 已绑定手机
|
尘。
2014-12-26 13:53:16
|
显示全部楼层
|阅读模式
昨天大号因为刷道具被封在等解封有点无聊,闲着没事干有种想写分析帖子的感觉,就写一个吧
因为我是64位系统,我之前用的能过HS的OD不能用,开虚拟机又感觉比较卡不舒服,所以就用一个脱机版的跑跑来写开发教材了,找法网络版本也适用
小打小闹,大手就不要笑话我了
游戏有两个道具槽,在漂移过程中可以获得加速器,那么本地肯定有一个对应的call用于获取这个加速器的.
但是手里没有任何参考资料,那就只能先模糊化搜索了,用CE搜改变,搜有加速器和没加速器的改变.(苦力活而已)
有些人估计会习惯于搜1搜0,但是经过我测试是不行的,不信的可以自己搜搜看
地址搜出来了,是29C4773C有加速器的时候是6.那么我们猜测这个6可能是加速器这个道具的代码
查找修改这个地址的代码.
007C2A46 - E8 054CC5FF - call 00417650
007C2A4B - 8B 45 98 - mov eax,[ebp-68]
007C2A4E - C6 80 66010000 00 - mov byte ptr [eax+00000166],00 <<
007C2A55 - 8D 4D F4 - lea ecx,[ebp-0C]
007C2A58 - E8 F34BC5FF - call 00417650
EAX=29C475D8
EBX=002BD397
ECX=355157F8
EDX=00003111
ESI=0DA73460
EDI=00EA6C78
ESP=0018ED64
EBP=0018EDD0
EIP=007C2A55
007C2690 55 push ebp
007C2691 8BEC mov ebp,esp
007C2693 83EC 6C sub esp,0x6C
007C2696 894D 98 mov dword ptr ss:[ebp-0x68],ecx
007C2699 8B45 98 mov eax,dword ptr ss:[ebp-0x68]
007C269C 0FB688 6C010000 movzx ecx,byte ptr ds:[eax+0x16C]
007C26A3 85C9 test ecx,ecx
007C26A5 0F84 D0030000 je KartRide.007C2A7B
007C26AB 8B55 98 mov edx,dword ptr ss:[ebp-0x68]
007C26AE 0FB782 64010000 movzx eax,word ptr ds:[edx+0x164]
007C26B5 0FB74D 08 movzx ecx,word ptr ss:[ebp+0x8]
007C26B9 3BC1 cmp eax,ecx
007C26BB 0F84 BA030000 je KartRide.007C2A7B
007C26C1 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C26C4 81C1 60010000 add ecx,0x160
007C26CA E8 A161F5FF call KartRide.00718870
007C26*F 83F8 FF cmp eax,-0x1
007C26D2 0F84 95030000 je KartRide.007C2A6D
007C26D8 0FB755 08 movzx edx,word ptr ss:[ebp+0x8]
007C26DC 81FA FFFF0000 cmp edx,0xFFFF
007C26E2 0F85 60010000 jnz KartRide.007C2848
007C26E8 8B45 98 mov eax,dword ptr ss:[ebp-0x68]
007C26EB 0FB688 66010000 movzx ecx,byte ptr ds:[eax+0x166]
007C26F2 85C9 test ecx,ecx
007C26F4 0F84 32010000 je KartRide.007C282C
007C26FA 6A 01 push 0x1
007C26FC 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C26FF 81C1 60010000 add ecx,0x160
007C2705 E8 96351A00 call KartRide.00965CA0
007C270A 8BC8 mov ecx,eax
007C270C E8 7F98D7FF call KartRide.0053BF90
007C2711 68 4C26C900 push KartRide.00C9264C ; UNICODE "ctrl"
007C2716 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
007C2719 E8 026FC5FF call KartRide.00419620
007C271E 8D55 E8 lea edx,dword ptr ss:[ebp-0x18]
007C2721 52 push edx
007C2722 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
007C2725 50 push eax
007C2726 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C2729 81C1 60010000 add ecx,0x160
007C272F E8 6C351A00 call KartRide.00965CA0
007C2734 8BC8 mov ecx,eax
007C2736 E8 6597D3FF call KartRide.004FBEA0
007C273B 50 push eax
007C273C 8D4D FC lea ecx,dword ptr ss:[ebp-0x4]
007C273F 51 push ecx
007C2740 E8 8B96D3FF call KartRide.004FBDD0
007C2745 83C4 08 add esp,0x8
007C2748 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
007C274B E8 4029E6FF call KartRide.00625090
007C2750 8D4D E8 lea ecx,dword ptr ss:[ebp-0x18]
007C2753 E8 F84EC5FF call KartRide.00417650
007C2758 68 A064D800 push KartRide.00D864A0
007C275D 8D4D FC lea ecx,dword ptr ss:[ebp-0x4]
007C2760 E8 3B351A00 call KartRide.00965CA0
007C2765 8BC8 mov ecx,eax
007C2767 E8 D497D3FF call KartRide.004FBF40
007C276C 68 6005C800 push KartRide.00C80560 ; UNICODE "itemName"
007C2771 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
007C2774 E8 A76EC5FF call KartRide.00419620
007C2779 68 B48BC700 push KartRide.00C78BB4 ; UNICODE "first"
007C277E 8D55 E0 lea edx,dword ptr ss:[ebp-0x20]
007C2781 52 push edx
007C2782 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C2785 81C1 5C010000 add ecx,0x15C
007C278B E8 10351A00 call KartRide.00965CA0
007C2790 8BC8 mov ecx,eax
007C2792 E8 392A3400 call KartRide.00B051D0
007C2797 50 push eax
007C2798 8D45 DC lea eax,dword ptr ss:[ebp-0x24]
007C279B 50 push eax
007C279C 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C279F 81C1 60010000 add ecx,0x160
007C27A5 51 push ecx
007C27A6 8BD4 mov edx,esp
007C27A8 51 push ecx
007C27A9 8BCA mov ecx,edx
007C27AB E8 3064FBFF call KartRide.00778BE0
007C27B0 E8 3B3DDAFF call KartRide.005664F0
007C27B5 83C4 0C add esp,0xC
007C27B8 8D4D E0 lea ecx,dword ptr ss:[ebp-0x20]
007C27BB E8 904EC5FF call KartRide.00417650
007C27C0 8D4D DC lea ecx,dword ptr ss:[ebp-0x24]
007C27C3 E8 884EC5FF call KartRide.00417650
007C27C8 68 4C05C800 push KartRide.00C8054C ; UNICODE "itemDesc"
007C27CD 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
007C27D0 E8 4B6EC5FF call KartRide.00419620
007C27D5 68 3426C900 push KartRide.00C92634 ; UNICODE "first_desc"
007C27DA 8D45 D4 lea eax,dword ptr ss:[ebp-0x2C]
007C27DD 50 push eax
007C27DE 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C27E1 81C1 5C010000 add ecx,0x15C
007C27E7 E8 B4341A00 call KartRide.00965CA0
007C27EC 8BC8 mov ecx,eax
007C27EE E8 DD293400 call KartRide.00B051D0
007C27F3 50 push eax
007C27F4 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
007C27F7 51 push ecx
007C27F8 8B55 98 mov edx,dword ptr ss:[ebp-0x68]
007C27FB 81C2 60010000 add edx,0x160
007C2801 51 push ecx
007C2802 8BCC mov ecx,esp
007C2804 52 push edx
007C2805 E8 D663FBFF call KartRide.00778BE0
007C280A E8 E13CDAFF call KartRide.005664F0
007C280F 83C4 0C add esp,0xC
007C2812 8D4D D4 lea ecx,dword ptr ss:[ebp-0x2C]
007C2815 E8 364EC5FF call KartRide.00417650
007C281A 8D4D D0 lea ecx,dword ptr ss:[ebp-0x30]
007C281D E8 2E4EC5FF call KartRide.00417650
007C2822 8D4D FC lea ecx,dword ptr ss:[ebp-0x4]
007C2825 E8 6628E6FF call KartRide.00625090
007C282A EB 17 jmp short KartRide.007C2843
007C282C 6A 00 push 0x0
007C282E 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C2831 81C1 60010000 add ecx,0x160
007C2837 E8 64341A00 call KartRide.00965CA0
007C283C 8BC8 mov ecx,eax
007C283E E8 4D97D7FF call KartRide.0053BF90
007C2843 E9 25020000 jmp KartRide.007C2A6D
007C2848 0FB745 08 movzx eax,word ptr ss:[ebp+0x8]
007C284C 83F8 68 cmp eax,0x68
007C284F 0F8D 18020000 jge KartRide.007C2A6D
007C2855 6A 01 push 0x1
007C2857 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C285A 81C1 60010000 add ecx,0x160
007C2860 E8 3B341A00 call KartRide.00965CA0
007C2865 8BC8 mov ecx,eax
007C2867 E8 2497D7FF call KartRide.0053BF90
007C286C 68 2026C900 push KartRide.00C92620 ; UNICODE "itemIcon"
007C2871 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
007C2874 E8 A76DC5FF call KartRide.00419620
007C2879 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
007C287C 51 push ecx
007C287D 8D55 EC lea edx,dword ptr ss:[ebp-0x14]
007C2880 52 push edx
007C2881 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C2884 81C1 60010000 add ecx,0x160
007C288A E8 11341A00 call KartRide.00965CA0
007C288F 8BC8 mov ecx,eax
007C2891 E8 0A96D3FF call KartRide.004FBEA0
007C2896 8D4D C8 lea ecx,dword ptr ss:[ebp-0x38]
007C2899 E8 B24DC5FF call KartRide.00417650
007C289E 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
007C28A1 E8 FA331A00 call KartRide.00965CA0
007C28A6 8945 94 mov dword ptr ss:[ebp-0x6C],eax
007C28A9 51 push ecx
007C28AA 8BC4 mov eax,esp
007C28AC 0FB74D 08 movzx ecx,word ptr ss:[ebp+0x8]
007C28B0 51 push ecx
007C28B1 50 push eax
007C28B2 6A 00 push 0x0
007C28B4 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C28B7 83C1 74 add ecx,0x74
007C28BA E8 7166E1FF call KartRide.005D8F30
007C28BF 8BC8 mov ecx,eax
007C28C1 E8 DA331A00 call KartRide.00965CA0
007C28C6 8BC8 mov ecx,eax
007C28C8 E8 53472400 call KartRide.00A07020
007C28CD 8B55 94 mov edx,dword ptr ss:[ebp-0x6C]
007C28D0 8B02 mov eax,dword ptr ds:[edx]
007C28D2 8B4D 94 mov ecx,dword ptr ss:[ebp-0x6C]
007C28D5 8B50 50 mov edx,dword ptr ds:[eax+0x50]
007C28D8 FFD2 call edx
007C28DA 0FB745 08 movzx eax,word ptr ss:[ebp+0x8]
007C28DE 50 push eax
007C28DF B9 A464D800 mov ecx,KartRide.00D864A4
007C28E4 E8 6767C5FF call KartRide.00419050
007C28E9 8BC8 mov ecx,eax
007C28EB E8 5031D0FF call KartRide.004C5A40
007C28F0 8845 FB mov byte ptr ss:[ebp-0x5],al
007C28F3 68 4C26C900 push KartRide.00C9264C ; UNICODE "ctrl"
007C28F8 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
007C28FB E8 206DC5FF call KartRide.00419620
007C2900 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
007C2903 51 push ecx
007C2904 8D55 BC lea edx,dword ptr ss:[ebp-0x44]
007C2907 52 push edx
007C2908 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C290B 81C1 60010000 add ecx,0x160
007C2911 E8 8A331A00 call KartRide.00965CA0
007C2916 8BC8 mov ecx,eax
007C2918 E8 8395D3FF call KartRide.004FBEA0
007C291D 50 push eax
007C291E 8D45 F0 lea eax,dword ptr ss:[ebp-0x10]
007C2921 50 push eax
007C2922 E8 A994D3FF call KartRide.004FBDD0
007C2927 83C4 08 add esp,0x8
007C292A 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]
007C292D E8 5E27E6FF call KartRide.00625090
007C2932 8D4D C0 lea ecx,dword ptr ss:[ebp-0x40]
007C2935 E8 164DC5FF call KartRide.00417650
007C293A 0FB64D FB movzx ecx,byte ptr ss:[ebp-0x5]
007C293E 51 push ecx
007C293F 8D55 B8 lea edx,dword ptr ss:[ebp-0x48]
007C2942 52 push edx
007C2943 E8 F83E3300 call KartRide.00AF6840
007C2948 83C4 08 add esp,0x8
007C294B 50 push eax
007C294C 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
007C294F E8 4C331A00 call KartRide.00965CA0
007C2954 8BC8 mov ecx,eax
007C2956 E8 E595D3FF call KartRide.004FBF40
007C295B 8D4D B8 lea ecx,dword ptr ss:[ebp-0x48]
007C295E E8 ED4CC5FF call KartRide.00417650
007C2963 0FB745 08 movzx eax,word ptr ss:[ebp+0x8]
007C2967 50 push eax
007C2968 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
007C296B 51 push ecx
007C296C B9 A464D800 mov ecx,KartRide.00D864A4
007C2971 E8 DA66C5FF call KartRide.00419050
007C2976 8BC8 mov ecx,eax
007C2978 E8 D3FF*FFF call KartRide.004C2950
007C297D 68 6005C800 push KartRide.00C80560 ; UNICODE "itemName"
007C2982 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
007C2985 E8 966CC5FF call KartRide.00419620
007C298A 8D55 F4 lea edx,dword ptr ss:[ebp-0xC]
007C298D 52 push edx
007C298E 8D45 B4 lea eax,dword ptr ss:[ebp-0x4C]
007C2991 50 push eax
007C2992 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C2995 81C1 5C010000 add ecx,0x15C
007C299B E8 00331A00 call KartRide.00965CA0
007C29A0 8BC8 mov ecx,eax
007C29A2 E8 E9283400 call KartRide.00B05290
007C29A7 50 push eax
007C29A8 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
007C29AB 51 push ecx
007C29AC 8B55 98 mov edx,dword ptr ss:[ebp-0x68]
007C29AF 81C2 60010000 add edx,0x160
007C29B5 51 push ecx
007C29B6 8BCC mov ecx,esp
007C29B8 52 push edx
007C29B9 E8 2262FBFF call KartRide.00778BE0
007C29BE E8 2D3BDAFF call KartRide.005664F0
007C29C3 83C4 0C add esp,0xC
007C29C6 8D4D B4 lea ecx,dword ptr ss:[ebp-0x4C]
007C29C9 E8 824CC5FF call KartRide.00417650
007C29CE 8D4D B0 lea ecx,dword ptr ss:[ebp-0x50]
007C29D1 E8 7A4CC5FF call KartRide.00417650
007C29D6 68 4C05C800 push KartRide.00C8054C ; UNICODE "itemDesc"
007C29DB 8D4D A0 lea ecx,dword ptr ss:[ebp-0x60]
007C29DE E8 3D6CC5FF call KartRide.00419620
007C29E3 68 1426C900 push KartRide.00C92614 ; UNICODE "_desc"
007C29E8 8D45 F4 lea eax,dword ptr ss:[ebp-0xC]
007C29EB 50 push eax
007C29EC 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
007C29EF 51 push ecx
007C29F0 E8 0BB4C8FF call KartRide.0044DE00
007C29F5 83C4 0C add esp,0xC
007C29F8 50 push eax
007C29F9 8D55 A4 lea edx,dword ptr ss:[ebp-0x5C]
007C29FC 52 push edx
007C29FD 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C2A00 81C1 5C010000 add ecx,0x15C
007C2A06 E8 95321A00 call KartRide.00965CA0
007C2A0B 8BC8 mov ecx,eax
007C2A0D E8 7E283400 call KartRide.00B05290
007C2A12 50 push eax
007C2A13 8D45 A0 lea eax,dword ptr ss:[ebp-0x60]
007C2A16 50 push eax
007C2A17 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C2A1A 81C1 60010000 add ecx,0x160
007C2A20 51 push ecx
007C2A21 8BD4 mov edx,esp
007C2A23 51 push ecx
007C2A24 8BCA mov ecx,edx
007C2A26 E8 B561FBFF call KartRide.00778BE0
007C2A2B E8 C03ADAFF call KartRide.005664F0
007C2A30 83C4 0C add esp,0xC
007C2A33 8D4D A4 lea ecx,dword ptr ss:[ebp-0x5C]
007C2A36 E8 154CC5FF call KartRide.00417650
007C2A3B 8D4D A8 lea ecx,dword ptr ss:[ebp-0x58]
007C2A3E E8 0D4CC5FF call KartRide.00417650
007C2A43 8D4D A0 lea ecx,dword ptr ss:[ebp-0x60]
007C2A46 E8 054CC5FF call KartRide.00417650
007C2A4B 8B45 98 mov eax,dword ptr ss:[ebp-0x68]
007C2A4E C680 66010000 0>mov byte ptr ds:[eax+0x166],0x0
007C2A55 8D4D F4 lea ecx,dword ptr ss:[ebp-0xC]
007C2A58 E8 F34BC5FF call KartRide.00417650
007C2A5D 8D4D F0 lea ecx,dword ptr ss:[ebp-0x10]
007C2A60 E8 2B26E6FF call KartRide.00625090
007C2A65 8D4D EC lea ecx,dword ptr ss:[ebp-0x14]
007C2A68 E8 2326E6FF call KartRide.00625090
007C2A6D 8B4D 98 mov ecx,dword ptr ss:[ebp-0x68]
007C2A70 66:8B55 08 mov dx,word ptr ss:[ebp+0x8]
007C2A74 66:8991 6401000>mov word ptr ds:[ecx+0x164],dx
007C2A7B 8BE5 mov esp,ebp
007C2A7D 5D pop ebp
007C2A7E C2 0400 retn 0x4
007C2A4E - C6 80 66010000 00 - mov byte ptr [eax+00000166],00 <<
这行代码猜测只是修改一个标识符而已,真正的call估计会在这整个函数内
在函数头部下断,发现直接就被触发了.那么换个思路,在007C2A4E下断看看
发现之后在获得加速的时候触发.Ctrl+F9回到函数尾部,单步一下回到上层函数
00843F2B 0FB7C8 movzx ecx,ax
00843F2E 51 push ecx
00843F2F 8B4D F8 mov ecx,dword ptr ss:[ebp-0x8]
00843F32 E8 59E7F7FF call KartRide.007C2690
00843F37 6A 00 push 0x0
断在这.但是一直被触发.只有一个参数.push ecx ecx==6.看起来应该是对的.可惜一直被触发,那么这里如果一直被调用为何不会一直获得加速呢.那么我们还是往上层看看
我们上面猜测6是加速器的代码.那么可以猜测那个call估计有一个参数是6.这个函数没有,我们往上一层.
00846720 55 push ebp
00846721 8BEC mov ebp,esp
00846723 83EC 3C sub esp,0x3C
00846726 894D D0 mov dword ptr ss:[ebp-0x30],ecx
00846729 8B45 08 mov eax,dword ptr ss:[ebp+0x8]
0084672C 50 push eax
0084672D 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
00846730 E8 EBD0F8FF call KartRide.007D3820
00846735 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
00846738 E8 131EF9FF call KartRide.007D8550
0084673D 8945 FC mov dword ptr ss:[ebp-0x4],eax
00846740 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
00846743 81C1 80010000 add ecx,0x180
00846749 E8 52F51100 call KartRide.00965CA0
0084674E 50 push eax
0084674F 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
00846752 51 push ecx
00846753 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
00846756 E8 3598F7FF call KartRide.007BFF90
0084675B 8B55 D0 mov edx,dword ptr ss:[ebp-0x30]
0084675E 83BA D8070000 0>cmp dword ptr ds:[edx+0x7D8],0x2
00846765 0F85 BA000000 jnz KartRide.00846825
0084676B C745 F8 0000000>mov dword ptr ss:[ebp-0x8],0x0
00846772 8B45 D0 mov eax,dword ptr ss:[ebp-0x30]
00846775 83B8 DC070000 0>cmp dword ptr ds:[eax+0x7DC],0x0
0084677C 74 51 je short KartRide.008467*F
0084677E 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
00846781 81C1 C0070000 add ecx,0x7C0
00846787 E8 146FBDFF call KartRide.0041D6A0
0084678C 85C0 test eax,eax
0084678E 74 13 je short KartRide.008467A3
00846790 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
00846793 81C1 C0070000 add ecx,0x7C0
00846799 E8 026FBDFF call KartRide.0041D6A0
0084679E 8945 F8 mov dword ptr ss:[ebp-0x8],eax
008467A1 EB 2C jmp short KartRide.008467*F
008467A3 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
008467A6 8B91 DC070000 mov edx,dword ptr ds:[ecx+0x7DC]
008467AC 3B55 08 cmp edx,dword ptr ss:[ebp+0x8]
008467AF 73 11 jnb short KartRide.008467C2
008467B1 8B45 D0 mov eax,dword ptr ss:[ebp-0x30]
008467B4 8B4D 08 mov ecx,dword ptr ss:[ebp+0x8]
008467B7 2B88 DC070000 sub ecx,dword ptr ds:[eax+0x7DC]
008467BD 894D CC mov dword ptr ss:[ebp-0x34],ecx
008467C0 EB 07 jmp short KartRide.008467C9
008467C2 C745 CC 0000000>mov dword ptr ss:[ebp-0x34],0x0
008467C9 8B55 CC mov edx,dword ptr ss:[ebp-0x34]
008467CC 8955 F8 mov dword ptr ss:[ebp-0x8],edx
008467*F 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
008467D2 81C1 80010000 add ecx,0x180
008467D8 E8 C3F41100 call KartRide.00965CA0
008467DD 50 push eax
008467DE 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
008467E1 81C1 70010000 add ecx,0x170
008467E7 E8 B4F41100 call KartRide.00965CA0
008467EC 8BC8 mov ecx,eax
008467EE E8 CD9FE0FF call KartRide.006507C0
008467F3 50 push eax
008467F4 8B45 F8 mov eax,dword ptr ss:[ebp-0x8]
008467F7 50 push eax
008467F8 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
008467FB 81C1 80010000 add ecx,0x180
00846801 E8 9AF41100 call KartRide.00965CA0
00846806 50 push eax
00846807 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
0084680A 81C1 70010000 add ecx,0x170
00846810 E8 8BF41100 call KartRide.00965CA0
00846815 8BC8 mov ecx,eax
00846817 E8 D49DE0FF call KartRide.006505F0
0084681C 50 push eax
0084681D 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
00846820 E8 BB99F7FF call KartRide.007C01E0
00846825 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
00846828 81C1 80010000 add ecx,0x180
0084682E E8 6DF41100 call KartRide.00965CA0
00846833 8945 E8 mov dword ptr ss:[ebp-0x18],eax
00846836 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00846839 E8 12CAEEFF call KartRide.00733250
0084683E D95D EC fstp dword ptr ss:[ebp-0x14]
00846841 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00846844 E8 570FF5FF call KartRide.007977A0
00846849 D95D F0 fstp dword ptr ss:[ebp-0x10]
0084684C 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
0084684F E8 2C0FF5FF call KartRide.00797780
00846854 D95D F4 fstp dword ptr ss:[ebp-0xC]
00846857 D945 F0 fld dword ptr ss:[ebp-0x10]
0084685A D875 EC fdiv dword ptr ss:[ebp-0x14]
0084685D D95D C8 fstp dword ptr ss:[ebp-0x38]
00846860 D945 C8 fld dword ptr ss:[ebp-0x38]
00846863 51 push ecx
00846864 D91C24 fstp dword ptr ss:[esp]
00846867 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
0084686A E8 2186F7FF call KartRide.007BEE90
0084686F 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
00846872 E8 29BCEEFF call KartRide.007324A0
00846877 0FB6C8 movzx ecx,al
0084687A 85C9 test ecx,ecx
0084687C 74 08 je short KartRide.00846886
0084687E 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
00846881 E8 FAB4F7FF call KartRide.007C1D80
00846886 D945 F4 fld dword ptr ss:[ebp-0xC]
00846889 D945 EC fld dword ptr ss:[ebp-0x14]
0084688C DAE9 fucompp
0084688E DFE0 fstsw ax
00846890 F6C4 44 test ah,0x44
00846893 0F8A AC000000 jpe KartRide.00846945
00846899 6A 01 push 0x1
0084689B B9 A6ABE900 mov ecx,KartRide.00E9ABA6
008468A0 E8 6B6EBDFF call KartRide.0041D710
008468A5 8BC8 mov ecx,eax
008468A7 E8 848ADAFF call KartRide.005EF330
008468AC 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
008468AF E8 9CC9EEFF call KartRide.00733250
008468B4 51 push ecx
008468B5 D91C24 fstp dword ptr ss:[esp]
008468B8 8B4D E8 mov ecx,dword ptr ss:[ebp-0x18]
008468BB E8 10CEEDFF call KartRide.007236D0
008468C0 8B55 08 mov edx,dword ptr ss:[ebp+0x8]
008468C3 52 push edx
008468C4 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
008468C7 E8 0486F7FF call KartRide.007BEED0
008468CC 6A 00 push 0x0
008468CE 6A 01 push 0x1
008468D0 6A 06 push 0x6
008468D2 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
008468D5 E8 168DF7FF call KartRide.007BF5F0
008468DA 6A 10 push 0x10
008468DC E8 C77F2700 call KartRide.00ABE8A8
008468E1 83C4 04 add esp,0x4
008468E4 8945 DC mov dword ptr ss:[ebp-0x24],eax
008468E7 837D DC 00 cmp dword ptr ss:[ebp-0x24],0x0
008468EB 74 0D je short KartRide.008468FA
008468ED 8B4D DC mov ecx,dword ptr ss:[ebp-0x24]
008468F0 E8 1BECC2FF call KartRide.00475510
008468F5 8945 C4 mov dword ptr ss:[ebp-0x3C],eax
008468F8 EB 07 jmp short KartRide.00846901
008468FA C745 C4 0000000>mov dword ptr ss:[ebp-0x3C],0x0
00846901 6A 01 push 0x1
00846903 8B45 C4 mov eax,dword ptr ss:[ebp-0x3C]
00846906 50 push eax
00846907 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
0084690A E8 A1BD0700 call KartRide.008C26B0
0084690F 33C9 xor ecx,ecx
00846911 884D D7 mov byte ptr ss:[ebp-0x29],cl
00846914 51 push ecx
00846915 8BCC mov ecx,esp
00846917 0FB655 D7 movzx edx,byte ptr ss:[ebp-0x29]
0084691B 52 push edx
0084691C 8D45 E4 lea eax,dword ptr ss:[ebp-0x1C]
0084691F 50 push eax
00846920 E8 CBED1100 call KartRide.009656F0
00846925 B9 A5ABE900 mov ecx,KartRide.00E9ABA5
0084692A E8 F16DBDFF call KartRide.0041D720
0084692F 8BC8 mov ecx,eax
00846931 E8 BA2CD2FF call KartRide.005695F0
00846936 8BC8 mov ecx,eax
00846938 E8 E3583400 call KartRide.00B8C220
0084693D 8D4D E4 lea ecx,dword ptr ss:[ebp-0x1C]
00846940 E8 4BE7DDFF call KartRide.00625090
00846945 6A 00 push 0x0
00846947 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
0084694A 8B11 mov edx,dword ptr ds:[ecx]
0084694C 8B4D D0 mov ecx,dword ptr ss:[ebp-0x30]
0084694F 8B82 14010000 mov eax,dword ptr ds:[edx+0x114]
00846955 FFD0 call eax
00846957 C745 E0 0000000>mov dword ptr ss:[ebp-0x20],0x0
0084695E EB 09 jmp short KartRide.00846969
00846960 8B4D E0 mov ecx,dword ptr ss:[ebp-0x20]
00846963 83C1 01 add ecx,0x1
00846966 894D E0 mov dword ptr ss:[ebp-0x20],ecx
00846969 8B55 D0 mov edx,dword ptr ss:[ebp-0x30]
0084696C 8B45 E0 mov eax,dword ptr ss:[ebp-0x20]
0084696F 3B82 7C010000 cmp eax,dword ptr ds:[edx+0x17C]
00846975 73 51 jnb short KartRide.008469C8
00846977 8B4D E0 mov ecx,dword ptr ss:[ebp-0x20]
0084697A 8B55 D0 mov edx,dword ptr ss:[ebp-0x30]
0084697D 8D8C8A 80010000 lea ecx,dword ptr ds:[edx+ecx*4+0x180]
00846984 E8 17F31100 call KartRide.00965CA0
00846989 8BC8 mov ecx,eax
0084698B E8 C0D3DFFF call KartRide.00643D50
00846990 85C0 test eax,eax
00846992 0F95C0 setne al
00846995 0FB6C8 movzx ecx,al
00846998 51 push ecx
00846999 6A 00 push 0x0
0084699B 8B55 E0 mov edx,dword ptr ss:[ebp-0x20]
0084699E 8B45 D0 mov eax,dword ptr ss:[ebp-0x30]
008469A1 8D8C90 80010000 lea ecx,dword ptr ds:[eax+edx*4+0x180]
008469A8 E8 F3F21100 call KartRide.00965CA0
008469AD 8BC8 mov ecx,eax
008469AF E8 1CD3DFFF call KartRide.00643CD0
008469B4 50 push eax
008469B5 8B4D E0 mov ecx,dword ptr ss:[ebp-0x20]
008469B8 51 push ecx
008469B9 8B55 FC mov edx,dword ptr ss:[ebp-0x4]
008469BC 8B02 mov eax,dword ptr ds:[edx]
008469BE 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
008469C1 8B50 34 mov edx,dword ptr ds:[eax+0x34]
008469C4 FFD2 call edx
008469C6 ^ EB 98 jmp short KartRide.00846960
008469C8 8BE5 mov esp,ebp
008469CA 5D pop ebp
008469CB C2 0400 retn 0x4
我们检查下这个函数
很明显发现有一个call
008468CC 6A 00 push 0x0
008468CE 6A 01 push 0x1
008468D0 6A 06 push 0x6
008468D2 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
008468D5 E8 168DF7FF call KartRide.007BF5F0
push了一个参数是6,这是我们之前找到的加速器的代码,下断看看,发现之后加速器获得的时候才会断下,很好.大概就是这了
而且每次ecx都是固定的.我们用代码注入器试试.发现的确可以实现提取加速.好了,追ecx吧
现在ecx==29C475D8
搜一下,[29AF2448]==ecx
那么下访问断看看(用od比较好.为什么自己找找看就知道了)
端在这.函数一直被不同地方call.知道我为何要用od的原因了吧,这里是一个读内存的函数,很多地方会调用
00965CA0 55 push ebp
00965CA1 8BEC mov ebp,esp
00965CA3 51 push ecx
00965CA4 894D FC mov dword ptr ss:[ebp-0x4],ecx
00965CA7 8B45 FC mov eax,dword ptr ss:[ebp-0x4]
00965CAA 8B00 mov eax,dword ptr ds:[eax]
00965CAC 8BE5 mov esp,ebp
00965CAE 5D pop ebp
00965CAF C3 retn
继续执行,让他回到上一层
007D8550 55 push ebp
007D8551 8BEC mov ebp,esp
007D8553 51 push ecx
007D8554 894D FC mov dword ptr ss:[ebp-0x4],ecx
007D8557 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
007D855A 81C1 68010000 add ecx,0x168
007D8560 E8 3BD71800 call KartRide.00965CA0
007D8565 8BE5 mov esp,ebp
007D8567 5D pop ebp
007D8568 C3 retn
这里明显也是一个偏移的而已,继续上一层
可以看到上面两个函数都是读取ecx的值,第二个还有的功能计算偏移.
007F4C30 8B4D FC mov ecx,dword ptr ss:[ebp-0x4]
007F4C33 E8 1839FEFF call KartRide.007D8550
端在这,这时候ecx==[KartRider.exe+A9CEFC]
那么就是说我们前面找到的call的ecx==[[KartRider.exe+A9CEFC]+0x168]
其他代码编写就不用我说了吧,直接置入代码也行,用内联支持库也行
我个人是不大喜欢远程call,毕竟还要申请内存,还要启动线程.处理量肯定是远大于内联的
最后附上KartRider.exe方便对着来研究吧
链接: 密码:j3mf
转载请注明原作者
|
本帖子中包含更多资源
您需要 登录 才可以下载或查看,没有账号?立即注册
×
评分
-
| 参与人数 1 | 易币 +20 |
金钱 +50 |
贡献 +10 |
收起
理由
|
 揰掵佲
| + 20 |
+ 50 |
+ 10 |
很给力! |
查看全部评分
|
/5 
变色卡
已实名认证
学习了