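/*
 * Address table for one build of the game client (module "Client"), recovered
 * by signature scanning.  Each entry below records:
 *   - the byte signature that was searched for ("**" = wildcard byte),
 *   - how the wanted value is derived from the hit address ndLocateAddr
 *     (data bases: the absolute operand next to the hit; CALL targets: the
 *     signed rel32 of the E8 instruction added to the address of the
 *     instruction that follows it, i.e. "displacement + EIP"),
 *   - the disassembly listing the signature was taken from, collapsed onto
 *     one line exactly as it was pasted, kept as evidence for the offsets.
 * All constants are specific to this one client build; a different build
 * invalidates the constants and may invalidate the signatures as well.
 *
 * NOTE(review) on the locate snippets quoted with entries 8, 15, 17 and 21-23:
 * the ReadProcessMemory() return value is never checked, so when the read
 * fails ndBaseBuffer stays 0 and the printed "base" is silently just the
 * post-CALL EIP rather than an error.  The rel32 read into ndBaseBuffer is a
 * signed displacement; adding it to a DWORD ndAddr relies on 32-bit
 * wraparound, which yields the right target in a 32-bit address space.
 * Entry 15 carries a snippet copied from entry 8 whose offsets contradict
 * its own formula, and entry 22 has no #define at all; both are marked inline.
 */

// 1. Game main window handle
//    signature 8B086A1652508B4134 -> value = ndLocateAddr - 4
#define Base_GameWndHandle 0x1196F88
//    listing: 0044F770 68 1812AA00 push Client.00AA1218 ; ASCII "m_pKeyboard->SetDataFormat( &c_dfDIKeyboard )"0044F775 E8 76E40C00 call Client.0051DBF00044F77A E9 5C010000 jmp Client.0044F8DB0044F77F A1 946F1901 mov eax,dword ptr ds:[0x1196F94]0044F784 8B15 886F1901 mov edx,dword ptr ds:[0x1196F88] ; game main window handle base 0044F78A 8B08 mov ecx,dword ptr ds:[eax]0044F78C 6A 16 push 0x160044F78E 52 push edx0044F78F 50 push eax0044F790 8B41 34 mov eax,dword ptr ds:[ecx+0x34]0044F793 FFD0 call eax0044F795 8BF0 mov esi,eax0044F797 33C0 xor eax,eax0044F799 3BF0 cmp esi,eax

// 2. All-objects list base
//    signature 83C404A308C0C0008B018B50045757 -> value = ndLocateAddr - 4
#define Base_AllObjList 0x02E65A28
//    listing: 0040D802 6A 3C push 0x3C0040D804 E8 E7B74800 call Client.00898FF00040D809 8B40 0C mov eax,dword ptr ds:[eax+0xC]0040D80C 8B0C85 285AE602 mov ecx,dword ptr ds:[eax*4+0x2E65A28] ; all-objects list base 0040D813 83C4 04 add esp,0x40040D816 A3 08C0C000 mov dword ptr ds:[0xC0C008],eax0040D81B 8B01 mov eax,dword ptr ds:[ecx]0040D81D 8B50 04 mov edx,dword ptr ds:[eax+0x4]0040D820 57 push edi0040D821 57 push edi0040D822 68 03040000 push 0x4030040D827 FFD2 call edx0040D829 89BB 00010000 mov dword ptr ds:[ebx+0x100],edi0040D82F 897B 60 mov dword ptr ds:[ebx+0x60],edi0040D832 B8 01000000 mov eax,0x1

// 3. Character attributes base
//    signature 558BEC83EC085356B8 -> value = ndLocateAddr + 9
#define Base_RoleProperty 0x02C186D8
//    listing: 0066AB70 55 push ebp0066AB71 8BEC mov ebp,esp0066AB73 83EC 08 sub esp,0x80066AB76 53 push ebx0066AB77 56 push esi0066AB78 B8 D886C102 mov eax,Client.02C186D8 ; character attributes base 0066AB7D 57 push edi0066AB7E C705 9C05BC00 FFFFFFFF mov dword ptr ds:[0xBC059C],-0x10066AB88 33DB xor ebx,ebx0066AB8A 8D50 01 lea edx,dword ptr ds:[eax+0x1]0066AB8D 8D49 00 lea ecx,dword ptr ds:[ecx]0066AB90 8A08 mov cl,byte ptr ds:[eax]0066AB92 40 inc eax0066AB93 84C9 test cl,cl

// 4. Equipment list base
//    signature BF3C0400008D9B00000000833C070074**8B0C07 -> value = ndLocateAddr - 4
#define Base_EquipList 0x02E3D3E0
//    listing: 00417F3D |. 8B8E 540B0000 mov ecx,dword ptr ds:[esi+0xB54]00417F43 |. 8988 98010000 mov dword ptr ds:[eax+0x198],ecx00417F49 |. 8B96 580B0000 mov edx,dword ptr ds:[esi+0xB58]00417F4F |. 8990 9C010000 mov dword ptr ds:[eax+0x19C],edx00417F55 |. 0FB707 movzx eax,word ptr ds:[edi]00417F58 |. 3B05 185AE602 cmp eax,dword ptr ds:[0x2E65A18]00417F5E |. 75 39 jnz XClient.00417F9900417F60 |. A1 E0D3E302 mov eax,dword ptr ds:[0x2E3D3E0] ; equipment list base 00417F65 |. BF 3C040000 mov edi,0x43C00417F6A |. 8D9B 00000000 lea ebx,dword ptr ds:[ebx]00417F70 |> 833C07 00 /cmp dword ptr ds:[edi+eax],0x000417F74 |. 74 18 |je XClient.00417F8E00417F76 |. 8B0C07 |mov ecx,dword ptr ds:[edi+eax]00417F79 |. 83B9 A80D0000 02 |cmp dword ptr ds:[ecx+0xDA8],0x200417F80 |. 75 0C |jnz XClient.00417F8E00417F82 |. 56 |push esi00417F83 |. 51 |push ecx

// 5. Shop list base
//    signature 6A0050E8********8B4F0883C40C51B9 -> value = ndLocateAddr + 16
#define Base_ShopList 0x119B7B0
//    listing: 004F769D |> \3D FFFFFF0F cmp eax,0xFFFFFFF004F76A2 |. 75 60 jnz XClient.004F7704004F76A4 |> 68 80000000 push 0x80004F76A9 |. 8D85 70FFFFFF lea eax,[local.36]004F76AF |. 6A 00 push 0x0004F76B1 |. 50 push eax004F76B2 |. E8 B9984F00 call Client.009F0F70004F76B7 |. 8B4F 08 mov ecx,dword ptr ds:[edi+0x8]004F76BA |. 83C4 0C add esp,0xC004F76BD |. 51 push ecx004F76BE |. B9 B0B71901 mov ecx,Client.0119B7B0004F76C3 |. E8 080C0000 call Client.004F82D0004F76C8 |. 50 push eax004F76C9 |. 68 F0BDAA00 push Client.00AABDF0 ; ASCII "keyhandler full! lstHandler count = %d, ClassID = %d"004F76CE |. 8D95 70FFFFFF lea edx,[local.36]004F76D4 |. 68 80000000 push 0x80004F76D9 |. 52 push edx004F76DA |. E8 D16D0600 call Client.0055E4B0004F76DF |. 8D85 70FFFFFF lea eax,[local.36]004F76E5 |. 50 push eax

// 6. Depot (warehouse) list base
//    signature C78134160000080000008B152C69E402899A6C020000 -> value = ndLocateAddr - 4
#define Base_DepotList 0x02E4692C
//    listing: 007EFA23 |. 68 802EBC00 push Client.00BC2E80007EFA28 |. 885D FC mov byte ptr ss:[ebp-0x4],bl007EFA2B |. E8 10F20300 call Client.0082EC40007EFA30 |. 8B0D 2C69E402 mov ecx,dword ptr ds:[0x2E4692C] ; depot list base 007EFA36 |. C781 34160000 08000000 mov dword ptr ds:[ecx+0x1634],0x8007EFA40 |. 8B15 2C69E402 mov edx,dword ptr ds:[0x2E4692C]007EFA46 |. 899A 6C020000 mov dword ptr ds:[edx+0x26C],ebx007EFA4C |. 8B86 30020000 mov eax,dword ptr ds:[esi+0x230]007EFA52 |. 8B0D 2C69E402 mov ecx,dword ptr ds:[0x2E4692C]007EFA58 |. 8981 68020000 mov dword ptr ds:[ecx+0x268],eax007EFA5E |. 8B15 5C30BC00 mov edx,dword ptr ds:[0xBC305C]007EFA64 |. A1 842EBC00 mov eax,dword ptr ds:[0xBC2E84]007EFA69 |. 8B0D 2C69E402 mov ecx,dword ptr ds:[0x2E4692C]007EFA6F |. 83C2 21 add edx,0x21007EFA72 |. 52 push edx007EFA73 |. 48 dec eax007EFA74 |. 50 push eax

// 7. Backpack list base
//    signature 8B848A3C0400008BB0E40C00008BB8E80C00008BC60BC7 -> value = ndLocateAddr - 4
#define Base_BackPackList 0x02E3D3E4
//    listing: 00838E22 /75 32 jnz short Client.00838E5600838E24 |A1 F0D3E302 mov eax,dword ptr ds:[0x2E3D3F0]00838E29 |8B8488 3C040000 mov eax,dword ptr ds:[eax+ecx*4+0x43C]00838E30 |8B48 58 mov ecx,dword ptr ds:[eax+0x58]00838E33 |8B50 54 mov edx,dword ptr ds:[eax+0x54]00838E36 |A1 5C452501 mov eax,dword ptr ds:[0x125455C]00838E3B |51 push ecx00838E3C |8B88 30020000 mov ecx,dword ptr ds:[eax+0x230]00838E42 |52 push edx00838E43 |E8 F8D8FDFF call Client.0081674000838E48 |85C0 test eax,eax00838E4A |0F85 925C0000 jnz Client.0083EAE200838E50 |8B8D 200FFFFF mov ecx,dword ptr ss:[ebp+0xFFFF0F20]00838E56 \83FB 01 cmp ebx,0x100838E59 0F85 FA000000 jnz Client.00838F5900838E5F 8B15 E4D3E302 mov edx,dword ptr ds:[0x2E3D3E4] ; backpack base 00838E65 8B848A 3C040000 mov eax,dword ptr ds:[edx+ecx*4+0x43C] ; backpack list 00838E6C 8BB0 E40C0000 mov esi,dword ptr ds:[eax+0xCE4]00838E72 8BB8 E80C0000 mov edi,dword ptr ds:[eax+0xCE8]00838E78 8BC6 mov eax,esi00838E7A 0BC7 or eax,edi00838E7C 0F84 97010000 je Client.0083901900838E82 837D 08 00 cmp dword ptr ss:[ebp+0x8],0x000838E86 0F85 36030000 jnz Client.008391C2

// 8. Backpack item use CALL
//    signature 8B87601C00005651508BCFE8 -> target = rel32 at ndLocateAddr+12, added to ndLocateAddr+16 (displacement + EIP)
#define Call_UseObjForIndex 0x00838EA0
//    listing: 00854E7F 8B84B7 3C040000 mov eax,dword ptr ds:[edi+esi*4+0x43C]00854E86 85C0 test eax,eax00854E88 74 3F je short Client.00854EC900854E8A BA C6E1143C mov edx,0x3C14E1C600854E8F 3950 54 cmp dword ptr ds:[eax+0x54],edx00854E92 75 35 jnz short Client.00854EC900854E94 8378 58 00 cmp dword ptr ds:[eax+0x58],0x000854E98 75 2F jnz short Client.00854EC900854E9A 56 push esi00854E9B 51 push ecx00854E9C 8995 38AFFFFF mov dword ptr ss:[ebp+0xFFFFAF38],edx00854EA2 8B15 6C452501 mov edx,dword ptr ds:[0x125456C]00854EA8 8D8D 38AFFFFF lea ecx,dword ptr ss:[ebp+0xFFFFAF38]00854EAE C785 3CAFFFFF 0>mov dword ptr ss:[ebp+0xFFFFAF3C],0x000854EB8 51 push ecx00854EB9 8B8A 94020000 mov ecx,dword ptr ds:[edx+0x294]00854EBF E8 ECE9F4FF call Client.007A38B000854EC4 E9 B5000000 jmp Client.00854F7E00854EC9 8B87 601C0000 mov eax,dword ptr ds:[edi+0x1C60]00854ECF 56 push esi ; index 00854ED0 51 push ecx ; 100854ED1 50 push eax ; 000854ED2 8BCF mov ecx,edi ; [backpack list base] 00854ED4 E8 C73FFEFF call Client.00838EA0 ; backpack item use CALL 00854ED9 83BF 34160000 3>cmp dword ptr ds:[edi+0x1634],0x3500854EE0 75 20 jnz short Client.00854F0200854EE2 8B84B7 3C040000 mov eax,dword ptr ds:[edi+esi*4+0x43C]00854EE9 85C0 test eax,eax00854EEB 74 15 je short Client.00854F0200854EED 8B48 54 mov ecx,dword ptr ds:[eax+0x54]00854EF0 8B15 6C452501 mov edx,dword ptr ds:[0x125456C]00854EF6 51 push ecx00854EF7 8B8A 8C020000 mov ecx,dword ptr ds:[edx+0x28C]00854EFD E8 1EF3EBFF call Client.00714220
//    locate snippet as used for this entry (ReadProcessMemory result unchecked, see file header):
//    printf("Signature found, virtual address: %X\n", ndAddr); // read the displacement
//    ndAddr += 12; DWORD ndBaseBuffer = 0; ReadProcessMemory(hProcess, (LPCVOID)ndAddr, (LPVOID)&ndBaseBuffer, 4, NULL); // EIP after the CALL
//    ndAddr += 4; printf("EIP after the CALL instruction: %X\n", ndAddr); // real target
//    ndAddr += ndBaseBuffer; printf("Base: %X\n", ndAddr);

// 9. Send data CALL
//    signature 6689B5FED7FFFF66899500D8FFFF66898502D8FFFFE8 -> target = rel32 at ndLocateAddr+22, added to ndLocateAddr+26 (displacement + EIP)
#define Call_SendData 0x004F8740
//    listing: 00409828 |> \66:8B55 0C mov dx,word ptr ss:[ebp+0xC]0040982C |. 56 push esi0040982D |. 8B75 08 mov esi,[arg.1]00409830 |. 6A 12 push 0x1200409832 |. 8D8D F4D7FFFF lea ecx,[local.2563]00409838 |. 33C0 xor eax,eax0040983A |. 51 push ecx0040983B |. 8B0D 00701901 mov ecx,dword ptr ds:[0x1197000]00409841 |. 66:89B5 FED7FFFF mov word ptr ss:[ebp-0x2802],si00409848 |. 66:8995 00D8FFFF mov word ptr ss:[ebp-0x2800],dx0040984F |. 66:8985 02D8FFFF mov word ptr ss:[ebp-0x27FE],ax00409856 |. E8 E5EE0E00 call Client.004F87400040985B |. 56 push esi0040985C |. 68 2CD0A900 push Client.00A9D02C ; ASCII "SZONE REQ : %d"00409861 |. E8 6A451100 call Client.0051DDD000409866 |. 8B4D FC mov ecx,[local.1]00409869 |. 83C4 08 add esp,0x80040986C |. 33CD xor ecx,ebp0040986E |. 5E pop esi
//    ECX (this pointer) for the send data CALL; same signature and listing as entry 9 -> value = ndLocateAddr - 4
#define Call_SendData_Ecx 0x1197000

// 10. Nearby objects list base
//    signature 8B118B420453536A02FFD003F7 -> value = ndLocateAddr - 4
#define Base_NearObjList 0x04280BA0
//    listing: 008A1FC0 8B11 mov edx,dword ptr ds:[ecx]008A1FC2 8B42 04 mov eax,dword ptr ds:[edx+0x4]008A1FC5 53 push ebx008A1FC6 53 push ebx008A1FC7 6A 02 push 0x2008A1FC9 FFD0 call eax008A1FCB 33F6 xor esi,esi008A1FCD 391D B044E702 cmp dword ptr ds:[0x2E744B0],ebx008A1FD3 7E 27 jle XClient.008A1FFC008A1FD5 EB 09 jmp XClient.008A1FE0008A1FD7 8DA424 00000000 lea esp,dword ptr ss:[esp]008A1FDE 8BFF mov edi,edi008A1FE0 8B0CB5 A00B2804 mov ecx,dword ptr ds:[esi*4+0x4280BA0] ; nearby objects list base 008A1FE7 8B11 mov edx,dword ptr ds:[ecx]008A1FE9 8B42 04 mov eax,dword ptr ds:[edx+0x4]008A1FEC 53 push ebx008A1FED 53 push ebx008A1FEE 6A 02 push 0x2008A1FF0 FFD0 call eax008A1FF2 03F7 add esi,edi008A1FF4 3B35 B044E702 cmp esi,dword ptr ds:[0x2E744B0]008A1FFA ^ 7C E4 jl XClient.008A1FE0008A1FFC A1 C0701501 mov eax,dword ptr ds:[0x11570C0]008A2001 3BC3 cmp eax,ebx008A2003 74 12 je XClient.008A2017008A2005 8B0D 8C842401 mov ecx,dword ptr ds:[0x124848C]008A200B 53 push ebx008A200C 50 push eax008A200D 68 40C71101 push Client.0111C740

// 11. Player object base
//    signature 85C074**83B8880100000074**8D8D30FCFFFF -> value = ndLocateAddr - 4
#define Base_PlayerObj 0x02E65A24
//    listing: 00402FD2 83C4 04 add esp,0x400402FD5 3946 28 cmp dword ptr ds:[esi+0x28],eax00402FD8 74 5A je XClient.0040303400402FDA 8BB5 00F8FFFF mov esi,dword ptr ss:[ebp-0x800]00402FE0 C786 F8290000 01000000 mov dword ptr ds:[esi+0x29F8],0x100402FEA A1 245AE602 mov eax,dword ptr ds:[0x2E65A24] ; player object base 00402FEF 85C0 test eax,eax00402FF1 74 47 je XClient.0040303A00402FF3 83B8 88010000 00 cmp dword ptr ds:[eax+0x188],0x000402FFA 74 3E je XClient.0040303A00402FFC 8D8D 30FCFFFF lea ecx,dword ptr ss:[ebp-0x3D0]00403002 51 push ecx00403003 68 1CCAA900 push Client.00A9CA1C ; ASCII "falseAni=%s"00403008 8D95 B0FBFFFF lea edx,dword ptr ss:[ebp-0x450]0040300E 68 80000000 push 0x8000403013 52 push edx00403014 E8 97B41500 call Client.0055E4B000403019 83C4 10 add esp,0x100040301C 6A 00 push 0x0

// 12. Unknown base 1 (unknown object base)
//    signature 6A09E8********5F5E5B8BE55DC2 -> value = ndLocateAddr - 4
#define Base_Unknown 0x0125456C
//    listing: 0040938B 83FA 03 cmp edx,0x30040938E 75 12 jnz XClient.004093A200409390 68 680B0000 push 0xB6800409395 8B0D 6C452501 mov ecx,dword ptr ds:[0x125456C] ; unknown object base 0040939B 6A 09 push 0x90040939D E8 FE902600 call Client.006724A0004093A2 5F pop edi004093A3 5E pop esi004093A4 5B pop ebx004093A5 8BE5 mov esp,ebp004093A7 5D pop ebp004093A8 C2 0400 retn 0x4

// 13. Unknown object base 2
//    signature 8B15********3BC274**8B083BCB -> value = ndLocateAddr - 4
#define Base_Unknown2 0x02C1EA6C
//    listing: 0048EE39 |> \83C7 15 add edi,0x150048EE3C |> 89BE F0020000 mov dword ptr ds:[esi+0x2F0],edi0048EE42 |. E9 F0000000 jmp Client.0048EF370048EE47 |> A1 6CEAC102 mov eax,dword ptr ds:[0x2C1EA6C] ; unknown object base 2 0048EE4C |. 8B15 70EAC102 mov edx,dword ptr ds:[0x2C1EA70]0048EE52 |. 3BC2 cmp eax,edx0048EE54 |. 74 18 je XClient.0048EE6E0048EE56 |> 8B08 /mov ecx,dword ptr ds:[eax]0048EE58 |. 3BCB |cmp ecx,ebx0048EE5A |. 74 09 |je XClient.0048EE650048EE5C |. 3B8CBE F0020000 |cmp ecx,dword ptr ds:[esi+edi*4+0x2F0]0048EE63 |. 74 1F |je XClient.0048EE840048EE65 |> 05 D4000000 |add eax,0xD40048EE6A |. 3BC2 |cmp eax,edx

// 14. Action list base
//    signature 833C0600743C8B04068B50548B7858 -> value = ndLocateAddr - 4
#define Base_ActionList 0x02E3DD58
//    listing: 00702541 56 push esi00702542 57 push edi00702543 BE 3C040000 mov esi,0x43C00702548 EB 06 jmp XClient.007025500070254A 8D9B 00000000 lea ebx,dword ptr ds:[ebx]00702550 A1 58DDE302 mov eax,dword ptr ds:[0x2E3DD58] ; action list base 00702555 833C06 00 cmp dword ptr ds:[esi+eax],0x000702559 74 3C je XClient.007025970070255B 8B0406 mov eax,dword ptr ds:[esi+eax]0070255E 8B50 54 mov edx,dword ptr ds:[eax+0x54]00702561 8B78 58 mov edi,dword ptr ds:[eax+0x58]00702564 81FA 06127A00 cmp edx,Client.007A12060070256A 75 04 jnz XClient.007025700070256C 85FF test edi,edi

// 15. Action use CALL
//    signature 83BF341600003675**8B84B73C04000085C0 -> target = rel32 at ndLocateAddr-4, added to ndLocateAddr (displacement + EIP)
//    NOTE(review): the original note labelled this "item use CALL" and appended the +12/+4 locate snippet from
//    entry 8; that contradicts the formula above, which the listing supports (call at 00854EFD, signature
//    hit at 00854F02).  Use -4 / +0 for this entry, not +12 / +16.
#define Call_ActionUse 0x00714220
//    listing: 00854EED 8B48 54 mov ecx,dword ptr ds:[eax+0x54]00854EF0 8B15 6C452501 mov edx,dword ptr ds:[0x125456C]00854EF6 51 push ecx00854EF7 8B8A 8C020000 mov ecx,dword ptr ds:[edx+0x28C]00854EFD E8 1EF3EBFF call Client.00714220 ; action use CALL 00854F02 83BF 34160000 36 cmp dword ptr ds:[edi+0x1634],0x3600854F09 75 20 jnz XClient.00854F2B00854F0B 8B84B7 3C040000 mov eax,dword ptr ds:[edi+esi*4+0x43C]00854F12 85C0 test eax,eax00854F14 74 15 je XClient.00854F2B00854F16 8B40 54 mov eax,dword ptr ds:[eax+0x54]00854F19 8B0D 6C452501 mov ecx,dword ptr ds:[0x125456C]00854F1F 8B89 8C020000 mov ecx,dword ptr ds:[ecx+0x28C]00854F25 50 push eax00854F26 E8 05F9EBFF call Client.0071483000854F2B 83BF 34160000 46 cmp dword ptr ds:[edi+0x1634],0x46
//    locate snippet as originally pasted here (offsets copied from entry 8, see NOTE above):
//    printf("Signature found, virtual address: %X\n", ndAddr); // read the displacement
//    ndAddr += 12; DWORD ndBaseBuffer = 0; ReadProcessMemory(hProcess, (LPCVOID)ndAddr, (LPVOID)&ndBaseBuffer, 4, NULL); // EIP after the CALL
//    ndAddr += 4; printf("EIP after the CALL instruction: %X\n", ndAddr); // real target
//    ndAddr += ndBaseBuffer; printf("Base: %X\n", ndAddr);

// 16. Skill list base
//    signature 33C0A3********8B96C00B000083C2288950388B86C00B00008B0D -> value = ndLocateAddr + 3
#define Base_SkillList 0x02E3EF64
//    listing: 004A5B46 56 push esi004A5B47 6A 19 push 0x19004A5B49 6A 02 push 0x2004A5B4B 8BC8 mov ecx,eax004A5B4D E8 4EF13800 call Client.00834CA0004A5B52 EB 02 jmp XClient.004A5B56004A5B54 33C0 xor eax,eax004A5B56 A3 64EFE302 mov dword ptr ds:[0x2E3EF64],eax ; skill list base 004A5B5B 8B96 C00B0000 mov edx,dword ptr ds:[esi+0xBC0]004A5B61 83C2 28 add edx,0x28004A5B64 8950 38 mov dword ptr ds:[eax+0x38],edx004A5B67 8B86 C00B0000 mov eax,dword ptr ds:[esi+0xBC0]004A5B6D 8B0D 64EFE302 mov ecx,dword ptr ds:[0x2E3EF64]004A5B73 83C0 2C add eax,0x2C004A5B76 8941 3C mov dword ptr ds:[ecx+0x3C],eax004A5B79 8B15 64EFE302 mov edx,dword ptr ds:[0x2E3EF64]004A5B7F 6A 19 push 0x19004A5B81 89BA 34160000 mov dword ptr ds:[edx+0x1634],edi004A5B87 8B0D 64EFE302 mov ecx,dword ptr ds:[0x2E3EF64]

// 17. Learn (train) skill CALL
//    signature 8B94B78C0300008B0D********8B425451508D8DF4D7FFFF518B0D -> target = rel32 at ndLocateAddr+32, added to ndLocateAddr+36 (displacement + EIP)
#define Call_LearnSkill 0x00555B80
//    listing: 00751B5C 8B94B7 8C030000 mov edx,dword ptr ds:[edi+esi*4+0x38C]00751B63 8B0D 8487C102 mov ecx,dword ptr ds:[0x2C18784]00751B69 8B42 54 mov eax,dword ptr ds:[edx+0x54]00751B6C 51 push ecx00751B6D 50 push eax00751B6E 8D8D F4D7FFFF lea ecx,dword ptr ss:[ebp-0x280C]00751B74 51 push ecx00751B75 8B0D 245AE602 mov ecx,dword ptr ds:[0x2E65A24]00751B7B E8 0040E0FF call Client.00555B80 ; learn skill CALL 00751B80 E9 53020000 jmp Client.00751DD800751B85 83FE 48 cmp esi,0x4800751B88 0F8C E3000000 jl Client.00751C7100751B8E 83FE 68 cmp esi,0x68
//    locate snippet as used for this entry (ReadProcessMemory result unchecked, see file header):
//    printf("Signature found, virtual address: %X\n", ndAddr); // read the displacement
//    ndAddr += 32; DWORD ndBaseBuffer = 0; ReadProcessMemory(hProcess, (LPCVOID)ndAddr, (LPVOID)&ndBaseBuffer, 4, NULL); // EIP after the CALL
//    ndAddr += 4; printf("EIP after the CALL instruction: %X\n", ndAddr); // real target
//    ndAddr += ndBaseBuffer; printf("Base: %X\n", ndAddr);

// 18. ECX (this pointer) for the learn skill CALL
//    signature 5068********8D4DBC6A4051E8********8B8E2C0F0000 -> value = ndLocateAddr - 4
#define Call_LearnSkill_Ecx 0x2C18784
//    listing: 004A4E76 8B8E 280F0000 mov ecx,dword ptr ds:[esi+0xF28]004A4E7C 83C4 1C add esp,0x1C004A4E7F 6A 00 push 0x0004A4E81 8D55 BC lea edx,dword ptr ss:[ebp-0x44]004A4E84 52 push edx004A4E85 E8 86AD3B00 call Client.0085FC10004A4E8A A1 8487C102 mov eax,dword ptr ds:[0x2C18784] ; ECX for learn skill CALL 004A4E8F 50 push eax004A4E90 68 F019AA00 push Client.00AA19F0 ; ASCII "%d"004A4E95 8D4D BC lea ecx,dword ptr ss:[ebp-0x44]004A4E98 6A 40 push 0x40004A4E9A 51 push ecx004A4E9B E8 10960B00 call Client.0055E4B0004A4EA0 8B8E 2C0F0000 mov ecx,dword ptr ds:[esi+0xF2C]

// 19. Mouse-dragged object base (dragged object: [0x0125455C]+230)
//    signature 85D274**833C070074**8B0C078B59588B49548B400C -> value = ndLocateAddr - 4
#define Base_MouseSelObj 0x0125455C
//    listing: 004A6D9F 49 dec ecx004A6DA0 83C9 FC or ecx,0xFFFFFFFC004A6DA3 41 inc ecx004A6DA4 0F84 71010000 je Client.004A6F1B004A6DAA 8B15 5C452501 mov edx,dword ptr ds:[0x125455C] ; mouse-dragged object base 004A6DB0 85D2 test edx,edx004A6DB2 74 21 je XClient.004A6DD5004A6DB4 833C07 00 cmp dword ptr ds:[edi+eax],0x0004A6DB8 74 1B je XClient.004A6DD5004A6DBA 8B0C07 mov ecx,dword ptr ds:[edi+eax]004A6DBD 8B59 58 mov ebx,dword ptr ds:[ecx+0x58]004A6DC0 8B49 54 mov ecx,dword ptr ds:[ecx+0x54]004A6DC3 8B40 0C mov eax,dword ptr ds:[eax+0xC]004A6DC6 53 push ebx004A6DC7 51 push ecx004A6DC8 50 push eax004A6DC9 8BCA mov ecx,edx004A6DCB E8 90FEF7FF call Client.00426C60

// 20. Shortcut bar base
//    signature 33C08D8E3C040000EB**8D490083390074 -> value = ndLocateAddr - 4
#define Base_ShortcutBar 0x02E3EF08
//    listing: 00413EDD 6A 01 push 0x100413EDF 8D55 F8 lea edx,dword ptr ss:[ebp-0x8]00413EE2 C745 F8 88130000 mov dword ptr ss:[ebp-0x8],0x138800413EE9 C745 FC 00000000 mov dword ptr ss:[ebp-0x4],0x000413EF0 8B8C8E 3C040000 mov ecx,dword ptr ds:[esi+ecx*4+0x43C]00413EF7 52 push edx00413EF8 E8 C35E4000 call Client.00819DC000413EFD 8B35 08EFE302 mov esi,dword ptr ds:[0x2E3EF08] ; shortcut bar base 00413F03 33C0 xor eax,eax00413F05 8D8E 3C040000 lea ecx,dword ptr ds:[esi+0x43C]00413F0B EB 03 jmp XClient.00413F1000413F0D 8D49 00 lea ecx,dword ptr ds:[ecx]00413F10 8339 00 cmp dword ptr ds:[ecx],0x000413F13 74 0D je XClient.00413F2200413F15 8B11 mov edx,dword ptr ds:[ecx]00413F17 397A 54 cmp dword ptr ds:[edx+0x54],edi

// 21. Move object to list CALL
//    signature 8B86900200008B0D********8B9134160000508B81601C00005250E8 -> target = rel32 at ndLocateAddr+28, added to ndLocateAddr+32 (displacement + EIP)
#define Call_MoveObjToList 0x84A180
//    listing: 006F59A5 8B86 90020000 mov eax,dword ptr ds:[esi+0x290]006F59AB 8B0D E4D3E302 mov ecx,dword ptr ds:[0x2E3D3E4]006F59B1 8B91 34160000 mov edx,dword ptr ds:[ecx+0x1634]006F59B7 50 push eax006F59B8 8B81 601C0000 mov eax,dword ptr ds:[ecx+0x1C60]006F59BE 52 push edx006F59BF 50 push eax006F59C0 E8 BB471500 call Client.0084A180 ; move object to list CALL 006F59C5 5F pop edi006F59C6 C786 90020000 FFFFFFFF mov dword ptr ds:[esi+0x290],-0x1006F59D0 5E pop esi006F59D1 B8 01000000 mov eax,0x1006F59D6 5B pop ebx006F59D7 5D pop ebp
//    locate snippet as used for this entry (ReadProcessMemory result unchecked, see file header):
//    printf("Signature found, virtual address: %X\n", ndAddr); // read the displacement
//    ndAddr += 28; DWORD ndBaseBuffer = 0; ReadProcessMemory(hProcess, (LPCVOID)ndAddr, (LPVOID)&ndBaseBuffer, 4, NULL); // EIP after the CALL
//    ndAddr += 4; printf("EIP after the CALL instruction: %X\n", ndAddr); // real target
//    ndAddr += ndBaseBuffer; printf("Base: %X\n", ndAddr);

// 22. Shortcut bar use CALL
//    signature 83BC8A3C040000000F84********A16C452501518B888C020000E8 -> target = rel32 at ndLocateAddr+27, added to ndLocateAddr+31 (displacement + EIP)
//    NOTE(review): no #define was recorded for this entry in the original notes; only the listing and
//    the locate snippet are present.
//    listing: 008391F4 8B95 180FFFFF mov edx,dword ptr ss:[ebp+0xFFFF0F18]008391FA 83BC8A 3C040000 00 cmp dword ptr ds:[edx+ecx*4+0x43C],0x000839202 0F84 DA590000 je Client.0083EBE200839208 A1 6C452501 mov eax,dword ptr ds:[0x125456C]0083920D 51 push ecx0083920E 8B88 8C020000 mov ecx,dword ptr ds:[eax+0x28C]00839214 E8 07A2EEFF call Client.00723420 ; shortcut bar use CALL 00839219 E9 C4590000 jmp Client.0083EBE20083921E 83FB 01 cmp ebx,0x100839221 0F85 AF000000 jnz Client.008392D600839227 8B0D 6C452501 mov ecx,dword ptr ds:[0x125456C]0083922D 8B89 2C030000 mov ecx,dword ptr ds:[ecx+0x32C]
//    locate snippet as used for this entry (ReadProcessMemory result unchecked, see file header):
//    printf("Signature found, virtual address: %X\n", ndAddr); // read the displacement
//    ndAddr += 27; DWORD ndBaseBuffer = 0; ReadProcessMemory(hProcess, (LPCVOID)ndAddr, (LPVOID)&ndBaseBuffer, 4, NULL); // EIP after the CALL
//    ndAddr += 4; printf("EIP after the CALL instruction: %X\n", ndAddr); // real target
//    ndAddr += ndBaseBuffer; printf("Base: %X\n", ndAddr);

// 23. Pathfinding (run to X/Y) CALL
//    signature 8B8E641C000083EC0C8BC489108B96681C00008948048BCE895008E8 -> target = rel32 at ndLocateAddr+28, added to ndLocateAddr+32 (displacement + EIP)
#define Call_RunToXY 0x0051FFE0
//    listing: 0052228B 33C2 xor eax,edx0052228D 2BC2 sub eax,edx0052228F 3D DC050000 cmp eax,0x5DC00522294 7E 3B jle XClient.005222D100522296 6A 03 push 0x300522298 8B96 601C0000 mov edx,dword ptr ds:[esi+0x1C60] ; esi=[02E65A24]0052229E 8B8E 641C0000 mov ecx,dword ptr ds:[esi+0x1C64]005222A4 83EC 0C sub esp,0xC005222A7 8BC4 mov eax,esp005222A9 8910 mov dword ptr ds:[eax],edx005222AB 8B96 681C0000 mov edx,dword ptr ds:[esi+0x1C68]005222B1 8948 04 mov dword ptr ds:[eax+0x4],ecx005222B4 8BCE mov ecx,esi005222B6 8950 08 mov dword ptr ds:[eax+0x8],edx005222B9 E8 22DDFFFF call Client.0051FFE0 ; pathfinding CALL 005222BE FFD7 call edi
//    locate snippet as used for this entry (ReadProcessMemory result unchecked, see file header):
//    printf("Signature found, virtual address: %X\n", ndAddr); // read the displacement
//    ndAddr += 28; DWORD ndBaseBuffer = 0; ReadProcessMemory(hProcess, (LPCVOID)ndAddr, (LPVOID)&ndBaseBuffer, 4, NULL); // EIP after the CALL
//    ndAddr += 4; printf("EIP after the CALL instruction: %X\n", ndAddr); // real target
//    ndAddr += ndBaseBuffer; printf("Base: %X\n", ndAddr);

// 24. Talk to NPC CALL
//    signature 33C05DC20C008B5510528B550C5250E8 -> target = rel32 at ndLocateAddr+16, added to ndLocateAddr+20 (displacement + EIP)
#define Call_ChatWithNPC 0x50D3F0
//    listing: 00512BD6 |. 33C0 xor eax,eax00512BD8 |. 5D pop ebp00512BD9 |. C2 0C00 retn 0xC00512BDC |> 8B55 10 mov edx,[arg.3]00512BDF |. 52 push edx00512BE0 |. 8B55 0C mov edx,[arg.2]00512BE3 |. 52 push edx00512BE4 |. 50 push eax00512BE5 |. E8 06A8FFFF call Client.0050D3F000512BEA |. 5D pop ebp00512BEB \. C2 0C00 retn 0xC

// 25. Click dialog menu option CALL
//    signature 8B9C9EA801000081FB3C0100000F8D********538BCEE8 -> target = rel32 at ndLocateAddr+23, added to ndLocateAddr+27 (displacement + EIP)
#define Call_ClickChatMenuOption 0x007D5B30
//    listing: 007DC438 .^\0F84 16FFFFFF je Client.007DC354007DC43E . 8B9C9E A8010000 mov ebx,dword ptr ds:[esi+ebx*4+0x1A8]007DC445 . 81FB 3C010000 cmp ebx,0x13C007DC44B .^ 0F8D 03FFFFFF jge Client.007DC354007DC451 . 53 push ebx ; open depot = 5 007DC452 . 8BCE mov ecx,esi ; 0FA98BA8007DC454 . E8 D796FFFF call Client.007D5B30 ; open depot 3 / click dialog menu option CALL 007DC459 .^ E9 F6FEFFFF jmp Client.007DC354007DC45E > 2D 30040000 sub eax,0x430007DC463 . 0F84 13030000 je Client.007DC77C007DC469 . 83E8 1A sub eax,0x1A007DC46C .^ 0F85 E2FEFFFF jnz Client.007DC354007DC472 . 8D55 E0 lea edx,dword ptr ss:[ebp-0x20] ; Case 44A of switch 007DBDC8007DC475 . 52 push edx007DC476 . 68 1865AA00 push Client.00AA6518 ; ASCII "..\datas\interface\DATA\window_npc\window_exchangebox.bmp"

// 26. Player view range base (the listing reads it with fld, i.e. a 32-bit float)
//    signature 6A016A006A006A006A0068********525056E8********D905 -> value = ndLocateAddr + 25
#define Base_ViewRange 0x00AA1DBC
//    listing: 0046FF16 |. 6A 01 push 0x10046FF18 |. 6A 00 push 0x00046FF1A |. 6A 00 push 0x00046FF1C |. 6A 00 push 0x00046FF1E |. 6A 00 push 0x00046FF20 |. 68 1C2FAA00 push Client.00AA2F1C ; ASCII "..\datas\interface\DATA\window_npc\system_m02.bmp"0046FF25 |. 52 push edx0046FF26 |. 50 push eax0046FF27 |. 56 push esi0046FF28 |. E8 3392FEFF call Client.004591600046FF2D |. D905 BC1DAA00 fld dword ptr ds:[0xAA1DBC] ; player view range 0046FF33 |. 6A 01 push 0x10046FF35 |. D95D DC fstp dword ptr ss:[ebp-0x24]0046FF38 |. D905 24D3A900 fld dword ptr ds:[0xA9D324]0046FF3E |. 8B55 DC mov edx,dword ptr ss:[ebp-0x24]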