HearthBuddy的class276以及class247

使用de4dot-cex反编译原版的hearthbuddy得到的

链接: https://pan.baidu.com/s/1hT79LpIjbyvODsjnkSe_5A 提取码: iemx 

class276里面的指针,是用mono.dll的基址加上class247(struct106_0)里保存的偏移得到的

/// <summary>
/// Binds this instance to an external process and precomputes a set of
/// addresses inside that process's mono.dll module.
/// </summary>
/// <param name="memory">Accessor for the external process; stored in externalProcessMemory_0.</param>
/// <remarks>
/// Every pointer field below is "value returned by method_18("mono.dll")" plus one
/// integer read from TritonHs.class247_0.struct106_0. None of the offsets is a literal
/// in this constructor; they are whatever Class247 placed in struct106_0 beforehand,
/// so TritonHs.class247_0 must already be populated when this runs.
/// NOTE(review): method_18 presumably resolves the module base of mono.dll in the
/// target process, and method_15&lt;T&gt; presumably registers or looks up a Mono type by
/// name - neither body is visible here, confirm before relying on this.
/// </remarks>
internal Class276(ExternalProcessMemory memory)
{
    this.externalProcessMemory_0 = memory;
    this.intptr_0 = this.method_18("mono.dll");

    // Local aliases: the module base and a snapshot of the offset table.
    IntPtr monoBase = this.intptr_0;
    var offsets = TritonHs.class247_0.struct106_0;

    // Field/offset pairing is kept exactly as the decompiler emitted it; the
    // obfuscated names carry no meaning, so the order is the only reference point.
    this.intptr_31 = monoBase + offsets.int_9;
    this.intptr_28 = monoBase + offsets.int_17;
    this.intptr_13 = monoBase + offsets.int_22;
    this.intptr_16 = monoBase + offsets.int_16;
    this.intptr_6 = monoBase + offsets.int_7;
    this.intptr_1 = monoBase + offsets.int_15;
    this.intptr_15 = monoBase + offsets.int_24;
    this.intptr_14 = monoBase + offsets.int_21;
    this.intptr_7 = monoBase + offsets.int_5;
    this.intptr_19 = monoBase + offsets.int_10;
    this.intptr_29 = monoBase + offsets.int_35;
    this.intptr_17 = monoBase + offsets.int_1;
    this.intptr_25 = monoBase + offsets.int_30;
    this.intptr_24 = monoBase + offsets.int_25;
    this.intptr_32 = monoBase + offsets.int_31;
    this.intptr_34 = monoBase + offsets.int_28;
    this.intptr_36 = monoBase + offsets.int_0;
    this.intptr_35 = monoBase + offsets.int_29;
    this.intptr_23 = monoBase + offsets.int_34;
    this.intptr_33 = monoBase + offsets.int_33;
    this.intptr_27 = monoBase + offsets.int_32;
    this.intptr_12 = monoBase + offsets.int_4;
    this.intptr_10 = monoBase + offsets.int_3;
    this.intptr_4 = monoBase + offsets.int_6;
    this.intptr_8 = monoBase + offsets.int_11;
    this.intptr_21 = monoBase + offsets.int_23;
    this.intptr_18 = monoBase + offsets.int_8;
    this.intptr_5 = monoBase + offsets.int_2;
    this.intptr_30 = monoBase + offsets.int_19;
    this.intptr_2 = monoBase + offsets.int_12;
    this.intptr_9 = monoBase + offsets.int_18;
    this.intptr_3 = monoBase + offsets.int_14;
    this.intptr_26 = monoBase + offsets.int_27;
    this.intptr_22 = monoBase + offsets.int_26;
    this.intptr_20 = monoBase + offsets.int_13;
    this.intptr_11 = monoBase + offsets.int_20;

    // One method_15 call per CLR primitive (plus object/string/enum), each keyed
    // by a lower-case type name; call order is unchanged from the decompiled code.
    this.method_15<bool>("boolean");
    this.method_15<object>("object");
    this.method_15<sbyte>("sbyte");
    this.method_15<byte>("byte");
    this.method_15<short>("int16");
    this.method_15<ushort>("uint16");
    this.method_15<int>("int32");
    this.method_15<uint>("uint32");
    this.method_15<long>("int64");
    this.method_15<ulong>("uint64");
    this.method_15<float>("single");
    this.method_15<double>("double");
    this.method_15<char>("char");
    this.method_15<string>("string");
    this.method_15<Enum>("enum");
}

赋值处理

// Excerpt from a larger method: `array` and `string_0` are declared outside this fragment.
// Builds the offset holder (Class247) from the byte blob, then the Class276 that consumes it.
try
                {
                    TritonHs.class247_0 = new Class247();
                    // method_1 decodes `array` and is given the target's ImageBase as second argument.
                    TritonHs.class247_0.method_1(array, TritonHs.Memory.ImageBase);
                }
                // Catch-all: any failure while decoding is reported to the user as "corrupted data".
                // NOTE(review): the exception object is discarded, so a malformed or truncated blob
                // is indistinguishable from a genuine bug in the decoder.
                catch (Exception)
                {
                    string_0 = string.Format("The data required to run the bot is corrupted. Please make sure your key is still valid at the Buddy Auth Portal: http://buddyauth.com/User/Keys {0}{0}For any further assistance, please contact support: https://bosslandgmbh.zendesk.com/home", Environment.NewLine);
                    return false;
                }
                // Must run after class247_0 is filled: the Class276 constructor reads
                // TritonHs.class247_0.struct106_0 to compute its pointers.
                TritonHs.class276_0 = new Class276(TritonHs.externalProcessMemory_0);
                // NOTE(review): AcquireFrame() presumably guards access to the target process while
                // method_2 runs - its body is not shown. `Class276_0` (capital C) is presumably a
                // property over the class276_0 field assigned above - confirm.
                using (TritonHs.AcquireFrame())
                {
                    TritonHs.intptr_1 = TritonHs.Class276_0.method_2();
                }

直接new一个class247的实例对象,然后调用method_1。传递的参数是array和TritonHs.Memory.ImageBase

/// <summary>
/// Read-only accessor for the shared <c>externalProcessMemory_0</c> field; this is the
/// object whose <c>ImageBase</c> is passed to <c>Class247.method_1</c> elsewhere on this page.
/// </summary>
public static ExternalProcessMemory Memory => TritonHs.externalProcessMemory_0;

array参数的获取,delegate6_0貌似是从服务器获取地址数据

// Excerpt from a larger method: obtains the encoded offset blob through delegate6_0.
// The delegate receives TritonHs.String_0 and may return an error message via `out string_0`.
// NOTE(review): the only validation visible here is the null check; no length or integrity
// check on the returned bytes appears before they reach the unsafe decoder in Class247.
byte[] array = delegate6_0(TritonHs.String_0, out string_0);
            if (array == null)
            {
                // Keep the delegate's own message when it supplied one; otherwise fall back
                // to the generic "not successfully obtained" text.
                if (string.IsNullOrEmpty(string_0))
                {
                    string_0 = string.Format("The data required to run the bot was not successfully obtained. Please make sure your key is still valid at the Buddy Auth Portal: http://buddyauth.com/User/Keys {0}{0}For any further assistance, please contact support: https://bosslandgmbh.zendesk.com/home", Environment.NewLine);
                }
                return false;
            }

class247里面的method1方法

// ns25.Class247
// Token: 0x06001990 RID: 6544 RVA: 0x000DAF40 File Offset: 0x000D9140
/// <summary>
/// Decodes a byte blob into the pointer table <c>intptr_0</c>, one entry per 32-bit word,
/// then calls <c>method_0</c> with the supplied base address.
/// </summary>
/// <param name="byte_0">Encoded input, read as consecutive <c>uint</c> values.</param>
/// <param name="intptr_1">Passed through unchanged to <c>method_0</c>.</param>
/// <remarks>
/// This is decompiler output and does not compile as shown (see the notes on the
/// <c>fixed</c> block and on the update of <c>b</c>).
/// </remarks>
internal unsafe void method_1(byte[] byte_0, IntPtr intptr_1)
{
    // One table slot per complete 4-byte word; up to 3 trailing bytes are ignored.
    // byte_0.Length is read before the null test below, so a null input throws here.
    this.intptr_0 = new IntPtr[byte_0.Length / 4];
    // Second argument to smethod_0; starts at 1 and is updated once per word.
    byte b = 1;
    byte* ptr;
    if (byte_0 != null && byte_0.Length != 0)
    {
        // NOTE(review): decompiler artifact. The empty body and the re-declared `ptr` are how
        // the tool rendered a `fixed` statement; presumably the original kept the array pinned
        // for the whole loop below. As written, the pointer would outlive the pin.
        fixed (byte* ptr = &byte_0[0])
        {
        }
    }
    else
    {
        ptr = null;
    }
    // Reinterpret the bytes as 32-bit words. For an empty array ptr is null, but the
    // table length is then 0 and the loop body never runs.
    uint* ptr2 = (uint*)ptr;
    for (int i = 0; i < this.intptr_0.Length; i++)
    {
        uint uint_ = ptr2[i];
        // smethod_0 transforms the raw word using b; its body is not shown on this page.
        IntPtr intPtr = new IntPtr((long)((ulong)Class247.smethod_0(uint_, b)));
        this.intptr_0[i] = intPtr;
        // NOTE(review): `?? 0` on a non-nullable value is not valid C# - decompiler artifact.
        // Presumably b is simply incremented per word (wrapping as a byte); confirm against the IL.
        b = ((b + 1) ?? 0);
    }
    ptr = null;
    this.method_0(intptr_1);
}

method0方法在对struct106_0 进行赋值

// Excerpt from method_0: when ptr4 is non-null, the memory it addresses is
// reinterpreted as a Struct106 and copied by value into struct106_0.
if (ptr4 != null)
    {
        this.struct106_0 = *(Struct106*)ptr4;
    }
// ns25.Class247
// Token: 0x0600198F RID: 6543 RVA: 0x000DAE44 File Offset: 0x000D9044
/// <summary>
/// Takes a copy of the decoded pointer table, adjusts part of it relative to
/// <paramref name="intptr_1"/>, and copies two slices of it by value into
/// <c>struct105_0</c> and <c>struct106_0</c>.
/// </summary>
/// <param name="intptr_1">Base address added to rebased entries (the caller shown on this
/// page passes the target's <c>ImageBase</c>).</param>
/// <remarks>
/// Decompiler output: both <c>fixed</c> blocks are rendered with empty bodies and re-declared
/// pointers, so the code does not compile as shown. Presumably each struct copy originally
/// ran inside its <c>fixed</c> scope.
/// </remarks>
internal unsafe void method_0(IntPtr intptr_1)
{
    // Work on a copy so this.intptr_0 keeps the un-rebased values.
    IntPtr[] array = new IntPtr[this.intptr_0.Length];
    this.intptr_0.CopyTo(array, 0);
    ArraySegment<IntPtr> arraySegment_;
    ArraySegment<IntPtr> arraySegment_2;
    // method_4 yields two segments; presumably both are views over `array` - body not shown.
    this.method_4(array, out arraySegment_, out arraySegment_2);
    // NOTE(review): the upper bound is Count, not Offset + Count; this covers the whole
    // segment only when Offset is 0 - confirm against method_4.
    for (int i = arraySegment_.Offset; i < arraySegment_.Count; i++)
    {
        // 4194304 == 0x400000. Entries above it are rewritten as (value - 0x400000 + intptr_1),
        // i.e. rebased onto the supplied address. ToInt32() throws OverflowException for
        // values that do not fit in 32 bits, so this assumes 32-bit addresses.
        if (arraySegment_.Array[i].ToInt32() > 4194304)
        {
            array[i] = array[i] - 4194304 + intptr_1.ToInt32();
        }
    }
    IntPtr[] array2;
    IntPtr* ptr;
    // method_2<IntPtr> turns the first segment into an array - presumably a copy; body not shown.
    if ((array2 = this.method_2<IntPtr>(arraySegment_)) != null && array2.Length != 0)
    {
        fixed (IntPtr* ptr = &array2[0])
        {
        }
    }
    else
    {
        ptr = null;
    }
    byte* ptr2 = (byte*)ptr;
    if (ptr2 != null)
    {
        // Reinterprets the start of array2 as a Struct105 and copies it by value.
        // NOTE(review): no visible check that array2 is at least sizeof(Struct105) bytes long;
        // a shorter input would make this read past the end of the array.
        this.struct105_0 = *(Struct105*)ptr2;
    }
    ptr = null;
    IntPtr* ptr3;
    // Same pattern for the second segment, which feeds struct106_0.
    if ((array2 = this.method_2<IntPtr>(arraySegment_2)) != null && array2.Length != 0)
    {
        fixed (IntPtr* ptr3 = &array2[0])
        {
        }
    }
    else
    {
        ptr3 = null;
    }
    byte* ptr4 = (byte*)ptr3;
    if (ptr4 != null)
    {
        // struct106_0 holds the int_N fields that the Class276 constructor adds to the mono.dll base.
        // NOTE(review): as above, no visible size check against sizeof(Struct106).
        this.struct106_0 = *(Struct106*)ptr4;
    }
    ptr3 = null;
}

所以之前的工作原理是:先通过delegate6_0(貌似是从服务器)获取mono的偏移地址数据,由class247解码并填充struct106_0,然后class276用mono.dll的基址加上这些偏移,再进行后续操作。

原文地址:https://www.cnblogs.com/chucklu/p/11660332.html