In-game shout (chat) function: VC++ implementation
(a) Analysis of the call's parameters: base address + offset
(b) VC++ code implementation
"03:45" First find where ESI comes from.
"04:20" Use CE to search for the current value of ESI.
"05:08" The search turns up a base (static) address and a non-base (dynamic) address directly. This base address can be used as-is (ZC: no need to verify it); it will also be examined in the debugger later to see whether it changes.
"06:53" Try to find the origin of ESI starting from the non-base address.
"07:03" Next: a memory access breakpoint.
"08:30" A more complicated way of finding it.
"09:20" Finding the 2nd parameter: the address of the string we typed when sending.
"09:30" In CE, search for a substring of the text that was entered.
"09:50" Modify the text, then scan again.
"10:15" The same phenomenon as in the previous lesson: the base address is used for the input-box display, while the non-base address is what is used to send the network data. Test to verify: change the text content with CE, press ENTER directly in the game, and see what appears above the character's head.
"10:49" On the non-base address found above, set a memory write breakpoint in OD (ZC: Why a write breakpoint? Sending network data should be a read breakpoint, ah... The purpose here is to find the origin of this memory, not to locate the network-sending code, so breaking on the write to the data works too, ah...!!)
"11:25" On the non-base address found above, set a memory access breakpoint in OD (ZC: -.-)
"12:26" The "REPNE SCAS" instruction (ZC: by default it uses EAX and ECX)
"16:00" With this instruction, pressing F7 in OD executes one iteration of the loop.
"17:11" At this point the value of EDI is 0x065ef2ab; subtracting 7 gives 0x065ef2a4, the head of the string (ZC: if EDI points to a struct pointer, why does this struct feel so strange...)
"17:20" ZC: He is right here; this is restoring the original value of EDI. At "15:58", before "REPNE SCAS" begins, EDI is 0x065EF2A4 and points to the beginning of the string; with each execution of "REPNE SCAS" the value of EDI increases by 1 (equivalent to stepping a char* pointer in turn); the instruction explicitly specifies the use of EDI (does this instruction use EDI by default regardless? since string operations generally use ESI/EDI). EDI does not point to a struct pointer but is a char*.
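The two things the notes above rely on, resolving a "base address + offset" to the dynamic (non-base) buffer, and the way "REPNE SCAS" walks EDI one byte past the terminator so that the caller has to subtract (length + 1) to get back to the head of the string, are shown together in the added C example below. It is not the video's VC++ code and not from the notes: the struct layout, the offset and the `hello!` input (6 bytes, so EDI advances by 7, the same arithmetic as 0x065ef2ab - 7 = 0x065ef2a4) are constructed for illustration, and the byte form of the instruction (REPNE SCASB with AL = 0, ECX = -1) is assumed, since that is the usual strlen idiom.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the game's memory (hypothetical layout, not from
 * the video): a static slot, the "base address" CE reports, holds a pointer
 * to a per-character object; the chat input buffer sits at a fixed offset
 * inside that object, which is the "non-base address". */
struct chat_ctx {
    uint32_t pad[3];     /* hypothetical fields before the buffer */
    char     input[32];  /* the dynamic buffer the send code reads */
};

static struct chat_ctx  g_ctx;                 /* dynamic object */
static struct chat_ctx *g_base_ptr = &g_ctx;   /* static slot = base address */

#define INPUT_OFFSET offsetof(struct chat_ctx, input)

/* [base] + offset: read the pointer stored at the base address, then add the
 * offset to reach the non-base address. This is what a VC++ caller would do
 * before putting the buffer address in ESI or pushing it as a parameter. */
char *resolve_input(struct chat_ctx **base, size_t offset)
{
    uint8_t *obj = (uint8_t *)*base;
    return (char *)(obj + offset);
}

/* Software model of REPNE SCASB: compare AL with [EDI], advance EDI by 1,
 * decrement ECX, stop when ECX reaches 0 or right after a match (ZF = 1).
 * Because EDI is advanced even on the matching step, it ends ONE PAST the
 * terminator; that is the "+1" hidden in the notes' "minus 7". */
struct scas_state { const uint8_t *edi; uint32_t ecx; int zf; };

struct scas_state repne_scasb(const uint8_t *edi, uint32_t ecx, uint8_t al)
{
    struct scas_state s = { edi, ecx, 0 };
    while (s.ecx != 0) {
        s.zf = (*s.edi == al);
        s.edi++;
        s.ecx--;
        if (s.zf)
            break;
    }
    return s;
}

/* The compiler's strlen idiom: ECX = -1; AL = 0; REPNE SCASB; NOT ECX; DEC ECX. */
size_t asm_style_strlen(const char *str)
{
    struct scas_state s = repne_scasb((const uint8_t *)str, 0xFFFFFFFFu, 0);
    uint32_t ecx = ~s.ecx;   /* NOT ECX: number of bytes scanned, incl. the NUL */
    ecx -= 1;                /* DEC ECX: drop the NUL */
    return ecx;
}

/* How far EDI moved from the head of the string: strlen + 1. Restoring EDI
 * means subtracting exactly this amount. */
size_t edi_advance(const char *str)
{
    struct scas_state s = repne_scasb((const uint8_t *)str, 0xFFFFFFFFu, 0);
    return (size_t)(s.edi - (const uint8_t *)str);
}

int main(void)
{
    char *head = resolve_input(&g_base_ptr, INPUT_OFFSET);
    strcpy(head, "hello!");   /* constructed 6-byte input */

    struct scas_state s = repne_scasb((const uint8_t *)head, 0xFFFFFFFFu, 0);
    printf("head=%p edi_after=%p advance=%zu strlen=%zu\n",
           (void *)head, (const void *)s.edi, edi_advance(head), asm_style_strlen(head));
    printf("edi_after - %zu == head: %s\n", edi_advance(head),
           (const char *)s.edi - edi_advance(head) == head ? "yes" : "no");
    return 0;
}
```

The base pointer is dereferenced on every call rather than cached, which is the practical reason the notes prefer the base address: the object behind it can be reallocated (new character, relog) while the static slot stays put, and a cached non-base address would then point at stale memory.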
yjx_rxjh_18_3.1.2