25-10-2022, 08:35 PM
السلام عليكم ورحمه الله وبركاته
لديّ مشكلة في فهم الـ buffer: كيف تم تكوينه وكيف يُرسَل إلى الدالة ذات الاصطلاح thiscall؟
ماذا يفعل هذا الـ struct؟
ولماذا حجم BYTE Filler[0x200]
هو 0x200 بالتحديد وليس 0x500 مثلًا؟
الكود كامل
لديّ مشكلة في فهم الـ buffer: كيف تم تكوينه وكيف يُرسَل إلى الدالة ذات الاصطلاح thiscall؟
ماذا يفعل هذا الـ struct؟
ولماذا حجم BYTE Filler[0x200]
هو 0x200 بالتحديد وليس 0x500 مثلًا؟
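// Secondary object reached through sAABuffer::pBuffer. The game's packet
// function (disassembly further down the page) fills it at fixed offsets:
// it ORs flag bits into +0x20 and stores one field each at +0x28, +0x34,
// +0x38, +0x40, +0x44, +0x58 and +0x60. At the end it loads the DWORD at +0
// and calls through it as a vtable (`mov eax,[ecx]; call [eax+20]`), so
// SecondDword has to be the address of a real table, not an arbitrary value.
// Filler therefore only needs to cover the highest offset the game touches:
// 0x64 bytes in the visible code. 0x200 is generous slack, not a size the
// game demands -- but sub_D4C910 and the virtual call are not visible here,
// so confirm what they write before shrinking it.
struct sAABuffer_Helper
{
    DWORD SecondDword{0};   // dereferenced by the game as a vtable pointer
    BYTE Filler[0x200]{};   // field storage at the offsets listed above
};
// The game addresses every field relative to +0/+4; pin that layout.
static_assert(sizeof(sAABuffer_Helper) == sizeof(DWORD) + 0x200,
              "SecondDword must sit at +0 with Filler directly behind it");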
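// Object handed to the game's packet function as `this` (see the disassembly
// further down the page). Its layout is dictated by that function, which is
// why the members are raw and in exactly this order:
//   +0x000  FirstDword  (= m_lpAAPacketFirstDword; not read by the visible code)
//   +0x004  Filler[0]   the function writes a WORD at +4 and a WORD 0x857 at +6,
//                       then hands +8 .. +0x404 (0x3FC bytes) to the serializer
//   +0x404  pBuffer     loaded as `dword ptr [this+0x404]` before every field write
// 4 + 0x400 = 0x404 is the whole reason Filler is 0x400 bytes long.
struct sAABuffer
{
    DWORD FirstDword{0};
    BYTE Filler[0x400]{};               // NOT ACTUALLY A FILLER, ITS THE SERIALIZED MSG BUFFER.
    sAABuffer_Helper* pBuffer{nullptr}; // raw on purpose: the game reads it as a plain pointer at +0x404

    // Allocates the helper and zero-fills both buffers. `First` lands in
    // FirstDword, `Second` in the helper's first DWORD (which the game later
    // dereferences as a vtable pointer).
    sAABuffer(DWORD First, DWORD Second)
        : FirstDword{First},
          pBuffer{new sAABuffer_Helper{}}   // `{}` value-initialises, i.e. already zeroed
    {
        pBuffer->SecondDword = Second;
    }

    // Owning raw pointer plus a destructor: a copy would double-delete
    // pBuffer, so copying (and with it implicit moving) is disabled.
    sAABuffer(const sAABuffer&) = delete;
    sAABuffer& operator=(const sAABuffer&) = delete;

    ~sAABuffer()
    {
        delete pBuffer;
    }
};
// The game reads pBuffer as a 4-byte pointer at +0x404; that only holds in a
// 32-bit build with no padding, so fail loudly otherwise.
static_assert(sizeof(DWORD) + sizeof(sAABuffer::Filler) == 0x404 && sizeof(sAABuffer) == 0x408,
              "pBuffer must be a 32-bit pointer at this+0x404");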
الكود كاملًا:
#include <Windows.h>
#include <iostream>
#include <string>
#include <TCHAR.H>
#include <vector>
#include "pscan.h"
#define _CRT_SECURE_NO_WARNINGS
using namespace std;
#pragma comment( lib, "psapi.lib" )
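// Forward declaration so the pointer below can be declared ahead of the
// struct definition further down (harmless if pscan.h already declares it).
struct sAABuffer;

// Buffer handed to the game's packet function as `this`. Allocated once in
// MainThread and never freed, because that thread never exits.
sAABuffer* m_AABuffer = nullptr;

// Values copied into sAABuffer::FirstDword and sAABuffer_Helper::SecondDword.
// The disassembly below dereferences the helper's first DWORD as a vtable
// pointer, so at least the second one must be a real address inside the game.
// Both are absolute, whereas Org_AAPacketFunction is rebased on
// GetModuleHandle("comax.exe"): if the game image is loaded at a different
// base (ASLR / relocation) these two go stale -- TODO confirm and rebase.
// Explicit casts: an integer does not convert implicitly to a pointer in C++.
LPVOID m_lpAAPacketFirstDword = reinterpret_cast<LPVOID>(0xF6FEE0);
LPVOID m_lpAAPacketSecondDword = reinterpret_cast<LPVOID>(0xF6FEF8);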
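// Secondary object reached through sAABuffer::pBuffer. The game's packet
// function (disassembly further down the page) fills it at fixed offsets:
// it ORs flag bits into +0x20 and stores one field each at +0x28, +0x34,
// +0x38, +0x40, +0x44, +0x58 and +0x60. At the end it loads the DWORD at +0
// and calls through it as a vtable (`mov eax,[ecx]; call [eax+20]`), so
// SecondDword has to be the address of a real table, not an arbitrary value.
// Filler therefore only needs to cover the highest offset the game touches:
// 0x64 bytes in the visible code. 0x200 is generous slack, not a size the
// game demands -- but sub_D4C910 and the virtual call are not visible here,
// so confirm what they write before shrinking it.
struct sAABuffer_Helper
{
    DWORD SecondDword{0};   // dereferenced by the game as a vtable pointer
    BYTE Filler[0x200]{};   // field storage at the offsets listed above
};
// The game addresses every field relative to +0/+4; pin that layout.
static_assert(sizeof(sAABuffer_Helper) == sizeof(DWORD) + 0x200,
              "SecondDword must sit at +0 with Filler directly behind it");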
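// Object handed to the game's packet function as `this` (see the disassembly
// further down the page). Its layout is dictated by that function, which is
// why the members are raw and in exactly this order:
//   +0x000  FirstDword  (= m_lpAAPacketFirstDword; not read by the visible code)
//   +0x004  Filler[0]   the function writes a WORD at +4 and a WORD 0x857 at +6,
//                       then hands +8 .. +0x404 (0x3FC bytes) to the serializer
//   +0x404  pBuffer     loaded as `dword ptr [this+0x404]` before every field write
// 4 + 0x400 = 0x404 is the whole reason Filler is 0x400 bytes long.
struct sAABuffer
{
    DWORD FirstDword{0};
    BYTE Filler[0x400]{};               // NOT ACTUALLY A FILLER, ITS THE SERIALIZED MSG BUFFER.
    sAABuffer_Helper* pBuffer{nullptr}; // raw on purpose: the game reads it as a plain pointer at +0x404

    // Allocates the helper and zero-fills both buffers. `First` lands in
    // FirstDword, `Second` in the helper's first DWORD (which the game later
    // dereferences as a vtable pointer).
    sAABuffer(DWORD First, DWORD Second)
        : FirstDword{First},
          pBuffer{new sAABuffer_Helper{}}   // `{}` value-initialises, i.e. already zeroed
    {
        pBuffer->SecondDword = Second;
    }

    // Owning raw pointer plus a destructor: a copy would double-delete
    // pBuffer, so copying (and with it implicit moving) is disabled.
    sAABuffer(const sAABuffer&) = delete;
    sAABuffer& operator=(const sAABuffer&) = delete;

    ~sAABuffer()
    {
        delete pBuffer;
    }
};
// The game reads pBuffer as a 4-byte pointer at +0x404; that only holds in a
// 32-bit build with no padding, so fail loudly otherwise.
static_assert(sizeof(DWORD) + sizeof(sAABuffer::Filler) == 0x404 && sizeof(sAABuffer) == 0x408,
              "pBuffer must be a 32-bit pointer at this+0x404");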
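// Signature of the game's packet-building function at comax.exe+0x6F1AD5.
// Calling convention is __thiscall: the first parameter travels in ecx and
// must be the address of an sAABuffer; the remaining six go on the stack
// (the callee ends with `ret 18`, i.e. it pops 6 * 4 bytes). The disassembly
// and IDA output below (labelled co_game.98E761) are presumably this same
// function -- confirm the module name/build match. IDA types `two`, `x` and
// `y` as unsigned __int16 and the listing reads them with movzx, so only the
// low 16 bits of those DWORDs are used.
// Parameter names were changed: identifiers beginning with "__" are reserved.
using p_AAFunction = bool(__thiscall*)(DWORD thisBuffer, DWORD two, DWORD id, DWORD mobId, DWORD x, DWORD y, DWORD zero);

// Resolved in MainThread from the module base; null until then.
p_AAFunction Org_AAPacketFunction = nullptr;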
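// Worker thread started from DllMain: resolves the game's packet function,
// builds the sAABuffer it expects as `this`, then calls it every five seconds
// with fixed arguments. `param` is this DLL's own HMODULE (from DllMain).
// Returns 1 if comax.exe is not loaded in the process; otherwise it never
// returns, because the loop below has no exit condition.
DWORD WINAPI MainThread(LPVOID param)
{
    // __thiscall and the pointer<->DWORD casts below only make sense in a
    // 32-bit build; refuse to compile anything else.
    static_assert(sizeof(void*) == sizeof(DWORD), "this DLL must be built as 32-bit x86");

    // A null module handle would turn the RVA below into a garbage address and
    // the first call would crash the host process; bail out instead.
    const uintptr_t moduleBase = reinterpret_cast<uintptr_t>(GetModuleHandle("comax.exe"));
    if (moduleBase == 0)
        return 1;

    // 0x6F1AD5 is an RVA inside comax.exe, so this survives relocation
    // (unlike the two absolute m_lpAAPacket*Dword constants it is built from).
    Org_AAPacketFunction = reinterpret_cast<p_AAFunction>(moduleBase + 0x6F1AD5);

    // Intentionally never deleted: this thread does not return.
    m_AABuffer = new sAABuffer(reinterpret_cast<DWORD>(m_lpAAPacketFirstDword),
                               reinterpret_cast<DWORD>(m_lpAAPacketSecondDword));

    // Passed as the first argument, which the __thiscall thunk moves into ecx.
    const DWORD thisBuffer = reinterpret_cast<DWORD>(m_AABuffer);
    while (true)
    {
        Sleep(5000);
        // (this, two, id, mobId, x, y, zero) -- the callee returns 0 when id or mobId is 0.
        Org_AAPacketFunction(thisBuffer, 2, 3363133, 0x67681, 756, 567, 0);
    }

    // Unreachable while the loop above is unconditional; kept so the DLL can
    // unload itself if an exit condition is ever added.
    FreeLibraryAndExitThread(static_cast<HMODULE>(param), 0);
    return 0;
}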
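// DLL entry point. On process attach it starts MainThread and returns at
// once; every other reason is ignored. Always reports success.
BOOL WINAPI DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpReserved)
{
    (void)lpReserved;   // unused

    if (dwReason == DLL_PROCESS_ATTACH)
    {
        // The real work lives in its own thread rather than in DllMain; the
        // module handle is passed along so the thread can unload the DLL.
        const HANDLE hThread = CreateThread(nullptr, 0, MainThread, hModule, 0, nullptr);
        // Nothing ever waits on the thread, so release our handle right away
        // instead of leaking it for the lifetime of the process.
        if (hThread != nullptr)
            CloseHandle(hThread);
    }
    return TRUE;
}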
Disassembly of the called function (labelled co_game.98E761; IDA calls it sub_98E761), annotated:
`55 push ebp                                   ; co_game.98E761: __thiscall, ecx = this = sAABuffer*, six DWORD args on the stack (ret 18 pops 0x18 bytes)
8BEC mov ebp,esp
53 push ebx
8B5D 0C mov ebx,dword ptr ss:[ebp+C]           ; ebx = a3 (2nd stack arg; 3363133 from MainThread)
56 push esi
57 push edi
8BF1 mov esi,ecx                               ; esi = this = m_AABuffer; its first DWORD is FirstDword (= m_lpAAPacketFirstDword), which this function never reads
85DB test ebx,ebx
0F84 BA000000 je co_game.98E82E                ; a3 == 0 -> return 0
8B7D 10 mov edi,dword ptr ss:[ebp+10]          ; edi = a4 (3rd stack arg; 0x67681 from MainThread)
85FF test edi,edi
0F84 AF000000 je co_game.98E82E                ; a4 == 0 -> return 0
E8 9870F4FF call <JMP.&timeGetTime>            ; eax = timeGetTime()
8B8E 04040000 mov ecx,dword ptr ds:[esi+404]   ; ecx = dword [this+0x404] = sAABuffer::pBuffer (4 + 0x400 = 0x404, hence Filler[0x400])
8349 20 01 or dword ptr ds:[ecx+20],1          ; helper+0x20 collects one flag bit per field written below (presumably "field present" bits -- confirm)
8941 28 mov dword ptr ds:[ecx+28],eax          ; helper+0x28 = timestamp
8B86 04040000 mov eax,dword ptr ds:[esi+404]
8348 20 08 or dword ptr ds:[eax+20],8
0FB74D 14 movzx ecx,word ptr ss:[ebp+14]       ; a5 (X) read as a 16-bit value
8958 34 mov dword ptr ds:[eax+34],ebx          ; helper+0x34 = a3
8B86 04040000 mov eax,dword ptr ds:[esi+404]
8348 20 10 or dword ptr ds:[eax+20],10
8978 38 mov dword ptr ds:[eax+38],edi          ; helper+0x38 = a4
8B86 04040000 mov eax,dword ptr ds:[esi+404]
8348 20 40 or dword ptr ds:[eax+20],40
8948 40 mov dword ptr ds:[eax+40],ecx          ; helper+0x40 = a5
8B86 04040000 mov eax,dword ptr ds:[esi+404]
8148 20 80000000 or dword ptr ds:[eax+20],80
0FB74D 18 movzx ecx,word ptr ss:[ebp+18]       ; a6 (Y) read as a 16-bit value
8948 44 mov dword ptr ds:[eax+44],ecx          ; helper+0x44 = a6
8B86 04040000 mov eax,dword ptr ds:[esi+404]
8148 20 00100000 or dword ptr ds:[eax+20],1000
0FB74D 08 movzx ecx,word ptr ss:[ebp+8]        ; a2 (1st stack arg; the literal 2) read as a 16-bit value
8948 58 mov dword ptr ds:[eax+58],ecx          ; helper+0x58 = a2
8B86 04040000 mov eax,dword ptr ds:[esi+404]
8B4D 1C mov ecx,dword ptr ss:[ebp+1C]          ; a7 (6th stack arg; the trailing 0)
8148 20 00400000 or dword ptr ds:[eax+20],4000
8948 60 mov dword ptr ds:[eax+60],ecx          ; helper+0x60 = a7 -- highest helper offset this function writes (0x64 bytes total); Filler[0x200] is just slack beyond that
8B8E 04040000 mov ecx,dword ptr ds:[esi+404]   ; ecx = pBuffer (the helper object) becomes `this` of the next call. NOT m_lpAAPacketSecondDword itself: that value is the helper's first DWORD
68 FC030000 push 3FC                           ; length 0x3FC = 0x400 - 4
8D46 08 lea eax,dword ptr ds:[esi+8]           ; this+8 .. this+0x404: the serialized-message area (Filler minus its first 4 bytes)
50 push eax
E8 05E13B00 call <co_game.sub_D4C910>          ; __thiscall sub_D4C910 with ecx = helper, args (this+8, 0x3FC); result in al
84C0 test al,al
74 1F je co_game.98E82E                        ; serialization failed -> return 0
8B8E 04040000 mov ecx,dword ptr ds:[esi+404]
B8 57080000 mov eax,857
66:8946 06 mov word ptr ds:[esi+6],ax          ; WORD at this+6 (= Filler[2..3]) = 0x857 (2135); presumably a message id -- confirm
8B01 mov eax,dword ptr ds:[ecx]                ; eax = *(helper+0): the helper's first DWORD (SecondDword) is treated as a vtable pointer ...
FF50 20 call dword ptr ds:[eax+20]             ; ... and slot +0x20 is called with ecx = helper. If m_lpAAPacketSecondDword is not a real table this is an arbitrary indirect call
83C0 04 add eax,4
66:8946 04 mov word ptr ds:[esi+4],ax          ; WORD at this+4 (= Filler[0..1]) = result + 4; presumably the total length -- confirm
B0 01 mov al,1                                 ; success -> return 1
EB 02 jmp co_game.98E830
32C0 xor al,al                                 ; co_game.98E82E: failure path -> return 0
5F pop edi
5E pop esi
5B pop ebx
5D pop ebp
C2 1800 ret 18`
IDA Pro decompilation of the same function:
`
// IDA Pro decompilation of co_game.98E761, presumably the function MainThread
// calls through Org_AAPacketFunction (confirm the module/build match). `this`
// is the sAABuffer* passed in ecx; a2..a7 are MainThread's (2, 3363133,
// 0x67681, 756, 567, 0). Offsets are decimal here: 1028 = 0x404
// (sAABuffer::pBuffer), 32 = 0x20 (helper flag word), 1020 = 0x3FC.
char __thiscall sub_98E761(
int this,              // sAABuffer* (m_AABuffer); FirstDword at +0 is not read here
unsigned __int16 a2,   // only the low 16 bits of the DWORD from the typedef are used
int a3,                // must be non-zero, otherwise the function returns 0
int a4,                // must be non-zero, otherwise the function returns 0
unsigned __int16 a5,   // 16-bit (movzx in the listing)
unsigned __int16 a6,   // 16-bit (movzx in the listing)
int a7)
- {
DWORD v8; // eax
int v9; // ecx
int v10; // eax
int v11; // eax
int v12; // eax
int v13; // eax
int v14; // eax
int v15; // eax
int v16; // ecx
if ( !a3 )
return 0;
if ( !a4 )
return 0;
v8 = sub_8D581C();                      // timeGetTime(), per the import thunk in the listing
v9 = *(_DWORD *)(this + 1028);          // this+0x404 = sAABuffer::pBuffer, the sAABuffer_Helper*
*(_DWORD *)(v9 + 32) |= 1u;             // helper+0x20: one flag bit is set per field stored below (presumably "field present" -- confirm)
*(_DWORD *)(v9 + 40) = v8;              // helper+0x28 = timestamp
v10 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v10 + 32) |= 8u;
*(_DWORD *)(v10 + 52) = a3;             // helper+0x34
v11 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v11 + 32) |= 0x10u;
*(_DWORD *)(v11 + 56) = a4;             // helper+0x38
v12 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v12 + 32) |= 0x40u;
*(_DWORD *)(v12 + 64) = a5;             // helper+0x40
v13 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v13 + 32) |= 0x80u;
*(_DWORD *)(v13 + 68) = a6;             // helper+0x44
v14 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v14 + 32) |= 0x1000u;
*(_DWORD *)(v14 + 88) = a2;             // helper+0x58
v15 = *(_DWORD *)(this + 1028);
*(_DWORD *)(v15 + 32) |= 0x4000u;
*(_DWORD *)(v15 + 96) = a7;             // helper+0x60: highest helper offset written here (0x64 bytes total), so Filler[0x200] is more than this function needs
if ( !(unsigned __int8)sub_D4C910(this + 8, 1020) )   // serializes 0x3FC bytes starting at this+8 (= Filler+4); the listing loads ecx = pBuffer right before this call, so the helper is presumably its `this` even though IDA does not show it -- confirm
return 0;
v16 = *(_DWORD *)(this + 1028);
*(_WORD *)(this + 6) = 2135;            // 0x857 written into Filler[2..3]; presumably a message id -- confirm
*(_WORD *)(this + 4) = (*(int (__thiscall **)(int))(*(_DWORD *)v16 + 32))(v16) + 4;   // *(_DWORD *)v16 is the helper's first DWORD (= m_lpAAPacketSecondDword) used as a vtable; slot +0x20 is called with the helper as `this`. If that value is not a real table this is an arbitrary indirect call. Result + 4 goes into Filler[0..1] as a WORD, presumably the total length -- confirm
return 1;
}