Email is often used for remote transactions, which saves transaction time and reduces data requirements. The analysis of mail traversal is generally based on the name of the mail and the number of mails. However, the email name of some games is not stored in the email object, or the local display of the email will not be changed in the object, and there is no storage address for the specific number of emails, such as "Tianya Mingyue Knife", so we can use the currently selected The mail is a breakthrough, to check whether there is any mail-related traversal information around.
First, we scan the information related to the currently selected email through CE, such as the email object, email ID, and so on. If you have no way to start with an unknown initial value, you can consider sending out the ID of the observation email in plain text. After scanning, two results are obtained (as shown in the figure).
Observe the memory around the first address in OD, and find that there are three addresses at the -24 offset that look like an array. By repeatedly opening the mail, it can be confirmed that this is the mail array (as shown in the figure)
Access the breakpoint at the selected mail ID, and find that it can only break to the VM code segment (as shown in the figure),
so we access the breakpoint at the above array. After the game is disconnected, we find that there is no VM here, and we can get + 30 offset (as shown in the figure) and
the base address can be obtained after the execution returns (as shown in the figure).
Next, observe and analyze the attributes in the mail array, and get the following formula
[429D3B4]+30 Array start address
[429D3B4]+34 Array end address
[[[429D3B4]+30]+n*4]+0 mail ID1
[[[429D3B4]+30]+n*4]+4 mail ID2
[[[429D3B4]+30]+n*4]+18 email name UTF-8