// Need more data / want to learn more? Contact QQ 150330575
#include"pch.h"
#include "TCALL.H"
#include <cstring>
/*
$-CB | 83 FF 01 | cmp edi,1 |
$-C8 | 75 0A | jne wowt.140CC4844 |
$-C6 | E8 A1 5A FE FF | call wowt.140CAA2E0 |
$-C1 | E9 05 01 00 00 | jmp wowt.140CC4949 |
$-BC | E8 77 5E FE FF | call wowt.140CAA6C0 |
$-B7 | E9 FB 00 00 00 | jmp wowt.140CC4949 |
$-B2 | 8B 8B 70 03 00 00 | mov ecx,dword ptr ds:[rbx+370] |
$-AC | 85 C9 | test ecx,ecx |
$-AA | 0F 84 AB 00 00 00 | je wowt.140CC4907 |
$-A4 | 83 E9 01 | sub ecx,1 |
$-A1 | 74 2D | je wowt.140CC488E |
$-9F | 83 E9 01 | sub ecx,1 |
$-9C | 74 0C | je wowt.140CC4872 |
$-9A | 83 F9 01 | cmp ecx,1 |
$-97 | 74 23 | je wowt.140CC488E |
$-95 | 33 C0 | xor eax,eax |
$-93 | E9 D7 00 00 00 | jmp wowt.140CC4949 |
$-8E | 0F 10 83 78 03 00 00 | movups xmm0,xmmword ptr ds:[rbx+378] |
$-87 | 48 8D 4D A0 | lea rcx,qword ptr ss:[rbp-60] |
$-83 | 89 7D B0 | mov dword ptr ss:[rbp-50],edi |
$-80 | 0F 11 45 A0 | movups xmmword ptr ss:[rbp-60],xmm0 |
$-7C | E8 67 98 FD FF | call wowt.140C9E0F0 |
$-77 | E9 BB 00 00 00 | jmp wowt.140CC4949 |
$-72 | E8 0D 42 9D FF | call wowt.140698AA0 |
$-6D | 84 C0 | test al,al |
$-6B | 74 1B | je wowt.140CC48B2 |
$-69 | E8 64 D3 9B FF | call wowt.140681C00 |
$-64 | 84 C0 | test al,al |
$-62 | 74 12 | je wowt.140CC48B2 |
$-60 | 48 8D 93 78 03 00 00 | lea rdx,qword ptr ds:[rbx+378] |
$-59 | 45 33 C0 | xor r8d,r8d | arg3
$-56 | 48 8B CB | mov rcx,rbx |
$-53 | E8 4E 81 FF FF | call wowt.140CBCA00 |
$-4E | 48 8B 83 80 03 00 00 | mov rax,qword ptr ds:[rbx+380] |
$-47 | 48 C1 E8 3A | shr rax,3A |
$-43 | 3C 06 | cmp al,6 |
$-41 | 75 0D | jne wowt.140CC48CE |
$-3F | 0F 10 83 78 03 00 00 | movups xmm0,xmmword ptr ds:[rbx+378] |
$-38 | 0F 11 45 A0 | movups xmmword ptr ss:[rbp-60],xmm0 |
$-34 | EB 0A | jmp wowt.140CC48D8 |
$-32 | 33 C0 | xor eax,eax |
$-30 | 48 89 45 A0 | mov qword ptr ss:[rbp-60],rax |
$-2C | 48 89 45 A8 | mov qword ptr ss:[rbp-58],rax |
$-28 | F2 0F 10 8B 88 03 00 00 | movsd xmm1,qword ptr ds:[rbx+388] |
$-20 | 48 8D 45 A0 | lea rax,qword ptr ss:[rbp-60] |
$-1C | 0F 10 00 | movups xmm0,xmmword ptr ds:[rax] |
$-19 | 8B 83 90 03 00 00 | mov eax,dword ptr ds:[rbx+390] |
$-13 | 48 8D 4D B8 | lea rcx,qword ptr ss:[rbp-48] |
$-F | F2 0F 11 4D C8 | movsd qword ptr ss:[rbp-38],xmm1 | r9=000007FFFFFD7000 // r9 does not appear to be a real parameter
$-A | 0F 11 45 B8 | movups xmmword ptr ss:[rbp-48],xmm0 | r8d=0
$-6 | 89 45 D0 | mov dword ptr ss:[rbp-30],eax | edx=0x400
$-3 | 89 7D D4 | mov dword ptr ss:[rbp-2C],edi | rcx=<0,0,0,0,x,y,z,0,0>
$ ==> | E8 5B 99 FD FF | call <wowt.CALL_MOVE_ROLE> | skill targeting and character movement go through the same CALL
$+5 | EB 42 | jmp wowt.140CC4949 |
$+7 | E8 94 41 9D FF | call wowt.140698AA0 |
$+C | 84 C0 | test al,al |
$+E | 0F 84 9F 00 00 00 | je wowt.140CC49B3 |
$+14 | E8 E7 D2 9B FF | call wowt.140681C00 |
$+19 | 84 C0 | test al,al |
$+1B | 0F 84 92 00 00 00 | je wowt.140CC49B3 |
$+21 | 41 B0 01 | mov r8b,1 |
$+24 | 48 89 B4 24 90 00 00 00 | mov qword ptr ss:[rsp+90],rsi |
$+2C | 48 8D 93 78 03 00 00 | lea rdx,qword ptr ds:[rbx+378] |
$+33 | 48 8B CB | mov rcx,rbx |
$+36 | E8 C5 80 FF FF | call wowt.140CBCA00 |
$+3B | 84 C0 | test al,al |
$+3D | 75 1F | jne wowt.140CC495E |
$+3F | 33 C0 | xor eax,eax |
$+41 | 48 8B B4 24 90 00 00 00 | mov rsi,qword ptr ss:[rsp+90] |
$+49 | 4C 8D 9C 24 80 00 00 00 | lea r11,qword ptr ss:[rsp+80] |
$+51 | 49 8B 5B 18 | mov rbx,qword ptr ds:[r11+18] |
$+55 | 49 8B 7B 28 | mov rdi,qword ptr ds:[r11+28] |
$+59 | 49 8B E3 | mov rsp,r11 |
$+5C | 5D | pop rbp |
$+5D | C3 | ret |
// Analysis suggests this function takes a single argument, passed in RCX
$ ==> | 40 53 | push rbx | CALL_MOVE_ROLE
$+2 | 48 81 EC 90 00 00 00 | sub rsp,90 | CALL_MOVE_ROLE
$+9 | 8B 41 1C | mov eax,dword ptr ds:[rcx+1C] |
$+C | 48 8B D9 | mov rbx,rcx |
$+F | 83 F8 04 | cmp eax,4 | 4 = move?
$+12 | 74 09 | je <wowt.CALL_MOVE_ROLE_1D> |
$+14 | 83 3D 8D AE AB 01 00 | cmp dword ptr ds:[142BA9108],0 |
$+1B | 74 0F | je <wowt.CALL_MOVE_ROLE_2C> |
$+1D | BA 01 00 00 00 | mov edx,1 | only the rcx argument, apparently?
$+22 | 8B CA | mov ecx,edx | 0x400 is the skill-targeting value
$+24 | E8 17 76 FF FF | call wowt.1410E58A0 |
$+29 | 8B 43 1C | mov eax,dword ptr ds:[rbx+1C] |
$+2C | 83 F8 01 | cmp eax,1 | 1 = targeting?
$+2F | 75 10 | jne <wowt.CALL_MOVE_ROLE_41> |
$+31 | 48 8B CB | mov rcx,rbx |
$+34 | E8 C7 46 9F FF | call wowt.140AE2960 |
$+39 | 84 C0 | test al,al |
$+3B | 0F 85 96 01 00 00 | jne <wowt.CALL_MOVE_ROLE_1D7> |
$+41 | 83 7B 1C 01 | cmp dword ptr ds:[rbx+1C],1 |
$+45 | 0F 85 8A 00 00 00 | jne <wowt.CALL_MOVE_ROLE_D5> |
$+4B | 48 8B CB | mov rcx,rbx |
$+4E | E8 9D EF 2F 00 | call wowt.1413ED250 |
$+53 | 84 C0 | test al,al |
$+55 | 0F 85 7C 01 00 00 | jne <wowt.CALL_MOVE_ROLE_1D7> |
$+5B | 83 7B 1C 01 | cmp dword ptr ds:[rbx+1C],1 |
$+5F | 75 74 | jne <wowt.CALL_MOVE_ROLE_D5> |
$+61 | 48 8B 05 08 AE AB 01 | mov rax,qword ptr ds:[142BA90D0] |
$+68 | 48 C1 E8 3A | shr rax,3A |
$+6C | 84 C0 | test al,al |
$+6E | 74 22 | je <wowt.CALL_MOVE_ROLE_92> |
$+70 | 48 8B 05 09 AE AB 01 | mov rax,qword ptr ds:[142BA90E0] |
$+77 | 48 C1 E8 3A | shr rax,3A |
$+7B | 84 C0 | test al,al |
$+7D | 74 13 | je <wowt.CALL_MOVE_ROLE_92> |
$+7F | E8 9C 9C FF FF | call wowt.1410E7F80 |
$+84 | B8 01 00 00 00 | mov eax,1 |
$+89 | 48 81 C4 90 00 00 00 | add rsp,90 |
$+90 | 5B | pop rbx |
$+91 | C3 | ret |
$+92 | 48 8B 05 FF A6 AB 01 | mov rax,qword ptr ds:[142BA89F8] |
$+99 | 83 78 5C 00 | cmp dword ptr ds:[rax+5C],0 |
$+9D | 0F 84 34 01 00 00 | je <wowt.CALL_MOVE_ROLE_1D7> |
$+A3 | 48 8B 0D A6 A7 7E 01 | mov rcx,qword ptr ds:[1428D8AB0] |
$+AA | 33 D2 | xor edx,edx |
$+AC | 45 33 C9 | xor r9d,r9d |
$+AF | 41 B0 01 | mov r8b,1 |
$+B2 | 48 8B 01 | mov rax,qword ptr ds:[rcx] |
$+B5 | 48 89 54 24 30 | mov qword ptr ss:[rsp+30],rdx |
$+BA | 48 89 54 24 38 | mov qword ptr ss:[rsp+38],rdx |
$+BF | 48 8D 54 24 30 | lea rdx,qword ptr ss:[rsp+30] |
$+C4 | FF 50 28 | call qword ptr ds:[rax+28] |
$+C7 | B8 01 00 00 00 | mov eax,1 |
$+CC | 48 81 C4 90 00 00 00 | add rsp,90 |
$+D3 | 5B | pop rbx |
$+D4 | C3 | ret |
$+D5 | 48 89 BC 24 A0 00 00 00 | mov qword ptr ss:[rsp+A0],rdi |
$+DD | E8 0E DC BA FF | call wowt.140C9BF50 |
$+E2 | 48 8B F8 | mov rdi,rax |
$+E5 | 48 85 C0 | test rax,rax |
$+E8 | 0F 84 E1 00 00 00 | je <wowt.CALL_MOVE_ROLE_1CF> |
$+EE | 8B 4B 18 | mov ecx,dword ptr ds:[rbx+18] |
$+F1 | F2 0F 10 43 10 | movsd xmm0,qword ptr ds:[rbx+10] |
$+F6 | 89 4C 24 28 | mov dword ptr ss:[rsp+28],ecx |
$+FA | 48 8B 4B 08 | mov rcx,qword ptr ds:[rbx+8] |
$+FE | 48 C1 E9 3A | shr rcx,3A |
$+102 | F2 0F 11 44 24 20 | movsd qword ptr ss:[rsp+20],xmm0 |
$+108 | 84 C9 | test cl,cl |
$+10A | 0F 84 9C 00 00 00 | je <wowt.CALL_MOVE_ROLE_1AC> |
$+110 | 41 B9 FD 3B 00 00 | mov r9d,3BFD | 3BFD is the key signature // the byte pattern 41 B9 FD 3B 00 00 is reportedly unique (scan anchor for locating this function)
$+116 | 4C 8D 05 E3 41 1D 01 | lea r8,qword ptr ds:[1422C2560] |
1422C2560:"D:\\BuildServer\\WoW\\7\\work\\shared-checkout\\branches\\wow-patch-9_0_1-branch-fastpatch-27\\Mainline\\Source\\Ui\\GameUI.cpp"
$+11D | BA 01 00 00 00 | mov edx,1 |
$+122 | 48 8B CB | mov rcx,rbx |
$+125 | E8 16 66 E1 FF | call wowt.140F049A0 |
$+12A | 48 85 C0 | test rax,rax |
$+12D | 0F 84 9C 00 00 00 | je <wowt.CALL_MOVE_ROLE_1CF> |
$+133 | 48 8B 08 | mov rcx,qword ptr ds:[rax] |
$+136 | 48 8D 54 24 50 | lea rdx,qword ptr ss:[rsp+50] |
$+13B | 4C 8B 81 D8 02 00 00 | mov r8,qword ptr ds:[rcx+2D8] |
$+142 | 48 8B C8 | mov rcx,rax |
$+145 | 41 FF D0 | call r8 |
$+148 | F3 0F 10 5B 14 | movss xmm3,dword ptr ds:[rbx+14] |
$+14D | 48 8D 54 24 40 | lea rdx,qword ptr ss:[rsp+40] |
$+152 | F3 0F 10 4B 10 | movss xmm1,dword ptr ds:[rbx+10] |
$+157 | 48 8D 4C 24 30 | lea rcx,qword ptr ss:[rsp+30] |
$+15C | F3 0F 10 53 18 | movss xmm2,dword ptr ds:[rbx+18] |
$+161 | 0F 10 40 10 | movups xmm0,xmmword ptr ds:[rax+10] |
$+165 | 0F C6 DB 00 | shufps xmm3,xmm3,0 |
$+169 | 0F 59 D8 | mulps xmm3,xmm0 |
$+16C | 0F 10 00 | movups xmm0,xmmword ptr ds:[rax] |
$+16F | 0F C6 C9 00 | shufps xmm1,xmm1,0 |
$+173 | 0F 59 C8 | mulps xmm1,xmm0 |
$+176 | 0F 10 40 20 | movups xmm0,xmmword ptr ds:[rax+20] |
$+17A | 0F C6 D2 00 | shufps xmm2,xmm2,0 |
$+17E | 0F 58 D9 | addps xmm3,xmm1 |
$+181 | 0F 59 D0 | mulps xmm2,xmm0 |
$+184 | 0F 10 48 30 | movups xmm1,xmmword ptr ds:[rax+30] |
$+188 | 0F 58 D1 | addps xmm2,xmm1 |
$+18B | 0F 58 DA | addps xmm3,xmm2 |
$+18E | 0F 11 5C 24 40 | movups xmmword ptr ss:[rsp+40],xmm3 |
$+193 | E8 08 CF FC FF | call wowt.1410BB300 |
$+198 | F2 0F 10 44 24 30 | movsd xmm0,qword ptr ss:[rsp+30] |
$+19E | 8B 44 24 38 | mov eax,dword ptr ss:[rsp+38] |
$+1A2 | F2 0F 11 44 24 20 | movsd qword ptr ss:[rsp+20],xmm0 |
$+1A8 | 89 44 24 28 | mov dword ptr ss:[rsp+28],eax |
$+1AC | 48 8B 8F F8 05 00 00 | mov rcx,qword ptr ds:[rdi+5F8] |
$+1B3 | 4C 8D 44 24 20 | lea r8,qword ptr ss:[rsp+20] |
$+1B8 | 48 8D 54 24 30 | lea rdx,qword ptr ss:[rsp+30] |
$+1BD | E8 BE 09 AB FF | call wowt.140B9EDE0 |
$+1C2 | 48 8D 54 24 30 | lea rdx,qword ptr ss:[rsp+30] |
$+1C7 | 48 8B CF | mov rcx,rdi |
$+1CA | E8 31 4D BD FF | call wowt.140CC3160 |
$+1CF | 48 8B BC 24 A0 00 00 00 | mov rdi,qword ptr ss:[rsp+A0] |
$+1D7 | B8 01 00 00 00 | mov eax,1 | CALL_MOVE_ROLE_1D7
$+1DC | 48 81 C4 90 00 00 00 | add rsp,90 |
$+1E3 | 5B | pop rbx |
$+1E4 | C3 | ret |
// Normal move: dword[rcx+1C] = <1 targeting, 4 move>?
$ ==> 00000000 00000000 00000000 00000000
$+10 C603BECA 43BE8DA2 4307B5A4 00000004
$+20 4048C106 00000001 429E5D10 00000001
$ ==> 00000000 00000000 00000000 00000000
$+10 C603C609 43B8F668 4307599C 00000004
$+20 CCCCCCCC CCCCCCCC CCCCCCCC CCCCCCCC
$+30 CCCCCCCC CCCCCCCC CCCCCCCC CCCCCCCC
// targeting
$ ==> 0 0 0 0
$+10 -8430.54 394.473 135.71 (int)1
$+20 3.13678 <facing/heading?> (int)1 79.1818 (int)1
// targeting
$ ==> 00000000 00000000 00000000 00000000
$+10 C603BA27 43C53C95 4307B5A4 00000001
$+20 4048C106 00000001 429E5D10 00000001
$+30 0000001E 00000000 0018EB90 00000000
$ ==> 00000000 00000000 00000000 00000000
$+10 C603E6AD 43BC3AC3 4307B3FC 00000001
$+20 CCCCCCCC CCCCCCCC CCCCCCCC CCCCCCCC
$+30 CCCCCCCC CCCCCCCC CCCCCCCC CCCCCCCC
// targeting
$ ==> 0000000000000000
$+8 0000000000000000
$+10 43C53C95C603BA27
$+18 000000014307B5A4 wowt.000000014307B5A4
$+20 000000014048C106 return to wowt.000000014048C106 from ???
$+28 00000001429E5D10 wowt.00000001429E5D10
$+30 000000000000001E
$+38 000000000018EB90 &"STICKYCAMERA"
$+40 000000000018EB90 &"STICKYCAMERA"
$+48 000000000018ED19
$+50 00000001415CB47F return to wowt.00000001415CB47F from wowt.0000000141114720
$+58 0000000000000000
*/
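#pragma pack(4)
// Argument block passed in RCX to CALL_MOVE_ROLE (see the disassembly above).
// The callee addresses it by raw offset: it tests the top 6 bits of the qword at
// +0x08, reads the floats at +0x10/+0x14/+0x18 as the position and compares the
// dword at +0x1C against 4 and 1. The fields past 0x1C are not read directly by
// the visible callee code (the block is handed on to other routines, so they are
// kept to match the memory dumps above).
typedef struct TRCX移动指向
{
	UINT32 f1[4];            // +0x00: both callers leave this zero; callee branches on the top 6 bits of the qword at +0x08
	float x;                 // +0x10
	float y;                 // +0x14
	float z;                 // +0x18
	UINT32 iMoveType_0x1C;   // +0x1C: 1 = skill targeting, 4 = move (callee compares against 4 and then 1)
	float f_0x20;            // +0x20: observed 3.13678f (0x4048C106) in the dumps -- possibly facing, not confirmed
	UINT32 n_0x24;           // +0x24: observed 1
	float f_0x28;            // +0x28: observed 79.1818f
	UINT32 n_0x2c;           // +0x2C: observed 1
	UINT32 f_0x30;           // +0x30: observed 0x1E in the targeting dumps; type unknown, kept as UINT32 despite the f_ prefix
}TRCX移动指向;
// Any padding or field change would silently shift x/y/z and the mode under the
// callee's fixed offsets, so lock the size at compile time.
static_assert(sizeof(TRCX移动指向) == 0x34, "TRCX移动指向 must be 0x34 bytes: CALL_MOVE_ROLE reads it by fixed offsets");
#pragma pack()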
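UINT_PTR TCALL::movePlayer(UINT64 x,UINT64 y,UINT64 z)
{
	// Moves the character to (x, y, z) through CALL_MOVE_ROLE with mode 4.
	// Each coordinate arrives as the raw 32-bit float bit pattern in the low half
	// of a UINT64 (the debug log below prints both views), so the bits are copied
	// rather than converted.
	// Returns RAX of the native call, or 0 without calling when the offset is unresolved.
	const UINT_PTR offset = GetWowBaseInfo()->CALL_MOVE_ROLE;
	if (offset == 0)
	{
		// A zero offset would make this a call into the module header; refuse instead of faulting inside the game.
		return 0;
	}
	UINT_PTR pcall = GetExeBase() + offset;

	TRCX移动指向 xyz = { 0 };
	// memcpy instead of *(float*)&x: identical bytes on little-endian x64, without the strict-aliasing violation.
	memcpy(&xyz.x, &x, sizeof(xyz.x));
	memcpy(&xyz.y, &y, sizeof(xyz.y));
	memcpy(&xyz.z, &z, sizeof(xyz.z));
	xyz.iMoveType_0x1C = 4; // 4 = move, 1 = skill targeting (callee compares [rcx+1C] against these)
#ifdef DEBUG123
	// Note: guarded by DEBUG123, not DEBUG, so this log is off even in debug builds unless that macro is defined.
	gdbg.printFileA("c:\\movePlayer.log", "TCALL::movePlayer((%f,%f,%f)<%llx,%llx,%llx> \r\n(%s,%u)\r\n", xyz.x, xyz.y, xyz.z, x, y, z, __FILE__, __LINE__);
#endif // DEBUG
	// The callee consumes only RCX (the argument block); the remaining slots are passed as zero.
	LRESULT ret64 = call3_x64(pcall, (UINT_PTR)&xyz, 0, 0);
	return ret64;
}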
// Area (ground-targeted) skill: second step
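UINT64 TCALL::技能指向(float x, float y, float z)
{
	// Points a pending ground-targeted skill at (x, y, z). Uses the same native
	// routine as movePlayer, with mode 1 in [rcx+1C] instead of 4; per the
	// disassembly above the callee takes only RCX.
	// Returns RAX of the native call. Every visible return path in the callee
	// sets EAX to 1, so 0 here means the call was skipped or faulted.
	typedef UINT64 (*TPCALL)(UINT64, UINT64, UINT64);

	const UINT64 offset = GetWowBaseInfo()->CALL_MOVE_ROLE;
	if (offset == 0)
	{
		// Unresolved offset: calling the module base would fault inside the game; bail out.
		return 0;
	}
	TPCALL movCall = (TPCALL)(GetExeBase() + offset);

	TRCX移动指向 xyz = { 0 };
	xyz.x = x;
	xyz.y = y;
	xyz.z = z;
	xyz.iMoveType_0x1C = 1; // 1 = skill targeting, 4 = move

	UINT64 nRax = 0;
	__try
	{
		// Extra argument slots are passed as zero so RDX/R8 never carry stale values into the callee.
		nRax = movCall((UINT64)&xyz, 0, 0);
	}
	__except (EXCEPTION_EXECUTE_HANDLER)
	{
		// A fault inside the game function (typically a stale CALL_MOVE_ROLE offset
		// after a client patch) is swallowed on purpose so the injected code does
		// not take the game process down; the 0 result is the caller's only signal.
		nRax = 0;
#ifdef DEBUG
		gdbg.printBoxA("TCALL_MOVePlayer.cpp %u exception 0x%08X\r\n", __LINE__, GetExceptionCode());
#endif // DEBUG
	}
	return nRax;
}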
|