學習目標:
分析NPC對話CALL
分析思路:
1、打開NPC對話時,一般會訪問NPC對象資料,可以用CE嘗試找出訪問NPC對象的代碼,然後回溯。
2、打開NPC對話時,可能會與伺服器通訊,那麼可以嘗試在發包函數處下斷點回溯。
#define BaseAllObjList 0x31E6640//所有對象數組 dd [031CE740+4*0]
#define BaseRoleObj 0x31E663C //角色對象基址<自己>
所有對象基址+4*[[角色對象基址]+14b8]
dd [45E4A88+4*0]
+008 //對象類型分類編號 0x2E 0x31是玩家 0x55 動作對象
+314 //選中狀態,是否顯示了血條
+320 //怪物名字
+380 //死亡狀態 死亡為1 未死亡為0
+768 //
+5b4 //怪物血量
+5B8 //怪物等級
+1018 //X
+1020 //Y
+1024 //X
+102c //Y
[[0x31E663C]+14B8] //下標
dd [0x31E6640+4*0]
dd [0x31E6640+4*[[0x31E663C]+14B8]]
dc [0x31E6640+4*[[0x31E663C]+14B8]]+320 //0x2E怪物類型 選中名字
; Probe: call candidate 004CBFC0 with the player's own object index as its argument.
; edi = role object base (self), loaded from the BaseRoleObj address 0x31E663C
mov edi,dword ptr ds:[0x31E663C]
; eax = [edi+0x14B8], the self object's index into the all-objects array
MOV EAX,DWORD PTR DS:[EDI+0x14B8]
push eax                                ; argument: object index
mov ecx,edi                             ; ecx = self object (presumably the `this` pointer; confirm in the callee)
CALL 004CBFC0                           ; author's verdict: not the NPC-dialog call
004CBFC8 - 81 FA 0F270000 - cmp edx,0000270F
004CBFCE - 0F87 C8000000 - ja Client.exe+CC09C
004CBFD4 - 8B 0C 95 40661E03 - mov ecx,[edx*4+Client.exe+2DE6640] <<
004CBFDB - 85 C9 - test ecx,ecx
004CBFDD - 0F84 B9000000 - je Client.exe+CC09C
004E4506 - E8 A50E1100 - call Client.exe+1F53B0
004E450B - 8B 97 B8140000 - mov edx,[edi+000014B8]
004E4511 - 8B 04 95 40661E03 - mov eax,[edx*4+Client.exe+2DE6640] <<
004E4518 - 85 C0 - test eax,eax
004E451A - 74 4A - je Client.exe+E4566
004E456C - 3D 10270000 - cmp eax,00002710
004E4571 - 73 1B - jae Client.exe+E458E
004E4573 - 8B 0C 85 40661E03 - mov ecx,[eax*4+Client.exe+2DE6640] <<
004E457A - 85 C9 - test ecx,ecx
004E457C - 74 10 - je Client.exe+E458E
004E46AE - 81 FE FFFF0000 - cmp esi,0000FFFF
004E46B4 - 74 47 - je Client.exe+E46FD
004E46B6 - 8B 0C B5 40661E03 - mov ecx,[esi*4+Client.exe+2DE6640] <<
004E46BD - 85 C9 - test ecx,ecx
004E46BF - 74 28 - je Client.exe+E46E9
; Probe: call candidate 004C5160 with the player's own object index as its argument.
; edi = role object base (self), loaded from the BaseRoleObj address 0x31E663C
mov edi,dword ptr ds:[0x31E663C]
; eax = [edi+0x14B8], the self object's index into the all-objects array
MOV EAX,DWORD PTR DS:[EDI+0x14B8]
push eax                                ; argument: object index
mov ecx,edi                             ; ecx = self object (presumably the `this` pointer; confirm in the callee)
CALL 004C5160                           ; author's verdict: not the NPC-dialog call
004C5166 - 3D 0F270000 - cmp eax,0000270F
004C516B - 77 2B - ja Client.exe+C5198
004C516D - 8B 04 85 40661E03 - mov eax,[eax*4+Client.exe+2DE6640] <<5
004C5174 - 85 C0 - test eax,eax
004C5176 - 74 20 - je Client.exe+C5198
004CB796 - 81 FA 0F270000 - cmp edx,0000270F
004CB79C - 0F87 BB000000 - ja Client.exe+CB85D
004CB7A2 - 8B 0C 95 40661E03 - mov ecx,[edx*4+Client.exe+2DE6640] <<
004CB7A9 - 85 C9 - test ecx,ecx
004CB7AB - 0F84 AC000000 - je Client.exe+CB85D
004E481A - 3D FFFF0000 - cmp eax,0000FFFF
004E481F - 0F84 AF000000 - je Client.exe+E48D4
004E4825 - 8B 0C 85 40661E03 - mov ecx,[eax*4+Client.exe+2DE6640] <<
004E482C - 85 C9 - test ecx,ecx
004E482E - 0F84 A0000000 - je Client.exe+E48D4
004E4878 - D9 5E 2C - fstp dword ptr [esi+2C]
004E487B - 8B 95 FCAAFFFF - mov edx,[ebp-00005504]
004E4881 - 8B 04 95 40661E03 - mov eax,[edx*4+Client.exe+2DE6640] <<
004E4888 - 50 - push eax
004E4889 - 56 - push esi
004DCCC2 - D9 46 2C - fld dword ptr [esi+2C]
004DCCC5 - E8 F6D34500 - call Client.exe+53A0C0
004DCCCA - 8B 0C BD 40661E03 - mov ecx,[edi*4+Client.exe+2DE6640] << 9
004DCCD1 - 50 - push eax
004DCCD2 - 51 - push ecx
004DD018 - DC 05 30C49E00 - fadd qword ptr [Client.exe+5EC430]
004DD01E - E8 9DD04500 - call Client.exe+53A0C0
004DD023 - 8B 0C BD 40661E03 - mov ecx,[edi*4+Client.exe+2DE6640] <<
004DD02A - 50 - push eax
004DD02B - 51 - push ecx
004DD035 - 0F84 D6090000 - je Client.exe+DDA11
004DD03B - 8B 56 14 - mov edx,[esi+14]
004DD03E - 8B 3C 95 40661E03 - mov edi,[edx*4+Client.exe+2DE6640] <<
004DD045 - 8B 07 - mov eax,[edi]
004DD047 - 8B 50 04 - mov edx,[eax+04]
004DD729 - 0F85 B9020000 - jne Client.exe+DD9E8
004DD72F - 8B 46 14 - mov eax,[esi+14]
004DD732 - 8B 0C 85 40661E03 - mov ecx,[eax*4+Client.exe+2DE6640] <<
004DD739 - 85 C9 - test ecx,ecx
004DD73B - 74 7F - je Client.exe+DD7BC
004DD7AE - 74 49 - je Client.exe+DD7F9
004DD7B0 - 8B 46 14 - mov eax,[esi+14]
004DD7B3 - 8B 0C 85 40661E03 - mov ecx,[eax*4+Client.exe+2DE6640] <<
004DD7BA - EB 2D - jmp Client.exe+DD7E9
004DD7BC - 8B 4E 14 - mov ecx,[esi+14]
00735A1D - 8B 15 3C661E03 - mov edx,[Client.exe+2DE663C]
00735A23 - 8B 82 B8140000 - mov eax,[edx+000014B8]
00735A29 - 8B 0C 85 40661E03 - mov ecx,[eax*4+Client.exe+2DE6640] <<
00735A30 - 51 - push ecx
00735A31 - 8B 0D 586DCF00 - mov ecx,[Client.exe+8F6D58]
007F04D6 - 8D A4 24 00000000 - lea esp,[esp+00000000]
007F04DD - 8D 49 00 - lea ecx,[ecx+00]
007F04E0 - 39 1C 85 40661E03 - cmp [eax*4+Client.exe+2DE6640],ebx <<
007F04E7 - 0F84 3E010000 - je Client.exe+3F062B
007F04ED - 40 - inc eax
0073A685 /74 2A JE SHORT Client.0073A6B1
0073A687 |83E8 77 SUB EAX,0x77
0073A68A |74 11 JE SHORT Client.0073A69D
0073A68C |83E8 1A SUB EAX,0x1A
0073A68F |75 39 JNZ SHORT Client.0073A6CA
0073A691 |57 PUSH EDI
0073A692 |E8 99DFFFFF CALL Client.00738630 ; 打開/關閉NPC
0073A697 |5F POP EDI
0073A698 |5E POP ESI
0073A699 |5D POP EBP
0073A20C E8 EFF2D1FF CALL Client.00459500
0073A211 EB 07 JMP SHORT Client.0073A21A
0073A213 6A 00 PUSH 0x0
0073A215 E8 2618D2FF CALL Client.0045BA40
0073A21A 8B15 C098F500 MOV EDX,DWORD PTR DS:[0xF598C0]
0073A220 6A 00 PUSH 0x0
0073A222 C705 C812F500 0>MOV DWORD PTR DS:[0xF512C8],0x0
0073A22C 8B82 A0020000 MOV EAX,DWORD PTR DS:[EDX+0x2A0]
0073A232 FF88 28020000 DEC DWORD PTR DS:[EAX+0x228]
0073A238 6A 01 PUSH 0x1
0073A23A 68 31040000 PUSH 0x431
0073A23F E8 2C060B00 CALL Client.007EA870
0073A244 83C4 0C ADD ESP,0xC
0073A247 C686 B5020000 0>MOV BYTE PTR DS:[ESI+0x2B5],0x0
0073A24E EB 3B JMP SHORT Client.0073A28B
0073A250 394B 04 CMP DWORD PTR DS:[EBX+0x4],ECX
0073A253 75 12 JNZ SHORT Client.0073A267
0073A255 8B0D C098F500 MOV ECX,DWORD PTR DS:[0xF598C0]
0073A25B 6A 09 PUSH 0x9
0073A25D 68 B5030000 PUSH 0x3B5
0073A262 E8 49B1EBFF CALL Client.005F53B0
0073A267 837B 04 01 CMP DWORD PTR DS:[EBX+0x4],0x1
0073A26B 75 1E JNZ SHORT Client.0073A28B
0073A26D 8B43 08 MOV EAX,DWORD PTR DS:[EBX+0x8] ; 00F4363E==EBX
0073A270 6A 01 PUSH 0x1
0073A272 50 PUSH EAX ; 27,1 NPC編號
0073A273 8BCE MOV ECX,ESI ; 0990D828
0073A275 E8 46D9FFFF CALL Client.00737BC0 ; 打開NPC 對話的CALL
0073A27A C705 C812F500 0>MOV DWORD PTR DS:[0xF512C8],0x1
0073A284 C686 B5020000 0>MOV BYTE PTR DS:[ESI+0x2B5],0x1
0073A28B 8B03 MOV EAX,DWORD PTR DS:[EBX]
0073A28D 83C0 FE ADD EAX,-0x2
0073A290 83F8 2F CMP EAX,0x2F
0073A293 74 10 JE SHORT Client.0073A2A5
0073A295 83F8 34 CMP EAX,0x34
0073A298 74 0B JE SHORT Client.0073A2A5
0073A29A 3D 9A000000 CMP EAX,0x9A
0073A29F 0F85 DE000000 JNZ Client.0073A383
0073A2A5 817B 0C C800000>CMP DWORD PTR DS:[EBX+0xC],0xC8
0073A2AC 0F85 D1000000 JNZ Client.0073A383
0073A2B2 A1 44A3AF00 MOV EAX,DWORD PTR DS:[0xAFA344]
0073A2B7 8985 E49EFFFF MOV DWORD PTR SS:[EBP+0xFFFF9EE4],EAX
0073A2BD C745 FC 0000000>MOV DWORD PTR SS:[EBP-0x4],0x0
0073A2C4 8985 E89EFFFF MOV DWORD PTR SS:[EBP+0xFFFF9EE8],EAX