
逆向分析打开NPC 对话菜单

2015-02-04 10:18 423 查看
学习目标:
   分析NPC对话CALL
   

   分析思路:
    
    1、打开NPC对话时 一般会访问NPC对象数据,可以用CE尝试找出对NPC对象访问的代码,然后回溯。
    2、打开NPC对话时 可能会与服务器通讯。那么可以尝试发包函数处下断点回溯。

#define  BaseAllObjList 0x31E6640//所有对象数组 dd [031CE740+4*0]
#define  BaseRoleObj    0x31E663C //角色对象基址<自己>
所有对象基址+4*[[角色对象基址]+14b8]

dd [45E4A88+4*0]
+008 //对象类型分类编号:0x2E 怪物,0x31 玩家,0x55 动作对象
+314 //选中状态,是否显示了血条
+320 //怪物名字
+380 //死亡状态 死亡为1 未死亡为0
+768 //
+5b4 //怪物血量
+5B8 //怪物等级
+1018 //X
+1020 //Y
+1024 //X
+102c //Y
[[0x31E663C]+14B8] //下标

dd [0x31E6640+4*0]
dd [0x31E6640+4*[[0x31E663C]+14B8]]
dc [0x31E6640+4*[[0x31E663C]+14B8]]+320 //0x2E怪物类型 选中名字

; Probe snippet (author's notes): read the player's own object index and try
; one candidate call. Intel syntax, 32-bit client.
; Register roles: edi = own role object (BaseRoleObj, 0x31E663C per the #define
; above); eax = role->+0x14B8, the slot index ("下标") into BaseAllObjList;
; ecx = edi at the call. ecx=this plus one pushed arg looks like a __thiscall
; member call, but the callee's convention is not confirmed here.
; NOTE(review): this snippet passes the index unchecked; the client listings
; below compare the index with 0x270F (ja -> skip) before using it to address
; BaseAllObjList, so a caller should not assume the callee validates it.
mov edi,dword ptr ds:[0x31E663C]   ; edi = [BaseRoleObj], own role object pointer
MOV EAX,DWORD PTR DS:[EDI+0x14B8]  ; eax = index of this object in BaseAllObjList
push eax                           ; stack arg: the index
mov ecx,edi                        ; ecx = role object (presumably "this")
CALL 004CBFC0 // not this one (author's note: not the NPC-dialog call)

004CBFC8 - 81 FA 0F270000 - cmp edx,0000270F
004CBFCE - 0F87 C8000000 - ja Client.exe+CC09C
004CBFD4 - 8B 0C 95 40661E03  - mov ecx,[edx*4+Client.exe+2DE6640] <<
004CBFDB - 85 C9  - test ecx,ecx
004CBFDD - 0F84 B9000000 - je Client.exe+CC09C

004E4506 - E8 A50E1100 - call Client.exe+1F53B0
004E450B - 8B 97 B8140000  - mov edx,[edi+000014B8]
004E4511 - 8B 04 95 40661E03  - mov eax,[edx*4+Client.exe+2DE6640] <<
004E4518 - 85 C0  - test eax,eax
004E451A - 74 4A - je Client.exe+E4566

004E456C - 3D 10270000 - cmp eax,00002710
004E4571 - 73 1B - jae Client.exe+E458E
004E4573 - 8B 0C 85 40661E03  - mov ecx,[eax*4+Client.exe+2DE6640] <<
004E457A - 85 C9  - test ecx,ecx
004E457C - 74 10 - je Client.exe+E458E

004E46AE - 81 FE FFFF0000 - cmp esi,0000FFFF
004E46B4 - 74 47 - je Client.exe+E46FD
004E46B6 - 8B 0C B5 40661E03  - mov ecx,[esi*4+Client.exe+2DE6640] <<
004E46BD - 85 C9  - test ecx,ecx
004E46BF - 74 28 - je Client.exe+E46E9

; Second probe snippet (author's notes), same setup as the first one but
; trying a different candidate call. Intel syntax, 32-bit client.
; Register roles: edi = own role object (BaseRoleObj, 0x31E663C per the #define
; above); eax = role->+0x14B8, the slot index ("下标") into BaseAllObjList;
; ecx = edi at the call (looks like __thiscall, not confirmed).
; The listing that follows (004C5166) shows the callee doing
; cmp eax,270F / ja before indexing BaseAllObjList, i.e. eax is still the
; index on entry and is range-checked against 0x2710 entries there.
mov edi,dword ptr ds:[0x31E663C]   ; edi = [BaseRoleObj], own role object pointer
MOV EAX,DWORD PTR DS:[EDI+0x14B8]  ; eax = index of this object in BaseAllObjList
push eax                           ; stack arg: the index
mov ecx,edi                        ; ecx = role object (presumably "this")
CALL 004C5160 ; not this one (author's note: not the NPC-dialog call)

004C5166 - 3D 0F270000 - cmp eax,0000270F
004C516B - 77 2B - ja Client.exe+C5198
004C516D - 8B 04 85 40661E03  - mov eax,[eax*4+Client.exe+2DE6640] <<5
004C5174 - 85 C0  - test eax,eax
004C5176 - 74 20 - je Client.exe+C5198

004CB796 - 81 FA 0F270000 - cmp edx,0000270F
004CB79C - 0F87 BB000000 - ja Client.exe+CB85D
004CB7A2 - 8B 0C 95 40661E03  - mov ecx,[edx*4+Client.exe+2DE6640] <<
004CB7A9 - 85 C9  - test ecx,ecx
004CB7AB - 0F84 AC000000 - je Client.exe+CB85D

004E481A - 3D FFFF0000 - cmp eax,0000FFFF
004E481F - 0F84 AF000000 - je Client.exe+E48D4
004E4825 - 8B 0C 85 40661E03  - mov ecx,[eax*4+Client.exe+2DE6640] <<
004E482C - 85 C9  - test ecx,ecx
004E482E - 0F84 A0000000 - je Client.exe+E48D4

004E4878 - D9 5E 2C  - fstp dword ptr [esi+2C]
004E487B - 8B 95 FCAAFFFF  - mov edx,[ebp-00005504]
004E4881 - 8B 04 95 40661E03  - mov eax,[edx*4+Client.exe+2DE6640] <<
004E4888 - 50 - push eax
004E4889 - 56 - push esi

004DCCC2 - D9 46 2C  - fld dword ptr [esi+2C]
004DCCC5 - E8 F6D34500 - call Client.exe+53A0C0
004DCCCA - 8B 0C BD 40661E03  - mov ecx,[edi*4+Client.exe+2DE6640] << 9
004DCCD1 - 50 - push eax
004DCCD2 - 51 - push ecx
004DD018 - DC 05 30C49E00  - fadd qword ptr [Client.exe+5EC430]
004DD01E - E8 9DD04500 - call Client.exe+53A0C0
004DD023 - 8B 0C BD 40661E03  - mov ecx,[edi*4+Client.exe+2DE6640] <<
004DD02A - 50 - push eax
004DD02B - 51 - push ecx

004DD035 - 0F84 D6090000 - je Client.exe+DDA11
004DD03B - 8B 56 14  - mov edx,[esi+14]
004DD03E - 8B 3C 95 40661E03  - mov edi,[edx*4+Client.exe+2DE6640] <<
004DD045 - 8B 07  - mov eax,[edi]
004DD047 - 8B 50 04  - mov edx,[eax+04]

004DD729 - 0F85 B9020000 - jne Client.exe+DD9E8
004DD72F - 8B 46 14  - mov eax,[esi+14]
004DD732 - 8B 0C 85 40661E03  - mov ecx,[eax*4+Client.exe+2DE6640] <<
004DD739 - 85 C9  - test ecx,ecx
004DD73B - 74 7F - je Client.exe+DD7BC

004DD7AE - 74 49 - je Client.exe+DD7F9
004DD7B0 - 8B 46 14  - mov eax,[esi+14]
004DD7B3 - 8B 0C 85 40661E03  - mov ecx,[eax*4+Client.exe+2DE6640] <<
004DD7BA - EB 2D - jmp Client.exe+DD7E9
004DD7BC - 8B 4E 14  - mov ecx,[esi+14]

00735A1D - 8B 15 3C661E03  - mov edx,[Client.exe+2DE663C]
00735A23 - 8B 82 B8140000  - mov eax,[edx+000014B8]
00735A29 - 8B 0C 85 40661E03  - mov ecx,[eax*4+Client.exe+2DE6640] <<
00735A30 - 51 - push ecx
00735A31 - 8B 0D 586DCF00  - mov ecx,[Client.exe+8F6D58]

007F04D6 - 8D A4 24 00000000  - lea esp,[esp+00000000]
007F04DD - 8D 49 00  - lea ecx,[ecx+00]
007F04E0 - 39 1C 85 40661E03  - cmp [eax*4+Client.exe+2DE6640],ebx <<
007F04E7 - 0F84 3E010000 - je Client.exe+3F062B
007F04ED - 40 - inc eax

0073A685   /74 2A           JE SHORT Client.0073A6B1
0073A687   |83E8 77         SUB EAX,0x77
0073A68A   |74 11           JE SHORT Client.0073A69D
0073A68C   |83E8 1A         SUB EAX,0x1A
0073A68F   |75 39           JNZ SHORT Client.0073A6CA
0073A691   |57              PUSH EDI
0073A692   |E8 99DFFFFF     CALL Client.00738630                     ; 打开 关闭NPC
0073A697   |5F              POP EDI
0073A698   |5E              POP ESI
0073A699   |5D              POP EBP

0073A20C    E8 EFF2D1FF     CALL Client.00459500
0073A211    EB 07           JMP SHORT Client.0073A21A
0073A213    6A 00           PUSH 0x0
0073A215    E8 2618D2FF     CALL Client.0045BA40
0073A21A    8B15 C098F500   MOV EDX,DWORD PTR DS:[0xF598C0]
0073A220    6A 00           PUSH 0x0
0073A222    C705 C812F500 0>MOV DWORD PTR DS:[0xF512C8],0x0
0073A22C    8B82 A0020000   MOV EAX,DWORD PTR DS:[EDX+0x2A0]
0073A232    FF88 28020000   DEC DWORD PTR DS:[EAX+0x228]
0073A238    6A 01           PUSH 0x1
0073A23A    68 31040000     PUSH 0x431
0073A23F    E8 2C060B00     CALL Client.007EA870
0073A244    83C4 0C         ADD ESP,0xC
0073A247    C686 B5020000 0>MOV BYTE PTR DS:[ESI+0x2B5],0x0
0073A24E    EB 3B           JMP SHORT Client.0073A28B
0073A250    394B 04         CMP DWORD PTR DS:[EBX+0x4],ECX
0073A253    75 12           JNZ SHORT Client.0073A267
0073A255    8B0D C098F500   MOV ECX,DWORD PTR DS:[0xF598C0]
0073A25B    6A 09           PUSH 0x9
0073A25D    68 B5030000     PUSH 0x3B5
0073A262    E8 49B1EBFF     CALL Client.005F53B0
0073A267    837B 04 01      CMP DWORD PTR DS:[EBX+0x4],0x1
0073A26B    75 1E           JNZ SHORT Client.0073A28B
0073A26D    8B43 08         MOV EAX,DWORD PTR DS:[EBX+0x8]            ; 00F4363E==EBX
0073A270    6A 01           PUSH 0x1
0073A272    50              PUSH EAX                                  ; 27,1 NPC编号
0073A273    8BCE            MOV ECX,ESI                               ; 0990D828
0073A275    E8 46D9FFFF     CALL Client.00737BC0                      ; 打开NPC 对话的CALL
0073A27A    C705 C812F500 0>MOV DWORD PTR DS:[0xF512C8],0x1
0073A284    C686 B5020000 0>MOV BYTE PTR DS:[ESI+0x2B5],0x1
0073A28B    8B03            MOV EAX,DWORD PTR DS:[EBX]
0073A28D    83C0 FE         ADD EAX,-0x2
0073A290    83F8 2F         CMP EAX,0x2F
0073A293    74 10           JE SHORT Client.0073A2A5
0073A295    83F8 34         CMP EAX,0x34
0073A298    74 0B           JE SHORT Client.0073A2A5
0073A29A    3D 9A000000     CMP EAX,0x9A
0073A29F    0F85 DE000000   JNZ Client.0073A383
0073A2A5    817B 0C C800000>CMP DWORD PTR DS:[EBX+0xC],0xC8
0073A2AC    0F85 D1000000   JNZ Client.0073A383
0073A2B2    A1 44A3AF00     MOV EAX,DWORD PTR DS:[0xAFA344]
0073A2B7    8985 E49EFFFF   MOV DWORD PTR SS:[EBP+0xFFFF9EE4],EAX
0073A2BD    C745 FC 0000000>MOV DWORD PTR SS:[EBP-0x4],0x0
0073A2C4    8985 E89EFFFF   MOV DWORD PTR SS:[EBP+0xFFFF9EE8],EAX