Steam游戲《Automachef(自動化廚房)》修改器制作
日期:2020.12.01
博客期:179
星期二
【溫馨提示】:
我現在把資源先放到開頭,不想研究學習的就直接取用。如果修改器失效了,你們可以在博客園本頁直接評論,也可以給我發郵件告訴我,就是不要到百度云上去說了,百度云我好久不登錄一次的!大家給我發郵件的話,記得要注明是哪個游戲,內容當然是越詳細越好啦!郵箱地址:nightskysxs@163.com
| 資源下載表 | |||
| 沒有博客園賬號的網友 |
百度網盤下載鏈接:https://pan.baidu.com/s/13C0fTDCqb6ipP6XeOjqv1g 提取碼:auto
Git Hub下載地址:https://github.com/TwoStarsGodNightSky/GameTrainer |
||
| 有博客園賬號的網友 | 版本 | CT文件 | 修改器 |
| 1.1.0|0|380 | 點我下載 | 點我下載 | |
博客防爬取部分:https://www.rzrgm.cn/onepersonwholive/p/14065841.html
前言
好吧,我直到前幾天才知道原來還有 AOB 注入的方法,早知道這么實用就先學這個了(就好像學了很多深入的以后才回去補基礎)。這個游戲和在 Steam 里的 《 Rabi - Rabi 》一樣有一定的調試器監視,不能使用 Cheat Engine 的 Windows 調試器,可以選用打開設置選擇 VEH 調試器。不過,還有20多天考研,我呢也就是興致來了做一做,給自己開一個新坑。這篇文章估計用于學習的價值很低,也就算一個新的研究實例,可以自行取用 修改器 和 CT 表。
修改內容
1、POWER CONSUMTION UNLIMITED(無限電量消耗)
如上圖,“movss [rdi+30],xmm5” 是給 power 賦值的語句。可以活用之前的地址,搜索改寫調試。進而找到語句 AOB 注入即可。(電量是單浮點類型的值,可以自行搜索)
PS: 以 "UnityPlayer.dll"+014D6F20 為地址可以找到 +100 +30 +158 +10 +30
1 { Game : Automachef.exe 2 Version: 3 Date : 2020-11-30 4 Author : dell 5 6 This script does blah blah blah 7 } 8 9 [ENABLE] 10 //code from here to '[DISABLE]' will be used to enable the cheat 11 12 13 14 aobscan(POWER_CONSUMPTION,F3 0F 11 6F 30 48 8B) // should be unique 15 alloc(newmem,$1000,2B7859D711B) 16 17 label(code) 18 label(return) 19 20 newmem: 21 jmp return 22 23 code: 24 movss [rdi+30],xmm5 25 jmp return 26 27 POWER_CONSUMPTION: 28 jmp newmem 29 return: 30 registersymbol(POWER_CONSUMPTION) 31 32 [DISABLE] 33 //code from here till the end of the code will be used to disable the cheat 34 POWER_CONSUMPTION: 35 db F3 0F 11 6F 30 36 37 unregistersymbol(POWER_CONSUMPTION) 38 dealloc(newmem) 39 40 { 41 // ORIGINAL CODE - INJECTION POINT: 2B7859D711B 42 43 2B7859D70EE: F3 0F 10 08 - movss xmm1,[rax] 44 2B7859D70F2: F3 0F 5A C9 - cvtss2sd xmm1,xmm1 45 2B7859D70F6: F3 0F 10 55 E8 - movss xmm2,[rbp-18] 46 2B7859D70FB: F3 0F 5A D2 - cvtss2sd xmm2,xmm2 47 2B7859D70FF: F3 0F 10 1D C9 00 00 00 - movss xmm3,[2B7859D71D0] 48 2B7859D7107: F3 0F 5A DB - cvtss2sd xmm3,xmm3 49 2B7859D710B: F2 0F 5E D3 - divsd xmm2,xmm3 50 2B7859D710F: F2 0F 59 CA - mulsd xmm1,xmm2 51 2B7859D7113: F2 0F 58 C1 - addsd xmm0,xmm1 52 2B7859D7117: F2 0F 5A E8 - cvtsd2ss xmm5,xmm0 53 // ---------- INJECTING HERE ---------- 54 2B7859D711B: F3 0F 11 6F 30 - movss [rdi+30],xmm5 55 // ---------- DONE INJECTING ---------- 56 2B7859D7120: 48 8B 47 10 - mov rax,[rdi+10] 57 2B7859D7124: 48 63 4F 38 - movsxd rcx,dword ptr [rdi+38] 58 2B7859D7128: 48 63 C9 - movsxd rcx,ecx 59 2B7859D712B: 39 48 18 - cmp [rax+18],ecx 60 2B7859D712E: 0F 86 7A 00 00 00 - jbe 2B7859D71AE 61 2B7859D7134: 48 8D 44 88 20 - lea rax,[rax+rcx*4+20] 62 2B7859D7139: F3 0F 10 00 - movss xmm0,[rax] 63 2B7859D713D: F3 0F 5A C0 - cvtss2sd xmm0,xmm0 64 2B7859D7141: F3 0F 10 4D E8 - movss xmm1,[rbp-18] 65 2B7859D7146: F3 0F 5A C9 - cvtss2sd xmm1,xmm1 66 }
2、POWER RATE UNLIMITED(無限功率)
功率是一個單浮點類型的值,如果你搜索的話會找到很多值,沒有關系,在此搜索兩次以后的值基本都可以用,選擇改寫調試。找到帶 addsd xmm0,xmm1 的一句,因為只有這個是引起它變化的原因(增加方面)。
1 { Game : Automachef.exe 2 Version: 3 Date : 2020-11-30 4 Author : dell 5 6 This script does blah blah blah 7 } 8 9 [ENABLE] 10 //code from here to '[DISABLE]' will be used to enable the cheat 11 12 13 14 aobscan(PRESTIGE,F2 0F 58 C1 F2 0F 5A E8 F3 0F 11 28 0F) // should be unique 15 alloc(newmem,$1000,2B7859D714A) 16 17 label(code) 18 label(return) 19 20 newmem: 21 cvtsd2ss xmm5,xmm0 22 jmp return 23 24 code: 25 addsd xmm0,xmm1 26 cvtsd2ss xmm5,xmm0 27 jmp return 28 29 PRESTIGE: 30 jmp newmem 31 nop 32 nop 33 nop 34 return: 35 registersymbol(PRESTIGE) 36 37 [DISABLE] 38 //code from here till the end of the code will be used to disable the cheat 39 PRESTIGE: 40 db F2 0F 58 C1 F2 0F 5A E8 41 42 unregistersymbol(PRESTIGE) 43 dealloc(newmem) 44 45 { 46 // ORIGINAL CODE - INJECTION POINT: 2B7859D714A 47 48 2B7859D7120: 48 8B 47 10 - mov rax,[rdi+10] 49 2B7859D7124: 48 63 4F 38 - movsxd rcx,dword ptr [rdi+38] 50 2B7859D7128: 48 63 C9 - movsxd rcx,ecx 51 2B7859D712B: 39 48 18 - cmp [rax+18],ecx 52 2B7859D712E: 0F 86 7A 00 00 00 - jbe 2B7859D71AE 53 2B7859D7134: 48 8D 44 88 20 - lea rax,[rax+rcx*4+20] 54 2B7859D7139: F3 0F 10 00 - movss xmm0,[rax] 55 2B7859D713D: F3 0F 5A C0 - cvtss2sd xmm0,xmm0 56 2B7859D7141: F3 0F 10 4D E8 - movss xmm1,[rbp-18] 57 2B7859D7146: F3 0F 5A C9 - cvtss2sd xmm1,xmm1 58 // ---------- INJECTING HERE ---------- 59 2B7859D714A: F2 0F 58 C1 - addsd xmm0,xmm1 60 2B7859D714E: F2 0F 5A E8 - cvtsd2ss xmm5,xmm0 61 // ---------- DONE INJECTING ---------- 62 2B7859D7152: F3 0F 11 28 - movss [rax],xmm5 63 2B7859D7156: 0F B6 46 20 - movzx eax,byte ptr [rsi+20] 64 2B7859D715A: 85 C0 - test eax,eax 65 2B7859D715C: 0F 85 25 00 00 00 - jne 2B7859D7187 66 2B7859D7162: 48 8B 47 28 - mov rax,[rdi+28] 67 2B7859D7166: 48 8B C8 - mov rcx,rax 68 2B7859D7169: 48 8B D6 - mov rdx,rsi 69 2B7859D716C: 83 38 00 - cmp dword ptr [rax],00 70 2B7859D716F: 48 8D AD 00 00 00 00 - lea rbp,[rbp+00000000] 71 2B7859D7176: 49 BB 10 CD 11 F1 B7 02 00 00 - mov r11,000002B7F111CD10 72 }
3、PRESTIGE UNLIMITED(無限聲望)
聲望就是 4字節 的整數,100% 的時候直接搜 100 就行。
1 { Game : Automachef.exe 2 Version: 3 Date : 2020-11-30 4 Author : dell 5 6 This script does blah blah blah 7 } 8 9 [ENABLE] 10 //code from here to '[DISABLE]' will be used to enable the cheat 11 12 13 14 aobscan(FAMAS,41 89 87 94 00 00 00 49 8B) // should be unique 15 alloc(newmem,$1000,2B785FEE694) 16 17 label(code) 18 label(return) 19 20 newmem: 21 jmp return 22 23 code: 24 mov [r15+00000094],eax 25 jmp return 26 27 FAMAS: 28 jmp newmem 29 nop 30 nop 31 return: 32 registersymbol(FAMAS) 33 34 [DISABLE] 35 //code from here till the end of the code will be used to disable the cheat 36 FAMAS: 37 db 41 89 87 94 00 00 00 38 39 unregistersymbol(FAMAS) 40 dealloc(newmem) 41 42 { 43 // ORIGINAL CODE - INJECTION POINT: 2B785FEE694 44 45 2B785FEE669: 41 89 87 94 00 00 00 - mov [r15+00000094],eax 46 2B785FEE670: EB 29 - jmp 2B785FEE69B 47 2B785FEE672: 83 FE 02 - cmp esi,02 48 2B785FEE675: 75 13 - jne 2B785FEE68A 49 2B785FEE677: 49 63 87 94 00 00 00 - movsxd rax,dword ptr [r15+00000094] 50 2B785FEE67E: 83 E8 32 - sub eax,32 51 2B785FEE681: 41 89 87 94 00 00 00 - mov [r15+00000094],eax 52 2B785FEE688: EB 11 - jmp 2B785FEE69B 53 2B785FEE68A: 49 63 87 94 00 00 00 - movsxd rax,dword ptr [r15+00000094] 54 2B785FEE691: 83 E8 14 - sub eax,14 55 // ---------- INJECTING HERE ---------- 56 2B785FEE694: 41 89 87 94 00 00 00 - mov [r15+00000094],eax 57 // ---------- DONE INJECTING ---------- 58 2B785FEE69B: 49 8B CF - mov rcx,r15 59 2B785FEE69E: BA 01 00 00 00 - mov edx,00000001 60 2B785FEE6A3: 4C 8B 45 E0 - mov r8,[rbp-20] 61 2B785FEE6A7: 48 8D AD 00 00 00 00 - lea rbp,[rbp+00000000] 62 2B785FEE6AE: 49 BB 30 E7 FE 85 B7 02 00 00 - mov r11,000002B785FEE730 63 2B785FEE6B8: 41 FF D3 - call r11 64 2B785FEE6BB: 66 66 90 - nop 65 2B785FEE6BE: 49 BB C0 AA 60 8A B7 02 00 00 - mov r11,000002B78A60AAC0 66 2B785FEE6C8: 41 FF D3 - call r11 67 2B785FEE6CB: 48 89 45 D8 - mov [rbp-28],rax 68 }
4、MATERIAL UNLIMITED(無限材料)
材料也是 4字節的整數。
1 { Game : Automachef.exe 2 Version: 3 Date : 2020-11-30 4 Author : dell 5 6 This script does blah blah blah 7 } 8 9 [ENABLE] 10 //code from here to '[DISABLE]' will be used to enable the cheat 11 12 13 14 aobscan(MATERIAL,FF C1 89 48 10 48 8B) // should be unique 15 alloc(newmem,$1000,2B7858A2F65) 16 17 label(code) 18 label(return) 19 20 newmem: 21 mov [rax+10],ecx 22 jmp return 23 24 code: 25 inc ecx 26 mov [rax+10],ecx 27 jmp return 28 29 MATERIAL: 30 jmp newmem 31 return: 32 registersymbol(MATERIAL) 33 34 [DISABLE] 35 //code from here till the end of the code will be used to disable the cheat 36 MATERIAL: 37 db FF C1 89 48 10 38 39 unregistersymbol(MATERIAL) 40 dealloc(newmem) 41 42 { 43 // ORIGINAL CODE - INJECTION POINT: 2B7858A2F65 44 45 2B7858A2F38: 48 8B CE - mov rcx,rsi 46 2B7858A2F3B: 48 8B D7 - mov rdx,rdi 47 2B7858A2F3E: 48 8B 06 - mov rax,[rsi] 48 2B7858A2F41: FF 90 28 02 00 00 - call qword ptr [rax+00000228] 49 2B7858A2F47: 48 8D AD 00 00 00 00 - lea rbp,[rbp+00000000] 50 2B7858A2F4E: 49 BB 50 3B 86 85 B7 02 00 00 - mov r11,000002B785863B50 51 2B7858A2F58: 41 FF D3 - call r11 52 2B7858A2F5B: 48 8B C8 - mov rcx,rax 53 2B7858A2F5E: 83 39 00 - cmp dword ptr [rcx],00 54 2B7858A2F61: 48 63 48 10 - movsxd rcx,dword ptr [rax+10] 55 // ---------- INJECTING HERE ---------- 56 2B7858A2F65: FF C1 - inc ecx 57 2B7858A2F67: 89 48 10 - mov [rax+10],ecx 58 // ---------- DONE INJECTING ---------- 59 2B7858A2F6A: 48 8B 86 C8 00 00 00 - mov rax,[rsi+000000C8] 60 2B7858A2F71: 48 8B C8 - mov rcx,rax 61 2B7858A2F74: 33 D2 - xor edx,edx 62 2B7858A2F76: 83 38 00 - cmp dword ptr [rax],00 63 2B7858A2F79: 48 8D 64 24 00 - lea rsp,[rsp+00] 64 2B7858A2F7E: 49 BB B0 23 9E 85 B7 02 00 00 - mov r11,000002B7859E23B0 65 2B7858A2F88: 41 FF D3 - call r11 66 2B7858A2F8B: 48 63 86 9C 01 00 00 - movsxd rax,dword ptr [rsi+0000019C] 67 2B7858A2F92: FF C0 - inc eax 68 2B7858A2F94: 89 86 9C 01 00 00 - mov [rsi+0000019C],eax 69 }
5、MONEY COST UNLIMITED(無限金錢)
我們搜索 4字節的金錢 cost值,但是找到的值并不是真實的 金錢 cost 。所以,我們先看看是什么改寫了這個代碼。找到的語句是改寫臨時值的,所以我們需要向前找。右擊“選擇函數” ---> 在函數最開始的那一句右擊 “轉到地址” ---> 復制該地址 ----> 選擇菜單欄中 “搜索” 的 “查看匯編碼” ,把地址輸入到左邊的框 ---> 把右邊的起始地址的后 5 位改成 0 ,點擊搜索 ---> 找到 mov r11, xxxx 的 一句,之后找到這一句 前面 的一句 call r11,這一句的上一句給 r11 賦值的跳轉地址,我們要跳轉到那里,之后向下滑動找到 add r15d,eax 一句,注釋掉就可以(現在不知道為什么 變成 sub 也可以實現)。但是這一項修改需要一直使用,就是只要你啟用了,就不要關閉。(親測在當局關閉以后,再次買下新的器械時會報錯)
1 { Game : Automachef.exe 2 Version: 3 Date : 2020-11-30 4 Author : dell 5 6 This script does blah blah blah 7 } 8 9 [ENABLE] 10 //code from here to '[DISABLE]' will be used to enable the cheat 11 12 13 14 aobscan(PRICE,44 03 F8 48 8B CD) // should be unique 15 alloc(newmem,$1000,2B78A614699) 16 17 label(code) 18 label(return) 19 20 newmem: 21 mov rcx,rbp 22 jmp return 23 code: 24 add r15d,eax 25 mov rcx,rbp 26 jmp return 27 28 PRICE: 29 jmp newmem 30 nop 31 return: 32 registersymbol(PRICE) 33 34 [DISABLE] 35 //code from here till the end of the code will be used to disable the cheat 36 PRICE: 37 db 44 03 F8 48 8B CD 38 39 unregistersymbol(PRICE) 40 dealloc(newmem) 41 42 { 43 // ORIGINAL CODE - INJECTION POINT: 2B78A614699 44 45 2B78A61466E: 49 BB 80 33 53 8A B7 02 00 00 - mov r11,000002B78A533380 46 2B78A614678: 41 FF D3 - call r11 47 2B78A61467B: EB 1F - jmp 2B78A61469C 48 2B78A61467D: 66 66 90 - nop 49 2B78A614680: 48 8B 7D D0 - mov rdi,[rbp-30] 50 2B78A614684: 48 8B C7 - mov rax,rdi 51 2B78A614687: 0F B6 80 7C 01 00 00 - movzx eax,byte ptr [rax+0000017C] 52 2B78A61468E: 85 C0 - test eax,eax 53 2B78A614690: 75 0A - jne 2B78A61469C 54 2B78A614692: 48 63 87 6C 01 00 00 - movsxd rax,dword ptr [rdi+0000016C] 55 // ---------- INJECTING HERE ---------- 56 2B78A614699: 44 03 F8 - add r15d,eax 57 2B78A61469C: 48 8B CD - mov rcx,rbp 58 // ---------- DONE INJECTING ---------- 59 2B78A61469F: 48 83 C1 C0 - add rcx,-40 60 2B78A6146A3: 49 BA 98 52 45 A1 B7 02 00 00 - mov r10,000002B7A1455298 61 2B78A6146AD: 90 - nop 62 2B78A6146AE: 49 BB A0 34 53 8A B7 02 00 00 - mov r11,000002B78A5334A0 63 2B78A6146B8: 41 FF D3 - call r11 64 2B78A6146BB: 85 C0 - test eax,eax 65 2B78A6146BD: 75 C1 - jne 2B78A614680 66 2B78A6146BF: 48 C7 45 B8 00 00 00 00 - mov qword ptr [rbp-48],00000000 67 2B78A6146C7: 48 83 EC 08 - sub rsp,08 68 2B78A6146CB: E8 1D 00 00 00 - call 2B78A6146ED 69 }
提示:修改器的每一項只有遇到數值變化才可以實現,比如說材料有消耗以后才能實現(原因:執行修改的代碼在數值變化以后才可以被找到)
浙公網安備 33010602011771號