Post 9
This program is 2D; this call does the minimap walk: click a spot on the minimap and the character walks there.
Below is the asm of this call as seen in OD, attached to the process:
My understanding:
edx holds the Y coordinate
eax holds the X coordinate
ecx holds a value taken from an attribute of the object pointer (what it is exactly, I'm not sure)
then call.
------------------------------------------------------------------------------
004AB3D9 /E9 94000000 jmp 004AB472
004AB3DE |8B55 10 mov edx, dword ptr [ebp+10]
004AB3E1 |52 push edx
004AB3E2 |8B45 0C mov eax, dword ptr [ebp+C]
004AB3E5 |50 push eax
004AB3E6 |8B0D 80B77100 mov ecx, dword ptr [71B780]
004AB3EC |81C1 70590000 add ecx, 5970
004AB3F2 |E8 79420B00 call 0055F670
------------------------------------------------------------------------------
004AB3F7 |85C0 test eax, eax
004AB3F9 |75 07 jnz short 004AB402
004AB3FB |C745 FC 0000000>mov dword ptr [ebp-4], 0
004AB402 |EB 6E jmp short 004AB472
004AB404 |8B4D 10 mov ecx, dword ptr [ebp+10]
004AB407 |51 push ecx
004AB408 |8B55 0C mov edx, dword ptr [ebp+C]
004AB40B |52 push edx
004AB40C |B9 F84B7100 mov ecx, 00714BF8
004AB411 |E8 1AECFFFF call 004AA030
Post 11
ecx is the this pointer.
Maybe the this pointer here needs some initialization before you invoke the call, e.g. after a map switch and so on.
Stack balance and the current protection are things you need to trace and compare several times yourself.
Also check whether this function is already being called by something else at the moment you call it; if so, try adding a thread lock.
Post 12
(The call address in post 9 is wrong because the target program was updated; the principle is the same.)
The target program uses lua5 and its own engine; I set a bp on send and pressed Ctrl+F9 nine times before I found this call.
By the way, one thing: I tested a direct walking call, and like the minimap walking call it also crashes the target program from time to time.
Because these upper-level calls almost all end up calling send to send data to the server.
Could it be that while I am using a call to send data to the server, the target program itself also has some data to send,
so that two threads both end up using send... and that is why the target program crashes?
I'll go try it.
Post 14
004AB280 8985 A8E6FFFF mov dword ptr [ebp-1958], eax
004AB286 83BD A8E6FFFF 0>cmp dword ptr [ebp-1958], 0
004AB28D 74 18 je short 004AB2A7
004AB28F 8B85 A8E6FFFF mov eax, dword ptr [ebp-1958]
004AB295 8B48 04 mov ecx, dword ptr [eax+4]
004AB298 898D 50E6FFFF mov dword ptr [ebp-19B0], ecx
004AB29E 83BD 50E6FFFF 0>cmp dword ptr [ebp-19B0], 1
004AB2A5 74 05 je short 004AB2AC
004AB2A7 E9 C6010000 jmp 004AB472
004AB2AC 8D95 B0E6FFFF lea edx, dword ptr [ebp-1950]
004AB2B2 52 push edx
004AB2B3 8B85 A4E6FFFF mov eax, dword ptr [ebp-195C]
004AB2B9 50 push eax
004AB2BA 8B8D A8E6FFFF mov ecx, dword ptr [ebp-1958]
004AB2C0 E8 8B020C00 call 0056B550
004AB2C5 85C0 test eax, eax
004AB2C7 7F 05 jg short 004AB2CE
004AB2C9 E9 A4010000 jmp 004AB472
004AB2CE 8B8D A4E6FFFF mov ecx, dword ptr [ebp-195C]
004AB2D4 51 push ecx
004AB2D5 8B95 B0E6FFFF mov edx, dword ptr [ebp-1950]
004AB2DB 52 push edx
004AB2DC 8B8D A8E6FFFF mov ecx, dword ptr [ebp-1958]
004AB2E2 E8 590C0C00 call 0056BF40
004AB2E7 C745 FC 0100000>mov dword ptr [ebp-4], 1
004AB2EE E9 7F010000 jmp 004AB472
004AB2F3 8B45 10 mov eax, dword ptr [ebp+10]
004AB2F6 25 FFFF0000 and eax, 0FFFF
004AB2FB 0FB7C8 movzx ecx, ax
004AB2FE 898D A0E6FFFF mov dword ptr [ebp-1960], ecx
004AB304 8B55 10 mov edx, dword ptr [ebp+10]
004AB307 C1EA 10 shr edx, 10
004AB30A 0FB7C2 movzx eax, dx
004AB30D 8985 98E6FFFF mov dword ptr [ebp-1968], eax
004AB313 C785 9CE6FFFF 0>mov dword ptr [ebp-1964], 0
004AB31D 8B8D 9CE6FFFF mov ecx, dword ptr [ebp-1964]
004AB323 51 push ecx
004AB324 8D95 98E6FFFF lea edx, dword ptr [ebp-1968]
004AB32A 52 push edx
004AB32B 8D85 A0E6FFFF lea eax, dword ptr [ebp-1960]
004AB331 50 push eax
004AB332 B9 A066CD00 mov ecx, 00CD66A0
004AB337 E8 C4DB1800 call 00638F00
004AB33C 6A 02 push 2
004AB33E 68 601AD200 push 00D21A60
004AB343 8B8D 9CE6FFFF mov ecx, dword ptr [ebp-1964]
004AB349 51 push ecx
004AB34A 8B95 98E6FFFF mov edx, dword ptr [ebp-1968]
004AB350 52 push edx
004AB351 8B85 A0E6FFFF mov eax, dword ptr [ebp-1960]
004AB357 50 push eax
004AB358 6A 00 push 0
004AB35A 6A 06 push 6
004AB35C B9 A066CD00 mov ecx, 00CD66A0
004AB361 E8 5AC21800 call 006375C0
004AB366 6A 02 push 2
004AB368 68 601AD200 push 00D21A60
004AB36D 8B8D 9CE6FFFF mov ecx, dword ptr [ebp-1964]
004AB373 51 push ecx
004AB374 8B95 98E6FFFF mov edx, dword ptr [ebp-1968]
004AB37A 52 push edx
004AB37B 8B85 A0E6FFFF mov eax, dword ptr [ebp-1960]
004AB381 50 push eax
004AB382 6A 00 push 0
004AB384 6A 06 push 6
004AB386 B9 A066CD00 mov ecx, 00CD66A0
004AB38B E8 30C21800 call 006375C0
004AB390 C705 681AD200 0>mov dword ptr [D21A68], 1
004AB39A E9 D3000000 jmp 004AB472
004AB39F 8B4D 0C mov ecx, dword ptr [ebp+C]
004AB3A2 51 push ecx
004AB3A3 68 20AB6B00 push 006BAB20 ; ASCII "OpenShop"
004AB3A8 8B0D 80B77100 mov ecx, dword ptr [71B780]
004AB3AE 81C1 70590000 add ecx, 5970
004AB3B4 E8 A7760B00 call 00562A60
004AB3B9 E9 B4000000 jmp 004AB472
004AB3BE 68 641B6B00 push 006B1B64
004AB3C3 68 14AB6B00 push 006BAB14 ; ASCII "ServerTime"
004AB3C8 8B0D 80B77100 mov ecx, dword ptr [71B780]
004AB3CE 81C1 70590000 add ecx, 5970
004AB3D4 E8 87760B00 call 00562A60
004AB3D9 E9 94000000 jmp 004AB472
------------------------------------------------------------------
004AB3DE 8B55 10 mov edx, dword ptr [ebp+10]
004AB3E1 52 push edx
004AB3E2 8B45 0C mov eax, dword ptr [ebp+C]
004AB3E5 50 push eax
004AB3E6 8B0D 80B77100 mov ecx, dword ptr [71B780]
004AB3EC 81C1 70590000 add ecx, 5970
004AB3F2 E8 79420B00 call 0055F670
-------------------------------------------------------------------
004AB3F7 85C0 test eax, eax
004AB3F9 75 07 jnz short 004AB402
004AB3FB C745 FC 0000000>mov dword ptr [ebp-4], 0
004AB402 EB 6E jmp short 004AB472
004AB404 8B4D 10 mov ecx, dword ptr [ebp+10]
004AB407 51 push ecx
004AB408 8B55 0C mov edx, dword ptr [ebp+C]
004AB40B 52 push edx
004AB40C B9 F84B7100 mov ecx, 00714BF8
004AB411 E8 1AECFFFF call 004AA030
004AB416 8945 FC mov dword ptr [ebp-4], eax
004AB419 EB 57 jmp short 004AB472
004AB41B 8B45 10 mov eax, dword ptr [ebp+10]
004AB41E 50 push eax
004AB41F 8B4D 0C mov ecx, dword ptr [ebp+C]
004AB422 51 push ecx
004AB423 B9 F84B7100 mov ecx, 00714BF8
004AB428 E8 33ECFFFF call 004AA060
004AB42D 8945 FC mov dword ptr [ebp-4], eax
004AB430 EB 40 jmp short 004AB472
004AB432 8B15 ACFEA900 mov edx, dword ptr [A9FEAC]
004AB438 8955 FC mov dword ptr [ebp-4], edx
004AB43B EB 35 jmp short 004AB472
004AB43D 833D B0B17100 0>cmp dword ptr [71B1B0], 0
004AB444 74 1C je short 004AB462
004AB446 8B45 0C mov eax, dword ptr [ebp+C]
004AB449 50 push eax
004AB44A 8B0D B0B17100 mov ecx, dword ptr [71B1B0]
004AB450 8B11 mov edx, dword ptr [ecx]
004AB452 8B0D B0B17100 mov ecx, dword ptr [71B1B0]
004AB458 8B42 04 mov eax, dword ptr [edx+4]
004AB45B FFD0 call eax
004AB45D 8945 FC mov dword ptr [ebp-4], eax
004AB460 EB 07 jmp short 004AB469
004AB462 C745 FC 0000000>mov dword ptr [ebp-4], 0
004AB469 EB 07 jmp short 004AB472
004AB46B C745 FC 0000000>mov dword ptr [ebp-4], 0
004AB472 8B45 FC mov eax, dword ptr [ebp-4]
004AB475 8DA5 30E6FFFF lea esp, dword ptr [ebp-19D0]
004AB47B 8B4D E0 mov ecx, dword ptr [ebp-20]
004AB47E 33CD xor ecx, ebp
004AB480 E8 93DA0800 call 00538F18
004AB485 8BE5 mov esp, ebp
004AB487 5D pop ebp
004AB488 C2 1000 retn 10
004AB48B 90 nop
004AB48C CF iretd
Post 15
After the target program crashes there is an exception message:
<Exception>
<ExceptionRecord ModuleName="E:\game\game.exe" ExceptionType="0xc0000005" ExceptionDescription="EXCEPTION_ACCESS_VIOLATION" ExceptionAddress="0X003A1202" />
The asm code related to 003A1202:
003A11E0 > 8B4424 08 mov eax, dword ptr [esp+8]
003A11E4 56 push esi
003A11E5 8B7424 08 mov esi, dword ptr [esp+8]
003A11E9 8BCE mov ecx, esi
003A11EB E8 10FEFFFF call 003A1000
003A11F0 83C0 10 add eax, 10
003A11F3 3B46 08 cmp eax, dword ptr [esi+8]
003A11F6 73 23 jnb short 003A121B
003A11F8 8D48 F0 lea ecx, dword ptr [eax-10]
003A11FB EB 03 jmp short 003A1200
003A11FD 8D49 00 lea ecx, dword ptr [ecx]
003A1200 8B10 mov edx, dword ptr [eax]
003A1202 8911 mov dword ptr [ecx], edx
003A1204 8B50 04 mov edx, dword ptr [eax+4]
003A1207 8951 04 mov dword ptr [ecx+4], edx
003A120A 8B51 18 mov edx, dword ptr [ecx+18]
003A120D 8951 08 mov dword ptr [ecx+8], edx
003A1210 83C0 10 add eax, 10
003A1213 83C1 10 add ecx, 10
003A1216 3B46 08 cmp eax, dword ptr [esi+8]
003A1219 ^ 72 E5 jb short 003A1200
003A121B 8346 08 F0 add dword ptr [esi+8], -10
003A121F 5E pop esi
003A1220 C3 retn
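The loop at 003A11F0..003A121B has the shape of Lua 5.1's lua_remove (an assumption read off the disassembly: esi is the lua_State, [esi+8] is its top pointer, stack slots are 16 bytes apart, and the call at 003A11EB maps a stack index to a slot). The C model below is an added example, not code from the post or from the target program: it re-creates that loop together with the precondition the real code silently relies on, so that it is clear how an index that no longer names a live slot makes the very first store (the instruction at the reported exception address) write through a bad pointer. Field layouts and the model_* names are assumptions.

```c
#include <stdint.h>
#include <string.h>

/* One Lua 5.1 stack slot as the crash-site loop treats it: an 8-byte value,
 * a 4-byte type tag, padded to the 16-byte stride of "add eax,10 / add ecx,10". */
typedef struct { union { double n; void *p; } value; int tt; int pad; } TValue;

/* Only the fields the disassembly touches; top at offset 8 matches [esi+8]
 * (assumed lua_State layout). */
typedef struct {
    uint8_t header[8];   /* CommonHeader + status in real Lua 5.1 */
    TValue *top;         /* first free slot */
    TValue *base;        /* slot for stack index 1 */
} MiniState;

/* Stand-in for the call at 003A11EB (index2adr): map a stack index to a slot,
 * or NULL when the index names no live slot. Real Lua 5.1 hands back a pointer
 * to a const nil object instead; storing through it faults at "mov [ecx], edx". */
static TValue *model_index2adr(MiniState *L, int idx) {
    int live = (int)(L->top - L->base);
    if (idx > 0 && idx <= live) return L->base + (idx - 1);
    if (idx < 0 && -idx <= live) return L->top + idx;
    return NULL;
}

/* The loop at 003A11F0..003A121B: shift every slot above idx down by one, then
 * lower top. Returns 0 on success, -1 when the precondition the real code skips fails. */
static int model_remove(MiniState *L, int idx) {
    TValue *p = model_index2adr(L, idx);
    if (p == NULL) return -1;          /* stale or out-of-range index: refuse */
    while (++p < L->top) {             /* add eax,10 ; cmp eax,[esi+8] ; jnb */
        (p - 1)->value = p->value;     /* [ecx]=[eax] ; [ecx+4]=[eax+4] */
        (p - 1)->tt = p->tt;           /* [ecx+8]=[ecx+18] */
    }
    L->top--;                          /* add dword ptr [esi+8], -10 */
    return 0;
}

/* Constructed scenario: a stack of 4 slots tagged 1..4, remove index 2, then try
 * two dead indexes. Returns 1 when the shift leaves tags 1,3,4 with top lowered
 * and both dead indexes are rejected, 0 otherwise. */
static int model_selfcheck(void) {
    TValue s[4]; MiniState L; memset(&L, 0, sizeof L);
    L.base = s; L.top = s + 4;
    for (int i = 0; i < 4; i++) { s[i].tt = i + 1; s[i].value.n = i + 1; }
    if (model_remove(&L, 2) != 0 || L.top != s + 3) return 0;
    if (s[0].tt != 1 || s[1].tt != 3 || s[2].tt != 4) return 0;
    return model_remove(&L, 7) == -1 && model_remove(&L, -4) == -1;
}
```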