Several Game-Assisted Analysis notes (2)

Source: Internet
Author: User

---- Finding the base address of the five cards in Showhand on the Apsara 5 chess and card platform

The game process is named showhand.exe. It starts a new process every time you join a different table and ends it when you leave the table. A player must be an object, and that object must hold the cards in the current hand; but I do not know how the game represents the various cards in memory, so CE cannot be used to search for a card value directly. The key, therefore, is to find a way in.

A bold guess: the player object has a variable that records the number of cards currently on the table, and that can serve as the way in. Use CE to search for the number of cards in the current hand (the search procedure is omitted) and two addresses come up. Watching the values at the two addresses, one is the banker's card count and the other is your own. Through experiment we found that the card count on the table decreases by 1, which lets us determine which address records the number of cards on the table.

Next open OD, attach it to the game, note the memory address holding your own card count, and set a memory write breakpoint on it. Have a card dealt in the game and the breakpoint hits at:

10001f02 - 89 73 10 - mov [EBX + 10], ESI

Next run the OD command dd EBX to view the memory at the address in EBX; it looks very much like the player object. So the player object has been found, and the way in is open.

Now the information can be sorted out: the code above shows that [object base address + 10] is your own card count, but nothing resembling card data appears in this memory. Intuitively, the object must hold a variable that records the address of the card information, so the next step is to look for data that looks like a memory address. The first find is [object base address + 4], which looks very much like an address. Use OD's "Follow in Dump" on it, try things in the game while watching that memory, and the memory is found: each time a card is dealt, part of it changes. Experience says this is the card information we are looking for. The remaining work is decoding the card information, which is mostly a matter of reading and observing more. Here is the final result:

[card information base address + 0x2] (byte) card information

[card information base address + 0x7] (byte) first card

[card information base address + 0x0d] (byte) second card

[card information base address + 0x13] (byte) third card

[card information base address + 0x19] (byte) fourth card

Each card is represented in one byte. The high 4 bits are the suit: diamonds 0, clubs 1, hearts 2, spades 3.

The low 4 bits are the rank, A ~ K = 0x1 ~ 0xd; for example, 0xd is K, 0xa is 10, and 0x0c is Q.

Another example: if a card's byte in memory is 3A, the card is the 10 of spades; if it is 1d, it is the K of clubs.

At this point the cards in your own hand have been found, but the face-up cards on the table are still missing, and inspecting the card-information memory above did not turn them up. With the card encoding worked out above, though, it is much easier: go back into the game and use CE to search for the byte value directly. For example, if the card is the 9 of hearts, search for 29, and that locates the card. Then use CE to debug the game process and find the code that accesses that memory; a few instructions come up. Note that every one of them accesses the address as [xxx + 2017160a], so pick one as needed:

00404214 - 8A 8E 0A 16 00 00 - mov Cl, [ESI + 2017160a]

When this instruction breaks, run the OD command dd ESI + 160a to get to the memory. Checking the data there shows that this card data is much better than the data analyzed above: it holds not only your own card information but the face-up card information as well, and this is the address the game itself uses to read the card information. The analysis result is as follows:

[(ESI + 160a) + 0] (byte) card

[(ESI + 160a) + 2] (byte) first card

[(ESI + 160a) + 3] (byte) second card

[(ESI + 160a) + 4] (byte) third card

[(ESI + 160a) + 5] (byte) fourth card

The high 4 bits and low 4 bits of each byte are encoded exactly as analyzed above.
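As an added example (not code from the original post), the following decodes the one-byte card encoding described above and reads a hand out of a memory dump using both layouts the post found. The offsets are the post's; the dump bytes, the 0x20 block position and the names are constructed for illustration.

```python
# Added example, not from the original post: decode the one-byte card
# encoding (high nibble = suit, low nibble = rank) and read a hand out of
# a memory dump using the two layouts the post found. Offsets are the
# post's; the dump bytes below are constructed for illustration.
from typing import List, Sequence

SUITS = {0x0: "diamonds", 0x1: "clubs", 0x2: "hearts", 0x3: "spades"}  # high 4 bits
FACES = {0x1: "A", 0xB: "J", 0xC: "Q", 0xD: "K"}                        # low 4 bits, named ranks

# Layout 1: relative to the card-information base found via [player object + 4].
HAND_OBJECT_OFFSETS = (0x02, 0x07, 0x0D, 0x13, 0x19)
# Layout 2: relative to ESI + 0x160a, the address the game reads cards from.
ESI_LAYOUT_OFFSETS = (0x00, 0x02, 0x03, 0x04, 0x05)


def decode_card(b: int) -> str:
    """Decode one card byte; rank runs A..K = 0x1..0xd, so 0x3A -> '10 of spades'."""
    suit, rank = b >> 4, b & 0x0F
    if suit not in SUITS or not 0x1 <= rank <= 0xD:
        raise ValueError(f"0x{b:02x} is not a valid card byte")
    return f"{FACES.get(rank, str(rank))} of {SUITS[suit]}"


def read_cards(dump: bytes, base: int, offsets: Sequence[int], count: int) -> List[str]:
    """Read `count` dealt cards (the post's count lives at [player object + 0x10])
    from dump[base + offset] for the first `count` offsets of a layout."""
    if not 0 <= count <= len(offsets):
        raise ValueError("card count out of range for this layout")
    return [decode_card(dump[base + off]) for off in offsets[:count]]


# Constructed dump: a card-information block at 0x20 holding three dealt cards
# in the hand-object layout; undealt slots stay 0x00.
DUMP = bytearray(0x40)
DUMP[0x20 + 0x02] = 0x3A   # 10 of spades (the post's example)
DUMP[0x20 + 0x07] = 0x1D   # K of clubs (the post's other example)
DUMP[0x20 + 0x0D] = 0x29   # 9 of hearts (the value the post searches for with CE)

if __name__ == "__main__":
    print(read_cards(bytes(DUMP), 0x20, HAND_OBJECT_OFFSETS, 3))
```

The same reader works on the ESI + 0x160a layout by passing ESI_LAYOUT_OFFSETS and the block's base.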

What remains is to find the base of ESI. Going back to the code 00404214 - 8A 8E 0A 16 00 00 - mov Cl, [ESI + 2017160a] shows that ESI is the ECX of the caller one level up; following that leads into the MFC module, which is too inefficient and troublesome to trace. Searching for the ESI value directly with CE instead shows that it is stored at 41a1c8, and testing 41a1c8 confirms that the card information base address is [[41a1c8] + 160a].

prawns in the Lijiang River
