|
发表于 2023-2-20 01:08:46
|
查看: 6755 |
回复: 0
#include "stdafx.h"
//需要先 选中销毁的物品
//WowClassic.exe+D4D690 - 40 57 - push rdi
//WowClassic.exe+D4D692 - 48 83 EC 70 - sub rsp,70
//WowClassic.exe+D4D696 - E8 A58042FF - call WowClassic.exe+175740
//WowClassic.exe+D4D69B - 48 85 C0 - test rax,rax
//WowClassic.exe+D4D69E - 0F84 07010000 - je WowClassic.exe+D4D7AB
//WowClassic.exe+D4D6A4 - 0F10 0D B5B58501 - movups xmm1,[WowClassic.exe+25A8C60] //要扔掉的物品 ID1,ID2
//WowClassic.exe+D4D6AB - 8B 3D ABB58501 - mov edi,[WowClassic.exe+25A8C5C] //所在背包下标
//WowClassic.exe+D4D6B1 - 0F10 05 B8B58501 - movups xmm0,[WowClassic.exe+25A8C70] // 要扔掉的物品所属背包ID1,ID2
//WowClassic.exe+D4D6B8 - 0F11 4C 24 20 - movups [rsp+20],xmm1
//WowClassic.exe+D4D6BD - 66 0F73 D9 08 - psrldq xmm1,08
//WowClassic.exe+D4D6C2 - 66 48 0F7E C9 - movq rcx,xmm1
//WowClassic.exe+D4D6C7 - 48 C1 E9 3A - shr rcx,3A
//WowClassic.exe+D4D6CB - 0F11 44 24 30 - movups [rsp+30],xmm0
//WowClassic.exe+D4D6D0 - 84 C9 - test cl,cl
//WowClassic.exe+D4D6D2 - 0F84 D3000000 - je WowClassic.exe+D4D7AB
//WowClassic.exe+D4D6D8 - 48 89 9C 24 80000000 - mov [rsp+00000080],rbx
//WowClassic.exe+D4D6E0 - 48 8D 54 24 30 - lea rdx,[rsp+30] //要扔掉的物品所属背包ID1,ID2
//WowClassic.exe+D4D6E5 - 48 8B C8 - mov rcx,rax //角色对象
//WowClassic.exe+D4D6E8 - 48 89 B4 24 88000000 - mov [rsp+00000088],rsi
//WowClassic.exe+D4D6F0 - E8 0B0BC0FF - call WowClassic.exe+94E200 //返回 物品所属背包对象 在总背包里的下标 扩展13-16,行囊=FF
//WowClassic.exe+D4D6F5 - 41 B9 47080000 - mov r9d,00000847
//WowClassic.exe+D4D6FB - 4C 8D 05 BEB3F600 - lea r8,[WowClassic.exe+1CB8AC0] : ["d:\buildserver\wow\1\work\shared-checkout\branches\wow-classic-1_13_4-branch-fastpatch-2\wow\source\ui\gameui.cpp"]
//WowClassic.exe+D4D702 - BA 02000000 - mov edx,00000002
//WowClassic.exe+D4D707 - 48 8D 4C 24 20 - lea rcx,[rsp+20]
//WowClassic.exe+D4D70C - 0FB6 F0 - movzx esi,al //背包所处下标
//WowClassic.exe+D4D70F - E8 8C80E1FF - call WowClassic.exe+B657A0
//WowClassic.exe+D4D714 - 48 85 C0 - test rax,rax
//WowClassic.exe+D4D717 - 74 34 - je WowClassic.exe+D4D74D
//WowClassic.exe+D4D719 - 48 8D 98 80010000 - lea rbx,[rax+00000180]
//WowClassic.exe+D4D720 - 33 D2 - xor edx,edx
//WowClassic.exe+D4D722 - 4C 8B 03 - mov r8,[rbx]
//WowClassic.exe+D4D725 - 48 8B CB - mov rcx,rbx
//WowClassic.exe+D4D728 - 41 FF 10 - call qword ptr [r8]
//WowClassic.exe+D4D72B - C1 E8 05 - shr eax,05
//WowClassic.exe+D4D72E - A8 01 - test al,01
//WowClassic.exe+D4D730 - 75 0F - jne WowClassic.exe+D4D741
//WowClassic.exe+D4D732 - 48 8B 43 08 - mov rax,[rbx+08] 48 8B 43 08 8B 48 5C C1 E9 13 F6 C1 01 74 ** B9 91010000
//WowClassic.exe+D4D736 - 8B 48 5C - mov ecx,[rax+5C]
//WowClassic.exe+D4D739 - C1 E9 13 - shr ecx,13
//WowClassic.exe+D4D73C - F6 C1 01 - test cl,01
//WowClassic.exe+D4D73F - 74 0C - je WowClassic.exe+D4D74D
//WowClassic.exe+D4D741 - B9 91010000 - mov ecx,00000191
//WowClassic.exe+D4D746 - E8 C53A0100 - call WowClassic.exe+D61210
//WowClassic.exe+D4D74B - EB 4E - jmp WowClassic.exe+D4D79B
//WowClassic.exe+D4D74D - 48 8D 4C 24 40 - lea rcx,[rsp+40]
//WowClassic.exe+D4D752 - E8 C9416DFF - call WowClassic.exe+421920 //g_CALL1销毁物品
//WowClassic.exe+D4D757 - 48 8B 44 24 60 - mov rax,[rsp+60] //rax=[包对象+20]
//WowClassic.exe+D4D75C - 40 88 70 04 - mov [rax+04],sil //
//WowClassic.exe+D4D760 - 48 8B 44 24 60 - mov rax,[rsp+60] //rax=[包对象+20]
//WowClassic.exe+D4D765 - 40 88 78 05 - mov [rax+05],dil //所在背包下标
//WowClassic.exe+D4D769 - 48 8B 4C 24 60 - mov rcx,[rsp+60] //rcx=[包对象+20]
//WowClassic.exe+D4D76E - 8B 05 E4B48501 - mov eax,[WowClassic.exe+25A8C58]
//WowClassic.exe+D4D774 - 89 01 - mov [rcx],eax
//WowClassic.exe+D4D776 - 48 8D 4C 24 40 - lea rcx,[rsp+40]
//WowClassic.exe+D4D77B - E8 30175D00 - call WowClassic.exe+131EEB0
//WowClassic.exe+D4D780 - BA 01000000 - mov edx,00000001
//WowClassic.exe+D4D785 - 8B CA - mov ecx,edx
//WowClassic.exe+D4D787 - E8 34180100 - call WowClassic.exe+D5EFC0
//WowClassic.exe+D4D78C - BA 01000000 - mov edx,00000001
//WowClassic.exe+D4D791 - 48 8D 4C 24 20 - lea rcx,[rsp+20]
//WowClassic.exe+D4D796 - E8 A53F0200 - call WowClassic.exe+D71740
//WowClassic.exe+D4D79B - 48 8B 9C 24 80000000 - mov rbx,[rsp+00000080]
//WowClassic.exe+D4D7A3 - 48 8B B4 24 88000000 - mov rsi,[rsp+00000088]
//WowClassic.exe+D4D7AB - 33 C0 - xor eax,eax
//WowClassic.exe+D4D7AD - 48 83 C4 70 - add rsp,70
//WowClassic.exe+D4D7B1 - 5F - pop rdi
//WowClassic.exe+D4D7B2 - C3 - ret
//因为有全局变量 作参数 所以此功能CALL 只能在一个线程里 运行
//WowClassic.exe+D4D690 - 40 57 - push rdi
//WowClassic.exe+D4D692 - 48 83 EC 70 - sub rsp,70
//WowClassic.exe+D4D696 - E8 A58042FF - call WowClassic.exe+175740
//WowClassic.exe+D4D69B - 48 85 C0 - test rax,rax
//WowClassic.exe+D4D69E - 0F84 07010000 - je WowClassic.exe+D4D7AB
//WowClassic.exe+D4D6A4 - 0F10 0D B5B58501 - movups xmm1,[WowClassic.exe+25A8C60] //要扔掉的物品 ID1,ID2
//WowClassic.exe+D4D6AB - 8B 3D ABB58501 - mov edi,[WowClassic.exe+25A8C5C]
//WowClassic.exe+D4D6B1 - 0F10 05 B8B58501 - movups xmm0,[WowClassic.exe+25A8C70] // 要扔掉的物品所属背包ID1,ID2
//00000001409FD74D | 48 8D 4C 24 40 | lea rcx,qword ptr ss:[rsp+40] |
//00000001409FD752 | E8 C9 41 6D FF | call wowclassic.1400D1920 |WowClassic.exe+421920
//00000001409FD757 | 48 8B 44 24 60 | mov rax,qword ptr ss:[rsp+60] |
//00000001409FD75C | 40 88 70 04 | mov byte ptr ds:[rax+4],sil |行囊=FF,扩展背包13-16
//00000001409FD760 | 48 8B 44 24 60 | mov rax,qword ptr ss:[rsp+60] |
//00000001409FD765 | 40 88 78 05 | mov byte ptr ds:[rax+5],dil |行囊下标0x17-0x26 //扩展背包从0开始
//00000001409FD769 | 48 8B 4C 24 60 | mov rcx,qword ptr ss:[rsp+60] |
//00000001409FD76E | 8B 05 E4 B4 85 01 | mov eax,dword ptr ds:[142258C58] | 0
//00000001409FD774 | 89 01 | mov dword ptr ds:[rcx],eax | 0000000030CDD8B4
//00000001409FD776 | 48 8D 4C 24 40 | lea rcx,qword ptr ss:[rsp+40] |
//00000001409FD77B | E8 30 17 5D 00 | call <wowclassic.mwsend> | WowClassic.exe+131EEB0
//print(DeleteCursorItem) --25c24068
//static const UINT_PTR g_Call查询背包下标=0x0942A50; //4.7
//static const UINT_PTR g_CALL1销毁物品=0x041CE00; //4.7
UINT64 TCALL::CALL销毁物品(UINT64 物品ID1,UINT64 物品ID2,BYTE 在背包里的下标,UINT64 所属背包ID1,UINT64 所属背包ID2)
{
//WowClassic.exe+94E200
UINT64 所属背包ID[10]={所属背包ID1,所属背包ID2};
UINT64 pcall=TBASE::GetExeBase()+g_Call查询背包下标;//0x094E200;
BYTE 所属背包下标=(BYTE)call2_x64(pcall,TCALL::角色对象(),(UINT64)&所属背包ID); //sil
UINT64 nret64=0;
//调用销毁CALL
{
UINT64 pcall1=TBASE::GetExeBase()+g_CALL1销毁物品;// ;
UINT64 pcall2=TBASE::GetExeBase()+g_CALL2修理所有装备;//
UINT64 nrcxbuf[10]={0};
UINT64 arg1=(UINT64)&nrcxbuf;
call1_x64(pcall1,arg1);
W4(R8(arg1+0x20),0);
W1(R8(arg1+0x20)+4,所属背包下标);
W1(R8(arg1+0x20)+5,在背包里的下标);
nret64=call2_sendx64(pcall2,arg1,0);
}
return nret64;
}
BOOL TCALL::CALL销毁物品(const char*背包物品名字)
{
BOOL br=0;
br=遍历行囊销毁(背包物品名字);
br|=遍历扩展背包销毁(背包物品名字);
return br;
};
//可用
//static const UINT64 g_CALL销毁物品=0xD4D690;
// BOOL CALL销毁选中物品()
//{
//static const UINT64 g_CALL销毁物品=0xD4D690;
// UINT64 pcall=TBASE::GetExeBase()+g_CALL销毁物品; //
//UINT64 nret64=call1_x64(pcall,0);
//return nret64;
//}
// 48 83 EC 18 44 8B 89 98 0F 02 00 45 32 C0 4C 8B D9 45 85 C9
//WowClassic.exe+D4D6F0 - E8 0B0BC0FF - call WowClassic.exe+94E200 //返回 物品所属背包对象 在总背包里的下标 扩展13-16,行囊=FF
//WowClassic.exe+94E200
//000000013FDEE200 | 48 83 EC 18 | sub rsp,18 | 主背包
//000000013FDEE204 | 44 8B 89 98 0F 02 00 | mov r9d,dword ptr ds:[rcx+20F98] | 7C 可能是背包容量
//000000013FDEE20B | 45 32 C0 | xor r8b,r8b |
//000000013FDEE20E | 4C 8B D9 | mov r11,rcx |
//000000013FDEE211 | 45 85 C9 | test r9d,r9d |
//000000013FDEE214 | 74 49 | je wowclassic.13FDEE25F |
//000000013FDEE216 | 4C 8B 12 | mov r10,qword ptr ds:[rdx] |
//000000013FDEE219 | 33 C0 | xor eax,eax |
//000000013FDEE21B | 0F 1F 44 00 00 | nop dword ptr ds:[rax+rax] |
//000000013FDEE220 | 41 3B C1 | cmp eax,r9d |
//000000013FDEE223 | 72 06 | jb wowclassic.13FDEE22B |
//000000013FDEE225 | 33 C0 | xor eax,eax |
//000000013FDEE227 | 33 C9 | xor ecx,ecx |
//000000013FDEE229 | EB 1D | jmp wowclassic.13FDEE248 |
//000000013FDEE22B | 8B C8 | mov ecx,eax |
//000000013FDEE22D | 49 8B 83 A0 0F 02 00 | mov rax,qword ptr ds:[r11+20FA0] | [角色对象+20FA0] 主背包ID数组
//000000013FDEE234 | 48 03 C9 | add rcx,rcx |
//000000013FDEE237 | 0F 10 04 C8 | movups xmm0,xmmword ptr ds:[rax+rcx*8] |
//000000013FDEE23B | 0F 11 04 24 | movups xmmword ptr ss:[rsp],xmm0 |
//000000013FDEE23F | 48 8B 4C 24 08 | mov rcx,qword ptr ss:[rsp+8] |
//000000013FDEE244 | 48 8B 04 24 | mov rax,qword ptr ss:[rsp] |
//000000013FDEE248 | 4C 3B D0 | cmp r10,rax | r10==ID1=95EC4CF200000001
//000000013FDEE24B | 75 06 | jne wowclassic.13FDEE253 |
//000000013FDEE24D | 48 39 4A 08 | cmp qword ptr ds:[rdx+8],rcx |
//000000013FDEE251 | 74 13 | je wowclassic.13FDEE266 |
//000000013FDEE253 | 41 FE C0 | inc r8b |
//000000013FDEE256 | 41 0F B6 C0 | movzx eax,r8b |
//000000013FDEE25A | 41 3B C1 | cmp eax,r9d |
//000000013FDEE25D | 72 C1 | jb wowclassic.13FDEE220 |
//000000013FDEE25F | B0 FF | mov al,FF |
//000000013FDEE261 | 48 83 C4 18 | add rsp,18 |
//000000013FDEE265 | C3 | ret |
//000000013FDEE266 | 41 0F B6 C0 | movzx eax,r8b |
//000000013FDEE26A | 48 83 C4 18 | add rsp,18 |
//000000013FDEE26E | C3 | ret |
|
游戏安全课程 学员办理咨询联系QQ150330575 手机 139 9636 2600 免费课程 在 www.bilibili.com 搜 郁金香灬老师
|
|