1、申 请 I D :仙木同学
2、个人邮箱:2523749769@qq.com
3、QQ飞车取控件内容思路及方法
控件遍历基址=Top-Kart.dll+2A65488
遍历方法:
1、首先是一个根节点: [Top-Kart.dll+27FAA40]
2、判断该节点有多少个小控件,size=([当前节点+0x24]-[当前节点+0x20])/4
3、对象的表达式就是:[[当前节点+0x2C]+i*4]
4、然后递归的条件是:([当前对象+ 0x4F8]>>7)&1是否不等于0,如果不等于0,那么就进行递归,下一个节点就是 当前对象
控件名=[控件对象+0x78]
控件名长度=[控件对象+0x8C] >16
控件内容=[控件对象+0x60] 长度+0x10
控件名2=[控件对象+0x48]
特征码:8B0D????????85C9744A568B35????????8BC699
基址的代码:
12BDA365 55 PUSH EBP
12BDA366 8BEC MOV EBP,ESP
12BDA368 8B0D 88549413 MOV ECX,DWORD PTR DS:[13945488] ; 控件遍历基址
12BDA36E 85C9 TEST ECX,ECX
12BDA370 74 4A JE SHORT Top-Kart.12BDA3BC
12BDA372 56 PUSH ESI
12BDA373 8B35 F4759413 MOV ESI,DWORD PTR DS:[139475F4]
12BDA379 8BC6 MOV EAX,ESI
12BDA37B 99 CDQ
12BDA37C F77D 0C IDIV DWORD PTR SS:[EBP+C]
12BDA37F F3:0F1005 F8759>MOVSS XMM0,DWORD PTR DS:[139475F8]
12BDA387 F3:0F5845 08 ADDSS XMM0,DWORD PTR SS:[EBP+8]
12BDA38C F3:0F1105 F8759>MOVSS DWORD PTR DS:[139475F8],XMM0
12BDA394 85D2 TEST EDX,EDX
12BDA396 74 06 JE SHORT Top-Kart.12BDA39E
12BDA398 0F2F45 10 COMISS XMM0,DWORD PTR SS:[EBP+10]
12BDA39C 76 16 JBE SHORT Top-Kart.12BDA3B4
12BDA39E 8B01 MOV EAX,DWORD PTR DS:[ECX]
12BDA3A0 51 PUSH ECX
12BDA3A1 F3:0F110424 MOVSS DWORD PTR SS:[ESP],XMM0
12BDA3A6 FF90 38020000 CALL DWORD PTR DS:[EAX+238]
12BDA3AC 33F6 XOR ESI,ESI
12BDA3AE 2135 F8759413 AND DWORD PTR DS:[139475F8],ESI
12BDA3B4 46 INC ESI
12BDA3B5 8935 F4759413 MOV DWORD PTR DS:[139475F4],ESI
12BDA3BB 5E POP ESI
12BDA3BC 5D POP EBP
12BDA3BD C3 RETN
12BDA3BE 55 PUSH EBP
12BDA3BF 8BEC MOV EBP,ESP
12BDA3C1 F3:0F1045 08 MOVSS XMM0,DWORD PTR SS:[EBP+8]
12BDA3C6 51 PUSH ECX
12BDA3C7 8B0D 88549413 MOV ECX,DWORD PTR DS:[13945488]
12BDA3CD F3:0F110424 MOVSS DWORD PTR SS:[ESP],XMM0
12BDA3D2 E8 9EB8FFFF CALL Top-Kart.12BD5C75
12BDA3D7 5D POP EBP
12BDA3D8 C3 RETN
循环的代码:
12BD5B5F 55 PUSH EBP ; 头部
12BD5B60 8BEC MOV EBP,ESP
12BD5B62 803D 25559413 0>CMP BYTE PTR DS:[13945525],0
12BD5B69 56 PUSH ESI
12BD5B6A 8BF1 MOV ESI,ECX
12BD5B6C 74 1D JE SHORT Top-Kart.12BD5B8B
12BD5B6E 8B06 MOV EAX,DWORD PTR DS:[ESI]
12BD5B70 FF50 1C CALL DWORD PTR DS:[EAX+1C]
12BD5B73 84C0 TEST AL,AL
12BD5B75 75 14 JNZ SHORT Top-Kart.12BD5B8B
12BD5B77 3886 C8050000 CMP BYTE PTR DS:[ESI+5C8],AL
12BD5B7D 75 0C JNZ SHORT Top-Kart.12BD5B8B
12BD5B7F 3886 C9050000 CMP BYTE PTR DS:[ESI+5C9],AL
12BD5B85 0F84 C4000000 JE Top-Kart.12BD5C4F
12BD5B8B 8B06 MOV EAX,DWORD PTR DS:[ESI] ; esi=控件对象
12BD5B8D F3:0F1045 08 MOVSS XMM0,DWORD PTR SS:[EBP+8]
12BD5B92 51 PUSH ECX
12BD5B93 8BCE MOV ECX,ESI
12BD5B95 F3:0F110424 MOVSS DWORD PTR SS:[ESP],XMM0
12BD5B9A FF90 BC010000 CALL DWORD PTR DS:[EAX+1BC]
12BD5BA0 A1 88549413 MOV EAX,DWORD PTR DS:[13945488]
12BD5BA5 85C0 TEST EAX,EAX
12BD5BA7 74 13 JE SHORT Top-Kart.12BD5BBC
12BD5BA9 3946 1C CMP DWORD PTR DS:[ESI+1C],EAX
12BD5BAC 75 08 JNZ SHORT Top-Kart.12BD5BB6
12BD5BAE FF80 78090000 INC DWORD PTR DS:[EAX+978]
12BD5BB4 EB 06 JMP SHORT Top-Kart.12BD5BBC
12BD5BB6 FF80 7C090000 INC DWORD PTR DS:[EAX+97C]
12BD5BBC 8B46 24 MOV EAX,DWORD PTR DS:[ESI+24] ; 数组尾
12BD5BBF 8B4E 20 MOV ECX,DWORD PTR DS:[ESI+20] ; 数组头
12BD5BC2 2BC1 SUB EAX,ECX
12BD5BC4 53 PUSH EBX
12BD5BC5 33DB XOR EBX,EBX
12BD5BC7 A9 FCFFFFFF TEST EAX,FFFFFFFC
12BD5BCC 7E 6B JLE SHORT Top-Kart.12BD5C39
12BD5BCE 57 PUSH EDI
12BD5BCF 8B3C99 MOV EDI,DWORD PTR DS:[ECX+EBX*4] ; 循环头
12BD5BD2 85FF TEST EDI,EDI ; 数组结构
12BD5BD4 74 52 JE SHORT Top-Kart.12BD5C28
12BD5BD6 F687 54050000 0>TEST BYTE PTR DS:[EDI+554],1
12BD5BDD 74 13 JE SHORT Top-Kart.12BD5BF2
12BD5BDF 8B07 MOV EAX,DWORD PTR DS:[EDI]
12BD5BE1 8BCF MOV ECX,EDI
12BD5BE3 FF50 1C CALL DWORD PTR DS:[EAX+1C]
12BD5BE6 84C0 TEST AL,AL
12BD5BE8 75 08 JNZ SHORT Top-Kart.12BD5BF2
12BD5BEA 3887 C9050000 CMP BYTE PTR DS:[EDI+5C9],AL
12BD5BF0 74 36 JE SHORT Top-Kart.12BD5C28 ; 判断1
12BD5BF2 803D 25559413 0>CMP BYTE PTR DS:[13945525],0
12BD5BF9 74 1B JE SHORT Top-Kart.12BD5C16
12BD5BFB 8B07 MOV EAX,DWORD PTR DS:[EDI]
12BD5BFD 8BCF MOV ECX,EDI
12BD5BFF FF50 1C CALL DWORD PTR DS:[EAX+1C]
12BD5C02 84C0 TEST AL,AL
12BD5C04 75 10 JNZ SHORT Top-Kart.12BD5C16
12BD5C06 3887 C8050000 CMP BYTE PTR DS:[EDI+5C8],AL
12BD5C0C 75 08 JNZ SHORT Top-Kart.12BD5C16
12BD5C0E 3887 C9050000 CMP BYTE PTR DS:[EDI+5C9],AL
12BD5C14 74 12 JE SHORT Top-Kart.12BD5C28 ; 判断2
12BD5C16 F3:0F1045 08 MOVSS XMM0,DWORD PTR SS:[EBP+8]
12BD5C1B 51 PUSH ECX
12BD5C1C 8BCF MOV ECX,EDI
12BD5C1E F3:0F110424 MOVSS DWORD PTR SS:[ESP],XMM0
12BD5C23 E8 37FFFFFF CALL Top-Kart.12BD5B5F ; 递归
12BD5C28 8B46 24 MOV EAX,DWORD PTR DS:[ESI+24]
12BD5C2B 43 INC EBX
12BD5C2C 8B4E 20 MOV ECX,DWORD PTR DS:[ESI+20]
12BD5C2F 2BC1 SUB EAX,ECX
12BD5C31 C1F8 02 SAR EAX,2
12BD5C34 3BD8 CMP EBX,EAX
12BD5C36 ^ 7C 97 JL SHORT Top-Kart.12BD5BCF ; 循环尾
12BD5C38 5F POP EDI
12BD5C39 8B06 MOV EAX,DWORD PTR DS:[ESI]
12BD5C3B F3:0F1045 08 MOVSS XMM0,DWORD PTR SS:[EBP+8]
12BD5C40 51 PUSH ECX
12BD5C41 8BCE MOV ECX,ESI
12BD5C43 F3:0F110424 MOVSS DWORD PTR SS:[ESP],XMM0
12BD5C48 FF90 C0010000 CALL DWORD PTR DS:[EAX+1C0]
12BD5C4E 5B POP EBX
12BD5C4F 5E POP ESI
12BD5C50 5D POP EBP
12BD5C51 C2 0400 RETN 4
12BD5C54 55 PUSH EBP
12BD5C55 8BEC MOV EBP,ESP
12BD5C57 8B89 C0080000 MOV ECX,DWORD PTR DS:[ECX+8C0]
12BD5C5D 85C9 TEST ECX,ECX
12BD5C5F 74 10 JE SHORT Top-Kart.12BD5C71
12BD5C61 F3:0F1045 08 MOVSS XMM0,DWORD PTR SS:[EBP+8]
12BD5C66 51 PUSH ECX
12BD5C67 F3:0F110424 MOVSS DWORD PTR SS:[ESP],XMM0
12BD5C6C E8 7F7C0000 CALL Top-Kart.12BDD8F0
12BD5C71 5D POP EBP
12BD5C72 C2 0400 RETN 4
12BD5C75 55 PUSH EBP
12BD5C76 8BEC MOV EBP,ESP
12BD5C78 80B9 75090000 0>CMP BYTE PTR DS:[ECX+975],0
12BD5C7F 74 10 JE SHORT Top-Kart.12BD5C91
12BD5C81 F3:0F1045 08 MOVSS XMM0,DWORD PTR SS:[EBP+8]
12BD5C86 51 PUSH ECX
12BD5C87 F3:0F110424 MOVSS DWORD PTR SS:[ESP],XMM0
12BD5C8C E8 C3FFFFFF CALL Top-Kart.12BD5C54
12BD5C91 5D POP EBP
|
吾爱游客
发表于 2023-6-11 11:25
