89 Assistant FC: how should the special skills on six pieces of Fantasy Westward Journey equipment best be allocated?

0069EFF1 - 8B 15 54851B03 - mov edx,[Client.exe+2DB8554]
0069EFF7 - A1 58851B03 - mov eax,[Client.exe+2DB8558]
0069EFFC - 39 9C B8 - cmp [eax+edi*4+],ebx // A
- 0F84 DE030000 - je Client.exe+29F3E7
- 8B C8 - mov ecx,eax
0069F00B - 8B 84 B9 - mov eax,[ecx+edi*4+] // B
- 89 85 D0D7FFFF - mov [ebp-],eax
- cmp [eax+],bl
Following A (find what accesses this address) leads to the base address:
0069392A - 83 FE 72 - cmp esi,72
0069392D - 0F87 E9160000 - ja Client.exe+29501C
- A1 58851B03 - mov eax,[Client.exe+2DB8558] // base address
- 85 C0 - test eax,eax
0069393A - 0F84 - je Client.exe+293F85
007FA9A8 - 33 C0 - xor eax,eax
007FA9AA - 8D 9B - lea ebx,[ebx+]
007FA9B0 - 39 1C 85 B0BE1D03 - cmp [eax*4+Client.exe+2DDBEB0],ebx // base address of the table of all objects
007FA9B7 - 0F84 AE010000 - je Client.exe+3FAB6B
007FA9BD - 40 - inc eax
Going to that base address in the disassembler shows that the real base address is:
0069392A    83FE 72            CMP ESI,72
0069392D    0F87 E9160000      JA Client.0069501C
            A1 58851B03        MOV EAX,DWORD PTR DS:[31B8558]
            85C0               TEST EAX,EAX
0069393A    0F84               JE Client.00693F85
            83BCB0             CMP DWORD PTR DS:[EAX+ESI*4+410],0
                               JE Client.00693F85
0069394E    833D ACBE1D03 00   CMP DWORD PTR DS:[31DBEAC],0
            0F84 2A060000      JE Client.00693F85
Dumping the slot-0 object from the OD command line with dc [[31B8558]+410+4*0] shows these fields:
+5C skill name
+08 object attribute (1E)
+0C object ID
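The pointer chain above, as an added example that is not part of the original post: a C program that resolves [[31B8558]+410+4*index] through a memory-reader callback, reproducing the three checks the client makes (index <= 0x72, table pointer non-NULL, slot pointer non-NULL) before reading the ID at +0C and the name at +5C. The simulated memory contents, the fake object addresses 0A000000 and 0B000000, the ID 0x1234 and the name "demo_skill" are constructed for the example, and treating +5C as an inline NUL-terminated string is an assumption (check with dc whether the real field is inline or a pointer). On the live client, sim_read would be replaced by a wrapper around ReadProcessMemory.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Addresses and offsets are the ones recovered on this page. Everything in
 * the simulated memory below is constructed for the example, not dumped
 * from the real client. */
#define ADDR_TABLE_PTR   0x031B8558u  /* static pointer to the hotbar table object */
#define OFF_SLOT_ARRAY   0x410u       /* table + 410 + 4*index = slot object pointer */
#define OFF_OBJECT_ID    0x0Cu        /* slot object + 0C = object ID */
#define OFF_SKILL_NAME   0x5Cu        /* slot object + 5C = skill name */
#define MAX_SLOT_INDEX   0x72u        /* CMP ESI,72 / JA: indices above 72 are rejected */

/* Memory-reader abstraction; on the real target this wraps ReadProcessMemory.
 * Returns 1 on success, 0 when the range is unmapped. */
typedef int (*mem_read_fn)(uint32_t addr, void *out, uint32_t len);

/* ---- constructed target memory (simulation only) ---- */
struct region { uint32_t base; uint32_t len; uint8_t bytes[0x80]; };
static struct region g_regions[3];
static int g_built;

static void put_u32(uint8_t *p, uint32_t v) {          /* little-endian store */
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

static void build_sim_memory(void) {
    /* [31B8558] -> fake table object at 0A000000 (address chosen for the example) */
    g_regions[0].base = ADDR_TABLE_PTR; g_regions[0].len = 4;
    put_u32(g_regions[0].bytes, 0x0A000000u);
    /* table+410: slot 0 -> fake object at 0B000000, slot 1 -> NULL (empty slot) */
    g_regions[1].base = 0x0A000000u + OFF_SLOT_ARRAY; g_regions[1].len = 8;
    put_u32(g_regions[1].bytes, 0x0B000000u);
    put_u32(g_regions[1].bytes + 4, 0);
    /* slot 0 object: ID at +0C, name at +5C (assumed inline, NUL-terminated) */
    g_regions[2].base = 0x0B000000u; g_regions[2].len = 0x80;
    put_u32(g_regions[2].bytes + OFF_OBJECT_ID, 0x1234u);
    strcpy((char *)g_regions[2].bytes + OFF_SKILL_NAME, "demo_skill");
    g_built = 1;
}

static int sim_read(uint32_t addr, void *out, uint32_t len) {
    if (!g_built) build_sim_memory();
    for (unsigned i = 0; i < sizeof g_regions / sizeof g_regions[0]; i++) {
        const struct region *r = &g_regions[i];
        if (addr >= r->base && addr + len <= r->base + r->len) {
            memcpy(out, r->bytes + (addr - r->base), len);
            return 1;
        }
    }
    return 0;                                   /* unmapped, like a failed RPM */
}

static int read_u32(mem_read_fn rd, uint32_t addr, uint32_t *v) {
    uint8_t b[4];
    if (!rd(addr, b, 4)) return 0;
    *v = (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
    return 1;
}

/* Resolve [[31B8558]+410+4*index] with the same three checks the client
 * makes: index <= 72, table pointer non-NULL, slot pointer non-NULL. */
int resolve_slot(mem_read_fn rd, uint32_t index, uint32_t *slot_obj) {
    uint32_t table;
    if (index > MAX_SLOT_INDEX) return 0;
    if (!read_u32(rd, ADDR_TABLE_PTR, &table) || table == 0) return 0;
    if (!read_u32(rd, table + OFF_SLOT_ARRAY + 4 * index, slot_obj) || *slot_obj == 0) return 0;
    return 1;
}

int read_slot_id(mem_read_fn rd, uint32_t index, uint32_t *id) {
    uint32_t obj;
    return resolve_slot(rd, index, &obj) && read_u32(rd, obj + OFF_OBJECT_ID, id);
}

/* Copies the name at +5C one byte at a time so an unmapped page ends the read
 * instead of faulting; the result is always NUL-terminated. */
int read_slot_name(mem_read_fn rd, uint32_t index, char *out, uint32_t cap) {
    uint32_t obj;
    if (cap == 0 || !resolve_slot(rd, index, &obj)) return 0;
    for (uint32_t i = 0; i < cap; i++) {
        uint8_t c;
        if (!rd(obj + OFF_SKILL_NAME + i, &c, 1)) { out[i] = 0; return 0; }
        out[i] = (char)c;
        if (c == 0) return 1;
    }
    out[cap - 1] = 0;
    return 1;
}

int main(void) {
    char name[32]; uint32_t id;
    for (uint32_t i = 0; i < 2; i++) {
        if (read_slot_name(sim_read, i, name, sizeof name) && read_slot_id(sim_read, i, &id))
            printf("slot %u: id=%04X name=%s\n", (unsigned)i, (unsigned)id, name);
        else
            printf("slot %u: empty\n", (unsigned)i);
    }
    return 0;
}
```

The three checks in resolve_slot are the ones the listing shows in order (CMP ESI,72 / JA, TEST EAX,EAX / JE, CMP [EAX+ESI*4+410],0 / JE); an external reader that skips them will read through a NULL slot pointer exactly where the client would have bailed out.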
Finding the F1-F10 call
First, find what accesses the first skill slot in the hotbar; that gives the following data:
- 85 C0 - test eax,eax
0069393A - 0F84 - je Client.exe+293F85
- 83 BC B0 - cmp dword ptr [eax+esi*4+
- je Client.exe+293F85
0069394E - 83 3D ACBE1D03 00 - cmp dword ptr [Client.exe+2DDBEAC],00
- 89 99 2C020000 - mov [ecx+0000022C],ebx
006939AA - 8B 0D 58851B03 - mov ecx,[Client.exe+2DB8558]
- 83 BC B1 - cmp dword ptr [ecx+esi*4+
- 0F84 C6050000 - je Client.exe+293F84
006939BE - 8B 94 B1 - mov edx,[ecx+esi*4+]
- 83 BA F - cmp dword ptr [edx+],00
006939CC - 89 95 C486FFFF - mov [ebp-0000793C],edx
- 0F84 AC050000 - je Client.exe+293F84
- 8B C6 - mov eax,esi
006939DA - 8B 84 81 - mov eax,[ecx+eax*4+]
- 8B 70 4C - mov esi,[eax+4C]
- 8B 40 48 - mov eax,[eax+48]
- 0F8C 71FCFFFF - jl Client.exe+294060
006943EF - 8B 85 DC86FFFF - mov eax,[ebp-]
- 8B 8C 83 - mov ecx,[ebx+eax*4+]
006943FC - 80 B9 FD - cmp byte ptr [ecx+000003FD],00
- 8B BD B886FFFF - mov edi,[ebp-]
- 6A 01 - push 01
- 51 - push ecx
- 8B 8C 86 - mov ecx,[esi+eax*4+]
0069C76B - 52 - push edx
0069C76C - E8 3FC71100 - call Client.exe+3B8EB0
Then locate the call in OD (OllyDbg):
006938FF    C3               RETN
00693900    55               PUSH EBP                        // EBP comes from the caller
            8BEC             MOV EBP,ESP
                             MOV EAX,7998                    // stack probe for a 0x7998-byte frame
            E8 F3102B00      CALL Client.00944A00
0069390D    A1               MOV EAX,DWORD PTR DS:[B13408]   // /GS stack cookie: cookie XOR EBP saved at [EBP-4]
            33C5             XOR EAX,EBP
            8945 FC          MOV DWORD PTR SS:[EBP-4],EAX
            56               PUSH ESI
            8B75 08          MOV ESI,DWORD PTR SS:[EBP+8]    // ESI <- [EBP+8], the first stack argument
0069391B    57               PUSH EDI
0069391C    8BF9             MOV EDI,ECX                     // EDI <- ECX, the object pointer
0069391E    89BD B486FFFF    MOV DWORD PTR SS:[EBP+FFFF86B4],EDI
            89B5 DC86FFFF    MOV DWORD PTR SS:[EBP+FFFF86DC],ESI
0069392A    83FE 72          CMP ESI,72
0069392D    0F87 E9160000    JA Client.0069501C
            A1 58851B03      MOV EAX,DWORD PTR DS:[31B8558]  // EAX
            85C0             TEST EAX,EAX
0069393A    0F84             JE Client.00693F85
            83BCB0           CMP DWORD PTR DS:[EAX+ESI*4+410],0  // EAX+ESI*4+410
That gives the code above. Set a breakpoint on the PUSH EBP at the function entry; the registers then show that EAX holds the index into the hotbar data. Following it in the disassembly window leads to the caller:
0079D40F    83BC9A           CMP DWORD PTR DS:[EDX+EBX*4+410],0
            0F84 E24B0000    JE Client.007A1FFF
0079D41D    8B0D 20A4F500    MOV ECX,DWORD PTR DS:[F5A420]
            8B89 7C020000    MOV ECX,DWORD PTR DS:[ECX+27C]
            53               PUSH EBX
0079D42A    E8 D164EFFF      CALL Client.00693900            // E8 rel32: 0079D42F + FFEF64D1 = 00693900, the PUSH EBP above
0079D42F    E9 CB4B0000      JMP Client.007A1FFF
            83F9 01          CMP ECX,1
            0F85 9F000000    JNZ Client.0079D4DC
0079D43D    8B15 20A4F500    MOV EDX,DWORD PTR DS:[F5A420]
This is probably the call that uses a hotbar slot. A quick test with a code injector settles it:
MOV ECX,DWORD PTR DS:[0xF5A420]
MOV ECX,DWORD PTR DS:[ECX+27C]
The hotbar-use call is therefore the code above: ECX carries the object pointer taken from [[F5A420]+27C] (thiscall style), the slot index is pushed as the single stack argument (PUSH EBX in the listing), and the CALL goes to 00693900, where CMP ESI,72 / JA rejects any index above 0x72 before the slot pointer at [[31B8558]+410+4*index] is checked for NULL. Pass only indices in that range when injecting, or the call bails out without doing anything.