本节课中,我们要分析的是选怪功能
要实现选怪,肯定是往某个变量中写入一个值
如下:
选怪变量= XXX
首先打开ce,通过选中不同的怪物来确定地址,最后得到下面的6个地址
00182d98
00182db8
00182dc4
00187bc4
00187c10
2e21e4a8
得到这6个地址后,通过CE的“是什么访问了这个地址”功能,可以得到如下的数据:
001F7292 - 89 55 B8 - mov [ebp-48],edx
004A66B6 - 56 - push esi
004A6AD8 - 5E - pop esi
001F72B6 - 89 55 D8 - mov [ebp-28],edx
0094F188 - 66 0F7F 01 - movdqa [ecx],xmm0
009383C8 - 89 44 8F FC - mov [edi+ecx*4-04],eax
0098C333 - 8A 06 - mov al,[esi]
0098C337 - 88 06 - mov [esi],al
0098C3A9 - 8A 07 - mov al,[edi]
0098C3B0 - 88 07 - mov [edi],al
004E2C0F - 8B 87 B8140000 - mov eax,[edi+000014B8]
004E3D36 - 8B 87 B8140000 - mov eax,[edi+000014B8]
004E43F9 - 8B 8F B8140000 - mov ecx,[edi+000014B8]
004E4566 - 8B 87 B8140000 - mov eax,[edi+000014B8]//最有可能的地址
004E4665 - 89 81 B8140000 - mov [ecx+000014B8],eax
004E3D2A - E9 F84E0000 - jmp Client.exe+E8C27
004E3D2F - 83 3D C802F500 00 - cmp dword ptr [Client.exe+B502C8],00
004E3D36 - 8B 87 B8140000 - mov eax,[edi+000014B8] <<
004E3D3C - 89 85 D4AAFFFF - mov [ebp-0000552C],eax
004E3D42 - 0F85 84490000 - jne Client.exe+E86CC
004E465C - 8B 46 0C - mov eax,[esi+0C]
004E465F - 8B 0D 3C561E03 - mov ecx,[Client.exe+2DE563C]
004E4665 - 89 81 B8140000 - mov [ecx+000014B8],eax << //写入数据 很有可能的地方
004E466B - EB 2C - jmp Client.exe+E4699
004E466D - 83 BF D4140000 01 - cmp dword ptr [edi+000014D4],01
打开OD,转到这个地址,得到代码:
004E4654 50 PUSH EAX
004E4655 6A 05 PUSH 0x5
004E4657 E8 04DDF9FF CALL Client.00482360
004E465C 8B46 0C MOV EAX,DWORD PTR DS:[ESI+0xC]
004E465F 8B0D 3C561E03 MOV ECX,DWORD PTR DS:[0x31E563C] //基址
004E4665 8981 B8140000 MOV DWORD PTR DS:[ECX+0x14B8],EAX
004E466B EB 2C JMP SHORT Client.004E4699
004E466D 83BF D4140000 0>CMP DWORD PTR DS:[EDI+0x14D4],0x1
004E4674 C785 FCAAFFFF F>MOV DWORD PTR SS:[EBP+0xFFFFAAFC],0xFFFF
004E467E 74 06 JE SHORT Client.004E4686
004E4680 8997 D4140000 MOV DWORD PTR DS:[EDI+0x14D4],EDX
004E4686 8B15 C088F500 MOV EDX,DWORD PTR DS:[0xF588C0]
利用dd [0x31e563c]//玩家对象的地址
+18 玩家名字5
+0x14b8 在没有选中怪物的时候为 0000FFFF
在选中怪物的时候为126A ,126E等数据 为上节课我们分析的怪物的ID
退出OD,打开CE,在CE中分析玩家选中时的状态
得到地址2EF6F8F4
然后找到访问了这个地址的代码
得到偏移2D0C //玩家的选中状态
然后在OD中分析上面的eax的来源
通过在004E465C 8B46 0C MOV EAX,DWORD PTR DS:[ESI+0xC] 下断点
可以得到以下的数据
2F175F48 009F5AB0 Client.009F5AB0
2F175F4C 00000000
2F175F50 0000002E //怪物标记2E 人物 31 技能56等
2F175F54 0000126A //这个就应该是怪物的ID了
2F175F58 00000002
2F175F5C 000028E0
2F175F60 00000000
2F175F64 00000000
2F175F68 2ED8DF10
2F175F6C 00000000
2F175F70 00000000
2F175F74 00000000
2F175F78 00000000
2F175F7C 00000000
2F175F80 00000000
2F175F84 00000000
2F175F88 00000000
dc [45fb98c + 4*0]+320 //名字
007F13EC 890C85 88B95F04 MOV DWORD PTR DS:[EAX*4+0x45FB988],ECX
dc [45fb988 + 4*7]+320
+314 是否选中血条
+5B4 血量
+5b8 怪物等级
+1018 X
+1020 Y
+1024 X
+102c Y
在OD中分析自己的血条显示:
打开OD dd [0x31e563c]+2d0c
修改该值可以改变选中状态,说明就是这个值
然后下个内存写入断点
004E8436 51 PUSH ECX
004E8437 6A 01 PUSH 0x1
004E8439 E8 52C21E00 CALL Client.006D4690
004E843E 8B95 00ABFFFF MOV EDX,DWORD PTR SS:[EBP+0xFFFFAB00]
004E8444 83C4 0C ADD ESP,0xC
004E8447 8997 0C2D0000 MOV DWORD PTR DS:[EDI+0x2D0C],EDX ; 选中自己
004E844D B8 01000000 MOV EAX,0x1
004E8452 E9 D0070000 JMP Client.004E8C27
004E8457 6A 05 PUSH 0x5
004E8459 DDD8 FSTP ST(0)
004E845B E8 701D3000 CALL Client.007EA1D0
004E8460 A3 E802F500 MOV DWORD PTR DS:[0xF502E8],EAX
004E8465 83C4 04 ADD ESP,0x4
004E8468 B8 01000000 MOV EAX,0x1
004E846D E9 B5070000 JMP Client.004E8C27
004E8472 8B97 A41F0000 MOV EDX,DWORD PTR DS:[EDI+0x1FA4]
004E8381 /74 04 JE SHORT Client.004E8387
004E8383 |6A 00 PUSH 0x0
004E8385 |EB 02 JMP SHORT Client.004E8389
004E8387 \6A 01 PUSH 0x1
004E8389 E8 12D81000 CALL Client.005F5BA0
004E838E 8B87 B8140000 MOV EAX,DWORD PTR DS:[EDI+0x14B8]
004E8394 3D FFFF0000 CMP EAX,0xFFFF
004E8399 74 1B JE SHORT Client.004E83B6
004E839B 8B0C85 40561E03 MOV ECX,DWORD PTR DS:[EAX*4+0x31E5640]
004E83A2 85C9 TEST ECX,ECX
004E83A4 74 10 JE SHORT Client.004E83B6
004E83A6 8B11 MOV EDX,DWORD PTR DS:[ECX]
004E83A8 8B42 04 MOV EAX,DWORD PTR DS:[EDX+0x4]
004E83AB 6A 00 PUSH 0x0
004E83AD 6A 00 PUSH 0x0
004E83AF 68 50040000 PUSH 0x450
004E83B4 FFD0 CALL EAX ; 取消选中
004E83B6 8B4E 0C MOV ECX,DWORD PTR DS:[ESI+0xC]
004E83B9 6A 00 PUSH 0x0
004E83BB 898F B8140000 MOV DWORD PTR DS:[EDI+0x14B8],ECX
004E83C1 8B16 MOV EDX,DWORD PTR DS:[ESI]
004E83C3 8B42 04 MOV EAX,DWORD PTR DS:[EDX+0x4]
004E83C6 6A 01 PUSH 0x1
004E83C8 68 50040000 PUSH 0x450 ; 选中自己
004E83CD 8BCE MOV ECX,ESI
004E83CF FFD0 CALL EAX
004E83D1 B8 01000000 MOV EAX,0x1
004E83D6 E9 4C080000 JMP Client.004E8C27
004E83DB 8B87 7C200000 MOV EAX,DWORD PTR DS:[EDI+0x207C]
004E83E1 DDD8 FSTP ST(0)
004E83E3 E9 3F080000 JMP Client.004E8C27
004E83E8 DDD8 FSTP ST(0)
004E83EA 3997 0C2D0000 CMP DWORD PTR DS:[EDI+0x2D0C],EDX
004E83F0 75 55 JNZ SHORT Client.004E8447
004E83F2 8B87 041D0000 MOV EAX,DWORD PTR DS:[EDI+0x1D04]
004E83F8 3B05 30561E03 CMP EAX,DWORD PTR DS:[0x31E5630]
004E83FE 0F84 C8020000 JE Client.004E86CC
004E8404 83F8 FF CMP EAX,-0x1
004E8407 74 3E JE SHORT Client.004E8447
004E8409 80BF 081D0000 0>CMP BYTE PTR DS:[EDI+0x1D08],0x0
004E8410 74 35 JE SHORT Client.004E8447
004E8412 83FE 02 CMP ESI,0x2
004E8415 75 30 JNZ SHORT Client.004E8447
004E8417 833D C802F500 0>CMP DWORD PTR DS:[0xF502C8],0x0
004E841E 0F85 A8020000 JNZ Client.004E86CC
004E8424 C705 C802F500 0>MOV DWORD PTR DS:[0xF502C8],0x1
004E842E 8B8F 041D0000 MOV ECX,DWORD PTR DS:[EDI+0x1D04]
004E8434 6A 00 PUSH 0x0
004E8436 51 PUSH ECX
004E8437 6A 01 PUSH 0x1
004E8439 E8 52C21E00 CALL Client.006D4690
004E843E 8B95 00ABFFFF MOV EDX,DWORD PTR SS:[EBP+0xFFFFAB00]
004E8444 83C4 0C ADD ESP,0xC
004E8447 8997 0C2D0000 MOV DWORD PTR DS:[EDI+0x2D0C],EDX ; 选中自己
004E844D B8 01000000 MOV EAX,0x1
004E8452 E9 D0070000 JMP Client.004E8C27
004E8457 6A 05 PUSH 0x5
004E8459 DDD8 FSTP ST(0)
004E845B E8 701D3000 CALL Client.007EA1D0
004E8460 A3 E802F500 MOV DWORD PTR DS:[0xF502E8],EAX
004E8465 83C4 04 ADD ESP,0x4
004E8468 B8 01000000 MOV EAX,0x1
004E846D E9 B5070000 JMP Client.004E8C27
004E8472 8B97 A41F0000 MOV EDX,DWORD PTR DS:[EDI+0x1FA4]
004E8478 DDD8 FSTP ST(0)
004E847A 8B87 082D0000 MOV EAX,DWORD PTR DS:[EDI+0x2D08]
004E8480 8D8D 64AAFFFF LEA ECX,DWORD PTR SS:[EBP+0xFFFFAA64]
004E8486 8995 64AAFFFF MOV DWORD PTR SS:[EBP+0xFFFFAA64],EDX
004E848C 8B95 00ABFFFF MOV EDX,DWORD PTR SS:[EBP+0xFFFFAB00]
004E8492 51 PUSH ECX
004E8493 05 50020000 ADD EAX,0x250
004E8498 52 PUSH EDX
004E8499 8BCF MOV ECX,EDI
004E849B C785 6CAAFFFF 0>MOV DWORD PTR SS:[EBP+0xFFFFAA6C],0x1
004E84A5 C785 7CAAFFFF F>MOV DWORD PTR SS:[EBP+0xFFFFAA7C],-0x1
取消选中的汇编代码
; Deselect the current target.
; Hand-assembled from the client's own deselect path shown above (004E838E-004E83B4).
; Intel syntax, 32-bit; every address/offset below is specific to this Client.exe build
; and was taken from the CE/OD traces earlier in this page.
; NOTE(review): the client's own path guards this call with CMP EAX,0xFFFF / JE and
; TEST ECX,ECX / JE (004E8394-004E83A4); this snippet has no such guard — confirm
; it is only run while a target is actually selected.
mov edi,[0x31e563c]                      ; edi = player object pointer (base seen at 004E465F)
MOV EAX,DWORD PTR DS:[EDI+0x14B8]        ; eax = selected target ID (0xFFFF means none, per the notes above)
MOV ECX,DWORD PTR DS:[EAX*4+0x31E5640]   ; ecx = object looked up by ID from the table at 0x31E5640
MOV EDX,DWORD PTR DS:[ECX]               ; edx = first dword of the object (presumably its vtable)
MOV EAX,DWORD PTR DS:[EDX+0x4]           ; eax = second slot of that table — the routine the client calls
PUSH 0x0
PUSH 0x0
PUSH 0x450                               ; same three arguments as the client's deselect path; ecx still = object
CALL EAX
取消选怪和选怪
; Deselect the current target, then select a new one.
; First half mirrors the client's deselect path (004E838E-004E83B4); second half
; mirrors its select path (004E83B6-004E83CF). Intel syntax, 32-bit; all addresses
; and offsets are specific to this Client.exe build and come from the traces above.
; NOTE(review): as in the client's code, the deselect call is only reached there when
; [EDI+0x14B8] != 0xFFFF and the table lookup is non-NULL; no such checks here — confirm.
mov edi,[0x31e563c]                      ; edi = player object pointer (base seen at 004E465F)
MOV EAX,DWORD PTR DS:[EDI+0x14B8]        ; eax = currently selected target ID
MOV ECX,DWORD PTR DS:[EAX*4+0x31E5640]   ; ecx = object looked up by ID
MOV EDX,DWORD PTR DS:[ECX]               ; edx = first dword of the object (presumably its vtable)
MOV EAX,DWORD PTR DS:[EDX+0x4]           ; eax = second slot — the routine the client calls
PUSH 0x0
PUSH 0x0
PUSH 0x450                               ; deselect arguments, as in the client's path
CALL EAX                                 ; after this, eax holds the routine's return value; edi is callee-saved
mov ecx,0x1274                           ; hard-coded target ID (IDs such as 126A/126E were observed above)
MOV DWORD PTR DS:[EDI+0x14B8],ECX        ; store the new ID into the selection slot (same store as 004E83BB)
MOV ECX,DWORD PTR DS:[EAX*4+0x31E5640]   ; NOTE(review): eax here is the return value of the CALL above, not
                                         ; the new ID; the client's select path instead uses ESI (the object
                                         ; pointer, 004E83C1-004E83CD) — confirm this index is intended
MOV EDX,DWORD PTR DS:[ECX]
MOV EAX,DWORD PTR DS:[EDX+0x4]
PUSH 0x0
PUSH 0x1                                 ; select arguments (client pushes 0, 1, 0x450 at 004E83B9-004E83C8)
PUSH 0x450
CALL EAX
剩下的数据封装就留到下节课来完成