 sub 也可以实现)。但是这一项修改需要一直使用,就是只要你启用了,就不要关闭。(亲测在当局关闭以后,再次买下新的器械时会报错)

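     { Game   : Automachef.exe
       Version: 
       Date   : 2020-11-30
       Author : dell

       Money cost: "add r15d,eax" is overwritten in place with three nops, so
       the value in eax is no longer added to r15d on this path.

       Only the 3-byte add is patched. The dump below shows two branches
       ("jmp 2B78A61469C" at 2B78A61467B and "jne 2B78A61469C" at
       2B78A614690) that land on the following "mov rcx,rbp". A 5-byte jump
       written at the add would cover that branch target, and those branches
       would then enter the middle of the jump encoding. Patching in place
       leaves the target intact and needs no code cave.
     }

     [ENABLE]
     // The patch site is found by byte pattern. The addresses in the dump at
     // the bottom are absolute (2B7...) rather than module-relative, so they
     // are presumably only valid for the session they were captured in.
     aobscan(PRICE,44 03 F8 48 8B CD) // should be unique

     PRICE:
       db 90 90 90       // nop x3 over "add r15d,eax"; PRICE+3 is untouched
     registersymbol(PRICE)

     [DISABLE]
     // Put back the three original bytes of "add r15d,eax".
     PRICE:
       db 44 03 F8

     unregistersymbol(PRICE)

     {
     // ORIGINAL CODE - INJECTION POINT: 2B78A614699

     2B78A61466E: 49 BB 80 33 53 8A B7 02 00 00  -  mov r11,000002B78A533380
     2B78A614678: 41 FF D3                       -  call r11
     2B78A61467B: EB 1F                          -  jmp 2B78A61469C
     2B78A61467D: 66 66 90                       -  nop 
     2B78A614680: 48 8B 7D D0                    -  mov rdi,[rbp-30]
     2B78A614684: 48 8B C7                       -  mov rax,rdi
     2B78A614687: 0F B6 80 7C 01 00 00           -  movzx eax,byte ptr [rax+0000017C]
     2B78A61468E: 85 C0                          -  test eax,eax
     2B78A614690: 75 0A                          -  jne 2B78A61469C
     2B78A614692: 48 63 87 6C 01 00 00           -  movsxd  rax,dword ptr [rdi+0000016C]
     // ---------- INJECTING HERE ----------
     2B78A614699: 44 03 F8                       -  add r15d,eax
     2B78A61469C: 48 8B CD                       -  mov rcx,rbp
     // ---------- DONE INJECTING  ----------
     2B78A61469F: 48 83 C1 C0                    -  add rcx,-40
     2B78A6146A3: 49 BA 98 52 45 A1 B7 02 00 00  -  mov r10,000002B7A1455298
     2B78A6146AD: 90                             -  nop 
     2B78A6146AE: 49 BB A0 34 53 8A B7 02 00 00  -  mov r11,000002B78A5334A0
     2B78A6146B8: 41 FF D3                       -  call r11
     2B78A6146BB: 85 C0                          -  test eax,eax
     2B78A6146BD: 75 C1                          -  jne 2B78A614680
     2B78A6146BF: 48 C7 45 B8 00 00 00 00        -  mov qword ptr [rbp-48],00000000
     2B78A6146C7: 48 83 EC 08                    -  sub rsp,08
     2B78A6146CB: E8 1D 00 00 00                 -  call 2B78A6146ED
     }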
    MONEY COST UNLIMITED

      提示:修改器的每一项只有遇到数值变化才可以实现,比如说材料有消耗以后才能实现(原因:执行修改的代码在数值变化以后才可以被找到)

  • 原文地址:https://www.cnblogs.com/onepersonwholive/p/14065841.html