- 注册时间
- 2011-3-6
- 最后登录
- 1970-1-1
该用户从未签到
|
分析步骤:
1、打开口袋西游,登入账号后用OD附加
如果一开始就附加,输入账号那里老提示密码错误,不能登陆游戏的!
2、bp send下断,游戏里按F1,OD断下,按CTRL+F9七次,找到如下地址:
[00569297 E8 34C2F2FF CALL elementc.004954D0
0056929C 85C0 TEST EAX,EAX
0056929E 74 07 JE SHORT elementc.005692A7
005692A0 8B10 MOV EDX,DWORD PTR DS:[EAX]
005692A2 8BC8 MOV ECX,EAX
005692A4 FF52 08 CALL DWORD PTR DS:[EDX+8]
005692A7 5F POP EDI
005692A8 5E POP ESI
005692A9 5D POP EBP
005692AA B0 01 MOV AL,1
005692AC 5B POP EBX
005692AD 59 POP ECX
005692AE C2 0C00 RETN 0C
断在蓝色那行,CALL DWORD PTR DS:[EDX+8]便是我们要找的call
3、分析CALL与紧邻的上2行
005692A0 8B10 MOV EDX,DWORD PTR DS:[EAX]
005692A2 8BC8 MOV ECX,EAX
005692A4 FF52 08 CALL DWORD PTR DS:[EDX+8]
得知:
EDX=[EAX]
ECX=EAX
CALL [[EAX]+8]
好我们找EAX
4、继续向上找EAX
00569297 E8 34C2F2FF CALL elementc.004954D0
好我们CTRL+G定位到地址004954D0
004954D0 8B4424 04 MOV EAX,DWORD PTR SS:[ESP+4]
004954D4 85C0 TEST EAX,EAX
004954D6 7C 1E JL SHORT elementc.004954F6
004954D8 3B41 10 CMP EAX,DWORD PTR DS:[ECX+10]
004954DB 7D 19 JGE SHORT elementc.004954F6
004954DD 8B49 0C MOV ECX,DWORD PTR DS:[ECX+C]
004954E0 8A5424 08 MOV DL,BYTE PTR SS:[ESP+8]
004954E4 84D2 TEST DL,DL
004954E6 8D0C81 LEA ECX,DWORD PTR DS:[ECX+EAX*4]
004954E9 8B01 MOV EAX,DWORD PTR DS:[ECX]
004954EB 74 0B JE SHORT elementc.004954F8
004954ED C701 00000000 MOV DWORD PTR DS:[ECX],0
004954F3 C2 0800 RETN 8
004954F6 33C0 XOR EAX,EAX
004954F8 C2 0800 RETN 8
结合:主要是找[ESP+4]
005692C7 83C7 90 ADD EDI,-70
005692CC 57 PUSH EDI
得知:
EAX=[ESP+4] //按键-70
ECX=[ECX+C]
ECX=*[ECX+EAX*4]
EAX=[ECX]
公式1:EAX=*[ECX+C]+(F1:0-F8:7)*4
EAX=*[ECX+C]+(按键-$70)*4
5、回到主线程,继续向上找EAX
005692CD 8B8483 E8090000 MOV EAX,DWORD PTR DS:[EBX+EAX*4+9E8]
005692D4 8BC8 MOV ECX,EAX
得知:
EAX=[EBX+EAX*4+9E8]
ECX=EAX
公式1:EAX=*[[EBX+EAX*4+9E8]+C]+(F1:0-F8:7)*4
EAX=*[[EBX+EAX*4+9E8]+C]+(按键-$70)*4
6、继续线上找EAX
CALL elementc.0051D620
DEC EAX //之前这一行代码没看到,导致分析造成误差,切忌马虎啊~~
0051D620 A1 886B9200 MOV EAX,DWORD PTR DS:[926B88]
0051D625 C3 RETN
得知:
公式1:EAX=*[[EBX+0*4+9E8]+C]+(F1:0-F8:7)*4
EAX=*[[EBX+0*4+9E8]+C]+(按键-$70)*4
7、向上找EBX了
00569171 8B5C24 10 MOV EBX,DWORD PTR SS:[ESP+10]
00569090 51 PUSH ECX
00569091 A1 5CFC9600 MOV EAX,DWORD PTR DS:[96FC5C]
00569096 53 PUSH EBX
00569097 55 PUSH EBP
00569098 56 PUSH ESI
00569099 8BF1 MOV ESI,ECX
0056909B 8B48 1C MOV ECX,DWORD PTR DS:[EAX+1C]
0056909E 57 PUSH EDI
0056909F 8B41 28 MOV EAX,DWORD PTR DS:[ECX+28]
005690A2 894424 10 MOV DWORD PTR SS:[ESP+10],EAX
EAX=[96FC5C]
ECX=[EAX+1C]
EAX=[ECX+28]
[ESP+10]=EAX
[ESP+10]=[[[96FC5C]+1C]+28] //是PUSH进栈的,然后被修改了数值
8、大功告成,由此分析所得:
公式2:
EAX=*[[[[[96FC5C]+1C]+28]+0*4+9E8]+C]+(F1:0-F8:7)*4
EAX=*[[[[[96FC5C]+1C]+28]+0*4+9E8]+C]+(按键-$70)*4
EDX=[EAX]
ECX=EAX
CALL [[EAX]+8]
9、写出代码(delphi)
asm
pushad
//delhi代码
MOV EAX, DWORD PTR [CallBaseAddr]
MOV EAX, DWORD PTR [EAX+$1C]
MOV EAX, DWORD PTR [EAX+$28]
MOV EAX, DWORD PTR [EAX+$9F4] //按键1-7:9F4 按键F1-F8:9E8
MOV EAX, DWORD PTR [EAX+$C]
MOV EAX, DWORD PTR [EAX+$4*($1-1)] //按键序号X(从1开始)-1
MOV ECX,EAX
MOV EDX,DWORD PTR [ECX]
CALL DWORD PTR [EDX+$8]
popad
end;
当然了,清楚了整个脉络,用OD原型代码一样OK:
asm
pushad
//原始OD指令顺序
MOV EAX,DWORD PTR DS:[$96FC5C]
MOV ECX,DWORD PTR DS:[EAX+$1C]
MOV EAX,DWORD PTR DS:[ECX+$28]
MOV EBX,EAX
MOV EAX,DWORD PTR DS:[$926B88]
DEC EAX
MOV EAX,DWORD PTR DS:[EBX+EAX*$4+$9E8]
MOV ECX,EAX
MOV EAX,$4*0
MOV ECX,DWORD PTR DS:[ECX+$C]
LEA ECX,DWORD PTR DS:[ECX+EAX*$4]
MOV EAX,DWORD PTR DS:[ECX]
MOV EDX,DWORD PTR DS:[EAX]
MOV ECX,EAX
CALL DWORD PTR DS:[EDX+$8]
popad
end;
公式整理如下,按键1-7的一样分析即可,想学的可以自己练习下:
按键F1-F7:
EAX=*[[[[[96FC5C]+1C]+28]+0*4+9E8]+C]+(F1:0-F8:7)*4
EAX=*[[[[[96FC5C]+1C]+28]+0*4+9E8]+C]+(按键-$70)*4
EDX=[EAX]
ECX=EAX
CALL [[EAX]+8]
按键1-7:
EAX=*[[[[[96FC5C]+1C]+28]+0*4+9F4]+C]+(1:0-7:6)*4
EAX=*[[[[[96FC5C]+1C]+28]+0*4+9F4]+C]+(按键-$31)*4
EDX=[EAX]
ECX=EAX
CALL [[EAX]+8]
结合按键位置的公式,CALL这个按键前加入保护,就不会导致崩溃拉!
快捷键 1~9
[[[[[[BaseAddr]+$28]+$9F4]+$C]+4*n]+$10]
F1~F8
[[[[[[BaseAddr]+$28]+$9E8]+$C]+4*n]+$10] |
|
发表于 2011-8-5 13:12:33
