前言
-------------------------------------------------
这篇教程旨在网游的基址查找和如何用python去查找64位进程的模块,获取模块基址,可以算是我上一个帖子的进阶版。在上一个教程中提过的东西在这篇教程中我会一笔带过以避免帖子太长,以是最好先看我上一篇帖子再来看这篇,以避免有不适!!以下贴出上一篇帖子的地址:
https://www.52pojie.cn/thread-913032-1-1.html
我会把我找到的程序的代码段都放上来,以是第一眼看起来这个帖子会很长,实在并不是,都是那些代码段太长了!!!!!实际操纵并不复杂的!!真的!!!
视频教程地址:
-------------------------------------------------
顺便附上个人录制的视频教程地址,看到下面太长不想看的同学可以去观看视频版,以下是视频地址:
https://www.bilibili.com/video/av47453086/?p=2
视频里有个地方说错了,我在视频的置顶评论中举行更正了,对不起我有罪,我下次不三点爬起来录视频了
说些碎碎念:
网游基址的存在也要比单机游戏复杂许多,鬼泣五中我们找了一层调用就找到了基址,这在网游中是非常非常少的。而网游找基址究竟有没有用,仁者见仁智者见智了口巴,我也只是分享个方法。 网游的基址会随着安全更新而变动,这个题目,嗯,我现在也不知道怎么解决,抛砖引玉的时刻到了,假如有大牛愿意教我的话先五体投地了!!!!
这一次我不说骚话了,真的!
然后,你们千万别去跟上个帖子一样对搜索效果举行修改啊!!会被封号的!!!
必要用到的软件
-------------------------------------------------------------------------------
CE
X64DBG
Notepad++(选修课)
*这里讨论的python是32位的,假如使用64位python的情况下实在可以直接通过kernel32.dll中的相干函数举行操纵的,这里重要是打破32程序与64位程序的壁垒,许多插件都是32位的,以是你懂的,使用64位python调用会产生一些莫名其妙的题目,慎用
查找基址阶段
-------------------------------------------------------------------------------
起首打开我们的游戏和CE这里CE必要更改一下设置,就是打开他的VEH模式,否则的话很轻易被检测出来,假如VEH模式这里是灰色的,不能选中的话,可以关闭CE,然后用管理员运行就可以修改了
游戏设置,打开茗伊插件里的我的位置,这样可以清楚的显示出你的坐标了,坐标的位置在我们一开始的小扳手上方。第一项代表的是当前地图,第二项代表的是X轴,第三项代表的是Y轴,第四项代表的是Z轴,也就是高度轴。
然后我们用CE搜索X坐标,别忘记用CE打开游戏进程!!!
效果非常多对不度,不要紧,我们让人物动一动,饭后走一走,活到九十九,x坐标改变事后再次搜索,一直到只剩下100个左右的时候,我们会发现,现在无论我们怎么搜索,这个值都不会变少了。不要紧,网游就是这个样子的,坑比力多,我们一个一个的逐步找就好了,挨个的找出是什么改写了这个地址。万不要直接像第一期那样,直接上手改!!!肯定要注意,因为这是个网游,你随便改他的客户端数据,假如被检测到了,你是大概会被当做外挂封号的,千万要记住啊!!!!
我们要找什么样的指令呢?在上一篇帖子里已经说过了:找出对一个内存单位举行修改的类型,而不是对寄存器举行修改的类型。我们一个一个找出是什么改写了这个地址事后,会发现实在许多都是这样的:7FFEF7B9C3B6 - 49 8B C8 - mov rcx,r8很显然这种对一个寄存器举行赋值的并不是我们要找的类型,因为这只是像我们上期说过的那样,这只是一个中间商而已,并不是巢穴,而我们是要捣毁巢穴的男子!!!必要耐烦,继续找,直到找到这样的:7FFEDD30A47D - 89 87 34040000 - mov [rdi+00000434],eax显然这就是我们要找的线索了!他将eax的值写入了rdi+00000434这个内存地址中。我们把这一句复制出来,存到notepa++中。然后关闭CE,打开x64dbg对游戏举行附加。这里千万记住,假如是在游戏刚刚登录成功事后大概是刚刚过图事后,千万等一会再附加,否则会被反调试检测到,附加完成事后游戏会暂停一下,不用管他,我们先隐藏调试器,否则过不了多久就会被检测到调试器然后游戏自毁,实在从这里可以推断出来这个游戏肯定是有一个时钟在检测你的调试的,如何隐藏调试器看下图,这里没有快捷键了,以是手速要快,动作要骚,避免刚好碰到检测游戏直接自毁了
隐藏好调试器事后,我们转到上面找到的指令所对应的汇编地址7FFEDD30A47D,转到事后我们向上找,找到函数的头部,也就是找到ret大概int,这里我们找到了一个ret,按住shift单击ret下面的指令,选中事后复制到notepad++中。这里我们先别急着做别的操纵,注意X64DBG的标题栏,我们会发现途中箭头所指的模块后面显示我们并不是在exe模块中,而是在jx3representx64.dll这个模块里,也就是说我们要找的这条指令实在是在jx3representx64.dll模块当中的,这个时候我们必要再去做一件事情,就是记录下模块的基址,为什么要这么操纵呢?因为你每次打开游戏大概登录游戏的时候,游戏会重新动态加载这些模块,这些模块的位置会发生改变,以是你必要记录下模块的基址,然后将指令的地址减去模块的基址,就可以得到这条指令在模块当中的偏移,这样假如不慎游戏崩溃大概掉线的话,我们就不必要重新去用CE找指令在哪里了,只用找到模块的基址,然后加上我们盘算得到的偏移而重新定位到指令,这与我们平时找基址的道理是一样的。如何获取jx3representx64.dll的基址呢,很简单,打开模块界面(ALT+E)然后找到jx3representx64.dll模块,右键-复制-基址,然后找个地方生存下来:
这里我复制到的效果是:jx3representx64.dll 7FFEDD090000现在我们盘算我们用ce找到的7FFEDD1FA47D - 89 87 34040000 - mov [rdi+00000434],eax这条指令的偏移值:偏移=指令当前地址(7FFEDD30A47D)-模块当前基址(7FFEDD090000)=27A47D
*这个值会随着游戏的更新而改变,以是大家去找的时候大概会与我盘算得到的值并不雷同,记住方法就可以了
然后我们重新回到我们刚才复制的代码当中去:[Asm] 纯文本查看 复制代码00007FFEDD30A1D0 | 0FB643 34 | movzx eax,byte ptr ds:[rbx+34] |00007FFEDD30A1D4 | 0F29B424 80000000 | movaps xmmword ptr ss:[rsp+80],xmm6 |00007FFEDD30A1DC | 0F297C24 70 | movaps xmmword ptr ss:[rsp+70],xmm7 |00007FFEDD30A1E1 | 24 FC | and al,FC |00007FFEDD30A1E3 | 3C 68 | cmp al,68 | 68:'h'00007FFEDD30A1E5 | 74 17 | je jx3representx64.7FFEDD30A1FE |00007FFEDD30A1E7 | 48:8D53 18 | lea rdx,qword ptr ds:[rbx+18] |00007FFEDD30A1EB | 48:8BCF | mov rcx,rdi |00007FFEDD30A1EE | E8 B67DD9FF | call jx3representx64.7FFEDD0A1FA9 |00007FFEDD30A1F3 | 85C0 | test eax,eax |00007FFEDD30A1F5 | 0F95C0 | setne al |00007FFEDD30A1F8 | 8887 14040000 | mov byte ptr ds:[rdi+414],al |00007FFEDD30A1FE | 48:8B0D FBFB2800 | mov rcx,qword ptr ds:[7FFEDD599E00] |00007FFEDD30A205 | 48:8D15 44441D00 | lea rdx,qword ptr ds:[7FFEDD4DE650] | 00007FFEDD4DE650:"nNpcAdjustSlipOffsetY"00007FFEDD30A20C | 48:81C1 38020000 | add rcx,238 |00007FFEDD30A213 | E8 425ED9FF | call jx3representx64.7FFEDD0A005A |00007FFEDD30A218 | 48:8B0D E1FB2800 | mov rcx,qword ptr ds:[7FFEDD599E00] |00007FFEDD30A21F | 48:8D15 4A441D00 | lea rdx,qword ptr ds:[7FFEDD4DE670] | 00007FFEDD4DE670:"nNpcAdjustOffsetY"00007FFEDD30A226 | 48:81C1 38020000 | add rcx,238 |00007FFEDD30A22D | 0F28F0 | movaps xmm6,xmm0 |00007FFEDD30A230 | E8 255ED9FF | call jx3representx64.7FFEDD0A005A |00007FFEDD30A235 | 48:8B0D C4FB2800 | mov rcx,qword ptr ds:[7FFEDD599E00] |00007FFEDD30A23C | 48:81C1 888F0100 | add rcx,18F88 |00007FFEDD30A243 | 0F28F8 | movaps xmm7,xmm0 |00007FFEDD30A246 | 48:8B01 | mov rax,qword ptr ds:[rcx] |00007FFEDD30A249 | FF90 B0070000 | call qword ptr ds:[rax+7B0] |00007FFEDD30A24F | F787 7C020000 0000004 | test dword ptr ds:[rdi+27C],40000000 |00007FFEDD30A259 | 75 74 | jne jx3representx64.7FFEDD30A2CF |00007FFEDD30A25B | 80BF 14040000 00 | cmp byte ptr ds:[rdi+414],0 |00007FFEDD30A262 | 74 10 | je jx3representx64.7FFEDD30A274 |00007FFEDD30A264 | 45:85F6 | test r14d,r14d |00007FFEDD30A267 | 74 0B | je jx3representx64.7FFEDD30A274 |00007FFEDD30A269 | 85C0 | test eax,eax |00007FFEDD30A26B | 74 07 | je jx3representx64.7FFEDD30A274 |00007FFEDD30A26D | B9 01000000 | mov ecx,1 |00007FFEDD30A272 | EB 02 | jmp jx3representx64.7FFEDD30A276 |00007FFEDD30A274 | 33C9 | xor ecx,ecx |00007FFEDD30A276 | 66:0F6E53 20 | movd xmm2,dword ptr ds:[rbx+20] |00007FFEDD30A27B | 66:0F6E63 1C | movd xmm4,dword ptr ds:[rbx+1C] |00007FFEDD30A280 | 0FB643 34 | movzx eax,byte ptr ds:[rbx+34] |00007FFEDD30A284 | F3:0F1005 D0F81A00 | movss xmm0,dword ptr ds:[7FFEDD4B9B5C] |00007FFEDD30A28C | F3:0F100D C0F81A00 | movss xmm1,dword ptr ds:[7FFEDD4B9B54] |00007FFEDD30A294 | 83E0 01 | and eax,1 |00007FFEDD30A297 | F3:0F114424 58 | movss dword ptr ss:[rsp+58],xmm0 |00007FFEDD30A29D | F3:0F114C24 50 | movss dword ptr ss:[rsp+50],xmm1 |00007FFEDD30A2A3 | 0F5BD2 | cvtdq2ps xmm2,xmm2 |00007FFEDD30A2A6 | C74424 48 00000000 | mov dword ptr ss:[rsp+48],0 |00007FFEDD30A2AE | C74424 40 01000000 | mov dword ptr ss:[rsp+40],1 |00007FFEDD30A2B6 | 894424 38 | mov dword ptr ss:[rsp+38],eax |00007FFEDD30A2BA | 894C24 30 | mov dword ptr ss:[rsp+30],ecx |00007FFEDD30A2BE | 0F5BE4 | cvtdq2ps xmm4,xmm4 |00007FFEDD30A2C1 | F3:0F115424 28 | movss dword ptr ss:[rsp+28],xmm2 |00007FFEDD30A2C7 | F3:0F116424 20 | movss dword ptr ss:[rsp+20],xmm4 |00007FFEDD30A2CD | EB 7C | jmp jx3representx64.7FFEDD30A34B |00007FFEDD30A2CF | F3:0F1005 65891A00 | movss xmm0,dword ptr ds:[7FFEDD4B2C3C] |00007FFEDD30A2D7 | 0F2FF0 | comiss xmm6,xmm0 |00007FFEDD30A2DA | 76 0D | jbe jx3representx64.7FFEDD30A2E9 |00007FFEDD30A2DC | 0F2FF8 | comiss xmm7,xmm0 |00007FFEDD30A2DF | 76 08 | jbe jx3representx64.7FFEDD30A2E9 |00007FFEDD30A2E1 | 41:B8 01000000 | mov r8d,1 |00007FFEDD30A2E7 | EB 03 | jmp jx3representx64.7FFEDD30A2EC |00007FFEDD30A2E9 | 45:33C0 | xor r8d,r8d |00007FFEDD30A2EC | 80BF 14040000 00 | cmp byte ptr ds:[rdi+414],0 |00007FFEDD30A2F3 | 74 10 | je jx3representx64.7FFEDD30A305 |00007FFEDD30A2F5 | 45:85F6 | test r14d,r14d |00007FFEDD30A2F8 | 74 0B | je jx3representx64.7FFEDD30A305 |00007FFEDD30A2FA | 85C0 | test eax,eax |00007FFEDD30A2FC | 74 07 | je jx3representx64.7FFEDD30A305 |00007FFEDD30A2FE | B9 01000000 | mov ecx,1 |00007FFEDD30A303 | EB 02 | jmp jx3representx64.7FFEDD30A307 |00007FFEDD30A305 | 33C9 | xor ecx,ecx |00007FFEDD30A307 | 66:0F6E43 20 | movd xmm0,dword ptr ds:[rbx+20] |00007FFEDD30A30C | 66:0F6E4B 1C | movd xmm1,dword ptr ds:[rbx+1C] |00007FFEDD30A311 | 0FB643 34 | movzx eax,byte ptr ds:[rbx+34] |00007FFEDD30A315 | F3:0F117C24 58 | movss dword ptr ss:[rsp+58],xmm7 |00007FFEDD30A31B | F3:0F117424 50 | movss dword ptr ss:[rsp+50],xmm6 |00007FFEDD30A321 | C74424 48 00000000 | mov dword ptr ss:[rsp+48],0 |00007FFEDD30A329 | 44:894424 40 | mov dword ptr ss:[rsp+40],r8d |00007FFEDD30A32E | 83E0 01 | and eax,1 |00007FFEDD30A331 | 0F5BC0 | cvtdq2ps xmm0,xmm0 |00007FFEDD30A334 | 0F5BC9 | cvtdq2ps xmm1,xmm1 |00007FFEDD30A337 | 894424 38 | mov dword ptr ss:[rsp+38],eax |00007FFEDD30A33B | 894C24 30 | mov dword ptr ss:[rsp+30],ecx |00007FFEDD30A33F | F3:0F114424 28 | movss dword ptr ss:[rsp+28],xmm0 |00007FFEDD30A345 | F3:0F114C24 20 | movss dword ptr ss:[rsp+20],xmm1 |00007FFEDD30A34B | 66:0F6E5B 18 | movd xmm3,dword ptr ds:[rbx+18] |00007FFEDD30A350 | 48:8B15 A9FA2800 | mov rdx,qword ptr ds:[7FFEDD599E00] |00007FFEDD30A357 | 48:8B8D C00C0000 | mov rcx,qword ptr ss:[rbp+CC0] |00007FFEDD30A35E | 4C:8D4424 60 | lea r8,qword ptr ss:[rsp+60] |00007FFEDD30A363 | 48:81C2 A0A80100 | add rdx,1A8A0 |00007FFEDD30A36A | 0F5BDB | cvtdq2ps xmm3,xmm3 |00007FFEDD30A36D | E8 A4DDD8FF | call jx3representx64.7FFEDD098116 |00007FFEDD30A372 | F3:0F104424 60 | movss xmm0,dword ptr ss:[rsp+60] |00007FFEDD30A378 | F3:0F104C24 64 | movss xmm1,dword ptr ss:[rsp+64] |00007FFEDD30A37E | 0F287C24 70 | movaps xmm7,xmmword ptr ss:[rsp+70] |00007FFEDD30A383 | 0F28B424 80000000 | movaps xmm6,xmmword ptr ss:[rsp+80] |00007FFEDD30A38B | F3:0F1143 0C | movss dword ptr ds:[rbx+C],xmm0 |00007FFEDD30A390 | F3:0F104424 68 | movss xmm0,dword ptr ss:[rsp+68] |00007FFEDD30A396 | F3:0F1143 14 | movss dword ptr ds:[rbx+14],xmm0 |00007FFEDD30A39B | F3:0F114B 10 | movss dword ptr ds:[rbx+10],xmm1 |00007FFEDD30A3A0 | 85C0 | test eax,eax |00007FFEDD30A3A2 | 79 35 | jns jx3representx64.7FFEDD30A3D9 |00007FFEDD30A3A4 | 48:8D0D 4D421D00 | lea rcx,qword ptr ds:[7FFEDD4DE5F8] | 00007FFEDD4DE5F8:"KRLCharacterFrameData::ConvertFramePosition"00007FFEDD30A3AB | 4C:8D05 86791A00 | lea r8,qword ptr ds:[7FFEDD4B1D38] | 00007FFEDD4B1D38:"KGLOG_COM_PROCESS_ERROR(0x%X) at line %d in %s\n"00007FFEDD30A3B2 | 44:8BC8 | mov r9d,eax |00007FFEDD30A3B5 | 48:894C24 28 | mov qword ptr ss:[rsp+28],rcx |00007FFEDD30A3BA | 48:8D0D 3F5CD8FF | lea rcx,qword ptr ds:[7FFEDD090000] |00007FFEDD30A3C1 | BA 07000000 | mov edx,7 |00007FFEDD30A3C6 | C74424 20 22030000 | mov dword ptr ss:[rsp+20],322 |00007FFEDD30A3CE | FF15 14BD2D00 | call qword ptr ds:[ |
|Archiver|手机版|小黑屋|12558网页游戏私服论坛
|网站地图
发表于 2022-1-28 19:50:51