不懂的话可以加 QQ 150330575。明文包分析方法：下面列出的这些接口最终都会调用同一个明文发包 CALL（“明文”指尚未经过加密/打包处理、仍可直接读出字段的原始数据包）。其中带“保护”标记的接口属于受保护 API，普通插件脚本不能直接调用，所以才需要定位到它们底层共用的原生发包函数。
BuybackItem(index) - 购回售出的物品. UseSoulstone() - 使用激活的灵魂石复活自己.
保护 UseInventoryItem(invSlot) - 使用物品栏 (invSlot) 指定位置的物品. 保护 UseContainerItem(BagId, slot[, onSelf]) - 使用包裹中指定位置的物品. (警告: 如果商人窗口处于开启状态, 对包裹物品调用此接口会把物品卖掉, 而不是使用它!)
保护 Jump() - 玩家跳跃. 保护 MoveBackwardStart - 玩家在指定时刻开始后退. 保护 MoveBackwardStop - 玩家在指定时刻停止后退. 保护 MoveForwardStart - 玩家在指定时刻开始前进. 保护 MoveForwardStop - 玩家在指定时刻停止前进.
以 BuybackItem 这个接口为例：在聊天窗口输入 /run print(BuybackItem)，会打印出这个 Lua 函数对象（闭包）的地址。注意下面打印出的 25827DAE020 是堆上的 Lua 函数对象，并不是 wowclassic 模块内 7FF74… 段的原生代码地址；原生处理函数的地址需要从该函数对象（或脚本函数注册表）中再取一次。定位到 BuybackItem 的原生处理函数之后，就能顺着它找到明文发包函数：在本文所用的这个版本里，该函数的最后一个 CALL（下面列表中的 $+F3）就是明文发包。另外，列表中的绝对地址会随客户端版本更新和 ASLR 加载基址而变化，跨版本时请按指令特征（在 rsp+20 构造结构体之后紧接的那个 CALL）重新定位，并用断点验证，不要直接复用这些地址。
/run print(BuybackItem)
25827DAE020
$+F3 | E8 2867AEFF | call wowclassic.7FF741A69F00 —— BuybackItem 原生处理函数的最后一个 CALL，即作者认定的明文发包函数。按作者的说法，几乎所有与服务器通信的指令（移动、转向、使用技能、使用物品、进副本等）都会经过它；但下面的反汇编只能证明 BuybackItem 把在 rsp+20 构造好的结构体交给了这个函数，其它指令是否也走同一个函数，需要分别在各自的处理函数里下断点确认。
$ ==> | 40:53 | push rbx | entry of the native BuybackItem handler (base 7FF741F836E0 in this build, derived from the jump targets below); rbx is callee-saved and keeps rcx for the whole function
$+2 | 48:83EC 70 | sub rsp,70 | 0x70-byte frame: out-struct at rsp+20, xmm6 save slot at rsp+60; the 8-byte descriptor at rsp+88 sits in the caller's home area above the return address
$+6 | BA 01000000 | mov edx,1 | second argument = 1 (presumably the Lua argument index; the same pair is passed again at $+78)
$+B | 48:8BD9 | mov rbx,rcx | keep the first argument (presumably the Lua state) for later calls
$+E | E8 ADD4A3FE | call wowclassic.7FF7409C0BA0 | validates the slot argument; a zero result falls into the usage error below
$+13 | 85C0 | test eax,eax |
$+15 | 75 17 | jne wowclassic.7FF741F8370E | argument accepted -> continue at $+2E
$+17 | 48:8D15 128CD100 | lea rdx,qword ptr ds:[7FF742C9C310] | 00007FF742C9C310:"Usage: BuybackItem(slot)" <- usage text for the error path
$+1E | 48:8BCB | mov rcx,rbx |
$+21 | E8 8A929300 | call wowclassic.7FF7428BC990 | report the usage error (rcx = saved first arg, rdx = message)
$+26 | 33C0 | xor eax,eax | return 0 (no Lua results); every exit path of this function returns 0
$+28 | 48:83C4 70 | add rsp,70 |
$+2C | 5B | pop rbx |
$+2D | C3 | ret | early return: nothing is sent when the argument is rejected
$+2E | 0F297424 60 | movaps xmmword ptr ss:[rsp+60],xmm6 | save xmm6 (restored at $+F8); it carries a 16-byte value across the calls below
$+33 | E8 288C37FF | call wowclassic.7FF7412FC340 | no arguments; its result becomes rcx of the lookup at $+56
$+38 | 48:8D9424 88000000 | lea rdx,qword ptr ss:[rsp+88] | rdx -> 8-byte descriptor {dword 5, byte 1} written on the next two lines (meaning of 5/1 not visible here)
$+40 | C68424 8C000000 01 | mov byte ptr ss:[rsp+8C],1 |
$+48 | 48:8BC8 | mov rcx,rax |
$+4B | C78424 88000000 05000000 | mov dword ptr ss:[rsp+88],5 |
$+56 | E8 2559F9FF | call wowclassic.7FF741F19060 | lookup(object from $+33, descriptor) -> pointer to a 16-byte value
$+5B | 0F1030 | movups xmm6,xmmword ptr ds:[rax] | xmm6 = that 16-byte value; it is copied into the out-struct at $+EE
$+5E | 66:0F6FC6 | movdqa xmm0,xmm6 |
$+62 | 66:0F73D8 08 | psrldq xmm0,8 | take the high qword of the 16 bytes
$+67 | 6648:0F7EC0 | movq rax,xmm0 |
$+6C | 48:C1E8 3A | shr rax,3A | keep only the top 6 bits of the high qword (0x3A = 58 = 64-6)
$+70 | 84C0 | test al,al |
$+72 | 0F84 80000000 | je wowclassic.7FF741F837D8 | top 6 bits zero -> epilogue at $+F8, nothing sent (the same test is applied to the table entry at $+D3)
$+78 | BA 01000000 | mov edx,1 |
$+7D | 48:8BCB | mov rcx,rbx |
$+80 | E8 DBE9A3FE | call wowclassic.7FF7409C2140 | read argument 1 as a double (result in xmm0, consumed by cvttsd2si)
$+85 | F248:0F2CC0 | cvttsd2si rax,xmm0 | truncate to an integer
$+8A | FFC8 | dec eax | slot - 1 = zero-based index; the 32-bit write also clears the upper half of rax, so rax is clean for the indexing below
$+8C | 3B05 DE296C01 | cmp eax,dword ptr ds:[7FF743646150] | bound = dword at 7FF743646150
$+92 | 73 0C | jae wowclassic.7FF741F83780 | unsigned compare: index >= bound, and slot <= 0 (wraps to 0xFFFFFFFF), both take the ebx=0 path
$+94 | 48:8D0D A5296C01 | lea rcx,qword ptr ds:[7FF743646120] | dword table at 7FF743646120
$+9B | 8B1C81 | mov ebx,dword ptr ds:[rcx+rax*4] | ebx = table[index]
$+9E | EB 02 | jmp wowclassic.7FF741F83782 |
$+A0 | 33DB | xor ebx,ebx | out-of-range slot -> ebx = 0, rejected at $+AF
$+A2 | E8 E975C8FF | call wowclassic.7FF741C0AD70 | no arguments; returns an object pointer that may be null
$+A7 | 48:8BC8 | mov rcx,rax |
$+AA | 48:85C0 | test rax,rax |
$+AD | 74 49 | je wowclassic.7FF741F837D8 | null object -> epilogue, nothing sent
$+AF | 85DB | test ebx,ebx |
$+B1 | 74 45 | je wowclassic.7FF741F837D8 | ebx == 0 (bad slot or empty table entry) -> epilogue, nothing sent
$+B3 | 3B98 88290100 | cmp ebx,dword ptr ds:[rax+12988] | object+0x12988 is the element count of the 16-byte-stride array at object+0x12990
$+B9 | 72 07 | jb wowclassic.7FF741F837A2 | in range -> index the array at $+C2
$+BB | E8 B0B0ACFF | call wowclassic.7FF741A4E850 | out of range: the pointer this call returns is used as the entry at $+CF instead
$+C0 | EB 0D | jmp wowclassic.7FF741F837AF |
$+C2 | 8BC3 | mov eax,ebx |
$+C4 | 48:C1E0 04 | shl rax,4 | 16-byte stride
$+C8 | 48:0381 90290100 | add rax,qword ptr ds:[rcx+12990] | rax = array base + ebx*16
$+CF | 48:8B40 08 | mov rax,qword ptr ds:[rax+8] | high qword of the 16-byte entry
$+D3 | 48:C1E8 3A | shr rax,3A | same top-6-bit test as at $+6C
$+D7 | 84C0 | test al,al |
$+D9 | 74 1D | je wowclassic.7FF741F837D8 | zero -> epilogue, nothing sent
$+DB | 48:8D4C24 20 | lea rcx,qword ptr ss:[rsp+20] | rcx -> out-struct at rsp+20
$+E0 | E8 4B2FE4FE | call wowclassic.7FF740DC6710 | initialise the out-struct in place
$+E5 | 48:8D4C24 20 | lea rcx,qword ptr ss:[rsp+20] |
$+EA | 895C24 50 | mov dword ptr ss:[rsp+50],ebx | struct+0x30 = ebx (the table value for this slot)
$+EE | 0F117424 40 | movups xmmword ptr ss:[rsp+40],xmm6 | struct+0x20 = the 16-byte value fetched at $+5B
$+F3 | E8 2867AEFF | call wowclassic.7FF741A69F00 | final call, rcx -> the filled struct. The author identifies this as the unencrypted ("plaintext") send routine shared by movement, turning, spell/item use and instance entry; this listing only shows that BuybackItem hands it the struct built above - confirm with a breakpoint and compare the other handlers before relying on that claim, and expect the absolute address to change per build
$+F8 | 0F287424 60 | movaps xmm6,xmmword ptr ss:[rsp+60] | restore xmm6
$+FD | 33C0 | xor eax,eax | return 0 on the success path too
$+FF | 48:83C4 70 | add rsp,70 |
$+103 | 5B | pop rbx |
$+104 | C3 | ret |
/run print(BuybackItem)
25827DAE020
$ ==> | 40:53 | push rbx | entry of the native BuybackItem handler (base 7FF741F836E0 in this build, derived from the jump targets below); rbx is callee-saved and keeps rcx for the whole function
$+2 | 48:83EC 70 | sub rsp,70 | 0x70-byte frame: out-struct at rsp+20, xmm6 save slot at rsp+60; the 8-byte descriptor at rsp+88 sits in the caller's home area above the return address
$+6 | BA 01000000 | mov edx,1 | second argument = 1 (presumably the Lua argument index; the same pair is passed again at $+78)
$+B | 48:8BD9 | mov rbx,rcx | keep the first argument (presumably the Lua state) for later calls
$+E | E8 ADD4A3FE | call wowclassic.7FF7409C0BA0 | validates the slot argument; a zero result falls into the usage error below
$+13 | 85C0 | test eax,eax |
$+15 | 75 17 | jne wowclassic.7FF741F8370E | argument accepted -> continue at $+2E
$+17 | 48:8D15 128CD100 | lea rdx,qword ptr ds:[7FF742C9C310] | 00007FF742C9C310:"Usage: BuybackItem(slot)" <- usage text for the error path
$+1E | 48:8BCB | mov rcx,rbx |
$+21 | E8 8A929300 | call wowclassic.7FF7428BC990 | report the usage error (rcx = saved first arg, rdx = message)
$+26 | 33C0 | xor eax,eax | return 0 (no Lua results); every exit path of this function returns 0
$+28 | 48:83C4 70 | add rsp,70 |
$+2C | 5B | pop rbx |
$+2D | C3 | ret | early return: nothing is sent when the argument is rejected
$+2E | 0F297424 60 | movaps xmmword ptr ss:[rsp+60],xmm6 | save xmm6 (restored at $+F8); it carries a 16-byte value across the calls below
$+33 | E8 288C37FF | call wowclassic.7FF7412FC340 | no arguments; its result becomes rcx of the lookup at $+56
$+38 | 48:8D9424 88000000 | lea rdx,qword ptr ss:[rsp+88] | rdx -> 8-byte descriptor {dword 5, byte 1} written on the next two lines (meaning of 5/1 not visible here)
$+40 | C68424 8C000000 01 | mov byte ptr ss:[rsp+8C],1 |
$+48 | 48:8BC8 | mov rcx,rax |
$+4B | C78424 88000000 05000000 | mov dword ptr ss:[rsp+88],5 |
$+56 | E8 2559F9FF | call wowclassic.7FF741F19060 | lookup(object from $+33, descriptor) -> pointer to a 16-byte value
$+5B | 0F1030 | movups xmm6,xmmword ptr ds:[rax] | xmm6 = that 16-byte value; it is copied into the out-struct at $+EE
$+5E | 66:0F6FC6 | movdqa xmm0,xmm6 |
$+62 | 66:0F73D8 08 | psrldq xmm0,8 | take the high qword of the 16 bytes
$+67 | 6648:0F7EC0 | movq rax,xmm0 |
$+6C | 48:C1E8 3A | shr rax,3A | keep only the top 6 bits of the high qword (0x3A = 58 = 64-6)
$+70 | 84C0 | test al,al |
$+72 | 0F84 80000000 | je wowclassic.7FF741F837D8 | top 6 bits zero -> epilogue at $+F8, nothing sent (the same test is applied to the table entry at $+D3)
$+78 | BA 01000000 | mov edx,1 |
$+7D | 48:8BCB | mov rcx,rbx |
$+80 | E8 DBE9A3FE | call wowclassic.7FF7409C2140 | read argument 1 as a double (result in xmm0, consumed by cvttsd2si)
$+85 | F248:0F2CC0 | cvttsd2si rax,xmm0 | truncate to an integer
$+8A | FFC8 | dec eax | slot - 1 = zero-based index; the 32-bit write also clears the upper half of rax, so rax is clean for the indexing below
$+8C | 3B05 DE296C01 | cmp eax,dword ptr ds:[7FF743646150] | bound = dword at 7FF743646150
$+92 | 73 0C | jae wowclassic.7FF741F83780 | unsigned compare: index >= bound, and slot <= 0 (wraps to 0xFFFFFFFF), both take the ebx=0 path
$+94 | 48:8D0D A5296C01 | lea rcx,qword ptr ds:[7FF743646120] | dword table at 7FF743646120
$+9B | 8B1C81 | mov ebx,dword ptr ds:[rcx+rax*4] | ebx = table[index]
$+9E | EB 02 | jmp wowclassic.7FF741F83782 |
$+A0 | 33DB | xor ebx,ebx | out-of-range slot -> ebx = 0, rejected at $+AF
$+A2 | E8 E975C8FF | call wowclassic.7FF741C0AD70 | no arguments; returns an object pointer that may be null
$+A7 | 48:8BC8 | mov rcx,rax |
$+AA | 48:85C0 | test rax,rax |
$+AD | 74 49 | je wowclassic.7FF741F837D8 | null object -> epilogue, nothing sent
$+AF | 85DB | test ebx,ebx |
$+B1 | 74 45 | je wowclassic.7FF741F837D8 | ebx == 0 (bad slot or empty table entry) -> epilogue, nothing sent
$+B3 | 3B98 88290100 | cmp ebx,dword ptr ds:[rax+12988] | object+0x12988 is the element count of the 16-byte-stride array at object+0x12990
$+B9 | 72 07 | jb wowclassic.7FF741F837A2 | in range -> index the array at $+C2
$+BB | E8 B0B0ACFF | call wowclassic.7FF741A4E850 | out of range: the pointer this call returns is used as the entry at $+CF instead
$+C0 | EB 0D | jmp wowclassic.7FF741F837AF |
$+C2 | 8BC3 | mov eax,ebx |
$+C4 | 48:C1E0 04 | shl rax,4 | 16-byte stride
$+C8 | 48:0381 90290100 | add rax,qword ptr ds:[rcx+12990] | rax = array base + ebx*16
$+CF | 48:8B40 08 | mov rax,qword ptr ds:[rax+8] | high qword of the 16-byte entry
$+D3 | 48:C1E8 3A | shr rax,3A | same top-6-bit test as at $+6C
$+D7 | 84C0 | test al,al |
$+D9 | 74 1D | je wowclassic.7FF741F837D8 | zero -> epilogue, nothing sent
$+DB | 48:8D4C24 20 | lea rcx,qword ptr ss:[rsp+20] | rcx -> out-struct at rsp+20
$+E0 | E8 4B2FE4FE | call wowclassic.7FF740DC6710 | initialise the out-struct in place
$+E5 | 48:8D4C24 20 | lea rcx,qword ptr ss:[rsp+20] |
$+EA | 895C24 50 | mov dword ptr ss:[rsp+50],ebx | struct+0x30 = ebx (the table value for this slot)
$+EE | 0F117424 40 | movups xmmword ptr ss:[rsp+40],xmm6 | struct+0x20 = the 16-byte value fetched at $+5B
$+F3 | E8 2867AEFF | call wowclassic.7FF741A69F00 | final call, rcx -> the filled struct. The author identifies this as the unencrypted ("plaintext") send routine shared by movement, turning, spell/item use and instance entry; this listing only shows that BuybackItem hands it the struct built above - confirm with a breakpoint and compare the other handlers before relying on that claim, and expect the absolute address to change per build
$+F8 | 0F287424 60 | movaps xmm6,xmmword ptr ss:[rsp+60] | restore xmm6
$+FD | 33C0 | xor eax,eax | return 0 on the success path too
$+FF | 48:83C4 70 | add rsp,70 |
$+103 | 5B | pop rbx |
$+104 | C3 | ret |
|