游戏有一些检测,调试很麻烦...贴一些代码,大牛就不用看了。
;-----------------------------------------------------------------------
; sub_00780A30 — elapsed-tick update (OllyDbg listing, x86-32, Intel syntax)
; In:    edi = caller-supplied record; it is read but never set here, so
;        this is not a standard calling convention. Fields touched:
;          +0x0  = last result (written)
;          +0x4  = running maximum (read/written)
;          +0x8  = baseline subtracted from the elapsed ticks (read)
;          +0x10 = accumulator (read-modify-write)
; Reads: [0x8997AC] = previously stored tick value (never rewritten here)
;        [0x8997BC] bit0 = one-time init flag
; Calls: GetTickCount via [0x7CEB00]; Game.0060A3D0 once (guarded by the flag)
; Out:   eax = (current tick - stored tick) - baseline, with a "-1" correction
;        on the two under-flow branches; record fields updated as above
; Clobb: eax, flags; ebx/esi are pushed and restored
; Note:  the page labels this the "check" address. The routine only measures
;        elapsed ticks; how the caller interprets that value is not shown here.
;-----------------------------------------------------------------------
00780A30 /$ 53 push ebx ; Ret,FuckCheckAddr
00780A31 |. BB 01000000 mov ebx,0x1 ; ebx = 1: bit mask for the init flag and the "-1" used below
00780A36 |. 56 push esi
00780A37 |. 841D BC978900 test byte ptr ds:[0x8997BC],bl ; init flag (bit0) already set?
00780A3D |. 75 0B jnz short Game.00780A4A ; yes: skip the one-time init
00780A3F |. 091D BC978900 or dword ptr ds:[0x8997BC],ebx ; set the flag first, then run init
00780A45 |. E8 8699E8FF call Game.0060A3D0 ; one-time init (body not shown on this page)
00780A4A |> 8B35 AC978900 mov esi,dword ptr ds:[0x8997AC] ; Game.00B36BE2 ; esi = stored tick
00780A50 |. FF15 00EB7C00 call dword ptr ds:[0x7CEB00] ; [GetTickCount ; eax = current tick
00780A56 |. 3BF0 cmp esi,eax ; stored <= current ? (unsigned compare, jbe)
00780A58 |. 76 06 jbe short Game.00780A60 ; normal case: plain subtraction
00780A5A |. 2BC6 sub eax,esi ; stored > current (tick wrap?): delta ...
00780A5C |. 2BC3 sub eax,ebx ; ... minus one extra
00780A5E |. EB 02 jmp short Game.00780A62
00780A60 |> 2BC6 sub eax,esi ; eax = current - stored
00780A62 |> 8BF0 mov esi,eax ; esi = elapsed ticks
00780A64 |. 841D BC978900 test byte ptr ds:[0x8997BC],bl ; init guard repeated; the flag was set above, so this normally falls through
00780A6A |. 75 0B jnz short Game.00780A77
00780A6C |. 091D BC978900 or dword ptr ds:[0x8997BC],ebx
00780A72 |. E8 5999E8FF call Game.0060A3D0
00780A77 |> 8B47 08 mov eax,dword ptr ds:[edi+0x8] ; eax = baseline from the caller's record
00780A7A |. 3BC6 cmp eax,esi ; baseline <= elapsed ? (unsigned)
00780A7C |. 76 06 jbe short Game.00780A84
00780A7E |. 2BF0 sub esi,eax ; baseline > elapsed: elapsed - baseline ...
00780A80 |. 2BF3 sub esi,ebx ; ... minus one extra (mirrors the wrap branch above)
00780A82 |. EB 02 jmp short Game.00780A86
00780A84 |> 2BF0 sub esi,eax ; esi = elapsed - baseline
00780A86 |> 8BC6 mov eax,esi ; eax = result
00780A88 |. 3B47 04 cmp eax,dword ptr ds:[edi+0x4] ; compare against the running maximum
00780A8B |. 5E pop esi ; pops do not touch flags, the compare survives
00780A8C |. 5B pop ebx
00780A8D |. 7E 03 jle short Game.00780A92 ; SIGNED test on a delta computed unsigned: a value >= 0x80000000 never becomes the maximum
00780A8F |. 8947 04 mov dword ptr ds:[edi+0x4],eax ; new maximum
00780A92 |> 0147 10 add dword ptr ds:[edi+0x10],eax ; accumulate
00780A95 |. 8907 mov dword ptr ds:[edi],eax ; store last result
00780A97 \. C3 retn
此call 和谐后,调试会安静很多...
客户端有很多信息搜集的地方,尤其是进入游戏,还有进入游戏后,会还有1个系统遍历信息和客户端数量等上传,和他的封号都有关...
此CALL 负责组包,内部关键CALL 都有VM,往上追踪都可以各CALL的调用。。
;-----------------------------------------------------------------------
; sub_0061E6E0 — the page's "packet-assembly" entry (OllyDbg listing, x86-32)
; ABI:   ecx = object pointer (copied to edi), two dword stack args
;        (retn 0x8). Only arg.1 ([ebp+8]) is read in this listing; arg.2 is
;        never referenced here.
; Guard: before doing any work the function checks its own return address
;        (< 0x2CEC259) and esp (<= 0x566C2D, unsigned). On failure it jumps to
;        itself at 0061E6FA and spins forever instead of returning — a
;        tamper/integrity style check; what the two bounds correspond to is
;        not visible on this page.
; Flow:  exits early when this+0x344 is null, when two virtual calls on arg.1
;        (vtable slot +0x14) return certain byte values combined with
;        [this+0x344]+0x30, or when the index pair at [this+0x344]+0x10/+0x14
;        is (0,0) or the index is -1; otherwise stores the pair into arg.1
;        and calls Game.0075AB90 with three stack args.
; Clobb: eax, ecx, edx, flags; esi/edi/ebp are pushed and restored
;-----------------------------------------------------------------------
0061E6E0 /$ 55 push ebp ; packet-assembly CALL
0061E6E1 |. 8BEC mov ebp,esp
0061E6E3 |. 56 push esi
0061E6E4 |. 57 push edi
0061E6E5 |. 8BF9 mov edi,ecx ; edi = object pointer
0061E6E7 |. 8B45 04 mov eax,dword ptr ss:[ebp+0x4] ; eax = this call's return address
0061E6EA |. 3D 59C2CE02 cmp eax,0x2CEC259 ; caller must lie below 0x2CEC259 ...
0061E6EF |. 73 09 jnb short Game.0061E6FA ; ... otherwise hang
0061E6F1 |. 8BC4 mov eax,esp
0061E6F3 |. 3D 2D6C5600 cmp eax,Game.00566C2D ; esp must be <= 0x566C2D (unsigned) ...
0061E6F8 |. 76 02 jbe short Game.0061E6FC ; ... otherwise fall into the hang
0061E6FA |>- EB FE jmp short Game.0061E6FA ; jmp $: deliberate infinite loop on a failed check
0061E6FC |> 83BF 44030000 00 cmp dword ptr ds:[edi+0x344],0x0 ; nothing attached at +0x344 → exit
0061E703 |. 74 63 je short Game.0061E768
0061E705 |. 8B75 08 mov esi,[arg.1] ; esi = arg.1, an object with a vtable
0061E708 |. 8B06 mov eax,dword ptr ds:[esi] ; eax = vtable
0061E70A |. 8B50 14 mov edx,dword ptr ds:[eax+0x14] ; edx = vtable slot at +0x14
0061E70D |. 8BCE mov ecx,esi ; ecx = arg.1 (thiscall)
0061E70F |. FFD2 call edx ; first virtual call
0061E711 |. 3C 0C cmp al,0xC ; result byte == 0xC ?
0061E713 |. 75 0C jnz short Game.0061E721
0061E715 |. 8B87 44030000 mov eax,dword ptr ds:[edi+0x344]
0061E71B |. 8378 30 00 cmp dword ptr ds:[eax+0x30],0x0 ; result 0xC and [+0x344]->+0x30 == 0 → exit
0061E71F |. 74 47 je short Game.0061E768
0061E721 |> 8B16 mov edx,dword ptr ds:[esi] ; same virtual call a second time
0061E723 |. 8B42 14 mov eax,dword ptr ds:[edx+0x14]
0061E726 |. 8BCE mov ecx,esi
0061E728 |. FFD0 call eax
0061E72A |. 3C 0C cmp al,0xC
0061E72C |. 74 0C je short Game.0061E73A ; result 0xC → skip the second exit test
0061E72E |. 8B8F 44030000 mov ecx,dword ptr ds:[edi+0x344]
0061E734 |. 8379 30 01 cmp dword ptr ds:[ecx+0x30],0x1 ; result != 0xC and [+0x344]->+0x30 == 1 → exit
0061E738 |. 74 2E je short Game.0061E768
0061E73A |> 8B87 44030000 mov eax,dword ptr ds:[edi+0x344] ; +344], edi = IdxSendBase]
0061E740 |. 8B48 10 mov ecx,dword ptr ds:[eax+0x10] ; fetch index
0061E743 |. 8B50 14 mov edx,dword ptr ds:[eax+0x14] ; edx = second value of the pair
0061E746 |. 85C9 test ecx,ecx
0061E748 |. 75 04 jnz short Game.0061E74E
0061E74A |. 85D2 test edx,edx ; index 0 and second value 0 → exit
0061E74C |. 74 1A je short Game.0061E768
0061E74E |> 83F9 FF cmp ecx,-0x1 ; index -1 → exit
0061E751 |. 74 15 je short Game.0061E768
0061E753 |. 52 push edx ; arg3 = edx
0061E754 |. 51 push ecx ; arg2 = index
0061E755 |. 8BF9 mov edi,ecx ; NB: edi (object pointer) is overwritten here; it is not used again before the pop
0061E757 |. 8BC2 mov eax,edx
0061E759 |. 56 push esi ; arg1 = arg.1 object
0061E75A |. 897E 04 mov dword ptr ds:[esi+0x4],edi ; arg.1->+0x4 = index
0061E75D |. 8946 08 mov dword ptr ds:[esi+0x8],eax ; arg.1->+0x8 = second value
0061E760 |. E8 2BC41300 call Game.0075AB90 ; internally VM-protected; three stack args
0061E765 |. 83C4 0C add esp,0xC ; caller cleans up (cdecl-style)
0061E768 |> 5F pop edi
0061E769 |. 5E pop esi
0061E76A |. 5D pop ebp
0061E76B \. C2 0800 retn 0x8 ; pops the two dword args
//加密CALL,此CALL 被VM, hook可以得到组包完成后的明文数据...
00758A30 .- E9 AE96CB00 jmp Game.014120E3 ; 加密call,,EncBufCall
00758A35 . 66:D3DF rcr di,cl
00758A38 . 81EC 90000000 sub esp,0x90
00758A3E . E8 BCDDAE00 call Game.012467FF
00758A43 > 886C24 04 mov byte ptr ss:[esp+0x4],ch
00758A47 . E8 6A44AD00 call Game.0122CEB6
00758A4C > 9C pushfd
00758A4D . 8F4424 2C pop dword ptr ss:[esp+0x2C]
00758A51 . E8 2D36AD00 call Game.0122C083
00758A56 . E8 0DA7AE00 call Game.01243168
00758A5B > 897424 1C mov dword ptr ss:[esp+0x1C],esi
00758A5F . 66:87EE xchg si,bp
00758A62 . 60 pushad
00758A63 .- E9 9F3CAF00 jmp Game.0124C707
00758A68 > 60 pushad
00758A69 . 50 push eax
00758A6A . 66:890424 mov word ptr ss:[esp],ax
00758A6E . 8955 00 mov dword ptr ss:[ebp],edx
00758A71 .- E9 B5C2AE00 jmp Game.01244D2B
00758A76 > 60 pushad
00758A77 . C70424 1428CBF1 mov dword ptr ss:[esp],0xF1CB2814
00758A7E . 880C24 mov byte ptr ss:[esp],cl
00758A81 . 8945 08 mov dword ptr ss:[ebp+0x8],eax
00758A84 . 880424 mov byte ptr ss:[esp],al
00758A87 . 9C pushfd
00758A88 . 8F4424 1C pop dword ptr ss:[esp+0x1C]
00758A8C . E8 A3AFAE00 call Game.01243A34
00758A91 .- E9 5C24AD00 jmp Game.0122AEF2
00758A96 . E8 C863AD00 call Game.0122EE63
00758A9B . 9C pushfd
00758A9C . F3: prefix rep:
00758A9D . 9C pushfd
00758A9E . 8F0424 pop dword ptr ss:[esp]
00758AA1 . 9C pushfd
00758AA2 . E8 C0D8AE00 call Game.01246367
00758AA7 .^ E9 CAFFFFFF jmp Game.00758A76
00758AAC . 9C pushfd
00758AAD . 68 D582FE4E push 0x4EFE82D5
00758AB2 . FF7424 30 push dword ptr ss:[esp+0x30]
00758AB6 . 8F45 00 pop dword ptr ss:[ebp]
00758AB9 . C64424 0C E3 mov byte ptr ss:[esp+0xC],0xE3
00758ABE . 9C pushfd
00758ABF . 50 push eax
00758AC0 . 8D6424 3C lea esp,dword ptr ss:[esp+0x3C]
00758AC4 .^ E9 D298EDFF jmp Game.0063239B
00758AC9 . F8 clc
00758ACA . 28C3 sub bl,al
00758ACC .- E9 3C84AD00 jmp Game.01230F0D
00758AD1 66 db 66 ; CHAR 'f'
00758AD2 98 db 98
00758AD3 56 db 56 ; CHAR 'V'
00758AD4 68 db 68 ; CHAR 'h'
00758AD5 96 db 96
00758AD6 AE db AE
00758AD7 9B db 9B
00758AD8 E9 db E9
00758AD9 9C db 9C
00758ADA F5 db F5
00758ADB 98 db 98
00758ADC > 80F9 40 cmp cl,0x40
00758ADF . 83EE 01 sub esi,0x1
00758AE2 . 54 push esp
00758AE3 . 83ED 04 sub ebp,0x4
00758AE6 . 68 F094869B push 0x9B8694F0
00758AEB . E8 9279EDFF call Game.00630482
调用
SendIndex:= GetSendIndex;
if SendIndex = 0 then Exit;
asm
pushad
mov edx,$01122F30
mov edi,SendIndex
mov eax,dword ptr ds:[edx+$8914]
mov esi,dword ptr ds:[eax+edi*4]
mov dwbase,esi
push len
push buf
mov ecx,dwbase
call EncBufCall
popad
end;
加密后的buf,就可以调用游戏的套接字直接丢给服务端了,目前服务端的对数据的安全性等校验几乎为零,主要手段还是依靠信息搜集,然后IP(包括注册IP连带)有一些人工干预。