斗地主的出牌部分的判断。
调试环境 windows 2000
工具 softice 。
斗地主的版本付在后面
抛个砖,有兴趣的朋友可以分析分析看看有没有漏洞。
如果服务器也对出牌进行判断,修改客户端是没有戏。
早期的一些这类游戏是没有加服务器判断的,所以可以
修改后乱出牌的。
001B:00421310 64A100000000 MOV EAX,FS:[00000000]
001B:00421316 6AFF PUSH FF
001B:00421318 685CB74200 PUSH 0042B75C
001B:0042131D 50 PUSH EAX
001B:0042131E 64892500000000 MOV FS:[00000000],ESP
001B:00421325 A178554300 MOV EAX,[00435578]
001B:0042132A 81ECF0020000 SUB ESP,000002F0
001B:00421330 53 PUSH EBX
001B:00421331 55 PUSH EBP
001B:00421332 56 PUSH ESI
001B:00421333 57 PUSH EDI
001B:00421334 33FF XOR EDI,EDI
001B:00421336 8BF1 MOV ESI,ECX
001B:00421338 3BC7 CMP EAX,EDI
001B:0042133A 0F84E0010000 JZ 00421520
001B:00421340 39BE08FA0000 CMP [ESI+0000FA08],EDI
001B:00421346 740B JZ 00421353
001B:00421348 89BEE0F90000 MOV [ESI+0000F9E0],EDI
001B:0042134E E9D5000000 JMP 00421428
001B:00421353 8B8EE0F90000 MOV ECX,[ESI+0000F9E0]
001B:00421359 41 INC ECX
001B:0042135A 8BC1 MOV EAX,ECX
001B:0042135C 898EE0F90000 MOV [ESI+0000F9E0],ECX
001B:00421362 83F802 CMP EAX,02
001B:00421365 7C67 JL 004213CE
001B:00421367 8D4C2410 LEA ECX,[ESP+10]
001B:0042136B E8706B0000 CALL 00427EE0
001B:00421370 680C444300 PUSH 0043440C
001B:00421375 8D442414 LEA EAX,[ESP+14]
001B:00421379 6838304300 PUSH 00433038
001B:0042137E 50 PUSH EAX
001B:0042137F 89BC2414030000 MOV [ESP+00000314],EDI
001B:00421386 E84F6B0000 CALL 00427EDA
001B:0042138B 8B4E20 MOV ECX,[ESI+20]
001B:0042138E 83C40C ADD ESP,0C
001B:00421391 57 PUSH EDI
001B:00421392 6A01 PUSH 01
001B:00421394 6888040000 PUSH 00000488
001B:00421399 51 PUSH ECX
001B:0042139A FF1568C54200 CALL [USER32!PostMessageA]
001B:004213A0 8B4620 MOV EAX,[ESI+20]
001B:004213A3 8D542410 LEA EDX,[ESP+10]
001B:004213A7 68FF000000 PUSH 000000FF
001B:004213AC 52 PUSH EDX
001B:004213AD 6873040000 PUSH 00000473
001B:004213B2 50 PUSH EAX
001B:004213B3 FF1578C54200 CALL [USER32!SendMessageA]
001B:004213B9 83CBFF OR EBX,-01
001B:004213BC 8D4C2410 LEA ECX,[ESP+10]
001B:004213C0 899C2408030000 MOV [ESP+00000308],EBX
001B:004213C7 E8086B0000 CALL 00427ED4
001B:004213CC EB5D JMP 0042142B
001B:004213CE 8D4C2414 LEA ECX,[ESP+14]
001B:004213D2 E8096B0000 CALL 00427EE0
001B:004213D7 8B8EE0F90000 MOV ECX,[ESI+0000F9E0]
001B:004213DD 8D542414 LEA EDX,[ESP+14]
001B:004213E1 51 PUSH ECX
001B:004213E2 68E0434300 PUSH 004343E0
001B:004213E7 52 PUSH EDX
001B:004213E8 C7842414030000010000MOV DWORD PTR [ESP+00000314],00000001
001B:004213F3 E8E26A0000 CALL 00427EDA
001B:004213F8 8B4E20 MOV ECX,[ESI+20]
001B:004213FB 83C40C ADD ESP,0C
001B:004213FE 8D442414 LEA EAX,[ESP+14]
001B:00421402 68FF000000 PUSH 000000FF
001B:00421407 50 PUSH EAX
001B:00421408 6873040000 PUSH 00000473
001B:0042140D 51 PUSH ECX
001B:0042140E FF1578C54200 CALL [USER32!SendMessageA]
001B:00421414 8D4C2414 LEA ECX,[ESP+14]
001B:00421418 C7842408030000FFFFFFMOV DWORD PTR [ESP+00000308],FFFFFFFF
001B:00421423 E8AC6A0000 CALL 00427ED4
001B:00421428 83CBFF OR EBX,-01
001B:0042142B 8D4C2458 LEA ECX,[ESP+58]
001B:0042142F E8BC34FEFF CALL 004048F0
001B:00421434 8D4C2458 LEA ECX,[ESP+58]
001B:00421438 C7842408030000020000MOV DWORD PTR [ESP+00000308],00000002
001B:00421443 E81837FEFF CALL 00404B60
001B:00421448 B948514300 MOV ECX,00435148
001B:0042144D E80EA3FFFF CALL 0041B760
001B:00421452 8BE8 MOV EBP,EAX
001B:00421454 3BEF CMP EBP,EDI
001B:00421456 0F84B4000000 JZ 00421510
001B:0042145C 8A85B8010000 MOV AL,[EBP+000001B8]
001B:00421462 84C0 TEST AL,AL
001B:00421464 7E26 JLE 0042148C
001B:00421466 8D5D78 LEA EBX,[EBP+78]
001B:00421469 8B4304 MOV EAX,[EBX+04]
001B:0042146C 85C0 TEST EAX,EAX
001B:0042146E 740A JZ 0042147A
001B:00421470 53 PUSH EBX
001B:00421471 8D4C245C LEA ECX,[ESP+5C]
001B:00421475 E80635FEFF CALL 00404980
001B:0042147A 0FBE95B8010000 MOVSX EDX,BYTE PTR [EBP+000001B8]
001B:00421481 47 INC EDI
001B:00421482 83C308 ADD EBX,08
001B:00421485 3BFA CMP EDI,EDX
001B:00421487 7CE0 JL 00421469
001B:00421489 83CBFF OR EBX,-01
001B:0042148C 8A84249C010000 MOV AL,[ESP+0000019C]
001B:00421493 84C0 TEST AL,AL
001B:00421495 7479 JZ 00421510
001B:00421497 8D8C24AC010000 LEA ECX,[ESP+000001AC]
001B:0042149E E84D34FEFF CALL 004048F0
001B:004214A3 8D8424AC010000 LEA EAX,[ESP+000001AC]
001B:004214AA B948514300 MOV ECX,00435148
001B:004214AF 50 PUSH EAX
001B:004214B0 C684240C03000003 MOV BYTE PTR [ESP+0000030C],03
001B:004214B8 E8C3A8FFFF CALL 0041BD80
001B:004214BD 8A8424F0020000 MOV AL,[ESP+000002F0]
001B:004214C4 8B0DB8524300 MOV ECX,[004352B8]
001B:004214CA 8D542458 LEA EDX,[ESP+58]
001B:004214CE 51 PUSH ECX
001B:004214CF 84C0 TEST AL,AL
001B:004214D1 52 PUSH EDX
001B:004214D2 B9BC584300 MOV ECX,004358BC
001B:004214D7 7567 JNZ 00421540
001B:004214D9 E82237FEFF CALL 00404C00
001B:004214DE 85C0 TEST EAX,EAX
001B:004214E0 0F8596000000 JNZ 0042157C
001B:004214E6 8B4620 MOV EAX,[ESI+20]
001B:004214E9 6A00 PUSH 00
001B:004214EB 68C8434300 PUSH 004343C8--------->显示出的牌不符合规则
001B:004214F0 6885040000 PUSH 00000485
001B:004214F5 50 PUSH EAX
001B:004214F6 FF1578C54200 CALL [USER32!SendMessageA]
001B:004214FC 8D8C24AC010000 LEA ECX,[ESP+000001AC]
001B:00421503 C684240803000002 MOV BYTE PTR [ESP+00000308],02
001B:0042150B E82034FEFF CALL 00404930
001B:00421510 8D4C2458 LEA ECX,[ESP+58]
001B:00421514 899C2408030000 MOV [ESP+00000308],EBX
001B:0042151B E81034FEFF CALL 00404930
001B:00421520 8B8C2400030000 MOV ECX,[ESP+00000300]
001B:00421527 5F POP EDI
001B:00421528 5E POP ESI
001B:00421529 5D POP EBP
001B:0042152A B801000000 MOV EAX,00000001
001B:0042152F 5B POP EBX
001B:00421530 64890D00000000 MOV FS:[00000000],ECX
001B:00421537 81C4FC020000 ADD ESP,000002FC
001B:0042153D C20800 RET 0008
001B:00421540 E8BB36FEFF CALL 00404C00
001B:00421545 A1B8524300 MOV EAX,[004352B8]
001B:0042154A 8D8C24AC010000 LEA ECX,[ESP+000001AC]
001B:00421551 50 PUSH EAX
001B:00421552 51 PUSH ECX
001B:00421553 B9BC584300 MOV ECX,004358BC
001B:00421558 E8A336FEFF CALL 00404C00----------->分析出牌的规则
001B:0042155D 8D9424AC010000 LEA EDX,[ESP+000001AC]
001B:00421564 8D442458 LEA EAX,[ESP+58]
001B:00421568 52 PUSH EDX
001B:00421569 50 PUSH EAX
001B:0042156A B9BC584300 MOV ECX,004358BC
001B:0042156F E8BC50FEFF CALL 00406630----------->是否能压住对方的牌
001B:00421574 85C0 TEST EAX,EAX
001B:00421576 0F846AFFFFFF JZ 004214E6
001B:0042157C 8D4C2458 LEA ECX,[ESP+58]
001B:00421580 51 PUSH ECX
001B:00421581 8D4D74 LEA ECX,[EBP+74]
001B:00421584 E83735FEFF CALL 00404AC0
001B:00421589 B948514300 MOV ECX,00435148
001B:0042158E E81DA3FFFF CALL 0041B8B0
001B:00421593 0FBE0574554300 MOVSX EAX,BYTE PTR [00435574]
001B:0042159A 8A94249C010000 MOV DL,[ESP+0000019C]
001B:004215A1 6A00 PUSH 00
001B:004215A3 50 PUSH EAX
001B:004215A4 8B4620 MOV EAX,[ESI+20]
001B:004215A7 6889040000 PUSH 00000489
001B:004215AC 50 PUSH EAX
001B:004215AD C644242A03 MOV BYTE PTR [ESP+2A],03
001B:004215B2 8854242B MOV [ESP+2B],DL
001B:004215B6 FF1568C54200 CALL [USER32!PostMessageA]
001B:004215BC 8DBDC8010000 LEA EDI,[EBP+000001C8]
001B:004215C2 8BCF MOV ECX,EDI
001B:004215C4 E89735FEFF CALL 00404B60
001B:004215C9 8D4C2458 LEA ECX,[ESP+58]
001B:004215CD 51 PUSH ECX
001B:004215CE 8BCF MOV ECX,EDI
001B:004215D0 E8AB34FEFF CALL 00404A80
001B:004215D5 8A84249C010000 MOV AL,[ESP+0000019C]
001B:004215DC 33FF XOR EDI,EDI
001B:004215DE 84C0 TEST AL,AL
001B:004215E0 7E28 JLE 0042160A
001B:004215E2 8D5C245C LEA EBX,[ESP+5C]
001B:004215E6 53 PUSH EBX
001B:004215E7 B948514300 MOV ECX,00435148
001B:004215EC E8AFA3FFFF CALL 0041B9A0
001B:004215F1 88443C1C MOV [EDI+ESP+1C],AL
001B:004215F5 8A84249C010000 MOV AL,[ESP+0000019C]
001B:004215FC 0FBED0 MOVSX EDX,AL
001B:004215FF 47 INC EDI
001B:00421600 83C308 ADD EBX,08
001B:00421603 3BFA CMP EDI,EDX
001B:00421605 7CDF JL 004215E6
001B:00421607 83CBFF OR EBX,-01
001B:0042160A 660FBEF8 MOVSX EDI,AL
001B:0042160E 83C704 ADD EDI,04
001B:00421611 57 PUSH EDI
001B:00421612 E819810000 CALL 00429730
001B:00421617 6A00 PUSH 00
001B:00421619 6A02 PUSH 02
001B:0042161B 8BCE MOV ECX,ESI
001B:0042161D 6689442420 MOV [ESP+20],AX
001B:00421622 E8B90A0000 CALL 004220E0
001B:00421627 6A00 PUSH 00
001B:00421629 6A00 PUSH 00
001B:0042162B 8BCE MOV ECX,ESI
001B:0042162D E83EFBFFFF CALL 00421170
001B:00421632 8A85B8010000 MOV AL,[EBP+000001B8]
001B:00421638 84C0 TEST AL,AL
001B:0042163A 741A JZ 00421656
001B:0042163C B948514300 MOV ECX,00435148
001B:00421641 E87AA1FFFF CALL 0041B7C0
001B:00421646 6A01 PUSH 01
001B:00421648 6A02 PUSH 02
001B:0042164A 8BCE MOV ECX,ESI
001B:0042164C A344CB4300 MOV [0043CB44],EAX
001B:00421651 E88A0A0000 CALL 004220E0
001B:00421656 0FBE0574554300 MOVSX EAX,BYTE PTR [00435574]
001B:0042165D 68283B4300 PUSH 00433B28
001B:00421662 B948514300 MOV ECX,00435148
001B:00421667 C704857C554300000000MOV DWORD PTR [EAX*4+0043557C],00000000
001B:00421672 E819A5FFFF CALL 0041BB90
001B:00421677 0FBFD7 MOVSX EDX,DI
001B:0042167A 8D4C2418 LEA ECX,[ESP+18]
001B:0042167E 51 PUSH ECX
001B:0042167F 52 PUSH EDX
001B:00421680 B910514300 MOV ECX,00435110
001B:00421685 E886B2FEFF CALL 0040C910
001B:0042168A 6A03 PUSH 03
001B:0042168C B940514300 MOV ECX,00435140
001B:00421691 E83A640000 CALL 00427AD0
001B:00421696 E961FEFFFF JMP 004214FC
几个主要的断点
01) BPX #001B:0042131E
02) BPX #001B:00421489
03) BPX #001B:0042156A
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)