大航海时代ol台服找Call记(十四) 酒馆吃饭数据分析
虽然现在台服的料理便宜,一般也不太会去酒馆吃饭喝酒,但总想分析一下数据,就当作练习吧。
思考:先搜索食物名称,通过名称找到食物节点的内容,再通过分析得到酒馆食物列表的数据结构。


搜索“契洽酒”,得到2个地址:0x134FB640、0x134FB840

再搜索其中的地址 0x134FB640,得到地址 0x058B4D90
对地址 0x058B4D90 执行 “find who access this address”,
中断在 00B92804 - 8B 46 0C - mov eax,[esi+0C]

GVOnline.exe+792660 - 55 - push ebp
GVOnline.exe+792661 - 8B EC - mov ebp,esp
GVOnline.exe+792663 - 6A FF - push -01 { 255 }
GVOnline.exe+792665 - 68 27D0F100 - push GVOnline.exe+B1D027 { (184) }
GVOnline.exe+79266A - 64 A1 00000000 - mov eax,fs:[00000000] { 0 }
GVOnline.exe+792670 - 50 - push eax
GVOnline.exe+792671 - 64 89 25 00000000 - mov fs:[00000000],esp { 0 }
GVOnline.exe+792678 - 83 EC 64 - sub esp,64 { 100 }
GVOnline.exe+79267B - 53 - push ebx
GVOnline.exe+79267C - 56 - push esi
GVOnline.exe+79267D - 8B 75 08 - mov esi,[ebp+08] { =====> esi=[ebp+8] 来自上一层参数1
GVOnline.exe+792680 - 57 - push edi
GVOnline.exe+792681 - 8B CE - mov ecx,esi { ecx=esi }
GVOnline.exe+792683 - E8 4863F1FF - call GVOnline.exe+6A89D0 {===》 eax =[ecx+10] }
GVOnline.exe+792688 - 8B D8 - mov ebx,eax { ebx=eax }
GVOnline.exe+79268A - 89 5D EC - mov [ebp-14],ebx
GVOnline.exe+79268D - C7 45 A4 00000000 - mov [ebp-5C],00000000 { 0 }
GVOnline.exe+792694 - C7 45 A8 00000000 - mov [ebp-58],00000000 { 0 }
GVOnline.exe+79269B - C7 45 A0 00000000 - mov [ebp-60],00000000 { 0 }
GVOnline.exe+7926A2 - C7 45 9C 00000000 - mov [ebp-64],00000000 { 0 }
GVOnline.exe+7926A9 - C7 45 AC 00000000 - mov [ebp-54],00000000 { 0 }
GVOnline.exe+7926B0 - C7 45 B0 0A000000 - mov [ebp-50],0000000A { 10 }
GVOnline.exe+7926B7 - C7 45 98 6435FC00 - mov [ebp-68],GVOnline.exe+BC3564 { (00D89055) }
GVOnline.exe+7926BE - 8D 4D 90 - lea ecx,[ebp-70]
GVOnline.exe+7926C1 - C7 45 FC 00000000 - mov [ebp-04],00000000 { 0 }
GVOnline.exe+7926C8 - E8 C3E3DAFF - call GVOnline.exe+540A90
GVOnline.exe+7926CD - 80 7B 10 00 - cmp byte ptr [ebx+10],00 { 0 }
GVOnline.exe+7926D1 - 89 45 E8 - mov [ebp-18],eax
GVOnline.exe+7926D4 - C7 45 E0 00000000 - mov [ebp-20],00000000 { 0 }
GVOnline.exe+7926DB - 0F86 43020000 - jbe GVOnline.exe+792924
GVOnline.exe+7926E1 - 8D 73 12 - lea esi,[ebx+12] { esi=ebx+12 }
GVOnline.exe+7926E4 - 89 75 F0 - mov [ebp-10],esi //此处往下就是通用call的算法,以ID通过运算,找到物品节点
GVOnline.exe+7926E7 - E8 949D9CFF - call GVOnline.exe+15C480
GVOnline.exe+7926EC - 0FB7 3E - movzx edi,word ptr [esi] { edi=[esi] }
GVOnline.exe+7926EF - 68 1DF30100 - push 0001F31D { 127773 }
GVOnline.exe+7926F4 - 57 - push edi
GVOnline.exe+7926F5 - 8B D8 - mov ebx,eax
GVOnline.exe+7926F7 - E8 02CD3000 - call GVOnline.exe+A9F3FE { eax = int(edi / 0001f31d) }
GVOnline.exe+7926FC - 69 C0 140B0000 - imul eax,eax,00000B14 { 2836 }
GVOnline.exe+792702 - 8B F2 - mov esi,edx
GVOnline.exe+792704 - 69 F6 A7410000 - imul esi,esi,000041A7 { 16807 }
GVOnline.exe+79270A - 83 C4 08 - add esp,08 { 8 }
GVOnline.exe+79270D - 2B F0 - sub esi,eax
GVOnline.exe+79270F - 79 06 - jns GVOnline.exe+792717
GVOnline.exe+792711 - 81 C6 FFFFFF7F - add esi,7FFFFFFF { 2147483647 }
GVOnline.exe+792717 - 33 D2 - xor edx,edx
GVOnline.exe+792719 - 8B C6 - mov eax,esi
GVOnline.exe+79271B - F7 B3 342D0000 - div [ebx+00002D34] { 余数 edx }
GVOnline.exe+792721 - 8B 83 302D0000 - mov eax,[ebx+00002D30] { eax,[ebx+00002D30] }
GVOnline.exe+792727 - 85 C0 - test eax,eax
GVOnline.exe+792729 - 74 22 - je GVOnline.exe+79274D
GVOnline.exe+79272B - 8B 04 90 - mov eax,[eax+edx*4] { eax,[eax+edx*4] }
GVOnline.exe+79272E - 85 C0 - test eax,eax
GVOnline.exe+792730 - 74 1B - je GVOnline.exe+79274D
GVOnline.exe+792732 - 39 70 0C - cmp [eax+0C],esi
GVOnline.exe+792735 - 75 0F - jne GVOnline.exe+792746
GVOnline.exe+792737 - 33 C9 - xor ecx,ecx
GVOnline.exe+792739 - 39 38 - cmp [eax],edi
GVOnline.exe+79273B - 0F94 C1 - sete cl
GVOnline.exe+79273E - 85 C9 - test ecx,ecx
GVOnline.exe+792740 - 0F85 9E000000 - jne GVOnline.exe+7927E4 { 此处跳 }
GVOnline.exe+792746 - 8B 40 08 - mov eax,[eax+08]
GVOnline.exe+792749 - 85 C0 - test eax,eax
GVOnline.exe+79274B - 75 E5 - jne GVOnline.exe+792732
......
GVOnline.exe+7927DB - 8B 45 EC - mov eax,[ebp-14]
GVOnline.exe+7927DE - F6 40 08 02 - test byte ptr [eax+08],02 { 2 }
GVOnline.exe+7927E2 - EB 2F - jmp GVOnline.exe+792813
GVOnline.exe+7927E4 - 8B 70 04 - mov esi,[eax+04] { esi=[eax+4] }
GVOnline.exe+7927E7 - 85 F6 - test esi,esi
GVOnline.exe+7927E9 - 0F84 5EFFFFFF - je GVOnline.exe+79274D
GVOnline.exe+7927EF - 83 7E 18 00 - cmp dword ptr [esi+18],00 { ==》 与背包物品一样,判断[+18] == 0 ?没有,解密 }
GVOnline.exe+7927F3 - 7E 0F - jle GVOnline.exe+792804
GVOnline.exe+7927F5 - FF 76 04 - push [esi+04]
GVOnline.exe+7927F8 - 8D 46 08 - lea eax,[esi+08] { [esi+8] = ID }
GVOnline.exe+7927FB - 50 - push eax
GVOnline.exe+7927FC - E8 2F891700 - call GVOnline.exe+90B130 { 通用解密call }
GVOnline.exe+792801 - 83 C4 08 - add esp,08 { 8 }
GVOnline.exe+792804 - 8B 46 0C - mov eax,[esi+0C] { ------------------>断在此处 }
GVOnline.exe+792807 - E9 46FFFFFF - jmp GVOnline.exe+792752
GVOnline.exe+79280C - 8B 45 EC - mov eax,[ebp-14]

可以看到,断下来时 esi 处为食物节点数据,包括:ID、中文名称地址。
但一直往上追了好几层,都找不到酒馆食物数组的来源,这个数组结构始终是在堆栈里,只要窗口一关闭就消失了。开始还想着跟踪堆栈内的食物数据,看最后存放到哪里去,但这可能比较复杂。

思考之后明白了:酒馆的食物对游戏角色来说不是重要内容,每次都是临时从服务器传送过来、临时存放,吃完后数据就没用了。
但只要酒馆吃喝的窗口还打开着,就总会临时保存着这个结构。
观察后发现,每次点击不同的食物,窗口上的价格会相应改变。由此想到,这个价格应该就是各个食物单价相加的结果,那么点击食物后,游戏必然会从食物数组里取出相应食物的价格进行计算。这应该可以作为一个切入点。
通过搜索这个价格,得到地址 0x1064ee00,执行 “find who access this address”,断在:00A6A740 - 89 73 70 - mov [ebx+70],esi
GVOnline.exe+66A727 - 56 - push esi
GVOnline.exe+66A728 - 8B 75 08 - mov esi,[ebp+08] { =====> esi =[ebp+8] 上层参数1 }
GVOnline.exe+66A72B - 57 - push edi
GVOnline.exe+66A72C - 8B D9 - mov ebx,ecx
GVOnline.exe+66A72E - 56 - push esi
GVOnline.exe+66A72F - 8D 7B 7C - lea edi,[ebx+7C]
GVOnline.exe+66A732 - 57 - push edi
GVOnline.exe+66A733 - E8 B8070000 - call GVOnline.exe+66AEF0
GVOnline.exe+66A738 - 8B 07 - mov eax,[edi]
GVOnline.exe+66A73A - 8B 4B 78 - mov ecx,[ebx+78]
GVOnline.exe+66A73D - 83 C4 08 - add esp,08 { 8 }
GVOnline.exe+66A740 - 89 73 70 - mov [ebx+70],esi { --------> 断在此处,esi=总价 }
//----------------返回上层-----------------
GVOnline.exe+641CB3 - FF 75 0C - push [ebp+0C]
GVOnline.exe+641CB6 - FF 75 08 - push [ebp+08] { ==============>上层参数1 }
GVOnline.exe+641CB9 - E8 628A0200 - call GVOnline.exe+66A720
GVOnline.exe+641CBE - 8B 4D F4 - mov ecx,[ebp-0C] {----------------> 返回1 }
//----------------返回上层-----------------
GVOnline.exe+655B48 - 57 - push edi
GVOnline.exe+655B49 - 8B 7D 0C - mov edi,[ebp+0C] { edi=[ebp+0C] ==============>上层第2个参数 }
GVOnline.exe+655B4C - BB 04000000 - mov ebx,00000004 { 4 }
GVOnline.exe+655B51 - 8B 47 04 - mov eax,[edi+04]
GVOnline.exe+655B54 - 85 C0 - test eax,eax
......
GVOnline.exe+655C04 - FF 77 14 - push [edi+14]
GVOnline.exe+655C07 - 8B 0F - mov ecx,[edi] {=============> ecx = [edi] }
GVOnline.exe+655C09 - FF 75 18 - push [ebp+18]
GVOnline.exe+655C0C - B8 00943577 - mov eax,ucrtbase.casinhf+100 { (1574524897) }
GVOnline.exe+655C11 - 3B C8 - cmp ecx,eax
GVOnline.exe+655C13 - 0F4F C8 - cmovg ecx,eax
GVOnline.exe+655C16 - 8D 46 10 - lea eax,[esi+10]
GVOnline.exe+655C19 - 50 - push eax
GVOnline.exe+655C1A - 8D 43 5C - lea eax,[ebx+5C]
GVOnline.exe+655C1D - 50 - push eax
GVOnline.exe+655C1E - 51 - push ecx { =========================> 参数1 = ecx }
GVOnline.exe+655C1F - 8B 4D 08 - mov ecx,[ebp+08]
GVOnline.exe+655C22 - E8 29C0FEFF - call GVOnline.exe+641C50 { ---------------->返回2 }
GVOnline.exe+655C27 - 8B 4F 08 - mov ecx,[edi+08]
//-------------------------返回-------------------
GVOnline.exe+655C86 - B9 04000000 - mov ecx,00000004 { 4 }
GVOnline.exe+655C8B - 56 - push esi
GVOnline.exe+655C8C - 8B 75 0C - mov esi,[ebp+0C] { =======> esi=[ebp+0C] 上层第2个参数 }
GVOnline.exe+655C8F - 8B 46 04 - mov eax,[esi+04]
GVOnline.exe+655C92 - 85 C0 - test eax,eax
GVOnline.exe+655C94 - 74 3C - je GVOnline.exe+655CD2
GVOnline.exe+655C96 - 6A 00 - push 00 { 0 }
........
GVOnline.exe+655CD8 - 83 C0 EC - add eax,-14 { 236 }
GVOnline.exe+655CDB - 50 - push eax
GVOnline.exe+655CDC - 8B 45 10 - mov eax,[ebp+10]
GVOnline.exe+655CDF - 2B C1 - sub eax,ecx
GVOnline.exe+655CE1 - 83 E8 70 - sub eax,70 { 112 }
GVOnline.exe+655CE4 - 50 - push eax
GVOnline.exe+655CE5 - 56 - push esi { =======================>第2个参数 =esi }
GVOnline.exe+655CE6 - FF 75 08 - push [ebp+08]
GVOnline.exe+655CE9 - E8 52FEFFFF - call GVOnline.exe+655B40 { ----------------->返回3 }
GVOnline.exe+655CEE - 83 C4 14 - add esp,14 { 20 }
//-------------------------返回-------------------
GVOnline.exe+3A15EB - 81 C6 B4000000 - add esi,000000B4 { 180 }
GVOnline.exe+3A15F1 - 4F - dec edi
GVOnline.exe+3A15F2 - 75 E4 - jne GVOnline.exe+3A15D8
GVOnline.exe+3A15F4 - 8B 4D D8 - mov ecx,[ebp-28]
GVOnline.exe+3A15F7 - 33 C0 - xor eax,eax
GVOnline.exe+3A15F9 - 8D 91 0C0A0000 - lea edx,[ecx+00000A0C] {============> edx=[ecx+00000A0C],edx为选中要吃的饮料食物的首地址 }
GVOnline.exe+3A15FF - 89 7D D4 - mov [ebp-2C],edi
GVOnline.exe+3A1602 - 89 45 C8 - mov [ebp-38],eax
GVOnline.exe+3A1605 - 89 55 B8 - mov [ebp-48],edx { =====》[ebp-48]=edx }
GVOnline.exe+3A1608 - 39 02 - cmp [edx],eax
GVOnline.exe+3A160A - 74 11 - je GVOnline.exe+3A161D
GVOnline.exe+3A160C - 39 81 100A0000 - cmp [ecx+00000A10],eax
......
GVOnline.exe+3A19BE - 89 BD 60FFFFFF - mov [ebp-000000A0],edi
GVOnline.exe+3A19C4 - C7 85 70FFFFFF 01000000 - mov [ebp-00000090],00000001 { 1 }
GVOnline.exe+3A19CE - E8 4D1B2A00 - call GVOnline.exe+643520
GVOnline.exe+3A19D3 - 8B 7D B8 - mov edi,[ebp-48] { ============> edi=[ebp-48] [edi]=8d 点的食物地址}
GVOnline.exe+3A19D6 - C7 40 18 00000080 - mov [eax+18],80000000 { -2147483648 }
GVOnline.exe+3A19DD - 0F57 C0 - xorps xmm0,xmm0
GVOnline.exe+3A19E0 - C7 45 9C 00000000 - mov [ebp-64],00000000 { 0 }
GVOnline.exe+3A19E7 - C7 45 A0 00000000 - mov [ebp-60],00000000 { 0 }
GVOnline.exe+3A19EE - C7 45 A4 00000000 - mov [ebp-5C],00000000 { 0 }
GVOnline.exe+3A19F5 - C7 45 A8 00000000 - mov [ebp-58],00000000 { 0 }
GVOnline.exe+3A19FC - C7 45 AC FFFFFFFF - mov [ebp-54],FFFFFFFF { -1 }
GVOnline.exe+3A1A03 - C7 45 B0 FFFFFFFF - mov [ebp-50],FFFFFFFF { -1 }
GVOnline.exe+3A1A0A - 66 0F13 45 EC - movlpd [ebp-14],xmm0
GVOnline.exe+3A1A0F - BB 02000000 - mov ebx,00000002 { 2 }
GVOnline.exe+3A1A14 - 8B 0F - mov ecx,[edi] {=============> edi = 点的2个餐的地址 }
GVOnline.exe+3A1A16 - 85 C9 - test ecx,ecx
GVOnline.exe+3A1A18 - 74 14 - je GVOnline.exe+3A1A2E
GVOnline.exe+3A1A1A - 8D 45 BC - lea eax,[ebp-44]
GVOnline.exe+3A1A1D - 50 - push eax
GVOnline.exe+3A1A1E - E8 1DF01900 - call GVOnline.exe+540A40 {=========> 返回[eax]取得第N个点的食物的价格 }
GVOnline.exe+3A1A23 - 8B 08 - mov ecx,[eax]
GVOnline.exe+3A1A25 - 01 4D EC - add [ebp-14],ecx {===========> 相加得到总价格存入[ebp-14] }
GVOnline.exe+3A1A28 - 8B 40 04 - mov eax,[eax+04]
GVOnline.exe+3A1A2B - 11 45 F0 - adc [ebp-10],eax
GVOnline.exe+3A1A2E - 83 C7 04 - add edi,04 { 4 }
GVOnline.exe+3A1A31 - 4B - dec ebx
GVOnline.exe+3A1A32 - 75 E0 - jne GVOnline.exe+3A1A14
GVOnline.exe+3A1A34 - 8D 4D EC - lea ecx,[ebp-14] {==========> [ecx] = [ebp-14] =总价 }
GVOnline.exe+3A1A37 - E8 540DD8FF - call GVOnline.exe+122790 {=====> eax在这个call里变化 = [ecx] }
GVOnline.exe+3A1A3C - 68 94030000 - push 00000394 { 916 }
GVOnline.exe+3A1A41 - 89 45 9C - mov [ebp-64],eax { =====> [ebp-64]=eax eax=总价 存入参数中 }
GVOnline.exe+3A1A44 - E8 075ED7FF - call GVOnline.exe+117850
GVOnline.exe+3A1A49 - 8B 7D B8 - mov edi,[ebp-48]
......
GVOnline.exe+3A1A9C - 6A 04 - push 04 { 4 }
GVOnline.exe+3A1A9E - 68 34010000 - push 00000134 { 308 }
GVOnline.exe+3A1AA3 - 3B C7 - cmp eax,edi
GVOnline.exe+3A1AA5 - 68 44020000 - push 00000244 { 580 }
GVOnline.exe+3A1AAA - 8D 45 9C - lea eax,[ebp-64] { eax=ebp-64 }
GVOnline.exe+3A1AAD - BA 8080FFFF - mov edx,FFFF8080 { -32640 }
GVOnline.exe+3A1AB2 - 50 - push eax { =====================>第2个参数 eax }
GVOnline.exe+3A1AB3 - FF 75 DC - push [ebp-24]
GVOnline.exe+3A1AB6 - 0F47 CA - cmova ecx,edx
GVOnline.exe+3A1AB9 - 89 4D B0 - mov [ebp-50],ecx
GVOnline.exe+3A1ABC - E8 BF412B00 - call GVOnline.exe+655C80 { ---------------> 返回4 }
GVOnline.exe+3A1AC1 - 8B 7D D8 - mov edi,[ebp-28]
GVOnline.exe+3A1AC4 - 83 C4 14 - add esp,14 { 20 }

执行到 GVOnline.exe+3A1A14 - 8B 0F - mov ecx,[edi] { edi = 点的2个餐的地址 } 时,
可以看到 [edi] = 点的2个餐的地址:0x0147dd7c、0x0147dddc


在 0x0147dd7c 地址处可以清晰地看到有9个节点,对应酒馆提供的9种食物的数组结构。
(第2张图为食物节点调整好首地址后的具体内容,地址非本次地址,仅供说明)
从 GVOnline.exe+3A1A1E - E8 1DF01900 - call GVOnline.exe+540A40 里可以知道,价格位于节点的 +08 处,
因此食物数组的首地址为 0x0147dd7c - 8 = 0x0147dd74
有了这个临时地址,就可以用 pointer scan for this address,找出食物地址为:


[1291274]+1c]+198]+EC]+0]
[1291274]+1c]+198]+EC = 第1个食物地址 最后1个食物地址 食物总数
酒馆吃饭call:
gvonline.bin+4AB0C - 56 - push esi
gvonline.bin+4AB0D - 8B 77 34 - mov esi,[edi+34]
gvonline.bin+4AB10 - E8 6B191100 - call gvonline.bin+15C480
gvonline.bin+4AB15 - FF 75 10 - push [ebp+10] //???
gvonline.bin+4AB18 - 8D 88 A81A0000 - lea ecx,[eax+00001AA8] //ecx=1217388
gvonline.bin+4AB1E - FF 75 0C - push [ebp+0C] //食物ID
gvonline.bin+4AB21 - FF 75 08 - push [ebp+08] //饮料ID
gvonline.bin+4AB24 - 56 - push esi //NPC ID
gvonline.bin+4AB25 - FF 75 FC - push [ebp-04] //0
gvonline.bin+4AB28 - FF 77 24 - push [edi+24] //1
gvonline.bin+4AB2B - E8 304B6E00 - call gvonline.bin+72F660
堆栈:
0019FDF0(esp+0) - 00000001 - (dword)00000001(1)
0019FDF4(esp+4) - 00000000 - (dword)00000000(0)
0019FDF8(esp+8) - 01800227 - (pointer)01800227
0019FDFC(esp+C) - 0000008F - (dword)0000008F(143)
0019FE00(esp+10) - 00000093 - (dword)00000093(147)
0019FE04(esp+14) - 0000029D - (dword)0000029D(669)
