QQ Four-Country Military Chess 2.1 beta03 build 018 card recorder development ideas (III)

Source: Internet
Author: User

Today we found that the four-country version was updated to build 18. The starting address of the chess-piece memory changed to 0x4979fc. The full address calculation is:

// C# code
private static readonly IntPtr baseAddress = (IntPtr)0x4979fc;

int address = baseAddress.ToInt32();
int[,] land = new int[17, 17];          // address of each of the 17x17 cells

for (int i = 0; i < 17; i++)
{
    for (int j = 0; j < 17; j++)
    {
        land[i, j] = address;           // record this cell's address
        address += 12;                  // each element is 12 bytes
        Console.Write(land[i, j].ToString("X"));
        Console.Write("\t");
    }
    Console.WriteLine();
}

It is a 17x17 array with an element size of 12 bytes. The first 4 bytes are the piece, and the middle 4 bytes are the piece's colour. A friend asked: are you sure this is verified on the client? If it is verified on the client, that is the developer's problem rather than the card recorder's.
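The layout just described (base 0x4979fc, 17x17 cells, 12-byte elements, piece id then colour), modelled as an added example that is not the article's own code. It works over a constructed in-process snapshot rather than the game, so the address arithmetic and the inverse address-to-index mapping can be checked offline; the piece id and colour values are hypothetical sample values.

```csharp
using System;

// Added example (not from the article): models the 17x17 piece table described
// above over a constructed byte[] snapshot. Little-endian, as on x86.
static class BoardLayout
{
    const int Base = 0x4979fc;   // starting address from the article
    const int Size = 17;         // 17x17 cells
    const int Stride = 12;       // bytes per cell: piece (4), colour (4), 4 unused

    // Address of cell [i, j], laid out row by row exactly as in the article's loop.
    public static int CellAddress(int i, int j) => Base + (i * Size + j) * Stride;

    // Inverse mapping: does this address start a cell, and if so which one?
    public static bool TryIndexOf(int address, out int i, out int j)
    {
        i = j = -1;
        int offset = address - Base;
        if (offset < 0 || offset % Stride != 0 || offset / Stride >= Size * Size) return false;
        i = (offset / Stride) / Size;
        j = (offset / Stride) % Size;
        return true;
    }

    // Decode one cell of a snapshot (bytes copied starting at Base).
    public static (int piece, int colour) DecodeCell(byte[] snapshot, int i, int j)
    {
        int off = CellAddress(i, j) - Base;
        return (BitConverter.ToInt32(snapshot, off), BitConverter.ToInt32(snapshot, off + 4));
    }

    static void Main()
    {
        // Constructed snapshot: every cell empty except [6, 15] (hypothetical values).
        var snapshot = new byte[Size * Size * Stride];
        int off = CellAddress(6, 15) - Base;
        BitConverter.GetBytes(31).CopyTo(snapshot, off);     // hypothetical piece id
        BitConverter.GetBytes(2).CopyTo(snapshot, off + 4);  // hypothetical colour code

        var (piece, colour) = DecodeCell(snapshot, 6, 15);
        Console.WriteLine($"[6,15] @ {CellAddress(6, 15):X}: piece={piece} colour={colour}");

        // 117 = 6 * 17 + 15, so this address should map back to [6, 15].
        TryIndexOf(Base + 12 * 117, out int r, out int c);
        Console.WriteLine($"address maps back to [{r},{c}]");
    }
}
```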

As mentioned above, we are still looking for the call (the previous address no longer applies, but the signature can still be used).

As mentioned above, between mov eax, dword ptr ds:[EBX + 110] and mov eax, dword ptr ds:[4976f4] (updated to 496754) there should be an important data-handling segment. The entire code segment is:

0041155f 8b83 10010000   mov eax, dword ptr ds:[ebx + 110]
00411565 85c0            test eax, eax
00411567 0f84 ca010000   je junqirpg.00411737
0041156d 8b0d d89a4900   mov ecx, dword ptr ds:[499ad8]
00411573 85c9            test ecx, ecx
00411575 75 06           jnz short junqirpg.0041157d
00411577 894c24 14       mov dword ptr ss:[esp + 14], ecx
0041157b eb 0e           jmp short junqirpg.0041158b
0041157d a1 dc9a4900     mov eax, dword ptr ds:[499adc]
00411582 2bc1            sub eax, ecx
00411584 c1f8 02         sar eax, 2
00411587 894424 14       mov dword ptr ss:[esp + 14], eax
0041158b a1 54674900     mov eax, dword ptr ds:[496754]

However, after detailed tracing, the memory coordinates cannot be found (for example, a piece moving from 498638 to 49856c). There is still useful data here. The key part is the following:

0041156d 8b0d d89a4900   mov ecx, dword ptr ds:[499ad8]
0041157d a1 dc9a4900     mov eax, dword ptr ds:[499adc]
00411582 2bc1            sub eax, ecx
00411584 c1f8 02         sar eax, 2

What did we find? The value at 499ad8 remains unchanged (within one lifecycle), while the value at 499adc is its increment. It can be understood as a step counter with a 4-byte step size: one step gives 8, two steps give 12. Why? This value should describe the complete path. For example, a step from 498638 to 49856c must record both the original position and the current position, so although it is a single step, the value is obviously 2.

This by itself is not useful, and the address still cannot be found after carefully analysing the code below 0041158b a1 54674900 mov eax, dword ptr ds:[496754]. This shows that the start and end markers are not stored as memory addresses; if they were, a start address and an end address would have to be present in memory when breaking in the middle of a move.

Change of approach: notice that this article opens with a 17x17 array. The start and end may also be implemented as array indices. Find a piece at index [6, 15] and move it to [6, 14]. After the breakpoint, search for 06 15 or 15 06 in the data segment (the high and low bytes may be reversed; this is a feature of the stack). No!!! Not found, poor....

After going over the whole process again, we found a missed point: during the search we need to search in hexadecimal. That is, we need to search for 06 0f or 0f 06, and sure enough an address holding this value is found. Through this analysis, we can see that the starting index lies within a 16-byte range and the ending index lies within another 16-byte range. Above the 499ad8 step address there is one line of difference, but it takes a long time to analyse. The C++ representation of start and end is generally:
typedef struct {
    BYTE x;   // column index
    BYTE y;   // row index
} Node;

Node from;   // start position
Node to;     // end position

If both pieces of data are needed, there are two processing methods: dynamic memory scanning, or the API hook described in the first article. The scan method is easy to implement, but the probability of errors is also high. To avoid errors it is best to scan continuously, which gives high accuracy, but the data may then be out of sync, on the same principle as dirty data in databases. The hook API technique is more difficult, but the program is more stable.
