

海上直接点“跟随”的call一直搞不定,无奈只得迂回“先点TD,在出来的窗口中,点'跟随'按钮”;
1.选中TD,(根据tabID变化,找出选中id的call)
2.根据码头进城的call,再在打开的TD信息界面中,找出选择“跟随”按钮的call (跟随按钮 = 0x3c)

------------选中TD窗口---------------------

找tabId的call: 在tabId地址上 find out what accesses this address
00440F92 - 89 7E 34  - mov [esi+34],edi

gvonline.bin+40F82 - 6A 01                 - push 01  
gvonline.bin+40F84 - 8B CE                 - mov ecx,esi
gvonline.bin+40F86 - E8 45F8FFFF           - call gvonline.bin+407D0
gvonline.bin+40F8B - C7 46 30 00000000     - mov [esi+30],00000000   
gvonline.bin+40F92 - 89 7E 34              - mov [esi+34],edi      //断在此处
gvonline.bin+40F95 - 5F                    - pop edi

返回1:
gvonline.bin+5E3ED8 - 53                    - push ebx       //tabID
gvonline.bin+5E3ED9 - E8 22B3A5FF           - call gvonline.bin+3F200
gvonline.bin+5E3EDE - 8B C8                 - mov ecx,eax
gvonline.bin+5E3EE0 - E8 3BD0A5FF           - call gvonline.bin+40F20  //选中call
gvonline.bin+5E3EE5 - 5E                    - pop esi      //返回此处
gvonline.bin+5E3EE6 - 5B                    - pop ebx

------------选中TD,点跟随按钮---------------------------------------

// Cheat Engine auto-assembler script, first version: select the TD by its tab id,
// then hand the "follow" button id (0x3c) to the button handler; runs on a new thread.
alloc(newmem,2048)

newmem: //this is allocated memory, you have read,write,execute access
//place your code here
 push 0x01060a4 // tab id of the target TD (same value the later versions push as the follow id)
call 0043F200 // select TD, step 1 (gvonline.bin+3F200)
mov ecx,0x01212120 // ecx = 0x01212120, as in the traced code (mov ecx,edi with edi = 1212120)
call 00440F20   // select TD, step 2 (gvonline.bin+40F20)

 push 0x3c // button id for "follow"
mov ecx,0x01212120
call gvonline.bin+441D0    // click "follow"; entering the city and entering the dock go through this same call
ret
createthread(newmem)

//=优化:跟踪点击“跟随”按钮call,找出最终跟随call==================

gvonline.bin+406A6 - 50                    - push eax              //按钮ID
gvonline.bin+406A7 - 8B CF                 - mov ecx,edi         //edi = 1212120
gvonline.bin+406A9 - E8 223B0000           - call gvonline.bin+441D0  //按钮call   -->跟进
----------
gvonline.bin+441D6 - 83 3E 00              - cmp dword ptr [esi],00 { 0 }
gvonline.bin+441D9 - 75 15                 - jne gvonline.bin+441F0
gvonline.bin+441DB - FF 75 08              - push [ebp+08]                   //按钮ID
gvonline.bin+441DE - E8 7DFEFFFF           - call gvonline.bin+44060  ------> 跟进
gvonline.bin+441E3 - 83 7E 10 FF           - cmp dword ptr [esi+10],-01 { 255 }
--------------------
gvonline.bin+440EA - 56                    - push esi
gvonline.bin+440EB - E8 B0030000           - call gvonline.bin+444A0   //一长串call,应该为不同的按钮功能。
gvonline.bin+440F0 - 85 C0                 - test eax,eax
                                             jne gvonline.bin+4408A   /对应按钮功能,则跳走

gvonline.bin+44153 - E8 28110000           - call gvonline.bin+45280  //此call重点 ---------->
gvonline.bin+44158 - 85 C0                 - test eax,eax
gvonline.bin+4415A - 0F85 2AFFFFFF         - jne gvonline.bin+4408A  <------------跳走了
gvonline.bin+44160 - 56                    - push esi

----------------------------
gvonline.bin+452CC - 81 BF 04010000 C8010000 - cmp [edi+00000104],000001C8 { 456 }
gvonline.bin+452D6 - 0F84 2E050000         - je gvonline.bin+4580A
gvonline.bin+452DC - 83 C0 CC              - add eax,-34 { 204 }
gvonline.bin+452DF - 56                    - push esi
gvonline.bin+452E0 - 3D 93000000           - cmp eax,00000093 { 147 }
gvonline.bin+452E5 - 0F87 0A050000         - ja gvonline.bin+457F5
gvonline.bin+452EB - 0FB6 80 D4584400      - movzx eax,byte ptr [eax+gvonline.bin+458D4]
gvonline.bin+452F2 - FF 24 85 74584400     - jmp dword ptr [eax*4+gvonline.bin+45874]   //重点,根据按钮ID跳到不同的功能代码  ----------->


--------------------------------------
gvonline.bin+45489 - 8D 4F 30              - lea ecx,[edi+30]
gvonline.bin+4548C - E8 2FDEFFFF           - call gvonline.bin+432C0
gvonline.bin+45491 - 85 C0                 - test eax,eax
gvonline.bin+45493 - 0F84 5C030000         - je gvonline.bin+457F5
gvonline.bin+45499 - 83 7F 30 00           - cmp dword ptr [edi+30],00 { 0 }   //挺熟悉的地址
gvonline.bin+4549D - 0F85 52030000         - jne gvonline.bin+457F5
gvonline.bin+454A3 - 83 7F 34 00           - cmp dword ptr [edi+34],00 { 0 }  //tabid是否0
gvonline.bin+454A7 - 0F84 48030000         - je gvonline.bin+457F5    //0跳走
gvonline.bin+454AD - 8B 77 34              - mov esi,[edi+34]             //读取tabID
gvonline.bin+454B0 - 6A 00                 - push 00 { 0 }
gvonline.bin+454B2 - 8B CF                 - mov ecx,edi                     //edi = 0x01212120
gvonline.bin+454B4 - E8 17B3FFFF           - call gvonline.bin+407D0  //跟随call 1
gvonline.bin+454B9 - 56                    - push esi
gvonline.bin+454BA - 6A 00                 - push 00 { 0 }
gvonline.bin+454BC - 6A 3C                 - push 3C { 60 }
gvonline.bin+454BE - 8B CB                 - mov ecx,ebx
gvonline.bin+454C0 - E8 AB9F6E00           - call gvonline.bin+72F470   //跟随call 2
gvonline.bin+454C5 - E9 0B030000           - jmp gvonline.bin+457D5
-------------------------------------------------------------
// Second version: replays the two calls found behind the button handler
// (gvonline.bin+407D0 = follow call 1, gvonline.bin+72F470 = follow call 2) directly.
alloc(newmem,2048)
newmem: // register values mirror the traced code path at gvonline.bin+454AD..454C0
mov esi,0x1060a4 // esi = tab id (the traced code loads it from [edi+34])
mov edi,0x01212120 // edi = the object whose [edi+30]/[edi+34] the traced code checks
push 00
mov ecx,0x01212120 // ecx = edi in the trace
call 004407D0 // follow call 1 (gvonline.bin+407D0)
push esi // tab id
push 00
push 3c // follow button id = 0x3c
mov ecx,0x1217388 // corresponds to ecx = ebx in the trace; where this value comes from is not shown here
call 00B2F470 // follow call 2 (gvonline.bin+72F470)
ret
createthread(newmem)
=======继续优化下,call 004407D0不需要==============
// Third version: only follow call 2 is kept (the call to 004407D0 turned out to be unnecessary).
alloc(newmem,2048)
newmem: 
mov esi ,0x1060a4 // tab id of the TD to follow
push   esi  // follow id (tab id)
push 00
push 3c    // follow button id = 0x3c
mov ecx,0x1217388
call 00B2F470   ------>进一步优化
ret
createthread(newmem)
