大航海时代ol台服找Call记(十七)交易商货物数据分析 - 2 (出售货物Call)
根据万能call断点,获得出售货物call
GVOnline.exe+4AEFD - 66 89 46 10 - mov [esi+10],ax // tail of the preceding loop body
GVOnline.exe+4AF01 - 89 4D 08 - mov [ebp+08],ecx
GVOnline.exe+4AF04 - 85 DB - test ebx,ebx
GVOnline.exe+4AF06 - 0F85 54FFFFFF - jne GVOnline.exe+4AE60 // loop back while ebx != 0
GVOnline.exe+4AF0C - 8B 5D EC - mov ebx,[ebp-14] // ebx = local object the call arguments are read from
GVOnline.exe+4AF0F - 8B 73 34 - mov esi,[ebx+34] // -> param 3 (the NPC pointer in the stack capture below)
GVOnline.exe+4AF12 - 8B 7B 30 - mov edi,[ebx+30] // -> param 2 (0 in the stack capture below)
GVOnline.exe+4AF15 - E8 66151100 - call GVOnline.exe+15C480 // eax = object whose +1AA8 becomes ecx below; no stack args are pushed for it here
GVOnline.exe+4AF1A - 8D 4D D0 - lea ecx,[ebp-30] // address of the caller's local sell-data block
GVOnline.exe+4AF1D - 51 - push ecx // param 4: &sell-data (arguments are pushed right-to-left)
GVOnline.exe+4AF1E - 56 - push esi // param 3: NPC pointer
GVOnline.exe+4AF1F - 57 - push edi // param 2: 0
GVOnline.exe+4AF20 - FF 73 24 - push [ebx+24] // param 1: window id (0x17 in the stack capture below)
GVOnline.exe+4AF23 - 8D 88 A81A0000 - lea ecx,[eax+00001AA8] // ecx = eax+1AA8, set right before the call - presumably the callee's this pointer
GVOnline.exe+4AF29 - E8 225C6E00 - call GVOnline.exe+730B50 // sell-goods call: ecx + 4 stack args; the CE script below reproduces this call site
GVOnline.exe+4AF2E - 8B F0 - mov esi,eax // keep the return value; no add esp follows, so the callee appears to clean its own arguments
进入call时的堆栈如下:(共4个参数)
001AFDC8(esp+0) - 00000017 - (dword)00000017(23) 参数1:窗口id
001AFDCC(esp+4) - 00000000 - (dword)00000000(0) 参数2:固定0
001AFDD0(esp+8) - 018006E8 - (pointer)018006E8 参数3:npc 对象指针(注意这是一个指针而不是固定的 ID,脚本中写死该值可能在其他会话中失效)
001AFDD4(esp+C) - 001AFDE4 - (pointer)001AFDE4 参数4:出售货物数据地址
001AFDD8(esp+10) - 06868178 - (pointer)06868178
001AFDDC(esp+14) - 00002EE0 - (dword)00002EE0(12000) 按钮ID
001AFDE0(esp+18) - 199E46E0 - (pointer)199E46E0
001AFDE4(esp+1C) - 00F3972C - (pointer)GVOnline.exe+B3972C  ← 这是参数4所指向的出售货物数据的第一个 dword(即脚本中写入的"固定值"),它是模块内地址,会随 GVOnline.exe 的加载基址变化
内存数据如下图:


经过测试,出售货物数据中的物品ID为物品的动态ID,每次重新获得该物品时,均会重置。因此脚本中不能把该ID写死,每次出售前都需要从当前持有物品的内存数据中重新读取。可以参考下面的持有物品内存数据:

出售物品call (CE Autoassemble)
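// CE Auto Assembler script: sell goods by calling GVOnline.exe+730B50 directly.
// Target: 32-bit GVOnline.exe. Syntax: Cheat Engine auto assembler (Intel operand order, numbers are hex by default).
//
// Call contract, recovered from the game's own call site at GVOnline.exe+4AF1A..4AF29:
//   ecx      = "this" object; the game derives it as eax+1AA8 after calling GVOnline.exe+15C480
//   [esp+0]  = window id        (0x17 at capture time)
//   [esp+4]  = 0                (always 0 at capture time)
//   [esp+8]  = NPC pointer      (heap address, session-specific)
//   [esp+C]  = pointer to the sell-data header described below
// Sell-data header (0xC bytes), as observed in the stack dump:
//   +0  GVOnline.exe+B3972C  (constant in the dump; looks like a type/vtable pointer - unverified)
//   +4  pointer to the item entry array
//   +8  number of item kinds in the array (1 here)
// Item entry (0x10 bytes):
//   +0  dynamic item id   (re-assigned every time the item is obtained - must be read live, never hard-coded)
//   +4  00010001          (constant in the dump; meaning unknown)
//   +8  quantity to sell
//   +C  unit price
//
// Session-specific inputs. Every one of these comes from a single capture and must be refreshed
// from the running process before the script is enabled; only the module-relative addresses are stable.
define(THIS_PTR,01217388)                  // ecx for the call; taken from one capture, may move between sessions
define(NPC_PTR,018006E8)                   // NPC object the trade window is open on (heap pointer)
define(ITEM_DYN_ID,4e93a487)               // dynamic id of the item stack being sold
define(SELL_QTY,2)                         // quantity to sell
define(SELL_PRICE,19)                      // unit price (hex 19 = 25)
define(WINDOW_ID,17)                       // window id seen at [esp+0]
define(SELL_DATA_TAG,GVOnline.exe+B3972C)  // header +0 value, module-relative so it survives a different image base

[ENABLE]
alloc(newmem,2048)

newmem:
  pushad                          // save everything; the call's clobber set is unknown
  sub esp,$100                    // scratch area on this thread's stack for the item array + header
  mov esi,esp                     // esi = item entry array (a single 0x10-byte entry)
  lea edi,[esi+10]                // edi = sell-data header, placed right after the entry

  // item entry
  mov dword ptr [esi],ITEM_DYN_ID
  mov dword ptr [esi+4],00010001  // fixed value observed in the dump
  mov dword ptr [esi+8],SELL_QTY
  mov dword ptr [esi+c],SELL_PRICE

  // sell-data header
  mov eax,SELL_DATA_TAG
  mov [edi],eax
  mov [edi+4],esi                 // -> item entry array
  mov dword ptr [edi+8],1         // one item kind

  // arguments pushed right-to-left, exactly like the game's own call site
  push edi                        // param 4: &sell-data
  push NPC_PTR                    // param 3: NPC pointer
  push 0                          // param 2: fixed 0
  push WINDOW_ID                  // param 1: window id
  mov ecx,THIS_PTR                // "this" (the game computes it as eax+1AA8 after call GVOnline.exe+15C480)
  call GVOnline.exe+730B50        // module-relative, unlike an absolute 00B30B50 which assumes a 00400000 image base

  // The game's call site has no add esp after this call, so the callee appears to clean its
  // 4 arguments; only the scratch area is released here. If the callee were cdecl this would be
  // off by 10 bytes and popad would restore garbage.
  add esp,$100
  popad
  ret

// NOTE: this runs the game function on a foreign thread while the game's own thread may be
// using the same objects; if that proves unstable, hook the original call site instead.
createthread(newmem)

[DISABLE]
dealloc(newmem)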
//----------------------------------