
《全职大师》背包遍历任鸟飞分享 [复制链接]

 


最终结果:
dd [[2CE4DCC]+0AE0]+40    数组起始指针
dd [[2CE4DCC]+0AE0]+44    数组结束指针
结构体数组
dd [[[2CE4DCC]+0AE0]+40]+38*n+4    物品位置  除以0x64  余数是格数,商是页数   符文页100开头,普通200开头,材料300开头,关注微信公众号:任鸟飞逆向,如果遍历到0-99的位置,说明不在物品栏里
dd [[[2CE4DCC]+0AE0]+40]+38*n+8    物品ID
dd [[[2CE4DCC]+0AE0]+40]+38*n+C       物品数量



分析过程以及特征码:

由于背包没有消耗品,所以我们只能从背包物品的位置,名字等其他属性入手
如果想从位置入手,也可以,但是我们要搜索未知初始值,扫描精确的数值是扫描不到的,说明有加密或者规则运算
我们也可以从物品名字入手
搜索UNICODE型的名字(当然每种编码我们都要尝试),并且分别下访问断点,其中一个地址会在光标放在物品上时断下
然后向上追,追到了所有物品名字遍历的位置,说明并不是在背包遍历中,那么我们需要在堆栈中找线索,否则这个地址的访问对我们是没用的
我们发现堆栈里有物品的ID字串,顺着堆栈往下搜索,搜索到它最先出现的位置
关注微信公众号:任鸟飞逆向
回车到这个位置,代码如下:




; Listing 0070C337-0070C67B (excerpt, mid-function: no prologue or ret shown).
; Builds per-item properties ("id", "itemLevel", "itemColor", "title") from two
; lookups, 016CB00D (array scan) and 01212991 (bucketed lookup), both listed
; further down the page. The disassembler used here does not decode SSE2: the
; 66/F3/F2-prefixed 0F opcodes show up as mm0 / "prefix" / "???" lines; the real
; instruction is noted where it matters.
0070C337    E8 DAC3E2FF     call    00538716                         ; same call pair as at 0071290D/00712914 (author: base address)
0070C33C    8BC8            mov     ecx, eax
0070C33E    E8 BFBEF800     call    01698202
0070C343    8BF8            mov     edi, eax                         ; edi = container object, passed as ecx to 016CB00D below
0070C345    85FF            test    edi, edi
0070C347    0F84 24130000   je      0070D671                         ; null -> bail out
0070C34D    8D8D D8EAFFFF   lea     ecx, dword ptr [ebp-1528]
0070C353    E8 F90BF0FF     call    0060CF51                         ; init the local out object at [ebp-1528] (same call as 00712926)
0070C358    33C0            xor     eax, eax
0070C35A    8945 FC         mov     dword ptr [ebp-4], eax           ; [ebp-4] takes small constants all through the function; looks like an MSVC EH state slot — unverified
0070C35D    8D85 D8EAFFFF   lea     eax, dword ptr [ebp-1528]
0070C363    50              push    eax                              ; arg2 = out object
0070C364    FFB5 08ECFFFF   push    dword ptr [ebp-13F8]             ; arg1 = value matched against entry+0 by 016CB00D
0070C36A    8BCF            mov     ecx, edi
0070C36C    E8 9CECFB00     call    016CB00D                         ; scan the 0x38-byte entry arrays; on a hit the entry is copied into [ebp-1528]
0070C371    8885 27ECFFFF   mov     byte ptr [ebp-13D9], al          ; al = 1 found / 0 not found
0070C377    84C0            test    al, al
0070C379    74 0A           je      short 0070C385
0070C37B    83FB FF         cmp     ebx, -1
0070C37E    0F449D E0EAFFFF cmove   ebx, dword ptr [ebp-1520]        ; ebx == -1 ? ebx = [ebp-1528]+8, the field 016C8E31 copies from entry+8
0070C385    53              push    ebx                              ; item ID passed in (author: this is the real ID)
0070C386    E8 003DE3FF     call    0054008B                         ; author: the base address is in here
0070C38B    8BC8            mov     ecx, eax
0070C38D    E8 FF65B000     call    01212991                         ; bucketed lookup by ID (listed further down); author: another traversal
0070C392    8BF8            mov     edi, eax                         ; edi = looked-up item
0070C394    89BD 20ECFFFF   mov     dword ptr [ebp-13E0], edi
0070C39A    85FF            test    edi, edi
0070C39C    0F84 C0120000   je      0070D662
0070C3A2    68 284ECE02     push    02CE4E28
0070C3A7    8BCF            mov     ecx, edi
0070C3A9    E8 7F3CB000     call    0121002D                         ; author: a traversal, a binary tree; called with keys 02CE4E28 / 02CE4E1C / 02CE4E18
0070C3AE    68 1C4ECE02     push    02CE4E1C
0070C3B3    8BCF            mov     ecx, edi
0070C3B5    8985 D8EBFFFF   mov     dword ptr [ebp-1428], eax        ; result for key 02CE4E28 (author: traced to here)
0070C3BB    E8 6D3CB000     call    0121002D
0070C3C0    83BD D8EBFFFF 0>cmp     dword ptr [ebp-1428], 0
0070C3C7    8985 14ECFFFF   mov     dword ptr [ebp-13EC], eax        ; result for key 02CE4E1C
0070C3CD    0F84 8F120000   je      0070D662                         ; either result null -> bail out
0070C3D3    85C0            test    eax, eax
0070C3D5    0F84 87120000   je      0070D662
0070C3DB    8B85 08ECFFFF   mov     eax, dword ptr [ebp-13F8]
0070C3E1    66:0F6F05 70482>movq    mm0, qword ptr [2264870]         ; 66 0F 6F: movdqa xmm0, [2264870] — 16-byte template for the value object
0070C3E9    F3:             prefix rep:
0070C3EA    0F7F85 DCEBFFFF movq    qword ptr [ebp-1424], mm0        ; F3 0F 7F: movdqu [ebp-1424], xmm0
0070C3F1    66:0F6EC0       movd    mm0, eax                         ; 66 0F 6E C0: movd xmm0, eax
0070C3F5    F3:             prefix rep:
0070C3F6    0FE6            ???                                      ; F3 0F E6 C0: cvtdq2pd xmm0, xmm0 (its C0 modrm byte was folded into the next line)
0070C3F8    C0C1 E8         rol     cl, 0E8                          ; really C1 E8 1F: shr eax, 1F (sign bit of the value)
0070C3FB    1F              pop     ds                               ; misdecode, see above
0070C3FC    F2:             prefix repne:
0070C3FD    0F5804C5 B0BE6E>addps   xmm0, dqword ptr [eax*8+26EBEB0] ; F2 0F 58: addsd xmm0, [eax*8+26EBEB0] — bias picked by the sign bit; looks like unsigned int -> double (table not shown)
0070C405    F2:             prefix repne:
0070C406    0F1185 ECEBFFFF movups  dqword ptr [ebp-1414], xmm0      ; F2 0F 11: movsd [ebp-1414], xmm0 — payload at +10 of the value object
0070C40D    C645 FC 04      mov     byte ptr [ebp-4], 4
0070C411    8D85 DCEBFFFF   lea     eax, dword ptr [ebp-1424]
0070C417    50              push    eax                              ; arg2 = value object at [ebp-1424]
0070C418    68 94492602     push    02264994                         ; ASCII "id" — arg1 = property name
0070C41D    8BCE            mov     ecx, esi
0070C41F    E8 5395EBFF     call    005C5977                         ; (name, value) call on esi; same shape repeated for "itemLevel", "itemColor", "title"
0070C424    33C9            xor     ecx, ecx
0070C426    884D FC         mov     byte ptr [ebp-4], cl
0070C429    8D8D DCEBFFFF   lea     ecx, dword ptr [ebp-1424]
0070C42F    E8 5415EBFF     call    005BD988                         ; tear down the value object after each 005C5977 call
0070C434    68 184ECE02     push    02CE4E18
0070C439    8BCF            mov     ecx, edi
0070C43B    E8 ED3BB000     call    0121002D                         ; third key lookup on the item
0070C440    8985 1CECFFFF   mov     dword ptr [ebp-13E4], eax
0070C446    85C0            test    eax, eax
0070C448    74 14           je      short 0070C45E                   ; null -> no filtering, go build "itemLevel"
0070C44A    8338 0A         cmp     dword ptr [eax], 0A              ; *result in {0A, 0, 1D, 28} -> skip "itemLevel" (jump to 0070C4AC)
0070C44D    74 5D           je      short 0070C4AC
0070C44F    8338 00         cmp     dword ptr [eax], 0
0070C452    74 58           je      short 0070C4AC
0070C454    8338 1D         cmp     dword ptr [eax], 1D
0070C457    74 53           je      short 0070C4AC
0070C459    8338 28         cmp     dword ptr [eax], 28
0070C45C    74 4E           je      short 0070C4AC
0070C45E    8B85 14ECFFFF   mov     eax, dword ptr [ebp-13EC]
0070C464    66:0F6F05 70482>movq    mm0, qword ptr [2264870]         ; movdqa xmm0, [2264870] (same template)
0070C46C    F3:             prefix rep:
0070C46D    0F7F85 DCEBFFFF movq    qword ptr [ebp-1424], mm0        ; movdqu [ebp-1424], xmm0
0070C474    66:0F6E48 08    movd    mm1, dword ptr [eax+8]           ; 66 0F 6E 48 08: movd xmm1, [eax+8]
0070C479    F3:             prefix rep:
0070C47A    0FE6            ???                                      ; F3 0F E6 C9: cvtdq2pd xmm1, xmm1 — signed int -> double, no bias here
0070C47C    C9              leave                                    ; misdecode: this C9 is the modrm byte of cvtdq2pd
0070C47D    F2:             prefix repne:
0070C47E    0F118D ECEBFFFF movups  dqword ptr [ebp-1414], xmm1      ; F2 0F 11: movsd [ebp-1414], xmm1
0070C485    C645 FC 05      mov     byte ptr [ebp-4], 5
0070C489    8D85 DCEBFFFF   lea     eax, dword ptr [ebp-1424]
0070C48F    50              push    eax
0070C490    68 A0022802     push    022802A0                         ; ASCII "itemLevel"
0070C495    8BCE            mov     ecx, esi
0070C497    E8 DB94EBFF     call    005C5977
0070C49C    33C0            xor     eax, eax
0070C49E    8845 FC         mov     byte ptr [ebp-4], al
0070C4A1    8D8D DCEBFFFF   lea     ecx, dword ptr [ebp-1424]
0070C4A7    E8 DC14EBFF     call    005BD988
0070C4AC    33C0            xor     eax, eax
0070C4AE    8BC8            mov     ecx, eax                         ; ecx = 0 default
0070C4B0    8B85 14ECFFFF   mov     eax, dword ptr [ebp-13EC]
0070C4B6    8B40 08         mov     eax, dword ptr [eax+8]           ; same +8 field that fed "itemLevel"
0070C4B9    48              dec     eax                              ; dec/je chain: 1 -> 5F, 2 -> 60, 3 -> 61, 4 -> 62, 5 -> 63, 6 -> 64, else ecx stays 0
0070C4BA    74 23           je      short 0070C4DF
0070C4BC    48              dec     eax
0070C4BD    74 1C           je      short 0070C4DB
0070C4BF    48              dec     eax
0070C4C0    74 15           je      short 0070C4D7
0070C4C2    48              dec     eax
0070C4C3    74 0E           je      short 0070C4D3
0070C4C5    48              dec     eax
0070C4C6    74 07           je      short 0070C4CF
0070C4C8    48              dec     eax
0070C4C9    75 17           jnz     short 0070C4E2
0070C4CB    6A 64           push    64
0070C4CD    EB 12           jmp     short 0070C4E1
0070C4CF    6A 63           push    63
0070C4D1    EB 0E           jmp     short 0070C4E1
0070C4D3    6A 62           push    62
0070C4D5    EB 0A           jmp     short 0070C4E1
0070C4D7    6A 61           push    61
0070C4D9    EB 06           jmp     short 0070C4E1
0070C4DB    6A 60           push    60
0070C4DD    EB 02           jmp     short 0070C4E1
0070C4DF    6A 5F           push    5F
0070C4E1    59              pop     ecx                              ; ecx = selected constant
0070C4E2    898D 10ECFFFF   mov     dword ptr [ebp-13F0], ecx
0070C4E8    8D8D 10ECFFFF   lea     ecx, dword ptr [ebp-13F0]
0070C4EE    E8 527BC600     call    01374045                         ; three chained calls turn that constant into a pointer in eax
0070C4F3    50              push    eax
0070C4F4    E8 32A0E2FF     call    0053652B
0070C4F9    8BC8            mov     ecx, eax
0070C4FB    E8 7991A900     call    011A5679
0070C500    85C0            test    eax, eax
0070C502    74 68           je      short 0070C56C                   ; null -> skip "itemColor"
0070C504    0FB610          movzx   edx, byte ptr [eax]              ; pack the bytes at +0, +4, +8 as (b0 << 16) | (b1 << 8) | b2
0070C507    0FB648 04       movzx   ecx, byte ptr [eax+4]
0070C50B    0FB640 08       movzx   eax, byte ptr [eax+8]
0070C50F    66:0F6F05 70482>movq    mm0, qword ptr [2264870]         ; movdqa xmm0, [2264870]
0070C517    C1E2 08         shl     edx, 8
0070C51A    0BD1            or      edx, ecx
0070C51C    C1E2 08         shl     edx, 8
0070C51F    0BD0            or      edx, eax
0070C521    F3:             prefix rep:
0070C522    0F7F85 DCEBFFFF movq    qword ptr [ebp-1424], mm0        ; movdqu [ebp-1424], xmm0
0070C529    66:0F6EC2       movd    mm0, edx                         ; movd xmm0, edx
0070C52D    F3:             prefix rep:
0070C52E    0FE6            ???                                      ; F3 0F E6 C0: cvtdq2pd xmm0, xmm0
0070C530    C0C1 EA         rol     cl, 0EA                          ; really C1 EA 1F: shr edx, 1F
0070C533    1F              pop     ds                               ; misdecode, see above
0070C534    F2:             prefix repne:
0070C535    0F5804D5 B0BE6E>addps   xmm0, dqword ptr [edx*8+26EBEB0] ; addsd xmm0, [edx*8+26EBEB0] — same unsigned -> double pattern as for "id"
0070C53D    F2:             prefix repne:
0070C53E    0F1185 ECEBFFFF movups  dqword ptr [ebp-1414], xmm0      ; movsd [ebp-1414], xmm0
0070C545    C645 FC 06      mov     byte ptr [ebp-4], 6
0070C549    8D85 DCEBFFFF   lea     eax, dword ptr [ebp-1424]
0070C54F    50              push    eax
0070C550    68 AC022802     push    022802AC                         ; ASCII "itemColor"
0070C555    8BCE            mov     ecx, esi
0070C557    E8 1B94EBFF     call    005C5977
0070C55C    33C0            xor     eax, eax
0070C55E    8845 FC         mov     byte ptr [ebp-4], al
0070C561    8D8D DCEBFFFF   lea     ecx, dword ptr [ebp-1424]
0070C567    E8 1C14EBFF     call    005BD988
0070C56C    33C0            xor     eax, eax
0070C56E    8985 B8ECFFFF   mov     dword ptr [ebp-1348], eax        ; in-place init of the string at [ebp-1358]: +10 = 0, +14 = 7, first wchar = 0 — looks like an MSVC basic_string<wchar_t> with a 7-char inline buffer (unverified)
0070C574    8985 BCECFFFF   mov     dword ptr [ebp-1344], eax
0070C57A    C785 BCECFFFF 0>mov     dword ptr [ebp-1344], 7
0070C584    8985 B8ECFFFF   mov     dword ptr [ebp-1348], eax
0070C58A    66:8985 A8ECFFF>mov     word ptr [ebp-1358], ax
0070C591    C645 FC 07      mov     byte ptr [ebp-4], 7
0070C595    3985 08ECFFFF   cmp     dword ptr [ebp-13F8], eax        ; searched value == 0 -> skip straight to the name part of "title"
0070C59B    74 54           je      short 0070C5F1
0070C59D    8D85 D8EAFFFF   lea     eax, dword ptr [ebp-1528]
0070C5A3    50              push    eax
0070C5A4    E8 E7BE0B01     call    017C8490                         ; takes &[ebp-1528]; returns a pointer or 0
0070C5A9    59              pop     ecx
0070C5AA    85C0            test    eax, eax
0070C5AC    74 43           je      short 0070C5F1
0070C5AE    33C9            xor     ecx, ecx
0070C5B0    66:3908         cmp     word ptr [eax], cx               ; empty wide string -> skip
0070C5B3    74 3C           je      short 0070C5F1
0070C5B5    50              push    eax
0070C5B6    E8 6DE8E2FF     call    0053AE28                         ; same call pair as at 0070C603/0070C60A
0070C5BB    8BC8            mov     ecx, eax
0070C5BD    E8 117DAA00     call    011B42D3
0070C5C2    8BF0            mov     esi, eax                         ; esi = resulting text pointer
0070C5C4    56              push    esi
0070C5C5    E8 761ADEFF     call    004EE040                         ; takes esi, returns eax — looks like a length (unverified)
0070C5CA    59              pop     ecx
0070C5CB    50              push    eax
0070C5CC    56              push    esi
0070C5CD    8D8D A8ECFFFF   lea     ecx, dword ptr [ebp-1358]
0070C5D3    E8 684CDEFF     call    004F1240                         ; (ptr, len) on the string at [ebp-1358] — looks like append (unverified)
0070C5D8    BE 2C812502     mov     esi, 0225812C                    ; constant string; its contents are not shown
0070C5DD    56              push    esi
0070C5DE    E8 5D1ADEFF     call    004EE040                         ; same length + append pair for the constant
0070C5E3    59              pop     ecx
0070C5E4    50              push    eax
0070C5E5    56              push    esi
0070C5E6    8D8D A8ECFFFF   lea     ecx, dword ptr [ebp-1358]
0070C5EC    E8 4F4CDEFF     call    004F1240
0070C5F1    8B85 D8EBFFFF   mov     eax, dword ptr [ebp-1428]        ; eax = result for key 02CE4E28
0070C5F7    83C0 08         add     eax, 8                           ; eax = string object at +8 (author: this is the name-ID string)
0070C5FA    8378 14 08      cmp     dword ptr [eax+14], 8            ; looks like the MSVC SSO check (unverified): capacity at +14 >= 8 -> +0 holds a heap pointer, else +0 is the inline buffer
0070C5FE    72 02           jb      short 0070C602
0070C600    8B00            mov     eax, dword ptr [eax]
0070C602    50              push    eax                              ; first argument (author)
0070C603    E8 20E8E2FF     call    0053AE28
0070C608    8BC8            mov     ecx, eax
0070C60A    E8 C47CAA00     call    011B42D3                         ; author: returned to here from the access breakpoint
0070C60F    8BF0            mov     esi, eax
0070C611    56              push    esi
0070C612    E8 291ADEFF     call    004EE040                         ; length + append onto [ebp-1358], as above
0070C617    59              pop     ecx
0070C618    50              push    eax
0070C619    56              push    esi
0070C61A    8D8D A8ECFFFF   lea     ecx, dword ptr [ebp-1358]
0070C620    E8 1B4CDEFF     call    004F1240
0070C625    83BD BCECFFFF 0>cmp     dword ptr [ebp-1344], 8          ; same SSO check on the local string: eax = capacity >= 8 ? [ebp-1358] : &[ebp-1358]
0070C62C    8D85 A8ECFFFF   lea     eax, dword ptr [ebp-1358]
0070C632    66:0F6F05 80482>movq    mm0, qword ptr [2264880]         ; movdqa xmm0, [2264880] — a different template than the numeric properties use
0070C63A    0F4385 A8ECFFFF cmovnb  eax, dword ptr [ebp-1358]
0070C641    F3:             prefix rep:
0070C642    0F7F85 DCEBFFFF movq    qword ptr [ebp-1424], mm0        ; movdqu [ebp-1424], xmm0
0070C649    8985 ECEBFFFF   mov     dword ptr [ebp-1414], eax        ; payload = pointer to the wide string
0070C64F    C645 FC 08      mov     byte ptr [ebp-4], 8
0070C653    8D85 DCEBFFFF   lea     eax, dword ptr [ebp-1424]
0070C659    8BB5 0CECFFFF   mov     esi, dword ptr [ebp-13F4]        ; "title" is set on [ebp-13F4], not on the esi used above
0070C65F    8BCE            mov     ecx, esi
0070C661    50              push    eax
0070C662    68 30472602     push    02264730                         ; ASCII "title"
0070C667    E8 0B93EBFF     call    005C5977
0070C66C    C645 FC 07      mov     byte ptr [ebp-4], 7
0070C670    8D8D DCEBFFFF   lea     ecx, dword ptr [ebp-1424]
0070C676    E8 0D13EBFF     call    005BD988
0070C67B    66:0F6F05 70482>movq    mm0, qword ptr [2264870]         ; movdqa xmm0, [2264870] — next property begins; excerpt ends here

关注微信公众号:任鸟飞逆向
追上去之后我们发现物品来源于一些遍历,下面的一个遍历是二叉树,我们很容易就分析出来了
然后上面还有一个遍历,里面有一个edx,它代表物品现在在背包里面的位置,但是我们并不知道它的来源
所以没办法,我们需要分析这个来源,于是我们继续向上追ID的来源
上面一个遍历CALL内部的内容如下
; 01212991 — lookup by ID (ecx = table object, [ebp+8] = ID; retn 4 pops it).
; idx = ID % 0x12C (unsigned div, edx zeroed first); bucket = ecx + idx*8;
; 012148FF is called with ecx = bucket+44 and (&local, &ID) on the stack.
; Returns 0 when the result equals the dword at bucket+44 (looks like a
; not-found marker, unverified), else [result+14]. Clobbers ecx, edx; esi saved.
01212991    55              push    ebp
01212992    8BEC            mov     ebp, esp
01212994    51              push    ecx                              ; reserve [ebp-4], the out slot filled by 012148FF
01212995    8B45 08         mov     eax, dword ptr [ebp+8]           ; eax = ID argument
01212998    33D2            xor     edx, edx                         ; edx:eax = ID for the unsigned div
0121299A    56              push    esi
0121299B    BE 2C010000     mov     esi, 12C                         ; 0x12C = 300 buckets
012129A0    F7F6            div     esi                              ; eax = ID / 300, edx = ID % 300
012129A2    8D45 08         lea     eax, dword ptr [ebp+8]
012129A5    50              push    eax                              ; arg: &ID
012129A6    8D45 FC         lea     eax, dword ptr [ebp-4]
012129A9    50              push    eax                              ; arg: &local (receives the result pointer)
012129AA    8D34D1          lea     esi, dword ptr [ecx+edx*8]       ; author: this edx is the position — it is ID % 0x12C from the div above, i.e. a bucket index
012129AD    8D4E 44         lea     ecx, dword ptr [esi+44]          ; ecx = bucket+44 for the bucket search
012129B0    E8 4A1F0000     call    012148FF
012129B5    8B45 FC         mov     eax, dword ptr [ebp-4]           ; eax = search result
012129B8    3B46 44         cmp     eax, dword ptr [esi+44]          ; result == dword at bucket+44 -> not found
012129BB    5E              pop     esi
012129BC    74 05           je      short 012129C3
012129BE    8B40 14         mov     eax, dword ptr [eax+14]          ; found: return [result+14]
012129C1    EB 02           jmp     short 012129C5
012129C3    33C0            xor     eax, eax                         ; not found: return 0
012129C5    8BE5            mov     esp, ebp
012129C7    5D              pop     ebp
012129C8    C2 0400         retn    4


由于这部分代码比较麻烦,所以为了能简便地获得名字,我们决定调CALL来得到物品的名字ID字串
我们可以简化一下下面的这段代码,然后得到名字ID字串
; Repeat of 0070C385-0070C3A9 from the listing above: the author's suggested
; shortcut for obtaining the name-ID string by calling these routines directly.
0070C385    53              push    ebx                              ; item ID passed in (author: this is the real ID)
0070C386    E8 003DE3FF     call    0054008B                         ; author: the base address is in here
0070C38B    8BC8            mov     ecx, eax
0070C38D    E8 FF65B000     call    01212991                         ; bucketed lookup by ID (listed above); author: another traversal
0070C392    8BF8            mov     edi, eax                         ; edi = looked-up item
0070C394    89BD 20ECFFFF   mov     dword ptr [ebp-13E0], edi
0070C39A    85FF            test    edi, edi
0070C39C    0F84 C0120000   je      0070D662                         ; null -> bail out
0070C3A2    68 284ECE02     push    02CE4E28                         ; key
0070C3A7    8BCF            mov     ecx, edi
0070C3A9    E8 7F3CB000     call    0121002D                         ; author: a traversal, a binary tree
这里返回的[eax+8]+0就是名字ID字串

继续向上追传入的ID,我们发现追了很远也没有追到ebp-1520
于是我们通过CE搜索这个ID,得到了几个来源,这里我建议大家断下灰色名字的物品再搜索,这样来源比较少
分别在地址下断,其中一个会断到这样一个位置
; 016C8E31 — field copy (ecx = destination, [ebp+8] = source). Copies the dwords
; at +0, +4, +8, +C, +10, +14 from source to destination; the excerpt stops at
; the lea for +18, so the rest of the copy and the epilogue are not shown.
016C8E31    55              push    ebp
016C8E32    8BEC            mov     ebp, esp
016C8E34    56              push    esi
016C8E35    8B75 08         mov     esi, dword ptr [ebp+8]           ; esi = source (a matched 0x38-byte entry when called from 016CB00D)
016C8E38    57              push    edi
016C8E39    8BF9            mov     edi, ecx                         ; edi = destination
016C8E3B    8B06            mov     eax, dword ptr [esi]
016C8E3D    8907            mov     dword ptr [edi], eax             ; +0: the value 016CB00D matched on
016C8E3F    8D4F 18         lea     ecx, dword ptr [edi+18]          ; ecx = &dest+18 for whatever follows the excerpt
016C8E42    8B46 04         mov     eax, dword ptr [esi+4]
016C8E45    8947 04         mov     dword ptr [edi+4], eax           ; +4
016C8E48    8B46 08         mov     eax, dword ptr [esi+8]           ; +8: item ID (author)
016C8E4B    8947 08         mov     dword ptr [edi+8], eax
016C8E4E    8B46 0C         mov     eax, dword ptr [esi+C]
016C8E51    8947 0C         mov     dword ptr [edi+C], eax           ; +C
016C8E54    8B46 10         mov     eax, dword ptr [esi+10]
016C8E57    8947 10         mov     dword ptr [edi+10], eax          ; +10
016C8E5A    8B46 14         mov     eax, dword ptr [esi+14]
016C8E5D    8947 14         mov     dword ptr [edi+14], eax          ; +14
016C8E60    8D46 18         lea     eax, dword ptr [esi+18]          ; eax = &src+18 (excerpt ends)


继续追得到如下代码
; 016CB00D — find entry by key (ecx = container, [ebp+8] = key, [ebp+C] = out
; object; retn 8 pops both). Scans two arrays of 0x38-byte entries, first
; [ecx+40]..[ecx+44] and then [ecx+78]..[ecx+7C], for an entry whose dword at +0
; equals the key. Hit: the entry is copied into the out object by 016C8E31 and
; al = 1. Miss: al = 0. An empty array (begin == end) is skipped cleanly.
; Clobbers eax, ecx, edx.
016CB00D    55              push    ebp
016CB00E    8BEC            mov     ebp, esp
016CB010    8B41 40         mov     eax, dword ptr [ecx+40]          ; eax = begin of array 1 (author: bag offset 2)
016CB013    8B55 08         mov     edx, dword ptr [ebp+8]           ; edx = key
016CB016    EB 07           jmp     short 016CB01F                   ; loop condition is checked first
016CB018    3910            cmp     dword ptr [eax], edx             ; entry+0 == key ?
016CB01A    74 08           je      short 016CB024
016CB01C    83C0 38         add     eax, 38                          ; next entry (stride 0x38)
016CB01F    3B41 44         cmp     eax, dword ptr [ecx+44]          ; reached end of array 1 ?
016CB022  ^ 75 F4           jnz     short 016CB018
016CB024    3B41 44         cmp     eax, dword ptr [ecx+44]          ; eax != end -> found in array 1
016CB027    75 1A           jnz     short 016CB043
016CB029    8B41 78         mov     eax, dword ptr [ecx+78]          ; same scan over array 2: [ecx+78]..[ecx+7C]
016CB02C    EB 07           jmp     short 016CB035
016CB02E    3910            cmp     dword ptr [eax], edx
016CB030    74 08           je      short 016CB03A
016CB032    83C0 38         add     eax, 38                          ; stride 0x38 (author: +38 array)
016CB035    3B41 7C         cmp     eax, dword ptr [ecx+7C]
016CB038  ^ 75 F4           jnz     short 016CB02E
016CB03A    3B41 7C         cmp     eax, dword ptr [ecx+7C]
016CB03D    75 04           jnz     short 016CB043
016CB03F    32C0            xor     al, al                           ; not found in either array: return 0
016CB041    EB 0B           jmp     short 016CB04E
016CB043    8B4D 0C         mov     ecx, dword ptr [ebp+C]           ; ecx = out object
016CB046    50              push    eax                              ; arg = matched entry
016CB047    E8 E5DDFFFF     call    016C8E31                         ; copy the entry into the out object (listing above)
016CB04C    B0 01           mov     al, 1                            ; found
016CB04E    5D              pop     ebp
016CB04F    C2 0800         retn    8
这里的两个+38数组没有具体分析,应该只用到了上面的那个
这是一个结构体数组,每个元素大小为0x38
继续返回代码如下
; Listing 007128F3-0071296B (excerpt, mid-function). A caller of 016CB00D; shows
; the ID field of the matched entry ([ebp-48]+8) being fed to 01212991
; (author: this is where the base address is reached).
007128F3    84C0            test    al, al
007128F5    0F85 63020000   jnz     00712B5E
007128FB    8B8D 34FEFFFF   mov     ecx, dword ptr [ebp-1CC]         ; cached container pointer; fetched below when still 0
00712901    85C9            test    ecx, ecx
00712903    75 79           jnz     short 0071297E
00712905    85FF            test    edi, edi                         ; edi = value to look up (pushed as arg1 below)
00712907    0F84 83000000   je      00712990
0071290D    E8 045EE2FF     call    00538716                         ; author: base address
00712912    8BC8            mov     ecx, eax
00712914    E8 E958F800     call    01698202                         ; author: a large offset inside
00712919    8985 34FEFFFF   mov     dword ptr [ebp-1CC], eax
0071291F    85C0            test    eax, eax
00712921    74 6D           je      short 00712990
00712923    8D4D B8         lea     ecx, dword ptr [ebp-48]
00712926    E8 26A6EFFF     call    0060CF51                         ; init the local out object at [ebp-48]
0071292B    C645 FC 3B      mov     byte ptr [ebp-4], 3B
0071292F    8D45 B8         lea     eax, dword ptr [ebp-48]
00712932    8B8D 34FEFFFF   mov     ecx, dword ptr [ebp-1CC]         ; ecx = container (this for 016CB00D)
00712938    50              push    eax                              ; arg2 = out object
00712939    57              push    edi                              ; arg1 = value matched against entry+0
0071293A    E8 CE86FB00     call    016CB00D                         ; scan the 0x38-byte entry arrays (listing above)
0071293F    84C0            test    al, al
00712941    74 2D           je      short 00712970                   ; not found
00712943    8B75 C0         mov     esi, dword ptr [ebp-40]          ; [ebp-48]+8: the entry+8 field copied by 016C8E31 (author: item ID)
00712946    56              push    esi
00712947    E8 3FD7E2FF     call    0054008B
0071294C    8BC8            mov     ecx, eax
0071294E    E8 3E00B000     call    01212991                         ; bucketed lookup by that ID (listing above)
00712953    85C0            test    eax, eax
00712955    75 19           jnz     short 00712970
00712957    C645 FC 02      mov     byte ptr [ebp-4], 2
0071295B    8D4D D0         lea     ecx, dword ptr [ebp-30]
0071295E    E8 2D53ECFF     call    005D7C90
00712963    33C0            xor     eax, eax
00712965    8985 24FEFFFF   mov     dword ptr [ebp-1DC], eax
0071296B    E9 F5010000     jmp     00712B65
这样我们就追到了基地址































