Plants vs. Zombies: automatically collecting sun & coins

1. Automatically collecting sun

The general idea: I assume there is a sun-click function that, when we click a sun, runs a series of operations to increase the sun count. It is only called when we actually click a sun, so somewhere there must be a check that decides whether a sun was clicked. If we find that check, we should be able to collect sun automatically.

Analysis

We can locate the sun-click function first and then look for the check from there. Clicking a sun increases the sun count, so we start by finding the address where the sun count is stored. Attach Cheat Engine (CE) to the game; every time the sun value changes in the game, run an exact-value scan for the current sun count. Once a single address remains, change its value to 999: the sun count in the game changes as well, so this is the address where the sun count is stored.

Right-click the address and choose "Find out what writes to this address". Back in the game, wait for a sun to drop and click it to add sun; an entry appears in the window. Note this address, 0x43C0AF, and use it for analysis in OllyDbg (OD). Close CE first so that OD can attach to the program.

Set a breakpoint at this address in OD; the program breaks when sun is added. The sun value is changed by adding the value of ecx to the current sun value. The current value of ecx is 0x19 (25), which is the value of a large sun.

Execute until return. From the code, the function we just left is the one that increases the sun count when we click a sun. The click check is not here; this function simply increases the sun count once the sun reaches the upper-left corner.

Continue executing outward and set a breakpoint at the top of the enclosing function. Back in the game, the program breaks when we click a sun. After pressing F9 to continue, the game breaks again, but this time the sun has changed: it keeps moving toward the upper-left corner. So this is the sun-click function.

Above the click function there are several jumps, one of which is the crucial jump that decides whether this function is entered. Presumably this is a check on a flag that records what was clicked: if a sun was clicked, the function is entered, otherwise it is not. We can look at this address to see whether it matches our guess.

Find the address that is compared with 0x0 and set a memory breakpoint on it.

Back in the game, click a sun and the program breaks: we can see this address being assigned 1, and when it is compared with 0 the jump is taken.

When we click a plant, the program breaks and we can see the address being assigned 0, so JNZ does not jump. This should be the check on the click flag: only when we click a sun is it set to 1 and the function called. One problem, though, is that sometimes clicking a plant does not break here. Later debugging showed that this is not a check for plants; the value is set to 0 when sun is produced. This is mentioned again below.

The patch is simple: just make this an unconditional jump by changing it to JMP.

2. Automatically clicking coins

With the experience from sun, coins are much easier: again look for the address where the coin count is stored. But the exact-value scan did not find the coin address, so another approach was needed.

Search by the value having decreased instead. Repeatedly scanning for decreased and unchanged values narrowed it down to 4 candidates; changing one of them changed the coin count in the game. The value stored in memory had one fewer 0 than the value displayed in the game. Searching again afterwards showed that the address can be found exactly by scanning for the coin count divided by 10: the coin count is apparently stored in memory with one 0 dropped.
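
To make the scan-and-filter steps above concrete, here is an added example (not code from the original post or from the game) that replays them on a constructed memory snapshot: an exact scan for the displayed coin count finds nothing, and repeated decreased/unchanged filters narrow the candidates to the one slot that stores the count divided by 10. The snapshot values and offsets are made up for the example.

```python
import struct

# Toy "process memory": a sequence of little-endian int32 slots. The values are
# constructed for this example and are not dumps of the real game.
def make_snapshot(values):
    return struct.pack("<%di" % len(values), *values)

def read_i32(mem, off):
    return struct.unpack_from("<i", mem, off)[0]

def scan_exact(mem, value, stride=4):
    """Exact-value scan: every aligned int32 slot currently holding `value`."""
    return [off for off in range(0, len(mem) - 3, stride) if read_i32(mem, off) == value]

def refine(before, after, candidates, mode):
    """Keep the candidates whose value changed in the requested way between two snapshots."""
    keep = {"decreased": lambda b, a: a < b,
            "increased": lambda b, a: a > b,
            "unchanged": lambda b, a: a == b}[mode]
    return [off for off in candidates if keep(read_i32(before, off), read_i32(after, off))]

# Constructed scenario: the HUD shows 250 coins but memory holds 25 (one zero
# dropped, as on the page). The other slots are unrelated counters that also move.
SNAP_START = make_snapshot([100, 7, 25, 25, 999, 3])        # HUD: 250 coins
SNAP_AFTER_SPEND = make_snapshot([100, 8, 20, 25, 999, 1])  # HUD: 200 coins
SNAP_IDLE = make_snapshot([100, 9, 20, 25, 999, 0])         # HUD: still 200

def locate_coin_address():
    """Replay the procedure: exact scan fails, decreased/unchanged scans narrow it down."""
    if scan_exact(SNAP_START, 250):      # exact scan of the displayed value
        return None                      # it would have been found directly
    all_slots = list(range(0, len(SNAP_START), 4))
    cands = refine(SNAP_START, SNAP_AFTER_SPEND, all_slots, "decreased")  # coins spent
    cands = refine(SNAP_AFTER_SPEND, SNAP_IDLE, cands, "unchanged")       # nothing spent
    return cands[0] if len(cands) == 1 else None

def displayed_to_stored_ratio(off, displayed):
    """How many times larger the HUD value is than the stored one (10 on this page)."""
    return displayed // read_i32(SNAP_IDLE, off)

if __name__ == "__main__":
    off = locate_coin_address()
    print("coin slot at offset", off, "- HUD/stored ratio", displayed_to_stored_ratio(off, 200))
```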

Same method as before: right-click, choose "Find out what writes to this address", pick up a coin, note the address and go back to OD to search for it. Collecting one coin adds 1 to the value at the address, but one small coin should be worth 10, which confirms that the coin count is stored in memory with one 0 dropped.

Executing outward, it turns out to be the sun function from before: clicking to add sun and clicking to add coins go through the same function, so patching that one condition gives automatic collection of both sun and coins.

Go back to where the coins were increased and look upward to see the sun-increase code. Let us analyze how coins and sun are distinguished. The decision is made on the value of eax; dynamic debugging shows that eax=4 or 5 means an increase in sun, and 1 or 2 means an increase in coins. eax=4 is a large sun, assigned 0x19; eax=5 is a small sun (the small sun produced by Sun-shrooms in night levels, each adding 15 sun: at 43C09B, eax+0xA makes the value in ecx 0xF), assigned 0xF.

For coins, eax=1 is a small coin and eax=2 is a large coin (at 43C109, eax+0x3 makes edx=5; one large coin adds 50); eax=3 is a diamond (at 43C116 and 43C117, edx becomes 0x64; one diamond adds 1000).

Source: www.cnblogs.com/b1ackie/p/11294007.html