本帖最后由 公孙秒秒 于 2019-4-2 18:11 编辑
前言
-------------------------------------------------
这篇教程旨在网游的基址查找和如何用python去查找64位进程的模块,获取模块基址,可以算是我上一个帖子的进阶版。在上一个教程中提过的东西在这篇教程中我会一笔带过以避免帖子太长,所以最好先看我上一篇帖子再来看这篇,以避免有不适!!以下贴出上一篇帖子的地址:
https://www.52pojie.cn/thread-913032-1-1.html
我会把我找到的程序的代码段都放上来,所以第一眼看起来这个帖子会很长,其实并不是,都是那些代码段太长了!!!!!实际操作并不复杂的!!真的!!!
视频教程地址:
-------------------------------------------------
顺便附上个人录制的视频教程地址,看到下面太长不想看的同学可以去观看视频版,以下是视频地址:
https://www.bilibili.com/video/av47453086/?p=2
视频里有个地方说错了,我在视频的置顶评论中进行更正了,对不起我有罪,我下次不三点爬起来录视频了
说些碎碎念:
网游基址的存在也要比单机游戏复杂很多,鬼泣五中我们找了一层调用就找到了基址,这在网游中是非常非常少的。而网游找基址究竟有没有用,仁者见仁智者见智了口巴,我也只是分享个方法。 网游的基址会随着安全更新而变动,这个问题,嗯,我现在也不知道怎么解决,抛砖引玉的时刻到了,如果有大牛愿意教我的话先五体投地了!!!!
这一次我不说骚话了,真的!
然后,你们千万别去跟上个帖子一样对搜索结果进行修改啊!!会被封号的!!!
需要用到的软件
-------------------------------------------------------------------------------
CE
X64DBG
Notepad++(选修课)
*这里讨论的python是32位的,如果使用64位python的情况下其实可以直接通过kernel32.dll中的相关函数进行操作的,这里主要是打破32程序与64位程序的壁垒,很多插件都是32位的,所以你懂的,使用64位python调用会产生一些莫名其妙的问题,慎用
查找基址阶段
-------------------------------------------------------------------------------
首先打开我们的游戏和CE这里CE需要更改一下设置,就是打开他的VEH模式,否则的话很容易被检测出来,如果VEH模式这里是灰色的,不能选中的话,可以关闭CE,然后用管理员运行就可以修改了
游戏设置,打开茗伊插件里的我的位置,这样可以清晰的显示出你的坐标了,坐标的位置在我们一开始的小扳手上方。第一项代表的是当前地图,第二项代表的是X轴,第三项代表的是Y轴,第四项代表的是Z轴,也就是高度轴。
然后我们用CE搜索X坐标,别忘记用CE打开游戏进程!!!
结果非常多对不度,没关系,我们让人物动一动,饭后走一走,活到九十九,x坐标改变过后再次搜索,一直到只剩下100个左右的时候,我们会发现,现在无论我们怎么搜索,这个值都不会变少了。没关系,网游就是这个样子的,坑比较多,我们一个一个的慢慢找就好了,挨个的找出是什么改写了这个地址。万不要直接像第一期那样,直接上手改!!!一定要注意,因为这是个网游,你随便改他的客户端数据,如果被检测到了,你是可能会被当做外挂封号的,千万要记住啊!!!!
我们要找什么样的指令呢?在上一篇帖子里已经说过了:找出对一个内存单元进行修改的类型,而不是对寄存器进行修改的类型。我们一个一个找出是什么改写了这个地址过后,会发现其实很多都是这样的:7FFEF7B9C3B6 - 49 8B C8 - mov rcx,r8很显然这种对一个寄存器进行赋值的并不是我们要找的类型,因为这只是像我们上期说过的那样,这只是一个中间商而已,并不是巢穴,而我们是要捣毁巢穴的男人!!!需要耐心,继续找,直到找到这样的:7FFEDD30A47D - 89 87 34040000 - mov [rdi+00000434],eax显然这就是我们要找的线索了!他将eax的值写入了rdi+00000434这个内存地址中。我们把这一句复制出来,存到notepa++中。然后关闭CE,打开x64dbg对游戏进行附加。这里千万记住,如果是在游戏刚刚登录成功过后或者是刚刚过图过后,千万等一会再附加,否则会被反调试检测到,附加完成过后游戏会暂停一下,不用管他,我们先隐藏调试器,否则过不了多久就会被检测到调试器然后游戏自毁,其实从这里可以推断出来这个游戏肯定是有一个时钟在检测你的调试的,如何隐藏调试器看下图,这里没有快捷键了,所以手速要快,动作要骚,避免刚好碰到检测游戏直接自毁了
隐藏好调试器过后,我们转到上面找到的指令所对应的汇编地址7FFEDD30A47D,转到过后我们向上找,找到函数的头部,也就是找到ret或者int,这里我们找到了一个ret,按住shift单击ret下面的指令,选中过后复制到notepad++中。这里我们先别急着做别的操作,注意X64DBG的标题栏,我们会发现途中箭头所指的模块后面显示我们并不是在exe模块中,而是在jx3representx64.dll这个模块里,也就是说我们要找的这条指令其实是在jx3representx64.dll模块当中的,这个时候我们需要再去做一件事情,就是记录下模块的基址,为什么要这么操作呢?因为你每次打开游戏或者登录游戏的时候,游戏会重新动态加载这些模块,这些模块的位置会发生改变,所以你需要记录下模块的基址,然后将指令的地址减去模块的基址,就可以得到这条指令在模块当中的偏移,这样如果不慎游戏崩溃或者掉线的话,我们就不需要重新去用CE找指令在哪里了,只用找到模块的基址,然后加上我们计算得到的偏移而重新定位到指令,这与我们平时找基址的道理是一样的。如何获取jx3representx64.dll的基址呢,很简单,打开模块界面(ALT+E)然后找到jx3representx64.dll模块,右键-复制-基址,然后找个地方保存下来:
这里我复制到的结果是:jx3representx64.dll 7FFEDD090000现在我们计算我们用ce找到的7FFEDD1FA47D - 89 87 34040000 - mov [rdi+00000434],eax这条指令的偏移值:偏移=指令当前地址(7FFEDD30A47D)-模块当前基址(7FFEDD090000)=27A47D
*这个值会随着游戏的更新而改变,所以大家去找的时候可能会与我计算得到的值并不相同,记住方法就可以了
然后我们重新回到我们刚才复制的代码当中去:[Asm] 纯文本查看 复制代码 00007FFEDD30A1D0 | 0FB643 34 | movzx eax,byte ptr ds:[rbx+34] |
00007FFEDD30A1D4 | 0F29B424 80000000 | movaps xmmword ptr ss:[rsp+80],xmm6 |
00007FFEDD30A1DC | 0F297C24 70 | movaps xmmword ptr ss:[rsp+70],xmm7 |
00007FFEDD30A1E1 | 24 FC | and al,FC |
00007FFEDD30A1E3 | 3C 68 | cmp al,68 | 68:'h'
00007FFEDD30A1E5 | 74 17 | je jx3representx64.7FFEDD30A1FE |
00007FFEDD30A1E7 | 48:8D53 18 | lea rdx,qword ptr ds:[rbx+18] |
00007FFEDD30A1EB | 48:8BCF | mov rcx,rdi |
00007FFEDD30A1EE | E8 B67DD9FF | call jx3representx64.7FFEDD0A1FA9 |
00007FFEDD30A1F3 | 85C0 | test eax,eax |
00007FFEDD30A1F5 | 0F95C0 | setne al |
00007FFEDD30A1F8 | 8887 14040000 | mov byte ptr ds:[rdi+414],al |
00007FFEDD30A1FE | 48:8B0D FBFB2800 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD30A205 | 48:8D15 44441D00 | lea rdx,qword ptr ds:[7FFEDD4DE650] | 00007FFEDD4DE650:"nNpcAdjustSlipOffsetY"
00007FFEDD30A20C | 48:81C1 38020000 | add rcx,238 |
00007FFEDD30A213 | E8 425ED9FF | call jx3representx64.7FFEDD0A005A |
00007FFEDD30A218 | 48:8B0D E1FB2800 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD30A21F | 48:8D15 4A441D00 | lea rdx,qword ptr ds:[7FFEDD4DE670] | 00007FFEDD4DE670:"nNpcAdjustOffsetY"
00007FFEDD30A226 | 48:81C1 38020000 | add rcx,238 |
00007FFEDD30A22D | 0F28F0 | movaps xmm6,xmm0 |
00007FFEDD30A230 | E8 255ED9FF | call jx3representx64.7FFEDD0A005A |
00007FFEDD30A235 | 48:8B0D C4FB2800 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD30A23C | 48:81C1 888F0100 | add rcx,18F88 |
00007FFEDD30A243 | 0F28F8 | movaps xmm7,xmm0 |
00007FFEDD30A246 | 48:8B01 | mov rax,qword ptr ds:[rcx] |
00007FFEDD30A249 | FF90 B0070000 | call qword ptr ds:[rax+7B0] |
00007FFEDD30A24F | F787 7C020000 0000004 | test dword ptr ds:[rdi+27C],40000000 |
00007FFEDD30A259 | 75 74 | jne jx3representx64.7FFEDD30A2CF |
00007FFEDD30A25B | 80BF 14040000 00 | cmp byte ptr ds:[rdi+414],0 |
00007FFEDD30A262 | 74 10 | je jx3representx64.7FFEDD30A274 |
00007FFEDD30A264 | 45:85F6 | test r14d,r14d |
00007FFEDD30A267 | 74 0B | je jx3representx64.7FFEDD30A274 |
00007FFEDD30A269 | 85C0 | test eax,eax |
00007FFEDD30A26B | 74 07 | je jx3representx64.7FFEDD30A274 |
00007FFEDD30A26D | B9 01000000 | mov ecx,1 |
00007FFEDD30A272 | EB 02 | jmp jx3representx64.7FFEDD30A276 |
00007FFEDD30A274 | 33C9 | xor ecx,ecx |
00007FFEDD30A276 | 66:0F6E53 20 | movd xmm2,dword ptr ds:[rbx+20] |
00007FFEDD30A27B | 66:0F6E63 1C | movd xmm4,dword ptr ds:[rbx+1C] |
00007FFEDD30A280 | 0FB643 34 | movzx eax,byte ptr ds:[rbx+34] |
00007FFEDD30A284 | F3:0F1005 D0F81A00 | movss xmm0,dword ptr ds:[7FFEDD4B9B5C] |
00007FFEDD30A28C | F3:0F100D C0F81A00 | movss xmm1,dword ptr ds:[7FFEDD4B9B54] |
00007FFEDD30A294 | 83E0 01 | and eax,1 |
00007FFEDD30A297 | F3:0F114424 58 | movss dword ptr ss:[rsp+58],xmm0 |
00007FFEDD30A29D | F3:0F114C24 50 | movss dword ptr ss:[rsp+50],xmm1 |
00007FFEDD30A2A3 | 0F5BD2 | cvtdq2ps xmm2,xmm2 |
00007FFEDD30A2A6 | C74424 48 00000000 | mov dword ptr ss:[rsp+48],0 |
00007FFEDD30A2AE | C74424 40 01000000 | mov dword ptr ss:[rsp+40],1 |
00007FFEDD30A2B6 | 894424 38 | mov dword ptr ss:[rsp+38],eax |
00007FFEDD30A2BA | 894C24 30 | mov dword ptr ss:[rsp+30],ecx |
00007FFEDD30A2BE | 0F5BE4 | cvtdq2ps xmm4,xmm4 |
00007FFEDD30A2C1 | F3:0F115424 28 | movss dword ptr ss:[rsp+28],xmm2 |
00007FFEDD30A2C7 | F3:0F116424 20 | movss dword ptr ss:[rsp+20],xmm4 |
00007FFEDD30A2CD | EB 7C | jmp jx3representx64.7FFEDD30A34B |
00007FFEDD30A2CF | F3:0F1005 65891A00 | movss xmm0,dword ptr ds:[7FFEDD4B2C3C] |
00007FFEDD30A2D7 | 0F2FF0 | comiss xmm6,xmm0 |
00007FFEDD30A2DA | 76 0D | jbe jx3representx64.7FFEDD30A2E9 |
00007FFEDD30A2DC | 0F2FF8 | comiss xmm7,xmm0 |
00007FFEDD30A2DF | 76 08 | jbe jx3representx64.7FFEDD30A2E9 |
00007FFEDD30A2E1 | 41:B8 01000000 | mov r8d,1 |
00007FFEDD30A2E7 | EB 03 | jmp jx3representx64.7FFEDD30A2EC |
00007FFEDD30A2E9 | 45:33C0 | xor r8d,r8d |
00007FFEDD30A2EC | 80BF 14040000 00 | cmp byte ptr ds:[rdi+414],0 |
00007FFEDD30A2F3 | 74 10 | je jx3representx64.7FFEDD30A305 |
00007FFEDD30A2F5 | 45:85F6 | test r14d,r14d |
00007FFEDD30A2F8 | 74 0B | je jx3representx64.7FFEDD30A305 |
00007FFEDD30A2FA | 85C0 | test eax,eax |
00007FFEDD30A2FC | 74 07 | je jx3representx64.7FFEDD30A305 |
00007FFEDD30A2FE | B9 01000000 | mov ecx,1 |
00007FFEDD30A303 | EB 02 | jmp jx3representx64.7FFEDD30A307 |
00007FFEDD30A305 | 33C9 | xor ecx,ecx |
00007FFEDD30A307 | 66:0F6E43 20 | movd xmm0,dword ptr ds:[rbx+20] |
00007FFEDD30A30C | 66:0F6E4B 1C | movd xmm1,dword ptr ds:[rbx+1C] |
00007FFEDD30A311 | 0FB643 34 | movzx eax,byte ptr ds:[rbx+34] |
00007FFEDD30A315 | F3:0F117C24 58 | movss dword ptr ss:[rsp+58],xmm7 |
00007FFEDD30A31B | F3:0F117424 50 | movss dword ptr ss:[rsp+50],xmm6 |
00007FFEDD30A321 | C74424 48 00000000 | mov dword ptr ss:[rsp+48],0 |
00007FFEDD30A329 | 44:894424 40 | mov dword ptr ss:[rsp+40],r8d |
00007FFEDD30A32E | 83E0 01 | and eax,1 |
00007FFEDD30A331 | 0F5BC0 | cvtdq2ps xmm0,xmm0 |
00007FFEDD30A334 | 0F5BC9 | cvtdq2ps xmm1,xmm1 |
00007FFEDD30A337 | 894424 38 | mov dword ptr ss:[rsp+38],eax |
00007FFEDD30A33B | 894C24 30 | mov dword ptr ss:[rsp+30],ecx |
00007FFEDD30A33F | F3:0F114424 28 | movss dword ptr ss:[rsp+28],xmm0 |
00007FFEDD30A345 | F3:0F114C24 20 | movss dword ptr ss:[rsp+20],xmm1 |
00007FFEDD30A34B | 66:0F6E5B 18 | movd xmm3,dword ptr ds:[rbx+18] |
00007FFEDD30A350 | 48:8B15 A9FA2800 | mov rdx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD30A357 | 48:8B8D C00C0000 | mov rcx,qword ptr ss:[rbp+CC0] |
00007FFEDD30A35E | 4C:8D4424 60 | lea r8,qword ptr ss:[rsp+60] |
00007FFEDD30A363 | 48:81C2 A0A80100 | add rdx,1A8A0 |
00007FFEDD30A36A | 0F5BDB | cvtdq2ps xmm3,xmm3 |
00007FFEDD30A36D | E8 A4DDD8FF | call jx3representx64.7FFEDD098116 |
00007FFEDD30A372 | F3:0F104424 60 | movss xmm0,dword ptr ss:[rsp+60] |
00007FFEDD30A378 | F3:0F104C24 64 | movss xmm1,dword ptr ss:[rsp+64] |
00007FFEDD30A37E | 0F287C24 70 | movaps xmm7,xmmword ptr ss:[rsp+70] |
00007FFEDD30A383 | 0F28B424 80000000 | movaps xmm6,xmmword ptr ss:[rsp+80] |
00007FFEDD30A38B | F3:0F1143 0C | movss dword ptr ds:[rbx+C],xmm0 |
00007FFEDD30A390 | F3:0F104424 68 | movss xmm0,dword ptr ss:[rsp+68] |
00007FFEDD30A396 | F3:0F1143 14 | movss dword ptr ds:[rbx+14],xmm0 |
00007FFEDD30A39B | F3:0F114B 10 | movss dword ptr ds:[rbx+10],xmm1 |
00007FFEDD30A3A0 | 85C0 | test eax,eax |
00007FFEDD30A3A2 | 79 35 | jns jx3representx64.7FFEDD30A3D9 |
00007FFEDD30A3A4 | 48:8D0D 4D421D00 | lea rcx,qword ptr ds:[7FFEDD4DE5F8] | 00007FFEDD4DE5F8:"KRLCharacterFrameData::ConvertFramePosition"
00007FFEDD30A3AB | 4C:8D05 86791A00 | lea r8,qword ptr ds:[7FFEDD4B1D38] | 00007FFEDD4B1D38:"KGLOG_COM_PROCESS_ERROR(0x%X) at line %d in %s\n"
00007FFEDD30A3B2 | 44:8BC8 | mov r9d,eax |
00007FFEDD30A3B5 | 48:894C24 28 | mov qword ptr ss:[rsp+28],rcx |
00007FFEDD30A3BA | 48:8D0D 3F5CD8FF | lea rcx,qword ptr ds:[7FFEDD090000] |
00007FFEDD30A3C1 | BA 07000000 | mov edx,7 |
00007FFEDD30A3C6 | C74424 20 22030000 | mov dword ptr ss:[rsp+20],322 |
00007FFEDD30A3CE | FF15 14BD2D00 | call qword ptr ds:[<&?KGLogPrintf_KGSL@@ |
00007FFEDD30A3D4 | E9 CFFDFFFF | jmp jx3representx64.7FFEDD30A1A8 |
00007FFEDD30A3D9 | F3:0F1043 0C | movss xmm0,dword ptr ds:[rbx+C] |
00007FFEDD30A3DE | F3:0F104B 10 | movss xmm1,dword ptr ds:[rbx+10] |
00007FFEDD30A3E3 | 44:8B8F BC000000 | mov r9d,dword ptr ds:[rdi+BC] |
00007FFEDD30A3EA | 4C:8D4424 60 | lea r8,qword ptr ss:[rsp+60] |
00007FFEDD30A3EF | 48:8D4B 18 | lea rcx,qword ptr ds:[rbx+18] |
00007FFEDD30A3F3 | F3:0F114424 60 | movss dword ptr ss:[rsp+60],xmm0 |
00007FFEDD30A3F9 | F3:0F1043 14 | movss xmm0,dword ptr ds:[rbx+14] |
00007FFEDD30A3FE | F3:0F114C24 64 | movss dword ptr ss:[rsp+64],xmm1 |
00007FFEDD30A404 | 66:0F6E4B 18 | movd xmm1,dword ptr ds:[rbx+18] |
00007FFEDD30A409 | F3:0F114424 68 | movss dword ptr ss:[rsp+68],xmm0 |
00007FFEDD30A40F | 0F5BC9 | cvtdq2ps xmm1,xmm1 |
00007FFEDD30A412 | 66:0F6E43 1C | movd xmm0,dword ptr ds:[rbx+1C] |
00007FFEDD30A417 | 48:8B95 C00C0000 | mov rdx,qword ptr ss:[rbp+CC0] |
00007FFEDD30A41E | 0F5BC0 | cvtdq2ps xmm0,xmm0 |
00007FFEDD30A421 | F3:0F114424 28 | movss dword ptr ss:[rsp+28],xmm0 |
00007FFEDD30A427 | F3:0F114C24 20 | movss dword ptr ss:[rsp+20],xmm1 |
00007FFEDD30A42D | E8 E232DAFF | call jx3representx64.7FFEDD0AD714 |
00007FFEDD30A432 | F3:0F1143 08 | movss dword ptr ds:[rbx+8],xmm0 |
00007FFEDD30A437 | 8B87 7C020000 | mov eax,dword ptr ds:[rdi+27C] |
00007FFEDD30A43D | 44:89B7 1C040000 | mov dword ptr ds:[rdi+41C],r14d |
00007FFEDD30A444 | 8987 20040000 | mov dword ptr ds:[rdi+420],eax |
00007FFEDD30A44A | 8B87 98000000 | mov eax,dword ptr ds:[rdi+98] |
00007FFEDD30A450 | 8987 18040000 | mov dword ptr ds:[rdi+418],eax |
00007FFEDD30A456 | 8B43 08 | mov eax,dword ptr ds:[rbx+8] |
00007FFEDD30A459 | 8987 24040000 | mov dword ptr ds:[rdi+424],eax |
00007FFEDD30A45F | 8B43 0C | mov eax,dword ptr ds:[rbx+C] |
00007FFEDD30A462 | 8987 28040000 | mov dword ptr ds:[rdi+428],eax |
00007FFEDD30A468 | 8B43 10 | mov eax,dword ptr ds:[rbx+10] |
00007FFEDD30A46B | 8987 2C040000 | mov dword ptr ds:[rdi+42C],eax |
00007FFEDD30A471 | 8B43 14 | mov eax,dword ptr ds:[rbx+14] |
00007FFEDD30A474 | 8987 30040000 | mov dword ptr ds:[rdi+430],eax |
00007FFEDD30A47A | 8B43 18 | mov eax,dword ptr ds:[rbx+18] |
00007FFEDD30A47D | 8987 34040000 | mov dword ptr ds:[rdi+434],eax |
对rdi进行追踪,我们在notepad中对rdi进行标记,会发现我们并不能找到任何有用的线索,这段程序并没有在任何地方对rdi的值进行修改。没关系,我们继续向上层寻找。回到X64DBG,按ALT+C,或者单击CPU标签,回到CPU标签页中,找到我们刚刚复制的函数头部,向上滚动一下窗口也就是ret下面的那一条,向上滚动一下窗口,让这条指令相对靠下一点,这个时候我们会在左侧发现一条箭头指向了这条指令,按F2下断点,然后会发现程序停下来了,这个时候要快速的取消断点,但不要让程序重新跑起来
请看我的截图中,箭头变成了红色,代表跳转实现了,堆栈中的第一条也没有返回到,说明程序并不是通过CALL来到我们当前这句代码的,而是通过上面的跳转来到了这个我们复制的代码段的首部,我们跟踪到跳转的位置,也就是红色箭头的出发端,从这里开始向上找,找到这段代码的起始位置,然后复制出这段代码,在notepad中另起一页保存这段代码:
[Asm] 纯文本查看 复制代码 00007FFEDD30A000 | 48:8BC4 | mov rax,rsp |
00007FFEDD30A003 | 48:8958 18 | mov qword ptr ds:[rax+18],rbx |
00007FFEDD30A007 | 48:8978 20 | mov qword ptr ds:[rax+20],rdi |
00007FFEDD30A00B | 41:56 | push r14 |
00007FFEDD30A00D | 48:81EC 90000000 | sub rsp,90 |
00007FFEDD30A014 | 45:8BF0 | mov r14d,r8d |
00007FFEDD30A017 | 48:8BDA | mov rbx,rdx |
00007FFEDD30A01A | 48:8BF9 | mov rdi,rcx |
00007FFEDD30A01D | 48:C740 C8 00000000 | mov qword ptr ds:[rax-38],0 |
00007FFEDD30A025 | C740 D0 00000000 | mov dword ptr ds:[rax-30],0 |
00007FFEDD30A02C | 48:85D2 | test rdx,rdx |
00007FFEDD30A02F | 0F84 A1040000 | je jx3representx64.7FFEDD30A4D6 |
00007FFEDD30A035 | 803A 00 | cmp byte ptr ds:[rdx],0 |
00007FFEDD30A038 | 0F85 98040000 | jne jx3representx64.7FFEDD30A4D6 |
00007FFEDD30A03E | 48:8968 08 | mov qword ptr ds:[rax+8],rbp |
00007FFEDD30A042 | 48:8970 10 | mov qword ptr ds:[rax+10],rsi |
00007FFEDD30A046 | 8B42 18 | mov eax,dword ptr ds:[rdx+18] |
00007FFEDD30A049 | 3981 34040000 | cmp dword ptr ds:[rcx+434],eax |
00007FFEDD30A04F | 0F85 D0000000 | jne jx3representx64.7FFEDD30A125 |
00007FFEDD30A055 | 8B42 1C | mov eax,dword ptr ds:[rdx+1C] |
00007FFEDD30A058 | 3981 38040000 | cmp dword ptr ds:[rcx+438],eax |
00007FFEDD30A05E | 0F85 C1000000 | jne jx3representx64.7FFEDD30A125 |
00007FFEDD30A064 | 8B42 20 | mov eax,dword ptr ds:[rdx+20] |
00007FFEDD30A067 | 3981 3C040000 | cmp dword ptr ds:[rcx+43C],eax |
00007FFEDD30A06D | 0F85 B2000000 | jne jx3representx64.7FFEDD30A125 |
00007FFEDD30A073 | 80B9 15040000 00 | cmp byte ptr ds:[rcx+415],0 |
00007FFEDD30A07A | 0F84 A5000000 | je jx3representx64.7FFEDD30A125 |
00007FFEDD30A080 | 44:8B81 7C020000 | mov r8d,dword ptr ds:[rcx+27C] |
00007FFEDD30A087 | 41:0FBAE0 1E | bt r8d,1E |
00007FFEDD30A08C | 72 31 | jb jx3representx64.7FFEDD30A0BF |
00007FFEDD30A08E | 41:0FBAE0 1D | bt r8d,1D |
00007FFEDD30A093 | 0F83 8C000000 | jae jx3representx64.7FFEDD30A125 |
00007FFEDD30A099 | 8B4B 04 | mov ecx,dword ptr ds:[rbx+4] |
00007FFEDD30A09C | B8 ABAAAAAA | mov eax,AAAAAAAB |
00007FFEDD30A0A1 | 41:F7E0 | mul r8d |
00007FFEDD30A0A4 | D1EA | shr edx,1 |
00007FFEDD30A0A6 | 8D0452 | lea eax,qword ptr ds:[rdx+rdx*2] |
00007FFEDD30A0A9 | 44:2BC0 | sub r8d,eax |
00007FFEDD30A0AC | B8 56555555 | mov eax,55555556 |
00007FFEDD30A0B1 | F7E9 | imul ecx |
00007FFEDD30A0B3 | 8BC2 | mov eax,edx |
00007FFEDD30A0B5 | C1E8 1F | shr eax,1F |
00007FFEDD30A0B8 | 03D0 | add edx,eax |
00007FFEDD30A0BA | 8D0452 | lea eax,qword ptr ds:[rdx+rdx*2] |
00007FFEDD30A0BD | EB 27 | jmp jx3representx64.7FFEDD30A0E6 |
00007FFEDD30A0BF | 8B4B 04 | mov ecx,dword ptr ds:[rbx+4] |
00007FFEDD30A0C2 | B8 CDCCCCCC | mov eax,CCCCCCCD |
00007FFEDD30A0C7 | 41:F7E0 | mul r8d |
00007FFEDD30A0CA | C1EA 02 | shr edx,2 |
00007FFEDD30A0CD | 8D0492 | lea eax,qword ptr ds:[rdx+rdx*4] |
00007FFEDD30A0D0 | 44:2BC0 | sub r8d,eax |
00007FFEDD30A0D3 | B8 67666666 | mov eax,66666667 |
00007FFEDD30A0D8 | F7E9 | imul ecx |
00007FFEDD30A0DA | D1FA | sar edx,1 |
00007FFEDD30A0DC | 8BC2 | mov eax,edx |
00007FFEDD30A0DE | C1E8 1F | shr eax,1F |
00007FFEDD30A0E1 | 03D0 | add edx,eax |
00007FFEDD30A0E3 | 8D0492 | lea eax,qword ptr ds:[rdx+rdx*4] |
00007FFEDD30A0E6 | 2BC8 | sub ecx,eax |
00007FFEDD30A0E8 | 33C0 | xor eax,eax |
00007FFEDD30A0EA | 44:3BC1 | cmp r8d,ecx |
00007FFEDD30A0ED | 0F94C0 | sete al |
00007FFEDD30A0F0 | 85C0 | test eax,eax |
00007FFEDD30A0F2 | 75 31 | jne jx3representx64.7FFEDD30A125 |
00007FFEDD30A0F4 | 8B87 24040000 | mov eax,dword ptr ds:[rdi+424] |
00007FFEDD30A0FA | 8943 08 | mov dword ptr ds:[rbx+8],eax |
00007FFEDD30A0FD | 8B87 28040000 | mov eax,dword ptr ds:[rdi+428] |
00007FFEDD30A103 | 8943 0C | mov dword ptr ds:[rbx+C],eax |
00007FFEDD30A106 | 8B87 2C040000 | mov eax,dword ptr ds:[rdi+42C] |
00007FFEDD30A10C | 8943 10 | mov dword ptr ds:[rbx+10],eax |
00007FFEDD30A10F | 8B87 30040000 | mov eax,dword ptr ds:[rdi+430] |
00007FFEDD30A115 | 8943 14 | mov dword ptr ds:[rbx+14],eax |
00007FFEDD30A118 | C603 01 | mov byte ptr ds:[rbx],1 |
00007FFEDD30A11B | B8 01000000 | mov eax,1 |
00007FFEDD30A120 | E9 85000000 | jmp jx3representx64.7FFEDD30A1AA |
00007FFEDD30A125 | 8B97 98000000 | mov edx,dword ptr ds:[rdi+98] |
00007FFEDD30A12B | C687 15040000 00 | mov byte ptr ds:[rdi+415],0 |
00007FFEDD30A132 | 48:8B0D C7FC2800 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD30A139 | 48:81C1 28AA0100 | add rcx,1AA28 |
00007FFEDD30A140 | E8 11EAD9FF | call jx3representx64.7FFEDD0A8B56 |
00007FFEDD30A145 | 48:8BE8 | mov rbp,rax |
00007FFEDD30A148 | 48:85C0 | test rax,rax |
00007FFEDD30A14B | 75 1D | jne jx3representx64.7FFEDD30A16A |
00007FFEDD30A14D | 48:8D0D A4441D00 | lea rcx,qword ptr ds:[7FFEDD4DE5F8] | 00007FFEDD4DE5F8:"KRLCharacterFrameData::ConvertFramePosition"
00007FFEDD30A154 | 4C:8D0D FDDB1A00 | lea r9,qword ptr ds:[7FFEDD4B7D58] | 00007FFEDD4B7D58:"pRLScene"
00007FFEDD30A15B | 48:894C24 28 | mov qword ptr ss:[rsp+28],rcx |
00007FFEDD30A160 | C74424 20 F7020000 | mov dword ptr ss:[rsp+20],2F7 |
00007FFEDD30A168 | EB 25 | jmp jx3representx64.7FFEDD30A18F |
00007FFEDD30A16A | 48:83B8 C00C0000 00 | cmp qword ptr ds:[rax+CC0],0 |
00007FFEDD30A172 | 75 5C | jne jx3representx64.7FFEDD30A1D0 |
然后在其中搜索rdi,从代码段的最下面向上找,在接近代码段开始的地方我们找到了这么一条:00007FFEDD30A01A | 48:8BF9 | mov rdi,rcx 得知rdi的值是由rcx赋予的,我们先复制出这一条代码与我们一开始用CE找到的指令放到一起:[Asm] 纯文本查看 复制代码 7FFEDD30A47D - 89 87 34040000 - mov [rdi+00000434],eax00007FFEDD30A01A | 48:8BF9 | mov rdi,rcx
现在我们的任务就变成了寻找rcx的值得来源,我们搜索rcx,发现在这段代码中我们已经无法找到RCX的来源,所以我们还需要回到x64DBG中向上追溯,同样来到刚刚复制的代码段的头部,下断点,取消断点,在堆栈中的返回到XXXX这一条指令上右击,选择在汇编窗口中跟随就好了,这个时候会转到调用该函数的地方,这是方法一。我们还有另一种方法去追踪他,也就是常量法,我们来到我们刚刚下断点的地方,右键复制,选择地址,然后右击,搜索,当前模块,搜索常数,弹出的窗口中在表达式一栏填入我们刚刚复制的地址,然后开始搜索,这里只有一条搜索结果,那么必然是调用我们的代码的地方了,双击即可转到。
当然如果搜索结果有好几个的话,我们还是采取一开始断点,然后通过堆栈返回的方式。两种方法大家自行筛选。这里如果用的是方法二的话,会发现我们到了一堆jmp中,很难确定我们是如何从上层到达这堆jmp当中的,所以我们采用方法一,堆栈回溯。切记,使用堆栈回溯的方法的话,我们转到了调用的地方过后,立刻让程序运行起来,不然你的游戏会掉线的,重新登录过后,模块的基址有可能会发生改变,那样你就需要去计算相应代码的位置才能定位到刚刚的代码段了,所以如果不想这么做的话,请记得转到了函数调用的地方过后,立刻把游戏运行起来。然后和前面一样,向上翻到代码段的头部,然后复制出来,并在notepad中新建一页保存他们:
[Asm] 纯文本查看 复制代码 00007FFEDD30DA50 | 48:8BC4 | mov rax,rsp |
00007FFEDD30DA53 | 48:8958 08 | mov qword ptr ds:[rax+8],rbx |
00007FFEDD30DA57 | 48:8970 10 | mov qword ptr ds:[rax+10],rsi |
00007FFEDD30DA5B | 48:8978 20 | mov qword ptr ds:[rax+20],rdi |
00007FFEDD30DA5F | 44:8940 18 | mov dword ptr ds:[rax+18],r8d |
00007FFEDD30DA63 | 55 | push rbp |
00007FFEDD30DA64 | 41:54 | push r12 |
00007FFEDD30DA66 | 41:55 | push r13 |
00007FFEDD30DA68 | 41:56 | push r14 |
00007FFEDD30DA6A | 41:57 | push r15 |
00007FFEDD30DA6C | 48:8D68 A9 | lea rbp,qword ptr ds:[rax-57] |
00007FFEDD30DA70 | 48:81EC E0000000 | sub rsp,E0 |
00007FFEDD30DA77 | 0F2970 C8 | movaps xmmword ptr ds:[rax-38],xmm6 |
00007FFEDD30DA7B | 33C0 | xor eax,eax |
00007FFEDD30DA7D | 4D:8BE1 | mov r12,r9 |
00007FFEDD30DA80 | 8945 F7 | mov dword ptr ss:[rbp-9],eax |
00007FFEDD30DA83 | 8945 F3 | mov dword ptr ss:[rbp-D],eax |
00007FFEDD30DA86 | 8945 FB | mov dword ptr ss:[rbp-5],eax |
00007FFEDD30DA89 | 8945 EF | mov dword ptr ss:[rbp-11],eax |
00007FFEDD30DA8C | 48:8945 AF | mov qword ptr ss:[rbp-51],rax |
00007FFEDD30DA90 | 8945 B7 | mov dword ptr ss:[rbp-49],eax |
00007FFEDD30DA93 | 48:8945 BF | mov qword ptr ss:[rbp-41],rax |
00007FFEDD30DA97 | 8945 C7 | mov dword ptr ss:[rbp-39],eax |
00007FFEDD30DA9A | 48:8945 CF | mov qword ptr ss:[rbp-31],rax |
00007FFEDD30DA9E | 8945 D7 | mov dword ptr ss:[rbp-29],eax |
00007FFEDD30DAA1 | 48:8B05 58C32800 | mov rax,qword ptr ds:[7FFEDD599E00] |
00007FFEDD30DAA8 | 44:8BFA | mov r15d,edx |
00007FFEDD30DAAB | 8378 08 00 | cmp dword ptr ds:[rax+8],0 |
00007FFEDD30DAAF | 48:8BD9 | mov rbx,rcx |
00007FFEDD30DAB2 | 0F84 05060000 | je jx3representx64.7FFEDD30E0BD |
00007FFEDD30DAB8 | F2:0F1070 48 | movsd xmm6,qword ptr ds:[rax+48] |
00007FFEDD30DABD | F2:0F5C70 68 | subsd xmm6,qword ptr ds:[rax+68] |
00007FFEDD30DAC2 | 0F28C6 | movaps xmm0,xmm6 |
00007FFEDD30DAC5 | E8 2413DAFF | call jx3representx64.7FFEDD0AEDEE |
00007FFEDD30DACA | 48:8BCB | mov rcx,rbx |
00007FFEDD30DACD | 8BD0 | mov edx,eax |
00007FFEDD30DACF | 44:8BF0 | mov r14d,eax |
00007FFEDD30DAD2 | E8 3AA0D9FF | call jx3representx64.7FFEDD0A7B11 |
00007FFEDD30DAD7 | 4C:63C0 | movsxd r8,eax |
00007FFEDD30DADA | 49:8BC0 | mov rax,r8 |
00007FFEDD30DADD | 48:6BC0 38 | imul rax,rax,38 |
00007FFEDD30DAE1 | 44:8B8C18 68040000 | mov r9d,dword ptr ds:[rax+rbx+468] |
00007FFEDD30DAE9 | 41:83F9 FF | cmp r9d,FFFFFFFF |
00007FFEDD30DAED | 0F84 CA050000 | je jx3representx64.7FFEDD30E0BD |
00007FFEDD30DAF3 | 45:3BCE | cmp r9d,r14d |
00007FFEDD30DAF6 | 74 0F | je jx3representx64.7FFEDD30DB07 |
00007FFEDD30DAF8 | 48:8BCB | mov rcx,rbx |
00007FFEDD30DAFB | E8 0AC0D9FF | call jx3representx64.7FFEDD0A9B0A |
00007FFEDD30DB00 | 44:8BC0 | mov r8d,eax |
00007FFEDD30DB03 | 8BF0 | mov esi,eax |
00007FFEDD30DB05 | EB 39 | jmp jx3representx64.7FFEDD30DB40 |
00007FFEDD30DB07 | 41:8D40 01 | lea eax,qword ptr ds:[r8+1] |
00007FFEDD30DB0B | 48:63F0 | movsxd rsi,eax |
00007FFEDD30DB0E | 48:B8 ABAAAAAAAAAAAAA | mov rax,AAAAAAAAAAAAAAAB |
00007FFEDD30DB18 | 48:F7E6 | mul rsi |
00007FFEDD30DB1B | 48:C1EA 06 | shr rdx,6 |
00007FFEDD30DB1F | 48:8D0452 | lea rax,qword ptr ds:[rdx+rdx*2] |
00007FFEDD30DB23 | 48:C1E0 05 | shl rax,5 |
00007FFEDD30DB27 | 48:2BF0 | sub rsi,rax |
00007FFEDD30DB2A | 41:8D41 01 | lea eax,qword ptr ds:[r9+1] |
00007FFEDD30DB2E | 48:63CE | movsxd rcx,esi |
00007FFEDD30DB31 | 48:6BC9 38 | imul rcx,rcx,38 |
00007FFEDD30DB35 | 398419 68040000 | cmp dword ptr ds:[rcx+rbx+468],eax |
00007FFEDD30DB3C | 41:0F45F0 | cmovne esi,r8d |
00007FFEDD30DB40 | 49:63C0 | movsxd rax,r8d |
00007FFEDD30DB43 | 48:8D93 64040000 | lea rdx,qword ptr ds:[rbx+464] |
00007FFEDD30DB4A | 48:8BF8 | mov rdi,rax |
00007FFEDD30DB4D | 48:8945 FF | mov qword ptr ss:[rbp-1],rax |
00007FFEDD30DB51 | 48:6BFF 38 | imul rdi,rdi,38 |
00007FFEDD30DB55 | 48:03D7 | add rdx,rdi |
00007FFEDD30DB58 | 803A 00 | cmp byte ptr ds:[rdx],0 |
00007FFEDD30DB5B | 75 0B | jne jx3representx64.7FFEDD30DB68 |
00007FFEDD30DB5D | 45:8BC7 | mov r8d,r15d |
00007FFEDD30DB60 | 48:8BCB | mov rcx,rbx |
00007FFEDD30DB63 | E8 A863DAFF | call jx3representx64.7FFEDD0B3F10 |
00007FFEDD30DB68 | 48:63C6 | movsxd rax,esi |
00007FFEDD30DB6B | 48:8D93 64040000 | lea rdx,qword ptr ds:[rbx+464] |
00007FFEDD30DB72 | 48:8BF0 | mov rsi,rax |
00007FFEDD30DB75 | 48:8945 DF | mov qword ptr ss:[rbp-21],rax |
00007FFEDD30DB79 | 48:6BF6 38 | imul rsi,rsi,38 |
00007FFEDD30DB7D | 48:03D6 | add rdx,rsi |
00007FFEDD30DB80 | 803A 00 | cmp byte ptr ds:[rdx],0 |
00007FFEDD30DB83 | 75 0B | jne jx3representx64.7FFEDD30DB90 |
00007FFEDD30DB85 | 45:8BC7 | mov r8d,r15d |
00007FFEDD30DB88 | 48:8BCB | mov rcx,rbx |
00007FFEDD30DB8B | E8 8063DAFF | call jx3representx64.7FFEDD0B3F10 |
00007FFEDD30DB90 | 4C:8D3C1F | lea r15,qword ptr ds:[rdi+rbx] |
并在其中搜索rcx,寻找rcx的来源
[Asm] 纯文本查看 复制代码 00007FFEDD30DB88 | 48:8BCB | mov rcx,rbx
我们很轻易的找到了这一条,得知rcx的值是rbx赋予的,但是当我们追溯rbx时,会发现[Asm] 纯文本查看 复制代码 00007FFEDD30DAAF | 48:8BD9 | mov rbx,rcx
rbx的值其实是rcx赋予的,这里其实是程序需要用到rcx寄存器,所以先将rcx进行了备份,备份到rbx中,最后又还原回去,也就是这段代码中并没有有用的信息,我们还需要继续向更上一层去寻找rcx的来源,通过断点回溯我们找到上层调用,并复制出代码段:[Asm] 纯文本查看 复制代码 00007FFEDD27B590 | 48:895C24 18 | mov qword ptr ss:[rsp+18],rbx |
00007FFEDD27B595 | 55 | push rbp |
00007FFEDD27B596 | 56 | push rsi |
00007FFEDD27B597 | 57 | push rdi |
00007FFEDD27B598 | 41:54 | push r12 |
00007FFEDD27B59A | 41:55 | push r13 |
00007FFEDD27B59C | 41:56 | push r14 |
00007FFEDD27B59E | 41:57 | push r15 |
00007FFEDD27B5A0 | B8 50110000 | mov eax,1150 |
00007FFEDD27B5A5 | E8 06072000 | call jx3representx64.7FFEDD47BCB0 |
00007FFEDD27B5AA | 48:2BE0 | sub rsp,rax |
00007FFEDD27B5AD | 0F29B424 40110000 | movaps xmmword ptr ss:[rsp+1140],xmm6 |
00007FFEDD27B5B5 | 48:8B05 E4D33100 | mov rax,qword ptr ds:[7FFEDD5989A0] |
00007FFEDD27B5BC | 48:33C4 | xor rax,rsp |
00007FFEDD27B5BF | 48:898424 30110000 | mov qword ptr ss:[rsp+1130],rax |
00007FFEDD27B5C7 | 4C:8BF9 | mov r15,rcx |
00007FFEDD27B5CA | 48:8D8C24 90000000 | lea rcx,qword ptr ss:[rsp+90] |
00007FFEDD27B5D2 | 33ED | xor ebp,ebp |
00007FFEDD27B5D4 | 0F28F1 | movaps xmm6,xmm1 |
00007FFEDD27B5D7 | 896C24 60 | mov dword ptr ss:[rsp+60],ebp |
00007FFEDD27B5DB | E8 38E6E2FF | call jx3representx64.7FFEDD0A9C18 |
00007FFEDD27B5E0 | 49:8B8F F0000000 | mov rcx,qword ptr ds:[r15+F0] |
00007FFEDD27B5E7 | 8BB424 B0110000 | mov esi,dword ptr ss:[rsp+11B0] |
00007FFEDD27B5EE | 4C:8D25 1B5C2500 | lea r12,qword ptr ds:[7FFEDD4D1210] | 00007FFEDD4D1210:"KRLLocalCharacter::Update"
00007FFEDD27B5F5 | 48:85C9 | test rcx,rcx |
00007FFEDD27B5F8 | 0F84 F50A0000 | je jx3representx64.7FFEDD27C0F3 |
00007FFEDD27B5FE | 48:8B01 | mov rax,qword ptr ds:[rcx] |
00007FFEDD27B601 | 48:8B15 40323100 | mov rdx,qword ptr ds:[7FFEDD58E848] | 00007FFEDD58E848:&"model"
00007FFEDD27B608 | FF50 58 | call qword ptr ds:[rax+58] |
00007FFEDD27B60B | 48:85C0 | test rax,rax |
00007FFEDD27B60E | 0F84 DF0A0000 | je jx3representx64.7FFEDD27C0F3 |
00007FFEDD27B614 | 40:3828 | cmp byte ptr ds:[rax],bpl |
00007FFEDD27B617 | 0F84 D60A0000 | je jx3representx64.7FFEDD27C0F3 |
00007FFEDD27B61D | 49:8D4F 40 | lea rcx,qword ptr ds:[r15+40] |
00007FFEDD27B621 | E8 1113E2FF | call jx3representx64.7FFEDD09C937 |
00007FFEDD27B626 | 48:8B0D D3E73100 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD27B62D | 8BD8 | mov ebx,eax |
00007FFEDD27B62F | E8 EA71E2FF | call jx3representx64.7FFEDD0A281E |
00007FFEDD27B634 | 4C:8BF0 | mov r14,rax |
00007FFEDD27B637 | 48:894424 68 | mov qword ptr ss:[rsp+68],rax |
00007FFEDD27B63C | 85F6 | test esi,esi |
00007FFEDD27B63E | 0F84 0E020000 | je jx3representx64.7FFEDD27B852 |
00007FFEDD27B644 | 49:8DB7 D0320000 | lea rsi,qword ptr ds:[r15+32D0] |
00007FFEDD27B64B | 8BD3 | mov edx,ebx |
00007FFEDD27B64D | 48:8BCE | mov rcx,rsi |
00007FFEDD27B650 | E8 BB84E2FF | call jx3representx64.7FFEDD0A3B10 |
00007FFEDD27B655 | 4D:85F6 | test r14,r14 |
00007FFEDD27B658 | 0F84 E9000000 | je jx3representx64.7FFEDD27B747 |
00007FFEDD27B65E | 48:8BCE | mov rcx,rsi |
00007FFEDD27B661 | 48:896C24 70 | mov qword ptr ss:[rsp+70],rbp |
00007FFEDD27B666 | 896C24 78 | mov dword ptr ss:[rsp+78],ebp |
00007FFEDD27B66A | E8 6228E2FF | call jx3representx64.7FFEDD09DED1 |
00007FFEDD27B66F | 48:8BCE | mov rcx,rsi |
00007FFEDD27B672 | 8BF8 | mov edi,eax |
00007FFEDD27B674 | E8 8C17E2FF | call jx3representx64.7FFEDD09CE05 |
00007FFEDD27B679 | 48:8BCE | mov rcx,rsi |
00007FFEDD27B67C | 8BD8 | mov ebx,eax |
00007FFEDD27B67E | E8 7AF6E2FF | call jx3representx64.7FFEDD0AACFD |
00007FFEDD27B683 | 48:8B15 76E73100 | mov rdx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD27B68A | F3:0F1005 CAE42300 | movss xmm0,dword ptr ds:[7FFEDD4B9B5C] |
00007FFEDD27B692 | F3:0F100D BAE42300 | movss xmm1,dword ptr ds:[7FFEDD4B9B54] |
00007FFEDD27B69A | 66:0F6EE3 | movd xmm4,ebx |
00007FFEDD27B69E | 49:8B8E C00C0000 | mov rcx,qword ptr ds:[r14+CC0] |
00007FFEDD27B6A5 | 4C:8D4424 70 | lea r8,qword ptr ss:[rsp+70] |
00007FFEDD27B6AA | 48:81C2 A0A80100 | add rdx,1A8A0 |
00007FFEDD27B6B1 | F3:0F114424 58 | movss dword ptr ss:[rsp+58],xmm0 |
00007FFEDD27B6B7 | F3:0F114C24 50 | movss dword ptr ss:[rsp+50],xmm1 |
00007FFEDD27B6BD | 66:0F6ED0 | movd xmm2,eax |
00007FFEDD27B6C1 | 66:0F6EDF | movd xmm3,edi |
00007FFEDD27B6C5 | 0F5BE4 | cvtdq2ps xmm4,xmm4 |
00007FFEDD27B6C8 | 896C24 48 | mov dword ptr ss:[rsp+48],ebp |
00007FFEDD27B6CC | 896C24 40 | mov dword ptr ss:[rsp+40],ebp |
00007FFEDD27B6D0 | 896C24 38 | mov dword ptr ss:[rsp+38],ebp |
00007FFEDD27B6D4 | 0F5BD2 | cvtdq2ps xmm2,xmm2 |
00007FFEDD27B6D7 | 0F5BDB | cvtdq2ps xmm3,xmm3 |
00007FFEDD27B6DA | 896C24 30 | mov dword ptr ss:[rsp+30],ebp |
00007FFEDD27B6DE | F3:0F115424 28 | movss dword ptr ss:[rsp+28],xmm2 |
00007FFEDD27B6E4 | F3:0F116424 20 | movss dword ptr ss:[rsp+20],xmm4 |
00007FFEDD27B6EA | E8 27CAE1FF | call jx3representx64.7FFEDD098116 |
00007FFEDD27B6EF | 85C0 | test eax,eax |
00007FFEDD27B6F1 | 79 35 | jns jx3representx64.7FFEDD27B728 |
00007FFEDD27B6F3 | 4C:8D25 165B2500 | lea r12,qword ptr ds:[7FFEDD4D1210] | 00007FFEDD4D1210:"KRLLocalCharacter::Update"
00007FFEDD27B6FA | 4C:8D05 37662300 | lea r8,qword ptr ds:[7FFEDD4B1D38] | 00007FFEDD4B1D38:"KGLOG_COM_PROCESS_ERROR(0x%X) at line %d in %s\n"
00007FFEDD27B701 | 8D55 07 | lea edx,qword ptr ss:[rbp+7] |
00007FFEDD27B704 | 48:8D0D F548E1FF | lea rcx,qword ptr ds:[7FFEDD090000] |
00007FFEDD27B70B | 44:8BC8 | mov r9d,eax |
00007FFEDD27B70E | 4C:896424 28 | mov qword ptr ss:[rsp+28],r12 |
00007FFEDD27B713 | C74424 20 29050000 | mov dword ptr ss:[rsp+20],529 |
00007FFEDD27B71B | FF15 C7A93600 | call qword ptr ds:[<&?KGLogPrintf_KGSL@@ |
00007FFEDD27B721 | 8BC5 | mov eax,ebp |
00007FFEDD27B723 | E9 DE0A0000 | jmp jx3representx64.7FFEDD27C206 |
00007FFEDD27B728 | 48:8D5424 70 | lea rdx,qword ptr ss:[rsp+70] |
00007FFEDD27B72D | 49:8BCE | mov rcx,r14 |
00007FFEDD27B730 | E8 60EFE2FF | call jx3representx64.7FFEDD0AA695 |
00007FFEDD27B735 | E8 2BE9E1FF | call jx3representx64.7FFEDD09A065 |
00007FFEDD27B73A | 48:8D5424 70 | lea rdx,qword ptr ss:[rsp+70] |
00007FFEDD27B73F | 48:8BC8 | mov rcx,rax |
00007FFEDD27B742 | E8 D04FE2FF | call jx3representx64.7FFEDD0A0717 |
00007FFEDD27B747 | 48:8BCE | mov rcx,rsi |
00007FFEDD27B74A | E8 8C35E3FF | call jx3representx64.7FFEDD0AECDB |
00007FFEDD27B74F | 8BD8 | mov ebx,eax |
00007FFEDD27B751 | FFC8 | dec eax |
00007FFEDD27B753 | 83F8 02 | cmp eax,2 |
00007FFEDD27B756 | 77 1A | ja jx3representx64.7FFEDD27B772 |
00007FFEDD27B758 | 49:8D8F 80220000 | lea rcx,qword ptr ds:[r15+2280] |
00007FFEDD27B75F | E8 68F4E2FF | call jx3representx64.7FFEDD0AABCC |
00007FFEDD27B764 | 83F8 01 | cmp eax,1 |
00007FFEDD27B767 | 75 09 | jne jx3representx64.7FFEDD27B772 |
00007FFEDD27B769 | 49:8D4F 40 | lea rcx,qword ptr ds:[r15+40] |
00007FFEDD27B76D | E8 426BE3FF | call jx3representx64.7FFEDD0B22B4 |
00007FFEDD27B772 | 48:8BCE | mov rcx,rsi |
00007FFEDD27B775 | E8 AA96E3FF | call jx3representx64.7FFEDD0B4E24 |
00007FFEDD27B77A | 83FB 21 | cmp ebx,21 | 21:'!'
00007FFEDD27B77D | 75 0E | jne jx3representx64.7FFEDD27B78D |
00007FFEDD27B77F | 3BC3 | cmp eax,ebx |
00007FFEDD27B781 | 74 1C | je jx3representx64.7FFEDD27B79F |
00007FFEDD27B783 | 49:8BCF | mov rcx,r15 |
00007FFEDD27B786 | E8 8584E1FF | call jx3representx64.7FFEDD093C10 |
00007FFEDD27B78B | EB 12 | jmp jx3representx64.7FFEDD27B79F |
00007FFEDD27B78D | 83F8 21 | cmp eax,21 | 21:'!'
00007FFEDD27B790 | 74 05 | je jx3representx64.7FFEDD27B797 |
00007FFEDD27B792 | 83FB 10 | cmp ebx,10 |
00007FFEDD27B795 | 75 08 | jne jx3representx64.7FFEDD27B79F |
00007FFEDD27B797 | 49:8BCF | mov rcx,r15 |
00007FFEDD27B79A | E8 6561E3FF | call jx3representx64.7FFEDD0B1904 |
00007FFEDD27B79F | 48:8BCE | mov rcx,rsi |
00007FFEDD27B7A2 | E8 EE80E2FF | call jx3representx64.7FFEDD0A3895 |
00007FFEDD27B7A7 | 8BD8 | mov ebx,eax |
00007FFEDD27B7A9 | 85C0 | test eax,eax |
00007FFEDD27B7AB | 74 29 | je jx3representx64.7FFEDD27B7D6 |
00007FFEDD27B7AD | 48:8BCE | mov rcx,rsi |
00007FFEDD27B7B0 | E8 54C1E2FF | call jx3representx64.7FFEDD0A7909 |
00007FFEDD27B7B5 | 85C0 | test eax,eax |
00007FFEDD27B7B7 | 74 1D | je jx3representx64.7FFEDD27B7D6 |
00007FFEDD27B7B9 | 8BCB | mov ecx,ebx |
00007FFEDD27B7BB | E8 16F9E2FF | call jx3representx64.7FFEDD0AB0D6 |
00007FFEDD27B7C0 | 85C0 | test eax,eax |
00007FFEDD27B7C2 | 75 12 | jne jx3representx64.7FFEDD27B7D6 |
00007FFEDD27B7C4 | 8BCB | mov ecx,ebx |
00007FFEDD27B7C6 | E8 0167E3FF | call jx3representx64.7FFEDD0B1ECC |
00007FFEDD27B7CB | 85C0 | test eax,eax |
00007FFEDD27B7CD | 74 07 | je jx3representx64.7FFEDD27B7D6 |
00007FFEDD27B7CF | BA 01000000 | mov edx,1 |
00007FFEDD27B7D4 | EB 02 | jmp jx3representx64.7FFEDD27B7D8 |
00007FFEDD27B7D6 | 33D2 | xor edx,edx |
00007FFEDD27B7D8 | 49:8B0E | mov rcx,qword ptr ds:[r14] |
00007FFEDD27B7DB | E8 188CE2FF | call jx3representx64.7FFEDD0A43F8 |
00007FFEDD27B7E0 | 49:8D4F 40 | lea rcx,qword ptr ds:[r15+40] |
00007FFEDD27B7E4 | E8 CF6DE1FF | call jx3representx64.7FFEDD0925B8 |
00007FFEDD27B7E9 | 85C0 | test eax,eax |
00007FFEDD27B7EB | 75 5E | jne jx3representx64.7FFEDD27B84B |
00007FFEDD27B7ED | 49:8D4F 40 | lea rcx,qword ptr ds:[r15+40] |
00007FFEDD27B7F1 | E8 8B95E1FF | call jx3representx64.7FFEDD094D81 |
00007FFEDD27B7F6 | 85C0 | test eax,eax |
00007FFEDD27B7F8 | 75 51 | jne jx3representx64.7FFEDD27B84B |
00007FFEDD27B7FA | 49:8BCF | mov rcx,r15 |
00007FFEDD27B7FD | 41:89AF C8000000 | mov dword ptr ds:[r15+C8],ebp |
00007FFEDD27B804 | E8 7645E3FF | call jx3representx64.7FFEDD0AFD7F |
00007FFEDD27B809 | 85C0 | test eax,eax |
00007FFEDD27B80B | 75 19 | jne jx3representx64.7FFEDD27B826 |
00007FFEDD27B80D | 4C:8D25 FC592500 | lea r12,qword ptr ds:[7FFEDD4D1210] | 00007FFEDD4D1210:"KRLLocalCharacter::Update"
00007FFEDD27B814 | 4C:896424 28 | mov qword ptr ss:[rsp+28],r12 |
00007FFEDD27B819 | C74424 20 51050000 | mov dword ptr ss:[rsp+20],551 |
00007FFEDD27B821 | E9 3B020000 | jmp jx3representx64.7FFEDD27BA61 |
00007FFEDD27B826 | 49:8BCF | mov rcx,r15 |
00007FFEDD27B829 | E8 63CAE2FF | call jx3representx64.7FFEDD0A8291 |
00007FFEDD27B82E | 85C0 | test eax,eax |
00007FFEDD27B830 | 75 19 | jne jx3representx64.7FFEDD27B84B |
00007FFEDD27B832 | 4C:8D25 D7592500 | lea r12,qword ptr ds:[7FFEDD4D1210] | 00007FFEDD4D1210:"KRLLocalCharacter::Update"
00007FFEDD27B839 | 4C:896424 28 | mov qword ptr ss:[rsp+28],r12 |
00007FFEDD27B83E | C74424 20 54050000 | mov dword ptr ss:[rsp+20],554 |
00007FFEDD27B846 | E9 16020000 | jmp jx3representx64.7FFEDD27BA61 |
00007FFEDD27B84B | 8BB424 B0110000 | mov esi,dword ptr ss:[rsp+11B0] |
00007FFEDD27B852 | 49:8B87 28230000 | mov rax,qword ptr ds:[r15+2328] |
00007FFEDD27B859 | 4D:8B8F 08230000 | mov r9,qword ptr ds:[r15+2308] |
00007FFEDD27B860 | 45:33C0 | xor r8d,r8d |
00007FFEDD27B863 | 49:8DBF D0320000 | lea rdi,qword ptr ds:[r15+32D0] |
00007FFEDD27B86A | 41:8D50 01 | lea edx,qword ptr ds:[r8+1] |
00007FFEDD27B86E | 48:894424 20 | mov qword ptr ss:[rsp+20],rax |
00007FFEDD27B873 | 48:8BCF | mov rcx,rdi |
00007FFEDD27B876 | E8 46A4E2FF | call jx3representx64.7FFEDD0A5CC1 |
00007FFEDD27B87B | 85C0 | test eax,eax |
然后再代码段中查找rcx的值,很轻易的找到了:[Asm] 纯文本查看 复制代码 00007FFEDD27B873 | 48:8BCF | mov rcx,rdi 得知rcx的值来源于rdi,继续向上寻找rdi的来源[Asm] 纯文本查看 复制代码 00007FFEDD27B863 | 49:8DBF D0320000 | lea rdi,qword ptr ds:[r15+32D0] 搜索RDI我们会发现,我们找到这么一句,这里解释一下lea指令的作用,他与MOV类似,是一个赋值的指令,但是与MOV不同,mov赋值的是后面的中括号内的地址所对应的内存单元中的数据,而lea是将后面中括号中所对应的偏移量赋给前面,这里也就可以理解为rdi=r15+32d0我们把这两句保存到一开始我们找到的代码,放到一起去,然后继续搜索r15,找到了这一条:[Asm] 纯文本查看 复制代码 00007FFEDD27B5C7 | 4C:8BF9 | mov r15,rcx 所以我们要继续向上需要rcx的值,这一条保存起来放到一起,向上会发现又到了代码段的头部,没关系,我们继续回溯,并复制:[Asm] 纯文本查看 复制代码 00007FFEDD22F1C0 | 48:896C24 18 | mov qword ptr ss:[rsp+18],rbp |
00007FFEDD22F1C5 | 56 | push rsi |
00007FFEDD22F1C6 | 57 | push rdi |
00007FFEDD22F1C7 | 41:54 | push r12 |
00007FFEDD22F1C9 | 41:55 | push r13 |
00007FFEDD22F1CB | 41:57 | push r15 |
00007FFEDD22F1CD | 48:81EC B0000000 | sub rsp,B0 |
00007FFEDD22F1D4 | 48:8BB424 08010000 | mov rsi,qword ptr ss:[rsp+108] |
00007FFEDD22F1DC | 45:33ED | xor r13d,r13d |
00007FFEDD22F1DF | 44:0F298424 80000000 | movaps xmmword ptr ss:[rsp+80],xmm8 |
00007FFEDD22F1E8 | 44:0F294C24 70 | movaps xmmword ptr ss:[rsp+70],xmm9 |
00007FFEDD22F1EE | 45:8BE1 | mov r12d,r9d |
00007FFEDD22F1F1 | 44:0F28C2 | movaps xmm8,xmm2 |
00007FFEDD22F1F5 | 48:8BF9 | mov rdi,rcx |
00007FFEDD22F1F8 | 41:BF 05400080 | mov r15d,80004005 |
00007FFEDD22F1FE | 44:896C24 34 | mov dword ptr ss:[rsp+34],r13d |
00007FFEDD22F203 | 44:0F28C9 | movaps xmm9,xmm1 |
00007FFEDD22F207 | 44:896C24 30 | mov dword ptr ss:[rsp+30],r13d |
00007FFEDD22F20C | 41:8BED | mov ebp,r13d |
00007FFEDD22F20F | 48:85F6 | test rsi,rsi |
00007FFEDD22F212 | 75 37 | jne jx3representx64.7FFEDD22F24B |
00007FFEDD22F214 | 48:8D05 45BD2900 | lea rax,qword ptr ds:[7FFEDD4CAF60] | 00007FFEDD4CAF60:"KRLCharacterCamera::Update"
00007FFEDD22F21B | 4C:8D0D 5EBD2900 | lea r9,qword ptr ds:[7FFEDD4CAF80] | 00007FFEDD4CAF80:"pCameraCommonInfo"
00007FFEDD22F222 | 4C:8D05 670B2800 | lea r8,qword ptr ds:[7FFEDD4AFD90] | 00007FFEDD4AFD90:"KGLOG_PROCESS_ERROR(%s) at line %d in %s\n"
00007FFEDD22F229 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD22F22E | 8D56 07 | lea edx,qword ptr ds:[rsi+7] |
00007FFEDD22F231 | 48:8D0D C80DE6FF | lea rcx,qword ptr ds:[7FFEDD090000] |
00007FFEDD22F238 | C74424 20 13020000 | mov dword ptr ss:[rsp+20],213 |
00007FFEDD22F240 | FF15 A26E3B00 | call qword ptr ds:[<&?KGLogPrintf_KGSL@@ |
00007FFEDD22F246 | E9 3F040000 | jmp jx3representx64.7FFEDD22F68A |
00007FFEDD22F24B | 48:899C24 E0000000 | mov qword ptr ss:[rsp+E0],rbx |
00007FFEDD22F253 | 4C:89B424 E8000000 | mov qword ptr ss:[rsp+E8],r14 |
00007FFEDD22F25B | 0F29B424 A0000000 | movaps xmmword ptr ss:[rsp+A0],xmm6 |
00007FFEDD22F263 | 39A9 CC5F0000 | cmp dword ptr ds:[rcx+5FCC],ebp |
00007FFEDD22F269 | 0F84 04010000 | je jx3representx64.7FFEDD22F373 |
00007FFEDD22F26F | 39A9 E45F0000 | cmp dword ptr ds:[rcx+5FE4],ebp |
00007FFEDD22F275 | 0F84 F8000000 | je jx3representx64.7FFEDD22F373 |
00007FFEDD22F27B | 48:8B89 C84C0000 | mov rcx,qword ptr ds:[rcx+4CC8] |
00007FFEDD22F282 | 48:85C9 | test rcx,rcx |
00007FFEDD22F285 | 74 06 | je jx3representx64.7FFEDD22F28D |
00007FFEDD22F287 | 48:83C1 58 | add rcx,58 |
00007FFEDD22F28B | EB 04 | jmp jx3representx64.7FFEDD22F291 |
00007FFEDD22F28D | 48:8D4F 48 | lea rcx,qword ptr ds:[rdi+48] |
00007FFEDD22F291 | 48:85C9 | test rcx,rcx |
00007FFEDD22F294 | 0F84 D2000000 | je jx3representx64.7FFEDD22F36C |
00007FFEDD22F29A | F3:0F1005 EADA2800 | movss xmm0,dword ptr ds:[7FFEDD4BCD8C] |
00007FFEDD22F2A2 | 48:8D5424 58 | lea rdx,qword ptr ss:[rsp+58] |
00007FFEDD22F2A7 | 0F29BC24 90000000 | movaps xmmword ptr ss:[rsp+90],xmm7 |
00007FFEDD22F2AF | 0F57FF | xorps xmm7,xmm7 |
00007FFEDD22F2B2 | 48:896C24 58 | mov qword ptr ss:[rsp+58],rbp |
00007FFEDD22F2B7 | 896C24 60 | mov dword ptr ss:[rsp+60],ebp |
00007FFEDD22F2BB | F3:0F114424 50 | movss dword ptr ss:[rsp+50],xmm0 |
00007FFEDD22F2C1 | C74424 64 0000803F | mov dword ptr ss:[rsp+64],3F800000 |
00007FFEDD22F2C9 | 48:896C24 48 | mov qword ptr ss:[rsp+48],rbp |
00007FFEDD22F2CE | 48:896C24 38 | mov qword ptr ss:[rsp+38],rbp |
00007FFEDD22F2D3 | 896C24 40 | mov dword ptr ss:[rsp+40],ebp |
00007FFEDD22F2D7 | E8 911DE7FF | call jx3representx64.7FFEDD0A106D |
00007FFEDD22F2DC | 4C:8D4424 38 | lea r8,qword ptr ss:[rsp+38] |
00007FFEDD22F2E1 | 48:8D5424 48 | lea rdx,qword ptr ss:[rsp+48] |
00007FFEDD22F2E6 | 48:8D4C24 58 | lea rcx,qword ptr ss:[rsp+58] |
00007FFEDD22F2EB | E8 556DE7FF | call jx3representx64.7FFEDD0A6045 |
00007FFEDD22F2F0 | F3:0F104424 3C | movss xmm0,dword ptr ss:[rsp+3C] |
00007FFEDD22F2F6 | F3:0F107424 38 | movss xmm6,dword ptr ss:[rsp+38] |
00007FFEDD22F2FC | 0F28CE | movaps xmm1,xmm6 |
00007FFEDD22F2FF | F3:0F59C7 | mulss xmm0,xmm7 |
00007FFEDD22F303 | F3:0F59CF | mulss xmm1,xmm7 |
00007FFEDD22F307 | F3:0F58C1 | addss xmm0,xmm1 |
00007FFEDD22F30B | F3:0F104C24 40 | movss xmm1,dword ptr ss:[rsp+40] |
00007FFEDD22F311 | F3:0F590D 4F102800 | mulss xmm1,dword ptr ds:[7FFEDD4B0368] |
00007FFEDD22F319 | F3:0F5CC1 | subss xmm0,xmm1 |
00007FFEDD22F31D | E8 54CA2400 | call <JMP.&acosf> |
00007FFEDD22F322 | 0F2FF7 | comiss xmm6,xmm7 |
00007FFEDD22F325 | 72 07 | jb jx3representx64.7FFEDD22F32E |
00007FFEDD22F327 | 0F5705 A2152800 | xorps xmm0,xmmword ptr ds:[7FFEDD4B08D0] |
00007FFEDD22F32E | F3:0F5887 D05F0000 | addss xmm0,dword ptr ds:[rdi+5FD0] |
00007FFEDD22F336 | F3:0F1097 E05F0000 | movss xmm2,dword ptr ds:[rdi+5FE0] |
00007FFEDD22F33E | 48:8D8E 9C040000 | lea rcx,qword ptr ds:[rsi+49C] |
00007FFEDD22F345 | 0F28C8 | movaps xmm1,xmm0 |
00007FFEDD22F348 | E8 06A0E7FF | call jx3representx64.7FFEDD0A9353 |
00007FFEDD22F34D | F3:0F108F D45F0000 | movss xmm1,dword ptr ds:[rdi+5FD4] |
00007FFEDD22F355 | 48:8D8E 9C040000 | lea rcx,qword ptr ds:[rsi+49C] |
00007FFEDD22F35C | 0F28D7 | movaps xmm2,xmm7 |
00007FFEDD22F35F | E8 3759E6FF | call jx3representx64.7FFEDD094C9B |
00007FFEDD22F364 | 0F28BC24 90000000 | movaps xmm7,xmmword ptr ss:[rsp+90] |
00007FFEDD22F36C | 44:89AF E45F0000 | mov dword ptr ds:[rdi+5FE4],r13d |
00007FFEDD22F373 | 41:0F28C1 | movaps xmm0,xmm9 |
00007FFEDD22F377 | 0F57F6 | xorps xmm6,xmm6 |
00007FFEDD22F37A | 48:8D8F F85D0000 | lea rcx,qword ptr ds:[rdi+5DF8] |
00007FFEDD22F381 | F241:0F5CC0 | subsd xmm0,xmm8 |
00007FFEDD22F386 | F2:0F5AF0 | cvtsd2ss xmm6,xmm0 |
00007FFEDD22F38A | 0F28CE | movaps xmm1,xmm6 |
00007FFEDD22F38D | E8 C0FFE7FF | call jx3representx64.7FFEDD0AF352 |
00007FFEDD22F392 | 48:8D8F F85D0000 | lea rcx,qword ptr ds:[rdi+5DF8] |
00007FFEDD22F399 | 0F28CE | movaps xmm1,xmm6 |
00007FFEDD22F39C | E8 7898E7FF | call jx3representx64.7FFEDD0A8C19 |
00007FFEDD22F3A1 | 48:8D8F F85D0000 | lea rcx,qword ptr ds:[rdi+5DF8] |
00007FFEDD22F3A8 | 0F28CE | movaps xmm1,xmm6 |
00007FFEDD22F3AB | E8 26F9E7FF | call jx3representx64.7FFEDD0AECD6 |
00007FFEDD22F3B0 | 4C:8B05 49AA3600 | mov r8,qword ptr ds:[7FFEDD599E00] |
00007FFEDD22F3B7 | 44:8BB424 00010000 | mov r14d,dword ptr ss:[rsp+100] |
00007FFEDD22F3BF | 48:8D96 F8040000 | lea rdx,qword ptr ds:[rsi+4F8] |
00007FFEDD22F3C6 | 48:8BCF | mov rcx,rdi |
00007FFEDD22F3C9 | 49:81C0 D0B50100 | add r8,1B5D0 |
00007FFEDD22F3D0 | 45:8BCE | mov r9d,r14d |
00007FFEDD22F3D3 | E8 FF07E7FF | call jx3representx64.7FFEDD09FBD7 |
00007FFEDD22F3D8 | 0F28B424 A0000000 | movaps xmm6,xmmword ptr ss:[rsp+A0] |
00007FFEDD22F3E0 | 85C0 | test eax,eax |
00007FFEDD22F3E2 | 75 19 | jne jx3representx64.7FFEDD22F3FD |
00007FFEDD22F3E4 | 48:8D05 75BB2900 | lea rax,qword ptr ds:[7FFEDD4CAF60] | 00007FFEDD4CAF60:"KRLCharacterCamera::Update"
00007FFEDD22F3EB | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD22F3F0 | C74424 20 2C020000 | mov dword ptr ss:[rsp+20],22C |
00007FFEDD22F3F8 | E9 17020000 | jmp jx3representx64.7FFEDD22F614 |
00007FFEDD22F3FD | B9 06000000 | mov ecx,6 |
00007FFEDD22F402 | 44:89AF 0C5F0000 | mov dword ptr ds:[rdi+5F0C],r13d |
00007FFEDD22F409 | E8 272BE8FF | call jx3representx64.7FFEDD0B1F35 |
00007FFEDD22F40E | 85C0 | test eax,eax |
00007FFEDD22F410 | 0F85 08010000 | jne jx3representx64.7FFEDD22F51E |
00007FFEDD22F416 | 39AE 00050000 | cmp dword ptr ds:[rsi+500],ebp |
00007FFEDD22F41C | 0F84 FC000000 | je jx3representx64.7FFEDD22F51E |
00007FFEDD22F422 | 8D48 01 | lea ecx,qword ptr ds:[rax+1] |
00007FFEDD22F425 | E8 0B2BE8FF | call jx3representx64.7FFEDD0B1F35 |
00007FFEDD22F42A | 85C0 | test eax,eax |
00007FFEDD22F42C | 74 12 | je jx3representx64.7FFEDD22F440 |
00007FFEDD22F42E | B9 08000000 | mov ecx,8 |
00007FFEDD22F433 | E8 FD2AE8FF | call jx3representx64.7FFEDD0B1F35 |
00007FFEDD22F438 | 85C0 | test eax,eax |
00007FFEDD22F43A | 0F84 DE000000 | je jx3representx64.7FFEDD22F51E |
00007FFEDD22F440 | 48:8B0D B9A93600 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD22F447 | 0FB781 30B70100 | movzx eax,word ptr ds:[rcx+1B730] |
00007FFEDD22F44E | 85C0 | test eax,eax |
00007FFEDD22F450 | 74 3F | je jx3representx64.7FFEDD22F491 |
00007FFEDD22F452 | 48:8D91 D0B50100 | lea rdx,qword ptr ds:[rcx+1B5D0] |
00007FFEDD22F459 | 4C:8D87 0C5F0000 | lea r8,qword ptr ds:[rdi+5F0C] |
00007FFEDD22F460 | 48:8BCF | mov rcx,rdi |
00007FFEDD22F463 | BD 01000000 | mov ebp,1 |
00007FFEDD22F468 | E8 C17DE7FF | call jx3representx64.7FFEDD0A722E |
00007FFEDD22F46D | 85C0 | test eax,eax |
00007FFEDD22F46F | 75 19 | jne jx3representx64.7FFEDD22F48A |
00007FFEDD22F471 | 48:8D05 E8BA2900 | lea rax,qword ptr ds:[7FFEDD4CAF60] | 00007FFEDD4CAF60:"KRLCharacterCamera::Update"
00007FFEDD22F478 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD22F47D | C74424 20 37020000 | mov dword ptr ss:[rsp+20],237 |
00007FFEDD22F485 | E9 8A010000 | jmp jx3representx64.7FFEDD22F614 |
00007FFEDD22F48A | 48:8B0D 6FA93600 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD22F491 | 0FB781 90B70100 | movzx eax,word ptr ds:[rcx+1B790] |
00007FFEDD22F498 | 85C0 | test eax,eax |
00007FFEDD22F49A | 74 3F | je jx3representx64.7FFEDD22F4DB |
00007FFEDD22F49C | 48:8D91 D0B50100 | lea rdx,qword ptr ds:[rcx+1B5D0] |
00007FFEDD22F4A3 | 4C:8D87 0C5F0000 | lea r8,qword ptr ds:[rdi+5F0C] |
00007FFEDD22F4AA | 48:8BCF | mov rcx,rdi |
00007FFEDD22F4AD | BD 01000000 | mov ebp,1 |
00007FFEDD22F4B2 | E8 8381E6FF | call jx3representx64.7FFEDD09763A |
00007FFEDD22F4B7 | 85C0 | test eax,eax |
00007FFEDD22F4B9 | 75 19 | jne jx3representx64.7FFEDD22F4D4 |
00007FFEDD22F4BB | 48:8D05 9EBA2900 | lea rax,qword ptr ds:[7FFEDD4CAF60] | 00007FFEDD4CAF60:"KRLCharacterCamera::Update"
00007FFEDD22F4C2 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD22F4C7 | C74424 20 3E020000 | mov dword ptr ss:[rsp+20],23E |
00007FFEDD22F4CF | E9 40010000 | jmp jx3representx64.7FFEDD22F614 |
00007FFEDD22F4D4 | 48:8B0D 25A93600 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD22F4DB | 0FB781 B0B70100 | movzx eax,word ptr ds:[rcx+1B7B0] |
00007FFEDD22F4E2 | 85C0 | test eax,eax |
00007FFEDD22F4E4 | 74 3F | je jx3representx64.7FFEDD22F525 |
00007FFEDD22F4E6 | 48:8D91 D0B50100 | lea rdx,qword ptr ds:[rcx+1B5D0] |
00007FFEDD22F4ED | 4C:8D87 0C5F0000 | lea r8,qword ptr ds:[rdi+5F0C] |
00007FFEDD22F4F4 | 48:8BCF | mov rcx,rdi |
00007FFEDD22F4F7 | BD 01000000 | mov ebp,1 |
00007FFEDD22F4FC | E8 4B32E7FF | call jx3representx64.7FFEDD0A274C |
00007FFEDD22F501 | 85C0 | test eax,eax |
00007FFEDD22F503 | 75 19 | jne jx3representx64.7FFEDD22F51E |
00007FFEDD22F505 | 48:8D05 54BA2900 | lea rax,qword ptr ds:[7FFEDD4CAF60] | 00007FFEDD4CAF60:"KRLCharacterCamera::Update"
00007FFEDD22F50C | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD22F511 | C74424 20 45020000 | mov dword ptr ss:[rsp+20],245 |
00007FFEDD22F519 | E9 F6000000 | jmp jx3representx64.7FFEDD22F614 |
00007FFEDD22F51E | 48:8B0D DBA83600 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD22F525 | 44:3969 0C | cmp dword ptr ds:[rcx+C],r13d |
00007FFEDD22F529 | 75 04 | jne jx3representx64.7FFEDD22F52F |
00007FFEDD22F52B | 85ED | test ebp,ebp |
00007FFEDD22F52D | 74 79 | je jx3representx64.7FFEDD22F5A8 |
00007FFEDD22F52F | 44:3969 08 | cmp dword ptr ds:[rcx+8],r13d |
00007FFEDD22F533 | 74 73 | je jx3representx64.7FFEDD22F5A8 |
00007FFEDD22F535 | 44:39AE 00050000 | cmp dword ptr ds:[rsi+500],r13d |
00007FFEDD22F53C | 74 6A | je jx3representx64.7FFEDD22F5A8 |
00007FFEDD22F53E | 44:39AF D85F0000 | cmp dword ptr ds:[rdi+5FD8],r13d |
00007FFEDD22F545 | 74 61 | je jx3representx64.7FFEDD22F5A8 |
00007FFEDD22F547 | 4C:8D4C24 30 | lea r9,qword ptr ss:[rsp+30] |
00007FFEDD22F54C | 4C:8D4424 34 | lea r8,qword ptr ss:[rsp+34] |
00007FFEDD22F551 | 48:8BD6 | mov rdx,rsi |
00007FFEDD22F554 | 48:8BCF | mov rcx,rdi |
00007FFEDD22F557 | E8 42DBE6FF | call jx3representx64.7FFEDD09D09E |
00007FFEDD22F55C | 85C0 | test eax,eax |
00007FFEDD22F55E | 75 19 | jne jx3representx64.7FFEDD22F579 |
00007FFEDD22F560 | 48:8D05 F9B92900 | lea rax,qword ptr ds:[7FFEDD4CAF60] | 00007FFEDD4CAF60:"KRLCharacterCamera::Update"
00007FFEDD22F567 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD22F56C | C74424 20 4C020000 | mov dword ptr ss:[rsp+20],24C |
00007FFEDD22F574 | E9 9B000000 | jmp jx3representx64.7FFEDD22F614 |
00007FFEDD22F579 | 44:8B4C24 30 | mov r9d,dword ptr ss:[rsp+30] |
00007FFEDD22F57E | 44:8B4424 34 | mov r8d,dword ptr ss:[rsp+34] |
00007FFEDD22F583 | 48:8BD6 | mov rdx,rsi |
00007FFEDD22F586 | 48:8BCF | mov rcx,rdi |
00007FFEDD22F589 | E8 23E1E6FF | call jx3representx64.7FFEDD09D6B1 |
00007FFEDD22F58E | 85C0 | test eax,eax |
00007FFEDD22F590 | 75 16 | jne jx3representx64.7FFEDD22F5A8 |
00007FFEDD22F592 | 48:8D05 C7B92900 | lea rax,qword ptr ds:[7FFEDD4CAF60] | 00007FFEDD4CAF60:"KRLCharacterCamera::Update"
00007FFEDD22F599 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD22F59E | C74424 20 4F020000 | mov dword ptr ss:[rsp+20],24F |
00007FFEDD22F5A6 | EB 6C | jmp jx3representx64.7FFEDD22F614 |
00007FFEDD22F5A8 | 48:8D4F 08 | lea rcx,qword ptr ds:[rdi+8] |
00007FFEDD22F5AC | 41:0F28D0 | movaps xmm2,xmm8 |
00007FFEDD22F5B0 | 41:0F28C9 | movaps xmm1,xmm9 |
00007FFEDD22F5B4 | 45:8BCC | mov r9d,r12d |
00007FFEDD22F5B7 | 44:897424 20 | mov dword ptr ss:[rsp+20],r14d |
00007FFEDD22F5BC | E8 6138E7FF | call jx3representx64.7FFEDD0A2E22 |
00007FFEDD22F5C1 | 85C0 | test eax,eax |
我们在其中搜索rcx,找到了:[Asm] 纯文本查看 复制代码 00007FFEDD22F5A8 | 48:8D4F 08 | lea rcx,qword ptr ds:[rdi+8] 与其他找到的命令放到一起,这里我们得到:rcx= rdi + 8我们向上寻找rdi的来源,在接近代码段头部的地方发现了:[Asm] 纯文本查看 复制代码 00007FFEDD22F1F5 | 48:8BF9 | mov rdi,rcx 所以我们要继续向上追溯rcx的值,断点回溯到上层调用,复制出代码段:[Asm] 纯文本查看 复制代码 00007FFEDD220E20 | 48:8BC4 | mov rax,rsp |
00007FFEDD220E23 | 55 | push rbp |
00007FFEDD220E24 | 53 | push rbx |
00007FFEDD220E25 | 56 | push rsi |
00007FFEDD220E26 | 57 | push rdi |
00007FFEDD220E27 | 41:54 | push r12 |
00007FFEDD220E29 | 41:55 | push r13 |
00007FFEDD220E2B | 41:56 | push r14 |
00007FFEDD220E2D | 41:57 | push r15 |
00007FFEDD220E2F | 48:8D6C24 98 | lea rbp,qword ptr ss:[rsp-68] |
00007FFEDD220E34 | 48:81EC 68010000 | sub rsp,168 |
00007FFEDD220E3B | 0F2970 A8 | movaps xmmword ptr ds:[rax-58],xmm6 |
00007FFEDD220E3F | 0F2978 98 | movaps xmmword ptr ds:[rax-68],xmm7 |
00007FFEDD220E43 | 44:0F2940 88 | movaps xmmword ptr ds:[rax-78],xmm8 |
00007FFEDD220E48 | 44:0F2988 78FFFFFF | movaps xmmword ptr ds:[rax-88],xmm9 |
00007FFEDD220E50 | 44:0F2990 68FFFFFF | movaps xmmword ptr ds:[rax-98],xmm10 |
00007FFEDD220E58 | 48:8B05 417B3700 | mov rax,qword ptr ds:[7FFEDD5989A0] |
00007FFEDD220E5F | 48:33C4 | xor rax,rsp |
00007FFEDD220E62 | 48:8945 00 | mov qword ptr ss:[rbp],rax |
00007FFEDD220E66 | 33D2 | xor edx,edx |
00007FFEDD220E68 | 48:8BD9 | mov rbx,rcx |
00007FFEDD220E6B | 48:8D4D B0 | lea rcx,qword ptr ss:[rbp-50] |
00007FFEDD220E6F | 44:8D42 40 | lea r8d,qword ptr ds:[rdx+40] |
00007FFEDD220E73 | 44:894C24 60 | mov dword ptr ss:[rsp+60],r9d |
00007FFEDD220E78 | 44:0F28CA | movaps xmm9,xmm2 |
00007FFEDD220E7C | 44:0F28C1 | movaps xmm8,xmm1 |
00007FFEDD220E80 | 48:C745 88 00000000 | mov qword ptr ss:[rbp-78],0 |
00007FFEDD220E88 | C745 90 00000000 | mov dword ptr ss:[rbp-70],0 |
00007FFEDD220E8F | 48:C745 98 00000000 | mov qword ptr ss:[rbp-68],0 |
00007FFEDD220E97 | C745 A0 00000000 | mov dword ptr ss:[rbp-60],0 |
00007FFEDD220E9E | 48:C74424 68 00000000 | mov qword ptr ss:[rsp+68],0 |
00007FFEDD220EA7 | C74424 70 00000000 | mov dword ptr ss:[rsp+70],0 |
00007FFEDD220EAF | 48:C74424 78 00000000 | mov qword ptr ss:[rsp+78],0 |
00007FFEDD220EB8 | C745 80 00000000 | mov dword ptr ss:[rbp-80],0 |
00007FFEDD220EBF | E8 B0AA2500 | call <JMP.&memset> |
00007FFEDD220EC4 | 83BB D8650000 00 | cmp dword ptr ds:[rbx+65D8],0 |
00007FFEDD220ECB | C74424 50 00000000 | mov dword ptr ss:[rsp+50],0 |
00007FFEDD220ED3 | C74424 58 00000000 | mov dword ptr ss:[rsp+58],0 |
00007FFEDD220EDB | C74424 5C 00000000 | mov dword ptr ss:[rsp+5C],0 |
00007FFEDD220EE3 | C74424 54 00000000 | mov dword ptr ss:[rsp+54],0 |
00007FFEDD220EEB | 0F84 170A0000 | je jx3representx64.7FFEDD221908 |
00007FFEDD220EF1 | 41:0F28C0 | movaps xmm0,xmm8 |
00007FFEDD220EF5 | 45:0F57D2 | xorps xmm10,xmm10 |
00007FFEDD220EF9 | 48:8D8B 34650000 | lea rcx,qword ptr ds:[rbx+6534] |
00007FFEDD220F00 | F241:0F5CC1 | subsd xmm0,xmm9 |
00007FFEDD220F05 | F244:0F5AD0 | cvtsd2ss xmm10,xmm0 |
00007FFEDD220F0A | 41:0F28CA | movaps xmm1,xmm10 |
00007FFEDD220F0E | E8 3FE4E8FF | call jx3representx64.7FFEDD0AF352 |
00007FFEDD220F13 | 48:8D8B 34650000 | lea rcx,qword ptr ds:[rbx+6534] |
00007FFEDD220F1A | 41:0F28CA | movaps xmm1,xmm10 |
00007FFEDD220F1E | E8 F67CE8FF | call jx3representx64.7FFEDD0A8C19 |
00007FFEDD220F23 | 48:8D8B 34650000 | lea rcx,qword ptr ds:[rbx+6534] |
00007FFEDD220F2A | 41:0F28CA | movaps xmm1,xmm10 |
00007FFEDD220F2E | E8 A3DDE8FF | call jx3representx64.7FFEDD0AECD6 |
00007FFEDD220F33 | 48:8D4B 48 | lea rcx,qword ptr ds:[rbx+48] |
00007FFEDD220F37 | E8 92BDE8FF | call jx3representx64.7FFEDD0ACCCE |
00007FFEDD220F3C | 48:8D8B D8320000 | lea rcx,qword ptr ds:[rbx+32D8] |
00007FFEDD220F43 | 8BF8 | mov edi,eax |
00007FFEDD220F45 | E8 AF83E8FF | call jx3representx64.7FFEDD0A92F9 |
00007FFEDD220F4A | 48:8D8B C8620000 | lea rcx,qword ptr ds:[rbx+62C8] |
00007FFEDD220F51 | 8BF0 | mov esi,eax |
00007FFEDD220F53 | E8 C889E8FF | call jx3representx64.7FFEDD0A9920 |
00007FFEDD220F58 | 85C0 | test eax,eax |
00007FFEDD220F5A | 74 35 | je jx3representx64.7FFEDD220F91 |
00007FFEDD220F5C | 48:8D8B C8620000 | lea rcx,qword ptr ds:[rbx+62C8] |
00007FFEDD220F63 | E8 4A2EE9FF | call jx3representx64.7FFEDD0B3DB2 |
00007FFEDD220F68 | 3BC7 | cmp eax,edi |
00007FFEDD220F6A | 74 25 | je jx3representx64.7FFEDD220F91 |
00007FFEDD220F6C | 48:8BCB | mov rcx,rbx |
00007FFEDD220F6F | E8 840DE7FF | call jx3representx64.7FFEDD091CF8 |
00007FFEDD220F74 | 85C0 | test eax,eax |
00007FFEDD220F76 | 75 19 | jne jx3representx64.7FFEDD220F91 |
00007FFEDD220F78 | 48:8D05 A9922A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD220F7F | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD220F84 | C74424 20 F3020000 | mov dword ptr ss:[rsp+20],2F3 |
00007FFEDD220F8C | E9 99070000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD220F91 | 85FF | test edi,edi |
00007FFEDD220F93 | 74 37 | je jx3representx64.7FFEDD220FCC |
00007FFEDD220F95 | 48:8D8B C8620000 | lea rcx,qword ptr ds:[rbx+62C8] |
00007FFEDD220F9C | E8 7F89E8FF | call jx3representx64.7FFEDD0A9920 |
00007FFEDD220FA1 | 85C0 | test eax,eax |
00007FFEDD220FA3 | 75 27 | jne jx3representx64.7FFEDD220FCC |
00007FFEDD220FA5 | 8BD7 | mov edx,edi |
00007FFEDD220FA7 | 48:8BCB | mov rcx,rbx |
00007FFEDD220FAA | E8 A515E7FF | call jx3representx64.7FFEDD092554 |
00007FFEDD220FAF | 85C0 | test eax,eax |
00007FFEDD220FB1 | 75 19 | jne jx3representx64.7FFEDD220FCC |
00007FFEDD220FB3 | 48:8D05 6E922A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD220FBA | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD220FBF | C74424 20 F8020000 | mov dword ptr ss:[rsp+20],2F8 |
00007FFEDD220FC7 | E9 5E070000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD220FCC | 48:8D8B 68610000 | lea rcx,qword ptr ds:[rbx+6168] |
00007FFEDD220FD3 | E8 5FBEE7FF | call jx3representx64.7FFEDD09CE37 |
00007FFEDD220FD8 | 85C0 | test eax,eax |
00007FFEDD220FDA | 74 39 | je jx3representx64.7FFEDD221015 |
00007FFEDD220FDC | 48:8D8B 68610000 | lea rcx,qword ptr ds:[rbx+6168] |
00007FFEDD220FE3 | E8 BB1AE8FF | call jx3representx64.7FFEDD0A2AA3 |
00007FFEDD220FE8 | 3B83 F4650000 | cmp eax,dword ptr ds:[rbx+65F4] |
00007FFEDD220FEE | 74 25 | je jx3representx64.7FFEDD221015 |
00007FFEDD220FF0 | 48:8BCB | mov rcx,rbx |
00007FFEDD220FF3 | E8 621CE9FF | call jx3representx64.7FFEDD0B2C5A |
00007FFEDD220FF8 | 85C0 | test eax,eax |
00007FFEDD220FFA | 75 19 | jne jx3representx64.7FFEDD221015 |
00007FFEDD220FFC | 48:8D05 25922A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD221003 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD221008 | C74424 20 FF020000 | mov dword ptr ss:[rsp+20],2FF |
00007FFEDD221010 | E9 15070000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD221015 | 83BB F4650000 00 | cmp dword ptr ds:[rbx+65F4],0 |
00007FFEDD22101C | 74 3B | je jx3representx64.7FFEDD221059 |
00007FFEDD22101E | 48:8D8B 68610000 | lea rcx,qword ptr ds:[rbx+6168] |
00007FFEDD221025 | E8 0DBEE7FF | call jx3representx64.7FFEDD09CE37 |
00007FFEDD22102A | 85C0 | test eax,eax |
00007FFEDD22102C | 75 2B | jne jx3representx64.7FFEDD221059 |
00007FFEDD22102E | 8B93 F4650000 | mov edx,dword ptr ds:[rbx+65F4] |
00007FFEDD221034 | 48:8BCB | mov rcx,rbx |
00007FFEDD221037 | E8 B45FE7FF | call jx3representx64.7FFEDD096FF0 |
00007FFEDD22103C | 85C0 | test eax,eax |
00007FFEDD22103E | 75 19 | jne jx3representx64.7FFEDD221059 |
00007FFEDD221040 | 48:8D05 E1912A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD221047 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD22104C | C74424 20 04030000 | mov dword ptr ss:[rsp+20],304 |
00007FFEDD221054 | E9 D1060000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD221059 | 48:8D8B 18630000 | lea rcx,qword ptr ds:[rbx+6318] |
00007FFEDD221060 | E8 201AE8FF | call jx3representx64.7FFEDD0A2A85 |
00007FFEDD221065 | 85C0 | test eax,eax |
00007FFEDD221067 | 74 39 | je jx3representx64.7FFEDD2210A2 |
00007FFEDD221069 | 48:8D8B 18630000 | lea rcx,qword ptr ds:[rbx+6318] |
00007FFEDD221070 | E8 1E80E7FF | call jx3representx64.7FFEDD099093 |
00007FFEDD221075 | 3B83 F8650000 | cmp eax,dword ptr ds:[rbx+65F8] |
00007FFEDD22107B | 74 25 | je jx3representx64.7FFEDD2210A2 |
00007FFEDD22107D | 48:8BCB | mov rcx,rbx |
00007FFEDD221080 | E8 148EE7FF | call jx3representx64.7FFEDD099E99 |
00007FFEDD221085 | 85C0 | test eax,eax |
00007FFEDD221087 | 75 19 | jne jx3representx64.7FFEDD2210A2 |
00007FFEDD221089 | 48:8D05 98912A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD221090 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD221095 | C74424 20 0B030000 | mov dword ptr ss:[rsp+20],30B |
00007FFEDD22109D | E9 88060000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD2210A2 | 83BB F8650000 00 | cmp dword ptr ds:[rbx+65F8],0 |
00007FFEDD2210A9 | 74 3B | je jx3representx64.7FFEDD2210E6 |
00007FFEDD2210AB | 48:8D8B 18630000 | lea rcx,qword ptr ds:[rbx+6318] |
00007FFEDD2210B2 | E8 CE19E8FF | call jx3representx64.7FFEDD0A2A85 |
00007FFEDD2210B7 | 85C0 | test eax,eax |
00007FFEDD2210B9 | 75 2B | jne jx3representx64.7FFEDD2210E6 |
00007FFEDD2210BB | 8B93 F8650000 | mov edx,dword ptr ds:[rbx+65F8] |
00007FFEDD2210C1 | 48:8BCB | mov rcx,rbx |
00007FFEDD2210C4 | E8 23D5E8FF | call jx3representx64.7FFEDD0AE5EC |
00007FFEDD2210C9 | 85C0 | test eax,eax |
00007FFEDD2210CB | 75 19 | jne jx3representx64.7FFEDD2210E6 |
00007FFEDD2210CD | 48:8D05 54912A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD2210D4 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD2210D9 | C74424 20 10030000 | mov dword ptr ss:[rsp+20],310 |
00007FFEDD2210E1 | E9 44060000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD2210E6 | 48:8D8B 18610000 | lea rcx,qword ptr ds:[rbx+6118] |
00007FFEDD2210ED | E8 7C21E8FF | call jx3representx64.7FFEDD0A326E |
00007FFEDD2210F2 | 85C0 | test eax,eax |
00007FFEDD2210F4 | 74 29 | je jx3representx64.7FFEDD22111F |
00007FFEDD2210F6 | 85F6 | test esi,esi |
00007FFEDD2210F8 | 75 29 | jne jx3representx64.7FFEDD221123 |
00007FFEDD2210FA | 48:8BCB | mov rcx,rbx |
00007FFEDD2210FD | E8 2EC3E8FF | call jx3representx64.7FFEDD0AD430 |
00007FFEDD221102 | 85C0 | test eax,eax |
00007FFEDD221104 | 75 52 | jne jx3representx64.7FFEDD221158 |
00007FFEDD221106 | 48:8D05 1B912A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD22110D | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD221112 | C74424 20 17030000 | mov dword ptr ss:[rsp+20],317 |
00007FFEDD22111A | E9 0B060000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD22111F | 85F6 | test esi,esi |
00007FFEDD221121 | 74 35 | je jx3representx64.7FFEDD221158 |
00007FFEDD221123 | 48:8D8B 18610000 | lea rcx,qword ptr ds:[rbx+6118] |
00007FFEDD22112A | E8 3F21E8FF | call jx3representx64.7FFEDD0A326E |
00007FFEDD22112F | 85C0 | test eax,eax |
00007FFEDD221131 | 75 25 | jne jx3representx64.7FFEDD221158 |
00007FFEDD221133 | 48:8BCB | mov rcx,rbx |
00007FFEDD221136 | E8 F93DE7FF | call jx3representx64.7FFEDD094F34 |
00007FFEDD22113B | 85C0 | test eax,eax |
00007FFEDD22113D | 75 19 | jne jx3representx64.7FFEDD221158 |
00007FFEDD22113F | 48:8D05 E2902A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD221146 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD22114B | C74424 20 1C030000 | mov dword ptr ss:[rsp+20],31C |
00007FFEDD221153 | E9 D2050000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD221158 | 48:8D8B 70630000 | lea rcx,qword ptr ds:[rbx+6370] |
00007FFEDD22115F | E8 1D81E8FF | call jx3representx64.7FFEDD0A9281 |
00007FFEDD221164 | 85C0 | test eax,eax |
00007FFEDD221166 | 74 39 | je jx3representx64.7FFEDD2211A1 |
00007FFEDD221168 | 48:8D8B 70630000 | lea rcx,qword ptr ds:[rbx+6370] |
00007FFEDD22116F | E8 6D2BE8FF | call jx3representx64.7FFEDD0A3CE1 |
00007FFEDD221174 | 3B83 FC650000 | cmp eax,dword ptr ds:[rbx+65FC] |
00007FFEDD22117A | 74 25 | je jx3representx64.7FFEDD2211A1 |
00007FFEDD22117C | 48:8BCB | mov rcx,rbx |
00007FFEDD22117F | E8 D0F3E8FF | call jx3representx64.7FFEDD0B0554 |
00007FFEDD221184 | 85C0 | test eax,eax |
00007FFEDD221186 | 75 19 | jne jx3representx64.7FFEDD2211A1 |
00007FFEDD221188 | 48:8D05 99902A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD22118F | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD221194 | C74424 20 23030000 | mov dword ptr ss:[rsp+20],323 |
00007FFEDD22119C | E9 89050000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD2211A1 | 83BB FC650000 00 | cmp dword ptr ds:[rbx+65FC],0 |
00007FFEDD2211A8 | 74 3B | je jx3representx64.7FFEDD2211E5 |
00007FFEDD2211AA | 48:8D8B 70630000 | lea rcx,qword ptr ds:[rbx+6370] |
00007FFEDD2211B1 | E8 CB80E8FF | call jx3representx64.7FFEDD0A9281 |
00007FFEDD2211B6 | 85C0 | test eax,eax |
00007FFEDD2211B8 | 75 2B | jne jx3representx64.7FFEDD2211E5 |
00007FFEDD2211BA | 8B93 FC650000 | mov edx,dword ptr ds:[rbx+65FC] |
00007FFEDD2211C0 | 48:8BCB | mov rcx,rbx |
00007FFEDD2211C3 | E8 0DD8E7FF | call jx3representx64.7FFEDD09E9D5 |
00007FFEDD2211C8 | 85C0 | test eax,eax |
00007FFEDD2211CA | 75 19 | jne jx3representx64.7FFEDD2211E5 |
00007FFEDD2211CC | 48:8D05 55902A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD2211D3 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD2211D8 | C74424 20 28030000 | mov dword ptr ss:[rsp+20],328 |
00007FFEDD2211E0 | E9 45050000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD2211E5 | 48:8D8B 84630000 | lea rcx,qword ptr ds:[rbx+6384] |
00007FFEDD2211EC | E8 B0CEE8FF | call jx3representx64.7FFEDD0AE0A1 |
00007FFEDD2211F1 | 85C0 | test eax,eax |
00007FFEDD2211F3 | 74 39 | je jx3representx64.7FFEDD22122E |
00007FFEDD2211F5 | 48:8D8B 84630000 | lea rcx,qword ptr ds:[rbx+6384] |
00007FFEDD2211FC | E8 0EACE8FF | call jx3representx64.7FFEDD0ABE0F |
00007FFEDD221201 | 3B83 00660000 | cmp eax,dword ptr ds:[rbx+6600] |
00007FFEDD221207 | 74 25 | je jx3representx64.7FFEDD22122E |
00007FFEDD221209 | 48:8BCB | mov rcx,rbx |
00007FFEDD22120C | E8 1A0FE7FF | call jx3representx64.7FFEDD09212B |
00007FFEDD221211 | 85C0 | test eax,eax |
00007FFEDD221213 | 75 19 | jne jx3representx64.7FFEDD22122E |
00007FFEDD221215 | 48:8D05 0C902A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD22121C | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD221221 | C74424 20 2F030000 | mov dword ptr ss:[rsp+20],32F |
00007FFEDD221229 | E9 FC040000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD22122E | 83BB 00660000 00 | cmp dword ptr ds:[rbx+6600],0 |
00007FFEDD221235 | 74 3B | je jx3representx64.7FFEDD221272 |
00007FFEDD221237 | 48:8D8B 84630000 | lea rcx,qword ptr ds:[rbx+6384] |
00007FFEDD22123E | E8 5ECEE8FF | call jx3representx64.7FFEDD0AE0A1 |
00007FFEDD221243 | 85C0 | test eax,eax |
00007FFEDD221245 | 75 2B | jne jx3representx64.7FFEDD221272 |
00007FFEDD221247 | 8B93 00660000 | mov edx,dword ptr ds:[rbx+6600] |
00007FFEDD22124D | 48:8BCB | mov rcx,rbx |
00007FFEDD221250 | E8 609CE8FF | call jx3representx64.7FFEDD0AAEB5 |
00007FFEDD221255 | 85C0 | test eax,eax |
00007FFEDD221257 | 75 19 | jne jx3representx64.7FFEDD221272 |
00007FFEDD221259 | 48:8D05 C88F2A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD221260 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD221265 | C74424 20 34030000 | mov dword ptr ss:[rsp+20],334 |
00007FFEDD22126D | E9 B8040000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD221272 | 48:8D8B AC640000 | lea rcx,qword ptr ds:[rbx+64AC] |
00007FFEDD221279 | E8 B871E7FF | call jx3representx64.7FFEDD098436 |
00007FFEDD22127E | 85C0 | test eax,eax |
00007FFEDD221280 | 74 39 | je jx3representx64.7FFEDD2212BB |
00007FFEDD221282 | 48:8D8B AC640000 | lea rcx,qword ptr ds:[rbx+64AC] |
00007FFEDD221289 | E8 16DFE8FF | call jx3representx64.7FFEDD0AF1A4 |
00007FFEDD22128E | 3B83 08660000 | cmp eax,dword ptr ds:[rbx+6608] |
00007FFEDD221294 | 74 25 | je jx3representx64.7FFEDD2212BB |
00007FFEDD221296 | 48:8BCB | mov rcx,rbx |
00007FFEDD221299 | E8 ACC5E8FF | call jx3representx64.7FFEDD0AD84A |
00007FFEDD22129E | 85C0 | test eax,eax |
00007FFEDD2212A0 | 75 19 | jne jx3representx64.7FFEDD2212BB |
00007FFEDD2212A2 | 48:8D05 7F8F2A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD2212A9 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD2212AE | C74424 20 3B030000 | mov dword ptr ss:[rsp+20],33B |
00007FFEDD2212B6 | E9 6F040000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD2212BB | 83BB 08660000 00 | cmp dword ptr ds:[rbx+6608],0 |
00007FFEDD2212C2 | 74 3B | je jx3representx64.7FFEDD2212FF |
00007FFEDD2212C4 | 48:8D8B AC640000 | lea rcx,qword ptr ds:[rbx+64AC] |
00007FFEDD2212CB | E8 6671E7FF | call jx3representx64.7FFEDD098436 |
00007FFEDD2212D0 | 85C0 | test eax,eax |
00007FFEDD2212D2 | 75 2B | jne jx3representx64.7FFEDD2212FF |
00007FFEDD2212D4 | 8B93 08660000 | mov edx,dword ptr ds:[rbx+6608] |
00007FFEDD2212DA | 48:8BCB | mov rcx,rbx |
00007FFEDD2212DD | E8 2D88E8FF | call jx3representx64.7FFEDD0A9B0F |
00007FFEDD2212E2 | 85C0 | test eax,eax |
00007FFEDD2212E4 | 75 19 | jne jx3representx64.7FFEDD2212FF |
00007FFEDD2212E6 | 48:8D05 3B8F2A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD2212ED | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD2212F2 | C74424 20 40030000 | mov dword ptr ss:[rsp+20],340 |
00007FFEDD2212FA | E9 2B040000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD2212FF | 83BB 0C660000 00 | cmp dword ptr ds:[rbx+660C],0 |
00007FFEDD221306 | 74 3B | je jx3representx64.7FFEDD221343 |
00007FFEDD221308 | 48:8D8B C0630000 | lea rcx,qword ptr ds:[rbx+63C0] |
00007FFEDD22130F | E8 2ED2E8FF | call jx3representx64.7FFEDD0AE542 |
00007FFEDD221314 | 85C0 | test eax,eax |
00007FFEDD221316 | 75 2B | jne jx3representx64.7FFEDD221343 |
00007FFEDD221318 | 8B93 04660000 | mov edx,dword ptr ds:[rbx+6604] |
00007FFEDD22131E | 48:8BCB | mov rcx,rbx |
00007FFEDD221321 | E8 3612E9FF | call jx3representx64.7FFEDD0B255C |
00007FFEDD221326 | 85C0 | test eax,eax |
00007FFEDD221328 | 75 19 | jne jx3representx64.7FFEDD221343 |
00007FFEDD22132A | 48:8D05 F78E2A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD221331 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD221336 | C74424 20 47030000 | mov dword ptr ss:[rsp+20],347 |
00007FFEDD22133E | E9 E7030000 | jmp jx3representx64.7FFEDD22172A |
00007FFEDD221343 | 83BB 14660000 00 | cmp dword ptr ds:[rbx+6614],0 |
00007FFEDD22134A | 74 1D | je jx3representx64.7FFEDD221369 |
00007FFEDD22134C | 48:8DBB 00650000 | lea rdi,qword ptr ds:[rbx+6500] |
00007FFEDD221353 | 48:8BCF | mov rcx,rdi |
00007FFEDD221356 | E8 A3C1E7FF | call jx3representx64.7FFEDD09D4FE |
00007FFEDD22135B | 85C0 | test eax,eax |
00007FFEDD22135D | 75 0A | jne jx3representx64.7FFEDD221369 |
00007FFEDD22135F | 48:8BCB | mov rcx,rbx |
00007FFEDD221362 | E8 7EF3E7FF | call jx3representx64.7FFEDD0A06E5 |
00007FFEDD221367 | EB 24 | jmp jx3representx64.7FFEDD22138D |
00007FFEDD221369 | 48:8DBB 00650000 | lea rdi,qword ptr ds:[rbx+6500] |
00007FFEDD221370 | 48:8BCF | mov rcx,rdi |
00007FFEDD221373 | E8 86C1E7FF | call jx3representx64.7FFEDD09D4FE |
00007FFEDD221378 | 85C0 | test eax,eax |
00007FFEDD22137A | 74 11 | je jx3representx64.7FFEDD22138D |
00007FFEDD22137C | 83BB 14660000 00 | cmp dword ptr ds:[rbx+6614],0 |
00007FFEDD221383 | 75 08 | jne jx3representx64.7FFEDD22138D |
00007FFEDD221385 | 48:8BCB | mov rcx,rbx |
00007FFEDD221388 | E8 4411E8FF | call jx3representx64.7FFEDD0A24D1 |
00007FFEDD22138D | 48:8D8B 70630000 | lea rcx,qword ptr ds:[rbx+6370] |
00007FFEDD221394 | E8 EDF2E7FF | call jx3representx64.7FFEDD0A0686 |
00007FFEDD221399 | 85C0 | test eax,eax |
00007FFEDD22139B | 74 08 | je jx3representx64.7FFEDD2213A5 |
00007FFEDD22139D | 48:8BCB | mov rcx,rbx |
00007FFEDD2213A0 | E8 2819E9FF | call jx3representx64.7FFEDD0B2CCD |
00007FFEDD2213A5 | 48:8D8B 84630000 | lea rcx,qword ptr ds:[rbx+6384] |
00007FFEDD2213AC | E8 0320E7FF | call jx3representx64.7FFEDD0933B4 |
00007FFEDD2213B1 | 85C0 | test eax,eax |
00007FFEDD2213B3 | 74 08 | je jx3representx64.7FFEDD2213BD |
00007FFEDD2213B5 | 48:8BCB | mov rcx,rbx |
00007FFEDD2213B8 | E8 9706E8FF | call jx3representx64.7FFEDD0A1A54 |
00007FFEDD2213BD | 48:8D8B 18610000 | lea rcx,qword ptr ds:[rbx+6118] |
00007FFEDD2213C4 | E8 0C17E8FF | call jx3representx64.7FFEDD0A2AD5 |
00007FFEDD2213C9 | 85C0 | test eax,eax |
00007FFEDD2213CB | 74 08 | je jx3representx64.7FFEDD2213D5 |
00007FFEDD2213CD | 48:8BCB | mov rcx,rbx |
00007FFEDD2213D0 | E8 DC25E9FF | call jx3representx64.7FFEDD0B39B1 |
00007FFEDD2213D5 | 48:8D8B C8620000 | lea rcx,qword ptr ds:[rbx+62C8] |
00007FFEDD2213DC | E8 E251E7FF | call jx3representx64.7FFEDD0965C3 |
00007FFEDD2213E1 | 85C0 | test eax,eax |
00007FFEDD2213E3 | 74 08 | je jx3representx64.7FFEDD2213ED |
00007FFEDD2213E5 | 48:8BCB | mov rcx,rbx |
00007FFEDD2213E8 | E8 1F62E8FF | call jx3representx64.7FFEDD0A760C |
00007FFEDD2213ED | 48:8D8B 68610000 | lea rcx,qword ptr ds:[rbx+6168] |
00007FFEDD2213F4 | E8 67E0E8FF | call jx3representx64.7FFEDD0AF460 |
00007FFEDD2213F9 | 85C0 | test eax,eax |
00007FFEDD2213FB | 74 08 | je jx3representx64.7FFEDD221405 |
00007FFEDD2213FD | 48:8BCB | mov rcx,rbx |
00007FFEDD221400 | E8 A5DDE7FF | call jx3representx64.7FFEDD09F1AA |
00007FFEDD221405 | 48:8D8B 18630000 | lea rcx,qword ptr ds:[rbx+6318] |
00007FFEDD22140C | E8 C849E8FF | call jx3representx64.7FFEDD0A5DD9 |
00007FFEDD221411 | 85C0 | test eax,eax |
00007FFEDD221413 | 74 08 | je jx3representx64.7FFEDD22141D |
00007FFEDD221415 | 48:8BCB | mov rcx,rbx |
00007FFEDD221418 | E8 CF00E7FF | call jx3representx64.7FFEDD0914EC |
00007FFEDD22141D | 48:8D8B 9C630000 | lea rcx,qword ptr ds:[rbx+639C] |
00007FFEDD221424 | E8 A3D8E8FF | call jx3representx64.7FFEDD0AECCC |
00007FFEDD221429 | 85C0 | test eax,eax |
00007FFEDD22142B | 74 08 | je jx3representx64.7FFEDD221435 |
00007FFEDD22142D | 48:8BCB | mov rcx,rbx |
00007FFEDD221430 | E8 2CBDE7FF | call jx3representx64.7FFEDD09D161 |
00007FFEDD221435 | 48:8D8B C0630000 | lea rcx,qword ptr ds:[rbx+63C0] |
00007FFEDD22143C | E8 A90AE9FF | call jx3representx64.7FFEDD0B1EEA |
00007FFEDD221441 | 85C0 | test eax,eax |
00007FFEDD221443 | 74 08 | je jx3representx64.7FFEDD22144D |
00007FFEDD221445 | 48:8BCB | mov rcx,rbx |
00007FFEDD221448 | E8 3704E7FF | call jx3representx64.7FFEDD091884 |
00007FFEDD22144D | 48:8D8B AC640000 | lea rcx,qword ptr ds:[rbx+64AC] |
00007FFEDD221454 | E8 5957E8FF | call jx3representx64.7FFEDD0A6BB2 |
00007FFEDD221459 | 85C0 | test eax,eax |
00007FFEDD22145B | 74 08 | je jx3representx64.7FFEDD221465 |
00007FFEDD22145D | 48:8BCB | mov rcx,rbx |
00007FFEDD221460 | E8 3119E8FF | call jx3representx64.7FFEDD0A2D96 |
00007FFEDD221465 | 48:8BCF | mov rcx,rdi |
00007FFEDD221468 | E8 95D0E7FF | call jx3representx64.7FFEDD09E502 |
00007FFEDD22146D | 85C0 | test eax,eax |
00007FFEDD22146F | 74 08 | je jx3representx64.7FFEDD221479 |
00007FFEDD221471 | 48:8BCB | mov rcx,rbx |
00007FFEDD221474 | E8 6A8FE8FF | call jx3representx64.7FFEDD0AA3E3 |
00007FFEDD221479 | 8B83 F0650000 | mov eax,dword ptr ds:[rbx+65F0] |
00007FFEDD22147F | 8BBD D0000000 | mov edi,dword ptr ss:[rbp+D0] |
00007FFEDD221485 | 44:8B7C24 60 | mov r15d,dword ptr ss:[rsp+60] |
00007FFEDD22148A | 8983 9C650000 | mov dword ptr ds:[rbx+659C],eax |
00007FFEDD221490 | 83F8 04 | cmp eax,4 |
00007FFEDD221493 | 75 44 | jne jx3representx64.7FFEDD2214D9 |
00007FFEDD221495 | 48:8B13 | mov rdx,qword ptr ds:[rbx] |
00007FFEDD221498 | 48:8D83 98600000 | lea rax,qword ptr ds:[rbx+6098] |
00007FFEDD22149F | 41:0F28D1 | movaps xmm2,xmm9 |
00007FFEDD2214A3 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD2214A8 | 41:0F28C8 | movaps xmm1,xmm8 |
00007FFEDD2214AC | 45:8BCF | mov r9d,r15d |
00007FFEDD2214AF | 48:8BCB | mov rcx,rbx |
00007FFEDD2214B2 | 897C24 20 | mov dword ptr ss:[rsp+20],edi |
00007FFEDD2214B6 | FF52 68 | call qword ptr ds:[rdx+68] |
00007FFEDD2214B9 | 44:8BC8 | mov r9d,eax |
00007FFEDD2214BC | 85C0 | test eax,eax |
00007FFEDD2214BE | 79 19 | jns jx3representx64.7FFEDD2214D9 |
00007FFEDD2214C0 | 48:8D05 618D2A00 | lea rax,qword ptr ds:[7FFEDD4CA228] | 00007FFEDD4CA228:"KRLCamera::UpdateLocal"
00007FFEDD2214C7 | 48:894424 28 | mov qword ptr ss:[rsp+28],rax |
00007FFEDD2214CC | C74424 20 78030000 | mov dword ptr ss:[rsp+20],378 |
00007FFEDD2214D4 | E9 96010000 | jmp jx3representx64.7FFEDD22166F |
00007FFEDD2214D9 | 48:8B8B D0650000 | mov rcx,qword ptr ds:[rbx+65D0] |
00007FFEDD2214E0 | 4C:8DB3 98600000 | lea r14,qword ptr ds:[rbx+6098] |
00007FFEDD2214E7 | 41:0F28D1 | movaps xmm2,xmm9 |
00007FFEDD2214EB | 48:8B01 | mov rax,qword ptr ds:[rcx] |
00007FFEDD2214EE | 41:0F28C8 | movaps xmm1,xmm8 |
00007FFEDD2214F2 | 45:8BCF | mov r9d,r15d |
00007FFEDD2214F5 | 4C:897424 28 | mov qword ptr ss:[rsp+28],r14 |
00007FFEDD2214FA | 897C24 20 | mov dword ptr ss:[rsp+20],edi |
00007FFEDD2214FE | FF50 68 | call qword ptr ds:[rax+68] |
00007FFEDD221501 | 44:8BC8 | mov r9d,eax |
我们搜索rcx,找到了:[Asm] 纯文本查看 复制代码 00007FFEDD2214D9 | 48:8B8B D0650000 | mov rcx,qword ptr ds:[rbx+65D0] 即rcx= [rbx+65D0]向上寻找rbx,,找到了这么一句:[Asm] 纯文本查看 复制代码 00007FFEDD220E68 | 48:8BD9 | mov rbx,rcx rbx=rcx,所以还要继续向上找rcx,又到了代码头部,继续回溯,复制代码:[Asm] 纯文本查看 复制代码 00007FFEDD2C5350 | 48:895C24 18 | mov qword ptr ss:[rsp+18],rbx |
00007FFEDD2C5355 | 48:897424 20 | mov qword ptr ss:[rsp+20],rsi |
00007FFEDD2C535A | 57 | push rdi |
00007FFEDD2C535B | 48:83EC 70 | sub rsp,70 |
00007FFEDD2C535F | 48:8BF9 | mov rdi,rcx |
00007FFEDD2C5362 | 48:8B0D 974A2D00 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD2C5369 | 0F297424 60 | movaps xmmword ptr ss:[rsp+60],xmm6 |
00007FFEDD2C536E | 48:81C1 18AB0100 | add rcx,1AB18 |
00007FFEDD2C5375 | 0F297C24 50 | movaps xmmword ptr ss:[rsp+50],xmm7 |
00007FFEDD2C537A | 41:8BF1 | mov esi,r9d |
00007FFEDD2C537D | 0F28F2 | movaps xmm6,xmm2 |
00007FFEDD2C5380 | 0F28F9 | movaps xmm7,xmm1 |
00007FFEDD2C5383 | E8 E5D5DDFF | call jx3representx64.7FFEDD0A296D |
00007FFEDD2C5388 | 48:8D8F F80C0000 | lea rcx,qword ptr ds:[rdi+CF8] |
00007FFEDD2C538F | 0F28CF | movaps xmm1,xmm7 |
00007FFEDD2C5392 | E8 9648DDFF | call jx3representx64.7FFEDD099C2D |
00007FFEDD2C5397 | 48:8D8F F80C0000 | lea rcx,qword ptr ds:[rdi+CF8] |
00007FFEDD2C539E | E8 DDD0DEFF | call jx3representx64.7FFEDD0B2480 |
00007FFEDD2C53A3 | 85C0 | test eax,eax |
00007FFEDD2C53A5 | 0F85 97040000 | jne jx3representx64.7FFEDD2C5842 |
00007FFEDD2C53AB | 8B87 24120000 | mov eax,dword ptr ds:[rdi+1224] |
00007FFEDD2C53B1 | 85C0 | test eax,eax |
00007FFEDD2C53B3 | 74 44 | je jx3representx64.7FFEDD2C53F9 |
00007FFEDD2C53B5 | 83BF 2C120000 00 | cmp dword ptr ds:[rdi+122C],0 |
00007FFEDD2C53BC | 0F85 80040000 | jne jx3representx64.7FFEDD2C5842 |
00007FFEDD2C53C2 | 85C0 | test eax,eax |
00007FFEDD2C53C4 | 74 33 | je jx3representx64.7FFEDD2C53F9 |
00007FFEDD2C53C6 | 83BF 2C120000 00 | cmp dword ptr ds:[rdi+122C],0 |
00007FFEDD2C53CD | 75 2A | jne jx3representx64.7FFEDD2C53F9 |
00007FFEDD2C53CF | 48:8B0F | mov rcx,qword ptr ds:[rdi] |
00007FFEDD2C53D2 | 48:85C9 | test rcx,rcx |
00007FFEDD2C53D5 | 0F84 67040000 | je jx3representx64.7FFEDD2C5842 |
00007FFEDD2C53DB | 8B8424 A0000000 | mov eax,dword ptr ss:[rsp+A0] |
00007FFEDD2C53E2 | 0F28D6 | movaps xmm2,xmm6 |
00007FFEDD2C53E5 | 0F28CF | movaps xmm1,xmm7 |
00007FFEDD2C53E8 | 44:8BCE | mov r9d,esi |
00007FFEDD2C53EB | 894424 20 | mov dword ptr ss:[rsp+20],eax |
00007FFEDD2C53EF | E8 2119DEFF | call jx3representx64.7FFEDD0A6D15 |
00007FFEDD2C53F4 | E9 49040000 | jmp jx3representx64.7FFEDD2C5842 |
00007FFEDD2C53F9 | 48:8B0F | mov rcx,qword ptr ds:[rdi] |
00007FFEDD2C53FC | 8B9C24 A0000000 | mov ebx,dword ptr ss:[rsp+A0] |
00007FFEDD2C5403 | 48:89AC24 88000000 | mov qword ptr ss:[rsp+88],rbp |
00007FFEDD2C540B | 48:85C9 | test rcx,rcx |
00007FFEDD2C540E | 74 2B | je jx3representx64.7FFEDD2C543B |
00007FFEDD2C5410 | 48:83C1 48 | add rcx,48 |
00007FFEDD2C5414 | E8 CEFBDDFF | call jx3representx64.7FFEDD0A4FE7 |
00007FFEDD2C5419 | 85C0 | test eax,eax |
00007FFEDD2C541B | 0F85 C3000000 | jne jx3representx64.7FFEDD2C54E4 |
00007FFEDD2C5421 | 48:8B0F | mov rcx,qword ptr ds:[rdi] |
00007FFEDD2C5424 | 48:85C9 | test rcx,rcx |
00007FFEDD2C5427 | 74 12 | je jx3representx64.7FFEDD2C543B |
00007FFEDD2C5429 | 0F28D6 | movaps xmm2,xmm6 |
00007FFEDD2C542C | 0F28CF | movaps xmm1,xmm7 |
00007FFEDD2C542F | 44:8BCE | mov r9d,esi |
00007FFEDD2C5432 | 895C24 20 | mov dword ptr ss:[rsp+20],ebx |
00007FFEDD2C5436 | E8 DA18DEFF | call jx3representx64.7FFEDD0A6D15 |
00007FFEDD2C543B | 48:8DAF C0060000 | lea rbp,qword ptr ds:[rdi+6C0] |
搜索rcx:[Asm] 纯文本查看 复制代码 00007FFEDD2C5421 | 48:8B0F | mov rcx,qword ptr ds:[rdi] 得到rcx=[rdi]的,向上找rdi:[Asm] 纯文本查看 复制代码 00007FFEDD2C535F | 48:8BF9 | mov rdi,rcx 发现rdi来自于rcx,继续向上找rcx,回溯复制:[Asm] 纯文本查看 复制代码 00007FFEDD2CA600 | 48:895C24 08 | mov qword ptr ss:[rsp+8],rbx |
00007FFEDD2CA605 | 48:896C24 10 | mov qword ptr ss:[rsp+10],rbp |
00007FFEDD2CA60A | 48:897424 18 | mov qword ptr ss:[rsp+18],rsi |
00007FFEDD2CA60F | 57 | push rdi |
00007FFEDD2CA610 | 48:83EC 50 | sub rsp,50 |
00007FFEDD2CA614 | 48:8B59 10 | mov rbx,qword ptr ds:[rcx+10] |
00007FFEDD2CA618 | 48:8B79 18 | mov rdi,qword ptr ds:[rcx+18] |
00007FFEDD2CA61C | 0F297424 40 | movaps xmmword ptr ss:[rsp+40],xmm6 |
00007FFEDD2CA621 | 0F297C24 30 | movaps xmmword ptr ss:[rsp+30],xmm7 |
00007FFEDD2CA626 | 41:8BE9 | mov ebp,r9d |
00007FFEDD2CA629 | 0F28F2 | movaps xmm6,xmm2 |
00007FFEDD2CA62C | 0F28F9 | movaps xmm7,xmm1 |
00007FFEDD2CA62F | 48:3BDF | cmp rbx,rdi |
00007FFEDD2CA632 | 74 33 | je jx3representx64.7FFEDD2CA667 |
00007FFEDD2CA634 | 8BB424 80000000 | mov esi,dword ptr ss:[rsp+80] |
00007FFEDD2CA63B | 0F1F4400 00 | nop dword ptr ds:[rax+rax],eax |
00007FFEDD2CA640 | 48:8B0B | mov rcx,qword ptr ds:[rbx] |
00007FFEDD2CA643 | 48:85C9 | test rcx,rcx |
00007FFEDD2CA646 | 74 77 | je jx3representx64.7FFEDD2CA6BF |
00007FFEDD2CA648 | 0F28D6 | movaps xmm2,xmm6 |
00007FFEDD2CA64B | 0F28CF | movaps xmm1,xmm7 |
00007FFEDD2CA64E | 44:8BCD | mov r9d,ebp |
00007FFEDD2CA651 | 897424 20 | mov dword ptr ss:[rsp+20],esi |
00007FFEDD2CA655 | E8 898FDDFF | call jx3representx64.7FFEDD0A35E3 |
00007FFEDD2CA65A | 85C0 | test eax,eax |
查找rcx,找到:[Asm] 纯文本查看 复制代码 00007FFEDD2CA640 | 48:8B0B | mov rcx,qword ptr ds:[rbx] 即rcx = [rbx]的,向上查找rbx:[Asm] 纯文本查看 复制代码 00007FFEDD2CA614 | 48:8B59 10 | mov rbx,qword ptr ds:[rcx+10] 即rbx = [rcx+10],向上找rcx,又到头了,继续回溯:
[Asm] 纯文本查看 复制代码 00007FFEDD2E9A30 | 40:57 | push rdi |
00007FFEDD2E9A32 | 48:83EC 50 | sub rsp,50 |
00007FFEDD2E9A36 | 48:C74424 30 FEFFFFFF | mov qword ptr ss:[rsp+30],FFFFFFFFFFFFFF |
00007FFEDD2E9A3F | 48:895C24 60 | mov qword ptr ss:[rsp+60],rbx |
00007FFEDD2E9A44 | 48:897424 68 | mov qword ptr ss:[rsp+68],rsi |
00007FFEDD2E9A49 | 0F297424 40 | movaps xmmword ptr ss:[rsp+40],xmm6 |
00007FFEDD2E9A4E | 48:8BD9 | mov rbx,rcx |
00007FFEDD2E9A51 | 48:8D0D 78131F00 | lea rcx,qword ptr ds:[7FFEDD4DADD0] | 00007FFEDD4DADD0:"GameHandler::Activate"
00007FFEDD2E9A58 | E8 553ADCFF | call jx3representx64.7FFEDD0AD4B2 |
00007FFEDD2E9A5D | 33F6 | xor esi,esi |
00007FFEDD2E9A5F | 48:8B05 9A032B00 | mov rax,qword ptr ds:[7FFEDD599E00] |
00007FFEDD2E9A66 | 48:39B0 C8000000 | cmp qword ptr ds:[rax+C8],rsi |
00007FFEDD2E9A6D | 75 3E | jne jx3representx64.7FFEDD2E9AAD |
00007FFEDD2E9A6F | 48:8D0D 7A131F00 | lea rcx,qword ptr ds:[7FFEDD4DADF0] | 00007FFEDD4DADF0:"KGameWorldHandler::Activate"
00007FFEDD2E9A76 | 48:894C24 28 | mov qword ptr ss:[rsp+28],rcx |
00007FFEDD2E9A7B | C74424 20 E5000000 | mov dword ptr ss:[rsp+20],E5 |
00007FFEDD2E9A83 | 4C:8D0D 7EBD1C00 | lea r9,qword ptr ds:[7FFEDD4B5808] | 00007FFEDD4B5808:"g_pRL->m_pSO3World"
00007FFEDD2E9A8A | 4C:8D05 FF621C00 | lea r8,qword ptr ds:[7FFEDD4AFD90] | 00007FFEDD4AFD90:"KGLOG_PROCESS_ERROR(%s) at line %d in %s\n"
00007FFEDD2E9A91 | BA 07000000 | mov edx,7 |
00007FFEDD2E9A96 | 48:8D0D 6365DAFF | lea rcx,qword ptr ds:[7FFEDD090000] |
00007FFEDD2E9A9D | FF15 45C62F00 | call qword ptr ds:[<&?KGLogPrintf_KGSL@@ |
00007FFEDD2E9AA3 | B8 05400080 | mov eax,80004005 |
00007FFEDD2E9AA8 | E9 29030000 | jmp jx3representx64.7FFEDD2E9DD6 |
00007FFEDD2E9AAD | E8 64AFDAFF | call jx3representx64.7FFEDD094A16 |
00007FFEDD2E9AB2 | 48:8BC8 | mov rcx,rax |
00007FFEDD2E9AB5 | E8 3981DBFF | call jx3representx64.7FFEDD0A1BF3 |
00007FFEDD2E9ABA | 8BF8 | mov edi,eax |
00007FFEDD2E9ABC | 3B43 28 | cmp eax,dword ptr ds:[rbx+28] |
00007FFEDD2E9ABF | 74 15 | je jx3representx64.7FFEDD2E9AD6 |
00007FFEDD2E9AC1 | 48:8B0D 60072B00 | mov rcx,qword ptr ds:[7FFEDD59A228] |
00007FFEDD2E9AC8 | 48:85C9 | test rcx,rcx |
00007FFEDD2E9ACB | 74 06 | je jx3representx64.7FFEDD2E9AD3 |
00007FFEDD2E9ACD | FF15 E5C72F00 | call qword ptr ds:[<&SetEvent>] |
00007FFEDD2E9AD3 | 897B 28 | mov dword ptr ds:[rbx+28],edi |
00007FFEDD2E9AD6 | 48:8D0D 3B131F00 | lea rcx,qword ptr ds:[7FFEDD4DAE18] | 00007FFEDD4DAE18:"UpdatePerformFrame"
00007FFEDD2E9ADD | E8 E844DCFF | call jx3representx64.7FFEDD0ADFCA |
00007FFEDD2E9AE2 | E8 F704DBFF | call jx3representx64.7FFEDD099FDE |
00007FFEDD2E9AE7 | 0F28F0 | movaps xmm6,xmm0 |
00007FFEDD2E9AEA | 48:8B0D 0F032B00 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD2E9AF1 | 3979 44 | cmp dword ptr ds:[rcx+44],edi |
00007FFEDD2E9AF4 | 74 1C | je jx3representx64.7FFEDD2E9B12 |
00007FFEDD2E9AF6 | 48:8B41 58 | mov rax,qword ptr ds:[rcx+58] |
00007FFEDD2E9AFA | 48:8941 60 | mov qword ptr ds:[rcx+60],rax |
00007FFEDD2E9AFE | F2:0F1141 58 | movsd qword ptr ds:[rcx+58],xmm0 |
00007FFEDD2E9B03 | 8979 44 | mov dword ptr ds:[rcx+44],edi |
00007FFEDD2E9B06 | BE 01000000 | mov esi,1 |
00007FFEDD2E9B0B | 48:8B0D EE022B00 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD2E9B12 | 48:8B41 48 | mov rax,qword ptr ds:[rcx+48] |
00007FFEDD2E9B16 | 48:8941 50 | mov qword ptr ds:[rcx+50],rax |
00007FFEDD2E9B1A | F2:0F1141 48 | movsd qword ptr ds:[rcx+48],xmm0 |
00007FFEDD2E9B1F | 48:8B0D 9AFE2A00 | mov rcx,qword ptr ds:[7FFEDD5999C0] |
00007FFEDD2E9B26 | E8 D26BDCFF | call jx3representx64.7FFEDD0B06FD |
00007FFEDD2E9B2B | 48:8D0D FE121F00 | lea rcx,qword ptr ds:[7FFEDD4DAE30] | 00007FFEDD4DAE30:"g_prlRecord->FrameMove()"
00007FFEDD2E9B32 | E8 9344DCFF | call jx3representx64.7FFEDD0ADFCA |
00007FFEDD2E9B37 | 833D 2EB82B00 00 | cmp dword ptr ds:[7FFEDD5A536C],0 |
00007FFEDD2E9B3E | 74 0F | je jx3representx64.7FFEDD2E9B4F |
00007FFEDD2E9B40 | 0F28CE | movaps xmm1,xmm6 |
00007FFEDD2E9B43 | 48:8D0D DEE72A00 | lea rcx,qword ptr ds:[7FFEDD598328] |
00007FFEDD2E9B4A | E8 EC88DBFF | call jx3representx64.7FFEDD0A243B |
00007FFEDD2E9B4F | 48:8D0D FA121F00 | lea rcx,qword ptr ds:[7FFEDD4DAE50] | 00007FFEDD4DAE50:"g_performanceMgr.Activate"
00007FFEDD2E9B56 | E8 6F44DCFF | call jx3representx64.7FFEDD0ADFCA |
00007FFEDD2E9B5B | 48:8B0D 9E022B00 | mov rcx,qword ptr ds:[7FFEDD599E00] |
00007FFEDD2E9B62 | 48:81C1 00AC0100 | add rcx,1AC00 |
00007FFEDD2E9B69 | E8 00D8DBFF | call jx3representx64.7FFEDD0A736E |
00007FFEDD2E9B6E | 48:8D0D FB121F00 | lea rcx,qword ptr ds:[7FFEDD4DAE70] | 00007FFEDD4DAE70:"m_ActorMgr.FrameMove"
00007FFEDD2E9B75 | E8 5044DCFF | call jx3representx64.7FFEDD0ADFCA |
00007FFEDD2E9B7A | 48:8B05 7F022B00 | mov rax,qword ptr ds:[7FFEDD599E00] |
00007FFEDD2E9B81 | 48:8D88 28AA0100 | lea rcx,qword ptr ds:[rax+1AA28] |
00007FFEDD2E9B88 | 897424 20 | mov dword ptr ss:[rsp+20],esi |
00007FFEDD2E9B8C | 44:8BCF | mov r9d,edi |
00007FFEDD2E9B8F | F2:0F1050 50 | movsd xmm2,qword ptr ds:[rax+50] |
00007FFEDD2E9B94 | F2:0F1048 48 | movsd xmm1,qword ptr ds:[rax+48] |
00007FFEDD2E9B99 | E8 ADC4DAFF | call jx3representx64.7FFEDD09604B |
00007FFEDD2E9B9E | 48:8D0D EB121F00 | lea rcx,qword ptr ds:[7FFEDD4DAE90] | 00007FFEDD4DAE90:"m_SceneMgr.Activate"
查找rcx:[Asm] 纯文本查看 复制代码 00007FFEDD2E9B81 | 48:8D88 28AA0100 | lea rcx,qword ptr ds:[rax+1AA28] 即 rcx = rax+1aa28,向上查找rax的值,就在这一条的上方,我们找到了:[Asm] 纯文本查看 复制代码 00007FFEDD2E9B7A | 48:8B05 7F022B00 | mov rax,qword ptr ds:[7FFEDD599E00] 众里寻他千百度,看到这一句了吗,由这一句我们可以得知,rax=[7FFEDD599E00],这里我们得到了一个常量,也就是我们要找的基址了,当然这个基址我们现在还并不能使用,还记得一开始我们说过的吗,我们所有的指令都是在jx3representx64.dll这个模块当中的,所以这个常数(7FFEDD599E00)其实是相对于常数他所在模块的一个偏移而已,也就是我们真正的基址是模块的基址,现在我们用这个常数,减去模块的基址,就可以得到第一个便宜量了。第一级偏移=常数(7FFEDD599E00)- jx3representx64模块基址(7FFEDD090000)=509E00我们把这个值和我们特意找出来的所有代码放到一起去,得到了下面这些代码:
[Asm] 纯文本查看 复制代码 7FFEDD30A47D - 89 87 34040000 - mov [rdi+00000434],eax
00007FFEDD30A01A | 48:8BF9 | mov rdi,rcx
00007FFEDD27B873 | 48:8BCF | mov rcx,rdi
00007FFEDD27B863 | 49:8DBF D0320000 | lea rdi,qword ptr ds:[r15+32D0]
00007FFEDD27B5C7 | 4C:8BF9 | mov r15,rcx
00007FFEDD22F5A8 | 48:8D4F 08 | lea rcx,qword ptr ds:[rdi+8]
00007FFEDD22F1F5 | 48:8BF9 | mov rdi,rcx
00007FFEDD2214D9 | 48:8B8B D0650000 | mov rcx,qword ptr ds:[rbx+65D0]
00007FFEDD220E68 | 48:8BD9 | mov rbx,rcx
00007FFEDD2C5421 | 48:8B0F | mov rcx,qword ptr ds:[rdi]
00007FFEDD2CA640 | 48:8B0B | mov rcx,qword ptr ds:[rbx]
00007FFEDD2CA614 | 48:8B59 10 | mov rbx,qword ptr ds:[rcx+10]
00007FFEDD2E9B81 | 48:8D88 28AA0100 | lea rcx,qword ptr ds:[rax+1AA28]
00007FFEDD2E9B7A | 48:8B05 7F022B00 | mov rax,qword ptr ds:[7FFEDD599E00]
509E00
我们从最下面开始,就可以一句一句向上计算我们x坐标的存放地址了:
[Asm] 纯文本查看 复制代码 00007FFEDD2E9B7A | 48:8B05 7F022B00 | mov rax,qword ptr ds:[7FFEDD599E00]
addr=[jx3representx64+509E00]
00007FFEDD2E9B81 | 48:8D88 28AA0100 | lea rcx,qword ptr ds:[rax+1AA28]
00007FFEDD2CA614 | 48:8B59 10 | mov rbx,qword ptr ds:[rcx+10]
addr =[addr+1AA28+10]
00007FFEDD2CA640 | 48:8B0B | mov rcx,qword ptr ds:[rbx]
addr = [addr]
00007FFEDD2C5421 | 48:8B0F | mov rcx,qword ptr ds:[rdi]
addr=[addr]
00007FFEDD220E68 | 48:8BD9 | mov rbx,rcx
00007FFEDD2214D9 | 48:8B8B D0650000 | mov rcx,qword ptr ds:[rbx+65D0]
addr=[addr+65D0]
00007FFEDD22F5A8 | 48:8D4F 08 | lea rcx,qword ptr ds:[rdi+8]
00007FFEDD27B5C7 | 4C:8BF9 | mov r15,rcx
00007FFEDD27B863 | 49:8DBF D0320000 | lea rdi,qword ptr ds:[r15+32D0]
7FFEDD30A47D - 89 87 34040000 - mov [rdi+00000434],eax
addr= addr+32D0+00000434+8
这样我们最终得到的addr其实就是我们存放x坐标的值得内存地址了
python代码
-------------------------------------------------------------------------------
这样我们最终得到的addr其实就是我们存放x坐标的值得内存地址了,下面可以开始验证了。还记得我在鬼泣五中定义的ReadVirtualMemory64函数么, 我们将要再次用到他,不过同时我们还需要一个新的读取内存的函数,因为在ReadVirtualMemory64中,我们只能够读取数值而无法读取字符串。而在前面寻寻址的过程中我们已经明白我们不光需要知道程序自身的基址了,同事还需要获取到程序的某个模块的基址,因为我们所寻找数据时放在这些模块中的,而并非存放在程序的exe模块中。所以我们需要定义一个能够遍历程序中的模块,并获取到模块的名称与基址的函数。这样我们才能够通过模块的名称去找到模块的基址,即jx3representx64模块的基址。同时在这里,我会将所有的函数放在一起,封装成类,因为这才是我们实际使用时更好的方法。其他的废话我写在源码的注释里了,下面附上源码:[Python] 纯文本查看 复制代码 from win32gui import FindWindow #获取窗口句柄
from win32api import OpenProcess, CloseHandle #创建进程句柄与关闭进程句柄
from win32con import PROCESS_VM_READ, PROCESS_VM_WRITE,PROCESS_QUERY_INFORMATION #win32con里面放的是一些pywin32中的常量,我们导入我们需要的进程权限
from win32process import GetWindowThreadProcessId #通过窗口句柄获取进程ID
from ctypes import WinDLL, c_ulonglong, byref,c_wchar_p,c_ulong,Structure
"""
WinDLL这个函数是导入系统的动态链接库,因为pywin32中并没有直接可以对内存进行读取和写入操作的函数,对于32位的程序,我们可以用kernel32.dll中的readmemor这些,
但是到了64位程序我们发现没有用了,这也是主要难点,所以需要通过ntdll.dll中的某些未公开的api来达到小青龙们不可告人的秘密
64位地址的长度是8字节,python中调用api时默认的int只有4个字节,所以用ctypes中的c_ulonglong类型来存放我们的数据,避免精度的丢失
byref python本身是没有指针的概念的,所以我们需要通过这个参数来传递指针
c_wchar_p 创建一个wchar类型的指针变量
c_ulong 参考c_ulonglong
Structure 在python中进行结构体的定义的话,需要继承这个类
"""
class PROCESS_BASIC_INFORMATION(Structure):
"""
这里我们通过python定义一个C中的结构体,这个结构体是用来存放我们在下面的函数中获取的进程相关信息的
结构体中每个参数中存放的内容见如下备注
"""
_fields_ = [('ExitStatus',c_ulonglong),#接收进程终止状态
('PebBaseAddress', c_ulonglong),#接收进程环境块地址
('AffinityMask', c_ulonglong),#接收进程关联掩码
('BasePriority', c_ulonglong),#接收进程的优先级类
('UniqueProcessId', c_ulonglong),#接收进程ID
('InheritedFromUniqueProcessId', c_ulonglong)]#接收父进程ID
class Memory64():
"""定义一个类,方便我们的调用"""
def __init__(self, hwnd):#这里我们在类创建的时候,接受一个窗口句柄,然后通过窗口句柄让类自己去创建相应的进程
self.ntdll = WinDLL("ntdll.dll")
pid = GetWindowThreadProcessId(hwnd)
self.hProcess = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION | PROCESS_VM_WRITE, False, pid[1])
""" 这个函数有三个参数,第一个参数是你需要的权限,我不是很喜欢这种直接获取全部权限,因为有的时候权限太高并不是好事情
容易被检测GG,当然这里是单机无所谓可以随便来
第二个参数是是否继承,一般都是选False,第三个参数是线程的ID,python里一定要记得取第1位的值,也就是第二个值,因为python里
GetWindowThreadProcessId这个函数返回的值有两个"""
def CloseHandle(self):#一定要记得释放资源
CloseHandle(self.hProcess)#因为这里还要调用原始的hProcess类型去关闭进程句柄,所以我们没有一开始对self.hProcess直接转换成int
def __del__(self): # 这里在类被清除时,尝试释放资源,防止忘记释放资源而引起不必要的占用
try:
self.CloseHandle(self.hProcess)
except:
pass
def ReadVirtualMemory64(self,addr, n=8):
# 这里定义一个函数来读取,传入三个参数,第一个是进程句柄,第二个是我们要读取的地址,我们可以默认为8,可以偷懒,第三个是要读取的长度
addr = c_ulonglong(addr)
ret = c_ulonglong()
BufferLength = c_ulonglong(n)
self.ntdll.NtWow64ReadVirtualMemory64(int(self.hProcess), addr, byref(ret), BufferLength, 0)
"""
这个函数并不是一个公开的API,找了很多文献才研究出来怎么用python去调用它,他一共有五个参数
第一个参数是我们通过OpenProcess获取的进程句柄,在python中要记得把这个句柄转换成int类型,默认其实是个句柄类型,不
转换会出错,
第二个参数其实就是我们要读取的地址,我们辛苦找到的基址和便宜终于有了用武之地
第三个参数是一个指针,我们通过ctypes中的byref方法可以将一个指针传进去,函数会把读取到的参数放进这个指针指向的地方,
在这里也就是我们的ret中
第四个参数是我们需要读取的长度
第五个参数也是一个指针,存放实际读取的长度,需要的话可以传一个参数,这里我偷懒填的0
"""
return ret.value # c_ulonglong的类型中,他的数值是放在他的属性value中的,所以返回的时候我们只需要获取value中存放的数值就好了
def ReadProcessMemory64_Wchar(self, addr, n,length):#这个函数用以读取模块名称,与ReadVirtualMemory64不同的点还有一个是我们会传入一个缓冲区的长度length,用于定义一个c_wchar_p的缓冲区
addr = c_ulonglong(addr)
ret = c_wchar_p("0" * length)#这里选用wchar其实与编码有关,感兴趣的同学自行百度wchar,宽字符等关键字学习
BufferLength = c_ulonglong(n)
self.ntdll.NtWow64ReadVirtualMemory64(int(self.hProcess), addr, ret, BufferLength, 0)
return ret.value
def WriteVirtualMemory64(self,addr, s, n=8): # 这个函数与读取的其实是一样的,区别只是一个是读一个写,不作介绍了,参考读取的函数,s参数是我们要写入的数据
addr = c_ulonglong(addr)
ret = c_ulonglong(s)
BufferLength = c_ulonglong(n)
self.ntdll.NtWow64WriteVirtualMemory64(int(self.hProcess), addr, byref(ret), BufferLength, 0)
def GetBaseAddr(self, ModuleName):#传入需要查找的模块的名称,就可以返回相应的模块基址了
NumberOfBytesRead = c_ulong()
Buffer = PROCESS_BASIC_INFORMATION()
Size = c_ulong(48)
name_len = len(ModuleName)
self.ntdll.NtWow64QueryInformationProcess64(int(self.hProcess), 0, byref(Buffer), Size,
byref(NumberOfBytesRead))
"""
这同样是一个未公开的api,可以通过他获取进程的信息,然后存入我们一开始定义的结构体中,他的五个参数分别是:
进程句柄,信息类型,缓冲指针,以字节为单位的缓冲大小, 写入缓冲的字节数
而至于下面为什么要这么写,其实涉及到了程序的PE结构,这里不做赘述,因为这个东西不是一会会说的清楚的,可以自行百度
"""
ret = self.ReadVirtualMemory64(Buffer.PebBaseAddress + 24, 8)
ret = self.ReadVirtualMemory64(ret + 24, 8)
for i in range(100000):#这里用for循环其实是怕程序卡死,下面如果出了问题不能退出的话,循环结束一样可以退出
modulehandle = self.ReadVirtualMemory64(ret + 48, 8)
if modulehandle == 0:
break
nameaddr = self.ReadVirtualMemory64(ret + 96, 8)
name = self.ReadProcessMemory64_Wchar(nameaddr, name_len * 2 + 1, name_len)
if name == ModuleName:
return modulehandle
ret = self.ReadVirtualMemory64(ret + 8, 8)
if __name__ == '__main__':
hwnd = FindWindow("KGWin32App", None) # 获取窗口句柄
m = Memory64(hwnd)#我们创建一个内存的操作类
ModuleBaseAddr = m.GetBaseAddr("JX3RepresentX64.dll")
print("ModuleBaseAddr",ModuleBaseAddr)
"""
然后通过调用我们定义的GetBaseAddr的方法来获取模块的基址,这里需要注意,我们要区分大小写
也可以在修改GetBaseAddr方法,在进行比名称的对比之前,对他们进行强行转码,全部转成大写或者小写,从而忽略大小写的问题
获取到模块基址过后,我们就可以通过我们刚刚找到的基址与偏离开始对游戏的数据进行读取了
"""
addr = m.ReadVirtualMemory64(ModuleBaseAddr+0x509E00) #addr = [jx3representx64 + 0x509E00]
addr = m.ReadVirtualMemory64(addr + 0x1AA28 + 0x10)#addr = [addr + 0x1AA28 + 0x10]
addr = m.ReadVirtualMemory64(addr)#addr = [addr]
addr = m.ReadVirtualMemory64(addr) # addr = [addr]
addr = m.ReadVirtualMemory64(addr+0x65D0) #addr = [addr+0x65D0]
addr = addr + 0x32D0 + 0x00000434 +0x8 #这个时候我们的addr其实已经是存放x坐标的地址了,我们可以在下面进行测试
ret = m.ReadVirtualMemory64(addr,4)#这里记得只读取四个字节,多了的话读取到的数据肯定就是错误的了
print("x坐标",ret)
我们先让任务进行移动,改变x坐标的值,然后运行程序,查看结果,程序正确的返回了模块的基址与x坐标的值:
(这里我忘记转换了,所以输出模块基址与我们前面找到的7FFEDD090000并不相等,但其实他们是相同的,只是python默认输出的是十进制,而我们找到的是十六进制地址,我们将十六进制地址转换为十进制可以得到140732606775296,也就是程序运行后输出的结果)
|