|
|
发表于 2024-1-25 21:06:57
|
查看: 812 |
回复: 0
郁金香灬游戏外挂技术
https://www.yjxsoft.com/
本教程视频1920*1080分辩率下观看最佳
VS2017+win10 64位 环境
郁金香灬老师:QQ -> 150330575
欢迎大家参加 游戏安全与外挂的研究学习。
兴趣是我们最好的老师
兴趣+坚持+时间+优秀老师会帮助你快速成功
学习目标:
数据分析前的准备-定位 GArray 基址偏移
提取特征码
GWorld GName GArray
可参考 2022.6在线班->005-UE4,UE5引擎和实例游戏分析
001-UE4,UE5引擎里 GWorld与GName,GObjectBaseArray
031-快速定位 全局对象数组GName GObjArrayBase,通杀所有UE4,UE5引擎
055-UE4.26.1版本分析怪物数组-定位 GName 和 GArray
xdbg里的 标签 Shift+;
xdbg里的 注释 ;
L"Trying to add an unreachable object %s to FAsyncPackage %s referenced objects list." //-5E
地址 反汇编 标签
00007FF700300E00 ??? GWorld = TL.exe+8B20E00
00007FF700186640 add byte ptr ds:[rax],al GName = TL.exe+89A6640
00007FF7001C2C20 ??? GArray = TL.exe+89E2C20
00007FF7B75ACE2D | 48:63C9 | movsxd rcx, ecx |
00007FF7B75ACE30 | 48:8D1440 | lea rdx, qword ptr ds:[rax+rax*2] | 488D1440 48 8B05 ???????? 488B0CC8 488D04D1 jmp
00007FF7B75ACE34 | 48:8B05 F55F1606 | mov rax, qword ptr ds:[<GArray>]
00007FF7B75ACE3B | 48:8B0CC8 | mov rcx, qword ptr ds:[rax+rcx*8] |
00007FF7B75ACE3F | 48:8D04D1 | lea rax, qword ptr ds:[rcx+rdx*8] |
00007FF7B75ACE43 | EB 02 | jmp mir4s.7FF7B75ACE47 |
00007FF7B75ACE45 | 33C0 | xor eax, eax |
00007FF7B75ACE47 | 8B40 08 | mov eax, dword ptr ds:[rax+8] |
00007FF7B75ACE4A | C1E8 1D | shr eax, 1D |
00007FF7B75ACE4D | A8 01 | test al, 1 |
00007FF7B75ACE4F | 0F84 5B020000 | je mir4s.7FF7B75AD0B0 |
00007FF7B75ACE55 | 48:8B03 | mov rax, qword ptr ds:[rbx] |
00007FF7B75ACE58 | 48:8BCB | mov rcx, rbx |
00007FF7B75ACE5B | FF90 50010000 | call qword ptr ds:[rax+150] |
00007FF7B75ACE61 | E8 BA2CFB02 | call mir4s.7FF7BA55FB20 |
00007FF7B75ACE66 | 48:8B0D EBB12406 | mov rcx, qword ptr ds:[7FF7BD7F8058] |
00007FF7B75ACE6D | 45:33E4 | xor r12d, r12d |
00007FF7B75ACE70 | 41:8BDC | mov ebx, r12d |
00007FF7B75ACE73 | 44:8BF0 | mov r14d, eax |
00007FF7B75ACE76 | E8 752FF602 | call mir4s.7FF7BA50FDF0 |
00007FF7B75ACE7B | 48:85C0 | test rax, rax |
00007FF7B75ACE7E | 0F84 43010000 | je mir4s.7FF7B75ACFC7 |
00007FF7B75ACE84 | E8 27A3B701 | call mir4s.7FF7B91271B0 |
00007FF7B75ACE89 | 48:8D15 1044BD03 | lea rdx, qword ptr ds:[7FF7BB1812A0] | 00007FF7BB1812A0:L"NewObject with empty name can't be used to create default subobjects (inside of UObject derived class constructor) as it produces inconsistent object names. Use ObjectInitializer.CreateDefaultSuobject<> instead."
$-68 | C1F9 10 | sar ecx,10 |
$-65 | 48:63C9 | movsxd rcx,ecx |
$-62 | 48:8D1440 | lea rdx,qword ptr ds:[rax+rax*2] |
$-5E | 48:8B05 7BCB1105 | mov rax,qword ptr ds:[<GArray>] |
$-57 | 48:8B0CC8 | mov rcx,qword ptr ds:[rax+rcx*8] |
$-53 | 48:8D04D1 | lea rax,qword ptr ds:[rcx+rdx*8] |
$-4F | EB 02 | jmp tl.7FF6FB0A60B1 |
$-4D | 33C0 | xor eax,eax |
$-4B | 8B40 08 | mov eax,dword ptr ds:[rax+8] |
$-48 | C1E8 1C | shr eax,1C |
$-45 | A8 01 | test al,1 |
$-43 | 0F84 8F000000 | je tl.7FF6FB0A614E |
$-3D | 48:8D4D 14 | lea rcx,qword ptr ss:[rbp+14] |
$-39 | 48:8D5424 50 | lea rdx,qword ptr ss:[rsp+50] |
$-34 | E8 9353FAFF | call tl.7FF6FB04B460 |
$-2F | 8378 08 00 | cmp dword ptr ds:[rax+8],0 |
$-2B | 74 05 | je tl.7FF6FB0A60D8 |
$-29 | 48:8B18 | mov rbx,qword ptr ds:[rax] |
$-26 | EB 03 | jmp tl.7FF6FB0A60DB |
$-24 | 48:8BDE | mov rbx,rsi |
$-21 | 45:33C9 | xor r9d,r9d |
$-1E | 48:8D5424 40 | lea rdx,qword ptr ss:[rsp+40] |
$-19 | 45:33C0 | xor r8d,r8d |
$-16 | 48:8BCF | mov rcx,rdi | rdi:"ㄢy総Y'緉馪磕漫>"
$-13 | E8 B2881A00 | call tl.7FF6FB24E9A0 |
$-E | 8378 08 00 | cmp dword ptr ds:[rax+8],0 |
$-A | 74 03 | je tl.7FF6FB0A60F7 |
$-8 | 48:8B30 | mov rsi,qword ptr ds:[rax] | rsi:"%s failed"
$-5 | 48:895C24 30 | mov qword ptr ss:[rsp+30],rbx |
$ ==> | 48:8D05 2D92E002 | lea rax,qword ptr ds:[7FF6FDEAF330] | 00007FF6FDEAF330:L"Trying to add an unreachable object %s to FAsyncPackage %s referenced objects list."
$+7 | 48:897424 28 | mov qword ptr ss:[rsp+28],rsi |
$+C | 4C:8D05 3D800B05 | lea r8,qword ptr ds:[7FF70015E14C] |
$+13 | 41:B9 01000000 | mov r9d,1 | r9d:"HalT"
$+19 | 48:894424 20 | mov qword ptr ss:[rsp+20],rax |
$+1E | BA DA140000 | mov edx,14DA |
$+23 | 48:8D0D 0A779303 | lea rcx,qword ptr ds:[7FF6FE9DD830] | 00007FF6FE9DD830:"Unknown"
$+2A | E8 45EDEFFF | call tl.7FF6FAFA4E70 |
$+2F | E8 F081F3FF | call tl.7FF6FAFDE320 |
$+34 | 48:8B4C24 40 | mov rcx,qword ptr ss:[rsp+40] |
$+39 | 48:85C9 | test rcx,rcx |
$+3C | 74 05 | je tl.7FF6FB0A613F |
$+3E | E8 0117E9FF | call tl.7FF6FAF37840 |
$+43 | 48:8B4C24 50 | mov rcx,qword ptr ss:[rsp+50] |
$+48 | 48:85C9 | test rcx,rcx |
$+4B | 74 05 | je tl.7FF6FB0A614E |
$+4D | E8 F216E9FF | call tl.7FF6FAF37840 |
$+52 | 48:8B9C24 80000000 | mov rbx,qword ptr ss:[rsp+80] |
$+5A | 48:8BB424 98000000 | mov rsi,qword ptr ss:[rsp+98] | [rsp+98]:"€枠"
$+62 | 48:83C4 68 | add rsp,68 |
$+66 | 5F | pop rdi |
$+67 | 5D | pop rbp |
$+68 | C3 | ret |
$-AC | 85C0 | test eax,eax |
$-AA | 79 0B | jns tl.7FF6FB0CBBFB |
$-A8 | 05 FFFF0000 | add eax,FFFF |
$-A3 | 81EA 00000100 | sub edx,10000 |
$-9D | C1F8 10 | sar eax,10 |
$-9A | 48:63C8 | movsxd rcx,eax |
$-97 | 45:33FF | xor r15d,r15d |
$-94 | 48:63C2 | movsxd rax,edx |
$-91 | 48:8D1440 | lea rdx,qword ptr ds:[rax+rax*2] |
$-8D | 48:8B05 0E700F05 | mov rax,qword ptr ds:[<GArray>] | -8D
$-86 | 48:8B0CC8 | mov rcx,qword ptr ds:[rax+rcx*8] |
$-82 | 48:8D04D1 | lea rax,qword ptr ds:[rcx+rdx*8] |
$-7E | EB 06 | jmp tl.7FF6FB0CBC22 |
$-7C | 45:33FF | xor r15d,r15d |
$-79 | 41:8BC7 | mov eax,r15d |
$-76 | 8B40 08 | mov eax,dword ptr ds:[rax+8] |
$-73 | C1E8 1C | shr eax,1C |
$-70 | A8 01 | test al,1 |
$-6E | 0F84 AB000000 | je tl.7FF6FB0CBCDB |
$-68 | 48:8B8D 00020000 | mov rcx,qword ptr ss:[rbp+200] |
$-61 | 48:8D95 80010000 | lea rdx,qword ptr ss:[rbp+180] |
$-5A | 48:83C1 14 | add rcx,14 |
$-56 | E8 19F8F7FF | call tl.7FF6FB04B460 |
$-51 | 8378 08 00 | cmp dword ptr ds:[rax+8],0 |
$-4D | 74 05 | je tl.7FF6FB0CBC52 |
$-4B | 48:8B18 | mov rbx,qword ptr ds:[rax] |
$-48 | EB 07 | jmp tl.7FF6FB0CBC59 |
$-46 | 48:8D1D 6F6D9003 | lea rbx,qword ptr ds:[7FF6FE9D29C8] |
$-3F | 45:33C9 | xor r9d,r9d | r9d:"HalT"
$-3C | 48:8D95 70010000 | lea rdx,qword ptr ss:[rbp+170] |
$-35 | 45:33C0 | xor r8d,r8d |
$-32 | 49:8BCE | mov rcx,r14 |
$-2F | E8 322D1800 | call tl.7FF6FB24E9A0 |
$-2A | 8378 08 00 | cmp dword ptr ds:[rax+8],0 |
$-26 | 74 05 | je tl.7FF6FB0CBC79 |
$-24 | 48:8B00 | mov rax,qword ptr ds:[rax] |
$-21 | EB 07 | jmp tl.7FF6FB0CBC80 |
$-1F | 48:8D05 486D9003 | lea rax,qword ptr ds:[7FF6FE9D29C8] |
$-18 | 48:895C24 30 | mov qword ptr ss:[rsp+30],rbx |
$-13 | 4C:8D05 C0240905 | lea r8,qword ptr ds:[7FF70015E14C] |
$-C | 48:894424 28 | mov qword ptr ss:[rsp+28],rax | [rsp+28]:NVENCODEAPI_Thunk+DEAD2
$-7 | 48:8D0D 981B9103 | lea rcx,qword ptr ds:[7FF6FE9DD830] | 00007FF6FE9DD830:"Unknown"
$ ==> | 48:8D05 9136DE02 | lea rax,qword ptr ds:[7FF6FDEAF330] | 00007FF6FDEAF330:L"Trying to add an unreachable object %s to FAsyncPackage %s referenced objects list."
$+7 | 41:B9 01000000 | mov r9d,1 | r9d:"HalT"
$+D | BA DA140000 | mov edx,14DA |
$+12 | 48:894424 20 | mov qword ptr ss:[rsp+20],rax |
论坛网址 www.yjxsoft.com
郁金香老师:QQ-150330575 手机 139 9636 2600
QQ交流群 9569245 158280115
|
|
游戏安全课程 学员办理咨询联系QQ150330575 手机 139 9636 2600 免费课程 在 www.bilibili.com 搜 郁金香灬老师
|
|
