|
|
发表于 2023-10-7 22:34:23
|
查看: 1912 |
回复: 0
学外挂推荐 郁金香老师:QQ 150330575
郁金香灬游戏外挂技术论坛 https://www.yjxsoft.com/
本教程视频1920*1080分辩率下观看最佳
欢迎大家与我一起交流游戏相关技术
本人小宇 QQ :790555885 逆向学习交流群 451261568
环境:win10 64位 xdbg调试器 CE
分析目标(知识点):
分析控件点击CALL
分析控件点击CALL参数
分析思路:
1 找到设置界面的某个开关按钮
2 在DEBUG中下一个写入断点
3 一直寻找上一层直到游戏运行起来(根据自己游戏的一个状态去判断)
4 在每层返回上去后观察是虚函数的位置标记
5 退回寻找合适的控件点击CALL
6 调用实现控件点击call
分析过程:
00007FF7618AB870 | 48:897C24 20 | mov qword ptr ss:[rsp+0x20],rdi |
00007FF7618AB875 | 41:56 | push r14 |
00007FF7618AB877 | 48:83EC 20 | sub rsp,0x20 |
00007FF7618AB87B | 48:8B3D B6F9A404 | mov rdi,qword ptr ds:[0x7FF7662FB238] |
00007FF7618AB882 | 4C:8BF1 | mov r14,rcx |
00007FF7618AB885 | 48:85FF | test rdi,rdi |
00007FF7618AB888 | 0F84 EA000000 | je b2.7FF7618AB978 |
00007FF7618AB88E | 48:897424 40 | mov qword ptr ss:[rsp+0x40],rsi |
00007FF7618AB893 | 48:8BB7 60050000 | mov rsi,qword ptr ds:[rdi+0x560] |
00007FF7618AB89A | 48:8BBF 68050000 | mov rdi,qword ptr ds:[rdi+0x568] |
00007FF7618AB8A1 | 48:85FF | test rdi,rdi |
00007FF7618AB8A4 | 74 03 | je b2.7FF7618AB8A9 |
00007FF7618AB8A6 | FF47 08 | inc dword ptr ds:[rdi+0x8] |
00007FF7618AB8A9 | 48:85F6 | test rsi,rsi |
00007FF7618AB8AC | 0F84 9A000000 | je b2.7FF7618AB94C |
00007FF7618AB8B2 | 48:896C24 38 | mov qword ptr ss:[rsp+0x38],rbp |
00007FF7618AB8B7 | 48:8B6E 40 | mov rbp,qword ptr ds:[rsi+0x40] |
00007FF7618AB8BB | 48:8B76 48 | mov rsi,qword ptr ds:[rsi+0x48] |
00007FF7618AB8BF | 48:85F6 | test rsi,rsi |
00007FF7618AB8C2 | 74 03 | je b2.7FF7618AB8C7 |
00007FF7618AB8C4 | FF46 08 | inc dword ptr ds:[rsi+0x8] |
00007FF7618AB8C7 | 48:85ED | test rbp,rbp |
00007FF7618AB8CA | 74 54 | je b2.7FF7618AB920 |
00007FF7618AB8CC | 48:8B12 | mov rdx,qword ptr ds:[rdx] | rdx:"(/"
00007FF7618AB8CF | 48:81C1 400B0000 | add rcx,0xB40 |
00007FF7618AB8D6 | 48:895C24 30 | mov qword ptr ss:[rsp+0x30],rbx |
00007FF7618AB8DB | E8 20F4FDFF | call b2.7FF76188AD00 |
00007FF7618AB8E0 | 3C 04 | cmp al,0x4 |
00007FF7618AB8E2 | 49:8D8E 980B0000 | lea rcx,qword ptr ds:[r14+0xB98] |
00007FF7618AB8E9 | 0F94C3 | sete bl |
00007FF7618AB8EC | 0FB6D3 | movzx edx,bl |
00007FF7618AB8EF | E8 4C090200 | call b2.7FF7618CC240 |
00007FF7618AB8F4 | 49:8D8E 800B0000 | lea rcx,qword ptr ds:[r14+0xB80] |
00007FF7618AB8FB | 0FB6D3 | movzx edx,bl |
00007FF7618AB8FE | E8 6D080200 | call b2.7FF7618CC170 |
00007FF7618AB903 | 838D 28090000 04 | or dword ptr ss:[rbp+0x928],0x4 |
00007FF7618AB90A | 0FB6C3 | movzx eax,bl |
00007FF7618AB90D | 48:8B5C24 30 | mov rbx,qword ptr ss:[rsp+0x30] |
00007FF7618AB912 | 8985 540B0000 | mov dword ptr ss:[rbp+0xB54],eax | 自动扫描 写入断下
00007FF7618AB918 | 41:C686 100B0000 01 | mov byte ptr ds:[r14+0xB10],0x1 |
00007FF7618AB920 | 48:8B6C24 38 | mov rbp,qword ptr ss:[rsp+0x38] |
00007FF7618AB925 | 48:85F6 | test rsi,rsi |
00007FF7618AB928 | 74 22 | je b2.7FF7618AB94C |
00007FF7618AB92A | 836E 08 01 | sub dword ptr ds:[rsi+0x8],0x1 |
00007FF7618AB92E | 75 1C | jne b2.7FF7618AB94C |
00007FF7618AB930 | 48:8B06 | mov rax,qword ptr ds:[rsi] |
00007FF7618AB933 | 48:8BCE | mov rcx,rsi |
00007FF7618AB936 | FF10 | call qword ptr ds:[rax] |
00007FF7618AB938 | 836E 0C 01 | sub dword ptr ds:[rsi+0xC],0x1 |
00007FF7618AB93C | 75 0E | jne b2.7FF7618AB94C |
00007FF7618AB93E | 48:8B06 | mov rax,qword ptr ds:[rsi] |
00007FF7618AB941 | BA 01000000 | mov edx,0x1 |
00007FF7618AB946 | 48:8BCE | mov rcx,rsi |
00007FF7618AB949 | FF50 08 | call qword ptr ds:[rax+0x8] |
00007FF7618AB94C | 48:8B7424 40 | mov rsi,qword ptr ss:[rsp+0x40] |
00007FF7618AB951 | 48:85FF | test rdi,rdi |
00007FF7618AB954 | 74 22 | je b2.7FF7618AB978 |
00007FF7618AB956 | 836F 08 01 | sub dword ptr ds:[rdi+0x8],0x1 |
00007FF7618AB95A | 75 1C | jne b2.7FF7618AB978 |
00007FF7618AB95C | 48:8B07 | mov rax,qword ptr ds:[rdi] |
00007FF7618AB95F | 48:8BCF | mov rcx,rdi |
00007FF7618AB962 | FF10 | call qword ptr ds:[rax] |
00007FF7618AB964 | 836F 0C 01 | sub dword ptr ds:[rdi+0xC],0x1 |
00007FF7618AB968 | 75 0E | jne b2.7FF7618AB978 |
00007FF7618AB96A | 48:8B07 | mov rax,qword ptr ds:[rdi] |
00007FF7618AB96D | BA 01000000 | mov edx,0x1 |
00007FF7618AB972 | 48:8BCF | mov rcx,rdi |
00007FF7618AB975 | FF50 08 | call qword ptr ds:[rax+0x8] |
00007FF7618AB978 | 48:8B7C24 48 | mov rdi,qword ptr ss:[rsp+0x48] |
00007FF7618AB97D | 48:83C4 20 | add rsp,0x20 |
00007FF7618AB981 | 41:5E | pop r14 |
00007FF7618AB983 | C3 | ret |
控件点击CALL
00007FF761B82370 | 48:83EC 28 | sub rsp,0x28 |
00007FF761B82374 | 48:8339 00 | cmp qword ptr ds:[rcx],0x0 |
00007FF761B82378 | 4C:8BC1 | mov r8,rcx |
00007FF761B8237B | 74 73 | je b2.7FF761B823F0 |
00007FF761B8237D | 48:895C24 20 | mov qword ptr ss:[rsp+0x20],rbx |
00007FF761B82382 | 48:8B59 08 | mov rbx,qword ptr ds:[rcx+0x8] |
00007FF761B82386 | 48:85DB | test rbx,rbx |
00007FF761B82389 | 74 60 | je b2.7FF761B823EB |
00007FF761B8238B | 8B43 08 | mov eax,dword ptr ds:[rbx+0x8] |
00007FF761B8238E | 85C0 | test eax,eax |
00007FF761B82390 | 7E 59 | jle b2.7FF761B823EB |
00007FF761B82392 | 75 04 | jne b2.7FF761B82398 |
00007FF761B82394 | 32C9 | xor cl,cl |
00007FF761B82396 | EB 07 | jmp b2.7FF761B8239F |
00007FF761B82398 | FFC0 | inc eax |
00007FF761B8239A | B1 01 | mov cl,0x1 |
00007FF761B8239C | 8943 08 | mov dword ptr ds:[rbx+0x8],eax |
00007FF761B8239F | 33C0 | xor eax,eax |
00007FF761B823A1 | 84C9 | test cl,cl |
00007FF761B823A3 | 48:0F44D8 | cmove rbx,rax |
00007FF761B823A7 | 48:85DB | test rbx,rbx |
00007FF761B823AA | 74 03 | je b2.7FF761B823AF |
00007FF761B823AC | 49:8B00 | mov rax,qword ptr ds:[r8] | 控件对象
00007FF761B823AF | 49:6348 18 | movsxd rcx,dword ptr ds:[r8+0x18] |
00007FF761B823B3 | 48:03C8 | add rcx,rax |
00007FF761B823B6 | 41:FF50 10 | call qword ptr ds:[r8+0x10] | 控件点击CALL
00007FF761B823BA | 48:85DB | test rbx,rbx |
00007FF761B823BD | 74 2C | je b2.7FF761B823EB |
00007FF761B823BF | 836B 08 01 | sub dword ptr ds:[rbx+0x8],0x1 |
00007FF761B823C3 | 75 26 | jne b2.7FF761B823EB |
00007FF761B823C5 | 48:8B03 | mov rax,qword ptr ds:[rbx] |
00007FF761B823C8 | 48:8BCB | mov rcx,rbx |
00007FF761B823CB | FF10 | call qword ptr ds:[rax] |
00007FF761B823CD | 836B 0C 01 | sub dword ptr ds:[rbx+0xC],0x1 |
00007FF761B823D1 | 75 18 | jne b2.7FF761B823EB |
00007FF761B823D3 | 48:8B03 | mov rax,qword ptr ds:[rbx] |
00007FF761B823D6 | BA 01000000 | mov edx,0x1 |
00007FF761B823DB | 48:8BCB | mov rcx,rbx |
00007FF761B823DE | 48:8B5C24 20 | mov rbx,qword ptr ss:[rsp+0x20] |
00007FF761B823E3 | 48:83C4 28 | add rsp,0x28 |
00007FF761B823E7 | 48:FF60 08 | jmp qword ptr ds:[rax+0x8] |
00007FF761B823EB | 48:8B5C24 20 | mov rbx,qword ptr ss:[rsp+0x20] |
00007FF761B823F0 | 48:83C4 28 | add rsp,0x28 |
00007FF761B823F4 | C3 | ret |
汇编测试
52 41 52 41 53 41 50 51 50 48 B8 00 00 7F B3 0B 04 00 00 80 38 01 75 18 48 33 C9 48 89 08 4C 8B 40 08 49 8B 00 49 63 48 18 48 03 C8 41 FF 50 10 58 59 41 58 41 5B 41 5A 5A E9 5B 57 20 FC
访问断下
B2.0+12EB912
52 41 52 41 53 41 50 51 50 48 B8 00 00 7F B3 0B 04 00 00 80 38 01 75 18 48 33 C9 48 89 08 4C 8B 40 08 49 8B 00 49 63 48 18 48 03 C8 41 FF 50 10 58 59 41 58 41 5B 41 5A 5A E9 5B 57 20 FC
汇编
00007FF7489DBF90
空白
0000040BB37F0000
HOOK
B2.0+6718CC
恢复
jmp 0x00007FF744BE1729
对象
00000817B66354D8
|
|
游戏安全课程 学员办理咨询联系QQ150330575 手机 139 9636 2600 免费课程 在 www.bilibili.com 搜 郁金香灬老师
|
|
