Several Game-Assisted Analysis notes (1)

The annual "big project" for reinstallation of the system has been under construction.

Sort out the tools and materials of last year. Today, we start to give our customers a bit of gameplay assistance. (The customer will not mind if it has been more than a year)

Today is the first article.

Analysis notes of long Xiang mi Chuan

Blame

Breakthrough:

Ce searches for the change value and does not stop selecting the blame. Locate the following:Code:

 
00413b5e-89 be B0 00 00-mov [ESI + 000000b0], EDI
 

Trace back

00435bdc/E9 4b090000 JMP running | 8b0d 08536300 mov ECx, dword ptr [635308] 00435be7 | 8b11 mov edX, dword ptr [ECx] 00435be9 | 8b46 0C mov eax, dword ptr [ESI + C] 00435bec | 8b52 34 mov edX, dword ptr [edX + 34] 00435bef | 6a 00 push 0; fixed parameter 00435bf1 | 50 push eax; monster id00435bf2 | ffd2 call edX; special call edX = 0048ac00
 

This call is a strange call.

 
This call can be called directly to select the strange _ ASM {push 0 // fixed parameter push ID // monster idcall 0x0048ac00}
 

 

Monster list
Breakthrough:
Follow up the call of 00435bf2 and find another call:

00413aa9 |. 53 push EBX; monster id00413aaa |. ffd2 call edX; obtain the base address of the object based on the monster ID and follow up the call to find another call: 00412ca5 |. 50 push eax; monster ID pointer 00412ca6 |. 8d4c24 14 Lea ECx, dword ptr [esp + 14] 00412caa |. 51 push ECx; the return address of the Upper-layer call is 00412cab |. e8 30260000 call 003852e0; get the monster list ///// 00412cab |. e8 30260000 call 0000002e0; get the monster list
 

This call is critical, and it is critical to traverse the monster list. The following is an analysis of this call:

0000002e0/$55 push ebp0000002e1 |. 8bec mov EBP, esp001162e3 |. 8b4f 18 mov ECx, dword ptr [EDI + 18]; Super image monster list (ECx = [01c398b8 + 18] = 01c000090) 003662e6 |. 8b41 04 mov eax, dword ptr [ECx + 4]; eax = [[[635210] + 90 + 18] + 4] = 209046180020.2e9 |. 83ec 10 sub ESP, 1000100002ec |. 8078 15 00 CMP byte PTR [eax + 15], 000100002f0 |. 53 push ebx0000002f1 |. 56 push esi0000002f2 |. 8bf1 mov ESI, ecx0000002f4 |. 75 1E jnz short 0000003140000002f6 |. 8b4d 0C mov ECx, dword ptr [EBP + C]; monster id003852f9 |. 8b09 mov ECx, dword ptr [ECx] 002132fb |. EB 03 JMP short 0000003000000002fd | 8d49 00 Lea ECx, dword ptr [ECx] 00415300 |> 3948 0C/cmp dword ptr [eax + C], ecx000000303 |. 7D 05 | jge short 00000030a000000305 |. 8b40 08 | mov eax, dword ptr [eax + 8] 00415308 |. EB 04 | JMP short 00000030e00000030a |> 8bf0 | mov ESI, eax; ESI will be treated as the return value of this call 00000030c |. 8b00 | mov eax, dword ptr [eax] 0034730e |> 8078 15 00 | CMP byte PTR [eax + 15], 000415312 |. ^ 74 EC \ je short 00415300

After checking the memory model accessed by code 00415300 to code 00415312, you can determine that the monster list is a binary tree. first obtain the eax, that is, the root node of the monster binary tree. eax = [[[635210] + 90 + 18] + 4], and then from 00415300 to 00415312 is the key. Here we traverse the binary tree to find the object of the corresponding ID. the left Tree is small ([eax]), and the right tree is large ([eax + 8]). [eax + 4] is the parent node. [eax + C] is ID. [eax + 15] is a bool type. The disassembly Code shows that this variable is the final condition of the entire traversal. therefore, we boldly speculate that [eax + 15] indicates whether the previous node of the node is selected. true if it is selected.

By calling the upper-layer call of this call: 00412cef |> \ 8b47 10 mov eax, dword ptr [EDI + 10]; we can see that [eax + 10] is the address of the monster object, so we can declare a data structure as follows:

 
Typedef struct _ NPC {NPC * leftsmall; NPC * parent; NPC * rightbig; int ID; Data * pdata;} NPC;
 

Write a rough Simulation Based on the disassembly code 00.02ec to 00415312AlgorithmAs follows:

NPC * getaddressbyid (int nid) {NPC * A =. head; NPC * temp = NULL; NPC * Find = NULL; if (a-> selected = false) {int id = NID; do {if (a-> id <ID) // if the current ID is smaller than the given ID, traverse the {temp = A-> rigthbig ;} else {find = A; A = A-> leftsmall ;}} while (a-> Selecte! = False);} return find ;}
 

The following is an algorithm for traversing the monster list based on analysis data: (pre-order recursion)

 
Carray <data *, data * &>Npcarray;VoidPreorder (NPC *Tree ){If(Tree-> ID! =0) {Npcarray. Add (tree->Pdata); preorder (tree->Leftsmall); preorder (tree->Rightbig );}}
 

Note that this root node is used to traverse and include monster objects and other useless objects, which need to be filtered out.
If the item is filtered out, the maximum blood volume and the current blood volume are both 0, which can be used as a basis for determining whether the item is an item. the leaf node of a binary tree has a variable indicating the object type, such as a backpack, a monster, or an item on the ground. no analysis is available. the maximum blood volume and current blood volume are used for determination.

 

Blame

Breakthrough:

Od searches for "skill" in the gameclient module and finds send_skill... after looking back at several call layers, it finds a switch branch, which is strange when it is 7.

00423317 |. e8 14200000 call 0000003300042331c |. 5f pop edi0042331d |. 5E pop esi0042331e |. 8be5 mov ESP, ebp00423320 |. 5D pop ebp00423321 |. c3 retn00423322 |> 56 push ESI; ESI = upper ECx (DWORD [esi] constant is 5e6e68); Case 7 of switch 0042327e00423323 |. e8 d81c0000 call 00425000; *************** the real call distance will automatically be closer to step 1, 00423328 if the call distance is not enough |. 5f pop edi00423329 |. 5E pop esi0042332a |. 8be5 mov ESP, ebp0042332c |. 5D pop ebp0042332d |. c3 retn
 

Direct call 00425000 will attack the currently selected blame.
ESI = upper ECx.

The upper-Layer Code is as follows:

00418f0f |. 8b8b cc010000 mov ECx, dword ptr [EBX + 1cc]; ECx = [upper ECx + 1cc] upper ECx = 1eb3512800418f15 |. 85c9 test ECx, ecx00418f17 |. 74 06 je short 00418f1f00418f19 |. 8b01 mov eax, dword ptr [ECx] 00418f1b |. 8b10 mov edX, dword ptr [eax] 00418f1d |. ffd2 call edX; edX = 00423210, containing the real call
 

The ECX of this layer is equivalent to [ECx + 1cc of the upper layer of this layer]. After actual measurement, the ECX of the upper layer is always 1eb35128 (this value is very familiar, just like a value in the monster list, to be verified)

After the above analysis, the calling code of the call is as follows:

 
_ ASM {mov eax, [1eb35128 + 1cc] Push eaxcall 0x00425000}
 

The value of ECx = 1eb35128 is not constant. It is a new address after tracking.
Search process:
We found that DWORD [esi] is always 56e6e8 and directly searched for constants. We found two references: constructor and destructor, which can be used to break through. the Code near the constructor is as follows:

0041fc91 |. E8 08771300 call <JMP. & msvcr90.operator new> ;!!!!!!!!!!!!! Here we have a new object, which requires 0041fc96 for calling. |. 83c4 04 add ESP, 40041fc99 8945 F0 mov dword ptr [ebp-10], eax0041fc9c c645 FC 01 mov byte PTR [ebp-4], 10041fca0 3bc7 CMP eax, edi0041fca |. 74 09 je short 0041fcad0041fca4 |. 56 push esi0041fca5 |. 50 push eax0041fca6 |. e8 d5330000 call 00423080
 

OK. Now that it is new, we can make a memory patch for it:

Find a blank space below (the key is that the needle cannot overwrite the original code)
Enter the following code:

 
0041fd31 A3 0afd4100 mov dword ptr [41fd0a], eax0041fd36 8945 F0 mov dword ptr [ebp-10], eax0041fd39 E9 15010000 JMP 0041fe530041fe53 c645 FC 01 mov byte PTR [ebp-4], 10041fe57 ^ E9 44 feffff JMP 0041fca0
 

After the modification, the original code becomes as follows:

 
0041fc91 |. E8 08771300 call <JMP. & msvcr90.operator new> ;!!!!!!!!!!!!! Here we have a new object, which requires 0041fc96 for calling. |. 83c4 04 add ESP, 40041fc99 E9 93000000 JMP 0041fd310041fc9e 90 nop0041fc9f 90 nop0041fca0 |. 3bc7 CMP eax, edi0041fca |. 74 09 je short 0041fcad0041fca4 |. 56 push esi0041fca5 |. 50 push eax0041fca6 |. e8 d5330000 call 00423080; In this call, eax is filled with 56e6e80041fcab |. EB 02 JMP short 0041 fcaf
 

Note:Because the new code is in the. text section, and the section cannot be written, you can use PE explorer to change the section to writable during the test. Otherwise
004236d9 A3 d8364200 mov dword ptr [4236d8], the eax code will be incorrect. Pay attention to modifying the Memory attribute when implementing the code.

(Updated) the call was found in the first test version because it would judge the strange distance. If it was not enough, it would automatically approach. after actual measurement, when this call is not completed (that is, when it is automatically approaching the monster) and the call is called again, the game will crash, thus determining that this call is not a thread-safe function, the caller needs to ensure thread security. so this call is too bad! Continue to find a perfect call...

 
004235b5 |> \ 8b42 08 mov eax, dword ptr [edX + 8]; Case 3 of switch 00423555004235b8 |. 8b4a 0C mov ECx, dword ptr [edX + C] 004235bb |. 8b52 10 mov edX, dword ptr [edX + 10] 004235be |. 52 push edX; edX = 1eb monster id004235bf |. 51 push ECx; 1004235c0 |. 50 push eax; 0004235c1 |. e8 9a120000 call 00424860;
 

The previous call is actually automatically called by the message loop. If you check whether a tag exists, the call previously found is called automatically. here, this call can be understood as setting a flag. after setting, messages can be automatically called cyclically.
Note !!!!!!!!!!!Call this call, which requires an internal ESI value assignment.

The ESI value assignment for the previous call is as follows:

0048b85a |. /74 54 je short 0048b8b00048b85c |. | 8b0d 10526300 mov ECx, dword ptr [635210] 0048b862 |. | 8b51 50 mov edX, dword ptr [ECx + 50] 0048b865 |. | 8b8a cc010000 mov ECx, dword ptr [edX + 1cc]; The esi0048b86b is provided for calling monsters. |. | c74424 50 020> mov dword ptr [esp + 50], 20048b873 |. | Ba 03000000 mov edX, 30048b878 |. | 66: 895424 08 mov word PTR [esp + 8], dx0048b87d |. | 8b10 mov edX, dword ptr [eax]
 

Code implementation:

 
_ ASM {mov ECx, [635210] mov edX, [ECx + 50] mov ESI, [edX + 1cc] Push 0x6d // monster idpush 1 Push 0 call 00424860}
 

Monster object:
+ Maximum value of the 14 ID range
+ 48 monster ID
+ 11C X coordinate
+ 120 Y coordinates
Name: [158] + 8] + 8 + 4
Breakthrough: Ce searches for the name, finds the corresponding blame, and downloads the memory access breakpoint
Blood Volume:
Current: [[+ 158] + 8] + 80]
Maximum: [[+ 158] + 8] + 80 + 8]

004191a2 |. 8b86 58010000 mov eax, dword ptr [ESI + 158]; key start of reading name 004191a8 |. 8b40 08 mov eax, dword ptr [eax + 8] 004191ab |. 83c0 08 add eax, 8004191ae |. 8378 18 10 cmp dword ptr [eax + 18], 10004191b2 |. 72 05 JB short 004191b9004191b4 |. 8b40 04 mov eax, dword ptr [eax + 4] 004191b7 |. EB 03 JMP short 004191bc004191b9 |> 83c0 04 add eax, 4004191bc |> 8d50 01 Lea edX, dword ptr [eax + 1] 004191bf |. 90 nop004191c0 |> 8a08/mov Cl, byte PTR [eax] 004191c2 |. 40 | Inc eax004191c3 |. 84c9 | test Cl, cl004191c5 |. ^ 75 F9 \ jnz short 004191c0
 

Analysis of the selected object:

 00436848 |. 8b4424 10 mov eax, dword ptr [esp + 10] 0041084c |. 8bf0 mov ESI, eax0044e 4E |. 75 0f jnz short 00400005f004000050 |. c780 e8000000> mov dword ptr [eax + E8], 30041085a |. e9 8e010000 JMP 004425ed0044255f |> c780 e8000000> mov dword ptr [eax + E8], 200436869 |. d903 upload dword ptr [EBX] 00400006b |. d998 a0000000 fstp dword ptr [eax + a0]; currently selected item id004000071 |. d943 08 export dword ptr [EBX + 8] 00436874 |. c780 a8000000> mov dword ptr [eax + A8], 10044257e |. d998 a4000000 fstp dword ptr [eax + A4]; the currently selected strange ID eax = 01c36c80 is constant 00436884 |. e9 64010000 JMP 004108ed0041049 |> 8b17 mov edX, dword ptr [EDI]; Case 3 of switch 004366e7004104b |. 8b42 18 mov eax, dword ptr [edX + 18] 0043688e |. 8bcf mov ECx, edi004000090 |. ffd0 call eax 

This code segment keeps pushing the stack out of the stack in the floating point register. eax = 01c36c80 is the base address of the currently selected object.
Eax = 01c36c80 is constant. To ensure that the address can be found successfully after the game is upgraded, the following is the eax signature.
First, eax = [esp] + 10
Check the start of the function. It is actually the pressure stack of EBX. Continue back to EBX.
The following code is obtained:

 
0051ff10 |. 395d C0 cmp dword ptr [ebp-40], ebx0051ff13 |. 0f85 87020000 jnz 005201a00051ff19 |. 8b0d 34526300 mov ECx, dword ptr [635234] 0051ff1f |. 8b1d 1c526300 mov EBX, dword ptr [63521c]; base address of the currently selected object 0051ff25 |. 8b01 mov eax, dword ptr [ECx] 0051ff27 |. 8b33 mov ESI, dword ptr [EBX]; gameclie.005e7efc0051ff29 |. 8b50 40 mov edX, dword ptr [eax + 40] 0051ff2c |. 83c6 4C add ESI, 4c0051ff2f |. ffd2 call edX
 

As shown above: [63521c] is the base address of eax.

+ A0 ID of the currently selected item

+ A4 the ID of the selected monster

 

Item List

Breakthrough

Ce monitoring rewrite address 01c36c80 + a0 code:

 
00400006b-D9 98 A0 00 00-fstp dword ptr [eax + 000000a0] // 0042fbf5-89 47 08-mov [EDI + 08] is excluded, eax0041ff3e-C7 40 08 00 00 00-mov [eax + 08], 00000000 // cleared
 

0042fbf5-89 47 08-mov [EDI + 08], eax is the key

All the way back, we found that the function of traversing the item list is the same as that of traversing the monster.
Note that this root node is used to traverse and include monster objects and other useless objects, which need to be filtered out.
If the item is filtered out, the maximum blood volume and the current blood volume are both 0, which can be used as a basis for determining whether the item is an item. the leaf node of a binary tree has a variable indicating the object type, such as a backpack, a monster, or an item on the ground. no analysis is available.

 

Skills

 

004235ec |. 53 push EBX;-1004235ed |. 8b5c24 18 mov EBX, dword ptr [esp + 18] 004235f1 |. 53 push EBX;-1004235f2 |. 8b5c24 18 mov EBX, dword ptr [esp + 18] 004235f6 |. 53 push EBX;-1004235f7 |. 57 push EDI; monster id004235f8 |. 52 push edX;-1004235f9 |. 51 push ECx; 2004235fa |. 50 push eax; 0x16 skill code 004235fb |. 56 push ESI; ESI = 01c28be8 constant 004235fc |. e8 0f0b0000 call 00424110; this is the skill call