外挂辅助技术-分析任务等级需求并测试

时间:2023-02-06 19:28:03
 学习目标:
      
      任务等级相关数据
    作业:
      分析更新任务相关CALL 或者是代码

/*
 * printfMissionList
 * Walks one of the client's mission lists and prints "[level]name" for every
 * entry through DbgPrintf_Mine. MSVC x86 (32-bit) only: relies on __try/__except
 * (SEH) and MSVC __asm blocks; every address and offset is specific to one
 * client build and will not survive an update.
 *
 * Interface: no parameters, no return value. Reads only; writes nothing into
 * the client's memory. Faults (bad pointers in the list) are caught by the
 * __except and reported with a single message.
 *
 * NOTE(review): the address comments at the top of the body say +0x4C4/+0x4C8,
 * but the code reads +0x4D4/+0x4D8, i.e. the second list shown in the
 * disassembly at 006E9CFA (the one annotated "all missions"). Confirm which
 * list is intended and make the comment agree with the code.
 *
 * NOTE(review): the loop is split across two __asm blocks with a C call in
 * between; the label GotoStart is defined in the first block and targeted by
 * jnz in the second. edi (cursor) and ebx (level) must survive the call to
 * DbgPrintf_Mine. Both are callee-saved under the MSVC x86 convention, but the
 * compiler is free to use them in the surrounding C code, so this is fragile.
 *
 * NOTE(review): the termination test (cmp edi,ndEnd / jnz) runs only after the
 * body, so an empty list (ndStart == ndEnd) is still read once. The client's
 * own loop (006E9D00: CMP/JE before the body) checks first.
 */
void printfMissionList()
  {
      DWORD ndStart;                       // cursor into the entry list (kept in edi by the asm)
      DWORD ndEnd;                         // end-of-list address; loop stops when edi reaches it
      char *szpCurMissionName;// mission name (inline string or pointer, see the +0x18 test below)
      BYTE  nbLevel;// mission level, one byte at +0x20 of the record
      //[[[0XF598C0]+2A4]+4C4] // start address  (comment value; code uses +0x4D4)
      //[[[0XF598C0]+2A4]+4C8] // end address    (comment value; code uses +0x4D8)
      //[[[0XF598C0]+2A4]+4C4]+8                 // entries are 8 bytes apart (add edi,8 below)
         // dc [0x2FA3D6C]+ [[[0XF598C0]+2A4]+4c4]*0xc0+4]*0c0+4   // debugger expression for the record; brackets are garbled, the asm below is the authoritative form
      __try
      {
          // ndStart = [[[BaseF1_F10ArgEcx] + 0x2A4] + 0x4D4]
          ndStart=*(DWORD*)BaseF1_F10ArgEcx;
          ndStart=*(DWORD*)(ndStart+0x2A4);
          ndStart=*(DWORD*)(ndStart+0x4d4);

          // ndEnd = [[[BaseF1_F10ArgEcx] + 0x2A4] + 0x4D8]
          ndEnd=*(DWORD*)BaseF1_F10ArgEcx;
          ndEnd=*(DWORD*)(ndEnd+0x2A4);
          ndEnd=*(DWORD*)(ndEnd+0x4d8);
          __asm
          {
            mov edi,ndStart                         ; edi = current entry; must stay live across the C call below
GotoStart:
            MOV EAX,DWORD PTR DS:[EDI]              ; eax = *edi, scaled by 0xC0 below to index the record table
            MOV ECX,DWORD PTR DS:[0x2FA3D6C]        ;//  150C4   ; ecx = base of the record table
            LEA EAX,DWORD PTR DS:[EAX+EAX*2]        ; // [edx*3]
            SHL EAX,0x6                             ;// eax=eax*0x40 [edi]*0xc0   ; record stride is 0xC0
            CMP DWORD PTR DS:[EAX+ECX+0x18],0x10    ; sets flags for the JB below (movzx/lea do not touch flags)
            MOVZX EBX,BYTE PTR DS:[ECX+EAX+0x20]    ; bl = level byte; ebx carried to the C code after the block
            LEA EAX,DWORD PTR DS:[EAX+ECX+0x4]      ;//  [0x2FA3D6C]+[edi]*0xc0+4   ; address of the name field
            
            JB EndMission                           ; +0x18 < 0x10: the field itself is the string
            MOV EAX,DWORD PTR DS:[EAX]              ; otherwise the field holds a char*; dereference once
EndMission:
            mov szpCurMissionName,eax
            mov nbLevel,bl
          }
          DbgPrintf_Mine("[%d]%s \r\n",nbLevel,szpCurMissionName);   // BYTE is promoted to int for %d
        _asm{
            
            add edi,8                               ; next entry (8-byte stride, matches ADD EDI,0x8 at 006E9DE6)
            cmp edi,ndEnd
            jnz GotoStart                           ; jumps back into the previous __asm block
          }
          
      }__except(1)
      {
          // 1 == EXCEPTION_EXECUTE_HANDLER: any fault while walking the list lands here
          DbgPrintf_Mine("遍历任务列表出错\r\n");
      }
      return;
  }

  
00760C47 - 8D 50 01  - lea edx,[eax+01]
00760C4A - 8D 9B 00000000  - lea ebx,[ebx+00000000]
00760C50 - 8A 08  - mov cl,[eax] <<
00760C52 - 40 - inc eax
00760C53 - 84 C9  - test cl,cl

0093A03D - 74 9F - je Client.exe+539FDE
0093A03F - BA FFFEFE7E - mov edx,7EFEFEFF
0093A044 - 8B 06  - mov eax,[esi] <<
0093A046 - 03 D0  - add edx,eax
0093A048 - 83 F0 FF - xor eax,FF

0093A048 - 83 F0 FF - xor eax,FF
0093A04B - 33 C2  - xor eax,edx
0093A04D - 8B 16  - mov edx,[esi] <<
0093A04F - 83 C6 04 - add esi,04
0093A052 - A9 00010181 - test eax,81010100



00610003  |. /0F85 A8000000 JNZ Client.006100B1                      ;  edi=[[edi+0x2A4]+0x4C4]
00610009  |. |8B87 A4020000 MOV EAX,DWORD PTR DS:[EDI+0x2A4]         ;  Case 11 of switch 0060FE5E
0061000F  |. |85C0          TEST EAX,EAX


#define  BaseF1_F10ArgEcx  0XF598C0 //BaseF1_F10ArgEcx
dd [[[BaseF1_F10ArgEcx]+2A4]+4c4]
dd [[[0XF598C0]+2A4]+4c4]  //BaseF1_F10ArgEcx
[[0x2FA3D6C]+[edi]*0xc0+4]]*0c0

dc [0x2FA3D6C]+ [[[0XF598C0]+2A4]+4c4]*0xc0+4]*0c0
+4 //任务名 char* 或者是char**类型 
+18 //指针类型 标记 大于0x10 char**
+20 //1字节 任务等级

006E9D65  |.  66:8945 ED    |MOV WORD PTR SS:[EBP-0x13],AX
006E9D69  |.  8845 EF       |MOV BYTE PTR SS:[EBP-0x11],AL
006E9D6C  |.  8B07          |MOV EAX,DWORD PTR DS:[EDI]
006E9D6E  |.  8D0C40        |LEA ECX,DWORD PTR DS:[EAX+EAX*2]
006E9D71  |.  C1E1 06       |SHL ECX,0x6
006E9D74  |.  885D E8       |MOV BYTE PTR SS:[EBP-0x18],BL
006E9D77  |.  0FB64411 20   |MOVZX EAX,BYTE PTR DS:[ECX+EDX+0x20]    ;  任务等级
006E9D7C  |.  50            |PUSH EAX
006E9D7D  |.  68 D4BEA000   |PUSH Client.00A0BED4                    ;  ASCII "[%d]"
006E9D82  |.  8D4D E8       |LEA ECX,DWORD PTR SS:[EBP-0x18]
006E9D85  |.  6A 08         |PUSH 0x8
006E9D87  |.  51            |PUSH ECX
006E9D88  |.  C745 FC FFFFF>|MOV DWORD PTR SS:[EBP-0x4],-0x1         ;  sprintf
006E9D8F  |.  E8 4C06E1FF   |CALL Client.004FA3E0
006E9D94  |.  83C4 10       |ADD ESP,0x10
006E9D97  |.  6A FF         |PUSH -0x1
006E9D99  |.  8D55 E8       |LEA EDX,DWORD PTR SS:[EBP-0x18]
006E9D9C  |.  52            |PUSH EDX
006E9D9D  |.  53            |PUSH EBX
006E9D9E  |.  8BCE          |MOV ECX,ESI
006E9DA0  |.  E8 3B6D0700   |CALL Client.00760AE0
006E9DA5  |.  8B07          |MOV EAX,DWORD PTR DS:[EDI]
006E9DA7  |.  8B0D 6C3DFA02 |MOV ECX,DWORD PTR DS:[0x2FA3D6C]
006E9DAD  |.  8D0440        |LEA EAX,DWORD PTR DS:[EAX+EAX*2]
006E9DB0  |.  C1E0 06       |SHL EAX,0x6
006E9DB3  |.  837C08 18 10  |CMP DWORD PTR DS:[EAX+ECX+0x18],0x10    ;  判断 任务名是否是指针
006E9DB8  |.  8D4408 04     |LEA EAX,DWORD PTR DS:[EAX+ECX+0x4]      ;  任务名,或者是任务名指针
006E9DBC  |.  72 02         |JB SHORT Client.006E9DC0                ;  <0x10
006E9DBE  |.  8B00          |MOV EAX,DWORD PTR DS:[EAX]
006E9DC0  |>  6A 01         |PUSH 0x1
006E9DC2  |.  6A 2A         |PUSH 0x2A
006E9DC4  |.  50            |PUSH EAX
006E9DC5  |.  6A 01         |PUSH 0x1
006E9DC7  |.  8BCE          |MOV ECX,ESI
006E9DC9  |.  E8 526E0700   |CALL Client.00760C20                    ;  所有任务列表
006E9DCE  |.  8B55 E4       |MOV EDX,DWORD PTR SS:[EBP-0x1C]
006E9DD1  |.  889E 39020000 |MOV BYTE PTR DS:[ESI+0x239],BL
006E9DD7  |.  8B8A 60020000 |MOV ECX,DWORD PTR DS:[EDX+0x260]
006E9DDD  |.  56            |PUSH ESI
006E9DDE  |.  E8 CD7C0700   |CALL Client.00761AB0
006E9DE3  |.  8B75 E4       |MOV ESI,DWORD PTR SS:[EBP-0x1C]
006E9DE6  |>  83C7 08       |ADD EDI,0x8




006E9B4B  |.  8945 F0       MOV DWORD PTR SS:[EBP-0x10],EAX
006E9B4E  |.  53            PUSH EBX
006E9B4F  |.  56            PUSH ESI
006E9B50  |.  57            PUSH EDI
006E9B51  |.  50            PUSH EAX
006E9B52  |.  8D45 F4       LEA EAX,DWORD PTR SS:[EBP-0xC]
006E9B55  |.  64:A3 0000000>MOV DWORD PTR FS:[0],EAX
006E9B5B  |.  8BF1          MOV ESI,ECX
006E9B5D  |.  68 4D010000   PUSH 0x14D
006E9B62  |.  8975 E4       MOV DWORD PTR SS:[EBP-0x1C],ESI
006E9B65  |.  E8 F6C3FFFF   CALL Client.006E5F60
006E9B6A  |.  8BBE C4040000 MOV EDI,DWORD PTR DS:[ESI+0x4C4]         ;  ESI==[[0XF598C0]+2A4] //初始值
006E9B70  |.  3BBE C8040000 CMP EDI,DWORD PTR DS:[ESI+0x4C8]         ;  循环结束标志地址
006E9B76  |.  0F84 28010000 JE Client.006E9CA4
006E9B7C  |.  33DB          XOR EBX,EBX
006E9B7E  |.  8BFF          MOV EDI,EDI

006E9CF5  |.  E8 66C2FFFF   CALL Client.006E5F60
006E9CFA  |.  8BBE D4040000 MOV EDI,DWORD PTR DS:[ESI+0x4D4] //所有任务列表
006E9D00  |.  3BBE D8040000 CMP EDI,DWORD PTR DS:[ESI+0x4D8]
006E9D06  |.  0F84 E9000000 JE Client.006E9DF5
006E9D0C  |.  33DB          XOR EBX,EBX