

打开星星CALL
0012E8A0 00894FC1 返回到 elementc.00894FC1
0012E8C8 00681A02 返回到 elementc.00681A02 来自 elementc.00681A10
0012E8DC 006843C5 返回到 elementc.006843C5 来自 elementc.006819D0
0012E914 005734F6 返回到 elementc.005734F6 来自 elementc.00684350////
0012E944 0082A99C 返回到 elementc.0082A99C 来自 elementc.0088666
0012E94C 0082A9B5 返回到 elementc.0082A9B5
0012E96C 0082A90C 返回到 elementc.0082A90C 来自 elementc.0082A940
0012E984 0084427E 返回到 elementc.0084427E 来自 elementc.0082A8F0
0012E9B8 00894FC1 返回到 elementc.00894FC1
0012E9C0 00894FED 返回到 elementc.00894FED 来自
0012E9CC 00894F6E 返回到 elementc.00894F6E 来自 elementc.00894FE0
0012E9EC 008956E5 返回到 elementc.008956E5 来自 elementc.008955F0
0012EA10 0081951E 返回到 elementc.0081951E
0012EA18 0062F7B2 返回到 elementc.0062F7B2 来自 elementc.00819510 ////
0012EA30 0082525B 返回到 elementc.0082525B
0012EA48 0082560D 返回到 elementc.0082560D
0012EA64 00895075 返回到 elementc.00895075 来自 elementc.00894FE0
0012EA84 0089533F 返回到 elementc.0089533F 来自 elementc.00894FF0
0012EA8C 00819B30 返回到 elementc.00819B30 来自 elementc.00825270
0012EB20 0081DB82 返回到 elementc.0081DB82 来自 elementc.00819560
// Call sequence recorded by the author; presumably the call named in the heading above the stack dump (confirm).
// Three dwords are read from the object at ESI and pushed after EBP, then ESI is passed in ECX.
// Offsets and the call target are as written by the author; nothing here shows which client build they belong to.
MOV EDX,[ESI+200]
MOV EAX,[ESI+1FC]
MOV ECX,[ESI+1F8]
PUSH EBP // ID (author's label; where EBP is loaded is not shown)
PUSH EDX // value read from [ESI+200]
PUSH EAX // value read from [ESI+1FC]
PUSH ECX // value read from [ESI+1F8]
MOV ECX,ESI // object pointer placed in ECX before the call; looks like a thiscall-style convention (confirm)
CALL 004E8270
完美国际171答题Call原型与delphi编程实现
原型:
ESI为答题基址
; Call site captured from the debugger: address, opcode bytes, instruction.
; ESI is the answer base object (per the note above this listing).
; The EAX pushed at 004F8EAF is set before the first line shown here; the Delphi
; version further down the page pushes the chosen answer value in that position.
004F8EA3 . 8B96 6C010000 MOV EDX,DWORD PTR DS:[ESI+16C]
004F8EA9 . 8B8E 64010000 MOV ECX,DWORD PTR DS:[ESI+164]
004F8EAF . 50 PUSH EAX
004F8EB0 . 8B86 68010000 MOV EAX,DWORD PTR DS:[ESI+168]
004F8EB6 . 52 PUSH EDX
004F8EB7 . 50 PUSH EAX
004F8EB8 . 51 PUSH ECX
004F8EB9 . 8BCE MOV ECX,ESI
; 004AFCF0 (listed after this call site) returns a pointer in EAX; it is moved to ECX for the next call.
004F8EBB . E8 306EFBFF CALL ElementC.004AFCF0
004F8EC0 . 8BC8 MOV ECX,EAX ; |
; The four values pushed above are still on the stack when this call is made.
004F8EC2 . E8 B9C10900 CALL ElementC.00595080 ; \ElementC.00595080
; Second call: constants 1, 0, 0 are pushed and ESI is passed in ECX. The author's Delphi
; comment labels this call as closing the answer window.
004F8EC7 . 6A 01 PUSH 1 ; /Arg3 = 00000001
004F8EC9 . 6A 00 PUSH 0 ; |Arg2 = 00000000
004F8ECB . 6A 00 PUSH 0 ; |Arg1 = 00000000
004F8ECD . 8BCE MOV ECX,ESI ; |
004F8ECF . E8 BCAE1E00 CALL ElementC.006E3D90 ; \ElementC.006E3D90
; Helper called from 004F8EBB. It loads the dword stored at 939274 and returns, in EAX,
; the dword at offset 20 from that value. The lines shown read neither ECX nor the stack.
004AFCEF 90 NOP
004AFCF0 /$ A1 74929300 MOV EAX,DWORD PTR DS:[939274]
004AFCF5 |. 8B40 20 MOV EAX,DWORD PTR DS:[EAX+20]
004AFCF8 \. C3 RETN
delphi7.0代码实现:
// AnswerCall reproduces the call site at 004F8EA3 from the listing above: it walks a pointer
// chain starting at W2I_BASE_Call to reach the answer base object, pushes the chosen answer
// plus three fields of that object, and calls the routines at W2I_Answer1_Call and W2I_Answer2_Call.
//
// aPParams: pointer to a parameter record; only Param1 (the chosen answer value) is read.
//
// Tpeople.Answer hands this routine to injectfunc, so it presumably executes inside the game
// client's process rather than in the caller's (confirm against injectfunc).
//
// NOTE(review): every address and offset is a hard-coded value; the trailing comments give the
// ones the author used. No pointer in the chain is checked before it is dereferenced, so a value
// that does not match the running client faults in whichever process executes this code.
procedure AnswerCall(aPParams:PParams);stdcall;
var
Address1,Address2:pointer;
P1: DWORD;
begin
Address1:=Pointer(W2I_Answer1_Call);//$00595080
Address2:=Pointer(W2I_Answer2_Call);//$006E3D90
P1:=aPParams^.Param1; // chosen answer: 1,2,4,8,16,32 (looks like one bit per option; confirm)
asm
// Save all general-purpose registers; restored by popad at the end.
pushad
// Pointer chain to the answer base object: [[[[[base]+$1c]+$4]+$8]+$270].
mov eax,dword ptr [W2I_BASE_Call]//$00939274
mov eax,dword ptr [eax+$1c]
mov eax,dword ptr [eax+$4]
mov eax,dword ptr [eax+$8]
mov eax,dword ptr [eax+$270]
mov esi,eax // esi = answer base address
// Same push order as the original call site: choice, [esi+$16c], [esi+$168], [esi+$164].
mov edx,dword ptr ds:[esi+$16c]
mov ecx,dword ptr ds:[esi+$164]
push P1 // chosen answer: 1,2,4,8,16,32
mov eax,dword ptr ds:[esi+$168] // question ID (author's label)
push edx
push eax
push ecx
// ECX is overwritten by "mov ecx,eax" below before any call is made, so this store has no
// effect here. In the original listing it preceded CALL 004AFCF0, which the next two
// instructions inline.
MOV ECX,ESI
// Inlined body of 004AFCF0: eax = [[base]+$20].
MOV EAX,DWORD PTR [W2I_BASE_Call]//$00939274
MOV EAX,DWORD PTR [EAX+$20]
mov ecx,eax
CALL Address1// answer call
// Second call takes the constants 1, 0, 0 with the answer base object in ECX.
PUSH 1
PUSH 0
PUSH 0
MOV ECX,ESI
CALL Address2// closes the answer window (author's label)
popad
end;
end;
// Packs answerId into a TParams record and passes AnswerCall, the record and the
// record size to injectfunc. Does nothing when GHwnd is 0.
//
// answerId: value stored in Param1 and later read by AnswerCall.
//
// Only Param1 is assigned; if TParams declares other fields they are passed
// along with whatever the stack held (TParams is declared elsewhere; confirm).
procedure Tpeople.Answer(answerId: cardinal);
var
  callArgs: TParams;
  callArgsSize: DWORD;
begin
  // No target handle recorded: nothing to call.
  if GHwnd = 0 then
    Exit;

  callArgs.Param1 := answerId;
  callArgsSize := SizeOf(callArgs);
  injectfunc(@AnswerCall, @callArgs, callArgsSize);
end;