外挂技术研究-封装动作数组功能
2015-02-02 16:39
目标:
1、封装动作对象
2、封装动作对象列表
3、封装使用对象功能函数
作业:
BOOL TActionList::UseAction(char* szpActionName)
//背包对象 怪物对象 动作对象 玩家对象
0061BD29 |. BE 40E71C03 MOV ESI,Client.031CE740
dd [031CE740+0ee3*4]
//动作对象数组
dd [31A9A98]+410+4*0
+08 //总的分类编号
+0C //总的对象数组 下标
+4C //动作分类ID 动作使用CALL参数
+5C //动作名字
mov ebx,2
mov edi,31A9A98
mov edi,[edi]
mov eax,[edi+410+4*ebx]
mov edx,[eax+4c]
mov eax,[0xf418E0]
MOV ECX,DWORD PTR DS:[EAX+27C] //[[0xf418E0]+0x27C] //*(DWORD*)((*(DWORD*)0xf418E0)+0x27c)
push edx
call
0079D2CF - 80 B8 30020000 00 - cmp byte ptr [eax+00000230],00
0079D2D6 - 75 6D - jne Client.exe+39D345
0079D2D8 - 8B 8C 9F 10040000 - mov ecx,[edi+ebx*4+00000410] << 从这里 F8单步步过跟
0079D2DF - 85 C9 - test ecx,ecx
0079D2E1 - 74 62 - je Client.exe+39D345
0079DB98 - 83 BF 08160000 35 - cmp dword ptr [edi+00001608],35
0079DB9F - 75 1F - jne Client.exe+39DBC0
0079DBA1 - 8B 84 9F 10040000 - mov eax,[edi+ebx*4+00000410] <<
0079DBA8 - 85 C0 - test eax,eax
0079DBAA - 74 14 - je Client.exe+39DBC0
0079DB2E |. /E9 D9000000 JMP Client.0079DC0C
0079DB33 |> |83F8 FF CMP EAX,-1
0079DB36 |. |0F84 D0000000 JE Client.0079DC0C
0079DB3C |. |50 PUSH EAX
0079DB3D |. |6A 01 PUSH 1
0079DB3F |. |6A 00 PUSH 0
0079DB41 |. |8BCF MOV ECX,EDI
0079DB43 |. |E8 B80FFFFF CALL Client.0078EB00
0079DB48 |. |E9 BF000000 JMP Client.0079DC0C
0079DB4D |> |8B8F 08160000 MOV ECX,DWORD PTR DS:[EDI+1608]
0079DB53 |. |8B97 D01B0000 MOV EDX,DWORD PTR DS:[EDI+1BD0]
0079DB59 |. |53 PUSH EBX
0079DB5A |. |51 PUSH ECX
0079DB5B |. |52 PUSH EDX
0079DB5C |. |8BCF MOV ECX,EDI
0079DB5E |. |E8 9D0FFFFF CALL Client.0078EB00
0079DB63 |. |E9 A4000000 JMP Client.0079DC0C
0079DB68 |> |E8 A3B2F2FF CALL Client.006C8E10
0079DB6D |. |84C0 TEST AL,AL
0079DB6F |. |0F85 97000000 JNZ Client.0079DC0C
0079DB75 |. |803D 318B1A03>CMP BYTE PTR DS:[31A8B31],1
0079DB7C |. |0F84 8A000000 JE Client.0079DC0C
0079DB82 |. |8B87 08160000 MOV EAX,DWORD PTR DS:[EDI+1608]
0079DB88 |. |8B8F D01B0000 MOV ECX,DWORD PTR DS:[EDI+1BD0]
0079DB8E |. |53 PUSH EBX ; 对象在数组里的下标
0079DB8F |. |50 PUSH EAX ; 35
0079DB90 |. |51 PUSH ECX ; 5
0079DB91 |. |8BCF MOV ECX,EDI
0079DB93 |. |E8 1878FFFF CALL Client.007953B0 ; ecx=[31A9A98]
0079DB98 |. |83BF 08160000>CMP DWORD PTR DS:[EDI+1608],35
0079DB9F |. |75 1F JNZ SHORT Client.0079DBC0
0079DBA1 |. |8B849F 100400>MOV EAX,DWORD PTR DS:[EDI+EBX*4+410] ; ebx动作下标
0079DBA8 |. |85C0 TEST EAX,EAX
0079DBAA |. |74 14 JE SHORT Client.0079DBC0
0079DBAC |. |8B50 4C MOV EDX,DWORD PTR DS:[EAX+4C]
0079DBAF |. |A1 E018F400 MOV EAX,DWORD PTR DS:[F418E0]
0079DBB4 |. |8B88 7C020000 MOV ECX,DWORD PTR DS:[EAX+27C]
0079DBBA |. |52 PUSH EDX
0079DBBB |. |E8 F0BAEDFF CALL Client.006796B0 ; 动作使用CALL
0079DBC0 |> |83BF 08160000>CMP DWORD PTR DS:[EDI+1608],36
0079DBC7 |. |75 20 JNZ SHORT Client.0079DBE9
0079DBC9 |. |8B849F 100400>MOV EAX,DWORD PTR DS:[EDI+EBX*4+410]
0079DBD0 |. |85C0 TEST EAX,EAX
0079DBD2 |. |74 15 JE SHORT Client.0079DBE9
0079DBD4 |. |8B48 4C MOV ECX,DWORD PTR DS:[EAX+4C]
0079DBD7 |. |8B15 E018F400 MOV EDX,DWORD PTR DS:[F418E0]
//dd [31A9A98]+410+4*0
//+08 //总的分类编号
//+0C //总的对象数组 下标
//+4C //动作分类ID 动作使用CALL参数
//+5C //动作名字
// Snapshot the client's action array into tList[0..11].
// Per the offset notes above: [Base_ActionList]+0x410 is the array of
// per-slot object pointers; each object keeps its name at +0x5C and its
// action-category ID (the argument of the use-action CALL) at +0x4C.
// Returns `this` so the call can be chained (see UseAction()).
// NOTE(review): the client's own loop tests the slot pointer for zero
// (TEST EAX,EAX / JE in the listing) before reading +0x4C; this loop does
// not, so an empty slot turns ndObj+0x5C / ndObj+0x4C into a near-null read.
// NOTE(review): catch(...) presumably only intercepts that access violation
// when the TU is built with asynchronous exceptions (/EHa) — confirm flags.
// NOTE(review): szpName aliases client memory directly; tList does not own
// it, so the pointer is only meaningful while that object stays allocated.
TActionList *TActionList::GetData()
{
DWORD ndpFirstObj=0;   // address of slot 0 of the pointer array
DWORD ndObj=NULL;      // pointer to the current slot's action object (may be 0)
try
{
// dereference the base once, then step to the pointer array at +0x410
ndpFirstObj=*(DWORD*)(Base_ActionList)+0x410;
for (int i=0;i<12;i++)   // 12 slots assumed; tList's capacity is not visible here — confirm
{
ndObj=*(DWORD*)(ndpFirstObj+4*i);
tList[i].szpName=(char*)(ndObj+0x5C);      // +0x5C: action name (not copied)
tList[i].ndActionID=*(DWORD*)(ndObj+0x4C);  // +0x4C: category ID passed to the use CALL
}
}
catch (...)
{
// best-effort: log and keep whatever entries were filled before the fault
DbgPrintf_Mine("*TActionList::GetData() 异常\r\n");
}
return this;
}
// Write the 12 cached entries (name, index, ID) to the debug log.
// Always returns TRUE; the value carries no status.
// NOTE(review): assumes GetData() ran first — tList is not filled here, and
// a never-initialised or null szpName reaches "%s" (undefined in standard C;
// MSVC's CRT happens to print "(null)") — confirm initialisation order.
BOOL TActionList::dbgPrintMsg()
{
for (int i=0;i<12;i++)   // same fixed slot count as GetData()
{
DbgPrintf_Mine("%s[%d] ID=%d \r\n",tList[i].szpName,i,tList[i].ndActionID);
}
return TRUE;
}
// Invoke the client's use-action routine for slot ndIndex.
// Mirrors the listing above: ECX = the object the client loads from
// [[F418E0]+0x27C] (BaseCallEcx_ActionUse here), one pushed argument =
// the slot's +0x4C action ID, then CALL BaseCall_ActionUse.
// The __asm block is MSVC x86 syntax; it will not build elsewhere.
// NOTE(review): ndIndex is not range-checked against the 12 entries
// GetData() fills, so an out-of-range index indexes past tList.
// NOTE(review): the empty catch(...) swallows everything and TRUE is
// returned regardless, so callers cannot tell success from failure.
// NOTE(review): no stack adjustment follows the CALL; the listing also shows
// a single PUSH and no ADD ESP afterwards, which suggests callee cleanup,
// but the callee's convention is not visible here — confirm.
BOOL TActionList::UseAction(DWORD ndIndex)
{
DWORD ndEcx=BaseCallEcx_ActionUse;
// re-reads the whole array on every call; cheap here but not free
DWORD ndArg1=GetData()->tList[ndIndex].ndActionID;
try
{
__asm
{
mov ecx,ndEcx        // this-pointer expected in ECX by the callee
mov eax,ndArg1
push eax             // sole stack argument: action ID (+0x4C)
mov eax,BaseCall_ActionUse
call eax
}
}
catch (...)
{
// deliberately best-effort: faults inside the client call are ignored
}
return TRUE;
}
// Address of the action-list pointer read by the client (MOV EAX,[0x31C1EB0]
// in the listing below). GetData() dereferences it before adding 0x410.
// NOTE(review): the earlier notes on this page use [31A9A98] for the same
// structure; the value is build-specific — confirm against the client in use.
#define Base_ActionList 0x31C1EB0
+5C 名字
8B91380200002B9134020000B8ABAAAA2AF7EAD1FA8BC253c1E81F33db03c274 //第一个 能搜到 共2个
+0x31 //00677AD1-00677AA0
dc [[0x31C1EB0]+410]+5c
00677A9F CC INT3
00677AA0 8B91 38020000 MOV EDX,DWORD PTR DS:[ECX+0x238]
00677AA6 2B91 34020000 SUB EDX,DWORD PTR DS:[ECX+0x234]
00677AAC B8 ABAAAA2A MOV EAX,0x2AAAAAAB
00677AB1 F7EA IMUL EDX
00677AB3 D1FA SAR EDX,1
00677AB5 8BC2 MOV EAX,EDX
00677AB7 53 PUSH EBX
00677AB8 C1E8 1F SHR EAX,0x1F
00677ABB 33DB XOR EBX,EBX
00677ABD 03C2 ADD EAX,EDX
00677ABF 74 7C JE SHORT Client.00677B3D
00677AC1 56 PUSH ESI
00677AC2 57 PUSH EDI
00677AC3 BE 10040000 MOV ESI,0x410
00677AC8 EB 06 JMP SHORT Client.00677AD0
00677ACA 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
00677AD0 A1 B01E1C03 MOV EAX,DWORD PTR DS:[0x31C1EB0] //基址
00677AD5 833C06 00 CMP DWORD PTR DS:[ESI+EAX],0x0
00677AA0 8B91 38020000 MOV EDX,DWORD PTR DS:[ECX+0x238]
00677AA6 2B91 34020000 SUB EDX,DWORD PTR DS:[ECX+0x234]
00677AAC B8 ABAAAA2A MOV EAX,0x2AAAAAAB
00677AB1 F7EA IMUL EDX
00677AB3 D1FA SAR EDX,1
00677AB5 8BC2 MOV EAX,EDX
00677AB7 53 PUSH EBX
00677AB8 C1E8 1F SHR EAX,0x1F
00677ABB 33DB XOR EBX,EBX
00677ABD 03C2 ADD EAX,EDX
00677ABF 74 7C JE SHORT Client.00677B3D
00677AC1 56 PUSH ESI
00677AC2 57 PUSH EDI
00677AC3 BE 10040000 MOV ESI,0x410
00677AC8 EB 06 JMP SHORT Client.00677AD0
00677ACA 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
00677AD0 A1 B01E1C03 MOV EAX,DWORD PTR DS:[0x31C1EB0] ; 动作基址
00677AD5 833C06 00 CMP DWORD PTR DS:[ESI+EAX],0x0
00677AD9 74 3C JE SHORT Client.00677B17
00677ADB 8B0406 MOV EAX,DWORD PTR DS:[ESI+EAX]
00677ADE 8B50 4C MOV EDX,DWORD PTR DS:[EAX+0x4C]
00677AE1 8B78 50 MOV EDI,DWORD PTR DS:[EAX+0x50]
007AAAAF /0F85 97000000 JNZ Client.007AAB4C
007AAAB5 |803D 490F1C03 0>CMP BYTE PTR DS:[0x31C0F49],0x1
007AAABC |0F84 8A000000 JE Client.007AAB4C
007AAAC2 |8B87 08160000 MOV EAX,DWORD PTR DS:[EDI+0x1608]
007AAAC8 |8B8F D01B0000 MOV ECX,DWORD PTR DS:[EDI+0x1BD0]
007AAACE |53 PUSH EBX ; 下标
007AAACF |50 PUSH EAX ; 1
007AAAD0 |51 PUSH ECX ; 0
007AAAD1 |8BCF MOV ECX,EDI
007AAAD3 |E8 08EAFEFF CALL Client.007994E0 ; 背包物品使用CALL //动作使用CALL
007AAAD8 |83BF 08160000 3>CMP DWORD PTR DS:[EDI+0x1608],0x35
007AAADF |75 1F JNZ SHORT Client.007AAB00
007AAAE1 |8B849F 10040000 MOV EAX,DWORD PTR DS:[EDI+EBX*4+0x410]
1、封装动作对象
2、封装动作对象列表
3、封装使用对象功能函数
作业:
BOOL TActionList::UseAction(char* szpActionName)
//背包对象 怪物对象 动作对象 玩家对象
0061BD29 |. BE 40E71C03 MOV ESI,Client.031CE740
dd [031CE740+0ee3*4]
//动作对象数组
dd [31A9A98]+410+4*0
+08 //总的分类编号
+0C //总的对象数组 下标
+4C //动作分类ID 动作使用CALL参数
+5C //动作名字
mov ebx,2
mov edi,31A9A98
mov edi,[edi]
mov eax,[edi+410+4*ebx]
mov edx,[eax+4c]
mov eax,[0xf418E0]
MOV ECX,DWORD PTR DS:[EAX+27C] //[[0xf418E0]+0x27C] //*(DWORD*)((*(DWORD*)0xf418E0)+0x27c)
push edx
call
0079D2CF - 80 B8 30020000 00 - cmp byte ptr [eax+00000230],00
0079D2D6 - 75 6D - jne Client.exe+39D345
0079D2D8 - 8B 8C 9F 10040000 - mov ecx,[edi+ebx*4+00000410] << 从这里 F8单步步过跟
0079D2DF - 85 C9 - test ecx,ecx
0079D2E1 - 74 62 - je Client.exe+39D345
0079DB98 - 83 BF 08160000 35 - cmp dword ptr [edi+00001608],35
0079DB9F - 75 1F - jne Client.exe+39DBC0
0079DBA1 - 8B 84 9F 10040000 - mov eax,[edi+ebx*4+00000410] <<
0079DBA8 - 85 C0 - test eax,eax
0079DBAA - 74 14 - je Client.exe+39DBC0
0079DB2E |. /E9 D9000000 JMP Client.0079DC0C
0079DB33 |> |83F8 FF CMP EAX,-1
0079DB36 |. |0F84 D0000000 JE Client.0079DC0C
0079DB3C |. |50 PUSH EAX
0079DB3D |. |6A 01 PUSH 1
0079DB3F |. |6A 00 PUSH 0
0079DB41 |. |8BCF MOV ECX,EDI
0079DB43 |. |E8 B80FFFFF CALL Client.0078EB00
0079DB48 |. |E9 BF000000 JMP Client.0079DC0C
0079DB4D |> |8B8F 08160000 MOV ECX,DWORD PTR DS:[EDI+1608]
0079DB53 |. |8B97 D01B0000 MOV EDX,DWORD PTR DS:[EDI+1BD0]
0079DB59 |. |53 PUSH EBX
0079DB5A |. |51 PUSH ECX
0079DB5B |. |52 PUSH EDX
0079DB5C |. |8BCF MOV ECX,EDI
0079DB5E |. |E8 9D0FFFFF CALL Client.0078EB00
0079DB63 |. |E9 A4000000 JMP Client.0079DC0C
0079DB68 |> |E8 A3B2F2FF CALL Client.006C8E10
0079DB6D |. |84C0 TEST AL,AL
0079DB6F |. |0F85 97000000 JNZ Client.0079DC0C
0079DB75 |. |803D 318B1A03>CMP BYTE PTR DS:[31A8B31],1
0079DB7C |. |0F84 8A000000 JE Client.0079DC0C
0079DB82 |. |8B87 08160000 MOV EAX,DWORD PTR DS:[EDI+1608]
0079DB88 |. |8B8F D01B0000 MOV ECX,DWORD PTR DS:[EDI+1BD0]
0079DB8E |. |53 PUSH EBX ; 对象在数组里的下标
0079DB8F |. |50 PUSH EAX ; 35
0079DB90 |. |51 PUSH ECX ; 5
0079DB91 |. |8BCF MOV ECX,EDI
0079DB93 |. |E8 1878FFFF CALL Client.007953B0 ; ecx=[31A9A98]
0079DB98 |. |83BF 08160000>CMP DWORD PTR DS:[EDI+1608],35
0079DB9F |. |75 1F JNZ SHORT Client.0079DBC0
0079DBA1 |. |8B849F 100400>MOV EAX,DWORD PTR DS:[EDI+EBX*4+410] ; ebx动作下标
0079DBA8 |. |85C0 TEST EAX,EAX
0079DBAA |. |74 14 JE SHORT Client.0079DBC0
0079DBAC |. |8B50 4C MOV EDX,DWORD PTR DS:[EAX+4C]
0079DBAF |. |A1 E018F400 MOV EAX,DWORD PTR DS:[F418E0]
0079DBB4 |. |8B88 7C020000 MOV ECX,DWORD PTR DS:[EAX+27C]
0079DBBA |. |52 PUSH EDX
0079DBBB |. |E8 F0BAEDFF CALL Client.006796B0 ; 动作使用CALL
0079DBC0 |> |83BF 08160000>CMP DWORD PTR DS:[EDI+1608],36
0079DBC7 |. |75 20 JNZ SHORT Client.0079DBE9
0079DBC9 |. |8B849F 100400>MOV EAX,DWORD PTR DS:[EDI+EBX*4+410]
0079DBD0 |. |85C0 TEST EAX,EAX
0079DBD2 |. |74 15 JE SHORT Client.0079DBE9
0079DBD4 |. |8B48 4C MOV ECX,DWORD PTR DS:[EAX+4C]
0079DBD7 |. |8B15 E018F400 MOV EDX,DWORD PTR DS:[F418E0]
//dd [31A9A98]+410+4*0
//+08 //总的分类编号
//+0C //总的对象数组 下标
//+4C //动作分类ID 动作使用CALL参数
//+5C //动作名字
// Snapshot the client's action array into tList[0..11].
// Per the offset notes above: [Base_ActionList]+0x410 is the array of
// per-slot object pointers; each object keeps its name at +0x5C and its
// action-category ID (the argument of the use-action CALL) at +0x4C.
// Returns `this` so the call can be chained (see UseAction()).
// NOTE(review): the client's own loop tests the slot pointer for zero
// (TEST EAX,EAX / JE in the listing) before reading +0x4C; this loop does
// not, so an empty slot turns ndObj+0x5C / ndObj+0x4C into a near-null read.
// NOTE(review): catch(...) presumably only intercepts that access violation
// when the TU is built with asynchronous exceptions (/EHa) — confirm flags.
// NOTE(review): szpName aliases client memory directly; tList does not own
// it, so the pointer is only meaningful while that object stays allocated.
TActionList *TActionList::GetData()
{
DWORD ndpFirstObj=0;   // address of slot 0 of the pointer array
DWORD ndObj=NULL;      // pointer to the current slot's action object (may be 0)
try
{
// dereference the base once, then step to the pointer array at +0x410
ndpFirstObj=*(DWORD*)(Base_ActionList)+0x410;
for (int i=0;i<12;i++)   // 12 slots assumed; tList's capacity is not visible here — confirm
{
ndObj=*(DWORD*)(ndpFirstObj+4*i);
tList[i].szpName=(char*)(ndObj+0x5C);      // +0x5C: action name (not copied)
tList[i].ndActionID=*(DWORD*)(ndObj+0x4C);  // +0x4C: category ID passed to the use CALL
}
}
catch (...)
{
// best-effort: log and keep whatever entries were filled before the fault
DbgPrintf_Mine("*TActionList::GetData() 异常\r\n");
}
return this;
}
// Write the 12 cached entries (name, index, ID) to the debug log.
// Always returns TRUE; the value carries no status.
// NOTE(review): assumes GetData() ran first — tList is not filled here, and
// a never-initialised or null szpName reaches "%s" (undefined in standard C;
// MSVC's CRT happens to print "(null)") — confirm initialisation order.
BOOL TActionList::dbgPrintMsg()
{
for (int i=0;i<12;i++)   // same fixed slot count as GetData()
{
DbgPrintf_Mine("%s[%d] ID=%d \r\n",tList[i].szpName,i,tList[i].ndActionID);
}
return TRUE;
}
// Invoke the client's use-action routine for slot ndIndex.
// Mirrors the listing above: ECX = the object the client loads from
// [[F418E0]+0x27C] (BaseCallEcx_ActionUse here), one pushed argument =
// the slot's +0x4C action ID, then CALL BaseCall_ActionUse.
// The __asm block is MSVC x86 syntax; it will not build elsewhere.
// NOTE(review): ndIndex is not range-checked against the 12 entries
// GetData() fills, so an out-of-range index indexes past tList.
// NOTE(review): the empty catch(...) swallows everything and TRUE is
// returned regardless, so callers cannot tell success from failure.
// NOTE(review): no stack adjustment follows the CALL; the listing also shows
// a single PUSH and no ADD ESP afterwards, which suggests callee cleanup,
// but the callee's convention is not visible here — confirm.
BOOL TActionList::UseAction(DWORD ndIndex)
{
DWORD ndEcx=BaseCallEcx_ActionUse;
// re-reads the whole array on every call; cheap here but not free
DWORD ndArg1=GetData()->tList[ndIndex].ndActionID;
try
{
__asm
{
mov ecx,ndEcx        // this-pointer expected in ECX by the callee
mov eax,ndArg1
push eax             // sole stack argument: action ID (+0x4C)
mov eax,BaseCall_ActionUse
call eax
}
}
catch (...)
{
// deliberately best-effort: faults inside the client call are ignored
}
return TRUE;
}
// Address of the action-list pointer read by the client (MOV EAX,[0x31C1EB0]
// in the listing below). GetData() dereferences it before adding 0x410.
// NOTE(review): the earlier notes on this page use [31A9A98] for the same
// structure; the value is build-specific — confirm against the client in use.
#define Base_ActionList 0x31C1EB0
+5C 名字
8B91380200002B9134020000B8ABAAAA2AF7EAD1FA8BC253c1E81F33db03c274 //第一个 能搜到 共2个
+0x31 //00677AD1-00677AA0
dc [[0x31C1EB0]+410]+5c
00677A9F CC INT3
00677AA0 8B91 38020000 MOV EDX,DWORD PTR DS:[ECX+0x238]
00677AA6 2B91 34020000 SUB EDX,DWORD PTR DS:[ECX+0x234]
00677AAC B8 ABAAAA2A MOV EAX,0x2AAAAAAB
00677AB1 F7EA IMUL EDX
00677AB3 D1FA SAR EDX,1
00677AB5 8BC2 MOV EAX,EDX
00677AB7 53 PUSH EBX
00677AB8 C1E8 1F SHR EAX,0x1F
00677ABB 33DB XOR EBX,EBX
00677ABD 03C2 ADD EAX,EDX
00677ABF 74 7C JE SHORT Client.00677B3D
00677AC1 56 PUSH ESI
00677AC2 57 PUSH EDI
00677AC3 BE 10040000 MOV ESI,0x410
00677AC8 EB 06 JMP SHORT Client.00677AD0
00677ACA 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
00677AD0 A1 B01E1C03 MOV EAX,DWORD PTR DS:[0x31C1EB0] //基址
00677AD5 833C06 00 CMP DWORD PTR DS:[ESI+EAX],0x0
00677AA0 8B91 38020000 MOV EDX,DWORD PTR DS:[ECX+0x238]
00677AA6 2B91 34020000 SUB EDX,DWORD PTR DS:[ECX+0x234]
00677AAC B8 ABAAAA2A MOV EAX,0x2AAAAAAB
00677AB1 F7EA IMUL EDX
00677AB3 D1FA SAR EDX,1
00677AB5 8BC2 MOV EAX,EDX
00677AB7 53 PUSH EBX
00677AB8 C1E8 1F SHR EAX,0x1F
00677ABB 33DB XOR EBX,EBX
00677ABD 03C2 ADD EAX,EDX
00677ABF 74 7C JE SHORT Client.00677B3D
00677AC1 56 PUSH ESI
00677AC2 57 PUSH EDI
00677AC3 BE 10040000 MOV ESI,0x410
00677AC8 EB 06 JMP SHORT Client.00677AD0
00677ACA 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
00677AD0 A1 B01E1C03 MOV EAX,DWORD PTR DS:[0x31C1EB0] ; 动作基址
00677AD5 833C06 00 CMP DWORD PTR DS:[ESI+EAX],0x0
00677AD9 74 3C JE SHORT Client.00677B17
00677ADB 8B0406 MOV EAX,DWORD PTR DS:[ESI+EAX]
00677ADE 8B50 4C MOV EDX,DWORD PTR DS:[EAX+0x4C]
00677AE1 8B78 50 MOV EDI,DWORD PTR DS:[EAX+0x50]
007AAAAF /0F85 97000000 JNZ Client.007AAB4C
007AAAB5 |803D 490F1C03 0>CMP BYTE PTR DS:[0x31C0F49],0x1
007AAABC |0F84 8A000000 JE Client.007AAB4C
007AAAC2 |8B87 08160000 MOV EAX,DWORD PTR DS:[EDI+0x1608]
007AAAC8 |8B8F D01B0000 MOV ECX,DWORD PTR DS:[EDI+0x1BD0]
007AAACE |53 PUSH EBX ; 下标
007AAACF |50 PUSH EAX ; 1
007AAAD0 |51 PUSH ECX ; 0
007AAAD1 |8BCF MOV ECX,EDI
007AAAD3 |E8 08EAFEFF CALL Client.007994E0 ; 背包物品使用CALL //动作使用CALL
007AAAD8 |83BF 08160000 3>CMP DWORD PTR DS:[EDI+0x1608],0x35
007AAADF |75 1F JNZ SHORT Client.007AAB00
007AAAE1 |8B849F 10040000 MOV EAX,DWORD PTR DS:[EDI+EBX*4+0x410]