学习目标:
分析寻路CALL相关数据
分析寻路CALL思路
1、通过目的地坐标回溯<通过关键的数据逆向分析>
2、通过发包函数回溯 <通过发包函数回溯>
分析:
寻路一般是一个循环走路的过程,大致有如下架构
作业:
根据本课收集的数据尝试寻路分析
//走路状态 0和1 //11,33
//寻路状态
dd [[0F598C0]+298]
+228 //1BYTE 寻路状态
+234 //X 目的地X坐标
+238 //Y 目的地Y坐标
dd [[0x31E663C]+1D64]
//寻路也会存在一个 坐标数组序列
// Pseudo-code sketch of the pathfinding loop described in the notes above
// ("大致有如下架构"); not compilable C — the identifiers are descriptive placeholders.
// NOTE(review): the distance threshold and where the state flag lives are
// observations from one client build (see the offsets noted above) — confirm
// before relying on them.
void 寻路函数()
{
//1 Check the distance between the current position and the destination
if(dw距离<10) //the check may instead be against the last index of the waypoint array
{
//Stop pathfinding: set pathfinding state = FALSE;// character attributes / character object
}else
{
//Keep pathfinding: set pathfinding state = TRUE;
移动到下一个坐标点,同时会向服务器发包.
}
}
1、目的地坐标 XYZ XZY XY
2、人物角色对象
3、寻路状态
//目的地坐标分析
//标记一下 执行寻路动作时 只访问了一次
0046F8CB - D9 40 E4 - fld dword ptr [eax-1C]
0046F8CE - 8B 91 98020000 - mov edx,[ecx+00000298]
0046F8D4 - D9 9A 34020000 - fstp dword ptr [edx+00000234] <<
0046F8DA - 8B 7F 04 - mov edi,[edi+04]
0046F8DD - A1 C098F500 - mov eax,[Client.exe+B598C0]
004D2DE0 - C2 0C00 - ret 000C
004D2DE3 - 8B 86 641D0000 - mov eax,[esi+00001D64]
004D2DE9 - 8B 08 - mov ecx,[eax] <<
004D2DEB - 53 - push ebx
004D2DEC - 57 - push edi
00443BE4 - D9 41 F8 - fld dword ptr [ecx-08]
00443BE7 - 83 C1 1C - add ecx,1C
00443BEA - D9 18 - fstp dword ptr [eax] <<
00443BEC - 83 C0 1C - add eax,1C
00443BEF - D9 41 E0 - fld dword ptr [ecx-20]
//走路CALL会循环执行
006B1B96 - D9C9 - fxch st(1)
006B1B98 - 89 45 B4 - mov [ebp-4C],eax
006B1B9B - D8 AE 34020000 - fsubr dword ptr [esi+00000234] <<
006B1BA1 - DA 45 B4 - fiadd [ebp-4C]
006B1BA4 - DA 8E BC020000 - fimul [esi+000002BC]
0046AE7B - 56 - push esi
0046AE7C - 8B 75 10 - mov esi,[ebp+10]
0046AE7F - B9 07000000 - mov ecx,00000007 <<
0046AE84 - F3 A5 - repe movsd
0046AE86 - 5E - pop esi
//寻路时 人物对象访问 一次
00410BC3 - 3B 1D 30661E03 - cmp ebx,[Client.exe+2DE6630]
00410BC9 - 0F85 AB000000 - jne Client.exe+10C7A
00410BCF - A1 3C661E03 - mov eax,[Client.exe+2DE663C] <<
00410BD4 - C6 80 CC1D0000 00 - mov byte ptr [eax+00001DCC],00
00410BDB - A1 3C661E03 - mov eax,[Client.exe+2DE663C]
005FF49D - E8 6E40EFFF - call Client.exe+F3510
005FF4A2 - 8B 0D 30661E03 - mov ecx,[Client.exe+2DE6630]
005FF4A8 - 8B 1D 3C661E03 - mov ebx,[Client.exe+2DE663C] <<
005FF4AE - 8B 95 B8C7FFFF - mov edx,[ebp-00003848]
005FF4B4 - 8A 42 04 - mov al,[edx+04]
004B0E15 - 85 C0 - test eax,eax
004B0E17 - 74 4A - je Client.exe+B0E63
004B0E19 - 8B 0D 3C661E03 - mov ecx,[Client.exe+2DE663C] <<
004B0E1F - 85 C9 - test ecx,ecx
004B0E21 - 74 40 - je Client.exe+B0E63
006B3F45 - 83 B8 2C020000 00 - cmp dword ptr [eax+0000022C],00
006B3F4C - 0F84 E9080000 - je Client.exe+2B483B
006B3F52 - A1 3C661E03 - mov eax,[Client.exe+2DE663C] <<
006B3F57 - 85 C0 - test eax,eax
006B3F59 - 0F84 88000000 - je Client.exe+2B3FE7
006AEBE6 - 83 BE 28030000 00 - cmp dword ptr [esi+00000328],00
006AEBED - 0F84 36020000 - je Client.exe+2AEE29
006AEBF3 - 8B 0D 3C661E03 - mov ecx,[Client.exe+2DE663C] <<
006AEBF9 - 85 C9 - test ecx,ecx
006AEBFB - 0F84 28020000 - je Client.exe+2AEE29
006AED74 - 6A 00 - push 00
006AED76 - 89 96 30020000 - mov [esi+00000230],edx
006AED7C - 8B 0D 3C661E03 - mov ecx,[Client.exe+2DE663C] <<
006AED82 - 8B 01 - mov eax,[ecx]
006AED84 - 8B 50 04 - mov edx,[eax+04]
006AEE02 - 0FAF C8 - imul ecx,eax
006AEE05 - 89 4D 98 - mov [ebp-68],ecx
006AEE08 - 8B 0D 3C661E03 - mov ecx,[Client.exe+2DE663C] <<
006AEE0E - 8D 45 9C - lea eax,[ebp-64]
006AEE11 - DA 65 98 - fisub [ebp-68]
//走路状态 0和1 //11,33
//寻路状态
dd [[0F598C0]+298]
+228 //1BYTE 寻路状态
+234 //X 目的地X坐标
+238 //Y 目的地Y坐标
006AED42 - BB 01000000 - mov ebx,00000001
006AED47 - 8B CE - mov ecx,esi
006AED49 - 88 9E 28020000 - mov [esi+00000228],bl <<
006AED4F - E8 7CEEFFFF - call Client.exe+2ADBD0
006AED54 - 8B 0D 7885F200 - mov ecx,[Client.exe+B28578]
004E776F - 91 - xchg eax,ecx
004E7770 - 28 02 - sub [edx],al
004E7772 - 00 00 - add [eax],al <<
004E7774 - 74 65 - je Client.exe+E77DB
004E7776 - A1 88A7E200 - mov eax,[Client.exe+A2A788]
///
004702B6 - 8B 0D C098F500 - mov ecx,[Client.exe+B598C0]
004702BC - D9 06 - fld dword ptr [esi]
004702BE - 8B 91 98020000 - mov edx,[ecx+00000298] <<
004702C4 - D9 9A 34020000 - fstp dword ptr [edx+00000234]
004702CA - A1 C098F500 - mov eax,[Client.exe+B598C0]
EAX=00000001
EBX=0C2C77F8
ECX=19F11070