0069EFF1 - 8B 15 54851B03 - mov edx,[Client.exe+2DB8554]
0069EFF7 - A1 58851B03 - mov eax,[Client.exe+2DB8558]
0069EFFC - 39 9C B8 10040000 - cmp [eax+edi*4+00000410],ebx << A
0069F003 - 0F84 DE030000 - je Client.exe+29F3E7
0069F009 - 8B C8 - mov ecx,eax
0069F003 - 0F84 DE030000 - je Client.exe+29F3E7
0069F009 - 8B C8 - mov ecx,eax
0069F00B - 8B 84 B9 10040000 - mov eax,[ecx+edi*4+00000410] << B
0069F012 - 89 85 D0D7FFFF - mov [ebp-00002830],eax
0069F018 - 38 98 08040000 - cmp [eax+00000408],bl
通过A得到基址
0069392A - 83 FE 72 - cmp esi,72
0069392D - 0F87 E9160000 - ja Client.exe+29501C
00693933 - A1 58851B03 - mov eax,[Client.exe+2DB8558] << 基址
00693938 - 85 C0 - test eax,eax
0069393A - 0F84 45060000 - je Client.exe+293F85
007FA9A8 - 33 C0 - xor eax,eax
007FA9AA - 8D 9B 00000000 - lea ebx,[ebx+00000000]
007FA9B0 - 39 1C 85 B0BE1D03 - cmp [eax*4+Client.exe+2DDBEB0],ebx << 所有对象的基址
007FA9B7 - 0F84 AE010000 - je Client.exe+3FAB6B
007FA9BD - 40 - inc eax
通过转到基址
可以得到真正的基址为:
0069392A 83FE 72 CMP ESI,72
0069392D 0F87 E9160000 JA Client.0069501C
00693933 A1 58851B03 MOV EAX,DWORD PTR DS:[31B8558]
00693938 85C0 TEST EAX,EAX
0069393A 0F84 45060000 JE Client.00693F85
00693940 83BCB0 10040000>CMP DWORD PTR DS:[EAX+ESI*4+410],0
00693948 0F84 37060000 JE Client.00693F85
0069394E 833D ACBE1D03 0>CMP DWORD PTR DS:[31DBEAC],0
00693955 0F84 2A060000 JE Client.00693F85
dc [[31B8558]+410+4*0]
+5c技能名字
+08 对象属性1E
+0C 所有对象的ID
找F1-F10call
首先，通过查看是什么访问了快捷栏中第一个技能，得到以下数据
00693938 - 85 C0 - test eax,eax
0069393A - 0F84 45060000 - je Client.exe+293F85
00693940 - 83 BC B0 10040000 00 - cmp dword ptr [eax+esi*4+00000410],00 <<
00693948 - 0F84 37060000 - je Client.exe+293F85
0069394E - 83 3D ACBE1D03 00 - cmp dword ptr [Client.exe+2DDBEAC],00
006939A4 - 89 99 2C020000 - mov [ecx+0000022C],ebx
006939AA - 8B 0D 58851B03 - mov ecx,[Client.exe+2DB8558]
006939B0 - 83 BC B1 10040000 00 - cmp dword ptr [ecx+esi*4+00000410],00 <<
006939B8 - 0F84 C6050000 - je Client.exe+293F84
006939BE - 8B 94 B1 10040000 - mov edx,[ecx+esi*4+00000410]
006939B0 - 83 BC B1 10040000 00 - cmp dword ptr [ecx+esi*4+00000410],00
006939B8 - 0F84 C6050000 - je Client.exe+293F84
006939BE - 8B 94 B1 10040000 - mov edx,[ecx+esi*4+00000410] <<
006939C5 - 83 BA F8010000 00 - cmp dword ptr [edx+000001F8],00
006939CC - 89 95 C486FFFF - mov [ebp-0000793C],edx
006939D2 - 0F84 AC050000 - je Client.exe+293F84
006939D8 - 8B C6 - mov eax,esi
006939DA - 8B 84 81 10040000 - mov eax,[ecx+eax*4+00000410] <<
006939E1 - 8B 70 4C - mov esi,[eax+4C]
006939E4 - 8B 40 48 - mov eax,[eax+48]
006943E9 - 0F8C 71FCFFFF - jl Client.exe+294060
006943EF - 8B 85 DC86FFFF - mov eax,[ebp-00007924]
006943F5 - 8B 8C 83 10040000 - mov ecx,[ebx+eax*4+00000410] <<
006943FC - 80 B9 FD030000 00 - cmp byte ptr [ecx+000003FD],00
00694403 - 8B BD B886FFFF - mov edi,[ebp-00007948]
0069C761 - 6A 01 - push 01
0069C763 - 51 - push ecx
0069C764 - 8B 8C 86 10040000 - mov ecx,[esi+eax*4+00000410] <<
0069C76B - 52 - push edx
0069C76C - E8 3FC71100 - call Client.exe+3B8EB0
然后在OD中找call
006938FF C3 RETN
00693900 55 PUSH EBP //EBP来自上层
00693901 8BEC MOV EBP,ESP
00693903 B8 98790000 MOV EAX,7998
00693908 E8 F3102B00 CALL Client.00944A00
0069390D A1 0834B100 MOV EAX,DWORD PTR DS:[B13408]
00693912 33C5 XOR EAX,EBP
00693914 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00693917 56 PUSH ESI
00693918 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] //ESI = [EBP+8]，即上层PUSH进来的参数(快捷栏下标)
0069391B 57 PUSH EDI
0069391C 8BF9 MOV EDI,ECX
0069391E 89BD B486FFFF MOV DWORD PTR SS:[EBP+FFFF86B4],EDI
00693924 89B5 DC86FFFF MOV DWORD PTR SS:[EBP+FFFF86DC],ESI
0069392A 83FE 72 CMP ESI,72
0069392D 0F87 E9160000 JA Client.0069501C
00693933 A1 58851B03 MOV EAX,DWORD PTR DS:[31B8558] //EAX = 基址(快捷栏数据)
00693938 85C0 TEST EAX,EAX
0069393A 0F84 45060000 JE Client.00693F85
00693940 83BCB0 10040000>CMP DWORD PTR DS:[EAX+ESI*4+410],0 //EAX+ESI*4+410
得到以上的一段代码
在函数入口(00693900 PUSH EBP处)下断点
可以看到寄存器中EAX中存放的就是 快捷栏数据中的下标
然后在反汇编窗口中跟随
就可以得到以下数据
0079D40F 83BC9A 10040000>CMP DWORD PTR DS:[EDX+EBX*4+410],0
0079D417 0F84 E24B0000 JE Client.007A1FFF
0079D41D 8B0D 20A4F500 MOV ECX,DWORD PTR DS:[F5A420]
0079D423 8B89 7C020000 MOV ECX,DWORD PTR DS:[ECX+27C]
0079D429 53 PUSH EBX
0079D42A E8 D164EFFF CALL Client.00693900
0079D42F E9 CB4B0000 JMP Client.007A1FFF
0079D434 83F9 01 CMP ECX,1
0079D437 0F85 9F000000 JNZ Client.0079D4DC
0079D43D 8B15 20A4F500 MOV EDX,DWORD PTR DS:[F5A420]
也许就是快捷栏使用的call
用代码注入器测试便知
MOV ECX,DWORD PTR DS:[0xF5A420]
MOV ECX,DWORD PTR DS:[ECX+27C]
PUSH 0
CALL 00693900
最后得到的快捷栏使用call就是以上的汇编代码了
0069EFF7 - A1 58851B03 - mov eax,[Client.exe+2DB8558]
0069EFFC - 39 9C B8 10040000 - cmp [eax+edi*4+00000410],ebx << A
0069F003 - 0F84 DE030000 - je Client.exe+29F3E7
0069F009 - 8B C8 - mov ecx,eax
0069F003 - 0F84 DE030000 - je Client.exe+29F3E7
0069F009 - 8B C8 - mov ecx,eax
0069F00B - 8B 84 B9 10040000 - mov eax,[ecx+edi*4+00000410] << B
0069F012 - 89 85 D0D7FFFF - mov [ebp-00002830],eax
0069F018 - 38 98 08040000 - cmp [eax+00000408],bl
通过A得到基址
0069392A - 83 FE 72 - cmp esi,72
0069392D - 0F87 E9160000 - ja Client.exe+29501C
00693933 - A1 58851B03 - mov eax,[Client.exe+2DB8558] << 基址
00693938 - 85 C0 - test eax,eax
0069393A - 0F84 45060000 - je Client.exe+293F85
007FA9A8 - 33 C0 - xor eax,eax
007FA9AA - 8D 9B 00000000 - lea ebx,[ebx+00000000]
007FA9B0 - 39 1C 85 B0BE1D03 - cmp [eax*4+Client.exe+2DDBEB0],ebx << 所有对象的基址
007FA9B7 - 0F84 AE010000 - je Client.exe+3FAB6B
007FA9BD - 40 - inc eax
通过转到基址
可以得到真正的基址为:
0069392A 83FE 72 CMP ESI,72
0069392D 0F87 E9160000 JA Client.0069501C
00693933 A1 58851B03 MOV EAX,DWORD PTR DS:[31B8558]
00693938 85C0 TEST EAX,EAX
0069393A 0F84 45060000 JE Client.00693F85
00693940 83BCB0 10040000>CMP DWORD PTR DS:[EAX+ESI*4+410],0
00693948 0F84 37060000 JE Client.00693F85
0069394E 833D ACBE1D03 0>CMP DWORD PTR DS:[31DBEAC],0
00693955 0F84 2A060000 JE Client.00693F85
dc [[31B8558]+410+4*0]
+5c技能名字
+08 对象属性1E
+0C 所有对象的ID
找F1-F10call
首先，通过查看是什么访问了快捷栏中第一个技能，得到以下数据
00693938 - 85 C0 - test eax,eax
0069393A - 0F84 45060000 - je Client.exe+293F85
00693940 - 83 BC B0 10040000 00 - cmp dword ptr [eax+esi*4+00000410],00 <<
00693948 - 0F84 37060000 - je Client.exe+293F85
0069394E - 83 3D ACBE1D03 00 - cmp dword ptr [Client.exe+2DDBEAC],00
006939A4 - 89 99 2C020000 - mov [ecx+0000022C],ebx
006939AA - 8B 0D 58851B03 - mov ecx,[Client.exe+2DB8558]
006939B0 - 83 BC B1 10040000 00 - cmp dword ptr [ecx+esi*4+00000410],00 <<
006939B8 - 0F84 C6050000 - je Client.exe+293F84
006939BE - 8B 94 B1 10040000 - mov edx,[ecx+esi*4+00000410]
006939B0 - 83 BC B1 10040000 00 - cmp dword ptr [ecx+esi*4+00000410],00
006939B8 - 0F84 C6050000 - je Client.exe+293F84
006939BE - 8B 94 B1 10040000 - mov edx,[ecx+esi*4+00000410] <<
006939C5 - 83 BA F8010000 00 - cmp dword ptr [edx+000001F8],00
006939CC - 89 95 C486FFFF - mov [ebp-0000793C],edx
006939D2 - 0F84 AC050000 - je Client.exe+293F84
006939D8 - 8B C6 - mov eax,esi
006939DA - 8B 84 81 10040000 - mov eax,[ecx+eax*4+00000410] <<
006939E1 - 8B 70 4C - mov esi,[eax+4C]
006939E4 - 8B 40 48 - mov eax,[eax+48]
006943E9 - 0F8C 71FCFFFF - jl Client.exe+294060
006943EF - 8B 85 DC86FFFF - mov eax,[ebp-00007924]
006943F5 - 8B 8C 83 10040000 - mov ecx,[ebx+eax*4+00000410] <<
006943FC - 80 B9 FD030000 00 - cmp byte ptr [ecx+000003FD],00
00694403 - 8B BD B886FFFF - mov edi,[ebp-00007948]
0069C761 - 6A 01 - push 01
0069C763 - 51 - push ecx
0069C764 - 8B 8C 86 10040000 - mov ecx,[esi+eax*4+00000410] <<
0069C76B - 52 - push edx
0069C76C - E8 3FC71100 - call Client.exe+3B8EB0
然后在OD中找call
006938FF C3 RETN
00693900 55 PUSH EBP //EBP来自上层
00693901 8BEC MOV EBP,ESP
00693903 B8 98790000 MOV EAX,7998
00693908 E8 F3102B00 CALL Client.00944A00
0069390D A1 0834B100 MOV EAX,DWORD PTR DS:[B13408]
00693912 33C5 XOR EAX,EBP
00693914 8945 FC MOV DWORD PTR SS:[EBP-4],EAX
00693917 56 PUSH ESI
00693918 8B75 08 MOV ESI,DWORD PTR SS:[EBP+8] //ESI = [EBP+8]，即上层PUSH进来的参数(快捷栏下标)
0069391B 57 PUSH EDI
0069391C 8BF9 MOV EDI,ECX
0069391E 89BD B486FFFF MOV DWORD PTR SS:[EBP+FFFF86B4],EDI
00693924 89B5 DC86FFFF MOV DWORD PTR SS:[EBP+FFFF86DC],ESI
0069392A 83FE 72 CMP ESI,72
0069392D 0F87 E9160000 JA Client.0069501C
00693933 A1 58851B03 MOV EAX,DWORD PTR DS:[31B8558] //EAX = 基址(快捷栏数据)
00693938 85C0 TEST EAX,EAX
0069393A 0F84 45060000 JE Client.00693F85
00693940 83BCB0 10040000>CMP DWORD PTR DS:[EAX+ESI*4+410],0 //EAX+ESI*4+410
得到以上的一段代码
在函数入口(00693900 PUSH EBP处)下断点
可以看到寄存器中EAX中存放的就是 快捷栏数据中的下标
然后在反汇编窗口中跟随
就可以得到以下数据
0079D40F 83BC9A 10040000>CMP DWORD PTR DS:[EDX+EBX*4+410],0
0079D417 0F84 E24B0000 JE Client.007A1FFF
0079D41D 8B0D 20A4F500 MOV ECX,DWORD PTR DS:[F5A420]
0079D423 8B89 7C020000 MOV ECX,DWORD PTR DS:[ECX+27C]
0079D429 53 PUSH EBX
0079D42A E8 D164EFFF CALL Client.00693900
0079D42F E9 CB4B0000 JMP Client.007A1FFF
0079D434 83F9 01 CMP ECX,1
0079D437 0F85 9F000000 JNZ Client.0079D4DC
0079D43D 8B15 20A4F500 MOV EDX,DWORD PTR DS:[F5A420]
也许就是快捷栏使用的call
用代码注入器测试便知
MOV ECX,DWORD PTR DS:[0xF5A420]
MOV ECX,DWORD PTR DS:[ECX+27C]
PUSH 0
CALL 00693900
最后得到的快捷栏使用call就是以上的汇编代码了