RoAddr.iniのアドレスの求め方メモ 逆アセンブル編 [[下準備]]------------------------------------------------------------------------------ 逆アセンブラはStringDataがコード中に展開されているものが望ましい 最低限APIとは何かとアセンブラの基礎知識(レジスタ/スタック/ポインタとは何かなど)は必要 プログラムを組んだ経験は有った方が良いと思う。 [[ヒント]]------------------------------------------------------------------------------ 基本は関連するStringDataやAPIを目印として検索すること 1コード1コードを注意深くトレースする必要はなし、目印付近以外さらーと流し読むことが大切 この文章中のアセンブラコードは2003-10-08aRagexe.rgz(jRO)のもの 断りが無い限り0xから始まって無くても16進法です 以下に関してはアセンブラから求められるが面倒なのでメモリからサーチした方が速い CharName [[HPIndex/HPTable/SPIndex/SPTable/MaxHPIndex/MaxHPTable/MaxSPIndex/MaxSPTable]]--------- 目印は"HP %3d / %3d"と"SP %3d / %3d" //////////////////////////////////////////////////////////////////////////////////////// * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0045D877(U) | :0045D8A8 6A02 push 00000002 :0045D8AA 6A11 push 00000011 :0045D8AC 8BCE mov ecx, esi :0045D8AE E86D940400 call 004A6D20 :0045D8B3 8B0D2C866900 mov ecx, dword ptr [0069862C] // 旧XorIndex :0045D8B9 A130866900 mov eax, dword ptr [00698630] // MaxHPIndex :0045D8BE 8B148DF8866900 mov edx, dword ptr [4*ecx+006986F8] // 旧XorTable :0045D8C5 8B0C8538866900 mov ecx, dword ptr [4*eax+00698638] // MaxHPTable :0045D8CC 52 push edx :0045D8CD 51 push ecx :0045D8CE B9F86E6900 mov ecx, 00696EF8 :0045D8D3 E848491400 call 005A2220 :0045D8D8 8B152C866900 mov edx, dword ptr [0069862C] :0045D8DE 8B0D24866900 mov ecx, dword ptr [00698624] // HPIndex :0045D8E4 8BF8 mov edi, eax :0045D8E6 8B0495F8866900 mov eax, dword ptr [4*edx+006986F8] :0045D8ED 8B148D98866900 mov edx, dword ptr [4*ecx+00698698] // HPTable :0045D8F4 50 push eax :0045D8F5 52 push edx :0045D8F6 B9F86E6900 mov ecx, 00696EF8 :0045D8FB E820491400 call 005A2220 :0045D900 57 push edi :0045D901 50 push eax :0045D902 8D8578FFFFFF lea eax, dword ptr [ebp+FFFFFF78] * Possible StringData Ref from Data Obj ->"HP %3d / %3d" | :0045D908 68D4016100 push 006101D4 :0045D90D 50 push eax :0045D90E E8F5AD1600 call 005C8708 // c runtime sprintf 
:0045D913 83C410 add esp, 00000010 :0045D916 8D8D78FFFFFF lea ecx, dword ptr [ebp+FFFFFF78] :0045D91C 6A00 push 00000000 :0045D91E 6A0E push 0000000E :0045D920 53 push ebx :0045D921 6A00 push 00000000 :0045D923 51 push ecx :0045D924 6A1E push 0000001E :0045D926 6A5F push 0000005F :0045D928 8BCE mov ecx, esi :0045D92A E8F1930400 call 004A6D20 :0045D92F 8B152C866900 mov edx, dword ptr [0069862C] :0045D935 8B0D34866900 mov ecx, dword ptr [00698634] // MaxSPIndex :0045D93B 8B0495F8866900 mov eax, dword ptr [4*edx+006986F8] :0045D942 8B148D68866900 mov edx, dword ptr [4*ecx+00698668] // MaxSPTable :0045D949 50 push eax :0045D94A 52 push edx :0045D94B B9F86E6900 mov ecx, 00696EF8 :0045D950 E8CB481400 call 005A2220 :0045D955 8B1528866900 mov edx, dword ptr [00698628] // SPIndex :0045D95B 8BF8 mov edi, eax :0045D95D A12C866900 mov eax, dword ptr [0069862C] :0045D962 8B0C85F8866900 mov ecx, dword ptr [4*eax+006986F8] :0045D969 8B0495C8866900 mov eax, dword ptr [4*edx+006986C8] // SPTable :0045D970 51 push ecx :0045D971 50 push eax :0045D972 B9F86E6900 mov ecx, 00696EF8 :0045D977 E8A4481400 call 005A2220 :0045D97C 57 push edi :0045D97D 50 push eax :0045D97E 8D8D78FFFFFF lea ecx, dword ptr [ebp+FFFFFF78] * Possible StringData Ref from Data Obj ->"SP %3d / %3d" | :0045D984 68C0016100 push 006101C0 :0045D989 51 push ecx :0045D98A E879AD1600 call 005C8708 // c runtime sprintf //////////////////////////////////////////////////////////////////////////////////////// [[BaseLv]]------------------------------------------------------------------------------ 目印は"Base Lv. %d" //////////////////////////////////////////////////////////////////////////////////////// :0045D9AB A1F07B6900 mov eax, dword ptr [00697BF0] // BaseLv :0045D9B0 8D8D78FFFFFF lea ecx, dword ptr [ebp+FFFFFF78] :0045D9B6 50 push eax * Possible StringData Ref from Data Obj ->"Base Lv. 
%d" | :0045D9B7 68B4016100 push 006101B4 :0045D9BC 51 push ecx :0045D9BD E846AD1600 call 005C8708 // c runtime sprintf //////////////////////////////////////////////////////////////////////////////////////// [[JobLv]]------------------------------------------------------------------------------- 目印は"Job Lv. %d" //////////////////////////////////////////////////////////////////////////////////////// :0045D9DE A1FC7B6900 mov eax, dword ptr [00697BFC] // JobLv :0045D9E3 8D8D78FFFFFF lea ecx, dword ptr [ebp+FFFFFF78] :0045D9E9 50 push eax * Possible StringData Ref from Data Obj ->"Job Lv. %d" | :0045D9EA 68A8016100 push 006101A8 :0045D9EF 51 push ecx :0045D9F0 E813AD1600 call 005C8708 // c runtime sprintf //////////////////////////////////////////////////////////////////////////////////////// [[Weight/WeightMax]]-------------------------------------------------------------------- 目印は"Weight : %3d / %3d" //////////////////////////////////////////////////////////////////////////////////////// :0045DA11 8B0DA47C6900 mov ecx, dword ptr [00697CA4] // WeightMax :0045DA17 3BCB cmp ecx, ebx :0045DA19 7E02 jle 0045DA1D :0045DA1B 8BD9 mov ebx, ecx * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0045DA19(C) | :0045DA1D 8B3D9C7C6900 mov edi, dword ptr [00697C9C] // Weight :0045DA23 51 push ecx :0045DA24 57 push edi * Possible StringData Ref from Data Obj ->"Weight : %3d / %3d" | :0045DA25 6894016100 push 00610194 //////////////////////////////////////////////////////////////////////////////////////// [[Zeny]]-------------------------------------------------------------------------------- 目印は"Zeny : %s" //////////////////////////////////////////////////////////////////////////////////////// :0045DA87 8B158C7C6900 mov edx, dword ptr [00697C8C] // Zeny :0045DA8D 8D8D38FFFFFF lea ecx, dword ptr [ebp+FFFFFF38] :0045DA93 51 push ecx :0045DA94 52 push edx :0045DA95 E896810800 call 004E5C30 // 3桁ごとにかカンマを入れる関数 :0045DA9A 83C408 add esp, 00000008 :0045DA9D 8D8538FFFFFF 
lea eax, dword ptr [ebp+FFFFFF38] :0045DAA3 8D8D78FFFFFF lea ecx, dword ptr [ebp+FFFFFF78] :0045DAA9 50 push eax * Possible StringData Ref from Data Obj ->"Zeny : %s" | :0045DAAA 6888016100 push 00610188 :0045DAAF 51 push ecx :0045DAB0 E853AC1600 call 005C8708 // c runtime sprintf //////////////////////////////////////////////////////////////////////////////////////// [[BaseExp/BaseExpNext/BaseLv/JobLv/JobClass/EffectState]]------------------------------- 目印は"Lv. %2d / %s / Lv. %2d / Exp. %d %%" //////////////////////////////////////////////////////////////////////////////////////// :0045DB01 A1EC7B6900 mov eax, dword ptr [00697BEC] // BaseExp :0045DB06 8B0DF87B6900 mov ecx, dword ptr [00697BF8] // BaseExpNext :0045DB0C 85C0 test eax, eax :0045DB0E 8945F8 mov dword ptr [ebp-08], eax :0045DB11 894DFC mov dword ptr [ebp-04], ecx :0045DB14 7D05 jge 0045DB1B :0045DB16 33C0 xor eax, eax :0045DB18 8945F8 mov dword ptr [ebp-08], eax * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0045DB14(C) | :0045DB1B 85C9 test ecx, ecx :0045DB1D 7F04 jg 0045DB23 :0045DB1F 40 inc eax :0045DB20 8945FC mov dword ptr [ebp-04], eax * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0045DB1D(C) | :0045DB23 A1F07B6900 mov eax, dword ptr [00697BF0] // BaseLv :0045DB28 83F863 cmp eax, 00000063 :0045DB2B 7508 jne 0045DB35 :0045DB2D DD05A8955E00 fld qword ptr [005E95A8] :0045DB33 EB06 jmp 0045DB3B * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0045DB2B(C) | :0045DB35 DB45F8 fild dword ptr [ebp-08] :0045DB38 DA75FC ffidiv dword ptr [ebp-04] * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0045DB33(U) | :0045DB3B DC0DB0AB5E00 fmul qword ptr [005EABB0] :0045DB41 8B3DFC7B6900 mov edi, dword ptr [00697BFC] // JobLv :0045DB47 8B1D54766900 mov ebx, dword ptr [00697654] :0045DB4D 8945FC mov dword ptr [ebp-04], eax // BaseLvを退避 :0045DB50 E82FB31600 call 005C8E84 :0045DB55 50 push eax :0045DB56 57 push edi :0045DB57 
B9F86E6900 mov ecx, 00696EF8 // BaseAddress :0045DB5C E8CF551400 call 005A3130 // JobClassを呼び出す :0045DB61 8B0483 mov eax, dword ptr [ebx+4*eax] // JobClassからクラス文字列に :0045DB64 8B4DFC mov ecx, dword ptr [ebp-04] // BaseLvをecxに :0045DB67 50 push eax :0045DB68 51 push ecx :0045DB69 8D9578FFFFFF lea edx, dword ptr [ebp+FFFFFF78] * Possible StringData Ref from Data Obj ->"Lv. %2d / %s / Lv. %2d / Exp. " ->"%d %%" | :0045DB6F 6834016100 push 00610134 :0045DB74 52 push edx :0045DB75 E88EAB1600 call 005C8708 // c runtime sprintf //////////////////////////////////////////////////////////////////////////////////////// //JobClassからキャラクターのジョブを求める関数 :005A3130 56 push esi :005A3131 8BF1 mov esi, ecx // BaseAddress :005A3133 83BEF00C000007 cmp dword ptr [esi+00000CF0], 00000007 // JobClass=BaseAdress+CF0=0x00696EF8+CF0=0x00697BE8 :005A313A 7519 jne 005A3155 :005A313C A118756900 mov eax, dword ptr [00697518] // EffectState :005A3141 50 push eax :005A3142 E8D9000000 call 005A3220 :005A3147 83C404 add esp, 00000004 :005A314A 84C0 test al, al :005A314C 7407 je 005A3155 :005A314E B80D000000 mov eax, 0000000D :005A3153 5E pop esi :005A3154 C3 ret //////////////////////////////////////////////////////////////////////////////////////// [[CartNum/CartNumMax/CartWeight/CartWeightMax]]----------------------------------------- 目印は"Num: %d/%d Weight: %d/%d" //////////////////////////////////////////////////////////////////////////////////////// :004935EB A134756900 mov eax, dword ptr [00697534] // CartWeightMax :004935F0 8B0D30756900 mov ecx, dword ptr [00697530] // CartWeight :004935F6 8B152C756900 mov edx, dword ptr [0069752C] // CartNumMax :004935FC 50 push eax :004935FD A128756900 mov eax, dword ptr [00697528] // CartNum :00493602 51 push ecx :00493603 52 push edx :00493604 50 push eax :00493605 8D8D24FFFFFF lea ecx, dword ptr [ebp+FFFFFF24] * Possible StringData Ref from Data Obj ->"Num: %d/%d Weight: %d/%d" | :0049360B 68F8196100 push 006119F8 :00493610 51 push ecx :00493611 E8F2501300 
call 005C8708 // c runtime sprintf //////////////////////////////////////////////////////////////////////////////////////// [[JobExp/JobExpMax]]-------------------------------------------------------------------- ここはこじつけに近いかもしれない。 先にBaseExp/BaseExpNextは求めておいた方がよい 目印は"%d : %d/%d More : %d" //////////////////////////////////////////////////////////////////////////////////////// * Possible StringData Ref from Data Obj ->"%d : %d/%d More : %d" | :0052D82A 6890D26100 push 0061D290 :0052D82F 50 push eax :0052D830 E8D3AE0900 call 005C8708 :0052D835 83C418 add esp, 00000018 :0052D838 8D8D00FFFFFF lea ecx, dword ptr [ebp+FFFFFF00] :0052D83E 6A00 push 00000000 :0052D840 68F51EF500 push 00F51EF5 :0052D845 51 push ecx :0052D846 6A01 push 00000001 :0052D848 B928B06400 mov ecx, 0064B028 :0052D84D E8EE72F8FF call 004B4B40 :0052D852 5F pop edi * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: |:0052D7FB(C), :0052D80C(C), :0052D810(C) | :0052D853 8B5304 mov edx, dword ptr [ebx+04] :0052D856 B9F86E6900 mov ecx, 00696EF8 :0052D85B 8915EC7B6900 mov dword ptr [00697BEC], edx // BaseExp :0052D861 E83AB50600 call 00598DA0 :0052D866 5E pop esi :0052D867 5B pop ebx :0052D868 8BE5 mov esp, ebp :0052D86A 5D pop ebp :0052D86B C20400 ret 0004 :0052D86E 8B4304 mov eax, dword ptr [ebx+04] :0052D871 B9F86E6900 mov ecx, 00696EF8 :0052D876 A3987C6900 mov dword ptr [00697C98], eax // JobExp :0052D87B E820B50600 call 00598DA0 :0052D880 5B pop ebx :0052D881 8BE5 mov esp, ebp :0052D883 5D pop ebp :0052D884 C20400 ret 0004 :0052D887 8B8100010000 mov eax, dword ptr [ecx+00000100] :0052D88D 85C0 test eax, eax :0052D88F 7414 je 0052D8A5 :0052D891 C7810001000000000000 mov dword ptr [ebx+00000100], 00000000 :0052D89B B9F86E6900 mov ecx, 00696EF8 :0052D8A0 E81B670600 call 00593FC0 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0052D88F(C) | :0052D8A5 8B4B04 mov ecx, dword ptr [ebx+04] :0052D8A8 890D8C7C6900 mov dword ptr [00697C8C], ecx // Zeny :0052D8AE B9F86E6900 
mov ecx, 00696EF8 :0052D8B3 E8E8B40600 call 00598DA0 :0052D8B8 5B pop ebx :0052D8B9 8BE5 mov esp, ebp :0052D8BB 5D pop ebp :0052D8BC C20400 ret 0004 :0052D8BF 8B5304 mov edx, dword ptr [ebx+04] :0052D8C2 B9F86E6900 mov ecx, 00696EF8 :0052D8C7 8915F87B6900 mov dword ptr [00697BF8], edx // BaseExpNext :0052D8CD E8CEB40600 call 00598DA0 :0052D8D2 5B pop ebx :0052D8D3 8BE5 mov esp, ebp :0052D8D5 5D pop ebp :0052D8D6 C20400 ret 0004 :0052D8D9 8B4304 mov eax, dword ptr [ebx+04] :0052D8DC B9F86E6900 mov ecx, 00696EF8 :0052D8E1 A3A87C6900 mov dword ptr [00697CA8], eax // JobExpNext :0052D8E6 E8B5B40600 call 00598DA0 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0052D7D7(C) | :0052D8EB 5B pop ebx :0052D8EC 8BE5 mov esp, ebp :0052D8EE 5D pop ebp :0052D8EF C20400 ret 0004 :0052D8F2 8BFF mov edi, edi :0052D8F4 ECD75200 DWORD 0052D7EC // switch 各caseのアドレス群 :0052D8F8 6ED85200 DWORD 0052D86E :0052D8FC 87D85200 DWORD 0052D887 :0052D900 BFD85200 DWORD 0052D8BF :0052D904 D9D85200 DWORD 0052D8D9 :0052D908 EBD85200 DWORD 0052D8EB //////////////////////////////////////////////////////////////////////////////////////// [[BGMVolume]]--------------------------------------------------------------------------- 目印はレジストリーのキー名である"streamVolume" //////////////////////////////////////////////////////////////////////////////////////// * Possible StringData Ref from Data Obj ->"isSoundOn" | :0058D527 6854286200 push 00622854 :0058D52C 51 push ecx :0058D52D FFD3 call ebx :0058D52F 8B55FC mov edx, dword ptr [ebp-04] :0058D532 6A04 push 00000004 :0058D534 6844756900 push 00697544 // BGMVolume :0058D539 6A04 push 00000004 :0058D53B 6A00 push 00000000 * Possible StringData Ref from Data Obj ->"streamVolume" | :0058D53D 6844286200 push 00622844 :0058D542 52 push edx :0058D543 FFD3 call ebx // ちなみにebxはRegSetValueExAのアドレス //////////////////////////////////////////////////////////////////////////////////////// 
[[SNBase/SLBase/SCPage]]----------------------------------------------------------------------- 目印はレジストリのキーである"ShortcutItem"/"SITEM%d%d%d"/"S_SKILL_USE_LEVEL%d%d%d"とレジストリ処理API 2個所見つかるがどちらでもかまわない。今回は最初の方 //////////////////////////////////////////////////////////////////////////////////////// * Possible StringData Ref from Data Obj ->"\ShortcutItem" // ここから解析開始 | :004ABAAD 8B3DB0206100 mov edi, dword ptr [006120B0] :004ABAB3 83C9FF or ecx, FFFFFFFF :004ABAB6 F2 repnz *** (中略) 次の目印までさらーと流す *** :004ABB6C 50 push eax :004ABB6D F3 repz :004ABB6E A4 movsb * Reference To: ADVAPI32.RegOpenKeyExA, Ord:0172h // レジストリOpenAPI | :004ABB6F 8B3508905E00 mov esi, dword ptr [005E9008] :004ABB75 6A01 push 00000001 :004ABB77 8D8DA4FDFFFF lea ecx, dword ptr [ebp+FFFFFDA4] :004ABB7D 6A00 push 00000000 :004ABB7F 51 push ecx :004ABB80 6802000080 push 80000002 :004ABB85 FFD6 call esi :004ABB87 85C0 test eax, eax :004ABB89 0F8574010000 jne 004ABD03 :004ABB8F 8B55EC mov edx, dword ptr [ebp-14] :004ABB92 52 push edx * Reference To: ADVAPI32.RegCloseKey, Ord:015Bh | :004ABB93 FF1504905E00 Call dword ptr [005E9004] :004ABB99 8D45F8 lea eax, dword ptr [ebp-08] :004ABB9C 8D8DA4FDFFFF lea ecx, dword ptr [ebp+FFFFFDA4] :004ABBA2 50 push eax :004ABBA3 6A01 push 00000001 :004ABBA5 6A00 push 00000000 :004ABBA7 51 push ecx :004ABBA8 6802000080 push 80000002 :004ABBAD FFD6 call esi :004ABBAF 85C0 test eax, eax :004ABBB1 0F854C010000 jne 004ABD03 :004ABBB7 B9F86E6900 mov ecx, 00696EF8 :004ABBBC E8DF7E0E00 call 00593AA0 :004ABBC1 B9F86E6900 mov ecx, 00696EF8 :004ABBC6 E865EE0F00 call 005AAA30 * Reference To: ADVAPI32.RegQueryValueExA, Ord:017Bh // ここで↓レジストリから読み込むAPIのアドレスを格納 | :004ABBCB 8B1D00905E00 mov ebx, dword ptr [005E9000] // ebxに注意 :004ABBD1 33F6 xor esi, esi * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004ABCF3(C) | :004ABBD3 8B1540756900 mov edx, dword ptr [00697540] :004ABBD9 A15C5A6800 mov eax, dword ptr [00685A5C] :004ABBDE 52 push edx :004ABBDF 50 push eax :004ABBE0 56 
push esi :004ABBE1 8D4DA4 lea ecx, dword ptr [ebp-5C] * Possible StringData Ref from Data Obj ->"SITEM%d%d%d" // ここでアイテム/スキル名を入れるキー名生成のsprintfフォーマット | :004ABBE4 68342F6100 push 00612F34 :004ABBE9 51 push ecx :004ABBEA C745F401000000 mov [ebp-0C], 00000001 :004ABBF1 C745F020000000 mov [ebp-10], 00000020 :004ABBF8 E80BCB1100 call 005C8708 // c runtime sprintf :004ABBFD B908000000 mov ecx, 00000008 :004ABC02 33C0 xor eax, eax :004ABC04 8D7DC8 lea edi, dword ptr [ebp-38] :004ABC07 83C414 add esp, 00000014 :004ABC0A F3 repz :004ABC0B AB stosd :004ABC0C AA stosb :004ABC0D 8D55F0 lea edx, dword ptr [ebp-10] :004ABC10 8D45C8 lea eax, dword ptr [ebp-38] :004ABC13 52 push edx :004ABC14 8D4DF4 lea ecx, dword ptr [ebp-0C] :004ABC17 50 push eax :004ABC18 8B45F8 mov eax, dword ptr [ebp-08] :004ABC1B 51 push ecx :004ABC1C 8D55A4 lea edx, dword ptr [ebp-5C] :004ABC1F 6A00 push 00000000 :004ABC21 52 push edx :004ABC22 50 push eax :004ABC23 FFD3 call ebx // ここでレジストリから読み込む :004ABC25 8BC8 mov ecx, eax :004ABC27 B8398EE338 mov eax, 38E38E39 // ここから :004ABC2C F7EE imul esi // esi(セット1のF1からの通し番号、つまりセット2のF1は9、セット3のF1は18) :004ABC2E D1FA sar edx, 1 :004ABC30 8BC2 mov eax, edx :004ABC32 33FF xor edi, edi :004ABC34 C1E81F shr eax, 1F :004ABC37 03D0 add edx, eax // ここまではedx=esi/9の最適化されたもの(edxはint扱いで) :004ABC39 85C9 test ecx, ecx :004ABC3B 8815D8706900 mov byte ptr [006970D8], dl // SCPage :004ABC41 7514 jne 004ABC57 :004ABC43 807DC823 cmp byte ptr [ebp-38], 23 :004ABC47 7407 je 004ABC50 :004ABC49 8D4DC8 lea ecx, dword ptr [ebp-38] :004ABC4C 56 push esi // 何番目のショートカットか(F?) 
:004ABC4D 51 push ecx // 得たスキル/アイテム名をpush :004ABC4E EB0D jmp 004ABC5D * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004ABC47(C) | :004ABC50 BF01000000 mov edi, 00000001 :004ABC55 EB10 jmp 004ABC67 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004ABC41(C) | :004ABC57 56 push esi * Possible StringData Ref from Data Obj ->"nothing" // 登録されていないショートカットのスキル名の代わり | :004ABC58 680C036100 push 0061030C * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004ABC4E(U) | :004ABC5D B9F86E6900 mov ecx, 00696EF8 // BaseAddress :004ABC62 E8097F0E00 call 00593B70 // ここで登録(このルーチンの先でSNBaseがわかる) * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004ABC55(U) | :004ABC67 8B1540756900 mov edx, dword ptr [00697540] :004ABC6D B804000000 mov eax, 00000004 :004ABC72 8945F4 mov dword ptr [ebp-0C], eax :004ABC75 8945F0 mov dword ptr [ebp-10], eax :004ABC78 A15C5A6800 mov eax, dword ptr [00685A5C] :004ABC7D 52 push edx :004ABC7E 50 push eax :004ABC7F 56 push esi :004ABC80 8D4DA4 lea ecx, dword ptr [ebp-5C] * Possible StringData Ref from Data Obj ->"S_SKILL_USE_LEVEL%d%d%d" // ここでレベルを入れるキー名生成のsprintfフォーマット | :004ABC83 681C2F6100 push 00612F1C :004ABC88 51 push ecx :004ABC89 E87ACA1100 call 005C8708 // c runtime sprintf :004ABC8E 83C414 add esp, 00000014 :004ABC91 8D55F0 lea edx, dword ptr [ebp-10] :004ABC94 8D45FC lea eax, dword ptr [ebp-04] :004ABC97 8D4DF4 lea ecx, dword ptr [ebp-0C] :004ABC9A 52 push edx :004ABC9B 50 push eax :004ABC9C 8B45F8 mov eax, dword ptr [ebp-08] :004ABC9F 51 push ecx :004ABCA0 8D55A4 lea edx, dword ptr [ebp-5C] :004ABCA3 6A00 push 00000000 :004ABCA5 52 push edx :004ABCA6 50 push eax :004ABCA7 C745FC00000000 mov [ebp-04], 00000000 :004ABCAE FFD3 call ebx // ここでレジストリから読み込む :004ABCB0 85C0 test eax, eax // RegQueryValueExAの戻り値が :004ABCB2 56 push esi :004ABCB3 7510 jne 004ABCC5 // 0(ERROR_SUCCESS)以外ならばキーは存在しなかった。 :004ABCB5 8B4DFC mov ecx, dword ptr [ebp-04] :004ABCB8 51 push ecx // 得たレベルを代入 :004ABCB9 
B9F86E6900 mov ecx, 00696EF8 :004ABCBE E88DED0F00 call 005AAA50 // ここでレベルを登録 :004ABCC3 EB13 jmp 004ABCD8 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004ABCB3(C) | :004ABCC5 6A00 push 00000000 // レジストリが存在しなかったから0を代入 :004ABCC7 B9F86E6900 mov ecx, 00696EF8 // BaseAddress :004ABCCC E87FED0F00 call 005AAA50 // ここでレベルを登録 :004ABCD1 C745FC00000000 mov [ebp-04], 00000000 //////////////////////////////////////////////////////////////////////////////////////// //SNBaseに登録する関数 //処理的に見づらいかもしれない。 //スキルのキーが基本は[BaseAddress+***]と言うところを重点的に見ればOK。 :00593B70 55 push ebp :00593B71 8BEC mov ebp, esp :00593B73 83EC0C sub esp, 0000000C :00593B76 8BD1 mov edx, ecx //この関数にくる前にBaseAddressを入れたのはecx edx=ecxだからedxに注意 :00593B78 33C0 xor eax, eax :00593B7A 53 push ebx :00593B7B 56 push esi :00593B7C 8A82E0010000 mov al, byte ptr [edx+000001E0] // SCPage :00593B82 57 push edi :00593B83 8955F8 mov dword ptr [ebp-08], edx :00593B86 8D0CC0 lea ecx, dword ptr [eax+8*eax] :00593B89 8D44C009 lea eax, dword ptr [eax+8*eax+09] :00593B8D 3BC8 cmp ecx, eax :00593B8F 894DFC mov dword ptr [ebp-04], ecx :00593B92 0F8DAF000000 jnl 00593C47 :00593B98 C1E104 shl ecx, 04 :00593B9B 8D9C11EC010000 lea ebx, dword ptr [ecx+edx+000001EC] // edx!! 
ebxにも注意を払う * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00593C41(C) | :00593BA2 8B5508 mov edx, dword ptr [ebp+08] // stackから得たスキル/アイテム名のアドレスを取り出し :00593BA5 83C9FF or ecx, FFFFFFFF :00593BA8 8BFA mov edi, edx // そのアドレスをediに代入 :00593BAA 33C0 xor eax, eax // eaxを0に :00593BAC F2 repnz // :00593BAD AE scasb // di==alになるまで検索つまりNULLまでカウント(つまり文字数を数える) *** //ここまでで[ecx+edx+00000254]は文字数を入れる変数。 (中略) 次の目印までさらーと流す *** :00593C47 8B7508 mov esi, dword ptr [ebp+08] // stackから得たスキル/アイテム名のアドレスを取り出し :00593C4A 83C9FF or ecx, FFFFFFFF :00593C4D 8BFE mov edi, esi :00593C4F 33C0 xor eax, eax :00593C51 F2 repnz // di==alになるまで検索つまりNULLまでカウント(つまり文字数を数える) :00593C52 AE scasb // :00593C53 F7D1 not ecx :00593C55 49 dec ecx :00593C56 755E jne 00593CB6 // 文字数が0でなければ(1以上なら)00593CB6にジャンプ(でも今回はそっちを無視) :00593C58 8B4D0C mov ecx, dword ptr [ebp+0C] * Possible StringData Ref from Data Obj ->"nothing" | :00593C5B BF0C036100 mov edi, 0061030C // "nothing"は未登録のショートカット スキル/アイテム名が無ければこれを登録 :00593C60 C1E104 shl ecx, 04 :00593C63 6A01 push 00000001 :00593C65 8D9C11E4010000 lea ebx, dword ptr [ecx+edx+000001E4] // edx!! 
dwordだしアドレスぽい :00593C6C 83C9FF or ecx, FFFFFFFF :00593C6F F2 repnz // nothingの文字数をカウント :00593C70 AE scasb // :00593C71 F7D1 not ecx :00593C73 49 dec ecx :00593C74 8BF1 mov esi, ecx :00593C76 8BCB mov ecx, ebx :00593C78 56 push esi :00593C79 897508 mov dword ptr [ebp+08], esi :00593C7C E8FF13E9FF call 00425080 // おそらくメモリー確保 :00593C81 84C0 test al, al :00593C83 0F84D7000000 je 00593D60 :00593C89 8B7B04 mov edi, dword ptr [ebx+04] :00593C8C 8BCE mov ecx, esi :00593C8E 8BD1 mov edx, ecx * Possible StringData Ref from Data Obj ->"nothing" | :00593C90 BE0C036100 mov esi, 0061030C :00593C95 C1E902 shr ecx, 02 :00593C98 F3 repz :00593C99 A5 movsd // ここで指定された分メモリーをコピーしている。 :00593C9A 8BCA mov ecx, edx //つまり[ecx+edx+000001E4]がSNBaseである。 //edxがBaseAddress。ecxは説明を省いているが何番目のショートカットかを表している。 //よってSNBase=edx+1E4=0x00696EF8+1E4=0x006970DC //(補足)00593CB6以降、同様にnothingではなくスキル名のほうをコピーしている。 //////////////////////////////////////////////////////////////////////////////////////// //SLBaseに登録する関数 //こっちは簡単 :005AAA50 55 push ebp :005AAA51 8BEC mov ebp, esp :005AAA53 8B450C mov eax, dword ptr [ebp+0C] :005AAA56 8B5508 mov edx, dword ptr [ebp+08] :005AAA59 89948194030000 mov dword ptr [ecx+4*eax+00000394], edx // ここで登録 :005AAA60 5D pop ebp :005AAA61 C20800 ret 0008 //[ecx+4*eax+00000394] //ecxがBaseAddress、eaxは何番目のショートカットかを表している。 //SLBase=ecx+394=00696EF8+394=0x0069728C //////////////////////////////////////////////////////////////////////////////////////// [[EmotionTable]]------------------------------------------------------------------------ 目印は"Alt + %d" //////////////////////////////////////////////////////////////////////////////////////// // ショートカットリスト表示関数 :00447F0B C7405832000000 mov [eax+58], 00000032 :00447F12 8B0E mov ecx, dword ptr [esi] :00447F14 E82767FFFF call 0043E640 :00447F19 A1C0766900 mov eax, dword ptr [006976C0] // EmotionTable :00447F1E 8B4DEC mov ecx, dword ptr [ebp-14] // カウンター :00447F21 8B440804 mov eax, dword ptr [eax+ecx+04] :00447F25 85C0 test eax, eax :00447F27 7505 
jne 00447F2E :00447F29 B810985E00 mov eax, 005E9810 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00447F27(C) | :00447F2E 8B0E mov ecx, dword ptr [esi] :00447F30 50 push eax :00447F31 8B11 mov edx, dword ptr [ecx] :00447F33 FF9298000000 call dword ptr [edx+00000098] :00447F39 8B06 mov eax, dword ptr [esi] :00447F3B 8BCB mov ecx, ebx :00447F3D 50 push eax :00447F3E E8BDE80500 call 004A6800 :00447F43 8B4DE8 mov ecx, dword ptr [ebp-18] :00447F46 8D5594 lea edx, dword ptr [ebp-6C] :00447F49 8D4101 lea eax, dword ptr [ecx+01] :00447F4C 50 push eax * Possible StringData Ref from Data Obj ->"Alt + %d"// ショートカットリストの左側に表示される | :00447F4D 6898F36000 push 0060F398 :00447F52 52 push edx :00447F53 8945E8 mov dword ptr [ebp-18], eax :00447F56 E8AD071800 call 005C8708 :00447F5B 6890000000 push 00000090 :00447F60 E8D6061800 call 005C863B :00447F65 83C410 add esp, 00000010 :00447F68 8945E4 mov dword ptr [ebp-1C], eax :00447F6B 85C0 test eax, eax :00447F6D C745FC01000000 mov [ebp-04], 00000001 :00447F74 7409 je 00447F7F :00447F76 8BC8 mov ecx, eax :00447F78 E86320FFFF call 00439FE0 :00447F7D EB02 jmp 00447F81 //////////////////////////////////////////////////////////////////////////////////////// [[CharIPAddress]]----------------------------------------------------------------------- 目印は"%d.%d.%d.%d" //////////////////////////////////////////////////////////////////////////////////////// :00541645 8D45E4 lea eax, dword ptr [ebp-1C] * Possible StringData Ref from Data Obj ->"%d.%d.%d.%d" | :00541648 683CD96100 push 0061D93C :0054164D 50 push eax * Reference To: USER32.wsprintfA, Ord:02ACh | :0054164E FF1540935E00 Call dword ptr [005E9340] :00541654 8B8BA4010000 mov ecx, dword ptr [ebx+000001A4] :0054165A 8D75E4 lea esi, dword ptr [ebp-1C] :0054165D C1E105 shl ecx, 05 :00541660 BFC02C6900 mov edi, 00692CC0 // CharIPAddress :00541665 83C418 add esp, 00000018 :00541668 0FBF9419B4010000 movsx edx, word ptr [ecx+ebx+000001B4] :00541670 B905000000 mov ecx, 00000005 
:00541675 8955F4 mov dword ptr [ebp-0C], edx :00541678 F3 repz :00541679 A5 movsd :0054167A 8B83A4010000 mov eax, dword ptr [ebx+000001A4] :00541680 83C9FF or ecx, FFFFFFFF :00541683 C1E005 shl eax, 05 :00541686 8DB418B6010000 lea esi, dword ptr [eax+ebx+000001B6] :0054168D 33C0 xor eax, eax :0054168F 8BFE mov edi, esi :00541691 F2 repnz :00541692 AE scasb //////////////////////////////////////////////////////////////////////////////////////// [[ZoneIPAddress/MapName]]--------------------------------------------------------------- 目印は"ip:%s"と"map:%s.gat" //////////////////////////////////////////////////////////////////////////////////////// :00542821 50 push eax * Possible StringData Ref from Data Obj ->"server:%s" | :00542822 689CD16100 push 0061D19C :00542827 56 push esi :00542828 E88B7B0800 call 005CA3B8 :0054282D 83C40C add esp, 0000000C :00542830 68D82C6900 push 00692CD8 // ZoneIPAddress * Possible StringData Ref from Data Obj ->"ip:%s" | :00542835 6894D16100 push 0061D194 :0054283A 56 push esi :0054283B E8787B0800 call 005CA3B8 :00542840 83C40C add esp, 0000000C :00542843 6804746900 push 00697404 // MapName * Possible StringData Ref from Data Obj ->"map:%s.gat" | :00542848 6888D16100 push 0061D188 :0054284D 56 push esi :0054284E E8657B0800 call 005CA3B8 //////////////////////////////////////////////////////////////////////////////////////// [[MapNameRsw]]-------------------------------------------------------------------------- 目印は"login.rsw" //////////////////////////////////////////////////////////////////////////////////////// * Possible StringData Ref from Data Obj ->"login.rsw" | :005B96E2 68A0D06100 push 0061D0A0 :005B96E7 6A00 push 00000000 :005B96E9 B9705A6800 mov ecx, 00685A70 // MapNameRsw=00685A70+0x8 :005B96EE E8ED39F1FF call 004CD0E0 //////////////////////////////////////////////////////////////////////////////////////// [[AID]]--------------------------------------------------------------------------------- 目印は"p->AID(%d) playerAid(%d)" 
//////////////////////////////////////////////////////////////////////////////////////// * Possible StringData Ref from Data Obj ->"PACKET_ZC_RESURRECTION" | :00536308 68A4D56100 push 0061D5A4 :0053630D E8DEFDECFF call 004060F0 :00536312 8B5D08 mov ebx, dword ptr [ebp+08] :00536315 A1D87B6900 mov eax, dword ptr [00697BD8] // AID :0053631A 83C404 add esp, 00000004 :0053631D 8B4B02 mov ecx, dword ptr [ebx+02] :00536320 50 push eax :00536321 51 push ecx * Possible StringData Ref from Data Obj ->"p->AID(%d) playerAid(%d)" | :00536322 6888D56100 push 0061D588 :00536327 E8C4FDECFF call 004060F0 //////////////////////////////////////////////////////////////////////////////////////// [[ZoneBIPAddress]]---------------------------------------------------------------------- 目印はconnectAPI //////////////////////////////////////////////////////////////////////////////////////// * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00418CB1(C) | :00418CCB 8D7E10 lea edi, dword ptr [esi+10] // ここでediに代入 さらにさかのぼってesiを検索 :00418CCE 33D2 xor edx, edx :00418CD0 8BC7 mov eax, edi :00418CD2 8B4D08 mov ecx, dword ptr [ebp+08] :00418CD5 51 push ecx :00418CD6 8910 mov dword ptr [eax], edx :00418CD8 895004 mov dword ptr [eax+04], edx :00418CDB 895008 mov dword ptr [eax+08], edx :00418CDE 89500C mov dword ptr [eax+0C], edx * Reference To: WS2_32.inet_addr, Ord:000Bh | :00418CE1 E8CA101A00 Call 005B9DB0 :00418CE6 8B550C mov edx, dword ptr [ebp+0C] :00418CE9 894614 mov dword ptr [esi+14], eax :00418CEC 52 push edx :00418CED 66C7070200 mov word ptr [edi], 0002 // AF_INET :00418CF2 E873041B00 call 005C916A :00418CF7 83C404 add esp, 00000004 :00418CFA 50 push eax * Reference To: WS2_32.htons, Ord:0009h | :00418CFB E8AA101A00 Call 005B9DAA :00418D00 66894612 mov word ptr [esi+12], ax :00418D04 8B460C mov eax, dword ptr [esi+0C] :00418D07 6A10 push 00000010 :00418D09 57 push edi // sockaddr構造体のポインタ つまり ZoneBIPAddress :00418D0A 50 push eax * Reference To: WS2_32.connect, Ord:0004h | 
:00418D0B E894101A00 Call 005B9DA4 ***** esiを検索しながらさかのぼる ***** * Referenced by a CALL at Address: |:005B9361 | :00418C30 55 push ebp :00418C31 8BEC mov ebp, esp :00418C33 83EC1C sub esp, 0000001C :00418C36 53 push ebx :00418C37 56 push esi :00418C38 8BF1 mov esi, ecx // 発見 ecxから代入されているようだ。ecxはスコープ外 :00418C3A 57 push edi :00418C3B 8B06 mov eax, dword ptr [esi] :00418C3D FF5008 call [eax+08] ***** 呼び出し元である005B9361へジャンプ ***** * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:005B9349(U) | :005B9350 85C0 test eax, eax :005B9352 7524 jne 005B9378 :005B9354 8D45F8 lea eax, dword ptr [ebp-08] :005B9357 8D4DD4 lea ecx, dword ptr [ebp-2C] :005B935A 50 push eax :005B935B 51 push ecx :005B935C B9F01A6300 mov ecx, 00631AF0 // ecx発見(NetBaseAddress) :005B9361 E8CAF8E5FF call 00418C30 // 呼び出し元 // つまりZoneBIPAddress=00631AF0+10=0x00631B00 // なぜ+10なのかは00418CCBに注目 //////////////////////////////////////////////////////////////////////////////////////// [[WS2_32Recv]]-------------------------------------------------------------------------- 目印は"recv" //////////////////////////////////////////////////////////////////////////////////////// * Possible StringData Ref from Data Obj ->"recv" | :00418BB1 68CCD96000 push 0060D9CC :00418BB6 50 push eax :00418BB7 FFD6 call esi * Reference To: USER32.MessageBoxA, Ord:01BEh | :00418BB9 8B3598925E00 mov esi, dword ptr [005E9298] :00418BBF A350196300 mov dword ptr [00631950], eax // WS2_32Recv :00418BC4 A154196300 mov eax, dword ptr [00631954] //////////////////////////////////////////////////////////////////////////////////////// [[PETID/PetFullness/PetRelation/PetSpriteType]]----------------------------------------- 目印は"levelup.wav" これはペットがレベルアップ時にパフォーマンスすることから 残りのペット関連のアドレスは差分で求めメモリで確認を取った方が楽 PetModified PETID=PetModified+0x4 PetName=PetModified+0x8 (char[0x20]) PetAccessory=PetModified+0x28 or PetSpriteType-0x4 PetSpriteType PetLv=PetSpriteType+0x4 PetFullness PetRelation 
//////////////////////////////////////////////////////////////////////////////////////// * Possible StringData Ref from Data Obj ->"levelup.wav" | :0052D08B 6884D26100 push 0061D284 :0052D090 E86B86F0FF call 00435700 :0052D095 83C41C add esp, 0000001C :0052D098 C745F400000000 mov [ebp-0C], 00000000 :0052D09F 8B45F4 mov eax, dword ptr [ebp-0C] :0052D0A2 C745F800000000 mov [ebp-08], 00000000 :0052D0A9 6A00 push 00000000 :0052D0AB 8B4DF8 mov ecx, dword ptr [ebp-08] :0052D0AE 83EC0C sub esp, 0000000C :0052D0B1 C745FC00000000 mov [ebp-04], 00000000 :0052D0B8 8BD4 mov edx, esp :0052D0BA 6851010000 push 00000151 :0052D0BF 8902 mov dword ptr [edx], eax :0052D0C1 8B45FC mov eax, dword ptr [ebp-04] :0052D0C4 894A04 mov dword ptr [edx+04], ecx :0052D0C7 8B8FB4000000 mov ecx, dword ptr [edi+000000B4] :0052D0CD 8B493C mov ecx, dword ptr [ecx+3C] :0052D0D0 894208 mov dword ptr [edx+08], eax :0052D0D3 E8B860FDFF call 00503190 :0052D0D8 6A15 push 00000015 :0052D0DA B928B06400 mov ecx, 0064B028 :0052D0DF E86C16F8FF call 004AE750 :0052D0E4 8B15CC766900 mov edx, dword ptr [006976CC] // PetModified :0052D0EA 8B8FB4000000 mov ecx, dword ptr [edi+000000B4] :0052D0F0 52 push edx :0052D0F1 E8CA8DF9FF call 004C5EC0 :0052D0F6 85C0 test eax, eax :0052D0F8 0F849D050000 je 0052D69B :0052D0FE A100776900 mov eax, dword ptr [00697700] // PetFullness :0052D103 B9F86E6900 mov ecx, 00696EF8 :0052D108 50 push eax :0052D109 E8523A0800 call 005B0B60 :0052D10E 8B0D04776900 mov ecx, dword ptr [00697704] // PetRelation :0052D114 8BF0 mov esi, eax :0052D116 51 push ecx :0052D117 B9F86E6900 mov ecx, 00696EF8 :0052D11C E89F3A0800 call 005B0BC0 :0052D121 8B15F8766900 mov edx, dword ptr [006976F8] // PetSpriteType :0052D127 56 push esi :0052D128 6A06 push 00000006 :0052D12A 52 push edx :0052D12B B9F86E6900 mov ecx, 00696EF8 :0052D130 8BD8 mov ebx, eax :0052D132 E8C93E0800 call 005B1000 //////////////////////////////////////////////////////////////////////////////////////// 
[[Packetlength]]------------------------------------------------------------------------ Packetlengthは説明が複雑になるのでパス Packetlength=NetBaseAddress+0x80と差分で判断。もちろんメモリで確認すること。 (※NetBaseAddressに関してはZoneBIPAddressの項を参照のこと) # いくつかパケットを検索して、ある種独特の2分木登録ルーチンをさかのぼることで調べることが出来る # このVerなら00419400から始まるルーチン //////////////////////////////////////////////////////////////////////////////////////// [EOF]