一款游戏的背包数据非常规查找处理方法

首先，背包中的数据与物品之间找不到很好的对应关系，因此从用 CE 查找物品数量入手

一款游戏的背包数据非常规查找处理方法_第1张图片



EAX=00000056
EBX=12000630
ECX=1203CCBC
EDX=00000005
ESI=1203CCBC
EDI=00000008
EBP=12000534
ESP=0018F4BC
EIP=0051EDB5

Probable base pointer =1203CCBC

0051EDAC - cmp [ecx+08],eax
0051EDAF - jne Moon.CoreGetShell+D7E80
0051EDB1 - movzx edx,word ptr [ecx+30]
0051EDB5 - mov eax,[esp+08]
0051EDB9 - push esi



EAX=00000056
EBX=12000630
ECX=11F80590
EDX=121C0020
ESI=00000008
EDI=1203CCBC
EBP=FFFFFFFF
ESP=0018F400
EIP=0051E73C

Probable base pointer =11F80590

0051E735 - jnl Moon.CoreGetShell+D7822
0051E737 - mov ecx,[ecx]
0051E739 - mov edi,[ecx+eax*4]     // 
0051E73C - test edi,edi
0051E73E - je Moon.CoreGetShell+D7822


EAX=00000056
EBX=0018F258
ECX=11C39C70
EDX=11F80590
ESI=0018F258
EDI=00000000
EBP=00000000
ESP=0018C218
EIP=004CE113

Probable base pointer =11C39C70

004CE10C - cmp eax,[ecx+04]
004CE10F - jnl Moon.CoreGetShell+871EB
004CE111 - mov edx,[ecx]
004CE113 - mov ecx,[edx+eax*4]
004CE116 - test ecx,ecx

EAX=00000056
EBX=12000630
ECX=11C39C70
EDX=00000002
ESI=1203CCBC
EDI=00000008
EBP=12000534
ESP=0018F4BC
EIP=0051ED9C

Probable base pointer =121C0020

0051ED8E - test eax,eax
0051ED90 - mov ecx,[Moon.exe+75D424]
0051ED96 - mov ecx,[ecx+Lua5.dll+24170]
0051ED9C - jnge Moon.CoreGetShell+D7E80
0051ED9E - cmp eax,[ecx+04]

EAX=255B426F
EBX=121C0024
ECX=121C0020
EDX=005079A0
ESI=121C0024
EDI=FFFFFFD0
EBP=0018F4D4
ESP=0018F088
EIP=005079C3

Probable base pointer =0075D424

005079BA - push ebx
005079BB - mov ebx,ecx
005079BD - mov ecx,[Moon.exe+75D424]
005079C3 - mov eax,[ecx+Lua5.dll+24168]
005079C9 - push esi

汇总一下(方括号表示对该地址取值,由内向外逐级解引用):
背包物品数量基址 :
[[[[[Moon.exe+75D424] +Lua5.dll+24170] +0] +eax*4] +30]   eax=0x56
[[[[[00B5D424] +00264170]+0 ] +eax*4] +30]   eax=0x56

再来一遍
EAX=0000003C
EBX=12000630
ECX=120312AC
EDX=0000000D
ESI=120312AC
EDI=0000003C
EBP=12000534
ESP=0018F4BC
EIP=0051EDB5

Probable base pointer =120312AC

0051EDAC - cmp [ecx+08],eax
0051EDAF - jne Moon.CoreGetShell+D7E80
0051EDB1 - movzx edx,word ptr [ecx+30]
0051EDB5 - mov eax,[esp+08]
0051EDB9 - push esi

EAX=0000003C
EBX=12000630
ECX=120312AC
EDX=11F80590
ESI=120312AC
EDI=0000003C
EBP=12000534
ESP=0018F4BC
EIP=0051EDA8

Probable base pointer =11F80590

0051EDA1 - jnl Moon.CoreGetShell+D7E80
0051EDA3 - mov edx,[ecx]
0051EDA5 - mov ecx,[edx+eax*4]
0051EDA8 - test ecx,ecx
0051EDAA - je Moon.CoreGetShell+D7E80

EAX=0000003C
EBX=12000630
ECX=11C39C70
EDX=11F80590
ESI=120312AC
EDI=0000003C
EBP=12000534
ESP=0018F4BC
EIP=0051EDA5

Probable base pointer =11C39C70

0051ED9E - cmp eax,[ecx+04]
0051EDA1 - jnl Moon.CoreGetShell+D7E80
0051EDA3 - mov edx,[ecx]
0051EDA5 - mov ecx,[edx+eax*4]
0051EDA8 - test ecx,ecx


EAX=00000000
EBX=0018F234
ECX=11C39C70
EDX=00000065
ESI=12000534
EDI=121C0020
EBP=0018F1F8
ESP=0018C1B8
EIP=00440286

Probable base pointer =121C0020

0044027C - mov ecx,[ebx+04]
0044027F - push ecx
00440280 - mov ecx,[edi+Lua5.dll+24170]
00440286 - call Moon.CoreGetShell+76B10
0044028B - mov edi,eax

EAX=00004650
EBX=0018F104
ECX=121C0020
EDX=121C0020
ESI=12000534
EDI=00000000
EBP=0018F0EC
ESP=0018BB7C
EIP=0043866A

Probable base pointer =0075D424

0043865B - mov eax,[edx+Lua5.dll+1E6C0]
00438661 - mov [ebx+10],eax
00438664 - mov ecx,[Moon.exe+75D424]
0043866A - mov edi,[ecx+Lua5.dll+1E6B8]
00438670 - jmp Moon.g_GameLoadingSetPart+24E4B


总结一下:
[[[[[Moon.exe+75D424] +Lua5.dll+24170]+0 ] +eax*4] +30]
[[[[[00B5D424] +00264170]+0 ] +eax*4] +30]

--- 找背包物品名称 ---

EAX=0018ADF8
EBX=121C0020
ECX=FDD6FAC9
EDX=139BC728
ESI=0018ADF8
EDI=1C216610
EBP=120376DC
ESP=0018ADCC
EIP=005152BD

Probable base pointer =139BC728

005152B6 - mov ecx,[edx]
005152B8 - mov [eax],ecx
005152BA - mov ecx,[edx+04]
005152BD - mov [eax+04],ecx
005152C0 - mov ecx,[edx+08]

EAX=009CD4D0
EBX=120376DC
ECX=12713E02
EDX=139BC728
ESI=139BC728
EDI=7505775D
EBP=1C2188FC
ESP=0018B210
EIP=0046B88F

Probable base pointer =120376DC

0046B882 - jmp Moon.CoreGetShell+24929
0046B884 - mov eax,Moon.exe+5CD4D0
0046B889 - mov edx,[ebx+00000724]
0046B88F - push eax
0046B890 - add edx,79

EAX=11C39C70
EBX=120376DC
ECX=11F80590
EDX=00000000
ESI=00000000
EDI=0000004A
EBP=0000004A
ESP=0018C48C
EIP=00526127

Probable base pointer =11F80590

00526121 - mov ecx,[eax]
00526123 - push ebx
00526124 - mov ebx,[ecx+ebp*4]
00526127 - test ebx,ebx
00526129 - je Moon.CoreGetShell+DF264

EAX=00000018
EBX=12000630
ECX=11C39C70
EDX=11F80590
ESI=00000009
EDI=0000001B
EBP=12000684
ESP=0018C410
EIP=0051EFB3

Probable base pointer =11C39C70

0051EFAC - cmp eax,[ecx+04]
0051EFAF - jnl Moon.CoreGetShell+D805F
0051EFB1 - mov edx,[ecx]
0051EFB3 - mov esi,[edx+eax*4]
0051EFB6 - test esi,esi

EAX=0000004C
EBX=00000000
ECX=11C39C70
EDX=12000534
ESI=00000000
EDI=1C2188FC
EBP=0018F0A8
ESP=0018B2D8
EIP=004F6384

Probable base pointer =121C0020

004F6375 - mov eax,[ebp+04]
004F6378 - mov ecx,[Moon.exe+75D424]
004F637E - mov ecx,[ecx+Lua5.dll+24170]
004F6384 - push eax
004F6385 - call Moon.CoreGetShell+76B10

EAX=0018F498
EBX=75835F74
ECX=121C0020
EDX=121C0020
ESI=00000000
EDI=00000000
EBP=009E26C0
ESP=0018EFEC
EIP=0042FC65

Probable base pointer =0075D424

0042FC59 - xor edi,edi
0042FC5B - mov [esp+18],edi
0042FC5F - mov edx,[Moon.exe+75D424]
0042FC65 - mov [esp+14],edi
0042FC69 - mov eax,[edx+Lua5.dll+24168]

总结一下:
[[[[[[Moon.exe+75D424] +Lua5.dll+24170]+0] +ebp*4] +00000724]  +04]    ebp = 0x4A (即十进制 74)

[[[[[[00B5D424] +00264170] +0]+ebp*4] +00000724]  +04]     ebp = 0x4A (即十进制 74)


使用内存遍历工具,遍历数据,可以找到若干值
一款游戏的背包数据非常规查找处理方法_第2张图片


注意:这款游戏的背包数组有点儿奇怪,下标是不固定的,跟物品在背包中的位置没有任何关系,读取起来比较麻烦
最后总结一下找到的数据:
背包物品数组下标 [[[[[00B5D424] +00264170]+0 ] +eax*4] +10]
背包物品最大数量、耐久最大值 [[[[[00B5D424] +00264170]+0 ] +eax*4] +24]
背包物品当前数量、耐久当前值 [[[[[00B5D424] +00264170]+0 ] +eax*4] +30]
背包物品名称 [[[[[00B5D424] +00264170]+0 ] +eax*4] +6CC]   或者
                     [[[[[[00B5D424] +00264170] +0]+ebp*4] +00000724]  +04]

用易语言写出来
一款游戏的背包数据非常规查找处理方法_第3张图片

运行效果:
一款游戏的背包数据非常规查找处理方法_第4张图片
这里的背包数据包含了人物背包、储物箱、人物装备、仆人装备的全部信息
