Analysis of Plant vs. Zombie Game: logic Analysis of Cherry explosion function

mochongli
Expert Cheater
Posts: 82
Joined: Wed Apr 22, 2020 7:36 pm
Reputation: 97


Post by mochongli »

Logical implementation: [image]

Simulation implementation:

Remote injection, call explosion function:


// Build as a 32-bit (x86) MSVC project: the game is 32-bit and the stub uses x86 inline asm.
#include <windows.h>
#include <stdio.h>

// Helper from the author's project (not shown in the post): returns a handle to the game
// process opened with PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE.
HANDLE GetGameProcessHandle();

// Stub that is copied into the game process and run as a remote thread.
// The thread parameter is a pointer to two DWORDs: {x, y}.
__declspec(naked) void BoomCall(DWORD *pxy)
{
    _asm
    {
        mov ebx,[esp+4]                  // thread parameter: pointer to {x, y}
        mov ecx,[ebx]                    // x
        mov edx,[ebx+4]                  // y

        push 0x7F
        push 0x1
        push 0x1
        push 0x73
        push edx                         // y
        push ecx                         // x
        push 0x3                         // items nearby
        mov eax,dword ptr ds:[0x7794f8]  // db [007794F8]+868
        mov eax,dword ptr ds:[eax+0x868] // object the explosion function operates on
        push eax
        mov edx,0x00436190               // cherry bomb explosion function
        call edx                         // callee cleans up its own arguments (no esp adjustment here)
        ret                              // end of the remote thread
    }
}

// Inject BoomCall into the game and run it with the given coordinates.
void CallBoom(DWORD x, DWORD y)
{
    HANDLE hProcess = GetGameProcessHandle();
    DWORD xy[2] = { x, y };
    SIZE_T bw = 0;

    // Allocate memory in the target process to hold the code to be executed
    PVOID FarCall2 = VirtualAllocEx(hProcess, NULL, 0x8FFF, MEM_COMMIT, PAGE_EXECUTE_READWRITE);
    // Allocate space for the parameters
    PVOID CallArg2 = VirtualAllocEx(hProcess, NULL, sizeof(DWORD) * 2, MEM_COMMIT, PAGE_READWRITE);
    if (!FarCall2 || !CallArg2) return;

    // Write the code we want to execute to the allocated address in the target process
    // (0x8FFF bytes is far more than the stub itself; the extra bytes are simply never executed)
    WriteProcessMemory(hProcess, FarCall2, BoomCall, 0x8FFF, &bw);
    // Write the parameters to the target process
    WriteProcessMemory(hProcess, CallArg2, xy, sizeof(DWORD) * 2, &bw);
    // Print out the address of the injected code
    printf("\n addr_BoomCall=%p \n", FarCall2);

    HANDLE threadinject2 = CreateRemoteThread(hProcess, NULL, 0,
                                              (LPTHREAD_START_ROUTINE)FarCall2, CallArg2, 0, NULL);
    if (threadinject2)
    {
        WaitForSingleObject(threadinject2, INFINITE); // wait ...
        CloseHandle(threadinject2);
    }
}
[image]

The cherry bomb is not planted in the picture, but the explosion effect of killing a zombie is still achieved.

Analysis ideas:
To determine the cherry bomb's explosion process, that process has to be reproduced, but in the game the cherry bomb usually kills instantly, so the explosion process is difficult to analyze.
So we use the pea cannon attack to determine the zombie's health, and then increase the health so that the cherry bomb's explosion process can occur many times.
Through the pea cannon attack and scanning memory with CE, the zombies' health is determined to be 270, and a pea cannon attack reduces it by 20%.
[image]

We increase the zombies' health.
The attack address of the cherry explosion; the cherry bomb's attack power is 1800. [image]
See who changed the address. [image]
See who accessed the address. [image]



Remove the cmp above and trace back to the place where the cherry bomb explodes: [image]



Analysis conclusion:

The analysis shows that even if the cherry bomb is not planted (or the cherry is not selected in the card slot), the explosion effect can be achieved by calling the cherry bomb's explosion function.

silver001
Novice Cheater
Posts: 20
Joined: Tue Sep 01, 2020 4:59 pm
Reputation: 12

Re: Analysis of Plant vs. Zombie Game: logic Analysis of Cherry explosion function

Post by silver001 »

Thanks! I really like how you have to think 'outside the box' and sometimes INCREASE enemy health (or even freeze it) to open up access to other parts of the program.
