程序中call的汇编代码截图,红色处即是如下
这是拷贝出来的汇编代码：
0081E7CF E8 0CF9CAFF call woool.004CE0E0
0081E7D4 8D4C24 1C lea ecx,dword ptr ss:[esp+0x1C]
0081E7D8 51 push ecx ; 19edf8
0081E7D9 8B0D B0603801 mov ecx,dword ptr ds:[0x13860B0] ; 093D5828
0081E7DF 81C6 6C020000 add esi,0x26C
0081E7E5 56 push esi
0081E7E6 6A 01 push 0x1
0081E7E8 68 6C51F400 push woool.00F4516C ; ASCII "baodi2021"
0081E7ED E8 2EBCEFFF call woool.0071A420
0081E7F2 C78424 44020000>mov dword ptr ss:[esp+0x244],-0x1
0081E7FD 8B4424 20 mov eax,dword ptr ss:[esp+0x20]
0081E801 3BC5 cmp eax,ebp
0081E803 74 09 je short woool.0081E80E
0081E805 50 push eax
0081E806 E8 9DE54F00 call woool.00D1CDA8
执行动作,在程序发包断下时的堆栈信息如下图
下面是当时的堆栈信息文本信息
EAX 0019EDCC
ECX 0951CFB0
EDX 3677EFDC
EBX 00000201
ESP 0019EDCC
EBP 00000000
ESI 230D6534
EDI 1F59B8C0
下面是当时od右下区的堆栈信息
0019EDCC 00F4516C ASCII "baodi2021"
0019EDD0 00000001
0019EDD4 230D6534
0019EDD8 0019EDF8
0019EDDC 86F5391A
0019EDE0 00000003
0019EDE4 1F59B8C0
0019EDE8 0019F084
0019EDEC 00000107
0019EDF0 00000001
该call具体信息如下
0071A420 6A FF push -0x1
0071A422 68 C6D7EA00 push woool.00EAD7C6
0071A427 64:A1 00000000 mov eax,dword ptr fs:[0]
0071A42D 50 push eax
0071A42E 81EC 98000000 sub esp,0x98
0071A434 A1 98CB0C01 mov eax,dword ptr ds:[0x10CCB98]
0071A439 33C4 xor eax,esp
0071A43B 898424 94000000 mov dword ptr ss:[esp+0x94],eax
0071A442 53 push ebx
0071A443 55 push ebp
0071A444 56 push esi
0071A445 57 push edi
0071A446 A1 98CB0C01 mov eax,dword ptr ds:[0x10CCB98]
0071A44B 33C4 xor eax,esp
0071A44D 50 push eax
0071A44E 8D8424 AC000000 lea eax,dword ptr ss:[esp+0xAC]
0071A455 64:A3 00000000 mov dword ptr fs:[0],eax
0071A45B 8B8424 C8000000 mov eax,dword ptr ss:[esp+0xC8] ; user32.7569BB2A
0071A462 8BB424 BC000000 mov esi,dword ptr ss:[esp+0xBC]
0071A469 8B9C24 C4000000 mov ebx,dword ptr ss:[esp+0xC4] ; win32u.7564101C
0071A470 8D69 14 lea ebp,dword ptr ds:[ecx+0x14]
0071A473 894424 14 mov dword ptr ss:[esp+0x14],eax
0071A477 33C0 xor eax,eax
0071A479 8945 00 mov dword ptr ss:[ebp],eax
0071A47C 8945 04 mov dword ptr ss:[ebp+0x4],eax
0071A47F 8945 08 mov dword ptr ss:[ebp+0x8],eax
0071A482 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34]
0071A486 66:C745 04 020A mov word ptr ss:[ebp+0x4],0xA02
0071A48C E8 6F3AF0FF call woool.0061DF00
0071A491 C78424 B4000000>mov dword ptr ss:[esp+0xB4],0x0
0071A49C 8BC6 mov eax,esi
0071A49E 8D50 01 lea edx,dword ptr ds:[eax+0x1]
0071A4A1 8A08 mov cl,byte ptr ds:[eax]
0071A4A3 83C0 01 add eax,0x1
0071A4A6 84C9 test cl,cl
0071A4A8 ^ 75 F7 jnz short woool.0071A4A1
0071A4AA 2BC2 sub eax,edx
0071A4AC 50 push eax
0071A4AD 56 push esi
0071A4AE 8D4C24 4C lea ecx,dword ptr ss:[esp+0x4C]
0071A4B2 E8 4974CEFF call woool.00401900
0071A4B7 8A8C24 C0000000 mov cl,byte ptr ss:[esp+0xC0]
0071A4BE 884C24 60 mov byte ptr ss:[esp+0x60],cl
0071A4C2 BF 5093F300 mov edi,woool.00F39350 ; ASCII "guildmgr"
0071A4C7 B9 09000000 mov ecx,0x9
0071A4CC 33D2 xor edx,edx
0071A4CE F3:A6 repe cmps byte ptr es:[edi],byte ptr ds:>
0071A4D0 75 05 jnz short woool.0071A4D7
0071A4D2 3953 14 cmp dword ptr ds:[ebx+0x14],edx
0071A4D5 74 0A je short woool.0071A4E1
0071A4D7 53 push ebx
0071A4D8 8D4C24 68 lea ecx,dword ptr ss:[esp+0x68]
0071A4DC E8 8FE1CEFF call woool.00408670
0071A4E1 8B4424 14 mov eax,dword ptr ss:[esp+0x14] ; user32.7569830F
0071A4E5 50 push eax
0071A4E6 8D4C24 78 lea ecx,dword ptr ss:[esp+0x78]
0071A4EA E8 51601A00 call woool.008C0540
0071A4EF 8D4C24 18 lea ecx,dword ptr ss:[esp+0x18]
0071A4F3 51 push ecx
0071A4F4 8D4C24 38 lea ecx,dword ptr ss:[esp+0x38]
0071A4F8 E8 7350F8FF call woool.0069F570
0071A4FD C68424 B4000000>mov byte ptr ss:[esp+0xB4],0x1
0071A505 8B7424 2C mov esi,dword ptr ss:[esp+0x2C] ; d3d9.6E4F4240
0071A509 81FE F4FF0000 cmp esi,0xFFF4
0071A50F 76 05 jbe short woool.0071A516
0071A511 BE F4FF0000 mov esi,0xFFF4
0071A516 8B4424 1C mov eax,dword ptr ss:[esp+0x1C]
0071A51A BF 10000000 mov edi,0x10
0071A51F 397C24 30 cmp dword ptr ss:[esp+0x30],edi
0071A523 73 04 jnb short woool.0071A529
0071A525 8D4424 1C lea eax,dword ptr ss:[esp+0x1C]
0071A529 56 push esi
0071A52A 50 push eax
0071A52B 8D55 0C lea edx,dword ptr ss:[ebp+0xC]
0071A52E 52 push edx
0071A52F E8 EC686000 call woool.00D20E20
0071A534 8B0D A4603801 mov ecx,dword ptr ds:[0x13860A4] ; 16C33020
0071A53A 83C4 0C add esp,0xC
0071A53D 6A 00 push 0x0
0071A53F 6A 01 push 0x1
0071A541 6A 01 push 0x1
0071A543 8D46 0C lea eax,dword ptr ds:[esi+0xC]
0071A546 50 push eax ; 37
0071A547 55 push ebp ; 093D583C
0071A548 6A 00 push 0x0
0071A54A E8 F1EFEDFF call woool.005F9540
0071A54F C68424 B4000000>mov byte ptr ss:[esp+0xB4],0x0
0071A557 397C24 30 cmp dword ptr ss:[esp+0x30],edi
0071A55B 72 0D jb short woool.0071A56A
0071A55D 8B4424 1C mov eax,dword ptr ss:[esp+0x1C]
0071A561 50 push eax
0071A562 E8 41286000 call woool.00D1CDA8
0071A567 83C4 04 add esp,0x4
0071A56A C74424 30 0F000>mov dword ptr ss:[esp+0x30],0xF
0071A572 C74424 2C 00000>mov dword ptr ss:[esp+0x2C],0x0
0071A57A C64424 1C 00 mov byte ptr ss:[esp+0x1C],0x0
0071A57F C78424 B4000000>mov dword ptr ss:[esp+0xB4],-0x1
0071A58A 8D4C24 34 lea ecx,dword ptr ss:[esp+0x34]
0071A58E E8 5D38F0FF call woool.0061DDF0
0071A593 8B8C24 AC000000 mov ecx,dword ptr ss:[esp+0xAC]
0071A59A 64:890D 0000000>mov dword ptr fs:[0],ecx
0071A5A1 59 pop ecx ; 0019FC70
0071A5A2 5F pop edi ; 0019FC70
0071A5A3 5E pop esi ; 0019FC70
0071A5A4 5D pop ebp ; 0019FC70
0071A5A5 5B pop ebx ; 0019FC70
0071A5A6 8B8C24 94000000 mov ecx,dword ptr ss:[esp+0x94]
0071A5AD 33CC xor ecx,esp
0071A5AF E8 902E6000 call woool.00D1D444
0071A5B4 81C4 A4000000 add esp,0xA4
0071A5BA C2 1000 retn 0x10
准备构造的call原型如下
push ecx
mov ecx,dword ptr ds:[0x13860B0]
push esi
push 0x1
push 00F4516C
call 0071A420
根据当前堆栈压数据,如下是堆栈信息
0019EDCC 00F4516C ASCII "baodi2021"
0019EDD0 00000001
0019EDD4 230D6534
0019EDD8 0019EDF8
esi是构造地图标识的,如下
230D6534 00 00 00 00 62 6B 6D 63 5F 62 64 00 00 00 00 00 ....bkmc_bd.....
所以esi是6b90000
因此最终在德玛西亚测试时的代码如下
push 0019EDF8
mov ecx,dword ptr ds:[0x13860B0]
push 6b90000
push 0x1
push 00F4516C
call 0071A420
运行结果：直接崩了
再尝试push的ecx参数不按堆栈传,直接
先构造地图标识如下:
所以最终德玛西亚测试call如下
push 0947EEC0
mov ecx,dword ptr ds:[0x13860B0]
push 37780000
push 0x1
push 00F4516C
call 0071A420
执行结果是执行成功，但是游戏没有反应，如下图
所以疑惑是
而游戏里的esi的值如下图
我构造的数据只有16个字节，是否是这里出了问题？
另外，这个游戏的其他call测试都没有问题，是不是能说明这个call不会被游戏屏蔽，应该是测试call写得不对吧。
2022年7月27日11:31:35
我晚上这样看行不行
lea ecx,dword ptr ss:[esp+0x1C]
push ecx
mov ecx,dword ptr ds:[0x13860B0]
push 37780000 //这里是构造地图的数据的地址
push 0x1
push 00F4516C
call 0071A420
可以看下 C++ 的 call_once<>()