
暗黑3逆向分析走路CALL特征码与代码编写

//寻路

// Argument block passed by pointer (pMove) to the walk call in MoveToCoord
// below. The callee is game code, not ours, so the field order and size are
// interpreted by that code — do not reorder, repack or pad this struct.
typedef struct _Move_Struct
{
    float x;            // target coordinates; MoveToCoord copies its x/y/z
    float y;            // parameters straight into these three fields
    float z;
    ULONG MapId;        // author marked this '?'. MoveToCoord fills it from a
                        // pointer chain off dwCoordBase; its meaning is
                        // unconfirmed — treat as an opaque value, not a map id

}Move_Struct, *PMove_Struct;

void MoveToCoord(float x, float y, float z)
{
    __try
    {    

        Move_Struct Move = {0};
        
        Move.x = x;
        Move.y = y;
        Move.z = z;
        
        __asm
        {    
            mov eax, dwCoordBase
            mov eax, [eax]
            mov eax, [eax + 778h]
            mov eax, [eax + 38h]
            mov Move.MapId, eax
        }

        PVOID pMove = (PVOID)&Move;
        ULONG u1;

        __asm
        {    
            mov eax, dwCoordBase
            mov eax, [eax]
            mov eax, [eax + 8B0h]
            mov eax, [eax + 148h]
            mov eax, [eax]
            add eax, 10A0h        
            mov edi, eax        //dwMySelfObject ?
            mov ecx, [edi + 380h]
            mov esi, [ecx]
            mov eax, [esi + 4]
            push 0
            push 42C80000h
            push -1
            push 0
            push 0000777Ch
            push -1
            push 0
            push 200010h
            push 00011060h
            push 0
            push 0
            push pMove
            mov u1, eax
            call eax
        }


        
        
; Raw fragment (OllyDbg-style x86-32 syntax: hex literals carry no suffix) of
; the same walk call that MoveToCoord above builds with inline asm. It is not a
; function: no prologue, no ret, and eax/ecx/edx should be assumed clobbered by
; the call. The absolute call target and the pushed constants are tied to the
; exact game build this listing was taken from and are not stable across builds.
push 41BF900B                   ; three dwords pushed back-to-back ...
push 45325FD0                   ; ... presumably the x/y/z floats of Move_Struct,
push 45324896                   ;     in reverse push order — TODO confirm
mov edx,esp                     ; edx = pointer to those 12 bytes (the Move_Struct arg)
                                ; NOTE(review): only 12 bytes are built here; if the
                                ; callee reads Move_Struct.MapId (4th dword) it gets
                                ; whatever happens to lie above on the stack
push 0                          ; argument dwords follow: 10 here versus 12 in the
push 0A9E402C                   ;   inline-asm version (which pushes 42C80000h at
push 0FFFFFFFF                  ;   this position and two extra zeros before pMove)
push 0
push 0000777C                   ; same constant as the inline-asm version
push 0FFFFFFFF
push 0A9E402C                   ; repeated value; looks like an address — unverified
push 00200010
push 00011068                   ; inline-asm version pushes 11060h here
push edx                        ; pushed last = first argument: the coordinate block
call 00B4A550                   ; hard-coded absolute call target; build-specific
add esp,0c                      ; drops only the three coordinate dwords; the 10
                                ; argument dwords are left for the callee to remove
                                ; (stdcall-style) — assumed, the callee's retn size
                                ; is not shown on this page



50 8B 46 04 83 EC 08 D9 5C 24 04 8D 55 E0 D9 45 18 D9 1C 24 52
下1
0097998A        |.  51                    push    ecx
0097998B        |.  D91C24                fstp    dword ptr ss:[esp]
0097998E        |.  6A FF                 push    -1
00979990        |.  D945 14               fld     [arg.4]
00979993        |.  6A 00                 push    0
00979995        |.  53                    push    ebx
00979996        |.  6A FF                 push    -1
00979998        |.  51                    push    ecx
00979999        |.  D91C24                fstp    dword ptr ss:[esp]
0097999C        |.  52                    push    edx
0097999D        |.  D9EE                  fldz
0097999F        |.  50                    push    eax                                    ;  Diablo_I.00B4A410
009799A0        |.  8B46 04               mov     eax, dword ptr ds:[esi+4]              ;  Diablo_I.00B4A410
009799A3        |.  83EC 08               sub     esp, 8
009799A6        |.  D95C24 04             fstp    dword ptr ss:[esp+4]
009799AA        |.  8D55 E0               lea     edx, [local.8]
009799AD        |.  D945 18               fld     [arg.5]
009799B0        |.  D91C24                fstp    dword ptr ss:[esp]
009799B3        |.  52                    push    edx                                   
009799B4        |.  FFD0                  call    near eax      00B4A410              ;  //走路call2  nop不能走eax=00B4A410
009799B6        |.  E8 3511FCFF           call    0093AAF0
009799BB        |.  5F                    pop     edi                                    ;  d3d9.4B68F4A4
009799BC        |.  5E                    pop     esi                                    ;  d3d9.4B68F4A4
009799BD        |.  B8 01000000           mov     eax, 1
009799C2        |.  5B                    pop     ebx                                    ;  d3d9.4B68F4A4
009799C3        |.  8BE5                  mov     esp, ebp
009799C5        |.  5D                    pop     ebp                                    ;  d3d9.4B68F4A4
009799C6        \.  C3                    retn

83 EC 08 D9 5C 24 04 8B CF D9 45 0C D9 1C 24 50
下6 //走路call nop不会走路
00B4A503         |.  8B4D 2C               mov     ecx, [arg.10]
00B4A506         |.  D91C24                fstp    dword ptr ss:[esp]
00B4A509         |.  D945 1C               fld     [arg.6]
00B4A50C         |.  51                    push    ecx
00B4A50D         |.  8B4D 20               mov     ecx, [arg.7]                           ;  Diablo_I.013E4458
00B4A510         |.  52                    push    edx
00B4A511         |.  8B55 18               mov     edx, [arg.5]                           ;  Diablo_I.01572994
00B4A514         |.  50                    push    eax                                    ;  Diablo_I.00B4A410
00B4A515         |.  8B45 08               mov     eax, [arg.1]
00B4A518         |.  51                    push    ecx
00B4A519         |.  51                    push    ecx
00B4A51A         |.  D91C24                fstp    dword ptr ss:[esp]
00B4A51D         |.  52                    push    edx
00B4A51E         |.  D945 10               fld     [arg.3]
00B4A521         |.  53                    push    ebx
00B4A522         |.  83EC 08               sub     esp, 8
00B4A525         |.  D95C24 04             fstp    dword ptr ss:[esp+4]
00B4A529         |.  8BCF                  mov     ecx, edi
00B4A52B         |.  D945 0C               fld     [arg.2]
00B4A52E         |.  D91C24                fstp    dword ptr ss:[esp]
00B4A531         |.  50                    push    eax                                    ;  Diablo_I.00B4A410
00B4A532         |.  E8 792AD9FF           call    008DCFB0                               ;  //走路call nop不会走路
00B4A537         |.  C787 68010000 0000000>mov     dword ptr ds:[edi+168], 0
00B4A541         |.  5F                    pop     edi                                    ;  d3d9.4B68F4A4
00B4A542         |.  5E                    pop     esi                                    ;  d3d9.4B68F4A4
00B4A543         |.  5B                    pop     ebx                                    ;  d3d9.4B68F4A4
00B4A544         |.  8BE5                  mov     esp, ebp
00B4A546         |.  5D                    pop     ebp                                    ;  d3d9.4B68F4A4
00B4A547         \.  C2 3000               retn    30

==========================


仅供技术研究交流 切勿用于非法用途 
