0AA75D8 | 84C0 | test al, al |
00AA75DA | 0F85 D7010000 | jnz 00AA77B7 |
00AA75E0 | 8B06 | mov eax, dword ptr [esi] |
00AA75E2 | 8B50 38 | mov edx, dword ptr [eax+38] |
00AA75E5 | 8BCE | mov ecx, esi |
00AA75E7 | FFD2 | call near edx |
00AA75E9 | 84C0 | test al, al |
00AA75EB | 74 04 | je 00AA75F1 |
00AA75ED | C645 0C 00 | mov byte ptr [ebp+C], 0 |
00AA75F1 | 6A FF | push -1 |
00AA75F3 | 56 | push esi |
00AA75F4 | 8BCF | mov ecx, edi |
00AA75F6 | E8 35AA0B00 | call 00B62030 |
00AA75FB | 8BD8 | mov ebx, eax |
00AA75FD | 8B06 | mov eax, dword ptr [esi] |
00AA75FF | 8B50 38 | mov edx, dword ptr [eax+38] |
00AA7602 | 8BCE | mov ecx, esi |
00AA7604 | 895D E4 | mov dword ptr [ebp-1C], ebx |
00AA7607 | FFD2 | call near edx |
00AA7609 | 84C0 | test al, al |
00AA760B | 75 73 | jnz 00AA7680 |
00AA760D | 85DB | test ebx, ebx |
00AA760F | 74 6F | je 00AA7680 |
00AA7611 | 8B45 08 | mov eax, dword ptr [ebp+8] |
00AA7614 | 50 | push eax |
00AA7615 | 8BCE | mov ecx, esi |
00AA7617 | E8 14CEFEFF | call 00A94430 |
00AA761C | 3BC3 | cmp eax, ebx |
00AA761E | 7C 60 | jl 00AA7680 |
00AA7620 | 807D 0C 00 | cmp byte ptr [ebp+C], 0 |
00AA7624 | 74 56 | je 00AA767C |
00AA7626 | 8B16 | mov edx, dword ptr [esi] |
00AA7628 | 8B42 38 | mov eax, dword ptr [edx+38] |
00AA762B | 8BCE | mov ecx, esi |
00AA762D | FFD0 | call near eax |
00AA762F | 84C0 | test al, al |
00AA7631 | 75 2D | jnz 00AA7660 |
00AA7633 | 6A 00 | push 0 |
00AA7635 | 6A 00 | push 0 |
00AA7637 | 6A 00 | push 0 |
00AA7639 | 6A 11 | push 11 |
00AA763B | 68 E6C89BFF | push FF9BC8E6 |
00AA7640 | 68 0D0E0000 | push E0D |
00AA7645 | E8 2644A400 | call 014EBA70 |
00AA764A | 8B0D 7456E601 | mov ecx, dword ptr [1E65674] |
00AA7650 | 83C4 04 | add esp, 4 |
00AA7653 | 50 | push eax |
00AA7654 | E8 07FDEAFF | call 00957360 |
00AA7659 | 8BC8 | mov ecx, eax |
00AA765B | E8 B0DD1200 | call 00BD5410 |
00AA7660 | 6A 00 | push 0 |
00AA7662 | 6A 00 | push 0 |
00AA7664 | 6A FF | push -1 |
00AA7666 | 68 48D79301 | push 193D748 |
00AA766B | E8 402B9900 | call 0143A1B0 |
00AA7670 | 83C4 04 | add esp, 4 |
00AA7673 | 50 | push eax |
00AA7674 | E8 07E3ECFF | call 00975980 |
00AA7679 | 83C4 10 | add esp, 10 |
00AA767C | C645 F3 00 | mov byte ptr [ebp-D], 0 |
00AA7680 | 8BCF | mov ecx, edi |
00AA7682 | E8 E2A3C301 | call 026E1A69 |
[COLOR="Red"]00AA7687 | 84C0 | test al, al |
00AA7689 | 0F84 90000000 | je 00AA771F | 技能无cd [/COLOR]
00AA768F | 8BCF | mov ecx, edi |
00AA7691 | E8 8A7A0B00 | call 00B5F120 |
00AA7696 | 84C0 | test al, al |
00AA7698 | 74 19 | je 00AA76B3 |
00AA769A | 8BCF | mov ecx, edi |
00AA769C | E8 8FA46300 | call 010E1B30 |
00AA76A1 | 8BC8 | mov ecx, eax |
00AA76A3 | E8 E87D0B00 | call 00B5F490 |
00AA76A8 | 83F8 01 | cmp eax, 1 |
00AA76AB | 7E 06 | jle 00AA76B3 |
我只知道上面汇编,红色字部分test al,al
| je 00AA771F
test al,al al=0的时候实现跳转,跳转会无cd,也就是放技能没冷却,就可以放,但是这段代码好像有crc检测,无论改哪点就会被检测到,但是我发现
00AA7680 | 8BCF | mov ecx, edi |
00AA7682 | E8 E2A3C301 | call 026E1A69 |
00AA7687 | 84C0 | test al, al |
00AA7689 | 0F84 90000000 | je 00AA771F | 技能无cd
这三句中call 026e1a69中,改里面的代码,就不会检测到,所以我的想法就是,在这个call里面改它的返回值, 也是mov eax,0
retn
我直接在这个call里面返回,游戏挂掉,但是我又找不到这个call是在哪里返回的,求大师分析一下
我把这个call贴出来,有空的帮忙看下
call 026E1A6A
026E1A6A | 8B2C24 | mov ebp, dword ptr [esp] |
026E1A6D | 55 | push ebp |
026E1A6E | 8B2C24 | mov ebp, dword ptr [esp] |
026E1A71 | 89AC24 04000000 | mov dword ptr [esp+4], ebp |
026E1A78 | 5D | pop ebp |
026E1A79 | 8BEC | mov ebp, esp |
026E1A7B | 83EC 08 | sub esp, 8 |
026E1A7E | 53 | push ebx |
026E1A7F | 8B1C24 | mov ebx, dword ptr [esp] |
026E1A82 | 53 | push ebx |
026E1A83 | 8B1C24 | mov ebx, dword ptr [esp] |
026E1A86 | 899C24 04000000 | mov dword ptr [esp+4], ebx |
026E1A8D | 56 | push esi |
026E1A8E | 8BB424 04000000 | mov esi, dword ptr [esp+4] |
026E1A95 | 56 | push esi |
026E1A96 | 8BB424 04000000 | mov esi, dword ptr [esp+4] |
026E1A9D | E9 17180000 | jmp 026E32B9 |
026E1AA2 | 71 8D | jno 026E1A31 |
026E1AA4 | 64:24 04 | and al, 4 | Superfluous prefix.
026E1AA7 | 81C1 F77F9154 | add ecx, 54917FF7 |
026E1AAD | 8DA424 FCFFFFFF | lea esp, dword ptr [esp-4] |
026E1AB4 | 890C24 | mov dword ptr [esp], ecx |
026E1AB7 | 52 | push edx |
026E1AB8 | 8B9424 04000000 | mov edx, dword ptr [esp+4] |
026E1ABF | E8 15B30100 | call 026FCDD9 |
026E1AC4 | 72 59 | jb 026E1B1F |
026E1AC6 | 59 | pop ecx |
026E1AC7 | 8F0424 | pop dword ptr [esp] |
026E1ACA | 50 | push eax |
026E1ACB | 8B8424 08000000 | mov eax, dword ptr [esp+8] |
026E1AD2 | 890424 | mov dword ptr [esp], eax |
026E1AD5 | 8B0424 | mov eax, dword ptr [esp] |
026E1AD8 | 898424 0C000000 | mov dword ptr [esp+C], eax |
026E1ADF | 58 | pop eax |
026E1AE0 | 5A | pop edx |
026E1AE1 | 9C | pushfd |
026E1AE2 | 50 | push eax |
026E1AE3 | 8B8424 08000000 | mov eax, dword ptr [esp+8] |
026E1AEA | 890424 | mov dword ptr [esp], eax |
026E1AED | 51 | push ecx |
026E1AEE | E8 01000000 | call 026E1AF4 |
026E1AF3 | E3 59 | jecxz 026E1B4E |
026E1AF5 | 8D89 71520200 | lea ecx, dword ptr [ecx+25271] |
026E1AFB | FFE1 | jmp near ecx |
026E1AFD | 72 68 | jb 026E1B67 |
--
026E1B00 | 77 22 | ja 026E1B24 |
026E1B02 | EA 51525350 56E9 | jmp far E956:50535251 |
026E1B09 | BC CD0100E9 | mov esp, E90001CD |
026E1B0E | 66:F7D0 | not ax |
026E1B11 | 66:C1C8 07 | ror ax, 7 |
026E1B15 | 66:C1C0 03 | rol ax, 3 |
026E1B19 | 66:C1C0 07 | rol ax, 7 |
026E1B1D | E8 04FC3BFE | call 00AA1726 |
026E1B22 | E3 57 | jecxz 026E1B7B |
026E1B24 | E9 D08BFDFF | jmp 026BA6F9 |
026E1B29 | 77 03 | ja 026E1B2E |
026E1B2B | 07 | pop es | Modification of segment register.
026E1B2C | 81C0 20CF5342 | add eax, 4253CF20 |
026E1B32 | 8DA424 FCFFFFFF | lea esp, dword ptr [esp-4] |
026E1B39 | 890424 | mov dword ptr [esp], eax |
026E1B3C | 56 | push esi |
026E1B3D | 8BB424 04000000 | mov esi, dword ptr [esp+4] |
026E1B44 | 8DA424 FCFFFFFF | lea esp, dword ptr [esp-4] |
026E1B4B | 9C | pushfd |
026E1B4C | 68 B0713F25 | push 253F71B0 |
026E1B51 | 56 | push esi |
026E1B52 | 8BB424 10000000 | mov esi, dword ptr [esp+10] |
026E1B59 | C2 1400 | retn 14 |
[课程]Android-CTF解题方法汇总!
