jdLite Goz 逆向+IDA伪代码+追踪+飞车

jiaochuan · 发表于 2020-4-29 22:30:09

本帖最后由 jiaochuan 于 2020-4-29 22:53 编辑

一个菜B项目天天装13装nm呢？

120秒逆向垃圾代码看的脑壳疼

垃圾追踪

Hook点

jdLite-Win64-Shipping.exe+0x1A808B4

ShellCode

.text:0000000000011090 sub_11090    proc near             ; DATA XREF: sub_2110+3B3↑o
.text:0000000000011090
.text:0000000000011090 arg_60       = qword ptr  68h
.text:0000000000011090
.text:0000000000011090                cmp    cs:byte_6DDFF, 0
.text:0000000000011097                jz    short loc_110BA
.text:0000000000011099                push rdx
.text:000000000001109A                push rcx
.text:000000000001109B                mov    rcx, rax       ; //（敌 - 我坐标） / 1000.f 带瞬击
.text:000000000001109E                mov    edx, cs:追踪X
.text:00000000000110A4                mov    [rcx], edx
.text:00000000000110A6                mov    edx, cs:追踪Y
.text:00000000000110AC                mov    [rcx+4], edx
.text:00000000000110AF                mov    edx, cs:追踪Z
.text:00000000000110B5                mov    [rcx+8], edx
.text:00000000000110B8                pop    rcx
.text:00000000000110B9                pop    rdx
.text:00000000000110BA
.text:00000000000110BA loc_110BA:                            ; CODE XREF: sub_11090+7↑j
.text:00000000000110BA                movsd xmm0, qword ptr [rax]
.text:00000000000110BE                mov    eax, [rax+8]
.text:00000000000110C1                movaps  xmm6, xmm0
.text:00000000000110C4                movsd [rsp+arg_60], xmm0
.text:00000000000110CA                movss xmm7, dword ptr [rsp+arg_60]
.text:00000000000110D0                jmp    cs:qword_5DDD8
.text:00000000000110D0 sub_11090    endp

逼佬使用的垃圾飞车

代码直接贴出来

偏移量

uint64_t offset_vehicle_mesh = 0x04D8;
      uint64_t offset_set_all_physics_linear_velocify = 0x5B0;
      uint64_t offset_set_all_physics_angular_velocify = 0x708;
      uint64_t offset_set_enable_gravity = 0x738;
      uint64_t offset_set_aactor_enable_collision = 0x4BC430;

void FlyCar(uint64_t pawn, FVector local_rotation, int FlyCarType)
{
      auto VehicleMesh = Read<uint64_t>(pawn + offset_vehicle_mesh);

      if (!(VehicleMesh > 0xFFFFF && VehicleMesh < 0xFFFFFFFFFFF))
            return;

      uint64_t p_VehicleMesh = Read<uint64_t>(VehicleMesh);

      typedef void(__fastcall *SetAllPhysicsLinearVelocity_t)(int64_t mesh, struct FVector NewVel, bool bAddToCurrent);
      SetAllPhysicsLinearVelocity_t pSetAllPhysicsLinearVelocity = reinterpret_cast<SetAllPhysicsLinearVelocity_t>(Read<int64_t>(Read<int64_t>(VehicleMesh) + offset_set_all_physics_linear_velocify));

      typedef void(__fastcall *SetAllPhysicsAngularVelocity_t)(int64_t mesh, struct FVector NewVel, bool bAddToCurrent);
      SetAllPhysicsAngularVelocity_t pSetAllPhysicsAngularVelocity = reinterpret_cast<SetAllPhysicsAngularVelocity_t>(Read<int64_t>(Read<int64_t>(VehicleMesh) + offset_set_all_physics_angular_velocify));

      typedef void(__fastcall *SetActorEnableCollision_t)(int64_t aactor, bool bNewActorEnableCollision);
      SetActorEnableCollision_t pSetActorEnableCollision = reinterpret_cast<SetActorEnableCollision_t>(_base + offset_set_aactor_enable_collision);

      typedef void(__fastcall *SetEnableGravity_t)(int64_t mesh, bool bGravityEnabled);
      SetEnableGravity_t pSetEnableGravity = reinterpret_cast<SetEnableGravity_t>(Read<int64_t>(Read<int64_t>(VehicleMesh) + offset_set_enable_gravity));

      if (FlyCarType >= 2) {
            pSetEnableGravity(VehicleMesh, false); // Closing gravity
      }
      else {
            pSetEnableGravity(VehicleMesh, true);  // Start-up gravity

      }

      if (FlyCarType == 3) {
            pSetActorEnableCollision(pawn, false); // Ignore the wall
      }
      else {
            pSetActorEnableCollision(pawn, true);  // wall
      }

      if (FlyCarType == 0) return;

      int speed = 60 * 2; //spped
      float coeff = (60.f * 60.f) * speed * 0.01f;  // Here control speed 60 * 60 fixed modification 10.f

      if (GetAsyncKeyState2(VK_SHIFT))
      {
            coeff *= 2;
      }

      bool bKp = false;
      pSetAllPhysicsAngularVelocity(VehicleMesh, { 0.f, 0.f, 0.f }, false);
      pSetAllPhysicsLinearVelocity(VehicleMesh, { 0.f, 0.f, 0.f }, false);

      if (/* Q */ GetAsyncKeyState2(0x51)) {
            pSetAllPhysicsLinearVelocity(VehicleMesh, { 0.f, 0.f, coeff / 4 }, true);  // Rising speed can be modified by itself
            bKp = true;
      }
      if (/* E */ GetAsyncKeyState2(0x45)) {
            pSetAllPhysicsLinearVelocity(VehicleMesh, { 0.f, 0.f, -(coeff / 4) }, true);  // Decline can be modified by itself
            bKp = true;
      }

      if (/* W */ GetAsyncKeyState2(0x57)) {
            FVector vel;
            auto yaw = local_rotation.Y;
            float theta = 2.f * PI * (yaw / 360.f);

            vel.X = (coeff * cosf(theta));
            vel.Y = (coeff * sinf(theta));

            pSetAllPhysicsLinearVelocity(VehicleMesh, vel, true);
            bKp = true;
      }
      if (/* S */ GetAsyncKeyState2(0x53)) {
            FVector vel;
            auto yaw = local_rotation.Y;
            float theta = 2.f * PI * (yaw / 360.f);

            vel.X = -(coeff * cosf(theta));
            vel.Y = -(coeff * sinf(theta));
            pSetAllPhysicsLinearVelocity(VehicleMesh, { vel }, true);
            bKp = true;
      }
      if (/* A */ GetAsyncKeyState2(0x41)) {
            pSetAllPhysicsAngularVelocity(VehicleMesh, { 0.f, 0.f, -60.f }, true);  // Left turn speed - 20 self-modifying
            bKp = true;
      }
      if (/* D */ GetAsyncKeyState2(0x44)) {
            pSetAllPhysicsAngularVelocity(VehicleMesh, { 0.f, 0.f, 60.f }, true); // Right Turn Speed 20 Self-modifying
            bKp = true;
      }

      if (!bKp || GetAsyncKeyState2(VK_SPACE))
      {
            pSetAllPhysicsLinearVelocity(VehicleMesh, { 0.f, 0.f, 0.f }, false);
      }
}

美图欣赏

这里是追踪HOOK：