
大航海时代ol台服找Call记(九)查找背包物品信息

打开持有物品界面,搜索第一个物品名称“寬鬆衫”(搜索类型为 string utf-16),得到唯一地址 183c4f48;再搜索这个地址本身,得到唯一一个指向它的地址 0493EB28,在此地址上:
Find out what accesses this address,然后关闭背包再重新打开:

0095D878 - 8B 46 0C - mov eax,[esi+0C] 中断在此句上

查找序号 地址 描述
下断点: GVOnline.exe+55D878 [esi+0c]=中文名称地址,[esi+08]=ID
返回1: GVOnline.exe+47C1D3 esi=ecx=edi=[eax+0c]
进入2: GVOnline.exe+621D50 esi=ecx=edi=[eax+0c] =[[eax+08]+0c]
进入3: GVOnline.exe+9AAE03 esi=ecx=edi=[eax+0c] =[[eax+08]+0c] =[ecx+04]+0]+0]+...+0]+08]+0c]

///-----------------------------------------------------------------------------
// GVOnline.exe+55D7E0 -- ecx carries the object pointer (copied to esi); two dword locals at [ebp-04]/[ebp-08].
// Return value in eax: [esi+0000009C] on the two early-out paths, otherwise [esi+0C] of the record reached
// through the +14B490 lookup. The branch target GVOnline.exe+55D880 (taken when the +15E4F0 result is > 4 or
// a lookup yields 0) is not part of this listing.
// NOTE: esi is reassigned at +55D83C (esi = [esi+08]) and again at +55D85C (esi = [eax+04]), so the esi seen at
// the +55D878 breakpoint is a different object from the one whose [esi+08] held the ID.
GVOnline.exe+55D7E0 - 55 - push ebp
GVOnline.exe+55D7E1 - 8B EC - mov ebp,esp
GVOnline.exe+55D7E3 - 83 EC 08 - sub esp,08 { 8 }
GVOnline.exe+55D7E6 - 56 - push esi
GVOnline.exe+55D7E7 - 8B F1 - mov esi,ecx           { esi = ecx }
GVOnline.exe+55D7E9 - 8B 46 08 - mov eax,[esi+08]   { eax = [this+08] }
GVOnline.exe+55D7EC - 85 C0 - test eax,eax
GVOnline.exe+55D7EE - 75 1A - jne GVOnline.exe+55D80A   { non-zero -> normal path }
GVOnline.exe+55D7F0 - 38 86 3D010000 - cmp [esi+0000013D],al   { al == 0 here (eax just tested zero), so this tests byte [this+13D] == 0 }
GVOnline.exe+55D7F6 - 74 12 - je GVOnline.exe+55D80A
GVOnline.exe+55D7F8 - 68 85030000 - push 00000385 { 901 }   { [this+08]==0 and byte [this+13D]!=0: call +117850(0x385) and return its eax untouched -- presumably an error/assert helper, not verified }
GVOnline.exe+55D7FD - E8 4EA0BBFF - call GVOnline.exe+117850
GVOnline.exe+55D802 - 83 C4 04 - add esp,04 { 4 }
GVOnline.exe+55D805 - 5E - pop esi
GVOnline.exe+55D806 - 8B E5 - mov esp,ebp
GVOnline.exe+55D808 - 5D - pop ebp
GVOnline.exe+55D809 - C3 - ret
GVOnline.exe+55D80A - 80 BE 3E010000 00 - cmp byte ptr [esi+0000013E],00 { 0 }
GVOnline.exe+55D811 - 74 0B - je GVOnline.exe+55D81E   { byte [this+13E] != 0 -> return [this+9C] directly }
GVOnline.exe+55D813 - 8B 86 9C000000 - mov eax,[esi+0000009C]   { early-out return value (also reached from +55D83A) }
GVOnline.exe+55D819 - 5E - pop esi
GVOnline.exe+55D81A - 8B E5 - mov esp,ebp
GVOnline.exe+55D81C - 5D - pop ebp
GVOnline.exe+55D81D - C3 - ret
GVOnline.exe+55D81E - 50 - push eax   { arg = [this+08]; caller cleans up (add esp,04) }
GVOnline.exe+55D81F - E8 CC0CC0FF - call GVOnline.exe+15E4F0
GVOnline.exe+55D824 - 83 C4 04 - add esp,04 { 4 }
GVOnline.exe+55D827 - 83 F8 04 - cmp eax,04 { 4 }
GVOnline.exe+55D82A - 77 54 - ja GVOnline.exe+55D880   { unsigned: result > 4 -> +55D880 (outside this listing) }
GVOnline.exe+55D82C - FF 76 08 - push [esi+08]
GVOnline.exe+55D82F - E8 9C0CC0FF - call GVOnline.exe+15E4D0
GVOnline.exe+55D834 - 83 C4 04 - add esp,04 { 4 }
GVOnline.exe+55D837 - 83 F8 0C - cmp eax,0C { 12 }
GVOnline.exe+55D83A - 74 D7 - je GVOnline.exe+55D813   { result == 12 -> return [this+9C] }
GVOnline.exe+55D83C - 8B 76 08 - mov esi,[esi+08]   { esi = [this+08] = ID; esi no longer points at the object }
GVOnline.exe+55D83F - E8 3CECBFFF - call GVOnline.exe+15C480   { no visible stack args; eax = base pointer used below }
GVOnline.exe+55D844 - 8D 4D FC - lea ecx,[ebp-04]
GVOnline.exe+55D847 - 51 - push ecx   { arg3 = &local [ebp-04] }
GVOnline.exe+55D848 - 8D 4D F8 - lea ecx,[ebp-08]
GVOnline.exe+55D84B - 51 - push ecx   { arg2 = &local [ebp-08] }
GVOnline.exe+55D84C - 56 - push esi                       { esi = ID }
GVOnline.exe+55D84D - 8D 88 843D0000 - lea ecx,[eax+00003D84] { ecx = item-name base address 1219664 }
GVOnline.exe+55D853 - E8 38DCBEFF - call GVOnline.exe+14B490 // generic name call: names for Tab-selected NPCs, event scenes etc. are all obtained from this call
GVOnline.exe+55D858 - 85 C0 - test eax,eax   { 0 -> +55D880 (outside this listing) }
GVOnline.exe+55D85A - 74 24 - je GVOnline.exe+55D880
GVOnline.exe+55D85C - 8B 70 04 - mov esi,[eax+04] -------------> esi = [eax+04]   { esi reassigned again: now the record returned by the lookup }
GVOnline.exe+55D85F - 85 F6 - test esi,esi
GVOnline.exe+55D861 - 74 1D - je GVOnline.exe+55D880
GVOnline.exe+55D863 - 83 7E 18 00 - cmp dword ptr [esi+18],00 { 0 }
GVOnline.exe+55D867 - 7E 0F - jle GVOnline.exe+55D878   { signed: [esi+18] <= 0 skips the +90B130 call }
GVOnline.exe+55D869 - FF 76 04 - push [esi+04]
GVOnline.exe+55D86C - 8D 46 08 - lea eax,[esi+08]
GVOnline.exe+55D86F - 50 - push eax
GVOnline.exe+55D870 - E8 BBD83A00 - call GVOnline.exe+90B130   { +90B130(&[esi+08], [esi+04]); two args, caller cleans up }
GVOnline.exe+55D875 - 83 C4 08 - add esp,08 { 8 }
GVOnline.exe+55D878 - 8B 46 0C - mov eax,[esi+0C] { --------------> breakpoint hits here; [esi+0C] = item name ("宽松衫") }
GVOnline.exe+55D87B - 5E - pop esi
GVOnline.exe+55D87C - 8B E5 - mov esp,ebp
GVOnline.exe+55D87E - 5D - pop ebp
GVOnline.exe+55D87F - C3 - ret
//---------------------------------------------------------------
动态调试后 [esi+0c]=中文名称和[esi+8]=物品ID 中的esi不一致,按照ID来分析esi的来源。
esi = ecx , ecx上层函数调用的参数,返回1

//--返回1===================================
GVOnline.exe+47C090 - 83 C4 14 - add esp,14 { 20 }
GVOnline.exe+47C093 - 8D 89 18080000 - lea ecx,[ecx+00000818]
GVOnline.exe+47C099 - E8 B25C1A00 - call GVOnline.exe+621D50 { 修改eax }-->进去看看
GVOnline.exe+47C09E - 85 C0 - test eax,eax
GVOnline.exe+47C0A0 - 0F84 5E050000 - je GVOnline.exe+47C604
GVOnline.exe+47C0A6 - 8B 78 0C - mov edi,[eax+0C] { edi = [eax+0c]} [ecx+04]+0]+0]+...+0]+08]+c]
GVOnline.exe+47C0A9 - 89 7D E8 - mov [ebp-18],edi
.....
.....
GVOnline.exe+47C1BF - 6A FF - push -01 { 255 }
GVOnline.exe+47C1C1 - 6A FF - push -01 { 255 }
GVOnline.exe+47C1C3 - 6A 04 - push 04 { 4 }
GVOnline.exe+47C1C5 - 6A 16 - push 16 { 22 }
GVOnline.exe+47C1C7 - 68 98010000 - push 00000198 { 408 }
GVOnline.exe+47C1CC - 8B CF - mov ecx,edi { ecx = edi ( [ecx+8]=id) }
GVOnline.exe+47C1CE - E8 0D160E00 - call GVOnline.exe+55D7E0
GVOnline.exe+47C1D3 - 50 - push eax ------------------------------>返回1
//---------------------------------------------------------------
esi=ecx=edi=[eax+0c] ,eax为call GVOnline.exe+621D50的返回值 ,追 进去看下

//=====进入call GVOnline.exe+621D50 ======================================

// GVOnline.exe+621D50 -- ecx = owning object. Pushes the slot index stored at [ecx+00000094], moves ecx to the
// embedded list object at +000002EC, and calls +9AAE03 (the callee pops the one argument: ret 0004).
// Returns eax = [node+08] for the node found, or 0 when +9AAE03 returns 0.
GVOnline.exe+621D50 - FF B1 94000000 - push [ecx+00000094] { slot index of the item within the bag }
GVOnline.exe+621D56 - 81 C1 EC020000 - add ecx,000002EC { ecx = bag-in-use base: a linked list }
GVOnline.exe+621D5C - E8 A2903800 - call GVOnline.exe+9AAE03 { walk the list: eax = [ecx+04]+0]+0]+...+0] }
GVOnline.exe+621D61 - 85 C0 - test eax,eax { author: eax = item ID; here eax is the node pointer returned by +9AAE03 }
GVOnline.exe+621D63 - 74 04 - je GVOnline.exe+621D69   { 0 (index out of range) -> return 0 }
GVOnline.exe+621D65 - 8B 40 08 - mov eax,[eax+08]   { eax = [eax+08] = [ecx+04]+0]+0]+...+0]+08] }
GVOnline.exe+621D68 - C3 - ret
GVOnline.exe+621D69 - 33 C0 - xor eax,eax
GVOnline.exe+621D6B - C3 - ret
//-------------------------------------
esi=ecx=edi=[eax+0c] =[[eax+08]+0c] , eax 为 call GVOnline.exe+9AAE03的返回值,追进去看下:
//-------------call GVOnline.exe+9AAE03-----------------------
// GVOnline.exe+9AAE03 -- ecx = list object: [ecx+04] = first node, [ecx+0C] = node count; stack arg [ebp+08] = index.
// Returns eax = the index-th node (following the [node+0] link index times), or 0 when index < 0 or
// index >= count (both compares are signed). Callee pops its argument (ret 0004).
// The walk does not check intermediate nodes for 0; it relies on [ecx+0C] not exceeding the real list length.
GVOnline.exe+9AAE03 - 55 - push ebp
GVOnline.exe+9AAE04 - 8B EC - mov ebp,esp
GVOnline.exe+9AAE06 - 8B 55 08 - mov edx,[ebp+08] { index }
GVOnline.exe+9AAE09 - 3B 51 0C - cmp edx,[ecx+0C] { total count of (usable) items in the bag }
GVOnline.exe+9AAE0C - 7D 10 - jnl GVOnline.exe+9AAE1E   { index >= count (signed) -> return 0 }
GVOnline.exe+9AAE0E - 85 D2 - test edx,edx
GVOnline.exe+9AAE10 - 78 0C - js GVOnline.exe+9AAE1E   { index < 0 -> return 0 }
GVOnline.exe+9AAE12 - 8B 41 04 - mov eax,[ecx+04]   { eax = [ecx+4] = head node; mov leaves the flags untouched }
GVOnline.exe+9AAE15 - 74 09 - je GVOnline.exe+9AAE20   { ZF still from test edx,edx: index == 0 -> return the head }
GVOnline.exe+9AAE17 - 8B 00 - mov eax,[eax]   { eax = [eax]: advance to the next item node }
GVOnline.exe+9AAE19 - 4A - dec edx
GVOnline.exe+9AAE1A - 75 FB - jne GVOnline.exe+9AAE17   { repeat index times }
GVOnline.exe+9AAE1C - EB 02 - jmp GVOnline.exe+9AAE20
GVOnline.exe+9AAE1E - 33 C0 - xor eax,eax   { out of range -> 0 }
GVOnline.exe+9AAE20 - 5D - pop ebp
GVOnline.exe+9AAE21 - C2 0400 - ret 0004 { 4 }
//-------------------------------------------------------------------
经过调试,eax =[ecx+04]+0]+0]+...+0]
因此,esi=ecx=edi=[eax+0c] =[[eax+08]+0c] =[ecx+04]+0]+0]+...+0]+08]+0c]
ECX 再往上追了一下,难度有点大,于是直接 Pointer scan for this address(即 add ecx,000002EC 之后的 ECX 地址)。

最终:esi = [1291274]+2EC+04]+0]+...+0]+08]+0c] (背包物品信息)
物品ID = [esi+8]
物品Cnt = [esi+28]
物品name := GetObjName(2, id); (Call GVOnline.exe+55D853,方法和NPC中文名称一样,基址为001219664)
