Ability score: ( LV2,RANK:10 )
Post #2
The values around client memory 0x5629330 will be submitted to the server:
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
0056292E0 00 00 00 00 5C 5F 63 6C 5F 61 75 74 6F 77 65 70 ....\_cl_autowep
0056292F0 73 77 69 74 63 68 5C 30 5C 62 6F 74 74 6F 6D 63 switch\0\bottomc
005629300 6F 6C 6F 72 5C 30 5C 63 6C 5F 64 6C 6D 61 78 5C olor\0\cl_dlmax\
005629310 31 32 38 5C 63 6C 5F 6C 63 5C 31 5C 63 6C 5F 6C 128\cl_lc\1\cl_l
005629320 77 5C 31 5C 6D 6F 64 65 6C 5C 61 72 63 74 69 63 w\1\model\arctic
005629330 5C 6E 61 6D 65 5C E7 82 B9 E9 80 9A 5C 74 6F 70 \name\轤ケ騾喀top
005629340 63 6F 6C 6F 72 5C 30 5C 5F 76 67 75 69 5F 6D 65 color\0\_vgui_me
005629350 6E 75 73 5C 30 5C 5F 61 68 5C 30 5C 63 6C 5F 75 nus\0\_ah\0\cl_u
005629360 70 64 61 74 65 72 61 74 65 5C 31 30 31 5C 72 61 pdaterate\101\ra
005629370 74 65 5C 32 35 30 30 30 00 00 00 00 00 00 00 00 te\25000........
Here, what follows \name\ is what it looks like after I edited RAM with WinHex, i.e. "点通". After changing it to Chinese and submitting to the server, it shows unamed; if what follows \name\ is English letters, digits or symbols, it displays normally.
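As an added example (not code from the thread or from the game), here is a small C parser for the backslash-delimited userinfo string visible in the dump above, so the name value can be pulled out and inspected on its own. The sample string is constructed from the bytes shown in the dump, with the name field carrying the UTF-8 bytes E7 82 B9 E9 80 9A; `userinfo_get` and `value_has_high_bytes` are hypothetical helper names, not engine functions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample built from the client memory dump in the post:
   a "\key\value\key\value..." userinfo string whose name field holds the
   UTF-8 bytes E7 82 B9 E9 80 9A ("点通"). */
static const char SAMPLE_USERINFO[] =
    "\\_cl_autowepswitch\\0\\bottomcolor\\0\\cl_dlmax\\128\\cl_lc\\1\\cl_lw\\1"
    "\\model\\arctic\\name\\\xE7\x82\xB9\xE9\x80\x9A\\topcolor\\0\\_vgui_menus\\0"
    "\\_ah\\0\\cl_updaterate\\101\\rate\\25000";

/* Look up one key in a userinfo string. Copies the value into out (NUL
   terminated, truncated to outlen-1 bytes) and returns the value's full
   length, or -1 if the key is absent or the string is malformed. Keys are
   matched whole, so "name" does not match "_name". Added helper, not engine
   code. */
int userinfo_get(const char *info, const char *key, char *out, size_t outlen)
{
    size_t klen = strlen(key);
    const char *p = info;
    while (*p == '\\') {
        const char *k = p + 1;
        const char *kend = strchr(k, '\\');
        if (!kend)
            return -1;                         /* key with no value: malformed */
        const char *v = kend + 1;
        const char *vend = strchr(v, '\\');
        size_t vlen = vend ? (size_t)(vend - v) : strlen(v);
        if ((size_t)(kend - k) == klen && memcmp(k, key, klen) == 0) {
            if (outlen) {
                size_t n = vlen < outlen - 1 ? vlen : outlen - 1;
                memcpy(out, v, n);
                out[n] = 0;
            }
            return (int)vlen;
        }
        p = vend ? vend : v + vlen;            /* advance to the next pair */
    }
    return -1;
}

/* Report whether a value contains any byte >= 0x80, i.e. anything outside
   7-bit ASCII; this is what distinguishes the UTF-8 name from "25000". */
int value_has_high_bytes(const char *v)
{
    for (; *v; v++)
        if ((unsigned char)*v >= 0x80)
            return 1;
    return 0;
}

int main(void)
{
    char value[64];
    int n = userinfo_get(SAMPLE_USERINFO, "name", value, sizeof value);
    printf("name: %d bytes, contains high bytes: %d\n", n, value_has_high_bytes(value));
    n = userinfo_get(SAMPLE_USERINFO, "rate", value, sizeof value);
    printf("rate: %s (%d bytes)\n", value, n);
    return 0;
}
```

The parser treats the value as raw bytes, which is what the client sends; whether the receiving side then accepts those bytes is a separate question that the later posts in this thread trace in the server's disassembly.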
Post #3
Hahaha, going after CS now.
Post #4
I don't really like playing this game.
Post #5
On the server I set a breakpoint at the memory holding the data that gets passed to the client for its ID:
035A5A73 C3 retn
035A5A74 90 nop
035A5A75 90 nop
035A5A76 90 nop
035A5A77 90 nop
035A5A78 90 nop
035A5A79 90 nop
035A5A7A 90 nop
035A5A7B 90 nop
035A5A7C 90 nop
035A5A7D 90 nop
035A5A7E 90 nop
035A5A7F 90 nop
035A5A80 55 push ebp
035A5A81 8BEC mov ebp, esp
035A5A83 8B4D 0C mov ecx, dword ptr [ebp+C]
035A5A86 8B55 08 mov edx, dword ptr [ebp+8]
035A5A89 56 push esi
035A5A8A 8B75 10 mov esi, dword ptr [ebp+10]
035A5A8D 85C9 test ecx, ecx
035A5A8F 57 push edi
035A5A90 74 13 je short 035A5AA5
035A5A92 8A01 mov al, byte ptr [ecx]
035A5A94 84C0 test al, al
035A5A96 74 0D je short 035A5AA5
035A5A98 8BFE mov edi, esi
035A5A9A 4E dec esi
035A5A9B 85FF test edi, edi
035A5A9D 74 06 je short 035A5AA5
035A5A9F 8802 mov byte ptr [edx], al //breaks here
035A5AA1 42 inc edx
035A5AA2 41 inc ecx
035A5AA3 ^ 75 ED jnz short 035A5A92
035A5AA5 5F pop edi
035A5AA6 85F6 test esi, esi
035A5AA8 5E pop esi
035A5AA9 7E 03 jle short 035A5AAE
035A5AAB C602 00 mov byte ptr [edx], 0
035A5AAE 5D pop ebp
035A5AAF C3 retn
EAX 00000065
ECX 0012F6B5 ASCII "e\25000\name\unamed" //unamed is what the server shows after filtering out the Chinese (it should display "点通", UTF-8: E782B9E9809A)
EDX 071A60E1
EBX 00000000
ESP 0012EBF8
EBP 0012EC00
ESI 0000007E
EDI 0000007F
EIP 035A5A9F swds.035A5A9F
C 0 ES 0023 32bit 0(FFFFFFFF)
P 0 CS 001B 32bit 0(FFFFFFFF)
A 0 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 0 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00010202 (NO,NB,NE,A,NS,PO,GE,G)
ST0 empty 1.0000000000000000000
ST1 empty 0.0
ST2 empty 0.0107647663921568336
ST3 empty -317.25524374842644480
ST4 empty -554.37171864509583360
ST5 empty 90.509668350219724800
ST6 empty 0.0071629683608450368
ST7 empty 0.0
3 2 1 0 E S P U O Z D I
FST 4023 Cond 1 0 0 0 Err 0 0 1 0 0 0 1 1 (EQ)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
Server memory:
071A605B 5C 5F 63 6C 5F 61 75 74 6F 77 65 \_cl_autowe
071A606B 70 73 77 69 74 63 68 5C 30 5C 62 6F 74 74 6F 6D pswitch\0\bottom
071A607B 63 6F 6C 6F 72 5C 30 5C 63 6C 5F 64 6C 6D 61 78 color\0\cl_dlmax
071A608B 5C 31 32 38 5C 63 6C 5F 6C 63 5C 31 5C 63 6C 5F \128\cl_lc\1\cl_
071A609B 6C 77 5C 31 5C 6D 6F 64 65 6C 5C 61 72 63 74 69 lw\1\model\arcti
071A60AB 63 5C 74 6F 70 63 6F 6C 6F 72 5C 30 5C 5F 76 67 c\topcolor\0\_vg
071A60BB 75 69 5F 6D 65 6E 75 73 5C 30 5C 5F 61 68 5C 30 ui_menus\0\_ah\0
071A60CB 5C 63 6C 5F 75 70 64 61 74 65 72 61 74 65 5C 31 \cl_updaterate\1
071A60DB 30 31 5C 72 61 74 00 00 00 00 00 00 00 00 00 00 01\rat..........//breakpoint set here
071A60EB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
071A60FB 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
071A610B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
071A611B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
071A612B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
071A613B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
071A614B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
071A615B 00 00 00 00 00 00 00 00 00 F0 F7 F3 41 35 36 35 .........瘅驛565
071A616B 63 62 65 31 63 66 64 30 62 35 39 32 62 62 63 36 cbe1cfd0b592bbc6
071A617B 38 36 34 32 62 32 62 65 33 62 38 65 36 00 00 00 8642b2be3b8e6...
071A618B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
071A619B 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6E 61 ..............na
071A61AB 6D 65 64 med
Note: testing shows that if the value following ASCII "e\25000\name\" on line 071A60DB (the memory breakpoint location; currently unamed) is the same as the ASCII value on line 071A619B (currently named), the client displays that ASCII value; if they differ, it displays unamed.
Now, how do I find where the program does the filtering? Thanks.
Post #6
035A70A0 /$ 56 push esi
035A70A1 |. 33F6 xor esi, esi
035A70A3 |. E8 88FDFFFF call 035A6E30 //the key call?
035A70A8 |. 83F8 FF cmp eax, -1
035A70AB |. 74 22 je short 035A70CF
035A70AD |> 85C0 /test eax, eax
035A70AF |. 74 1E |je short 035A70CF
035A70B1 |. 83F8 0A |cmp eax, 0A
035A70B4 |. 74 19 |je short 035A70CF
035A70B6 |. 8886 54068803 |mov byte ptr [esi+3880654], al //the FFFFFF in EAX is not written, because of this al
035A70BC |. 46 |inc esi
035A70BD |. 81FE FF070000 |cmp esi, 7FF
035A70C3 |. 73 0A |jnb short 035A70CF
035A70C5 |. E8 66FDFFFF |call 035A6E30
035A70CA |. 83F8 FF |cmp eax, -1
035A70CD |.^ 75 DE \jnz short 035A70AD
035A70CF |> C686 54068803>mov byte ptr [esi+3880654], 0
035A70D6 |. B8 54068803 mov eax, 03880654 ; ASCII 63,"onnect 48 605249322 ""\prot\3\unique\-1\raw\steam\cdkey\565cbe1cfd0b592bbc68642b2be3b8e6"" ""\_cl_auto"
035A70DB |. 5E pop esi
035A70DC \. C3 retn
EAX FFFFFFE7 //See it? Chinese gets FFFFFF prepended in front, while normal data looks like 0000006C
ECX 000000B2
EDX 03DCD620 swds.03DCD620
EBX 7E42A340 USER32.PeekMessageA
ESP 0012FAC0
EBP 0012FAD8
ESI 000000AD
EDI 00000000
EIP 035A70BC swds.035A70BC
C 0 ES 0023 32bit 0(FFFFFFFF)
P 1 CS 001B 32bit 0(FFFFFFFF)
A 1 SS 0023 32bit 0(FFFFFFFF)
Z 0 DS 0023 32bit 0(FFFFFFFF)
S 1 FS 003B 32bit 7FFDF000(FFF)
T 0 GS 0000 NULL
D 0
O 0 LastErr ERROR_SUCCESS (00000000)
EFL 00000296 (NO,NB,NE,A,S,PE,L,LE)
ST0 empty -6.1413354853043189760e-2235
ST1 empty -4.1943969555812971520e+1131
ST2 empty -9.1242693181852497920e+4103
ST3 empty -4.7815533112118016000e-1414
ST4 empty 1.8031373271307578880e-4777
ST5 empty 3.3734323420923919360e-4932
ST6 empty 0.0065427415040146088
ST7 empty 1.0000000000000000000
3 2 1 0 E S P U O Z D I
FST 0023 Cond 0 0 0 0 Err 0 0 1 0 0 0 1 1 (GT)
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1
The call above:
035A6E30 /$ A1 0833E703 mov eax, dword ptr [3E73308]
035A6E35 |. 8B15 F0D5DC03 mov edx, dword ptr [3DCD5F0]
035A6E3B |. 8D48 01 lea ecx, dword ptr [eax+1]
035A6E3E |. 3BCA cmp ecx, edx
035A6E40 |. 7E 0E jle short 035A6E50
035A6E42 |. C705 0C33E703>mov dword ptr [3E7330C], 1
035A6E4C 83C8 FF or eax, FFFFFFFF
035A6E4F |. C3 retn
035A6E50 |> 8B15 E8D5DC03 mov edx, dword ptr [3DCD5E8] ; swds.03DCD620
035A6E56 |. 890D 0833E703 mov dword ptr [3E73308], ecx
035A6E5C |. 0FBE0402 movsx eax, byte ptr [edx+eax]
035A6E60 \. C3 retn
035A6E3B |. 8D48 01 lea ecx, dword ptr [eax+1]
035A6E4C 83C8 FF or eax, FFFFFFFF
035A6E5C |. 0FBE0402 movsx eax, byte ptr [edx+eax] //I don't understand what this instruction means. After it, the Chinese UTF-8 byte (e.g. E7) gets extended to FFFFFFE7, why??? The memory value at EDX 03DCD620 here is FFFF
How should these three instructions be understood?
Post #7
Already cracked it.
http://www.dt-club.net/forum/viewthread.php?tid=42415
Post #8
The OP solved it himself.
Impressive.
Is there any tutorial to pass down?
Post #9
With part of the code explained it becomes clear:
01DA4BBF |. /74 4A je short 01DA4C0B
01DA4BC1 |> |83FA 32 /cmp edx, 32
01DA4BC4 |. |7D 45 |jge short 01DA4C0B
01DA4BC6 |> |3C 20 |/cmp al, 20
01DA4BC8 |. |7E 04 ||jle short 01DA4BCE //jumps if not within the ASCII table, no need to care
01DA4BCA |. |3C 7E ||cmp al, 7E
01DA4BCC |7E 0A jle short 01DA4BD8 //jumps if not within the ASCII table, jmp'd away
01DA4BCE |> |8A41 01 ||mov al, byte ptr [ecx+1]
01DA4BD1 |. |41 ||inc ecx
01DA4BD2 |. |84C0 ||test al, al
01DA4BD4 |.^|75 F0 |\jnz short 01DA4BC6
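As an added example (not code from the thread or from the server), the C below models the three pieces of disassembly that posts 6 and 9 ask about: the byte reader at 035A6E30 that sign-extends with movsx, the token loop at 035A70A0 that stores only al, and the scan at 01DA4BC6 whose cmp/jle pairs are signed byte comparisons. The reader struct, the function names and the sample bytes are assumptions constructed for the demonstration; treating the scan loop as the whole name check is also an assumption, since the post shows only the loop.

```c
#include <stdio.h>

/* Constructed sample: the six UTF-8 bytes of "点通" from the thread's dumps. */
static const unsigned char SAMPLE_NAME_UTF8[] = { 0xE7, 0x82, 0xB9, 0xE9, 0x80, 0x9A, 0x00 };

/* Reader state standing in for the three globals used at 035A6E30
   (base pointer, length, current index); the field names are assumptions. */
struct reader {
    const unsigned char *data;
    int len;
    int pos;
};

/* Modeled on 035A6E30: -1 once the index passes the length (or eax, -1),
   otherwise the next byte SIGN-extended (movsx eax, byte ptr [edx+eax]).
   Bit 7 of the byte is copied into the upper 24 bits, so 0xE7 comes back as
   -25, i.e. 0xFFFFFFE7 in EAX, while 'l' (0x6C) comes back as 0x0000006C. */
int read_char_signed(struct reader *r)
{
    if (r->pos + 1 > r->len)                 /* lea ecx,[eax+1]; cmp ecx,edx; jle */
        return -1;
    return (int)(signed char)r->data[r->pos++];
}

/* The same reader with movzx semantics, for comparison: 0xE7 stays 0xE7. */
int read_char_unsigned(struct reader *r)
{
    if (r->pos + 1 > r->len)
        return -1;
    return (int)r->data[r->pos++];
}

/* Modeled on the loop at 035A70A0: copy bytes until EOF (-1), NUL or '\n',
   storing at most maxlen-1 bytes and then a terminating 0. Only the low byte
   (al) is stored, which is why the FFFFFF in EAX never reaches the buffer and
   the UTF-8 bytes survive intact at this stage. */
size_t read_token(struct reader *r, unsigned char *out, size_t maxlen)
{
    size_t n = 0;
    int c = read_char_signed(r);
    while (c != -1 && c != 0 && c != 0x0A && n + 1 < maxlen) {
        out[n++] = (unsigned char)c;         /* mov byte ptr [esi+buf], al */
        c = read_char_signed(r);
    }
    out[n] = 0;
    return n;
}

/* Modeled on the scan at 01DA4BC6: "cmp al,20 / jle" and "cmp al,7E / jle"
   compare the byte as a signed value. A UTF-8 byte (>= 0x80) is negative,
   so it always takes the first jle and is skipped; the loop only leaves
   early (01DA4BD8) for a byte strictly inside (0x20, 0x7E]. Returns 1 when
   such a byte exists and 0 when the scan runs off the end of the string. */
int has_printable_ascii_signed(const unsigned char *name)
{
    for (; *name; name++) {
        signed char c = (signed char)*name;
        if (c <= 0x20) continue;             /* jle short 01DA4BCE */
        if (c <= 0x7E) return 1;             /* jle short 01DA4BD8 */
    }
    return 0;
}

int main(void)
{
    struct reader r = { SAMPLE_NAME_UTF8, 6, 0 };
    unsigned char tok[0x800];
    int first = read_char_signed(&r);
    printf("first byte via movsx: %d (0x%08X)\n", first, (unsigned)first);
    r.pos = 0;
    printf("token length: %zu\n", read_token(&r, tok, sizeof tok));
    printf("has printable ASCII (UTF-8 name): %d\n", has_printable_ascii_signed(tok));
    printf("has printable ASCII (\"e\\25000\"): %d\n",
           has_printable_ascii_signed((const unsigned char *)"e\\25000"));
    return 0;
}
```

Two points worth noting from running it: the sign extension is harmless in the copy loop because only al is stored, but it makes a byte of 0xFF indistinguishable from the -1 end-of-data marker, the same reason getc() returns an int and callers must not compare a plain char against EOF; and the later scan never needs to see the upper bits at all, because a signed byte compare already puts every byte of a multi-byte UTF-8 sequence below 0x20.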