通过NPC名称找NPC数组

扫描 NPC名字  ASIC型

发现全部都有后缀

那么采用 字节集的方式去扫描

也是扫不到

说明:不是ASIC型字符串

扫描 NPC名字  Unicode型

没有结果

那么转换成字节集去扫描

终于发现结果了

把结果挨个修改字符串

 

发现   其中两个是可以用的     22和23    分别是人物头顶字符串和血条字符串

那么都可以使用

对名称下访问断

7692D335 >  8BFF            mov     edi, edi

7692D337    55              push    ebp

7692D338    8BEC            mov     ebp, esp

7692D33A    8B45 08         mov     eax, dword ptr [ebp+8]

7692D33D    66:8B08         mov     cx, word ptr [eax]               ; eax

7692D340    40              inc     eax

7692D341    40              inc     eax

7692D342    66:85C9         test    cx, cx

7692D345  ^ 75 F6           jnz     short 7692D33D

7692D347    2B45 08         sub     eax, dword ptr [ebp+8]

7692D34A    D1F8            sar     eax, 1

7692D34C    48              dec     eax

7692D34D    5D              pop     ebp

7692D34E    C3              retn

 

断到非游戏领空 ，并且该位置下断即断，其实是系统模块,所有字符串都会进行访问

那么我们只能通过堆栈跳回游戏领空

在断下的情况堆栈搜索 字符串指针   CTRL+L找到字符串最早出现的位置

来源某层CALL 的第一个参数

追第一个参数EAX即可

005D7074    8B93 50020000   mov     edx, dword ptr [ebx+250]

005D707A    8BBB 4C020000   mov     edi, dword ptr [ebx+24C]

005D7080    03D7            add     edx, edi

005D7082    52              push    edx

005D7083    55              push    ebp

005D7084    68 209A4B00     push    004B9A20

005D7089    EB 06           jmp     short 005D7091

005D708B    6A 00           push    0

005D708D    6A 00           push    0

005D708F    6A 00           push    0

005D7091    8B8B 0C020000   mov     ecx, dword ptr [ebx+20C]

005D7097    E8 94FB3300     call    00916C30

005D709C    8D4C24 5C       lea     ecx, dword ptr [esp+5C]

005D70A0    C68424 8C010000>mov     byte ptr [esp+18C], 1

005D70A8    E8 F3B93200     call    00902AA0

005D70AD    C78424 8C010000>mov     dword ptr [esp+18C], -1

005D70B8    8D4C24 1C       lea     ecx, dword ptr [esp+1C]

005D70BC    E9 42120000     jmp     005D8303

005D70C1    F7C7 00000080   test    edi, 80000000

005D70C7    0F84 3B120000   je      005D8308

005D70CD    F7C7 00000040   test    edi, 40000000

005D70D3    0F85 2F120000   jnz     005D8308

005D70D9    8BCB            mov     ecx, ebx

005D70DB    E8 E03BF2FF     call    004FACC0

005D70E0    8B40 20         mov     eax, dword ptr [eax+20]

005D70E3    6A 00           push    0

005D70E5    57              push    edi

005D70E6    8BC8            mov     ecx, eax

005D70E8    E8 D3CD0700     call    00653EC0                         ; eax CALL的返回值

005D70ED    8BE8            mov     ebp, eax                         ; [eax+314]

005D70EF    85ED            test    ebp, ebp

005D70F1    896C24 20       mov     dword ptr [esp+20], ebp

005D70F5    75 10           jnz     short 005D7107

005D70F7    8B03            mov     eax, dword ptr [ebx]

005D70F9    6A 01           push    1

005D70FB    55              push    ebp

005D70FC    55              push    ebp

005D70FD    8BCB            mov     ecx, ebx

005D70FF    FF50 20         call    dword ptr [eax+20]

005D7102    E9 01120000     jmp     005D8308

005D7107    8B85 14030000   mov     eax, dword ptr [ebp+314]         ; ebp 是非堆栈地址  [ebp+314]

005D710D    8D8C24 34010000 lea     ecx, dword ptr [esp+134]

005D7114    6A 01           push    1

005D7116    51              push    ecx

005D7117    50              push    eax                              ; 第一个参数

005D7118    E8 33522F00     call    008CC350

005D711D    8B8B 20020000   mov     ecx, dword ptr [ebx+220]

005D7123    83C4 0C         add     esp, 0C

005D7126    85C9            test    ecx, ecx

005D7128    74 2A           je      short 005D7154

005D712A    8B11            mov     edx, dword ptr [ecx]

005D712C    8D8424 34010000 lea     eax, dword ptr [esp+134]

005D7133    50              push    eax

005D7134    FF52 44         call    dword ptr [edx+44]

005D7137    8B8B 20020000   mov     ecx, dword ptr [ebx+220]

005D713D    8B55 00         mov     edx, dword ptr [ebp]

005D7140    8B31            mov     esi, dword ptr [ecx]

 

其中  [ebp+318]并非参数

分析ebp发现   其不是堆栈地址，那么318只是一个正常偏移而已

 

 

追到这里 我们需要进CALL 找EAX 的来源

但是 CALL里有很多代码  和跳转  那么我们需要 F7 走一遍 知道 CALL里面的跳转是怎么执行的

然后再-号逆向追寄存器即可

 

00653EC0    83EC 08         sub     esp, 8

00653EC3    56              push    esi

00653EC4    8B71 28         mov     esi, dword ptr [ecx+28]

00653EC7    85F6            test    esi, esi

00653EC9    57              push    edi

00653ECA    75 0C           jnz     short 00653ED8                   ; 跳

00653ECC    33C9            xor     ecx, ecx

00653ECE    884C24 0C       mov     byte ptr [esp+C], cl

00653ED2    8B4424 0C       mov     eax, dword ptr [esp+C]

00653ED6    EB 29           jmp     short 00653F01

00653ED8    8B7C24 14       mov     edi, dword ptr [esp+14]

00653EDC    33D2            xor     edx, edx

00653EDE    8BC7            mov     eax, edi

00653EE0    F7F6            div     esi

00653EE2    8B41 1C         mov     eax, dword ptr [ecx+1C]

00653EE5    8B0490          mov     eax, dword ptr [eax+edx*4]

00653EE8    85C0            test    eax, eax

00653EEA    74 0B           je      short 00653EF7

00653EEC    3978 08         cmp     dword ptr [eax+8], edi

00653EEF    74 1E           je      short 00653F0F                   ; 跳

00653EF1    8B00            mov     eax, dword ptr [eax]

00653EF3    85C0            test    eax, eax

00653EF5  ^ 75 F5           jnz     short 00653EEC

00653EF7    33C9            xor     ecx, ecx

00653EF9    884C24 0C       mov     byte ptr [esp+C], cl

00653EFD    8B4424 0C       mov     eax, dword ptr [esp+C]

00653F01    84C0            test    al, al

00653F03    75 18           jnz     short 00653F1D                   ; 跳

00653F05    5F              pop     edi

00653F06    33C0            xor     eax, eax

00653F08    5E              pop     esi

00653F09    83C4 08         add     esp, 8

00653F0C    C2 0800         retn    8

00653F0F    8D48 04         lea     ecx, dword ptr [eax+4]           ; [[ecx+4]+318]

00653F12    C64424 0C 01    mov     byte ptr [esp+C], 1

00653F17    8B4424 0C       mov     eax, dword ptr [esp+C]

00653F1B  ^ EB E4           jmp     short 00653F01                   ; 跳

00653F1D    8B4424 18       mov     eax, dword ptr [esp+18]

00653F21    85C0            test    eax, eax

00653F23    74 14           je      short 00653F39

00653F25    8B11            mov     edx, dword ptr [ecx]

00653F27    3982 E8000000   cmp     dword ptr [edx+E8], eax

00653F2D    74 0A           je      short 00653F39

00653F2F    5F              pop     edi

00653F30    33C0            xor     eax, eax

00653F32    5E              pop     esi

00653F33    83C4 08         add     esp, 8

00653F36    C2 0800         retn    8

00653F39    8B01            mov     eax, dword ptr [ecx]             ; [[ecx]+318]

00653F3B    5F              pop     edi

00653F3C    5E              pop     esi

00653F3D    83C4 08         add     esp, 8

00653F40    C2 0800         retn    8

 

 

 

NPC数组 偏移表达式如下：

[[[[[[[0D0DF1C]+1c]+8]+20]+1c]+edx*4]+4]+314