学习目标:
更新任务列表的相关数据
点击任务选项卡CALL ->初始化任务列表CALL->写入动作
FB 36
// all missions
; Debugger-entered call sequence captured from one session. The absolute
; values below (the two ecx object pointers and the CALL target) were
; observed at that time and are presumably session/build specific --
; re-verify them before reuse.
mov ecx,169E6508                    ; ecx = object pointer (presumably `this` for a thiscall)
MOV EDX,DWORD PTR DS:[ECX]          ; edx = [object]; looks like a vtable pointer -- unverified
MOV EDX,DWORD PTR DS:[EDX+0x4]      ; edx = second slot of that table (+0x4)
PUSH 0x0                            ; three stack arguments, pushed right-to-left
PUSH 2332
PUSH 0x3F4
CALL EDX                            ; indirect call; ecx is untouched since the mov above
push 2333                           ; single stack argument
mov ecx,1A0A5120                    ; ecx = a different object pointer
CALL 006EF940                       ; direct call with ecx set, i.e. thiscall-style
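// Dump the "available" mission list to the debug output.
//
// Walks the 8-byte slots between [[[BaseF1_F10ArgEcx]+0x2A4]+0x4D4] (start)
// and [[[BaseF1_F10ArgEcx]+0x2A4]+0x4D8] (one past the end). The first DWORD
// of each slot is an index into the mission table at [0x2FA3D6C], whose
// entries are 0xC0 bytes. For every entry it prints "[level]name".
//
// Note: the sibling pair +0x4C4/+0x4C8 on the same object is the other
// (in-progress) list seen in the client listing; this function walks only
// +0x4D4/+0x4D8, so the bounds named here are the ones actually used.
//
// Mission-table entry layout used here (as observed in the client code):
//   +0x04  name: stored inline when [+0x18] < 0x10, otherwise a char* to it
//   +0x18  field compared against 0x10 to pick the representation above
//          (layout resembles a small-string-optimised string; unverified)
//   +0x20  one-byte mission level
//
// Written in plain C rather than inline asm: the earlier version kept the
// loop cursor in EDI across the DbgPrintf_Mine call sitting between two
// __asm blocks, and the compiler gives no guarantee that EDI survives the C
// code in between. It also ran the body once before comparing against the
// end bound, so an empty list caused one read of a non-existent slot; the
// client itself compares the bounds before entering the loop.
//
// No parameters / no return value. Any access violation while walking the
// structures is swallowed by the __except handler, which logs a message.
void printfMissionList()
{
    DWORD ndList;            // [[BaseF1_F10ArgEcx]+0x2A4]: object holding the list bounds
    DWORD ndCur;             // current 8-byte slot
    DWORD ndEnd;             // one-past-the-end slot
    DWORD ndTable;           // mission table base, [0x2FA3D6C]
    DWORD ndEntry;           // ndTable + index * 0xC0
    char *szpCurMissionName; // mission name
    BYTE nbLevel;            // mission level

    __try
    {
        ndList = *(DWORD*)BaseF1_F10ArgEcx;
        ndList = *(DWORD*)(ndList + 0x2A4);
        ndCur  = *(DWORD*)(ndList + 0x4d4);
        ndEnd  = *(DWORD*)(ndList + 0x4d8);

        // Bounds are tested before the first body execution, so an empty
        // list (ndCur == ndEnd) prints nothing and touches no slot.
        for (; ndCur != ndEnd; ndCur += 8)
        {
            ndTable = *(DWORD*)0x2FA3D6C;
            // index * 0xC0 -- the client computes this as (x + x*2) << 6
            ndEntry = ndTable + (*(DWORD*)ndCur) * 0xC0;

            nbLevel = *(BYTE*)(ndEntry + 0x20);

            // Unsigned compare, matching the client's CMP/JB: below 0x10 the
            // name bytes live inline at +0x4, otherwise +0x4 holds a pointer.
            if (*(DWORD*)(ndEntry + 0x18) < 0x10)
                szpCurMissionName = (char*)(ndEntry + 0x4);
            else
                szpCurMissionName = *(char**)(ndEntry + 0x4);

            DbgPrintf_Mine("[%d]%s \r\n", nbLevel, szpCurMissionName);
        }
    }
    __except(1)
    {
        DbgPrintf_Mine("遍历任务列表出错\r\n");
    }
}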
00760C47 - 8D 50 01 - lea edx,[eax+01]
00760C4A - 8D 9B 00000000 - lea ebx,[ebx+00000000]
00760C50 - 8A 08 - mov cl,[eax] <<
00760C52 - 40 - inc eax
00760C53 - 84 C9 - test cl,cl
0093A03D - 74 9F - je Client.exe+539FDE
0093A03F - BA FFFEFE7E - mov edx,7EFEFEFF
0093A044 - 8B 06 - mov eax,[esi] <<
0093A046 - 03 D0 - add edx,eax
0093A048 - 83 F0 FF - xor eax,FF
0093A04B - 33 C2 - xor eax,edx
0093A04D - 8B 16 - mov edx,[esi] <<
0093A04F - 83 C6 04 - add esi,04
0093A052 - A9 00010181 - test eax,81010100
00610003 |. /0F85 A8000000 JNZ Client.006100B1 ; edi=[[edi+0x2A4]+0x4C4]
00610009 |. |8B87 A4020000 MOV EAX,DWORD PTR DS:[EDI+0x2A4] ; Case 11 of switch 0060FE5E
0061000F |. |85C0 TEST EAX,EAX
#define BaseF1_F10ArgEcx 0XF598C0 // static address the mission-list walk starts from: [[BaseF1_F10ArgEcx]+0x2A4] is the object whose +0x4C4/+0x4C8 and +0x4D4/+0x4D8 fields bound the two mission lists (see printfMissionList and the client code at 006E9B6A / 006E9CFA); the name suggests it is the ECX seen in the F1-F10 handler -- not verified here
dd [[[BaseF1_F10ArgEcx]+2A4]+4c4]
dd [[[0XF598C0]+2A4]+4c4] //BaseF1_F10ArgEcx
[[0x2FA3D6C]+[edi]*0xc0+4]]*0c0
dc [0x2FA3D6C]+ [[0XF598C0]+2A4]+4c4]*0xc0
[[0XF598C0]+2A4]+4d4]*0xc0
+4 //任务名 char* 或者是char**类型
+18 //指针类型 标记 大于0x10 char**
+20 //1字节 任务等级
006E9D65 |. 66:8945 ED |MOV WORD PTR SS:[EBP-0x13],AX
006E9D69 |. 8845 EF |MOV BYTE PTR SS:[EBP-0x11],AL
006E9D6C |. 8B07 |MOV EAX,DWORD PTR DS:[EDI]
006E9D6E |. 8D0C40 |LEA ECX,DWORD PTR DS:[EAX+EAX*2]
006E9D71 |. C1E1 06 |SHL ECX,0x6
006E9D74 |. 885D E8 |MOV BYTE PTR SS:[EBP-0x18],BL
006E9D77 |. 0FB64411 20 |MOVZX EAX,BYTE PTR DS:[ECX+EDX+0x20] ; 任务等级
006E9D7C |. 50 |PUSH EAX
006E9D7D |. 68 D4BEA000 |PUSH Client.00A0BED4 ; ASCII "[%d]"
006E9D82 |. 8D4D E8 |LEA ECX,DWORD PTR SS:[EBP-0x18]
006E9D85 |. 6A 08 |PUSH 0x8
006E9D87 |. 51 |PUSH ECX
006E9D88 |. C745 FC FFFFF>|MOV DWORD PTR SS:[EBP-0x4],-0x1 ; sprintf
006E9D8F |. E8 4C06E1FF |CALL Client.004FA3E0
006E9D94 |. 83C4 10 |ADD ESP,0x10
006E9D97 |. 6A FF |PUSH -0x1
006E9D99 |. 8D55 E8 |LEA EDX,DWORD PTR SS:[EBP-0x18]
006E9D9C |. 52 |PUSH EDX
006E9D9D |. 53 |PUSH EBX
006E9D9E |. 8BCE |MOV ECX,ESI
006E9DA0 |. E8 3B6D0700 |CALL Client.00760AE0
006E9DA5 |. 8B07 |MOV EAX,DWORD PTR DS:[EDI]
006E9DA7 |. 8B0D 6C3DFA02 |MOV ECX,DWORD PTR DS:[0x2FA3D6C]
006E9DAD |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
006E9DB0 |. C1E0 06 |SHL EAX,0x6
006E9DB3 |. 837C08 18 10 |CMP DWORD PTR DS:[EAX+ECX+0x18],0x10 ; 判断 任务名是否是指针
006E9DB8 |. 8D4408 04 |LEA EAX,DWORD PTR DS:[EAX+ECX+0x4] ; 任务名,或者是任务名指针
006E9DBC |. 72 02 |JB SHORT Client.006E9DC0 ; <0x10
006E9DBE |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
006E9DC0 |> 6A 01 |PUSH 0x1
006E9DC2 |. 6A 2A |PUSH 0x2A
006E9DC4 |. 50 |PUSH EAX
006E9DC5 |. 6A 01 |PUSH 0x1
006E9DC7 |. 8BCE |MOV ECX,ESI
006E9DC9 |. E8 526E0700 |CALL Client.00760C20 ; 所有任务列表
006E9DCE |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-0x1C]
006E9DD1 |. 889E 39020000 |MOV BYTE PTR DS:[ESI+0x239],BL
006E9DD7 |. 8B8A 60020000 |MOV ECX,DWORD PTR DS:[EDX+0x260]
006E9DDD |. 56 |PUSH ESI
006E9DDE |. E8 CD7C0700 |CALL Client.00761AB0
006E9DE3 |. 8B75 E4 |MOV ESI,DWORD PTR SS:[EBP-0x1C]
006E9DE6 |> 83C7 08 |ADD EDI,0x8
006E9B4B |. 8945 F0 MOV DWORD PTR SS:[EBP-0x10],EAX
006E9B4E |. 53 PUSH EBX
006E9B4F |. 56 PUSH ESI
006E9B50 |. 57 PUSH EDI
006E9B51 |. 50 PUSH EAX
006E9B52 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-0xC]
006E9B55 |. 64:A3 0000000>MOV DWORD PTR FS:[0],EAX
006E9B5B |. 8BF1 MOV ESI,ECX
006E9B5D |. 68 4D010000 PUSH 0x14D
006E9B62 |. 8975 E4 MOV DWORD PTR SS:[EBP-0x1C],ESI
006E9B65 |. E8 F6C3FFFF CALL Client.006E5F60
006E9B6A |. 8BBE C4040000 MOV EDI,DWORD PTR DS:[ESI+0x4C4] ; 执行中任务列表开始地址 ESI==[[0XF598C0]+2A4] //初始值
006E9B70 |. 3BBE C8040000 CMP EDI,DWORD PTR DS:[ESI+0x4C8] ; 循环结束标志地址
006E9B76 |. 0F84 28010000 JE Client.006E9CA4
006E9B7C |. 33DB XOR EBX,EBX
006E9B7E |. 8BFF MOV EDI,EDI
006E9CF5 |. E8 66C2FFFF CALL Client.006E5F60
006E9CFA |. 8BBE D4040000 MOV EDI,DWORD PTR DS:[ESI+0x4D4] //可执行列表开始地址
006E9D00 |. 3BBE D8040000 CMP EDI,DWORD PTR DS:[ESI+0x4D8]
006E9D06 |. 0F84 E9000000 JE Client.006E9DF5
006E9D0C |. 33DB XOR EBX,EBX
更新任务列表的相关数据
点击任务选项卡CALL ->初始化任务列表CALL->写入动作
FB 36
// all missions
; Debugger-entered call sequence captured from one session. The absolute
; values below (the two ecx object pointers and the CALL target) were
; observed at that time and are presumably session/build specific --
; re-verify them before reuse.
mov ecx,169E6508                    ; ecx = object pointer (presumably `this` for a thiscall)
MOV EDX,DWORD PTR DS:[ECX]          ; edx = [object]; looks like a vtable pointer -- unverified
MOV EDX,DWORD PTR DS:[EDX+0x4]      ; edx = second slot of that table (+0x4)
PUSH 0x0                            ; three stack arguments, pushed right-to-left
PUSH 2332
PUSH 0x3F4
CALL EDX                            ; indirect call; ecx is untouched since the mov above
push 2333                           ; single stack argument
mov ecx,1A0A5120                    ; ecx = a different object pointer
CALL 006EF940                       ; direct call with ecx set, i.e. thiscall-style
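// Dump the "available" mission list to the debug output.
//
// Walks the 8-byte slots between [[[BaseF1_F10ArgEcx]+0x2A4]+0x4D4] (start)
// and [[[BaseF1_F10ArgEcx]+0x2A4]+0x4D8] (one past the end). The first DWORD
// of each slot is an index into the mission table at [0x2FA3D6C], whose
// entries are 0xC0 bytes. For every entry it prints "[level]name".
//
// Note: the sibling pair +0x4C4/+0x4C8 on the same object is the other
// (in-progress) list seen in the client listing; this function walks only
// +0x4D4/+0x4D8, so the bounds named here are the ones actually used.
//
// Mission-table entry layout used here (as observed in the client code):
//   +0x04  name: stored inline when [+0x18] < 0x10, otherwise a char* to it
//   +0x18  field compared against 0x10 to pick the representation above
//          (layout resembles a small-string-optimised string; unverified)
//   +0x20  one-byte mission level
//
// Written in plain C rather than inline asm: the earlier version kept the
// loop cursor in EDI across the DbgPrintf_Mine call sitting between two
// __asm blocks, and the compiler gives no guarantee that EDI survives the C
// code in between. It also ran the body once before comparing against the
// end bound, so an empty list caused one read of a non-existent slot; the
// client itself compares the bounds before entering the loop.
//
// No parameters / no return value. Any access violation while walking the
// structures is swallowed by the __except handler, which logs a message.
void printfMissionList()
{
    DWORD ndList;            // [[BaseF1_F10ArgEcx]+0x2A4]: object holding the list bounds
    DWORD ndCur;             // current 8-byte slot
    DWORD ndEnd;             // one-past-the-end slot
    DWORD ndTable;           // mission table base, [0x2FA3D6C]
    DWORD ndEntry;           // ndTable + index * 0xC0
    char *szpCurMissionName; // mission name
    BYTE nbLevel;            // mission level

    __try
    {
        ndList = *(DWORD*)BaseF1_F10ArgEcx;
        ndList = *(DWORD*)(ndList + 0x2A4);
        ndCur  = *(DWORD*)(ndList + 0x4d4);
        ndEnd  = *(DWORD*)(ndList + 0x4d8);

        // Bounds are tested before the first body execution, so an empty
        // list (ndCur == ndEnd) prints nothing and touches no slot.
        for (; ndCur != ndEnd; ndCur += 8)
        {
            ndTable = *(DWORD*)0x2FA3D6C;
            // index * 0xC0 -- the client computes this as (x + x*2) << 6
            ndEntry = ndTable + (*(DWORD*)ndCur) * 0xC0;

            nbLevel = *(BYTE*)(ndEntry + 0x20);

            // Unsigned compare, matching the client's CMP/JB: below 0x10 the
            // name bytes live inline at +0x4, otherwise +0x4 holds a pointer.
            if (*(DWORD*)(ndEntry + 0x18) < 0x10)
                szpCurMissionName = (char*)(ndEntry + 0x4);
            else
                szpCurMissionName = *(char**)(ndEntry + 0x4);

            DbgPrintf_Mine("[%d]%s \r\n", nbLevel, szpCurMissionName);
        }
    }
    __except(1)
    {
        DbgPrintf_Mine("遍历任务列表出错\r\n");
    }
}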
00760C47 - 8D 50 01 - lea edx,[eax+01]
00760C4A - 8D 9B 00000000 - lea ebx,[ebx+00000000]
00760C50 - 8A 08 - mov cl,[eax] <<
00760C52 - 40 - inc eax
00760C53 - 84 C9 - test cl,cl
0093A03D - 74 9F - je Client.exe+539FDE
0093A03F - BA FFFEFE7E - mov edx,7EFEFEFF
0093A044 - 8B 06 - mov eax,[esi] <<
0093A046 - 03 D0 - add edx,eax
0093A048 - 83 F0 FF - xor eax,FF
0093A04B - 33 C2 - xor eax,edx
0093A04D - 8B 16 - mov edx,[esi] <<
0093A04F - 83 C6 04 - add esi,04
0093A052 - A9 00010181 - test eax,81010100
00610003 |. /0F85 A8000000 JNZ Client.006100B1 ; edi=[[edi+0x2A4]+0x4C4]
00610009 |. |8B87 A4020000 MOV EAX,DWORD PTR DS:[EDI+0x2A4] ; Case 11 of switch 0060FE5E
0061000F |. |85C0 TEST EAX,EAX
#define BaseF1_F10ArgEcx 0XF598C0 // static address the mission-list walk starts from: [[BaseF1_F10ArgEcx]+0x2A4] is the object whose +0x4C4/+0x4C8 and +0x4D4/+0x4D8 fields bound the two mission lists (see printfMissionList and the client code at 006E9B6A / 006E9CFA); the name suggests it is the ECX seen in the F1-F10 handler -- not verified here
dd [[[BaseF1_F10ArgEcx]+2A4]+4c4]
dd [[[0XF598C0]+2A4]+4c4] //BaseF1_F10ArgEcx
[[0x2FA3D6C]+[edi]*0xc0+4]]*0c0
dc [0x2FA3D6C]+ [[0XF598C0]+2A4]+4c4]*0xc0
[[0XF598C0]+2A4]+4d4]*0xc0
+4 //任务名 char* 或者是char**类型
+18 //指针类型 标记 大于0x10 char**
+20 //1字节 任务等级
006E9D65 |. 66:8945 ED |MOV WORD PTR SS:[EBP-0x13],AX
006E9D69 |. 8845 EF |MOV BYTE PTR SS:[EBP-0x11],AL
006E9D6C |. 8B07 |MOV EAX,DWORD PTR DS:[EDI]
006E9D6E |. 8D0C40 |LEA ECX,DWORD PTR DS:[EAX+EAX*2]
006E9D71 |. C1E1 06 |SHL ECX,0x6
006E9D74 |. 885D E8 |MOV BYTE PTR SS:[EBP-0x18],BL
006E9D77 |. 0FB64411 20 |MOVZX EAX,BYTE PTR DS:[ECX+EDX+0x20] ; 任务等级
006E9D7C |. 50 |PUSH EAX
006E9D7D |. 68 D4BEA000 |PUSH Client.00A0BED4 ; ASCII "[%d]"
006E9D82 |. 8D4D E8 |LEA ECX,DWORD PTR SS:[EBP-0x18]
006E9D85 |. 6A 08 |PUSH 0x8
006E9D87 |. 51 |PUSH ECX
006E9D88 |. C745 FC FFFFF>|MOV DWORD PTR SS:[EBP-0x4],-0x1 ; sprintf
006E9D8F |. E8 4C06E1FF |CALL Client.004FA3E0
006E9D94 |. 83C4 10 |ADD ESP,0x10
006E9D97 |. 6A FF |PUSH -0x1
006E9D99 |. 8D55 E8 |LEA EDX,DWORD PTR SS:[EBP-0x18]
006E9D9C |. 52 |PUSH EDX
006E9D9D |. 53 |PUSH EBX
006E9D9E |. 8BCE |MOV ECX,ESI
006E9DA0 |. E8 3B6D0700 |CALL Client.00760AE0
006E9DA5 |. 8B07 |MOV EAX,DWORD PTR DS:[EDI]
006E9DA7 |. 8B0D 6C3DFA02 |MOV ECX,DWORD PTR DS:[0x2FA3D6C]
006E9DAD |. 8D0440 |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
006E9DB0 |. C1E0 06 |SHL EAX,0x6
006E9DB3 |. 837C08 18 10 |CMP DWORD PTR DS:[EAX+ECX+0x18],0x10 ; 判断 任务名是否是指针
006E9DB8 |. 8D4408 04 |LEA EAX,DWORD PTR DS:[EAX+ECX+0x4] ; 任务名,或者是任务名指针
006E9DBC |. 72 02 |JB SHORT Client.006E9DC0 ; <0x10
006E9DBE |. 8B00 |MOV EAX,DWORD PTR DS:[EAX]
006E9DC0 |> 6A 01 |PUSH 0x1
006E9DC2 |. 6A 2A |PUSH 0x2A
006E9DC4 |. 50 |PUSH EAX
006E9DC5 |. 6A 01 |PUSH 0x1
006E9DC7 |. 8BCE |MOV ECX,ESI
006E9DC9 |. E8 526E0700 |CALL Client.00760C20 ; 所有任务列表
006E9DCE |. 8B55 E4 |MOV EDX,DWORD PTR SS:[EBP-0x1C]
006E9DD1 |. 889E 39020000 |MOV BYTE PTR DS:[ESI+0x239],BL
006E9DD7 |. 8B8A 60020000 |MOV ECX,DWORD PTR DS:[EDX+0x260]
006E9DDD |. 56 |PUSH ESI
006E9DDE |. E8 CD7C0700 |CALL Client.00761AB0
006E9DE3 |. 8B75 E4 |MOV ESI,DWORD PTR SS:[EBP-0x1C]
006E9DE6 |> 83C7 08 |ADD EDI,0x8
006E9B4B |. 8945 F0 MOV DWORD PTR SS:[EBP-0x10],EAX
006E9B4E |. 53 PUSH EBX
006E9B4F |. 56 PUSH ESI
006E9B50 |. 57 PUSH EDI
006E9B51 |. 50 PUSH EAX
006E9B52 |. 8D45 F4 LEA EAX,DWORD PTR SS:[EBP-0xC]
006E9B55 |. 64:A3 0000000>MOV DWORD PTR FS:[0],EAX
006E9B5B |. 8BF1 MOV ESI,ECX
006E9B5D |. 68 4D010000 PUSH 0x14D
006E9B62 |. 8975 E4 MOV DWORD PTR SS:[EBP-0x1C],ESI
006E9B65 |. E8 F6C3FFFF CALL Client.006E5F60
006E9B6A |. 8BBE C4040000 MOV EDI,DWORD PTR DS:[ESI+0x4C4] ; 执行中任务列表开始地址 ESI==[[0XF598C0]+2A4] //初始值
006E9B70 |. 3BBE C8040000 CMP EDI,DWORD PTR DS:[ESI+0x4C8] ; 循环结束标志地址
006E9B76 |. 0F84 28010000 JE Client.006E9CA4
006E9B7C |. 33DB XOR EBX,EBX
006E9B7E |. 8BFF MOV EDI,EDI
006E9CF5 |. E8 66C2FFFF CALL Client.006E5F60
006E9CFA |. 8BBE D4040000 MOV EDI,DWORD PTR DS:[ESI+0x4D4] //可执行列表开始地址
006E9D00 |. 3BBE D8040000 CMP EDI,DWORD PTR DS:[ESI+0x4D8]
006E9D06 |. 0F84 E9000000 JE Client.006E9DF5
006E9D0C |. 33DB XOR EBX,EBX