【案例一香港的晴空物语】
【版本】 2011-07-27
【dump游戏的game.bin】
- 虽然无壳, 但是找不到 Game.exe,只有一个Launcher.exe。
原因:游戏的客户端exe(_Launcher.exe ),是2个exe的合成:Launcher.exe 和 Game.exe
静态下: Game.exe是作为_Launcher.exe的数据段存在的,并且加密压缩过。
- 游戏的真实启动过程:
用OD先启动 Launcher.exe,然后看到 创建一个Game.exe的进程,并挂起。
然后,解密解压缩数据段Game.bin,WriteMem写入到刚才挂起的进程。
然后,Launcher.exe退出,Game.exe 恢复运行(Resume)。
- 关键点:
.text:00422690
.text:00422690 ; Purpose: rebuild the PE image of the embedded Game.exe (Game.bin) in a freshly
.text:00422690 ;          VirtualAlloc'd buffer: copy the headers, then copy each section to its
.text:00422690 ;          VirtualAddress. This is the point where Game.exe can be dumped.
.text:00422690 ; Convention: __stdcall, six dword args (retn 18h). Returns al = 1 on success,
.text:00422690 ;          al = 0 when the header checks fail or sub_4225E0 returns 0.
.text:00422690 ; Stack at the call site (captured values from the page):
.text:00422690 ; 0012DFAC 01C80020 pAddrGamebin: raw (decrypted) Game.bin base
.text:00422690 ; 0012DFB0 008AC198 arg_4: compared against 40h and e_lfanew+0F8h below, so the code
.text:00422690 ;                   treats it as the raw size (the original note called it the write address)
.text:00422690 ; 0012DFB4 0012DFD8 arg_8:  out, receives the new IMAGE_NT_HEADERS pointer
.text:00422690 ; 0012DFB8 0012DFD4 arg_C:  out, receives the new section table pointer
.text:00422690 ; 0012DFBC 0012DFDC arg_10: out, receives the VirtualAlloc base (0 if allocation failed)
.text:00422690 ; 0012DFC0 0012DFE0 arg_14: out, receives the size returned by sub_4225E0
.text:00422690 ;                   (the launcher path string sits right after it, at 0012DFE4)
.text:00422690 ; Note: stack dump at the call site:
.text:00422690 ; 0012DFD4 00 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00 ...............
.text:00422690 ; 0012DFE4 46 3A 5C C7 E7 BF D5 CE EF D5 5A 5C 47 44 4F 6E F:\晴空物語\GDOn
.text:00422690 ; 0012DFF4 6C 69 6E 65 48 4B 5C 5F 4C 61 75 6E 63 68 65 72 lineHK\_Launcher
.text:00422690 ; 0012E004 2E 65 78 65 .exe
.text:00422690
.text:00422690 ; int __stdcall Fix_GameBin_PE(int pAddrGamebin,int,int,int,int,int)
.text:00422690 Fix_GameBin_PE proc near ; CODE XREF: CreateProcessA_WriteMem_Quit3+DAp
.text:00422690
.text:00422690 pAddrGamebin = dword ptr 4 ; in:  raw image base
.text:00422690 arg_4 = dword ptr 8 ; in:  raw size; its slot is reused as the section loop counter later
.text:00422690 arg_8 = dword ptr 0Ch ; out: *arg_8  = IMAGE_NT_HEADERS in the new buffer
.text:00422690 arg_C = dword ptr 10h ; out: *arg_C  = section table in the new buffer
.text:00422690 arg_10 = dword ptr 14h ; out: *arg_10 = VirtualAlloc base
.text:00422690 arg_14 = dword ptr 18h ; out: *arg_14 = size returned by sub_4225E0
.text:00422690
.text:00422690 mov eax, [esp+arg_4] ; eax = raw size (kept in eax through all header checks)
.text:00422694 cmp eax, 40h ; must at least hold IMAGE_DOS_HEADER (40h bytes)
.text:00422697 jnb short loc_42269E
.text:00422699 xor al, al ; return 0: buffer too small
.text:0042269B retn 18h
.text:0042269E ; ---------------------------------------------------------------------------
.text:0042269E
.text:0042269E loc_42269E: ; CODE XREF: Fix_GameBin_PE+7j
.text:0042269E push ebx
.text:0042269F mov ebx, [esp+4+pAddrGamebin] ; ebx = raw image base
.text:004226A3 cmp word ptr [ebx], 5A4Dh ; IMAGE_DOS_HEADER.e_magic == 'MZ'
.text:004226A8 jz short loc_4226B0
.text:004226AA xor al, al ; return 0: no MZ signature
.text:004226AC pop ebx
.text:004226AD retn 18h
.text:004226B0 ; ---------------------------------------------------------------------------
.text:004226B0
.text:004226B0 loc_4226B0: ; CODE XREF: Fix_GameBin_PE+18j
.text:004226B0 push esi
.text:004226B1 mov esi, [ebx+3Ch] ; esi = e_lfanew (offset of IMAGE_NT_HEADERS)
.text:004226B4 lea edx, [esi+0F8h] ; edx = e_lfanew + sizeof(IMAGE_NT_HEADERS32)
.text:004226BA cmp eax, edx ; raw size must cover the whole NT header
.text:004226BC jl loc_422834 ; NOTE: signed compare on a size; an e_lfanew with the sign bit set would pass
.text:004226C2 add esi, ebx ; esi = &IMAGE_NT_HEADERS in the raw image
.text:004226C4 cmp dword ptr [esi], 4550h ; Signature == 'PE\0\0'
.text:004226CA jnz loc_422834
.text:004226D0 movzx edx, word ptr [esi+16h] ; edx = FileHeader.Characteristics
.text:004226D4 test edx, 2000h ; IMAGE_FILE_DLL set -> reject
.text:004226DA jnz loc_422834
.text:004226E0 test dl, 2 ; IMAGE_FILE_EXECUTABLE_IMAGE clear -> reject
.text:004226E3 jz loc_422834
.text:004226E9 cmp word ptr [esi+14h], 0E0h ; SizeOfOptionalHeader == 0E0h (PE32 only)
.text:004226EF jnz loc_422834
.text:004226F5 push edi
.text:004226F6 lea edi, [esi+0F8h] ; edi = first IMAGE_SECTION_HEADER (NT headers + 0F8h)
.text:004226FC push edi ; section table
.text:004226FD push esi ; NT headers
.text:004226FE push eax ; raw size
.text:004226FF push ebx ; raw base
.text:00422700 call sub_4225E0 ; body not on the page; cleans its own 4 args; result is used as the VirtualAlloc size (presumably the mapped image size -- confirm)
.text:00422705 test eax, eax
.text:00422707 mov ecx, [esp+0Ch+arg_14]
.text:0042270B mov [ecx], eax ; *arg_14 = that size (written even when it is 0)
.text:0042270D jnz short loc_422717
.text:0042270F pop edi
.text:00422710 pop esi
.text:00422711 xor al, al ; return 0: sub_4225E0 returned 0
.text:00422713 pop ebx
.text:00422714 retn 18h
.text:00422717 ; ---------------------------------------------------------------------------
.text:00422717
.text:00422717 loc_422717: ; CODE XREF: Fix_GameBin_PE+7Dj
.text:00422717 push ebp
.text:00422718 push 40h ; flProtect = PAGE_EXECUTE_READWRITE
.text:0042271A push 1000h ; flAllocationType = MEM_COMMIT
.text:0042271F push eax ; dwSize
.text:00422720 push 0 ; lpAddress = NULL (system chooses)
.text:00422722 call ds:VirtualAlloc
.text:00422728 test eax, eax
.text:0042272A mov ebp, [esp+10h+arg_10]
.text:0042272E mov [ebp+0], eax ; *arg_10 = new image base
.text:00422731 jz loc_42282B ; NOTE: allocation failure still ends at the al = 1 exit; callers must test *arg_10
.text:00422737 movzx ecx, word ptr [esi+6] ; ecx = FileHeader.NumberOfSections
.text:0042273B test ecx, ecx
.text:0042273D mov edx, [esi+54h] ; edx = OptionalHeader.SizeOfHeaders
.text:00422740 jle short loc_42275B ; no sections: copy SizeOfHeaders bytes
.text:00422742 lea esi, [edi+14h] ; esi = &section[0].PointerToRawData
.text:00422745 mov edi, ecx ; edi = sections remaining
.text:00422747
.text:00422747 loc_422747: ; CODE XREF: Fix_GameBin_PE+C9j
.text:00422747 mov ecx, [esi] ; PointerToRawData of this section
.text:00422749 test ecx, ecx
.text:0042274B jz short loc_422753 ; sections without raw data are ignored
.text:0042274D cmp ecx, edx
.text:0042274F jnb short loc_422753
.text:00422751 mov edx, ecx ; edx = min(edx, PointerToRawData)
.text:00422753
.text:00422753 loc_422753: ; CODE XREF: Fix_GameBin_PE+BBj
.text:00422753 ; Fix_GameBin_PE+BFj
.text:00422753 add esi, 28h ; next IMAGE_SECTION_HEADER (28h bytes each)
.text:00422756 sub edi, 1
.text:00422759 jnz short loc_422747
.text:0042275B
.text:0042275B loc_42275B: ; CODE XREF: Fix_GameBin_PE+B0j
.text:0042275B push edx ; len = header bytes to copy (never past the lowest section raw offset)
.text:0042275C push ebx ; src = raw image
.text:0042275D push eax ; dst = new image base
.text:0042275E call unknown_libname_54 ; Microsoft VisualC 2-8/net runtime -- called as (dst, src, len), memcpy-like; caller pops 0Ch below
.text:00422763 mov eax, [ebp+0] ; eax = new image base
.text:00422766 mov edx, [eax+3Ch] ; e_lfanew of the copied headers
.text:00422769 mov ebp, [esp+1Ch+arg_8]
.text:0042276D add eax, edx
.text:0042276F mov [ebp+0], eax ; *arg_8 = new IMAGE_NT_HEADERS
.text:00422772 lea edi, [eax+0F8h]
.text:00422778 mov eax, [esp+1Ch+arg_C]
.text:0042277C mov [eax], edi ; *arg_C = new section table
.text:0042277E mov ebx, [ebp+0] ; ebx = new NT headers (raw base is no longer kept in ebx)
.text:00422781 mov ecx, [ebx+38h] ; ecx = OptionalHeader.SectionAlignment
.text:00422784 mov edx, [ebx+54h] ; edx = SizeOfHeaders
.text:00422787 lea eax, [edx+ecx-1]
.text:0042278B xor edx, edx ; clear edx before the unsigned div
.text:0042278D div ecx ; eax = ceil(SizeOfHeaders / SectionAlignment)
.text:0042278F add esp, 0Ch ; pop the three memcpy args
.text:00422792 mov [esp+10h+arg_4], 0 ; reuse arg_4's slot as section index i = 0
.text:0042279A mov esi, eax
.text:0042279C mov eax, [esp+10h+arg_10]
.text:004227A0 imul esi, ecx
.text:004227A3 add esi, [eax] ; esi = base + align_up(SizeOfHeaders): default dst for section 0
.text:004227A5 cmp word ptr [ebx+6], 0 ; NumberOfSections == 0 ?
.text:004227AA jbe short loc_42282B
.text:004227AC xor ebx, ebx ; ebx = byte offset of the current section header (i * 28h)
.text:004227AE mov edi, edi ; 2-byte nop: aligns the loop head to 16 bytes
.text:004227B0
.text:004227B0 loc_4227B0: ; CODE XREF: Fix_GameBin_PE+199j
.text:004227B0 mov eax, [ebx+edi+0Ch] ; section.VirtualAddress
.text:004227B4 test eax, eax
.text:004227B6 jz short loc_4227C0 ; VA 0: keep the running dst in esi
.text:004227B8 mov edx, [esp+10h+arg_10]
.text:004227BC mov esi, [edx]
.text:004227BE add esi, eax ; dst = base + VirtualAddress
.text:004227C0
.text:004227C0 loc_4227C0: ; CODE XREF: Fix_GameBin_PE+126j
.text:004227C0 mov eax, [ebx+edi+10h] ; section.SizeOfRawData
.text:004227C4 test eax, eax
.text:004227C6 jz short loc_422801 ; nothing to copy (uninitialised data section)
.text:004227C8 push eax ; len = SizeOfRawData
.text:004227C9 mov eax, [ebx+edi+14h] ; section.PointerToRawData
.text:004227CD add eax, [esp+14h+pAddrGamebin]
.text:004227D1 push eax ; src = raw base + PointerToRawData (NOTE: not checked against the raw size)
.text:004227D2 push esi ; dst
.text:004227D3 call unknown_libname_54 ; Microsoft VisualC 2-8/net runtime -- same memcpy-like copy
.text:004227D8 mov ecx, [esp+1Ch+arg_C]
.text:004227DC mov edi, [ecx] ; reload the new section table pointer
.text:004227DE mov eax, [ebx+edi+10h] ; SizeOfRawData
.text:004227E2 mov edx, [ebx+edi+8] ; Misc.VirtualSize
.text:004227E6 add esp, 0Ch ; pop memcpy args
.text:004227E9 cmp edx, eax
.text:004227EB jnb short loc_4227F9 ; VirtualSize >= SizeOfRawData -> size by VirtualSize
.text:004227ED mov edx, [ebp+0]
.text:004227F0 mov ecx, [edx+38h] ; SectionAlignment
.text:004227F3 lea eax, [eax+ecx-1] ; eax = SizeOfRawData + SectionAlignment - 1
.text:004227F7 jmp short loc_422809
.text:004227F9 ; ---------------------------------------------------------------------------
.text:004227F9
.text:004227F9 loc_4227F9: ; CODE XREF: Fix_GameBin_PE+15Bj
.text:004227F9 mov eax, [ebp+0]
.text:004227FC mov ecx, [eax+38h] ; SectionAlignment
.text:004227FF jmp short loc_422805
.text:00422801 ; ---------------------------------------------------------------------------
.text:00422801
.text:00422801 loc_422801: ; CODE XREF: Fix_GameBin_PE+136j
.text:00422801 mov edx, [ebx+edi+8] ; VirtualSize (ecx still holds SectionAlignment on every path into here)
.text:00422805
.text:00422805 loc_422805: ; CODE XREF: Fix_GameBin_PE+16Fj
.text:00422805 lea eax, [edx+ecx-1] ; eax = VirtualSize + SectionAlignment - 1
.text:00422809
.text:00422809 loc_422809: ; CODE XREF: Fix_GameBin_PE+167j
.text:00422809 xor edx, edx
.text:0042280B div ecx ; eax = ceil(size / SectionAlignment)
.text:0042280D mov edx, [ebp+0]
.text:00422810 movzx edx, word ptr [edx+6] ; NumberOfSections
.text:00422814 add ebx, 28h ; next section header
.text:00422817 imul eax, ecx
.text:0042281A add esi, eax ; advance the running dst by the aligned section size
.text:0042281C mov eax, [esp+10h+arg_4]
.text:00422820 add eax, 1 ; i++
.text:00422823 cmp eax, edx
.text:00422825 mov [esp+10h+arg_4], eax
.text:00422829 jl short loc_4227B0 ; while i < NumberOfSections
.text:0042282B
.text:0042282B loc_42282B: ; CODE XREF: Fix_GameBin_PE+A1j
.text:0042282B ; Fix_GameBin_PE+11Aj
.text:0042282B pop ebp
.text:0042282C pop edi
.text:0042282D pop esi
.text:0042282E mov al, 1 ; success (also reached when VirtualAlloc returned 0)
.text:00422830 pop ebx
.text:00422831 retn 18h
.text:00422834 ; ---------------------------------------------------------------------------
.text:00422834
.text:00422834 loc_422834: ; CODE XREF: Fix_GameBin_PE+2Cj
.text:00422834 ; Fix_GameBin_PE+3Aj ...
.text:00422834 pop esi ; header validation failed; only ebx/esi are pushed on these paths
.text:00422835 xor al, al ; return 0
.text:00422837 pop ebx
.text:00422838 retn 18h
.text:00422838 Fix_GameBin_PE endp
- 简单dump方法: 游戏更新完毕之后,OD附加,然后下断,Dump
00421995 |. 83C4 20 add esp, 20
00421998 |. 8D5424 1C lea edx, dword ptr [esp+1C]
0042199C |. 52 push edx
0042199D |. 8D4424 1C lea eax, dword ptr [esp+1C]
004219A1 |. 50 push eax
004219A2 |. 8B8424 38110000 mov eax, dword ptr [esp+1138]
004219A9 |. 8D4C24 18 lea ecx, dword ptr [esp+18]
004219AD |. 51 push ecx
004219AE |. 8D5424 20 lea edx, dword ptr [esp+20]
004219B2 |. 52 push edx
004219B3 |. 50 push eax
004219B4 |. 55 push ebp ; Dump: ebp;ebp就是Game.bin的镜像首地址。
004219B5 |. 8BCE mov ecx, esi
004219B7 |. 83CF FF or edi, FFFFFFFF
004219BA |. E8 41F9FFFF call 00421300
004219BF |. 84C0 test al, al
【启动参数】
在call 00422690 ;修复Pe文件头;这里很关键,修复Game.exe的Pe头。
从Call=00422690的最后一个参数ebp,ebp+$20就是 Game.bin的地址。Dump另存出来,可以得到 boGame.exe.
另存出来的boGame.exe. 加参数 " EasyFun -a -p" 可以直接启动游戏。
- 先Dump出来boGame.exe ; 启动参数EasyFun -a -p
另存出来的 boGame.exe 加参数 EasyFun -a -p
可以直接启动游戏。
【游戏本身的通讯协议加密算法的破解过程】
-用 OD+strong版本。
-根据WSARecv,然后一直下 硬件读取断点,找到Decrypt的Call,然后在DecryptCall下断点,发现加密也
用这个Call。于是,找到了SendPack的未加密之前的明文地址。
-- 下面是关于通讯协议的加密,解密算法。
关键Call.HookSendAddr: 对通讯协议加密处理。
版本:游戏_Launcher.exe 2011-08-24
空间:_Launcher.exe
特征码: 83C5025583C3025383C7FE - 48h ;
00A87880 53 push ebx
; Login_Acc(只有一个参数A,Ecx是SocketClass),
HookSendAddr(明文数据buf首地址):buf=[[Esp+4]+4]+2 ,(明文长度)SrcSize=[[Esp+4]+4] ;(返回地址)lpRet=[Esp+2C]
00A87881 55 push ebp
00A87882 56 push esi
00A87883 57 push edi
00A87884 8B7C24 14 mov edi, dword ptr [esp+14] ; 参数A
00A87888 8B6F 04 mov ebp, dword ptr [edi+4] ; ebp=[edi+4]=Srcbuf
00A8788B 3B6F 08 cmp ebp, dword ptr [edi+8]
00A8788E 8BF1 mov esi, ecx
00A87890 76 08 jbe short 00A8789A
00A87892 E8 40E8A3FF call 004C60D7
00A87897 3B6F 08 cmp ebp, dword ptr [edi+8]
00A8789A 72 05 jb short 00A878A1
00A8789C E8 36E8A3FF call 004C60D7
00A878A1 8B5F 04 mov ebx, dword ptr [edi+4]
00A878A4 3B5F 08 cmp ebx, dword ptr [edi+8]
00A878A7 76 08 jbe short 00A878B1
00A878A9 E8 29E8A3FF call 004C60D7
00A878AE 3B5F 08 cmp ebx, dword ptr [edi+8]
00A878B1 72 05 jb short 00A878B8
00A878B3 E8 1FE8A3FF call 004C60D7
00A878B8 8B47 04 mov eax, dword ptr [edi+4]
00A878BB 85C0 test eax, eax
00A878BD 75 04 jnz short 00A878C3
00A878BF 33FF xor edi, edi
00A878C1 EB 05 jmp short 00A878C8
00A878C3 8B7F 08 mov edi, dword ptr [edi+8]
00A878C6 2BF8 sub edi, eax
00A878C8 83C5 02 add ebp, 2 //特征码 83C5025583C3025383C7FE
00A878CB 55 push ebp
00A878CC 83C3 02 add ebx, 2
00A878CF 53 push ebx
00A878D0 83C7 FE add edi, -2
00A878D3 8D46 54 lea eax, dword ptr [esi+54]
00A878D6 57 push edi
00A878D7 50 push eax
00A878D8 E8 A3260000 call 00A89F80 ;EnCryptCall 加密数据
00A878DD 8B9E 80280000 mov ebx, dword ptr [esi+2880] ;特征码//mov ebx, dword ptr [esi+2880]
00A878E3 8B53 04 mov edx, dword ptr [ebx+4]
00A878E6 83C4 10 add esp, 10
00A878E9 8DBE 7C280000 lea edi, dword ptr [esi+287C]
00A878EF 8D4C24 14 lea ecx, dword ptr [esp+14]
00A878F3 51 push ecx
00A878F4 52 push edx
00A878F5 53 push ebx
00A878F6 8BCF mov ecx, edi
00A878F8 E8 3377DEFF call 0086F030
00A878FD 6A 01 push 1
关键Call.HookRecvAddr:对通讯协议解密处理。
版本:游戏_Launcher.exe 2011-08-24
空间:_Launcher.exe
特征码: 895D048B430489188B4E04 -2B
00A8FA50 3B5F 08 cmp ebx, dword ptr [edi+8]
00A8FA53 72 05 jb short 00A8FA5A
00A8FA55 E8 246BA3FF call 004C657E
00A8FA5A 8B6F 04 mov ebp, dword ptr [edi+4]
00A8FA5D 3B6F 08 cmp ebp, dword ptr [edi+8]
00A8FA60 76 08 jbe short 00A8FA6A
00A8FA62 E8 176BA3FF call 004C657E
00A8FA67 3B6F 08 cmp ebp, dword ptr [edi+8]
00A8FA6A 72 05 jb short 00A8FA71
00A8FA6C E8 0D6BA3FF call 004C657E
00A8FA71 8B47 04 mov eax, dword ptr [edi+4]
00A8FA74 85C0 test eax, eax
00A8FA76 75 04 jnz short 00A8FA7C
00A8FA78 33FF xor edi, edi
00A8FA7A EB 05 jmp short 00A8FA81
00A8FA7C 8B7F 08 mov edi, dword ptr [edi+8]
00A8FA7F 2BF8 sub edi, eax
00A8FA81 53 push ebx
00A8FA82 55 push ebp
00A8FA83 8D86 5C040000 lea eax, dword ptr [esi+45C]
00A8FA89 57 push edi
00A8FA8A 50 push eax
00A8FA8B E8 30200000 call 00A91AC0 //解密Decrypt
00A8FA90 8BAE 74280000 mov ebp, dword ptr [esi+2874] ; 特征码,
HookRecvAddr:Ebx=Ebp=Buf(明文buf首地址),Eax=Edi=SrcSize长度,
00A8FA96 8B55 04 mov edx, dword ptr [ebp+4]
00A8FA99 83C4 10 add esp, 10
00A8FA9C 8DBE 70280000 lea edi, dword ptr [esi+2870]
00A8FAA2 8D4C24 20 lea ecx, dword ptr [esp+20]
00A8FAA6 51 push ecx
00A8FAA7 52 push edx
00A8FAA8 55 push ebp
00A8FAA9 8BCF mov ecx, edi
00A8FAAB E8 0056C7FF call 007050B0
00A8FAB0 6A 01 push 1
00A8FAB2 8BCF mov ecx, edi
00A8FAB4 8BD8 mov ebx, eax
00A8FAB6 E8 0562E9FF call 00925CC0
00A8FABB 895D 04 mov dword ptr [ebp+4], ebx //特征码 895D048B430489188B4E04
00A8FABE 8B43 04 mov eax, dword ptr [ebx+4]
00A8FAC1 8918 mov dword ptr [eax], ebx
00A8FAC3 8B4E 04 mov ecx, dword ptr [esi+4]
00A8FAC6 E8 75E4FFFF call 00A8DF40
00A8FACB 0FBF8E 92280000 movsx ecx, word ptr [esi+2892]
【跟踪Game.exe加载Apex.exe的过程】
Apex.exe 是作为数据存放在Game.exe里面,ACDC.dat只是更新补丁。
1,从Game.exe的数据段读取出,Apex.exe。
2,修复Apex.exe的IAT、reloc。
3,启动Apex.exe。
4,解密出 ACDC.dat的文件名,解密出 shplain (用来解密ACDC.dat数据的Key)
5,用shplain 解密ACDC.dat,并写入Apex.exe线程。
原始ACDC.dat
1A2008A0 1F 8B 08 00 00 00 00 00 00 0B C4 BD 0B 7C 54 D5 ?......慕|T
1A2008B0 B5 30 7E 66 E6 24 1C 60 64 06 1C 70 94 58 62 1D ?~f?`dp擷b
1A2008C0 6D 34 B1 46 27 D6 E0 80 4D CC 83 80 80 F3 20 33 m4盕'粥€M虄€€?3
1A2008D0 D8 90 C4 B6 5C 1A 53 DA 8B 30 03 58 79 48 27 63 貝亩\S趮0XyH'c
1A2008E0 39 6C 46 69 AB D5 F6 DA 56 6F 6D EB A7 B6 9F BD 9lFi鲒Vom毵稛
1A2008F0 AD 8A F5 D1 84 60 12 1E F2 F2 01 8A AD A8 54 77 瓓跹刞蝌姯═w
1A200900 9C A0 41 04 C2 2B F3 5F 6B ED 73 E6 1D 1E B6 F7 湢A?骭k韘?恩
1A200910 FF F1 23 C9 39 FB EC E7 DA 6B AD BD D6 DA 6B AF ??缵k众k
1A200920 FD 33 E5 9F 07 A4 A7 47 48 B2 04 FF AC 2D 6C 98 ?鍩ぇGH??l
解密之后ACDC.exe
04CD0040 0E 1F BA 0E 00 B4 09 CD 21 B8 01 4C CD 21 54 68 ?.???L?Th
04CD0050 69 73 20 70 72 6F 67 72 61 6D 20 63 61 6E 6E 6F is program canno
04CD0060 74 20 62 65 20 72 75 6E 20 69 6E 20 44 4F 53 20 t be run in DOS
04CD0070 6D 6F 64 65 2E 0D 0D 0A 24 00 00 00 00 00 00 00 mode....$.......
04CD0080 D9 7B 95 BB 9D 1A FB E8 9D 1A FB E8 9D 1A FB E8 賩暬???
04CD0090 1E 12 A6 E8 9E 1A FB E8 9D 1A FA E8 D3 1A FB E8 ﹁???
04CD00A0 98 16 F4 E8 89 1A FB E8 98 16 9B E8 98 1A FB E8 ?翳??涜?
04CD00B0 98 16 A4 E8 E1 1A FB E8 98 16 A7 E8 9C 1A FB E8 ?よ??ц?
04CD00C0 98 16 A1 E8 9C 1A FB E8 52 69 63 68 9D 1A FB E8 ?¤?Rich?
04CD00D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
04CD00E0 00 00 00 00 00 00 00 00 50 45 00 00 4C 01 04 00 ........PE..L.
04CD00F0 21 88 C6 41 00 00 00 00 00 00 00 00 E0 00 0E 21 !埰A........?!
04CD0100 0B 01 07 0A 00 A0 00 00 00 90 00 00 00 00 00 00 ..?..?.....
04CD0110 8C 62 00 00 00 10 00 00 00 B0 00 00 00 00 00 10 宐......?....
[OEP ]
【跟踪Apex线程的通讯--得到“Apex的加密算法”】
参数只有Ecx: SendbufAddr=[Ecx+0D50]
190E7C00 55 push ebp
190E7C01 8BEC mov ebp, esp
190E7C03 83EC 08 sub esp, 8
190E7C06 53 push ebx
190E7C07 56 push esi
190E7C08 57 push edi
190E7C09 8BF1 mov esi, ecx
190E7C0B C645 FF 00 mov byte ptr [ebp-1], 0
190E7C0F 50 push eax
190E7C10 E8 00000000 call 190E7C15
190E7C15 58 pop eax
190E7C16 8945 F8 mov dword ptr [ebp-8], eax
190E7C19 58 pop eax
190E7C1A 0FB645 FB movzx eax, byte ptr [ebp-5]
190E7C1E 8B1D F0C01219 mov ebx, dword ptr [1912C0F0] ; KERNEL32.WaitForSingleObject
190E7C24 8BC8 mov ecx, eax
190E7C26 0FAFC8 imul ecx, eax
190E7C29 81C1 E9000000 add ecx, 0E9
190E7C2F 898E 74110000 mov dword ptr [esi+1174], ecx
190E7C35 C705 3FF01519 00000000 mov dword ptr [1915F03F], 0
190E7C3F 8DBE 640F0000 lea edi, dword ptr [esi+F64]
190E7C45 8B15 3FF01519 mov edx, dword ptr [1915F03F]
190E7C4B 42 inc edx
190E7C4C 8BCE mov ecx, esi
190E7C4E 8915 3FF01519 mov dword ptr [1915F03F], edx
190E7C54 C605 43F01519 0B mov byte ptr [1915F043], 0B
190E7C5B E8 8016FFFF call 190D92E0
190E7C60 8BCE mov ecx, esi
190E7C62 C605 43F01519 0C mov byte ptr [1915F043], 0C
190E7C69 E8 F29AFEFF call 190D1760 ;加密;ApexEncryptCall
190E7C6E 8BCE mov ecx, esi
190E7C70 C605 43F01519 0D mov byte ptr [1915F043], 0D
190E7C77 E8 24BCFFFF call 190E38A0 ;Sendbuf; ApexSendbuf_1; 最终调用 Send4500 ;0DE824BCFFFF85C0
190E7C7C 85C0 test eax, eax
190E7C7E 7D 04 jge short 190E7C84
190E7C80 C645 FF 01 mov byte ptr [ebp-1], 1
190E7C84 57 push edi
190E7C85 C605 43F01519 0E mov byte ptr [1915F043], 0E
190E7C8C C745 F8 00000000 mov dword ptr [ebp-8], 0
190E7C93 FF15 9CC01219 call dword ptr [1912C09C] ; ntdll.RtlEnterCriticalSection
【APEX通信数据的加密——解密的Call】
因为apex和server的通讯协议的加密算法,不是用的游戏本身的加密算法,而是apex自己的加密算法。
4个参数:
0012FC64 036C0C64 结果的长度 036C0C64 06 00 00 00
0012FC68 00000006 原始长度
0012FC6C 036D8250 Srcbuf 036D8250 01 07 F9 F6 90 A0
0012FC70 036D8250 Destbuf 036D8250 01 07 F9 F6 90 A0
说明:加密,解密都使用这个Call。这个Call的上层就可以找到Hook的地址。
; Routine at 00A89F80: symmetric packet cipher; the page states the same call is used
; for both encryption and decryption (consistent with a stream cipher: XOR with a keystream).
; Four dword args read from the stack, no stack cleanup on retn (caller pops them):
;   [esp+14] -> cipher state: byte i at +0, byte j at +4, S-box from +8
;              (the page's caption labels this arg "结果的长度"; the code dereferences it as the state)
;   [esp+18] = length in bytes
;   [esp+1C] = source buffer
;   [esp+20] = destination buffer (the page shows it equal to the source, i.e. in-place)
; The per-byte structure -- j += S[i]; swap S[i],S[j]; output S[(S[i]+S[j]) & FF] XOR data --
; matches an RC4-style keystream generator; verify against a reference before relying on it.
; Two S-box layouts are handled: 256 dwords (fast path, 4 bytes per pass) or 256 bytes.
; Saves/restores ebp, ebx, esi, edi; clobbers eax, ecx, edx; writes i/j back on exit.
00A89F80 55 push ebp ; packet data encrypt/decrypt
00A89F81 53 push ebx
00A89F82 56 push esi
00A89F83 57 push edi
00A89F84 8B7C24 14 mov edi, dword ptr [esp+14] ; edi = cipher state
00A89F88 8B5424 18 mov edx, dword ptr [esp+18] ; edx = length
00A89F8C 8B7424 1C mov esi, dword ptr [esp+1C] ; esi = src
00A89F90 8B6C24 20 mov ebp, dword ptr [esp+20] ; ebp = dst
00A89F94 31C0 xor eax, eax
00A89F96 31DB xor ebx, ebx
00A89F98 81FA 00000000 cmp edx, 0
00A89F9E 0F84 63010000 je 00A8A107 ; length 0: return without touching the state
00A89FA4 8A07 mov al, byte ptr [edi] ; al = i
00A89FA6 8A5F 04 mov bl, byte ptr [edi+4] ; bl = j
00A89FA9 81C7 08000000 add edi, 8 ; edi = S-box base
00A89FAF 8D0C16 lea ecx, dword ptr [esi+edx] ; ecx = src end
00A89FB2 29F5 sub ebp, esi ; ebp = dst - src, so the output byte for src[esi] is [ebp+esi]
00A89FB4 894C24 18 mov dword ptr [esp+18], ecx ; length slot now holds src end
00A89FB8 FEC0 inc al ; i = i + 1 (mod 256) before the first use
00A89FBA 81BF 00010000 FFFFFFFF cmp dword ptr [edi+100], -1 ; dword -1 at S+100h selects the byte-wide S-box path at 00A8A0D0 (presumably a layout marker set when the table is built -- confirm)
00A89FC4 0F84 06010000 je 00A8A0D0
00A89FCA 8B0C87 mov ecx, dword ptr [edi+eax*4] ; dword layout: ecx = S[i]
00A89FCD 81E2 FCFFFFFF and edx, FFFFFFFC ; length rounded down to a multiple of 4
00A89FD3 0F84 B7000000 je 00A8A090 ; fewer than 4 bytes: byte loop only
00A89FD9 8D5416 FC lea edx, dword ptr [esi+edx-4] ; last src position where a full dword fits
00A89FDD 895424 1C mov dword ptr [esp+1C], edx ; src slot now holds the dword-loop limit
00A89FE1 896C24 20 mov dword ptr [esp+20], ebp ; dst slot now holds dst - src (ebp is reused as the keystream word)
00A89FF0 00CB add bl, cl ; dword loop, keystream byte 0: j += S[i]
00A89FF2 8B149F mov edx, dword ptr [edi+ebx*4] ; edx = S[j]
00A89FF5 890C9F mov dword ptr [edi+ebx*4], ecx ; S[j] = S[i]
00A89FF8 891487 mov dword ptr [edi+eax*4], edx ; S[i] = old S[j] (swap)
00A89FFB 01CA add edx, ecx ; edx = S[i] + S[j]
00A89FFD FEC0 inc al
00A89FFF 81E2 FF000000 and edx, 0FF
00A8A005 8B0C87 mov ecx, dword ptr [edi+eax*4] ; ecx = S[i] for the next byte
00A8A008 8B2C97 mov ebp, dword ptr [edi+edx*4] ; keystream byte 0 = S[(S[i]+S[j]) & FF]
00A8A00B 00CB add bl, cl ; keystream byte 1
00A8A00D 8B149F mov edx, dword ptr [edi+ebx*4]
00A8A010 890C9F mov dword ptr [edi+ebx*4], ecx
00A8A013 891487 mov dword ptr [edi+eax*4], edx ; swap S[i], S[j]
00A8A016 01CA add edx, ecx
00A8A018 FEC0 inc al
00A8A01A 81E2 FF000000 and edx, 0FF
00A8A020 C1CD 08 ror ebp, 8 ; make room for the next keystream byte
00A8A023 8B0C87 mov ecx, dword ptr [edi+eax*4]
00A8A026 0B2C97 or ebp, dword ptr [edi+edx*4] ; OR in keystream byte 1
00A8A029 00CB add bl, cl ; keystream byte 2
00A8A02B 8B149F mov edx, dword ptr [edi+ebx*4]
00A8A02E 890C9F mov dword ptr [edi+ebx*4], ecx
00A8A031 891487 mov dword ptr [edi+eax*4], edx ; swap S[i], S[j]
00A8A034 01CA add edx, ecx
00A8A036 FEC0 inc al
00A8A038 81E2 FF000000 and edx, 0FF
00A8A03E C1CD 08 ror ebp, 8
00A8A041 8B0C87 mov ecx, dword ptr [edi+eax*4]
00A8A044 0B2C97 or ebp, dword ptr [edi+edx*4] ; OR in keystream byte 2
00A8A047 00CB add bl, cl ; keystream byte 3
00A8A049 8B149F mov edx, dword ptr [edi+ebx*4]
00A8A04C 890C9F mov dword ptr [edi+ebx*4], ecx
00A8A04F 891487 mov dword ptr [edi+eax*4], edx ; swap S[i], S[j]
00A8A052 01CA add edx, ecx
00A8A054 FEC0 inc al
00A8A056 81E2 FF000000 and edx, 0FF
00A8A05C C1CD 08 ror ebp, 8
00A8A05F 8B4C24 20 mov ecx, dword ptr [esp+20] ; ecx = dst - src
00A8A063 0B2C97 or ebp, dword ptr [edi+edx*4] ; OR in keystream byte 3
00A8A066 C1CD 08 ror ebp, 8 ; final rotate: byte 0 lands in the low byte
00A8A069 332E xor ebp, dword ptr [esi] ; keystream XOR four source bytes
00A8A06B 3B7424 1C cmp esi, dword ptr [esp+1C] ; flags consumed by the jb below (mov/lea in between preserve them)
00A8A06F 892C31 mov dword ptr [ecx+esi], ebp ; key point (author): address where the crypt result is stored -- packet data decryption
00A8A072 8D76 04 lea esi, dword ptr [esi+4]
00A8A075 8B0C87 mov ecx, dword ptr [edi+eax*4] ; ecx = S[i] for the next pass
00A8A078 ^ 0F82 72FFFFFF jb 00A89FF0 ; while src < dword-loop limit
00A8A07E 3B7424 18 cmp esi, dword ptr [esp+18]
00A8A082 0F84 77000000 je 00A8A0FF ; no remainder bytes
00A8A088 8B6C24 20 mov ebp, dword ptr [esp+20] ; ebp = dst - src again for the byte tail
00A8A090 00CB add bl, cl ; byte tail / short-buffer loop (dword S-box), one byte per pass
00A8A092 8B149F mov edx, dword ptr [edi+ebx*4]
00A8A095 890C9F mov dword ptr [edi+ebx*4], ecx
00A8A098 891487 mov dword ptr [edi+eax*4], edx ; swap S[i], S[j]
00A8A09B 01CA add edx, ecx
00A8A09D FEC0 inc al
00A8A09F 81E2 FF000000 and edx, 0FF
00A8A0A5 8B1497 mov edx, dword ptr [edi+edx*4] ; keystream byte
00A8A0A8 3216 xor dl, byte ptr [esi]
00A8A0AA 8D76 01 lea esi, dword ptr [esi+1]
00A8A0AD 8B0C87 mov ecx, dword ptr [edi+eax*4]
00A8A0B0 3B7424 18 cmp esi, dword ptr [esp+18]
00A8A0B4 885435 FF mov byte ptr [ebp+esi-1], dl ; store output byte
00A8A0B8 ^ 0F82 D2FFFFFF jb 00A8A090 ; while src < end
00A8A0BE E9 3C000000 jmp 00A8A0FF
00A8A0D0 0FB60C07 movzx ecx, byte ptr [edi+eax] ; byte-wide S-box layout: same algorithm, one byte per pass
00A8A0D4 00CB add bl, cl ; j += S[i]
00A8A0D6 0FB6141F movzx edx, byte ptr [edi+ebx]
00A8A0DA 880C1F mov byte ptr [edi+ebx], cl
00A8A0DD 881407 mov byte ptr [edi+eax], dl ; swap S[i], S[j]
00A8A0E0 00CA add dl, cl
00A8A0E2 0FB61417 movzx edx, byte ptr [edi+edx] ; keystream byte = S[S[i]+S[j]]
00A8A0E6 04 01 add al, 1
00A8A0E8 3216 xor dl, byte ptr [esi]
00A8A0EA 8D76 01 lea esi, dword ptr [esi+1]
00A8A0ED 0FB60C07 movzx ecx, byte ptr [edi+eax]
00A8A0F1 3B7424 18 cmp esi, dword ptr [esp+18]
00A8A0F5 885435 FF mov byte ptr [ebp+esi-1], dl ; store output byte
00A8A0F9 ^ 0F82 D5FFFFFF jb 00A8A0D4 ; while src < end
00A8A0FF FEC8 dec al ; undo the pre-increment so the saved i is the last index used
00A8A101 885F FC mov byte ptr [edi-4], bl ; write back j
00A8A104 8847 F8 mov byte ptr [edi-8], al ; write back i
00A8A107 5F pop edi
00A8A108 5E pop esi
00A8A109 5B pop ebx
00A8A10A 5D pop ebp
00A8A10B C3 retn ; args left on the stack; the page's call sites follow with add esp, 10
00A8A10C 90 nop
【关于Apex的心跳包】
S<=2D00(0002)Ret=0087ABB5 Ecx=04CEEA2C 19:59:46
S<=4500013C007DC3EB6AE459F805996C6C4B074C7FB038351FE19E7D3DB474B6FBCBA17ED406552C2D6B29C429D0FBE32F9B217378064578AF715C93DCFD59B6DC39(0041)Ret=00592038 Ecx=040C84EC 19:59:51
S<=02000800666F736F6D3030311200C1F7A4A7B4CB28A4C0AC79373AB0C6A5BB29090073686573686F753031000000000D003030312E3031302E30312E313000000F0050432D323031303031313350504453BC20832200000B0057696E58502D33326269743408(0066)Ret=00569094 Ecx=040C84EC 20:00:03
S<=2D00(0002)Ret=0087ABB5 Ecx=04CEEA2C 20:00:16
S<=4500013700E161B7FED559BE25A6A6CAD0D96F43D641ED854CE28335ACBF5A6F78376C78B9C3B4A8C06EF935DE6EAF81CF535101543DF9782B2943A8(003C)Ret=00592038 Ecx=040C84EC 20:00:24
S<=2D00(0002)Ret=0087ABB5 Ecx=04CEEA2C 20:00:46
S<=45000143009906473CD5591E79719BDC607755B1F4D341075A859BC5624F089D6172086418F207AB562228B36DDEB26BE2FEE58518548CC3E2D9B27358B203D668AEE4C68337E1C9(0048)Ret=00592038 Ecx=040C84EC 20:00:57
S<=02000800666F736F6D3030311200C1F7A4A7B4CB28A4C0AC79373AB0C6A5BB29090073686573686F753031000000000D003030312E3031302E30312E313000000F0050432D323031303031313350504453BC200C0000000B0057696E58502D33326269743408(0066)Ret=00569094 Ecx=040C84EC 20:01:03
S<=2D00(0002)Ret=0087ABB5 Ecx=04CEEA2C 20:01:16
S<=450001390021F64A63C859A64E3020040F39808301B8B67ED189FB24B876BFF222A1B670B537CC0D6D08BE7720847BFFBB17659A53675F8736B83DBA89E7(003E)Ret=00592038 Ecx=040C84EC 20:01:36
S<=2D00(0002)Ret=0087ABB5 Ecx=04CEEA2C 20:01:46
每30秒一次,不发,发错,多开,都会导致断线。
把S<=4500的数据包,通过上面的Apex协议的解密算法可以得到:
11 11 00 0100 0000 7573657233322E646C6C00 user32.dll
13 13 00 0200 0000 6B65726E656C33322E646C6C00 kernel32.dll
0A 0A 00 6600 0100 01004E04
0A 0A 00 6700 0100 01004F04
0A 0A 00 6800 0100 01005004
0A 0A 00 6A00 0100 01005204
0A 0A 00 6B00 0100 01005304
0A 0A 00 DE00 0100 0200C604
0A 0A 00 DF00 0100 0200C704
12 12 00 4E04 0000 46696E6457696E646F774100 FindWindowA
10 10 00 4F04 0000 47657457696E646F7700 GetWindow
13 13 00 5004 0000 476574546F7057696E646F7700 GetTopWindow
14 14 00 5204 0000 476574436C6173734E616D654100 GetClassNameA
15 15 00 5304 0000 47657457696E646F774C6F6E674100 GetWindowLongA
13 13 00 C604 0000 4C6F61644C6962726172794100 LoadLibraryA
15 15 00 C704 0000 47657450726F634164647265737300 GetProcAddress
可以看到,乱七八糟的检测了一大堆东西啊。
一个一个的Call去搞定,太累了,而且,关键地方加了vm,还原起来有点累。
写脱机,怎么办?
:一台机器开一个游戏Client,只是开起来,写dll注入进去,主动启动Apex,
然后让dll一直不停的把关于apex通讯部分的协议抓出来,然后发给脱机,
脱机只需要接受数据,并发给Server。
这下,vm,和多开都不重要了。
【最后,打怪的协议分析】
S<=7000 F823FFFF(0006)Ret=00A8DF15 18:47:28
点选怪物
R=>5C01 F823FFFF CB0D6C43 CFBD8242 6A00000000(0013) 18:47:28
怪物坐标
R=>AB01 F823FFFF 0000000000(000B) 18:47:28
-射手
S<=DE00 F823FFFF 00(0007)Ret=00A8DF15 18:47:40
射手物理攻击
S<=DE00 F823FFFF 00(0007)Ret=00A8DF15 18:47:40
10LV以下 射手物理攻击
S<=DD00 F823FFFF 00(0007)Ret=00A8DF15 18:47:40
10LV以上 射手物理攻击
R=>6701 3DCBE60E F823FFFF 80000000 01000000 8E050000(0016) 18:47:40
伤害信息 AtkID DeAtkID Hurt 玩家对怪物伤害
R=>6801 F823FFFF 0001 3DCBE60E(000C) 18:47:41
R=>4501 F823FFFF 0000 040001(000B) 18:47:41
R=>4501 3DCBE60E 0000 04011F(000B) 18:47:41
R=>4F01 F823FFFF 0000 9A000000(000C) 18:47:41
怪物CurHP CurHP
R=>6701 3DCBE60E F823FFFF 8000000001000000FFFFFFFF(0016) 18:47:41
R=>AB01 F823FFFF 00 3DCBE60E(000B) 18:47:41
S<=36000000(0004)Ret=00A8DF15 18:47:41
S<=DE00 F823FFFF00(0007)Ret=00A8DF15 18:47:41
R=>6701 3DCBE60E F823FFFF 96000000 01000000 8E050000(0016) 18:47:41
R=>4F01 F823FFFF 0000 04000000(000C) 18:47:42
R=>6701 3DCBE60E F823FFFF 9600000001000000FFFFFFFF(0016) 18:47:42
R=>4501 F823FFFF 0000140002(000B) 18:47:42
R=>4501 F823FFFF 0000140003(000B) 18:47:42
R=>4F01 F823FFFF 210058020000(000C) 18:47:42
R=>4501 F823FFFF 0000140004(000B) 18:47:42
R=>6701 F823FFFF 3DCBE60E 05000000 01000000FD030000(0016) 18:47:42
伤害信息 AtkID DeAtkID Hurt 怪物对玩家伤害
S<=DE00 F823FFFF00(0007)Ret=00A8DF15 18:47:42
R=>6701 3DCBE60E F823FFFF 93000000010000008D050000(0016) 18:47:42
R=>4F01 3DCBE60E 0000 F8000000(000C) 18:47:42
玩家当前HP CurHP
R=>6701 F823FFFF 3DCBE60E 0500000001000000FFFFFFFF(0016) 18:47:42
R=>4F01 F823FFFF 000000000000(000C) 18:47:43
怪物死亡 CurHP=0
R=>6701 3DCBE60E F823FFFF 9300000005000000FFFFFFFF(0016) 18:47:43
R=>4201 F823FFFF 3DCBE60E00(000B) 18:47:43
S<=1A000000000002(0007)Ret=00A8DF15 18:47:43
战斗结束
S<=700000000000(0006)Ret=00A8DF15 18:47:43
R=>4501 3DCBE60E0000000120(000B) 18:47:43
R=>AB01000000000000000000(000B) 18:47:43
S<=36000000(0004)Ret=00A8DF15 18:47:43
R=>4F01 3DCBE60E 0500 F4000000(000C) 18:47:43
玩家经验
R=>2B01 C803010038(0007) 18:47:43
R=>4F01 3DCBE60E 0200 41000000(000C) 18:47:43
玩家金币
R=>2B01 0E0004003120BBC9(000A) 18:47:43
R=>4F01 3DCBE60E 0000 FD000000(000C) 18:47:45
**********技能攻击-射手***************************************
S<=7000 04DBFFFF(0006)Ret=00A8DF15 19:20:34
点选怪
S<=1E00 A1C4 04DBFFFF(0008)Ret=00A8DF15 19:20:34
技能攻击
R=>5C01 04DBFFFF 65D96F43 08F38042 6A00000000(0013) 19:20:34
怪物坐标
R=>AB01 04DBFFFF0000000000(000B) 19:20:34
R=>5001 A1C4000000000 4DBFFFF 01(000D) 19:20:34
R=>5701 0E000000 04DBFFFF A1C4 07000000 65D96F43 08F38042 00000000 CC03 00000000000000(0025) 19:20:34
S<=DE00 04DBFFFF00(0007)Ret=00A8DF15 19:20:34
R=>6701 3DCBE60E 04DBFFFF 93000000 010000008E050000(0016) 19:20:34
伤害
R=>9F01 3DCBE60E 0100 FBFFFFFF(000C) 19:20:35
R=>6801 04DBFFFF 0001 3DCBE60E(000C) 19:20:35
R=>4F01 04DBFFFF 0000 8E000000(000C) 19:20:35
怪物CurHP
R=>4F01 04DBFFFF 1300 38000000(000C) 19:20:35
R=>4A01 A1C4 04DBFFFF 3DCBE60E 8C0000000100010000(0015) 19:20:35
技能伤害效果
R=>4A01 A1C4 04DBFFFF 3DCBE60E 8C000000 0100010000(0015) 19:20:35
技能ID 怪物ID 自己ID 伤害值
R=>4F01 04DBFFFF 21008C000000(000C) 19:20:35
R=>3C01 04DBFFFF B0C43200000002010000000000010000000000(0019) 19:20:35
R=>4F01 3DCBE60E 2D00 FD020000(000C) 19:20:35
R=>AB01 04DBFFFF 00 3DCBE60E(000B) 19:20:35
S<=36000000(0004)Ret=00A8DF15 19:20:35
R=>4F01 04DBFFFF 000000000000(000C) 19:20:35
怪物CurHP=0
R=>6701 3DCBE60E 04DBFFFF 9300000005000000FFFFFFFF(0016) 19:20:35
R=>4201 04DBFFFF 3DCBE60E00(000B) 19:20:35
R=>4F01 04DBFFFF 2100C8000000(000C) 19:20:35
R=>3B01 04DBFFFF B0C4030000000000000000(0011) 19:20:35
S<=1A000000000002(0007)Ret=00A8DF15 19:20:35
S<=700000000000(0006)Ret=00A8DF15 19:20:35
R=>AB01000000000000000000(000B) 19:20:35
S<=36000000(0004)Ret=00A8DF15 19:20:35
R=>4F01 3DCBE60E 0500 14010000(000C) 19:20:36
R=>2B01 C803010038(0007) 19:20:36
R=>4F01 3DCBE60E 0100 03010000(000C) 19:20:38
玩家当前CurMP
**********技能攻击-力士***************************************
S<=1E00 49C5 5424FDFF(0008)Ret=00875925 Ecx=1A68BFAC
力士技能攻击
S<=D0005424FDFF00(0007)Ret=00875925 Ecx=1A68BFAC
力士物理攻击
**********技能攻击-武者***************************************
S<=1E0051C3C152FDFF(0008)Ret=00875925 Ecx=1A68BF9C
S<=36000000(0004)Ret=00875925 Ecx=1A68BF9C
S<=DE00C152FDFF00(0007)Ret=00875925 Ecx=1A68BF9C
**********技能攻击-法师***************************************
S<=1E00F9C3BD52FCFF(0008)Ret=00875925 Ecx=1324849C
S<=DE00BD52FCFF00(0007)Ret=00875925 Ecx=1324849C
**********技能攻击-阴阳师***************************************
S<=DE0047EAFCFF00(0007)Ret=00875925 Ecx=1A76289C
物理攻击
S<=1E00F1C51260FCFF(0008)Ret=00875925 Ecx=1A76289C
技能攻击
S<=0700 05C6 B7B7F343 4AEA0344(000C)Ret=00875925 Ecx=1A76289C
加血
怪物NPC出现
R=>3901 9992C988 C7C3008320F94321380844F90FC93F000000000500000000000041020A000000FEFFFFFF02000000(002E)
NPC出现
R=>5C01 9992C988 8320F943 21380844 6A00000000(0013)
NPC坐标 498.25 544.87
R=>9D01 9992C988 241F 0E22 07483E00000000(0011)
NPC坐标 498.25 544.875
R=>AB01 9992C988 0000000000(000B)
R=>5C01 9992C988 8320F943 21380844 6A00000000(0013)
NPC坐标
R=>9D01 9992C988 241F 0E22 07483E00000000(0011)
NPC坐标
S<=2100 9992C988(0006)Ret=00875925 Ecx=04E673EC
CallNPC
R=>3901 9992C988 C7C3 00 8320F943 21380844 F90FC93F 000000000500000000 0000 4102 0A000000 FEFFFFFF02000000(002E)
R=>3901 105FFFFF D9D6 00 CE6C4B43 17811D42 E4CB9640 000000400A00000000 0800A5D0B3A5AAE1BAEB 5502 1A010000 00000000 38000000 FFFFFFFF 03000000(003E) 16:59:06
R=>3901 0F97FFFF D9D6 00 8A344E43 A7FFEA41 E43C8240 000000400A00000000 0800A5D0B3A5AAE1BAEB 5502 1A010000 00000000 38000000 FFFFFFFF03000000(003E) 16:59:07
R=>3901 E4A4FEFF D9D6 00 79584B43 51D46742 AE7C9F40 000000400A00000000 0800A5D0B3A5AAE1BAEB 5502 1A010000 00000000 38000000 FFFFFFFF03000000(003E) 16:59:10
R=>3901 0F97FFFF D9D6 00 58244D43 AD0EEC41 A8173F40 000000400A00000000 0800A5D0B3A5AAE1BAEB 5502 1A010000 00000000 38000000 FFFFFFFF03000000(003E) 16:59:15
R=>3901 E4A4FEFF D9D6 00 C5904B43 BBDF6142 8086A140 000000400A00000000 0800A5D0B3A5AAE1BAEB 5502 1A010000 00000000 38000000 FFFFFFFF03000000(003E) 16:59:20
R=>3901 0F97FFFF D9D6 00 F5034E43 A67FEC41 72FF6D40 000000400A00000000 0800A5D0B3A5AAE1BAEB 5502 1A010000 00000000 38000000 FFFFFFFF03000000(003E) 16:59:21
R=>3901 1183FFFF E2D6 00 29944B43 68239C42 9F1B9140 000000400A00000000 1000B941A5D0AF7DC361AACCA144A4D7A4D7 5502 CA080000 00000000 C2010000 FFFFFFFF03000000(0046) 16:59:22
R=>3901 E4A4FEFF D9D6 00 3D5E4B43 85CF6442 FAD97140 000000400A00000000 0800A5D0B3A5AAE1BAEB 5502 1A010000 00000000 38000000 FFFFFFFF03000000(003E) 16:59:27
R=>3901 0F97FFFF D9D6 00 B3055043 9CE9EA41 93E97D40 000000400A00000000 0800A5D0B3A5AAE1BAEB 5502 1A010000 00000000 38000000 FFFFFFFF03000000(003E) 16:59:41
ID X Y Z Name HP MP
R=>3901 7D14FDFF E6D6 00 CC92B643 4796E443 E4CB9640 000000400A00000000 0000 5502 CA1E00000000000028060000FFFFFFFF03000000(0036)
Boss 可以攻击
R=>3901 61C5FFFF E8D6 04 1596E843 2CDFD343 DE8EFA3F 000048410A00001400 0000 5702 A23A00008458000000000000B4110000FFFFFFFF03000000(003A)
R=>3901 99B5FEFF E8D6 00 69D6E043 C3EED143 3905AB40 000000400A00000000 0A00C2CEB34DB950A661C37E 5502 8458000000000000B4110000FFFFFFFF07000000(0040)
boss_NPC 任务Boss 可以攻击
R=>3901 C4FBFFFF FCDE AB 90A3E543 3360D643 2055AD40 0000C0400A00001400 0000 5502 B3110000000000008A030000FFFFFFFF 02000000(0036)
R=>3901 C3FBFFFF FCDE 67 EF4FE543 D0F8D543 320CA940 0000C0400A00001400 0000 5502 B3110000000000008A030000FFFFFFFF02000000(0036)
R=>3901 BCFBFFFF FCDE 8B 67FDE443 1273D243 D2BE8A40 0000C0400A00001400 0000 5502 B3110000000000008A030000FFFFFFFF02000000(0036)
R=>3901 BEFBFFFF FCDE 04 89D1E443 DBFFD243 14848F40 0000C0400A00001400 0000 5502 B3110000000000008A030000FFFFFFFF02000000(0036)
NPC 任务怪物,不可攻击
R=>3901 4E9DFCFF 45D8 00 D2924243 90D9C343 D58B7240 000000400A00000000 0000 5502 97200000 0000000085060000FFFFFFFF03000000(0036)
普通怪物 可以攻击