诛仙2最新寻路call
00d0ee8c 访问地址
00d21430 鼠标点击地址 以这个来寻路的
; OllyDbg listing (Win32, Intel syntax): tail of the routine reached from the
; call at 004458D0 in the listing below. The routine's entry and the rest of its
; body are outside this excerpt, so the roles of ebx and edi are inferred from
; the stores alone: ebx looks like the 3-float destination block pushed by the
; caller, edi like the object whose fields +28..+34 receive map ID and
; destination. Register values quoted in the comments come from the author's
; single debugging session; they are observations, not constants.
00445BDD 8B13 mov edx, dword ptr [ebx]
00445BDF 8957 2C mov dword ptr [edi+2C], edx ; destination X coordinate (author's label)
00445BE2 8B43 04 mov eax, dword ptr [ebx+4]
00445BE5 8B55 10 mov edx, dword ptr [ebp+10]
00445BE8 8947 30 mov dword ptr [edi+30], eax ; destination Z coordinate
00445BEB 8B4B 08 mov ecx, dword ptr [ebx+8]
00445BEE 8B45 08 mov eax, dword ptr [ebp+8]
00445BF1 894F 34 mov dword ptr [edi+34], ecx ; destination Y coordinate
00445BF4 50 push eax ; forwards the first stack arg [ebp+8]; eax=0012ECDC in this session, the current-position copy
00445BF5 8BCF mov ecx, edi ; edi=00D0EE60; ecx loaded right before the call, presumably the callee's this pointer
00445BF7 8957 28 mov dword ptr [edi+28], edx ; map ID taken from [ebp+10]; 00D0EE88 in this session
00445BFA E8 71FAFFFF call 00445670 ; inner path-finding call
00445BFF 8B4D F4 mov ecx, dword ptr [ebp-C] ; previous SEH record saved by the prologue (not shown)
00445C02 5F pop edi
00445C03 5B pop ebx
00445C04 64:890D 0000000>mov dword ptr fs:[0], ecx ; unlink this frame's SEH record (fs:[0] is the handler-chain head); OllyDbg truncated the operand text
00445C0B 8BE5 mov esp, ebp
00445C0D 5D pop ebp
00445C0E C2 1000 retn 10 ; callee pops 0x10 bytes = four dword args, consistent with the four pushes at the 004458D0 call site below
上面是 call 内部的代码，调用它的 call 还在上一层。
; OllyDbg listing (Win32, Intel syntax): the call site that invokes the routine
; whose tail is listed above. The excerpt starts mid-function, so what the call
; at 0060A706 returns in eax is known only from the author's session.
; The three fstp stores below build a 3-float copy of the current position at
; 0012ECDC laid out as Y,Z,X (offsets 0,4,8), mirroring the source object's
; +3C/+40/+44 - which is why the simplified version further down can pass
; eax+0x3C directly. Note that the author's labels for the destination block
; (00D21430, written X,Z,Y in the MFC code) do not match this order; one set of
; X/Y labels may be swapped, so verify in-game before relying on the names.
0060A706 . E8 D539F3FF call 0053E0E0
0060A70B . 8B80 98000000 mov eax, dword ptr [eax+98]
0060A711 . 8B0D C4EED000 mov ecx, dword ptr [D0EEC4] ; global base pointer; same chain is re-derived in the MFC code below
0060A717 . A3 5C17D200 mov dword ptr [D2175C], eax
0060A71C . 8B41 1C mov eax, dword ptr [ecx+1C]
0060A71F . 8B48 0C mov ecx, dword ptr [eax+C]
0060A722 . 85C9 test ecx, ecx
0060A724 . 75 03 jnz short 0060A729
0060A726 . 8B48 08 mov ecx, dword ptr [eax+8] ; fallback when [eax+C] is null
0060A729 > 8BB9 98000000 mov edi, dword ptr [ecx+98] ; edi = map ID, pushed as the 3rd arg below
0060A72F . 8B48 0C mov ecx, dword ptr [eax+C]
0060A732 . 85C9 test ecx, ecx
0060A734 . 75 03 jnz short 0060A739
0060A736 . 8B48 08 mov ecx, dword ptr [eax+8] ; same null fallback, repeated for the next call
0060A739 > E8 328CE3FF call 00443370 ; eax afterwards = object holding the current position
0060A73E . D940 44 fld dword ptr [eax+44] ; current X coordinate; eax=249442D0 in this session, which the author equates to [[D0EEC4]+1C]+2C
0060A741 . D940 40 fld dword ptr [eax+40] ; current Z coordinate
0060A744 . D940 3C fld dword ptr [eax+3C] ; current Y coordinate (now top of the FPU stack)
0060A747 . 83C0 0C add eax, 0C
0060A74A . 6A 00 push 0 ; 4th arg
0060A74C . D95C24 20 fstp dword ptr [esp+20] ; Y -> copy[0]; esp=0012ECBC, so the store hits 12ECDC
0060A750 . 57 push edi ; 3rd arg: map ID
0060A751 . 8D5424 24 lea edx, dword ptr [esp+24] ; edx = address of the copy = 0012ECDC (esp=0012ECB8)
0060A755 . D95C24 28 fstp dword ptr [esp+28] ; Z -> copy[4] = 12ECE0 (esp=0012ECB8)
0060A759 . 68 3014D200 push 00D21430 ; 2nd arg: destination coordinate block
0060A75E . 52 push edx ; 1st arg: pointer to the current-position copy (0012ECDC)
0060A75F . D95C24 34 fstp dword ptr [esp+34] ; X -> copy[8] = 12ECE4 (esp=0012ECB0)
0060A763 . B9 60EED000 mov ecx, 00D0EE60 ; ecx = this pointer for the call
0060A768 . E8 63B1E3FF call 004458D0 ; routine whose tail is listed above; it cleans the four args (retn 10)
MFC代码
// MFC dialog-handler fragment (32-bit MSVC inline asm). Reads two edit controls
// as destination X/Y, writes them into the game's destination block, and then
// invokes the game's path-finding routine the way the call site above does.
// Every address below belongs to one build of the client and one debugging
// session; the "simplified version" further down is the corrected form.
CString strx, stry;
GetDlgItemText(IDC_EDIT1, strx);
GetDlgItemText(IDC_EDIT2, stry);
if (strx == "" || stry == "") return; // no input -> do nothing
float x, y, z;
x = (float)atoi(strx); // atoi: fractional part and any non-numeric text are silently dropped
y = (float)atoi(stry);
z = (float)0;
__asm
{
mov ebx, 0xD21430 // destination block (00D21430 in the listing)
mov eax, x
mov dword ptr [ebx], eax // [+0] = x
mov eax, z
mov dword ptr [ebx+4], eax // [+4] = z
mov eax, y
mov dword ptr [ebx+8], eax // [+8] = y
mov eax, 0xD0EEC4 // same pointer chain as 0060A711..0060A73E: [[D0EEC4]+1C]+2C; no null checks here
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+0x1C]
mov eax, dword ptr [eax+0x2C]
fld dword ptr [eax+0x44] // current X (author's labelling)
fld dword ptr [eax+0x40] // current Z
fld dword ptr [eax+0x3C] // current Y
add eax, 0xC // result never read: edx is loaded from a constant below, not derived from eax
push 0 // 4th arg
mov edx, 0x12ECDC // BUG: this is the stack address seen in the debugger, not a buffer this code owns; the simplified version replaces it with lea edx, [eax+0x3C]
fstp dword ptr [edx] // Y -> [edx+0]
push 2 // 3rd arg: map ID hard-coded to 2 (the game itself reads it from [ecx+98], see 0060A729)
lea edx, dword ptr [edx] // no-op; edx already holds the address
fstp dword ptr [edx+4] // Z -> [edx+4]
push 0xD21430 // 2nd arg: destination block
push edx // 1st arg: pointer to the current-position copy
fstp dword ptr [edx+8] // X -> [edx+8]; FPU stack now balanced again
mov ecx, 0xD0EE60 // this pointer, as at 0060A763
mov eax, 0x4458D0
call eax // callee ends in retn 10, so the four pushes are cleaned by the callee
}
简化版
// 寻路call
void CallAutoGotoCoordinates(float x, float y, float z, DWORD GotoMapID)
{
// Simplified path-finding call. Writes (x, z, y) into the game's destination
// block and invokes the routine at m_CALL_FIND_ROUTES_ADDR, passing a pointer
// to the character's own live coordinates as the first argument instead of the
// stack copy the game's caller builds (see the listing above).
// Parameters: x, y, z - destination coordinates; GotoMapID - pushed as the 3rd arg.
// Returns nothing. Every address and offset below is for one specific client
// build; a client update invalidates them, and calling through a stale address
// transfers control to arbitrary code inside the process.
DWORD m_CALL_BASE_ADDR = 0xD0EEC4; // plain locals despite the m_ member prefix
DWORD m_OFFSET_ONE_BASE = 0x1C;
DWORD m_OFFSET_ROLE_BASE = 0x2C;
DWORD m_CALL_FIND_ROUTES_PUSH = 0xD21430; // destination coordinate block
DWORD m_CALL_FIND_ROUTES_MOVE = 0xD0EE60; // loaded into ecx (this pointer) before the call
DWORD m_CALL_FIND_ROUTES_ADDR = 0x4458D0; // routine called at 0060A768 in the listing
__try
{
__asm
{
mov ebx, m_CALL_FIND_ROUTES_PUSH
mov eax, x
mov dword ptr [ebx], eax // [+0] = x
mov eax, z
mov dword ptr [ebx+4], eax // [+4] = z
mov eax, y
mov dword ptr [ebx+8], eax // [+8] = y
mov eax, m_CALL_BASE_ADDR // eax = [[base]+1C]+2C, the pointer chain from the listing; no null checks, faults land in __except
mov eax, dword ptr [eax]
mov edi, m_OFFSET_ONE_BASE
mov eax, dword ptr [eax+edi]
mov edi, m_OFFSET_ROLE_BASE
mov eax, dword ptr [eax+edi]
lea edx, dword ptr [eax+0x3C] // current position used in place (fields +3C/+40/+44); no FPU copy needed
push 0 // 4th arg
push GotoMapID // 3rd arg
push m_CALL_FIND_ROUTES_PUSH // 2nd arg: destination block
push edx // 1st arg: current-position pointer
mov ecx, m_CALL_FIND_ROUTES_MOVE
mov eax, m_CALL_FIND_ROUTES_ADDR
call eax // callee pops its four args (retn 10)
}
}
__except(1){} // EXCEPTION_EXECUTE_HANDLER: every fault (null pointer in the chain, stale address) is silently swallowed; the caller never learns the call did not happen
}
这个 call 花了我一天时间加一晚上，一晚上都在找那个 esi，真不好找。最后我想了个办法：既然要传入当前坐标值的首地址，那我就直接用自身的坐标地址不就行了？果然成功了。