光通传奇3 永恒传奇3(GSR版本) 追踪小记(一)
基本概况
光通传奇3 https://www.gtgame.com/ 1.45版13魔法一倍经验爆率的传奇3,
永恒传奇3 https://www.145mir3.cn/ 是完全一样的版本。
CE 7.6 能够搜索数据，但默认调试器无法附加：一附加游戏就崩溃闪退（推测客户端对常规调试器有反调试检测，尚未确认具体手段）。
在 Settings → Debugger Options 中把调试器改为 VEH Debugger 后即可正常附加并分析。
基本的基址查找就不再详细写了:
人物基址 0x00EA81C0
+614血量
+618 最大血量
+4968 蓝量
+72 X
+74 Y
+625角色名称
+4b54 选中怪物ID（应为指向怪物对象的指针，下面四项偏移相对于该指针所指的结构）
+72 X
+74 Y
+614 HP
+625 名称
周边人物、怪物、NPC查找
双开游戏窗口,查找另一窗口人物(周围人物)的坐标X,找到2个地址
52BDA15E
52BDA75C
在地址1上“find who access this address”, 有以下3个地方:
0040DBF1 - 0FB7 46 72 - movzx eax,word ptr [esi+72] <----就选这个地方吧
00477D57 - 66 8B 46 72 - mov ax,[esi+72]
004A145D - 0FB7 47 72 - movzx eax,word ptr [edi+72]
Mir3Game.exe+DB10 - 55 - push ebp
Mir3Game.exe+DB11 - 8B EC - mov ebp,esp
Mir3Game.exe+DB13 - 64 A1 00000000 - mov eax,fs:[00000000] { 0 }
Mir3Game.exe+DB19 - 6A FF - push -01 { 255 }
Mir3Game.exe+DB1B - 68 0A865400 - push Mir3Game.exe+14860A { (184) }
Mir3Game.exe+DB20 - 50 - push eax
Mir3Game.exe+DB21 - 64 89 25 00000000 - mov fs:[00000000],esp { 0 }
Mir3Game.exe+DB28 - 83 EC 20 - sub esp,20 { 32 }
Mir3Game.exe+DB2B - 53 - push ebx
Mir3Game.exe+DB2C - 8B 5D 08 - mov ebx,[ebp+08] 'ebx = [ebp+08] ebp+08即为上层函数的第1个参数 '
Mir3Game.exe+DB2F - BA 01000000 - mov edx,00000001 { 1 }
Mir3Game.exe+DB34 - 01 93 84558400 - add [ebx+Mir3Game.exe+445584],edx
Mir3Game.exe+DB3A - 8B 83 84558400 - mov eax,[ebx+Mir3Game.exe+445584]
Mir3Game.exe+DB40 - 33 C9 - xor ecx,ecx
Mir3Game.exe+DB42 - 89 83 88558400 - mov [ebx+Mir3Game.exe+445588],eax
Mir3Game.exe+DB48 - 8A 83 F8FE8300 - mov al,[ebx+Mir3Game.exe+43FEF8]
Mir3Game.exe+DB4E - 56 - push esi
Mir3Game.exe+DB4F - 57 - push edi
Mir3Game.exe+DB50 - 89 8B C44D8400 - mov [ebx+Mir3Game.exe+444DC4],ecx
Mir3Game.exe+DB56 - 89 8B CC460000 - mov [ebx+000046CC],ecx
Mir3Game.exe+DB5C - 3C 0E - cmp al,0E { 14 }
Mir3Game.exe+DB5E - 74 07 - je Mir3Game.exe+DB67
Mir3Game.exe+DB60 - 89 4D E8 - mov [ebp-18],ecx
Mir3Game.exe+DB63 - 3C 03 - cmp al,03 { 3 }
Mir3Game.exe+DB65 - 75 03 - jne Mir3Game.exe+DB6A
Mir3Game.exe+DB67 - 89 55 E8 - mov [ebp-18],edx
Mir3Game.exe+DB6A - 8B 83 CC450000 - mov eax,[ebx+000045CC]
Mir3Game.exe+DB70 - 89 8B 94518400 - mov [ebx+Mir3Game.exe+445194],ecx
Mir3Game.exe+DB76 - 3B C1 - cmp eax,ecx
Mir3Game.exe+DB78 - 0F8E A1050000 - jng Mir3Game.exe+E11F
Mir3Game.exe+DB7E - 8B 83 B8450000 - mov eax,[ebx+000045B8] ' eax = [ebx+000045B8] 即为周边实体链表的表头节点；实体记录基址(ID) = 节点 + 0xFFFFF9F0，即 节点 - 0x610（见 +DBAF）'
Mir3Game.exe+DB84 - 89 4D E4 - mov [ebp-1C],ecx
Mir3Game.exe+DB87 - C7 45 08 FFFF0000 - mov [ebp+08],0000FFFF
Mir3Game.exe+DB8E - 89 45 E0 - mov [ebp-20],eax '循环开始,第1个怪物基址放入临时变量[ebp-20]'
Mir3Game.exe+DB91 - 89 4D FC - mov [ebp-04],ecx
Mir3Game.exe+DB94 - 8B 45 E0 - mov eax,[ebp-20]
Mir3Game.exe+DB97 - 8B F0 - mov esi,eax
Mir3Game.exe+DB99 - 85 C0 - test eax,eax 'eax = 0 ?循环结束'
Mir3Game.exe+DB9B - 0F84 72050000 - je Mir3Game.exe+E113
Mir3Game.exe+DBA1 - 8B 40 04 - mov eax,[eax+04]
Mir3Game.exe+DBA4 - 89 45 E0 - mov [ebp-20],eax
Mir3Game.exe+DBA7 - 85 C0 - test eax,eax
Mir3Game.exe+DBA9 - 0F84 64050000 - je Mir3Game.exe+E113
Mir3Game.exe+DBAF - 81 C6 F0F9FFFF - add esi,FFFFF9F0 ' esi = esi + 0xFFFFF9F0，即 esi - 0x610：由链表节点得到实体记录基址'
Mir3Game.exe+DBB5 - 0F84 58050000 - je Mir3Game.exe+E113
Mir3Game.exe+DBBB - 80 BE 67060000 00 - cmp byte ptr [esi+00000667],00 { 0 }
Mir3Game.exe+DBC2 - 74 18 - je Mir3Game.exe+DBDC
Mir3Game.exe+DBC4 - 8B 0D 9CF25B00 - mov ecx,[Mir3Game.exe+1BF29C]
Mir3Game.exe+DBCA - 3B 8E D0000000 - cmp ecx,[esi+000000D0]
Mir3Game.exe+DBD0 - 72 0A - jb Mir3Game.exe+DBDC
Mir3Game.exe+DBD2 - 6A 00 - push 00 { 0 }
Mir3Game.exe+DBD4 - 56 - push esi
Mir3Game.exe+DBD5 - E8 664E0400 - call Mir3Game.exe+52A40
Mir3Game.exe+DBDA - EB B8 - jmp Mir3Game.exe+DB94
Mir3Game.exe+DBDC - 3B B3 CC4D8400 - cmp esi,[ebx+Mir3Game.exe+444DCC]
Mir3Game.exe+DBE2 - 74 0D - je Mir3Game.exe+DBF1
Mir3Game.exe+DBE4 - 8B 16 - mov edx,[esi] 'esi 即为怪物对象(this)，[esi] 是其虚表指针；随后 [edx+1C] 取虚函数、ecx=esi 作 thiscall 调用'
Mir3Game.exe+DBE6 - 8B 45 0C - mov eax,[ebp+0C]
Mir3Game.exe+DBE9 - 8B 52 1C - mov edx,[edx+1C]
Mir3Game.exe+DBEC - 50 - push eax
Mir3Game.exe+DBED - 8B CE - mov ecx,esi
Mir3Game.exe+DBEF - FF D2 - call edx
Mir3Game.exe+DBF1 - 0FB7 46 72 - movzx eax,word ptr [esi+72] '<--- 就是这儿 x = [esi+72]，esi 为怪物对象基址（[esi] 是虚表指针，不是基址）'
Mir3Game.exe+DBF5 - 0FBF 8B E4324D00 - movsx ecx,word ptr [ebx+Mir3Game.exe+D32E4]
Mir3Game.exe+DBFC - 0FBF 93 E6324D00 - movsx edx,word ptr [ebx+Mir3Game.exe+D32E6]
Mir3Game.exe+DC03 - 0FBF F8 - movsx edi,ax
返回上一层函数;
Mir3Game.exe+E8F0 - 55 - push ebp
Mir3Game.exe+E8F1 - 8B EC - mov ebp,esp
Mir3Game.exe+E8F3 - 83 EC 1C - sub esp,1C { 28 }
Mir3Game.exe+E8F6 - 53 - push ebx
Mir3Game.exe+E8F7 - 8B 1D 14D55B00 - mov ebx,[Mir3Game.exe+1BD514] { (5) }
Mir3Game.exe+E8FD - 56 - push esi
Mir3Game.exe+E8FE - 57 - push edi
Mir3Game.exe+E8FF - 8B F8 - mov edi,eax ' <----edi = eax ==> esi = [eax+000045B8] ,eax上级函数带入。'
Mir3Game.exe+E901 - A1 9CF25B00 - mov eax,[Mir3Game.exe+1BF29C]
Mir3Game.exe+E906 - 89 5D F8 - mov [ebp-08],ebx
Mir3Game.exe+E909 - 3B 05 7428F100 - cmp eax,[Mir3Game.exe+B12874]
Mir3Game.exe+E90F - 72 24 - jb Mir3Game.exe+E935
Mir3Game.exe+E911 - 83 BF CC4A8A00 00 - cmp dword ptr [edi+Mir3Game.exe+4A4ACC],00
Mir3Game.exe+E918 - 75 1B - jne Mir3Game.exe+E935
Mir3Game.exe+E91A - 8B 0D 0CD55B00 - mov ecx,[Mir3Game.exe+1BD50C] { (17) }
...(省略)
Mir3Game.exe+E9D3 - E8 D8290000 - call Mir3Game.exe+113B0
Mir3Game.exe+E9D8 - 53 - push ebx
Mir3Game.exe+E9D9 - 57 - push edi
Mir3Game.exe+E9DA - E8 D12A0000 - call Mir3Game.exe+114B0
Mir3Game.exe+E9DF - 53 - push ebx
Mir3Game.exe+E9E0 - 57 - push edi ' <---- 第1个参数：+DB10 中 ebx = edi，于是 +DB7E 处 esi = [edi+000045B8]'
Mir3Game.exe+E9E1 - E8 2AF1FFFF - call Mir3Game.exe+DB10
Mir3Game.exe+E9E6 - 53 - push ebx ' <---返回这儿'
继续返回上一层函数;
Mir3Game.exe+F1026 - E8 B56AFFFF - call Mir3Game.exe+E7AE0
Mir3Game.exe+F102B - EB 0B - jmp Mir3Game.exe+F1038
Mir3Game.exe+F102D - B8 30836600 - mov eax,Mir3Game.exe+268330 'eax=0x668330'
Mir3Game.exe+F1032 - 47 - inc edi
Mir3Game.exe+F1033 - E8 B8D8F1FF - call Mir3Game.exe+E8F0
Mir3Game.exe+F1038 - E8 93110000 - call Mir3Game.exe+F21D0 '<---返回这儿'
最终可得
monsterAddr = [Mir3Game.exe+268330+000045B8]（Mir3Game.exe 基址为 0x400000 时即 [0x668330 + 0x45B8] = [0x66C8E8]）
ID = monsterAddr + 0xFFFFF9F0（即 monsterAddr - 0x610 = monsterAddr - 1552；脚本中也按 -0x610 计算）
X = [ID + 0x72]
Y = [ID + 0x74]
下一个节点 = [monsterAddr + 4]，再下一个 = [[monsterAddr + 4] + 4]，以此类推，直到读到 0 为止（对应 +DB99 / +DBA7 处的 test eax,eax）。
CE lua script 函数:
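--- Walk the client's linked list of nearby entities and collect attackable monsters.
-- List head: [addrGoodsMonsBase + 0x45B8]; each node's "next" pointer is at [node + 4]
-- (the loop at Mir3Game.exe+DB94..DBA4 in the listing above). The entity record
-- starts 0x610 bytes before the node (`add esi,FFFFF9F0` at +DBAF), so every field
-- offset below is relative to node - 0x610.
--
-- The first dword of the record is used as the type discriminator. Given the virtual
-- call in the listing (mov edx,[esi]; call [edx+1C]) it is presumably the vtable
-- pointer, so humanTdType / monstIdType are presumably class vtable addresses —
-- TODO confirm.
-- NOTE(review): hp (+0x620) and name (+0x631) differ from the +0x614 / +0x625 listed
-- for the player structure; both are kept as originally found, verify against a dump.
--
-- Side effects: sets the global findHuman (1 when a player record is seen, else 0)
-- and writes one logF line per live entity with a 0x100-byte hex dump for analysis.
-- Depends on CE globals: readInteger, readSmallInteger, readString, readBytes,
-- ansiToUtf8, logF, addrGoodsMonsBase, humanTdType, monstIdType.
--
-- @treturn table list of {id=, x=, y=, hp=, name=} for monsters with 0 < hp < 2000,
--   excluding 神兽 / 超强骷髅 / 栗子树. Returns an empty table (never nil) when a
--   player is found; the walk stops at the first player record.
function findMonster()
  local monster = {}
  local node = readInteger(addrGoodsMonsBase + 0x45b8)
  -- readInteger returns nil when the read fails (e.g. the process went away or the
  -- pointer is stale); treat that as end-of-list instead of raising
  -- "attempt to compare nil with number".
  while node and node > 0 do
    local id = node - 0x610                   -- entity record base
    local x = readSmallInteger(id + 0x72)
    local y = readSmallInteger(id + 0x74)
    local hp = readSmallInteger(id + 0x620)
    local rawName = readString(id + 0x631)
    local name = ansiToUtf8(rawName)
    local idType = readInteger(id)

    if hp and hp > 0 then
      -- dump the first 0x100 bytes of the record for offline structure analysis;
      -- readBytes returns nil on failure, so fall back to an empty dump
      local bytes = readBytes(id, 0x100, true) or {}
      local hex = {}
      for i, b in ipairs(bytes) do
        hex[i] = string.format("%02x ", b)
      end
      logF("[Monst] " .. name .. "[" .. x .. "," .. y .. "] hp:" .. hp
           .. " - " .. "bytes:" .. table.concat(hex))
    end

    -- advance before the type checks so an early return never leaves a stale node
    node = readInteger(node + 4)

    if idType == humanTdType then
      -- a player is nearby: signal it and hand back an empty list (not nil) so
      -- callers can safely use #result
      findHuman = 1
      logF("发现有人类出现," .. name)
      return {}
    end
    findHuman = 0

    if hp and hp > 0 and hp < 2000 and idType == monstIdType then
      if name ~= "神兽" and name ~= "超强骷髅" and name ~= "栗子树" then
        monster[#monster + 1] = { id = id, x = x, y = y, hp = hp, name = name }
      else
        logF("发现神兽或超强骷髅或栗子树" .. name)
      end
    end
  end
  return monster
end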