大航海时代ol台服找Call记(十三) 丢弃背包物品
前几篇已经找到背包物品及中文名称的数据了,这篇探寻下丢弃物品call。
先在万能断点下断,丢弃物品后断下来,返回2层后来到
GVOnline.exe+4E5B9 - E8 D24F6E00 - call GVOnline.exe+733590
GVOnline.exe+4E5A8 - E8 D3DE1000 - call GVOnline.exe+15C480
GVOnline.exe+4E5AD - FF 75 0C - push [ebp+0C] 上层传入参数2
GVOnline.exe+4E5B0 - 8D 88 A81A0000 - lea ecx,[eax+00001AA8]
GVOnline.exe+4E5B6 - FF 75 08 - push [ebp+08] 上层传入参数1
GVOnline.exe+4E5B9 - E8 D24F6E00 - call GVOnline.exe+733590 { -----> 中断后返回2层call }
GVOnline.exe+4E5BE - 8B F8 - mov edi,eax
GVOnline.exe+4E5C0 - 83 FF FF - cmp edi,-01 { 255 }
GVOnline.exe+4E5C3 - 74 16 - je GVOnline.exe+4E5DB
GVOnline.exe+4E5C5 - 68 10270000 - push 00002710 { 10000 }
GVOnline.exe+4E5CA - 8D 4E 28 - lea ecx,[esi+28]
GVOnline.exe+4E5CD - C7 06 01000000 - mov [esi],00000001 { 1 }
GVOnline.exe+4E5D3 - E8 18075400 - call GVOnline.exe+58ECF0
GVOnline.exe+4E5D8 - 89 7E 10 - mov [esi+10],edi
GVOnline.exe+4E5DB - 5F - pop edi
下断 GVOnline.exe+4E5B9 call GVOnline.exe+733590 断下时堆栈如下:
001AFD88(esp+0) - 001AFDE8 - (pointer)001AFDE8 参数1
001AFD8C(esp+4) - 001AFDC0 - (pointer)001AFDC0 参数2
001AFD90(esp+8) - 05F2BF40 - (pointer)05F2BF40



可以看到
参数1
[+0]=0x00F418E8 未知,[+4]=0x064e7f70 = 丢弃物品的内容指针
经与背包物品数组比对,[0x064e7f70] 的内容为丢弃物品数组,每个物品占 0x14 字节。
[+0~+b]=背包物品节点数据的前 12 字节,[+c]=丢弃物品数量,[+10]=0xd0 未知
参数2
0x0105D4C8 未知
参数为 [ebp+8] 和 [ebp+0c],即上一层的参数1和参数2,那么返回到上一层看一下。
GVOnline.exe+474805 - E8 66A4BCFF - call GVOnline.exe+3EC70 --->返回到这里
GVOnline.exe+474640 - 55 - push ebp
GVOnline.exe+474641 - 8B EC - mov ebp,esp
GVOnline.exe+474643 - 6A FF - push -01 { 255 }
GVOnline.exe+474645 - 68 5B39F000 - push GVOnline.exe+B0395B { (184) }
GVOnline.exe+47464A - 64 A1 00000000 - mov eax,fs:[00000000] { 0 }
GVOnline.exe+474650 - 50 - push eax
GVOnline.exe+474651 - 64 89 25 00000000 - mov fs:[00000000],esp { 0 }
GVOnline.exe+474658 - 83 EC 5C - sub esp,5C { 92 }
GVOnline.exe+47465B - 56 - push esi
GVOnline.exe+47465C - 8B F1 - mov esi,ecx
GVOnline.exe+47465E - C7 45 C0 E818F400 - mov [ebp-40],GVOnline.exe+B418E8 { E8 18 F4 00
}
GVOnline.exe+474665 - C7 45 C4 00000000 - mov [ebp-3C],00000000 { 0 }
GVOnline.exe+47466C - C7 45 D0 00000000 - mov [ebp-30],00000000 { 0 }
GVOnline.exe+474673 - C7 45 CC 00000000 - mov [ebp-34],00000000 { 0 }
GVOnline.exe+47467A - C7 45 C8 00000000 - mov [ebp-38],00000000 { 0 }
GVOnline.exe+474681 - C7 45 FC 00000000 - mov [ebp-04],00000000 { 0 }
GVOnline.exe+474688 - C7 45 D4 E818F400 - mov [ebp-2C],GVOnline.exe+B418E8 { -------------参数1赋值(前4个字节) = 00F418E8 为固定值 }
GVOnline.exe+47468F - C7 45 D8 00000000 - mov [ebp-28],00000000 { 0 }
GVOnline.exe+474696 - C7 45 E4 00000000 - mov [ebp-1C],00000000 { 0 }
GVOnline.exe+47469D - C7 45 E0 00000000 - mov [ebp-20],00000000 { 0 }
GVOnline.exe+4746A4 - C7 45 DC 00000000 - mov [ebp-24],00000000 { 0 }
GVOnline.exe+4746AB - 8D 4D AC - lea ecx,[ebp-54] { 参数2 }
GVOnline.exe+4746AE - C6 45 FC 01 - mov byte ptr [ebp-04],01 { 1 }
GVOnline.exe+4746B2 - E8 9F8C5100 - call GVOnline.exe+98D356 { -------------------进去看下 mov [19FDBC],0105D4C8 参数2 赋值,为固定值 }
GVOnline.exe+4746B7 - 8B B6 AC070000 - mov esi,[esi+000007AC] { -------------------- esi = 丢弃物品数组地址 [[base]+7ac] } base=0x01212120
GVOnline.exe+4746BD - C6 45 FC 02 - mov byte ptr [ebp-04],02 { 2 }
GVOnline.exe+4746C1 - 85 F6 - test esi,esi
GVOnline.exe+4746C3 - 0F84 34010000 - je GVOnline.exe+4747FD
GVOnline.exe+4746C9 - 53 - push ebx
GVOnline.exe+4746CA - 57 - push edi
GVOnline.exe+4746CB - EB 03 - jmp GVOnline.exe+4746D0
GVOnline.exe+4746CD - 8D 49 00 - lea ecx,[ecx+00]
GVOnline.exe+4746D0 - 8B FE - mov edi,esi
GVOnline.exe+4746D2 - 85 F6 - test esi,esi
GVOnline.exe+4746D4 - 0F84 74010000 - je GVOnline.exe+47484E
GVOnline.exe+4746DA - 8B 7F 08 - mov edi,[edi+08] { 丢弃数组 }
GVOnline.exe+4746DD - 8B 36 - mov esi,[esi]
GVOnline.exe+4746DF - 8B CF - mov ecx,edi
GVOnline.exe+4746E1 - E8 2A900E00 - call GVOnline.exe+55D710
GVOnline.exe+4746E6 - 83 F8 04 - cmp eax,04 { eax=3 }
GVOnline.exe+4746E9 - 0F87 04010000 - ja GVOnline.exe+4747F3
GVOnline.exe+4746EF - FF 24 85 54488700 - jmp dword ptr [eax*4+GVOnline.exe+474854]
GVOnline.exe+4746F6 - 0F57 C0 - xorps xmm0,xmm0
GVOnline.exe+4746F9 - 8B CF - mov ecx,edi
GVOnline.exe+4746FB - 66 0FD6 45 98 - movq [ebp-68],xmm0
GVOnline.exe+474700 - E8 5B8E0E00 - call GVOnline.exe+55D560 { }
GVOnline.exe+474705 - 8B CF - mov ecx,edi { eax = ID }
GVOnline.exe+474707 - 8B D8 - mov ebx,eax
GVOnline.exe+474709 - E8 428E0E00 - call GVOnline.exe+55D550
GVOnline.exe+47470E - 8B 08 - mov ecx,[eax]
GVOnline.exe+474710 - 8B 40 04 - mov eax,[eax+04]
GVOnline.exe+474713 - 89 4D F0 - mov [ebp-10],ecx { eax=00010001 }
GVOnline.exe+474716 - 8B CF - mov ecx,edi
GVOnline.exe+474718 - 89 45 EC - mov [ebp-14],eax
GVOnline.exe+47471B - E8 E08E0E00 - call GVOnline.exe+55D600 { eax=1 }
GVOnline.exe+474720 - 8B 7D DC - mov edi,[ebp-24]
GVOnline.exe+474723 - 89 45 E8 - mov [ebp-18],eax
GVOnline.exe+474726 - 85 FF - test edi,edi
GVOnline.exe+474728 - 0F88 20010000 - js GVOnline.exe+47484E
GVOnline.exe+47472E - 6A FF - push -01 { 255 }
GVOnline.exe+474730 - 8D 4F 01 - lea ecx,[edi+01]
GVOnline.exe+474733 - 51 - push ecx
GVOnline.exe+474734 - 8D 4D D4 - lea ecx,[ebp-2C] { 19FDE4 }
GVOnline.exe+474737 - E8 D4B8C4FF - call GVOnline.exe+C0010
GVOnline.exe+47473C - 8B 45 D8 - mov eax,[ebp-28] { eax=堆指针 }
GVOnline.exe+47473F - 8D 0C BF - lea ecx,[edi+edi*4]
GVOnline.exe+474742 - 8D 0C 88 - lea ecx,[eax+ecx*4]
GVOnline.exe+474745 - 8B 45 F0 - mov eax,[ebp-10] { eax=743be32(丢弃物品节点内容的前4个字节) }
GVOnline.exe+474748 - 89 01 - mov [ecx],eax
GVOnline.exe+47474A - 8B 45 EC - mov eax,[ebp-14]
GVOnline.exe+47474D - 89 41 04 - mov [ecx+04],eax
GVOnline.exe+474750 - 8B 45 E8 - mov eax,[ebp-18]
GVOnline.exe+474753 - 89 41 0C - mov [ecx+0C],eax
GVOnline.exe+474756 - 8A 45 A8 - mov al,[ebp-58] { 64 }
GVOnline.exe+474759 - 89 59 08 - mov [ecx+08],ebx { ID }
GVOnline.exe+47475C - 88 41 10 - mov [ecx+10],al
GVOnline.exe+47475F - E9 8F000000 - jmp GVOnline.exe+4747F3
GVOnline.exe+474764 - 8B CF - mov ecx,edi
GVOnline.exe+474766 - E8 958F0E00 - call GVOnline.exe+55D700
GVOnline.exe+47476B - 8B CF - mov ecx,edi
GVOnline.exe+47476D - 83 F8 0C - cmp eax,0C { 12 }
GVOnline.exe+474770 - 74 69 - je GVOnline.exe+4747DB
GVOnline.exe+474772 - 0F57 C0 - xorps xmm0,xmm0
GVOnline.exe+474775 - 66 0FD6 45 98 - movq [ebp-68],xmm0
GVOnline.exe+47477A - E8 E18D0E00 - call GVOnline.exe+55D560
GVOnline.exe+47477F - 8B CF - mov ecx,edi
GVOnline.exe+474781 - 8B D8 - mov ebx,eax
GVOnline.exe+474783 - E8 C88D0E00 - call GVOnline.exe+55D550
GVOnline.exe+474788 - 8B 08 - mov ecx,[eax]
GVOnline.exe+47478A - 8B 40 04 - mov eax,[eax+04]
GVOnline.exe+47478D - 89 4D E8 - mov [ebp-18],ecx
GVOnline.exe+474790 - 8B CF - mov ecx,edi
GVOnline.exe+474792 - 89 45 EC - mov [ebp-14],eax
GVOnline.exe+474795 - E8 668E0E00 - call GVOnline.exe+55D600
GVOnline.exe+47479A - 8B 7D DC - mov edi,[ebp-24]
GVOnline.exe+47479D - 89 45 F0 - mov [ebp-10],eax
GVOnline.exe+4747A0 - 85 FF - test edi,edi
GVOnline.exe+4747A2 - 0F88 A6000000 - js GVOnline.exe+47484E
GVOnline.exe+4747A8 - 6A FF - push -01 { 255 }
GVOnline.exe+4747AA - 8D 4F 01 - lea ecx,[edi+01]
GVOnline.exe+4747AD - 51 - push ecx
GVOnline.exe+4747AE - 8D 4D D4 - lea ecx,[ebp-2C]
GVOnline.exe+4747B1 - E8 5AB8C4FF - call GVOnline.exe+C0010
GVOnline.exe+4747B6 - 8B 45 D8 - mov eax,[ebp-28]
GVOnline.exe+4747B9 - 8D 0C BF - lea ecx,[edi+edi*4]
GVOnline.exe+4747BC - 8D 0C 88 - lea ecx,[eax+ecx*4]
GVOnline.exe+4747BF - 8B 45 E8 - mov eax,[ebp-18]
GVOnline.exe+4747C2 - 89 01 - mov [ecx],eax
GVOnline.exe+4747C4 - 8B 45 EC - mov eax,[ebp-14]
GVOnline.exe+4747C7 - 89 41 04 - mov [ecx+04],eax
GVOnline.exe+4747CA - 8B 45 F0 - mov eax,[ebp-10]
GVOnline.exe+4747CD - 89 41 0C - mov [ecx+0C],eax
GVOnline.exe+4747D0 - 8A 45 A8 - mov al,[ebp-58]
GVOnline.exe+4747D3 - 89 59 08 - mov [ecx+08],ebx
GVOnline.exe+4747D6 - 88 41 10 - mov [ecx+10],al
GVOnline.exe+4747D9 - EB 18 - jmp GVOnline.exe+4747F3
GVOnline.exe+4747DB - E8 908E0E00 - call GVOnline.exe+55D670
GVOnline.exe+4747E0 - 8B C8 - mov ecx,eax
GVOnline.exe+4747E2 - E8 F9850E00 - call GVOnline.exe+55CDE0
GVOnline.exe+4747E7 - 50 - push eax
GVOnline.exe+4747E8 - FF 75 B4 - push [ebp-4C]
GVOnline.exe+4747EB - 8D 4D AC - lea ecx,[ebp-54]
GVOnline.exe+4747EE - E8 F78B5100 - call GVOnline.exe+98D3EA
GVOnline.exe+4747F3 - 85 F6 - test esi,esi
GVOnline.exe+4747F5 - 0F85 D5FEFFFF - jne GVOnline.exe+4746D0
GVOnline.exe+4747FB - 5F - pop edi
GVOnline.exe+4747FC - 5B - pop ebx
GVOnline.exe+4747FD - 8D 45 AC - lea eax,[ebp-54] ---------参数2
GVOnline.exe+474800 - 50 - push eax
GVOnline.exe+474801 - 8D 45 D4 - lea eax,[ebp-2C] ---------参数1
GVOnline.exe+474804 - 50 - push eax
GVOnline.exe+474805 - E8 66A4BCFF - call GVOnline.exe+3EC70 { ------------》3层返回 }
GVOnline.exe+47480A - 8B C8 - mov ecx,eax
GVOnline.exe+47480C - E8 6F9DBDFF - call GVOnline.exe+4E580
GVOnline.exe+474811 - 8D 4D AC - lea ecx,[ebp-54]
经分析可以看到,参数1的前4个字节和参数2的前4个字节均为固定值,最后4个字节 0xD0 经过测试基本固定,无影响。
推断丢弃物品call构造如下:
//----------------------------------
push param2 // 地址指针 [param2 ]=0x0105d4c8(固定值)
push discardAddr //丢弃物品指针,指向丢弃物品数组 (共12字节):
call 0043EC70 //堆栈没变化,返回值eax = 0x1212120为固定基址,应该可以忽略,直接以0x01212120赋值
mov ecx,eax //eax= 0x01212120
call 0044E580 //丢弃物品call
//----------------------------------
因此需要构造3个内存块
内存块1:
(参数1):discardAddr = 丢弃物品指针(12字节):
+0:0x00F418E8固定值
+4: discardNode【丢弃物品数组】
+8: Num = 丢弃物品品种数量
内存块2:
discardNode = 丢弃物品数组(0x14*N):
第1个物品的节点数据前 0x0c 个字节 + 数量(4字节) + 64(?4字节) = 0x14 字节
..
第N个物品
内存块3:
(参数2):param2 = 内存指针
+0:0x0105d4c8(固定值)
构造 CE Autoassemble如下:
//-------------------------------
alloc(newmem,2048)
newmem:
pushad
sub esp, $100 //堆栈里分配$100个字节
mov edx,esp
//------构造内存块3: 参数2 param2---
mov [edx],0x0105D4C8
push edx //----参数2 入栈
add edx,0x14
//------构造内存块2:丢弃物品数组iscardNode地址存入eax--------
mov eax,edx //
mov [edx],0x0743be32 //手工构造“记号用丝带”的节点数据
mov [edx+4],0x00010001
mov [edx+8],0x0016e419
mov [edx+c],0x00000001 //数量1
mov [edx+0x10],0x000000D0 //固定为0xD0
//------构造内存块1:参数1 discardAddr-------------
add edx,0x14
mov [edx],0x00F418E8 //固定值
mov [edx+4],eax
mov [edx+8],0x00000001 //丢弃物品种类
push edx //参数1 入栈
//call 0043EC70 //堆栈没变化,经测试可以不用
mov ecx,0x01217388
call 00B33590 //丢弃物品call
add esp , $100
popad
ret
createthread(newmem)
//----------------------------------

Bingo!
这样就可以调用call直接实现 DiscardItems('鱼肉','草',...)