Multi-layer heartbeat-packet filtering: solving breakpoints that hit too fast and return the same data after breaking

Original poster: 啊冲, posted 2016-08-27
Forum: 魔鬼作坊 (Devil Workshop)
Screen: 1024*768  System: XP3
Dear friends:
We meet again in the VIP secret course. In this lesson I will share with you the multi-layer heartbeat-packet filtering technique for solving breakpoints that hit too fast and that return the same data after a break.


Universal approach to solving problems: whatever problem you need to solve, search Baidu or Google and you'll know, because the problem you want to solve has probably already been solved by someone else.
Top-secret idea: if a breakpoint set while looking for a CALL triggers too fast, or returns the same data after breaking, you can use a conditional breakpoint (Shift+F2) to filter out the heartbeat packets and so find all kinds of CALLs.
Specific operating steps


Game: 神仙传

Shout:

Call stack:     Main thread
Address   Stack     Procedure                  Called from      Frame
00125AA4  00648A58  WS2_32.send                Game.00648A52    00125ABC
00125AC0  00647AF4  Game.00648A40              Game.00647AEF    00125ABC
00125AE0  0041751D  Game.00647AC0              Game.00417518    00125ADC
00125AF8  00AD2EDF  Game.00417500              Game.00AD2EDA    00125AF4
00125B10  00AD6078  Game.00AD2EC0              Game.00AD6073    00125B0C
00125B54  00AE014B  Game.00AD5FA0              Game.00AE0146    00125B50
00125B64  00AE00B1  Game.00AE0130              Game.00AE00AC    00125B60
// the frames above are the same for every action
00125B78  00ADC5F0  Includes Game.00AE00B1     Game.00ADC5EE    00125B74
0012DE58  00818EA3  Game.00ADC420              Game.00818E9E    0012DE54
// correct: this is the shout CALL
0012DF2C  00443DFA  Includes Game.00818EA3     Game.00443DF8    0012DF28
0012E27C  00443A03  Game.00440DA0              Game.004439FE    0012E278
0012E5E0  0045261C  Game.00440DA0              Game.00452617    0012E5DC
0012E610  00447A88  Game.004525D0              Game.00447A83    0012E60C
0012E644  004487B6  Game.00447960              Game.004487B1    0012E640
0012E688  00447B76  Game.004486F0              Game.00447B71    0012E684
0012E6C4  0051E46D  Game.00447B50              Game.0051E468    0012E6C0
0012EBAC  0053281C  Includes Game.0051E46D     Game.0053281A    0012EBA8
0012EBD8  005326B8  Includes Game.0053281C     Game.005326B6    0012EBD4
0012EBEC  008079E0  Includes Game.005326B8     Game.008079DE    0012EBE8
0012EBFC  00807F63  Game.00807980              Game.00807F5E    0012EBF8
0012EC34  00815946  Includes Game.00807F63     Game.00815944    0012EC30
0012EC50  0080E8D9  Includes Game.00815946     Game.0080E8D7    0012EC4C
0012EC70  0080E750  Game.0080E890              Game.0080E74B    0012EC6C
0012EC8C  0081276A  Includes Game.0080E750     Game.00812767    0012EC88
0012ECA8  008122C5  Game.00812690              Game.008122C0    0012ECA4
0012ECCC  00811FFD  Game.00812290              Game.00811FF8    0012ECC8
0012ED10  00811894  Game.00811D50              Game.0081188F    0012ED0C
0012EFC8  00812054  Game.00811340              Game.0081204F    0012EFC4
0012EFF0  00810AB3  Game.00812020              Game.00810AAE    0012EFEC
0012F05C  0046ACA5  Includes Game.00810AB3     Game.0046ACA3    0012F058
0012F068  005D25F8  Includes Game.0046ACA5     Game.005D25F6    0012F064
0012F078  007FFE02  Game.005D25C0              Game.007FFDFD    0012F074
0012F080  004133DA  Game.007FFDF0              Game.004133D5    0012F07C
0012F0E0  008271AC  Game.004132A0              Game.008271A7    0012F0DC
0012FDCC  00665594  Game.00826CA0              Game.0066558F    0012FDC8
0012FDE0  00665776  Game.00665570              Game.00665771    0012FDDC
0012FF34  00C699B0  Game.006655B0              Game.00C699AB    0012FF30


00818E84   8985 7CFFFFFF   MOV DWORD PTR SS:[EBP-84],EAX
00818E8A   83BD 7CFFFFFF 0>CMP DWORD PTR SS:[EBP-84],0
00818E91   74 10           JE SHORT Game.00818EA3
00818E93   68 205C1001     PUSH Game.01105C20                      ; ASCII "33333333"
00818E98   8B8D 7CFFFFFF   MOV ECX,DWORD PTR SS:[EBP-84]           ; Stack SS:[0012DEA4]=148D9BA8
00818E9E   E8 7D352C00     CALL Game.00ADC420

Test successful:
push 1105c20
mov ecx,148d9ba8
call 00adc420


TAB target selection:

Call stack:     Main thread
Address   Stack     Procedure                  Called from      Frame
0012EDE4  00648A58  WS2_32.send                Game.00648A52    0012EDFC
0012EE00  00647AF4  Game.00648A40              Game.00647AEF    0012EDFC
0012EE20  0041751D  Game.00647AC0              Game.00417518    0012EE1C
0012EE38  00AD2EDF  Game.00417500              Game.00AD2EDA    0012EE34
0012EE50  00AD6078  Game.00AD2EC0              Game.00AD6073    0012EE4C
0012EE94  00AE014B  Game.00AD5FA0              Game.00AE0146    0012EE90
0012EEA4  00AE00B1  Game.00AE0130              Game.00AE00AC    0012EEA0
// the frames above are the same for every action
0012EEB8  00647357  Includes Game.00AE00B1     Game.00647355    0012EEB4
0012EED4  00647E01  Game.006472D0              Game.00647DFC    0012EED0
0012EF54  006BF5EC  Game.00647C60              Game.006BF5E7    0012EF50
0012EF80  006BF4E6  Includes Game.006BF5EC     Game.006BF4E4    0012EF7C
0012EFA0  006C8941  ? Game.006BF360            Game.006C893C    0012EF9C
0012EFB4  0041312A  Game.006C88E0              Game.00413125    0012EFB0

Using the state flag (1 when a target is selected, 0 when not), find the memory address with CE, set a breakpoint on that memory address to capture the returned data, and you can find the CALL.

ESC cancel target selection

0012EDE4  00648A58  X.    /CALL send from Game.00648A52
0012EDE8  00000820   ..   |Socket = 820
0012EDEC  0C450020  .E.   |Data = 0C450020
0012EDF0  00000038  8...  |DataSize = 38 (56.)
0012EDF4  00000000  ....  \Flags = 0

0012EDE4  00648A58  X.    /CALL send from Game.00648A52
0012EDE8  00000820   ..   |Socket = 820
0012EDEC  0C450020  .E.   |Data = 0C450020
0012EDF0  00000039  9...  |DataSize = 39 (57.)
0012EDF4  00000000  ....  \Flags = 0

0012EDE4  00648A58  X.    /CALL send from Game.00648A52
0012EDE8  00000820   ..   |Socket = 820
0012EDEC  0C450020  .E.   |Data = 0C450020
0012EDF0  0000003A  :...  |DataSize = 3A (58.)
0012EDF4  00000000  ....  \Flags = 0

0012EDE4  00648A58  X.    /CALL send from Game.00648A52
0012EDE8  00000820   ..   |Socket = 820
0012EDEC  0C450020  .E.   |Data = 0C450020
0012EDF0  0000003B  ;...  |DataSize = 3B (59.)
0012EDF4  00000000  ....  \Flags = 0


[esp+c]!=38

[esp+c]!=38 && [esp+c]!=39 && [esp+c]!=3A && [esp+c]!=3B
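As an added illustration that is not part of the original post: the script below parses OllyDbg-style "CALL send" argument dumps like the four above and evaluates the same condition the final conditional breakpoint uses, treating `[esp+c]` as the DataSize argument of send. The dump text is constructed from the post's values, with one extra non-heartbeat block (DataSize 0x14) added so the filter has something to let through.

```python
import re

# Constructed sample in OllyDbg's stack-window format, copied from the post's
# "CALL send" dumps; the third block (DataSize 0x14) is added here to show a
# non-heartbeat packet passing the filter.
SAMPLE_DUMPS = r"""
0012EDE4  00648A58  X.    /CALL send from Game.00648A52
0012EDE8  00000820   ..   |Socket = 820
0012EDEC  0C450020  .E.   |Data = 0C450020
0012EDF0  00000038  8...  |DataSize = 38 (56.)
0012EDF4  00000000  ....  \Flags = 0

0012EDE4  00648A58  X.    /CALL send from Game.00648A52
0012EDE8  00000820   ..   |Socket = 820
0012EDEC  0C450020  .E.   |Data = 0C450020
0012EDF0  0000003B  ;...  |DataSize = 3B (59.)
0012EDF4  00000000  ....  \Flags = 0

0012EDE4  00648A58  X.    /CALL send from Game.00648A52
0012EDE8  00000820   ..   |Socket = 820
0012EDEC  0C450020  .E.   |Data = 0C450020
0012EDF0  00000014  ....  |DataSize = 14 (20.)
0012EDF4  00000000  ....  \Flags = 0
"""

# Sizes excluded by the post's final condition:
# [esp+c]!=38 && [esp+c]!=39 && [esp+c]!=3A && [esp+c]!=3B
HEARTBEAT_SIZES = frozenset({0x38, 0x39, 0x3A, 0x3B})

# address, raw dword, ascii column, then "|Name = ..." or "\Name = ..."
ARG_LINE = re.compile(r"^[0-9A-F]{8}\s+([0-9A-F]{8})\s+.*?[|\\](\w+) = ", re.M)

def parse_send_calls(dump_text):
    """One dict per CALL send block, values taken from the raw dword column."""
    calls = []
    for block in re.split(r"\n\s*\n", dump_text.strip()):
        args = {name: int(raw, 16) for raw, name in ARG_LINE.findall(block)}
        if args:
            calls.append(args)
    return calls

def breakpoint_condition(call, excluded=HEARTBEAT_SIZES):
    """Mirror the conditional breakpoint: at send's entry [esp+c] is the third
    argument (DataSize), so the break fires only for non-heartbeat sizes."""
    return call["DataSize"] not in excluded

def sizes_that_break(dump_text):
    """DataSize values on which the debugger would actually stop."""
    return [c["DataSize"] for c in parse_send_calls(dump_text) if breakpoint_condition(c)]
```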