发包函数:
WSASend WSASendTo send sendto
bp WSASend
004AAD0E 8985 44DFFFFF MOV DWORD PTR SS:[EBP-20BC],EAX
004AAD14 8B47 10 MOV EAX,DWORD PTR DS:[EDI+10]
004AAD17 52 PUSH EDX
004AAD18 83C6 0F ADD ESI,0F
004AAD1B 50 PUSH EAX
004AAD1C 89B5 40DFFFFF MOV DWORD PTR SS:[EBP-20C0],ESI ; 修炼call1
004AAD22 FF15 E0269F00 CALL DWORD PTR DS:[<&WS2_32.WSASend>] ; ws2_32.WSASend
004AAD28 68 00200000 PUSH 2000
004AAD2D 8D8D 50DFFFFF LEA ECX,DWORD PTR SS:[EBP-20B0]
004AAD33 51 PUSH ECX
004AAD34 6A 03 PUSH 3
004AAD36 8BF0 MOV ESI,EAX
004AAD38 E8 F3B04E00 CALL Client.00995E30
004AAD3D 83FE FF CMP ESI,-1
004AAD40 74 04 JE SHORT Client.004AAD46
004AAD42 85F6 TEST ESI,ESI
004AAD44 74 06 JE SHORT Client.004AAD4C
004AAD46 FF15 94269F00 CALL DWORD PTR DS:[<&WS2_32.#111>] ; ws2_32.WSAGetLastError
004AAD4C 8B4D F4 MOV ECX,DWORD PTR SS:[EBP-C]
004F7CBF CC INT3
; 004F7CC0 — packet builder. Looks like thiscall: ECX is used as an object
; pointer before any load, three DWORD args come from the stack, RETN 0C.
; Only four fields of the buffer are written ([+0],[+2],[+6],[+13E]); bytes
; 0x0A..0x13D are left as whatever the caller's buffer already held, yet the
; whole 0x142 bytes are handed to the next call — uninitialized bytes go out.
004F7CC0 55 PUSH EBP
004F7CC1 8BEC MOV EBP,ESP
004F7CC3 66:8B49 14 MOV CX,WORD PTR DS:[ECX+14]   ; CX = WORD at this+0x14
004F7CC7 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]     ; EAX = arg1: output buffer pointer
004F7CCA 8B55 0C MOV EDX,DWORD PTR SS:[EBP+C]     ; EDX = arg2
004F7CCD 66:8908 MOV WORD PTR DS:[EAX],CX         ; buf[0x00] (WORD) = this+0x14
004F7CD0 8B4D 10 MOV ECX,DWORD PTR SS:[EBP+10]    ; ECX = arg3
004F7CD3 C740 02 45003C0>MOV DWORD PTR DS:[EAX+2],Client.013C0045 ; buf[0x02] (DWORD) = constant 0x013C0045
004F7CDA 68 42010000 PUSH 142                     ; length 0x142 = 0x13E + 4, i.e. the end of the last field written below
004F7CDF 8950 06 MOV DWORD PTR DS:[EAX+6],EDX     ; buf[0x06] (DWORD) = arg2
004F7CE2 8988 3E010000 MOV DWORD PTR DS:[EAX+13E],ECX ; buf[0x13E] (DWORD) = arg3
004F7CE8 8B0D 8038F300 MOV ECX,DWORD PTR DS:[F33880] ; ECX = global object at [F33880], object pointer for the next call
004F7CEE 50 PUSH EAX                              ; buffer pointer
004F7CEF E8 1C2CFBFF CALL Client.004AA910 ; training call 2 (修炼call2) — takes (buf, 0x142); presumably the send path (the WSASend at 004AAD22 lies past this address) — confirm
004F7CF4 5D POP EBP ; 0018CCD8
004F7CF5 C2 0C00 RETN 0C                         ; callee cleans the three DWORD args
004F7CF8 CC INT3
006C36D0 /0F85 AA020000 JNZ Client.006C3980
006C36D6 |8D8D F4D7FFFF LEA ECX,DWORD PTR SS:[EBP-280C]
006C36DC |E8 CF66D4FF CALL Client.00409DB0
006C36E1 |83BCB7 60030000>CMP DWORD PTR DS:[EDI+ESI*4+360],0
006C36E9 |0F84 91020000 JE Client.006C3980
006C36EF |8B8CB7 60030000 MOV ECX,DWORD PTR DS:[EDI+ESI*4+360]
006C36F6 |A1 F43DF902 MOV EAX,DWORD PTR DS:[2F93DF4]
006C36FB |8B51 4C MOV EDX,DWORD PTR DS:[ECX+4C]
006C36FE |8B0D ACBE1D03 MOV ECX,DWORD PTR DS:[31DBEAC]
006C3704 |50 PUSH EAX
006C3705 |52 PUSH EDX
006C3706 |8D85 F4D7FFFF LEA EAX,DWORD PTR SS:[EBP-280C]
006C370C |50 PUSH EAX
006C370D |E8 AE45E3FF CALL Client.004F7CC0 ; 修炼call3
006C3712 |E9 69020000 JMP Client.006C3980
006C3717 |83FE 48 CMP ESI,48
006C371A |0F8C FB000000 JL Client.006C381B
006C3720 |83FE 68 CMP ESI,68
00763978 /74 6E JE SHORT Client.007639E8
0076397A |8B0D 0CA4F500 MOV ECX,DWORD PTR DS:[F5A40C]
00763980 |83B9 28020000 0>CMP DWORD PTR DS:[ECX+228],0
00763987 |75 5F JNZ SHORT Client.007639E8
00763989 |837E 40 00 CMP DWORD PTR DS:[ESI+40],0
0076398D |74 59 JE SHORT Client.007639E8
0076398F |80BE 28020000 0>CMP BYTE PTR DS:[ESI+228],0
00763996 |74 1C JE SHORT Client.007639B4
00763998 |8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
0076399B |85C9 TEST ECX,ECX
0076399D |74 15 JE SHORT Client.007639B4
0076399F |8B86 4C020000 MOV EAX,DWORD PTR DS:[ESI+24C]
007639A5 |8B11 MOV EDX,DWORD PTR DS:[ECX]
007639A7 |8B52 04 MOV EDX,DWORD PTR DS:[EDX+4]
007639AA |6A 00 PUSH 0
007639AC |50 PUSH EAX
007639AD |68 F4030000 PUSH 3F4
007639B2 |FFD2 CALL EDX ; 修炼call4
007639B4 |5F POP EDI ; Client.009F6308
007639B5 |5B POP EBX
007639B6 |C686 28020000 0>MOV BYTE PTR DS:[ESI+228],0
007639BD |B8 01000000 MOV EAX,1
007639C2 |5E POP ESI
007639C3 |5D POP EBP
007639C4 |C2 0C00 RETN 0C
007639C7 |8B86 34020000 MOV EAX,DWORD PTR DS:[ESI+234]
007639CD |85C0 TEST EAX,EAX
由修炼call4得到如下的代码
; Reconstruction of the virtual call traced at 0076399F–007639B2.
; NOTE(review): radix notation is mixed here (0x-prefixed, bare hex "3f4",
; and "0d"); the traced listing is OllyDbg output where bare numbers are hex,
; so "0d" is ambiguous (0 or 0xD?) — confirm against the trace.
mov ecx, 0x1AC77730                 ; object pointer hard-coded; in the trace (00763998) ECX was loaded from [ESI+4]
MOV EDX,DWORD PTR DS:[ECX]          ; EDX = first DWORD of the object
MOV EDX,DWORD PTR DS:[EDX+4]        ; EDX = second entry of that table (looks like a vtable dispatch)
push 0                              ; third argument, 0 in the trace (007639AA)
push 0d                             ; second argument; in the trace this was EAX = [ESI+24C], not a constant
push 3f4                            ; first argument 0x3F4
call edx                            ; training call 4 (修炼call4); callee cleans its args (the trace has no add esp afterwards)
由修炼call3得到如下的代码
006C3640 . 8B94B7 E00300>MOV EDX,DWORD PTR DS:[EDI+ESI*4+3E0]
006C3647 . 66:83BA F6010>CMP WORD PTR DS:[EDX+1F6],0
006C364F . 0F85 2B030000 JNZ Client.006C3980
006C3655 . 8D8D F4D7FFFF LEA ECX,DWORD PTR SS:[EBP-280C]
006C365B . E8 5067D4FF CALL Client.00409DB0
006C3660 . 8B8CB7 E00300>MOV ECX,DWORD PTR DS:[EDI+ESI*4+3E0]
006C3667 . E9 8A000000 JMP Client.006C36F6
006C366C > 83FE 2C CMP ESI,2C
006C366F . 0F8C A2000000 JL Client.006C3717
006C3675 > 83FE 48 CMP ESI,48
006C3678 . 0F8D A2000000 JGE Client.006C3720
006C367E . 803D C1671B03>CMP BYTE PTR DS:[31B67C1],0
006C36D6 . 8D8D F4D7FFFF LEA ECX,DWORD PTR SS:[EBP-280C]
006C36DC . E8 CF66D4FF CALL Client.00409DB0
006C36E1 . 83BCB7 600300>CMP DWORD PTR DS:[EDI+ESI*4+360],0
006C36E9 . 0F84 91020000 JE Client.006C3980
006C36EF . 8B8CB7 600300>MOV ECX,DWORD PTR DS:[EDI+ESI*4+360]
006C36F6 > A1 F43DF902 MOV EAX,DWORD PTR DS:[2F93DF4]
006C36FB . 8B51 4C MOV EDX,DWORD PTR DS:[ECX+4C]
006C36FE . 8B0D ACBE1D03 MOV ECX,DWORD PTR DS:[31DBEAC]
006C3704 . 50 PUSH EAX ; 000066F9
006C3705 . 52 PUSH EDX ; 00030DA5,00030DA6
006C3706 . 8D85 F4D7FFFF LEA EAX,DWORD PTR SS:[EBP-280C]
006C370C . 50 PUSH EAX ; 0018A4CC
006C370D . E8 AE45E3FF CALL Client.004F7CC0 ; 修炼call3
006C3712 . E9 69020000 JMP Client.006C3980
006C3717 > 83FE 48 CMP ESI,48
006C371A . 0F8C FB000000 JL Client.006C381B
最后得到的修炼call为:
; Reconstruction of the call site traced at 006C36F6–006C370D.
; NOTE(review): the stack layout differs from the trace. There the buffer
; lived in the caller's frame ([EBP-280C]) and the three pushes were
; consecutive. Here the 0x150-byte buffer is carved out *between* the two
; value pushes and the pointer push, so inside 004F7CC0 [EBP+C] and [EBP+10]
; read the first 8 bytes of the (uninitialized) buffer instead of EDX/EAX.
; The totals do balance (0x15C pushed, 0xC + 0x150 popped) — verify with a trace.
mov edi ,[31B85B0]                  ; EDI = global object at [31B85B0]
MOV ECX,DWORD PTR DS:[EDI+414]      ; ECX = [EDI+0x410+4*1] per the formula below; the trace read this from [EDI+ESI*4+360]/[+3E0]
MOV EAX,DWORD PTR DS:[2F93DF4]      ; EAX = global, pushed first in the trace (006C3704)
MOV EDX,DWORD PTR DS:[ECX+4C]       ; EDX = object+0x4C (listed as 服务器ID below)
MOV ECX,DWORD PTR DS:[31DBEAC]      ; ECX = object pointer for 004F7CC0, which reads WORD [ECX+14]
push eax                            ; intended arg3
push edx                            ; intended arg2
sub esp,150                         ; 0x150 bytes of scratch; 004F7CC0 writes up to offset 0x142, nothing initializes the rest
lea eax,[esp]
push eax                            ; arg1 = buffer pointer
call 004f7cc0                       ; training call 3 (修炼call3); RETN 0C pops 12 bytes
add esp,150
*********************************************************************
最后得到的算法为
dd [31B85B0]+410+4*1
+8 //技能类型 1B表示技能书 1C表示技能书中的技能
+0c //表示所有对象数组ID
+4C //服务器ID
+5c //技能名字
+0b1 //玩家职业
+1f6 //是否修炼 (WORD表示)