Find item object
1. To traverse, we first need to find an item object.
2. The quantity is the easiest way in: by discarding the item we can quickly find the quantity address of Jin Chuang Yao = 0x2D3AE5D8.
3. Use CE to find what accesses this address; the item object shows up in ECX, ECX=0x2D3AE5A0.
4. With the object found, use CE to search for which addresses store the object value 0x2D3AE5A0.
5. There are only a few hits. Checking what accesses each of them, only 2D24C348 and 2CF54D30 have code accessing them. Next, put these two addresses into XDBG and set a hardware access breakpoint, starting with 0x2D24C348.
6. To tell whether this is a traversal, just keep pressing F9 here and see whether EAX changes each time and whether each EAX value is another item object.
7. Here EAX=2D3AEC20. Put it in the memory window and check whether it has the same object layout as Jin Chuang Yao, i.e. whether the +38 offset is again the item quantity address.
8. If that checks out, we only need to find where EDI comes from.
9. EDI comes from [EBX+4A4] and is then compared with [EBX+4A8], so we have reason to suspect these are the start and end of the array. Put it in the memory window and check [2CF54D10+4A4].
10. That confirms the traversal. Now we only need to find the source of EBX. EBX comes from ECX one layer up; as shown in the figure, it is the object array structure.
11. Return after the break.
12. Step back through the call above and find where it comes from.
13. Continue to find the source of ESI.
14. ECX comes from the layer above, and the base address can be found here.
15. Now let's summarize the entire traversal formula:
[[[[[12D8630]+4]+C]+24]+4A4] = first address of the item array
[[[[[12D8630]+4]+C]+24]+4A8] = end address of the item array
Can another address be found and traversed?
1. Address 0x2CF54D30: set a hardware access breakpoint on it as well.
2. Keep pressing F9 at the lower break location; ESI is also an item object, but EBX increases by 4 each time.
3. Below it there is a loop jumping back up.
4. Why is it comparing with A5? Do we only have this one item? Keep pressing F9 and find that the following objects are 0 and it keeps breaking.
5. We have reason to suspect this is a traversal of all objects, because the previous address gave a plain item traversal, which could not cover equipment, items, mysteries, souls, spirit beasts, or even the equipment and souls worn on the body. Suspected maximum capacity 0xA5.
6. Next we look for the source of EBX and find ECX=2CF54D10. We use the offsets found for the previous address directly to see whether this data is there, or whether the character attribute offsets found last time are.
7. The character does not have it.
8. In the end the offset turned out to be similar to the previous traversal, so there is no need to keep searching; just use:
9. [[[[12D8630]+4]+C]+24]+1C = array first address
10. [[[[12D8630]+4]+C]+24]+10 = array size
11. With exactly 17 items in the backpack, the object after them is 0.
12. Use the code written for the first address to traverse and test it: no problem!
13. Okay, this backpack traversal is quite simple.
14. Thank you for supporting Di Da 285530835.
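As an added example (not code from the original post), here are both traversal formulas from the two lists above resolved against a constructed 32-bit memory image in Python: the addresses are the ones named on the page, while the pointer-chain contents, quantities and array size are made up. It assumes the +1C array is stored inline in the container object (the 2CF54D30 breakpoint being its second slot) and that a 0 entry marks an empty slot.

```python
# Constructed 32-bit memory image: a sparse map of dword address -> dword value.
# Addresses named in the write-up are reused; every stored value is made up.
CONTAINER = 0x2CF54D10                         # ECX/EBX object holding both arrays
JCY_OBJ, OTHER_OBJ = 0x2D3AE5A0, 0x2D3AEC20    # item objects seen in ECX / EAX
MEM = {
    0x12D8630: 0x0A000000,            # static base -> first pointer (constructed)
    0x0A000004: 0x0B000000,           # [..]+4
    0x0B00000C: 0x0C000000,           # [..]+C
    0x0C000024: CONTAINER,            # [..]+24 -> container object
    CONTAINER + 0x4A4: 0x2D00A000,    # item pointer array: first address
    CONTAINER + 0x4A8: 0x2D00A008,    # item pointer array: end address (2 entries)
    0x2D00A000: JCY_OBJ, 0x2D00A004: OTHER_OBJ,
    CONTAINER + 0x10: 3,              # all-objects array: size
    CONTAINER + 0x1C: JCY_OBJ,        # all-objects array assumed inline at +1C ...
    CONTAINER + 0x20: OTHER_OBJ,      # ... this slot is the 0x2CF54D30 broken on
    CONTAINER + 0x24: 0,              # empty slot behind the last object
    JCY_OBJ + 0x38: 5, OTHER_OBJ + 0x38: 12,   # +38 = quantity (constructed values)
}
ITEM_QUANTITY_OFF = 0x38
MAX_CAPACITY = 0xA5     # the suspected capacity the loop compares against

def read_dword(mem, addr):
    """Read a 32-bit value; unmapped or misaligned reads fail loudly instead of guessing."""
    if addr % 4 or addr not in mem:
        raise ValueError(f"unmapped or unaligned read at {addr:#010x}")
    return mem[addr]

def resolve_chain(mem, base, offsets):
    """Evaluate [[[base]+o1]+o2]...: dereference, then add each offset and dereference again."""
    ptr = read_dword(mem, base)
    for off in offsets:
        ptr = read_dword(mem, ptr + off)
    return ptr

def walk_item_array(mem):
    """First formula: pointer array bounded by [container+4A4] (start) and [container+4A8] (end)."""
    container = resolve_chain(mem, 0x12D8630, [0x4, 0xC, 0x24])
    start, end = read_dword(mem, container + 0x4A4), read_dword(mem, container + 0x4A8)
    if end < start or (end - start) % 4 or (end - start) // 4 > MAX_CAPACITY:
        raise ValueError("array bounds look corrupt; refusing to walk")
    objs = [read_dword(mem, a) for a in range(start, end, 4)]
    return [(obj, read_dword(mem, obj + ITEM_QUANTITY_OFF)) for obj in objs if obj]

def walk_all_objects(mem):
    """Second formula: array inline at container+1C, size at [container+10]; 0 = empty slot."""
    container = resolve_chain(mem, 0x12D8630, [0x4, 0xC, 0x24])
    size = min(read_dword(mem, container + 0x10), MAX_CAPACITY)
    return [read_dword(mem, container + 0x1C + 4 * i) for i in range(size)]

if __name__ == "__main__":
    print([(hex(o), q) for o, q in walk_item_array(MEM)])
    print([hex(o) for o in walk_all_objects(MEM)])
```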