学习目标:
之分析寻路CALL 测试
1、通过目的地坐标回溯 <通过关键的数据逆向分析>
2、通过发包函数回溯 <通过发包函数回溯>
FLDZ
FILD 地址
FSTP 地址
思路:
FindWay(参数1,参数2,参数3,...)//里边肯定有一个是指向坐标
//1
; Listing //1 (debugger dump, x86-32, Intel syntax: address, opcode bytes, instruction).
; The function this belongs to starts and ends outside the excerpt; st0 is already
; loaded when the window begins, so the x87 sequence below is only partially visible.
006AEDFC 895D B4 MOV DWORD PTR SS:[EBP-0x4C],EBX          ; local[ebp-0x4C] = ebx
006AEDFF 885D B8 MOV BYTE PTR SS:[EBP-0x48],BL            ; local byte[ebp-0x48] = bl
006AEE02 0FAFC8 IMUL ECX,EAX                              ; ecx = ecx * eax (signed 32-bit product)
006AEE05 894D 98 MOV DWORD PTR SS:[EBP-0x68],ECX          ; spill the product; FISUB below reads it back from memory
006AEE08 8B0D 3C661E03 MOV ECX,DWORD PTR DS:[0x31E663C]   ; ecx = pointer read from the global at 0x31E663C; dereferenced by the CALL sequence below
006AEE0E 8D45 9C LEA EAX,DWORD PTR SS:[EBP-0x64]          ; eax = &local[ebp-0x64] (an address, not its contents) - pushed as an argument
006AEE11 DA65 98 FISUB DWORD PTR SS:[EBP-0x68]            ; st0 -= (int32)[ebp-0x68]; x87 integer subtract, converts the int on the fly
006AEE14 50 PUSH EAX                                      ; arg: pointer to the local buffer
006AEE15 68 EF030000 PUSH 0x3EF                           ; arg: constant 0x3EF (its meaning is not shown on this page)
006AEE1A D95D A4 FSTP DWORD PTR SS:[EBP-0x5C]             ; pop st0 into a local as a single-precision float
006AEE1D D95D C8 FSTP DWORD PTR SS:[EBP-0x38]             ; pop the next x87 value into another local
006AEE20 8B11 MOV EDX,DWORD PTR DS:[ECX]                  ; edx = first dword of the object ecx points to (a pointer table, vtable-like)
006AEE22 8B52 04 MOV EDX,DWORD PTR DS:[EDX+0x4]           ; edx = second entry of that table
006AEE25 FFD2 CALL EDX                                    ; indirect call through that entry; ecx still holds the object pointer (presumably `this` - confirm)
006AEE27 5F POP EDI                                       ; no ADD ESP between the CALL and this POP: the two pushed args appear to be removed by the callee - confirm
006AEE28 5B POP EBX                                       ; restore callee-saved registers
006AEE29 8B4D FC MOV ECX,DWORD PTR SS:[EBP-0x4]           ; reload local[ebp-4] (its role is not visible in this window)
-153,1545
-0x99,609
$ ==> >C2A30F5C
$+4 >00000000
$+8 >44DC2AE2
$+C >00000000
$+10 >00000000
$+14 >0000FFFF
$+18 >00000001
$+1C >0F5E7301
$+20 >00000000
$+24 >0018CCF0 UNICODE "x"
$+28 >00000000
$+2C >00000000
; Hand-written stub #1 (x86-32, Intel syntax as printed by the author's tool).
; Reserves a 0x30-byte block on the stack, fills it dword by dword with values that
; appear to come from the stack dump above ($ .. $+2C), then reaches the same indirect
; target as listing //1 ([[0x31E663C]] + 4) with three values pushed.
; Numeric literals carry no base prefix except on the PUSH lines; how the tool
; interprets "30", "0FFFF" etc. is not stated on this page.
sub esp,30                              ; reserve the block
mov eax,esp                             ; eax = base address of the block
mov dword ptr ss:[eax+0],0C2A30F5C      ; +00
mov dword ptr ss:[eax+4],0              ; +04
mov dword ptr ss:[eax+08],0C2A30F5C     ; +08
mov dword ptr ss:[eax+0c],0             ; +0C
mov dword ptr ss:[eax+10],0             ; +10
mov dword ptr ss:[eax+14],0FFFF         ; +14
mov dword ptr ss:[eax+18],1             ; +18
mov dword ptr ss:[eax+1c],0F5E7301      ; +1C
mov dword ptr ss:[eax+20],0             ; +20
mov dword ptr ss:[eax+24],018CCF0       ; +24 (the dump shows a pointer to UNICODE "x" at $+24)
mov dword ptr ss:[eax+28],0             ; +28
mov dword ptr ss:[eax+2c],0             ; +2C
push 0x54                               ; third pushed value (not present at the call site in listing //1)
push eax                                ; pointer to the block built above
push 0x3EF                              ; same constant listing //1 pushes
MOV ECX,DWORD PTR DS:[0x31E663C]        ; ecx = object pointer from the global, as in listing //1
MOV EDX,DWORD PTR DS:[ECX]              ; edx = its pointer table
MOV EDX,DWORD PTR DS:[EDX+0x4]          ; edx = second entry
CALL EDX                                ; indirect call; ecx presumably acts as `this` - confirm
add esp,30                              ; release the 0x30-byte block reserved above
; Hand-written stub #2. Same shape as stub #1, but the dwords at +00 and +08 are
; written as integers and then converted in place to single-precision floats with
; FILD/FSTP (the x87 int->float idiom noted at the top of the page); the tail
; dwords (+1C, +24, +28, +2C) differ from stub #1 as well.
sub esp,30                              ; reserve the 0x30-byte block
mov eax,esp                             ; eax = base address of the block
mov dword ptr ss:[eax+0],-99            ; +00 integer written first ...
fild dword ptr ss:[eax+0]               ; ... loaded into st0 as an int32 ...
fstp dword ptr ss:[eax+0]               ; ... and stored back as a float32 (in-place conversion)
mov dword ptr ss:[eax+4],0              ; +04
mov dword ptr ss:[eax+08],709           ; +08 integer written first ...
fild dword ptr ss:[eax+8]               ; ... converted the same way
fstp dword ptr ss:[eax+8]
mov dword ptr ss:[eax+0c],0             ; +0C
mov dword ptr ss:[eax+10],0             ; +10
mov dword ptr ss:[eax+14],0FFFF         ; +14
mov dword ptr ss:[eax+18],1             ; +18
mov dword ptr ss:[eax+1c],1             ; +1C
mov dword ptr ss:[eax+20],0             ; +20
mov dword ptr ss:[eax+24],0             ; +24
mov dword ptr ss:[eax+28],10            ; +28
mov dword ptr ss:[eax+2c],10            ; +2C
push 0x54                               ; third pushed value
push eax                                ; pointer to the block built above
push 0x3EF                              ; constant from listing //1
MOV ECX,DWORD PTR DS:[0x31E663C]        ; ecx = object pointer from the global
MOV EDX,DWORD PTR DS:[ECX]              ; edx = its pointer table
MOV EDX,DWORD PTR DS:[EDX+0x4]          ; edx = second entry
CALL EDX                                ; indirect call; ecx presumably acts as `this` - confirm
add esp,30                              ; release the block
; Hand-written stub #3. Identical in structure to stub #1; it differs only in the
; dwords written at +1C, +24, +28 and +2C (here 1, 0, 10, 10 instead of
; 0F5E7301, 018CCF0, 0, 0). Same indirect call target and same three pushes.
sub esp,30                              ; reserve the 0x30-byte block
mov eax,esp                             ; eax = base address of the block
mov dword ptr ss:[eax+0],0C2A30F5C      ; +00
mov dword ptr ss:[eax+4],0              ; +04
mov dword ptr ss:[eax+08],0C2A30F5C     ; +08
mov dword ptr ss:[eax+0c],0             ; +0C
mov dword ptr ss:[eax+10],0             ; +10
mov dword ptr ss:[eax+14],0FFFF         ; +14
mov dword ptr ss:[eax+18],1             ; +18
mov dword ptr ss:[eax+1c],1             ; +1C
mov dword ptr ss:[eax+20],0             ; +20
mov dword ptr ss:[eax+24],0             ; +24
mov dword ptr ss:[eax+28],10            ; +28
mov dword ptr ss:[eax+2c],10            ; +2C
push 0x54                               ; third pushed value
push eax                                ; pointer to the block built above
push 0x3EF                              ; constant from listing //1
MOV ECX,DWORD PTR DS:[0x31E663C]        ; ecx = object pointer from the global
MOV EDX,DWORD PTR DS:[ECX]              ; edx = its pointer table
MOV EDX,DWORD PTR DS:[EDX+0x4]          ; edx = second entry
CALL EDX                                ; indirect call; ecx presumably acts as `this` - confirm
add esp,30                              ; release the block
//2
; Listing //2 (debugger dump). The enclosing function starts and ends outside this
; excerpt. Pattern: push a pointer, then copy a 28-byte block onto the stack by value
; and call a fixed address with ecx loaded from a global.
004E77A9 8D85 9CFDFFFF LEA EAX,DWORD PTR SS:[EBP-0x264]        ; eax = &local[ebp-0x264] (an address; pushed next)
004E77AF 50 PUSH EAX                                           ; first argument: pointer to that local
004E77B0 83EC 1C SUB ESP,0x1C                                  ; reserve 0x1C = 28 bytes on the stack
004E77B3 8BFC MOV EDI,ESP                                      ; copy destination = the reserved area
004E77B5 B9 07000000 MOV ECX,0x7                               ; 7 dwords = 28 bytes
004E77BA 8DB5 9CAAFFFF LEA ESI,DWORD PTR SS:[EBP+0xFFFFAA9C]   ; copy source = local at ebp-0x5564 (displacement is negative, printed unsigned)
004E77C0 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>       ; copy the 28-byte block onto the stack (operand text truncated in the dump)
004E77C2 8B0D 88A7E200 MOV ECX,DWORD PTR DS:[0xE2A788]         ; ecx = pointer read from the global at 0xE2A788 (presumably `this` - confirm)
004E77C8 E8 E389F8FF CALL Client.004701B0 ; possibly pathfinding CALL 2 (author's note); callee body not shown here
004E77CD 8BBD F4AAFFFF MOV EDI,DWORD PTR SS:[EBP+0xFFFFAAF4]   ; reload locals after the call; no ADD ESP here, so the callee appears to remove the 0x20 bytes pushed - confirm
004E77D3 8BB5 ECAAFFFF MOV ESI,DWORD PTR SS:[EBP+0xFFFFAAEC]
004E77D9 EB 2E JMP SHORT Client.004E7809                       ; unconditional jump; the next line is only reached from elsewhere
004E77DB 8B8D D4AAFFFF MOV ECX,DWORD PTR SS:[EBP+0xFFFFAAD4]
//3
; Listing //3 (debugger dump). The enclosing function starts and ends outside this
; excerpt; ecx and edi for the first REP MOVS are set before the window begins.
; Pattern: forward the caller's 28 bytes of stack arguments by value to another
; call, then copy one float out of a returned/stored object into [ebx].
00470A27 8BF3 MOV ESI,EBX                                      ; copy source = ebx (count in ecx, destination in edi, both set earlier)
00470A29 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]  ; copy ecx dwords from [ebx] to [edi]
00470A2B 83EC 1C SUB ESP,0x1C                                  ; reserve 0x1C = 28 bytes on the stack
00470A2E 8BFC MOV EDI,ESP                                      ; copy destination = the reserved area
00470A30 B9 07000000 MOV ECX,0x7                               ; 7 dwords = 28 bytes
00470A35 8D75 08 LEA ESI,DWORD PTR SS:[EBP+0x8]                ; copy source = this function's first stack argument
00470A38 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]  ; forward the 28 bytes of incoming arguments to the callee by value
00470A3A 8B4D C4 MOV ECX,DWORD PTR SS:[EBP-0x3C]               ; ecx = local[ebp-0x3C] (presumably `this` - confirm)
00470A3D E8 7EEDFFFF CALL Client.0046F7C0                      ; callee body not shown here
00470A42 8B55 C0 MOV EDX,DWORD PTR SS:[EBP-0x40]               ; edx = pointer held in local[ebp-0x40]
00470A45 8B42 04 MOV EAX,DWORD PTR DS:[EDX+0x4]                ; eax = dword at +4 of that object
00470A48 D940 E4 FLD DWORD PTR DS:[EAX-0x1C]                   ; st0 = float32 at eax-0x1C
00470A4B D91B FSTP DWORD PTR DS:[EBX]                          ; store it to [ebx] (the same buffer the first copy read from)