looking for a breakthrough
1. First look for a breakthrough, around a word "change" to find
2. I also told the students in other courses before that we are looking for backpack items to traverse, nothing more than getting the item object first
3. However, to get the item object, you must first get the item attribute, and then reverse analysis to get the item object
4. Then the question comes, how to get the item attributes?
5. At this time, we need to find the data that we can easily search through CE, such as: the number of items
6. Because of the quantity, we are very good at controlling his quantity
CE looking for data
1. We search the quantity of medicine in the backpack
2. Observe that the number of medicines is currently 520. After our modification and precise search, there are still 3 results left
3. How to determine which of these 3 addresses is the real item quantity data?
4. The number of hesitation is small, we can modify them one by one, and then observe the changes in the number of game items, so as to know which is the real data
5. After modification, it is found that it is the third address
6. OK, then get the address, we use XDBG to attach the game, observe the data
looking for someone
1. Next, we need to find the object where the data exists, and write the next hardware breakpoint
2. We go to fight monsters to reduce the blood volume, so as to stop at the assembly code that has been written
3. After breaking down, observe that rax+18 is our quantity address, then rax should be the first address of the structure or the first address of the object
4. At this time rax is equal to this value 0000021FAC59D750
5. We observe this address and find that the value 0x1FC in the address of 0000021FAC59D750+18 is indeed the quantity of our items
find object source
1. Next, we continue to find the source of rax equal to 0000021FAC59D750, and analyze it upwards
2. It turns out that the rax source of this layer is the return value of a CALL
3. At this time, we break under this CALL, in order to confirm whether the returned object is our above object
4. As a result, it is found that the source is rsi in this CALL
5. Continue to find the source of rsi
6. It is found that rsi comes from rbp, and rbp comes from [rdx]. As a result, when we thought the source was rdx, we found that rdx is the stack address, that is, the source is the rdx parameter of this CALL, which is the second parameter
7. Good! At this time, we come to this CALL and see what is stored in the rdx parameter.
8. Observe that, indeed, when this CALL is called, objects are already stored in the rdx stack
9. Next, continue to find the source of the objects in the stack
10. When we looked up, we found that there was a very familiar assembly statement immediately after the above CALL
11.lea rdx, ss:[rsp+0x38]Experienced students will know the meaning of this assembly combined with calling the following CALL and taking rdx as the second parameter
12. In fact, it is to pass the address of a local variable, and then write the required value into the address pointed to by rdx inside CALL
13. Now we verify, we break
14. Hey! We actually found out how the objects we need exist in this stack? In fact, there are, and it will be written only after this CALL, that is, this CALL is likely to be a CALL to obtain an object, and write the object to the rdx stack address, indicating that our guess should be correct, and finally The source of objects in the stack is this CALL
15. Analyze the parameters and find that these two objects are stored in the rdx stack address at this time, and at the same time we found that r8 is similar to an ID
16. After this CALL, rdx is written into two objects from the original no object, and the first object is just the item object we need to find
17. Next, continue to find the two objects written to the stack address when
18. Now it’s easy to handle. Let’s set a breakpoint on this CALL, and then go to the rdx stack address to observe that there is no object we need at this time. At this time, press F7 to enter CALL, and then press F8 to gradually analyze what When writing the value in this rdx stack address
19. When we analyze slowly, we observe a traversal here, and it is still an array of structures, and the size of each structure is 0x60
20. Found a structure array. Students who have understood the concept of arrays know that we only need to find the first address, which is the address of rcx
21. Find the source of the first address of r11 r15, and then find the source rcx in the function header, which is the first parameter of this CALL
22. Let's see what the rcx parameter object stores in memory. Actually, our structure array is in this object
Analyze the object where the structure array is located
1. We found that there is indeed an array of structures
2. Let's observe this structure array, and at the same time we have analyzed above that the size of each structure in this structure array is 0x60
3. At the same time, we found that there is a structure array in each structure of size 0x60
4. Let's go into the analysis and find out that in this structure array, each size is 0x18, and the 2 objects of each structure +8 +10 are the 2 values we wrote in the above rdx stack address
5. That's it, at this point we have found the location of the traversal
6. But! Careful students found that there are 32 of our items, this structure array is only 0xE
7. Yes, this is indeed the case. In fact, as we can see above, there is a 0x60 structure in the rcx object, and there is an item structure 0x18 array in each 0x60 structure +8 +10
8. Then add up the number of 0x18 size structures of all 0x60 structure items, which should be the total number of our items
9. Let's see that the first three 0x60 structures have a total of 32 0x18 size structures, which is right
10. Here again, why are there three 0x60 structures?
11. In fact, students who have observed this game will understand! Let's take a look at this backpack interface, he has 3 types of buttons, and then count the number of items, you will understand! ! !
12. Well, here we have found the whole traversal, it is still relatively simple, but it takes a while to analyze inside this CALL, but experienced students don’t need to analyze the assembly at all, just need to observe this structure array we You can analyze it by looking through the memory!
13. Here we have analyzed the traversal, and know that the traversal is in the rcx object, so where does the rcx object exist??? At this time, we need to analyze and find the source. This step is relatively simple!
Find rcx source
1. Discover rcx source [rcx+38]
2. At this time, rcx is an object, because we saw the first address of the virtual function table at +0
3. Continue to analyze and find the source, find the source rsi, and see the return value of a CALL from the source above.
4. Enter CALL, analyze
5. Easily find the offset expression: [[[0x00007FF798D8E448]+30]+28] is an object array, and the rcx object we need is at the index of this object array at 0x4
6. Where is the source of this 4? In fact, it is the 0xC passed in by the parameter of this CALL, and then it is calculated as 4 inside the CALL. In fact, we can write it to death, because when calling this CALL, the assembly is also written to death.
7. Well, this is the end of our entire backpack item traversal data analysis
8. I typed so many words, I hope everyone likes it, and thank you for supporting Di University College 285530835
9. Like and bookmark a lot