找CALL找基址 失落方舟 深入分析明文组包数据B
论坛网址 www.yjxsoft.com
郁金香老师:QQ-150330575
VIP群 153338418
QQ交流群 909233189569245158280115
外挂技术及游戏安全研究
本教程视频1920*1080分辩率下观看最佳
VS2017+win10 64位 环境
郁金香老师:Q扣 150330575
欢迎大家参加 郁金香灬技术 游戏安全与外挂的研究学习。
兴趣是我们最好的老师
成长需要过程与循序渐进
兴趣+坚持+时间+优秀的课教程会帮助你快速成功
需要准备工具 CrazyDbg调试器和配套的CE和xdbg
免责申明:
本课程仅供个人学习和研究软件内含的设计思想和原理,不得用于非法用途.
参考
高级班
041-分析明文组包功能代码
学习目标:
深入分析明文组包数据
明文包CALL
重要的事说三遍:
组包功能是最核心,最重要的知识点
组包功能是最核心,最重要的知识点
组包功能是最核心,最重要的知识点
包类型
包内容
包大小
Warning! Unknown Packet Id
$-323 | 8B 94 98 90 3C 31 01 | mov edx,dword ptr ds: |
$-31C | 48 03 D0 | add rdx,rax |
$-319 | FF E2 | jmp rdx |
$-317 | 33 FF | xor edi,edi |
$-315 | 48 89 BD 68 51 00 00 | mov qword ptr ss:,rdi |
$-30E | 48 89 BD 70 51 00 00 | mov qword ptr ss:,rdi |
$-307 | 48 8D 05 9F 53 3F 02 | lea rax,qword ptr ds:[<lostark.0+3707c50 |
$-300 | 48 89 85 60 51 00 00 | mov qword ptr ss:,rax | vftable
$-2F9 | 66 89 BD 79 51 00 00 | mov word ptr ss:,di |
$-2F2 | 48 8D 8D 70 53 00 00 | lea rcx,qword ptr ss: |
$-2EB | E8 E5 8C C4 FF | call lostark.7FF7413DB5B0 |
$-2E6 | 48 83 8D 70 51 00 00 0F | or qword ptr ss:,F |
$-2DE | 48 8B 44 24 48 | mov rax,qword ptr ss: | :&L"3333 3"
$-2D9 | 39 78 08 | cmp dword ptr ds:,edi |
$-2D6 | 74 05 | je lostark.7FF7417928E2 |
$-2D4 | 48 8B 00 | mov rax,qword ptr ds: |
$-2D1 | EB 07 | jmp lostark.7FF7417928E9 |
$-2CF | 48 8D 05 1F B7 06 02 | lea rax,qword ptr ds: |
$-2C8 | 4C 8D 05 18 B7 06 02 | lea r8,qword ptr ds: |
$-2C1 | 48 85 C0 | test rax,rax |
$-2BE | 4C 0F 45 C0 | cmovne r8,rax |
$-2BA | 4D 8B CF | mov r9,r15 |
$-2B7 | BA FB 00 00 00 | mov edx,FB |
$-2B2 | 48 8D 8D 79 51 00 00 | lea rcx,qword ptr ss: |
$-2AB | FF 15 EC 31 04 02 | call qword ptr ds:[<&wcsncpy_s>] |
$-2A5 | 48 8B 8D 70 51 00 00 | mov rcx,qword ptr ss: |
$-29E | 48 83 E1 FD | and rcx,FFFFFFFFFFFFFFFD |
$-29A | 88 9D 78 51 00 00 | mov byte ptr ss:,bl |
$-294 | 48 83 E1 FE | and rcx,FFFFFFFFFFFFFFFE |
$-290 | 83 3D C8 0D 4B 03 00 | cmp dword ptr ds:,0 |
$-289 | 0F 95 85 E0 77 00 00 | setne byte ptr ss: |
$-282 | 48 83 E1 F3 | and rcx,FFFFFFFFFFFFFFF3 |
$-27E | 48 89 8D 70 51 00 00 | mov qword ptr ss:,rcx |
$-277 | 4D 85 E4 | test r12,r12 |
$-274 | 0F 84 B0 01 00 00 | je lostark.7FF741792AF3 |
$-26E | 48 83 E1 FB | and rcx,FFFFFFFFFFFFFFFB |
$-26A | 66 89 B5 D6 54 00 00 | mov word ptr ss:,si |
$-263 | 48 83 E1 FB | and rcx,FFFFFFFFFFFFFFFB |
$-25F | 48 89 8D 70 51 00 00 | mov qword ptr ss:,rcx |
$-258 | 44 88 B5 FE 76 00 00 | mov byte ptr ss:,r14b |
$-251 | BA 05 00 00 00 | mov edx,5 |
$-24C | 41 39 54 24 08 | cmp dword ptr ds:,edx |
$-247 | 41 0F 4E 54 24 08 | cmovle edx,dword ptr ds: |
$-241 | 8B F7 | mov esi,edi |
$-23F | 4C 63 F2 | movsxd r14,edx |
$-23C | 85 D2 | test edx,edx |
$-23A | 0F 8E 76 01 00 00 | jle lostark.7FF741792AF3 |
$-234 | 0F 1F 00 | nop dword ptr ds: |
$-231 | 49 8B 1C 24 | mov rbx,qword ptr ds: |
$-22D | 83 3C 3B 00 | cmp dword ptr ds:,0 |
$-229 | 75 6D | jne lostark.7FF7417929F7 |
$-227 | 48 83 E1 FB | and rcx,FFFFFFFFFFFFFFFB |
$-223 | 48 89 8D 70 51 00 00 | mov qword ptr ss:,rcx |
$-21C | 0F BF 95 EC 54 00 00 | movsx edx,word ptr ss: |
$-215 | 8B CA | mov ecx,edx |
$-213 | 8D 42 01 | lea eax,dword ptr ds: |
$-210 | 83 F8 05 | cmp eax,5 |
$-20D | 7F 1F | jg lostark.7FF7417929C5 |
$-20B | 48 0F BF C2 | movsx rax,dx |
$-207 | 48 69 C8 D0 06 00 00 | imul rcx,rax,6D0 |
$-200 | 48 8D 8C 0D EE 54 00 00 | lea rcx,qword ptr ss: |
$-1F8 | 66 FF C2 | inc dx |
$-1F5 | 66 89 95 EC 54 00 00 | mov word ptr ss:,dx |
$-1EE | EB 17 | jmp lostark.7FF7417929DC |
$-1EC | 8D 41 FF | lea eax,dword ptr ds: |
$-1E9 | 48 63 C8 | movsxd rcx,eax |
$-1E6 | 48 69 C1 D0 06 00 00 | imul rax,rcx,6D0 |
$-1DF | 48 8D 8D EE 54 00 00 | lea rcx,qword ptr ss: |
$-1D8 | 48 03 C8 | add rcx,rax |
$-1D5 | 48 63 C6 | movsxd rax,esi |
$-1D2 | 48 69 D0 40 07 00 00 | imul rdx,rax,740 |
$-1CB | 48 83 C2 04 | add rdx,4 |
$-1C7 | 48 03 D3 | add rdx,rbx |
$-1C4 | E8 7E F3 7F FF | call lostark.7FF740F91D70 |
$-1BF | E9 E1 00 00 00 | jmp lostark.7FF741792AD8 |
$-1BA | 83 3C 3B 01 | cmp dword ptr ds:,1 |
$-1B6 | 75 38 | jne lostark.7FF741792A35 |
$-1B4 | 48 83 E1 FB | and rcx,FFFFFFFFFFFFFFFB |
$-1B0 | 48 89 8D 70 51 00 00 | mov qword ptr ss:,rcx |
$-1A9 | 48 8D 8D 70 53 00 00 | lea rcx,qword ptr ss: |
$-1A2 | E8 0C B9 FC FF | call lostark.7FF74175E320 |
$-19D | 48 63 CE | movsxd rcx,esi |
$-19A | 48 69 D1 40 07 00 00 | imul rdx,rcx,740 |
$-193 | 48 81 C2 D4 06 00 00 | add rdx,6D4 |
$-18C | 48 03 D3 | add rdx,rbx |
$-189 | 48 8B C8 | mov rcx,rax |
$-186 | E8 A0 48 FC FF | call lostark.7FF7417572D0 |
$-181 | E9 A3 00 00 00 | jmp lostark.7FF741792AD8 |
$-17C | 83 3C 3B 02 | cmp dword ptr ds:,2 |
$-
$-21 | 48 8D 88 8C 00 00 00 | lea rcx,qword ptr ds: |
$-1A | 48 8B 01 | mov rax,qword ptr ds: |
$-17 | FF 50 08 | call qword ptr ds: |
$-14 | 48 8B 0D 04 10 48 03 | mov rcx,qword ptr ds: |
$-D | 45 33 C9 | xor r9d,r9d |
$-A | 45 33 C0 | xor r8d,r8d |
$-7 | 48 8D 95 60 51 00 00 | lea rdx,qword ptr ss: | :lostark.0+3707c50
$ ==> | E8 1A C1 14 01 | call <lostark.mwsend1> | 喊话组包
$ ==> 00007FF743B87C50 lostark.lostark.0+3707c50
$+8 0000000000000000
$+10 0000000000000000
$+18 00
$+19 6C0070 0070 0061
$+20 72006F0020006500
$+28 650067006E006100
$+30 75006C0062002000
$+38 4200410020006500
$+40 0000000000004300
$+48 0000000000000198
$+50 00000064BA8F5B9E
$+58 00000064000001F3
$+60 00000064BA8F5FC6
$+68 00000064BA8F5FF4
$+70 0000000000000000
$ ==> apple orange blue ABC (21)*2=42=0x2A
1A+15*2+4
19+15*2+
+000 vftable
+008固定为0 UINT64
+010固定为0 UINT64
+0180 UINT64
+019BYTE
+01A被丢弃物品对象下标
+01C被丢弃物品对象数量
+021BYTE 0
+01A word 被丢弃物品对象下标
+01C dword被丢弃物品对象数量
+021 BYTE 0
$ ==> 00007FF699A2DE68 vftable
$+8 0000000000000000 固定为0
$+10 0000000000000000 固定为0
$+18 000000030005 FF FE
$+20 0000021131F2008C
$+28 0000000000000000
00007FF741781310 | B8 6D CF 00 00 | mov eax,CF6D 包ID
00007FF741781315 | C3 | ret |
包大小 =
00007FF742848190 | 40 53 | push rbx |
00007FF742848192 | 48 83 EC 20 | sub rsp,20 |
00007FF742848196 | 48 8B D9 | mov rbx,rcx |
00007FF742848199 | 48 81 C1 10 02 00 00 | add rcx,210 |
00007FF7428481A0 | E8 AB D4 FF FF | call lostark.7FF742845650 |
00007FF7428481A5 | 48 83 C9 FF | or rcx,FFFFFFFFFFFFFFFF |
00007FF7428481A9 | 0F 1F 80 00 00 00 00 | nop dword ptr ds: |
00007FF7428481B0 | 66 83 7C 4B 1B 00 | cmp word ptr ds:,0 |
00007FF7428481B6 | 48 8D 49 01 | lea rcx,qword ptr ds: |
00007FF7428481BA | 75 F4 | jne lostark.7FF7428481B0 |
00007FF7428481BC | 8D 04 48 | lea eax,dword ptr ds: |
00007FF7428481BF | 83 C0 04 | add eax,4 |
00007FF7428481C2 | 48 83 C4 20 | add rsp,20 |
00007FF7428481C6 | 5B | pop rbx |
**** Hidden Message *****
论坛网址 www.yjxsoft.com
郁金香老师:QQ-150330575
VIP群 153338418
QQ交流群 909233189569245158280115
页:
[1]