Game Data Capturing (tulip study notes)

Source: Internet
Author: User

Contents:

1. Get role object attributes
2. Get the take-medicine call
3. Get the shortcut-key call
4. Get the ID of the selected monster
5. Get the monster list
6. Get the monster attributes
7. Get the show-HP call
8. Get the normal-attack call
9. Get the pick-up-item call
10. Get the address of the backpack list
11. Get the chat (shout) call
12. Coordinate information
13. Obtain comprehensive memory information
14. Get the buy/sell item call
15. Questions about OD multi-thread debugging
16. Running multiple game instances
17. Considerations when programming the helper

These are study notes from the recently watched Tulip video course, written down for later reference.

1. Get role object attributes
The role's attributes are stored in one object. Search for the HP value with CE as it changes to find the HP address, then inspect the surrounding memory to pick out the other attributes.
Role object base address: 02ee5b98
02ee5be8 role name
02ee5c68 current HP, DWORD (the offsets below are relative to this address)
+4   internal energy, DWORD
+8   rage value, DWORD
+C   max HP, DWORD
+10  max internal energy, DWORD
+14  constant 3e8
+18  experience value 2, DWORD
+20  experience needed for the next level (2), DWORD
+28  0a
+2C  experience, DWORD
+30  core, DWORD
+34  qi, DWORD
+38  body, DWORD
+3C  soul, DWORD
+40  0
+44  0
+48  attack, DWORD
+4C  defense, DWORD
+50  hit rate, DWORD
+54  dodge, DWORD
+58  martial-arts hit rate?, DWORD
+5C  martial-arts defense?, DWORD
+60  0
+64  RMB (money)
+68  0

2. Get the take-medicine call
Find a small healing potion (jinchuangyao) by searching for its count; the quantity address is 2f8dae24.
Use CE to find what accesses that address, which leads to the code below.
// take-medicine call
push 0          // item-slot ID
push 1          // quantity
push 0
call 00757700
Extracted signature: a1648110038b8498040400008bb0b80200000bb0bc0200007433

3. Get the shortcut-key call
Tracing the take-medicine call one layer up reaches the code that dispatches the shortcut keys.
F1-F10 shortcuts:
0065bf07 50            push eax        // 0-9
0065bf0e E8 bd65ffff   call 00652520
The extracted signature is 741f83bcb104040000000f84f40900008b84b10404000083784800; a signature like this makes the code easy to locate again after the game is updated.
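The reason the notes record a byte signature rather than the address 0065bf07 is that the address moves with every game update while the instruction bytes usually do not. The following is an added example, not code from the notes or the video course, of a signature scanner that resolves such a pattern inside a memory image: the signature string is the one recorded above, while the image bytes, the module base 0x00650000 and the offset 0x120 are constructed for the demonstration. It goes slightly beyond the notes by also accepting "??" wildcard bytes, the usual way to skip operands that differ between builds, and it refuses patterns that match more than once, since an ambiguous signature silently selects the wrong code.

```python
import re

# Added example: byte-signature scanner over a memory image.
# SHORTCUT_SIG is the signature from the notes; IMAGE, IMAGE_BASE and
# CODE_OFFSET are constructed for this demonstration.
SHORTCUT_SIG = "741f83bcb104040000000f84f40900008b84b10404000083784800"
IMAGE_BASE = 0x00650000                       # assumed module base
CODE_OFFSET = 0x120                           # assumed location of the pattern
SIG_BYTES = bytes.fromhex(SHORTCUT_SIG)
IMAGE = b"\x90" * CODE_OFFSET + SIG_BYTES + b"\xcc" * 0x80   # constructed image


def parse_pattern(sig):
    """Turn 'a1 64 ?? 03' or 'a164??03' into byte values; None marks a wildcard."""
    s = re.sub(r"\s+", "", sig).lower()
    if len(s) % 2 or not re.fullmatch(r"([0-9a-f?]{2})*", s):
        raise ValueError("signature must be hex byte pairs, optionally with ?? wildcards")
    return [None if s[i:i + 2] == "??" else int(s[i:i + 2], 16)
            for i in range(0, len(s), 2)]


def find_all(image, pattern):
    """Return every offset in image where the pattern matches (wildcards skipped)."""
    n = len(pattern)
    anchored = [(j, b) for j, b in enumerate(pattern) if b is not None]
    hits = []
    for off in range(len(image) - n + 1):
        if all(image[off + j] == b for j, b in anchored):
            hits.append(off)
    return hits


def locate(image, base, sig):
    """Resolve a signature to a virtual address; refuse ambiguous patterns."""
    hits = find_all(image, parse_pattern(sig))
    if len(hits) != 1:
        raise LookupError(f"expected exactly one match, got {len(hits)}")
    return base + hits[0]


if __name__ == "__main__":
    print(hex(locate(IMAGE, IMAGE_BASE, SHORTCUT_SIG)))                        # 0x650120
    print(hex(locate(IMAGE, IMAGE_BASE, "74 ?? 83 bc b1 04 04 00 00 00 0f 84")))
```

The scan is a plain O(n*m) comparison, which is fine for a code section of a few megabytes; the property that matters is the uniqueness check in locate(), because a signature that was unique in one build can gain a second match in the next.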

4. Get the ID of the selected monster
Each monster has its own ID, which can be used to locate it.
Use CE to search for values that stay unchanged.
Address of the selected monster ID: [312df1c] + 1478

5. Get the monster list
Monitoring what writes the selected-monster ID shows a value being filled with the selected ID:
004af442 8981 78140000   mov dword ptr [ecx + 0x1478], eax   ; stores the ID of the selected monster
Tracing the surrounding context finds:
004af470 8B 0C 85 20df1203   mov ecx, [eax * 4 + 0312df20]
Here eax is the monster ID and also the array index; this array is the monster list address.

6. Get the monster attributes
Get the monster object from the monster list; selecting different monsters and killing them reveals the different monster properties.
Monster list address:
0312df20
{
+ id * 4   monster object address
  {
  + 0      function pointer table for the monster's behaviours
  + 8      type (monster = 2e)
  + C      id / array index
  + 31C    distance to the monster
  + 320    monster name
  + 37C    monster respawn progress
  + 380    alive/dead status (0: alive, 1: dead)
  + 1018   monster coordinate X
  + 1020   monster coordinate Y
  }
}

The alive/dead status can be found by locking the selected-monster ID with CE: after the selected monster is killed, its object is refreshed automatically, which makes it easy to watch each attribute change in the monster object's memory.
Some attributes are floating-point, for example the distance and the coordinates, so choose the matching data type when inspecting the data in OD.

7. Get the show-HP call
With no monster selected by the mouse, manually rewrite the selected-monster ID in the code found earlier; testing showed there is a call that displays the HP bar.
Do not trigger the show-HP call again while an HP bar is already displayed, otherwise several HP bars appear.
mov esi, 0x2b1ebe18
mov eax, dword ptr [esi]
mov edx, dword ptr [eax + 0x4]
push 0          // this push sits after a jump, so the next push is easy to miss
push 0x1
push 0x44f
mov ecx, esi
call edx
mov eax, dword ptr [esi + 0xc]
mov ecx, dword ptr [0x312df1c]
mov dword ptr [ecx + 0x1478], eax
Extracted signature: 83c410ebda-b068b50046a01684f0400008bceffd2

8. Get the normal-attack call
The code that accesses the selected-monster ID right after the attack key is pressed is generally inside the normal-attack call.
Testing the candidates one by one finds the normal-attack call:
0064da3f 8b0d 1cdf1203   mov ecx, dword ptr [0x312df1c]
0064da45 E8 d689e5ff     call 004a6470
Extract the signature.
The normal attack also shows that the selected monster object is found through [312df1c].

9. Get the pick-up-item call
Dropping an item shows that every object selected with the mouse, whether monster, NPC or item, is stored at address [312df1c] + 1478.
Monitoring accesses to this address while picking up a dropped item gives a code location inside the pick-up call, from which the call itself can be found. This method is harder to trace.

The other method relies on the normal attack and picking up belonging to the same kind of action; most programmers put them in one switch:
switch (action)
{
case NORMAL_ATTACK_ID:   { call normal-attack call }
case IDENTIFICATION_ID:  { corresponding call }
case MEDITATION_ID:      { corresponding call }
case RUN_ID:             { corresponding call }
case ESCAPE_ID:          { corresponding call }
case TEAM_ID:            { corresponding call }
case TRADE_ID:           { corresponding call }
...
default:
}
The previous section gave the place where the normal-attack call is made; viewing it in IDA easily yields the other calls:
Run:            0064da51 call sub_64ce10
Luck:           0064da71 call sub_64cea0
Normal attack:  0064da95 call sub_4a6470
Items:          0064dab9 call sub_4a66c0
and so on.

Tracing into the calls gives the code that sets up the parameters:
0076cbb4 8b0d fc2fea00   mov ecx, dword ptr [0xea2ffc]
0076cbba 8b89 74020000   mov ecx, dword ptr [ecx + 0x274]

The complete calls with parameters are:
A.
mov ecx, dword ptr [0xea2ffc]
mov ecx, dword ptr [ecx + 0x274]
call 64cdc0

B. Luck call
mov ecx, dword ptr [0xea2ffc]
mov ecx, dword ptr [ecx + 0x274]
call 64cea0
and so on.

10. Get the address of the backpack list
The data structure of a backpack is generally:
item backpack array (base address 1)
+ 4    item object 1
+ 8    item object 2
+ ??
+ ??   item quantity
+ ??   item name
+ ??   function description
Each slot corresponds to an object, and these objects form a contiguous array.

Start from the count of a ginseng item and search for its quantity address. The address found by monitoring accesses is a temporary base address of the item slot that holds the ginseng: 0dd97468. Searching for this address gives several code locations; monitor what accesses each of them, then move the mouse over the ginseng so its state changes, which triggers this code:
0076b9d1 3B 3D 64811003       cmp edi, [03108164]
0076b9d7 75 2a                jne 0076ba03
0076b9d9 8B 84 B7 04040000    mov eax, [edi + esi * 4 + 00000404]
Clearly [edi + esi * 4 + 00000404] is the key: edi could be the backpack base address, but its value turns out to be 19eba4c0, another temporary address. Looking further up the code,
the instruction cmp edi, [03108164] suggests that [03108164] is where the game stores the base address of each backpack.

Based on these findings, the memory layout observed in OD is:
backpack base address [03108164]
+ 404   first-level base address of the equipment item, 0dd97468 (temporary)
  + 5C    item name
  + AC    required level
  + F1    description
  + 23C   quantity
  + 26C   defense
  + 290   backpack array index
  + 30C   durability
+ 408   second slot
...
...
+ ??    if there is no item, the value is 0.

11. Get the chat (shout) call
Call tracing process:
Type different strings in the chat box to obtain two addresses, A and B, and rewrite both in CE.
Changing address A updates the shout box immediately, but the message-sending box shows the content of address B.
Tracing what accesses B with CE leads into a memset function; watch the value of ecx at the time of the access.
In OD, when the breakpoint hits, return to the caller one layer up, look at that address in IDA, and trace the call repeatedly.
esi = [312e7e0] = 0e278010
00447a9e 8b06           mov eax, dword ptr [esi]
00447aa0 8b50 04        mov edx, dword ptr [eax + 0x4]
00447aa3 57             push edi        // 0xd
00447aa4 53             push ebx        // 0xd
00447aa5 68 ed030000    push 0x3ed
00447aaa 8bce           mov ecx, esi
00447aac ffd2           call edx
The complete call code:

mov esi, dword ptr [312e7e0]
mov edi, 0xd
mov ebx, 0xd
mov eax, dword ptr [esi]
mov edx, dword ptr [eax + 0x4]
push edi
push ebx
push 0x3ed
mov ecx, esi
call edx
Function signature: 8b068b5004575108ed0300008bceffd2

Finding the base address of the message content:
Monitor the code that accesses address B:
mov cl, [eax]
Tracing upward from there gives:
mov ebx, dword_e73d1c
lea edi, [ebx + 13ch]
mov eax, edi
So the base address of the message content is [0e73d1c] + 13C.


12. Coordinate information
Note that coordinates in a 3D game are determined by X, Y and Z, where Z is the height. If Z is ignored when teleporting, the character is likely to land
inside a mountain, in a lake, underground or in the sky; the server notices this and resets the character to a valid position.
The Z coordinate can generally be reasoned about from the values above: the more negative Z is, the lower the altitude, and the sea is less negative.
Imagine placing the whole 3D scene model in a box; the top corner of the box is coordinate 0.

Observe the mouse coordinates with CE.
The coordinate object base address is 0312df1c, the same object that stores the ID of the monster selected with the mouse.
+ 0x1614   current role X coordinate
+ 0x1618   current role Z coordinate
+ 0x161c   current role Y coordinate, also at 0012762c
+ 0x15d8   clicked coordinate X, also at 00e9ab50
+ 0x15dc   clicked coordinate Z
+ 0x15e0   clicked coordinate Y, also at 00e9ab58
This group of mouse addresses is mainly used to compute the data that is sent.
Another group drives the on-screen movement:
[[312df1c] + 2c94] + 280   current X   // after modification the character jumps straight to the coordinates, but the server-side data has not changed
[[312df1c] + 2c94] + 284   current Z
[[312df1c] + 2c94] + 288   current Y
[312df1c] + 147C   target X
[312df1c] + 1480   target Z
[312df1c] + 1484   target Y
It is hard to trace the running function through mouse changes, so it is found through the moving/stationary state instead.
A CE search after changing the target address, using the moving state to tell whether the role has moved, finds the following two switches:
[312df1c] + 1494   switch 1, value 1
[312df1c] + 1498   switch 2, value 1
However, the on-screen character does not move every time. It turns out that when the character performs a pose, switch 2 changes to 1 and then back to 0 after the action completes.
At that moment the target address and the switch can be modified, so the pose presumably is not only decorative but also updates and resets the data.
Tracing what rewrites switch 2 leads to the code that performs the pose; one location is rewritten every time, and it is close by.
Testing with CE gives
[312df1c] + 149c   switch 3: when it is 0, coordinate switches 1 and 2 take effect and the character can move.
Now the character can move freely, but only in straight lines rather than the way it normally moves, so it inevitably hits walls. There must be code that checks for obstacles.
Use CE to modify the target address so the character runs, and monitor X or Y. When a wall is hit, X or Y stops changing; at that point look at the code that writes them.
At address 004b1693 the write is not executed when the wall blocks it, so the correction must come earlier; viewing it in IDA quickly shows three flows.
All three depend on the return value of function 54cec0, so it can be inferred that 54cec0 is the function that checks for obstacles. Stepping into it shows four return values:
0, 1, 2 and 3. A breakpoint in OD shows that normal movement returns 1, which is quick to verify. Modifying the function code with CE so that it returns 1 where it would return 0,
and then running to the target address, passes through everything.
Everything above only changes the on-screen image; the server-side data does not change, so a function that sends the coordinate data is still needed.
Because the mouse functions are complex, and the game itself allows instant movement, the mouse call is not needed, but the data-sending function is.
Monitoring the mouse coordinates with CE and tracing gives function 495ad0, which should be called when the mouse is clicked.
Using this data-sending function with the stored target coordinates instead of the mouse-click parameters, the complete role-moving call is:

mov esi, dword ptr [312df1c]
// set the target address
mov dword ptr [esi + 147C], 44c70000
mov dword ptr [esi + 1480], 0xc3b621ef
mov dword ptr [esi + 1484], 4465c000
mov dword ptr [esi + 1494], 1
mov dword ptr [esi + 1498], 1
mov dword ptr [esi + 149c], 0
// send the data to the server
mov dword ptr [esi + 15d8], 44c70000
mov dword ptr [esi + 15dc], 0xc3b621ef
mov dword ptr [esi + 15e0], 4465c000
mov edx, dword ptr [esi + 15d8]
mov ecx, dword ptr [esi + 15dc]
push 2
sub esp, 0c
mov eax, esp
mov [eax], edx
mov edx, [esi + 15e0]
mov [eax + 4], ecx
mov ecx, esi
mov [eax + 8], edx
call 495ad0

13. Obtain comprehensive memory information
Click an item, then click elsewhere to cancel the selection; the selected item ID is found the same way as the selected monster.
Observe the item's memory block:
0312df20
{
+ id * 4   item object address
  {
  + 8     type (item = 33)
  + C     id / array index
  + 64    distance to the item
  + 94    item name
  + 198   item coordinate X
  + 19C   item coordinate Z
  + 1a0   item coordinate Y
  }
}

Character memory:
0312df20
{
+ id * 4   character object address
  {
  + 8      type 2e
  + C      id / array index
  + 18     character
  + 1d00   character level
  + 147C   coordinate X
  + 1480   Z
  + 1484   Y
  }
}

14. Get the buy/sell item call
Get the packet data of bought and sold items by monitoring in OD.
Repeat with different items so the data can be compared.
0012a48c 00 00 92 00 80 00 00 00 00 00 19 41 68 F3 68 ca   // 92 80 02 are constants
0012a49c 9A 3B 00 00 00 00 00 00 00 00 00 00 00 32 1B      // 01 is the quantity, 32 is the count ID
0012a4ac 02 00 00 00 00 00 17 39 C2 90 23 A2 E8 0C 68 ca   // item type
0012a4bc 9A 3B 00 00 00 00 00 00 00 00 00 00 01 0C         // 01 is the quantity, 0C is the backpack index
0012a4cc 00 00 01 00 6C F3 00 00 00 00 00 00 00 00 00 00 00
0012a4dc 00 00 00 00 00 00 00 00 00 00 00 00 F3 00 00
0012a4ec 00 00 00 00 00 00 00 68 F3 00 00 00 00 00 00
0012a4fc 00 00 00 00 00 00 45 65 F3 00 00 00 00 00 27 44
0012a50c 62 F3 26 42 62 F3 00 00 00 00 00 00 00 00 00 00

0012a48c 00 00 92 00 80 00 02 00 00 00 00 00 00 00 94 ca
0012a49c 9A 3B 00 00 00 00 00 00 00 00 00 00 36 1B
0012a4ac 02 00 00 00 00 F7 57 2f D0 AE A8 E8 0C 94 ca
0012a4bc 9A 3B 00 00 00 00 00 00 00 00 00 00 01 00
0012a4cc 00 14 01 00 00 00 00 00 00 00 00 00 00 00 00
0012a4dc 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0012a4ec 00 00 00 00 00 00 00 00 00 00 00 00 00 00

6c6eb130 00 00 92 00 80 00 02 00 00 00 00 00 00 00 94 ca
6c6eb140 9A 3B 00 00 00 00 00 00 00 00 00 00 36 1B
6c6eb150 02 00 00 00 00 00 F7 57 2f D0 AE A8 E8 0C 94 ca
6c6eb160 9A 3B 00 00 00 00 00 00 00 00 00 00 01 00
6c6eb170 00 14 01 00 00 00 00 00 00 00 00 00 00 00 00
6c6eb180 00 00 00 00 00 00 00 00 00 00 00 00 00 00
6c6eb190 00 00 00 00 00 00 00 00 00 00 00 00 00 00
6c6eb1a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
6c6eb1b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

3233fdc0 00 00 92 00 80 00 02 00 00 00 00 00 00 00 94 ca
3233fdd0 9A 3B 00 00 00 00 00 00 00 00 00 00 36 1B
3233fde0 02 00 00 00 00 F7 57 2f D0 AE A8 E8 0C 94 ca
3233fdf0 9A 3B 00 00 00 00 01 00 00 00 00 00 00 01 00
3233fe00 00 14 01 00 00 00 00 00 00 00 00 00 00 00

Sell-item packet structure
struct
{
+ 0    const0   word    00
+ 2    const1   word    92
+ 4    const2   word    80
+ 6    const3   DWORD   2
+ ??   DWORD, can be 0
+ E    item object + 4C    DWORD   item ID
+ 12   item object + 50    DWORD
+ 16   count, item object + 23C   DWORD
+ 1A   ?? DWORD, can be 0
+ 1E   role attribute [0x2ee5ccc]   DWORD
+ 22   role attribute [0x2ee5cd0]   DWORD
+ 26   item object + 54    DWORD
+ 2a   item object + 58    DWORD
+ 2e   item object + 4C    DWORD
+ 32   item object + 50    DWORD
+ 36   23C   DWORD
+ 3A   item object + 240   DWORD
+ 3E   item object + 1f2   byte
+ 3f   backpack index, item object + 290   byte
+ 40   item object + 238   byte
+ 41   item object + 244   byte
+ 42   item object + AC    byte
+ 43   item object + A4    byte
(trailing bytes)
6c F3 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 F3 00 00
00 00 00 00 00 00 00 68 F3 00 00 00 00 00 00
00 00 00 00 00 00 45 65 F3 00 00 00 00 27 44
62 F3 26 42 62 F3 00 00 00 00 00 00 00 00 00
}
Extracted signature: 8d853cffffff50b840e94700ffd0

To get the call packet for buying an item, open the NPC shop dialog and capture the call the same way; together they make automatic buying and selling possible.
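A practitioner looking at captured traffic would want the structure above as a decoder that checks the packet rather than a hand-annotated hex dump. The following is an added example, not code from the notes or the video course, of a parser for the sell-item packet using the offsets and sizes recorded above. Everything not in the notes is an assumption made here: the field names, the decision to place the first "??" DWORD at +A (the only position left between the +6 DWORD and the +E item ID), and the sample packet, whose values are constructed rather than taken from a capture. The repeated fields (item ID at +E and +2E, item +50 at +12 and +32, count at +16 and +36) are cross-checked, because a packet in which they disagree is either malformed or has been tampered with, which is exactly the kind of check a server-side validator or an IDS rule would apply.

```python
import struct

# Added example: parser for the sell-item packet layout in the notes.
# HEADER_FMT encodes the recorded offsets: 3 words, 14 DWORDs, 6 bytes = 0x44 bytes.
HEADER_FMT = "<HHH" + "I" * 14 + "B" * 6
HEADER_LEN = struct.calcsize(HEADER_FMT)          # 68 == 0x44
FIELDS = [
    "const0", "const1", "const2", "const3",       # +0 +2 +4 +6
    "unknown_0a",                                 # +A  "?? can be 0" (offset assumed)
    "item_id", "item_50", "count", "unknown_1a",  # +E +12 +16 +1A
    "role_2ee5ccc", "role_2ee5cd0",               # +1E +22
    "item_54", "item_58", "item_4c_again",        # +26 +2A +2E
    "item_50_again", "count_again", "item_240",   # +32 +36 +3A
    "item_1f2", "bag_slot", "item_238",           # +3E +3F +40
    "item_244", "item_ac", "item_a4",             # +41 +42 +43
]
EXPECTED_CONSTS = {"const0": 0x00, "const1": 0x92, "const2": 0x80, "const3": 2}
# Fields the layout repeats; a valid packet carries the same value in both places.
MIRRORED = (("item_id", "item_4c_again"), ("item_50", "item_50_again"),
            ("count", "count_again"))


def parse_sell_packet(buf):
    """Decode the fixed header; raise ValueError on truncation or inconsistency."""
    if len(buf) < HEADER_LEN:
        raise ValueError(f"packet too short: {len(buf)} < {HEADER_LEN}")
    pkt = dict(zip(FIELDS, struct.unpack_from(HEADER_FMT, buf, 0)))
    for name, want in EXPECTED_CONSTS.items():
        if pkt[name] != want:
            raise ValueError(f"{name} is {pkt[name]:#x}, expected {want:#x}")
    for a, b in MIRRORED:
        if pkt[a] != pkt[b]:
            raise ValueError(f"{a} ({pkt[a]:#x}) does not match {b} ({pkt[b]:#x})")
    pkt["trailer"] = buf[HEADER_LEN:]             # bytes after +43, not decoded
    return pkt


def build_sample_packet(item_id=0x41001234, count=1, bag_slot=0x0C):
    """Constructed sample (not a capture): consistent values in the mirrored fields."""
    values = [0x00, 0x92, 0x80, 2, 0,             # consts, unknown_0a
              item_id, 0x1234, count, 0,          # item_id, item_50, count, unknown_1a
              0x11, 0x22,                         # role attributes
              0x33, 0x44, item_id, 0x1234, count, 0x55,
              0x01, bag_slot, 0x02, 0x03, 0x04, 0x05]
    return struct.pack(HEADER_FMT, *values) + b"\x6c\xf3" + b"\x00" * 10


if __name__ == "__main__":
    decoded = parse_sell_packet(build_sample_packet())
    print({k: decoded[k] for k in ("item_id", "count", "bag_slot")})
```

Because struct.unpack_from works on any bytes-like object, the same function decodes a stack buffer dumped from OD or a payload pulled out of a packet capture, and the ValueError messages say which field failed, which is what one wants when comparing several captures as the notes suggest.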

15. Questions about OD multi-thread debugging
This problem occurs when debugging multiple threads in OD:
"OllyICE cannot set a breakpoint at the (possibly invalid) address to read registers and update EIP.
It is usually not possible to try again after correction; you can take the risk yourself.
Restore and continue"
Solution reference: http://blog.csdn.net/whatday/article/details/9059281

16. Running multiple game instances
When the game is opened a second time, a prompt box appears (whether loaded through OD or not, and no solution was found online). It is a conflict in the client folder: the second instance treats the first client's files as its own.
Copy the client folder under a different name, copy launcher.exe as well, and change its path to the copy.

17. Considerations when programming the helper
1. Because memory is read directly, try to use the IsBadReadPtr function before each memory read.
2. Object attributes are best resolved through their pointers every time they are needed, because the data changes dynamically; reading through the pointer at the moment of use gives the most correct data.
3. The monster object ID does not change, but the object base address may change, so use the ID to look up the object base address.
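The three considerations above, together with the object array described in sections 4, 5, 6 and 13, are easiest to see as one piece of code. The following is an added example, not code from the notes or the video course, that decodes objects from a memory snapshot: the addresses 0312df1c and 0312df20, the +1478 selected-ID offset, the field offsets and the type codes 2e and 33 are the notes'; the Snapshot class, the object addresses, the object contents and the "wolf"/"potion" sample values are constructed here. Every read is range-checked against the snapshot and returns None for an unmapped address, which is the role the notes assign to IsBadReadPtr (note that Microsoft documents IsBadReadPtr as obsolete and unreliable, because it can hide real faults; checking against known-good ranges, or checking the return value of ReadProcessMemory, is the sounder version of consideration 1). Objects are looked up by ID through the array on each call (consideration 3) and pointers are followed at the moment of use (consideration 2). Since the notes give the same type code 2e to monsters and to other characters, the type byte alone cannot separate those two, so this reader decodes only monsters and items.

```python
import struct

# Added example: bounds-checked decoding of the object array at 0312df20.
# Addresses, offsets and type codes come from the notes; the snapshot
# contents, object addresses and sample values are constructed.
SEL_BASE, LIST_ADDR = 0x0312DF1C, 0x0312DF20
SEL_ID_OFF = 0x1478                 # [312df1c] + 1478 holds the selected ID
TYPE_MONSTER, TYPE_ITEM = 0x2E, 0x33


class Snapshot:
    """Memory image {start: bytes}. Every read is range-checked and returns
    None for an unmapped address, the role the notes give to IsBadReadPtr."""

    def __init__(self, regions):
        self.regions = dict(regions)

    def read(self, addr, size):
        for start, data in self.regions.items():
            if start <= addr and addr + size <= start + len(data):
                return bytes(data[addr - start:addr - start + size])
        return None

    def u32(self, addr):
        b = self.read(addr, 4)
        return None if b is None else struct.unpack("<I", b)[0]

    def f32(self, addr):
        b = self.read(addr, 4)
        return None if b is None else struct.unpack("<f", b)[0]

    def cstr(self, addr, maxlen=32):
        b = self.read(addr, maxlen)
        return None if b is None else b.split(b"\0", 1)[0].decode("ascii", "replace")


def resolve(snap, base, offsets):
    """Follow base -> [base] + o1 -> [...] + o2 ...; None on a null or unmapped hop."""
    addr = base
    for off in offsets:
        ptr = snap.u32(addr)
        if not ptr:
            return None
        addr = ptr + off
    return addr


def read_object(snap, obj_id):
    """Look the object up by ID every time (consideration 3) and decode by type."""
    obj = snap.u32(LIST_ADDR + obj_id * 4)
    if not obj:
        return None
    kind = snap.u32(obj + 0x8)
    if kind == TYPE_MONSTER:
        return {"kind": "monster", "id": snap.u32(obj + 0xC), "name": snap.cstr(obj + 0x320),
                "distance": snap.f32(obj + 0x31C), "dead": snap.u32(obj + 0x380) == 1,
                "x": snap.f32(obj + 0x1018), "y": snap.f32(obj + 0x1020)}
    if kind == TYPE_ITEM:
        return {"kind": "item", "id": snap.u32(obj + 0xC), "name": snap.cstr(obj + 0x94),
                "distance": snap.f32(obj + 0x64), "x": snap.f32(obj + 0x198),
                "z": snap.f32(obj + 0x19C), "y": snap.f32(obj + 0x1A0)}
    return None                     # unmapped object, or a type this reader does not decode


def selected_object(snap):
    """Selected target: ID at [312df1c] + 1478, then the array at 0312df20."""
    id_addr = resolve(snap, SEL_BASE, [SEL_ID_OFF])
    sel = None if id_addr is None else snap.u32(id_addr)
    return None if sel is None else read_object(snap, sel)


def build_snapshot():
    """Constructed image: slot 0 null, slot 1 a monster, slot 2 an item, slot 3 dangling."""
    role, monster, item = 0x0E200000, 0x0E300000, 0x0E400000
    head = bytearray(struct.pack("<I", role))                  # [312df1c] -> role object
    head += struct.pack("<4I", 0, monster, item, 0x0E500000)   # 0312df20: slots 0..3
    role_obj = bytearray(0x1480)
    struct.pack_into("<I", role_obj, SEL_ID_OFF, 1)            # selected ID = 1
    m = bytearray(0x1030)
    struct.pack_into("<II", m, 0x8, TYPE_MONSTER, 1)           # type, id
    struct.pack_into("<f", m, 0x31C, 12.5)                     # distance
    m[0x320:0x325] = b"wolf\0"                                 # name (constructed)
    struct.pack_into("<I", m, 0x380, 0)                        # 0 = alive
    struct.pack_into("<f", m, 0x1018, 100.0)                   # X
    struct.pack_into("<f", m, 0x1020, 200.0)                   # Y
    i = bytearray(0x200)
    struct.pack_into("<II", i, 0x8, TYPE_ITEM, 2)
    struct.pack_into("<f", i, 0x64, 3.0)
    i[0x94:0x9B] = b"potion\0"
    struct.pack_into("<fff", i, 0x198, 1.0, 2.0, 3.0)          # X, Z, Y
    return Snapshot({SEL_BASE: head, role: role_obj, monster: m, item: i})


if __name__ == "__main__":
    snap = build_snapshot()
    print(selected_object(snap))
    print(read_object(snap, 2), read_object(snap, 3))
```

Slot 3 points at an address the snapshot does not contain, which is the situation consideration 3 warns about (an object freed and its base address reused); the reader returns None there instead of decoding garbage, and a caller that loops over the array simply skips such entries.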
