用的网狐的端,都是这个框架,某些平台某些鱼如果服务端设定的爆率高,你就爽翻天了,你懂得
花了2天搞的东西,
技术研究不要干坏事
////////////分析记录
//捕鱼
; 04BE1B70 — blocking send loop (fragment: the function continues past 04BE1BE0,
; and the branch targets 04BE1BE7 / 04BE1BF1 are outside this listing).
; Called with ecx = object (see 04BE2225 and 04BE22DB), [esp+0x14] = buffer,
; [esp+0x18] = byte count.  Register roles: edi = object, ebp = buffer,
; ebx = total length, esi = bytes sent so far, [edi+0x5C] = socket passed to send().
04BE1B6F CC int3
04BE1B70 53 push ebx ; save callee-saved ebx/ebp/esi/edi
04BE1B71 55 push ebp
04BE1B72 56 push esi
04BE1B73 57 push edi
04BE1B74 8BF9 mov edi, ecx ; edi = object
04BE1B76 33F6 xor esi, esi ; esi = 0 bytes sent
04BE1B78 FF15 0C40BE04 call dword ptr [<&KERNEL32.GetTickCount>] ; kernel32.GetTickCount
04BE1B7E 8B5C24 18 mov ebx, dword ptr [esp+0x18] ; ebx = total byte count (2nd stack arg)
04BE1B82 8BC8 mov ecx, eax ; ecx = tick count in ms
04BE1B84 B8 D34D6210 mov eax, 0x10624DD3 ; 0x10624DD3 = ceil(2^38 / 1000): mul + shr 6 below is an unsigned divide by 1000
04BE1B89 F7E1 mul ecx ; edx:eax = ticks * 0x10624DD3
04BE1B8B 8A87 EC400100 mov al, byte ptr [edi+0x140EC] ; al = flag byte; non-zero leaves the loop (re-read after every send)
04BE1B91 C1EA 06 shr edx, 0x6 ; edx = ticks / 1000 (seconds)
04BE1B94 84C0 test al, al
04BE1B96 8997 08410100 mov dword ptr [edi+0x14108], edx ; store the seconds value (presumably a last-send timestamp); mov keeps the flags from test
04BE1B9C 75 49 jnz short 04BE1BE7 ; flag set: exit path (not in listing)
04BE1B9E 8B6C24 14 mov ebp, dword ptr [esp+0x14] ; ebp = buffer (1st stack arg)
04BE1BA2 66:3BF3 cmp si, bx ; NOTE: only the low 16 bits of sent/total are compared
04BE1BA5 73 2C jnb short 04BE1BD3 ; sent >= total: decide whether we are done
04BE1BA7 0FB7C6 movzx eax, si
04BE1BAA 0FB7D3 movzx edx, bx
04BE1BAD 6A 00 push 0x0 ; flags = 0
04BE1BAF 2BD0 sub edx, eax ; remaining = total - sent
04BE1BB1 52 push edx ; len
04BE1BB2 03C5 add eax, ebp ; buffer + sent
04BE1BB4 50 push eax ; buf
04BE1BB5 8B47 5C mov eax, dword ptr [edi+0x5C] ; socket handle kept in the object
04BE1BB8 50 push eax ; s
04BE1BB9 FF15 F041BE04 call dword ptr [<&WS2_32.#send_19>] ; send ; send(s, buffer + sent, total - sent, 0)
04BE1BBF 83F8 FF cmp eax, -0x1 ; SOCKET_ERROR?
04BE1BC2 74 2D je short 04BE1BF1 ; error path (not in listing)
04BE1BC4 03F0 add esi, eax ; sent += bytes actually written; a short send is retried by the loop
04BE1BC6 8A87 EC400100 mov al, byte ptr [edi+0x140EC] ; re-read the flag
04BE1BCC 84C0 test al, al
04BE1BCE ^ 74 D2 je short 04BE1BA2 ; flag still clear: keep sending
04BE1BD0 66:3BF3 cmp si, bx
04BE1BD3 76 12 jbe short 04BE1BE7 ; reached with sent >= total, so sent == total means done
04BE1BD5 8BC3 mov eax, ebx
04BE1BD7 0FB7CE movzx ecx, si
04BE1BDA 2BC6 sub eax, esi ; eax = total - sent (32-bit here, unlike the 16-bit compare above)
04BE1BDC 03CD add ecx, ebp ; ecx = buffer + sent
04BE1BDE 50 push eax
04BE1BDF 51 push ecx
04BE1BE0 8BCF mov ecx, edi ; arguments staged for a call at 04BE1BE2, cut off here
//上层sendbuf
; Fragment of the function that returns at 04BE21ED and 04BE223F (its entry and
; the 0x2004-byte frame setup are before this listing).  Both exits call
; 04BE2DF1 with ecx = a value saved in the frame and then drop the frame; in
; 04BE2240 the same callee is handed the value loaded from [0x4BE6060] on entry,
; which matches MSVC's __security_check_cookie pattern (cookie in ecx).
; The path at 04BE21EE builds an 8-byte header-only message from two 16-bit
; stack args, encodes it with 04BE16E0 and sends it with 04BE1B70.
04BE21E2 E8 0A0C0000 call 04BE2DF1 ; cookie check
04BE21E7 81C4 04200000 add esp, 0x2004
04BE21ED C3 retn
04BE21EE 66:8B8C24 10200>mov cx, word ptr [esp+0x2010] ; 3rd stack arg (16-bit)
04BE21F6 66:8B9424 0C200>mov dx, word ptr [esp+0x200C] ; 2nd stack arg (16-bit)
04BE21FE 56 push esi
04BE21FF 68 00200000 push 0x2000 ; capacity of the local buffer
04BE2204 8D70 AC lea esi, dword ptr [eax-0x54] ; esi = sub-object at -0x54 (same as 04BE22C0); eax presumably still holds the 1st arg
04BE2207 6A 08 push 0x8 ; message length: header only, no payload
04BE2209 8D4424 0C lea eax, dword ptr [esp+0xC] ; eax = local buffer (the slot just above the saved esi)
04BE220D 66:894C24 12 mov word ptr [esp+0x12], cx ; buffer+6 = 3rd arg
04BE2212 50 push eax
04BE2213 8BCE mov ecx, esi
04BE2215 66:895424 14 mov word ptr [esp+0x14], dx ; buffer+4 = 2nd arg
04BE221A E8 C1F4FFFF call 04BE16E0 ; encode(buffer, 8, 0x2000); callee pops its args, encoded size comes back in eax
04BE221F 8D4C24 04 lea ecx, dword ptr [esp+0x4] ; ecx = buffer again
04BE2223 50 push eax ; size
04BE2224 51 push ecx ; buffer
04BE2225 8BCE mov ecx, esi
04BE2227 E8 44F9FFFF call 04BE1B70 ; send loop
04BE222C 8B8C24 04200000 mov ecx, dword ptr [esp+0x2004] ; saved cookie
04BE2233 5E pop esi
04BE2234 E8 B80B0000 call 04BE2DF1 ; cookie check
04BE2239 81C4 04200000 add esp, 0x2004
04BE223F C3 retn
; 04BE2240 — build one message in a 0x2000-byte stack buffer and send it:
; 4-byte header (filled in by the encoder) + two 16-bit words + payload.
; Stack args: [ebp+0x8] = connection object, [ebp+0xC] and [ebp+0x10] = the two
; header words, [ebp+0x14] = payload pointer, [ebp+0x18] = payload length.
; Returns eax = 0 when the socket is invalid, the state byte is not 2, or the
; payload is longer than 0x1FF0; otherwise returns whatever 04BE1B70 leaves in eax.
; Frame: stack probe for 0x200C bytes, then a cookie copied from [0x4BE6060]
; above the buffer and re-checked by 04BE2DF1 before every return.
04BE2240 55 push ebp
04BE2241 8BEC mov ebp, esp
04BE2243 83E4 F8 and esp, -0x8 ; 8-byte align the frame
04BE2246 B8 0C200000 mov eax, 0x200C ; frame size
04BE224B E8 B00B0000 call 04BE2E00 ; stack probe with size in eax (MSVC __chkstk pattern)
04BE2250 A1 6060BE04 mov eax, dword ptr [0x4BE6060] ; global cookie value
04BE2255 8B55 08 mov edx, dword ptr [ebp+0x8] ; edx = connection object
04BE2258 53 push ebx
04BE2259 898424 0C200000 mov dword ptr [esp+0x200C], eax ; cookie stored above the buffer
04BE2260 837A 08 FF cmp dword ptr [edx+0x8], -0x1 ; [edx+8] is the socket 04BE1B70 reads as [(edx-0x54)+0x5C]; -1 = INVALID_SOCKET
04BE2264 56 push esi
04BE2265 57 push edi
04BE2266 74 0F je short 04BE2277 ; no socket: fail
04BE2268 807A 06 02 cmp byte ptr [edx+0x6], 0x2 ; state byte must be 2 (meaning not visible here)
04BE226C 75 09 jnz short 04BE2277
04BE226E 8B45 18 mov eax, dword ptr [ebp+0x18] ; payload length
04BE2271 66:3D F01F cmp ax, 0x1FF0 ; bounds check: low 16 bits <= 0x1FF0, so length + 8 stays inside the 0x2000 buffer
04BE2275 76 15 jbe short 04BE228C
04BE2277 33C0 xor eax, eax ; failure: return 0
04BE2279 8B8C24 14200000 mov ecx, dword ptr [esp+0x2014] ; saved cookie
04BE2280 E8 6C0B0000 call 04BE2DF1 ; cookie check (ecx = cookie)
04BE2285 5F pop edi
04BE2286 5E pop esi
04BE2287 5B pop ebx
04BE2288 8BE5 mov esp, ebp
04BE228A 5D pop ebp
04BE228B C3 retn
04BE228C 66:85C0 test ax, ax ; zero-length payload?  the movs below keep the flags for the jbe
04BE228F 66:8B4D 0C mov cx, word ptr [ebp+0xC]
04BE2293 66:894C24 14 mov word ptr [esp+0x14], cx ; buffer+4 = 2nd arg
04BE2298 66:8B4D 10 mov cx, word ptr [ebp+0x10]
04BE229C 66:894C24 16 mov word ptr [esp+0x16], cx ; buffer+6 = 3rd arg
04BE22A1 76 18 jbe short 04BE22BB ; nothing to copy
04BE22A3 8B75 14 mov esi, dword ptr [ebp+0x14] ; esi = payload
04BE22A6 0FB7C8 movzx ecx, ax ; copy length (16-bit)
04BE22A9 8BD9 mov ebx, ecx
04BE22AB C1E9 02 shr ecx, 0x2 ; dword count
04BE22AE 8D7C24 18 lea edi, dword ptr [esp+0x18] ; edi = buffer+8, right after the header
04BE22B2 F3:A5 rep movs dword ptr es:[edi], dword ptr [esi] ; inlined memcpy: whole dwords ...
04BE22B4 8BCB mov ecx, ebx
04BE22B6 83E1 03 and ecx, 0x3
04BE22B9 F3:A4 rep movs byte ptr es:[edi], byte ptr [esi] ; ... then the remaining 0-3 bytes
04BE22BB 68 00200000 push 0x2000 ; buffer capacity
04BE22C0 8D72 AC lea esi, dword ptr [edx-0x54] ; esi = sub-object used as 'this' by the encoder and the send loop
04BE22C3 83C0 08 add eax, 0x8 ; total = payload length + 8-byte header
; NOTE(review): the check and the copy used ax (low 16 bits) but this size is the
; full 32-bit [ebp+0x18]; consistent only if callers pass a zero-extended 16-bit
; length — confirm at the call sites (not in this listing).
04BE22C6 50 push eax ; size
04BE22C7 8D5424 18 lea edx, dword ptr [esp+0x18]
04BE22CB 52 push edx ; preBuff: the first 4 bytes are the header, filled in internally
04BE22CC 8BCE mov ecx, esi
04BE22CE E8 0DF4FFFF call 04BE16E0 ; EncodeCall, encrypts internally; returns the encoded size in eax; callee pops its args
04BE22D3 8BCE mov ecx, esi
04BE22D5 50 push eax ; size
04BE22D6 8D4424 14 lea eax, dword ptr [esp+0x14]
04BE22DA 50 push eax ; Encodebuf
04BE22DB E8 90F8FFFF call 04BE1B70 ; send loop (04BE1B70)
04BE22E0 8B8C24 14200000 mov ecx, dword ptr [esp+0x2014] ; saved cookie
04BE22E7 E8 050B0000 call 04BE2DF1 ; cookie check
04BE22EC 5F pop edi
04BE22ED 5E pop esi
04BE22EE 5B pop ebx
04BE22EF 8BE5 mov esp, ebp
04BE22F1 5D pop ebp
04BE22F2 C3 retn
04BE22F3 CC int3 ; padding
B9 F9 FF 76
64 00 92 01 2A 00 00 00 19 00 00 00
19 FC 18 00
0C F9 1E 41
64 00 92 01 54 00 00 00 19 00 00 00 .
19 FC 18 00
5E 9E 2B 41
64 00 92 01 DB 00 00 00 19 00 00 00
19 FC 18 00
CC 3C 26 41
64 00 92 01 04 01 00 00 19 00 00 00
19 FC 18 00
1B 72 25 41
64 00 92 01 08 01 00 00 19 00 00 00
19 FC 18 00
AD F3 27 41
明文包
//0x12
head:4byte
64 00 92 01 C7 01 00 00 19 00 00 00
19 FC 18 00
94 C3 25 41
//0x48
head:4byte
64 00 97 01 00 00 0F 00 02 00 00 00
C7 01 00 00 19 00 00 00 6C 0F 00 00
6C 0F 00 00 52 0D 00 00 00 00 00 00
00 00 00 00 00 00 00 00 02 00 00 00
02 00 00 00 07 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00
64 00 92 01 01 00 00 00 19 00 00 00 郭vd.?......
0018DB20 19 FC 18 00 DE 69 EA 40 92 8E 01 77 58 0E 84 03 ?.辤闌拵wX?
0018DB30 B0 0D 84 03 03 01 00 00 58 0E 84 03 AC DB 18 00 ??..X?.
0018DB40 FA 1E 0F 72 2A 43 0E 72 1F 48 4D 42 C8 4E EE 02 ?r*CrHMB萅?
0018DB50 08 4D 04 M
64 00 92 01 0B 00 00 00 32 00 00 00 ?.wd.?...2...
0018DB20 32 FC 18 00 8F 0E E5 40 00 00 00 00 B0 0D 84 03 2?.?錊....??
0018DB30 B0 0D 84 03 03 01 00 00 58 0E 84 03 AC DB 18 ??..X?.
64 00 97 01 03 00 21 7C 04 00 00 00 fOH.d.?.!|...
00186758 0B 00 00 00 32 00 00 00 15 01 00 00 2B 01 00 00 ...2.....+..
00186768 15 01 00 00 2B 01 00 00 00 00 00 00 00 00 00 00 ..+..........
00186778 06 00 00 00 06 00 00 00 06 00 00 00 06 00 00 00 ............
00186788 00 00 00 00 00 00 00 00 02 00 00 02 28 63 30 08 ..........(c0
00186798 5A 00 00 5A 39 00 32 00 30 00 39 00 00 00 00 00 Z..Z9.2.0.9.....
001867A8 80 00 00 00 35 00 32 00 F3 98 00 6B F8 12 AC 05 €...5.2.髽.k??
64 00 92 01 17 00 00 00 19 00 00 00 郭vd.?......
0018DB20 19 FC 18 00 E4 CB 96 40 92 8E 01 77 58 0E 84 03 ?.渌朄拵wX?
0018DB30 B0 0D 84 03 03 01 00 00 58 0E 84 03 AC DB 18 00 ??..X?.
0018DB40 FA 1E 0F 72 2A 43 0E 72 1F 48 4D 42 C8 4E EE 02 ?r*CrHMB萅?
//
66 0B 18 00
5A CA 6E 4D 1E 97 4D 6B 41 CE 8A 80
16 5F DB 44 4B 95 ED AB 00 00 00 00
//
66 F2 18 00
43 95 35 07 2E F8 1D 1E 9E 42 D8 1D
09 75 E8 C0 F2 6F 1C E9 92 8E 01 77
//上分
66 33 0C 00
9A 95 59 C8 E9 68 4E 42
66 33 0C 00
D6 F5 AE AA CA B7 3E BC
66 33 0C 00
9A 32 E6 A8 1D A3 E0 43
66 33 0C 00
32 47 AF 0A 2A 88 08 ED
0018DB10 F6 1A 00 77 64 00 97 01 03 00 02 88 02 00 00 00 ?.wd.?.?...
0018DB20 E6 01 00 00 E1 00 00 00 54 0C 00 00 54 0C 00 00 ?..?..T...T...
0018DB30 16 0B 00 00 75 09 00 00 76 09 00 00 00 00 00 00 ..u...v.......
0018DB40 01 00 00 00 01 00 00 00 02 00 00 00 11 00 00 00 ............
0018DB50 11 00 00 00 00 00 00 00 E4 DB 18 00 01 00 00 00 .......溘....
0018DB10 F6 1A 00 77 64 00 97 01 03 00 02 88 02 00 00 00 ?.wd.?.?...
0018DB20 C6 05 00 00 E1 00 00 00 BE 11 00 00 BE 11 00 00 ?..?..?..?..
0018DB30 C9 10 00 00 BE 10 00 00 C6 10 00 00 00 00 00 00 ?..?..?......
0018DB40 01 00 00 00 01 00 00 00 0E 00 00 00 0E 00 00 00 ............
0018DB50 0E 00 00 00 00 00 00 00 E4 DB 18 00 01 00 00 00 .......溘....
00186748 66 91 18 00 64 00 97 01 03 00 21 7C 02 00 00 00 f?.d.?.!|...
00186758 C7 05 00 00 E1 00 00 00 BE 11 00 00 BE 11 00 00 ?..?..?..?..
00186768 2A 11 00 00 BE 0F 00 00 C1 0F 00 00 00 00 00 00 *..?..?......
00186778 02 00 00 00 02 00 00 00 01 00 00 00 0F 00 00 00 ............
00186788 0F 00 00 00 00 00 00 00 02 00 00 02 28 63 30 08 .........(c0
00186798 5A 00 00 5A 39 00 32 00 30 00 39 00 00 00 00 00 Z..Z9.2.0.9.....
001867A8 80 00 00 00 €...
0018A720 00 00 00 00 64 00 97 01 03 00 00 00 02 00 00 00 ....d.?......
0018A730 C1 05 00 00 E1 00 00 00 BA 11 00 00 BA 11 00 00 ?..?..?..?..
0018A740 3F 11 00 00 BC 10 00 00 4E 10 00 00 00 00 00 00 ?..?..N......
0018A750 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ............
0018A760 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
0018A770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018A720 00 00 00 00 64 00 97 01 03 00 0E 00 05 00 00 00 ....d.?.....
0018A730 FA 08 00 00 E1 00 00 00 08 18 00 00 09 18 00 00 ?..?.......
0018A740 0A 18 00 00 0B 18 00 00 0C 18 00 00 00 00 00 00 ............
0018A750 3C 00 00 00 3C 00 00 00 3C 00 00 00 3C 00 00 00 <...<...<...<...
0018A760 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <...............
0018A770 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00186748 66 9E 48 00 64 00 97 01 03 00 0E 00 05 00 00 00 f濰.d.?.....
00186758 F4 08 00 00 E1 00 00 00 90 17 00 00 91 17 00 00 ?..?..?..?..
00186768 92 17 00 00 93 17 00 00 94 17 00 00 00 00 00 00 ?..?..?......
00186778 3C 00 00 00 3C 00 00 00 3C 00 00 00 3C 00 00 00 <...<...<...<...
00186788 3C 00 00 00 00 00 00 00 02 00 00 02 28 63 30 08 <.........(c0
00186798 5A 00 00 5A 39 00 32 00 30 00 39 00 00 00 00 00 Z..Z9.2.0.9.....
//jcby.exe--->平台通讯
; 00406AC0 — tail of the function entered at 00406AB0 (this page lists that
; range a second time further down).  Here edi = this, [esp+1C] = arg1 (pointer
; to an 8-byte pair, freed below), [esp+20] = arg2 (only its low byte is used).
; Builds a 16-byte local message and calls SendData(192, &msg, 10), then deletes
; arg1 and returns 0 (retn 8: two stack args).
00406AC0 56 push esi
00406AC1 8D8F 24320000 lea ecx, dword ptr [edi+3224] ; ecx = this+0x3224
00406AC7 E8 443A0000 call 0040A510 ; leaves a value in st(0)
00406ACC D95C24 14 fstp dword ptr [esp+14] ; msg+0xC = that value
00406AD0 8A4424 20 mov al, byte ptr [esp+20] ; low byte of arg2
00406AD4 8B7424 1C mov esi, dword ptr [esp+1C] ; esi = arg1
00406AD8 8B0E mov ecx, dword ptr [esi]
00406ADA 8B56 04 mov edx, dword ptr [esi+4]
00406ADD 884424 10 mov byte ptr [esp+10], al ; msg+8 = arg2 byte; msg+9..+0xB are not written in this listing
00406AE1 6A 10 push 10 ; message length 0x10
00406AE3 8D4424 0C lea eax, dword ptr [esp+C] ; eax = msg
00406AE7 50 push eax
00406AE8 894C24 10 mov dword ptr [esp+10], ecx ; msg+0 = [arg1]
00406AEC 68 92010000 push 192 ; message id 0x192
00406AF1 8BCF mov ecx, edi
00406AF3 895424 18 mov dword ptr [esp+18], edx ; msg+4 = [arg1+4]
00406AF7 FF15 D0104600 call dword ptr [<&GameFrame.CGameFram>; GameFram.CGameFrameDlg::SendData
00406AFD 56 push esi
00406AFE E8 F32A0100 call <jmp.&MFC71.#operator delete_764> ; free arg1
00406B03 83C4 04 add esp, 4 ; cdecl cleanup of the delete argument
00406B06 5E pop esi
00406B07 33C0 xor eax, eax ; return 0
00406B09 5F pop edi
00406B0A 83C4 10 add esp, 10
00406B0D C2 0800 retn 8
; 00406B10 — thiscall with two stack args (retn 8).  After sub esp,40 and the
; two pushes: [esp+4C] = arg1 (must be 0), [esp+50] = arg2 = pointer to an
; object of at least 0x40 bytes.  Returns 0 without sending — and without
; freeing arg2 — when arg1 != 0, arg2 == NULL or IsLookonMode() returns 1.
; Otherwise builds a 0x40-byte local message from *arg2 (word at +0, dwords
; +4..+0x3C), calls SendData(197, &msg, 40), frees arg2 with operator delete
; and returns 0.  Register roles: ebx = this, esi = arg2, edi = rep stos cursor.
00406B10 8B4424 04 mov eax, dword ptr [esp+4] ; arg1
00406B14 83EC 40 sub esp, 40 ; 0x40-byte local message
00406B17 85C0 test eax, eax
00406B19 53 push ebx
00406B1A 56 push esi
00406B1B 8BD9 mov ebx, ecx ; ebx = this
00406B1D 0F85 BB000000 jnz 00406BDE ; arg1 != 0: return 0 (arg2 is not deleted on this path)
00406B23 8B7424 50 mov esi, dword ptr [esp+50] ; esi = arg2
00406B27 85F6 test esi, esi
00406B29 0F84 AF000000 je 00406BDE ; NULL: return 0
00406B2F FF15 CC104600 call dword ptr [<&GameFrame.CGameFram>; GameFram.CGameFrameDlg::IsLookonMode
00406B35 3C 01 cmp al, 1
00406B37 0F84 A1000000 je 00406BDE ; look-on mode: nothing is sent, arg2 left allocated
00406B3D 33C0 xor eax, eax
00406B3F 57 push edi
00406B40 B9 0F000000 mov ecx, 0F ; 0xF dwords = 0x3C bytes
00406B45 8D7C24 10 lea edi, dword ptr [esp+10] ; msg+4 (the message starts at [esp+C])
00406B49 F3:AB rep stos dword ptr es:[edi] ; zero msg+4..msg+0x40; msg+0..+3 are NOT zeroed
00406B4B 8D46 28 lea eax, dword ptr [esi+28] ; copy [esi+0x28..0x3C] -> msg+0x28..0x3C
00406B4E 8B08 mov ecx, dword ptr [eax]
00406B50 8B50 04 mov edx, dword ptr [eax+4]
00406B53 894C24 34 mov dword ptr [esp+34], ecx
00406B57 8B48 08 mov ecx, dword ptr [eax+8]
00406B5A 895424 38 mov dword ptr [esp+38], edx
00406B5E 8B50 0C mov edx, dword ptr [eax+C]
00406B61 894C24 3C mov dword ptr [esp+3C], ecx
00406B65 8B48 10 mov ecx, dword ptr [eax+10]
00406B68 895424 40 mov dword ptr [esp+40], edx
00406B6C 8B50 14 mov edx, dword ptr [eax+14]
00406B6F 894C24 44 mov dword ptr [esp+44], ecx
00406B73 895424 48 mov dword ptr [esp+48], edx
00406B77 8D46 10 lea eax, dword ptr [esi+10] ; copy [esi+0x10..0x24] -> msg+0x10..0x24
00406B7A 8B08 mov ecx, dword ptr [eax]
00406B7C 8B50 04 mov edx, dword ptr [eax+4]
00406B7F 894C24 1C mov dword ptr [esp+1C], ecx
00406B83 8B48 08 mov ecx, dword ptr [eax+8]
00406B86 895424 20 mov dword ptr [esp+20], edx
00406B8A 8B50 0C mov edx, dword ptr [eax+C]
00406B8D 894C24 24 mov dword ptr [esp+24], ecx
00406B91 8B48 10 mov ecx, dword ptr [eax+10]
00406B94 894C24 2C mov dword ptr [esp+2C], ecx
00406B98 8B4E 0C mov ecx, dword ptr [esi+C]
00406B9B 895424 28 mov dword ptr [esp+28], edx
00406B9F 8B50 14 mov edx, dword ptr [eax+14]
00406BA2 8B46 08 mov eax, dword ptr [esi+8]
00406BA5 894C24 18 mov dword ptr [esp+18], ecx ; msg+0xC = [esi+0xC]
00406BA9 6A 40 push 40 ; message length 0x40
00406BAB 8D4C24 10 lea ecx, dword ptr [esp+10] ; ecx = msg
00406BAF 51 push ecx
00406BB0 895424 38 mov dword ptr [esp+38], edx ; msg+0x24 = [esi+0x24]
00406BB4 8B56 04 mov edx, dword ptr [esi+4]
00406BB7 894424 1C mov dword ptr [esp+1C], eax ; msg+8 = [esi+8]
00406BBB 66:8B06 mov ax, word ptr [esi]
00406BBE 68 97010000 push 197 ; message id 0x197
00406BC3 8BCB mov ecx, ebx
00406BC5 895424 1C mov dword ptr [esp+1C], edx ; msg+4 = [esi+4]
00406BC9 66:894424 18 mov word ptr [esp+18], ax ; msg+0 = word [esi]; msg+2..+3 are never written, so two bytes of stale stack go out in the message
00406BCE FF15 D0104600 call dword ptr [<&GameFrame.CGameFram>; hit-fish data send
00406BD4 56 push esi
00406BD5 E8 1C2A0100 call <jmp.&MFC71.#operator delete_764> ; free arg2 (send path only)
00406BDA 83C4 04 add esp, 4
00406BDD 5F pop edi
00406BDE 5E pop esi ; common exit
00406BDF 33C0 xor eax, eax ; always returns 0
00406BE1 5B pop ebx
00406BE2 83C4 40 add esp, 40
00406BE5 C2 0800 retn 8
00406BE8 CC int3 ; padding
00406BE9 CC int3
//开火数据发送
; 00406AB0 — thiscall with two stack args (retn 8).  After sub esp,10 / push edi
; / push esi: [esp+1C] = arg1 = pointer to an 8-byte pair (freed here with
; operator delete), [esp+20] = arg2 (only its low byte is used).  Register
; roles: edi = this, esi = arg1.
; Returns 0 without sending when IsLookonMode() == 1 (arg1 is not freed on that
; path).  Otherwise builds a 16-byte local message:
;   +0 = [arg1], +4 = [arg1+4], +8 = low byte of arg2, +0xC = value left in st(0)
;   by 0040A510(this+0x3224); bytes +9..+0xB are not written anywhere in this listing.
; then SendData(192, &msg, 10), deletes arg1 and returns 0.
; The copy of the listing is cut at 00406B27; 00406B10 onward is the function
; annotated separately above.
00406AAC CC int3 ; padding
00406AAD CC int3
00406AAE CC int3
00406AAF CC int3
00406AB0 83EC 10 sub esp, 10 ; 16-byte local message
00406AB3 57 push edi
00406AB4 8BF9 mov edi, ecx ; edi = this
00406AB6 FF15 CC104600 call dword ptr [<&GameFrame.CGameFrameDlg::IsLookonMod>; GameFram.CGameFrameDlg::IsLookonMode
00406ABC 3C 01 cmp al, 1
00406ABE 74 47 je short 00406B07 ; look-on mode: return 0, skipping the send and the delete
00406AC0 56 push esi
00406AC1 8D8F 24320000 lea ecx, dword ptr [edi+3224] ; ecx = this+0x3224
00406AC7 E8 443A0000 call 0040A510
00406ACC D95C24 14 fstp dword ptr [esp+14] ; msg+0xC = st(0)
00406AD0 8A4424 20 mov al, byte ptr [esp+20] ; low byte of arg2
00406AD4 8B7424 1C mov esi, dword ptr [esp+1C] ; esi = arg1
00406AD8 8B0E mov ecx, dword ptr [esi]
00406ADA 8B56 04 mov edx, dword ptr [esi+4]
00406ADD 884424 10 mov byte ptr [esp+10], al ; msg+8
00406AE1 6A 10 push 10 ; message length 0x10
00406AE3 8D4424 0C lea eax, dword ptr [esp+C] ; eax = msg
00406AE7 50 push eax
00406AE8 894C24 10 mov dword ptr [esp+10], ecx ; msg+0 = [arg1]
00406AEC 68 92010000 push 192 ; message id 0x192
00406AF1 8BCF mov ecx, edi
00406AF3 895424 18 mov dword ptr [esp+18], edx ; msg+4 = [arg1+4]
00406AF7 FF15 D0104600 call dword ptr [<&GameFrame.CGameFrameDlg::SendData>] ; fire: data send
00406AFD 56 push esi
00406AFE E8 F32A0100 call <jmp.&MFC71.#operator delete_764> ; free arg1
00406B03 83C4 04 add esp, 4 ; cdecl cleanup of the delete argument
00406B06 5E pop esi
00406B07 33C0 xor eax, eax ; return 0
00406B09 5F pop edi
00406B0A 83C4 10 add esp, 10
00406B0D C2 0800 retn 8
00406B10 8B4424 04 mov eax, dword ptr [esp+4] ; start of the next function (00406B10)
00406B14 83EC 40 sub esp, 40
00406B17 85C0 test eax, eax
00406B19 53 push ebx
00406B1A 56 push esi
00406B1B 8BD9 mov ebx, ecx
00406B1D 0F85 BB000000 jnz 00406BDE
00406B23 8B7424 50 mov esi, dword ptr [esp+50]
00406B27 85F6 test esi, esi ; listing cut here
//
0018FBF4 00 00 F8 07 04 00 00 00 3F 00 00 00 19 00 00 00 ..?...?......
0018FC04 F6 0B 00 00 F7 0B 00 00 F6 0B 00 00 F7 0B 00 00 ?..?..?..?..
0018FC14 00 00 00 00 00 00 00 00 0C 00 00 00 0C 00 00 00 ................
0018FC24 0C 00 00 00 0C 00 00 00 00 00 00 00 00 00 00 00 ................
0018FC34 A0 狘
0018FBF4 00 00 F8 07 04 00 00 00 40 00 00 00 19 00 00 00 ..?...@......
0018FC04 00 0C 00 00 01 0C 00 00 00 0C 00 00 01 0C 00 00 ..............
0018FC14 00 00 00 00 00 00 00 00 24 00 00 00 24 00 00 00 ........$...$...
0018FC24 24 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 $...$...........
0018FC34 A0 FC 16 7C 00 00 00 00 90 2F 4C 00 20 DB 46 02 狘|....?L. 跢
0018FC44 20 DB 46 02 58 D3 2F 00 54 FC 18 00 64 80 00 00 跢X?.T?.d€..
0018FBF4 00 00 F8 07 04 00 00 00 41 00 00 00 19 00 00 00 ..?...A......
0018FC04 82 0C 00 00 83 0C 00 00 82 0C 00 00 83 0C 00 00 ?..?..?..?..
0018FC14 00 00 00 00 00 00 00 00 30 00 00 00 30 00 00 00 ........0...0...
0018FC24 30 00 00 00 30 00 00 00 00 00 00 00 00 00 00 00 0...0...........
0018FC34 A0 FC 16 7C 00 00 00 00 D0 2F 4C 00 20 DB 46 狘|....?L. 跢
0018FBF4 00 00 F8 07 02 00 00 00 42 00 00 00 19 00 00 00 ..?...B......
0018FC04 0C 0D 00 00 0C 0D 00 00 00 00 00 00 00 00 00 00 ................
0018FC14 00 00 00 00 00 00 00 00 03 00 00 00 03 00 00 00 ..............
0018FC24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018FC34 A0 FC 16 7C 00 00 00 00 10 30 4C 00 20 DB 46 02 狘|....0L. 跢
0018FBF4 00 00 F8 07 02 00 00 00 46 00 00 00 19 00 00 00 ..?...F......
0018FC04 27 0E 00 00 27 0E 00 00 00 00 00 00 00 00 00 00 '..'..........
0018FC14 00 00 00 00 00 00 00 00 03 00 00 00 03 00 00 00 ..............
0018FC24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018FC34 A0 FC 16 7C 00 00 00 00 10 31 4C 00 20 DB 46 02 狘|....1L. 跢
0018FBF4 00 00 F8 07 04 00 00 00 47 00 00 00 19 00 00 00 ..?...G......
0018FC04 EF 0E 00 00 32 0F 00 00 EF 0E 00 00 C1 0E 00 00 ?..2..?..?..
0018FC14 00 00 00 00 00 00 00 00 09 00 00 00 1A 00 00 00 ...............
0018FC24 09 00 00 00 0A 00 00 00 00 00 00 00 00 00 00 00 ................
0018FC34 A0 FC 16 7C 00 00 00 00 50 31 4C 00 20 DB 46 02 狘|....P1L. 跢
0018FC44 20 DB 46 02 58 D3 2F 00 54 FC 18 00 64 80 00 00 跢X?.T?.d€..
0018FBF4 00 00 A0 E2 02 00 00 00 37 00 00 00 19 00 00 00 ..犫...7......
0018FC04 7C 01 00 00 7C 01 00 00 00 00 00 00 00 00 00 00 |..|..........
0018FC14 00 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ..............
0018FC24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018FC34 A0 FC 16 7C 00 00 00 00 50 2D 4C 00 20 DB 39 02 狘|....P-L. ?
0018FBF4 00 00 A0 E2 02 00 00 00 3A 00 00 00 19 00 00 00 ..犫...:......
0018FC04 06 03 00 00 06 03 00 00 00 00 00 00 00 00 00 00 ............
0018FC14 00 00 00 00 00 00 00 00 03 00 00 00 03 00 00 00 ..............
0018FC24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
0018FC34 A0 FC 16 7C 00 00 00 00 10 2E 4C 00 20 DB 39 02 狘|.....L. ?
0018FBF4 03 00 5D 7F 03 00 00 00 0E 01 00 00 19 00 00 00 .]........
0018FC04 75 02 00 00 87 02 00 00 75 02 00 00 AF 01 00 00 u..?..u..?..
0018FC14 25 01 00 00 00 00 00 00 05 00 00 00 11 00 00 00 %............
0018FC24 05 00 00 00 03 00 00 00 1F 00 00 00 00 00 00 00 .............
0018FC34 A0 FC 16 7C 00 00 00 00 D0 21 4C 00 20 DB 6E 02 狘|....?L. 踤
0018FBF4 04 00 C4 19 05 00 00 00 01 00 00 00 19 00 00 00 .?.........
0018FC04 AF 01 00 00 B0 01 00 00 B1 01 00 00 B5 01 00 00 ?..?..?..?..
0018FC14 B6 01 00 00 00 00 00 00 13 00 00 00 13 00 00 00 ?............
0018FC24 13 00 00 00 13 00 00 00 13 00 00 00 00 00 00 00 .............
0018FC34 A0 FC 16 7C 00 00 00 00 10 20 4C 00 20 DB 56 02 狘|.... L. 踁
0018FC44 20 DB 踁
0018FBF4 04 00 C4 19 05 00 00 00 02 00 00 00 19 00 00 00 .?.........
0018FC04 69 02 00 00 66 02 00 00 67 02 00 00 6A 02 00 00 i..f..g..j..
0018FC14 69 02 00 00 00 00 00 00 06 00 00 00 12 00 00 00 i............
0018FC24 12 00 00 00 12 00 00 00 06 00 00 00 00 00 00 00 .............
0018FC34 A0 FC 16 7C 00 00 00 00 50 20 4C 00 20 DB 56 02 狘|....P L. 踁
0018FC44 20 DB 56 02 58 D3 7A 00 54 FC 18 00 64 80 00 00 踁X觶.T?.d€..
0018FC54 00 00 00 00 B8 FC 18 00 4F E1 16 7C 64 80 00 00 ....更.O?|d€..
//写入包数据
; 004062C0 — fragment of a loop body inside the function entered at 00406090
; (its other part, 004060A7–00406159, is listed further down; the loop head
; 004062A0 is not shown).  esi = current element, edi = output object, ebx = this.
; For the element it hit-tests a point against the RECT at [esp+0x24] and, when
; inside and fewer than 5 entries are stored, appends (value % 100) and
; [esi+0xC] to two parallel 5-entry dword arrays at edi+0x28 and edi+0x10.
004062C0 85F6 test esi, esi
004062C2 74 6F je short 00406333 ; no element: leave the loop
004062C4 837E 08 01 cmp dword ptr [esi+0x8], 0x1 ; element must be in state 1
004062C8 ^ 75 D6 jnz short 004062A0 ; next element
004062CA 66:8B86 3240000>mov ax, word ptr [esi+0x4032]
004062D1 66:3B86 3040000>cmp ax, word ptr [esi+0x4030] ; same gate as at 004060FD: require [esi+0x4032] < [esi+0x4030]
004062D8 ^ 73 C6 jnb short 004062A0
004062DA 0FB7C8 movzx ecx, ax
004062DD 8B048D C8384800 mov eax, dword ptr [ecx*4+0x4838C8] ; eax = table[ax] from the dword table at 0x4838C8
004062E4 8B4CC6 30 mov ecx, dword ptr [esi+eax*8+0x30] ; x of the (x, y) pair selected by eax
004062E8 8B44C6 34 mov eax, dword ptr [esi+eax*8+0x34] ; y
004062EC 50 push eax
004062ED 51 push ecx ; POINT passed by value as two dwords
004062EE 8D5424 24 lea edx, dword ptr [esp+0x24] ; &RECT
004062F2 52 push edx
004062F3 FF15 94174600 call dword ptr [<&USER32.PtInRect>] ; user32.PtInRect
004062F9 85C0 test eax, eax
004062FB ^ 74 A3 je short 004062A0 ; point outside the rect: next element
004062FD 837F 04 05 cmp dword ptr [edi+0x4], 0x5 ; [edi+4] = entry count; stop at 5
00406301 ^ 7D 9D jge short 004062A0 ; 5 entries * 4 bytes keep the +0x10 array (ends at +0x24) clear of the +0x28 array
00406303 8BCB mov ecx, ebx
00406305 E8 A6F2FFFF call 004055B0 ; esi+0c this is the data being written
0040630A 0FB7C0 movzx eax, ax ; result of 004055B0, low 16 bits
0040630D 99 cdq ; eax is zero-extended, so edx = 0 here
0040630E B9 64000000 mov ecx, 0x64
00406313 F7F9 idiv ecx ; edx = value % 100
00406315 8B47 04 mov eax, dword ptr [edi+0x4]
00406318 895487 28 mov dword ptr [edi+eax*4+0x28], edx ; array A[count] = value % 100
0040631C 8B4F 04 mov ecx, dword ptr [edi+0x4]
0040631F 8B56 0C mov edx, dword ptr [esi+0xC]
00406322 89548F 10 mov dword ptr [edi+ecx*4+0x10], edx ; array B[count] = [esi+0xC]
00406326 FF47 04 inc dword ptr [edi+0x4] ; write data; count++
00406329 ^ E9 72FFFFFF jmp 004062A0 ; next element
0040632E E8 C9320100 call <jmp.&MFC71.#AfxThrowInvalidArgException_1185> ; target of the range check at 004060D0
00406333 8A4424 5C mov al, byte ptr [esp+0x5C] ; after the loop: load the result byte (listing cut here)
//dd dd 4c2010
//包结构
$+240 >00000001 //座位号
$+244 >00000003 //
$+248 >0000000E //已发炮次数
$+24C >00000032 //炮类型
$+250 >0000068D //坐标x
$+254 >00000684 //坐标y
$+258 >00000000
$+25C >00000000
$+260 >00000000
$+264 >00000000
$+268 >00000002 //unknown 这个并非id
$+26C >00000001 //unknown
$+270 >00000002 //unknown
; 00402218 — fragment (the enclosing function's entry and frame are not listed;
; ebp, ebx and edi hold objects set up earlier).  Two loops walk the same table
; of 0x2BC-byte records from 0049F5A8 up to 004A348C ((0x4A348C - 0x49F5A8) /
; 0x2BC = 23 records) and call 00406090 with ecx = record and 11 stack args
; (popped by its retn 0x2C).  The loop at 00402250 is the one whose arguments
; appear in the stack dumps that follow this listing.
00402218 8B4C24 3C mov ecx, dword ptr [esp+0x3C]
0040221C 52 push edx
0040221D 50 push eax
0040221E E8 6D3E0000 call 00406090
00402223 3C 01 cmp al, 0x1
00402225 74 16 je short 0040223D ; returned 1: go to the second loop
00402227 8B4424 18 mov eax, dword ptr [esp+0x18] ; [esp+0x18] = record cursor of the first loop
0040222B 05 BC020000 add eax, 0x2BC ; next record
00402230 3D 8C344A00 cmp eax, 004A348C ; end of the table
00402235 894424 18 mov dword ptr [esp+0x18], eax
00402239 ^ 7C A5 jl short 004021E0 ; loop head not listed
0040223B EB 62 jmp short 0040229F
0040223D 807D 40 01 cmp byte ptr [ebp+0x40], 0x1
00402241 C64424 1F 01 mov byte ptr [esp+0x1F], 0x1 ; local flag = 1
00402246 75 57 jnz short 0040229F ; [ebp+0x40] != 1: skip the second loop
00402248 BE A8F54900 mov esi, 0049F5A8 ; esi = first record
0040224D 8D49 00 lea ecx, dword ptr [ecx] ; 3-byte nop aligning the loop head
00402250 8B4D 44 mov ecx, dword ptr [ebp+0x44]
00402253 0FB785 66100000 movzx eax, word ptr [ebp+0x1066] ; index into the (dword, dword) pairs at ebp+0x64
0040225A 57 push edi ; Arg11 = edi (buffer pointer per the dumps below)
0040225B 33D2 xor edx, edx
0040225D 8A55 48 mov dl, byte ptr [ebp+0x48]
00402260 6A 00 push 0x0 ; Arg10 = 0
00402262 6A 01 push 0x1 ; Arg9 = 1
00402264 52 push edx ; Arg8 = byte [ebp+0x48]
00402265 8B95 6C100000 mov edx, dword ptr [ebp+0x106C]
0040226B 52 push edx ; Arg7 = [ebp+0x106C]
0040226C 8B93 58020000 mov edx, dword ptr [ebx+0x258]
00402272 51 push ecx ; Arg6 = [ebp+0x44]
00402273 33C9 xor ecx, ecx
00402275 8A4D 40 mov cl, byte ptr [ebp+0x40]
00402278 51 push ecx ; Arg5 = byte [ebp+0x40]
00402279 8B4CC5 68 mov ecx, dword ptr [ebp+eax*8+0x68]
0040227D 52 push edx ; Arg4 = [ebx+0x258]
0040227E 8B54C5 64 mov edx, dword ptr [ebp+eax*8+0x64]
00402282 66:0FB645 49 movzx ax, byte ptr [ebp+0x49] ; only ax is written; the upper half of eax is still zero from the movzx at 00402253
00402287 51 push ecx ; Arg3 = [ebp+eax*8+0x68]
00402288 52 push edx ; Arg2 = [ebp+eax*8+0x64]
00402289 8BCE mov ecx, esi ; ecx = current record
0040228B 50 push eax ; Arg1 = byte [ebp+0x49]
0040228C E8 FF3D0000 call 00406090 ; !!! write data
00402291 81C6 BC020000 add esi, 0x2BC ; next record
00402297 81FE 8C344A00 cmp esi, 004A348C ; end of the table
0040229D ^ 7C B1 jl short 00402250
0040229F 8B8D 6C100000 mov ecx, dword ptr [ebp+0x106C]
004022A5 894F 0C mov dword ptr [edi+0xC], ecx ; [edi+0xC] = same value passed as Arg7
004022A8 8B55 44 mov edx, dword ptr [ebp+0x44]
004022AB 8957 08 mov dword ptr [edi+0x8], edx ; [edi+8] = same value passed as Arg6
004022AE 66:8B85 6810000>mov ax, word ptr [ebp+0x1068] ; listing cut here
0018E964 00000003 |Arg1 = 00000003
0018E968 000000E5 |Arg2 = 000000E5
0018E96C 00000251 |Arg3 = 00000251
0018E970 00000004 |Arg4 = 00000004
0018E974 00000001 |Arg5 = 00000001
0018E978 0000001A |Arg6 = 0000001A
0018E97C 00000019 |Arg7 = 00000019
0018E980 00000007 |Arg8 = 00000007
0018E984 00000000 |Arg9 = 00000000
0018E988 00000000 |Arg10 = 00000000
0018E98C 004C2650 \Arg11 = 004C2650
0018E994 00000001 |Arg1 = 00000001
0018E998 0000025B |Arg2 = 0000025B
0018E99C 00000234 |Arg3 = 00000234
0018E9A0 00000004 |Arg4 = 00000004
0018E9A4 00000001 |Arg5 = 00000001
0018E9A8 0000000F |Arg6 = 0000000F
0018E9AC 00000019 |Arg7 = 00000019
0018E9B0 00000007 |Arg8 = 00000007
0018E9B4 00000001 |Arg9 = 00000001
0018E9B8 00000000 |Arg10 = 00000000
0018E9BC 004C2390 \Arg11 = 004C2390
0018E964 00000001 |Arg1 = 00000001
0018E968 0000027C |Arg2 = 0000027C
0018E96C 0000024B |Arg3 = 0000024B
0018E970 00000004 |Arg4 = 00000004
0018E974 00000001 |Arg5 = 00000001
0018E978 00000003 |Arg6 = 00000003
0018E97C 00000019 |Arg7 = 00000019
0018E980 00000007 |Arg8 = 00000007
0018E984 00000001 |Arg9 = 00000001
0018E988 00000000 |Arg10 = 00000000
0018E98C 004C2090 \Arg11 = 004C2090
0018E964 00000001 |Arg1 = 00000001
0018E968 0000026D |Arg2 = 0000026D
0018E96C 0000024A |Arg3 = 0000024A
0018E970 00000004 |Arg4 = 00000004
0018E974 00000001 |Arg5 = 00000001
0018E978 00000004 |Arg6 = 00000004
0018E97C 00000019 |Arg7 = 00000019
0018E980 00000007 |Arg8 = 00000007
0018E984 00000001 |Arg9 = 00000001
0018E988 00000000 |Arg10 = 00000000
0018E98C 004C20D0 \Arg11 = 004C20D0
0018E964 00000004 |Arg1 = 00000004 座位号
0018E968 0000026B |Arg2 = 0000026B x
0018E96C 0000024A |Arg3 = 0000024A y
0018E970 00000004 |Arg4 = 00000004 固定
0018E974 00000001 |Arg5 = 00000001 固定
0018E978 00000009 |Arg6 = 00000009 次数
0018E97C 00000019 |Arg7 = 00000019 炮类型
0018E980 00000007 |Arg8 = 00000007 固定
0018E984 00000001 |Arg9 = 00000001 固定
0018E988 00000000 |Arg10 = 00000000 固定
0018E98C 004C2210 \Arg11 = 004C2210 buff_ptr
0018E994 00000004 |Arg1 = 00000004
0018E998 00000036 |Arg2 = 00000036
0018E99C 0000023C |Arg3 = 0000023C
0018E9A0 00000004 |Arg4 = 00000004
0018E9A4 00000001 |Arg5 = 00000001
0018E9A8 0000000F |Arg6 = 0000000F
0018E9AC 00000019 |Arg7 = 00000019
0018E9B0 00000007 |Arg8 = 00000007
0018E9B4 00000001 |Arg9 = 00000001
0018E9B8 00000000 |Arg10 = 00000000
0018E9BC 004C2390 \Arg11 = 004C2390
//
; 004060A7.. — part of the function entered at 00406090 (11 stack args, popped
; by retn 0x2C); 004062C0–00406333 above belongs to the same function, the page
; lists it out of order.  ebx = this (from [esp+0x14]), eax = loop index kept
; at [esp+0x18], ebp = element fetched from the (pointer, count) pair at
; this+0x27C / this+0x288 with a range check.
004060A7 . C2 2C00 retn 0x2C ; an early return of the 11-arg function
004060AA > 55 push ebp
004060AB . 56 push esi
004060AC . 33C0 xor eax, eax
004060AE . 57 push edi
004060AF . 884424 5C mov byte ptr [esp+0x5C], al ; result byte = 0 (appears to be what 00406333 reads back)
004060B3 . EB 0B jmp short 004060C0
004060B5 > 8B5C24 14 mov ebx, dword ptr [esp+0x14] ; loop head: ebx = this
004060B9 . 8B4424 18 mov eax, dword ptr [esp+0x18] ; eax = index
004060BD . 8D49 00 lea ecx, dword ptr [ecx] ; 3-byte nop for alignment
004060C0 > 85C0 test eax, eax
004060C2 . 7C 1D jl short 004060E1 ; index < 0: no element
004060C4 . 8B8B 88020000 mov ecx, dword ptr [ebx+0x288] ; element count
004060CA . 3BC1 cmp eax, ecx
004060CC . 7D 13 jge short 004060E1 ; index >= count: no element
004060CE . 3BC1 cmp eax, ecx
004060D0 . 0F8D 58020000 jge 0040632E ; same compare again: this jge can never be taken (flags unchanged), so the throw at 0040632E is unreachable from here
004060D6 . 8B8B 7C020000 mov ecx, dword ptr [ebx+0x27C] ; !!!!! holds the coordinate parameters — element pointer array
004060DC . 8B2C81 mov ebp, dword ptr [ecx+eax*4] ; ebp = elements[index]
004060DF . EB 02 jmp short 004060E3
004060E1 > 33ED xor ebp, ebp ; out of range: ebp = NULL
004060E3 > 40 inc eax ; index++
004060E4 . 85ED test ebp, ebp
004060E6 . 894424 18 mov dword ptr [esp+0x18], eax
004060EA . 0F84 28010000 je 00406218 ; NULL element (target not listed)
004060F0 . 837D 08 01 cmp dword ptr [ebp+0x8], 0x1 ; element in state 1?
004060F4 . 74 07 je short 004060FD
004060F6 . 807C24 50 01 cmp byte ptr [esp+0x50], 0x1
004060FB .^ 74 C3 je short 004060C0 ; not state 1 and [esp+0x50] == 1: skip this element
004060FD > 66:8B8D 32400>mov cx, word ptr [ebp+0x4032]
00406104 . 66:3B8D 30400>cmp cx, word ptr [ebp+0x4030] ; same gate as at 004062CA
0040610B .^ 73 B3 jnb short 004060C0
0040610D . 8B93 58020000 mov edx, dword ptr [ebx+0x258] ; !!!!! ; this+0x258 (Arg4 of the caller's record; 4 in the dumps)
00406113 . 807D 01 02 cmp byte ptr [ebp+0x1], 0x2
00406117 . 8B3C95 283549>mov edi, dword ptr [edx*4+0x493528] ; edi = dword table[0x493528 + edx*4]
0040611E . 8BF7 mov esi, edi
00406120 . 75 3D jnz short 0040615F ; byte [ebp+1] != 2: no override
00406122 . 8BC2 mov eax, edx
00406124 . 83F8 0A cmp eax, 0xA ; Switch (cases A..C) — override edi/eax for edx in {0xA, 0xB, 0xC}
00406127 . 75 0D jnz short 00406136
00406129 . 8B3D 84354900 mov edi, dword ptr [0x493584] ; Case A of switch 00406124
0040612F . A1 14354900 mov eax, dword ptr [0x493514]
00406134 . EB 22 jmp short 00406158
00406136 > 83F8 0B cmp eax, 0xB
00406139 . 75 0D jnz short 00406148
0040613B . 8B3D 88354900 mov edi, dword ptr [0x493588] ; Case B of switch 00406124
00406141 . A1 18354900 mov eax, dword ptr [0x493518]
00406146 . EB 10 jmp short 00406158
00406148 > 83F8 0C cmp eax, 0xC
0040614B . 75 12 jnz short 0040615F
0040614D . 8B3D 8C354900 mov edi, dword ptr [0x49358C] ; Case C of switch 00406124
00406153 . A1 1C354900 mov eax, dword ptr [0x49351C]
00406158 > 99 cdq ; edx = sign of eax
00406159 . 2BC2 sub eax, edx ; eax -= (eax < 0 ? -1 : 0): first half of a signed divide-by-power-of-two idiom; the shift is past the end of the listing
//开火post
; 0040F10E — fragment of a larger function (epilogue: pop ebx/edi/ebp, pop esi,
; add esp,3C, retn 0C; the entry is not listed).  esi = this.
; Calls 00401CA0 (ecx = ebp, 8 stack args) and keeps its result in ebp;
; returns al = 0 when that is zero.  Otherwise allocates an 8-byte pair
; {ebp, [esp+5C]} with operator new and, if [esi+7640] != 0, hands it to
; 004016A0 with message number 464, then plays 28.ogg or 25.ogg via 0040D9A0.
0040F10E 52 push edx ; 8th arg of 00401CA0 (value set before this listing)
0040F10F C74424 48 00000>mov dword ptr ss:[esp+48], 0
0040F117 8B94C6 E8380000 mov edx, dword ptr ds:[esi+eax*8+38E8]
0040F11E D98486 44390000 fld dword ptr ds:[esi+eax*4+3944]
0040F125 8B84C6 E4380000 mov eax, dword ptr ds:[esi+eax*8+38E4]
0040F12C D95C24 20 fstp dword ptr ss:[esp+20] ; float copied through a local so it can be pushed as a dword
0040F130 8B4C24 20 mov ecx, dword ptr ss:[esp+20]
0040F134 51 push ecx ; 7th arg: the float bits
0040F135 52 push edx ; 6th arg: [esi+eax*8+0x38E8]
0040F136 8B5424 68 mov edx, dword ptr ss:[esp+68]
0040F13A 50 push eax ; 5th arg: [esi+eax*8+0x38E4]
0040F13B 6A 05 push 5 ; 4th arg
0040F13D 8D4C24 58 lea ecx, dword ptr ss:[esp+58]
0040F141 51 push ecx ; 3rd arg: pointer to a local
0040F142 6A 01 push 1 ; 2nd arg
0040F144 52 push edx ; 1st arg: [esp+0x68] before the pushes
0040F145 8BCD mov ecx, ebp
0040F147 E8 542BFFFF call 00401CA0
0040F14C 8BE8 mov ebp, eax ; ebp = result (NULL means failure below)
0040F14E 33C0 xor eax, eax
0040F150 66:8B86 B001000>mov ax, word ptr ds:[esi+1B0] ; zero-extended 16-bit field
0040F157 8D8E 8C360000 lea ecx, dword ptr ds:[esi+368C] ; ecx = this+0x368C
0040F15D 50 push eax
0040F15E E8 5D3BFFFF call 00402CC0
0040F163 85ED test ebp, ebp
0040F165 75 0C jnz short 0040F173
0040F167 5B pop ebx ; failure: return al = 0
0040F168 5F pop edi
0040F169 5D pop ebp
0040F16A 32C0 xor al, al
0040F16C 5E pop esi
0040F16D 83C4 3C add esp, 3C
0040F170 C2 0C00 retn 0C ; three stack args
0040F173 6A 08 push 8
0040F175 E8 88A40000 call <jmp.&MFC71.#operator new_762> ; eax = new 8-byte pair
0040F17A 8B4C24 5C mov ecx, dword ptr ss:[esp+5C]
0040F17E 8928 mov dword ptr ds:[eax], ebp ; pair[0] = result of 00401CA0
0040F180 8948 04 mov dword ptr ds:[eax+4], ecx ; pair[1] = [esp+0x5C]
0040F183 8B8E 40760000 mov ecx, dword ptr ds:[esi+7640]
0040F189 83C4 04 add esp, 4 ; cdecl cleanup of the new argument
0040F18C 85C9 test ecx, ecx
0040F18E 74 0C je short 0040F19C ; NOTE(review): eax (the pair) is not saved before this branch; when it is taken nothing in the listing frees the allocation — confirm elsewhere
0040F190 53 push ebx
0040F191 50 push eax ; the pair
0040F192 68 64040000 push 464 ; message number
0040F197 E8 0425FFFF call 004016A0 ; fire: send message (posts internally)
0040F19C 833CBD 74414C00>cmp dword ptr ds:[edi*4+4C4174], 1 ; table at 0x4C4174 indexed by edi selects the sound
0040F1A4 8BCE mov ecx, esi
0040F1A6 6A 01 push 1
0040F1A8 75 09 jnz short 0040F1B3
0040F1AA 6A 0C push 0C
0040F1AC 68 84384600 push 00463884 ; ASCII "28.ogg"
0040F1B1 EB 07 jmp short 0040F1BA
0040F1B3 6A 0E push 0E
0040F1B5 68 7C384600 push 0046387C ; ASCII "25.ogg"
0040F1BA E8 E1E7FFFF call 0040D9A0 ; 0040D9A0(this; name, 0xC or 0xE, 1)
0040F1BF 837C24 14 28 cmp dword ptr ss:[esp+14], 28
0040F1C4 8BBCBE C8000000 mov edi, dword ptr ds:[esi+edi*4+C8]
0040F1CB 8B1D 4C174600 mov ebx, dword ptr ds:[<&USER32.SetTimer>] ; user32.SetTimer ; import pointer, used past the end of the listing
0040F1D1 0F8C A3000000 jl 0040F27A ; listing cut here