wangbeng


Uncharted Waters Online (Taiwan server) call-finding notes (7): further optimising the sea-follow call, and stumbling on a universal CALL.

1. Final optimisation of sea following --------------------
...
gvonline.bin+454B9 - 56 - push esi
gvonline.bin+454BA - 6A 00 - push 00 { 0 }
gvonline.bin+454BC - 6A 3C - push 3C { 60 }
gvonline.bin+454BE - 8B CB - mov ecx,ebx
gvonline.bin+454C0 - E8 AB9F6E00 - call gvonline.bin+72F470 // sea-follow call
gvonline.bin+454C5 - E9 0B030000 - jmp gvonline.bin+457D5
...
The listing above is the sea-follow call from part (5). It already achieves sea following perfectly, but I later found that clicking the sea-follow button directly (the one next to the compass) does not go through this call at all, so the only option was to trace further and see what happens.


...stepping into the sea-follow call
gvonline.bin+72F470 - 55 - push ebp // most clicks on the system menu pass through here
gvonline.bin+72F471 - 8B EC - mov ebp,esp
gvonline.bin+72F473 - 81 EC 04010000 - sub esp,00000104 { 260 }
gvonline.bin+72F479 - 57 - push edi
gvonline.bin+72F47A - 8B F9 - mov edi,ecx
gvonline.bin+72F47C - E8 BF1CFBFF - call gvonline.bin+6E1140
gvonline.bin+72F481 - 83 7D 0C 02 - cmp dword ptr [ebp+0C],02 { 2 }
gvonline.bin+72F485 - 0FB7 C0 - movzx eax,ax
gvonline.bin+72F488 - 89 45 FC - mov [ebp-04],eax
gvonline.bin+72F48B - 7D 76 - jnl gvonline.bin+72F503
gvonline.bin+72F48D - 83 7D 10 00 - cmp dword ptr [ebp+10],00 { 0 }
gvonline.bin+72F491 - 74 70 - je gvonline.bin+72F503
gvonline.bin+72F493 - FF 75 08 - push [ebp+08]
gvonline.bin+72F496 - 66 C7 85 FCFEFFFF 1101 - mov word ptr [ebp-00000104],0111 { 273 }
gvonline.bin+72F49F - FF 15 E47AF300 - call dword ptr [gvonline.bin+B37AE4] { ->WS2_32.ntohs }
// these ntohs calls are probably serialising the packet contents (not sure, just a guess)
gvonline.bin+72F4A5 - FF 75 FC - push [ebp-04]
gvonline.bin+72F4A8 - 66 89 85 FEFEFFFF - mov [ebp-00000102],ax
gvonline.bin+72F4AF - FF 15 E47AF300 - call dword ptr [gvonline.bin+B37AE4] { ->WS2_32.ntohs }
gvonline.bin+72F4B5 - FF 75 10 - push [ebp+10]
gvonline.bin+72F4B8 - 66 89 85 00FFFFFF - mov [ebp-00000100],ax
gvonline.bin+72F4BF - 8B 45 0C - mov eax,[ebp+0C]
gvonline.bin+72F4C2 - 88 85 02FFFFFF - mov [ebp-000000FE],al
gvonline.bin+72F4C8 - FF 15 EC7AF300 - call dword ptr [gvonline.bin+B37AEC] { ->WS2_32.htonl }
gvonline.bin+72F4CE - 6A 00 - push 00 { 0 }
gvonline.bin+72F4D0 - 89 85 03FFFFFF - mov [ebp-000000FD],eax
gvonline.bin+72F4D6 - E8 FD1C3700 - call gvonline.bin+AA11D8
gvonline.bin+72F4DB - 83 C4 04 - add esp,04 { 4 }
gvonline.bin+72F4DE - 8D 8D FCFEFFFF - lea ecx,[ebp-00000104]
gvonline.bin+72F4E4 - 6A 0B - push 0B { 11 }
gvonline.bin+72F4E6 - 89 47 60 - mov [edi+60],eax
gvonline.bin+72F4E9 - 8B 07 - mov eax,[edi]
gvonline.bin+72F4EB - 51 - push ecx
gvonline.bin+72F4EC - 8B CF - mov ecx,edi
gvonline.bin+72F4EE - 89 57 64 - mov [edi+64],edx
gvonline.bin+72F4F1 - FF 50 40 - call dword ptr [eax+40] //------------> as usual, step into the last call and take a look
gvonline.bin+72F4F4 - 85 C0 - test eax,eax
gvonline.bin+72F4F6 - 74 0B - je gvonline.bin+72F503
gvonline.bin+72F4F8 - 8B 45 FC - mov eax,[ebp-04]
gvonline.bin+72F4FB - 98 - cwde
gvonline.bin+72F4FC - 5F - pop edi
gvonline.bin+72F4FD - 8B E5 - mov esp,ebp
gvonline.bin+72F4FF - 5D - pop ebp
gvonline.bin+72F500 - C2 0C00 - ret 000C { 12 }
gvonline.bin+72F503 - 83 C8 FF - or eax,-01 { 255 }
gvonline.bin+72F506 - 5F - pop edi
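The stores into [ebp-104] in the listing above lay out an 11-byte buffer (the push 0B before call [eax+40] is its length, and the lea ecx,[ebp-104] is its address). As an added reconstruction, not code from the original post, the Python below rebuilds and decodes that layout; the field names arg08, val_fc, arg0c and arg10 are my labels for the stack slots the values come from, and their meanings are not known from the listing.

```python
import struct

# Buffer layout read off the listing (offsets relative to ebp-0x104):
#   +0  word  0x0111 stored directly (little-endian as written, no ntohs)
#   +2  word  ntohs([ebp+08])        -> stored big-endian
#   +4  word  ntohs([ebp-04])        -> stored big-endian
#   +6  byte  low byte of [ebp+0C]
#   +7  dword htonl([ebp+10])        -> stored big-endian
# Total 11 bytes, matching "push 0B" before call dword ptr [eax+40].
BUF_LEN = 11


def pack_buffer(arg08: int, val_fc: int, arg0c: int, arg10: int) -> bytes:
    """Rebuild the 11-byte buffer exactly as the listing lays it out."""
    return (struct.pack("<H", 0x0111)
            + struct.pack(">H", arg08 & 0xFFFF)
            + struct.pack(">H", val_fc & 0xFFFF)
            + struct.pack("B", arg0c & 0xFF)
            + struct.pack(">I", arg10 & 0xFFFFFFFF))


def unpack_buffer(buf: bytes) -> dict:
    """Inverse: split a captured 11-byte buffer back into its fields."""
    if len(buf) != BUF_LEN:
        raise ValueError(f"expected {BUF_LEN} bytes, got {len(buf)}")
    (tag,) = struct.unpack_from("<H", buf, 0)
    arg08, val_fc = struct.unpack_from(">HH", buf, 2)
    arg0c = buf[6]
    (arg10,) = struct.unpack_from(">I", buf, 7)
    return {"tag": tag, "arg08": arg08, "val_fc": val_fc,
            "arg0c": arg0c, "arg10": arg10}


# Constructed sample: the caller at +454B9 pushes esi, 0, 0x3C, so
# [ebp+08]=0x3C and [ebp+0C]=0; the other two values are made up here.
SAMPLE = pack_buffer(0x3C, 0x1234, 0, 0xDEADBEEF)
```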
//----call dword ptr [eax+40]----------------------------
gvonline.bin+826A10 - 55 - push ebp
gvonline.bin+826A11 - 8B EC - mov ebp,esp
gvonline.bin+826A13 - 56 - push esi
gvonline.bin+826A14 - 8B F1 - mov esi,ecx
gvonline.bin+826A16 - 8B 46 08 - mov eax,[esi+08]
gvonline.bin+826A19 - 83 F8 02 - cmp eax,02 { 2 }
gvonline.bin+826A1C - 74 22 - je gvonline.bin+826A40
gvonline.bin+826A1E - 83 F8 03 - cmp eax,03 { 3 }
gvonline.bin+826A21 - 74 1D - je gvonline.bin+826A40
gvonline.bin+826A23 - 83 7E 34 00 - cmp dword ptr [esi+34],00 { 0 }
gvonline.bin+826A27 - 74 10 - je gvonline.bin+826A39
gvonline.bin+826A29 - 8B 06 - mov eax,[esi]
gvonline.bin+826A2B - 6A 02 - push 02 { 2 }
gvonline.bin+826A2D - 6A 00 - push 00 { 0 }
gvonline.bin+826A2F - C7 46 34 00000000 - mov [esi+34],00000000 { 0 }
gvonline.bin+826A36 - FF 50 70 - call dword ptr [eax+70]
gvonline.bin+826A39 - 33 C0 - xor eax,eax
gvonline.bin+826A3B - 5E - pop esi
gvonline.bin+826A3C - 5D - pop ebp
gvonline.bin+826A3D - C2 0800 - ret 0008 { 8 }
gvonline.bin+826A40 - 8A 46 10 - mov al,[esi+10]
gvonline.bin+826A43 - 24 0F - and al,0F { 15 }
gvonline.bin+826A45 - 3C 01 - cmp al,01 { 1 }
gvonline.bin+826A47 - 0F84 A1000000 - je gvonline.bin+826AEE
gvonline.bin+826A4D - 3C 03 - cmp al,03 { 3 }
gvonline.bin+826A4F - 0F84 99000000 - je gvonline.bin+826AEE
gvonline.bin+826A55 - 8B 06 - mov eax,[esi]
gvonline.bin+826A57 - 53 - push ebx
gvonline.bin+826A58 - 8B 5E 3C - mov ebx,[esi+3C]
gvonline.bin+826A5B - 57 - push edi
gvonline.bin+826A5C - FF 90 90000000 - call dword ptr [eax+00000090]
gvonline.bin+826A62 - 8B 7D 0C - mov edi,[ebp+0C]
gvonline.bin+826A65 - 8D 0C 3B - lea ecx,[ebx+edi]
gvonline.bin+826A68 - 3B C8 - cmp ecx,eax
gvonline.bin+826A6A - 7E 16 - jle gvonline.bin+826A82
gvonline.bin+826A6C - 53 - push ebx
gvonline.bin+826A6D - FF 76 38 - push [esi+38]
gvonline.bin+826A70 - 8B CE - mov ecx,esi
gvonline.bin+826A72 - E8 59220000 - call gvonline.bin+828CD0
gvonline.bin+826A77 - 85 C0 - test eax,eax
gvonline.bin+826A79 - 74 4D - je gvonline.bin+826AC8
gvonline.bin+826A7B - C7 46 3C 00000000 - mov [esi+3C],00000000 { 0 }
gvonline.bin+826A82 - 8B 06 - mov eax,[esi]
gvonline.bin+826A84 - 8B CE - mov ecx,esi
gvonline.bin+826A86 - FF 90 90000000 - call dword ptr [eax+00000090]
gvonline.bin+826A8C - 83 E8 04 - sub eax,04 { 4 }
gvonline.bin+826A8F - 8B CE - mov ecx,esi
gvonline.bin+826A91 - 3B F8 - cmp edi,eax
gvonline.bin+826A93 - 7E 10 - jle gvonline.bin+826AA5
gvonline.bin+826A95 - 57 - push edi
gvonline.bin+826A96 - FF 75 08 - push [ebp+08]
gvonline.bin+826A99 - E8 32220000 - call gvonline.bin+828CD0
gvonline.bin+826A9E - 5F - pop edi
gvonline.bin+826A9F - 5B - pop ebx
gvonline.bin+826AA0 - 5E - pop esi
gvonline.bin+826AA1 - 5D - pop ebp
gvonline.bin+826AA2 - C2 0800 - ret 0008 { 8 }
gvonline.bin+826AA5 - 83 7E 3C 00 - cmp dword ptr [esi+3C],00 { 0 }
gvonline.bin+826AA9 - 8B 06 - mov eax,[esi]
gvonline.bin+826AAB - 75 30 - jne gvonline.bin+826ADD
gvonline.bin+826AAD - FF 90 94000000 - call dword ptr [eax+00000094]
gvonline.bin+826AB3 - 8B 06 - mov eax,[esi]
gvonline.bin+826AB5 - 57 - push edi
gvonline.bin+826AB6 - FF 75 08 - push [ebp+08]
gvonline.bin+826AB9 - 8B CE - mov ecx,esi
gvonline.bin+826ABB - FF 90 98000000 - call dword ptr [eax+00000098] ---------> a breakpoint here fires constantly (basically every outgoing packet breaks here, heartbeat packets included), and clicking the real sea-follow button also breaks here. Stumbled onto the ultimate call-finding breakpoint.
gvonline.bin+826AC1 - 85 C0 - test eax,eax
gvonline.bin+826AC3 - 75 0C - jne gvonline.bin+826AD1
gvonline.bin+826AC5 - 89 46 3C - mov [esi+3C],eax
gvonline.bin+826AC8 - 5F - pop edi
gvonline.bin+826AC9 - 5B - pop ebx
gvonline.bin+826ACA - 33 C0 - xor eax,eax
gvonline.bin+826ACC - 5E - pop esi
gvonline.bin+826ACD - 5D - pop ebp
gvonline.bin+826ACE - C2 0800 - ret 0008 { 8 }
gvonline.bin+826AD1 - 5F - pop edi
//-------- the genuine sea-follow call (the sea-follow button next to the compass) ------------------------
gvonline.bin+826ABB - FF 90 98000000 - call dword ptr [eax+00000098]
//--------- after breaking here on the genuine follow button, return one level up
gvonline.bin+6CE7E6 - 51 - push ecx
gvonline.bin+6CE7E7 - 8B CE - mov ecx,esi
gvonline.bin+6CE7E9 - 89 56 64 - mov [esi+64],edx
gvonline.bin+6CE7EC - FF 50 40 - call dword ptr [eax+40] --------> the structure here is similar to gvonline.bin+72F4F1, where the td-follow returns
Different functions return from gvonline.bin+826ABB into different structures of this same shape.
gvonline.bin+6CE7EF - 5E - pop esi
//----------- return one more level ----------------------------------------------
gvonline.bin+7F387C - E8 7FAFEDFF - call gvonline.bin+6CE800
gvonline.bin+7F3881 - EB 10 - jmp gvonline.bin+7F3893
gvonline.bin+7F3883 - E8 888796FF - call gvonline.bin+15C010
gvonline.bin+7F3888 - 8D 88 A81A0000 - lea ecx,[eax+00001AA8]
gvonline.bin+7F388E - E8 1DAFEDFF - call gvonline.bin+6CE7B0 // the genuine sea-follow call
gvonline.bin+7F3893 - C7 46 34 0000803F - mov [esi+34],3F800000 { 1.00 }
...
//---------------- best sea-follow call 2026/01/04/21:50 ----------------------
alloc(newmem,2048)
newmem:
mov ecx,0x1217388
call 00ACE7B0 // call 00ACE800 cancels following
ret
createthread(newmem)
//---------------------------------------
Discovered a universal CALL breakpoint: gvonline.bin+826ABB - FF 90 98000000 - call dword ptr [eax+00000098]

posted on 2026-03-18 09:57  wangbeng