I'm learning how to find the base address in 天龙八部 (Tian Long Ba Bu), but I just can't find it. Could the experts here give me a few pointers?
Looking for the HP (health) value.
The code where OD (OllyDbg) broke is as follows:
0045F8C4 CC int3
0045F8C5 CC int3
0045F8C6 CC int3
0045F8C7 CC int3
0045F8C8 CC int3
0045F8C9 CC int3
0045F8CA CC int3
0045F8CB CC int3
0045F8CC CC int3
0045F8CD CC int3
0045F8CE CC int3
0045F8CF CC int3
0045F8D0 55 push ebp
0045F8D1 8BEC mov ebp, esp
0045F8D3 56 push esi
0045F8D4 8BF1 mov esi, ecx
0045F8D6 8B4E 08 mov ecx, dword ptr [esi+8]
0045F8D9 8B01 mov eax, dword ptr [ecx]
0045F8DB 57 push edi
0045F8DC FF90 1C010000 call dword ptr [eax+11C]
0045F8E2 83F8 02 cmp eax, 2
0045F8E5 8B3D 20996300 mov edi, dword ptr [639920] ; tengine.tThrowStringException
0045F8EB 75 19 jnz short 0045F906
0045F8ED 68 5C060000 push 65C
0045F8F2 68 34FA6300 push 0063FA34 ; ASCII ".\DataPool\GMDP_CharacterData.cpp"
0045F8F7 68 94FA6300 push 0063FA94 ; ASCII "CT_MONSTER"
0045F8FC 68 6CFA6300 push 0063FA6C ; ASCII "Character must not %s,(File:%s Line:%d)"
0045F901 FFD7 call edi
0045F903 83C4 10 add esp, 10
0045F906 8B4E 08 mov ecx, dword ptr [esi+8]
0045F909 8B11 mov edx, dword ptr [ecx]
0045F90B FF92 1C010000 call dword ptr [edx+11C]
0045F911 83F8 01 cmp eax, 1
0045F914 75 19 jnz short 0045F92F
0045F916 68 5D060000 push 65D
0045F91B 68 34FA6300 push 0063FA34 ; ASCII ".\DataPool\GMDP_CharacterData.cpp"
0045F920 68 B4FA6300 push 0063FAB4 ; ASCII "CT_PLAYEROTHER"
0045F925 68 6CFA6300 push 0063FA6C ; ASCII "Character must not %s,(File:%s Line:%d)"
0045F92A FFD7 call edi
0045F92C 83C4 10 add esp, 10
0045F92F 8B46 04 mov eax, dword ptr [esi+4]
0045F932 8B4D 08 mov ecx, dword ptr [ebp+8]
0045F935 8988 F4080000 mov dword ptr [eax+8F4], ecx
0045F93B 8B0D 30776A00 mov ecx, dword ptr [6A7730]
So eax+8F4 = HP address
eax=esi+4
esi=ecx
You can see that ecx comes from the parent function, so Ctrl+F9 to return to the parent function.
0054BE17 50 push eax
0054BE18 FF52 44 call dword ptr [edx+44]
0054BE1B 8BD8 mov ebx, eax
0054BE1D 85DB test ebx, ebx
0054BE1F 895D F8 mov dword ptr [ebp-8], ebx
0054BE22 0F84 CF090000 je 0054C7F7
0054BE28 F646 10 01 test byte ptr [esi+10], 1
0054BE2C 57 push edi
0054BE2D 8BBB 58010000 mov edi, dword ptr [ebx+158]
0054BE33 74 2B je short 0054BE60
0054BE35 8B46 20 mov eax, dword ptr [esi+20]
0054BE38 50 push eax
0054BE39 8BCF mov ecx, edi
0054BE3B E8 E01CF1FF call 0045DB20
0054BE40 8B0D 5C0B6A00 mov ecx, dword ptr [6A0B5C]
0054BE46 3B59 64 cmp ebx, dword ptr [ecx+64]
0054BE49 75 15 jnz short 0054BE60
0054BE4B 8B47 04 mov eax, dword ptr [edi+4]
0054BE4E 8B0D 10786A00 mov ecx, dword ptr [6A7810]
0054BE54 8B40 5C mov eax, dword ptr [eax+5C]
0054BE57 8B11 mov edx, dword ptr [ecx]
0054BE59 50 push eax
0054BE5A FF92 B4000000 call dword ptr [edx+B4]
0054BE60 F646 10 02 test byte ptr [esi+10], 2
0054BE64 74 0B je short 0054BE71
0054BE66 8B4E 28 mov ecx, dword ptr [esi+28]
0054BE69 51 push ecx
0054BE6A 8BCF mov ecx, edi
0054BE6C E8 5F3AF1FF call 0045F8D0
From the above you can see ecx=edi, edi=ebx+158
ebx=eax
By watching how the values change, I found that eax is returned by 0054BE18 FF52 44 call dword ptr [edx+44]
Press F7 to step into the call:
004121B0 55 push ebp
004121B1 8BEC mov ebp, esp
004121B3 51 push ecx
004121B4 56 push esi
004121B5 8BF1 mov esi, ecx
004121B7 8D45 08 lea eax, dword ptr [ebp+8]
004121BA 50 push eax
004121BB 8D4D FC lea ecx, dword ptr [ebp-4]
004121BE 51 push ecx
004121BF 8D4E 54 lea ecx, dword ptr [esi+54]
004121C2 E8 49F90100 call 00431B10
004121C7 8B4E 58 mov ecx, dword ptr [esi+58]
004121CA 8B45 FC mov eax, dword ptr [ebp-4]
004121CD 3BC1 cmp eax, ecx
004121CF 5E pop esi
004121D0 75 08 jnz short 004121DA
004121D2 33C0 xor eax, eax
004121D4 8BE5 mov esp, ebp
004121D6 5D pop ebp
004121D7 C2 0400 retn 4
004121DA 8B40 10 mov eax, dword ptr [eax+10]
004121DD 8BE5 mov esp, ebp
004121DF 5D pop ebp
004121E0 C2 0400 retn 4
This gives eax=eax+10
eax=ebp-4
ebp=esp
No matter how I look, I can't trace it any further. Am I looking in the wrong place?
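The pointer chain the listing above walks, as an added C example that is not part of the original post: following the dword ptr loads literally, the HP field sits at [[[obj+158]+4]+8F4], where obj is the value call [edx+44] handed back in ebx, and every link is checked for NULL the way the listing does with test ebx, ebx / je before trusting the object. The address space, the object addresses and the HP value are constructed for the example, the names read32, resolve_chain, build_sample_character and read_hp are assumptions, and the chain is resolved inside a simulated buffer rather than a live process.

```c
#include <stdint.h>
#include <string.h>
/* Constructed 32-bit address space (flat buffer at SIM_BASE); nothing here
 * touches a real process, the layout below is made up for the example. */
#define SIM_BASE 0x01000000u
#define SIM_SIZE 0x4000u
static uint8_t sim_mem[SIM_SIZE];

/* Read a dword; fails on NULL or unmapped addresses, the same guard the
 * listing performs with "test ebx, ebx / je" before trusting the object. */
static int read32(uint32_t addr, uint32_t *out) {
    if (addr == 0 || addr < SIM_BASE || addr + 4 > SIM_BASE + SIM_SIZE) return 0;
    memcpy(out, &sim_mem[addr - SIM_BASE], 4);
    return 1;
}

static void write32(uint32_t addr, uint32_t val) {
    memcpy(&sim_mem[addr - SIM_BASE], &val, 4);
}

/* Walk cur = [cur + offs[i]] for all but the last offset; the last offset is
 * added without a load, giving the field's address (eax+8F4 in the listing). */
static int resolve_chain(uint32_t head, const uint32_t *offs, size_t n, uint32_t *field_addr) {
    uint32_t cur = head;
    for (size_t i = 0; i + 1 < n; i++)
        if (!read32(cur + offs[i], &cur) || cur == 0) return 0;
    *field_addr = cur + offs[n - 1];
    return 1;
}

/* Loads taken from the listing: edi=[ebx+158], eax=[esi+4], HP at [eax+8F4]. */
static const uint32_t hp_chain[] = { 0x158, 0x4, 0x8F4 };

/* Construct one character object graph and return the object address (the
 * value call [edx+44] handed back in ebx); the addresses are arbitrary. */
uint32_t build_sample_character(uint32_t hp) {
    uint32_t obj = SIM_BASE + 0x100, mgr = SIM_BASE + 0x800, data = SIM_BASE + 0x1000;
    write32(obj + 0x158, mgr);   /* edi = [ebx+158] */
    write32(mgr + 0x4, data);    /* eax = [esi+4]   */
    write32(data + 0x8F4, hp);   /* [eax+8F4] = HP  */
    return obj;
}

/* Resolve and read the HP field; returns the value, or -1 if any link is bad. */
int64_t read_hp(uint32_t obj) {
    uint32_t addr, hp;
    if (!resolve_chain(obj, hp_chain, 3, &addr) || !read32(addr, &hp)) return -1;
    return (int64_t)hp;
}
```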