Another game whose breakpoints return identical data, and a hands-on method for finding the real packet-sending CALL: a top-secret approach.

Posted by 啊冲 (original poster) on 2016-08-28
----------------
魔鬼作坊 (Mogui Zuofang)
Revealing game "forbidden technique" analysis methods...
http://www.moguizuofang.com/bbs/
----------------
Screen: 1024*768   OS: XP SP3
魔恩 QQ: 8643245
Dear friends:
We meet again in the VIP course. In this lesson I will share with you another game whose breakpoints return identical data, and a hands-on method for finding the real packet-sending CALL.

Universal approach to solving any problem: whatever you need to solve, search Baidu or Google and you will know,
                  because the problem you want to solve has most likely already been solved by someone else.


Top-secret approach: set a breakpoint and capture the identical returned data, then start the analysis at the beginning of the loop that produces that returned data, testing the loop's flow and the purpose and effect of the related data.

Testing methods: 1. Testing jumps such as jnz and je: comment a jump that is taken with 1 and one that is not taken with 0, so the two flows are easy to tell apart. A taken jump can be patched to not jump and the effect observed back in the game; a jump that is not taken can be patched to jump and observed the same way.

          2. Testing CALLed subroutines: a CALL with no parameters can simply be NOPed out and the effect observed in game; a CALL with parameters can be replaced with the stack-balancing instruction add esp,4. The example here has one parameter, hence 4; two parameters would be 8 (hexadecimal), and so on. The fastest way to tell how many parameters there are is to step into the CALL and look at the retn * at its end, where * gives the count: for example retn 0c means 3 parameters, because 0c hexadecimal is 12 decimal, and 12 divided by 4 = 3 parameters.

How do you test which CALL actually sends the packet?
Testing approach: just set a breakpoint at the head of each candidate CALL, go back into the game and trigger the action, and check whether the stack return shows the same data as before. If it breaks immediately after the breakpoint is set, in most cases it is not the one, although it is related to packet sending.

Specific steps:




Select-target (选怪) CALL, triggered with the TAB key

调用堆栈:     线程  000008B0
地址       堆栈       函数过程                              调用来自                      结构
05C2FF00   0078F7A6   ws2_32.send                           rxsj.0078F7A0                 05C2FF24
05C2FF28   0078F90C   rxsj.0078F780                         rxsj.0078F907                 05C2FF24
05C2FF50   0078F191   rxsj.0078F7F0                         rxsj.0078F18C                 05C2FF4C
05C2FF5C   007910DD   包含rxsj.0078F191                       rxsj.007910DB                 05C2FF58



调用堆栈:     主线程
地址       堆栈       函数过程                              调用来自                      结构
0013F288   0070040E   rxsj.00672A20                         rxsj.00700409                 0013F2B4
0013F2B8   006FD0C0   ? rxsj.00700340                       rxsj.006FD0BB                 0013F2B4
// select-target CALL
0013F34C   006E583D   rxsj.006FCD60                         rxsj.006E5838                 0013F348
0013F364   00668189   rxsj.006E5810                         rxsj.00668184                 0013F360
0013F44C   00792E9F   包含rxsj.00668189                       rxsj.00792E9D                 0013F448
0013F470   77D18734   包含rxsj.00792E9F                       USER32.77D18731               0013F46C
0013F49C   77D18816   ? USER32.77D1870C                     USER32.77D18811               0013F498
0013F504   77D189CD   ? USER32.77D1875F                     USER32.77D189C8               0013F500
0013F564   77D196C7   ? USER32.77D188F1                     USER32.77D196C2               0013F560
0013F574   00796D00   ? USER32.DispatchMessageA             rxsj.00796CFA                 0013F570
0013F610   006717E9   rxsj.00796A40                         rxsj.006717E4                 0013F60C
0013F620   00671F13   rxsj.00671780                         rxsj.00671F0E                 0013F61C
0013F668   00A7EE8D   rxsj.00671E50                         rxsj.00A7EE88                 0013F664



调用堆栈:     主线程
地址       堆栈       函数过程                              调用来自                      结构
0013F280   00700438   rxsj.0078F680                         rxsj.00700433                 0013F2B4
0013F2B8   006FD0C0   ? rxsj.00700340                       rxsj.006FD0BB                 0013F2B4
0013F34C   006E583D   rxsj.006FCD60                         rxsj.006E5838                 0013F348
0013F364   00668189   rxsj.006E5810                         rxsj.00668184                 0013F360
0013F44C   00792E9F   包含rxsj.00668189                       rxsj.00792E9D                 0013F448
0013F470   77D18734   包含rxsj.00792E9F                       USER32.77D18731               0013F46C
0013F49C   77D18816   ? USER32.77D1870C                     USER32.77D18811               0013F498
0013F504   77D189CD   ? USER32.77D1875F                     USER32.77D189C8               0013F500
0013F564   77D196C7   ? USER32.77D188F1                     USER32.77D196C2               0013F560
0013F574   00796D00   ? USER32.DispatchMessageA             rxsj.00796CFA                 0013F570
0013F610   006717E9   rxsj.00796A40                         rxsj.006717E4                 0013F60C
0013F620   00671F13   rxsj.00671780                         rxsj.00671F0E                 0013F61C
0013F668   00A7EE8D   rxsj.00671E50                         rxsj.00A7EE88                 0013F664


Code injector test succeeded:

mov ecx,0AF9CE68
mov eax,166
mov [ecx+0adc],eax
push 1
push 1AF24C00
mov ecx,0AF9CE68
call 00700340

OD signature (死码, the fixed byte pattern to search for):

MOV ECX,DWORD PTR SS:[EBP+10]
PUSH ECX
MOV EDX,DWORD PTR SS:[EBP+8]
PUSH EDX
MOV EAX,DWORD PTR SS:[EBP+C]
PUSH EAX
MOV ECX,DWORD PTR SS:[EBP-74]

After finding it, the 9th CALL above it is the select-target CALL.



Walk (走路) CALL

调用堆栈:     线程  000008B0
地址       堆栈       函数过程                              调用来自                      结构
05C2FF00   0078F7A6   ws2_32.send                           rxsj.0078F7A0                 05C2FF24
05C2FF28   0078F90C   rxsj.0078F780                         rxsj.0078F907                 05C2FF24
05C2FF50   0078F191   rxsj.0078F7F0                         rxsj.0078F18C                 05C2FF4C
05C2FF5C   007910DD   包含rxsj.0078F191                       rxsj.007910DB                 05C2FF58



007910BA   /74 37           JE SHORT rxsj.007910F3                   ; 0  if this jumps, the game cannot authenticate with the server

007910C7    FFD0            CALL EAX                                 ; EAX=0041EE70 (rxsj.0041EE70)  game errors after NOPing it

007910DB    FFD0            CALL EAX                                 ; EAX=0078F1B0 (rxsj.0078F1B0)  game stops responding; once restored, the game responds immediately







=================================

0041EA00    55              PUSH EBP
0041EA01    8BEC            MOV EBP,ESP
0041EA03    83EC 14         SUB ESP,14
0041EA06    894D EC         MOV DWORD PTR SS:[EBP-14],ECX
0041EA09    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
0041EA0C    8945 FC         MOV DWORD PTR SS:[EBP-4],EAX
0041EA0F    8B4D FC         MOV ECX,DWORD PTR SS:[EBP-4]
0041EA12    0FB611          MOVZX EDX,BYTE PTR DS:[ECX]
0041EA15    83FA 01         CMP EDX,1
0041EA18    75 36           JNZ SHORT rxsj.0041EA50                  ; 1
0041EA1A    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
0041EA1D    0FB648 01       MOVZX ECX,BYTE PTR DS:[EAX+1]
0041EA21    83F9 02         CMP ECX,2
0041EA24    75 2A           JNZ SHORT rxsj.0041EA50
0041EA26    8D4D F0         LEA ECX,DWORD PTR SS:[EBP-10]
0041EA29    E8 72020000     CALL rxsj.0041ECA0                       ; does not break when testing walking
0041EA2E    E8 9D030000     CALL rxsj.0041EDD0                       ; breaks immediately after the breakpoint is set
0041EA33    8BC8            MOV ECX,EAX
0041EA35    E8 E63F2500     CALL rxsj.00672A20                       ; very likely the packet-sending CALL
0041EA3A    8945 F2         MOV DWORD PTR SS:[EBP-E],EAX
0041EA3D    8955 F6         MOV DWORD PTR SS:[EBP-A],EDX
0041EA40    6A 0A           PUSH 0A
0041EA42    8D55 F0         LEA EDX,DWORD PTR SS:[EBP-10]
0041EA45    52              PUSH EDX
0041EA46    8B4D EC         MOV ECX,DWORD PTR SS:[EBP-14]
0041EA49    E8 320C3700     CALL rxsj.0078F680                       ; very likely the packet-sending CALL
0041EA4E    EB 57           JMP SHORT rxsj.0041EAA7
0041EA50    8B45 FC         MOV EAX,DWORD PTR SS:[EBP-4]
0041EA53    0FB608          MOVZX ECX,BYTE PTR DS:[EAX]
0041EA56    83F9 01         CMP ECX,1
0041EA59    75 36           JNZ SHORT rxsj.0041EA91                  ; 1
0041EA5B    8B55 FC         MOV EDX,DWORD PTR SS:[EBP-4]
0041EA5E    0FB642 01       MOVZX EAX,BYTE PTR DS:[EDX+1]
0041EA62    83F8 01         CMP EAX,1
0041EA65    75 2A           JNZ SHORT rxsj.0041EA91
0041EA67    8B4D FC         MOV ECX,DWORD PTR SS:[EBP-4]
0041EA6A    51              PUSH ECX
0041EA6B    E8 60030000     CALL rxsj.0041EDD0                       ; breaks constantly
0041EA70    8BC8            MOV ECX,EAX
0041EA72    E8 F93F2500     CALL rxsj.00672A70                       ; does not break
0041EA77    8B55 FC         MOV EDX,DWORD PTR SS:[EBP-4]
0041EA7A    8B42 0E         MOV EAX,DWORD PTR DS:[EDX+E]
0041EA7D    50              PUSH EAX
0041EA7E    8B4A 0A         MOV ECX,DWORD PTR DS:[EDX+A]
0041EA81    51              PUSH ECX
0041EA82    68 8076AF00     PUSH rxsj.00AF7680
0041EA87    E8 E4FBFEFF     CALL rxsj.0040E670                       ; does not break
0041EA8C    83C4 0C         ADD ESP,0C
0041EA8F    EB 16           JMP SHORT rxsj.0041EAA7
0041EA91    8B55 0C         MOV EDX,DWORD PTR SS:[EBP+C]
0041EA94    52              PUSH EDX
0041EA95    8B45 08         MOV EAX,DWORD PTR SS:[EBP+8]
0041EA98    50              PUSH EAX
0041EA99    8B4D EC         MOV ECX,DWORD PTR SS:[EBP-14]
0041EA9C    81C1 70370100   ADD ECX,13770
0041EAA2    E8 79040000     CALL rxsj.0041EF20
0041EAA7    8BE5            MOV ESP,EBP
0041EAA9    5D              POP EBP
0041EAAA    C2 0800         RETN 8




Set the OD signature (死码):

MOV DWORD PTR SS:[EBP-0E],EAX
MOV DWORD PTR SS:[EBP-0A],EDX
PUSH 0A
LEA EDX,DWORD PTR SS:[EBP-10]
PUSH EDX
MOV ECX,DWORD PTR SS:[EBP-14]

After finding it, the first CALL above and the first CALL below are both real packet-sending CALLs.






Everything in the world has its counter. When you cannot solve a problem, it is not a matter of your ability; your "method" is simply wrong.
The kind keep compassion always, bear no resentment, and take hardship as joy.
Default archive password: www.hifyl.com
File-sharing password questions: http://www.hifyl.com/read-htm-tid-4444.html
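As an added example (not code from the post, the game, or the Mogui Zuofang course), here is a small Python parser for the OllyDbg call-stack listings quoted above. It walks from the ws2_32.send frame up through the rxsj call sites that the post tests one by one, checks each frame by the encoded CALL length (return address minus call-site address; the last frame yields 2, matching the FFD0 CALL EAX at 007910DB), and applies the post's retn-N argument-count rule. SAMPLE_STACK is the post's own thread-000008B0 listing embedded as constructed input; the same frame walk is what an analyst does when tracing which code in a sample reaches a network API.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the thread-000008B0 call stack quoted in the post,
# in OllyDbg's column layout (Address / Stack / Procedure / Called from / Frame).
SAMPLE_STACK = """\
05C2FF00   0078F7A6   ws2_32.send                           rxsj.0078F7A0                 05C2FF24
05C2FF28   0078F90C   rxsj.0078F780                         rxsj.0078F907                 05C2FF24
05C2FF50   0078F191   rxsj.0078F7F0                         rxsj.0078F18C                 05C2FF4C
05C2FF5C   007910DD   包含rxsj.0078F191                       rxsj.007910DB                 05C2FF58
"""


@dataclass
class Frame:
    stack_addr: int    # stack slot holding the return address
    return_addr: int   # the return address itself (instruction after the CALL)
    procedure: str     # procedure OllyDbg attributes the frame to
    called_from: str   # "module.address" of the CALL instruction


def parse_call_stack(text: str) -> list[Frame]:
    """Split each row on runs of 2+ spaces; the trailing Frame column is optional."""
    frames = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) < 4 or not re.fullmatch(r"[0-9A-F]{8}", cols[0]):
            continue  # header, blank or annotation line
        frames.append(Frame(int(cols[0], 16), int(cols[1], 16), cols[2], cols[3]))
    return frames


def call_chain(frames: list[Frame], api: str, module: str) -> list[str]:
    """Call sites inside `module`, from the frame that entered `api` upward.
    Each is a candidate breakpoint; the post's rule is that the lowest ones
    (thin wrappers that break constantly) are usually not the real sender."""
    procs = [f.procedure for f in frames]
    if api not in procs:
        return []
    return [f.called_from for f in frames[procs.index(api):]
            if f.called_from.startswith(module + ".")]


def call_length(f: Frame) -> int:
    """Return address minus call-site address = encoded size of the CALL:
    6 for CALL DWORD PTR [iat], 5 for CALL rel32, 2 for CALL EAX (FF D0)."""
    return f.return_addr - int(f.called_from.split(".")[1], 16)


def stdcall_arg_count(retn_imm_hex: str) -> int:
    """`retn 0c` pops 0x0C = 12 bytes of arguments, i.e. three 4-byte parameters."""
    return int(retn_imm_hex, 16) // 4
```

A call length that is not a valid CALL encoding (2, 3, 5, 6 or 7 bytes) flags a frame OllyDbg guessed rather than resolved, which is worth knowing before trusting a candidate from the chain.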