目标:
1、分析動作數組
2、分析攻擊與打坐
思路:
通過選中對象逆向回溯出動作數組
通過動作對象通路逆向回溯到攻擊CALL附近
封包斷點bp WSASend
225F5050
225F5298
225F54E0
//背包對象 怪物對象 動作對象 玩家對象
0061BD29 |. BE 40E71C03 MOV ESI,Client.031CE740
//動作對象數組
dd [31A9A98]+410+4*0
0079D2CF - 80 B8 30020000 00 - cmp byte ptr [eax+00000230],00
0079D2D6 - 75 6D - jne Client.exe+39D345
0079D2D8 - 8B 8C 9F 10040000 - mov ecx,[edi+ebx*4+00000410] << 從這裡 F8單步步過跟
0079D2DF - 85 C9 - test ecx,ecx
0079D2E1 - 74 62 - je Client.exe+39D345
0079DB98 - 83 BF 08160000 35 - cmp dword ptr [edi+00001608],35
0079DB9F - 75 1F - jne Client.exe+39DBC0
0079DBA1 - 8B 84 9F 10040000 - mov eax,[edi+ebx*4+00000410] <<
0079DBA8 - 85 C0 - test eax,eax
0079DBAA - 74 14 - je Client.exe+39DBC0
0079DB2E |. /E9 D9000000 JMP Client.0079DC0C
0079DB33 |> |83F8 FF CMP EAX,-1
0079DB36 |. |0F84 D0000000 JE Client.0079DC0C
0079DB3C |. |50 PUSH EAX
0079DB3D |. |6A 01 PUSH 1
0079DB3F |. |6A 00 PUSH 0
0079DB41 |. |8BCF MOV ECX,EDI
0079DB43 |. |E8 B80FFFFF CALL Client.0078EB00
0079DB48 |. |E9 BF000000 JMP Client.0079DC0C
0079DB4D |> |8B8F 08160000 MOV ECX,DWORD PTR DS:[EDI+1608]
0079DB53 |. |8B97 D01B0000 MOV EDX,DWORD PTR DS:[EDI+1BD0]
0079DB59 |. |53 PUSH EBX
0079DB5A |. |51 PUSH ECX
0079DB5B |. |52 PUSH EDX
0079DB5C |. |8BCF MOV ECX,EDI
0079DB5E |. |E8 9D0FFFFF CALL Client.0078EB00
0079DB63 |. |E9 A4000000 JMP Client.0079DC0C
0079DB68 |> |E8 A3B2F2FF CALL Client.006C8E10
0079DB6D |. |84C0 TEST AL,AL
0079DB6F |. |0F85 97000000 JNZ Client.0079DC0C
0079DB75 |. |803D 318B1A03>CMP BYTE PTR DS:[31A8B31],1
0079DB7C |. |0F84 8A000000 JE Client.0079DC0C
0079DB82 |. |8B87 08160000 MOV EAX,DWORD PTR DS:[EDI+1608]
0079DB88 |. |8B8F D01B0000 MOV ECX,DWORD PTR DS:[EDI+1BD0]
0079DB8E |. |53 PUSH EBX ; 對象在數組裡的下标
0079DB8F |. |50 PUSH EAX ; 35
0079DB90 |. |51 PUSH ECX ; 5
0079DB91 |. |8BCF MOV ECX,EDI
0079DB93 |. |E8 1878FFFF CALL Client.007953B0 ; ecx=[31A9A98]
0079DB98 |. |83BF 08160000>CMP DWORD PTR DS:[EDI+1608],35
0079DB9F |. |75 1F JNZ SHORT Client.0079DBC0
0079DBA1 |. |8B849F 100400>MOV EAX,DWORD PTR DS:[EDI+EBX*4+410] ; ebx動作下标
0079DBA8 |. |85C0 TEST EAX,EAX
0079DBAA |. |74 14 JE SHORT Client.0079DBC0
0079DBAC |. |8B50 4C MOV EDX,DWORD PTR DS:[EAX+4C]
0079DBAF |. |A1 E018F400 MOV EAX,DWORD PTR DS:[F418E0]
0079DBB4 |. |8B88 7C020000 MOV ECX,DWORD PTR DS:[EAX+27C]
0079DBBA |. |52 PUSH EDX
0079DBBB |. |E8 F0BAEDFF CALL Client.006796B0 ; 動作使用CALL
0079DBC0 |> |83BF 08160000>CMP DWORD PTR DS:[EDI+1608],36
0079DBC7 |. |75 20 JNZ SHORT Client.0079DBE9
0079DBC9 |. |8B849F 100400>MOV EAX,DWORD PTR DS:[EDI+EBX*4+410]
0079DBD0 |. |85C0 TEST EAX,EAX
0079DBD2 |. |74 15 JE SHORT Client.0079DBE9
0079DBD4 |. |8B48 4C MOV ECX,DWORD PTR DS:[EAX+4C]
0079DBD7 |. |8B15 E018F400 MOV EDX,DWORD PTR DS:[F418E0]
mov ebx,2
mov edi,31A9A98
mov edi,[edi]
mov eax,[edi+410+4*ebx]
mov edx,[eax+4c]
mov eax,[0xf418E0]
MOV ECX,DWORD PTR DS:[EAX+27C]
push edx
call 006796b0
#define Base_ActionList 0x31C1EB0
+5C 名字
8B91380200002B9134020000B8ABAAAA2AF7EAD1FA8BC253c1E81F33db03c274 //第一個 能搜到 共2個
+0x31 //00677AD1-00677AA0
dc [[0x31C1EB0]+410]+5c
00677A9F CC INT3
00677AA0 8B91 38020000 MOV EDX,DWORD PTR DS:[ECX+0x238]
00677AA6 2B91 34020000 SUB EDX,DWORD PTR DS:[ECX+0x234]
00677AAC B8 ABAAAA2A MOV EAX,0x2AAAAAAB
00677AB1 F7EA IMUL EDX
00677AB3 D1FA SAR EDX,1
00677AB5 8BC2 MOV EAX,EDX
00677AB7 53 PUSH EBX
00677AB8 C1E8 1F SHR EAX,0x1F
00677ABB 33DB XOR EBX,EBX
00677ABD 03C2 ADD EAX,EDX
00677ABF 74 7C JE SHORT Client.00677B3D
00677AC1 56 PUSH ESI
00677AC2 57 PUSH EDI
00677AC3 BE 10040000 MOV ESI,0x410
00677AC8 EB 06 JMP SHORT Client.00677AD0
00677ACA 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
00677AD0 A1 B01E1C03 MOV EAX,DWORD PTR DS:[0x31C1EB0] //基址
00677AD5 833C06 00 CMP DWORD PTR DS:[ESI+EAX],0x0
00677AA0 8B91 38020000 MOV EDX,DWORD PTR DS:[ECX+0x238]
00677AA6 2B91 34020000 SUB EDX,DWORD PTR DS:[ECX+0x234]
00677AAC B8 ABAAAA2A MOV EAX,0x2AAAAAAB
00677AB1 F7EA IMUL EDX
00677AB3 D1FA SAR EDX,1
00677AB5 8BC2 MOV EAX,EDX
00677AB7 53 PUSH EBX
00677AB8 C1E8 1F SHR EAX,0x1F
00677ABB 33DB XOR EBX,EBX
00677ABD 03C2 ADD EAX,EDX
00677ABF 74 7C JE SHORT Client.00677B3D
00677AC1 56 PUSH ESI
00677AC2 57 PUSH EDI
00677AC3 BE 10040000 MOV ESI,0x410
00677AC8 EB 06 JMP SHORT Client.00677AD0
00677ACA 8D9B 00000000 LEA EBX,DWORD PTR DS:[EBX]
00677AD0 A1 B01E1C03 MOV EAX,DWORD PTR DS:[0x31C1EB0] ; 動作基址
00677AD5 833C06 00 CMP DWORD PTR DS:[ESI+EAX],0x0
00677AD9 74 3C JE SHORT Client.00677B17
00677ADB 8B0406 MOV EAX,DWORD PTR DS:[ESI+EAX]
00677ADE 8B50 4C MOV EDX,DWORD PTR DS:[EAX+0x4C]
00677AE1 8B78 50 MOV EDI,DWORD PTR DS:[EAX+0x50]
007AAAAF /0F85 97000000 JNZ Client.007AAB4C
007AAAB5 |803D 490F1C03 0>CMP BYTE PTR DS:[0x31C0F49],0x1
007AAABC |0F84 8A000000 JE Client.007AAB4C
007AAAC2 |8B87 08160000 MOV EAX,DWORD PTR DS:[EDI+0x1608]
007AAAC8 |8B8F D01B0000 MOV ECX,DWORD PTR DS:[EDI+0x1BD0]
007AAACE |53 PUSH EBX ; 下标
007AAACF |50 PUSH EAX ; 1
007AAAD0 |51 PUSH ECX ; 0
007AAAD1 |8BCF MOV ECX,EDI
007AAAD3 |E8 08EAFEFF CALL Client.007994E0 ; 背包物品使用CALL //動作使用CALL
007AAAD8 |83BF 08160000 3>CMP DWORD PTR DS:[EDI+0x1608],0x35
007AAADF |75 1F JNZ SHORT Client.007AAB00
007AAAE1 |8B849F 10040000 MOV EAX,DWORD PTR DS:[EDI+EBX*4+0x410]