郁金香灬游戏外挂技术
欢迎大家参加 游戏安全与外挂的研究学习。
本教程视频1920*1080分辨率下观看最佳
VS2017+win10 64位 环境
学习目标:
018-通过选中怪对象分析怪物对象数组
思路:
1、通过选中怪ID分析出选中怪对象
2、通过选中怪对象分析怪物对象数组
Base_TLTargetHelper = TL.exe+90187E0
[[Base_TLTargetHelper]+8] // [[Base_TLTargetHelper]+8]+140
+13C //鼠标指向的ID，0xFFFFFFFF(-1) 表示没选中 [[Base_TLTargetHelper]+8]+13C
+140 //选中对象ID，0xFFFFFFFF(-1) 表示没选中 [[ TL.exe+90187E0 ]+8]+140 （下方代码用 cmp r8d,FFFFFFFF 判断）
+168 //选中ID? 0xFFFFFFFF(-1) 表示没选中
怪物对象+2F0 // ID DWORD
TL.exe+19C2E00 （本次会话 = 7FF739512E00，即 TL.exe 基址为 7FF737B50000；下面列出的 7FF7… 绝对地址只对这一次运行有效，ASLR 下每次启动都会变化，记录时应统一用 TL.exe+偏移）
7FF739512DFB - 45 3B E7 - cmp r12d,r15d
7FF739512DFE - 74 07 - je TL.exe+19C2E07
7FF739512E00 - 44 89 BE 40010000 - mov [rsi+00000140],r15d <<
7FF739512E07 - 41 80 FD 07 - cmp r13b,07
7FF739512E0B - 0F84 62010000 - je TL.exe+19C2F73
$-50 | 40:88AB D8280000 | mov byte ptr ds:[rbx+28D8],bpl |
$-49 | 89AB DC280000 | mov dword ptr ds:[rbx+28DC],ebp |
$-43 | E8 10040000 | call tl.7FF7395112A0 |
$-3E | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] |
$-39 | 40:886C24 2C | mov byte ptr ss:[rsp+2C],bpl |
$-34 | 49:8BCE | mov rcx,r14 |
$-31 | E8 FED1F5FF | call tl.7FF73946E0A0 |
$-2C | 8B05 987DAE06 | mov eax,dword ptr ds:[7FF73FFF8C40] |
$-26 | 8983 E0280000 | mov dword ptr ds:[rbx+28E0],eax |
$-20 | 8B05 907DAE06 | mov eax,dword ptr ds:[7FF73FFF8C44] |
$-1A | 8983 E4280000 | mov dword ptr ds:[rbx+28E4],eax |
$-14 | 44:88BB 64010000 | mov byte ptr ds:[rbx+164],r15b |
$-D | 45:0FB6C7 | movzx r8d,r15b |
$-9 | 8B97 F0020000 | mov edx,dword ptr ds:[rdi+2F0] | C++怪物对象 + 2F0 // ID
$-3 | 48:8BCB | mov rcx,rbx |
$ ==> | E8 DD1E0000 | call tl.7FF739512DB0 |
$+5 | 41:80FF 07 | cmp r15b,7 |
$+9 | 0F84 DD010000 | je tl.7FF7395110BA |
$+F | 48:8B07 | mov rax,qword ptr ds:[rdi] |
$+12 | 48:8BCF | mov rcx,rdi |
$+15 | FF90 68020000 | call qword ptr ds:[rax+268] |
$+1B | 48:8BCF | mov rcx,rdi |
$+1E | E8 EF25FEFF | call tl.7FF7394F34E0 |
$+23 | 48:8D5424 20 | lea rdx,qword ptr ss:[rsp+20] |
$+28 | C64424 2C 01 | mov byte ptr ss:[rsp+2C],1 |
$+2D | 49:8BCC | mov rcx,r12 |
$+30 | F2:0F1000 | movsd xmm0,qword ptr ds:[rax] |
$+34 | 8B40 08 | mov eax,dword ptr ds:[rax+8] |
$+37 | F2:0F114424 20 | movsd qword ptr ss:[rsp+20],xmm0 |
$+3D | 894424 28 | mov dword ptr ss:[rsp+28],eax |
TL.exe+7737CA0 vftable
$ ==> 0 00007FF73F3EB248 H²>?÷...
$+8 0 0000E2E100000040 @...áâ..
$+10 0 000001477A1DB300 .³.zG...
$+18 0 7FFFDF62 00A9 694C [GName+00A9*8+10]+694C*2+2 //BP_TLGameInstance_C = [[[RoleInfoBase]+8]+20]
$ ==> 0 00007FF73F29A648 H¦)?÷...
$+8 0 0000014793524680 .FR.G...
$+10 0 0000014793524680 .FR.G...
$+18 0 00000000 01B1 A901 [GName+01B1*8+10]+A901*2+2 // TLGame = [[[[RoleInfoBase]+8]+20]+418]
$ ==> 0 00007FF73F288A58 X.(?÷...
$+8 0 0000E39000000040 @....ã..
$+10 0 000001471CFD6B80 .ký.G...
$+18 0 7FFFDEC8 000B D71E [GName+000B*8+10]+D71E*2+2
$ ==> 0 00007FF73F29A648 H¦)?÷...
$+8 0 0000014793524680 .FR.G...
$+10 0 0000014793524680 .FR.G...
$+18 0 00000000 01B1 A901 [GName+01B1*8+10]+A901*2+2 // 名字索引与上面 TLGame 处的 01B1 A901 相同，应为同一对象
$-A3 | 48:895C24 08 | mov qword ptr ss:[rsp+8],rbx |
$-9E | 48:896C24 10 | mov qword ptr ss:[rsp+10],rbp |
$-99 | 48:897424 18 | mov qword ptr ss:[rsp+18],rsi |
$-94 | 48:897C24 20 | mov qword ptr ss:[rsp+20],rdi |
$-8F | 41:56 | push r14 |
$-8D | 48:83EC 30 | sub rsp,30 |
$-89 | 41:0FB6E9 | movzx ebp,r9b |
$-85 | 45:0FB6F0 | movzx r14d,r8b |
$-81 | 48:8BD9 | mov rbx,rcx |
$-7E | E8 16C8C6FF | call tl.7FF73917B670 |
$-79 | 48:8BD0 | mov rdx,rax |
$-76 | 48:8BCB | mov rcx,rbx |
$-73 | E8 1BD71402 | call tl.7FF73B65C580 | rax BP_TLGameInstance_C
$-6E | 48:8B90 18040000 | mov rdx,qword ptr ds:[rax+418] | TLGame = [[[[RoleInfoBase]+8]+20]+418]
$-67 | 48:8BBA C0000000 | mov rdi,qword ptr ds:[rdx+C0] | [[[[[RoleInfoBase]+8]+20]+418] +C0]
$-60 | 48:8DB7 00020000 | lea rsi,qword ptr ds:[rdi+200] |
$-59 | 837E 08 00 | cmp dword ptr ds:[rsi+8],0 |
$-55 | 7F 04 | jg tl.7FF73950EE84 |
$-53 | 32C0 | xor al,al |
$-51 | EB 69 | jmp tl.7FF73950EEED |
$-4F | E8 E7C7C6FF | call tl.7FF73917B670 |
$-4A | 48:8BD0 | mov rdx,rax |
$-47 | 48:8BCB | mov rcx,rbx |
$-44 | E8 ECD61402 | call tl.7FF73B65C580 |
$-3F | 44:8B83 40010000 | mov r8d,dword ptr ds:[rbx+140] | ID = [[[Base_TLTargetHelper]+8]+140]
$-38 | 41:B9 01000000 | mov r9d,1 |
$-32 | 48:8B8B 202A0000 | mov rcx,qword ptr ds:[rbx+2A20] | arg1
$-2B | 41:83F8 FF | cmp r8d,FFFFFFFF | 之前的怪物ID
$-27 | 48:8B90 18040000 | mov rdx,qword ptr ds:[rax+418] | TLGame = [[[[RoleInfoBase]+8]+20]+418]
$-20 | 44:0F45CD | cmovne r9d,ebp |
$-1C | 44:884C24 28 | mov byte ptr ss:[rsp+28],r9b |
$-17 | 45:0FB6CE | movzx r9d,r14b |
$-13 | 48:897424 20 | mov qword ptr ss:[rsp+20],rsi |
$-E | E8 764FFFFF | call <tl.获取一个新的怪物ID(,TlGame,之前的ID,1)>
$-9 | 85C0 | test eax,eax |返回一个新的 ID
$-7 | 7E 1D | jle tl.7FF73950EEEB |
$-5 | 8BD0 | mov edx,eax | 0722DF2
$-3 | 48:8BCF | mov rcx,rdi | [[[[[RoleInfoBase]+8]+20]+418]+C0]
$ ==> | E8 0829FBFF | call <tl.返回怪物对象([TLGame+C0],怪物ID)> |
$+5 | 48:85C0 | test rax,rax |
$+8 | 74 0E | je tl.7FF73950EEEB |
$+A | 41:B0 01 | mov r8b,1 |
$ ==> 00000000 00723756 V7r.....
$+8 0000014864523400 0000014864523400+2F0
$+10 00000056FFFFFFFF ÿÿÿÿV...
$+18 9FAAAA2B 00649B20 .d.+ªª.
$+20 00000147DE8A9A00 [00000147DE8A9A00+2F0]=00649B20
$+28 00000020FFFFFFFF ÿÿÿÿ ...
$+30 2C050F0300731DD6 Ö.s....,
$+38 0000014837E30100 ..ã7H...
$+40 0000005600000038 8...V...
返回怪物对象([TLGame+C0],怪物ID) —— 按 ID 查哈希表：ID==-1 或 [rcx+158]==[rcx+184] 时返回 0；桶下标 = ID & ([rcx+198]-1)，桶数组在 rcx+188（[rcx+190] 非空则改用堆上的数组），条目数组在 [rcx+150]，每条 0x18 字节（+0 ID，+8 对象指针，+10 链中下一条下标，-1 为链尾）；命中后对对象调用 7FF7394EDA10 校验，校验失败同样返回 0。调用方必须检查返回值是否为 0（见上面的 test rax,rax）
$ ==> | 40:53 | push rbx |
$+2 | 48:83EC 20 | sub rsp,20 |
$+6 | 83FA FF | cmp edx,FFFFFFFF |
$+9 | 74 5C | je tl.7FF7394C1847 |
$+B | 8B81 58010000 | mov eax,dword ptr ds:[rcx+158] | rcx = [[[[[RoleInfoBase]+8]+20]+418]+C0]
$+11 | 3B81 84010000 | cmp eax,dword ptr ds:[rcx+184] |
$+17 | 74 4E | je tl.7FF7394C1847 |
$+19 | 4C:6389 98010000 | movsxd r9,dword ptr ds:[rcx+198] | 桶数（本次观察值 0x80）
$+20 | 4C:8D91 88010000 | lea r10,qword ptr ds:[rcx+188] | 内联桶数组 [[[[[RoleInfoBase]+8]+20]+418]+C0]+188
$+27 | 4D:8B42 08 | mov r8,qword ptr ds:[r10+8] | r8 = [rcx+190] 堆上桶数组指针，可能为空
$+2B | 49:FFC9 | dec r9 | mask = 桶数-1（桶数须为 2 的幂）
$+2E | 48:63C2 | movsxd rax,edx | rax = 怪物ID（符号扩展）
$+31 | 4C:23C8 | and r9,rax | 桶下标 = ID & mask
$+34 | 4D:85C0 | test r8,r8 |
$+37 | 4D:0F45D0 | cmovne r10,r8 | 堆上数组非空则用它，否则用内联数组
$+3B | 43:8B048A | mov eax,dword ptr ds:[r10+r9*4] | eax = 桶头：链中第一条目的下标（dword）
$+3F | 83F8 FF | cmp eax,FFFFFFFF |
$+42 | 74 23 | je tl.7FF7394C1847 |
$+44 | 4C:8B81 50010000 | mov r8,qword ptr ds:[rcx+150] | 条目数组 [[[[[RoleInfoBase]+8]+20]+418]+C0]+150，每条 0x18 字节
$+4B | 0F1F4400 00 | nop dword ptr ds:[rax+rax],eax |
$+50 | 48:63C8 | movsxd rcx,eax | 循环头：rcx = 当前条目下标
$+53 | 48:8D0449 | lea rax,qword ptr ds:[rcx+rcx*2] | rax = idx*3，再乘 8 即 idx*0x18
$+57 | 41:3914C0 | cmp dword ptr ds:[r8+rax*8],edx | 条目+0 = ID（本次 723756），相等则命中
$+5B | 74 12 | je tl.7FF7394C184F |
$+5D | 41:8B44C0 10 | mov eax,dword ptr ds:[r8+rax*8+10] | 条目+10 = 链中下一条目下标
$+62 | 83F8 FF | cmp eax,FFFFFFFF | -1 为链尾，未找到
$+65 | 75 E9 | jne tl.7FF7394C1830 |
$+67 | 33C0 | xor eax,eax | 0
$+69 | 48:83C4 20 | add rsp,20 |
$+6D | 5B | pop rbx |
$+6E | C3 | ret |
$+6F | 48:8D0449 | lea rax,qword ptr ds:[rcx+rcx*2] | rax=rcx*3
$+73 | 49:8D1CC0 | lea rbx,qword ptr ds:[r8+rax*8] | [[[[[[RoleInfoBase]+8]+20]+418]+C0]+150]+18*38
$+77 | 48:85DB | test rbx,rbx |
$+7A | 74 EB | je tl.7FF7394C1847 |
$+7C | 48:8B5B 08 | mov rbx,qword ptr ds:[rbx+8] | [[rdi+150]+rax*8+8]
$+80 | 48:85DB | test rbx,rbx |
$+83 | 74 E2 | je tl.7FF7394C1847 |
$+85 | 48:8BCB | mov rcx,rbx | [[rdi+150]+BA*8+8]
$+88 | E8 A3C10200 | call tl.7FF7394EDA10 |
$+8D | 48:85C0 | test rax,rax |
$+90 | 74 D5 | je tl.7FF7394C1847 |
$+92 | 48:8BC3 | mov rax,rbx |
$+95 | 48:83C4 20 | add rsp,20 |
$+99 | 5B | pop rbx |
$+9A | C3 | ret |