王权与自由 喊话CALL 特征码
0F????F8110000E8????????48??????3848????74
0F????F8110000E8 28639FFF48?????? 38 48???? 74 29
$-40 0 | 83F8 01 | cmp eax,1 |
$-3D 0 | 75 22 | jne tl.7FF7CBA00FAA |
$-3B 0 | 48:8B07 | mov rax,qword ptr ds: |
$-38 0 | 48:8BCF | mov rcx,rdi |
$-35 0 | FF10 | call qword ptr ds: |
$-33 0 | 8BC3 | mov eax,ebx |
$-31 0 | F0:0FC147 0C | lock xadd dword ptr ds:,eax |
$-2C 0 | 83F8 01 | cmp eax,1 |
$-29 0 | 75 0E | jne tl.7FF7CBA00FAA |
$-27 0 | 48:8B07 | mov rax,qword ptr ds: |
$-24 0 | BA 01000000 | mov edx,1 |
$-1F 0 | 48:8BCF | mov rcx,rdi |
$-1C 0 | FF50 08 | call qword ptr ds: |
$-19 0 | 48:8B86 D8110000 | mov rax,qword ptr ds: |
$-12 0 | 4C:8D4C24 30 | lea r9,qword ptr ss: |
$-D 0 | 4D:8BC6 | mov r8,r14 | r8=&L"abbbbbbbb123" 喊话内容
$-A 0 | 49:8BCF | mov rcx,r15 | TLChatMessageManagerN 控件对象
$-7 0 | 0FB690 F8110000 | movzx edx,byte ptr ds: |6-耳语0-通用 7-世界 //
$ ==> 0 | E8 28639FFF | call tl.7FF7CB3F72F0 | 聊天CALL
$+5 0 | 48:8B7C24 38 | mov rdi,qword ptr ss: |
$+A 0 | 48:85FF | test rdi,rdi |
$+D 0 | 74 29 | je tl.7FF7CBA00FFB |
$+F 0 | 8BC3 | mov eax,ebx |
$+11 0 | F0:0FC147 08 | lock xadd dword ptr ds:,eax |
$+16 0 | 83F8 01 | cmp eax,1 |
聊天喊话CALL 返回多层后 就是按键CALL
$-5B 00 | 49:C1FF 10 | sar r15,10 |
$-57 00 | BA 03000000 | mov edx,3 |
$-52 00 | 41:0FB6CF | movzx ecx,r15b |
$-4E 00 | FF15 0FD88202 | call qword ptr ds:[<&JMP.&MapVirtualKeyW>] |
$-48 00 | 44:8BF0 | mov r14d,eax |
$-45 00 | 3D A0000000 | cmp eax,A0 |
$-40 00 | 75 11 | jne tl.7FF6BC7C9A7C |
$-3E 00 | 44:0FB6A6 01010000 | movzx r12d,byte ptr ds: |
$-36 00 | C686 01010000 01 | mov byte ptr ds:,1 |
$-2F 00 | EB 0F | jmp tl.7FF6BC7C9A8B |
$-2D 00 | 44:0FB6A6 02010000 | movzx r12d,byte ptr ds: |
$-25 00 | C686 02010000 01 | mov byte ptr ds:,1 |
$-1E 00 | BA 02000000 | mov edx,2 |
$-19 00 | 8BCF | mov ecx,edi |
$-17 00 | FF15 D8D78202 | call qword ptr ds:[<&JMP.&MapVirtualKeyW>] |
$-11 00 | 48:8B4E 18 | mov rcx,qword ptr ds: |
$-D 00 | 45:0FB6CC | movzx r9d,r12b | 0
$-9 00 | 44:8BC0 | mov r8d,eax | 41
$-6 00 | 41:8BD6 | mov edx,r14d | 41
$-3 00 | 4C:8B11 | mov r10,qword ptr ds: |
$ ==> 00 | 41:FF52 18 | call qword ptr ds: |
$+4 00 | 84C0 | test al,al | 按键
$+6 00 | 0F85 98010000 | jne tl.7FF6BC7C9C4D |
$+C 00 | 41:81FD 04010000 | cmp r13d,104 |
$+13 00 | 0F84 44090000 | je tl.7FF6BC7CA406 |
$+19 00 | 45:33F6 | xor r14d,r14d |
$+1C 00 | E9 40070000 | jmp tl.7FF6BC7CA20A |
$+21 00 | 8BCF | mov ecx,edi |
$+23 00 | 44:8BF7 | mov r14d,edi |
$+26 00 | 83E9 10 | sub ecx,10 |
页:
[1]