要实现快速查找基址,就需要用到以前保存的关键代码了。
然后在 OD 中查找全部序列即可。
下面给出目前的基址：
MOV EAX,DWORD PTR DS:[EDI+EBX*4+0x410]
TEST EAX,EAX
007AD091 3B3D E4841B03 CMP EDI,DWORD PTR DS:[0x31B84E4]
//背包基址
007AD07F 03C6 ADD EAX,ESI
007AD081 03D9 ADD EBX,ECX
007AD083 3BC3 CMP EAX,EBX
007AD085 0F8C BA090000 JL Client.007ADA45
007AD08B 8B9D E4D7FFFF MOV EBX,DWORD PTR SS:[EBP-0x281C]
007AD091 3B3D E4841B03 CMP EDI,DWORD PTR DS:[0x31B84E4] //
007AD097 75 2A JNZ SHORT Client.007AD0C3
007AD099 8B849F 10040000 MOV EAX,DWORD PTR DS:[EDI+EBX*4+0x410]
007AD0A0 85C0 TEST EAX,EAX
007AD0A2 74 1F JE SHORT Client.007AD0C3
007AD0A4 8B88 300C0000 MOV ECX,DWORD PTR DS:[EAX+0xC30]
007AD0AA 85C9 TEST ECX,ECX
007AD0AC 74 15 JE SHORT Client.007AD0C3
007AD0AE 51 PUSH ECX
007AD0AF 8B0D 4CE3F500 MOV ECX,DWORD PTR DS:[0xF5E34C]
007AD0B5 50 PUSH EAX
物品使用call地址
MOV EAX,DWORD PTR DS:[EDI+0x1608]
MOV ECX,DWORD PTR DS:[EDI+0x1BD0]
007AE293 E8 289BFEFF CALL Client.00797DC0
007AE26D 84C0 TEST AL,AL
007AE26F 0F85 97000000 JNZ Client.007AE30C
007AE275 803D D9841B03 0>CMP BYTE PTR DS:[0x31B84D9],0x1
007AE27C 0F84 8A000000 JE Client.007AE30C
007AE282 8B87 08160000 MOV EAX,DWORD PTR DS:[EDI+0x1608]
007AE288 8B8F D01B0000 MOV ECX,DWORD PTR DS:[EDI+0x1BD0]
007AE28E 53 PUSH EBX
007AE28F 50 PUSH EAX
007AE290 51 PUSH ECX
007AE291 8BCF MOV ECX,EDI
007AE293 E8 289BFEFF CALL Client.00797DC0 //
007AE298 83BF 08160000 3>CMP DWORD PTR DS:[EDI+0x1608],0x35
007AE29F 75 1F JNZ SHORT Client.007AE2C0
007AE2A1 8B849F 10040000 MOV EAX,DWORD PTR DS:[EDI+EBX*4+0x410]
007AE2A8 85C0 TEST EAX,EAX
007AE2AA 74 14 JE SHORT Client.007AE2C0
007AE2AC 8B50 4C MOV EDX,DWORD PTR DS:[EAX+0x4C]
007AE2AF A1 50E3F500 MOV EAX,DWORD PTR DS:[0xF5E350]
007AE2B4 8B88 7C020000 MOV ECX,DWORD PTR DS:[EAX+0x27C]
007AE2BA 52 PUSH EDX
怪物对象基址
MOV EDX,DWORD PTR DS:[EBX]
MOV ECX,DWORD PTR DS:[EDX+0x10]
007F69EC 890C85 203F5F04 MOV DWORD PTR DS:[EAX*4+0x45F3F20],ECX
007F69CE /75 2B JNZ SHORT Client.007F69FB
007F69D0 |8B11 MOV EDX,DWORD PTR DS:[ECX]
007F69D2 |8B42 04 MOV EAX,DWORD PTR DS:[EDX+0x4]
007F69D5 |6A 00 PUSH 0x0
007F69D7 |6A 00 PUSH 0x0
007F69D9 |68 0F040000 PUSH 0x40F
007F69DE |FFD0 CALL EAX
007F69E0 |83F8 01 CMP EAX,0x1
007F69E3 |7F 16 JG SHORT Client.007F69FB
007F69E5 |A1 30781E03 MOV EAX,DWORD PTR DS:[0x31E7830]
007F69EA |8B0B MOV ECX,DWORD PTR DS:[EBX]
007F69EC |890C85 203F5F04 MOV DWORD PTR DS:[EAX*4+0x45F3F20],ECX
007F69F3 |40 INC EAX
007F69F4 |A3 30781E03 MOV DWORD PTR DS:[0x31E7830],EAX
007F69F9 |EB 14 JMP SHORT Client.007F6A0F
007F69FB \8B13 MOV EDX,DWORD PTR DS:[EBX]
007F69FD 8B4A 10 MOV ECX,DWORD PTR DS:[EDX+0x10]
007F6A00 C1E1 04 SHL ECX,0x4
007F6A03 53 PUSH EBX
007F6A04 81C1 60DB5F04 ADD ECX,Client.045FDB60
007F6A0A E8 31FEFFFF CALL Client.007F6840
007F6A0F 83C3 04 ADD EBX,0x4
007F6A12 4E DEC ESI
007F6A13 ^ 0F85 27FFFFFF JNZ Client.007F6940
007F6A19 3935 B8F9F500 CMP DWORD PTR DS:[0xF5F9B8],ESI
007F6A1F 75 07 JNZ SHORT Client.007F6A28
动作数组分析
动作call分析
MOV EAX,DWORD PTR DS:[EDI+0x1608]
MOV ECX,DWORD PTR DS:[EDI+0x1BD0]
007AE26D 84C0 TEST AL,AL
007AE26F 0F85 97000000 JNZ Client.007AE30C
007AE275 803D D9841B03 0>CMP BYTE PTR DS:[0x31B84D9],0x1
007AE27C 0F84 8A000000 JE Client.007AE30C
007AE282 8B87 08160000 MOV EAX,DWORD PTR DS:[EDI+0x1608]
007AE288 8B8F D01B0000 MOV ECX,DWORD PTR DS:[EDI+0x1BD0]
007AE28E 53 PUSH EBX
007AE28F 50 PUSH EAX
007AE290 51 PUSH ECX
007AE291 8BCF MOV ECX,EDI
007AE293 E8 289BFEFF CALL Client.00797DC0
007AE298 83BF 08160000 3>CMP DWORD PTR DS:[EDI+0x1608],0x35
007AE29F 75 1F JNZ SHORT Client.007AE2C0
007AE2A1 8B849F 10040000 MOV EAX,DWORD PTR DS:[EDI+EBX*4+0x410]
007AE2A8 85C0 TEST EAX,EAX
007AE2AA 74 14 JE SHORT Client.007AE2C0
007AE2AC 8B50 4C MOV EDX,DWORD PTR DS:[EAX+0x4C]
007AE2AF A1 50E3F500 MOV EAX,DWORD PTR DS:[0xF5E350]
007AE2B4 8B88 7C020000 MOV ECX,DWORD PTR DS:[EAX+0x27C]
007AE2BA 52 PUSH EDX
007AE2BB E8 C0A3EDFF CALL Client.00688680
007AE2C0 83BF 08160000 3>CMP DWORD PTR DS:[EDI+0x1608],0x36
007AE2C7 75 20 JNZ SHORT Client.007AE2E9
007AE2C9 8B849F 10040000 MOV EAX,DWORD PTR DS:[EDI+EBX*4+0x410]
007AE2D0 85C0 TEST EAX,EAX
edi =22D13488
基址为31b9440
31e1720
dc [[31b9440]+410+4*0]+5c
玩家对象地址
CMP DWORD PTR DS:[EDI+0x14D4],0x1
MOV DWORD PTR SS:[EBP+0xFFFFAAFC],0xFFFF
004E7ABA E8 21A2F9FF CALL Client.00481CE0
004E7ABF 8B0D 50E3F500 MOV ECX,DWORD PTR DS:[0xF5E350]
004E7AC5 8B46 14 MOV EAX,DWORD PTR DS:[ESI+0x14]
004E7AC8 8B91 C4020000 MOV EDX,DWORD PTR DS:[ECX+0x2C4]
004E7ACE 8B8A 70020000 MOV ECX,DWORD PTR DS:[EDX+0x270]
004E7AD4 50 PUSH EAX
004E7AD5 6A 05 PUSH 0x5
004E7AD7 E8 64AAF9FF CALL Client.00482540
004E7ADC 8B46 0C MOV EAX,DWORD PTR DS:[ESI+0xC]
004E7ADF 8B0D C4DB1D03 MOV ECX,DWORD PTR DS:[0x31DDBC4]
004E7AE5 8981 B8140000 MOV DWORD PTR DS:[ECX+0x14B8],EAX
004E7AEB EB 2C JMP SHORT Client.004E7B19
004E7AED 83BF D4140000 0>CMP DWORD PTR DS:[EDI+0x14D4],0x1
004E7AF4 C785 FCAAFFFF F>MOV DWORD PTR SS:[EBP+0xFFFFAAFC],0xFFFF
004E7AFE 74 06 JE SHORT Client.004E7B06
MOV DWORD PTR DS:[EDI+0x14B8],ECX
MOV EDX,DWORD PTR DS:[ESI]
MOV EAX,DWORD PTR DS:[EDX+0x4]
004EB812 E8 99D91000 CALL Client.005F91B0
004EB817 8B87 B8140000 MOV EAX,DWORD PTR DS:[EDI+0x14B8]
004EB81D 3D FFFF0000 CMP EAX,0xFFFF
004EB822 74 1B JE SHORT Client.004EB83F
004EB824 8B0C85 C8DB1D03 MOV ECX,DWORD PTR DS:[EAX*4+0x31DDBC8]
004EB82B 85C9 TEST ECX,ECX
004EB82D 74 10 JE SHORT Client.004EB83F
004EB82F 8B11 MOV EDX,DWORD PTR DS:[ECX]
004EB831 8B42 04 MOV EAX,DWORD PTR DS:[EDX+0x4]
004EB834 6A 00 PUSH 0x0
004EB836 6A 00 PUSH 0x0
004EB838 68 50040000 PUSH 0x450
004EB83D FFD0 CALL EAX
004EB83F 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+0xC]
004EB842 6A 00 PUSH 0x0
004EB844 898F B8140000 MOV DWORD PTR DS:[EDI+0x14B8],ECX
004EB84A 8B16 MOV EDX,DWORD PTR DS:[ESI]
004EB84C 8B42 04 MOV EAX,DWORD PTR DS:[EDX+0x4]
004EB84F 6A 01 PUSH 0x1
004EB851 68 50040000 PUSH 0x450
004EB856 8BCE MOV ECX,ESI
004EB858 FFD0 CALL EAX
004EB85A B8 01000000 MOV EAX,0x1
004EB85F E9 50080000 JMP Client.004EC0B4
004EB864 8B87 7C200000 MOV EAX,DWORD PTR DS:[EDI+0x207C]
004EB86A DDD8 FSTP ST(0)
004EB86C E9 43080000 JMP Client.004EC0B4
004EB871 DDD8 FSTP ST(0)
004EB873 3997 0C2D0000 CMP DWORD PTR DS:[EDI+0x2D0C],EDX
还有部分尚未找完，原理都相同。