这个月由于某种原因,心态一直没有调整好,所以也一直没有监督自己学习,到今天才开始学习,想想也是够了,作为程序员一天怎么可以这么的堕落呢,应了网上的一句话就是fuck the dog ,下面给出缓冲区解密的关键数据分析:具体函数封装,以及字节填充留到后面来实现
首先,要准备多个不同的物品,并且都是具有多个数量的物品
例如:金疮药 雪原参等
可以利用bp WSASend 检测发包的数据缓冲区来实现发包函数的分析,从而达到向仓库存入N个物品的功能
下面就开始测试
然后找到发包call,在ESP堆栈中发现一个地址,跟进去就可以看到下面这段代码
007A91CE |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
007A91D0 |. 8995 0AD8FFFF MOV DWORD PTR SS:[EBP-27F6],EDX
007A91D6 |. 8985 0ED8FFFF MOV DWORD PTR SS:[EBP-27F2],EAX
007A91DC |. 68 86000000 PUSH 86
007A91E1 |> 8D8D E8D7FFFF LEA ECX,DWORD PTR SS:[EBP-2818]
007A91E7 |. 51 PUSH ECX
007A91E8 |> 8B0D 8038F300 MOV ECX,DWORD PTR DS:[F33880]
007A91EE E8 1D17D0FF CALL Client.004AA910 ; 可能的存入N个物品的call 1
007A91F3 |. 8BCB MOV ECX,EBX
007A91F5 |. E8 F699FEFF CALL Client.00792BF0
007A91FA |. E9 6E050000 JMP Client.007A976D
007A91FF |> 8B15 9C4BF300 MOV EDX,DWORD PTR DS:[F34B9C] ; Case 11 of switch 007A8CCE
007A9205 |. 81C2 3C010000 ADD EDX,13C
007A920B |. 52 PUSH EDX
007A920C |. E8 49B81900 CALL Client.00944A5A
007A9211 |. 83C4 04 ADD ESP,4
007A9214 |. 85C0 TEST EAX,EAX
007A9216 |. 0F8E 20050000 JLE Client.007A973C
下面就在VS中写一段代码来进行测试
00 00 94 00 84 00 01 00 00 00 03 00 00 00 2B 0C
17 24 68 CA 9A 3B 00 00 00 00 05 00 00 00 00 00
00 00 15 01 00 00 00 00 00 00 3D 9E 64 E1 20 05
B0 0B 68 CA 9A 3B 00 00 00 00 1F 00 00 00 00 00
00 00 01 06 00 00 01 00 4F 90 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 AB 00 00 00 00 00 00 00 00 00 00 27 3A 00 00
00 00 00 00 00 00 00 00 00 00 00 0F 1C 28 00 00
00 00 1C 29 12 20 2D 0E 1A 26 00 00 00 00 00 00
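/*
 * Replay of the 0x90-byte send buffer captured at the WSASend breakpoint
 * (the hex dump above), handed straight to the client routine that the
 * disassembly at 007A91DC-007A91EE reaches, instead of going out through
 * the socket.
 *
 * The call is reproduced exactly as the client makes it: push 0x86 (the
 * same immediate the client pushes at 007A91DC -- note it is smaller than
 * the 0x90 bytes declared here; whether it is a byte count is not shown
 * on this page), push a pointer to the buffer, load ECX from the global at
 * 0xF33880, then call 0x004AA910.  All three constants are addresses inside
 * this particular Client.exe build (see the "Client.004AA910" label in the
 * disassembly) and have to be re-derived in the debugger for any other
 * build.
 *
 * The operands are written the way the tested listing further down writes
 * them: hex literals carry the 0x prefix, and the absolute call target is
 * loaded into EAX before the call.  A bare "F33880" or "004AA910" is not a
 * number to the inline assembler.
 */
BYTE nbData[0x90] = {
0x00,0x00,0x94,0x00,0x84,0x00,0x01,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x2B,0x0C,
0x17,0x24,0x68,0xCA,0x9A,0x3B,0x00,0x00,0x00,0x00,0x05,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x15,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x3D,0x9E,0x64,0xE1,0x20,0x05,
0xB0,0x0B,0x68,0xCA,0x9A,0x3B,0x00,0x00,0x00,0x00,0x1F,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x01,0x06,0x00,0x00,0x01,0x00,0x4F,0x90,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0xAB,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x27,0x3A,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0F,0x1C,0x28,0x00,0x00,
0x00,0x00,0x1C,0x29,0x12,0x20,0x2D,0x0E,0x1A,0x26,0x00,0x00,0x00,0x00,0x00,0x00};

__asm{
    push 0x86                          /* same immediate as at 007A91DC */
    lea ecx, nbData                    /* second argument: the replayed buffer */
    push ecx
    mov ecx, DWORD PTR DS:[0xF33880]   /* client global loaded at 007A91E8 */
    mov eax, 0x004AA910                /* absolute target; call it via register */
    call eax
}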
下面在VS环境中进行测试
经过测试,这个数据段就可以将5个雪原参放入仓库中,说明找到的存入N个物品的函数是正确的
测试关键代码如下
/* Same 0x90-byte capture as in the standalone test above, placed where the
 * TESTMSG case of the hook below can hand it to the client routine.  Only
 * the bytes of the capture are here; the call that consumes them (and the
 * 0x86 immediate it pushes) is in the __asm block under "case TESTMSG". */
BYTE nbData[0x90] = {
0x00, 0x00, 0x94, 0x00, 0x84, 0x00, 0x01, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x2B, 0x0C,
0x17, 0x24, 0x68, 0xCA, 0x9A, 0x3B, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x15, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3D, 0x9E, 0x64, 0xE1, 0x20, 0x05,
0xB0, 0x0B, 0x68, 0xCA, 0x9A, 0x3B, 0x00, 0x00, 0x00, 0x00, 0x1F, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x01, 0x06, 0x00, 0x00, 0x01, 0x00, 0x4F, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0xAB, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x27, 0x3A, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0F, 0x1C, 0x28, 0x00, 0x00,
0x00, 0x00, 0x1C, 0x29, 0x12, 0x20, 0x2D, 0x0E, 0x1A, 0x26, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
CWPSTRUCT *lpArg = (CWPSTRUCT*)lParam;
if (nCode == HC_ACTION){//判断是否是自己的消息
if (lpArg->hwnd == GetGameHandle() && myMsgCode == lpArg->message){
DbgPrintf_Mine("传递到自己的消息处理函数");
switch (lpArg->wParam)
{
case TESTMSG:
/*g_tminsterlist.GetData()->OpenNpcObjForName("韦大宝");*/
__asm{
push 0x86
lea ecx, nbData
push ecx
MOV ECX, DWORD PTR DS : [0xF33880]
mov eax, 0x004AA910
CALL eax
}
+12 //8字节 来源于 物品对