学习目标:
分析解密存放物品CALL缓冲区结构
一、分析物品存放功能:一次存放N个物品
+12 //8byte 来源于 物品对象+4C
+1A //存放的物品数量
+2A //12字节 可能是物品ID（注意：从 +2A 起 12 字节会延伸到 +35，与 +32 处的 8 字节字段重叠，实际长度待确认；两次 dump 中 +2A..+2F 各不相同）
+32 //8byte 来源于 物品对象+4C
+3A //物品数量上限 2字节
+43 //物品在背包里的下标
//存放指令 //买出 存 取
//物品ID 告诉服务器 我要存放是什么物品
//物品数量
// Replays the client's "store N items into the warehouse" request.
//
// The bytes below are a captured copy of the buffer that the client builds on its
// own stack (see the listing at 007A03D3..007A041E further down) and then hands to
// Client.004A6690 together with the length 0x86.  Layout, as far as that listing,
// the offset notes above and the two OllyDbg dumps that follow establish it:
//   +02  DWORD 0x00840094             constant written by the client
//   +06  DWORD read from [0x31C9B4C]  0x00000001 in both dumps
//   +0A  0x80 bytes REP MOVSD-copied from [EBX+0x178C] (EBX is annotated as the
//        warehouse-list base).  This copy runs through +0x89, i.e. 4 bytes past
//        the 0x86 length that is pushed, which is why the array is sized 0x90.
//   +12  8 bytes, noted as coming from item object +0x4C
//   +1A  item count to store          0x03 here; 2 and 3 in the dumps
//   +22  DWORD read from [0x2F9E5B4]  0x0099E2AA, an address inside Client.exe,
//        so the value baked in here is only valid for this exact client build
//   +26  DWORD read from [0x2F9E5B8]  0 in the dumps
//   +2A  12 bytes, possibly the item ID — NOTE(review): 12 bytes would run to
//        +35 and overlap the 8-byte field at +32; length unconfirmed
//   +32  8 bytes, same value as +12
//   +3A  WORD, stack limit for the item 0x017A here
//   +43  BYTE, slot index of the item in the bag  0x0B here
// Every other byte is left exactly as captured.  Which fields the server really
// validates is not known from this page; a stale +12/+32/+2A value may simply
// be rejected or may act on a different item than intended.
BYTE nbData[0x90]={
0x00,0x00,0x94,0x00,0x84,0x00,0x01,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x2B,0x0C,
0x17,0x24,0x6A,0xCA,0x9A,0x3B,0x00,0x00,0x00,0x00,0x03,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0xAA,0xE2,0x99,0x00,0x00,0x00,0x00,0x00,0xB7,0xBC,0x14,0x40,0x1A,0x41,
0xED,0x19,0x6A,0xCA,0x9A,0x3B,0x00,0x00,0x00,0x00,0x7A,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x01,0x0B,0x00,0x00,0x01,0x00,0x4F,0x90,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0xAB,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x27,0x3A,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x0F,0x1C,0x28,0x00,0x00,
0x00,0x00,0x1C,0x29,0x12,0x20,0x2D,0x0E,0x1A,0x26,0x00,0x00,0x00,0x00,0x00,0x00};
// Inline call of the client's store routine (MSVC 32-bit `_asm` syntax).
// Mirrors the original call site at 007A040C..007A041E: two stack arguments plus
// an object pointer in ECX.  The original code does not adjust ESP after the
// CALL (the next instruction is MOV ECX,EBX), so the callee is expected to pop
// both arguments itself — do not add an `add esp,8` here.
// All absolute addresses (0xF28700, 0x4A6690, and the 0x0099E2AA stored at +22)
// belong to one specific build of Client.exe, and the DS:[0xF28700] read only
// works from inside that process; re-verify every one of them after a client
// update before calling this, since a wrong ECX or target address will crash
// the client rather than fail cleanly.
_asm
{
push 0x86                            // arg 2: request length the client itself pushes
lea ecx,nbData
push ecx                             // arg 1: pointer to the request buffer
MOV ECX,DWORD PTR DS:[0xF28700]      // this: object pointer read from the client global
mov eax,0x04A6690
call eax                             // Client.004A6690 — store N items to warehouse
}
//金创药(大) 2
$ ==> >00 00 94 00 84 00 01 00 00 00 03 00 00 00 2B 0C ..??......+.
$+10 >17 24 67 CA 9A 3B 00 00 00 00 02 00 00 00 00 00 $g蕷;.........
$+20 >00 00 AA E2 99 00 00 00 00 00 63 4C AA BB 09 44 ..?....cL.D
$+30 >ED 19 67 CA 9A 3B 00 00 00 00 5C 01 00 00 00 00 ?g蕷;....\....
$+40 >00 00 01 1B 00 00 01 00 4F 90 00 00 00 00 00 00 .....O?.....
$+50 >00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
$+60 >00 AB 00 00 00 00 00 00 00 00 00 00 27 3A 00 00 .?.........‘:..
$+70 >00 00 00 00 00 00 00 00 00 00 00 0F 1C 28 00 00 ...........(..
$+80 >00 00 1C 29 12 20 2D 0E 1A 26 00 00 00 00 00 00 ..) -&......
//回城符 泫勃派 3
+43 //物品在背包里的下标：对比两次 dump，发生变化的字节在 +43（0x1B → 0x1F），+44 两次均为 00（原记为 +44，疑为笔误）
$ ==> >00 00 94 00 84 00 01 00 00 00 03 00 00 00 2B 0C ..??......+.
$+10 >17 24 6E CA 9A 3B 00 00 00 00 03 00 00 00 00 00 $n蕷;.........
$+20 >00 00 AA E2 99 00 00 00 00 00 39 0F 32 D4 17 46 ..?....92?F
$+30 >ED 19 6E CA 9A 3B 00 00 00 00 10 00 00 00 00 00 ?n蕷;.........
$+40 >00 00 01 1F 00 00 01 00 4F 90 00 00 00 00 00 00 .....O?.....
$+50 >00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
$+60 >00 AB 00 00 00 00 00 00 00 00 00 00 27 3A 00 00 .?.........‘:..
$+70 >00 00 00 00 00 00 00 00 00 00 00 0F 1C 28 00 00 ...........(..
$+80 >00 00 1C 29 12 20 2D 0E 1A 26 00 00 00 00 00 00 ..) -&......
0074F380 |. 8948 38 MOV DWORD PTR DS:[EAX+0x38],ECX
0074F383 |. 8B96 28020000 MOV EDX,DWORD PTR DS:[ESI+0x228]
0074F389 |. A1 249A1C03 MOV EAX,DWORD PTR DS:[0x31C9A24]
0074F38E |. 83C2 2C ADD EDX,0x2C
0074F391 |. 6A 3C PUSH 0x3C
0074F393 |. 8950 3C MOV DWORD PTR DS:[EAX+0x3C],EDX ; dc [[0x31C9A24]+410+4*0]+5c
0074F396 |. 8B0D 249A1C03 MOV ECX,DWORD PTR DS:[0x31C9A24] ; 仓库背包基址
0074F39C |. 68 C097AF00 PUSH Client.00AF97C0 ; UNICODE "*"
0074F3A1 |. 885D FC MOV BYTE PTR SS:[EBP-0x4],BL
0074F3A4 |. E8 57880300 CALL Client.00787C00
007A03C1 |> \8993 9C170000 MOV DWORD PTR DS:[EBX+0x179C],EDX
007A03C7 |. 898B A0170000 MOV DWORD PTR DS:[EBX+0x17A0],ECX
007A03CD |> 8DB3 8C170000 LEA ESI,DWORD PTR DS:[EBX+0x178C] ; 找EBX来源 ebx=[仓库列表基址] dd 0x31C9A24
007A03D3 |> A1 4C9B1C03 MOV EAX,DWORD PTR DS:[0x31C9B4C]
007A03D8 |. 8B15 B4E5F902 MOV EDX,DWORD PTR DS:[0x2F9E5B4] ; Client.0099E2AA
007A03DE |. 8985 EED7FFFF MOV DWORD PTR SS:[EBP-0x2812],EAX ; +06 //4字节 00000001
007A03E4 |. A1 B8E5F902 MOV EAX,DWORD PTR DS:[0x2F9E5B8]
007A03E9 |. B9 20000000 MOV ECX,0x20
007A03EE |. 8DBD F2D7FFFF LEA EDI,DWORD PTR SS:[EBP-0x280E] ; +0A //0x20*4
007A03F4 |. C785 EAD7FFFF>MOV DWORD PTR SS:[EBP-0x2816],Client.00840094 ; +2 //4字节 0x00840094
007A03FE |. F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
007A0400 |. 8995 0AD8FFFF MOV DWORD PTR SS:[EBP-0x27F6],EDX ; +22 //4字节 DWORD PTR DS:[0x2F9E5B4]
007A0406 |. 8985 0ED8FFFF MOV DWORD PTR SS:[EBP-0x27F2],EAX ; +26 //4字节 DWORD PTR DS:[0x2F9E5B8]
007A040C |. 68 86000000 PUSH 0x86
007A0411 |> 8D8D E8D7FFFF LEA ECX,DWORD PTR SS:[EBP-0x2818] ; 缓冲结构首地址
007A0417 |. 51 PUSH ECX
007A0418 |> 8B0D 0087F200 MOV ECX,DWORD PTR DS:[0xF28700]
007A041E |. E8 6D62D0FF CALL Client.004A6690 ; 存仓库 N个数量
007A0423 |. 8BCB MOV ECX,EBX
007A0425 |. E8 D69EFEFF CALL Client.0078A300
007A042A |. E9 6E050000 JMP Client.007A099D
007A042F |> 8B15 1C9AF200 MOV EDX,DWORD PTR DS:[0xF29A1C] ; Case 11 of switch 0079FEFE
007A0435 |. 81C2 3C010000 ADD EDX,0x13C
007A043B |. 52 PUSH EDX
007A043C |. E8 599F1900 CALL Client.0093A39A
007A0441 |. 83C4 04 ADD ESP,0x4
007A0444 |. 85C0 TEST EAX,EAX
外挂技术-逆向解密存放物品CALL缓冲区结构
原文:http://blog.csdn.net/mc_cc1/article/details/43449841