发表于 2017-9-1 10:55:15
最终结果:
dd [[2CE4DCC]+0AE0]+40 数组起始指针
dd [[2CE4DCC]+0AE0]+44 数组结束指针
结构体数组
dd [[[2CE4DCC]+0AE0]+40]+38*n+4 物品位置:除以 0x64,余数是格数,商是页数;符文页 100 开头,普通 200 开头,材料 300 开头(关注微信公众号:任鸟飞逆向);如果遍历到 0-99 的位置,说明不在物品栏里
dd [[[2CE4DCC]+0AE0]+40]+38*n+8 物品ID
dd [[[2CE4DCC]+0AE0]+40]+38*n+C 物品数量
分析过程以及特征码:
由于背包没有消耗品,所以我们只能从背包物品的位置,名字等其他属性入手
如果从位置入手,可以,但是我们要搜索未知初始值,扫描精确的数值是扫描不到的,说明有加密或者规则运算
我们也可以从物品名字入手
搜索UNICODE型的名字,当然每种编码我们都要尝试的,并且分别下访问断,其中一个地址会在光标放在物品上时断下
然后向上追,追到了所有物品名字遍历的位置,说明并不是在背包遍历中,那么我们需要在堆栈中找线索,否则这个地址的访问对我们是没用的
我们发现堆栈里有物品的ID字串,顺着堆栈往下搜索,搜索到它最先出现的位置
关注微信公众号:任鸟飞逆向
回车到这个位置,代码如下:
0070C337 E8 DAC3E2FF call 00538716
0070C33C 8BC8 mov ecx, eax
0070C33E E8 BFBEF800 call 01698202
0070C343 8BF8 mov edi, eax
0070C345 85FF test edi, edi
0070C347 0F84 24130000 je 0070D671
0070C34D 8D8D D8EAFFFF lea ecx, dword ptr [ebp-1528]
0070C353 E8 F90BF0FF call 0060CF51
0070C358 33C0 xor eax, eax
0070C35A 8945 FC mov dword ptr [ebp-4], eax
0070C35D 8D85 D8EAFFFF lea eax, dword ptr [ebp-1528]
0070C363 50 push eax
0070C364 FFB5 08ECFFFF push dword ptr [ebp-13F8]
0070C36A 8BCF mov ecx, edi
0070C36C E8 9CECFB00 call 016CB00D
0070C371 8885 27ECFFFF mov byte ptr [ebp-13D9], al
0070C377 84C0 test al, al
0070C379 74 0A je short 0070C385
0070C37B 83FB FF cmp ebx, -1
0070C37E 0F449D E0EAFFFF cmove ebx, dword ptr [ebp-1520]
0070C385 53 push ebx ; 这个是传递进来的物品ID,这个是真正的ID
0070C386 E8 003DE3FF call 0054008B ; 这里有基地址
0070C38B 8BC8 mov ecx, eax
0070C38D E8 FF65B000 call 01212991 ; 这里也有个遍历
0070C392 8BF8 mov edi, eax ; eax
0070C394 89BD 20ECFFFF mov dword ptr [ebp-13E0], edi
0070C39A 85FF test edi, edi
0070C39C 0F84 C0120000 je 0070D662
0070C3A2 68 284ECE02 push 02CE4E28
0070C3A7 8BCF mov ecx, edi
0070C3A9 E8 7F3CB000 call 0121002D ; 这里有个遍历 是个二叉树
0070C3AE 68 1C4ECE02 push 02CE4E1C
0070C3B3 8BCF mov ecx, edi
0070C3B5 8985 D8EBFFFF mov dword ptr [ebp-1428], eax ; 追到这里
0070C3BB E8 6D3CB000 call 0121002D
0070C3C0 83BD D8EBFFFF 0>cmp dword ptr [ebp-1428], 0
0070C3C7 8985 14ECFFFF mov dword ptr [ebp-13EC], eax
0070C3CD 0F84 8F120000 je 0070D662
0070C3D3 85C0 test eax, eax
0070C3D5 0F84 87120000 je 0070D662
0070C3DB 8B85 08ECFFFF mov eax, dword ptr [ebp-13F8]
0070C3E1 66:0F6F05 70482>movq mm0, qword ptr [2264870]
0070C3E9 F3: prefix rep:
0070C3EA 0F7F85 DCEBFFFF movq qword ptr [ebp-1424], mm0
0070C3F1 66:0F6EC0 movd mm0, eax
0070C3F5 F3: prefix rep:
0070C3F6 0FE6 ??? ; 未知命令
0070C3F8 C0C1 E8 rol cl, 0E8
0070C3FB 1F pop ds
0070C3FC F2: prefix repne:
0070C3FD 0F5804C5 B0BE6E>addps xmm0, dqword ptr [eax*8+26EBEB0]
0070C405 F2: prefix repne:
0070C406 0F1185 ECEBFFFF movups dqword ptr [ebp-1414], xmm0
0070C40D C645 FC 04 mov byte ptr [ebp-4], 4
0070C411 8D85 DCEBFFFF lea eax, dword ptr [ebp-1424]
0070C417 50 push eax
0070C418 68 94492602 push 02264994 ; ASCII "id"
0070C41D 8BCE mov ecx, esi
0070C41F E8 5395EBFF call 005C5977
0070C424 33C9 xor ecx, ecx
0070C426 884D FC mov byte ptr [ebp-4], cl
0070C429 8D8D DCEBFFFF lea ecx, dword ptr [ebp-1424]
0070C42F E8 5415EBFF call 005BD988
0070C434 68 184ECE02 push 02CE4E18
0070C439 8BCF mov ecx, edi
0070C43B E8 ED3BB000 call 0121002D
0070C440 8985 1CECFFFF mov dword ptr [ebp-13E4], eax
0070C446 85C0 test eax, eax
0070C448 74 14 je short 0070C45E
0070C44A 8338 0A cmp dword ptr [eax], 0A
0070C44D 74 5D je short 0070C4AC
0070C44F 8338 00 cmp dword ptr [eax], 0
0070C452 74 58 je short 0070C4AC
0070C454 8338 1D cmp dword ptr [eax], 1D
0070C457 74 53 je short 0070C4AC
0070C459 8338 28 cmp dword ptr [eax], 28
0070C45C 74 4E je short 0070C4AC
0070C45E 8B85 14ECFFFF mov eax, dword ptr [ebp-13EC]
0070C464 66:0F6F05 70482>movq mm0, qword ptr [2264870]
0070C46C F3: prefix rep:
0070C46D 0F7F85 DCEBFFFF movq qword ptr [ebp-1424], mm0
0070C474 66:0F6E48 08 movd mm1, dword ptr [eax+8]
0070C479 F3: prefix rep:
0070C47A 0FE6 ??? ; 未知命令
0070C47C C9 leave
0070C47D F2: prefix repne:
0070C47E 0F118D ECEBFFFF movups dqword ptr [ebp-1414], xmm1
0070C485 C645 FC 05 mov byte ptr [ebp-4], 5
0070C489 8D85 DCEBFFFF lea eax, dword ptr [ebp-1424]
0070C48F 50 push eax
0070C490 68 A0022802 push 022802A0 ; ASCII "itemLevel"
0070C495 8BCE mov ecx, esi
0070C497 E8 DB94EBFF call 005C5977
0070C49C 33C0 xor eax, eax
0070C49E 8845 FC mov byte ptr [ebp-4], al
0070C4A1 8D8D DCEBFFFF lea ecx, dword ptr [ebp-1424]
0070C4A7 E8 DC14EBFF call 005BD988
0070C4AC 33C0 xor eax, eax
0070C4AE 8BC8 mov ecx, eax
0070C4B0 8B85 14ECFFFF mov eax, dword ptr [ebp-13EC]
0070C4B6 8B40 08 mov eax, dword ptr [eax+8]
0070C4B9 48 dec eax
0070C4BA 74 23 je short 0070C4DF
0070C4BC 48 dec eax
0070C4BD 74 1C je short 0070C4DB
0070C4BF 48 dec eax
0070C4C0 74 15 je short 0070C4D7
0070C4C2 48 dec eax
0070C4C3 74 0E je short 0070C4D3
0070C4C5 48 dec eax
0070C4C6 74 07 je short 0070C4CF
0070C4C8 48 dec eax
0070C4C9 75 17 jnz short 0070C4E2
0070C4CB 6A 64 push 64
0070C4CD EB 12 jmp short 0070C4E1
0070C4CF 6A 63 push 63
0070C4D1 EB 0E jmp short 0070C4E1
0070C4D3 6A 62 push 62
0070C4D5 EB 0A jmp short 0070C4E1
0070C4D7 6A 61 push 61
0070C4D9 EB 06 jmp short 0070C4E1
0070C4DB 6A 60 push 60
0070C4DD EB 02 jmp short 0070C4E1
0070C4DF 6A 5F push 5F
0070C4E1 59 pop ecx
0070C4E2 898D 10ECFFFF mov dword ptr [ebp-13F0], ecx
0070C4E8 8D8D 10ECFFFF lea ecx, dword ptr [ebp-13F0]
0070C4EE E8 527BC600 call 01374045
0070C4F3 50 push eax
0070C4F4 E8 32A0E2FF call 0053652B
0070C4F9 8BC8 mov ecx, eax
0070C4FB E8 7991A900 call 011A5679
0070C500 85C0 test eax, eax
0070C502 74 68 je short 0070C56C
0070C504 0FB610 movzx edx, byte ptr [eax]
0070C507 0FB648 04 movzx ecx, byte ptr [eax+4]
0070C50B 0FB640 08 movzx eax, byte ptr [eax+8]
0070C50F 66:0F6F05 70482>movq mm0, qword ptr [2264870]
0070C517 C1E2 08 shl edx, 8
0070C51A 0BD1 or edx, ecx
0070C51C C1E2 08 shl edx, 8
0070C51F 0BD0 or edx, eax
0070C521 F3: prefix rep:
0070C522 0F7F85 DCEBFFFF movq qword ptr [ebp-1424], mm0
0070C529 66:0F6EC2 movd mm0, edx
0070C52D F3: prefix rep:
0070C52E 0FE6 ??? ; 未知命令
0070C530 C0C1 EA rol cl, 0EA
0070C533 1F pop ds
0070C534 F2: prefix repne:
0070C535 0F5804D5 B0BE6E>addps xmm0, dqword ptr [edx*8+26EBEB0]
0070C53D F2: prefix repne:
0070C53E 0F1185 ECEBFFFF movups dqword ptr [ebp-1414], xmm0
0070C545 C645 FC 06 mov byte ptr [ebp-4], 6
0070C549 8D85 DCEBFFFF lea eax, dword ptr [ebp-1424]
0070C54F 50 push eax
0070C550 68 AC022802 push 022802AC ; ASCII "itemColor"
0070C555 8BCE mov ecx, esi
0070C557 E8 1B94EBFF call 005C5977
0070C55C 33C0 xor eax, eax
0070C55E 8845 FC mov byte ptr [ebp-4], al
0070C561 8D8D DCEBFFFF lea ecx, dword ptr [ebp-1424]
0070C567 E8 1C14EBFF call 005BD988
0070C56C 33C0 xor eax, eax
0070C56E 8985 B8ECFFFF mov dword ptr [ebp-1348], eax
0070C574 8985 BCECFFFF mov dword ptr [ebp-1344], eax
0070C57A C785 BCECFFFF 0>mov dword ptr [ebp-1344], 7
0070C584 8985 B8ECFFFF mov dword ptr [ebp-1348], eax
0070C58A 66:8985 A8ECFFF>mov word ptr [ebp-1358], ax
0070C591 C645 FC 07 mov byte ptr [ebp-4], 7
0070C595 3985 08ECFFFF cmp dword ptr [ebp-13F8], eax
0070C59B 74 54 je short 0070C5F1
0070C59D 8D85 D8EAFFFF lea eax, dword ptr [ebp-1528]
0070C5A3 50 push eax
0070C5A4 E8 E7BE0B01 call 017C8490
0070C5A9 59 pop ecx
0070C5AA 85C0 test eax, eax
0070C5AC 74 43 je short 0070C5F1
0070C5AE 33C9 xor ecx, ecx
0070C5B0 66:3908 cmp word ptr [eax], cx
0070C5B3 74 3C je short 0070C5F1
0070C5B5 50 push eax
0070C5B6 E8 6DE8E2FF call 0053AE28
0070C5BB 8BC8 mov ecx, eax
0070C5BD E8 117DAA00 call 011B42D3
0070C5C2 8BF0 mov esi, eax
0070C5C4 56 push esi
0070C5C5 E8 761ADEFF call 004EE040
0070C5CA 59 pop ecx
0070C5CB 50 push eax
0070C5CC 56 push esi
0070C5CD 8D8D A8ECFFFF lea ecx, dword ptr [ebp-1358]
0070C5D3 E8 684CDEFF call 004F1240
0070C5D8 BE 2C812502 mov esi, 0225812C
0070C5DD 56 push esi
0070C5DE E8 5D1ADEFF call 004EE040
0070C5E3 59 pop ecx
0070C5E4 50 push eax
0070C5E5 56 push esi
0070C5E6 8D8D A8ECFFFF lea ecx, dword ptr [ebp-1358]
0070C5EC E8 4F4CDEFF call 004F1240
0070C5F1 8B85 D8EBFFFF mov eax, dword ptr [ebp-1428] ; eax
0070C5F7 83C0 08 add eax, 8 ; eax+8
0070C5FA 8378 14 08 cmp dword ptr [eax+14], 8
0070C5FE 72 02 jb short 0070C602
0070C600 8B00 mov eax, dword ptr [eax]
0070C602 50 push eax ; 第一个参数
0070C603 E8 20E8E2FF call 0053AE28
0070C608 8BC8 mov ecx, eax
0070C60A E8 C47CAA00 call 011B42D3 ; 返回到这里
0070C60F 8BF0 mov esi, eax
0070C611 56 push esi
0070C612 E8 291ADEFF call 004EE040
0070C617 59 pop ecx
0070C618 50 push eax
0070C619 56 push esi
0070C61A 8D8D A8ECFFFF lea ecx, dword ptr [ebp-1358]
0070C620 E8 1B4CDEFF call 004F1240
0070C625 83BD BCECFFFF 0>cmp dword ptr [ebp-1344], 8
0070C62C 8D85 A8ECFFFF lea eax, dword ptr [ebp-1358]
0070C632 66:0F6F05 80482>movq mm0, qword ptr [2264880]
0070C63A 0F4385 A8ECFFFF cmovnb eax, dword ptr [ebp-1358]
0070C641 F3: prefix rep:
0070C642 0F7F85 DCEBFFFF movq qword ptr [ebp-1424], mm0
0070C649 8985 ECEBFFFF mov dword ptr [ebp-1414], eax
0070C64F C645 FC 08 mov byte ptr [ebp-4], 8
0070C653 8D85 DCEBFFFF lea eax, dword ptr [ebp-1424]
0070C659 8BB5 0CECFFFF mov esi, dword ptr [ebp-13F4]
0070C65F 8BCE mov ecx, esi
0070C661 50 push eax
0070C662 68 30472602 push 02264730 ; ASCII "title"
0070C667 E8 0B93EBFF call 005C5977
0070C66C C645 FC 07 mov byte ptr [ebp-4], 7
0070C670 8D8D DCEBFFFF lea ecx, dword ptr [ebp-1424]
0070C676 E8 0D13EBFF call 005BD988
0070C67B 66:0F6F05 70482>movq mm0, qword ptr [2264870]
关注微信公众号:任鸟飞逆向
追上去之后我们发现物品来源于一些遍历,下面的一个遍历是二叉树,我们很容易分析到了
然后上面还有一个遍历,里面有一个 edx,它代表的是物品现在在背包里面的位置,但是我们并不知道它的来源
所以没办法,我们需要分析这个来源,于是我们继续向上追 ID 的来源
上面一个遍历CALL内部的内容如下
;-----------------------------------------------------------------------
; sub_01212991 — look up an item record by ID (debugger listing)
; Convention: ecx = object pointer on entry (used as the base at 012129AA,
;             so it is set by the caller — likely thiscall, confirm);
;             one dword argument at [ebp+8] (the item ID pushed by the
;             caller, see the push ebx / call chain in the main listing),
;             popped by retn 4
; Out:   eax = [node+14] for the matching entry, or 0 when the value the
;        helper wrote to [ebp-4] equals [esi+44] (end/sentinel compare)
; Locals: one dword at [ebp-4] (reserved by the push ecx below)
; NOTE(review): the helper at 012148FF is not shown; what it stores to
;        [ebp-4] is inferred only from the compare that follows the call.
;-----------------------------------------------------------------------
01212991 55 push ebp
01212992 8BEC mov ebp, esp
01212994 51 push ecx ; reserves one dword of local storage at [ebp-4]
01212995 8B45 08 mov eax, dword ptr [ebp+8] ; eax = arg0 (item ID)
01212998 33D2 xor edx, edx ; edx must be zero before the unsigned 32-bit div
0121299A 56 push esi
0121299B BE 2C010000 mov esi, 12C ; divisor 0x12C = 300
012129A0 F7F6 div esi ; eax = id / 300, edx = id % 300
012129A2 8D45 08 lea eax, dword ptr [ebp+8]
012129A5 50 push eax ; push &arg0 (pointer to the ID)
012129A6 8D45 FC lea eax, dword ptr [ebp-4]
012129A9 50 push eax ; push &local (out-parameter written by the helper)
012129AA 8D34D1 lea esi, dword ptr [ecx+edx*8] ; esi = base + (id % 0x12C) * 8 — author: this edx represents the position
012129AD 8D4E 44 lea ecx, dword ptr [esi+44] ; ecx = &esi->[+44], the object the helper works on
012129B0 E8 4A1F0000 call 012148FF
012129B5 8B45 FC mov eax, dword ptr [ebp-4] ; eax = value returned through the local
012129B8 3B46 44 cmp eax, dword ptr [esi+44] ; equal to [esi+44] means "not found" (end/sentinel)
012129BB 5E pop esi
012129BC 74 05 je short 012129C3
012129BE 8B40 14 mov eax, dword ptr [eax+14] ; found: return the record at node+14
012129C1 EB 02 jmp short 012129C5
012129C3 33C0 xor eax, eax ; not found: return 0
012129C5 8BE5 mov esp, ebp
012129C7 5D pop ebp
012129C8 C2 0400 retn 4 ; callee pops the single dword argument
由于这部分代码比较麻烦,所以为了能简便地获得名字,我们决定调 CALL 来得到物品的名字ID字串
我们可以简化一下下面的这段代码,然后把名字ID字串得到
0070C385 53 push ebx ; 这个是传递进来的物品ID,这个是真正的ID
0070C386 E8 003DE3FF call 0054008B ; 这里有基地址
0070C38B 8BC8 mov ecx, eax
0070C38D E8 FF65B000 call 01212991 ; 这里也有个遍历
0070C392 8BF8 mov edi, eax ; eax
0070C394 89BD 20ECFFFF mov dword ptr [ebp-13E0], edi
0070C39A 85FF test edi, edi
0070C39C 0F84 C0120000 je 0070D662
0070C3A2 68 284ECE02 push 02CE4E28
0070C3A7 8BCF mov ecx, edi
0070C3A9 E8 7F3CB000 call 0121002D ; 这里有个遍历 是个二叉树
这里返回的[eax+8]+0就是名字ID字串
继续向上追传入的ID,我们发现追了很远也没有追到ebp-1520
于是我们通过CE搜索这个ID,得到了几个来源,这里我建议大家断下灰色名字的物品再搜索,这样比较少
分别在地址下断,其中一个会断到这样一个位置
016C8E31 55 push ebp
016C8E32 8BEC mov ebp, esp
016C8E34 56 push esi
016C8E35 8B75 08 mov esi, dword ptr [ebp+8]
016C8E38 57 push edi
016C8E39 8BF9 mov edi, ecx
016C8E3B 8B06 mov eax, dword ptr [esi]
016C8E3D 8907 mov dword ptr [edi], eax
016C8E3F 8D4F 18 lea ecx, dword ptr [edi+18]
016C8E42 8B46 04 mov eax, dword ptr [esi+4]
016C8E45 8947 04 mov dword ptr [edi+4], eax
016C8E48 8B46 08 mov eax, dword ptr [esi+8] ; 物品ID
016C8E4B 8947 08 mov dword ptr [edi+8], eax
016C8E4E 8B46 0C mov eax, dword ptr [esi+C]
016C8E51 8947 0C mov dword ptr [edi+C], eax
016C8E54 8B46 10 mov eax, dword ptr [esi+10]
016C8E57 8947 10 mov dword ptr [edi+10], eax
016C8E5A 8B46 14 mov eax, dword ptr [esi+14]
016C8E5D 8947 14 mov dword ptr [edi+14], eax
016C8E60 8D46 18 lea eax, dword ptr [esi+18]
继续追得到如下代码
;-----------------------------------------------------------------------
; sub_016CB00D — linear search for an ID in two arrays of 0x38-byte
; elements; on a hit the element is copied to the caller's object
; Convention: ecx = container object on entry (array pointers are read
;             from it); two dword arguments: [ebp+8] = ID to find,
;             [ebp+C] = destination object; popped by retn 8
; Arrays:  first  = [ecx+40] .. [ecx+44]  (begin / end pointers)
;          second = [ecx+78] .. [ecx+7C]  (begin / end pointers)
; Out:     al = 1 if found (element copied via 016C8E31), al = 0 if not
; Clobbers: eax, ecx, edx, flags
; NOTE(review): the match compares the element's FIRST dword ([eax]) with
;        the argument, while the author's summary lists +8 as the item ID;
;        the key at +0 may be a different identifier — verify before use.
;-----------------------------------------------------------------------
016CB00D 55 push ebp
016CB00E 8BEC mov ebp, esp
016CB010 8B41 40 mov eax, dword ptr [ecx+40] ; eax = begin pointer of first array (author: bag offset 2)
016CB013 8B55 08 mov edx, dword ptr [ebp+8] ; edx = arg0, the ID being searched for
016CB016 EB 07 jmp short 016CB01F ; enter the loop at its end-check (handles an empty array)
016CB018 3910 cmp dword ptr [eax], edx ; does this element's first dword equal the ID?
016CB01A 74 08 je short 016CB024
016CB01C 83C0 38 add eax, 38 ; advance to the next element: stride 0x38 (struct array)
016CB01F 3B41 44 cmp eax, dword ptr [ecx+44] ; reached the end pointer?
016CB022 ^ 75 F4 jnz short 016CB018
016CB024 3B41 44 cmp eax, dword ptr [ecx+44] ; eax != end means a match was found
016CB027 75 1A jnz short 016CB043
016CB029 8B41 78 mov eax, dword ptr [ecx+78] ; not in the first array: scan the second one
016CB02C EB 07 jmp short 016CB035
016CB02E 3910 cmp dword ptr [eax], edx
016CB030 74 08 je short 016CB03A
016CB032 83C0 38 add eax, 38 ; same 0x38 stride
016CB035 3B41 7C cmp eax, dword ptr [ecx+7C] ; end pointer of the second array
016CB038 ^ 75 F4 jnz short 016CB02E
016CB03A 3B41 7C cmp eax, dword ptr [ecx+7C]
016CB03D 75 04 jnz short 016CB043
016CB03F 32C0 xor al, al ; not found in either array: return 0
016CB041 EB 0B jmp short 016CB04E
016CB043 8B4D 0C mov ecx, dword ptr [ebp+C] ; ecx = arg1, destination object for the copy
016CB046 50 push eax ; pass pointer to the matching element
016CB047 E8 E5DDFFFF call 016C8E31 ; copies the element's fields into the destination (see the 016C8E31 listing)
016CB04C B0 01 mov al, 1 ; found: return 1
016CB04E 5D pop ebp
016CB04F C2 0800 retn 8 ; callee pops both dword arguments
这里的两个 +38 循环没有具体分析,应该只用到了上面的那一个
这是一个结构体数组,每个结构体的大小为 0x38
继续返回代码如下
007128F3 84C0 test al, al
007128F5 0F85 63020000 jnz 00712B5E
007128FB 8B8D 34FEFFFF mov ecx, dword ptr [ebp-1CC]
00712901 85C9 test ecx, ecx
00712903 75 79 jnz short 0071297E
00712905 85FF test edi, edi
00712907 0F84 83000000 je 00712990
0071290D E8 045EE2FF call 00538716 ; 基地址
00712912 8BC8 mov ecx, eax
00712914 E8 E958F800 call 01698202 ; 里面有大偏移
00712919 8985 34FEFFFF mov dword ptr [ebp-1CC], eax
0071291F 85C0 test eax, eax
00712921 74 6D je short 00712990
00712923 8D4D B8 lea ecx, dword ptr [ebp-48]
00712926 E8 26A6EFFF call 0060CF51
0071292B C645 FC 3B mov byte ptr [ebp-4], 3B
0071292F 8D45 B8 lea eax, dword ptr [ebp-48]
00712932 8B8D 34FEFFFF mov ecx, dword ptr [ebp-1CC] ; ecx
00712938 50 push eax
00712939 57 push edi
0071293A E8 CE86FB00 call 016CB00D ; call
0071293F 84C0 test al, al
00712941 74 2D je short 00712970
00712943 8B75 C0 mov esi, dword ptr [ebp-40]
00712946 56 push esi
00712947 E8 3FD7E2FF call 0054008B
0071294C 8BC8 mov ecx, eax
0071294E E8 3E00B000 call 01212991
00712953 85C0 test eax, eax
00712955 75 19 jnz short 00712970
00712957 C645 FC 02 mov byte ptr [ebp-4], 2
0071295B 8D4D D0 lea ecx, dword ptr [ebp-30]
0071295E E8 2D53ECFF call 005D7C90
00712963 33C0 xor eax, eax
00712965 8985 24FEFFFF mov dword ptr [ebp-1DC], eax
0071296B E9 F5010000 jmp 00712B65
这样我们就追到了基地址