

大航海时代ol台服找Call记(六)邀请组队、同意(拒绝)组队Call

(1)邀请组队Call:
参考码头进城市、海上跟随call查找方法
点击队员人物,邀请组队
gvonline.bin+452EB - 0FB6 80 D4584400 - movzx eax,byte ptr [eax+gvonline.bin+458D4]
gvonline.bin+452F2 - FF 24 85 74584400 - jmp dword ptr [eax*4+gvonline.bin+45874] //按钮call跳转关键处(以按钮ID为索引的跳转表)----->
gvonline.bin+452F9 - 8D 4F 30 - lea ecx,[edi+30] //直接跳转在此处
gvonline.bin+452FC - E8 BFDFFFFF - call gvonline.bin+432C0
gvonline.bin+45301 - 85 C0 - test eax,eax
gvonline.bin+45303 - 0F84 EC040000 - je gvonline.bin+457F5
gvonline.bin+45309 - 83 7F 30 00 - cmp dword ptr [edi+30],00 { 0 }
gvonline.bin+4530D - 0F85 E2040000 - jne gvonline.bin+457F5
gvonline.bin+45313 - 8B 47 34 - mov eax,[edi+34] //tabID
gvonline.bin+45316 - 85 C0 - test eax,eax
gvonline.bin+45318 - 0F84 D7040000 - je gvonline.bin+457F5
gvonline.bin+4531E - 50 - push eax //eax = tabID
gvonline.bin+4531F - 8B CB - mov ecx,ebx //ebx = 1217388
gvonline.bin+45321 - E8 4A256A00 - call gvonline.bin+6E7870 //邀请组队call
gvonline.bin+45326 - E9 AA040000 - jmp gvonline.bin+457D5
gvonline.bin+4532B - 8D 4F 30 - lea ecx,[edi+30]
//--------------------------------------------------
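// Invite-to-party call, reproduced from the button handler at
// gvonline.bin+45313..45326 (push tabID; mov ecx,ebx; call gvonline.bin+6E7870).
// NOTE(review): every operand below was read off a single debugging session and
// is build- and session-specific: 0x1060a4 is the tabID value pushed at +4531E
// in this trace (the later listing labels the same value the party leader's ID),
// 0x1217388 is the `this` object that was in ebx at +4531F. Re-resolve both
// before reusing this script.
// NOTE(review): the original called the absolute address 00AE7870, which equals
// gvonline.bin+6E7870 only while the module is based at 0x400000; the
// module-relative form used elsewhere on this page survives relocation.
// NOTE(review): createthread runs this on a new thread, concurrently with the
// game thread that normally executes the handler; nothing here shows the call
// is safe to make from a foreign thread.
alloc(newmem,1024)
newmem:
push 0x1060a4              // arg: tabID (original wrote 0x01060a4 — same value)
mov ecx,0x1217388          // this
call gvonline.bin+6E7870   // invite-to-party
ret
createthread(newmem)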
//=================================================
(2)接受组队Call:
//---------------------------------------------------
点击邀请铃铛后,同意邀请按钮call:
利用鼠标悬停在按钮上时,有个地址会反映鼠标悬停(焦点)时下面控件或窗口的ID(基址?)
gvonline.bin+E91270
find who access this address:
00D815DB - C7 05 70122901 00000000 - mov [01291270],00000000
00D80BE2 - 8B 35 70122901 - mov esi,[01291270] //这个比较像
//---------下断:
gvonline.bin+980BCE - C7 05 68122901 00000000 - mov [gvonline.bin+E91268],00000000 { (0),0 }
gvonline.bin+980BD8 - C7 05 74122901 00000000 - mov [gvonline.bin+E91274],00000000 { (0),0 }
gvonline.bin+980BE2 - 8B 35 70122901 - mov esi,[gvonline.bin+E91270] { (0) } --->这里断下
gvonline.bin+980BE8 - 5F - pop edi
返回4次后,来到下面这儿:
gvonline.bin+3D5F3 - 8B 45 08 - mov eax,[ebp+08] //eax = 按钮id,“是” = 0x2EE1,“否” = 0x2EE0
gvonline.bin+3D5F6 - 2D E02E0000 - sub eax,00002EE0 { 12000 }
gvonline.bin+3D5FB - 74 1A - je gvonline.bin+3D617 //否? 跳走
gvonline.bin+3D5FD - 48 - dec eax
gvonline.bin+3D5FE - 75 21 - jne gvonline.bin+3D621
gvonline.bin+3D600 - 39 45 0C - cmp [ebp+0C],eax
gvonline.bin+3D603 - 75 1C - jne gvonline.bin+3D621
gvonline.bin+3D605 - 6A 01 - push 01 { 1 }
gvonline.bin+3D607 - E8 F41B0000 - call gvonline.bin+3F200
gvonline.bin+3D60C - 8B C8 - mov ecx,eax //----------------------------ecx = 0x1212358
gvonline.bin+3D60E - E8 AD270300 - call gvonline.bin+6FDC0 //<-----同意组队call
gvonline.bin+3D613 - 5D - pop ebp
gvonline.bin+3D614 - C2 0C00 - ret 000C { 12 }
...
gvonline.bin+3D617 - 8B 01 - mov eax,[ecx] ////否, 跳到这儿。ecx =1212120
gvonline.bin+3D619 - 6A 00 - push 00 { 0 }
gvonline.bin+3D61B - FF 90 E8000000 - call dword ptr [eax+000000E8] // ----------不同意组队
gvonline.bin+3D621 - 5D - pop ebp
gvonline.bin+3D622 - C2 0C00 - ret 000C { 12 }
//-----------接受组队邀请call------------------
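// Accept-party-invite call, unoptimized form: replays the "是" branch at
// gvonline.bin+3D605..3D60E (push 1; call +3F200 -> eax = object; mov ecx,eax;
// call +6FDC0).
// NOTE(review): the original line `call 0043F200---这个call可以不用,...` carried
// prose after the instruction with no `//`, which the auto-assembler would
// reject; the remark is kept below as a comment. The call address is written
// module-relative (00043F200 == gvonline.bin+3F200 at base 0x400000).
// NOTE(review): 0x1212358 is the object pointer observed in this session only.
alloc(newmem,2048)
newmem:
mov ecx,0x1212358          // kept from the original; +3F200 returns the object in eax, so this is not what reaches +6FDC0
push 01
call gvonline.bin+3F200    // author: this call can be skipped — it just yields ecx = 0x1212358 (the object pointer)
mov ecx,eax                // this
call gvonline.bin+6FDC0    // accept-invite: fires the pending confirm callback stored at [this+0x480]
ret
createthread(newmem)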
//-----------优化后:------------------
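// Accept-party-invite call, optimized: pass the object pointer directly instead
// of calling gvonline.bin+3F200 to obtain it.
// NOTE(review): gvonline.bin+6FDC0 (listed below) only does work while
// [this+0x480] is non-null — i.e. while the confirmation dialog raised by the
// bell is still pending; otherwise the call is a no-op.
// NOTE(review): 0x1212358 is the object pointer returned by +3F200 in this
// trace — session-specific, re-resolve before reuse.
alloc(newmem,2048)
newmem:
push 01                    // arg, forwarded by +6FDC0 to the callback ([ebp+08])
mov ecx,0x1212358          // this (original went through eax first; the detour is unnecessary)
call gvonline.bin+6FDC0    // accept-invite
ret
createthread(newmem)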
//拒绝组队邀请call=
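// Decline-party-invite call: replays the "否" branch at gvonline.bin+3D617..3D61B
// (mov eax,[ecx]; push 0; call [eax+0E8]) — a virtual call through the object's
// vtable, so ecx must hold the object when it is made.
// NOTE(review): the original script did `mov eax,[0x1212358]` and never loaded
// ecx, so the vtable came from the accept-path object and `this` was whatever the
// new thread happened to have in ecx. The trace records ecx = 0x1212120 at
// +3D617, so that object is used here. Session-specific — re-resolve before use.
alloc(newmem,2048)
newmem:
mov ecx,0x1212120          // this (ecx observed at +3D617)
mov eax,[ecx]              // vtable
push 00                    // arg (author labelled it "follow id" — unverified)
call dword ptr [eax+000000E8] // decline-invite
ret
createthread(newmem)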
//
======================
继续优化下同意组队邀请:(优化掉点击铃铛后出现的确认窗口,直接确认)
call gvonline.bin+6FDC0 ---->进入
//------------------------------------
//-----------------------------------------------------------------------
// gvonline.bin+6FDC0 — thiscall-style, one stack argument (ret 0004):
//   ecx = this, [ebp+08] = arg.
// If the slot at [this+0x480] is non-null it is called with the arg, then
// the slot is zeroed — a one-shot callback. The value the author saw in the
// slot, 0x46FEC0, is gvonline.bin+6FEC0 with the 0x400000 base the other
// listings imply — the very function listed next — so the slot holds a code
// pointer, not a window handle/ID.
// On exit eax is the callback's return value, or 0 when the slot was empty.
//-----------------------------------------------------------------------
gvonline.bin+6FDC0 - 55 - push ebp
gvonline.bin+6FDC1 - 8B EC - mov ebp,esp
gvonline.bin+6FDC3 - 56 - push esi
gvonline.bin+6FDC4 - 8B F1 - mov esi,ecx // esi = this
gvonline.bin+6FDC6 - 8B 86 80040000 - mov eax,[esi+00000480] // eax = function pointer at this+0x480 (author: "the confirm window shown after clicking the bell = 0x46fec0"; 0x46FEC0 == gvonline.bin+6FEC0, see next listing)
gvonline.bin+6FDCC - 85 C0 - test eax,eax
gvonline.bin+6FDCE - 74 05 - je gvonline.bin+6FDD5 // nothing pending -> skip the call
gvonline.bin+6FDD0 - FF 75 08 - push [ebp+08] // forward our argument
gvonline.bin+6FDD3 - FF D0 - call eax // invoke the callback (author stepped in here -> +6FEC0)
gvonline.bin+6FDD5 - C7 86 80040000 00000000 - mov [esi+00000480],00000000 { 0 } // clear the slot: one-shot
gvonline.bin+6FDDF - 5E - pop esi
gvonline.bin+6FDE0 - 5D - pop ebp
gvonline.bin+6FDE1 - C2 0400 - ret 0004 { 4 } // callee pops the single argument
//----------------------------
gvonline.bin+6FEC0 - 55 - push ebp
gvonline.bin+6FEC1 - 8B EC - mov ebp,esp
gvonline.bin+6FEC3 - 64 A1 00000000 - mov eax,fs:[00000000] { 0 }
gvonline.bin+6FEC9 - 6A FF - push -01 { 255 }
gvonline.bin+6FECB - 68 8B88ED00 - push gvonline.bin+AD888B { (184) }
gvonline.bin+6FED0 - 50 - push eax
gvonline.bin+6FED1 - 64 89 25 00000000 - mov fs:[00000000],esp { 0 }
gvonline.bin+6FED8 - 81 EC A4000000 - sub esp,000000A4 { 164 }
gvonline.bin+6FEDE - 57 - push edi
gvonline.bin+6FEDF - 8B F9 - mov edi,ecx
gvonline.bin+6FEE1 - 83 BF 44010000 00 - cmp dword ptr [edi+00000144],00 { 0 }
gvonline.bin+6FEE8 - 75 0D - jne gvonline.bin+6FEF7
gvonline.bin+6FEEA - 83 BF 54010000 00 - cmp dword ptr [edi+00000154],00 { 0 }
gvonline.bin+6FEF1 - 0F84 01010000 - je gvonline.bin+6FFF8
gvonline.bin+6FEF7 - 53 - push ebx
gvonline.bin+6FEF8 - 56 - push esi
gvonline.bin+6FEF9 - 6A 00 - push 00 { 0 }
gvonline.bin+6FEFB - C7 47 10 FFFFFFFF - mov [edi+10],FFFFFFFF { -1 }
gvonline.bin+6FF02 - E8 C908FDFF - call gvonline.bin+407D0
gvonline.bin+6FF07 - 8B B7 70040000 - mov esi,[edi+00000470]
gvonline.bin+6FF0D - 8D 8D 50FFFFFF - lea ecx,[ebp-000000B0]
gvonline.bin+6FF13 - E8 A82FFDFF - call gvonline.bin+42EC0
gvonline.bin+6FF18 - 56 - push esi
gvonline.bin+6FF19 - 8D 85 50FFFFFF - lea eax,[ebp-000000B0]
gvonline.bin+6FF1F - 50 - push eax
gvonline.bin+6FF20 - 8D 8F 94040000 - lea ecx,[edi+00000494]
gvonline.bin+6FF26 - C7 45 FC 00000000 - mov [ebp-04],00000000 { 0 }
gvonline.bin+6FF2D - E8 4EF35100 - call gvonline.bin+58F280
gvonline.bin+6FF32 - 85 C0 - test eax,eax
gvonline.bin+6FF34 - 74 64 - je gvonline.bin+6FF9A
gvonline.bin+6FF36 - 83 7D 08 00 - cmp dword ptr [ebp+08],00 { 0 }
gvonline.bin+6FF3A - 8D 8D 50FFFFFF - lea ecx,[ebp-000000B0]
gvonline.bin+6FF40 - 74 07 - je gvonline.bin+6FF49
gvonline.bin+6FF42 - E8 E9E45100 - call gvonline.bin+58E430 //从前面各个call的分析,怀疑此为重点----->
gvonline.bin+6FF47 - EB 05 - jmp gvonline.bin+6FF4E
//------------------
gvonline.bin+58E430 - 56 - push esi
gvonline.bin+58E431 - 8B F1 - mov esi,ecx
gvonline.bin+58E433 - 83 CA FF - or edx,-01 { 255 }
gvonline.bin+58E436 - 8B 46 04 - mov eax,[esi+04]
gvonline.bin+58E439 - 48 - dec eax
gvonline.bin+58E43A - 83 F8 09 - cmp eax,09 { 9 }
gvonline.bin+58E43D - 0F87 ED000000 - ja gvonline.bin+58E530
gvonline.bin+58E443 - FF 24 85 34E59800 - jmp dword ptr [eax*4+gvonline.bin+58E534] //眼熟的语句(跳转表),此处eax = 2 ---->
//-----------------------------------------------
gvonline.bin+58E477 - C3 - ret
gvonline.bin+58E478 - E8 93DBBCFF - call gvonline.bin+15C010 <-----上面跳到这儿,此call也很熟悉,
gvonline.bin+58E47D - FF 76 24 - push [esi+24] //[esi+24] = 1060a4(队长ID) esi= 19fd68
gvonline.bin+58E480 - 8D 88 A81A0000 - lea ecx,[eax+00001AA8] //eax = 12158e0也是常客,ecx = 1217388
gvonline.bin+58E486 - E8 C5941500 - call gvonline.bin+6E7950 //!!!!!!此即为接受邀请组人call
gvonline.bin+58E48B - 8B D0 - mov edx,eax
gvonline.bin+58E48D - 5E - pop esi
gvonline.bin+58E48E - C3 - ret

//==============================
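// Accept-party-invite, direct form (skips the confirmation dialog): calls the
// function reached from the confirm callback at gvonline.bin+58E47D..58E486
// (push [esi+24]; lea ecx,[eax+1AA8]; call +6E7950).
// NOTE(review): 0x1060a4 is the leader ID read from [esi+24] in this trace and
// 0x1217388 is 0x12158e0 + 0x1AA8, where 0x12158e0 is what gvonline.bin+15C010
// returned in this trace — both session-specific. The call is written
// module-relative; the original's absolute 00AE7950 is only valid at base
// 0x400000.
// NOTE(review): this bypasses the game's own confirm path (+6FDC0 -> +6FEC0 ->
// +58E430), so any checks performed there before reaching +6E7950 are skipped.
alloc(newmem,2048)
newmem:
push 0x1060a4              // arg: inviter (party leader) ID
mov ecx,0x1217388          // this
call gvonline.bin+6E7950   // accept-invite / join party
ret
createthread(newmem)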
//------------------------
