1.通过CE找出基址和偏移:先通过改变子弹数量找到子弹的动态地址,然后开枪,查看是谁写入了该地址的内存;如果看到形如 ESI+CC 的访问,就接着搜索十六进制值 0590C250(即当时ESI中的值),重复这一步骤,直至找到绿色显示的静态基址。
2.接下来在CE中按 基址 → 一级偏移 → 二级偏移 → 三级偏移 逐层取值,验证最终地址显示的是否就是子弹数目。注意基址和偏移与具体游戏版本绑定,换了版本需要重新查找。
3.编写代码(C++,使用Win32 API;指针链按4字节读取,因此需编译为32位程序)
#include <Windows.h>
#include <stdio.h>
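/*
 * Read one 32-bit value at `addr` inside the target process.
 *
 * Returns FALSE when ReadProcessMemory fails or returns fewer bytes than
 * requested; `*out` is only written on success. The pointer chain below is
 * made of 4-byte pointers, so this (and the tool as a whole) only makes
 * sense when built as a 32-bit program targeting a 32-bit game process.
 */
static BOOL read_dword(HANDLE hProcess, DWORD addr, DWORD *out)
{
    SIZE_T got = 0;
    DWORD tmp = 0;

    if (!ReadProcessMemory(hProcess, (LPCVOID)(ULONG_PTR)addr, &tmp, sizeof tmp, &got)
        || got != sizeof tmp) {
        return FALSE;
    }
    *out = tmp;
    return TRUE;
}

/*
 * Infinite-ammo trainer for the "Counter-Strike" window.
 *
 * Resolves the ammo counter through the pointer chain found with Cheat
 * Engine (base -> +0x7C -> +0x5D8 -> +0xCC), then polls it once per second
 * and writes 100 back whenever it drops below 10.
 *
 * Returns -1 when the game window is not found, the process cannot be
 * opened, or any memory access fails; otherwise it loops until killed.
 */
int main()
{
    /* Find the game window and turn it into a process id. */
    HWND hGame = FindWindowW(NULL, L"Counter-Strike");
    DWORD dwPID = 0;
    if (hGame != NULL) {
        GetWindowThreadProcessId(hGame, &dwPID);
    }
    if (dwPID == 0) {
        printf("获取PID失败,请先开启游戏\n");
        return -1;
    }

    /*
     * Least privilege: read/write/operation are all ReadProcessMemory and
     * WriteProcessMemory need. PROCESS_ALL_ACCESS is not required and is
     * more likely to be denied by the OS or flagged by AV/anti-cheat.
     */
    HANDLE hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_VM_WRITE | PROCESS_VM_OPERATION,
                                  FALSE, dwPID);
    if (hProcess == NULL) {
        printf("打开进程失败,错误码:%lu\n", GetLastError());
        return -1;
    }

    /* Pointer chain from Cheat Engine; specific to the game build it was found on. */
    const DWORD zidanBaseAddress   = 0x021754DC; /* static base */
    const DWORD zidanOffsetFirst   = 0x7C;       /* 1st level offset */
    const DWORD zidaneOffsetSecond = 0x5D8;      /* 2nd level offset */
    const DWORD zidaneOffsetThird  = 0xCC;       /* 3rd level offset */

    /* Walk the chain; abort instead of dereferencing a failed (zero) read. */
    DWORD level1 = 0, level2 = 0, level3 = 0;
    if (!read_dword(hProcess, zidanBaseAddress, &level1)
        || !read_dword(hProcess, level1 + zidanOffsetFirst, &level2)
        || !read_dword(hProcess, level2 + zidaneOffsetSecond, &level3)) {
        printf("读取指针链失败,错误码:%lu\n", GetLastError());
        CloseHandle(hProcess);
        return -1;
    }
    const DWORD zidanAddress = level3 + zidaneOffsetThird; /* address of the ammo counter */
    const DWORD zidanNum2 = 100;                           /* value written when ammo runs low */

    /* Prove the final address is readable before announcing success. */
    DWORD zidanNum = 0;
    if (!read_dword(hProcess, zidanAddress, &zidanNum)) {
        printf("读取子弹数目失败,错误码:%lu\n", GetLastError());
        CloseHandle(hProcess);
        return -1;
    }
    printf("无限子弹开启成功\n");

    for (;;) {
        if (!read_dword(hProcess, zidanAddress, &zidanNum)) {
            printf("读取子弹数目失败,错误码:%lu\n", GetLastError());
            break;
        }
        if (zidanNum < 10
            && !WriteProcessMemory(hProcess, (LPVOID)(ULONG_PTR)zidanAddress,
                                   &zidanNum2, sizeof zidanNum2, NULL)) {
            printf("写入子弹数目失败,错误码:%lu\n", GetLastError());
            break;
        }
        /* DWORD is unsigned long on Windows; %d was a format/type mismatch. */
        printf("当前子弹数目:%lu\n", (unsigned long)zidanNum);
        Sleep(1000); /* polling interval in milliseconds */
    }

    /* Only reached on a failed read/write. */
    CloseHandle(hProcess);
    return -1;
}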
运行效果:当子弹数小于10时会自动改为100(Sleep(1000)是两次检测之间的间隔,单位为毫秒)。