首先更正筆記1中的人物基址的尋找方法,具體尋找方法以下簡單說明:
1.CE中根據人物經驗或血找到某唯一地址(實際中我是根據經驗的)
2.OD中對經驗地址下記憶體寫斷點
0044BC28 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C] 此處為寫經驗地址,得到第二個位移值C和地址ESI的值
0044BC2B 89B8 C0060000 MOV DWORD PTR DS:[EAX+6C0],EDI 此處為寫經驗,得到第一個位移值6C0和地址EAX的值
0044BC31 8B0D C4B75B00 MOV ECX,DWORD PTR DS:[5BB7C4]
0044BC37 8B11 MOV EDX,DWORD PTR DS:[ECX]
0044BC39 68 04755700 PUSH Game.00577504 ; ASCII "player"
0044BC3E 6A 1D PUSH 1D
0044BC40 FF52 4C CALL DWORD PTR DS:[EDX+4C]
3.OD中逆向分析
004D82D0 55 PUSH EBP
……………………省略……………………………………………………………………………………
004D82F6 FF52 44 CALL DWORD PTR DS:[EDX+44]
004D82F9 8BD8 MOV EBX,EAX ; ebx=eax
004D82FB 85DB TEST EBX,EBX
004D82FD 0F84 8F080000 JE Game.004D8B92
004D8303 33C0 XOR EAX,EAX
004D8305 8A46 0C MOV AL,BYTE PTR DS:[ESI+C]
004D8308 57 PUSH EDI
004D8309 8BBB 2C020000 MOV EDI,DWORD PTR DS:[EBX+22C] ; edi=ebx+22c,此處的ebx得到第三個位移值22C和地址ebx值
004D830F 83E0 01 AND EAX,1
……………………省略……………………………………………………………………………………
004D838A E8 4137F7FF CALL Game.0044BAD0 ; 調用經驗擷取函數
4.發現此處ebx的值切換地圖時不變,始終位移三次後能取到經驗(筆記一中認為這時的ebx已經是基地址,此處更正),對ebx的地址下記憶體寫訪問斷點,得到下面程式碼片段
00501957 8945 F0 MOV DWORD PTR SS:[EBP-10],EAX
0050195A A1 88895B00 MOV EAX,DWORD PTR DS:[5B8988] ;基地址5b5888
0050195F 57 PUSH EDI
00501960 8BF9 MOV EDI,ECX
00501962 8B48 44 MOV ECX,DWORD PTR DS:[EAX+44] ;第四個位移值44
00501965 894F 08 MOV DWORD PTR DS:[EDI+8],ECX ; 寫地址
00501968 8B11 MOV EDX,DWORD PTR DS:[ECX]
0050196A FF52 3C CALL DWORD PTR DS:[EDX+3C]
總結,人物資料地址=[[[5B8988]+44]+22C]+C,經驗值=[人物資料地址+6C0]
好了,接下來開始尋找怪數組了
找記憶體位址這幾天學下來已經比較熟練了,所以後面的步驟簡寫,唯寫方法和關鍵步驟
第一步:CE中尋找當前地圖某個怪的名稱(text)格式的,找出一堆地址來。切換怪地區,發現哪些地址有變化,結果有幾個地址有變化,這幾個地址特徵是比較接近,猜測可能是數組中某幾項,查看該記憶體地區,截取片段如下:
02816660 02 00 00 00 41 F1 0F 43 \u0002A?C
02816668 00 00 00 00 3F 57 5B 42 .?W[B
02816670 00 00 00 00 00 00 00 00 ..
02816678 B5 C1 C4 B9 D0 A1 D4 F4 盜墓小賊
02816680 00 00 00 00 00 00 00 00 ..
02816688 08 00 00 00 0F 00 00 00 \u0008\u000F
02816690 F5 00 00 00 00 00 00 00 ?
02816698 00 00 00 00 2D 23 10 43 .-#\u0010C
028166A0 00 00 00 00 8C 9B 83 42 .寷傿
028166A8 00 00 00 00 00 00 00 00 ..
028166B0 B5 C1 C4 B9 D0 A1 D4 F4 盜墓小賊
028166B8 00 B4 B6 FE B2 E3 00 00 .炊?.
028166C0 08 00 00 00 0F 00 00 00 \u0008\u000F
028166C8 EC 00 00 00 00 00 00 00 ?
028166D0 00 00 00 00 6B 8F 18 43 .k?C
028166D8 00 00 00 00 4F 40 26 42 .O@&B
028166E0 00 00 00 00 00 00 00 00 ..
028166E8 B5 C1 C4 B9 D0 A1 D4 F4 盜墓小賊
028166F0 00 B4 B6 FE B2 E3 00 00 .炊?.
028166F8 08 00 00 00 0F 00 00 00 \u0008\u000F
02816700 E9 00 00 00 00 00 00 00 ?
02816708 00 00 00 00 2F DB 1B 43 ./?C
02816710 00 00 00 00 1E BA 52 42 .\u001E篟B
02816718 00 00 00 00 00 00 00 00 ..
經分析發現其中存了怪座標,名稱,編號,類型等資料
第二步:OD中對自己認為最有把握的地址下記憶體寫訪問斷點,得到代碼如下:
7C364344 89448F E4 MOV DWORD PTR DS:[EDI+ECX*4-1C],EAX
7C364348 8B448E E8 MOV EAX,DWORD PTR DS:[ESI+ECX*4-18]
7C36434C 89448F E8 MOV DWORD PTR DS:[EDI+ECX*4-18],EAX
7C364350 8B448E EC MOV EAX,DWORD PTR DS:[ESI+ECX*4-14]
7C364354 89448F EC MOV DWORD PTR DS:[EDI+ECX*4-14],EAX
7C364358 8B448E F0 MOV EAX,DWORD PTR DS:[ESI+ECX*4-10]
7C36435C 89448F F0 MOV DWORD PTR DS:[EDI+ECX*4-10],EAX
7C364360 8B448E F4 MOV EAX,DWORD PTR DS:[ESI+ECX*4-C]
7C364364 89448F F4 MOV DWORD PTR DS:[EDI+ECX*4-C],EAX
7C364368 8B448E F8 MOV EAX,DWORD PTR DS:[ESI+ECX*4-8]
7C36436C 89448F F8 MOV DWORD PTR DS:[EDI+ECX*4-8],EAX
7C364370 8B448E FC MOV EAX,DWORD PTR DS:[ESI+ECX*4-4]
7C364374 89448F FC MOV DWORD PTR DS:[EDI+ECX*4-4],EAX
7C364378 8D048D 00000000 LEA EAX,DWORD PTR DS:[ECX*4]
第三步:中斷後逆向分析代碼退後幾步代碼如下:
0050143E 8B0D 50895B00 MOV ECX,DWORD PTR DS:[5B8950] ;基地址
00501444 8B11 MOV EDX,DWORD PTR DS:[ECX]
00501446 FF52 54 CALL DWORD PTR DS:[EDX+54]
如上紅色部分為基地址,怪物數組的起始地址為[5B8950]+7C
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
