Game: Tianlong Babu
Version: 0.13.0402
System: Windows XP
Tools: Cheat Engine 5.2 + OllyDbg 1.10
Objective: find the character base address
Step 1: Search for the character's HP in CE. This returns a large set of candidate addresses; lose some HP and search again until a single address remains: 0abdc360 (the HP address).
Step 2: Switch maps and observe that this address no longer holds HP: it is a dynamic address. Repeat step 1 to find the new HP address (address omitted).
Step 3: Without switching maps again, set a write-access memory breakpoint on the new HP address in CE 5.2 (an OD memory-on-write breakpoint works as well). The breakpoint lands in the following assembly:
0044b280  55             push ebp
0044b281  8bec           mov ebp, esp
0044b283  56             push esi
0044b284  8bf1           mov esi, ecx                          ; 1.2  esi = ecx
0044b286  8b4e 04        mov ecx, dword ptr ds:[esi+4]
0044b289  8b01           mov eax, dword ptr ds:[ecx]
0044b28b  57             push edi
0044b28c  ff90 14010000  call dword ptr ds:[eax+114]
0044b292  83f8 02        cmp eax, 2
0044b295  8b3d 48465700  mov edi, dword ptr ds:[<&tengine.?ThrowStringException@@YAXPBDZZ>]
0044b29b  75 19          jnz short game.0044b2b6
0044b29d  68 63050000    push 563
0044b2a2  68 54975700    push game.00579754                    ; ASCII ".\datapool\gmdp_characterdata.cpp"
0044b2a7  68 48975700    push game.00579748                    ; ASCII "ct_monster"
0044b2ac  68 20975700    push game.00579720                    ; ASCII "character must not %s, (File: %s line: %d )"
0044b2b1  ffd7           call edi
0044b2b3  83c4 10        add esp, 10
0044b2b6  8b4e 04        mov ecx, dword ptr ds:[esi+4]
0044b2b9  8b11           mov edx, dword ptr ds:[ecx]
0044b2bb  ff92 14010000  call dword ptr ds:[edx+114]
0044b2c1  83f8 01        cmp eax, 1
0044b2c4  75 19          jnz short game.0044b2df
0044b2c6  68 64050000    push 564
0044b2cb  68 54975700    push game.00579754                    ; ASCII ".\datapool\gmdp_characterdata.cpp"
0044b2d0  68 78975700    push game.00579778                    ; ASCII "ct_playerother"
0044b2d5  68 20975700    push game.00579720                    ; ASCII "character must not %s, (File: %s line: %d )"
0044b2da  ffd7           call edi
0044b2dc  83c4 10        add esp, 10
0044b2df  8b46 08        mov eax, dword ptr ds:[esi+8]         ; 1.2  eax = [esi+8]
0044b2e2  8b4d 08        mov ecx, dword ptr ss:[ebp+8]         ; 1.1  HP comes from the first parameter of the parent function
0044b2e5  8988 b8060000  mov dword ptr ds:[eax+6b8], ecx       ; 1.1  HP is written here
0044b2eb  8b0d 9c975b00  mov ecx, dword ptr ds:[5b979c]
0044b2f1  8b11           mov edx, dword ptr ds:[ecx]
0044b2f3  68 b4545700    push game.005754b4                    ; ASCII "Player"
0044b2f8  6a 19          push 19
0044b2fa  ff52 4c        call dword ptr ds:[edx+4c]
0044b2fd  5f             pop edi
0044b2fe  5e             pop esi
0044b2ff  5d             pop ebp
0044b300  c2 0400        retn 4
This is one complete sub-function. The instruction that actually writes HP is the one at 0044b2e5 (annotated 1.1), so HP lives at [eax+6b8]: 6b8 is an offset and eax holds the pointer to the structure that contains HP. From the code we know eax = [esi+8], and esi = ecx as passed in by the caller. The annotations 1.1, 1.2 and 1.3 in the listing mark the points at which eax and ecx take the values that remain in effect up to the write.
Step 4: Lose some HP and observe that the HP address does not change. In OD the breakpoint at 0044b2f5 hits, and eax and ecx are unchanged at that point, which suggests that the HP address is only re-allocated when the map is switched.
Step 5: After switching maps the breakpoint hits again, and eax and ecx now differ from before, so the guess above is probably right. Since eax = [esi+8] = [ecx+8], eax depends on ecx, and ecx is set by the caller, so the call stack can be used to see where the caller gets ecx from. In OD's call stack window, press Enter on the parent function. Its code follows:
004d7a10  55             push ebp
004d7a11  8bec           mov ebp, esp
004d7a13  51             push ecx
004d7a14  a1 f0975b00    mov eax, dword ptr ds:[5b97f0]
004d7a19  3b05 e4975b00  cmp eax, dword ptr ds:[5b97e4]
004d7a1f  53             push ebx
004d7a20  56             push esi
004d7a21  0f85 ab080000  jnz game.004d82d2
004d7a27  8b75 08        mov esi, dword ptr ss:[ebp+8]
004d7a2a  8b0d 78695b00  mov ecx, dword ptr ds:[5b6978]
004d7a30  8b46 08        mov eax, dword ptr ds:[esi+8]
004d7a33  8b11           mov edx, dword ptr ds:[ecx]
004d7a35  50             push eax
004d7a36  ff52 44        call dword ptr ds:[edx+44]            ; 2.5  eax is this call's return value; the call returns an important address
004d7a39  8bd8           mov ebx, eax                          ; 2.4  ebx = eax
004d7a3b  85db           test ebx, ebx
004d7a3d  0f84 8f080000  je game.004d82d2
004d7a43  33c0           xor eax, eax
004d7a45  8a46 0c        mov al, byte ptr ds:[esi+c]
004d7a48  57             push edi
004d7a49  8bbb 2c010000  mov edi, dword ptr ds:[ebx+12c]       ; 2.3  edi = [ebx+12c]
004d7a4f  83e0 01        and eax, 1
004d7a52  8945 fc        mov dword ptr ss:[ebp-4], eax
004d7a55  74 2b          je short game.004d7a82
004d7a57  8b4e 18        mov ecx, dword ptr ds:[esi+18]
004d7a5a  51             push ecx
004d7a5b  8bcf           mov ecx, edi
004d7a5d  e8 de1ff7ff    call game.00449a40
004d7a62  8b15 78695b00  mov edx, dword ptr ds:[5b6978]
004d7a68  3b5a 44        cmp ebx, dword ptr ds:[edx+44]
004d7a6b  75 15          jnz short game.004d7a82
004d7a6d  8b57 08        mov edx, dword ptr ds:[edi+8]
004d7a70  8b0d 10985b00  mov ecx, dword ptr ds:[5b9810]
004d7a76  8b52 70        mov edx, dword ptr ds:[edx+70]
004d7a79  8b01           mov eax, dword ptr ds:[ecx]
004d7a7b  52             push edx
004d7a7c  ff90 a0000000  call dword ptr ds:[eax+a0]
004d7a82  33c0           xor eax, eax
004d7a84  8a46 0c        mov al, byte ptr ds:[esi+c]
004d7a87  83e0 02        and eax, 2
004d7a8a  d1e8           shr eax, 1
004d7a8c  85c0           test eax, eax
004d7a8e  74 0b          je short game.004d7a9b
004d7a90  8b46 20        mov eax, dword ptr ds:[esi+20]
004d7a93  50             push eax                              ; 2.1  eax holds HP and is passed to the sub-function
004d7a94  8bcf           mov ecx, edi                          ; 2.2  ecx = edi
004d7a96  e8 e537f7ff    call game.0044b280                    ; 2.1  ecx is passed into the sub-function
004d7a9b  33c0           xor eax, eax
call game.0044b280 is the sub-function found in step 3; when it is called, the HP value is passed to it as a parameter. I have not worked out exactly what the sub-function does; most likely it writes the HP value into memory after a packet has been received.
Continuing with this code: from 2.1, 2.2 and 2.3 it follows that ecx = [ebx+12C], so 12C looks like an offset. Breaking at 2.3 gives ebx = 0b387708 at that moment. From 2.4 (ebx = eax) and 2.5 (eax is the return value of the call at 004d7a36), ebx is the return value of that sub-function. Stepping through it dynamically confirmed that the call at 2.5 does return 0b387708. What that function does in detail was not worked out; the value is produced by a long sequence of address operations.
Step 6: In CE, scan for the value 0b387708; this finds two addresses, 013d2bd8 and 013d6064. After switching maps the value in both addresses changes, but both still hold the same value, and computing [[[new value + 12C] + 8] + 6b8] with it again yields the HP value.
These two addresses therefore appear to be static. After restarting the game, the HP value can still be obtained by the same operation, which confirms this.
The first of them, 013d2bd8, is the base address we were looking for; HP is reached from it through three offsets: 12C, 8 and 6b8.
The target is basically completed. Over!
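The pointer chain that step 6 ends with, HP = [[[013d2bd8 + 12C] + 8] + 6b8], is the kind of claim an analyst checks against a memory dump rather than a live game, so here is an added example (not code from the write-up) that resolves such a chain over a small constructed 32-bit memory image and treats a null or unmapped pointer as a stale chain instead of reading through it, which is exactly what happens while a map switch rebuilds the objects. The static base, the three offsets, the manager address 0b387708 and the HP address 0abdc360 come from the write-up; all other addresses, the object sizes and the simulated map switch are constructed for the example.

```python
"""Pointer-chain resolution over a constructed 32-bit memory image.

Added example, not code from the write-up above. Static base, offsets,
0b387708 and 0abdc360 are from the write-up; every other address and the
"map switch" that rebuilds the objects are constructed for this example.
"""
import struct

U32 = struct.Struct("<I")        # 32-bit little-endian pointer, as on the XP target

STATIC_BASE = 0x013D2BD8         # from the write-up
OFFSETS = [0x12C, 0x8, 0x6B8]    # from the write-up


class MemoryImage:
    """Sparse little-endian memory image: a few mapped regions, everything else unmapped."""

    def __init__(self):
        self.regions = {}  # region base address -> bytearray

    def map(self, base, size):
        self.regions[base] = bytearray(size)

    def _locate(self, addr, n):
        for base, buf in self.regions.items():
            if base <= addr and addr + n <= base + len(buf):
                return buf, addr - base
        raise ValueError(f"unmapped read of {n} bytes at {addr:#010x}")

    def read_u32(self, addr):
        buf, off = self._locate(addr, 4)
        return U32.unpack_from(buf, off)[0]

    def write_u32(self, addr, value):
        buf, off = self._locate(addr, 4)
        U32.pack_into(buf, off, value)


def resolve_chain(mem, static_base, offsets):
    """Walk a CE-style chain [[[static]+o0]+o1]+o2 and return (field_address, trail).

    The last offset is added but not dereferenced, so the result is the address
    of the field (HP here). A null or unmapped pointer anywhere on the way means
    the chain is stale (objects torn down) and is reported instead of read through.
    """
    ptr = mem.read_u32(static_base)
    trail = [ptr]
    for off in offsets[:-1]:
        if ptr == 0:
            raise ValueError(f"null pointer in chain, trail {[hex(p) for p in trail]}")
        ptr = mem.read_u32(ptr + off)   # raises ValueError if unmapped
        trail.append(ptr)
    if ptr == 0:
        raise ValueError("null pointer before final offset")
    return ptr + offsets[-1], trail


def build_objects(mem, manager, player, data, hp):
    """Lay out the three objects the listings imply and link them (constructed layout).

    manager : what the call at 2.5 returns (ebx)
    player  : [manager + 12C]  (edi at 2.3, passed to the sub-function as ecx)
    data    : [player + 8]     (eax at 1.2); HP sits at data + 6b8 (1.1)
    """
    mem.map(manager, 0x200)
    mem.map(player, 0x20)
    mem.map(data, 0x700)
    mem.write_u32(STATIC_BASE, manager)
    mem.write_u32(manager + 0x12C, player)
    mem.write_u32(player + 0x8, data)
    mem.write_u32(data + 0x6B8, hp)


def demo():
    """Resolve HP before and after a simulated map switch; returns the observations."""
    mem = MemoryImage()
    mem.map(STATIC_BASE, 4)
    # Before the switch: manager from the write-up; data placed so that HP lands at 0abdc360
    build_objects(mem, manager=0x0B387708, player=0x0B3A0000, data=0x0ABDBCA8, hp=1500)
    hp_addr, _ = resolve_chain(mem, STATIC_BASE, OFFSETS)
    before = (hp_addr, mem.read_u32(hp_addr))

    # Map switch: the static slot is cleared while the objects are rebuilt ...
    mem.write_u32(STATIC_BASE, 0)
    try:
        resolve_chain(mem, STATIC_BASE, OFFSETS)
        stale_detected = False
    except ValueError:
        stale_detected = True

    # ... then rebuilt at new (constructed) addresses; the old HP address is now meaningless
    build_objects(mem, manager=0x0B500000, player=0x0B510000, data=0x0AC00000, hp=1500)
    hp_addr2, trail = resolve_chain(mem, STATIC_BASE, OFFSETS)
    after = (hp_addr2, mem.read_u32(hp_addr2))
    return before, stale_detected, after, trail


if __name__ == "__main__":
    print(demo())
```

Running it shows the same chain yielding HP both before and after the rebuild, while the attempt made in between is refused rather than producing a wrong read. Against a real dump the only change is to replace MemoryImage with a reader over the dump's mapped regions; the null and unmapped checks are what distinguish a genuinely static base from a pointer that merely survived one session.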