Contents
热血江湖 2.0 base addresses
Protection bypass
007422DB | B8 00000000 | mov eax,0x0 |
007422E0 | 50 | push eax |
007422E1 | FF15 24837B00 | call dword ptr ds:[<&CloseHandle>] |
Title centering
------------------------------
00451E42 - 39 BE 480F0000 - cmp [esi+00000F48],edi  ; plugin
004531B0 - 8B BF 480F0000 - mov edi,[edi+00000F48]  ; plugin 2
00408588 - 89 96 480F0000 - mov [esi+00000F48],edx  ; enable
Disable VIP rainbow title
---------------------------
VIP rainbow title on/off=[Client.exe+1ED4D50]+F4A (byte) 0 on, 1 off
VIP title height=[0x007B8778]
Overall height (above 35 affects the maximum view distance)=[0x007B8728]
Name and title height=[0x007B8AE0]
VIP title left/right shift=[0x007B8C38]
Marriage title left/right shift=[0x007B86F8]
Other positions (scratch)
[0x007B8C5C]
[0x007B8C58]
[0x007B8C60]
Character info
----------------------------------------------------------------------------------------
Currently selected character name=client.exe+5048420
First character name=client.exe+504C440
Second character name=client.exe+504C488
Third character name=client.exe+504C4D0
Fourth character name=client.exe+504C518
Character ID=[00E43EC8]
Character database ID=[22D0BE8]
Character level, stored as (level+10)*10=client.exe+50484B4
Current HP=client.exe+50484A0
Max HP=client.exe+50484AC
Current MP=client.exe+50484A4
Max MP=client.exe+50484B0
Attack=client.exe+50484E8
Defense=client.exe+50484EC
Martial merit=client.exe+50484E0
Joined sect name=client.exe+5048434
Coordinate X=[Client.exe+1ED4D50]+1118
Coordinate Y=[Client.exe+1ED4D50]+1120
Model coordinate X=[[Client.exe+1ED4D50]+19E4]+23C
Model coordinate Y=[[Client.exe+1ED4D50]+19E4]+244
Click coordinate X=Client.exe+1EDA3C8
Click coordinate Y=client.exe+1EDA3D0
Map name base=[Client.exe+1ED1EF8]+204
Chat base=[Client.exe+1ED0D54]+13C
Is walking=[Client.exe+1ED3238]+845
---------------------------------------------------------------------------------------
Attack lock
Attack check=[Client.exe+1ED4D50]+f98 == ID of the monster being attacked, or 65535 (not attacking)
Movement position control locks
Coordinate lock 1=[Client.exe+1ED4D50]+f9c ==1
Coordinate lock 2=[Client.exe+1ED4D50]+FA0 ==1
Coordinate lock 3=[Client.exe+1ED4D50]+FA4 ==0
Coordinate icon=[Client.exe+1ED334C]+194
---------------------------------------------------------------------------------------
Character model
Model lock (set all 3 model locks to 1 for teleport)=[Client.exe+A43ED0]+199
Model lock 2=[Client.exe+1ED4D50]+19B8
Model lock 3=[Client.exe+1ED4D50]+19B
Quick item bar (hotbar)
--------------------------------------------------------------------------------------
Hotbar slot 1 name=[[client.exe+504B27C]0*4+33C]+58
Hotbar slot 1 count=[[client.exe+504B27C]0*4+33C]+204
Hotbar slot 1 cooldown=[[client.exe+504B27C]0*4+33C]+228
Hotbar slot 1 item identifier=[[client.exe+504B27C]0*4+33C]+4C
Hotbar slot 2 name=[[client.exe+504B27C]1*4+340]+58
Hotbar slot 2 count=[[client.exe+504B27C]1*4+340]+204
Hotbar slot 2 cooldown=[[client.exe+504B27C]1*4+340]+228
Hotbar slot 2 item identifier=[[client.exe+504B27C]1*4+33C]+4C
Each further hotbar slot adds 4 to the first-level offset
-------------------------------------------------------------------------------------
Status bar
-------------------------------------------------------------------------------------------
Status bar 1 name=[0544B278]0*4+33C]+58
Status bar 1 cooldown=[0544B278]0*4+33C]+228
Status bar 1 item identifier=[0544B278]0*4+33C]+4C
--------------------------------------------------------------------------------------
Inventory (bag)
-------------------------------------------------------------------------------------
Pick-up item switch=[Client.exe+1ED0D5C]+20C
Pick-up item switch 2=[Client.exe+1EDD630]+20C
Item attribute pointer=[item ID*4+022D0D50]
Bag slot 1 item stone attribute=[[client.exe+1ED14B0]+33C]+528
Bag slot 1 item stone attribute type=[[client.exe+1ED14B0]+33C]+530
Bag slot 1 probable equipment attribute, first line=[[client.exe+1ED14B0]+33C]+4A4
Bag slot 1 item type=[[client.exe+1ED14B0]+33C]+8
Bag slot 1 item ID=[[client.exe+1ED14B0]+33C]+c
Bag slot 1 name=[[client.exe+1ED14B0]+33C]+58
Bag slot 1 count=[[client.exe+1ED14B0]+33C]+49C
Bag slot 1 item info=[[client.exe+1ED14B0]+33C]+ED
Bag slot 1 weapon reputation=[[client.exe+1ED14B0]+33C]+AE
Bag slot 1 weapon attribute min=[[client.exe+1ED14B0]+33C]+4BC
Bag slot 1 weapon attribute max=[[client.exe+1ED14B0]+33C]+4B8
Bag slot 1 item identifier=[22D14B0]0*4+33C]+4C
Bag slot 2 name=[[client.exe+1ED14B0]+340]+58
Bag slot 2 count=[[client.exe+1ED14B0]+340]+49C
Bag slot 2 item info=[[client.exe+1ED14B0]+340]+ED
Each further bag slot adds 4 to the first-level offset
Attribute stone attribute=[22D14B0]+bag slot*4+33C]+528
--------------------------------
Attribute raw stone 800000027
Attribute stone 800000028
Attribute stone attribute code: 2001000
Fire 1000
Water 2000
Wind 3000
Internal skill 4000
External skill 5000
Poison 6000
-------------------------------
Item pickup
Mouse-over base=[00DD4310]
Pickup item pointer=[98b*4+022D0D50]
Pickup item type (0x32 = item on the ground)=[90D*4+022D0D50]+8
Pickup item name=[90D*4+022D0D50]+90
Pickup item ground ID=[90D*4+022D0D50]+6C
Pickup item ID=[90D*4+022D0D50]+C
Pickup item database ID=[90D*4+022D0D50]+78
Pickup item distance=[90D*4+022D0D50]+64
------------------------------------------------------------------------------------
Party info
Party window=[22D1898]+40
Leader database ID=[Client.exe+1ED1898]+25C
Leader name=[Client.exe+1ED1898]+260
Party slot 1 name=[0*4+0544B360]+20c
Party slot 1 database ID=[0*4+0544B360]+208
Party slot 2 name=[1*4+0544B360]+20c
Party slot 2 database ID=[1*4+0544B360]+208
NPC and monster info
------------------------------------------------------------------------------------
Mouse-clicked monster ID=[client.exe+1ED4D50]+FC4
Monster attribute pointer=[monster ID*4+022D0D50]
Monster ID=[monster ID*4+022D0D50]+C
Monster type (monster 2D)(player 30)(NPC 2D)=[monster ID*4+022D0D50]+8
Monster name=[monster ID*4+022D0D50]+2cC
Monster level=[monster ID*4+022D0D50]+338
Monster's target ID=[monster ID*4+022D0D50]+320
Monster current HP=[monster ID*4+022D0D50]+334
Monster max HP=[monster ID*4+022D0D50]+350
Distance from monster to player=[monster ID*4+022D0D50]+2C8
Monster coordinate X=[monster ID*4+022D0D50]+580
Monster coordinate Y=[monster ID*4+022D0D50]+588
Monster respawn time (seconds)=[monster ID*4+022D0D50]+328
Monster alive flag (alive 0)(dead 1)=[monster ID*4+022D0D50]+32C
Monster database ID=[selected monster ID*4+022D0D50]+14
NPCs and monsters share the same type, so the base addresses are identical; only the IDs differ. NPC level is normally 0, which distinguishes NPCs from wild monsters.
------------------------------------------------------------------------------------
Selected player info
------------------------------------------------------------------------------------
Selected player ID=[client.exe+1ED4D50]+FC4
Player ID=[player ID*4+022D0D50]+c
Player name=[player ID*4+022D0D50]+8BC
Player level=[player ID*4+022D0D50]+98
Player sect=[player ID*4+022D0D50]+90C
Player coordinate X=[player ID*4+022D0D50]+F84
Player coordinate Y=[player ID*4+022D0D50]+F8C
Player class=[player ID*4+022D0D50]+1164
------------------------------------------------------------------------------------
Chat base
Chat base=[Client.exe+1ED0D54]+13C
Helper functions etc.
To test: attack through walls=00454366
To test: no faction restriction=00521D19
X coordinate base=022DA3C8
Y coordinate base=022DA3D0
Equipment panel base=5974F681
Quest pack base=5974F68D
Hotbar base=0544B27C
Status bar base=0544B278
NPC shop call
Used together with the open/close shop call
--------------------------------------------------------------------------------------------------------------------------------
Buy/sell window has been opened=[Client.exe+506C800]+5B*4+E4
NPC tab is open=[Client.exe+1ED1F5C]+40
Shop window is open=[Client.exe+1ED1F8C]+40
Open shop position=[Client.exe+1ED1F64]+224
Close shop position=[Client.exe+1ED1FE0]+224
Open shop=Client.exe+1ED1F58
Close shop=Client.exe+1ED1F88
----------------------------------------------------------------------------------------------------------------------------------
Window bases
Death protection window=[Client.exe+1ED2CB8]+208]+40
Window location=005D880A C741 40 01000000 mov dword ptr ds:[ecx+0x40],0x1 (to hide the window, patch these 7 bytes of code)
Gold F revive window=[Client.exe+1ED0FAC]+40
Window location=0056B838 C740 40 01000000 mov dword ptr ds:[eax+0x40],0x1 (to hide the window, patch these 7 bytes of code)
Skills
Skill library traversal ID=[23010A4]+skill slot*4+33C]+4C (4 skills per row)
Hotbar skill library ID=[544B27C]+hotbar slot*4+33C]+4C
Skill library traversal skill name=[544B27C]+hotbar slot*4+33C]+58
Corresponding skill table (how to read it is still unknown)
CA CB CC
CE CF D0
D1 2C01 2D01
2E01 2F01 3001
3101 3201 3301
3401 3501 3601
Corresponds to skills from level 10 to level 97
--------------------------------------------------------------------------------------------------------------------------------------------------------------
=========================================================================================================
Skill optimization
------------------------------------------------------------------------------------------------
Signature bytes
004547BB |. /75 1F |jnz short Client.004547DC
004547BD |> |8B45 CC |mov eax,[local.13]
004547C0 |. |8B8B E4190000 |mov ecx,dword ptr ds:[ebx+0x19E4]
004547C6 |. |03C7 |add eax,edi
004547C8 |. |DB0410 |fild dword ptr ds:[eax+edx]
004547CB |. |D899 E8020000 |fcomp dword ptr ds:[ecx+0x2E8]
004547D1 |. |DFE0 |fstsw ax
004547D3 |. |F6C4 01 |test ah,0x1
004547D6 |0F84 71040000 |je Client.00454C4D //NOP location
004547DC |> \833F 00 |cmp dword ptr ds:[edi],0x0
004547DF |. 0F85 68040000 |jnz Client.00454C4D
004547E5 |. 8B43 0C |mov eax,dword ptr ds:[ebx+0xC]
004547E8 |. 8B93 780F0000 |mov edx,dword ptr ds:[ebx+0xF78]
004547EE |. 8945 B8 |mov [local.18],eax
004547F1 |. 8B46 30 |mov eax,dword ptr ds:[esi+0x30]
------------------------------------------------------------------------------------------------
NOP location
004547D6 0F84 71040000 |je Client.00454C4D  skill optimization (six bytes)
===============================================================
Attack through walls
00454366 | 75 22 | jne client.45438A |
(change 2 bytes: EB 22)
jne to jmp
==================================================================
Unlimited view range
00406367 | 75 0A | jne client.406373 |
(change 2 bytes: EB 0A)
jne to jmp
========================================================================================================
No faction restriction
00521D19 | 74 20 | je client.521D3B |
(change 2 bytes: EB 20)
je to jmp
========================================================================================================
Fixed-position attack NOP
00454281 | 0F84 4D250000 | je client.4567D4 |NOP (6 bytes)
004542BA | 0F84 14250000 | je client.4567D4 |NOP (6 bytes)
Fixed-position ranged attack NOP (similar to fixed-position attack; this one is better, it comes with extended range)
00452ADE | 75 09 | jne client.452AE9 |
=========================================================================================================
Wall clipping
004BE273 | 0F84 DD000000 | je client.4BE356 |(6 bytes)
{15,132,221,0,0,0}
(change 6 bytes: 0F84 DD000000)
je to jmp
004BE273 | E9 DE00000090 | jmp client.4BE356 |
one padding byte 144 (0x90) is needed
{233,222,0,0,0,144}
=========================================================================================================
Call index
======================================================================================================
Use item call
======================================================================================================
Call stack: main thread
Address   Stack     Procedure / arguments   Called from   Frame
0018A48C 005553D6 Client.00559990 Client.005553D1 0018A488
----------------------------------------------------------------------------------------------------
005553A6 E8 25640700 call Client.005CB7D0
005553AB 84C0 test al,al
005553AD 0F85 93000000 jnz Client.00555446
005553B3 803D 54964405 0>cmp byte ptr ds:[0x5449654],0x1
005553BA 0F84 86000000 je Client.00555446
005553C0 8B8F 1C0F0000 mov ecx,dword ptr ds:[edi+0xF1C]
005553C6 8B97 B4120000 mov edx,dword ptr ds:[edi+0x12B4]
005553CC 53 push ebx ; 0 = position of the item being used
005553CD 51 push ecx ; 19235CB8==use item  192344B0==unequip
005553CE 52 push edx ; container: bag, hotbar, etc. 0==bag 4==hotbar
005553CF 8BCF mov ecx,edi
005553D1 E8 BA450000 call Client.00559990
005553D6 83BF 1C0F0000 3>cmp dword ptr ds:[edi+0xF1C],0x35
005553DD 75 20 jnz short Client.005553FF
005553DF 8B849F 3C030000 mov eax,dword ptr ds:[edi+ebx*4+0x33C]
005553E6 85C0 test eax,eax
005553E8 74 15 je short Client.005553FF
----------------------------------------------------------------------------------------------------
push 0  ; position of the item in the bag
push 1  ; 19235CB8==use item  192344B0==unequip
push 0  ; container in use: bag, hotbar, etc. 0==bag 4==hotbar
mov ecx,19235CB8  ; assign the object pointer here
call 00559990  ; use-item call, also used for skills
----------------------
Base for 19235CB8
client.exe+1ED14B0
-----------------------
Example
push 2
push 1
push 4
mov ecx,19235CB8
call 00559990
======================================================================================================
==================================================================================
Pick up item call
-----------------------------------------------------------------------------------------------------------------
00554FE4 |. 8BE5 mov esp,ebp
00554FE6 |. 5D pop ebp
00554FE7 |. C2 0800 retn 0x8
00554FEA |> 8B0D 30D62D02 mov ecx,dword ptr ds:[0x22DD630] ; start
00554FF0 |. 8B849F 3C0300>mov eax,dword ptr ds:[edi+ebx*4+0x33C]
00554FF7 |. 8981 04020000 mov dword ptr ds:[ecx+0x204],eax
00554FFD |. 8B15 30D62D02 mov edx,dword ptr ds:[0x22DD630]
00555003 |. C682 0C020000>mov byte ptr ds:[edx+0x20C],0x1 ; pick up
0055500A |. A1 30D62D02 mov eax,dword ptr ds:[0x22DD630]
0055500F |. 8B88 04020000 mov ecx,dword ptr ds:[eax+0x204]
00555015 |. 39B1 00020000 cmp dword ptr ds:[ecx+0x200],esi
0055501B |. 75 43 jnz short Client.00555060
0055501D |. 8B71 4C mov esi,dword ptr ds:[ecx+0x4C]
00555020 |. BB A0860100 mov ebx,0x186A0
00555025 |. 8BC6 mov eax,esi
00555027 |. 99 cdq
00555028 |. F7FB idiv ebx
-----------------------------------------------------------------------------------------------------------------------------------------
mov edi,[22D14B0]
mov ebx,(bag slot)
mov ecx,dword ptr ds:[0x22DD630]
mov eax,dword ptr ds:[edi+ebx*4+0x33C]
mov dword ptr ds:[ecx+0x204],eax
mov edx,dword ptr ds:[0x22DD630]
mov byte ptr ds:[edx+0x20C],0x1
Move item call
======================================================================================================
0018A48C 00555393 Client.005565C0 Client.0055538E 0018A488
---------------------------------------------------------------------------------------------------------
0055535D 6A 09 push 0x9
0055535F 68 42050000 push 0x542
00555364 8B0D 40D62D02 mov ecx,dword ptr ds:[0x22DD640]
0055536A E8 715E0100 call Client.0056B1E0
0055536F A1 30D62D02 mov eax,dword ptr ds:[0x22DD630]
00555374 C780 04020000 0>mov dword ptr ds:[eax+0x204],0x0
0055537E ^ E9 0CF0FFFF jmp Client.0055438F
00555383 8B87 B4120000 mov eax,dword ptr ds:[edi+0x12B4]
00555389 53 push ebx ; position to place the item
0055538A 51 push ecx ; 00000001
0055538B 50 push eax ; 00000000
0055538C 8BCF mov ecx,edi ; 1536EDA8
0055538E E8 2D120000 call Client.005565C0
00555393 5F pop edi
00555394 5E pop esi
00555395 5B pop ebx
00555396 8B4D F4 mov ecx,dword ptr ss:[ebp-0xC]
00555399 64:890D 0000000>mov dword ptr fs:[0],ecx
005553A0 8BE5 mov esp,ebp
005553A2 5D pop ebp
005553A3 C2 0800 retn 0x8
--------------------------------------------------------------------------------------------------------
mov edi,[22D14B0]
mov eax,[edi+0x12B4]
push 0  ; bag position to place the item into
push 1  ; destination: 1 = bag, 7 = shop, D = hotbar, 8 = warehouse
push eax
mov ecx,0x1536EDA8  ; probably a base address, [22D14B0]
call 005565C0  ; put-down item call, also used to buy and sell items
-----------
The base for 0x1536EDA8 is probably
Client.exe+1ED1F90  sell
Client.exe+1ED14B0  buy
----------
Example:
mov edi,[22D14B0]
mov eax,[edi+0x12B4]
push 0
push 1
push eax
mov ecx,edi
call 005565C0
======================================================================================================
Use hotbar item call
======================================================================================================
00180090 0055B30E Client.004362F0 Client.0055B309 11 0018008C
001850E4 005B2F1E Client.00559990 Client.005B2F19 11 001850E0
0018A1C0 005AF18D Client.005B2E30 Client.005AF188 11 0018A1BC
--------------------------------------------------------------------------------------------------------
005AF155 |. 83FF 44 cmp edi,0x44
005AF158 |. 7F 33 jg short Client.005AF18D
005AF15A |. 833D 1095B500>cmp dword ptr ds:[0xB59510],-0x1
005AF161 |. 0F85 4E0F0000 jnz Client.005B00B5
005AF167 |. A0 84B34405 mov al,byte ptr ds:[0x544B384]
005AF16C |. 84C0 test al,al
005AF16E |. 0F85 410F0000 jnz Client.005B00B5
005AF174 |. A1 74B24405 mov eax,dword ptr ds:[0x544B274]
005AF179 |. 25 FFFF0000 and eax,0xFFFF
005AF17E |. 8D0C80 lea ecx,dword ptr ds:[eax+eax*4]
005AF181 |. 8D544F C5 lea edx,dword ptr ds:[edi+ecx*2-0x3B]
005AF185 |. 8BCB mov ecx,ebx
005AF187 |. 52 push edx
005AF188 |. E8 A33C0000 call Client.005B2E30 ///////////////// hotbar item
005AF18D |> 83FF 38 cmp edi,0x38 ; Switch (cases 2..38)
005AF190 |. 75 15 jnz short Client.005AF1A7
005AF192 |. 5F pop edi ; Case 38 of switch 005AF18D
005AF193 |. C683 64030000>mov byte ptr ds:[ebx+0x364],0x1
005AF19A |. 5E pop esi
005AF19B |. B8 01000000 mov eax,0x1
005AF1A0 |. 5B pop ebx
005AF1A1 |. 8BE5 mov esp,ebp
---------------------------------------------------------------------------------------------------
Hotbar item
push 4  ; hotbar slot
call 005B2E30
======================================================================================================
Select monster call
===================================================================================================
---------------------------------------------------------------------------------------------------
0044A93A |. 8B01 mov eax,dword ptr ds:[ecx] ; previous monster attribute pointer
0044A93C |. 6A 00 push 0x0
0044A93E |. 6A 00 push 0x0
0044A940 |. 68 4C040000 push 0x44C
0044A945 |. FF50 04 call dword ptr ds:[eax+0x4]
0044A948 |> 3977 08 cmp dword ptr ds:[edi+0x8],esi
0044A94B |. 75 56 jnz short Client.0044A9A3
0044A94D |. 8B47 14 mov eax,dword ptr ds:[edi+0x14]
0044A950 |. 8B17 mov edx,dword ptr ds:[edi]
0044A952 |. 8B35 504D2D02 mov esi,dword ptr ds:[0x22D4D50]
0044A958 |. 6A 00 push 0x0
0044A95A |. 50 push eax
0044A95B |. 68 32040000 push 0x432
0044A960 |. 8BCF mov ecx,edi
0044A962 |. FF52 04 call dword ptr ds:[edx+0x4]
0044A965 |. 8B4F 14 mov ecx,dword ptr ds:[edi+0x14]
0044A968 |. 898E 40270000 mov dword ptr ds:[esi+0x2740],ecx
0044A96E |. 8B57 14 mov edx,dword ptr ds:[edi+0x14]
0044A971 |. 8B0D 40D62D02 mov ecx,dword ptr ds:[0x22DD640]
0044A977 |. 52 push edx
0044A978 |. E8 C31A1200 call Client.0056C440
0044A97D |. 84C0 test al,al
0044A97F |. 74 32 je short Client.0044A9B3
0044A981 |. 8B0D 40D62D02 mov ecx,dword ptr ds:[0x22DD640]
0044A987 |. 8B47 14 mov eax,dword ptr ds:[edi+0x14]
0044A98A |. 6A 00 push 0x0
0044A98C |. 50 push eax
0044A98D |. 8B91 60020000 mov edx,dword ptr ds:[ecx+0x260]
0044A993 |. 68 36040000 push 0x436
0044A998 |. 52 push edx
0044A999 |. E8 727BFFFF call Client.00442510
0044A99E |. 83C4 10 add esp,0x10
0044A9A1 |. EB 10 jmp short Client.0044A9B3
0044A9A3 |> 8B07 mov eax,dword ptr ds:[edi] ; edi==monster pointer
0044A9A5 |. 6A 00 push 0x0
0044A9A7 |. 6A 01 push 0x1
0044A9A9 |. 68 4C040000 push 0x44C
0044A9AE |. 8BCF mov ecx,edi
0044A9B0 |. FF50 04 call dword ptr ds:[eax+0x4]
0044A9B3 |> 8B15 504D2D02 mov edx,dword ptr ds:[0x22D4D50] ; select-monster base
0044A9B9 |. 8B4F 0C mov ecx,dword ptr ds:[edi+0xC] ; edi==selected monster pointer, passes the monster ID
0044A9BC |. 898A C40F0000 mov dword ptr ds:[edx+0xFC4],ecx ; monster ID written to the selected-monster pointer
----------------------------------------------------------------------------------------------------
mov ecx,1C1B6618  ; attribute pointer of the currently selected monster, [97C*4+022D0D50]
mov eax,[ecx]
push 0x0
push 0x0
push 0x44C
call [eax+0x4]  ; deselect the previously selected monster
mov edi,1C151178  ; attribute pointer of the monster to select, [977*4+022D0D50]
mov eax,[edi]
push 0x0
push 0x1
push 0x44C
mov ecx,edi
call [eax+0x4]  ; show the monster now being selected
mov edx,[0x22D4D50]
mov ecx,[edi+0xC]
mov [edx+0xFC4],ecx  ; update the selected-monster base
------------------------------------------------------------------------------------------------------
Example:
mov ecx,0x1C151178
mov eax,[ecx]
push 0x0
push 0x0
push 0x44C
call [eax+0x4]
mov edi,0x19D2D560
mov eax,[edi]
push 0x0
push 0x1
push 0x44C
mov ecx,edi
call [eax+0x4]
mov edx,[0x22D4D50]
mov ecx,[edi+0xC]
mov [edx+0xFC4],ecx
===================================================================================================
Walk call
===============================================================================================================
00453B79 |> \89BB 3C080000 mov dword ptr ds:[ebx+0x83C],edi
00453B7F |. 89BB 38080000 mov dword ptr ds:[ebx+0x838],edi
00453B85 |. 89BB BC010000 mov dword ptr ds:[ebx+0x1BC],edi
00453B8B |. 89BB B8010000 mov dword ptr ds:[ebx+0x1B8],edi
00453B91 |. C683 F5010000>mov byte ptr ds:[ebx+0x1F5],0x0
00453B98 |> C683 C4260000>mov byte ptr ds:[ebx+0x26C4],0x0
00453B9F |. 66:89BB D0100>mov word ptr ds:[ebx+0x10D0],di
00453BA6 |. C683 F4000000>mov byte ptr ds:[ebx+0xF4],0x0
00453BAD |. 8B13 mov edx,dword ptr ds:[ebx] ; edx==coordinate pointer base
00453BAF |. 57 push edi ; edi==0
00453BB0 |. 56 push esi ; esi==target coordinate pointer
00453BB1 |. 68 F2030000 push 0x3F2
00453BB6 |. 8BCB mov ecx,ebx
00453BB8 |. FF52 04 call dword ptr ds:[edx+0x4] //local move call
------------------------------------------------------------------------------------------------------------------------------------
Binary coordinate data
1D449D4C F6 79 D7 C5 3E 3B E3 C2 6C 24 B0 41 00 00 00 00
-------------------------------------------------------------------------------------------------------------------------------------
004583A6 |. 8B86 C0190000 mov eax,dword ptr ds:[esi+0x19C0] ; esi=target coordinate pointer
004583AC |. 6A 02 push 0x2
004583AE |. 8B8E C4190000 mov ecx,dword ptr ds:[esi+0x19C4]
004583B4 |. 83EC 0C sub esp,0xC
004583B7 |. 8BD4 mov edx,esp
004583B9 |. 8902 mov dword ptr ds:[edx],eax
004583BB |. 8B86 C8190000 mov eax,dword ptr ds:[esi+0x19C8]
004583C1 |. 894A 04 mov dword ptr ds:[edx+0x4],ecx
004583C4 |. 8BCE mov ecx,esi ; esi=coordinate pointer base
004583C6 |. 8942 08 mov dword ptr ds:[edx+0x8],eax
004583C9 |. E8 C29AFFFF call Client.00451E90 //packet-send move call
-------------------------------------------------------------------------------------------------------------------------------------------------
00453BEA |. 66:898B CA100>mov word ptr ds:[ebx+0x10CA],cx
00453BF1 |> 8B93 E4190000 mov edx,dword ptr ds:[ebx+0x19E4]
00453BF7 |. 8B83 780F0000 mov eax,dword ptr ds:[ebx+0xF78]
00453BFD |. 8B8B 700F0000 mov ecx,dword ptr ds:[ebx+0xF70]
00453C03 |. 57 push edi ; edi=0
00453C04 |. 52 push edx ; edx==1B62D7E0
00453C05 |. 33D2 xor edx,edx
00453C07 |. 8A9441 54D22D>mov dl,byte ptr ds:[ecx+eax*2+0x22DD25>
00453C0E |. 8BCB mov ecx,ebx
00453C10 |. 52 push edx ; edx==1F
00453C11 |. E8 DABCFFFF call Client.0044F8F0 ; model toggle call
--------------------------------------------------------------------------------------------------------------------------------------------------
Coordinate pointer base=[Client.exe+1ED4D50]
Target coordinate pointer base X=[Client.exe+1ED4D50]+F84
Target coordinate pointer base Z=[Client.exe+1ED4D50]+F88
Target coordinate pointer base Y=[Client.exe+1ED4D50]+F8C
Coordinate switch 1 base=[Client.exe+1ED4D50]+F9C
Coordinate switch 2 base=[Client.exe+1ED4D50]+FA0
Coordinate switch 3 base=[Client.exe+1ED4D50]+FA4
----------------------------------------------------------------------------------------------------------------------------------------------------
Write X, Z, Y into the coordinate memory
mov ebx,[0x22D4D50]
mov byte ptr ds:[ebx+0xF9C],0x1  ; coordinate switch 1
mov byte ptr ds:[ebx+0xFA0],0x1  ; coordinate switch 2
mov dword ptr ds:[ebx+0xFA4],0x0  ; coordinate switch 3
mov ebx,[0x22D4D50]  ; coordinate pointer base
lea esi,[ebx+0xF84]  ; target coordinate pointer
mov edx,[ebx]
push 0
push esi
push 0x3F2
mov ecx,ebx
call [edx+0x4]  ; local move call
mov esi,[0x22D4D50]  ; coordinate pointer base
mov eax,[esi+0xF84]  ; target coordinate pointer (coordinate X)
push 0x2
mov ecx,[esi+0xF88]  ; target coordinate pointer+4 (coordinate Z)
sub esp,0xC
mov edx,esp
mov [edx],eax
mov eax,[esi+0xF8C]  ; coordinate Y
mov [edx+0x4],ecx
mov ecx,esi
mov [edx+8],eax
call 0x00451E90  ; packet-send move call
-------------------------------------------------------------------------------
Add as needed
mov edx,dword ptr ds:[ebx+0x19E4]  ; ebx==[0x22D4D50] coordinate pointer base
push 0
push edx
mov ecx,ebx
push 0x1F
call 0044F8F0  ; model toggle call
======================================================================================================================
Walk call (new)
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
00453B79 | 89BB 3C080000 | mov dword ptr ds:[ebx+0x83C],edi |
00453B7F | 89BB 38080000 | mov dword ptr ds:[ebx+0x838],edi |
00453B85 | 89BB BC010000 | mov dword ptr ds:[ebx+0x1BC],edi |
00453B8B | 89BB B8010000 | mov dword ptr ds:[ebx+0x1B8],edi |
00453B91 | C683 F5010000 00 | mov byte ptr ds:[ebx+0x1F5],0x0 |
00453B98 | C683 C4260000 00 | mov byte ptr ds:[ebx+0x26C4],0x0 |
00453B9F | 66:89BB D0100000 | mov word ptr ds:[ebx+0x10D0],di |
00453BA6 | C683 F4000000 00 | mov byte ptr ds:[ebx+0xF4],0x0 |
00453BAD | 8B13 | mov edx,dword ptr ds:[ebx] |
00453BAF | 57 | push edi |
00453BB0 | 56 | push esi |
00453BB1 | 68 F2030000 | push 0x3F2 |
00453BB6 | 8BCB | mov ecx,ebx |
00453BB8 | FF52 04 | call dword ptr ds:[edx+0x4] walk call |
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Coordinate write locations
Coordinate pointer base=[22D4D50]
Target coordinate pointer base X=[22D4D50]+F84
Target coordinate pointer base Z=[22D4D50]+F88
Target coordinate pointer base Y=[22D4D50]+F8C
-----------------------------------------------------------------------------------------------------------------------------------------------------
Call
mov ebx,[22D4D50]
mov dword ptr ds:[ebx+0xf9c],0x1  ; coordinate lock 1
mov dword ptr ds:[ebx+0xFA0],0x1  ; coordinate lock 2
mov dword ptr ds:[ebx+0xFA4],0x0  ; coordinate lock 3
mov dword ptr ds:[ebx+0x83C],0x0
mov dword ptr ds:[ebx+0x838],0x0
mov dword ptr ds:[ebx+0x1BC],0x0
mov dword ptr ds:[ebx+0x1B8],0x0
mov byte ptr ds:[ebx+0x1F5],0x0
mov byte ptr ds:[ebx+0x26C4],0x0
mov word ptr ds:[ebx+0x10D0],0x0
mov byte ptr ds:[ebx+0xF4],0x0
mov edx,dword ptr ds:[ebx]
push 0x0
push esi  ; esi==(ebx+F84)
push 0x3F2
mov ecx,ebx
call dword ptr ds:[edx+0x4]
====================================================================================================================
======================================================================================
Open/close shop call
----------------------------------------------------------------------------------------------------------------------------------------------
00537A7F |> \8B0D 30D62D02 mov ecx,dword ptr ds:[0x22DD630]
00537A85 |. 8B81 04020000 mov eax,dword ptr ds:[ecx+0x204]
00537A8B |. 85C0 test eax,eax
00537A8D |. 75 63 jnz short Client.00537AF2
00537A8F |. 8B46 40 mov eax,dword ptr ds:[esi+0x40]
00537A92 |. 85C0 test eax,eax
00537A94 |. 74 5C je short Client.00537AF2
00537A96 |. 8A86 04020000 mov al,byte ptr ds:[esi+0x204]
00537A9C |. 84C0 test al,al
00537A9E |. 74 1A je short Client.00537ABA
00537AA0 |. 8B4E 04 mov ecx,dword ptr ds:[esi+0x4]
00537AA3 |. 85C9 test ecx,ecx
00537AA5 |. 74 13 je short Client.00537ABA
00537AA7 |. 8B86 24020000 mov eax,dword ptr ds:[esi+0x224] ; esi=position base  open==[22D1F64] close==[22D2074]
00537AAD |. 8B11 mov edx,dword ptr ds:[ecx] ; edx==open/close base  open==[22D1F58] close==[22D1FE4]
00537AAF |. 6A 00 push 0x0
00537AB1 |. 50 push eax ; eax==option number 1==5B 2==5C 3==5D 4==5E
00537AB2 68 F4030000 push 0x3F4
00537AB7 |. FF52 04 call dword ptr ds:[edx+0x4] ; open/close shop call
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
mov ecx,[22D1F58]  ; open/close base: open==[22D1F58], close after the tab was opened==[22D1FE4]
mov edx,[ecx]
push 0x0
push (option number)  ; 1==5B 2==5C 3==5D 4==5E, close tab page==5A, close after the tab was opened==62
push 0x3F4
call [edx+0x4]  ; open/close shop call
======================================================================================
Open shop call (backup; can only open)
00521D76 |. E8 151B0000 call Client.00523890
------------------------------------------------------------------------------------------------------------------------------------------
mov esi,[0x22D1F58]  ; base
mov edi,0x5C  ; option number (5B 5C 5D 5E)
mov ecx,[esi+edi*4+0xE4]
push ecx  ; type, computed automatically (1 buy/sell, 2 quest, 3 open warehouse, 4 craft, 6 enhance, D move silver, F move village, 11 grant attribute)
mov ecx,esi
call 00523890
===============================================================================
Handy code for closing a stuck shop
----------------------------------------------------------------------------------------------
mov ebx,[22D1F5C]  ; force the tab open
mov dword ptr ds:[ebx+40],0x1
mov ebx,[22D1F8C]  ; force the shop open
mov dword ptr ds:[ebx+40],0x1
mov esi,[22D1FE0]
mov ecx,[22D1F88]
mov eax,[esi+0x224]
mov edx,[ecx]
push 0x0
push eax
push 0x3F4
call [edx+0x4]
--------------------------------------------------------------------------------------------------------------------
===========================================================================
Open NPC call
--------------------------------------------------------------------------------------------------------------------------------------
0043FA30 |. 8BF1 mov esi,ecx
0043FA32 |. 33DB xor ebx,ebx
0043FA34 |. 57 push edi
0043FA35 |. 53 push ebx
0043FA36 |. 8B7E 24 mov edi,dword ptr ds:[esi+0x24]
0043FA39 |. 8B46 08 mov eax,dword ptr ds:[esi+0x8]
0043FA3C |. 8D4E 08 lea ecx,dword ptr ds:[esi+0x8]
0043FA3F |. 53 push ebx
0043FA40 |. 68 1F040000 push 0x41F
0043FA45 |. 897D E0 mov [local.8],edi
0043FA48 |. FF50 04 call dword ptr ds:[eax+0x4]
0043FA4B |. 83F8 01 cmp eax,0x1
0043FA4E |. 75 2A jnz short Client.0043FA7A
0043FA50 |. 8B0D 40D62D02 mov ecx,dword ptr ds:[0x22DD640]
0043FA56 |. 8B86 24030000 mov eax,dword ptr ds:[esi+0x324]
0043FA5C |. 50 push eax
0043FA5D |. 68 FFFF0000 push 0xFFFF
0043FA62 |. 8B11 mov edx,dword ptr ds:[ecx]
0043FA64 |. 6A 08 push 0x8
0043FA66 |. FF52 04 call dword ptr ds:[edx+0x4]
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------
mov ecx,[0x22DD640]
mov eax,0x94  ; monster value (see below)
push eax
push 0xFFFF
mov edx,[ecx]
push 0x8
call [edx+0x4]
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Combined use (open the NPC and pick option N directly)
mov ecx,[0x22DD640]
mov eax,0x94  ; monster value
push eax
push 0xFFFF
mov edx,[ecx]
push 0x8
call [edx+0x4]
mov esi,[0x22D1F58]
mov edi,0x5B  ; which option
mov ecx,[esi+edi*4+0xE4]
push ecx
mov ecx,esi
call 00523890
=======================================================
Open NPC call (packet-based)
-------------------------------------------------------------------------------------------------
00566DF2 B9 000A0000 mov ecx,0xA00
00566DF7 33C0 xor eax,eax
00566DF9 8DBD FED7FFFF lea edi,dword ptr ss:[ebp-0x2802]
00566DFF 66:C785 F8D7FFF>mov word ptr ss:[ebp-0x2808],0x0
00566E08 F3:AB rep stos dword ptr es:[edi]
00566E0A 8B7D 10 mov edi,dword ptr ss:[ebp+0x10]
00566E0D 8B0D 68F7EA00 mov ecx,dword ptr ds:[0xEAF768]
00566E13 8D85 F8D7FFFF lea eax,dword ptr ss:[ebp-0x2808]
00566E19 6A 16 push 0x16
00566E1B 50 push eax ; data memory address
00566E1C 66:C785 FAD7FFF>mov word ptr ss:[ebp-0x2806],0x90
00566E25 66:C785 FCD7FFF>mov word ptr ss:[ebp-0x2804],0x10
00566E2E C785 FED7FFFF 0>mov dword ptr ss:[ebp-0x2802],0x1
00566E38 89BD 06D8FFFF mov dword ptr ss:[ebp-0x27FA],edi
00566E3E E8 ADF4ECFF call Client.004362F0 ; open NPC call
-------------------------------------------------------------------------------------------------
Data in the memory the caller allocates itself
00184CC8 00 00 90 00 10 00 01 00 00 00 00 00
00184CD8 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
{00,00,90,00}(fixed data)
{10,00,01,00}(fixed data)
{00,00,00,00}(fixed data)
{00,00,01,00}(the 1 here is the NPC code; see Monster values)
All codes here are hexadecimal
-------------------------------------------------------------------------------------------------
push 0x16
push 0x0FA50004  ; address of the self-allocated memory
mov ecx,[0xEAF768]
mov edx,0x4362F0  ; the call address
call edx
==============================================================
Open/close shop (packet)
----------------------------------------------------------------------------------------------------
Close
00533345 | 6A 16 | push 0x16 |
00533347 | F3:AB | rep stosd |
00533349 | 8B8A 08020000 | mov ecx,dword ptr ds:[edx+0x208] |
0053334F | 8D95 F8D7FFFF | lea edx,dword ptr ss:[ebp-0x2808] |
00533355 | 898D 06D8FFFF | mov dword ptr ss:[ebp-0x27FA],ecx |
0053335B | 8B0D 68F7EA00 | mov ecx,dword ptr ds:[0xEAF768] |
00533361 | 52 | push edx |
00533362 | 66:C785 FAD7FFFF 9000 | mov word ptr ss:[ebp-0x2806],0x90 |
0053336B | 66:C785 FCD7FFFF 1000 | mov word ptr ss:[ebp-0x2804],0x10 |
00533374 | C785 FED7FFFF 02000000 | mov dword ptr ss:[ebp-0x2802],0x2 |
0053337E | E8 6D2FF0FF | call <client.sub_4362F0> |
----------------------------------------------------------------------------------------------------
Open
-------------------------------------------------------------------------------------------------
00523901 | 6A 16 | push 0x16 |
00523903 | 52 | push edx |
00523904 | 66:C785 FAD7FFFF 9000 | mov word ptr ss:[ebp-0x2806],0x90 |
0052390D | 66:C785 FCD7FFFF 1000 | mov word ptr ss:[ebp-0x2804],0x10 |
00523916 | 89B5 FED7FFFF | mov dword ptr ss:[ebp-0x2802],esi |
0052391C | E8 CF29F1FF | call <client.sub_4362F0> |
--------------------------------------------------------------------------------------------------
Key data
00 00 90 00 10 00 03 00 00 00 00 00 00 00 4E 00
------------------------------------------------------------------------------------------------
Menu parameter (the value written at offset 6 of the packet, 0x2 / 0x3 in the listings above)
02 close interface
03 buy/sell
04 quest
05 warehouse
06 synthesis
08 enhancement
13 attribute imbue
1C spirit-beast warehouse
0E remake synthesis stone
---------------------------------------------------------------------------------------------------
Call
push 0x16
push edx
mov ecx, dword ptr ds:[0x00EAF768]
call 0x004362F0
=======================================================
Monster values
------------------------------------------------------------------------
泫勃派
1 韦大宝
2 刀剑笑
3 平十指
4 银娇龙
5 金香玉
6 泫勃派 sect master
7 花有缺
8 温小余
4E 小香
---------------------------------------------------------------------------------------
九泉之下
91 张大成, floor 1 / floor 1000
92 殷梨亭
93 张大成's eldest son, floors 100 / 200 / 300
94 张大成's second son, floors 400 / 500 / 600
95 张大成's eldest son, floor 800
96 张大成's eldest son, floors 50 / 100
97 张大成's eldest son, floors 200 / 1
98 张大成's eldest son, floors 300 / 100
99 张大成's eldest son, floors 400 / 200
9A 张大成's eldest son, floors 500 / 300
9B 张大成's eldest son, floors 600 / 400
9C 张大成's eldest son, floors 700 / 500
9D 张大成's eldest son, floors 800 / 600
9E 张大成's eldest son, floors 900 / 700
9F 张大成's eldest son, floor 800
-----------------------------------------------------------------------------------------------------------
柳正关
10 胡银花 (orthodox tower)
1B 楚留情 (orthodox forest)
C 柳正关 gate master 柳絮
D 萧春水
E 红凤凰
-------------------------------------------------------------------------------------------------------------
三邪关
9 三邪关 gate master 翅娟
A 陆小凰
B 周叔通
F 千晓生 (evil tower)
1C 裘千米 (evil forest)
50 南宫絮
------------------------------------------------------------------------------------------
北海冰宫
7D boatman 金氏
==========================================================================
Shout (chat) Call
Shout base address = [Client.exe+1ED0D54]+13C
------------------------------------------------------------------------------------------------------------------------
00433825 |. 8BCB mov ecx,ebx
00433827 |. C645 0F 00 mov byte ptr ss:[ebp+0xF],0x0
0043382B |. E8 10020000 call Client.00433A40
00433830 |. 8B55 08 mov edx,[arg.1]
00433833 |. E9 DF010000 jmp Client.00433A17
00433838 |> 817D 0C 01003>cmp [arg.2],0x320001 ; Cases 9,D of switch 004337EE
0043383F |. 74 15 je short Client.00433856
00433841 |. 8B8B 2C030000 mov ecx,dword ptr ds:[ebx+0x32C] ; ebx==[22D0D54]
00433847 |. 52 push edx ; 0xD
00433848 |. 52 push edx ; 0xD
00433849 |. 68 ED030000 push 0x3ED ; 0x3ED
0043384E |. 8B01 mov eax,dword ptr ds:[ecx]
00433850 |. FF50 04 call dword ptr ds:[eax+0x4] ; shout Call
mov ebx,[22D0D54] (base address)
mov ecx,[ebx+0x32C]
push 0xD
push 0xD
push 0x3ED
mov eax,[ecx]
call [eax+0x4]
--------------------------------------------------------------------------------------------------------------------------
Shout interval limit
00588967 |. 85C9 test ecx,ecx
00588969 |. 74 13 je short Client.0058897E
0058896B |. 2B86 A0080000 sub eax,dword ptr ds:[esi+0x8A0]
00588971 |. 99 cdq
00588972 |. 33C2 xor eax,edx
00588974 |. 2BC2 sub eax,edx
00588976 |. 3BC1 cmp eax,ecx
→00588978 0F82 98020000 jb Client.00588C16 ; shout interval
0058897E 8A86 0D020000 mov al,byte ptr ds:[esi+0x20D]
00588984 |. 8A0D 54844405 mov cl,byte ptr ds:[0x5448454]
0058898A |. 3C 01 cmp al,0x1
0058898C |. 75 1E jnz short Client.005889AC
0058898E |. 80F9 19 cmp cl,0x19
00588991 |. 73 19 jnb short Client.005889AC
------------------------------------------------------------------------------------------------------------------
Duplicate-shout check location
00588A54 |. 83C6 02 |add esi,0x2
00588A57 |. 84C9 |test cl,cl
00588A59 |.^ 75 E0 \jnz short Client.00588A3B
00588A5B |> 33C0 xor eax,eax
→00588A5D EB 05 jmp short Client.00588A64 ; duplicate-shout check location
00588A5F |> 1BC0 sbb eax,eax
00588A61 |. 83D8 FF sbb eax,-0x1
00588A64 |> 85C0 test eax,eax
00588A66 |. 75 24 jnz short Client.00588A8C
00588A68 |. 8B4D FC mov ecx,[local.1]
00588A6B |. 8B45 DC mov eax,[local.9]
00588A6E |. 2B81 A0080000 sub eax,dword ptr ds:[ecx+0x8A0]
00588A74 |. 99 cdq
==================================================================
Shout Call (send packet)
------------------------------------------------------------------------------------------------------------------------
00588B70 | C6843D 41D2FFFF 00 | mov byte ptr ss:[ebp+edi-0x2DBF],0x0 |
00588B78 | 8A85 40D2FFFF | mov al,byte ptr ss:[ebp-0x2DC0] |
00588B7E | FEC0 | inc al |
00588B80 | 8D95 24D2FFFF | lea edx,dword ptr ss:[ebp-0x2DDC] |
00588B86 | 8885 40D2FFFF | mov byte ptr ss:[ebp-0x2DC0],al |
00588B8C | 0FBEC0 | movsx eax,al |
00588B8F | 8D48 17 | lea ecx,dword ptr ds:[eax+0x17] |
00588B92 | 83C0 1D | add eax,0x1D |
00588B95 | 66:898D 28D2FFFF | mov word ptr ss:[ebp-0x2DD8],cx |
00588B9C | 8B0D 68F7EA00 | mov ecx,dword ptr ds:[0xEAF768] |
00588BA2 | 50 | push eax |
00588BA3 | 52 | push edx |
00588BA4 | E8 47D7EAFF | call <client.sub_4362F0> |
00588BA9 | 8B5D FC | mov ebx,dword ptr ss:[ebp-0x4] |
----------------------------------------------------------------------------------------------------------------------
Key data
00 00 08 00 44 00 01 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 2D 31 31 31
31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31
31 31 31 31 31 31 31 31 31 31 31 31 31 31 31 31
31 31 31 31 31 31 31 31 31 00 00 00 00 00 00 00
---------------------------------------------------------------------------------------------------------------
Call
push eax (eax==0x1F here: eax = eax+0x1D(29)+1, i.e. eax == message length + 29 + 1)
push <self-allocated memory>
mov ecx, dword ptr ds:[0x00EAF768]
call 0x004362F0
====================================================================
Revive-in-place CALL (send packet)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0045200B 66:8955 FC mov word ptr ss:[ebp-0x4],dx
0045200F D9C0 fld st
00452011 D8C9 fmul st,st(1)
00452013 D9C2 fld st(2)
00452015 D8CB fmul st,st(3)
00452017 66:8B46 14 mov ax,word ptr ds:[esi+0x14]
0045201B B9 0A000000 mov ecx,0xA
00452020 8D75 D8 lea esi,dword ptr ss:[ebp-0x28]
00452023 8DBD D6D7FFFF lea edi,dword ptr ss:[ebp-0x282A]
00452029 DEC1 faddp st(1),st
0045202B 66:8985 D0D7FFFF mov word ptr ss:[ebp-0x2830],ax
00452032 66:C785 D4D7FFFF 2800 mov word ptr ss:[ebp-0x282C],0x28
0045203B 6A 2E push 0x2E
0045203D D9FA fsqrt
0045203F DDDA fstp st(2)
00452041 DDD8 fstp st
00452043 D95D F8 fstp dword ptr ss:[ebp-0x8]
00452046 F3:A5 rep movs dword ptr es:[edi],dword ptr ds>
00452048 8D8D D0D7FFFF lea ecx,dword ptr ss:[ebp-0x2830]
0045204E 51 push ecx ; ecx==00187B64
0045204F 8B0D 68F7EA00 mov ecx,dword ptr ds:[0xEAF768]
00452055 E8 9642FEFF call Client.004362F0 // revive-in-place Call
------------------------------------------------------------------------------------------------------------------------------------------------------
Revive data (the captured data differs from the actual data)
08DA0000 0A 00 48 00 04 00 64 00 00 00 00 80 18 C4 59 D9
08DA0010 3C C3 00 80 9A 43 35 08 00 00 00 00 00 00 00 00
08DA0020 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
------------------------------------------------------------------------------------------------------------------------------------------------------
CALL
push 0x2E (the captured parameter was push 0x1A; this parameter should be the data size + 2 bytes)
push 0x0FCF0000 (self-allocated memory)
mov ecx,dword ptr ds:[0xEAF768]
mov edx,0x4362F0
call edx
------------------------------------------------------------------------------------------------------------------------------------------------------------
Death-protection window = [[Client.exe+1ED2CB8]+208]+40
Window location = 005D880A C741 40 01000000 mov dword ptr ds:[ecx+0x40],0x1 (to keep the window from showing, patch out these 7 bytes of code)
金F revive window = [Client.exe+1ED0FAC]+40
Window location = 0056B838 C740 40 01000000 mov dword ptr ds:[eax+0x40],0x1 (to keep the window from showing, patch out these 7 bytes of code)
=====================================================
Revive CALL
--------------------------------------------------------------------------------------------------------------------------------------
005AFE85 | E8 B62DEAFF | call client.452C40 |
------------------------------------------------------------------------------------------------------------------------------------
Call (as for the window: close it directly in memory, or patch the value in assembly)
mov ecx,[0x022D4D50]
call 0x00452C40
=====================================================
=======================================================================================================
Buy/sell item Call (send packet)
------------------------------------------------------------------------------------------------
One of them, as an example:
00553331 |. /76 39 jbe short Client.0055336C
00553333 |> |8DB3 340F0000 lea esi,dword ptr ds:[ebx+0xF34]
00553339 |. |B9 0C000000 mov ecx,0xC
0055333E |. |8DBD FED7FFFF lea edi,dword ptr ss:[ebp-0x2802]
00553344 |. |66:C785 FAD7FFFF 0E>mov word ptr ss:[ebp-0x2806],0xE
0055334D |. |66:C785 FCD7FFFF 30>mov word ptr ss:[ebp-0x2804],0x30
00553356 |. |6A 36 push 0x36
00553358 |. |F3:A5 rep movs dword ptr es:[edi],dword ptr ds:[esi]
0055335A |> |8D8D F8D7FFFF lea ecx,[local.2562]
00553360 |. |51 push ecx
00553361 |> |8B0D 68F7EA00 mov ecx,dword ptr ds:[0xEAF768] // buy/sell stackable item Call
00553367 |. |E8 842FEEFF call Client.004362F0
0055336C |> \8BCB mov ecx,ebx ; Default case of switch 00552CAF
0055336E |. E8 3D9D0000 call Client.0055D0B0
------------------------------------------------------------------------------------------------
Sell item
push 0x4E ; selling a stackable item
Jump location == 00552F83 |. /E9 D9030000 jmp Client.00553361
Sell stackable item call == 00553367 |. E8 842FEEFF call Client.004362F0
Sell single (quantity 1) item call == 005580D5 |. E8 16E2EDFF call Client.004362F0
Item unique identifier == [[22D1F90]+shop slot*4+33C]+50 (byte == E7)
Item unique identifier == [[22D1F90]+shop slot*4+33C]+50+1 (byte == 00)
Item identifier == [[22D1F90]+shop slot*4+33C]+4C (byte == 61)
Item identifier == [[22D1F90]+shop slot*4+33C]+4C+1 (byte == 0B)
Item identifier == [[22D1F90]+shop slot*4+33C]+4C+2 (byte == 93)
Item identifier == [[22D1F90]+shop slot*4+33C]+4C+3 (byte == 06)
(bag base address)
Key data
0A 00 92 00 00 00 02 00 00 00 00 00 00 00 65 CA
9A 3B 01 00 00 00 00 00 00 00 00 00 00 00 E7 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 16 00 00 00 00 00 00 00 00 00 00 00 00
---------------------------------------------------------------------------------------------------------------------------------------------
Buy item
push 0x4E ; buying a stackable item
Stackable-buy jump location == 00552FE2 |. /E9 7A030000 jmp Client.00553361
Buy stackable item call == 00553367 |. E8 842FEEFF call Client.004362F0
Buy single (quantity 1) item Call == 005583BC |. E8 2FDFEDFF call Client.004362F0
Item unique identifier == [[22D1F90]+shop slot*4+33C]+50 (byte == E7)
Item unique identifier == [[22D1F90]+shop slot*4+33C]+50+1 (byte == 00)
Item identifier == [[22D1F90]+shop slot*4+33C]+4C (byte == 61)
Item identifier == [[22D1F90]+shop slot*4+33C]+4C+1 (byte == 0B)
Item identifier == [[22D1F90]+shop slot*4+33C]+4C+2 (byte == 93)
Item identifier == [[22D1F90]+shop slot*4+33C]+4C+3 (byte == 06)
(buy/sell shop item-bar base address)
Key data
00 00 92 00 48 00 01 00 00 00 00 00 00 00 69 CA
9A 3B 01 00 00 00 00 00 00 00 00 00 00 00 E7 00
-----------------------------------------------------------------------------
Call
push 0x4E
push 0x07F40000 (self-allocated address; data shown above)
mov ecx,dword ptr ds:[0xEAF768]
call 004362F0
=====================================================================
Warehouse storage (send packet)
---------------------------------------------------------------------
Deposit
Deposit call == 00558FDA |. E8 11D3EDFF call Client.004362F0
Shared warehouse base address = 22D2078
Personal warehouse base address = 22D1FEC
Warehouse item unique identifier == [[warehouse base]+bag slot*4+33C]+50 (byte == 00)
Warehouse item unique identifier == [[warehouse base]+bag slot*4+33C]+50 (byte == 00)
Warehouse item identifier == [[warehouse base]+bag slot*4+33C]+49C (byte == 24)
Warehouse item identifier == [[warehouse base]+bag slot*4+33C]+49C (byte == A1)
Warehouse item identifier == [[warehouse base]+bag slot*4+33C]+49C (byte == 07)
Warehouse item identifier == [[warehouse base]+bag slot*4+33C]+49C (byte == 00)
0A 00 94 00 00 00 03 00 00 00 00 00 00 00 24 A1
07 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 01 0F 00 00 00 00 00 00 00 00 00 00 00 00
------------------------------------------------------------------------
Withdraw
Withdraw call = 00558899 |. E8 52DAEDFF call Client.004362F0
Shared warehouse base address = 22D2078
Personal warehouse base address = 22D1FEC
Warehouse item unique identifier == [[warehouse base]+bag slot*4+33C]+50 (byte == 00)
Warehouse item unique identifier == [[warehouse base]+bag slot*4+33C]+50 (byte == 00)
Warehouse item identifier == [[warehouse base]+bag slot*4+33C]+49C (byte == 24)
Warehouse item identifier == [[warehouse base]+bag slot*4+33C]+49C (byte == A1)
Warehouse item identifier == [[warehouse base]+bag slot*4+33C]+49C (byte == 07)
Warehouse item identifier == [[warehouse base]+bag slot*4+33C]+49C (byte == 00)
0A 00 94 00 00 00 05 00 00 00 00 00 00 00 61 0B
93 06 01 00 00 00 00 00 00 00 00 00 00 00 1A 01
00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 08 08 00 00 00 00 00 00 00 00 00 00 00 00
------------------------------------------------------------------------------------
Call
push 0x4E
push 0x07F40000 (self-allocated address; data shown above)
mov ecx,dword ptr ds:[0xEAF768]
call 004362F0
==============================================================================================================
九泉 movement CALL
-------------------------------------------------------------------------------------
004DB484 |. 894D 10 mov [arg.3],ecx
004DB487 |. 8955 14 mov [arg.4],edx
004DB48A |> 8B4D 0C mov ecx,[arg.2]
004DB48D |. 8B55 10 mov edx,[arg.3]
004DB490 |. 8B45 08 mov eax,[arg.1] ; EAX==58
004DB493 |. 898D 02D8FFFF mov dword ptr ss:[ebp-0x27FE],ecx
004DB499 |. 8B4D 18 mov ecx,[arg.5] ; ECX==1
004DB49C |. 8995 06D8FFFF mov dword ptr ss:[ebp-0x27FA],edx
004DB4A2 |. 8985 FED7FFFF mov dword ptr ss:[ebp-0x2802],eax
004DB4A8 |. 8B45 14 mov eax,[arg.4] ; EAX==[0x22EF598]
004DB4AB |. 8D95 F8D7FFFF lea edx,[local.2562]
004DB4B1 |. 898D 0ED8FFFF mov dword ptr ss:[ebp-0x27F2],ecx
004DB4B7 |. 8B0D 68F7EA00 mov ecx,dword ptr ds:[0xEAF768]
004DB4BD |. 6A 1A push 0x1A
004DB4BF |. 52 push edx
004DB4C0 |. 66:C785 FAD7F>mov word ptr ss:[ebp-0x2806],0x48
004DB4C9 |. 66:C785 FCD7F>mov word ptr ss:[ebp-0x2804],0x14
004DB4D2 |. 8985 0AD8FFFF mov dword ptr ss:[ebp-0x27F6],eax
004DB4D8 |. E8 13AEF5FF call Client.004362F0 // send-packet Call
--------------------------------------------------------------------------------------------
Key data
0A 00 48 00 14 00 58 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00
------------------------------------------------------------------------------------------
push 0x1A
push 0x097F0000 (self-allocated memory)
mov ecx,dword ptr ds:[0xEAF768]
call 004362F0
=====================================================
九泉 floor-jump CALL (can also open certain windows and 泫勃派)
-----------------------------------------------------------------------------------------------------------------------------------------
005238C3 |. 8B88 E8020000 mov ecx,dword ptr ds:[eax+0x2E8]
005238C9 |. E8 025C0B00 call Client.005D94D0
005238CE |. B9 000A0000 mov ecx,0xA00
005238D3 |. 33C0 xor eax,eax ; mss32.21110210
005238D5 |. 8DBD FED7FFFF lea edi,dword ptr ss:[ebp-0x2802]
005238DB |. 66:C785 F8D7F>mov word ptr ss:[ebp-0x2808],0x0
005238E4 |. F3:AB rep stos dword ptr es:[edi]
005238E6 |. 8B0D A8103002 mov ecx,dword ptr ds:[0x23010A8]
005238EC |. 8D95 F8D7FFFF lea edx,[local.2562]
005238F2 |. 83C6 02 add esi,0x2
005238F5 |. 898D 06D8FFFF mov dword ptr ss:[ebp-0x27FA],ecx
005238FB |. 8B0D 68F7EA00 mov ecx,dword ptr ds:[0xEAF768]
00523901 |. 6A 16 push 0x16
00523903 |. 52 push edx
00523904 |. 66:C785 FAD7F>mov word ptr ss:[ebp-0x2806],0x90
0052390D |. 66:C785 FCD7F>mov word ptr ss:[ebp-0x2804],0x10
00523916 |. 89B5 FED7FFFF mov dword ptr ss:[ebp-0x2802],esi
0052391C |. E8 CF29F1FF call Client.004362F0 // 九泉 Call
-------------------------------------------------------------------------------------------------------------------------------
Call
push 0x16
push 0x09160000
mov ecx,dword ptr ds:[0xEAF768]
call 004362F0
-----------------------------------------------------------------------------------------------------------------------------
Key data
00 00 90 00 10 00 43 00
---------------------------------------------------------------------------------------------------------------------------
Location data (the value written at offset 6 of the packet; 0x43 above is floor 200)
Warehouse window 5 (decimal)
Create-sect window 7
Synthesis stone window 14
Attribute-imbue window 19
Sparring ground 21
Synthesis window 26
伏魔洞 45
北海冰宫 phantom 52
北海冰宫 53
泫勃派 63
-------------------
Floor       hex   decimal
Floor 1     42    66
Floor 50    5C    92
Floor 100   41    65
Floor 200   43    67
Floor 300   45    69
Floor 400   47    71
Floor 500   49    73
Floor 600   4B    75
Floor 700   4D    77
Floor 800   4F    79
Floor 900   51    81
Floor 1000  5D    93
------
=================================================================================================
Attack monster Call (send packet to attack)
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
004599A6 |. 66:8B85 E8D7F>mov ax,word ptr ss:[ebp-0x2818]
004599AD |. 66:05 0200 add ax,0x2
004599B1 |. 8B0D 68F7EA00 mov ecx,dword ptr ds:[0xEAF768]
004599B7 |. 0FBFD0 movsx edx,ax
004599BA |. 66:8985 E8D7F>mov word ptr ss:[ebp-0x2818],ax
004599C1 |. 83C2 06 add edx,0x6
004599C4 |. 8D85 E4D7FFFF lea eax,[local.2567]
004599CA |. 52 push edx
004599CB |. 50 push eax
004599CC |. E8 1FC9FDFF call Client.004362F0
004599D1 |. 5F pop edi
004599D2 |. 5E pop esi
004599D3 |. 5B pop ebx
004599D4 |. 8BE5 mov esp,ebp
004599D6 |. 5D pop ebp
004599D7 |. C2 0800 retn 0x8
004599DA |> 0FBF8D E8D7FF>movsx ecx,word ptr ss:[ebp-0x2818]
004599E1 |. 83C1 06 add ecx,0x6
004599E4 |. 8D95 E4D7FFFF lea edx,[local.2567]
004599EA |. 51 push ecx ; ecx==1A
004599EB |. 8B0D 68F7EA00 mov ecx,dword ptr ds:[0xEAF768]
004599F1 |. 52 push edx
004599F2 |. E8 F9C8FDFF call Client.004362F0 // packet sent before attacking
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0043FB4D |. 66:8915 A8E02>mov word ptr ds:[0x22CE0A8],dx
0043FB54 |. EB 0E jmp short Client.0043FB64
0043FB56 |> 3BC3 cmp eax,ebx
0043FB58 |. 75 66 jnz short Client.0043FBC0
0043FB5A |. 66:8B42 14 mov ax,word ptr ds:[edx+0x14]
0043FB5E |. 66:A3 A8E02C0>mov word ptr ds:[0x22CE0A8],ax
0043FB64 |> 66:C705 AAE02>mov word ptr ds:[0x22CE0AA],0x25
0043FB6D |. 66:C705 ACE02>mov word ptr ds:[0x22CE0AC],0x6
0043FB76 |. C705 A0E02C02>mov dword ptr ds:[0x22CE0A0],Client.022C>
0043FB80 |. 66:8B4E 1C mov cx,word ptr ds:[esi+0x1C]
0043FB84 |. 66:890D AEE02>mov word ptr ds:[0x22CE0AE],cx
0043FB8B |. 66:8B57 34 mov dx,word ptr ds:[edi+0x34]
0043FB8F |. 8B0D 68F7EA00 mov ecx,dword ptr ds:[0xEAF768]
0043FB95 |. 66:8915 B0E02>mov word ptr ds:[0x22CE0B0],dx
0043FB9C |. 66:0FB647 39 movzx ax,byte ptr ds:[edi+0x39]
0043FBA1 |. 6A 0C push 0xC
0043FBA3 |. 68 A8E02C02 push Client.022CE0A8 ; ASCII "\n"
0043FBA8 |. 66:A3 B2E02C0>mov word ptr ds:[0x22CE0B2],ax
0043FBAE |. E8 3D67FFFF call Client.004362F0 // attack monster Call (the pre-attack packet must be sent first)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
CALL
push 0x1A
push 0x10220000 (self-allocated memory) (data 1)
mov ecx,dword ptr ds:[0xEAF768]
call 004362F0 // pre-attack send-packet CALL
push 0xC
push 0x102200A0 (self-allocated memory) (data 2)
mov ecx,dword ptr ds:[0xEAF768]
call 004362F0 // start-attack CALL
------------------------------------------------------------------------------------------------------
Info base addresses
Selected monster ID = [Client.exe+1ED4D50]+FC4
Monster database ID = [selected monster ID*4+022D0D50]+14
Skill list traversal ID = [[23010A4]+skill slot*4+33C]+4C (4 skill slots per row)
Item-bar skill ID = [[544B27C]+item-bar slot*4+33C]+4C
X coordinate = [Client.exe+1ED4D50]+1118
Y coordinate = [Client.exe+1ED4D50]+1120
Z coordinate = not needed
--------------------------------------------------------------------------------------------------------
Key data
Data (1)
0A 00 09 00 14 00 41 27 45 00 7A AE 01 00 7E 6B
52 C3 00 00 70 41 27 CA 14 C4 00 00 00 00 00 00
Data (2)
3C 27 25 00 06 00 3C 27 7E 00 00 00 00 00 00 00
Data (2) appendix (corresponding skill table)
CA CB CC
CE CF D0
D1 2C01 2D01
2E01 2F01 3001
3101 3201 3301
3401 3501 3601
Corresponds to the level 10 to level 97 skills
------------------------------------------------------------------
=========================================================
Use bag item CALL
0055B309 E8 E2AFEDFF call client.004362F0 // use bag item CALL
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Call
push 0x1A
push 0x001E0000
mov ecx,dword ptr ds:[0xEAF768]
call 004362F0
----------------------------------------------------------------------------
Key data
00 00 3A 00 14 00 01 17 00 00 2D DC 14 3C 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
============================================================
Use martial-art CALL (light-step skill, send packet)
---------------------------------------------------------------------------------------------------
005B33FD | E8 EE2EE8FF | call client.4362F0 |
-------------------------------------------------------------------------------------------------------------------------
CALL
push 0x1E
push ecx
mov ecx,dword ptr ds:[0xEAF768]
call client.4362F0
-----------------------------------------------------------------------------------------------------------------------
Key data
00 00 3C 00 18 00 0D 2C 09 00 00 00 00 00 00 00
========================================================================
Close window CALL
-----------------------------------------------------------------------------------------------------------------------
00533029 | E8 E2020000 | call client.533310 |
-----------------------------------------------------------------------------------------------------------------------
Call
mov ecx,[22D1F88]
call 533310
========================================================================
Meditate (sit) Call
-----------------------------------------------------------------------------------------------------------------------
00567681 | E8 4AAB0400 | call client.5B21D0 |
-----------------------------------------------------------------------------------------------------------------------
Call
mov ecx,[22D0E00]
call 5B21D0
========================================================================
NOP (6 bytes)
======================================================================================================
Summon pet CALL
======================================================================================================
0059AE57 | E8 14000000 | call client.59AE70 |
======================================================================================================
Call
mov ecx,[22D0E00]
call 59AE70
======================================================================================================
Use skill CALL (send packet)
--------------------------------------------------------------------------------------
004599DA | 0FBF8D E8D7FFFF | movsx ecx,word ptr ss:[ebp-0x2818] |
004599E1 | 83C1 06 | add ecx,0x6 |
004599E4 | 8D95 E4D7FFFF | lea edx,dword ptr ss:[ebp-0x281C] |
004599EA | 51 | push ecx |
004599EB | 8B0D 68F7EA00 | mov ecx,dword ptr ds:[0xEAF768] |
004599F1 | 52 | push edx |
004599F2 | E8 F9C8FDFF | call <client.sub_4362F0> | // use-skill CALL
--------------------------------------------------------------------------------------
Call
push 0x1A
push <self-allocated memory address>
mov ecx, dword ptr ds:[0x00EAF768]
call 0x004362F0
--------------------------------------------------------------------------------------
Key data
0A 00 09 00 14 00 0A 00 44 00 37 A6 07 00 81 4D
F9 C3 00 00 70 41 16 CB 65 C3 00 00 00 00 00 00
===============================================================
Party invite Call (send packet)
------------------------------------------------------------------------------------------------------------
005B240C | A0 82B34405 | mov al,byte ptr ds:[0x544B382] |
005B2411 | 3AC3 | cmp al,bl |
005B2413 | 66:898D 02D8FFFF | mov word ptr ss:[ebp-0x27FE],cx |
005B241A | 66:C785 FCD7FFFF 0600 | mov word ptr ss:[ebp-0x2804],0x6 |
005B2423 | 75 23 | jne client.5B2448 |
005B2425 | 381D 81B34405 | cmp byte ptr ds:[0x544B381],bl |
005B242B | 75 1B | jne client.5B2448 |
005B242D | 8D8D F8D7FFFF | lea ecx,dword ptr ss:[ebp-0x2808] |
005B2433 | 6A 20 | push 0x20 |
005B2435 | 51 | push ecx |
005B2436 | 8B0D 68F7EA00 | mov ecx,dword ptr ds:[0xEAF768] |
005B243C | E8 AF3EE8FF | call <client.sub_4362F0> | // party CALL
------------------------------------------------------------------------------------------------------------
Key data
00 00 30 00 06 00 01 00 01 00 0B 00 00 00 00 00
------------------------------------------------------------------------------------------------------------
Call
push 0x20
push <self-allocated memory>
mov ecx, dword ptr ds:[0xEAF768]
call 0x4362F0
==================================================================
Party accept (send packet), plus the invite reply
-----------------------------------------------------------------------------------------------------------
005C4677 | 50 | push eax |
005C4678 | EB 77 | jmp client.5C46F1 |
005C467A | 83F9 62 | cmp ecx,0x62 | 62:'b'
005C467D | 0F85 85000000 | jne client.5C4708 |
005C4683 | 83B8 F4020000 01 | cmp dword ptr ds:[eax+0x2F4],0x1 |
005C468A | 0F85 6C050000 | jne client.5C4BFC |
005C4690 | B9 000A0000 | mov ecx,0xA00 |
005C4695 | 33C0 | xor eax,eax |
005C4697 | 8DBD 52D7FFFF | lea edi,dword ptr ss:[ebp-0x28AE] |
005C469D | 66:C785 4CD7FFFF 0000 | mov word ptr ss:[ebp-0x28B4],0x0 |
005C46A6 | F3:AB | rep stosd |
005C46A8 | 66:8B8B 4C020000 | mov cx,word ptr ds:[ebx+0x24C] |
005C46AF | B8 01000000 | mov eax,0x1 |
005C46B4 | 66:8985 52D7FFFF | mov word ptr ss:[ebp-0x28AE],ax |
005C46BB | 66:8985 54D7FFFF | mov word ptr ss:[ebp-0x28AC],ax |
005C46C2 | A0 82B34405 | mov al,byte ptr ds:[0x544B382] |
005C46C7 | 66:C785 4ED7FFFF 3400 | mov word ptr ss:[ebp-0x28B2],0x34 | 34:'4'
005C46D0 | 84C0 | test al,al |
005C46D2 | 66:898D 56D7FFFF | mov word ptr ss:[ebp-0x28AA],cx |
005C46D9 | 66:C785 50D7FFFF 0600 | mov word ptr ss:[ebp-0x28B0],0x6 |
005C46E2 | 0F85 14050000 | jne client.5C4BFC |
005C46E8 | 8D95 4CD7FFFF | lea edx,dword ptr ss:[ebp-0x28B4] |
005C46EE | 6A 0C | push 0xC |
005C46F0 | 52 | push edx | // accept path
005C46F1 | 8B0D 68F7EA00 | mov ecx,dword ptr ds:[0xEAF768] |
005C46F7 | E8 F41BE7FF | call <client.sub_4362F0> | // accept-party CALL
005C46FC | C605 82B34405 01 | mov byte ptr ds:[0x544B382],0x1 |
005C4703 | E9 F4040000 | jmp client.5C4BFC |
005C4708 | 83F9 63 | cmp ecx,0x63 | 63:'c'
005C470B | 0F85 EB040000 | jne client.5C4BFC |
005C4711 | 83B8 F4020000 01 | cmp dword ptr ds:[eax+0x2F4],0x1 |
005C4718 | 0F85 DE040000 | jne client.5C4BFC |
005C471E | B9 000A0000 | mov ecx,0xA00 |
005C4723 | 33C0 | xor eax,eax |
005C4725 | 8DBD 52D7FFFF | lea edi,dword ptr ss:[ebp-0x28AE] |
005C472B | 66:C785 4CD7FFFF 0000 | mov word ptr ss:[ebp-0x28B4],0x0 |
005C4734 | F3:AB | rep stosd |
005C4736 | 66:8B83 4C020000 | mov ax,word ptr ds:[ebx+0x24C] |
005C473D | 66:C785 4ED7FFFF 3400 | mov word ptr ss:[ebp-0x28B2],0x34 | 34:'4'
005C4746 | 66:8985 56D7FFFF | mov word ptr ss:[ebp-0x28AA],ax |
005C474D | A0 82B34405 | mov al,byte ptr ds:[0x544B382] |
005C4752 | 84C0 | test al,al |
005C4754 | 66:C785 52D7FFFF 0100 | mov word ptr ss:[ebp-0x28AE],0x1 |
005C475D | 66:C785 54D7FFFF 0200 | mov word ptr ss:[ebp-0x28AC],0x2 |
005C4766 | 66:C785 50D7FFFF 0600 | mov word ptr ss:[ebp-0x28B0],0x6 |
005C476F | 0F85 87040000 | jne client.5C4BFC |
005C4775 | 8D8D 4CD7FFFF | lea ecx,dword ptr ss:[ebp-0x28B4] |
005C477B | 6A 0C | push 0xC |
005C477D | 51 | push ecx | // reject path
005C477E | E9 6EFFFFFF | jmp client.5C46F1 |
---------------------------------------------------------------------------------------------
Key data
00 00 34 00 06 00 01 00 01 00 0B 00 00 00 00 00   accept, push 0xC
00 00 34 00 06 00 01 00 02 00 0B 00 00 00 00 00   reject, push 0xC
00 00 32 00 04 00 01 00 0A 00 00 00 00 00 00 00   invite reply, push 0xA
----------------------------------------------------------------------------------------------
CALL
push 0xC (depends on the case, see above)
push <self-allocated memory>
mov ecx,dword ptr ds:[0xEAF768]
call <client.sub_4362F0>
=================================================================
Party leader assignment (send packet)
---------------------------------------------------------------------------------------------------
005B7FB8 | 81FF 80B34405 | cmp edi,client.544B380 |
005B7FBE | 7C D2 | jl client.5B7F92 |
005B7FC0 | 66:898D FCD7FFFF | mov word ptr ss:[ebp-0x2804],cx |
005B7FC7 | 83C1 06 | add ecx,0x6 |
005B7FCA | 8D85 F8D7FFFF | lea eax,dword ptr ss:[ebp-0x2808] |
005B7FD0 | 51 | push ecx |
005B7FD1 | 8B0D 68F7EA00 | mov ecx,dword ptr ds:[0xEAF768] |
005B7FD7 | 50 | push eax |
005B7FD8 | E8 13E3E7FF | call <client.sub_4362F0> |
--------------------------------------------------------------------------------------------------
Key data
00 00 28 00 12 00 01 00 0B 00 B5 D8 B7 BD CE EF
C8 A8 B7 A8 00 00 00 00 00 00 00 00 00 00 00 00
---------------------------------------------------------------------------------------------------
CALL
push 0x18
push <self-allocated memory>
mov ecx, dword ptr ds:[0x00EAF768]
call 0x004362F0
==============================================================
Pick up item (send packet)
---------------------------------------------------------------------------------------------------------
00434DE6 | E8 05150000 | call <client.sub_4362F0> |
----------------------------------------------------------------------------------------------------------
Key data
00 00 0B 00 08 00 1C 35 00 00 00 00 00 00 00 00
----------------------------------------------------------------------------------------------------------
CALL
push 0xE
push <self-allocated memory>
mov ecx, dword ptr ds:[0x00EAF768]
call 0x004362F0
=============================================================
Use 土灵符 (earth-spirit talisman) Call (send packet)
-----------------------------------------------------------------------------------------------------------------------
005DAAAC | 66:8B86 18040000 | mov ax,word ptr ds:[esi+0x418] |
005DAAB3 | 66:8996 46020000 | mov word ptr ds:[esi+0x246],dx |
005DAABA | 66:C785 7AD7FFFF 0510 | mov word ptr ss:[ebp-0x2886],0x1005 |
005DAAC3 | 66:8985 7ED7FFFF | mov word ptr ss:[ebp-0x2882],ax |
005DAACA | 66:8995 80D7FFFF | mov word ptr ss:[ebp-0x2880],dx |
005DAAD1 | 66:C785 7CD7FFFF 0400 | mov word ptr ss:[ebp-0x2884],0x4 |
005DAADA | 6A 0A | push 0xA |
005DAADC | 8D8D 78D7FFFF | lea ecx,dword ptr ss:[ebp-0x2888] |
005DAAE2 | 51 | push ecx |
005DAAE3 | 8B0D 68F7EA00 | mov ecx,dword ptr ds:[0xEAF768] |
005DAAE9 | E8 02B8E5FF | call <client.sub_4362F0> |
-------------------------------------------------------------------------------------------------------------
Key data
00 00 05 10 04 00 06 00 0B 00 00 00 00 00 00 00
--------------------------------------------------------------------------------------------------------
Save slot 1 == 0A
Save slot 2 == 0B
Save slot 3 == 0C
Save slot 4 == 0D
Save slot 5 == 0E
Save slot 6 == 0F
Save slot 7 == 10
Save slot 8 == 11
Save slot 9 == 12
Save slot 0 == 13
--------------------------------------------------------------------------------------------------------
Call
push 0xA
push ecx
mov ecx, dword ptr ds:[0x00EAF768]
call 0x004362F0
==============================================================
热血江湖 login
==============================================================
Account/password login memory
-----------------------------------------------------------------------------------------------
Account display = [EB0760]
Input field memory = [22D0D54]+13C
Account memory storage location = [22D0D84]+214
Password memory storage location = [22D0D84]+49C
----------------------------------------------------------------
Character login call
=================================================================
Requires ebx==[0x05469200], eax==character index, [0544C604]==character index
005E6ED4 - 8D 8B 04020000 - lea ecx,[ebx+00000204]
005E6EDA - 8D 14 C0 - lea edx,[eax+eax*8]
005E6EDD - 8D 04 D5 40C44405 - lea eax,[edx*8+0544C440]
005E6EE4 - 8B 14 D5 40C44405 - mov edx,[edx*8+0544C440]
005E6EEB - 89 11 - mov [ecx],edx
005E6EED - 8B 50 04 - mov edx,[eax+04]
005E6EF0 - 89 51 04 - mov [ecx+04],edx
005E6EF3 - 8B 50 08 - mov edx,[eax+08]
005E6EF6 - 89 51 08 - mov [ecx+08],edx
005E6EF9 - 66 8B 50 0C - mov dx,[eax+0C]
005E6EFD - 66 89 51 0C - mov [ecx+0C],dx
005E6F01 - 8A 40 0E - mov al,[eax+0E]
005E6F04 - 88 41 0E - mov [ecx+0E],al
005E6F07 - A1 04C64405 - mov eax,[0544C604] // the memory value is the character index 0,1,2,3
005E6F0C - 8D 0C C0 - lea ecx,[eax+eax*8]
005E6F0F - 0FBE 14 CD 72C44405 - movsx edx,byte ptr [ecx*8+0544C472]
005E6F17 - 89 15 00C64405 - mov [0544C600],edx
005E6F1D - C7 83 10040000 01000000 - mov [ebx+00000410],00000001
005E6F27 - C7 83 14040000 00000000 - mov [ebx+00000414],00000000
-----------------------------------------------------------------------------------------------------
Index location = [0544C604]
---------------------------------------------------------------------------------------------------
CALL
mov ebx,[0x05469200]
mov eax,0 (character index)
mov dword ptr ds:[0x0544C604],eax
lea ecx, ds:[ebx+0x204]
lea edx, ds:[eax+eax*8]
lea eax, ds:[edx*8+0x544C440]
mov edx, dword ptr ds:[edx*8+0x544C440]
mov dword ptr ds:[ecx], edx
mov edx, dword ptr ds:[eax+0x4]
mov dword ptr ds:[ecx+0x4], edx
mov edx, dword ptr ds:[eax+0x8]
mov dword ptr ds:[ecx+0x8], edx
mov dx, word ptr ds:[eax+0xC]
mov word ptr ds:[ecx+0xC], dx
mov al, byte ptr ds:[eax+0xE]
mov byte ptr ds:[ecx+0xE], al
mov eax, dword ptr ds:[0x0544C604]
lea ecx, ds:[eax+eax*8]
movsx edx, byte ptr ds:[ecx*8+0x544C472]
mov dword ptr ds:[0x0544C600],edx
mov dword ptr ds:[ebx+0x410], 0x1
mov dword ptr ds:[ebx+0x414], 0x0
Machine code bytes (decimal) from the start line "lea ecx, ds:[ebx+0x204]" through the end line "mov dword ptr ds:[ebx+0x414], 0x0":
{141,139,4,2,0,0,141,20,192,141,4,213,64,196,68,5,139,20,213,64,196,68,5,137,17,139,80,4,137,81,4,139,80,8,137,81,8,102,139,80,12,102,137,81,12,138,64,14,136,65,14,161,4,198,68,5,141,12,192,15,190,20,205,114,196,68,5,137,21,0,198,68,5,199,131,16,4,0,0,1,0,0,0,199,131,20,4,0,0,0,0,0,0}
===============================================================
2.0 5.0 8.0
Character login screen signatures
The eight asterisk positions hold the base address of the selected character:
8B**6A006A016A02FF**04A1********3DFFFF0000
Change the two jne to je (goes straight into the game loading screen):
4683C70483C1**83FE04
===============================================================
send packet: login with account/password
-------------------------------------------------------------------------------------------------------
00000000000000000000000000000000
-----------------------------------------------------------------------------------------------------------
Note: sending packets requires socket support.
PS: the account and password are in text-converted-to-hex format.
=====================================================================
send packet: line selection
-------------------------------------------------------------------------------------------------------------
0C800900010000000100000001
----------------------------------------------------------------------------------------------------------------
PS: guess about the encryption: probably once the encryption file is swapped in and the line-selection packet has been sent, the packets sent automatically afterwards are encrypted.
=====================================================================
Send packet: character soft logout
--------------------------------------------------------------------------------------------------
AA550F00012C015600000000000000000
======================================
Comments section