A bug-riddled foreign game: WW3

Published 2019-01-06, 179 views


Last October I played a game called WW3, and it really opened my eyes.

FakePlayerName: because the game sends the local SteamID to the game server when joining, the ID can be forged. While reversing I also found that the rank leaderboard can be manipulated directly. Emm, a bit too real.
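The flaw above is that the server takes its idea of who the player is from a field the client fills in. As an added example that is not part of the original post, the following C++ sketch shows the server-side fix: bind identity to the session authenticated during the handshake, treat the packet's SteamID field as untrusted input, and log any disagreement as a spoofing indicator. The JoinPacket and Session types, the session table and the numeric IDs are all constructed for this example; the handshake that populates the table (ticket validation against the platform backend) is assumed, not shown.

```cpp
#include <cstdint>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// Constructed stand-in for the join packet: the client fills in
// claimed_steam_id itself, so the server must treat it as untrusted input.
struct JoinPacket {
    uint32_t connection_id;
    uint64_t claimed_steam_id;
    std::string display_name;
};

// Identity the server established at connect time (for example by validating
// an auth ticket with the platform backend). Hypothetical type for this example.
struct Session {
    uint64_t authenticated_steam_id;
};

// Sessions are keyed by connection id and filled by the handshake, never by
// a packet the client can edit.
using SessionTable = std::map<uint32_t, Session>;

enum class JoinResult { Accepted, RejectedNoSession, RejectedIdMismatch };

struct JoinOutcome {
    JoinResult result;
    uint64_t effective_steam_id;  // identity the server will actually use (0 if none)
};

// Authoritative join handler: identity comes from the session table; the
// packet's own id field is only compared against it to produce a detection signal.
JoinOutcome handle_join(const SessionTable& sessions, const JoinPacket& pkt,
                        std::vector<std::string>& audit_log) {
    auto it = sessions.find(pkt.connection_id);
    if (it == sessions.end()) {
        audit_log.push_back("reject: no authenticated session for connection " +
                            std::to_string(pkt.connection_id));
        return {JoinResult::RejectedNoSession, 0};
    }
    const uint64_t trusted = it->second.authenticated_steam_id;
    if (pkt.claimed_steam_id != trusted) {
        // Only a modified client can make this field disagree with the
        // handshake, so a mismatch is worth logging as a spoofing indicator.
        audit_log.push_back("reject: connection " + std::to_string(pkt.connection_id) +
                            " claimed steamid " + std::to_string(pkt.claimed_steam_id) +
                            " but authenticated as " + std::to_string(trusted));
        return {JoinResult::RejectedIdMismatch, trusted};
    }
    audit_log.push_back("accept: connection " + std::to_string(pkt.connection_id) +
                        " as steamid " + std::to_string(trusted));
    return {JoinResult::Accepted, trusted};
}

// Constructed session table: two connections authenticated during the handshake
// (the ids 1001 and 1002 are sample values, not real SteamIDs).
SessionTable constructed_sessions() {
    return {{1, Session{1001}}, {2, Session{1002}}};
}

// Runs one join packet against the constructed table.
JoinOutcome run_join(uint32_t connection_id, uint64_t claimed_steam_id) {
    std::vector<std::string> audit_log;
    return handle_join(constructed_sessions(),
                       JoinPacket{connection_id, claimed_steam_id, "player"}, audit_log);
}

int main() {
    std::vector<std::string> audit_log;
    SessionTable sessions = constructed_sessions();
    handle_join(sessions, JoinPacket{1, 1001, "alice"}, audit_log);    // honest client
    handle_join(sessions, JoinPacket{2, 1001, "mallory"}, audit_log);  // claims alice's id
    handle_join(sessions, JoinPacket{9, 1001, "nobody"}, audit_log);   // never authenticated
    for (const auto& line : audit_log) std::cout << line << '\n';
    return 0;
}
```

The display name is handled the same way: whatever the client sends is cosmetic, and anything the leaderboard or rank system records is keyed by the session's authenticated id, never by a packet field.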

//Hide the name
Location 1
Signature: 48 8D 4C 24 30 C7 44 24 28 80 00 00 00 48 89 4C 24 20 48 83 CB FF B9 E9 FD 00 00 44 8B CB 4C 8B C0 33 D2
WW3-Win64-Shipping.exe+380DE9 - 48 8B 48 10 - mov rcx,[rax+10]
WW3-Win64-Shipping.exe+380DED - 48 8B 01 - mov rax,[rcx] (nop this instruction to get a random STEAMID)
WW3-Win64-Shipping.exe+380DF0 - FF 50 38 - call qword ptr [rax+38]
WW3-Win64-Shipping.exe+380DF3 - 48 8D 4C 24 30 - lea rcx,[rsp+30]
WW3-Win64-Shipping.exe+380DF8 - C7 44 24 28 80000000 - mov [rsp+28],00000080 { 128 }
WW3-Win64-Shipping.exe+380E00 - 48 89 4C 24 20 - mov [rsp+20],rcx
WW3-Win64-Shipping.exe+380E05 - 48 83 CB FF - or rbx,-01 { 255 }
WW3-Win64-Shipping.exe+380E09 - B9 E9FD0000 - mov ecx,0000FDE9 { 65001 }
WW3-Win64-Shipping.exe+380E0E - 44 8B CB - mov r9d,ebx
WW3-Win64-Shipping.exe+380E11 - 4C 8B C0 - mov r8,rax
WW3-Win64-Shipping.exe+380E14 - 33 D2 - xor edx,edx

CameraHack, basic and advanced use:

This works because the server does not verify that the camera position and muzzle coordinates it receives are actually the current camera's coordinates.

Through-wall trajectory: hook the packet
//Signature of the caller above the hook point (the trajectory calculation)
F2 0F 11 44 24 30 F3 0F 2D C6 D1 F8 44 0F B7 C0 F3 0F 2D C7 41 C1 E0 10 D1 F8 0F B7 C8 44 0B C1
//Hook point signature
WW3-Win64-Shipping.exe+190528B - 48 8B 19 - mov rbx,[rcx]
WW3-Win64-Shipping.exe+190528E - F2 0F11 44 24 20 - movsd [rsp+20],xmm0
WW3-Win64-Shipping.exe+1905294 - 89 44 24 28 - mov [rsp+28],eax
WW3-Win64-Shipping.exe+1905298 - 44 89 44 24 2C - mov [rsp+2C],r8d
WW3-Win64-Shipping.exe+190529D - E8 5EF1F2FE - call WW3-Win64-Shipping.exe+834400 (the hijack happens inside this call: the camera position sent to the server is changed to the enemy's head)

The calculation is also very simple:

//Compute the trajectory sent to the server here
#include <windows.h>   // ULONG32
#include <d3dx9.h>     // D3DXVECTOR3
// Packs two rotation axes into one 32-bit value; 182.04445 = 65536 / 360
ULONG32 CalcAimRot(D3DXVECTOR3 dec3) {
    float y = (dec3.y) * 182.04445; // v4
    float x = (dec3.x) * 182.04445; // v5
    // convert each scaled axis to an integer and keep its low 16 bits: x in the low half, y in the high half
    return ((unsigned __int16)((signed int)(float)((float)(x * 2.0) + 0.5) >> 1)
          | ((unsigned int)(unsigned __int16)((signed int)(float)((float)(y * 2.0) + 0.5) >> 1) << 16));
}

About the camera:
POS is the camera position
ROT is the direction the camera is looking
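To make the packet format concrete, here is an added example (not code from the post) that reimplements the rotation packing above on a plain vector type, adds the inverse, and shows the server-side plausibility check the post says is missing: the reported camera/muzzle origin must lie within reach of the pawn position the server itself simulates. The 182.04445 factor is 65536/360, which matches Unreal Engine's 16-bit rotator compression (FRotator::CompressAxisToShort); the Vec3 type, the max_reach threshold and the sample coordinates are assumptions made for this example.

```cpp
#include <cmath>
#include <cstdint>

// Plain vector type standing in for the D3DXVECTOR3 used on the page.
struct Vec3 { float x, y, z; };

// 65536 / 360: one full turn maps onto 16 bits (the 182.04445 constant on the page).
constexpr float kUnitsPerDegree = 65536.0f / 360.0f;

// Compress one angle (degrees) to 16 bits, rounding to the nearest unit and
// wrapping so that -90 and 270 encode to the same value.
uint16_t compress_axis(float degrees) {
    return static_cast<uint16_t>(std::lround(degrees * kUnitsPerDegree) & 0xFFFF);
}

// Inverse: 16-bit unit back to degrees in [0, 360).
float decompress_axis(uint16_t units) {
    return static_cast<float>(units) * (360.0f / 65536.0f);
}

// Same layout as the page's CalcAimRot: x axis in the low half, y axis in the high half.
uint32_t pack_rotation(const Vec3& rot_deg) {
    return static_cast<uint32_t>(compress_axis(rot_deg.x)) |
           (static_cast<uint32_t>(compress_axis(rot_deg.y)) << 16);
}

Vec3 unpack_rotation(uint32_t packed) {
    return {decompress_axis(static_cast<uint16_t>(packed & 0xFFFF)),
            decompress_axis(static_cast<uint16_t>(packed >> 16)), 0.0f};
}

// Largest round-trip error the quantization introduces, in degrees: half a unit.
float max_quantization_error_deg() { return 0.5f * (360.0f / 65536.0f); }

// Server-side plausibility check for the client-reported shot origin (camera
// or muzzle position): it must lie within max_reach of the pawn position the
// server simulates. max_reach is a hypothetical threshold; a real game would
// derive it from the character's camera/muzzle offsets plus some latency slack.
bool shot_origin_plausible(const Vec3& server_pawn_pos, const Vec3& reported_origin, float max_reach) {
    const float dx = reported_origin.x - server_pawn_pos.x;
    const float dy = reported_origin.y - server_pawn_pos.y;
    const float dz = reported_origin.z - server_pawn_pos.z;
    // squared distance avoids the sqrt on a per-shot hot path
    return dx * dx + dy * dy + dz * dz <= max_reach * max_reach;
}
```

A server that applies shot_origin_plausible to every fire packet (and falls back to its own pawn position when the check fails) removes the through-wall variant outright: the client can still send any origin it likes, but a trajectory starting above an enemy's head is rejected before it is traced.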

Bullets through walls
Camera cheat
WW3-Win64-Shipping.exe+168590B - 8B 44 24 38 - mov eax,[rsp+38]
WW3-Win64-Shipping.exe+168590F - 89 8F 90030000 - mov [rdi+00000390],ecx
WW3-Win64-Shipping.exe+1685915 - 48 8D 8F E0030000 - lea rcx,[rdi+000003E0]
WW3-Win64-Shipping.exe+168591C - 83 A7 CC030000 FC - and dword ptr [rdi+000003CC],-04 { 252 }
WW3-Win64-Shipping.exe+1685923 - F2 0F11 87 A0030000 - movsd [rdi+000003A0],xmm0
WW3-Win64-Shipping.exe+168592B - F2 0F10 44 24 3C - movsd xmm0,[rsp+3C]
WW3-Win64-Shipping.exe+1685931 - F2 0F11 87 AC030000 - movsd [rdi+000003AC],xmm0
WW3-Win64-Shipping.exe+1685939 - 0F10 44 24 48 - movups xmm0,[rsp+48]
WW3-Win64-Shipping.exe+168593E - 89 87 A8030000 - mov [rdi+000003A8],eax
WW3-Win64-Shipping.exe+1685944 - 8B 44 24 44 - mov eax,[rsp+44]
WW3-Win64-Shipping.exe+1685948 - 89 87 B4030000 - mov [rdi+000003B4],eax
WW3-Win64-Shipping.exe+168594E - 8B 44 24 5C - mov eax,[rsp+5C]
WW3-Win64-Shipping.exe+1685952 - 0F11 87 B8030000 - movups [rdi+000003B8],xmm0

x/y
WW3-Win64-Shipping.exe+1675303 - 90 - nop
movsd [rdi+000003A0],xmm0
write 8 nops
z
WW3-Win64-Shipping.exe+167531E - 90 - nop
mov [rdi+000003A8],eax
write 6 nops

No bullet spread
WW3-Win64-Shipping.exe+2844B6 - 49 89 5B 10 - mov [r11+10],rbx
WW3-Win64-Shipping.exe+2844BA - 49 89 73 18 - mov [r11+18],rsi
WW3-Win64-Shipping.exe+2844BE - 49 89 7B 20 - mov [r11+20],rdi
WW3-Win64-Shipping.exe+2844C2 - 4D 89 63 F0 - mov [r11-10],r12
WW3-Win64-Shipping.exe+2844C6 - 4D 89 6B E8 - mov [r11-18],r13
WW3-Win64-Shipping.exe+2844CA - 4D 89 73 E0 - mov [r11-20],r14
WW3-Win64-Shipping.exe+2844CE - 4C 8B F1 - mov r14,rcx
WW3-Win64-Shipping.exe+2844D1 - 4D 89 7B D8 - mov [r11-28],r15
WW3-Win64-Shipping.exe+2844D5 - 4C 8D B9 D8050000 - lea r15,[rcx+000005D8]
WW3-Win64-Shipping.exe+2844DC - 45 8B 67 08 - mov r12d,[r15+08]
49 89 5B 10 49 89 73 18 49 89 7B 20 4D 89 63 F0 4D 89 6B E8 4D 89 73 E0 4C 8B F1 4D 89 7B D8 4C 8D B9 D8 05 00 00 45 8B 67 08

No recoil
WW3-Win64-Shipping.exe+2849B9
WW3-Win64-Shipping.exe+284995 - mov eax,88888889 { -2004318071 }
WW3-Win64-Shipping.exe+28499A - inc ecx
WW3-Win64-Shipping.exe+28499C - imul ecx
WW3-Win64-Shipping.exe+28499E - add edx,ecx
WW3-Win64-Shipping.exe+2849A0 - sar edx,05 { 5 }
WW3-Win64-Shipping.exe+2849A3 - mov eax,edx
WW3-Win64-Shipping.exe+2849A5 - shr eax,1F { 31 }
WW3-Win64-Shipping.exe+2849A8 - add edx,eax
WW3-Win64-Shipping.exe+2849AA - imul eax,edx,3C
WW3-Win64-Shipping.exe+2849AD - sub ecx,eax
B8 89 88 88 88 FF C1 F7 E9 03 D1 C1 FA 05 8B C2 C1 E8 1F 03 D0 6B C2 3C 2B C8
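The last two cheats, like the camera ones, are plain byte patches: nops written over known instructions. The signatures listed above are exactly what a client-side integrity check needs. As an added example that is not from the post, the following C++ code hashes a code region against its expected bytes and, when the hash changes, reports which bytes differ and whether the change is a nop run. The expected bytes are the 42-byte "no bullet spread" signature quoted above; the tampered copy is constructed here for the test, and reading the live bytes out of the running process is assumed to happen elsewhere.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Expected bytes of the region, taken from the prologue the page lists at
// WW3-Win64-Shipping.exe+2844B6 (the "no bullet spread" signature).
const std::vector<uint8_t> kExpectedRegion = {
    0x49, 0x89, 0x5B, 0x10,  0x49, 0x89, 0x73, 0x18,  0x49, 0x89, 0x7B, 0x20,
    0x4D, 0x89, 0x63, 0xF0,  0x4D, 0x89, 0x6B, 0xE8,  0x4D, 0x89, 0x73, 0xE0,
    0x4C, 0x8B, 0xF1,        0x4D, 0x89, 0x7B, 0xD8,
    0x4C, 0x8D, 0xB9, 0xD8, 0x05, 0x00, 0x00,        0x45, 0x8B, 0x67, 0x08};

// FNV-1a over the region: cheap enough to run periodically from a watchdog
// thread; a changed hash is the trigger for the detailed comparison below.
uint64_t fnv1a64(const uint8_t* data, size_t len) {
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; ++i) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

struct ByteDiff {
    size_t offset;
    uint8_t expected;
    uint8_t actual;
};

// Byte-by-byte comparison; returns every position that differs.
std::vector<ByteDiff> find_patched_bytes(const std::vector<uint8_t>& live,
                                         const std::vector<uint8_t>& expected) {
    std::vector<ByteDiff> diffs;
    const size_t n = std::min(live.size(), expected.size());
    for (size_t i = 0; i < n; ++i) {
        if (live[i] != expected[i]) diffs.push_back({i, expected[i], live[i]});
    }
    return diffs;
}

// True when every changed byte is 0x90: the "write N nops" patch style the
// page describes, as opposed to an inline hook (E9 jmp) or a relocation.
bool looks_like_nop_patch(const std::vector<ByteDiff>& diffs) {
    if (diffs.empty()) return false;
    for (const auto& d : diffs) {
        if (d.actual != 0x90) return false;
    }
    return true;
}

// Constructed tampered copy for the test: the last four bytes of the region
// overwritten with 0x90. Sample data only.
std::vector<uint8_t> constructed_nopped_copy() {
    std::vector<uint8_t> copy = kExpectedRegion;
    for (size_t i = copy.size() - 4; i < copy.size(); ++i) copy[i] = 0x90;
    return copy;
}

int main() {
    const std::vector<uint8_t> live = constructed_nopped_copy();
    const uint64_t expected_hash = fnv1a64(kExpectedRegion.data(), kExpectedRegion.size());
    if (fnv1a64(live.data(), live.size()) == expected_hash) {
        std::printf("region intact\n");
        return 0;
    }
    const std::vector<ByteDiff> diffs = find_patched_bytes(live, kExpectedRegion);
    std::printf("region modified: %zu byte(s) differ, nop patch: %s\n",
                diffs.size(), looks_like_nop_patch(diffs) ? "yes" : "no");
    for (const auto& d : diffs) {
        std::printf("  +0x%02zx expected %02X got %02X\n", d.offset, d.expected, d.actual);
    }
    return 0;
}
```

The hash is what runs on a timer; the byte diff only runs on mismatch, so the cost of the check does not depend on how many regions are monitored. The expected bytes should come from the shipped binary's own code section at load time (hashed before any third-party module can be injected), since a checker that embeds them as constants is just one more patch target.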

Articles on this site are shared under the CC BY-NC-SA 4.0 license;
unless otherwise stated, all articles on this site are original; please follow the rules when reposting.
