操作步骤
突破口[怪物名称]
1. 扫描团团兔,扫出来10个3个符合预期,坑爹呢,游戏里肉眼看到都大于3个,很明显游戏字符串应该是UNICODE编码,我说人物名字我怎么找不到呢,回头把人物名称补上.
2. 切换UNICODE编码,扫描看看,1000多个,选几个符合预期的od试试水
3. 看看字符串是否正确[验证通过]
4. 下访问断点试试
访问断点,写入断点都尝试后,无反应,此路不通,换一个,重复步骤 3
由此可知,团团兔占用6个字节,换个方式扫描
目标字节[E2 56 E2 56 54 51 00 00 00 00 00 00]
这个下断不断,还有脏数据,舍弃[E2 56 E2 56 54 51 00 00 4A 1B CD BD]
10多个一个一个排除吧,暂时没有好办法
33CD6824 [E2 56 E2 56 54 51 00 00 4A 1B CD BD] 下断不断
02E7CA3C [E2 56 E2 56 54 51 00 00 00 00 00 00] 下断不断
05B0A704 [E2 56 E2 56 54 51 00 00 00 00 00 00] 下断不断
05B13554
05B1377C
0EBB0E10
0EBB0E44 [E2 56 E2 56 54 51 00 00 00 00 00 00] 下断不断
0EBE4A58
0EBE4A8C
0EC20C8C
0EC4DB52
0EC4DE72
0EC4E192
10FFADCC [E2 56 E2 56 54 51 00 00 00 00 00 00] 下断不断
12429BB8 [E2 56 E2 56 54 51 00 00 00 00 00 00] 下断不断
1242DF60
15202A32
15218A02
18F6B4E2
我草 都不行啊
扫出来的都不断,退出游戏重新登陆,再次扫描,看看谁访问了代码
突破口1
008D0429 - D9 5C 24 28 - fstp dword ptr [esp+28]
008D042D - FF 15 F862BE00 - call dword ptr [ELEMENTCLIENT.EXE+7E62F8]
008D0433 - 66 83 7D 00 00 - cmp word ptr [ebp+00],00 <<
008D0438 - 0F84 B9020000 - je ELEMENTCLIENT.EXE+4D06F7
008D043E - 8B BC 24 D8000000 - mov edi,[esp+000000D8]
突破口2
008D0452 - 85 C0 - test eax,eax
008D0454 - 0F84 98020000 - je ELEMENTCLIENT.EXE+4D06F2
008D045A - 66 8B 4D 00 - mov cx,[ebp+00] <<
008D045E - 8D 44 24 13 - lea eax,[esp+13]
008D0462 - 50 - push eax
突破口3
008D06DC - 8B 88 8C000000 - mov ecx,[eax+0000008C]
008D06E2 - E8 F9430C00 - call ELEMENTCLIENT.EXE+594AE0
008D06E7 - 66 83 7D 00 00 - cmp word ptr [ebp+00],00 <<
008D06EC - 0F85 59FDFFFF - jne ELEMENTCLIENT.EXE+4D044B
008D06F2 - 8B 7C 24 44 - mov edi,[esp+44]
5. 目标 33A3C22C 追踪 ebp寄存器
6. 如图所示,查看堆栈 怪物走到这里人物也走到这里,追人物名称异曲同工
008D03E0 /$ 81EC BC000000 sub esp, 0BC 这里下断点
7. 如图所示,追eax
8. 公式 [[ecx+C]+0*4] 看起来像数组,Ctrl+F9 追ecx
00417B20 /$ 83EC 14 sub esp, 14
00417B23 |. A1 1CDFD000 mov eax, dword ptr [D0DF1C]
00417B28 |. 53 push ebx
00417B29 |. 57 push edi
00417B2A |. 8BF9 mov edi, ecx ; [[ecx+C]+0*4]
00417B2C |. 8B48 1C mov ecx, dword ptr [eax+1C]
00417B2F |. 8B51 04 mov edx, dword ptr [ecx+4]
00417B32 |. 8B4A 08 mov ecx, dword ptr [edx+8]
00417B35 |. 8B41 1C mov eax, dword ptr [ecx+1C]
00417B38 |. 8B11 mov edx, dword ptr [ecx]
00417B3A |. 894424 08 mov dword ptr [esp+8], eax
00417B3E |. FF52 4C call dword ptr [edx+4C]
00417B41 |. 8B4F 3C mov ecx, dword ptr [edi+3C]
00417B44 |. 8B5C24 24 mov ebx, dword ptr [esp+24]
00417B48 |. 894424 18 mov dword ptr [esp+18], eax
00417B4C |. 8B4424 28 mov eax, dword ptr [esp+28]
00417B50 |. 894424 28 mov dword ptr [esp+28], eax
00417B54 |. 33C0 xor eax, eax
00417B56 |. 3BC8 cmp ecx, eax
00417B58 |. 894424 10 mov dword ptr [esp+10], eax
00417B5C |. 894424 14 mov dword ptr [esp+14], eax
00417B60 |. 0F8E F1000000 jle 00417C57
00417B66 |. 55 push ebp
00417B67 |. 56 push esi
00417B68 |. 894424 14 mov dword ptr [esp+14], eax
00417B6C |> 8B77 38 /mov esi, dword ptr [edi+38]
00417B6F |. 8B4C24 14 |mov ecx, dword ptr [esp+14]
00417B73 |. 8B4424 18 |mov eax, dword ptr [esp+18]
00417B77 |. 03F1 |add esi, ecx
00417B79 |. 8B6E 10 |mov ebp, dword ptr [esi+10]
00417B7C |. 3BE8 |cmp ebp, eax
00417B7E |. 74 21 |je short 00417BA1
00417B80 |. DB87 84040000 |fild dword ptr [edi+484]
00417B86 |. 8B5C24 2C |mov ebx, dword ptr [esp+2C]
00417B8A |. D84C24 10 |fmul dword ptr [esp+10]
00417B8E |. E8 FDDC7500 |call <jmp.&MSVCRT._ftol>
00417B93 |. 8B4C24 30 |mov ecx, dword ptr [esp+30]
00417B97 |. 896C24 18 |mov dword ptr [esp+18], ebp
00417B9B |. 03C8 |add ecx, eax
00417B9D |. 894C24 30 |mov dword ptr [esp+30], ecx
00417BA1 |> 833E 00 |cmp dword ptr [esi], 0
00417BA4 |. 75 48 |jnz short 00417BEE
00417BA6 |. 8B4E 04 |mov ecx, dword ptr [esi+4]
00417BA9 |. 8B57 0C |mov edx, dword ptr [edi+C] ; ecx=0 [[edx+0*4]] [[edi+C]+0*4]
00417BAC |. 8B46 14 |mov eax, dword ptr [esi+14]
00417BAF |. 8B0C8A |mov ecx, dword ptr [edx+ecx*4] ; ecx=0 [[edx+0*4]]
00417BB2 |. 85C0 |test eax, eax
00417BB4 |. 75 04 |jnz short 00417BBA
00417BB6 |. 8B4424 34 |mov eax, dword ptr [esp+34]
00417BBA |> 8B5424 38 |mov edx, dword ptr [esp+38]
00417BBE |. 68 0AD7A33D |push 3DA3D70A
00417BC3 |. 68 000000FF |push FF000000
00417BC8 |. 6A 00 |push 0
00417BCA |. 68 0000803F |push 3F800000
00417BCF |. 6A FF |push -1
00417BD1 |. 52 |push edx
00417BD2 |. 68 000000FF |push FF000000
00417BD7 |. 6A 01 |push 1
00417BD9 |. 50 |push eax
00417BDA |. 8B01 |mov eax, dword ptr [ecx] ; [ecx]
00417BDC |. 8B4C24 54 |mov ecx, dword ptr [esp+54]
00417BE0 |. 50 |push eax
00417BE1 |. 51 |push ecx
00417BE2 |. 8B4C24 4C |mov ecx, dword ptr [esp+4C]
00417BE6 |. 53 |push ebx
00417BE7 |. E8 F4874B00 |call 008D03E0
9. 公式 [[ecx+C]+0*4] 看起来像数组,看edi的值[206A9C10] 因为 edi = ecx [00417B20 ]处下断点Ctrl+F9 追ecx 看看ecx是不是等于这个
0064F6E0 /$ 56 push esi
0064F6E1 |. 57 push edi
0064F6E2 |. 8BF9 mov edi, ecx
0064F6E4 |. 33F6 xor esi, esi
0064F6E6 |. 8B47 54 mov eax, dword ptr [edi+54]
0064F6E9 |. 85C0 test eax, eax
0064F6EB |. 7E 36 jle short 0064F723
0064F6ED |. 53 push ebx
0064F6EE |. 8B5C24 10 mov ebx, dword ptr [esp+10]
0064F6F2 |> 8B47 50 /mov eax, dword ptr [edi+50] ; [[[[edi+50]+0*4]+C]+0*4] 051F3638 [[[[051F3638 +50]+0*4]+C]+0*4]
0064F6F5 |. 8B0CB0 |mov ecx, dword ptr [eax+esi*4] ; [[[eax+0*4]+C]+0*4]
0064F6F8 |. 8B91 A4040000 |mov edx, dword ptr [ecx+4A4]
0064F6FE |. 8B81 A0040000 |mov eax, dword ptr [ecx+4A0]
0064F704 |. 52 |push edx
0064F705 |. 8B91 9C040000 |mov edx, dword ptr [ecx+49C]
0064F70B |. 50 |push eax
0064F70C |. 8B81 98040000 |mov eax, dword ptr [ecx+498]
0064F712 |. 52 |push edx
0064F713 |. 50 |push eax
0064F714 |. 53 |push ebx
0064F715 |. E8 0684DCFF |call 00417B20 ; [[ecx+C]+0*4] 256FF490 [[256FF490+C]+0*4]
0064F71A |. 8B47 54 |mov eax, dword ptr [edi+54]
0064F71D |. 46 |inc esi
0064F71E |. 3BF0 |cmp esi, eax
0064F720 |.^ 7C D0 \jl short 0064F6F2
0064F722 |. 5B pop ebx
0064F723 |> C747 54 00000>mov dword ptr [edi+54], 0
0064F72A |. 8B0D 1CDFD000 mov ecx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50
0064F730 |. 6A 00 push 0
0064F732 |. E8 C992DFFF call 00448A00
0064F737 |. 8BC8 mov ecx, eax
0064F739 |. E8 D2D93500 call 009AD110
0064F73E |. 5F pop edi
0064F73F |. B0 01 mov al, 1
0064F741 |. 5E pop esi
0064F742 \. C2 0400 retn 4
得出公式[[[[edi+50]+04]+C]+04]
10. 公式[[[[edi+50]+04]+C]+04] ,如下所示公式转变为[[[[ecx +50]+04]+C]+04] 追edi就是追ecx Ctrl+F9 返回上一层
0064F6E0 /$ 56 push esi
0064F6E1 |. 57 push edi
0064F6E2 |. 8BF9 mov edi, ecx >>>>>
0064F6E4 |. 33F6 xor esi, esi
0064F6E6 |. 8B47 54 mov eax, dword ptr [edi+54]
0064F6E9 |. 85C0 test eax, eax
0064F6EB |. 7E 36 jle short 0064F723
0064F6ED |. 53 push ebx
0064F6EE |. 8B5C24 10 mov ebx, dword ptr [esp+10]
0064F6F2 |> 8B47 50 /mov eax, dword ptr [edi+50] ; [[[[edi+50]+0*4]+C]+0*4] 051F3638 [[[[051F3638 +50]+0*4]+C]+0*4]
0064F6F5 |. 8B0CB0 |mov ecx, dword ptr [eax+esi*4] ; [[[eax+0*4]+C]+0*4]
0064F6F8 |. 8B91 A4040000 |mov edx, dword ptr [ecx+4A4]
11. 返回到如图所示 公式变为 dd [[[[[[ebp+8]+30]+50]+04]+C]+04]
0045ADEB |. 8B4D 08 mov ecx, dword ptr [ebp+8]
0045ADEE |. 53 push ebx
0045ADEF |. 8B49 30 mov ecx, dword ptr [ecx+30] ; dd [[[[[[ebp+8]+30]+50]+0*4]+C]+0*4]
0045ADF2 |. E8 E9481F00 call 0064F6E0 ; 怪物数组遍历
esp和ebp相差很大,这里ebp非栈底乃普通寄存器 这里需要追ebp
如下所示,公式替换为dd [[[[[[ecx+8]+30]+50]+04]+C]+04] 追ecx即可
0045AA30 /$ 83EC 44 sub esp, 44
0045AA33 |. 53 push ebx
0045AA34 |. 55 push ebp
0045AA35 |. 8BE9 mov ebp, ecx>>>>> dd [[[[[[ecx+8]+30]+50]+0*4]+C]+0*4]
0045AA37 |. 56 push esi
0045AA38 |. 57 push edi
0045AA39 |. 8B4D 08 mov ecx, dword ptr [ebp+8]
0045AA3C |. 85C9 test ecx, ecx
0045AA3E |. 0F84 80060000 je 0045B0C4
0045AA44 |. E8 0786FEFF call 00443050
0045AA49 |. 8A0D AC19D100 mov cl, byte ptr [D119AC]
0045AA4F |. 8BD0 mov edx, eax
0045AA51 |. A1 1CDFD000 mov eax, dword ptr [D0DF1C]
0045AA56 |. 895424 18 mov dword ptr [esp+18], edx
0045AA5A |. 84C9 test cl, cl
0045AA5C |. 8B78 04 mov edi, dword ptr [eax+4]
0045AA5F |. 8B70 08 mov esi, dword ptr [eax+8]
0045AA62 |. 8B58 14 mov ebx, dword ptr [eax+14]
0045AA65 |. 897C24 14 mov dword ptr [esp+14], edi
0045AA69 |. 897424 10 mov dword ptr [esp+10], esi
0045AA6D |. 0F85 A9050000 jnz 0045B01C
0045AA73 |. 8B8D C0000000 mov ecx, dword ptr [ebp+C0]
0045AA79 |. 83F9 02 cmp ecx, 2
0045AA7C |. 75 11 jnz short 0045AA8F
0045AA7E |. 85D2 test edx, edx
0045AA80 |. 74 0D je short 0045AA8F
0045AA82 |. 80BA 8C080000>cmp byte ptr [edx+88C], 0
0045AA89 |. 0F84 8D050000 je 0045B01C
0045AA8F |> 8B40 18 mov eax, dword ptr [eax+18]
0045AA92 |. 8A90 94000000 mov dl, byte ptr [eax+94]
0045AA98 |. 84D2 test dl, dl
0045AA9A |. 74 40 je short 0045AADC
0045AA9C |. 83F9 02 cmp ecx, 2
0045AA9F |. 75 3B jnz short 0045AADC
0045AAA1 |. 8B0D 94DFD000 mov ecx, dword ptr [D0DF94]
0045AAA7 |. 85C9 test ecx, ecx
0045AAA9 |. 74 31 je short 0045AADC
0045AAAB |. A1 88DFD000 mov eax, dword ptr [D0DF88]
0045AAB0 |. 83F8 0A cmp eax, 0A
0045AAB3 |. 7D 1B jge short 0045AAD0
0045AAB5 |. 8B15 90DFD000 mov edx, dword ptr [D0DF90]
0045AABB |. 8D0440 lea eax, dword ptr [eax+eax*2]
0045AABE |. 03D1 add edx, ecx
0045AAC0 |. 8D0480 lea eax, dword ptr [eax+eax*4]
0045AAC3 |. 8D0480 lea eax, dword ptr [eax+eax*4]
0045AAC6 |. D1E0 shl eax, 1
0045AAC8 |. 3BD0 cmp edx, eax
0045AACA |. 0F8F F4050000 jg 0045B0C4
0045AAD0 |> 33C0 xor eax, eax
0045AAD2 |. A3 90DFD000 mov dword ptr [D0DF90], eax
0045AAD7 |. A3 88DFD000 mov dword ptr [D0DF88], eax
0045AADC |> E8 1F3F5100 call 0096EA00
0045AAE1 |. 8BCD mov ecx, ebp
0045AAE3 |. 894424 1C mov dword ptr [esp+1C], eax
0045AAE7 |. E8 E4050000 call 0045B0D0
0045AAEC |. 84C0 test al, al
0045AAEE |. 75 1B jnz short 0045AB0B
0045AAF0 |> 68 CC0ACA00 push 00CA0ACC ; ASCII "CECGameRun::Render(), Failed to begin render!"
0045AAF5 |. 6A 01 push 1
0045AAF7 |. E8 343F5100 call 0096EA30
0045AAFC |. 83C4 08 add esp, 8
0045AAFF |. 32C0 xor al, al
0045AB01 |. 5F pop edi
0045AB02 |. 5E pop esi
0045AB03 |. 5D pop ebp
0045AB04 |. 5B pop ebx
0045AB05 |. 83C4 44 add esp, 44
0045AB08 |. C2 0400 retn 4
0045AB0B |> A1 1CDFD000 mov eax, dword ptr [D0DF1C]
0045AB10 |. 8B48 18 mov ecx, dword ptr [eax+18]
0045AB13 |. 8A91 C4000000 mov dl, byte ptr [ecx+C4]
0045AB19 |. 84D2 test dl, dl
0045AB1B |. 0F84 99000000 je 0045ABBA
0045AB21 |. 8B50 14 mov edx, dword ptr [eax+14]
0045AB24 |. 83C6 10 add esi, 10
0045AB27 |. B9 07000000 mov ecx, 7
0045AB2C |. 8D7C24 38 lea edi, dword ptr [esp+38]
0045AB30 |. F3:A5 rep movs dword ptr es:[edi], dword p>
0045AB32 |. 8B7A 04 mov edi, dword ptr [edx+4]
0045AB35 |. 83C7 14 add edi, 14
0045AB38 |. 8B47 04 mov eax, dword ptr [edi+4]
0045AB3B |. 85C0 test eax, eax
0045AB3D |. 76 77 jbe short 0045ABB6
0045AB3F |. 8B7424 10 mov esi, dword ptr [esp+10]
0045AB43 |. 33C9 xor ecx, ecx
0045AB45 |. 894C24 20 mov dword ptr [esp+20], ecx
0045AB49 |. 894C24 24 mov dword ptr [esp+24], ecx
0045AB4D |. 8B4C24 3C mov ecx, dword ptr [esp+3C]
0045AB51 |. 8D5424 20 lea edx, dword ptr [esp+20]
0045AB55 |. 894C24 28 mov dword ptr [esp+28], ecx
0045AB59 |. 52 push edx
0045AB5A |. 8BCE mov ecx, esi
0045AB5C |. 894424 30 mov dword ptr [esp+30], eax
0045AB60 |. C74424 34 000>mov dword ptr [esp+34], 0
0045AB68 |. C74424 38 000>mov dword ptr [esp+38], 3F800000
0045AB70 |. E8 5BBA5300 call 009965D0
0045AB75 |. 6A 00 push 0
0045AB77 |. 68 0000803F push 3F800000
0045AB7C |. 6A 00 push 0
0045AB7E |. 6A 01 push 1
0045AB80 |. 8BCE mov ecx, esi
0045AB82 |. E8 39B45300 call 00995FC0
0045AB87 |. 8B7F 04 mov edi, dword ptr [edi+4]
0045AB8A |. 8B4424 40 mov eax, dword ptr [esp+40]
0045AB8E |. 8D4C24 20 lea ecx, dword ptr [esp+20]
0045AB92 |. 2BC7 sub eax, edi
0045AB94 |. 51 push ecx
0045AB95 |. 8BCE mov ecx, esi
0045AB97 |. 894424 28 mov dword ptr [esp+28], eax
0045AB9B |. 897C24 30 mov dword ptr [esp+30], edi
0045AB9F |. E8 2CBA5300 call 009965D0
0045ABA4 |. 6A 00 push 0
0045ABA6 |. 68 0000803F push 3F800000
0045ABAB |. 6A 00 push 0
0045ABAD |. 6A 01 push 1
0045ABAF |. 8BCE mov ecx, esi
0045ABB1 |. E8 0AB45300 call 00995FC0
0045ABB6 |> 8B7C24 14 mov edi, dword ptr [esp+14]
0045ABBA |> 8B45 20 mov eax, dword ptr [ebp+20]
0045ABBD |. 85C0 test eax, eax
0045ABBF |. 74 4E je short 0045AC0F
0045ABC1 |. 8B4B 08 mov ecx, dword ptr [ebx+8]
0045ABC4 |. 8B70 10 mov esi, dword ptr [eax+10]
0045ABC7 |. E8 040E5300 call 0098B9D0
0045ABCC |. 8B10 mov edx, dword ptr [eax]
0045ABCE |. 8956 14 mov dword ptr [esi+14], edx
0045ABD1 |. 8B48 04 mov ecx, dword ptr [eax+4]
0045ABD4 |. 894E 18 mov dword ptr [esi+18], ecx
0045ABD7 |. 8B50 08 mov edx, dword ptr [eax+8]
0045ABDA |. 8BCE mov ecx, esi
0045ABDC |. 8956 1C mov dword ptr [esi+1C], edx
0045ABDF |. E8 AC095300 call 0098B590
0045ABE4 |. 8B43 08 mov eax, dword ptr [ebx+8]
0045ABE7 |. 8B55 20 mov edx, dword ptr [ebp+20]
0045ABEA |. 8D48 2C lea ecx, dword ptr [eax+2C]
0045ABED |. 83C0 20 add eax, 20
0045ABF0 |. 51 push ecx
0045ABF1 |. 8B4A 10 mov ecx, dword ptr [edx+10]
0045ABF4 |. 50 push eax
0045ABF5 |. E8 C6035300 call 0098AFC0
0045ABFA |. 8B45 08 mov eax, dword ptr [ebp+8]
0045ABFD |. 8B4B 04 mov ecx, dword ptr [ebx+4]
0045AC00 |. 50 push eax
0045AC01 |. 68 A03E4400 push 00443EA0
0045AC06 |. 51 push ecx
0045AC07 |. 8B4D 20 mov ecx, dword ptr [ebp+20]
0045AC0A |. E8 8105FCFF call 0041B190
0045AC0F |> 8B4D 18 mov ecx, dword ptr [ebp+18]
0045AC12 |. 85C9 test ecx, ecx
0045AC14 |. 74 1A je short 0045AC30
0045AC16 |. E8 C561FBFF call 00410DE0
0045AC1B |. 8B15 1CDFD000 mov edx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50
0045AC21 |. 8B4D 18 mov ecx, dword ptr [ebp+18]
0045AC24 |. 8B82 90070000 mov eax, dword ptr [edx+790]
0045AC2A |. 50 push eax
0045AC2B |. E8 A062FBFF call 00410ED0
0045AC30 |> 8B4D 1C mov ecx, dword ptr [ebp+1C]
0045AC33 |. 85C9 test ecx, ecx
0045AC35 |. 74 12 je short 0045AC49
0045AC37 |. 8B15 1CDFD000 mov edx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50
0045AC3D |. 8B82 90070000 mov eax, dword ptr [edx+790]
0045AC43 |. 50 push eax
0045AC44 |. E8 2731FCFF call 0041DD70
0045AC49 |> 8B4D 20 mov ecx, dword ptr [ebp+20]
0045AC4C |. 85C9 test ecx, ecx
0045AC4E |. 74 12 je short 0045AC62
0045AC50 |. 8B15 1CDFD000 mov edx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50
0045AC56 |. 8B82 90070000 mov eax, dword ptr [edx+790]
0045AC5C |. 50 push eax
0045AC5D |. E8 1E05FCFF call 0041B180
0045AC62 |> 8B4424 18 mov eax, dword ptr [esp+18]
0045AC66 |. 85C0 test eax, eax
0045AC68 |. 74 34 je short 0045AC9E
0045AC6A |. 8A88 14050000 mov cl, byte ptr [eax+514]
0045AC70 |. 84C9 test cl, cl
0045AC72 |. 74 2A je short 0045AC9E
0045AC74 |. 6A 00 push 0
0045AC76 |. 8BCB mov ecx, ebx
0045AC78 |. E8 A3C40000 call 00467120
0045AC7D |. 8B0D 1CDFD000 mov ecx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50
0045AC83 |. 6A 00 push 0
0045AC85 |. 68 0000803F push 3F800000
0045AC8A |. 68 000000FF push FF000000
0045AC8F |. 8B49 08 mov ecx, dword ptr [ecx+8]
0045AC92 |. 6A 03 push 3
0045AC94 |. E8 27B35300 call 00995FC0
0045AC99 |. E9 7C010000 jmp 0045AE1A
0045AC9E |> 6A 00 push 0
0045ACA0 |. 8BCB mov ecx, ebx
0045ACA2 |. E8 79C40000 call 00467120
0045ACA7 |. 8B15 1CDFD000 mov edx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50
0045ACAD |. 6A 00 push 0
0045ACAF |. 68 0000803F push 3F800000
0045ACB4 |. 68 000000FF push FF000000
0045ACB9 |. 8B4A 08 mov ecx, dword ptr [edx+8]
0045ACBC |. 6A 02 push 2
0045ACBE |. E8 FDB25300 call 00995FC0
0045ACC3 |. 8B4D 08 mov ecx, dword ptr [ebp+8]
0045ACC6 |. 85C9 test ecx, ecx
0045ACC8 |. 74 22 je short 0045ACEC
0045ACCA |. 53 push ebx
0045ACCB |. E8 507AFEFF call 00442720
0045ACD0 |. 83BD C0000000>cmp dword ptr [ebp+C0], 1
0045ACD7 |. 75 13 jnz short 0045ACEC
0045ACD9 |. 8B4D 04 mov ecx, dword ptr [ebp+4]
0045ACDC |. E8 0F391F00 call 0064E5F0
0045ACE1 |. 85C0 test eax, eax
0045ACE3 |. 74 07 je short 0045ACEC
0045ACE5 |. 8BC8 mov ecx, eax
0045ACE7 |. E8 84F71E00 call 0064A470
0045ACEC |> 53 push ebx
0045ACED |. B9 C8DED000 mov ecx, 00D0DEC8
0045ACF2 |. E8 C9B1FEFF call 00445EC0
0045ACF7 |. A1 1CDFD000 mov eax, dword ptr [D0DF1C]
0045ACFC |. 53 push ebx
0045ACFD |. 8B48 3C mov ecx, dword ptr [eax+3C]
0045AD00 |. E8 4B91FBFF call 00413E50
0045AD05 |. 8B4B 04 mov ecx, dword ptr [ebx+4]
0045AD08 |. 6A FF push -1
0045AD0A |. 51 push ecx
0045AD0B |. 8BCF mov ecx, edi
0045AD0D |. E8 5E4F5400 call 0099FC70
0045AD12 |. 8B15 8428D400 mov edx, dword ptr [D42884]
0045AD18 |. 8A42 18 mov al, byte ptr [edx+18]
0045AD1B |. 84C0 test al, al
0045AD1D |. 74 0D je short 0045AD2C
0045AD1F |. A1 1CDFD000 mov eax, dword ptr [D0DF1C]
0045AD24 |. 8B48 28 mov ecx, dword ptr [eax+28]
0045AD27 |. E8 A41E3F00 call 0084CBD0
0045AD2C |> 8B0D 1CDFD000 mov ecx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50
0045AD32 |. 8B53 04 mov edx, dword ptr [ebx+4]
0045AD35 |. 6A 00 push 0
0045AD37 |. 52 push edx
0045AD38 |. 8BB1 B4020000 mov esi, dword ptr [ecx+2B4]
0045AD3E |. 8BCE mov ecx, esi
0045AD40 |. E8 9BC05600 call 009C6DE0
0045AD45 |. 6A 00 push 0
0045AD47 |. 8BCE mov ecx, esi
0045AD49 |. E8 62AC5600 call 009C59B0
0045AD4E |. 8B43 04 mov eax, dword ptr [ebx+4]
0045AD51 |. 8BCE mov ecx, esi
0045AD53 |. 50 push eax
0045AD54 |. E8 47C45600 call 009C71A0
0045AD59 |. 6A 01 push 1
0045AD5B |. 8BCE mov ecx, esi
0045AD5D |. E8 4EAC5600 call 009C59B0
0045AD62 |. 8B4B 04 mov ecx, dword ptr [ebx+4]
0045AD65 |. 8B15 1CDFD000 mov edx, dword ptr [D0DF1C] ; ELEMENTC.00D11A50
0045AD6B |. 6A 00 push 0
0045AD6D |. 51 push ecx
0045AD6E |. 8B4A 28 mov ecx, dword ptr [edx+28]
0045AD71 |. E8 DA1C3F00 call 0084CA50
0045AD76 |. 8BB7 90000000 mov esi, dword ptr [edi+90]
0045AD7C |. 8BCE mov ecx, esi
0045AD7E |. E8 FD655700 call 009D1380
0045AD83 |. 8BCE mov ecx, esi
0045AD85 |. E8 B6665700 call 009D1440
0045AD8A |. 8BB7 8C000000 mov esi, dword ptr [edi+8C]
0045AD90 |. 8BCE mov ecx, esi
0045AD92 |. E8 B99E5300 call 00994C50
0045AD97 |. 8BCE mov ecx, esi
0045AD99 |. E8 729F5300 call 00994D10
0045AD9E |. 8B4D 18 mov ecx, dword ptr [ebp+18]
0045ADA1 |. 85C9 test ecx, ecx
0045ADA3 |. 74 09 je short 0045ADAE
0045ADA5 |. 8B43 04 mov eax, dword ptr [ebx+4]
0045ADA8 |. 50 push eax
0045ADA9 |. E8 4261FBFF call 00410EF0
0045ADAE |> 8B4D 1C mov ecx, dword ptr [ebp+1C]
0045ADB1 |. 85C9 test ecx, ecx
0045ADB3 |. 74 12 je short 0045ADC7
0045ADB5 |. 8B55 08 mov edx, dword ptr [ebp+8]
0045ADB8 |. 8B43 04 mov eax, dword ptr [ebx+4]
0045ADBB |. 52 push edx
0045ADBC |. 68 903E4400 push 00443E90
0045ADC1 |. 50 push eax
0045ADC2 |. E8 B92FFCFF call 0041DD80
0045ADC7 |> 8B45 08 mov eax, dword ptr [ebp+8]
0045ADCA |. 85C0 test eax, eax
0045ADCC |. 74 3B je short 0045AE09
0045ADCE |. 8B48 30 mov ecx, dword ptr [eax+30]
0045ADD1 |. 85C9 test ecx, ecx
0045ADD3 |. 74 34 je short 0045AE09
0045ADD5 |. 8B7424 10 mov esi, dword ptr [esp+10]
0045ADD9 |. 6A 00 push 0
0045ADDB |. 8BCE mov ecx, esi
0045ADDD |. E8 5EB55300 call 00996340
0045ADE2 |. 6A 01 push 1
0045ADE4 |. 8BCE mov ecx, esi
0045ADE6 |. E8 E5B55300 call 009963D0
0045ADEB |. 8B4D 08 mov ecx, dword ptr [ebp+8]
0045ADEE |. 53 push ebx
0045ADEF |. 8B49 30 mov ecx, dword ptr [ecx+30] ; dd [[[[[[ebp+8]+30]+50]+0*4]+C]+0*4]
0045ADF2 |. E8 E9481F00 call 0064F6E0 ; 怪物数组遍历
12. 公式替换为 dd [[[[[[[ebp+1C]+8]+30]+50]+04]+C]+04] ebp=ecx
13. 追ecx
14. 追ecx…
追到这里Ctrl+F9 不好使了,可能被VM 无法返回,跟丢了 记录目标edi寄存器的值[00D11A50] 借助CE看看
004492E0 /$ 53 push ebx
004492E1 |. 8B1D 0462BE00 mov ebx, dword ptr [<&KERNEL32.Resum>; kernel32.ResumeThread
004492E7 |. 55 push ebp
004492E8 |. 56 push esi
004492E9 |. 8B35 CC62BE00 mov esi, dword ptr [<&KERNEL32.WaitF>; kernel32.WaitForSingleObject
004492EF |. 57 push edi
004492F0 |. 8BF9 mov edi, ecx>>>>>>>>>>>>>不执行
004492F2 |. 83CD FF or ebp, FFFFFFFF
004492F5 |> A0 6CDBD000 /mov al, byte ptr [D0DB6C]
004492FA |. 84C0 |test al, al
004492FC |. 75 38 |jnz short 00449336
004492FE |. A1 8825D100 |mov eax, dword ptr [D12588]
00449303 |. 6A 00 |push 0
00449305 |. 50 |push eax
00449306 |. FFD6 |call esi
00449308 |. 85C0 |test eax, eax
0044930A |. 74 2A |je short 00449336
0044930C |. A0 9825D100 |mov al, byte ptr [D12598]
00449311 |. 84C0 |test al, al
00449313 |. 74 09 |je short 0044931E
00449315 |. 8B0D 7C25D100 |mov ecx, dword ptr [D1257C]
0044931B |. 51 |push ecx
0044931C |. FFD3 |call ebx
0044931E |> 8B15 8C25D100 |mov edx, dword ptr [D1258C]
00449324 |. 6A 14 |push 14
00449326 |. 52 |push edx
00449327 |. FFD6 |call esi
00449329 |. 8BCF |mov ecx, edi>>>>>>>>追edi
0044932B |. E8 E0000000 |call 00449410 ; 6
00449330 |. 84C0 |test al, al
00449332 |. 74 09 |je short 0044933D
00449334 |.^ EB BF \jmp short 004492F5
00449336 |> 5F pop edi
00449337 |. 5E pop esi
00449338 |. 5D pop ebp
00449339 |. 33C0 xor eax, eax
0044933B |. 5B pop ebx
0044933C |. C3 retn
0044933D |> 5F pop edi
0044933E |. 8BC5 mov eax, ebp
00449340 |. 5E pop esi
00449341 |. 5D pop ebp
00449342 |. 5B pop ebx
00449343 \. C3 retn
15. 原来是基址啊 那公式替换成dd [[[[[[[00D11A50+1C]+8]+30]+50]+04]+C]+04]
16. 数据不对回去看看,少套了一层dd [[[[[[[[[00D11A50+1C]+8]+30]+50]+04]+C]+04]]
验证如下:
dd [[[[[[[[00D11A50+1C]+8]+30]+50]+0*4]+C]+0*4]]
dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+0*4]+C]+0*4]] // 人物名称
dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+1*4]+C]+0*4]] 33A3BB0C 56E256E2 OD显示不太友好 用ce验证
dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+2*4]+C]+0*4]] 33A3BB0C 56E256E2
dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+3*4]+C]+0*4]] 33A3BB0C 56E256E2
总结如下
口袋西游周围遍历属于数组结构 这里用代码遍历的时候 数组长度大概率为0,可以说追的这个表达式可以舍弃
dd [[[[[[[[00D11A50+1C]+8]+30]+50]+0*4]+C]+0*4]]
dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+0*4]+C]+0*4]] // 人物名称
dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+1*4]+C]+0*4]] 33A3BB0C 56E256E2 OD显示不太友好 用ce验证
dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+2*4]+C]+0*4]] 33A3BB0C 56E256E2
dd [[[[[[[[[00D0DF1C]+1C]+8]+30]+50]+3*4]+C]+0*4]] 33A3BB0C 56E256E2
扫一扫
1754
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
