某游戏周围玩家数组的完整逆向过程
0056E31E . 33C0 xor eax,eax ; ctrl+f9返回
0056E320 . 3981 60010000 cmp ds:[ecx+0x160],eax ; 这里访问(读取并比较)周边玩家血量----ce入手点
0056E326 . 0F94C0 sete al
0056E329 . C3 retn
-------------------------------------------------------------------------------------------------------------------
00573320 /$ 55 push ebp
00573321 |. 8BEC mov ebp,esp
00573323 |. 83E4 F8 and esp,0xFFFFFFF8
00573326 |. 83EC 44 sub esp,0x44
00573329 |. 53 push ebx
0057332A |. 56 push esi
0057332B |. 8BF1 mov esi,ecx ; dd ecx+0x160
0057332D |. 8B0D 48E4C200 mov ecx,ds:[0xC2E448]
00573333 |. 8B49 7C mov ecx,ds:[ecx+0x7C]
00573336 |. 8D86 34030000 lea eax,ds:[esi+0x334]
0057333C |. 57 push edi
0057333D |. 3908 cmp ds:[eax],ecx
0057333F |. 0F84 A5030000 je 005736EA
00573345 |. 8908 mov ds:[eax],ecx
00573347 |. 8B06 mov eax,ds:[esi]
00573349 |. 8BCE mov ecx,esi
0057334B |. C686 A9000000>mov byte ptr ds:[esi+0xA9],0x1
00573352 |. FF50 50 call ds:[eax+0x50] ; 从这进
---------------------------------------------------------------------------------------------------------------
0056C314 /$ 55 push ebp
0056C315 |. 8BEC mov ebp,esp
0056C317 |. 83EC 0C sub esp,0xC
0056C31A |. 56 push esi
0056C31B |. 8BF1 mov esi,ecx ; dd ecx+0x160
0056C31D |. 8B86 34030000 mov eax,ds:[esi+0x334]
0056C323 |. 8B0D 48E4C200 mov ecx,ds:[0xC2E448]
0056C329 |. 3B41 7C cmp eax,ds:[ecx+0x7C]
0056C32C |. 0F84 51010000 je 0056C483
0056C332 |. 8B46 18 mov eax,ds:[esi+0x18]
0056C335 |. C1E8 03 shr eax,0x3
0056C338 |. A8 01 test al,0x1
0056C33A |. 75 20 jnz X0056C35C ; 这跳下来
0056C33C |. 8B06 mov eax,ds:[esi]
0056C33E |. 8BCE mov ecx,esi
0056C340 |. FF90 A8000000 call ds:[eax+0xA8]
0056C346 |. 84C0 test al,al
0056C348 |. 74 12 je X0056C35C
0056C34A |. F686 F1050000>test byte ptr ds:[esi+0x5F1],0x1
0056C351 |. 76 09 jbe X0056C35C
0056C353 |. 6A 01 push 0x1
0056C355 |. 8BCE mov ecx,esi
0056C357 |. E8 7E350000 call 0056F8DA
0056C35C |> 57 push edi ; 发现这有个跳转
0056C35D |. FF75 08 push dword ptr ss:[ebp+0x8]
0056C360 |. 8BCE mov ecx,esi ; dd esi+0x160
0056C362 |. E8 B96F0000 call 00573320
------------------------------------------------------------------------------------------------------------
0055B476 /$ 55 push ebp
0055B477 |. 8BEC mov ebp,esp
0055B479 |. 83E4 F8 and esp,0xFFFFFFF8
0055B47C |. 64:A1 0000000>mov eax,fs:[0]
0055B482 |. 6A FF push -0x1
0055B484 |. 68 20F99F00 push 009FF920
0055B489 |. 50 push eax
0055B48A |. 64:8925 00000>mov fs:[0],esp
0055B491 |. 83EC 28 sub esp,0x28
0055B494 |. 53 push ebx
0055B495 |. 56 push esi
0055B496 |. 57 push edi
0055B497 |. 8B7D 08 mov edi,ss:[ebp+0x8] ; 这里对edi写入,是上层最后一个push进来的参数
0055B49A |. 8D4F 60 lea ecx,ds:[edi+0x60]
0055B49D |. FF15 4C63A100 call ds:[<&MSVCP90.std::basic_string<cha>; MSVCP90.std::basic_string<char,std::char_traits<char>,std::allocator<char> >::clear
0055B4A3 |. E8 0379EAFF call 00402DAB
0055B4A8 |. 8B10 mov edx,ds:[eax]
0055B4AA |. 8BC8 mov ecx,eax
0055B4AC |. FF52 18 call ds:[edx+0x18]
0055B4AF |. 803D B359C100>cmp byte ptr ds:[0xC159B3],0x0
0055B4B6 |. 75 55 jnz X0055B50D
0055B4B8 |. 8B4D 0C mov ecx,ss:[ebp+0xC]
0055B4BB |. 8D87 FC010000 lea eax,ds:[edi+0x1FC]
0055B4C1 |. E8 7C79EAFF call 00402E42
0055B4C6 |. 84C0 test al,al
0055B4C8 |. 74 43 je X0055B50D
0055B4CA |. 833D B456C100>cmp dword ptr ds:[0xC156B4],0x0
0055B4D1 |. 75 3A jnz X0055B50D
0055B4D3 |. 6A 06 push 0x6
0055B4D5 |. 8D4424 1C lea eax,ss:[esp+0x1C]
0055B4D9 |. C64424 1C 02 mov byte ptr ss:[esp+0x1C],0x2
0055B4DE |. C64424 1D 04 mov byte ptr ss:[esp+0x1D],0x4
0055B4E3 |. E8 C585EAFF call 00403AAD
0055B4E8 |. 8B35 5CE4C200 mov esi,ds:[0xC2E45C]
0055B4EE |. 59 pop ecx
0055B4EF |. E8 AD9BEAFF call 004050A1
0055B4F4 |. A3 B456C100 mov ds:[0xC156B4],eax
0055B4F9 |. E8 AD78EAFF call 00402DAB
0055B4FE |. 8B0D 5CE4C200 mov ecx,ds:[0xC2E45C]
0055B504 |. 8B51 2C mov edx,ds:[ecx+0x2C]
0055B507 |. 0351 28 add edx,ds:[ecx+0x28]
0055B50A |. 8950 4C mov ds:[eax+0x4C],edx
0055B50D |> 33DB xor ebx,ebx
0055B50F |. 43 inc ebx
0055B510 |. 841D E0A6C300 test ds:[0xC3A6E0],bl
0055B516 |. 75 46 jnz X0055B55E
0055B518 |. 091D E0A6C300 or ds:[0xC3A6E0],ebx
0055B51E |. 836424 3C 00 and dword ptr ss:[esp+0x3C],0x0
0055B523 |. E8 B4A5F1FF call 00475ADC
0055B528 |. A3 D406C300 mov ds:[0xC306D4],eax
0055B52D |. 8858 15 mov ds:[eax+0x15],bl
0055B530 |. A1 D406C300 mov eax,ds:[0xC306D4]
0055B535 |. 8940 04 mov ds:[eax+0x4],eax
0055B538 |. A1 D406C300 mov eax,ds:[0xC306D4]
0055B53D |. 8900 mov ds:[eax],eax
0055B53F |. A1 D406C300 mov eax,ds:[0xC306D4]
0055B544 |. 8940 08 mov ds:[eax+0x8],eax
0055B547 |. 8325 D806C300>and dword ptr ds:[0xC306D8],0x0
0055B54E |. 68 132DA100 push 00A12D13
0055B553 |. E8 88394300 call 0098EEE0
0055B558 |. 834C24 40 FF or dword ptr ss:[esp+0x40],0xFFFFFFFF
0055B55D |. 59 pop ecx
0055B55E |> E8 F3260000 call 0055DC56
0055B563 |. 6A 02 push 0x2
0055B565 |. 5E pop esi
0055B566 |. C64424 13 00 mov byte ptr ss:[esp+0x13],0x0
0055B56B |. 8935 38C4BB00 mov ds:[0xBBC438],esi
0055B571 |. E8 1A840700 call 005D3990
0055B576 |. 3970 1C cmp ds:[eax+0x1C],esi
0055B579 |. 7C 35 jl X0055B5B0
0055B57B |. E8 10840700 call 005D3990
0055B580 |. 80B8 A8030000>cmp byte ptr ds:[eax+0x3A8],0x0
0055B587 |. 75 27 jnz X0055B5B0
0055B589 |. 8B47 20 mov eax,ds:[edi+0x20]
0055B58C |. 2B47 1C sub eax,ds:[edi+0x1C]
0055B58F |. C1F8 02 sar eax,0x2
0055B592 |. 3D A0000000 cmp eax,0xA0
0055B597 |. 76 08 jbe X0055B5A1
0055B599 |. 891D 38C4BB00 mov ds:[0xBBC438],ebx
0055B59F |. EB 0B jmp X0055B5AC
0055B5A1 |> 83F8 50 cmp eax,0x50
0055B5A4 |. 76 0A jbe X0055B5B0
0055B5A6 |. 8935 38C4BB00 mov ds:[0xBBC438],esi
0055B5AC |> 885C24 13 mov ss:[esp+0x13],bl
0055B5B0 |> 8B47 20 mov eax,ds:[edi+0x20]
0055B5B3 |. 2B47 1C sub eax,ds:[edi+0x1C]
0055B5B6 |. C1F8 02 sar eax,0x2
0055B5B9 |. 83F8 50 cmp eax,0x50
0055B5BC |. 76 1C jbe X0055B5DA
0055B5BE |. E8 CD830700 call 005D3990
0055B5C3 |. 3970 1C cmp ds:[eax+0x1C],esi
0055B5C6 |. 7C 12 jl X0055B5DA
0055B5C8 |. E8 C3830700 call 005D3990
0055B5CD |. 80B8 A8030000>cmp byte ptr ds:[eax+0x3A8],0x0
0055B5D4 |. 75 04 jnz X0055B5DA
0055B5D6 |. 885C24 13 mov ss:[esp+0x13],bl
0055B5DA |> 8B47 20 mov eax,ds:[edi+0x20]
0055B5DD |. 8B5F 1C mov ebx,ds:[edi+0x1C] ; dd [[edi+0x1C]]+0x160 往上找edi
0055B5E0 |. 8BC8 mov ecx,eax
0055B5E2 |. 2BCB sub ecx,ebx
0055B5E4 |. F7C1 FCFFFFFF test ecx,0xFFFFFFFC
0055B5EA |. 74 64 je X0055B650
0055B5EC |. 3BD8 cmp ebx,eax
0055B5EE |. 74 60 je X0055B650
0055B5F0 |> 8B0B /mov ecx,ds:[ebx] ; dd [ebx]+0x160 具体还是从这往上跟ebx
0055B5F2 |. FF75 0C |push dword ptr ss:[ebp+0xC] ; 这段只是实现了传统游戏数组 eax+ecx*4 这种结构
0055B5F5 |. 8B01 |mov eax,ds:[ecx]
0055B5F7 |. FF90 98000000 |call ds:[eax+0x98]
0055B5FD |. 807C24 13 00 |cmp byte ptr ss:[esp+0x13],0x0
0055B602 |. 74 44 |je X0055B648
0055B604 |. 8B03 |mov eax,ds:[ebx]
0055B606 |. 8D7C24 18 |lea edi,ss:[esp+0x18]
0055B60A |. E8 48320100 |call 0056E857
0055B60F |. 0FB74424 1C |movzx eax,word ptr ss:[esp+0x1C]
0055B614 |. 8B4C24 18 |mov ecx,ss:[esp+0x18]
0055B618 |. C1E1 10 |shl ecx,0x10
0055B61B |. 0BC1 |or eax,ecx
0055B61D |. 8D7424 14 |lea esi,ss:[esp+0x14]
0055B621 |. 894424 14 |mov ss:[esp+0x14],eax
0055B625 |. E8 9F250000 |call 0055DBC9
0055B62A |. FE00 |inc byte ptr ds:[eax]
0055B62C |. E8 98250000 |call 0055DBC9
0055B631 |. 0FB600 |movzx eax,byte ptr ds:[eax]
0055B634 |. 3B05 38C4BB00 |cmp eax,ds:[0xBBC438]
0055B63A |. 7E 09 |jle X0055B645
0055B63C |. 8B0B |mov ecx,ds:[ebx]
0055B63E |. 8B01 |mov eax,ds:[ecx]
0055B640 |. 6A 00 |push 0x0
0055B642 |. FF50 4C |call ds:[eax+0x4C]
0055B645 |> 8B7D 08 |mov edi,ss:[ebp+0x8]
0055B648 |> 83C3 04 |add ebx,0x4 ; 这里+4 等於是便历内存
0055B64B |. 3B5F 20 |cmp ebx,ds:[edi+0x20]
0055B64E |.^ 75 A0 \jnz X0055B5F0 ; 这段只是实现了传统游戏数组 eax+ecx*4 这种结构
-----------------------------------------------------------------------------------------------------------------------
0055B476 /$ 55 push ebp
0055B477 |. 8BEC mov ebp,esp
0055B479 |. 83E4 F8 and esp,0xFFFFFFF8
0055B47C |. 64:A1 0000000>mov eax,fs:[0]
0055B482 |. 6A FF push -0x1
0055B484 |. 68 20F99F00 push 009FF920
0055B489 |. 50 push eax
0055B48A |. 64:8925 00000>mov fs:[0],esp
0055B491 |. 83EC 28 sub esp,0x28
0055B494 |. 53 push ebx
0055B495 |. 56 push esi
0055B496 |. 57 push edi
0055B497 |. 8B7D 08 mov edi,ss:[ebp+0x8] ; 这里对edi写入,是上层最后一个push进来的参数
-----------------------------------------------------------------------------------------------------
005997B4 . 68 5CDBB200 push 00B2DB5C ; .\ztParticleThread.cpp
005997B9 . 8BCE mov ecx,esi
005997BB . FF50 04 call ds:[eax+0x4]
005997BE . 83C7 74 add edi,0x74
005997C1 . 57 push edi
005997C2 . E8 29CB1A00 call 007462F0
005997C7 . 8B06 mov eax,ds:[esi]
005997C9 . 59 pop ecx
005997CA . 8BCE mov ecx,esi
005997CC . FF50 0C call ds:[eax+0xC]
005997CF > A1 B8F1C200 mov eax,ds:[0xC2F1B8]
005997D4 . 85C0 test eax,eax
005997D6 . 74 05 je X005997DD
005997D8 . E8 8EF00900 call 0063886B
005997DD > E8 33D8FFFF call 00597015
005997E2 . 8B6C24 10 mov ebp,ss:[esp+0x10]
005997E6 . 83BD 44010000>cmp dword ptr ss:[ebp+0x144],0x3
005997ED . 75 1C jnz X0059980B
005997EF . E8 AB38FFFF call 0058D09F
005997F4 . A1 5CE4C200 mov eax,ds:[0xC2E45C]
005997F9 . 8B48 2C mov ecx,ds:[eax+0x2C]
005997FC . 0348 28 add ecx,ds:[eax+0x28]
005997FF . 51 push ecx
00599800 . FF35 08EBC200 push dword ptr ds:[0xC2EB08] ; PUSH 个基址 找到整个结构了
00599806 . E8 6B1CFCFF call 0055B476 ; dd [[[0xC2EB08]+0x1C]+0*4]+0x160
0059980B > A1 08EBC200 mov eax,ds:[0xC2EB08]
00599810 . 8B80 C4010000 mov eax,ds:[eax+0x1C4]
00599816 . 85C0 test eax,eax
00599818 . 74 0F je X00599829
0059981A . 83F8 01 cmp eax,0x1
0059981D . 74 0A je X00599829
0059981F . 83F8 06 cmp eax,0x6
------------------------------------------------------------------------------------
所以周边玩家的血量地址可以这样表示：dd [[[0x0C2EB08]+0x1C]+1*4]+0x160（其中 1*4 对应数组下标乘以 4，下标 0、1、2… 依次为各个周边玩家）