007AFFC1 - A1 0CA4F500 - mov eax,[Client.exe+B5A40C]
007AFFC6 - 83 C4 10 - add esp,10
007AFFC9 - C7 80 28020000 00000000 - mov [eax+00000228],00000000 <<
007AFFD3 - E9 7799FFFF - jmp Client.exe+3A994F
007AFFD8 - 8B 85 B0D0FFFF - mov eax,[ebp-00002F50]
EAX=09EA7B28
EBX=1AA895F4
ECX=00000432
EDX=0000007D
ESI=00000001
EDI=1AA89168
ESP=001874E4
EBP=0018A46C
EIP=007AFFD3
通过转到上面的地址，
然后转到上层，就得到 call。
007B3803 /74 0E JE SHORT Client.007B3813
007B3805 |40 INC EAX
007B3806 |83C1 04 ADD ECX,4
007B3809 |83F8 24 CMP EAX,24
007B380C ^|7C F2 JL SHORT Client.007B3800
007B380E |E9 D9000000 JMP Client.007B38EC
007B3813 \83F8 FF CMP EAX,-1
007B3816 0F84 D0000000 JE Client.007B38EC
007B381C 50 PUSH EAX
007B381D 6A 01 PUSH 1
007B381F 6A 00 PUSH 0
007B3821 8BCF MOV ECX,EDI
007B3823 E8 C85FFFFF CALL Client.007A97F0
007B3828 E9 BF000000 JMP Client.007B38EC
007B382D 8B8F 08160000 MOV ECX,DWORD PTR DS:[EDI+1608]
007B3833 8B97 D01B0000 MOV EDX,DWORD PTR DS:[EDI+1BD0]
007B3839 53 PUSH EBX ; 01
007B383A 51 PUSH ECX ; 0x0D
007B383B 52 PUSH EDX ; 0x04 可能是拖拽call
007B383C 8BCF MOV ECX,EDI
007B383E E8 AD5FFFFF CALL Client.007A97F0
007B3843 E9 A4000000 JMP Client.007B38EC
EDI 的值
0078FCBA 3B3D 58851B03 CMP EDI,DWORD PTR DS:[31B8558]
0078FCC0 75 11 JNZ SHORT Client.0078FCD3
007B30E7 83B8 8C020000 0>CMP DWORD PTR DS:[EAX+28C],0
007B30EE 0F84 F8070000 JE Client.007B38EC
007B30F4 8B88 8C020000 MOV ECX,DWORD PTR DS:[EAX+28C]
007B30FA 53 PUSH EBX
007B30FB E8 D0ACF0FF CALL Client.006BDDD0
007B3100 E9 E7070000 JMP Client.007B38EC
007B3105 8B849F 10040000 MOV EAX,DWORD PTR DS:[EDI+EBX*4+410]
007B310C 8B0D 0CA4F500 MOV ECX,DWORD PTR DS:[F5A40C] //让ECX写入数据时候用到的值
007B3112 8981 28020000 MOV DWORD PTR DS:[ECX+228],EAX
007B3118 8B15 0CA4F500 MOV EDX,DWORD PTR DS:[F5A40C]
007B311E C682 30020000 0>MOV BYTE PTR DS:[EDX+230],1
007B3125 A1 0CA4F500 MOV EAX,DWORD PTR DS:[F5A40C]
007B312A 8B88 28020000 MOV ECX,DWORD PTR DS:[EAX+228]
007B3130 66:8B97 0816000>MOV DX,WORD PTR DS:[EDI+1608]
007B3137 66:8991 F201000>MOV WORD PTR DS:[ECX+1F2],DX
007B313E 8B35 0CA4F500 MOV ESI,DWORD PTR DS:[F5A40C]
007B3144 8B8E 28020000 MOV ECX,DWORD PTR DS:[ESI+228]
007B314A 8B41 50 MOV EAX,DWORD PTR DS:[ECX+50]
007B314D 8B51 4C MOV EDX,DWORD PTR DS:[ECX+4C]
最后，根据上面的分析，写出以下拖拽技能到物品栏的 call：
; Drag-skill-to-hotbar sequence reconstructed from the 007B3105 and 007B382D
; listings above. x86-32, Intel operand order, MASM-style notation: the hex
; literals carry no h/0x suffix, so this is a reading aid, not assembler input.
; Every address below belongs to this specific Client.exe build.
; Writes eax, ecx, edx and edi; EDI is callee-saved under the Win32 calling
; conventions, so save/restore it if this is placed inside a compiled function.
mov edi,[31B85B0]                       ; edi = dword read from the static at 31B85B0, used as an object base (author's value; this static is not shown in the listings above)
mov eax,[edi+4+00000410]                ; eax = [edi+0x410+4]; the listing at 007B3105 indexes this as [EDI+EBX*4+410], so the fixed +4 hard-codes index 1 — confirm
mov ecx,[0F5A40C]                       ; ecx = object read from the static 0F5A40C, the same pointer the client loads at 007B310C
mov [ecx+00000228],eax                  ; store the selected skill object at +0x228, as the client does at 007B3112
mov edi,[31B8558]                       ; edi = this pointer for the drag call; the client compares EDI against this static at 0078FCBA
MOV ECX,DWORD PTR DS:[EDI+1608]         ; argument source, as at 007B382D
MOV EDX,DWORD PTR DS:[EDI+1BD0]         ; argument source, as at 007B3833
push 0                                  ; pushed first (third argument); the listing at 007B3839 pushes EBX here (annotated 01) and the C++ version below pushes the hotbar index
push ecx
push edx                                ; arguments pushed in the listing's order: EBX / ECX / EDX
mov ecx, edi                            ; this pointer in ECX (thiscall-style), as at 007B383C
call 0x007a97f0                         ; Client.007A97F0; the listing shows no stack cleanup after the call at 007B383E, so the callee presumably pops the arguments — confirm
// One entry of the client's skill list as mirrored by this tool (x86-32, so
// every field is 4 bytes). The offsets quoted in the field comments ("+0c",
// "+1f6") are the author's notes; "+0c" does not match this struct's own
// layout (ndIndexForAll sits at +10 here), so they presumably describe
// offsets inside the game-side object rather than this struct — confirm.
typedef struct TSkillObj{
DWORD ndBaseObj;        // base address of the game-side skill object; DropSkillToF1F10 writes it to [Base_SelGoodSkill]+0x228
DWORD ndType;           // category: 1B = skill-book category, 1C = the usable-skill category (author's note); 0 marks an empty slot, which DropSkillToF1F10 skips
DWORD ndIndexForSkill;  // index within the skill list (author's note)
char* szpName;          // skill name; DropSkillToF1F10 matches it exactly with strcmp
DWORD ndIndexForAll;    // "+0c" in the author's note: ID among all objects
BOOL IsUseable;         // "+1f6" in the author's note
}_TSkillObj;
#define Skill_ListSize 32   // number of TSkillObj slots in TSkillList::t_list
// Fixed-size snapshot of the client's skill list plus the operations this
// tool performs on it.
typedef struct TSkillList
{
TSkillObj t_list[Skill_ListSize];   // Skill_ListSize slots; ndType == 0 marks an unused slot
TSkillList* GetData();              // refreshes t_list (defined elsewhere; called by DropSkillToF1F10 before scanning)
void DbgPrintMsg();                 // defined elsewhere
BOOL DropSkillToF1F10(char*szpSkillName, DWORD ndIndexF1F10);   // drop the skill named szpSkillName onto hotbar (F1-F10) slot ndIndexF1F10; FALSE if no slot matches or an exception occurs
}_TSkillList;
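//-----------------------------------------------------------------------
// BOOL TSkillList::DropSkillToF1F10(char* szpSkillName, DWORD ndIndexF1F10)
// Drops the skill named szpSkillName onto the F1-F10 hotbar slot
// ndIndexF1F10 by replaying the client's own drag call (reconstructed from
// the 007B3105 / 007B382D listings above).
//   szpSkillName  - NUL-terminated skill name, matched exactly with strcmp
//   ndIndexF1F10  - hotbar slot index; passed as the first-pushed (third)
//                   argument of the drag call, where the listing pushes EBX
// Returns FALSE when szpSkillName is NULL, when no non-empty slot matches,
// or when an SEH exception is raised; TRUE otherwise. The drag call's own
// result (EAX) is not inspected.
// Depends on the externals Base_SelGoodSkill, Base_DrapSkillArg and
// Base_DrapSkillCall (defined elsewhere in the project); from the
// commented-out originals they presumably hold the build-specific values
// 0F5A40C, 31B8558 and 007A97F0 respectively.
// x86-32 MSVC only (inline __asm, SEH). Every address is build-specific.
//-----------------------------------------------------------------------
BOOL TSkillList::DropSkillToF1F10(char*szpSkillName, DWORD ndIndexF1F10)
{
    DWORD ndBase = 0;                       // base of the matched game-side skill object
    if (szpSkillName == NULL){              // strcmp on a NULL pattern would fault
        return FALSE;
    }
    __try{
        GetData();                          // refresh t_list; inside __try so a bad read is reported instead of crashing
        for (int i = 0; i < Skill_ListSize; i++){
            if (t_list[i].ndType == NULL || t_list[i].szpName == NULL){
                continue;                   // empty slot, or slot without a name
            }
            if (strcmp(szpSkillName, t_list[i].szpName) != 0){
                continue;
            }
            ndBase = t_list[i].ndBaseObj;
            // Select the skill: the client itself stores the object base at
            // [ptr(0F5A40C)] + 0x228 (listing at 007B3112); Base_SelGoodSkill
            // supplies the address of that static pointer.
            __asm{
                mov ecx, Base_SelGoodSkill
                mov ecx, [ecx]
                mov eax , ndBase
                mov [ecx + 0x228],eax
            }
            break;                          // first match wins; the previous version kept scanning and re-selecting
        }
        if (ndBase == 0){
            return FALSE;                   // no slot matched the name
        }
        // Replay the drag call: this = [ptr(31B8558)], arguments pushed as
        // ndIndexF1F10, [this+0x1608], [this+0x1BD0], mirroring 007B382D.
        // The listing shows no stack cleanup after the call, so the callee
        // presumably pops the arguments (thiscall-like) — confirm.
        __asm{
            mov edi, Base_DrapSkillArg
            mov edi, [edi]
            MOV ECX, DWORD PTR DS : [EDI + 0x1608]
            MOV EDX, DWORD PTR DS : [EDI + 0x1BD0]
            mov eax , ndIndexF1F10
            push eax
            push ecx
            push edx
            mov ecx, edi
            mov eax ,Base_DrapSkillCall
            call eax
        }
    }
    __except (EXCEPTION_EXECUTE_HANDLER){   // same as the former __except(1), spelled with the named constant
        DbgPrintf_Mine("BOOL TSkillList::DropSkillToF1F10(char*szpSkillName, DWORD ndIndexF1F10)出现异常");
        return FALSE;
    }
    return TRUE;
}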