PVZ_Hybrid.py 197.55 KB
FrostBlade 提交于 2024-06-14 09:42 . 0.31
# ruff: noqa: F401,F403,F405,E402,F541,E722
import ctypes
import PVZ_data as data
import pymem.ressources.kernel32
import pymem.ressources.structure
import pymem.thread
import pymem.memory
from threading import Thread, Event
import random
import time
import PVZ_asm as asm
import os
import struct
# Saved original bytes for column(): filled when the patch is enabled,
# written back when it is disabled.
column1addr = column2addr = None

# Handles for memory that individual feature hooks allocate at runtime
# (the Cheat-Engine-style notes further down use `alloc(newmem, ...)` for
# this); each stays None until its feature allocates it — TODO confirm
# against the feature functions.
newmem_shovelpro = newmem_spoils = newmem_spoils2 = None
newmem_slotKey = newmem_setAllBullet = newmem_endlessCar = None
newmem_noHole = newmem_zombiebeanHpynotized1 = newmem_zombiebeanHpynotized = None
newmem_autoCar = newmem_pauseProKey = newmem_drawTime = None
newmem_pause = newmem_draw = newmem_pauseFlag = None
newmem_setBulletSize = newmem_setBulletPosition = newmem_setPlantBullet = None
newmem_caption = newmem_setOneBullet = newmem_setBulletDamage = None
newmem_globalSpawModify = newmem_changeZombieHead = newmem_changeZombieDeadHead = None
newmem_deathrattleCallZombie = newmem_reserveMaterialDropAllCard = None
newmem_modifySpawNum = newmem_lockLevel = newmem_divzero = None
newmem_modifySpawMultiplier = newmem_spawisModified = None
newmem_bungeeTipFix = newmem_bungeePutFix = None
def calculate_call_address(ctypes_obj):
    """Encode an integer as the 4 raw bytes of a native-order unsigned int.

    Used when a patch needs a rel32 displacement appended to a jump/call
    opcode (see overPlant). Values outside 0..2**32-1, including negative
    displacements, wrap modulo 2**32 because they pass through ctypes.c_uint.

    Args:
        ctypes_obj: an int (the name is historical); truncated to 32 bits.

    Returns:
        bytes of length 4 in the machine's native byte order.
    """
    # ctypes instances expose the buffer protocol, so bytes() yields the
    # object's in-memory representation directly.
    return bytes(ctypes.c_uint(ctypes_obj))
def getMap():
    """Classify the current scene id as 5 or 6, or return False.

    Reads the int at [[base]+0x768]+0x554C and maps it to 5 or 6 (presumably
    the number of lanes of the scene — confirm with callers). Unknown ids and
    any read failure (e.g. no process attached) yield False instead of raising.
    """
    five = {0, 1, 10, 13, 15, 16, 18, 19, 21, 24}
    six = {2, 3, 11, 12, 14, 17, 20, 22, 23, 25, 26}
    try:
        mem = data.PVZ_memory
        scene = mem.read_int(mem.read_int(mem.read_int(data.baseAddress) + 0x768) + 0x554C)
    except:  # bare except kept on purpose: any failure means "unknown" (E722 is suppressed file-wide)
        return False
    if scene in five:
        return 5
    if scene in six:
        return 6
    return False
def getDifficult():
    """Translate the raw difficulty value at [[base]+0x82C]+0x428 to 1, 2 or 3.

    Raw -1 -> 1, 0 -> 2, 1 -> 3. Any other raw value yields None (the original
    if-chain simply fell through).
    """
    mem = data.PVZ_memory
    raw = mem.read_int(mem.read_int(mem.read_int(data.baseAddress) + 0x82C) + 0x428)
    return {-1: 1, 0: 2, 1: 3}.get(raw)
def setDifficult(difficult):
    """Store the raw difficulty value for level 1, 2 or 3 at [[base]+0x82C]+0x428.

    1 -> 4294967295 (0xFFFFFFFF, i.e. -1 as a signed int), 2 -> 0, 3 -> 1.
    Other values write nothing (the address is still resolved first).
    NOTE(review): if PVZ_memory.write_int packs with a signed format, the
    value 4294967295 overflows — confirm against the pymem implementation.
    """
    mem = data.PVZ_memory
    target = mem.read_int(mem.read_int(data.baseAddress) + 0x82C) + 0x428
    raw = {1: 4294967295, 2: 0, 3: 1}.get(difficult)
    if raw is not None:
        mem.write_int(target, raw)
def getState():
    """Return the game-state int at [base]+0x7FC, or False if the read fails.

    Values noted by the author: 1 main menu, 2 in a level, 5 help,
    7 level select.
    """
    try:
        mem = data.PVZ_memory
        return mem.read_int(mem.read_int(data.baseAddress) + 0x7FC)
    except:  # any read failure is reported as False, not raised
        return False
def getNowFlag():
    """Return the int at [[base]+0x768]+0x557C (the "now flag"), or False on read failure."""
    try:
        mem = data.PVZ_memory
        game = mem.read_int(mem.read_int(data.baseAddress) + 0x768)
        return mem.read_int(game + 0x557C)
    except:  # any read failure is reported as False, not raised
        return False
def backGround(f):
    """Patch the single byte at 0x0054EBEF.

    Truthy f writes 0xC3 (ret), otherwise 0x57 (push edi) is written back,
    which is the disabled-state byte.
    """
    patch = b"\xc3" if f else b"\x57"
    data.PVZ_memory.write_bytes(0x0054EBEF, patch, 1)
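def overPlant(f):
    """Apply (f truthy) or revert the overPlant patch set.

    All sites but one are fixed addresses with fixed bytes; the remaining
    site, `addr`, is computed from the 4-byte little-endian value stored at
    0x40E2BF..0x40E2C2 plus 0x40E2C3 (the address just past those bytes),
    which looks like resolving a rel32 jump target. The revert branch
    rebuilds the conditional jump at `addr` with calculate_call_address so
    its displacement matches the computed address. The commented-out
    0x0084xxxx writes are kept exactly as the author left them.

    Args:
        f: truthy to enable, falsy to restore the original instruction bytes.
    """
    mem = data.PVZ_memory
    # The original read the four bytes one at a time in reverse order and
    # relied on int.from_bytes' default byteorder, which only exists on
    # Python 3.11+. One 4-byte read decoded as little-endian is the same
    # value and also works on older interpreters.
    addr = int.from_bytes(mem.read_bytes(0x40E2BF, 4), "little") + 0x40E2C3
    if f:
        mem.write_bytes(0x00425634, b"\xeb\x1b\x0f\x1f\x00", 5)
        mem.write_bytes(0x0040E3C6, b"\xe9\x94\x00\x00\x00\x0f\x1f\x00", 8)
        mem.write_bytes(0x0040FE2D, b"\xe9\x22\x09\x00\x00\x0f\x1f", 7)
        mem.write_bytes(0x0042A2D6, b"\xe9\xe2\x00\x00\x00\x0f\x1f\x00", 8)
        mem.write_bytes(0x00438E3E, b"\xeb\x34\x66\x90", 4)
        mem.write_bytes(0x0040E263, b"\x8b\x5c\x24\x24\xeb\x2a\x0f\x1f\x00", 9)
        mem.write_bytes(
            addr, b"\x0f\x1f\x00\x8b\x4c\x24\x2c\x66\x0f\x1f\x44\x00\x00", 13
        )
        # mem.write_bytes(
        #     0x00843D50, b"\xeb\x6a\x90\x90\x90\x90\x90\x90\x90", 9
        # )
        mem.write_bytes(0x00410908, b"\xeb\x12\x90\x90\x90", 5)
        # mem.write_bytes(0x00843DEE, b"\xe9\xe1\xcb\xbc\xff\x0f\x1f\x00", 8)
        # mem.write_bytes(0x00843E23, b"\xe9\xac\xcb\xbc\xff\x0f\x1f\x00", 8)
        # mem.write_bytes(0x00843E58, b"\xe9\x77\xcb\xbc\xff\x0f\x1f\x00", 8)
        mem.write_bytes(0x00410958, b"\xeb\x7a\x90\x90", 4)
        mem.write_bytes(0x00410960, b"\xeb\x72", 2)
        mem.write_bytes(0x00410B11, b"\x90\x90", 2)
        mem.write_bytes(0x00410B16, b"\xeb\x47", 2)
        # mem.write_bytes(0x0084A3EB, b"\xe9\x6a\x3f\xbc\xff\x90", 6)
        mem.write_bytes(0x00410BA2, b"\xeb\x06", 2)
        mem.write_bytes(0x00410967, b"\xeb\x39", 2)
        mem.write_bytes(0x004109A5, b"\xeb\x2d", 2)
    else:
        mem.write_bytes(0x00425634, b"\x83\xf8\xff\x74\x18", 5)
        mem.write_bytes(0x0040FE2D, b"\x85\xc0\x0f\x84\x1f\x09\x00", 7)
        mem.write_bytes(0x0040E3C6, b"\x85\xdb\x0f\x84\x91\x00\x00\x00", 8)
        mem.write_bytes(0x0042A2D6, b"\x85\xc0\x0f\x84\xdf\x00\x00\x00", 8)
        mem.write_bytes(0x00438E3E, b"\x85\xc0\x74\x32", 4)
        mem.write_bytes(0x0040E263, b"\x83\xf9\x03\x8b\x5c\x24\x24\x75\x27", 9)
        # 0x0F 0x84 is `je rel32`; the displacement is relative to the end of
        # the 13-byte sequence (addr + 0xD) and targets 0x0040E2CD.
        mem.write_bytes(
            addr,
            b"\x83\xf9\x02\x8b\x4c\x24\x2c\x0f\x84"
            + calculate_call_address(0x0040E2CD - addr - 0xD),
            13,
        )
        # mem.write_bytes(
        #     0x00843D50, b"\x83\xfb\x4c\x0f\x84\xb4\xcb\xbc\xff", 9
        # )
        mem.write_bytes(0x00410908, b"\x83\xfb\x17\x75\x0f", 5)
        # mem.write_bytes(0x00843DEE, b"\x85\xc0\x0f\x84\xde\xcb\xbc\xff", 8)
        # mem.write_bytes(0x00843E23, b"\x85\xc0\x0f\x84\xa9\xcb\xbc\xff", 8)
        # mem.write_bytes(0x00843E58, b"\x85\xc0\x0f\x84\x74\xcb\xbc\xff", 8)
        mem.write_bytes(0x00410958, b"\x85\xc0\x73\x78", 4)
        mem.write_bytes(0x00410960, b"\x75\x72", 2)
        mem.write_bytes(0x00410B11, b"\x74\x05", 2)
        mem.write_bytes(0x00410B16, b"\x75\x47", 2)
        # mem.write_bytes(0x0084A3EB, b"\x0f\x85\x69\x3f\xbc\xff", 6)
        mem.write_bytes(0x00410BA2, b"\x75\x06", 2)
        mem.write_bytes(0x00410967, b"\x75\x39", 2)
        mem.write_bytes(0x004109A5, b"\x75\x2d", 2)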
def getSun():
    """Return the int at [[base]+0x768]+0x5560 (the sun counter)."""
    mem = data.PVZ_memory
    game = mem.read_int(mem.read_int(data.baseAddress) + 0x768)  # pointer stored at base+0x768
    return mem.read_int(game + 0x5560)
def addSun(sunIncrement):
    """Add int(sunIncrement) to the sun counter at [[base]+0x768]+0x5560."""
    mem = data.PVZ_memory
    sunAddr = mem.read_int(mem.read_int(data.baseAddress) + 0x768) + 0x5560
    mem.write_int(sunAddr, mem.read_int(sunAddr) + int(sunIncrement))
def subSun(sunDecrement):
    """Subtract int(sunDecrement) from the sun counter at [[base]+0x768]+0x5560.

    No clamping: the result may go negative, exactly as in the original.
    """
    mem = data.PVZ_memory
    sunAddr = mem.read_int(mem.read_int(data.baseAddress) + 0x768) + 0x5560
    mem.write_int(sunAddr, mem.read_int(sunAddr) - int(sunDecrement))
def setSun(sun):
    """Overwrite the sun counter at [[base]+0x768]+0x5560 with int(sun)."""
    mem = data.PVZ_memory
    sunAddr = mem.read_int(mem.read_int(data.baseAddress) + 0x768) + 0x5560
    mem.write_int(sunAddr, int(sun))
def cancalSunFall(f):
    """Patch 7 bytes at 0x00413B7C.

    Truthy f writes seven NOPs; otherwise the original `83 86 38 55 00 00 ff`
    (appears to decode to `add dword [esi+0x5538], -1`) is restored.
    """
    patch = b"\x90\x90\x90\x90\x90\x90\x90" if f else b"\x83\x86\x38\x55\x00\x00\xff"
    data.PVZ_memory.write_bytes(0x00413B7C, patch, 7)
def getSilver():
    """Return the int at [[base]+0x82C]+0x208 (silver count)."""
    mem = data.PVZ_memory
    profile = mem.read_int(mem.read_int(data.baseAddress) + 0x82C)  # pointer stored at base+0x82C
    return mem.read_int(profile + 0x208)
def addSilver(silverIncrement):
    """Add int(silverIncrement) to the silver count at [[base]+0x82C]+0x208."""
    mem = data.PVZ_memory
    silverAddr = mem.read_int(mem.read_int(data.baseAddress) + 0x82C) + 0x208
    mem.write_int(silverAddr, mem.read_int(silverAddr) + int(silverIncrement))
def setSilver(silver):
    """Overwrite the silver count at [[base]+0x82C]+0x208 with int(silver)."""
    mem = data.PVZ_memory
    silverAddr = mem.read_int(mem.read_int(data.baseAddress) + 0x82C) + 0x208
    mem.write_int(silverAddr, int(silver))
def getGold():
    """Return the int at [[base]+0x82C]+0x20C (gold count)."""
    mem = data.PVZ_memory
    profile = mem.read_int(mem.read_int(data.baseAddress) + 0x82C)  # pointer stored at base+0x82C
    return mem.read_int(profile + 0x20C)
def addGold(goldIncrement):
    """Add int(goldIncrement) to the gold count at [[base]+0x82C]+0x20C."""
    mem = data.PVZ_memory
    goldAddr = mem.read_int(mem.read_int(data.baseAddress) + 0x82C) + 0x20C
    mem.write_int(goldAddr, mem.read_int(goldAddr) + int(goldIncrement))
def setGold(gold):
    """Overwrite the gold count at [[base]+0x82C]+0x20C with int(gold)."""
    mem = data.PVZ_memory
    goldAddr = mem.read_int(mem.read_int(data.baseAddress) + 0x82C) + 0x20C
    mem.write_int(goldAddr, int(gold))
def getDiamond():
    """Return the int at [[base]+0x82C]+0x210 (diamond count)."""
    mem = data.PVZ_memory
    profile = mem.read_int(mem.read_int(data.baseAddress) + 0x82C)  # pointer stored at base+0x82C
    return mem.read_int(profile + 0x210)
def addDiamond(diamondIncrement):
    """Add int(diamondIncrement) to the diamond count at [[base]+0x82C]+0x210."""
    mem = data.PVZ_memory
    diamondAddr = mem.read_int(mem.read_int(data.baseAddress) + 0x82C) + 0x210
    mem.write_int(diamondAddr, mem.read_int(diamondAddr) + int(diamondIncrement))
def setDiamond(diamond):
    """Overwrite the diamond count at [[base]+0x82C]+0x210 with int(diamond)."""
    mem = data.PVZ_memory
    diamondAddr = mem.read_int(mem.read_int(data.baseAddress) + 0x82C) + 0x210
    mem.write_int(diamondAddr, int(diamond))
def upperLimit(f):
    """Flip three conditional jumps to unconditional ones, or back.

    Truthy f writes 0xEB (jmp rel8) at 0x00430A23, 0x00430A78 and 0x0048CAB0;
    otherwise 0x7E (jle rel8) is restored at each site, in the same order.
    """
    opcode = b"\xeb" if f else b"\x7e"
    for site in (0x00430A23, 0x00430A78, 0x0048CAB0):
        data.PVZ_memory.write_bytes(site, opcode, 1)
def pausePro(f):
    """Patch 9 bytes at 0x415DF0.

    Truthy f writes a 7-byte NOP followed by a 2-byte NOP; otherwise the
    original `80 bd 64 01 00 00 00 74 35` (cmp byte [ebp+0x164], 0; je +0x35)
    is restored. advacedPause writes the identical patch.
    """
    enabled = b"\x0f\x1f\x80\x00\x00\x00\x00\x66\x90"
    disabled = b"\x80\xbd\x64\x01\x00\x00\x00\x74\x35"
    data.PVZ_memory.write_bytes(0x415DF0, enabled if f else disabled, 9)
def ignoreSun(f):
    """Apply (f truthy) or revert the five-site ignoreSun patch set.

    Each tuple is (address, enabled bytes, original bytes, length); sites are
    written in table order for both branches, as in the original.
    """
    patches = (
        (0x0041BA70, b"\x90\x90\x90\x90\x90\x90", b"\x39\xc3\x7f\x0c\x29\xde", 6),
        (0x0048881B, b"\xe9\x97\x01\x00\x00\x0f\x1f\x00", b"\x84\xc0\x0f\x85\x94\x01\x00\x00", 8),
        (0x0048847F, b"\xeb", b"\x75", 1),
        (0x0040F8A2, b"\xeb", b"\x75", 1),
        (0x00488565, b"\xeb\x0e\x90\x90", b"\x84\xc0\x75\x0c", 4),
    )
    for site, enabled, disabled, size in patches:
        data.PVZ_memory.write_bytes(site, enabled if f else disabled, size)
def cancelCd(f):
    """Apply (f truthy) or revert the three-site cancelCd patch set.

    0x487296: 0x7E (jle) -> 0x70 (jo); 0x00488250: 0x75 (jne) -> 0xEB (jmp);
    0x00488E73: the immediate of `c6 45 48 xx` (mov byte [ebp+0x48], xx)
    goes from 0 to 1.
    """
    # Earlier variant kept for reference (was already commented out):
    # if f:
    #     data.PVZ_memory.write_bytes(0x487293, b'\x3b\x47\x28\x90\x90', 5)
    # else:
    #     data.PVZ_memory.write_bytes(0x487296, b'\x7e\x14', 2)
    patches = (
        (0x487296, b"\x70", b"\x7e", 1),
        (0x00488250, b"\xeb", b"\x75", 1),
        (0x00488E73, b"\xc6\x45\x48\x01", b"\xc6\x45\x48\x00", 4),
    )
    for site, enabled, disabled, size in patches:
        data.PVZ_memory.write_bytes(site, enabled if f else disabled, size)
def zombieInvisible(f):
    """Swap the jump opcode at 0x0052E357 and 0x0053402B.

    Truthy f writes 0x70 (jo), otherwise the original 0x75 (jne) is restored.
    """
    opcode = b"\x70" if f else b"\x75"
    for site in (0x0052E357, 0x0053402B):
        data.PVZ_memory.write_bytes(site, opcode, 1)
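def killAllZombies():
    """Mark every live zombie entry on the board.

    Walks the zombie array of the board object (board = [[base]+0x768]):
    entry count at board+0xA0, array pointer at board+0x90, 0x204 bytes per
    entry. An entry whose byte at +0xEC is 0 is treated as existing and gets
    the dword at +0x28 set to 3 (presumably a "dying" state -- inferred from
    the function name only).

    Improvements over the previous version: the redundant second loop
    counter is gone, and the board / array pointers are resolved once
    instead of three reads per iteration (assumed stable for the duration
    of the loop).
    """
    board = data.PVZ_memory.read_int(
        data.PVZ_memory.read_int(data.baseAddress) + 0x768
    )
    count = data.PVZ_memory.read_int(board + 0xA0)
    array_base = data.PVZ_memory.read_int(board + 0x90)
    for idx in range(count):
        entry = array_base + 0x204 * idx
        if data.PVZ_memory.read_bytes(entry + 0xEC, 1) == b"\x00":
            data.PVZ_memory.write_int(entry + 0x28, 3)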
def autoCollect(f):
    """Toggle auto-collect: the 6-byte sequence at 0x43158B keeps its
    `cmp byte [ebx+0x50],0` but the following `jne +8` (0x75) becomes an
    unconditional `jmp +8` (0xEB) when enabled.

    Args:
        f: truthy to patch, falsy to restore.
    """
    jump = b"\xeb" if f else b"\x75"
    data.PVZ_memory.write_bytes(0x43158B, b"\x80\x7b\x50\x00" + jump + b"\x08", 6)
def changeSlot(n, type):
    """Write id `type` into seed slot `n` (1-based).

    Slot table pointer lives at board+0x144; slot i's id is at
    table + 0x5C + 0x50*i. No bounds check on `n` -- as before.
    """
    board = data.PVZ_memory.read_int(
        data.PVZ_memory.read_int(data.baseAddress) + 0x768
    )
    slot_table = data.PVZ_memory.read_int(board + 0x144)
    data.PVZ_memory.write_int(slot_table + 0x5C + 0x50 * (n - 1), type)
def win():
    """Set the dword at board+0x55FC to 1 (the board is [[base]+0x768])."""
    board = data.PVZ_memory.read_int(
        data.PVZ_memory.read_int(data.baseAddress) + 0x768
    )
    data.PVZ_memory.write_int(board + 0x55FC, 1)
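def advacedPause(f):
    """Alias of pausePro(): writes the identical 9-byte patch at 0x415DF0.

    Kept for callers that use this name; the duplicated byte strings were
    removed so both entry points cannot drift apart.

    Args:
        f: truthy to patch, falsy to restore.
    """
    pausePro(f)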
def column(f):
    """Toggle the two "column" patches, saving the original bytes on enable.

    Enabling reads the 5 original bytes at each site into module globals and
    writes `jmp +0x0b` plus three NOPs; disabling writes the saved bytes
    back. Note that enabling twice saves the already-patched bytes, and
    disabling before any enable raises NameError on the globals.

    Args:
        f: truthy to patch, falsy to restore.
    """
    global column1addr
    global column2addr
    site1, site2 = 0x00410ADF, 0x00439035
    if f:
        column1addr = data.PVZ_memory.read_bytes(site1, 5)
        column2addr = data.PVZ_memory.read_bytes(site2, 5)
        for site in (site1, site2):
            data.PVZ_memory.write_bytes(site, b"\xeb\x0b\x90\x90\x90", 5)
    else:
        data.PVZ_memory.write_bytes(site1, column1addr, 5)
        data.PVZ_memory.write_bytes(site2, column2addr, 5)
def unlock():
    """Redirect the call site at 0x00453B20 to a cave that returns AL=1.

    Mirrors a Cheat Engine script: `"PlantsVsZombies.exe"+53B20: jmp newmem`
    with newmem = `mov al,1 / ret`; the original 5 bytes at that site were
    `jmp 87AE00` (db E9 4B CF 3E 00). This function has no disable path and
    the 64-byte cave is never freed.
    """
    cave = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 64)
    stub = asm.Asm(cave)
    stub.mov_e(asm.AL, 1)
    stub.ret()
    emitted = bytes(stub.code[: stub.index])
    data.PVZ_memory.write_bytes(cave, emitted, stub.index)
    # rel32 is relative to the end of the 5-byte jmp (0x00453B20 + 5).
    hook = b"\xe9" + calculate_call_address(cave - 0x00453B25)
    data.PVZ_memory.write_bytes(0x00453B20, hook, 5)
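def _shovelpro_install_trampoline():
    """Allocate the shovel trampoline, fill it and hook 0x004111D8 to it.

    Shared by both supported versions; only the version-specific gate patch
    differs and is done by the caller. Sets the module global
    `newmem_shovelpro` to the cave address (printed for debugging, as before).
    """
    global newmem_shovelpro
    newmem_shovelpro = pymem.memory.allocate_memory(
        data.PVZ_memory.process_handle, 100
    )
    print(hex(newmem_shovelpro))
    # Call/jump displacements are relative to the byte after each e8/e9,
    # hence the per-site offsets (0x11, 0x3B, 0x61, 0x87, 0x95) into the cave.
    byte_data = (
        b"\x60\x8b\x45\x24\x8b\x7d\x04\xba\xff\xff\xff\xff\xe8"
        + calculate_call_address(0x0041DAE0 - newmem_shovelpro - 0x11)
        + b"\x01\x85\x2c\x01\x00\x00\x61\x83\xbd\x2c\x01\x00\x00\x32\x7c\x1d\x83\xad\x2c\x01\x00\x00\x32"
        + b"\x60\x8b\x4d\x04\x6a\x02\x6a\x06\xff\x75\x0c\xff\x75\x08\xe8"
        + calculate_call_address(0x0040CB10 - newmem_shovelpro - 0x3B)
        + b"\x61\xeb\xda\x83\xbd\x2c\x01\x00\x00\x19\x7c\x1d\x83\xad\x2c\x01\x00\x00\x19\x60\x8b\x4d\x04"
        + b"\x6a\x02\x6a\x04\xff\x75\x0c\xff\x75\x08\xe8"
        + calculate_call_address(0x0040CB10 - newmem_shovelpro - 0x61)
        + b"\x61\xeb\xb4\x83\xbd\x2c\x01\x00\x00\x0f\x7c\x1d\x83\xad\x2c\x01\x00\x00\x0f\x60\x8b\x4d\x04"
        + b"\x6a\x02\x6a\x05\xff\x75\x0c\xff\x75\x08\xe8"
        + calculate_call_address(0x0040CB10 - newmem_shovelpro - 0x87)
        + b"\x61\xeb\x8e\x01\x9f\x9c\x57\x00\x00\xe9"
        + calculate_call_address(0x004111DE - newmem_shovelpro - 0x95)
    )
    # len(byte_data) is 149 when calculate_call_address yields 4 bytes.
    data.PVZ_memory.write_bytes(newmem_shovelpro, byte_data, len(byte_data))
    data.PVZ_memory.write_bytes(
        0x004111D8,
        b"\xe9" + calculate_call_address(newmem_shovelpro - 0x004111DD) + b"\x90",
        6,
    )


def _shovelpro_remove_trampoline():
    """Restore the original 6 bytes at 0x004111D8 and free the cave."""
    data.PVZ_memory.write_bytes(0x004111D8, b"\x01\x9f\x9c\x57\x00\x00", 6)
    pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_shovelpro)


def shovelpro(f):
    """Toggle the "shovel pro" hook for PVZ_version 2.0 or 2.1.

    Both versions share the trampoline at 0x004111D8; they differ in the
    gate site: 2.0 derives it from the rel32 operand found at 0x41113E
    (resolved to its target, +0x15), 2.1 uses the fixed site 0x008E0460.
    Other versions are silently ignored. Disabling twice, or disabling
    before enabling, frees an unset/stale global -- unchanged behaviour.

    Args:
        f: truthy to enable, falsy to disable.
    """
    if data.PVZ_version == 2.0:
        # The four bytes are gathered high-to-low, so big-endian decoding
        # equals the little-endian dword at 0x41113E. byteorder is explicit
        # because it only became optional in Python 3.11.
        rel = int.from_bytes(
            data.PVZ_memory.read_bytes(0x411141, 1)
            + data.PVZ_memory.read_bytes(0x411140, 1)
            + data.PVZ_memory.read_bytes(0x41113F, 1)
            + data.PVZ_memory.read_bytes(0x41113E, 1),
            byteorder="big",
        )
        addr = rel + 0x411142  # treated as unsigned, as before
        if f:
            data.PVZ_memory.write_bytes(addr + 0x15, b"\xeb\x6a\x90", 3)
            _shovelpro_install_trampoline()
        else:
            data.PVZ_memory.write_bytes(addr + 0x15, b"\x83\xf8\x17", 3)
            _shovelpro_remove_trampoline()
    elif data.PVZ_version == 2.1:
        if f:
            data.PVZ_memory.write_bytes(0x008E0460, b"\xe9\x7f\x00\x00\x00\x90", 6)
            _shovelpro_install_trampoline()
        else:
            data.PVZ_memory.write_bytes(0x008E0460, b"\x0f\x84\x88\x00\x00\x00", 6)
            _shovelpro_remove_trampoline()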
def randomSlots_operstion(randomSlots_event, haszombie):
    """Worker loop for randomSlots(): keep rewriting all 14 seed slots.

    Until `randomSlots_event` is set, every pass resolves the slot table
    (board+0x144) and writes a random id into slot i at
    table + 0x5C + 0x50*i. Plant ids: 0..102 on 2.1; on 2.0 0..96 with
    values >= 48 shifted up by 27. Zombie ids (haszombie truthy, not the
    literal False): 257..297 on 2.0, 257..300 on 2.1. On any other
    PVZ_version `plant` is never assigned and the write raises.
    There is no sleep, so this loop spins.

    NOTE(review): the source's indentation was lost; the +27 shift is read
    as part of the 2.0 branch -- confirm against the original file.
    """
    while not randomSlots_event.is_set():
        slot_table_ptr = (
            data.PVZ_memory.read_int(
                data.PVZ_memory.read_int(data.baseAddress) + 0x768
            )
            + 0x144
        )
        for slot in range(14):
            if haszombie is False:
                if data.PVZ_version == 2.1:
                    plant = random.randint(0, 102)
                elif data.PVZ_version == 2.0:
                    plant = random.randint(0, 96)
                    if plant >= 48:
                        plant += 27
            else:
                if data.PVZ_version == 2.0:
                    plant = random.randint(257, 297)
                elif data.PVZ_version == 2.1:
                    plant = random.randint(257, 300)
            target = data.PVZ_memory.read_int(slot_table_ptr) + 0x5C + 0x50 * slot
            data.PVZ_memory.write_int(target, plant)
# Stop flag and worker handle shared by randomSlots()/randomSlots_operstion().
randomSlots_event, randomSlots_thread = Event(), None
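def randomSlots(f, haszombie):
    """Start or stop the random-slots worker thread.

    Enabling starts a worker only when none is alive; disabling sets the
    stop event and joins the worker. The join is now guarded so that
    disabling before any enable no longer raises AttributeError on None.

    Args:
        f: truthy to start, falsy to stop.
        haszombie: forwarded to randomSlots_operstion().
    """
    global randomSlots_thread
    if f:
        if randomSlots_thread is None or not randomSlots_thread.is_alive():
            randomSlots_event.clear()
            randomSlots_thread = Thread(
                target=randomSlots_operstion, args=(randomSlots_event, haszombie)
            )
            randomSlots_thread.start()
    else:
        # Signal the worker to stop, then wait for it to finish.
        randomSlots_event.set()
        if randomSlots_thread is not None:
            randomSlots_thread.join()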
def ignoreZombies(f):
    """Toggle the 6-byte patch at 0x413431: `je +0x47f` (0f 84) becomes
    `jmp +0x47f` (e9) followed by a NOP when enabled.

    Args:
        f: truthy to patch, falsy to restore.
    """
    patched = b"\xe9\x7f\x04\x00\x00\x90"
    original = b"\x0f\x84\x7f\x04\x00\x00"
    data.PVZ_memory.write_bytes(0x413431, patched if f else original, 6)
def pauseSpawn(f):
    """Toggle the short jump at 0x004265DC between `je` (0x74) and `jmp` (0xEB).

    Args:
        f: truthy to patch, falsy to restore.
    """
    data.PVZ_memory.write_bytes(0x004265DC, b"\xeb" if f else b"\x74", 1)
def changeGameSpeed(s):
    """Select one of seven speed presets.

    Each preset writes a frame-duration dword at [base]+0x454 and two flag
    bytes at 0x6A9EAA / 0x6A9EAB. Unknown `s` values only perform the
    address read and write nothing, as before.

    Args:
        s: preset index 0..6.
    """
    presets = {
        0: (10, b"\x01", b"\x00"),
        1: (20, b"\x00", b"\x00"),
        2: (10, b"\x00", b"\x00"),
        3: (5, b"\x00", b"\x00"),
        4: (2, b"\x00", b"\x00"),
        5: (1, b"\x00", b"\x00"),
        6: (10, b"\x00", b"\x01"),
    }
    frame_duration_addr = data.PVZ_memory.read_int(data.baseAddress) + 0x454
    preset = presets.get(s)
    if preset is None:
        return
    duration, flag_a, flag_b = preset
    data.PVZ_memory.write_int(frame_duration_addr, duration)
    data.PVZ_memory.write_bytes(0x6A9EAA, flag_a, 1)
    data.PVZ_memory.write_bytes(0x6A9EAB, flag_b, 1)
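def _progressTableAddr(table_offset):
    """Address of a per-level dword table inside the object at [[base]+0x82C].

    table_offset is 0x42C for adventure levels and 0x82C for challenges
    (what that object is -- presumably saved user progress -- is inferred
    from the callers' names only).
    """
    return (
        data.PVZ_memory.read_int(
            data.PVZ_memory.read_int(data.baseAddress) + 0x82C
        )
        + table_offset
    )


def _setProgressFlag(table_offset, level, value):
    """Write `value` into entry `level` (4 bytes each) of the given table.

    No bounds check on `level`; a negative value writes before the table,
    exactly as the four public wrappers always did.
    """
    data.PVZ_memory.write_int(_progressTableAddr(table_offset) + level * 4, value)


def completeAdvanture(level):
    """Set adventure level `level` to 1 (complete)."""
    _setProgressFlag(0x42C, level, 1)


def lockAdvanture(level):
    """Set adventure level `level` to 0 (locked)."""
    _setProgressFlag(0x42C, level, 0)


def completeChallenge(level):
    """Set challenge `level` to 1 (complete)."""
    _setProgressFlag(0x82C, level, 1)


def lockChallenge(level):
    """Set challenge `level` to 0 (locked)."""
    _setProgressFlag(0x82C, level, 0)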
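def _noHole_install(imm, branch):
    """Install the "no hole" trampoline with one compare/branch variant.

    Emits, in a fresh 64-byte cave:
        cmp dword [esi+0x18], 0 ; jng 0x0041D79E
        cmp dword [esi+0x50], imm ; <branch>
        mov dword [esi+0x20], 1 ; add dword [esi+0x18], 0xFF
        jmp 0x0041D79A
    then hooks 0x0041D790 (10 bytes: jmp cave + 5 NOPs) and patches
    0x00466668. Sets the module global `newmem_noHole`; enabling again
    without disabling overwrites it and leaks the previous cave (unchanged).

    Args:
        imm: immediate compared against [esi+0x50] (0, 1 or 2).
        branch: "jne" -> jne_short_offset(7), "je" -> je_offset(7),
            "nop" -> two NOP bytes (the mov is then unconditional).
    """
    global newmem_noHole
    data.PVZ_memory.write_bytes(0x00466668, b"\x90\x90\xeb\x2e", 4)
    newmem_noHole = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 64)
    shellcode = asm.Asm(newmem_noHole)
    shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.ESI, 0x18, 0)
    shellcode.jng(0x0041D79E)
    shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.ESI, 0x50, imm)
    if branch == "jne":
        shellcode.jne_short_offset(7)
    elif branch == "je":
        shellcode.je_offset(7)
    else:
        shellcode.add_byte(0x90)
        shellcode.add_byte(0x90)
    shellcode.mov_ptr_exx_add_byte_dword(asm.ESI, 0x20, 1)
    shellcode.add_dword_ptr_exx_add_byte_byte(asm.ESI, 0x18, 0xFF)
    shellcode.jmp(0x0041D79A)
    data.PVZ_memory.write_bytes(
        newmem_noHole, bytes(shellcode.code[: shellcode.index]), shellcode.index
    )
    data.PVZ_memory.write_bytes(
        0x0041D790,
        b"\xe9"
        + calculate_call_address(newmem_noHole - 0x0041D795)
        + b"\x90\x90\x90\x90\x90",
        10,
    )


# (d, b, t) -> (immediate, branch kind); see _noHole_install.
_NOHOLE_VARIANTS = {
    (True, False, False): (0, "jne"),
    (True, True, False): (2, "je"),
    (True, True, True): (0, "nop"),
    (False, True, False): (1, "jne"),
    (False, True, True): (0, "je"),
    (False, False, True): (2, "jne"),
    (True, False, True): (1, "je"),
}


def noHole(d, t, b):
    """Configure the "no hole" hook from three flags, or remove it.

    The seven enabled combinations only differ in the immediate compared
    against [esi+0x50] and in the branch emitted after the compare
    (table `_NOHOLE_VARIANTS`); the previous copy-pasted bodies were
    folded into `_noHole_install`. All three flags False restores the
    original bytes at 0x00466668 and 0x0041D790 and frees the cave.

    Args:
        d, t, b: feature flags (note the parameter order d, t, b).
    """
    key = (bool(d), bool(b), bool(t))
    if key == (False, False, False):
        data.PVZ_memory.write_bytes(0x00466668, b"\x84\xc0\x74\x2e", 4)
        data.PVZ_memory.write_bytes(
            0x0041D790, b"\x83\x7e\x18\x00\x7e\x08\x83\x46\x18\xff", 10
        )
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_noHole)
        return
    imm, branch = _NOHOLE_VARIANTS[key]
    _noHole_install(imm, branch)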
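def _zombiebean_install_stub(hook_addr, resume_addr):
    """Allocate a 64-byte cave holding the hypnotize stub and hook it.

    Stub: `mov eax,[esi+4] ; call 0x0040DDC0 ; mov byte [eax+0xB8],1 ;
    jmp resume_addr`. The 8-byte site at `hook_addr` becomes
    `jmp cave` + 3 NOPs. Returns the cave address so the caller can free it.
    """
    cave = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 64)
    stub = asm.Asm(cave)
    stub.mov_exx_dword_ptr_eyy_add_byte(asm.EAX, asm.ESI, 4)
    stub.call(0x0040DDC0)
    stub.mov_byte_ptr_exx_add_dword_byte(asm.EAX, 0xB8, 1)
    stub.jmp(resume_addr)
    data.PVZ_memory.write_bytes(cave, bytes(stub.code[: stub.index]), stub.index)
    data.PVZ_memory.write_bytes(
        hook_addr,
        b"\xe9" + calculate_call_address(cave - (hook_addr + 5)) + b"\x90\x90\x90",
        8,
    )
    return cave


def zombiebeanHpynotized(f):
    """Toggle the "zombie bean hypnotized" hooks for PVZ_version 2.0 / 2.1.

    Both versions install the same stub via `_zombiebean_install_stub`
    (2.0 at 0x0084F684 resuming at 0x0084F687, 2.1 at 0x008AF434 resuming
    at 0x008AF43C). Version 2.0 additionally routes 0x0086E243 through a
    second cave that just jumps to 0x0086E267; 2.1 patches 0x008AF243 in
    place. On disable, both hook sites are restored *before* any cave is
    freed (the previous code freed the 2.0 jump cave while its hook was
    still live). Other versions are ignored.

    Args:
        f: truthy to enable, falsy to disable.
    """
    global newmem_zombiebeanHpynotized1
    global newmem_zombiebeanHpynotized
    if data.PVZ_version == 2.0:
        if f:
            newmem_zombiebeanHpynotized = pymem.memory.allocate_memory(
                data.PVZ_memory.process_handle, 64
            )
            shellcode = asm.Asm(newmem_zombiebeanHpynotized)
            shellcode.jmp(0x0086E267)
            data.PVZ_memory.write_bytes(
                newmem_zombiebeanHpynotized,
                bytes(shellcode.code[: shellcode.index]),
                shellcode.index,
            )
            data.PVZ_memory.write_bytes(
                0x0086E243,
                b"\xe9"
                + calculate_call_address(newmem_zombiebeanHpynotized - 0x0086E248)
                + b"\x90",
                6,
            )
            newmem_zombiebeanHpynotized1 = _zombiebean_install_stub(
                0x0084F684, 0x0084F687
            )
        else:
            data.PVZ_memory.write_bytes(
                0x084F684, b"\x8b\x46\x04\xe8\x34\xe7\xbb\xff", 8
            )
            data.PVZ_memory.write_bytes(0x0086E243, b"\x0f\x84\x1e\x00\x00\x00", 6)
            pymem.memory.free_memory(
                data.PVZ_memory.process_handle, newmem_zombiebeanHpynotized
            )
            pymem.memory.free_memory(
                data.PVZ_memory.process_handle, newmem_zombiebeanHpynotized1
            )
    elif data.PVZ_version == 2.1:
        if f:
            data.PVZ_memory.write_bytes(0x008AF243, b"\xeb\x22\x90\x90\x90\x90", 6)
            newmem_zombiebeanHpynotized1 = _zombiebean_install_stub(
                0x008AF434, 0x008AF43C
            )
        else:
            data.PVZ_memory.write_bytes(
                0x008AF434, b"\x8b\x46\x04\xe8\x34\xe7\xbb\xff", 8
            )
            data.PVZ_memory.write_bytes(0x008AF243, b"\x0f\x84\x1e\x00\x00\x00", 6)
            pymem.memory.free_memory(
                data.PVZ_memory.process_handle, newmem_zombiebeanHpynotized1
            )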
def scrapHelmetControlled(f):
    """Toggle the 2-byte patch `jne rel32` (0f 85) -> `nop ; jmp rel32`
    (90 e9) at the version-specific site. Unknown versions do nothing.

    Args:
        f: truthy to patch, falsy to restore.
    """
    sites = {2.0: 0x0084AB3F, 2.1: 0x0089A03F}
    site = sites.get(data.PVZ_version)
    if site is None:
        return
    data.PVZ_memory.write_bytes(site, b"\x90\xe9" if f else b"\x0f\x85", 2)
def conveyorBeltFull(f):
    """Toggle the two conveyor-belt patches: `jg` (0f 8f) -> `jo` (0f 80) at
    0x00422D1F and `test eax,eax` (85 c0) -> `xor eax,eax` (33 c0) at
    0x00489CA1.

    Args:
        f: truthy to patch, falsy to restore.
    """
    patches = (
        (0x00422D1F, b"\x0f\x80", b"\x0f\x8f"),
        (0x00489CA1, b"\x33\xc0", b"\x85\xc0"),
    )
    for site, patched, original in patches:
        data.PVZ_memory.write_bytes(site, patched if f else original, 2)
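def _endlessRoundAddr():
    """Address of the endless-round dword: [[[base]+0x768]+0x160] + 0x6C.

    Raises whatever the memory reader raises when the chain is unreadable.
    """
    board = data.PVZ_memory.read_int(
        data.PVZ_memory.read_int(data.baseAddress) + 0x768
    )
    return data.PVZ_memory.read_int(board + 0x160) + 0x6C


def getEndlessRound():
    """Return the current endless round, or the string "未知" if the
    pointer chain cannot be read (presumably when no board is active).

    The bare `except:` was narrowed to `Exception` so KeyboardInterrupt /
    SystemExit are no longer swallowed; the address computation is shared
    with setEndlessRound().
    """
    try:
        return data.PVZ_memory.read_int(_endlessRoundAddr())
    except Exception:
        return "未知"


def setEndlessRound(endlessRound):
    """Write `endlessRound` into the endless-round dword; silently returns
    when the pointer chain cannot be resolved (same contract as before,
    minus swallowing non-Exception BaseExceptions)."""
    try:
        data.PVZ_memory.write_int(_endlessRoundAddr(), endlessRound)
    except Exception:
        return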
def putLadder(row, col):
    """Place a ladder at (row, col) via a remote thread.

    `asm.runThread` is expected to call `creat_asm(startAddress)` on the
    job object and run the returned code; the code loads the board
    ([[0x006A9EC0]+0x768]) into EAX, row into EDI, pushes col and calls
    0x00408F40.
    """

    class _LadderJob:
        def __init__(self, row, col):
            self.row, self.col = row, col

        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x768)
            code.mov_exx(asm.EDI, self.row)
            code.push_byte(self.col)
            code.call(0x00408F40)
            return code

    asm.runThread(_LadderJob(row, col))
def putZombie(row, col, type):
    """Spawn a zombie of id `type` at (row, col) via a remote thread.

    The generated code pushes col and type, puts row in EAX, loads
    [[[0x006A9EC0]+0x768]+0x160] into ECX and calls 0x0042A0F0.
    `asm.runThread` is expected to invoke `creat_asm(startAddress)`.
    """

    class _ZombieJob:
        def __init__(self, row, col, type):
            self.row, self.col, self.type = row, col, type

        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.push_byte(self.col)
            code.push_byte(self.type)
            code.mov_exx(asm.EAX, self.row)
            code.mov_exx_dword_ptr(asm.ECX, 0x006A9EC0)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.ECX, asm.ECX, 0x768)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.ECX, asm.ECX, 0x160)
            code.call(0x0042A0F0)
            return code

    asm.runThread(_ZombieJob(row, col, type))
def putBoss():
    """Spawn the boss via a remote thread (prints "boss" first, as before).

    The generated code loads the board into EAX, pushes 0 and 25 and calls
    0x0040DDC0. `asm.runThread` is expected to invoke `creat_asm`.
    """

    class _BossJob:
        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x768)
            code.push_byte(0)
            code.push_byte(25)
            code.call(0x0040DDC0)
            return code

    print("boss")
    asm.runThread(_BossJob())
def putPlant(row, col, type):
    """Place a plant of id `type` at (row, col) via a remote thread.

    The generated code pushes 255 and type (dword), puts row in EAX,
    pushes col, loads the board into EBP, pushes EBP and calls 0x0040D120.
    `asm.runThread` is expected to invoke `creat_asm(startAddress)`.
    """

    class _PlantJob:
        def __init__(self, row, col, type):
            self.row, self.col, self.type = row, col, type

        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.push_byte(255)
            code.push_dword(self.type)
            code.mov_exx(asm.EAX, self.row)
            code.push_byte(self.col)
            code.mov_exx_dword_ptr(asm.EBP, 0x006A9EC0)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.EBP, asm.EBP, 0x768)
            code.push_exx(asm.EBP)
            code.call(0x0040D120)
            return code

    asm.runThread(_PlantJob(row, col, type))
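def putcard(row, col, type):
    """Drop a seed card of id `type` at board cell (row, col).

    Hand-assembled code (pushad; ecx = board; push 2; push 0x10;
    push 0x50+0x64*row; push 0x28+0x50*col; call 0x0040CB10 via edx;
    mov dword [eax+0x68], type; popad; ret) is written to a 100-byte cave
    and run as a remote thread. The byte at 0x00552014 is set to 0xFE for
    the duration of the thread and reset to 0xDB afterwards (its purpose is
    not documented here).

    Changes: the thread handle is closed, the cleanup (byte reset, handle
    close, cave free) runs in a `finally`, the buffer length is derived from
    the shellcode instead of the literal 44, and the exit-code sentinel 259
    (STILL_ACTIVE) is named.
    """
    STILL_ACTIVE = 259
    address = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 100)
    shellcode = (
        b"\x60"
        + b"\xb9\xc0\x9e\x6a\x00\x8b\x09\x8b\x89\x68\x07\x00\x00"
        + b"\x6a\x02\x6a\x10"
        + b"\x68"
        + (0x50 + 0x64 * row).to_bytes(length=4, byteorder="little", signed=False)  # row coordinate
        + b"\x68"
        + (0x28 + 0x50 * col).to_bytes(length=4, byteorder="little", signed=False)  # column coordinate
        + b"\xba\x10\xcb\x40\x00\xff\xd2"
        + b"\xc7\x40\x68"
        + type.to_bytes(length=4, byteorder="little", signed=False)  # card type
        + b"\x61\xc3"
    )
    print("卡片", row, col, type)
    data.PVZ_memory.write_bytes(address, shellcode, len(shellcode))
    data.PVZ_memory.write_bytes(0x00552014, b"\xfe", 1)
    thread_h = pymem.ressources.kernel32.CreateRemoteThread(
        data.PVZ_memory.process_handle,
        ctypes.cast(0, pymem.ressources.structure.LPSECURITY_ATTRIBUTES),
        0,
        address,
        0,
        0,
        ctypes.byref(ctypes.c_ulong(0)),
    )
    try:
        exit_code = ctypes.c_ulong()
        # Poll until the remote thread reports anything other than STILL_ACTIVE.
        while True:
            pymem.ressources.kernel32.GetExitCodeThread(thread_h, ctypes.byref(exit_code))
            if exit_code.value != STILL_ACTIVE:
                break
            time.sleep(0.005)
    finally:
        data.PVZ_memory.write_bytes(0x00552014, b"\xdb", 1)
        if thread_h:
            pymem.ressources.kernel32.CloseHandle(thread_h)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, address)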
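def creatCaption(str, time, type):
    """Show an in-game caption via a remote thread.

    Args:
        str: caption text; encoded as GBK and written NUL-terminated into a
            1024-byte cave (parameter shadows the builtin -- kept for callers).
        time: duration dword stored at [esi+0x88] (shadows the time module
            inside this function only).
        type: style dword stored at [esi+0x8C]; observed values: 1 bottom
            wide, 3 bottom narrow, 6 bottom narrower, 9 bottom wide, 12 middle
            wide, 14 bottom white text, 15 red centre text, 16 yellow top text.

    Raises:
        ValueError: if the encoded text plus terminator exceeds the cave
            (previously this silently wrote past the 1024-byte allocation).

    Each call allocates a new cave and leaves the previous one in place
    (the remote thread may still reference it); that leak is unchanged.
    """
    global newmem_caption
    CAPTION_BUF_SIZE = 1024
    byte_array = str.encode("gbk")
    if len(byte_array) + 1 > CAPTION_BUF_SIZE:
        raise ValueError(
            "caption text exceeds the %d-byte remote buffer" % CAPTION_BUF_SIZE
        )
    newmem_caption = pymem.memory.allocate_memory(
        data.PVZ_memory.process_handle, CAPTION_BUF_SIZE
    )
    data.PVZ_memory.write_bytes(
        newmem_caption, byte_array + b"\x00", len(byte_array) + 1
    )

    class captionCreat:
        def __init__(self, time, type):
            self.time = time
            self.type = type

        def creat_asm(self, startAddress):
            captionCreat_asm = asm.Asm(startAddress)
            captionCreat_asm.push_dword(newmem_caption)
            captionCreat_asm.lea_exx_ptr_eyy_add_byte(asm.ECX, asm.ESP, 0x30)
            captionCreat_asm.call(0x00404450)
            captionCreat_asm.mov_exx_dword_ptr(asm.EDI, 0x006A9EC0)
            captionCreat_asm.mov_exx_dword_ptr_eyy_add_dword(
                asm.EDI, asm.EDI, 0x00000768
            )
            captionCreat_asm.mov_exx_dword_ptr_eyy_add_dword(
                asm.ESI, asm.EDI, 0x00000140
            )
            captionCreat_asm.mov_exx(asm.ECX, 6)
            captionCreat_asm.lea_exx_ptr_eyy_add_byte(asm.EDX, asm.ESP, 0x2C)
            captionCreat_asm.call(0x00459010)
            captionCreat_asm.mov_ptr_exx_add_dword_dword(asm.ESI, 0x88, self.time)
            captionCreat_asm.mov_ptr_exx_add_dword_dword(asm.ESI, 0x8C, self.type)
            return captionCreat_asm

    asm.runThread(captionCreat(time, type))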
def selectCard(type):
    """Select seed card `type` on the chooser screen via a remote thread.

    The generated code loads [[0x006A9EC0]+0x774] into ESI, EBX = type,
    EDX = EBX*0xF, builds an address with lea, pushes it, copies ESI to
    EAX and calls 0x00486030. `asm.runThread` is expected to invoke
    `creat_asm(startAddress)`.
    """

    class _SelectJob:
        def __init__(self, type):
            self.type = type

        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.ESI, asm.EAX, 0x00000774)
            code.mov_exx(asm.EBX, self.type)
            code.imul_exx_eyy_byte(asm.EDX, asm.EBX, 0xF)
            code.lea_exx_byte_dword(asm.EAX, 0x96, 0xA4)
            code.push_exx(asm.EAX)
            code.mov_exx_eyy(asm.EAX, asm.ESI)
            code.call(0x00486030)
            return code

    asm.runThread(_SelectJob(type))
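def deselectCard(type):
    """Deselect seed card `type` on the chooser screen via a remote thread.

    Same code shape as selectCard() but calls 0x00485E90. The stray
    `global newmem_endlessCar` declaration (never assigned or read here)
    was removed. `asm.runThread` is expected to invoke
    `creat_asm(startAddress)`.
    """

    class cardDeselect:
        def __init__(self, type):
            self.type = type

        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.ESI, asm.EAX, 0x00000774)
            code.mov_exx(asm.EBX, self.type)
            code.imul_exx_eyy_byte(asm.EDX, asm.EBX, 0xF)
            code.lea_exx_byte_dword(asm.EAX, 0x96, 0xA4)
            code.push_exx(asm.EAX)
            code.mov_exx_eyy(asm.EAX, asm.ESI)
            code.call(0x00485E90)
            return code

    asm.runThread(cardDeselect(type))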
def defeat():
    """Trigger the defeat path via `asm.justRunThread`.

    The generated code loads the board into EAX, its zombie array pointer
    (+0x90) into ESI, sets EBX/EDX/ECX/EDI/EAX as the callee at 0x413400
    expects, pushes ESI and EAX and calls it. `asm.justRunThread` is
    expected to invoke `creat_asm(startAddress)`.
    """

    class _DefeatJob:
        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x768)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.ESI, asm.EAX, 0x90)
            code.mov_exx_dword_ptr_eyy(asm.EBX, asm.ESI)
            code.mov_exx(asm.EDX, 0x2D)
            code.mov_exx_eyy(asm.ECX, asm.ESI)
            code.mov_exx(asm.EDI, 0xFFFFFF9C)
            code.mov_exx_dword_ptr_eyy_add_byte(asm.EAX, asm.ESI, 0x04)
            code.push_exx(asm.ESI)
            code.push_exx(asm.EAX)
            code.call(0x413400)
            return code

    asm.justRunThread(_DefeatJob())
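def noSlot_operstion(noSlot_event):
    """Worker loop for noSolt(): clear a bool flag once per second.

    Resolves [[[base]+0x774]+0x88] + 0x1A, and if the bool there is True
    writes False. Read errors are ignored (the chain is presumably invalid
    outside the relevant screen) but the bare `except:` was narrowed to
    `Exception`, and the address is resolved once per pass instead of
    twice. Waiting on the event instead of sleeping lets noSolt(False)
    return immediately rather than after up to one second.

    Args:
        noSlot_event: threading.Event; set it to stop the loop.
    """
    while not noSlot_event.is_set():
        try:
            flag_addr = (
                data.PVZ_memory.read_int(
                    data.PVZ_memory.read_int(
                        data.PVZ_memory.read_int(data.baseAddress) + 0x774
                    )
                    + 0x88
                )
                + 0x1A
            )
            if data.PVZ_memory.read_bool(flag_addr) is True:
                data.PVZ_memory.write_bool(flag_addr, False)
        except Exception:
            pass
        noSlot_event.wait(1)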
# Stop flag and worker handle shared by noSolt()/noSlot_operstion().
noSlot_event, noSlot_thread = Event(), None
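def noSolt(f):
    """Start or stop the no-slot worker thread.

    Enabling starts a worker only when none is alive; disabling sets the
    stop event and joins the worker. The join is now guarded so disabling
    before any enable no longer raises AttributeError on None.

    Args:
        f: truthy to start, falsy to stop.
    """
    global noSlot_thread
    if f:
        if noSlot_thread is None or not noSlot_thread.is_alive():
            noSlot_event.clear()
            noSlot_thread = Thread(target=noSlot_operstion, args=(noSlot_event,))
            noSlot_thread.start()
    else:
        # Signal the worker to stop, then wait for it to finish.
        noSlot_event.set()
        if noSlot_thread is not None:
            noSlot_thread.join()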
def save():
    """Invoke the game's save routine (0x408C30) with the board in ECX,
    via a remote thread; `asm.runThread` is expected to call `creat_asm`."""

    class _SaveJob:
        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.mov_exx_dword_ptr(asm.ECX, 0x006A9EC0)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.ECX, asm.ECX, 0x768)
            code.push_exx(asm.ECX)
            code.call(0x408C30)
            return code

    asm.runThread(_SaveJob())
def load():
    """Invoke the game's load routine (0x44F7A0) with [0x006A9EC0] pushed,
    via a remote thread; `asm.runThread` is expected to call `creat_asm`."""

    class _LoadJob:
        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.mov_exx_dword_ptr(asm.ESI, 0x006A9EC0)
            code.push_exx(asm.ESI)
            code.call(0x44F7A0)
            return code

    asm.runThread(_LoadJob())
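# spoils "type" values 7..10 map to different push immediates; 0..6 push as-is.
_SPOILS_TYPE_ENCODING = {7: 0x8, 8: 0xF, 9: 0x10, 10: 0x12}


def _spoils_emit_gate(shellcode, entry, skip):
    """Emit the percent gate for one spoils entry.

    random(100) leaves the roll in EDX; `jb +5` (72 05) falls into the drop
    block when the roll is below entry["percent"], otherwise `jmp skip`
    (E9 rel32) steps over it. `skip` is the drop block's length.
    """
    shellcode.random(100)
    shellcode.cmp_exx_byte(asm.EDX, entry["percent"])
    shellcode.add_byte(0x72)  # jb
    shellcode.add_byte(0x05)  # skip the following jmp when below percent
    shellcode.add_byte(0xE9)  # jmp over the drop block otherwise
    shellcode.add_dword(skip)


def _spoils_push_item(shellcode, entry):
    """Emit `push 3`, the encoded item type and the card id store.

    Types <= 6 are pushed unchanged, 7..10 through _SPOILS_TYPE_ENCODING;
    any other type pushes nothing, exactly as before. card == -1 stores 0
    at 0x00751EC0, otherwise the card id itself.
    """
    shellcode.push_byte(0x03)
    item_type = entry["type"]
    if item_type <= 6:
        shellcode.push_byte(item_type)
    elif item_type in _SPOILS_TYPE_ENCODING:
        shellcode.push_byte(_SPOILS_TYPE_ENCODING[item_type])
    card = entry["card"]
    shellcode.mov_dword_ptr_dword(0x00751EC0, 0 if card == -1 else card)


def spoils(spoils_config):
    """Install (or remove) the zombie-spoils drop hook.

    spoils_config is False to disable, otherwise a list of up to four dicts
    with keys "percent", "type" and "card". Each configured entry gets a
    percent gate followed by a drop call (0x0040CB10); the four entries
    differ only in register setup, so the shared parts now live in
    `_spoils_emit_gate` / `_spoils_push_item`. This also fixes the fourth
    entry, which previously pushed `spoils_config[2]["type"]` instead of its
    own type. Debug prints are kept.

    Enabling: patches 0x00530275, fills two caves (256 and 32 bytes, module
    globals newmem_spoils / newmem_spoils2) and hooks 0x42FFB6 and
    0x00530277. Disabling restores all three sites and frees both caves
    (disabling before enabling frees unset globals -- unchanged).
    """
    global newmem_spoils
    global newmem_spoils2
    print(spoils_config)
    if spoils_config is not False:
        data.PVZ_memory.write_bytes(0x00530275, b"\x70", 1)
        newmem_spoils = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 256
        )
        newmem_spoils2 = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 32
        )
        print(hex(newmem_spoils))
        print(hex(newmem_spoils2))
        shellcode = asm.Asm(newmem_spoils)
        shellcode.mov_exx_dword_ptr_eyy(asm.EAX, asm.EBX)
        shellcode.mov_exx(asm.ESI, 4)
        shellcode.call(0x00453630)
        if len(spoils_config) > 0:
            _spoils_emit_gate(shellcode, spoils_config[0], 0x1F)
            shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.ESI, asm.ESP, 0x0C)
            shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.ECX, asm.EBX, 0x04)
            _spoils_push_item(shellcode, spoils_config[0])
            shellcode.push_exx(asm.ESI)
            shellcode.lea_exy_byte(0x47, 0xEC)
            shellcode.push_exx(asm.EAX)
            shellcode.call(0x0040CB10)
        if len(spoils_config) > 1:
            _spoils_emit_gate(shellcode, spoils_config[1], 0x1B)
            _spoils_push_item(shellcode, spoils_config[1])
            shellcode.push_exx(asm.ESI)
            shellcode.lea_exy_byte(0x4F, 0xE2)
            shellcode.push_exx(asm.ECX)
            shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.ECX, asm.EBX, 0x04)
            shellcode.call(0x0040CB10)
        if len(spoils_config) > 2:
            _spoils_emit_gate(shellcode, spoils_config[2], 0x1B)
            shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.ECX, asm.EBX, 0x04)
            _spoils_push_item(shellcode, spoils_config[2])
            shellcode.push_exx(asm.ESI)
            shellcode.lea_exy_byte(0x57, 0xD8)
            shellcode.push_exx(asm.EDX)
            shellcode.call(0x0040CB10)
        if len(spoils_config) > 3:
            _spoils_emit_gate(shellcode, spoils_config[3], 0x1B)
            shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.ECX, asm.EBX, 0x04)
            _spoils_push_item(shellcode, spoils_config[3])
            shellcode.push_exx(asm.ESI)
            shellcode.add_exx_byte(asm.EDI, 0xCE)
            shellcode.push_exx(asm.EDI)
            shellcode.call(0x0040CB10)
        # Epilogue of the hooked function, then the (unreachable) return jump.
        shellcode.pop_exx(asm.EDI)
        shellcode.pop_exx(asm.ESI)
        shellcode.pop_exx(asm.EBX)
        shellcode.mov_exx_eyy(asm.ESP, asm.EBP)
        shellcode.pop_exx(asm.EBP)
        shellcode.ret()
        shellcode.jmp(0x005302D2)
        # Second cave: `mov eax,[0x00751EC0] ; mov [ebp+0x68],eax ; jmp 0x0042FFBD`.
        tempcode = asm.Asm(newmem_spoils2)
        tempcode.mov_exx_dword_ptr(asm.EAX, 0x00751EC0)
        tempcode.add_byte(0x89)
        tempcode.add_byte(0x45)
        tempcode.add_byte(0x68)
        tempcode.jmp(0x0042FFBD)
        data.PVZ_memory.write_bytes(
            newmem_spoils2, bytes(tempcode.code[: tempcode.index]), tempcode.index
        )
        data.PVZ_memory.write_bytes(
            0x42FFB6,
            b"\xe9" + calculate_call_address(newmem_spoils2 - 0x0042FFBB) + b"\x66\x90",
            7,
        )
        data.PVZ_memory.write_bytes(
            newmem_spoils, bytes(shellcode.code[: shellcode.index]), shellcode.index
        )
        data.PVZ_memory.write_bytes(
            0x00530277, b"\xe9" + calculate_call_address(newmem_spoils - 0x0053027C), 5
        )
    else:
        data.PVZ_memory.write_bytes(0x00530275, b"\x75", 1)
        data.PVZ_memory.write_bytes(0x42FFB6, b"\xc7\x45\x68\x00\x00\x00\x00", 7)
        data.PVZ_memory.write_bytes(0x00530277, b"\x8b\x03\xbe\x04\x00", 5)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_spoils)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_spoils2)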
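def _slotkey_emit_return(shellcode):
    """Emit the epilogue every handler ends with: restore the registers saved by
    the initial pushad, re-execute the instruction the hook at 0x0041B272
    replaced (mov edx,[esi+0x8C]; restored byte-for-byte on disable) and jump
    back to 0x0041B278."""
    shellcode.popad()
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EDX, asm.ESI, 0x8C)
    shellcode.jmp(0x0041B278)


def _slotkey_emit_key_check(shellcode, key_index, handler_offset):
    """Emit one dispatch-table entry: `cmp edi, data.keyCode[key_index]` plus a
    je to the handler `handler_offset` bytes ahead.

    key_index: value taken from slot_key_list; <= 0 means "shortcut unbound".
    handler_offset: forward byte distance handed to je_offset.
    An unbound entry is padded with two nop_6 so it takes the same space as a
    bound one; presumably this is what keeps the hard-coded offsets of the
    following entries valid (confirm against asm.Asm encodings if changed).
    """
    if key_index > 0:
        shellcode.cmp_exx_dword(asm.EDI, data.keyCode[key_index])
        shellcode.je_offset(handler_offset)
    else:
        shellcode.nop_6()
        shellcode.nop_6()


def _slotkey_emit_slot_handler(shellcode, slot_index):
    """Emit the handler for seed-slot shortcut `slot_index` (0-based).

    Sets edx = slot_index, walks [0x006A9EC0] -> +0x768 -> +0x144 and bails
    out (jl) when the dword at +0x24 is below slot_index; it then requires the
    fields at +0x28/+0x2C/+0x30 of the +0x138 object to equal 0xFF, 0xFF and
    0x00, computes an entry address with a 0x50-byte stride, calls 0x00488590
    and 0x0040E520, and returns to the game. All jl/jne offsets are hard-coded
    to this exact instruction sequence, so do not reorder or add instructions.
    """
    shellcode.mov_exx(asm.EDX, slot_index)
    shellcode.mov_exx_dword_ptr(asm.ECX, 0x006A9EC0)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EDI, asm.ECX, 0x768)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EBX, asm.EDI, 0x144)
    shellcode.cmp_ptr_exx_add_byte_eyy(asm.EBX, 0x24, asm.EDX)
    shellcode.jl_offset(0x3A)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EBX, asm.EDI, 0x138)
    shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.EBX, 0x28, 0xFF)
    shellcode.jne_short_offset(0x2E)
    shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.EBX, 0x2C, 0xFF)
    shellcode.jne_short_offset(0x28)
    shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.EBX, 0x30, 0x00)
    shellcode.jne_short_offset(0x22)
    shellcode.imul_exx_eyy_dword(asm.EDX, asm.EDX, 0x50)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.ECX, 0x768)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x144)
    shellcode.add_exx_eyy(asm.EAX, asm.EDX)
    shellcode.lea_exy_byte(0x40, 0x28)
    shellcode.push_exx(asm.EAX)
    shellcode.call(0x00488590)
    shellcode.call(0x0040E520)
    _slotkey_emit_return(shellcode)


def _slotkey_emit_shovel_handler(shellcode):
    """Emit the shovel handler: calls 0x0040CD80 with eax = [[0x006A9EC0]+0x768]
    and then writes 6 into field +0x30 of that object's +0x138 member."""
    shellcode.mov_exx_dword_ptr(asm.EBX, 0x006A9EC0)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EBX, asm.EBX, 0x768)
    shellcode.mov_exx_eyy(asm.EAX, asm.EBX)
    shellcode.call(0x0040CD80)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EBX, asm.EBX, 0x138)
    shellcode.mov_ptr_exx_add_byte_dword(asm.EBX, 0x30, 0x6)
    _slotkey_emit_return(shellcode)


def _slotkey_emit_toggle_82c(shellcode, flag_offset):
    """Emit a handler that flips the dword at [[0x006A9EC0]+0x82C]+flag_offset
    between 1 and 0.

    Used for zombie_hp (0x1CA0), plant_hp (0x1CA4) and speed (0x1C9C); the
    "top" toggle lives under +0x768 and uses a different jump encoding, so it
    is emitted inline by slotKey. The je/jmp offsets assume this exact layout.
    """
    shellcode.mov_exx_dword_ptr(asm.EDX, 0x006A9EC0)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EDX, asm.EDX, 0x82C)
    shellcode.cmp_dword_ptr_exx_add_dword_byte(asm.EDX, flag_offset, 0x1)
    shellcode.je_offset(0x10)
    shellcode.mov_ptr_exx_add_dword_dword(asm.EDX, flag_offset, 0x1)
    shellcode.popad()
    shellcode.jmp_dword_offset(0xB)
    shellcode.mov_ptr_exx_add_dword_dword(asm.EDX, flag_offset, 0x0)
    _slotkey_emit_return(shellcode)


def _slotkey_emit_bag_handler(shellcode):
    """Emit the "bag" handler (see the disassembly the original listing kept as
    comments): only when [[0x006A9EC0]+0x7FC] == 3 and 0x0044F410 returns a
    non-zero al does it call 0x00450180, 0x00401BE0, the virtual function at
    [obj]+0x12C with argument 1, and finally 0x0045B770 on [[0x006A9EC0]+0x83C].
    The jne/je offsets skip straight to the epilogue and are hard-coded."""
    shellcode.mov_exx_dword_ptr(asm.ECX, 0x006A9EC0)
    shellcode.cmp_dword_ptr_exx_add_dword_byte(asm.ECX, 0x7FC, 0x3)
    shellcode.jne_long_offset(0x4A)
    shellcode.call(0x0044F410)
    shellcode.test_8(asm.AL, asm.AL)
    shellcode.je_offset(0x3D)
    shellcode.mov_exx_dword_ptr(asm.EDI, 0x006A9EC0)
    shellcode.mov_exx(asm.EBX, 0xFFFFFFFF)
    shellcode.call(0x00450180)
    shellcode.mov_exx_eyy(asm.EBX, asm.EAX)
    shellcode.mov_exx_eyy(asm.ECX, asm.EAX)
    shellcode.mov_exx(asm.EAX, 0xA)
    shellcode.call(0x00401BE0)
    shellcode.mov_exx_dword_ptr_eyy(asm.EDX, asm.EBX)
    shellcode.mov_exx_eyy(asm.ECX, asm.EBX)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EDX, 0x12C)
    shellcode.push_byte(0x1)
    shellcode.call_exx(asm.EAX)
    shellcode.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x83C)
    shellcode.call(0x0045B770)
    _slotkey_emit_return(shellcode)


def slotKey(slot_key_list):
    """Install or remove the keyboard-shortcut hook at 0x0041B272.

    slot_key_list: dict with keys "1".."14", "shovel", "zombie_hp", "top",
        "plant_hp", "speed" and "bag"; each value indexes data.keyCode and a
        value <= 0 leaves that shortcut unbound. Pass False to remove the hook.
    Side effects: allocates/frees a 2048-byte code cave in the game process
    (global newmem_slotKey), writes the cave, patches the 6-byte jump at
    0x0041B272 and the 6 bytes at 0x00539660 (version-specific on restore),
    and prints the bindings and cave address (debug output kept as-is).

    Layout of the cave: pushad, a fixed-order dispatch table (one compare+je
    per shortcut, 16 reserved nop_6 entries, then a fall-through return to the
    game), followed by the handlers in the order the table's offsets expect:
    14 slot handlers 0x56 bytes apart, shovel, zombie_hp, top, plant_hp, speed,
    bag, then 8 reserved handlers that only return. Every je/jmp distance is a
    hard-coded literal, so the emission order and instruction choice must not
    change without recomputing them.
    """
    global newmem_slotKey
    if slot_key_list is False:
        # Disable: restore the original bytes at the hook site, free the cave
        # and put back the version-specific jump at 0x00539660.
        data.PVZ_memory.write_bytes(0x0041B272, b"\x8b\x96\x8c\x00\x00\x00", 6)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_slotKey)
        if data.PVZ_version == 2.0:
            data.PVZ_memory.write_bytes(0x00539660, b"\xe9\x9b\x5c\x33\x00\x90", 6)
        elif data.PVZ_version == 2.1:
            data.PVZ_memory.write_bytes(0x00539660, b"\xe9\x9b\x5b\x36\x00\x90", 6)
        return

    print(slot_key_list)
    newmem_slotKey = pymem.memory.allocate_memory(
        data.PVZ_memory.process_handle, 2048
    )
    print(hex(newmem_slotKey))
    shellcode = asm.Asm(newmem_slotKey)
    shellcode.pushad()

    # --- dispatch table -------------------------------------------------
    # Slot shortcuts "1".."14": handler i is 0x150 + 0x56*i bytes ahead.
    for slot_index in range(14):
        _slotkey_emit_key_check(
            shellcode, slot_key_list[str(slot_index + 1)], 0x150 + 0x56 * slot_index
        )
    _slotkey_emit_key_check(shellcode, slot_key_list["shovel"], 0x150 + 0x56 * 14)
    # Toggle shortcuts: their handlers have different sizes, hence literal targets.
    for key_name, handler_offset in (
        ("zombie_hp", 0x624),
        ("top", 0x657),
        ("plant_hp", 0x686),
        ("speed", 0x6B9),
        ("bag", 0x6EC),
    ):
        _slotkey_emit_key_check(shellcode, slot_key_list[key_name], handler_offset)
    # 16 reserved table entries (two nop_6 each in the original listing).
    for _ in range(16):
        shellcode.nop_6()
    # No shortcut matched: hand control straight back to the game.
    _slotkey_emit_return(shellcode)

    # --- handlers, in the order the table offsets expect ------------------
    for slot_index in range(14):
        _slotkey_emit_slot_handler(shellcode, slot_index)
    _slotkey_emit_shovel_handler(shellcode)
    _slotkey_emit_toggle_82c(shellcode, 0x1CA0)  # zombie_hp
    # "top": flag at [[0x006A9EC0]+0x768]+0x57BC; shorter encoding than the
    # +0x82C toggles (single popad, short jmp), so it is not shared with them.
    shellcode.mov_exx_dword_ptr(asm.EDX, 0x006A9EC0)
    shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EDX, asm.EDX, 0x768)
    shellcode.cmp_dword_ptr_exx_add_dword_byte(asm.EDX, 0x57BC, 0x1)
    shellcode.je_offset(0xC)
    shellcode.mov_ptr_exx_add_dword_dword(asm.EDX, 0x57BC, 0x1)
    shellcode.jmp_short_offset(0x0A)
    shellcode.mov_ptr_exx_add_dword_dword(asm.EDX, 0x57BC, 0x0)
    _slotkey_emit_return(shellcode)
    _slotkey_emit_toggle_82c(shellcode, 0x1CA4)  # plant_hp
    _slotkey_emit_toggle_82c(shellcode, 0x1C9C)  # speed
    _slotkey_emit_bag_handler(shellcode)
    # 8 reserved handlers: each just returns to the game.
    for _ in range(8):
        _slotkey_emit_return(shellcode)

    # --- install ----------------------------------------------------------
    data.PVZ_memory.write_bytes(
        newmem_slotKey, bytes(shellcode.code[: shellcode.index]), shellcode.index
    )
    data.PVZ_memory.write_bytes(
        0x0041B272,
        b"\xe9" + calculate_call_address(newmem_slotKey - 0x0041B277) + b"\x90",
        6,
    )
    data.PVZ_memory.write_bytes(0x00539660, b"\x90\x90\x90\x90\x90\x90", 6)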
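def setAllBullet(f, type):
    """Install or remove the patch at 0x0046E8DC that forces every projectile's
    type field ([esi+0x5C]) to `type`.

    f: True installs the hook, False restores the original 5 bytes and frees
        the code cave.
    type: projectile type id, emitted as a 32-bit little-endian immediate;
        int.to_bytes raises OverflowError unless 0 <= type < 2**32.
    Side effects: global newmem_setAllBullet, writes into the game process,
    and a debug print of `type` kept from the original.
    """
    global newmem_setAllBullet
    if not f:
        data.PVZ_memory.write_bytes(0x0046E8DC, b"\xda\x64\x24\x18\x57", 5)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_setAllBullet)
        return

    print(type)
    newmem_setAllBullet = pymem.memory.allocate_memory(
        data.PVZ_memory.process_handle, 64
    )
    # mov dword ptr [esi+0x5C], type ; the 5 original bytes from 0x0046E8DC ;
    # jmp back to 0x0046E8E1 (rel32 computed from the end of the 17-byte cave).
    shellcode = (
        b"\xc7\x46\x5c"
        + type.to_bytes(4, byteorder="little")
        + b"\xda\x64\x24\x18\x57\xe9"
        + calculate_call_address(0x0046E8E1 - newmem_setAllBullet - 0x11)
    )
    # Write exactly what was built (17 bytes) instead of a separate literal so
    # the length can never drift from the byte string.
    data.PVZ_memory.write_bytes(newmem_setAllBullet, shellcode, len(shellcode))
    data.PVZ_memory.write_bytes(
        0x0046E8DC,
        b"\xe9" + calculate_call_address(newmem_setAllBullet - 0x0046E8E1),
        5,
    )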
def setOneBullet(f, type1, type2):
    """Install or remove a hook at 0x0046E8DC that rewrites projectiles of type
    `type1` to `type2` (field [esi+0x5C]).

    f: True installs the hook, False restores the original bytes and frees the
        code cave.
    type1: projectile type compared against (8-bit immediate in the cmp).
    type2: replacement type written as a 32-bit immediate.
    Side effects: global newmem_setOneBullet and writes into the game process.
    """
    global newmem_setOneBullet
    if not f:
        data.PVZ_memory.write_bytes(0x0046E8DC, b"\xda\x64\x24\x18\x57", 5)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_setOneBullet)
        return

    newmem_setOneBullet = pymem.memory.allocate_memory(
        data.PVZ_memory.process_handle, 64
    )
    cave = asm.Asm(newmem_setOneBullet)
    cave.cmp_dword_ptr_exx_add_byte_byte(asm.ESI, 0x5C, type1)
    # jne skips the 7-byte `mov dword ptr [esi+0x5C], type2` that follows.
    cave.jne_long_offset(7)
    cave.mov_ptr_exx_add_byte_dword(asm.ESI, 0x5C, type2)
    # The 5 original bytes displaced from 0x0046E8DC, replayed before jumping back.
    for displaced_byte in (0xDA, 0x64, 0x24, 0x18, 0x57):
        cave.add_byte(displaced_byte)
    cave.jmp(0x0046E8E1)

    cave_bytes = bytes(cave.code[: cave.index])
    data.PVZ_memory.write_bytes(newmem_setOneBullet, cave_bytes, cave.index)
    data.PVZ_memory.write_bytes(
        0x0046E8DC,
        b"\xe9" + calculate_call_address(newmem_setOneBullet - 0x0046E8E1),
        5,
    )
def randomBullet(f, hasDoom, hasMine, hasPepper):
    """Install or remove a hook at 0x0046E8DC that assigns a random projectile
    type ([esi+0x5C]) from the asm module's random(25) sequence.

    f: True installs the hook, False restores the original bytes and frees the
        code cave.
    hasDoom / hasMine / hasPepper: when True, the corresponding exclusion
        compare (values 11, 22 and 24 respectively) is replaced by padding
        nops; value 13 is always excluded. The random value is read from edx,
        as the compares below assume.
    Side effects: global newmem_randomBullet and writes into the game process.

    NOTE(review): the je targets 0x29, 0x1D and 0x11 are 12 bytes apart but
    0x11 and 0x3 are 14 apart; confirm against the asm encodings that all four
    land on the same instruction.
    """
    global newmem_randomBullet
    if not f:
        data.PVZ_memory.write_bytes(0x0046E8DC, b"\xda\x64\x24\x18\x57", 5)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_randomBullet)
        return

    newmem_randomBullet = pymem.memory.allocate_memory(
        data.PVZ_memory.process_handle, 64
    )
    cave = asm.Asm(newmem_randomBullet)
    cave.random(25)
    cave.cmp_exx_dword(asm.EDX, 13)
    cave.je_offset(0x29)
    # Optional exclusions; each disabled compare keeps its 12-byte footprint.
    exclusions = (
        (hasDoom, 11, 0x1D),
        (hasMine, 22, 0x11),
        (hasPepper, 24, 0x3),
    )
    for skip_compare, excluded_value, skip_offset in exclusions:
        if skip_compare:
            cave.nop_6()
            cave.nop_6()
        else:
            cave.cmp_exx_dword(asm.EDX, excluded_value)
            cave.je_offset(skip_offset)
    cave.mov_ptr_exx_add_byte_eyy(asm.ESI, 0x5C, asm.EDX)
    # The 5 original bytes displaced from 0x0046E8DC, replayed before jumping back.
    for displaced_byte in (0xDA, 0x64, 0x24, 0x18, 0x57):
        cave.add_byte(displaced_byte)
    cave.jmp(0x0046E8E1)

    cave_bytes = bytes(cave.code[: cave.index])
    data.PVZ_memory.write_bytes(newmem_randomBullet, cave_bytes, cave.index)
    data.PVZ_memory.write_bytes(
        0x0046E8DC,
        b"\xe9" + calculate_call_address(newmem_randomBullet - 0x0046E8E1),
        5,
    )
def setAttackSpeed(multiple):
    """Write the attack-speed byte at 0x045F8AC as (256 - multiple).

    multiple: integer subtracted from 256; write_uchar presumably requires the
    result to fit in 0..255, so callers should keep multiple within 1..255 —
    TODO confirm against pymem's write_uchar.
    """
    speed_byte = 256 - multiple
    data.PVZ_memory.write_uchar(0x045F8AC, speed_byte)
def cancelAttackAnimation(f):
    """Toggle the attack-animation patch.

    f: True overwrites the 6 bytes at 0x00464A96 and the 7 bytes at 0x00464A62
        with nops; False writes back the original instruction bytes.
    """
    if f:
        patches = (
            (0x00464A96, b"\x90" * 6),
            (0x00464A62, b"\x90" * 7),
        )
    else:
        patches = (
            (0x00464A96, b"\x0f\x85\x98\xfe\xff\xff"),
            (0x00464A62, b"\x83\xbf\x90\x00\x00\x00\x13"),
        )
    for address, raw in patches:
        data.PVZ_memory.write_bytes(address, raw, len(raw))
def setBulletSize(f, size):
    """Install or remove two hooks that scale projectile size and shift its
    position by half the scale.

    f: True installs both hooks, False restores the original 8 bytes at
        0x0046E772 and 0x0046E765 and frees both code caves.
    size: scale factor. It is emitted as an 8-bit immediate in
        imul_exx_eyy_byte, so presumably it must fit a signed byte — confirm
        against the asm module. The position shift is int(size / 2).
    Side effects: globals newmem_setBulletSize / newmem_setBulletPosition and
    writes into the game process.
    """
    global newmem_setBulletSize
    global newmem_setBulletPosition
    if not f:
        data.PVZ_memory.write_bytes(0x0046E772, b"\x89\x7c\x24\x40\x89\x5c\x24\x44", 8)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_setBulletSize)
        data.PVZ_memory.write_bytes(0x0046E765, b"\x89\x44\x24\x34\x89\x44\x24\x38", 8)
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_setBulletPosition
        )
        return

    # Hook 1 (0x0046E772): ebx *= size -> [esp+0x44]; edi * size -> [esp+0x40].
    newmem_setBulletSize = pymem.memory.allocate_memory(
        data.PVZ_memory.process_handle, 64
    )
    size_cave = asm.Asm(newmem_setBulletSize)
    size_cave.imul_exx_eyy_byte(asm.EBX, asm.EBX, size)
    size_cave.mov_ptr_exx_add_byte_eyy(asm.ESP, 0x44, asm.EBX)
    size_cave.mov_exx(asm.EBX, size)
    size_cave.imul_exx_eyy(asm.EBX, asm.EDI)
    size_cave.mov_ptr_exx_add_byte_eyy(asm.ESP, 0x40, asm.EBX)
    size_cave.jmp(0x0046E77A)
    data.PVZ_memory.write_bytes(
        newmem_setBulletSize,
        bytes(size_cave.code[: size_cave.index]),
        size_cave.index,
    )
    size_hook = (
        b"\xe9"
        + calculate_call_address(newmem_setBulletSize - 0x0046E777)
        + b"\x90\x90\x90"
    )
    data.PVZ_memory.write_bytes(0x0046E772, size_hook, 8)

    # Hook 2 (0x0046E765): -(movement*edi) -> [esp+0x34], -(movement*ebx) -> [esp+0x38].
    newmem_setBulletPosition = pymem.memory.allocate_memory(
        data.PVZ_memory.process_handle, 64
    )
    movement = int(size / 2)
    position_cave = asm.Asm(newmem_setBulletPosition)
    for stack_offset, factor_reg in ((0x34, asm.EDI), (0x38, asm.EBX)):
        position_cave.mov_exx(asm.EAX, movement)
        position_cave.imul_exx_eyy(asm.EAX, factor_reg)
        position_cave.neg_exx(asm.EAX)
        position_cave.mov_ptr_exx_add_byte_eyy(asm.ESP, stack_offset, asm.EAX)
    position_cave.xor_exx_eyy(asm.EAX, asm.EAX)
    position_cave.jmp(0x0046E76D)
    data.PVZ_memory.write_bytes(
        newmem_setBulletPosition,
        bytes(position_cave.code[: position_cave.index]),
        position_cave.index,
    )
    position_hook = (
        b"\xe9"
        + calculate_call_address(newmem_setBulletPosition - 0x0046E76A)
        + b"\x90\x90\x90"
    )
    data.PVZ_memory.write_bytes(0x0046E765, position_hook, 8)
def setPlantBullet(f, plantType, bulletType, mode):
    """Install or remove a hook at 0x004672B5 that, for plants whose type
    ([ebp+0x24]) equals `plantType`, writes `bulletType` to [eax+0x5C] and
    `mode` to [eax+0x58] before replaying the displaced instructions.

    f: True installs the hook, False restores the original 6 bytes and frees
        the code cave.
    plantType: compared as an 8-bit immediate; bulletType and mode are
        written as 32-bit immediates.
    Side effects: global newmem_setPlantBullet and writes into the game process.
    """
    global newmem_setPlantBullet
    if not f:
        data.PVZ_memory.write_bytes(0x004672B5, b"\x8b\x54\x24\x3c\x8b\xc8", 6)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_setPlantBullet)
        return

    newmem_setPlantBullet = pymem.memory.allocate_memory(
        data.PVZ_memory.process_handle, 64
    )
    cave = asm.Asm(newmem_setPlantBullet)
    cave.cmp_dword_ptr_exx_add_byte_byte(asm.EBP, 0x24, plantType)
    # jne skips the two 7-byte stores below (0xE bytes).
    cave.jne_short_offset(0xE)
    cave.mov_ptr_exx_add_byte_dword(asm.EAX, 0x5C, bulletType)
    cave.mov_ptr_exx_add_byte_dword(asm.EAX, 0x58, mode)
    # Displaced instructions: mov edx,[esp+0x3C] ; mov ecx,eax.
    cave.mov_exx_dword_ptr_eyy_add_byte(asm.EDX, asm.ESP, 0x3C)
    cave.mov_exx_eyy(asm.ECX, asm.EAX)
    cave.jmp(0x004672BB)

    cave_bytes = bytes(cave.code[: cave.index])
    data.PVZ_memory.write_bytes(newmem_setPlantBullet, cave_bytes, cave.index)
    hook = (
        b"\xe9"
        + calculate_call_address(newmem_setPlantBullet - 0x004672BA)
        + b"\x90"
    )
    data.PVZ_memory.write_bytes(0x004672B5, hook, 6)
def startCar(addr):
    """Run a thread in the game process that calls 0x00458DA0 with esi = addr.

    addr: address loaded into esi before the call (presumably the lawn-mower
        object — TODO confirm against the caller).
    The local class only exists to satisfy asm.runThread, which calls
    `creat_asm(startAddress)` (name kept as the asm module expects it).
    """

    class _CarStarter:
        def __init__(self, addr):
            self.addr = addr

        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.mov_exx(asm.ESI, self.addr)
            code.call(0x00458DA0)
            return code

    asm.runThread(_CarStarter(addr))
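def recoveryCars():
    """Temporarily patch three sites, run a thread in the game process that
    calls 0x0040BC70 with [[0x006A9EC0]+0x768] pushed, then restore the sites.

    The restores are in a `finally` so the game is never left with the
    temporary bytes if asm.runThread raises (the original restored them only
    on the success path).
    """

    class _CarsRecovery:
        def __init__(self) -> None:
            pass

        # Name required by asm.runThread.
        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x768)
            code.push_exx(asm.EAX)
            code.call(0x0040BC70)
            return code

    # (address, temporary bytes, original bytes)
    patches = (
        (0x0040BC98, b"\xeb\x60", b"\x75\x09"),
        (0x00458002, b"\xfc\x99", b"\xf8\x9b"),
        (0x0040BD17, b"\x01", b"\x00"),
    )
    for address, temporary, _original in patches:
        data.PVZ_memory.write_bytes(address, temporary, len(temporary))
    try:
        asm.runThread(_CarsRecovery())
    finally:
        for address, _temporary, original in patches:
            data.PVZ_memory.write_bytes(address, original, len(original))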
def endlessCar(f):
    """Hook 0x00458AEC so a lawn mower whose x position ([ebx+8], a float)
    lies inside a narrow band is moved back to the left edge instead of
    leaving the lawn ("endless" mowers).

    Args:
        f: truthy installs the hook; falsy restores the original 6 bytes and
           frees the cave (NameError if the global was never assigned).

    The constants compared are IEEE-754 floats: 0x44480000 = 800.0,
    0x44444000 = 785.0, 0xC2C80000 = -100.0. The cave appears to store -100.0
    only when 785.0 < x < 800.0 (unsigned compares are fine for positive
    floats) — confirm against the game's mower logic.
    """
    global newmem_endlessCar
    if f:
        newmem_endlessCar = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 64
        )
        shellcode = asm.Asm(newmem_endlessCar)
        # Raw bytes D9 43 08 = fld dword ptr [ebx+8] (first displaced instr).
        shellcode.add_byte(0xD9)
        shellcode.add_byte(0x43)
        shellcode.add_byte(0x08)
        # Second displaced instruction: mov eax,[ebx+0x34].
        shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.EAX, asm.EBX, 0x34)
        # x >= 800.0 -> fall through to nop+jmp back (no change).
        shellcode.cmp_dword_ptr_exx_add_byte_dword(asm.EBX, 0x8, 0x44480000)
        shellcode.jb_offset(0x09)
        shellcode.nop_4()
        shellcode.jmp(0x00458AF2)
        # x <= 785.0 -> fall through to nop+jmp back (no change).
        shellcode.cmp_dword_ptr_exx_add_byte_dword(asm.EBX, 0x8, 0x44444000)
        shellcode.ja_offset(0x9)
        shellcode.nop_4()
        shellcode.jmp(0x00458AF2)
        # 785.0 < x < 800.0 -> x = -100.0, then resume after the hook.
        shellcode.mov_ptr_exx_add_byte_dword(asm.EBX, 0x08, 0xC2C80000)
        shellcode.jmp(0x00458AF2)
        data.PVZ_memory.write_bytes(
            newmem_endlessCar, bytes(shellcode.code[: shellcode.index]), shellcode.index
        )
        # jmp rel32 (relative to 0x00458AF1, the end of the jmp) + nop.
        data.PVZ_memory.write_bytes(
            0x00458AEC,
            b"\xe9" + calculate_call_address(newmem_endlessCar - 0x00458AF1) + b"\x90",
            6,
        )
    else:
        # Original bytes: fld dword ptr [ebx+8]; mov eax,[ebx+0x34].
        data.PVZ_memory.write_bytes(0x00458AEC, b"\xd9\x43\x08\x8b\x43\x34", 6)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_endlessCar)
def initCar(f):
    """Write the 5-byte sequence 83 FA 14 7A 70 at 0x0040BCA3.

    NOTE(review): the original enable and disable branches wrote exactly the
    same bytes, so `f` never changes what is written; presumably the disable
    path was meant to restore the game's original bytes — confirm and fix
    upstream. Behaviour is kept identical here.
    """
    patch = b"\x83\xfa\x14\x7a\x70"
    data.PVZ_memory.write_bytes(0x0040BCA3, patch, len(patch))
def autoCar(f):
    """Install (f truthy) or remove (f falsy) a pre-assembled 81-byte routine
    that the game reaches through a jmp written at 0x458D99.

    The cave is a fixed byte blob (not generated with `asm.Asm`); only two
    rel32 call targets inside it are computed at run time relative to the
    cave address (0x41E120 and 0x00458000). The disable path writes
    `ret; int3 x4` (C3 CC CC CC CC) at 0x458D99 — presumably that is the
    routine's original prologue; confirm before relying on the restore.
    NameError if `newmem_autoCar` was never assigned when disabling.
    """
    global newmem_autoCar  # declare newmem as a global variable
    if f:
        # if enable_LawnMowers==1:
        newmem_autoCar = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 128
        )
        # print(f"infinite lawn mowers by 妥妥的 2024-4-9 08:30:45, allocated memory: {hex(newmem)},patch addr: {hex(0x458d99)}")
        # jmp rel32 at 0x458D99, relative to the end of the jmp (0x0458D9E).
        data.PVZ_memory.write_bytes(
            0x458D99, b"\xe9" + calculate_call_address(newmem_autoCar - 0x0458D9E), 5
        )
        # 45 fixed bytes, a 4-byte rel32, 6 fixed bytes, a 4-byte rel32 and
        # 22 fixed bytes = 81 bytes, matching the length passed below
        # (assumes calculate_call_address returns exactly 4 bytes).
        byte_data = (
            b"\x60\x9c\xbf\x00\x00\x00\x00\x8b\x35\xc0\x9e\x6a\x00\x8b\xae"
            b"\x68\x07\x00\x00\x8d\xb5\x00\x01\x00\x00\x89\x7e\x04\x89\x7e"
            b"\x0c\x89\x7e\x10\xb8\x77\xd1\x00\x00\x01\xf8\x89\x46\x14\xe8"
            # pm.write_uint(newmem+45,0x41E120 - newmem - 0x31)
            # rel32 for the call at cave+44 (operand at cave+45).
            + calculate_call_address(0x41E120 - newmem_autoCar - 0x31)
            + b"\x8b\xf0\x56\x8b\xc7\xe8"
            # rel32 for the call at cave+54 (operand at cave+55).
            + calculate_call_address(0x00458000 - newmem_autoCar - 0x3B)
            + b"\xb8\x00\x00\xa8\xc1\x89\x46\x08\x83\xc7\x01\x83\xc3\x04\x83"
            b"\xff\x06\x7c\xb9\x9d\x61\xc3"
        )
        data.PVZ_memory.write_bytes(newmem_autoCar, byte_data, 81)
    else:
        data.PVZ_memory.write_bytes(0x458D99, b"\xc3\xcc\xcc\xcc\xcc", 5)
        # process_handle = pymem.process.open(pid[1])
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_autoCar)
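def setPausePro(f):
    """Set (f truthy) or clear (f falsy) the one-byte pause flag that
    `pauseProKey` allocated at the global `newmem_pauseFlag`.

    Args:
        f: truthy writes 1, falsy writes 0.

    The call is a best-effort no-op when the flag was never allocated
    (NameError) or the process write fails. Only `Exception` subclasses are
    swallowed — the original used a bare `except:`, which also hid
    KeyboardInterrupt and SystemExit.
    """
    global newmem_pauseFlag
    value = b"\x01" if f else b"\x00"
    try:
        if not f:
            # Kept from the original: echo the flag's previous state.
            print(data.PVZ_memory.read_bool(newmem_pauseFlag))
        data.PVZ_memory.write_bytes(newmem_pauseFlag, value, 1)
    except Exception:
        pass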
def pauseProKey(key, r, g, b, a):
    """Install three hooks that implement a key-toggled "pause" with a fading
    overlay, or remove them.

    Args:
        key: key name looked up in `data.keyCode`; `False` removes the hooks.
        r, g, b, a: colour written to [edi+0x30..0x3C] before the overlay draw.

    Hooks (enable path):
      * 0x0041B29B (key handler): re-executes `push edx; call 0x0051C5A0`, then
        toggles the flag byte at `newmem_pauseFlag` when edi == keyCode[key].
      * 0x00415DF0 (game update): ramps `newmem_drawTime` up by 24 per tick
        (capped at 1000) while the flag is set, down by 32 (floored at 0)
        otherwise, and while drawTime > 0 calls three routines and leaves the
        hooked function through what looks like its own epilogue.
      * 0x0041AABE (draw): while drawTime > 0 draws the overlay at (400, 300)
        and runs a 94-byte pre-assembled blob before continuing.

    NOTE(review): the disable path frees `newmem_pauseProKey`, `newmem_pause`
    and `newmem_draw` but never `newmem_drawTime` or `newmem_pauseFlag`, and
    the caves referencing them are freed while those two stay allocated.
    Each enable call allocates fresh caves without freeing the previous ones.
    The `print(hex(...))` lines are debug output.
    """
    global newmem_pauseProKey
    global newmem_drawTime
    global newmem_pause
    global newmem_pauseFlag
    global newmem_draw
    if key is not False:
        newmem_pauseProKey = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 64
        )
        print(hex(newmem_pauseProKey))
        newmem_pause = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 128)
        print(hex(newmem_pause))
        newmem_draw = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 256)
        print(hex(newmem_draw))
        # 4-byte counter driving the overlay fade.
        newmem_drawTime = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 4
        )
        print(hex(newmem_drawTime))
        # 1-byte toggle; the caves below read it with dword-sized compares,
        # which relies on the allocator handing out at least a 4-byte region.
        newmem_pauseFlag = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 1
        )
        print(hex(newmem_pauseFlag))
        # --- key hook cave -------------------------------------------------
        shell_code_key = asm.Asm(newmem_pauseProKey)
        # Displaced instructions: push edx; call 0x0051C5A0.
        shell_code_key.push_exx(asm.EDX)
        shell_code_key.call(0x0051C5A0)
        # edi holds the key code here; skip the 7-byte xor unless it matches.
        shell_code_key.cmp_exx_byte(asm.EDI, data.keyCode[key])
        shell_code_key.jne_short_offset(7)
        shell_code_key.xor_dword_ptr_address_val(newmem_pauseFlag, 1)
        shell_code_key.jmp(0x0041B2A1)
        data.PVZ_memory.write_bytes(
            newmem_pauseProKey,
            bytes(shell_code_key.code[: shell_code_key.index]),
            shell_code_key.index,
        )
        data.PVZ_memory.write_bytes(
            0x0041B29B,
            b"\xe9" + calculate_call_address(newmem_pauseProKey - 0x0041B2A0) + b"\x90",
            6,
        )
        # --- update hook cave ---------------------------------------------
        # Jump offsets below are hand-computed against the emitted encodings.
        pause_key = asm.Asm(newmem_pause)
        pause_key.cmp_dword_ptr_address_byte(newmem_pauseFlag, 1)
        pause_key.jne_short_offset(0x1F)
        # Flag set: drawTime += 24, clamp to 1000.
        pause_key.add_dword_ptr_address_byte(newmem_drawTime, 24)
        pause_key.cmp_dword_ptr_address_dword(newmem_drawTime, 1000)
        pause_key.jl_offset(0x29)
        pause_key.mov_dword_ptr_dword(newmem_drawTime, 1000)
        pause_key.jmp_short_offset(0x1D)
        # Flag clear: drawTime -= 32, clamp to 0.
        pause_key.sub_dword_ptr_address_byte(newmem_drawTime, 32)
        pause_key.cmp_dword_ptr_address_dword(newmem_drawTime, 0)
        pause_key.jg_offset(0x0A)
        pause_key.mov_dword_ptr_dword(newmem_drawTime, 0)
        # drawTime <= 0: run the displaced compare and resume normally.
        pause_key.cmp_dword_ptr_address_dword(newmem_drawTime, 0)
        pause_key.jle_offset(0x45)
        pause_key.pushad()
        pause_key.mov_exx_dword_ptr_eyy_add_dword(asm.ESI, asm.EBP, 0x148)
        pause_key.call(0x00448330)
        pause_key.mov_exx_dword_ptr_eyy_add_dword(asm.EDI, asm.EBP, 0x13C)
        pause_key.call(0x00438DA0)
        pause_key.mov_exx_dword_ptr_eyy_add_dword(asm.ESI, asm.EBP, 0x138)
        pause_key.call(0x00438780)
        pause_key.popad()
        # Appears to replicate the hooked function's epilogue (restore the
        # fs:[0] handler, release 0x110 stack bytes, ret) — confirm.
        pause_key.mov_exx_dword_ptr_eyy_add_dword(asm.EDX, asm.EBP, 0x13C)
        pause_key.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EBP, 0x138)
        pause_key.pop_exx(asm.EBP)
        pause_key.mov_exx_dword_ptr_eyy_add_dword(asm.ECX, asm.ESP, 0x104)
        pause_key.mov_fs_offset_exx(0, asm.ECX)
        pause_key.add_exx_dword(asm.ESP, 0x110)
        pause_key.ret()
        # Replacement for the displaced `or byte [ebp+0x164],0` test.
        pause_key.cmp_dword_ptr_exx_add_dword_byte(asm.EBP, 0x164, 1)
        pause_key.je(0x00415DF9)
        pause_key.jmp(0x00415E2E)
        data.PVZ_memory.write_bytes(
            newmem_pause, bytes(pause_key.code[: pause_key.index]), pause_key.index
        )
        data.PVZ_memory.write_bytes(
            0x00415DF0,
            b"\xe9" + calculate_call_address(newmem_pause - 0x00415DF5) + b"\x90\x90",
            7,
        )
        # --- draw hook cave -----------------------------------------------
        shellcode_draw = asm.Asm(newmem_draw)
        shellcode_draw.cmp_dword_ptr_address_byte(newmem_drawTime, 0)
        shellcode_draw.jng_dword_offset(0xB3)
        shellcode_draw.pushad()
        shellcode_draw.mov_exx_dword_ptr(asm.EAX, newmem_drawTime)
        # Colour for the overlay (same [edi+0x30..0x3C] slots as bossHPDraw).
        shellcode_draw.mov_ptr_exx_add_byte_dword(asm.EDI, 0x30, r)
        shellcode_draw.mov_ptr_exx_add_byte_dword(asm.EDI, 0x34, g)
        shellcode_draw.mov_ptr_exx_add_byte_dword(asm.EDI, 0x38, b)
        shellcode_draw.mov_ptr_exx_add_byte_dword(asm.EDI, 0x3C, a)
        shellcode_draw.push_exx(asm.EAX)
        shellcode_draw.push_dword(300)
        shellcode_draw.push_dword(400)
        shellcode_draw.mov_exx_eyy(asm.EAX, asm.EDI)
        shellcode_draw.call_dword_offset(6)
        shellcode_draw.popad()
        shellcode_draw.jmp_dword_offset(0x78)
        shellcode_draw.pushad()
        # 94 bytes of pre-assembled code spliced directly into the buffer
        # (not decoded here); `index` is advanced by hand to match.
        shellcode_draw.code[shellcode_draw.index : shellcode_draw.index + 94] = (
            b"\x8b\xf0\x8b\x44\x24\x24\x8b\x5c\x24\x28\x8b\x4c\x24\x2c\x8d\x2c\x4d\x00\x00\x00\x00\x31\xd2\xdb\x44\x24\x2c\xd8\xc8\xd9\x5c\x24\xfc\x8b\x4c\x24\x2c\x29\xd1\x89\x4c\x24\xf8\xdb\x44\x24\xf8\xd8\xc8\xd9\x5c\x24\xf8\xd9\x44\x24\xfc\xd8\x64\x24\xf8\xd9\xfa\xdb\x5c\x24\xfc\x8b\x44\x24\xfc\x8d\x1c\x45\x00\x00\x00\x00\x8b\x4c\x24\x24\x29\xc1\x8b\x7c\x24\x28\x2b\x7c\x24\x2c\x01\xd7"
        )
        shellcode_draw.index += 94
        shellcode_draw.pushad()
        shellcode_draw.push_byte(1)
        shellcode_draw.push_exx(asm.EBX)
        shellcode_draw.push_exx(asm.EDI)
        shellcode_draw.push_exx(asm.ECX)
        shellcode_draw.mov_exx_eyy(asm.EAX, asm.ESI)
        shellcode_draw.call(0x00586D50)
        shellcode_draw.popad()
        shellcode_draw.add_exx_byte(asm.EDX, 1)
        shellcode_draw.cmp_exx_eyy(asm.EDX, asm.EBP)
        shellcode_draw.jle_offset(0xA4)
        shellcode_draw.popad()
        shellcode_draw.ret_word(0xC)
        # Displaced `cmp dword [ebp+0x5748],0`, then resume after the hook.
        shellcode_draw.cmp_dword_ptr_exx_add_dword_byte(asm.EBP, 0x5748, 0)
        shellcode_draw.jmp(0x0041AAC5)
        data.PVZ_memory.write_bytes(
            newmem_draw,
            bytes(shellcode_draw.code[: shellcode_draw.index]),
            shellcode_draw.index,
        )
        data.PVZ_memory.write_bytes(
            0x0041AABE,
            b"\xe9" + calculate_call_address(newmem_draw - 0x0041AAC3) + b"\x90\x90",
            7,
        )
    else:
        # Original bytes: push edx; call 0x0051C5A0.
        data.PVZ_memory.write_bytes(0x0041B29B, b"\x52\xe8\xff\x12\x10\x00", 6)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_pauseProKey)
        # Original bytes: or byte ptr [ebp+0x164],0.
        data.PVZ_memory.write_bytes(0x00415DF0, b"\x80\x8d\x64\x01\x00\x00\x00", 7)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_pause)
        # Original bytes: cmp dword ptr [ebp+0x5748],0.
        data.PVZ_memory.write_bytes(0x0041AABE, b"\x83\xbd\x48\x57\x00\x00\x00", 7)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_draw)
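def creatSpecialEffects(id, x, y):
    """Spawn effect `id` at (x, y) by calling 0x00518A70 inside the game with
    the arguments x, y, 400000, id pushed (in that cdecl order) and
    esi = **(0x006A9EC0 + 0x820).

    Args:
        id: effect id, pushed as an 8-bit immediate.
        x, y: position, pushed as floats.

    Fix: `creat_asm` previously pushed the enclosing function's `x`/`y`
    through the closure while reading `id` from `self`; it now uses
    `self.x`/`self.y` consistently so the holder object is self-contained.
    """

    class specialEffects:
        def __init__(self, id, x, y):
            self.id = id
            self.x = x
            self.y = y

        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            code.push_byte(self.id)
            code.push_dword(400000)
            code.push_float(self.y)
            code.push_float(self.x)
            # esi = **(0x006A9EC0 + 0x820)
            code.mov_exx_dword_ptr(asm.ESI, 0x006A9EC0)
            code.mov_exx_dword_ptr_eyy_add_dword(asm.ESI, asm.ESI, 0x820)
            code.mov_exx_dword_ptr_eyy(asm.ESI, asm.ESI)
            code.call(0x00518A70)
            return code

    asm.runThread(specialEffects(id, x, y))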
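def morph_all_plant():
    """Re-plant every living plant on the board as a randomly chosen type.

    Walks the plant array (*(base + 0x768) is the board, board + 0xAC the
    array pointer, board + 0xBC the live count; slots are 0x204 bytes and byte
    0x141 == 0 marks a live plant), then for each live plant calls
    `putPlant(row, col, randomType)` and `p.setExist(True)`.

    Returns None. Returns early, without touching the game, when the board
    cannot be read (no process attached) or when `data.PVZ_version` is neither
    2.0 nor 2.1 — the original raised UnboundLocalError on the first plant in
    that case. The stray `print(1)` debug output is dropped.

    NOTE(review): the slot walk stops only after `plant_num` live plants are
    found; if fewer slots are alive it never terminates (same as the
    original). The array pointer is read once; this assumes the game does not
    reallocate the plant array while the walk runs — confirm.
    """
    # Inclusive upper bound of the random roll per game version.
    max_type = {2.1: 102, 2.0: 96}.get(data.PVZ_version)
    if max_type is None:
        return
    # Rolls the author remaps after the +27 shift (reason not documented).
    remap = {118: 123, 11: 123, 45: 123, 110: 38, 105: 21, 108: 10, 112: 43, 113: 78}
    try:
        board = data.PVZ_memory.read_int(
            data.PVZ_memory.read_int(data.baseAddress) + 0x768
        )
        plant_num = data.PVZ_memory.read_int(board + 0xBC)
        plant_array = data.PVZ_memory.read_int(board + 0xAC)
    except Exception:
        return
    live_plants = []
    slot = 0
    while len(live_plants) < plant_num:
        plant_address = plant_array + 0x204 * slot
        if data.PVZ_memory.read_bytes(plant_address + 0x141, 1) == b"\x00":
            live_plants.append(data.plant(plant_address))
        slot += 1
    for p in live_plants:
        plantType = random.randint(0, max_type)
        # Rolls of 48 and above are shifted by 27, so ids 48..74 never occur.
        if plantType >= 48:
            plantType += 27
        plantType = remap.get(plantType, plantType)
        putPlant(p.row, p.col, plantType)
        p.setExist(True)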
def plantInvincible(f):
    """Apply (f truthy) or revert (f falsy) every plant-invulnerability patch:
    explode, burn, bite, crush, hit and steal, in that order."""
    toggles = (
        PlantsConotExplodeDeath,
        PlantConnotBurnedDeath,
        PlantConnotBitedDeath,
        PlantConnotCrushedDeath,
        PlantConnotHitedDeath,
        PlantConnotStolen,
    )
    for toggle in toggles:
        toggle(f)
def PlantsConotExplodeDeath(f):
    """Presumably makes plants survive explosions: at 0x0041CC2F replace the
    `je` opcode (0x74) with `jmp short` (0xEB) when f is truthy, restore 0x74
    when falsy."""
    opcode = b"\xeb" if f else b"\x74"
    data.PVZ_memory.write_bytes(0x0041CC2F, opcode, 1)
def PlantConnotBurnedDeath(f):
    """Presumably makes plants survive burning: at 0x005276EA replace the
    `jne` opcode (0x75) with `jmp short` (0xEB) when f is truthy, restore
    0x75 when falsy."""
    opcode = b"\xeb" if f else b"\x75"
    data.PVZ_memory.write_bytes(0x005276EA, opcode, 1)
def PlantConnotBitedDeath(f):
    """Presumably makes plants survive being eaten: write 0x00 at 0x0052FCF3
    when f is truthy, restore the original 0xFC when falsy (single operand
    byte; not decoded here)."""
    value = b"\x00" if f else b"\xfc"
    data.PVZ_memory.write_bytes(0x0052FCF3, value, 1)
def PlantConnotCrushedDeath(f):
    """Presumably makes plants survive being crushed: at 0x0052E93B replace
    the `je` opcode (0x74) with `jmp short` (0xEB) when f is truthy, restore
    0x74 when falsy."""
    opcode = b"\xeb" if f else b"\x74"
    data.PVZ_memory.write_bytes(0x0052E93B, opcode, 1)
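def PlantConnotHitedDeath(f):
    """Presumably makes plants ignore hit damage: NOP out (f truthy) or restore
    (f falsy) the 3-byte `sub [eax+0x40], edx` (29 50 40) at 0x0046CFEB,
    0x0046D7A6 and one version-specific site (2.1: 0x008AD752,
    2.0: 0x0084F15D; no version site for other versions).

    Fix: the original wrote 0x0046CFEB a second time at the end of each
    branch; the redundant write is dropped (same bytes, one fewer write).
    """
    patch = b"\x90\x90\x90" if f else b"\x29\x50\x40"
    targets = [0x0046CFEB, 0x0046D7A6]
    version_site = {2.1: 0x008AD752, 2.0: 0x0084F15D}.get(data.PVZ_version)
    if version_site is not None:
        targets.append(version_site)
    for address in targets:
        data.PVZ_memory.write_bytes(address, patch, 3)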
def PlantConnotStolen(f):
    """Presumably stops plants being stolen: at 0x00524D33 replace the `je`
    opcode (0x74) with `jmp short` (0xEB) when f is truthy, restore 0x74 when
    falsy."""
    opcode = b"\xeb" if f else b"\x74"
    data.PVZ_memory.write_bytes(0x00524D33, opcode, 1)
def fogDraw(f):
    """Patch the 2-byte conditional jump that gates fog drawing: `jo` (0F 80)
    when f is truthy, `je` (0F 84) when falsy. The site depends on the game
    version (2.0: 0x0086E521, 2.1: 0x008A7821); other versions are untouched.
    """
    sites = {2.0: 0x0086E521, 2.1: 0x008A7821}
    site = sites.get(data.PVZ_version)
    if site is None:
        return
    opcode = b"\x0f\x80" if f else b"\x0f\x84"
    data.PVZ_memory.write_bytes(site, opcode, 2)
def invisibleDraw(f):
    """Patch the 1-byte conditional jump that gates drawing of invisible
    zombies: `jo` (0x70) when f is truthy, `je` (0x74) when falsy. The site
    depends on the game version (2.0: 0x0086E56C, 2.1: 0x008A786C); other
    versions are untouched.
    """
    sites = {2.0: 0x0086E56C, 2.1: 0x008A786C}
    site = sites.get(data.PVZ_version)
    if site is None:
        return
    opcode = b"\x70" if f else b"\x74"
    data.PVZ_memory.write_bytes(site, opcode, 1)
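def bossHPDraw(f):
    """Install (f truthy) or remove (f falsy) two hooks that print a per-zombie
    HP line on screen.

    The original duplicated a ~95-line body for versions 2.0 and 2.1 that
    differed only in two hook addresses; the addresses are now looked up once.
    Each hook site is 6 bytes (jmp rel32 + nop) and its continuation is
    site + 6; the rel32 is computed against site + 5 (end of the jmp).

      * reset hook (2.0: 0x0086E54D, 2.1: 0x008A784D): zeroes the counter at
        `newmem_bossNum`, re-executes the displaced `mov edx,[edx+0x768]`
        (8B 92 68 07 00 00) and jumps to site + 6.
      * draw hook (2.0: 0x0086E566, 2.1: 0x008A7866): replaces `je ...; cmp
        byte [ebx+0x18],0` (74 EB 80 7B 18 00). When the branch is taken it
        formats [ebx+0xC8] through 0x5B0280 into the cave, appends it to the
        string object at 0x00700B00 (0x00404300), increments the counter and
        draws at x=640, y=250 + 20*counter via 0x00587120 with
        r=0xFF,g=0,b=0,a=0xFF in [edi+0x30..0x3C]; the `je` target happens to
        equal reset site + 6, which is where that path jumps. Otherwise it
        re-executes the displaced `cmp` and jumps to draw site + 6.

    Unknown versions do nothing. NOTE(review): disabling frees globals set
    by a previous enable (NameError otherwise); re-enabling without disabling
    leaks the previous caves. The 10 trailing bytes appear to be a GBK label
    ending in ':' plus NUL, referenced at cave + 0xA4/0xA9 — confirm.
    """
    global newmem_resetBossNum
    global newmem_bossNum
    global newmem_bossHPDraw
    # version -> (reset hook site, draw hook site)
    hook_sites = {2.0: (0x0086E54D, 0x0086E566), 2.1: (0x008A784D, 0x008A7866)}
    if data.PVZ_version not in hook_sites:
        return
    reset_hook, draw_hook = hook_sites[data.PVZ_version]
    if f:
        newmem_resetBossNum = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 64
        )
        newmem_bossNum = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 4
        )
        newmem_bossHPDraw = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 512
        )
        # --- reset cave -----------------------------------------------------
        resetBossNumcode = asm.Asm(newmem_resetBossNum)
        resetBossNumcode.mov_dword_ptr_dword(newmem_bossNum, 0)
        resetBossNumcode.mov_exx_dword_ptr_eyy_add_dword(asm.EDX, asm.EDX, 0x768)
        resetBossNumcode.jmp(reset_hook + 6)
        data.PVZ_memory.write_bytes(
            newmem_resetBossNum,
            bytes(resetBossNumcode.code[: resetBossNumcode.index]),
            resetBossNumcode.index,
        )
        data.PVZ_memory.write_bytes(
            reset_hook,
            b"\xe9"
            + calculate_call_address(newmem_resetBossNum - (reset_hook + 5))
            + b"\x90",
            6,
        )
        # --- draw cave ------------------------------------------------------
        bossHPDrawcode = asm.Asm(newmem_bossHPDraw)
        # Inverted form of the displaced `je`: skip to the tail unless taken.
        bossHPDrawcode.jne_long_offset(0x95)
        bossHPDrawcode.push_exx(asm.EAX)
        bossHPDrawcode.mov_exx(asm.EAX, 0)
        bossHPDrawcode.add_exx_ptr_dword(asm.EAX, 0x00700104)
        bossHPDrawcode.sub_exx_ptr_dword(asm.EAX, 0x00700100)
        bossHPDrawcode.mov_dword_ptr_exx(0x00700B40, asm.EAX)
        bossHPDrawcode.pop_exx(asm.EAX)
        bossHPDrawcode.pushad()
        bossHPDrawcode.pushad()
        # Format [ebx+0xC8] into the cave buffer at +0xA9.
        bossHPDrawcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EBX, 0xC8)
        bossHPDrawcode.mov_exx_eyy(asm.ECX, asm.EAX)
        bossHPDrawcode.lea_exx_dword_ptr(asm.EDX, newmem_bossHPDraw + 0xA9)
        bossHPDrawcode.call(0x5B0280)
        bossHPDrawcode.popad()
        # Append the label (cave + 0xA4) to the string object at 0x00700B00.
        bossHPDrawcode.push_dword(newmem_bossHPDraw + 0xA4)
        bossHPDrawcode.mov_exx(asm.ECX, 0x00700B00)
        bossHPDrawcode.call(0x00404300)
        bossHPDrawcode.popad()
        bossHPDrawcode.pushad()
        # counter += 1; y = 250 + 20 * counter
        bossHPDrawcode.mov_exx_dword_ptr(asm.EAX, newmem_bossNum)
        bossHPDrawcode.inc_exx(asm.EAX)
        bossHPDrawcode.mov_dword_ptr_exx(newmem_bossNum, asm.EAX)
        bossHPDrawcode.mov_exx_eyy(asm.EBX, asm.EAX)
        bossHPDrawcode.mov_exx_eyy(asm.EDX, asm.EBX)
        bossHPDrawcode.imul_exx_eyy_byte(asm.EDX, asm.EDX, 20)
        bossHPDrawcode.add_exx_dword(asm.EDX, 250)
        bossHPDrawcode.push_exx(asm.EDX)
        bossHPDrawcode.push_dword(640)
        bossHPDrawcode.push_dword(0x00700B00)
        bossHPDrawcode.mov_exx_eyy(asm.EAX, asm.EDI)
        bossHPDrawcode.mov_exx_dword_ptr(asm.EBX, 0x006A7314)
        bossHPDrawcode.mov_ptr_exx_add_byte_eyy(asm.EDI, 0x40, asm.EBX)
        bossHPDrawcode.mov_ptr_exx_add_byte_dword(asm.EDI, 0x30, 0xFF)
        bossHPDrawcode.mov_ptr_exx_add_byte_dword(asm.EDI, 0x34, 0x00)
        bossHPDrawcode.mov_ptr_exx_add_byte_dword(asm.EDI, 0x38, 0x00)
        bossHPDrawcode.mov_ptr_exx_add_byte_dword(asm.EDI, 0x3C, 0xFF)
        bossHPDrawcode.call(0x00587120)
        bossHPDrawcode.popad()
        bossHPDrawcode.jmp(reset_hook + 6)
        # Tail: displaced `cmp byte [ebx+0x18],0`, then resume after the hook.
        bossHPDrawcode.cmp_byte_ptr_exx_add_byte_byte(asm.EBX, 0x18, 0)
        bossHPDrawcode.jmp(draw_hook + 6)
        # Label bytes (GBK text + ':' + NUL) stored inside the cave.
        for label_byte in (0xBD, 0xA9, 0xCD, 0xF5, 0xD1, 0xAA, 0xC1, 0xBF, 0x3A, 0x00):
            bossHPDrawcode.add_byte(label_byte)
        data.PVZ_memory.write_bytes(
            newmem_bossHPDraw,
            bytes(bossHPDrawcode.code[: bossHPDrawcode.index]),
            bossHPDrawcode.index,
        )
        data.PVZ_memory.write_bytes(
            draw_hook,
            b"\xe9"
            + calculate_call_address(newmem_bossHPDraw - (draw_hook + 5))
            + b"\x90",
            6,
        )
    else:
        # Original bytes: mov edx,[edx+0x768].
        data.PVZ_memory.write_bytes(reset_hook, b"\x8b\x92\x68\x07\x00\x00", 6)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_resetBossNum)
        # Original bytes: je rel8; cmp byte ptr [ebx+0x18],0.
        data.PVZ_memory.write_bytes(draw_hook, b"\x74\xeb\x80\x7b\x18\x00", 6)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_bossHPDraw)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_bossNum)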
def spawisModified():
    """Show an on-screen notice that zombie spawning has been modified, or
    remove it.

    Takes no arguments: the decision is made from the globals
    `newmem_modifySpawNum`, `newmem_globalSpawModify` and
    `newmem_modifySpawMultiplier` — if any is not None a hook is installed
    at 0x00417DC0 (9 bytes: jmp rel32 + 4 nops) that appends the label stored
    at cave + 0x79 to the string object at 0x00700B00 and draws it at
    (720, 550) with r=0x66,g=0xCC,b=0xFF,a=0xFF, then re-executes the
    displaced `push edi; mov dword [esp+0x7C],0xF` and resumes at 0x00417DC9.

    NOTE(review): every visible caller invokes this from an enable path, so
    each call allocates a fresh 256-byte cave and re-points the hook at it
    without freeing the previous cave (leak). The else branch frees
    `newmem_spawisModified`, which raises NameError if it was never set; the
    disable paths of the callers never reset their globals to None, so once
    any feature has been enabled this condition stays true.
    """
    global newmem_spawisModified
    if (
        newmem_modifySpawNum is not None
        or newmem_globalSpawModify is not None
        or newmem_modifySpawMultiplier is not None
    ):
        newmem_spawisModified = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 256
        )
        shellcode = asm.Asm(newmem_spawisModified)
        shellcode.push_exx(asm.EAX)
        shellcode.mov_exx(asm.EAX, 0)
        shellcode.add_exx_ptr_dword(asm.EAX, 0x00700104)
        shellcode.sub_exx_ptr_dword(asm.EAX, 0x00700100)
        shellcode.mov_dword_ptr_exx(0x00700B40, asm.EAX)
        shellcode.pop_exx(asm.EAX)
        shellcode.pushad()
        # Append the label at cave + 0x79 (the add_byte run below) to the
        # string object at 0x00700B00; 0x79 is hand-computed for this layout.
        shellcode.push_dword(newmem_spawisModified + 0x79)
        shellcode.mov_exx(asm.ECX, 0x00700B00)
        shellcode.call(0x00404300)
        shellcode.popad()
        shellcode.pushad()
        # Draw the string at x=720, y=550 (same [edi+0x30..0x3C] colour slots
        # as the other draw hooks).
        shellcode.push_dword(550)
        shellcode.push_dword(720)
        shellcode.push_dword(0x00700B00)
        shellcode.mov_exx_eyy(asm.EAX, asm.EDI)
        shellcode.mov_exx_dword_ptr(asm.EBX, 0x006A7314)
        shellcode.mov_ptr_exx_add_byte_eyy(asm.EDI, 0x40, asm.EBX)
        shellcode.mov_ptr_exx_add_byte_dword(asm.EDI, 0x30, 0x66)
        shellcode.mov_ptr_exx_add_byte_dword(asm.EDI, 0x34, 0xCC)
        shellcode.mov_ptr_exx_add_byte_dword(asm.EDI, 0x38, 0xFF)
        shellcode.mov_ptr_exx_add_byte_dword(asm.EDI, 0x3C, 0xFF)
        shellcode.call(0x00587120)
        shellcode.popad()
        # Zero-displacement jump (falls through to the next instruction).
        shellcode.jmp_dword_offset(0)
        # Displaced instructions: push edi; mov dword [esp+0x7C],0xF.
        shellcode.push_exx(asm.EDI)
        shellcode.mov_ptr_exx_add_byte_dword(asm.ESP, 0x7C, 0xF)
        shellcode.jmp(0x00417DC9)
        # Label bytes (appear to be GBK text, NUL-terminated) at cave + 0x79.
        shellcode.add_byte(0xB9)
        shellcode.add_byte(0xD8)
        shellcode.add_byte(0xBF)
        shellcode.add_byte(0xA8)
        shellcode.add_byte(0xB3)
        shellcode.add_byte(0xF6)
        shellcode.add_byte(0xB9)
        shellcode.add_byte(0xD6)
        shellcode.add_byte(0xD2)
        shellcode.add_byte(0xD1)
        shellcode.add_byte(0xB8)
        shellcode.add_byte(0xFC)
        shellcode.add_byte(0xB8)
        shellcode.add_byte(0xC4)
        shellcode.add_byte(0x00)
        data.PVZ_memory.write_bytes(
            newmem_spawisModified,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # jmp rel32 (relative to 0x00417DC5) + 4 nops covers the 9 displaced bytes.
        data.PVZ_memory.write_bytes(
            0x00417DC0,
            b"\xe9"
            + calculate_call_address(newmem_spawisModified - 0x00417DC5)
            + b"\x90\x90\x90\x90",
            9,
        )
    else:
        # Original bytes: push edi; mov dword ptr [esp+0x7C],0xF.
        data.PVZ_memory.write_bytes(
            0x00417DC0, b"\x57\xc7\x44\x24\x7c\x0f\x00\x00\x00", 9
        )
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_spawisModified)
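def clearPlants():
    """Mark every living plant on the board as removed by writing 1 to byte
    0x141 of each live plant slot.

    Layout (same walk as `morph_all_plant`): *(base + 0x768) is the board,
    board + 0xAC the plant array, board + 0xBC the live count; slots are
    0x204 bytes and byte 0x141 == 0 marks a live plant.

    Returns None; returns early without writing if the board cannot be read.
    The array pointer is read once instead of three times per slot, which
    assumes the game does not reallocate the plant array during the walk —
    confirm. NOTE(review): as in the original, the walk only stops after
    `plant_num` live slots were seen and does not terminate if fewer exist.
    """
    try:
        board = data.PVZ_memory.read_int(
            data.PVZ_memory.read_int(data.baseAddress) + 0x768
        )
        plant_num = data.PVZ_memory.read_int(board + 0xBC)
        plant_array = data.PVZ_memory.read_int(board + 0xAC)
    except Exception:
        return
    cleared = 0
    slot = 0
    while cleared < plant_num:
        plant_address = plant_array + 0x204 * slot
        if data.PVZ_memory.read_bytes(plant_address + 0x141, 1) == b"\x00":
            data.PVZ_memory.write_bytes(plant_address + 0x141, b"\x01", 1)
            cleared += 1
        slot += 1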
def modifySpawNum(f, num):
    """Hook 0x0043A254 so the game reads a fixed zombie count instead of its
    own: the cave stores `num * 10` to [eax+0x5564], re-executes the
    displaced `mov ecx,[eax+0x5564]` and resumes at 0x0043A25A; then the
    "spawning modified" notice is installed via `spawisModified()`.

    Args:
        f: truthy installs the hook, falsy restores the 6 original bytes and
           frees the cave (NameError if never allocated).
        num: value stored times 10.

    NOTE(review): the original left `newmem_modifySpawNum = None` commented
    out at the end of the disable path; since the global keeps its stale
    value, `spawisModified()` still treats this feature as active afterwards.
    """
    global newmem_modifySpawNum
    hook_site = 0x0043A254
    if not f:
        # Original bytes: mov ecx,[eax+0x5564].
        data.PVZ_memory.write_bytes(hook_site, b"\x8b\x88\x64\x55\x00\x00", 6)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_modifySpawNum)
        return
    newmem_modifySpawNum = pymem.memory.allocate_memory(
        data.PVZ_memory.process_handle, 256
    )
    cave = asm.Asm(newmem_modifySpawNum)
    cave.mov_ptr_exx_add_dword_dword(asm.EAX, 0x5564, num * 10)
    cave.mov_exx_dword_ptr_eyy_add_dword(asm.ECX, asm.EAX, 0x5564)
    cave.jmp(0x0043A25A)
    emitted = bytes(cave.code[: cave.index])
    data.PVZ_memory.write_bytes(newmem_modifySpawNum, emitted, cave.index)
    # jmp rel32 relative to 0x0043A259 (end of the jmp) + nop.
    detour = b"\xe9" + calculate_call_address(newmem_modifySpawNum - 0x0043A259) + b"\x90"
    data.PVZ_memory.write_bytes(hook_site, detour, 6)
    spawisModified()
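def modifySpawMultiplier(f, mult):
    """Hook 0x00409893 so the game uses `mult` as its spawn multiplier: the
    cave stores `mult` to [esp+0x24] and jumps to 0x00409968, then the
    "spawning modified" notice is installed via `spawisModified()`.

    Args:
        f: truthy installs the hook; falsy restores the original 6 bytes
           (a version-specific `jmp rel32; nop`) and frees the cave
           (NameError if never allocated).
        mult: value stored to [esp+0x24].

    The original duplicated the whole body per version although only the
    restore bytes differ (2.0: E9 68 37 46 00 90, 2.1: E9 68 6B 42 00 90);
    unknown versions do nothing, as before. `divzero(1)` and
    `unlimitedMonsterSpawning(1)` are still called unconditionally first —
    including on the disable path — as in the original.
    """
    divzero(1)
    unlimitedMonsterSpawning(1)
    global newmem_modifySpawMultiplier
    hook_site = 0x00409893
    original_bytes = {
        2.0: b"\xe9\x68\x37\x46\x00\x90",
        2.1: b"\xe9\x68\x6b\x42\x00\x90",
    }.get(data.PVZ_version)
    if original_bytes is None:
        return
    if f:
        newmem_modifySpawMultiplier = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 256
        )
        shellcode = asm.Asm(newmem_modifySpawMultiplier)
        shellcode.mov_ptr_exx_add_byte_dword(asm.ESP, 0x24, mult)
        shellcode.jmp(0x00409968)
        data.PVZ_memory.write_bytes(
            newmem_modifySpawMultiplier,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # jmp rel32 relative to hook_site + 5 (end of the jmp) + nop.
        data.PVZ_memory.write_bytes(
            hook_site,
            b"\xe9"
            + calculate_call_address(newmem_modifySpawMultiplier - (hook_site + 5))
            + b"\x90",
            6,
        )
        spawisModified()
    else:
        data.PVZ_memory.write_bytes(hook_site, original_bytes, 6)
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_modifySpawMultiplier
        )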
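def globalSpawModify(f, zombieTypes):
    """Force the set of zombie types the level may spawn.

    Args:
        f: truthy installs the hook and two supporting byte patches; falsy
           restores all three sites and frees the cave (NameError if never
           allocated).
        zombieTypes: collection tested with `str(i) in zombieTypes` for
           i in 0..41; types present get byte [edx+0x57D4+i] = 1, the rest 0.
           NOTE(review): if a plain string is passed, `in` does substring
           matching ("1" in "12") — presumably a list/set of strings is
           expected; confirm at the call site.

    The original duplicated the body per version; only the hook site
    (2.0: 0x00820CFF, 2.1: 0x0082401F) and the restore bytes at 0x0042584E
    differ, so they are looked up once. Unknown versions do nothing, as
    before. `divzero(1)` and `unlimitedMonsterSpawning(1)` are still called
    unconditionally first, as in the original.
    """
    divzero(1)
    unlimitedMonsterSpawning(1)
    global newmem_globalSpawModify
    # version -> (hook site, original 5 bytes at 0x0042584E)
    per_version = {
        2.0: (0x00820CFF, b"\xe9\xed\x9f\x42\x00"),
        2.1: (0x0082401F, b"\xe9\xad\xaa\x48\x00"),
    }
    if data.PVZ_version not in per_version:
        return
    hook_site, original_jmp = per_version[data.PVZ_version]
    if f:
        data.PVZ_memory.write_bytes(0x00425855, b"\xeb", 1)
        data.PVZ_memory.write_bytes(0x0042584E, b"\x90\x90\x90\x90\x90", 5)
        newmem_globalSpawModify = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 256
        )
        shellcode = asm.Asm(newmem_globalSpawModify)
        for i in range(0, 42):
            allowed = 1 if str(i) in zombieTypes else 0
            shellcode.mov_byte_ptr_exx_add_dword_byte(asm.EDX, 0x57D4 + i, allowed)
        shellcode.jmp(0x00425D1D)
        data.PVZ_memory.write_bytes(
            newmem_globalSpawModify,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # jmp rel32 relative to hook_site + 5 (end of the jmp) + nop.
        data.PVZ_memory.write_bytes(
            hook_site,
            b"\xe9"
            + calculate_call_address(newmem_globalSpawModify - (hook_site + 5))
            + b"\x90",
            6,
        )
        spawisModified()
    else:
        data.PVZ_memory.write_bytes(0x00425855, b"\x7f", 1)
        data.PVZ_memory.write_bytes(0x0042584E, original_jmp, 5)
        # Original bytes at the hook: jne rel32 (+0x21).
        data.PVZ_memory.write_bytes(hook_site, b"\x0f\x85\x21\x00\x00\x00", 6)
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_globalSpawModify
        )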
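def changeZombieHead(f, zombieType):
    """Install (f truthy) or remove (f falsy) two hooks that swap the head
    graphic of zombies of type `zombieType`.

    Args:
        f: truthy installs; falsy restores both sites and frees both caves
           (NameError if they were never allocated).
        zombieType: zombie type id compared against [esi+0x24] (first cave)
           and eax (second cave).

      * 0x0052AF8B (7 bytes, both versions): when [esi+0x24] == zombieType,
        calls 0x005331C0 twice with 0x0065851C / 0x00658110, computes a
        reanim slot from [esi+0x118] and calls 0x00473490 with 0x00658500,
        then re-executes the displaced `mov eax,[esi+0x58];
        add dword [esi+0x54],-1` (8B 46 58 83 46 54 FF) and resumes.
      * dead-head hook (9 bytes; 2.0: 0x0084E4D0, 2.1: 0x008A9200): when
        eax == zombieType loads esi from 0x006A7A08 and jumps to 0x00529D07;
        otherwise re-executes the displaced `cmp eax,0x23; jne site+0x14`
        (83 F8 23 0F 85 0B 00 00 00) and continues at site + 9.

    The original duplicated the body per version although only the
    dead-head site differs; it is looked up once. Unknown versions do
    nothing, as before. The `print("changehead" ...)` debug line is kept.
    """
    print("changehead" + str(f))
    global newmem_changeZombieHead
    global newmem_changeZombieDeadHead
    dead_sites = {2.0: 0x0084E4D0, 2.1: 0x008A9200}
    if data.PVZ_version not in dead_sites:
        return
    dead_site = dead_sites[data.PVZ_version]
    head_site = 0x0052AF8B
    if f:
        # --- live-zombie head cave ------------------------------------------
        newmem_changeZombieHead = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 256
        )
        shellcode = asm.Asm(newmem_changeZombieHead)
        shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.ESI, 0x24, zombieType)
        shellcode.jne_long_offset(0x4E)
        shellcode.pushad()
        shellcode.mov_exx_eyy(asm.EAX, asm.ESI)
        shellcode.push_byte(0xFF)
        shellcode.push_dword(0x0065851C)
        shellcode.call(0x005331C0)
        shellcode.mov_exx_eyy(asm.EAX, asm.ESI)
        shellcode.push_byte(0xFF)
        shellcode.push_dword(0x00658110)
        shellcode.call(0x005331C0)
        shellcode.mov_exx_dword_ptr_eyy(asm.EAX, asm.ESI)
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.ECX, asm.EAX, 0x820)
        shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.EDX, asm.ECX, 0x8)
        # ebx = edx + (([esi+0x118] & 0xFFFF) * 5) << 5
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.ESI, 0x118)
        shellcode.and_eax_dword(0xFFFF)
        shellcode.lea_exx_eyy_ezz_times(asm.EBX, asm.EAX, asm.EAX, 4)
        shellcode.shl_exx_byte(asm.EBX, 5)
        shellcode.add_exx_ptr_eyy(asm.EBX, asm.EDX)
        shellcode.push_dword_ptr(0x006A7A08)
        shellcode.mov_exx(asm.EAX, 0x00658500)
        shellcode.mov_exx_eyy(asm.ECX, asm.EBX)
        shellcode.call(0x00473490)
        shellcode.popad()
        # Displaced: mov eax,[esi+0x58]; add dword [esi+0x54],-1.
        shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.EAX, asm.ESI, 0x58)
        shellcode.add_dword_ptr_exx_add_byte_byte(asm.ESI, 0x54, 0xFF)
        shellcode.jmp(0x0052AF92)
        data.PVZ_memory.write_bytes(
            newmem_changeZombieHead,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # jmp rel32 relative to head_site + 5 + 2 nops = 7 bytes.
        data.PVZ_memory.write_bytes(
            head_site,
            b"\xe9"
            + calculate_call_address(newmem_changeZombieHead - (head_site + 5))
            + b"\x90\x90",
            7,
        )
        # --- dead-zombie head cave ------------------------------------------
        newmem_changeZombieDeadHead = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 256
        )
        shellcode2 = asm.Asm(newmem_changeZombieDeadHead)
        shellcode2.cmp_exx_byte(asm.EAX, zombieType)
        shellcode2.jne_long_offset(0xB)
        shellcode2.mov_exx_dword_ptr(asm.ESI, 0x006A7A08)
        shellcode2.jmp(0x00529D07)
        # Displaced: cmp eax,0x23; jne site+0x14 — then resume at site + 9.
        shellcode2.cmp_exx_byte(asm.EAX, 0x23)
        shellcode2.jne(dead_site + 0x14)
        shellcode2.jmp(dead_site + 9)
        data.PVZ_memory.write_bytes(
            newmem_changeZombieDeadHead,
            bytes(shellcode2.code[: shellcode2.index]),
            shellcode2.index,
        )
        # jmp rel32 relative to dead_site + 5 + 4 nops = 9 bytes.
        data.PVZ_memory.write_bytes(
            dead_site,
            b"\xe9"
            + calculate_call_address(newmem_changeZombieDeadHead - (dead_site + 5))
            + b"\x90\x90\x90\x90",
            9,
        )
    else:
        data.PVZ_memory.write_bytes(head_site, b"\x8b\x46\x58\x83\x46\x54\xff", 7)
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_changeZombieHead
        )
        data.PVZ_memory.write_bytes(
            dead_site, b"\x83\xf8\x23\x0f\x85\x0b\x00\x00\x00", 9
        )
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_changeZombieDeadHead
        )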
def deathrattleCallZombie(f, deadZombieType):
    """Install (f truthy) or remove (f falsy) the hook at 0x00529A30 that reacts
    to a zombie of type ``deadZombieType`` dying.

    The cave is a variant of the one documented by the Cheat Engine script in
    the sibling ``zombieDeadZombie``: it calls 0x00518A70 with 0x47 (the
    script labels that an effect id), 0x61A80 and the dying zombie's
    [ebp+8]/[ebp+0xC] each offset by 0x28, then — when [[0x6A9EC0]+0x7FC] == 3,
    byte [[[0x6A9EC0]+0x768]+0x164] != 1 and the type still matches — draws a
    value below 42 (PVZ_version 2.0) or 45 through 0x005AF400 and passes it
    with [edi+0x1C] (script: row) to 0x0040DDC0 on [edi+4] (script: *Board),
    copying [edi+0x2C] into the new object and setting its [+0x1B0] to 1.
    Unlike the sibling there is no type-25 draw; the compare against 25 is
    followed by six nops, so its result is unused.

    Args:
        f: truthy enables; falsy restores the 6 original bytes and frees the
           cave kept in the global ``newmem_deathrattleCallZombie``.
        deadZombieType: zombie type compared against [ebp+0x24]; encoded as an
            imm8 — NOTE(review): keep it inside the encoder's range (presumably
            0..127), larger ids would silently mis-encode.

    NOTE(review): enabling twice leaks the first cave (the global is simply
    overwritten) and disabling before enabling frees whatever the global holds.
    This hook uses the same address as ``zombieDeadZombie``; only one of the
    two can be active at a time.
    """
    global newmem_deathrattleCallZombie
    if f:
        newmem_deathrattleCallZombie = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 256
        )
        shellcode = asm.Asm(newmem_deathrattleCallZombie)
        # Only act for the configured zombie type ([ebp+0x24]).
        shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.EBP, 0x24, deadZombieType)
        # Hand-computed skip to the displaced original code at the bottom; any
        # change to the instructions in between must update this offset.
        shellcode.jne_long_offset(0xB0)
        shellcode.pushad()
        # Arguments for 0x00518A70: 0x47, 0x61A80, then y = [ebp+0xC] + 0x28
        # and x = [ebp+8] + 0x28 converted to float via the x87 stack.
        shellcode.push_byte(0x47)
        shellcode.push_dword(0x00061A80)
        shellcode.sub_exx_byte(asm.ESP, 0x10)
        shellcode.mov_ptr_exx_dword(asm.ESP, 0x28)
        shellcode.mov_ptr_exx_add_byte_dword(asm.ESP, 4, 0x28)
        shellcode.fild_dword_ptr_exx_add_byte(asm.EBP, 0x0C)
        shellcode.fiadd_ptr_exx(asm.ESP)
        shellcode.fstp_dword_ptr_exx_add_byte(asm.ESP, 0xC)
        shellcode.fild_dword_ptr_exx_add_byte(asm.EBP, 0x08)
        shellcode.fiadd_ptr_exx_add_byte(asm.ESP, 4)
        shellcode.fstp_dword_ptr_exx_add_byte(asm.ESP, 0x8)
        # esi = [[[0x6A9EC0]+0x820]] (presumably the callee's `this`).
        shellcode.mov_exx_dword_ptr(asm.ESI, 0x006A9EC0)
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.ESI, asm.ESI, 0x820)
        shellcode.mov_exx_dword_ptr_eyy(asm.ESI, asm.ESI)
        shellcode.add_exx_byte(asm.ESP, 8)
        shellcode.call(0x00518A70)
        shellcode.popad()
        shellcode.pushad()
        shellcode.mov_exx_eyy(asm.EDI, asm.EBP)
        # Skip the spawn unless [[0x6A9EC0]+0x7FC] == 3 ...
        shellcode.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
        shellcode.cmp_dword_ptr_exx_add_dword_byte(asm.EAX, 0x7FC, 3)
        shellcode.jne_long_offset(0x4C)
        # ... and byte [[[0x6A9EC0]+0x768]+0x164] != 1 ...
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x768)
        shellcode.cmp_byte_ptr_exx_add_dword_byte(asm.EAX, 0x164, 1)
        shellcode.je_offset(0x39)
        # ... and the type check still holds on the saved frame pointer.
        shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.EDI, 0x24, deadZombieType)
        shellcode.jne_long_offset(0x2F)
        # eax = value below 42/45 from 0x005AF400. Both branches emit a 5-byte
        # `mov eax,imm32`, so the jump offsets above hold for either version.
        if data.PVZ_version == 2.0:
            shellcode.mov_exx(asm.EAX, 42)
        else:
            shellcode.mov_exx(asm.EAX, 45)
        shellcode.call(0x005AF400)
        # Compare result is unused; the six nops are a placeholder (the sibling
        # zombieDeadZombie has a `je` back to its re-draw loop here).
        shellcode.cmp_exx_byte(asm.EAX, 25)
        shellcode.nop_6()
        # 0x0040DDC0(row=[edi+0x1C], id=eax) with eax = [edi+4] (script: *Board).
        shellcode.push_ptr_exx_add_byte(asm.EDI, 0x1C)
        shellcode.push_exx(asm.EAX)
        shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.EAX, asm.EDI, 4)
        shellcode.call(0x0040DDC0)
        # Copy [edi+0x2C] into the returned object and set its [+0x1B0] = 1.
        shellcode.fld_dword_ptr_exx_add_byte(asm.EDI, 0x2C)
        shellcode.fstp_dword_ptr_exx_add_byte(asm.EAX, 0x2C)
        shellcode.mov_ptr_exx_add_dword_dword(asm.EAX, 0x1B0, 1)
        shellcode.popad()
        shellcode.mov_ptr_exx_add_byte_dword(asm.EBP, 0x28, 3)
        # Displaced original bytes: push ebp / mov ebp,esp / and esp,-8.
        shellcode.push_exx(asm.EBP)
        shellcode.mov_exx_eyy(asm.EBP, asm.ESP)
        shellcode.add_byte(0x83)
        shellcode.add_byte(0xE4)
        shellcode.add_byte(0xF8)
        shellcode.jmp(0x00529A36)
        data.PVZ_memory.write_bytes(
            newmem_deathrattleCallZombie,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # jmp rel32 to the cave plus one nop over the 6 displaced bytes.
        data.PVZ_memory.write_bytes(
            0x00529A30,
            b"\xe9"
            + calculate_call_address(newmem_deathrattleCallZombie - 0x00529A35)
            + b"\x90",
            6,
        )
    else:
        data.PVZ_memory.write_bytes(0x00529A30, b"\x55\x8b\xec\x83\xe4\xf8", 6)
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_deathrattleCallZombie
        )
def zombieDeadZombie(f, deadZombieType, bossWeight):
    """Install (f truthy) or remove the hook at 0x00529A30 that, when a zombie
    of type ``deadZombieType`` dies, calls 0x00518A70 at its position and may
    hand a new zombie id to 0x0040DDC0 for the same row.

    The Cheat Engine script this was transcribed from is kept in the comment
    below; the Python emits the same instructions with ``deadZombieType`` and
    ``bossWeight`` in place of the script's literals (#24 and 60). Draw logic
    (0x005AF400 takes eax=N and presumably returns a value below N):
    rand(999) < bossWeight -> id 25; otherwise id = rand(42 or 45, by
    PVZ_version), re-drawn from the top while it equals 25. Both version
    branches emit a 5-byte ``mov eax,imm32`` so the hand-computed jump
    offsets are valid for either.

    Args:
        f: truthy enables; falsy restores the 6 original bytes and frees the
           cave kept in the global ``newmem_zombieDeadZombie``.
        deadZombieType: zombie type compared against [ebp+0x24]; encoded as an
            imm8 — NOTE(review): keep it inside the encoder's range (presumably
            0..127), larger ids would silently mis-encode.
        bossWeight: imm32 compared with rand(999); larger values make the
            type-25 outcome more likely.

    NOTE(review): enabling twice leaks the first cave (the global is simply
    overwritten) and disabling before enabling frees whatever the global holds.
    Same hook address as ``deathrattleCallZombie``; only one can be active.
    """
    global newmem_zombieDeadZombie
    # [ENABLE]
    # //code from here to '[DISABLE]' will be used to enable the cheat
    # alloc(newmem,2048)
    # label(returnhere)
    # label(originalcode)
    #
    # newmem:
    # cmp [ebp+24],#24
    # jne originalcode
    # pushad
    # push 47// effect id
    # push 00061A80
    # sub esp,10
    # mov [esp],#40// y offset
    # mov [esp+4],#40// x offset
    # fild dword ptr [ebp+c]//y
    # fiadd dword ptr [esp]
    # fstp dword ptr [esp+c]
    # fild dword ptr [ebp+8]//x
    # fiadd dword ptr [esp+4]
    # fstp dword ptr [esp+8]
    # mov esi,[6A9EC0]
    # mov esi,[esi+00000820]
    # mov esi,[esi]
    # add esp,8
    # call PlantsVsZombies.exe+118A70
    # popad
    # pushad
    # mov edi,ebp
    # mov eax,[6a9ec0]
    # cmp [eax+7fc],3
    # jne end
    # mov eax,[eax+768]
    # cmp byte ptr [eax+164],1
    # je end
    # cmp [edi+24],#24
    # jne end
    #
    # RZ:
    # mov eax,#999
    # call 5af400
    # cmp eax,60
    # mov eax,#25
    # jl CZ
    #
    # mov eax,#41
    # call 5af400
    # cmp eax,#19
    # je RZ
    # CZ:
    # push [edi+1c]//row
    # push eax//id
    # mov eax,[edi+4]//*Board
    # call 40ddc0
    # fld [edi+2c]
    # fstp [eax+2c]
    # mov [eax+1b0],1
    #
    # end:
    # popad
    # mov [ebp+28],3
    #
    # originalcode:
    # push ebp
    # mov ebp,esp
    # and esp,-08
    # jmp returnhere
    #
    #
    #
    # "PlantsVsZombies.exe"+129A30:
    # jmp newmem
    # nop
    # returnhere:
    #
    #
    #
    #
    # [DISABLE]
    # //code from here till the end of the code will be used to disable the cheat
    # dealloc(newmem)
    # "PlantsVsZombies.exe"+129A30:
    # push ebp
    # mov ebp,esp
    # and esp,-08
    # //Alt: db 55 8B EC 83 E4 F8
    if f:
        newmem_zombieDeadZombie = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 256
        )
        shellcode = asm.Asm(newmem_zombieDeadZombie)
        # `cmp [ebp+24],#24 / jne originalcode` — the offset is hand-computed
        # from the sizes of everything emitted up to the displaced bytes.
        shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.EBP, 0x24, deadZombieType)
        shellcode.jne_long_offset(0xC6)
        shellcode.pushad()
        # Arguments for 0x00518A70: 0x47, 0x61A80, y = [ebp+0xC]+0x28 and
        # x = [ebp+8]+0x28 (the script uses #40 = 0x28 for both offsets).
        shellcode.push_byte(0x47)
        shellcode.push_dword(0x00061A80)
        shellcode.sub_exx_byte(asm.ESP, 0x10)
        shellcode.mov_ptr_exx_dword(asm.ESP, 0x28)
        shellcode.mov_ptr_exx_add_byte_dword(asm.ESP, 4, 0x28)
        shellcode.fild_dword_ptr_exx_add_byte(asm.EBP, 0x0C)
        shellcode.fiadd_ptr_exx(asm.ESP)
        shellcode.fstp_dword_ptr_exx_add_byte(asm.ESP, 0xC)
        shellcode.fild_dword_ptr_exx_add_byte(asm.EBP, 0x08)
        shellcode.fiadd_ptr_exx_add_byte(asm.ESP, 4)
        shellcode.fstp_dword_ptr_exx_add_byte(asm.ESP, 0x8)
        shellcode.mov_exx_dword_ptr(asm.ESI, 0x006A9EC0)
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.ESI, asm.ESI, 0x820)
        shellcode.mov_exx_dword_ptr_eyy(asm.ESI, asm.ESI)
        shellcode.add_exx_byte(asm.ESP, 8)
        shellcode.call(0x00518A70)
        shellcode.popad()
        shellcode.pushad()
        shellcode.mov_exx_eyy(asm.EDI, asm.EBP)
        # Three guards that all branch to `end` (popad; mov [ebp+28],3).
        shellcode.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
        shellcode.cmp_dword_ptr_exx_add_dword_byte(asm.EAX, 0x7FC, 3)
        shellcode.jne_long_offset(0x62)
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x768)
        shellcode.cmp_byte_ptr_exx_add_dword_byte(asm.EAX, 0x164, 1)
        shellcode.je_offset(0x4F)
        shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.EDI, 0x24, deadZombieType)
        shellcode.jne_long_offset(0x45)
        # RZ: rand(999) < bossWeight keeps eax = 25 (jl skips the re-draw).
        shellcode.mov_exx(asm.EAX, 999)
        shellcode.call(0x005AF400)
        shellcode.cmp_exx_dword(asm.EAX, bossWeight)
        shellcode.mov_exx(asm.EAX, 25)
        shellcode.jl_long_offset(0x0F)
        # Otherwise eax = rand(42 or 45); 5-byte mov in both branches.
        if data.PVZ_version == 2.0:
            shellcode.mov_exx(asm.EAX, 42)
        else:
            shellcode.mov_exx(asm.EAX, 45)
        shellcode.call(0x005AF400)
        # Drew 25 anyway -> back to RZ (0xD7 is a negative short offset).
        shellcode.cmp_exx_byte(asm.EAX, 25)
        shellcode.je_offset(0xD7)
        # CZ: 0x0040DDC0(row=[edi+1c], id=eax) with eax = [edi+4] (*Board).
        shellcode.push_ptr_exx_add_byte(asm.EDI, 0x1C)
        shellcode.push_exx(asm.EAX)
        shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.EAX, asm.EDI, 4)
        shellcode.call(0x0040DDC0)
        shellcode.fld_dword_ptr_exx_add_byte(asm.EDI, 0x2C)
        shellcode.fstp_dword_ptr_exx_add_byte(asm.EAX, 0x2C)
        shellcode.mov_ptr_exx_add_dword_dword(asm.EAX, 0x1B0, 1)
        # end:
        shellcode.popad()
        shellcode.mov_ptr_exx_add_byte_dword(asm.EBP, 0x28, 3)
        # originalcode: push ebp / mov ebp,esp / and esp,-8 / jmp returnhere.
        shellcode.push_exx(asm.EBP)
        shellcode.mov_exx_eyy(asm.EBP, asm.ESP)
        shellcode.add_byte(0x83)
        shellcode.add_byte(0xE4)
        shellcode.add_byte(0xF8)
        shellcode.jmp(0x00529A36)
        data.PVZ_memory.write_bytes(
            newmem_zombieDeadZombie,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # jmp rel32 to the cave plus one nop over the 6 displaced bytes.
        data.PVZ_memory.write_bytes(
            0x00529A30,
            b"\xe9"
            + calculate_call_address(newmem_zombieDeadZombie - 0x00529A35)
            + b"\x90",
            6,
        )
    else:
        data.PVZ_memory.write_bytes(0x00529A30, b"\x55\x8b\xec\x83\xe4\xf8", 6)
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_zombieDeadZombie
        )
def reserveMaterialDropAllCard(f, zombieWeight, lmpWeight):
    """Hook 0x008689F2 (`mov [ebx+0x68],eax; popad; pushad`) so the value
    stored at [ebx+0x68] is replaced by a weighted random id before the
    original store runs (if ebx is a card here, +0x68 is the plant-type field
    that clearCards reads — confirm).

    Draw order in the cave (0x005AF400 takes eax=N and presumably returns a
    value below N):
      * rand(99) < zombieWeight -> go to the "lmp" draw; otherwise
        rand(99) < 50 -> id = rand(48), else id = rand(49) + 75.
      * "lmp" draw: rand(99) < lmpWeight -> id = 0x118 (280);
        otherwise id = rand(42 or 45, by PVZ_version) + 0x100.
      * ids 18, 47, 112, 113, 114 and 118 are rejected and the whole draw is
        repeated (negative 32-bit je offsets back to the cave start).
    All jump offsets are hand-computed from instruction sizes; both version
    branches emit a 5-byte `mov eax,imm32` so they stay valid.

    Args:
        f: truthy installs the cave (global newmem_reserveMaterialDropAllCard);
           falsy restores the 5 original bytes and frees it.
        zombieWeight, lmpWeight: imm8 thresholds compared with rand(99) —
            NOTE(review): keep them in 0..99; values outside the encoder's
            imm8 range would silently mis-encode.

    NOTE(review): enabling twice leaks the first cave; disabling before
    enabling frees whatever the global holds.
    """
    global newmem_reserveMaterialDropAllCard
    if f:
        newmem_reserveMaterialDropAllCard = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 256
        )
        shellcode = asm.Asm(newmem_reserveMaterialDropAllCard)
        # rand(99) < zombieWeight -> skip to the lmp draw.
        shellcode.mov_exx(asm.EAX, 99)
        shellcode.call(0x005AF400)
        shellcode.cmp_exx_byte(asm.EAX, zombieWeight)
        shellcode.jl_long_offset(0x34)
        # 50/50: rand(48) or rand(49) + 75.
        shellcode.mov_exx(asm.EAX, 99)
        shellcode.call(0x005AF400)
        shellcode.cmp_exx_byte(asm.EAX, 50)
        shellcode.jl_long_offset(0x12)
        shellcode.mov_exx(asm.EAX, 49)
        shellcode.call(0x005AF400)
        shellcode.add_exx_byte(asm.EAX, 75)
        shellcode.jmp_dword_offset(0x3B)
        shellcode.mov_exx(asm.EAX, 48)
        shellcode.call(0x005AF400)
        shellcode.jmp_dword_offset(0x2C)
        # lmp draw: rand(99) < lmpWeight -> 0x118, else rand(42/45) + 0x100.
        shellcode.mov_exx(asm.EAX, 99)
        shellcode.call(0x005AF400)
        shellcode.cmp_exx_byte(asm.EAX, lmpWeight)
        shellcode.jl_long_offset(0x14)
        if data.PVZ_version == 2.0:
            shellcode.mov_exx(asm.EAX, 42)
        else:
            shellcode.mov_exx(asm.EAX, 45)
        shellcode.call(0x005AF400)
        shellcode.add_exx_dword(asm.EAX, 0x100)
        shellcode.jmp_dword_offset(0x5)
        shellcode.mov_exx(asm.EAX, 0x118)
        # Reject list: each `je` jumps backwards (negative rel32) to re-draw.
        shellcode.cmp_exx_byte(asm.EAX, 18)
        shellcode.je_offset(0xFFFFFF84)
        shellcode.cmp_exx_byte(asm.EAX, 47)
        shellcode.je_offset(0xFFFFFF7B)
        shellcode.cmp_exx_byte(asm.EAX, 112)
        shellcode.je_offset(0xFFFFFF72)
        shellcode.cmp_exx_byte(asm.EAX, 113)
        shellcode.je_offset(0xFFFFFF69)
        shellcode.cmp_exx_byte(asm.EAX, 114)
        shellcode.je_offset(0xFFFFFF60)
        shellcode.cmp_exx_byte(asm.EAX, 118)
        shellcode.je_offset(0xFFFFFF57)
        # Displaced original bytes: mov [ebx+0x68],eax / popad / pushad.
        shellcode.mov_ptr_exx_add_byte_eyy(asm.EBX, 0x68, asm.EAX)
        shellcode.popad()
        shellcode.pushad()
        shellcode.jmp(0x008689F7)
        data.PVZ_memory.write_bytes(
            newmem_reserveMaterialDropAllCard,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # The hook is exactly 5 bytes, so no nop padding is needed.
        data.PVZ_memory.write_bytes(
            0x008689F2,
            b"\xe9"
            + calculate_call_address(newmem_reserveMaterialDropAllCard - 0x008689F7),
            5,
        )
    else:
        data.PVZ_memory.write_bytes(0x008689F2, b"\x89\x43\x68\x61\x60", 5)
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_reserveMaterialDropAllCard
        )
def creatBullet(bullets_list):
    """Spawn one projectile per entry of ``bullets_list`` inside the game.

    Each entry is ``(bullet_type, x, y, v_x, v_y)``. For every entry the
    generated code pushes x, y, 400000, 0 and bullet_type, calls 0x0040D620
    with eax = [[0x6A9EC0]+0x768], then patches the object it returns:
    [+0x58] = 7, [+0x3C] = v_x and [+0x40] = v_y as floats, [+0x88] = 1 and
    byte [+0x74] = 1. The code is handed to ``asm.runThread``, which is
    presumably what calls ``creat_asm(startAddress)`` — that method name is
    part of the contract and must not change.
    """

    class _BulletSpawner:
        def __init__(self, bullets):
            self._bullets = bullets

        def creat_asm(self, startAddress):
            code = asm.Asm(startAddress)
            for bullet_type, x, y, v_x, v_y in self._bullets:
                code.pushad()
                # Arguments are pushed right-to-left: type, 0, 400000, y, x.
                code.push_byte(bullet_type)
                code.push_byte(0)
                code.push_dword(400000)
                code.push_dword(y)
                code.push_dword(x)
                code.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
                code.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x768)
                code.call(0x0040D620)
                # eax now holds the new object; set its fields.
                code.mov_ptr_exx_add_byte_dword(asm.EAX, 0x58, 7)
                code.mov_ptr_exx_add_byte_float(asm.EAX, 0x3C, v_x)
                code.mov_ptr_exx_add_byte_float(asm.EAX, 0x40, v_y)
                code.mov_ptr_exx_add_dword_dword(asm.EAX, 0x88, 1)
                code.mov_byte_ptr_exx_add_byte_byte(asm.EAX, 0x74, 1)
                code.popad()
            return code

    asm.runThread(_BulletSpawner(bullets_list))
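def clearCards(type):
    """Flag matching cards in the current board's card array.

    Walks the array at [[baseAddress]+0x768]+0xE4 (0x104-byte slots, slot
    count at +0xF4). A slot whose byte at +0x38 is 0 is treated as live; for
    those, the plant type at +0x68 decides whether the bytes at +0x38 and
    +0x3C are set to 1.

    Args:
        type: 0 flags cards whose plant type is below 255, 1 flags cards whose
            plant type is above 255; a plant type of exactly 255 is never
            touched (kept from the original — NOTE(review): confirm whether
            255 is meant as a sentinel). Any other value just walks the array.

    Returns None. Failing to locate the board (no game attached, not in a
    level) is swallowed and the function returns silently, as before; the
    handler is narrowed from a bare ``except`` so KeyboardInterrupt still
    works. Reads/writes on individual slots propagate their exceptions.
    """
    mem = data.PVZ_memory
    try:
        board = mem.read_int(mem.read_int(data.baseAddress) + 0x768)
        card_num = mem.read_int(board + 0xF4)
        cards = mem.read_int(board + 0xE4)  # invariant across the walk
    except Exception:
        return
    print(card_num)
    for slot in range(card_num):
        card = cards + 0x104 * slot
        if mem.read_bytes(card + 0x38, 1) != b"\x00":
            continue
        plant_type = mem.read_int(card + 0x68)
        if (type == 0 and plant_type < 255) or (type == 1 and plant_type > 255):
            mem.write_bytes(card + 0x38, b"\x01", 1)
            mem.write_bytes(card + 0x3C, b"\x01", 1)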
def cardsNotDisappear(f):
    """Write a single byte at 0x00430DD1: 0 when enabled, 1 (original) when not.

    The byte is presumably an immediate inside a game instruction that decides
    whether a used card vanishes — the function name is the only evidence,
    confirm against the game code.
    """
    patched = b"\x00" if f else b"\x01"
    data.PVZ_memory.write_bytes(0x00430DD1, patched, 1)
def lockLevel(f, level):
    """Pin the value the game stores at [esi+0x7F8] (0x0044F581) to ``level``.

    Enabling *or* disabling also re-enables divzero() and
    unlimitedMonsterSpawning(), exactly as before.
    NOTE(review): that runs even when f is falsy, and every divzero(1) call
    allocates a fresh cave without freeing the previous one (its global is
    overwritten) — looks unintended; confirm before changing.

    Args:
        f: truthy swaps `mov [esi+0x7F8],eax` for a cave that stores
           ``level`` instead; falsy restores the 6 original bytes and frees
           the cave held in the global newmem_lockLevel.
        level: 32-bit immediate loaded into eax before the store (presumably
            the level number, per the name).
    """
    divzero(1)
    unlimitedMonsterSpawning(1)
    global newmem_lockLevel
    hook_at = 0x0044F581
    if not f:
        data.PVZ_memory.write_bytes(hook_at, b"\x89\x86\xf8\x07\x00\x00", 6)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_lockLevel)
        return
    cave = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 256)
    newmem_lockLevel = cave
    code = asm.Asm(cave)
    code.mov_exx(asm.EAX, level)
    code.mov_ptr_exx_add_dword_eyy(asm.ESI, 0x7F8, asm.EAX)
    code.jmp(hook_at + 6)  # 0x0044F587: first byte after the displaced ones
    data.PVZ_memory.write_bytes(cave, bytes(code.code[: code.index]), code.index)
    # jmp rel32 to the cave plus one nop to cover the 6 displaced bytes.
    data.PVZ_memory.write_bytes(
        hook_at,
        b"\xe9" + calculate_call_address(cave - (hook_at + 5)) + b"\x90",
        6,
    )
def divzero(f):
    """Guard the `div dword ptr [esp+4]` at 0x005A9A47 against a zero divisor.

    The cave checks [esp+4] and replaces 0 with 1 before re-emitting the
    displaced `div [esp+4]; mov eax,edx`, then jumps back to 0x005A9A4D.
    The "divzero" line printed on enable is kept as-is.

    Args:
        f: truthy installs the cave (global newmem_divzero); falsy restores
           the 6 original bytes (f7 74 24 04 8b c2) and frees the cave.
    NOTE(review): enabling repeatedly (lockLevel does this) overwrites the
    global without freeing the earlier cave.
    """
    global newmem_divzero
    hook_at = 0x005A9A47
    if not f:
        data.PVZ_memory.write_bytes(hook_at, b"\xf7\x74\x24\x04\x8b\xc2", 6)
        pymem.memory.free_memory(data.PVZ_memory.process_handle, newmem_divzero)
        return
    print("divzero")
    cave = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 256)
    newmem_divzero = cave
    code = asm.Asm(cave)
    code.cmp_dword_ptr_exx_add_byte_byte(asm.ESP, 0x4, 0)
    code.jne_long_offset(0x8)  # skip the 8-byte `mov [esp+4],1` below
    code.mov_ptr_exx_add_byte_dword(asm.ESP, 0x4, 1)
    # Raw bytes of `div dword ptr [esp+4]` (no emitter helper for it).
    for raw in (0xF7, 0x74, 0x24, 0x04):
        code.add_byte(raw)
    code.mov_exx_eyy(asm.EAX, asm.EDX)
    code.jmp(hook_at + 6)  # 0x005A9A4D
    data.PVZ_memory.write_bytes(cave, bytes(code.code[: code.index]), code.index)
    data.PVZ_memory.write_bytes(
        hook_at,
        b"\xe9" + calculate_call_address(cave - (hook_at + 5)) + b"\x90",
        6,
    )
def unlimitedMonsterSpawning(f):
    """Turn two conditional short jumps into unconditional ones (or back).

    At 0x0041C078 and 0x0040D91F only the opcode byte is swapped between
    0x74 (`je rel8`, original) and 0xEB (`jmp rel8`); the rel8 target byte
    is left alone. What the bypassed checks guard is not visible here; the
    name suggests a spawn limit.
    """
    opcode = b"\xeb" if f else b"\x74"
    for address in (0x0041C078, 0x0040D91F):
        data.PVZ_memory.write_bytes(address, opcode, 1)
def bungeeFix(f):
    """Raise the constant 0x42 (66) used by two game compares to 276.

    Both sites compare against an imm8 — `cmp dword [ecx+0x28],0x42; jne`
    at 0x0042A2EF and `cmp ebp,0x42; jne` at 0x004255E1 — and 276 does not
    fit an imm8, so each compare is re-emitted in a cave with an imm32 and
    branches back to the original taken / fall-through targets
    (0x0042A35A / 0x0042A2F5 and 0x004255F2 / 0x004255E6).
    What 66 vs 276 denotes (a zombie type id, judging by the name) is not
    visible here — confirm.

    Args:
        f: truthy installs both caves (globals newmem_bungeeTipFix and
           newmem_bungeePutFix); falsy restores the original bytes and frees
           them. No module-level default for these globals is visible near
           this function, so disabling before the first enable would raise
           NameError unless one is defined elsewhere.
    """
    global newmem_bungeeTipFix
    global newmem_bungeePutFix
    mem = data.PVZ_memory
    if not f:
        mem.write_bytes(0x0042A2EF, b"\x83\x79\x28\x42\x75\x65", 6)
        pymem.memory.free_memory(mem.process_handle, newmem_bungeeTipFix)
        mem.write_bytes(0x004255E1, b"\x83\xfd\x42\x75\x0c", 5)
        pymem.memory.free_memory(mem.process_handle, newmem_bungeePutFix)
        return
    # Site 1: cmp dword ptr [ecx+0x28],276 ; jne 0x0042A35A ; jmp 0x0042A2F5
    tip_cave = pymem.memory.allocate_memory(mem.process_handle, 256)
    newmem_bungeeTipFix = tip_cave
    tip = asm.Asm(tip_cave)
    tip.cmp_dword_ptr_exx_add_byte_dword(asm.ECX, 0x28, 276)
    tip.jne(0x0042A35A)
    tip.jmp(0x0042A2F5)
    mem.write_bytes(tip_cave, bytes(tip.code[: tip.index]), tip.index)
    mem.write_bytes(
        0x0042A2EF,
        b"\xe9" + calculate_call_address(tip_cave - 0x0042A2F4) + b"\x90",
        6,
    )
    # Site 2: cmp ebp,276 ; jne 0x004255F2 ; jmp 0x004255E6
    put_cave = pymem.memory.allocate_memory(mem.process_handle, 256)
    newmem_bungeePutFix = put_cave
    put = asm.Asm(put_cave)
    put.cmp_exx_dword(asm.EBP, 276)
    put.jne(0x004255F2)
    put.jmp(0x004255E6)
    mem.write_bytes(put_cave, bytes(put.code[: put.index]), put.index)
    mem.write_bytes(
        0x004255E1,
        b"\xe9" + calculate_call_address(put_cave - 0x004255E6),
        5,
    )
def setZombieRedLine(row):
    """Patch two 32-bit immediates in game code from a row index.

    0x004255DD receives ``row`` itself (the 4 bytes right before the
    `cmp ebp,0x42` site that bungeeFix hooks) and 0x004253F7 receives
    20 + row * 80 — presumably a pixel y coordinate, 80 px per lane plus a
    20 px margin; confirm. The row is echoed to stdout, as before.
    """
    print(row)
    pixel_y = 20 + row * 80
    data.PVZ_memory.write_int(0x004255DD, row)
    data.PVZ_memory.write_int(0x004253F7, pixel_y)
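def findBoss():
    """Collect the zombies of type 25 currently in the board's zombie array.

    Walks [[baseAddress]+0x768]+0x90 (0x204-byte slots, slot count at +0xA0);
    a slot is in use when its byte at +0xEC is 0. Type 25 is the same value
    the bossCorrect_* caves test (`cmp [esi+0x24],0x19`), so these are
    presumably the Zomboss objects — confirm.

    Returns:
        list of ``data.zombie`` wrappers (possibly empty), or None when the
        board cannot be read (no game attached / not in a level). The None
        return is kept from the original; callers that iterate the result
        must handle it. The handler is narrowed from a bare ``except`` so
        KeyboardInterrupt still works.
    """
    mem = data.PVZ_memory
    try:
        board = mem.read_int(mem.read_int(data.baseAddress) + 0x768)
        zombie_num = mem.read_int(board + 0xA0)
        zombies = mem.read_int(board + 0x90)  # invariant across the walk
    except Exception:
        return None
    bosses = []
    for slot in range(zombie_num):
        addr = zombies + 0x204 * slot
        if mem.read_bytes(addr + 0xEC, 1) != b"\x00":
            continue
        z = data.zombie(addr)
        if z.type == 25:
            bosses.append(z)
    return bosses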
def nightSun(f):
    """Patch two branches in game code (name suggests: sun at night as by day).

    0x0040B196: `je +0x29` (74 29) becomes `jmp +0x14` (eb 14).
    0x00413A76: `cmp eax,1; push ebx; push edi; je +0x170`
    (83 f8 01 53 57 0f 84 70 01 00 00) becomes three nops, the two pushes,
    `jmp +0x28` and four nops — the compare is dropped and an unconditional
    short jump to a different target takes its place.

    Args:
        f: truthy applies the patches, falsy restores the original bytes.
    """
    patches = {
        0x0040B196: (b"\xeb\x14", b"\x74\x29"),
        0x00413A76: (
            b"\x90\x90\x90\x53\x57\xeb\x28\x90\x90\x90\x90",
            b"\x83\xf8\x01\x53\x57\x0f\x84\x70\x01\x00\x00",
        ),
    }
    for address, (enabled, original) in patches.items():
        payload = enabled if f else original
        data.PVZ_memory.write_bytes(address, payload, len(payload))
# Cave address in the game process; set by bossCorrect_Outerleg(1), freed by
# bossCorrect_Outerleg(0). None until the hook has been enabled once.
newmem_bossCorrect_Outerleg = None
def bossCorrect_Outerleg(f):
    """Hook 0x004167A8 so the 0 stored at [ebx+ecx*4+8] gets ebp added to it.

    Original bytes (c7 44 8b 08 00 00 00 00 8d 0c 8b):
    `mov dword [ebx+ecx*4+8],0; lea ecx,[ebx+ecx*4]`. The cave re-emits them
    with `add [ebx+ecx*4+8],ebp` in between and returns to 0x004167B1 via
    push/ret. The values 0..4 written by the bossCorrect_* siblings look like
    body-part indices that ebp offsets per boss — NOTE(review): confirm.

    Args:
        f: truthy installs a 256-byte cave (global newmem_bossCorrect_Outerleg);
           falsy restores the 11 original bytes and frees it (the module
           default None is what gets freed if it was never enabled).
    """
    global newmem_bossCorrect_Outerleg
    hook_at = 0x004167A8
    if not f:
        data.PVZ_memory.write_bytes(
            hook_at, b"\xc7\x44\x8b\x08\x00\x00\x00\x00\x8d\x0c\x8b", 11
        )
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_bossCorrect_Outerleg
        )
        return
    cave = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 256)
    newmem_bossCorrect_Outerleg = cave
    code = asm.Asm(cave)
    code.mov_ptr_exx_add_eyy_times_add_byte_doword(asm.EBX, asm.ECX, 4, 8, 0)
    code.add_ptr_exx_add_eyy_times_add_byte_ezz(asm.EBX, asm.ECX, 4, 8, asm.EBP)
    code.lea_exx_ptr_eyy_add_ezz_times(asm.ECX, asm.EBX, asm.ECX, 4)
    code.push_dword(0x004167B1)
    code.ret()
    data.PVZ_memory.write_bytes(cave, bytes(code.code[: code.index]), code.index)
    # jmp rel32 to the cave, nops over the remaining displaced bytes.
    trampoline = b"\xe9" + calculate_call_address(cave - (hook_at + 5)) + b"\x90" * 6
    data.PVZ_memory.write_bytes(hook_at, trampoline, 11)
# Cave address in the game process; set by bossCorrect_body(1), freed by
# bossCorrect_body(0). None until the hook has been enabled once.
newmem_bossCorrect_body = None
def bossCorrect_body(f):
    """Hook 0x004167D1 so the 1 stored at [ebx+ecx*4+8] gets ebp added to it.

    Original bytes (c7 44 8b 08 01 00 00 00 8d 0c 8b):
    `mov dword [ebx+ecx*4+8],1; lea ecx,[ebx+ecx*4]`. The cave re-emits them
    with `add [ebx+ecx*4+8],ebp` in between and returns to 0x004167DC via
    push/ret. Same pattern as bossCorrect_Outerleg with index 1.

    Args:
        f: truthy installs a 128-byte cave (global newmem_bossCorrect_body);
           falsy restores the 11 original bytes and frees it.
    """
    global newmem_bossCorrect_body
    hook_at = 0x004167D1
    if not f:
        data.PVZ_memory.write_bytes(
            hook_at, b"\xc7\x44\x8b\x08\x01\x00\x00\x00\x8d\x0c\x8b", 11
        )
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_bossCorrect_body
        )
        return
    cave = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 128)
    newmem_bossCorrect_body = cave
    code = asm.Asm(cave)
    code.mov_ptr_exx_add_eyy_times_add_byte_doword(asm.EBX, asm.ECX, 4, 8, 1)
    code.add_ptr_exx_add_eyy_times_add_byte_ezz(asm.EBX, asm.ECX, 4, 8, asm.EBP)
    code.lea_exx_ptr_eyy_add_ezz_times(asm.ECX, asm.EBX, asm.ECX, 4)
    code.push_dword(0x004167DC)
    code.ret()
    data.PVZ_memory.write_bytes(cave, bytes(code.code[: code.index]), code.index)
    # jmp rel32 to the cave, nops over the remaining displaced bytes.
    trampoline = b"\xe9" + calculate_call_address(cave - (hook_at + 5)) + b"\x90" * 6
    data.PVZ_memory.write_bytes(hook_at, trampoline, 11)
# Cave address in the game process; set by bossCorrect_Innerleg(1), freed by
# bossCorrect_Innerleg(0). None until the hook has been enabled once.
newmem_bossCorrect_Innerleg = None
def bossCorrect_Innerleg(f):
    """Hook 0x004167F4 so the 2 stored at [ecx+8] gets ebp added to it.

    Original bytes (c7 41 08 02 00 00 00 8d 4c 40 09):
    `mov dword [ecx+8],2; lea ecx,[eax+eax*2+9]`. The cave re-emits them with
    `add [ecx+8],ebp` in between and returns to 0x004167FE via push/ret.
    Same pattern as bossCorrect_Outerleg with index 2.

    Args:
        f: truthy installs a 128-byte cave (global newmem_bossCorrect_Innerleg);
           falsy restores the 11 original bytes and frees it.
    """
    global newmem_bossCorrect_Innerleg
    hook_at = 0x004167F4
    if not f:
        data.PVZ_memory.write_bytes(
            hook_at, b"\xc7\x41\x08\x02\x00\x00\x00\x8d\x4c\x40\x09", 11
        )
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_bossCorrect_Innerleg
        )
        return
    cave = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 128)
    newmem_bossCorrect_Innerleg = cave
    code = asm.Asm(cave)
    code.mov_ptr_exx_add_byte_dword(asm.ECX, 0x08, 0x02)
    code.add_ptr_exx_add_byte_eyy(asm.ECX, 0x08, asm.EBP)
    code.lea_exx_ptr_eyy_add_ezz_times_add_byte(asm.ECX, asm.EAX, asm.EAX, 2, 9)
    code.push_dword(0x004167FE)
    code.ret()
    data.PVZ_memory.write_bytes(cave, bytes(code.code[: code.index]), code.index)
    # jmp rel32 to the cave, nops over the remaining displaced bytes.
    trampoline = b"\xe9" + calculate_call_address(cave - (hook_at + 5)) + b"\x90" * 6
    data.PVZ_memory.write_bytes(hook_at, trampoline, 11)
# Cave address in the game process; set by bossCorrect_Innerarm(1), freed by
# bossCorrect_Innerarm(0). None until the hook has been enabled once.
newmem_bossCorrect_Innerarm = None
def bossCorrect_Innerarm(f):
    """Hook 0x00416815 so the 3 stored at [ecx+8] gets ebp added to it.

    Original bytes (c7 41 08 03 00 00 00 8b 92 8c 00 00 00):
    `mov dword [ecx+8],3; mov edx,[edx+0x8C]`. The cave emits
    `mov [ecx+8],3; add [ecx+8],ebp; mov edx,[edx+0x8C]` and returns to
    0x00416821 via push/ret. Same pattern as bossCorrect_Outerleg, index 3.

    Args:
        f: truthy installs a 128-byte cave (global newmem_bossCorrect_Innerarm);
           falsy restores the 13 original bytes and frees it.
    """
    global newmem_bossCorrect_Innerarm
    hook_at = 0x00416815
    if not f:
        data.PVZ_memory.write_bytes(
            hook_at, b"\xc7\x41\x08\x03\x00\x00\x00\x8b\x92\x8c\x00\x00\x00", 13
        )
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_bossCorrect_Innerarm
        )
        return
    cave = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 128)
    newmem_bossCorrect_Innerarm = cave
    code = asm.Asm(cave)
    code.mov_ptr_exx_add_byte_dword(asm.ECX, 0x08, 0x03)
    code.add_ptr_exx_add_byte_eyy(asm.ECX, 0x08, asm.EBP)
    code.mov_exx_dword_ptr_eyy_add_dword(asm.EDX, asm.EDX, 0x8C)
    code.push_dword(0x00416821)
    code.ret()
    data.PVZ_memory.write_bytes(cave, bytes(code.code[: code.index]), code.index)
    # jmp rel32 to the cave, nops over the remaining displaced bytes.
    trampoline = b"\xe9"+ calculate_call_address(cave - (hook_at + 5)) + b"\x90" * 8
    data.PVZ_memory.write_bytes(hook_at, trampoline, 13)
# Cave address in the game process; set by bossCorrect_Ball(1), freed by
# bossCorrect_Ball(0). None until the hook has been enabled once.
newmem_bossCorrect_Ball = None
def bossCorrect_Ball(f):
    """Hook 0x00416867 so the 4 stored at [ebx+8] gets ebp added to it.

    Original bytes (c7 43 08 04 00 00 00 89 07):
    `mov dword [ebx+8],4; mov [edi],eax`. The cave emits
    `mov [ebx+8],4; add [ebx+8],ebp; mov [edi],eax` and returns to 0x00416870
    via push/ret. Same pattern as bossCorrect_Outerleg, index 4.

    Args:
        f: truthy installs a 256-byte cave (global newmem_bossCorrect_Ball);
           falsy restores the 9 original bytes and frees it.
    """
    global newmem_bossCorrect_Ball
    hook_at = 0x00416867
    if not f:
        data.PVZ_memory.write_bytes(
            hook_at, b"\xc7\x43\x08\x04\x00\x00\x00\x89\x07", 9
        )
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_bossCorrect_Ball
        )
        return
    cave = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 256)
    newmem_bossCorrect_Ball = cave
    code = asm.Asm(cave)
    code.mov_ptr_exx_add_byte_dword(asm.EBX, 0x08, 0x04)
    code.add_ptr_exx_add_byte_eyy(asm.EBX, 0x08, asm.EBP)
    code.mov_ptr_exx_eyy(asm.EDI, asm.EAX)
    code.push_dword(0x00416870)
    code.ret()
    data.PVZ_memory.write_bytes(cave, bytes(code.code[: code.index]), code.index)
    # jmp rel32 to the cave, nops over the remaining displaced bytes.
    trampoline = b"\xe9" + calculate_call_address(cave - (hook_at + 5)) + b"\x90" * 4
    data.PVZ_memory.write_bytes(hook_at, trampoline, 9)
# Cave address in the game process; set by bossCorrect_iterate(1), freed by
# bossCorrect_iterate(0). None until the hook has been enabled once.
newmem_bossCorrect_iterate = None
def bossCorrect_iterate(f):
    """Hook 0x0041711A (`mov edx,[ebp+8]; call 0x0041D390; mov edi,eax`,
    bytes 8b 55 08 e8 6e 62 00 00 8b f8) with the cave listed below.

    The cave no longer calls 0x0041D390. It loads edx = [ebx], and when
    edx < [[ebp+8]+0x90] returns to 0x0041732E; otherwise it reduces
    edx - [[ebp+8]+0x90] modulo the 16-bit word read from the game's own
    code at 0x0041C911 (presumably an instruction immediate there — confirm),
    stores the remainder back to [ebx], returns eax = original edx minus the
    remainder and resumes at 0x00417124.
    NOTE(review): `idiv cx` only rewrites ax/dx; the upper half of edx still
    holds cdq's sign extension when the 32-bit `sub edi,edx` / `mov [ebx],edx`
    run, so the arithmetic is only right for non-negative values — confirm
    that is always the case here.

    Args:
        f: truthy installs a 256-byte cave (global newmem_bossCorrect_iterate);
           falsy restores the 10 original bytes and frees it.
    """
    global newmem_bossCorrect_iterate
    # mov edx,[ebx]
    # mov edi,edx
    # mov eax,[ebp+08]
    # mov eax,[eax+00000090]
    # cmp edx,eax
    # db 7D 06
    # push 0041732E
    # ret
    # sub edx,eax
    # mov cx,[0041C911]
    # xchg eax,edx
    # cdq
    # sub eax,edx
    # idiv cx
    # sub edi,edx
    # mov [ebx],edx
    # mov eax,edi
    # push 00417124
    # ret
    if f:
        newmem_bossCorrect_iterate = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 256
        )
        shellcode = asm.Asm(newmem_bossCorrect_iterate)
        shellcode.mov_exx_dword_ptr_eyy(asm.EDX, asm.EBX)
        shellcode.mov_exx_eyy(asm.EDI, asm.EDX)
        shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.EAX, asm.EBP, 0x8)
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x90)
        shellcode.cmp_exx_eyy(asm.EDX, asm.EAX)
        # jge +6 skips the push/ret pair below (exactly 6 bytes).
        shellcode.jnl_offset(0x06)
        shellcode.push_dword(0x0041732E)
        shellcode.ret()
        shellcode.sub_exx_eyy(asm.EDX, asm.EAX)
        # 16-bit divisor read from inside the game's code.
        shellcode.mov_ex_ptr_dword(asm.CX, 0x0041C911)
        shellcode.xchg_exx_eyy(asm.EAX, asm.EDX)
        shellcode.cdq()
        shellcode.sub_exx_eyy(asm.EAX, asm.EDX)
        shellcode.idiv_ex(asm.CX)
        # dx = remainder (upper edx untouched, see the NOTE above).
        shellcode.sub_exx_eyy(asm.EDI, asm.EDX)
        shellcode.mov_ptr_exx_eyy(asm.EBX, asm.EDX)
        shellcode.mov_exx_eyy(asm.EAX, asm.EDI)
        shellcode.push_dword(0x00417124)
        shellcode.ret()
        data.PVZ_memory.write_bytes(
            newmem_bossCorrect_iterate,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # jmp rel32 to the cave plus five nops over the 10 displaced bytes.
        data.PVZ_memory.write_bytes(
            0x0041711A,
            b"\xe9"
            + calculate_call_address(newmem_bossCorrect_iterate - 0x0041711F)
            + b"\x90\x90\x90\x90\x90",
            10,
        )
    else:
        data.PVZ_memory.write_bytes(
            0x0041711A, b"\x8b\x55\x08\xe8\x6e\x62\x00\x00\x8b\xf8", 10
        )
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_bossCorrect_iterate
        )
# Cave address in the game process; set by bossCorrect_Coordinate(1), freed by
# bossCorrect_Coordinate(0). None until the hook has been enabled once.
newmem_bossCorrect_Coordinate = None
def bossCorrect_Coordinate(f):
    """Hook 0x00417136 (`fild dword [edi+8]; mov esi,[ebp+0xC]; mov edx,[ebx];
    push edx`, bytes db 47 08 8b 75 0c 8b 13 52) to also reset [edi+0x30] to
    0.0 and write [edi+0x2C] before the displaced instructions run.

    [edi+0x2C] becomes [0x679FE4] + [0x679498] when 0x0052BEE0 (called with
    ecx = edi through the push/ret thunk at the end of the cave) returns
    al != 0, and 0.0 otherwise. The call uses a cave-relative target
    (cave + 0x32), so the byte size of everything emitted before the thunk
    must stay exactly 0x32.

    Args:
        f: truthy installs a 128-byte cave (global newmem_bossCorrect_Coordinate);
           falsy restores the 9 original bytes and frees it.
    """
    global newmem_bossCorrect_Coordinate
    # fldz
    # fstp dword ptr [edi+30]
    # mov ecx,edi
    # db E8 26 00 00 00
    # test al,al
    # db 74 0E
    # fld dword ptr [00679FE4]
    # fadd dword ptr [00679498]
    # db EB 02
    # fldz
    # fstp dword ptr [edi+2C]
    # fild dword ptr [edi+08]
    # mov esi,[ebp+0C]
    # mov edx,[ebx]
    # push edx
    # push 0041713F
    # ret
    # push 0052BEE0
    # ret
    if f:
        newmem_bossCorrect_Coordinate = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 128
        )
        shellcode = asm.Asm(newmem_bossCorrect_Coordinate)
        shellcode.fldz()
        shellcode.fstp_dword_ptr_exx_add_byte(asm.EDI, 0x30)
        shellcode.mov_exx_eyy(asm.ECX, asm.EDI)
        # Calls the `push 0x0052BEE0; ret` thunk at cave + 0x32 (see docstring).
        shellcode.call(newmem_bossCorrect_Coordinate + 0x32)
        shellcode.test_8(asm.AL, asm.AL)
        shellcode.je_short_offset(0x0E)
        shellcode.fld_dword_ptr_address(0x00679FE4)
        shellcode.fadd_dword_ptr_address(0x00679498)
        shellcode.jmp_short_offset(2)
        shellcode.fldz()
        shellcode.fstp_dword_ptr_exx_add_byte(asm.EDI, 0x2C)
        # Displaced original instructions, then return to 0x0041713F.
        shellcode.fild_dword_ptr_exx_add_byte(asm.EDI, 0x08)
        shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.ESI, asm.EBP, 0x0C)
        shellcode.mov_exx_dword_ptr_eyy(asm.EDX, asm.EBX)
        shellcode.push_exx(asm.EDX)
        shellcode.push_dword(0x0041713F)
        shellcode.ret()
        # Thunk at cave + 0x32.
        shellcode.push_dword(0x0052BEE0)
        shellcode.ret()
        data.PVZ_memory.write_bytes(
            newmem_bossCorrect_Coordinate,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # jmp rel32 to the cave plus four nops over the 9 displaced bytes.
        data.PVZ_memory.write_bytes(
            0x00417136,
            b"\xe9"
            + calculate_call_address(newmem_bossCorrect_Coordinate - 0x0041713B)
            + b"\x90\x90\x90\x90",
            9,
        )
    else:
        data.PVZ_memory.write_bytes(
            0x00417136, b"\xdb\x47\x08\x8b\x75\x0c\x8b\x13\x52", 9
        )
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_bossCorrect_Coordinate
        )
# Cave address in the game process; set by bossCorrect_fire_melting_iceBall(1),
# freed by bossCorrect_fire_melting_iceBall(0). None until enabled once.
newmem_bossCorrect_fire_melting_iceBall = None
def bossCorrect_fire_melting_iceBall(f):
    """Hook 0x00466493 (`mov edx,[edi+4]; call 0x0041D390; test eax,eax`,
    bytes 8b 57 04 e8 f5 6e fb ff 85 c0) to run an extra pass over zombies
    before resuming at 0x004664A5.

    Loop shape (inferred from the cave, confirm against the game): a zero
    dword is pushed and esi points at it; 0x0041C8F0 is called via the thunk
    at cave + 0x34 with edx = [edi+4] and presumably writes the next zombie
    into [esi], returning al != 0 while entries remain. For each zombie of
    type 0x19 (25) whose byte at +0xB8 is not 1, esi is pushed and
    0x005356D0 is called via the thunk at cave + 0x3A.
    NOTE(review): nothing in the loop pops that pushed esi, so the stack only
    stays balanced if 0x005356D0 removes its own argument (stdcall-style);
    otherwise esp drifts by 4 per hit and `mov esi,esp` no longer points at
    the zero slot — confirm the callee's convention.
    Both thunk offsets depend on the exact byte size of the code before them.

    Args:
        f: truthy installs a 2048-byte cave (global
           newmem_bossCorrect_fire_melting_iceBall); falsy restores the 10
           original bytes and frees it.
    """
    global newmem_bossCorrect_fire_melting_iceBall
    # pushad
    # push 00
    # mov esi,esp
    # mov edx,[edi+04]
    # db E8 27 00 00 00
    # test al,al
    # db 74 19
    # mov esi,[esi]
    # cmp dword ptr [esi+24],19
    # db 75 EA
    # cmp byte ptr [esi+000000B8],01
    # db 74 E1
    # push esi
    # db E8 12 00 00 00
    # db EB D9
    # add esp,04
    # popad
    # push 004664A5
    # ret
    # push 0041C8F0
    # ret
    # push 005356D0
    # ret
    if f:
        newmem_bossCorrect_fire_melting_iceBall = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 2048
        )
        shellcode = asm.Asm(newmem_bossCorrect_fire_melting_iceBall)
        shellcode.pushad()
        # Output slot for the iterator; esi keeps its address.
        shellcode.push_byte(0)
        shellcode.mov_exx_eyy(asm.ESI, asm.ESP)
        shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.EDX, asm.EDI, 0x04)
        # Thunk at cave + 0x34 -> 0x0041C8F0.
        shellcode.call(newmem_bossCorrect_fire_melting_iceBall + 0x34)
        shellcode.test_8(asm.AL, asm.AL)
        shellcode.je_short_offset(0x19)  # done -> add esp,4 / popad / return
        shellcode.mov_exx_dword_ptr_eyy(asm.ESI, asm.ESI)
        # Skip (jump back to `mov esi,esp`) unless type == 25 and [+0xB8] != 1.
        shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.ESI, 0x24, 0x19)
        shellcode.jne_short_offset(0xEA)
        shellcode.cmp_byte_ptr_exx_add_dword_byte(asm.ESI, 0xB8, 0x01)
        shellcode.je_short_offset(0xE1)
        shellcode.push_exx(asm.ESI)
        # Thunk at cave + 0x3A -> 0x005356D0.
        shellcode.call(newmem_bossCorrect_fire_melting_iceBall + 0x3A)
        shellcode.jmp_short_offset(0xD9)
        shellcode.add_exx_byte(asm.ESP, 0x04)
        shellcode.popad()
        shellcode.push_dword(0x004664A5)
        shellcode.ret()
        shellcode.push_dword(0x0041C8F0)
        shellcode.ret()
        shellcode.push_dword(0x005356D0)
        shellcode.ret()
        data.PVZ_memory.write_bytes(
            newmem_bossCorrect_fire_melting_iceBall,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # jmp rel32 to the cave plus five nops over the 10 displaced bytes.
        data.PVZ_memory.write_bytes(
            0x00466493,
            b"\xe9"
            + calculate_call_address(
                newmem_bossCorrect_fire_melting_iceBall - 0x00466498
            )
            + b"\x90\x90\x90\x90\x90",
            10,
        )
    else:
        data.PVZ_memory.write_bytes(
            0x00466493, b"\x8b\x57\x04\xe8\xf5\x6e\xfb\xff\x85\xc0", 10
        )
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_bossCorrect_fire_melting_iceBall
        )
# Cave address in the game process; set by bossCorrect_ice_melting_fireBall(1),
# freed by bossCorrect_ice_melting_fireBall(0). None until enabled once.
newmem_bossCorrect_ice_melting_fireBall = None
def bossCorrect_ice_melting_fireBall(f):
    """Hook 0x00466587 (`mov edx,[edi+4]; call 0x0041D390`, bytes
    8b 57 04 e8 01 6e fb ff) to run an extra pass over zombies before
    resuming at 0x004665A4.

    Same loop as bossCorrect_fire_melting_iceBall — 0x0041C8F0 via the thunk
    at cave + 0x41 presumably yields zombies into the pushed slot at [esi] —
    but with one more filter: the zombie's [+0x148] must equal ebx, which is
    loaded from [esp+0x14] before pushad. Matching zombies (type 0x19, byte
    [+0xB8] != 1) are passed in eax to 0x00535630 via the thunk at
    cave + 0x47. Both thunk offsets depend on the exact byte size of the
    code before them.

    Args:
        f: truthy installs a 2048-byte cave (global
           newmem_bossCorrect_ice_melting_fireBall); falsy restores the 8
           original bytes (the write still passes a length of 9, as before)
           and frees it.
    NOTE(review): the restore call hands write_bytes an 8-byte buffer with
    length 9 — confirm what write_bytes does with the mismatch.
    """
    global newmem_bossCorrect_ice_melting_fireBall
    # [ENABLE]
    # //code from here to '[DISABLE]' will be used to enable the cheat
    # alloc(newmem,2048)
    # label(returnhere)
    #
    # newmem: //this is allocated memory, you have read,write,execute access
    # //place your code here
    # mov ebx,[esp+14]
    # pushad
    # push 00
    # mov esi,esp
    # mov edx,[edi+04]
    # db E8 30 00 00 00
    # test al,al
    # db 74 22
    # mov esi,[esi]
    # cmp dword ptr [esi+24],19
    # db 75 EA
    # cmp byte ptr [esi+000000B8],01
    # db 74 E1
    # cmp ebx,[esi+00000148]
    # db 75 D9
    # mov eax,esi
    # db E8 12 00 00 00
    # db EB D0
    # add esp,04
    # popad
    # push 004665A4
    # ret
    # push 0041C8F0
    # ret
    # push 00535630
    # ret
    #
    #
    # "PlantsVsZombies.exe"+66587:
    # jmp newmem
    # nop
    # nop
    # nop
    # returnhere:
    #
    #
    #
    #
    # [DISABLE]
    # //code from here till the end of the code will be used to disable the cheat
    # dealloc(newmem)
    # "PlantsVsZombies.exe"+66587:
    # db 8B 57 04 E8 01 6E FB FF
    # //mov edx,[edi+04]
    # //call 0041D390
    if f:
        newmem_bossCorrect_ice_melting_fireBall = pymem.memory.allocate_memory(
            data.PVZ_memory.process_handle, 2048
        )
        shellcode = asm.Asm(newmem_bossCorrect_ice_melting_fireBall)
        # ebx = [esp+0x14] (a caller value compared against [zombie+0x148]).
        shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.EBX, asm.ESP, 0x14)
        shellcode.pushad()
        shellcode.push_byte(0)
        shellcode.mov_exx_eyy(asm.ESI, asm.ESP)
        shellcode.mov_exx_dword_ptr_eyy_add_byte(asm.EDX, asm.EDI, 0x04)
        # Thunk at cave + 0x41 -> 0x0041C8F0.
        shellcode.call(newmem_bossCorrect_ice_melting_fireBall + 0x41)
        shellcode.test_8(asm.AL, asm.AL)
        shellcode.je_short_offset(0x22)  # done -> add esp,4 / popad / return
        shellcode.mov_exx_dword_ptr_eyy(asm.ESI, asm.ESI)
        # Back to `mov esi,esp` unless type == 25, [+0xB8] != 1, [+0x148] == ebx.
        shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.ESI, 0x24, 0x19)
        shellcode.jne_short_offset(0xEA)
        shellcode.cmp_byte_ptr_exx_add_dword_byte(asm.ESI, 0xB8, 0x01)
        shellcode.je_short_offset(0xE1)
        shellcode.cmp_exx_ptr_eyy_add_dword(asm.EBX, asm.ESI, 0x148)
        shellcode.jne_short_offset(0xD9)
        shellcode.mov_exx_eyy(asm.EAX, asm.ESI)
        # Thunk at cave + 0x47 -> 0x00535630.
        shellcode.call(newmem_bossCorrect_ice_melting_fireBall + 0x47)
        shellcode.jmp_short_offset(0xD0)
        shellcode.add_exx_byte(asm.ESP, 0x04)
        shellcode.popad()
        shellcode.push_dword(0x004665A4)
        shellcode.ret()
        shellcode.push_dword(0x0041C8F0)
        shellcode.ret()
        shellcode.push_dword(0x00535630)
        shellcode.ret()
        data.PVZ_memory.write_bytes(
            newmem_bossCorrect_ice_melting_fireBall,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        # jmp rel32 to the cave plus four nops (9 bytes written).
        data.PVZ_memory.write_bytes(
            0x00466587,
            b"\xe9"
            + calculate_call_address(
                newmem_bossCorrect_ice_melting_fireBall - 0x0046658C
            )
            + b"\x90\x90\x90\x90",
            9,
        )
    else:
        data.PVZ_memory.write_bytes(0x00466587, b"\x8b\x57\x04\xe8\x01\x6e\xfb\xff", 9)
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_bossCorrect_ice_melting_fireBall
        )
# Cave address in the game process; set by bossCorrect_dead(1), freed by
# bossCorrect_dead(0). None until the hook has been enabled once.
newmem_bossCorrect_dead = None
def bossCorrect_dead(f):
    """Hook 0x00533D6D to call 0x00530510 with ecx = edi right before the
    game's `cmp dword [ebx+0x5C],0; jle 0x00533D7A` (bytes 83 7b 5c 00 7e 07).

    The cave preserves ecx around the call, then re-emits the compare and
    routes both outcomes to their original targets: 0x00533D7A when
    [ebx+0x5C] <= 0, else 0x00533D73. What 0x00530510 does and what edi
    points to are not visible here (the name suggests a dying boss).

    Args:
        f: truthy installs a 2048-byte cave (global newmem_bossCorrect_dead);
           falsy restores the 6 original bytes and frees it.
    """
    global newmem_bossCorrect_dead
    hook_at = 0x00533D6D
    if not f:
        data.PVZ_memory.write_bytes(hook_at, b"\x83\x7b\x5c\x00\x7e\x07", 6)
        pymem.memory.free_memory(
            data.PVZ_memory.process_handle, newmem_bossCorrect_dead
        )
        return
    cave = pymem.memory.allocate_memory(data.PVZ_memory.process_handle, 2048)
    newmem_bossCorrect_dead = cave
    code = asm.Asm(cave)
    code.push_exx(asm.ECX)  # the call below clobbers ecx
    code.mov_exx_eyy(asm.ECX, asm.EDI)
    code.call(0x00530510)
    code.pop_exx(asm.ECX)
    code.cmp_dword_ptr_exx_add_byte_byte(asm.EBX, 0x5C, 0)
    code.jng(0x00533D7A)
    code.jmp(hook_at + 6)  # 0x00533D73: first byte after the displaced ones
    data.PVZ_memory.write_bytes(cave, bytes(code.code[: code.index]), code.index)
    # jmp rel32 to the cave plus one nop over the 6 displaced bytes.
    data.PVZ_memory.write_bytes(
        hook_at,
        b"\xe9" + calculate_call_address(cave - (hook_at + 5)) + b"\x90",
        6,
    )
def bossCorrect(f):
    """Enable (f truthy) or disable (f falsy) every bossCorrect_* hook.

    The hooks are applied in a fixed order; each one patches its own game
    address and manages its own cave, so they do not depend on one another.
    Enabling twice without disabling in between leaks each hook's first cave.
    """
    hooks = (
        bossCorrect_Outerleg,
        bossCorrect_body,
        bossCorrect_Innerleg,
        bossCorrect_Innerarm,
        bossCorrect_Ball,
        bossCorrect_iterate,
        bossCorrect_Coordinate,
        bossCorrect_fire_melting_iceBall,
        bossCorrect_ice_melting_fireBall,
        bossCorrect_dead,
    )
    for apply_hook in hooks:
        apply_hook(f)
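def unpack(src_file, dst_dir):
    """Extract a PopCap-style .pak archive (every byte XOR 0xF7) into dst_dir.

    Layout after un-XORing, as read here and written by the sibling ``pack``:
    ``<II`` magic 0xBAC04AC0 and version 0; then index records made of a
    ``<B`` flag (0x00 = a record follows, anything else ends the index), a
    ``<B`` name length, the UTF-8 name, ``<I`` size and ``<Q`` file time;
    then the payloads back to back in index order.

    Archives are untrusted input: every entry name is resolved against
    dst_dir and must stay inside it, so ``../x`` or an absolute path cannot
    write outside the target (zip-slip). The index and all payload sizes are
    checked before anything is written, so a hostile or truncated archive
    leaves no partial output.

    Args:
        src_file: path of the archive to read.
        dst_dir: directory that receives the files (created on demand).

    Returns:
        "UNPACK_SRC_NOT_EXIST" if src_file cannot be found,
        "UNPACK_SRC_HEADER_ERROR" on a short file or bad magic/version,
        "UNPACK_SRC_PATH_ERROR" if an entry would land outside dst_dir,
        "UNPACK_SRC_DATA_ERROR" if the index or a payload is truncated,
        "UNPACK_SUCCESS" otherwise. Other OSErrors propagate.
    """
    try:
        with open(src_file, "rb") as f:
            blob = f.read()
    except FileNotFoundError:
        return "UNPACK_SRC_NOT_EXIST"
    # Un-XOR through a translation table: same bytes as a per-byte loop, in C.
    blob = blob.translate(bytes(b ^ 0xF7 for b in range(256)))

    if len(blob) < 8:
        return "UNPACK_SRC_HEADER_ERROR"
    file_header_magic, file_header_version = struct.unpack_from("<II", blob, 0)
    if file_header_magic != 0xBAC04AC0 or file_header_version > 0x00000000:
        return "UNPACK_SRC_HEADER_ERROR"

    # Index: (flag, name length, name, size, time) until a non-zero flag.
    entries = []
    offset = 8
    try:
        while True:
            (eof_flag,) = struct.unpack_from("<B", blob, offset)
            offset += 1
            if eof_flag != 0x00:
                break
            (name_width,) = struct.unpack_from("<B", blob, offset)
            offset += 1
            if offset + name_width > len(blob):
                return "UNPACK_SRC_DATA_ERROR"
            name = blob[offset : offset + name_width].decode("utf-8", errors="ignore")
            offset += name_width
            (file_size,) = struct.unpack_from("<I", blob, offset)
            offset += 4 + 8  # size, then the 8-byte file time (not used)
            entries.append((name, file_size))
    except struct.error:  # index runs past the end of the file
        return "UNPACK_SRC_DATA_ERROR"

    # Validate every entry before touching the disk.
    root = os.path.realpath(dst_dir)
    planned = []
    for name, file_size in entries:
        target = os.path.realpath(os.path.join(root, name))
        try:
            inside = (
                bool(name)
                and target != root
                and os.path.commonpath([root, target]) == root
            )
        except ValueError:  # e.g. a different drive on Windows
            inside = False
        if not inside:
            return "UNPACK_SRC_PATH_ERROR"
        if offset + file_size > len(blob):
            return "UNPACK_SRC_DATA_ERROR"
        planned.append((target, offset, file_size))
        offset += file_size

    for target, start, file_size in planned:
        os.makedirs(os.path.dirname(target), exist_ok=True)
        with open(target, "wb") as f:
            f.write(blob[start : start + file_size])
    return "UNPACK_SUCCESS"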
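def pack(src_dir, dst_file):
    """Write every file under src_dir into a PopCap-style .pak at dst_file.

    Produces the layout the sibling ``unpack`` reads: a ``<II`` header
    (magic 0xBAC04AC0, version 0); one index record per file made of a 0x00
    flag byte, ``<B`` name length, the UTF-8 name relative to src_dir
    (separators as the OS gives them), ``<I`` size and ``<Q`` file time
    (always 0 here); a 0x80 end-of-index byte; then the payloads in the same
    order. The whole buffer is XORed with 0xF7.

    The 0x00 flag byte opening each record was previously missing, so
    unpack() read the first name length as the end-of-index flag and
    extracted nothing from archives written here. Sizes are taken from the
    bytes actually read, so the index cannot disagree with the payload.

    Args:
        src_dir: directory whose files (recursively, os.walk order) are packed.
        dst_file: output path, overwritten.

    Raises:
        ValueError: a relative name exceeds 255 UTF-8 bytes or a file exceeds
            4 GiB — neither fits the index fields.
        OSError: from reading the sources or writing the archive.
    """
    files = [
        os.path.join(root, fname)
        for root, _dirs, fnames in os.walk(src_dir)
        for fname in fnames
    ]
    payloads = []
    for path in files:
        with open(path, "rb") as src_f:
            payloads.append(src_f.read())

    out = bytearray(struct.pack("<II", 0xBAC04AC0, 0x00000000))
    for path, payload in zip(files, payloads):
        name_utf8 = os.path.relpath(path, src_dir).encode("utf-8")
        if len(name_utf8) > 0xFF:
            raise ValueError("pak entry name longer than 255 bytes: " + path)
        if len(payload) > 0xFFFFFFFF:
            raise ValueError("pak entry larger than 4 GiB: " + path)
        out += struct.pack("<BB", 0x00, len(name_utf8))  # 0x00 = record follows
        out += name_utf8
        out += struct.pack("<IQ", len(payload), 0)  # size, file time (unused)
    out += struct.pack("<B", 0x80)  # end of index
    for payload in payloads:
        out += payload

    # XOR every byte with 0xF7 via a translation table (C speed, same result).
    out = out.translate(bytes(b ^ 0xF7 for b in range(256)))
    with open(dst_file, "wb") as f:
        f.write(out)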
# Cave address in the game process; set by zombieHitDeadSun(1), freed by
# zombieHitDeadSun(0). None until the hook has been enabled once.
newmem_zombieHitDeadSun = None
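def zombieHitDeadSun(f, large_sun_weight, middle_sun_weight, small_sun_weight):
    """Enable (``f`` truthy) or disable the "zombie killed by damage drops sun" hook.

    Enable allocates (or reuses) a 2048-byte code cave in the game process,
    assembles three weighted rolls into it and replaces the 5-byte
    ``call 00530170`` at 0x005317A4 with a ``jmp`` to the cave; the cave
    re-issues that call and jumps back to 0x005317A9.  Disable restores the
    original bytes and releases the cave (only if one is allocated, so a
    disable before enable or a second disable is harmless).

    Each roll calls the game routine at 0x005AF400 with eax=99 and compares
    eax with the matching weight; the Cheat Engine script this was ported
    from labels the compares as the large/middle/small sun probabilities, so
    the routine is presumably a bounded random number generator (confirm).
    When eax is not greater than the weight one sun of that size (codes
    0x06, 0x04, 0x05) is spawned at the zombie's position and the remaining
    rolls are skipped.

    The ``jg``/``jmp`` displacements are hand-computed byte counts of the
    emitted code (0x36 = 49-byte drop sequence + 5-byte jmp, 0x31 = drop
    sequence alone); keep the emission order unchanged when editing.

    Args:
        f: truthy to install the hook, falsy to remove it.
        large_sun_weight, middle_sun_weight, small_sun_weight: byte-sized
            thresholds compared against the roll result.
    """
    global newmem_zombieHitDeadSun
    hook_address = 0x005317A4
    return_address = 0x005317A9
    original_bytes = b"\xe8\xc7\xe9\xff\xff"  # call 00530170
    cave_size = 2048

    def emit_drop_sun(shellcode, sun_type):
        # Spawn one sun of ``sun_type`` at the (x, y) read from [ebx+0x2c] /
        # [ebx+0x30] through the game routine at 0x0040CB10.  ebx holds the
        # eax the hook site had, presumably the zombie object (confirm).
        shellcode.mov_exx_dword_ptr(asm.ECX, 0x006A9EC0)
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.ECX, asm.ECX, 0x768)
        shellcode.push_byte(0x02)
        shellcode.push_byte(sun_type)
        shellcode.fld_dword_ptr_exx_add_byte(asm.EBX, 0x30)
        shellcode.sub_exx_byte(asm.ESP, 0x04)
        shellcode.fistp_dword_ptr_exx(asm.ESP)
        shellcode.fld_dword_ptr_exx_add_byte(asm.EBX, 0x2C)
        shellcode.sub_exx_byte(asm.ESP, 0x04)
        shellcode.fistp_dword_ptr_exx(asm.ESP)
        shellcode.mov_ptr_dword_dword(0x00743F62, 1)
        shellcode.call(0x0040CB10)

    if f:
        if newmem_zombieHitDeadSun is None:
            newmem_zombieHitDeadSun = pymem.memory.allocate_memory(
                data.PVZ_memory.process_handle, cave_size
            )
        else:
            # Re-enabling with new weights: detach the hook before the cave
            # is rewritten so no game thread enters half-written code.
            data.PVZ_memory.write_bytes(hook_address, original_bytes, 5)
        shellcode = asm.Asm(newmem_zombieHitDeadSun)
        shellcode.pushad()
        shellcode.mov_exx_eyy(asm.EBX, asm.EAX)
        # (sun-size code, weight, jg displacement past the drop, jmp displacement to the exit)
        rolls = (
            (0x06, large_sun_weight, 0x36, 0x8D),
            (0x04, middle_sun_weight, 0x36, 0x44),
            (0x05, small_sun_weight, 0x31, None),
        )
        for sun_type, weight, skip_displacement, exit_displacement in rolls:
            shellcode.mov_exx(asm.EAX, 99)
            shellcode.call(0x005AF400)
            shellcode.cmp_exx_byte(asm.EAX, weight)
            shellcode.jg_long_offset(skip_displacement)  # roll failed: next roll / exit
            emit_drop_sun(shellcode, sun_type)
            if exit_displacement is not None:
                shellcode.jmp_dword_offset(exit_displacement)  # sun dropped: skip the rest
        shellcode.popad()
        shellcode.call(0x00530170)  # the displaced original instruction
        shellcode.jmp(return_address)
        if shellcode.index > cave_size:
            raise ValueError("zombieHitDeadSun: shellcode exceeds the code cave")
        data.PVZ_memory.write_bytes(
            newmem_zombieHitDeadSun,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        data.PVZ_memory.write_bytes(
            hook_address,
            b"\xe9" + calculate_call_address(newmem_zombieHitDeadSun - return_address),
            5,
        )
    else:
        data.PVZ_memory.write_bytes(hook_address, original_bytes, 5)
        if newmem_zombieHitDeadSun is not None:
            pymem.memory.free_memory(
                data.PVZ_memory.process_handle, newmem_zombieHitDeadSun
            )
            newmem_zombieHitDeadSun = None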
newmem_zombieBombDeadSun = None  # address of the code cave allocated by zombieBombDeadSun; None until the hook is first enabled
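def zombieBombDeadSun(f, large_sun_weight, middle_sun_weight, small_sun_weight):
    """Enable (``f`` truthy) or disable the "zombie killed by explosion drops sun" hook.

    Same cave layout as ``zombieHitDeadSun`` but patched at the second call
    site: the 5-byte ``call 00530170`` at 0x00530301 becomes a ``jmp`` to a
    2048-byte code cave, which re-issues the call and jumps back to
    0x00530306.  Disable restores the original bytes and releases the cave
    (only if one is allocated, so a disable before enable or a second
    disable is harmless).

    Each roll calls the game routine at 0x005AF400 with eax=99 and compares
    eax with the matching weight; the Cheat Engine script this was ported
    from labels the compares as the large/middle/small sun probabilities, so
    the routine is presumably a bounded random number generator (confirm).
    When eax is not greater than the weight one sun of that size (codes
    0x06, 0x04, 0x05) is spawned at the zombie's position and the remaining
    rolls are skipped.

    The ``jg``/``jmp`` displacements are hand-computed byte counts of the
    emitted code (0x36 = 49-byte drop sequence + 5-byte jmp, 0x31 = drop
    sequence alone); keep the emission order unchanged when editing.

    Args:
        f: truthy to install the hook, falsy to remove it.
        large_sun_weight, middle_sun_weight, small_sun_weight: byte-sized
            thresholds compared against the roll result.
    """
    global newmem_zombieBombDeadSun
    hook_address = 0x00530301
    return_address = 0x00530306
    original_bytes = b"\xe8\x6a\xfe\xff\xff"  # call 00530170
    cave_size = 2048

    def emit_drop_sun(shellcode, sun_type):
        # Spawn one sun of ``sun_type`` at the (x, y) read from [ebx+0x2c] /
        # [ebx+0x30] through the game routine at 0x0040CB10.  ebx holds the
        # eax the hook site had, presumably the zombie object (confirm).
        shellcode.mov_exx_dword_ptr(asm.ECX, 0x006A9EC0)
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.ECX, asm.ECX, 0x768)
        shellcode.push_byte(0x02)
        shellcode.push_byte(sun_type)
        shellcode.fld_dword_ptr_exx_add_byte(asm.EBX, 0x30)
        shellcode.sub_exx_byte(asm.ESP, 0x04)
        shellcode.fistp_dword_ptr_exx(asm.ESP)
        shellcode.fld_dword_ptr_exx_add_byte(asm.EBX, 0x2C)
        shellcode.sub_exx_byte(asm.ESP, 0x04)
        shellcode.fistp_dword_ptr_exx(asm.ESP)
        shellcode.mov_ptr_dword_dword(0x00743F62, 1)
        shellcode.call(0x0040CB10)

    if f:
        if newmem_zombieBombDeadSun is None:
            newmem_zombieBombDeadSun = pymem.memory.allocate_memory(
                data.PVZ_memory.process_handle, cave_size
            )
        else:
            # Re-enabling with new weights: detach the hook before the cave
            # is rewritten so no game thread enters half-written code.
            data.PVZ_memory.write_bytes(hook_address, original_bytes, 5)
        shellcode = asm.Asm(newmem_zombieBombDeadSun)
        shellcode.pushad()
        shellcode.mov_exx_eyy(asm.EBX, asm.EAX)
        # (sun-size code, weight, jg displacement past the drop, jmp displacement to the exit)
        rolls = (
            (0x06, large_sun_weight, 0x36, 0x8D),
            (0x04, middle_sun_weight, 0x36, 0x44),
            (0x05, small_sun_weight, 0x31, None),
        )
        for sun_type, weight, skip_displacement, exit_displacement in rolls:
            shellcode.mov_exx(asm.EAX, 99)
            shellcode.call(0x005AF400)
            shellcode.cmp_exx_byte(asm.EAX, weight)
            shellcode.jg_long_offset(skip_displacement)  # roll failed: next roll / exit
            emit_drop_sun(shellcode, sun_type)
            if exit_displacement is not None:
                shellcode.jmp_dword_offset(exit_displacement)  # sun dropped: skip the rest
        shellcode.popad()
        shellcode.call(0x00530170)  # the displaced original instruction
        shellcode.jmp(return_address)
        if shellcode.index > cave_size:
            raise ValueError("zombieBombDeadSun: shellcode exceeds the code cave")
        data.PVZ_memory.write_bytes(
            newmem_zombieBombDeadSun,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        data.PVZ_memory.write_bytes(
            hook_address,
            b"\xe9" + calculate_call_address(newmem_zombieBombDeadSun - return_address),
            5,
        )
    else:
        data.PVZ_memory.write_bytes(hook_address, original_bytes, 5)
        if newmem_zombieBombDeadSun is not None:
            pymem.memory.free_memory(
                data.PVZ_memory.process_handle, newmem_zombieBombDeadSun
            )
            newmem_zombieBombDeadSun = None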
def zombieTypeDeadDropSun(f, large_sun_weight, middle_sun_weight, small_sun_weight):
    # Enable/disable both "zombies of one type drop sun" hooks (explosion and
    # damage kills) together.
    # NOTE(review): as written this cannot work -- both callees are declared
    # as ``(f, type)`` (see zombieTypeHitDeadDropSun and
    # zombieTypeBomeDeadDropSun below) but are called with four positional
    # arguments, which raises TypeError on every call.  The intended
    # signature is presumably ``(f, type)``; confirm against the GUI code that
    # calls this before changing it.
    zombieTypeBomeDeadDropSun(f, large_sun_weight, middle_sun_weight, small_sun_weight)
    zombieTypeHitDeadDropSun(f, large_sun_weight, middle_sun_weight, small_sun_weight)
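newmem_zombieTypeHitDeadDropSun = None  # address of the code cave allocated below; None until the hook is first enabled
def zombieTypeHitDeadDropSun(f, type):
    """Enable (``f`` truthy) or disable the "zombies of one type drop sun when killed by damage" hook.

    Enable allocates (or reuses) a 2048-byte code cave, replaces the 5-byte
    ``call 00530170`` at 0x005317A4 with a ``jmp`` to it and has the cave
    re-issue that call before jumping back to 0x005317A9.  In the cave the
    dword at [zombie+0x24] is compared with ``type``; on a mismatch nothing
    happens, otherwise four large suns (code 0x06) are spawned at the
    zombie's position, each spawn wrapped in pushad/popad.  Disable restores
    the original bytes and releases the cave (only if one is allocated, so a
    disable before enable or a second disable is harmless).

    The module-level ``newmem_zombieTypeHitDeadDropSun = None`` is declared
    right above because, unlike the sibling hooks, no initialisation was
    visible for it; reading an undefined global would raise NameError.

    The ``jne`` displacement 0xCC is the hand-computed size of the four
    51-byte drop blocks; keep the emission order unchanged when editing.

    Args:
        f: truthy to install the hook, falsy to remove it.
        type: byte-sized zombie type id compared against [zombie+0x24]
            (the parameter name shadows the builtin; kept for callers).
    """
    global newmem_zombieTypeHitDeadDropSun
    hook_address = 0x005317A4
    return_address = 0x005317A9
    original_bytes = b"\xe8\xc7\xe9\xff\xff"  # call 00530170
    cave_size = 2048
    zombie_type = type

    def emit_drop_sun(shellcode, sun_type):
        # Spawn one sun of ``sun_type`` at the (x, y) read from [ebx+0x2c] /
        # [ebx+0x30] through the game routine at 0x0040CB10.  ebx holds the
        # eax the hook site had, presumably the zombie object (confirm).
        shellcode.mov_exx_dword_ptr(asm.ECX, 0x006A9EC0)
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.ECX, asm.ECX, 0x768)
        shellcode.push_byte(0x02)
        shellcode.push_byte(sun_type)
        shellcode.fld_dword_ptr_exx_add_byte(asm.EBX, 0x30)
        shellcode.sub_exx_byte(asm.ESP, 0x04)
        shellcode.fistp_dword_ptr_exx(asm.ESP)
        shellcode.fld_dword_ptr_exx_add_byte(asm.EBX, 0x2C)
        shellcode.sub_exx_byte(asm.ESP, 0x04)
        shellcode.fistp_dword_ptr_exx(asm.ESP)
        shellcode.mov_ptr_dword_dword(0x00743F62, 1)
        shellcode.call(0x0040CB10)

    if f:
        if newmem_zombieTypeHitDeadDropSun is None:
            newmem_zombieTypeHitDeadDropSun = pymem.memory.allocate_memory(
                data.PVZ_memory.process_handle, cave_size
            )
        else:
            # Re-enabling with a new type: detach the hook before the cave is
            # rewritten so no game thread enters half-written code.
            data.PVZ_memory.write_bytes(hook_address, original_bytes, 5)
        shellcode = asm.Asm(newmem_zombieTypeHitDeadDropSun)
        shellcode.pushad()
        shellcode.mov_exx_eyy(asm.EBX, asm.EAX)
        shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.EBX, 0x24, zombie_type)
        shellcode.jne_long_offset(0xCC)  # wrong type: skip the four drop blocks
        for _ in range(4):
            shellcode.pushad()
            emit_drop_sun(shellcode, 0x06)
            shellcode.popad()
        shellcode.popad()
        shellcode.call(0x00530170)  # the displaced original instruction
        shellcode.jmp(return_address)
        if shellcode.index > cave_size:
            raise ValueError("zombieTypeHitDeadDropSun: shellcode exceeds the code cave")
        data.PVZ_memory.write_bytes(
            newmem_zombieTypeHitDeadDropSun,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        data.PVZ_memory.write_bytes(
            hook_address,
            b"\xe9"
            + calculate_call_address(newmem_zombieTypeHitDeadDropSun - return_address),
            5,
        )
    else:
        data.PVZ_memory.write_bytes(hook_address, original_bytes, 5)
        if newmem_zombieTypeHitDeadDropSun is not None:
            pymem.memory.free_memory(
                data.PVZ_memory.process_handle, newmem_zombieTypeHitDeadDropSun
            )
            newmem_zombieTypeHitDeadDropSun = None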
newmem_zombieTypeBomeDeadDropSun = None  # address of the code cave allocated by zombieTypeBomeDeadDropSun; None until the hook is first enabled
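def zombieTypeBomeDeadDropSun(f, type):
    """Enable (``f`` truthy) or disable the "zombies of one type drop sun when killed by explosion" hook.

    Same cave layout as ``zombieTypeHitDeadDropSun`` but patched at the
    second call site: the 5-byte ``call 00530170`` at 0x00530301 becomes a
    ``jmp`` to a 2048-byte code cave, which re-issues the call and jumps
    back to 0x00530306.  In the cave the dword at [zombie+0x24] is compared
    with ``type``; on a mismatch nothing happens, otherwise four large suns
    (code 0x06) are spawned at the zombie's position, each spawn wrapped in
    pushad/popad.  Disable restores the original bytes and releases the cave
    (only if one is allocated, so a disable before enable or a second
    disable is harmless).

    The ``jne`` displacement 0xCC is the hand-computed size of the four
    51-byte drop blocks; keep the emission order unchanged when editing.

    Args:
        f: truthy to install the hook, falsy to remove it.
        type: byte-sized zombie type id compared against [zombie+0x24]
            (the parameter name shadows the builtin; kept for callers).
    """
    global newmem_zombieTypeBomeDeadDropSun
    hook_address = 0x00530301
    return_address = 0x00530306
    original_bytes = b"\xe8\x6a\xfe\xff\xff"  # call 00530170
    cave_size = 2048
    zombie_type = type

    def emit_drop_sun(shellcode, sun_type):
        # Spawn one sun of ``sun_type`` at the (x, y) read from [ebx+0x2c] /
        # [ebx+0x30] through the game routine at 0x0040CB10.  ebx holds the
        # eax the hook site had, presumably the zombie object (confirm).
        shellcode.mov_exx_dword_ptr(asm.ECX, 0x006A9EC0)
        shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.ECX, asm.ECX, 0x768)
        shellcode.push_byte(0x02)
        shellcode.push_byte(sun_type)
        shellcode.fld_dword_ptr_exx_add_byte(asm.EBX, 0x30)
        shellcode.sub_exx_byte(asm.ESP, 0x04)
        shellcode.fistp_dword_ptr_exx(asm.ESP)
        shellcode.fld_dword_ptr_exx_add_byte(asm.EBX, 0x2C)
        shellcode.sub_exx_byte(asm.ESP, 0x04)
        shellcode.fistp_dword_ptr_exx(asm.ESP)
        shellcode.mov_ptr_dword_dword(0x00743F62, 1)
        shellcode.call(0x0040CB10)

    if f:
        if newmem_zombieTypeBomeDeadDropSun is None:
            newmem_zombieTypeBomeDeadDropSun = pymem.memory.allocate_memory(
                data.PVZ_memory.process_handle, cave_size
            )
        else:
            # Re-enabling with a new type: detach the hook before the cave is
            # rewritten so no game thread enters half-written code.
            data.PVZ_memory.write_bytes(hook_address, original_bytes, 5)
        shellcode = asm.Asm(newmem_zombieTypeBomeDeadDropSun)
        shellcode.pushad()
        shellcode.mov_exx_eyy(asm.EBX, asm.EAX)
        shellcode.cmp_dword_ptr_exx_add_byte_byte(asm.EBX, 0x24, zombie_type)
        shellcode.jne_long_offset(0xCC)  # wrong type: skip the four drop blocks
        for _ in range(4):
            shellcode.pushad()
            emit_drop_sun(shellcode, 0x06)
            shellcode.popad()
        shellcode.popad()
        shellcode.call(0x00530170)  # the displaced original instruction
        shellcode.jmp(return_address)
        if shellcode.index > cave_size:
            raise ValueError("zombieTypeBomeDeadDropSun: shellcode exceeds the code cave")
        data.PVZ_memory.write_bytes(
            newmem_zombieTypeBomeDeadDropSun,
            bytes(shellcode.code[: shellcode.index]),
            shellcode.index,
        )
        data.PVZ_memory.write_bytes(
            hook_address,
            b"\xe9"
            + calculate_call_address(newmem_zombieTypeBomeDeadDropSun - return_address),
            5,
        )
    else:
        data.PVZ_memory.write_bytes(hook_address, original_bytes, 5)
        if newmem_zombieTypeBomeDeadDropSun is not None:
            pymem.memory.free_memory(
                data.PVZ_memory.process_handle, newmem_zombieTypeBomeDeadDropSun
            )
            newmem_zombieTypeBomeDeadDropSun = None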
newmem_infiniteItems = None  # address of the code cave allocated by infiniteItems (2.1 only); None until the hook is first enabled
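def infiniteItems(f):
    """Enable (``f`` truthy) or disable the "infinite items" hook (PVZ Hybrid 2.1 only).

    When ``data.PVZ_version`` is 2.0 both enable and disable are no-ops; any
    other version than 2.1 is ignored as well.  On 2.1 the six bytes at
    0x0053801A (``8b 41 28 39 46 24`` = ``mov eax,[ecx+0x28]`` /
    ``cmp [esi+0x24],eax``) are replaced by a 5-byte ``jmp`` to a 2048-byte
    code cave plus a ``nop``.  The cave stores 9999 into a fixed set of dword
    slots of the object at ``[[0x006A9EC0]+0x82C]`` (presumably the item
    counters, going by the function name -- confirm), then re-executes the
    two displaced instructions and jumps back to 0x00538020.  Disable
    restores the original six bytes and releases the cave (only if one is
    allocated, so a disable before enable or a second disable is harmless).

    Args:
        f: truthy to install the hook, falsy to remove it.
    """
    global newmem_infiniteItems
    hook_address = 0x0053801A
    jmp_next_address = 0x0053801F  # byte after the 5-byte jmp; rel32 is taken from here
    return_address = 0x00538020  # byte after the nop that pads the 6-byte patch
    original_bytes = b"\x8b\x41\x28\x39\x46\x24"  # mov eax,[ecx+28] ; cmp [esi+24],eax
    cave_size = 2048
    item_slot_offsets = (
        0x208, 0x20C, 0x210, 0x220,
        0x1CB4, 0x1CB8, 0x1CBC, 0x1CC0, 0x1CC4,
        0x1CEC, 0x1CF0, 0x1CF4, 0x1CF8, 0x1CFC,
        0x1D00, 0x1D04, 0x1D08, 0x1D0C, 0x1D10,
    )
    item_count = 9999

    if data.PVZ_version == 2.0:
        pass
    elif data.PVZ_version == 2.1:
        if f:
            if newmem_infiniteItems is None:
                newmem_infiniteItems = pymem.memory.allocate_memory(
                    data.PVZ_memory.process_handle, cave_size
                )
            else:
                # Re-enabling: detach the hook before the cave is rewritten so
                # no game thread enters half-written code.
                data.PVZ_memory.write_bytes(hook_address, original_bytes, 6)
            shellcode = asm.Asm(newmem_infiniteItems)
            shellcode.pushad()
            shellcode.mov_exx_dword_ptr(asm.EAX, 0x006A9EC0)
            shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.EAX, 0x82C)
            for slot_offset in item_slot_offsets:
                shellcode.mov_dword_ptr_exx_add_dword_dowrd(asm.EAX, slot_offset, item_count)
            shellcode.popad()
            # the two instructions displaced by the jmp
            shellcode.mov_exx_dword_ptr_eyy_add_dword(asm.EAX, asm.ECX, 0x28)
            shellcode.cmp_ptr_exx_add_byte_eyy(asm.ESI, 0x24, asm.EAX)
            shellcode.jmp(return_address)
            if shellcode.index > cave_size:
                raise ValueError("infiniteItems: shellcode exceeds the code cave")
            data.PVZ_memory.write_bytes(
                newmem_infiniteItems,
                bytes(shellcode.code[: shellcode.index]),
                shellcode.index,
            )
            data.PVZ_memory.write_bytes(
                hook_address,
                b"\xe9"
                + calculate_call_address(newmem_infiniteItems - jmp_next_address)
                + b"\x90",
                6,
            )
        else:
            data.PVZ_memory.write_bytes(hook_address, original_bytes, 6)
            if newmem_infiniteItems is not None:
                pymem.memory.free_memory(
                    data.PVZ_memory.process_handle, newmem_infiniteItems
                )
                newmem_infiniteItems = None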