【反汇编练习】《破天一剑》服务端:BOSS篇【2】(火刀)
该文章迁移自作者的旧博客站点。
源地址:http://fenying.blog.163.com/blog/static/102055993201542575410843/。
一次逆向练手记录。
火刀的源代码已经大概复原。先看看汇编代码,
; boss_call_huodao -- spawns the Huodao (fire-blade) boss encounter.
; Walks a static spawn table and places each entry (skeleton minions first,
; then Huodao itself) into consecutive monster slots starting at
; MON_HASH_CODE_HUODAO_S_KULOU.
;
; 32-bit x86, IDA/MASM syntax (listing recovered from the server binary).
; Every callee is cdecl: arguments are pushed right-to-left and popped by
; this caller (add esp, ...). No arguments; the return value is not used by
; the caller as far as this listing shows.
;
; Register roles inside the loop:
;   edi = monster slot index being filled (advanced only after a successful spawn)
;   ebp = base of a per-slot record, stride 725h (plain register here, not a frame pointer)
;   ebx = cursor into the spawn table; 12-byte entries: [ebx-8] = id, [ebx-4] and [ebx] = coordinates
;   esi = Monster_Info* returned by monster_get_info_by_id (0 when the id is unknown)
;
; NOTE(review): the loop end is the address of the next data symbol
; (BOSS_TIME_CHUAN), not an entry count -- relocating either table silently
; changes how many entries are processed.
boss_call_huodao proc near ; CODE XREF: boss_caller+D3p
; var1 lives at E-4 (E = address of the return address): it is the dword the
; entry `push ecx` writes, i.e. that push reserves a 4-byte local rather than
; saving a caller register. IDA's esp-tracked form is [esp+18h+var1].
var1 = byte ptr -4
push ecx ; reserves the 4-byte local var1 (see above)
push ebx
push ebp
push esi
push edi
mov edi, MON_HASH_CODE_HUODAO_S_KULOU ; first slot; spawning Huodao first spawns a batch of skeleton minions
mov ebp, 3B9D59Fh ; per-slot record base for that first slot (advanced by 725h per spawned monster)
mov ebx, 674B78h ; spawn table: minion and Huodao ids plus coordinates, 12 bytes per entry
on_creating_monster: ; CODE XREF: boss_call_huodao+9Fj
mov eax, [ebx-8] ; eax = monster id of this table entry
push eax ; arg 1: monster id
mov dword ptr [esp+18h+var1], eax ; stash the id in the local var1 -- eax is clobbered by the call's return value
call monster_get_info_by_id
mov esi, eax ; esi = Monster_Info* (0 when the lookup failed)
mov eax, dword ptr [esp+18h+var1] ; reload the monster id from var1
add esp, 4 ; cdecl: pop the single argument
test esi, esi
jnz short on_found_monster
; Lookup failed: log and skip this entry. edi and ebp are NOT advanced on
; this path, so the next table entry is placed into the same slot.
push eax ; Monster id
push offset aMonsterPutEr_5 ; "Monster put error #1 : %d"
call log_write
add esp, 8 ; cdecl: pop the two log_write arguments
jmp short loc_41A116
; ---------------------------------------------------------------------------
on_found_monster: ; CODE XREF: boss_call_huodao+2Cj
; monster_call(edi, id, info->unknown10, 2, 0, 2, info->moveSpeed, 0)
; 8 dword arguments = 20h bytes; popped together with the later calls at add esp, 40h.
mov ecx, [esi+Monster_Info.moveSpeed]
mov edx, [esi+Monster_Info.unknown10]
push 0
push ecx ; moveSpeed
push 2
push 0
push 2
push edx ; unknown10
push eax ; monster id
push edi ; slot index
call monster_call
; If the server was patched with the "GS modifier tool 7.3" option that
; disables the skeleton-minion spawns, the call above is replaced by
;   jmp 004ca900h
; into a code cave IDA does not recognise; its real contents are:
;   004ca900 cmp eax, 18h ; 18h = Huodao's monster id (24)
;   004ca903 je 004ca90ah
;   004ca905 jmp loc_41A0D5
;   004ca90a call monster_call
;   004ca90f jmp loc_41A0D5
; i.e. only the entry whose id is 24 is actually spawned. The 8 arguments are
; still pushed and the add esp, 40h below still balances the stack -- only the
; call is skipped. Note that monster_pos_set and monster_set_basic_info below
; still run on slot edi for the skipped minion entries, and edi still advances.
loc_41A0D5:
; monster_pos_set(edi, [ebx-4], [ebx]) -- 3 dword arguments = 0Ch bytes
mov ecx, [ebx]
mov edx, [ebx-4]
push ecx
push edx
push edi
call monster_pos_set
; monster_set_basic_info(edi, info->hp, info->defense, info->unknown14, 0)
; 5 dword arguments = 14h bytes
mov eax, [esi+Monster_Info.unknown14]
mov ecx, [esi+Monster_Info.defense]
mov edx, [esi+Monster_Info.hp]
push 0
push eax ; unknown14
push ecx ; defense
push edx ; hp
push edi ; slot index
call monster_set_basic_info
add esp, 40h ; pop all three cdecl argument lists at once: 20h + 0Ch + 14h
; Clear three fields of the per-slot record at ebp. Their meaning was not
; recovered in this write-up -- TODO identify the structure behind ebp.
mov byte ptr [ebp-496h], 0
mov byte ptr [ebp+0], 0
mov word ptr [ebp-48Dh], 0
add edi, 1 ; next monster slot
add ebp, 725h ; next per-slot record
loc_41A116: ; CODE XREF: boss_call_huodao+3Cj
add ebx, 0Ch ; next 12-byte table entry
; Signed compare on two addresses; correct only while both stay below
; 80000000h (they do for this image). jb would be the conventional choice.
cmp ebx, BOSS_TIME_CHUAN
jl on_creating_monster
pop edi
pop esi
pop ebp
mov dword ptr ds:8210430h, 0 ; clears a global flag/counter; purpose not recovered here -- TODO confirm
pop ebx
pop ecx ; frees var1: ecx leaves holding the last id stored there, not the caller's ecx
retn
boss_call_huodao endp