wangbeng


在码头里,不断出航,打开出航窗口,取消窗口,搜索unknown,0
得绿色基址一堆,gvonline.bin+E8487C 在此地址find who access this address ,不断断下,选出航,观察选择如下

00D81525 - 8B 41 1C - mov eax,[ecx+1C]

返回几次后,到如上
gvonline.bin+2E2F73 - 8B 45 08 - mov eax,[ebp+08]
gvonline.bin+2E2F76 - 56 - push esi
gvonline.bin+2E2F77 - 8B F1 - mov esi,ecx
gvonline.bin+2E2F79 - 3D E02E0000 - cmp eax,00002EE0 { 12000 } //eax为按钮的id(如2ee0),根据不同id跳转执行
gvonline.bin+2E2F7E - 0F87 87000000 - ja gvonline.bin+2E300B //>则跳到2e300b
gvonline.bin+2E2F84 - 74 68 - je gvonline.bin+2E2FEE
gvonline.bin+2E2F86 - 2D 51270000 - sub eax,00002751 { 10065 }
gvonline.bin+2E2F8B - 74 1C - je gvonline.bin+2E2FA9
gvonline.bin+2E2F8D - 83 E8 19 - sub eax,19 { 25 }
gvonline.bin+2E2F90 - 0F85 FA000000 - jne gvonline.bin+2E3090
gvonline.bin+2E2F96 - 39 45 0C - cmp [ebp+0C],eax
gvonline.bin+2E2F99 - 0F85 F1000000 - jne gvonline.bin+2E3090
gvonline.bin+2E2F9F - E8 3CFBFFFF - call gvonline.bin+2E2AE0
gvonline.bin+2E2FA4 - 5E - pop esi
gvonline.bin+2E2FA5 - 5D - pop ebp
gvonline.bin+2E2FA6 - C2 0C00 - ret 000C { 12 }
gvonline.bin+2E2FA9 - 8B 45 0C - mov eax,[ebp+0C]
gvonline.bin+2E2FAC - 83 E8 00 - sub eax,00 { 0 }
gvonline.bin+2E2FAF - 74 11 - je gvonline.bin+2E2FC2
gvonline.bin+2E2FB1 - 48 - dec eax
gvonline.bin+2E2FB2 - 0F85 D8000000 - jne gvonline.bin+2E3090
gvonline.bin+2E2FB8 - E8 13FDFFFF - call gvonline.bin+2E2CD0
gvonline.bin+2E2FBD - 5E - pop esi
gvonline.bin+2E2FBE - 5D - pop ebp
gvonline.bin+2E2FBF - C2 0C00 - ret 000C { 12 }
gvonline.bin+2E2FC2 - E8 09FDFFFF - call gvonline.bin+2E2CD0
gvonline.bin+2E2FC7 - E8 4490E7FF - call gvonline.bin+15C010
gvonline.bin+2E2FCC - 6A 02 - push 02 { 2 }
gvonline.bin+2E2FCE - 8D 88 A81A0000 - lea ecx,[eax+00001AA8]
gvonline.bin+2E2FD4 - E8 F72C4500 - call gvonline.bin+735CD0
gvonline.bin+2E2FD9 - 83 F8 FF - cmp eax,-01 { 255 }
gvonline.bin+2E2FDC - 0F84 AE000000 - je gvonline.bin+2E3090
gvonline.bin+2E2FE2 - C6 86 0E080000 02 - mov byte ptr [esi+0000080E],02 { 2 }
gvonline.bin+2E2FE9 - E9 91000000 - jmp gvonline.bin+2E307F
gvonline.bin+2E2FEE - 83 7D 0C 00 - cmp dword ptr [ebp+0C],00 { 0 }

gvonline.bin+2E2FEE - 83 7D 0C 00 - cmp dword ptr [ebp+0C],00 { 0 }
gvonline.bin+2E2FF2 - 0F85 98000000 - jne gvonline.bin+2E3090
gvonline.bin+2E2FF8 - 6A 01 - push 01 { 1 }
gvonline.bin+2E2FFA - E8 01C2D5FF - call gvonline.bin+3F200 //eax = 2ee0 (在wiking的blog上看到过,应该是按钮的id)
gvonline.bin+2E2FFF - 8B C8 - mov ecx,eax
gvonline.bin+2E3001 - E8 3AB4D6FF - call gvonline.bin+4E440
gvonline.bin+2E3006 - 5E - pop esi
gvonline.bin+2E3007 - 5D - pop ebp
gvonline.bin+2E3008 - C2 0C00 - ret 000C { 12 }
gvonline.bin+2E300B - 05 1FD1FFFF - add eax,FFFFD11F { -12001 } // 2E2F7E跳过来
gvonline.bin+2E3010 - 83 F8 03 - cmp eax,03 { 3 }
gvonline.bin+2E3013 - 77 7B - ja gvonline.bin+2E3090 //> 结束
gvonline.bin+2E3015 - FF 24 85 98306E00 - jmp dword ptr [eax*4+gvonline.bin+2E3098] //跳到相应call
gvonline.bin+2E301C - 83 7D 0C 00 - cmp dword ptr [ebp+0C],00 { 0 }

//=在港口里面点击(出航)========
// Cheat Engine auto-assembler script: replays the "set sail" button path seen in
// the listing at gvonline.bin+2E2FF8..2E3001 (push 01 / call +3F200 /
// mov ecx,eax / call +4E440), but with the values the author observed at run
// time written in as constants instead of being computed by the calls.
// Absolute addresses assume image base 0x400000, which matches the
// 0043F86C == gvonline.bin+3F86C pair in the listing above.
alloc(newmem,2048)
newmem:
mov eax,0x02ee0 // button ID (the value that cmp eax,2EE0 at +2E2F79 tests for)
push 0x01
call 0x0043F200 // gvonline.bin+3F200
mov ecx,0x01212120 // the eax value noted at +5E4219 after the +3F200 call; a snapshot constant rather than the call's return value — TODO confirm
call 0x0044E440 // gvonline.bin+4E440; receiver passed in ecx as at +2E2FFF (presumably thiscall — confirm)
ret
createthread(newmem) // executes newmem on a freshly created thread
//=在港口里面点击(委任航行)======
// Cheat Engine auto-assembler script: calls the routine at gvonline.bin+735CD0
// that the listing reaches at +2E2FD4 (there: push 02 / lea ecx,[eax+1AA8] /
// call +735CD0). Here the pushed argument is 0 and ecx is a fixed constant.
// Absolute address assumes image base 0x400000 (0043F86C == gvonline.bin+3F86C).
alloc(newmem,2048)
newmem:
push 0x0 // argument; the listing pushes 02 at +2E2FCC — the meaning of the value is not shown on this page
mov ecx,0x1217388 // presumably the eax+1AA8 pointer the author observed at run time; a snapshot constant, not derived here — TODO confirm
call 00B35CD0 // gvonline.bin+735CD0
ret
CreateThread(newmem) // executes newmem on a freshly created thread
//================================

在港外海面上选中港口,在TabId的 地址上 find who access this address
0043F86C - 89 7E 34 - mov [esi+34],edi

gvonline.bin+3F865 - C7 46 30 01000000 - mov [esi+30],00000001 { 1 }
gvonline.bin+3F86C - 89 7E 34 - mov [esi+34],edi //[esi+34]为 tabid
gvonline.bin+3F86F - E8 5CEA5400 - call gvonline.bin+58E2D0
gvonline.bin+3F874 - 5B - pop ebx
//=================================
gvonline.bin+5E4211 - 75 0D - jne gvonline.bin+5E4220
gvonline.bin+5E4213 - 57 - push edi //edi = tabid
gvonline.bin+5E4214 - E8 E7AFA5FF - call gvonline.bin+3F200
gvonline.bin+5E4219 - 8B C8 - mov ecx,eax // eax = 01212120 基址
gvonline.bin+5E421B - E8 80B5A5FF - call gvonline.bin+3F7A0
gvonline.bin+5E4220 - 5B - pop ebx //返回
//=船进港call===================
// Cheat Engine auto-assembler script: replays the "ship enters port" path seen
// in the listing at gvonline.bin+5E4213..5E421B (push edi / call +3F200 /
// mov ecx,eax / call +3F7A0), with the +3F200 call left out and ecx set to the
// constant the author observed as that call's result.
// Absolute addresses assume image base 0x400000 (0043F86C == gvonline.bin+3F86C).
alloc(newmem,2048)
newmem:
push 0x4010079 // port ID (author's note); stands in for the edi = tabid operand pushed at +5E4213
//call 0043F200 // tried it; this call can be dropped (author's note)
mov ecx,0x01212120 // the eax value noted at +5E4219; a snapshot constant rather than the call's return value — TODO confirm
call 0043F7A0 // gvonline.bin+3F7A0; receiver passed in ecx as at +5E4219
ret
createthread(newmem) // executes newmem on a freshly created thread
//====================================
