5&6，选择怪call,普通攻击,释放技能call，自己数据

icxldd

于 2022-12-17 14:50:46 发布

阅读量273

点赞数

分类专栏：游戏安全逆向文章标签：游戏引擎技能释放内存操作对象交互汇编指令

本文链接：https://blog.csdn.net/qq_18131999/article/details/128353573

版权

游戏安全逆向专栏收录该内容

6 篇文章 1 订阅

订阅专栏

选择怪CALL

751E8B7F??8B9F????????8BBF????????E8????????5753E8????????83C408F605????????04    +19
006B3E96     | 75 1E                  | jne xajh.6B3EB6                          |
006B3E98     | 8B7F 08                | mov edi,dword ptr ds:[edi+0x8]           |
006B3E9B     | 8B9F B01E0000          | mov ebx,dword ptr ds:[edi+0x1EB0]        |
006B3EA1     | 8BBF B41E0000          | mov edi,dword ptr ds:[edi+0x1EB4]        |
006B3EA7     | E8 1429DAFF            | call xajh.4567C0                         |
006B3EAC     | 57                     | push edi                                 |
006B3EAD     | 53                     | push ebx                                 |
006B3EAE     | E8 5D2B6000            | call xajh.CB6A10                         | yd6<< 选怪call
006B3EB3     | 83C4 08                | add esp,0x8                              |
006B3EB6     | F605 842F5B02 04       | test byte ptr ds:[0x25B2F84],0x4         |

push 01000000
push 11c
call 00CB6A10
add esp,0x8

普通攻击

push    esi    //6D3F7FD8 [[[[[0x01597F50]+0x30]+0xc]+0x4]+0x40]    A1????????85C074048B40??C333C0C3A1????????85C0740E8B40??85C074078B80????????C333C0C3 x ->是对象地址
push    0
push    0
push    0    //坐标
push    7
push    0Ah
//call    8B4E??8B54243451528B54241C538D4C24245152508BCFE8????????5E5D5F5B83C420C204008B4E??8B5424346A01






0019F130    //    A3????????A3????????A3????????A3????????A3????????A3????????A3????????A3????????B9????????E8????????84C0
004623ED     | B9 E0955901            | mov ecx,xajh.15995E0                     | 15995E0:&"爼C"    //0x15995E0


00F8DD93     | 8B4E 04                | mov ecx,dword ptr ds:[esi+0x4]           |从堆栈获取地址  不是对象偏移


---
015995E0

0043581B     | 8B4E 30                | mov ecx,dword ptr ds:[esi+0x30]          |
004541AC     | 8B8E 94000000          | mov ecx,dword ptr ds:[esi+0x94]          |
0058CEAA     | 8BE9                   | mov ebp,ecx                              |
0058CEE9     | 8B45 04                | mov eax,dword ptr ss:[ebp+0x4]           |
0058CEEC     | 8B88 8C000000          | mov ecx,dword ptr ds:[eax+0x8C]          | [eax+8C]:&"笆i"
006962A6     | 8B8E 541F0000          | mov ecx,dword ptr ds:[esi+0x1F54]        |


[[[[[015995E0+0x30]+0x94]+0x4]+0x8C]+0x1F54]

释放技能call

C204008B4424248B4E??6A016A006A016A006A006A006A008D54242C528B56??5052

004D179D     | 8D5424 2C              | lea edx,dword ptr ss:[esp+0x2C]          |
004D17A1     | 52                     | push edx                                 |
004D17A2     | 8B56 18                | mov edx,dword ptr ds:[esi+0x18]          |
004D17A5     | 50                     | push eax                                 |
004D17A6     | 52                     | push edx                                 |
004D17A7     | C74424 3C 01000000     | mov dword ptr ss:[esp+0x3C],0x1          |
004D17AF     | C64424 40 FF           | mov byte ptr ss:[esp+0x40],0xFF          |
004D17B4     | C64424 41 00           | mov byte ptr ss:[esp+0x41],0x0           |
004D17B9     | C64424 42 01           | mov byte ptr ss:[esp+0x42],0x1           |
004D17BE     | C64424 43 01           | mov byte ptr ss:[esp+0x43],0x1           |
004D17C3     | C64424 44 01           | mov byte ptr ss:[esp+0x44],0x1           |
004D17C8     | C64424 45 00           | mov byte ptr ss:[esp+0x45],0x0           |
004D17CD     | C64424 46 00           | mov byte ptr ss:[esp+0x46],0x0           |
004D17D2     | 894C24 38              | mov dword ptr ss:[esp+0x38],ecx          |
004D17D6     | 8B8D 581F0000          | mov ecx,dword ptr ss:[ebp+0x1F58]        |
004D17DC     | 6A 01                  | push 0x1                                 |
004D17DE     | E8 DD981F00            | call xajh.6CB0C0                         | jn10
004D17E3     | 5F                     | pop edi                                  |
004D17E4     | 5B                     | pop ebx                                  |
004D17E5     | 5E                     | pop esi                                  |
004D17E6     | 5D                     | pop ebp                                  |
004D17E7     | 83C4 10                | add esp,0x10                             |
004D17EA     | C2 0400                | ret 0x4                                  |

call
0019EE1C  00000001             
0019EE20  00004902             
0019EE24  00000001             
0019EE28  0019EE58             
0019EE2C  00000000             
0019EE30  00000000             
0019EE34  00000000             
0019EE38  00000000             
0019EE3C  00000001             
0019EE40  00000000             
0019EE44  00000001

自己数据


00A3DE60     | 8B55 00                | mov edx,dword ptr ss:[ebp]               |
00A3DE63     | 8B82 88000000          | mov eax,dword ptr ds:[edx+0x88]          |


00655960     | 8B81 F8040000          | mov eax,dword ptr ds:[ecx+0x4F8]         |




CCCCCCA1????????85C0740E8B40??85C074078B80????????C333C0C3CCCCCCCC    3
00A2282E     | 52                     | push edx                                 |
00A2282F     | E8 5C525000            | call xajh.F27A90                         |
00A22834     | EB 1A                  | jmp xajh.A22850                          |
00A22836     | 6A 00                  | push 0x0                                 |
00A22838     | 6A 01                  | push 0x1                                 |
00A2283A     | 6A 01                  | push 0x1                                 |
00A2283C     | 8BCE                   | mov ecx,esi                              |
00A2283E     | E8 7D674B00            | call xajh.ED8FC0                         |
00A22843     | 6A 00                  | push 0x0                                 |
00A22845     | 6A 00                  | push 0x0                                 |
00A22847     | 6A 02                  | push 0x2                                 |
00A22849     | 8BCE                   | mov ecx,esi                              |
00A2284B     | E8 70674B00            | call xajh.ED8FC0                         |
00A22850     | E8 EBDFE1FF            | call xajh.840840                         |
00A22855     | 8BE8                   | mov ebp,eax                              | 5781BE90
00A22857     | C686 AC030000 00       | mov byte ptr ds:[esi+0x3AC],0x0          |
00A2285E     | 85ED                   | test ebp,ebp                             |
00A22860     | 0F84 D9010000          | je xajh.A22A3F                           |
00A22866     | E8 C53EA3FF            | call xajh.456730                         |
00A2286B     | 8B98 A8000000          | mov ebx,dword ptr ds:[eax+0xA8]          |
00A22871     | 8B85 D0030000          | mov eax,dword ptr ss:[ebp+0x3D0]         |
00A22877     | 85C0                   | test eax,eax                             |
00A22879     | 74 0C                  | je xajh.A22887                           |
00A2287B     | 3985 C8030000          | cmp dword ptr ss:[ebp+0x3C8],eax         |
00A22881     | 0F84 E7000000          | je xajh.A2296E                           |
00A22887     | E8 F43EA3FF            | call <xajh.人物基质>                         |
00A2288C     | 8B8D 541C0000          | mov ecx,dword ptr ss:[ebp+0x1C54]        |
00A22892     | 83E1 0F                | and ecx,0xF                              |
00A22895     | 80F9 0F                | cmp cl,0xF                               |
00A22898     | 0F85 A1010000          | jne xajh.A22A3F                          |



00A22A92     | 8B42 2C                | mov eax,dword ptr ds:[edx+0x2C]          |
00A22A95     | 8A80 28010000          | mov al,byte ptr ds:[eax+0x128]           |
00A22A9B     | 24 01                  | and al,0x1                               |
00A22A9D     | 0FB6C8                 | movzx ecx,al                             |
00A22AA0     | 51                     | push ecx                                 |
00A22AA1     | 8B8E 54030000          | mov ecx,dword ptr ds:[esi+0x354]         |
00A22AA7     | E8 B41C5200            | call xajh.F44760                         |
00A22AAC     | 8B95 6C0A0000          | mov edx,dword ptr ss:[ebp+0xA6C]         | level
00A22AB2     | D985 9F0A0000          | fld st(0),dword ptr ss:[ebp+0xA9F]       | <当前Hp
00A22AB8     | 895424 14              | mov dword ptr ss:[esp+0x14],edx          |
00A22ABC     | D95C24 24              | fstp dword ptr ss:[esp+0x24],st(0)       |
00A22AC0     | D9E8                   | fld1                                     |
00A22AC2     | D895 F70A0000          | fcom st(0),dword ptr ss:[ebp+0xAF7]      | 最大hp
00A22AC8     | DFE0                   | fnstsw ax                                |
00A22ACA     | F6C4 05                | test ah,0x5                              |
00A22ACD     | 7A 0C                  | jp xajh.A22ADB                           |
00A22ACF     | D985 F70A0000          | fld st(0),dword ptr ss:[ebp+0xAF7]       |
00A22AD5     | D95C24 18              | fstp dword ptr ss:[esp+0x18],st(0)       |
00A22AD9     | EB 04                  | jmp xajh.A22ADF                          |
00A22ADB     | D95424 18              | fst dword ptr ss:[esp+0x18],st(0)        |
00A22ADF     | D985 A30A0000          | fld st(0),dword ptr ss:[ebp+0xAA3]       | 当前mp
00A22AE5     | D95C24 20              | fstp dword ptr ss:[esp+0x20],st(0)       |
00A22AE9     | D895 FB0A0000          | fcom st(0),dword ptr ss:[ebp+0xAFB]      | 最大mp
00A22AEF     | DFE0                   | fnstsw ax                                |
00A22AF1     | F6C4 05                | test ah,0x5                              |