本文主要是介绍83.网络游戏逆向分析与漏洞攻防-移动系统分析-游戏瞬移漏洞的测试与分析,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
免责声明:内容仅供学习参考,请合法利用知识,禁止进行违法犯罪活动!
如果看不懂、不知道现在做的什么,那就跟着做完看效果,代码看不懂是正常的,只要会抄就行,抄着抄着就能懂了
内容参考于:易道云信息技术研究院
上一个内容:82.坐标修正数据包的处理与模拟
码云版本号:2057942aba862cbc9f9db7037948d921af42993a
代码下载地址,在 titan 目录下,文件名为:titan-游戏瞬移漏洞的测试与分析.zip
链接:https://pan.baidu.com/s/1W-JpUcGOWbSJmMdmtMzYZg
提取码:q9n5
--来自百度网盘超级会员V4的分享
HOOK引擎,文件名为:黑兔sdk升级版.zip
链接:https://pan.baidu.com/s/1IB-Zs6hi3yU8LC2f-8hIEw
提取码:78h8
--来自百度网盘超级会员V4的分享
以 82.坐标修正数据包的处理与模拟 它的代码为基础进行修改
上一个内容里实现了无限水下游、模拟1F数据包(可以实现自动移动刷新我们的客户端画面),本次就来分析一下游戏瞬移漏洞的这个事情。
首先游戏瞬移漏洞是怎样产生的?第一种服务端是弱服务端,服务端没有校验客户端发什么就是什么,第二种在设计逻辑上面没有问题,但是逻辑给它岔开了用,这中岔开了用出现的问题很可能之前就没有考虑过,有的只做开发没有做安全,它不知道还可以这样玩,然后我这样玩逻辑就出现问题了,比如titan这游戏的数据包消息在NetClient类里把它还原成了函数比如OnMoveStop、OnMoveJump、OnMoveWJump这些还有在水下走路,这些东西岔开来用,就有可能找到它逻辑上的漏洞,就是它以前没相关它还会岔开来用,比如先OnMoveStop更新坐标然后OnMoveWalk向前走然后停下来OnMoveStop,这也就实现了走了,之前也这样欺骗的服务端实现了跟随,但也可以这样先OnMoveWalk然后OnMoveJump最后OnMoveStop,就是岔开了用以后,它的逻辑处不过来或者它本来的逻辑设定的就造成瞬移,但这种情况要大量的去测,也比较麻烦,这种的相对来说是比较低级的错误,犯的人也不是很多,所以成功率不是特别高,然后第三种是跟技能或者某些活动或者传送点有关,这种属于功能性的漏洞,这种相对来讲也不好搞,然后
第四种:
如下图,代码逻辑没有问题,但是进行 0 / 0之后float的值就出现问题了,然后就导致坐标设置成功,0/0是一个无效值,int类型会有检查而浮点数没有检查
它的结果是nan,nan==nan这样的比较结果是false,并不是true,nan与任何数字作比较都是false,只有 nan!=nan这样才会是true,这就导致了可以成功设置坐标,这是一个冷门的问题有的人不知道,就会出现漏洞
修复方式,加上一个浮点数最大值的判断就可以了,很多软件都会有这个漏洞,这种漏洞是很危险的,如果涉及到了金钱,这将是灾难,这个东西很危险,不要乱用,如果乱用出了事我不负责的
代码:
java代码解决方式,调用Double类的isNaN方法
class Untitled {public static void main(String[] args) {double d = Double.NaN;System.out.println(Double.isNaN(d));} }
下方是c++代码
#include <iostream>float NextX, NextY; void Init() {float i = 1;i--;NextX = i / i;NextY = i / i; }float 人物x坐标, 人物y坐标, 移动速度 = 5.0f;bool 检测坐标是否合格(float 坐标, float 移动大小) {if (坐标 <= DBL_MAX || 坐标 >= -DBL_MAX) {return (坐标 > 移动大小);}return true;}void 移动(float xNext, float yNext) {// 为了防止负数这里求绝对值float xDis = fabs(xNext - 人物x坐标);float yDis = fabs(xNext - 人物y坐标);if (检测坐标是否合格(xDis, 移动速度)) {std::cout << " x坐标不合格,回弹"<<std::endl;return;}if (检测坐标是否合格(yDis, 移动速度)) {std::cout << " y坐标不合格,回弹" << std::endl;return;}人物x坐标 = xNext;人物y坐标 = yNext; }int main() {Init();int* i = (int*)&NextX;std::cout << " " << std::hex << i[0] << std::endl;移动(NextX, NextY);移动(10000, 10000);移动(5, 5);std::cout << " x坐标:" << 人物x坐标 << "y坐标:" << 人物y坐标 << std::endl; }
效果图:瞬移的位置没有地图所以没法走,但是也可以看出移动之后没有被回弹
https://live.csdn.net/v/386890
CUIWnd_0.cpp文件的修改:修改了 OnBnClickedButton2函数
// CUIWnd_0.cpp: 实现文件
//#include "pch.h"
#include "htdMfcDll.h"
#include "CUIWnd_0.h"
#include "afxdialogex.h"
#include "extern_all.h"
#include "GameOBJECTDef.h"// CUIWnd_0 对话框
float _xNext = 0.0f;
float _yNext = 0.0f;
void _stdcall loops(HWND, UINT, UINT_PTR, DWORD) {PAIM aim = Client->GetAimByName(L"r");if (aim == nullptr) {return;}//AfxMessageBox(aim->Name);float xDis = fabs(Client->Player.x - aim->x);float hDis = fabs(Client->Player.h - aim->h);float yDis = fabs(Client->Player.y - aim->y);float xNext, yNext, thisx, thisy;int v[2]{ -1, 1 };if (xDis > 12) {// 强制修改角色x坐标的值thisx = Client->Player.x;Client->Player.x = Client->Player.x + 6 * v[Client->Player.x < aim->x];xNext = Client->Player.x;}else {xNext = aim->x;}if (yDis > 12) {// 强制修改角色y坐标的值thisy = Client->Player.y;Client->Player.y = Client->Player.y + 6 * v[Client->Player.y < aim->y];yNext = Client->Player.y;}else{yNext = aim->y;}if ((xDis < 2)&&(hDis < 2)&&(yDis < 2)) {Client->MoveStop(aim->x, aim->h, aim->y, 0.0f);}else {Client->MoveWalk(Client->Player.x,aim->h, Client->Player.x, 0.0f, 0.0f, xNext, yNext);}
}IMPLEMENT_DYNAMIC(CUIWnd_0, CDialogEx)CUIWnd_0::CUIWnd_0(CWnd* pParent /*=nullptr*/): CDialogEx(IDD_PAGE_0, pParent)
{}CUIWnd_0::~CUIWnd_0()
{
}void CUIWnd_0::DoDataExchange(CDataExchange* pDX)
{CDialogEx::DoDataExchange(pDX);
}BEGIN_MESSAGE_MAP(CUIWnd_0, CDialogEx)ON_BN_CLICKED(IDC_BUTTON1, &CUIWnd_0::OnBnClickedButton1)ON_BN_CLICKED(IDC_BUTTON2, &CUIWnd_0::OnBnClickedButton2)
END_MESSAGE_MAP()// CUIWnd_0 消息处理程序void CUIWnd_0::OnBnClickedButton1()
{// 发送坠落数据包Client->Fall();设置移动速度//float Speed = 50.0;//Client->SetProperty(Client->Player.lId, INDEX_MoveSpeed, &Speed);/*// 修改血量int HP = 10000000;Client->SetProperty(Client->Player.lId, INDEX_HP, &HP);*//*CString txt;txt.Format(L"通过AIM类获取角色信息 名字:%s,x坐标:%f", Client->Player.Name, Client->Player.x);AfxMessageBox(txt);*/// Client->HeartBeep();// Client->TalkTo(L"r", L"打架吗?");// Client->Talk(L"[欢迎来到麟科思]");// Client->SelectRole(L"今晚打老虎");/*Client->CreateRole(L"am4", 1.0, 2.0, 4.0, 8.0, "gui\BG_team\TeamRole\Teamrole_zq_humF_001.PNG","Face,0;Hat,0;Eyes,0;Beard,0;Ears,0;Tail,0;Finger,0;Cloth,0;Pants,0;Gloves,0;Shoes,0;Trait,0;HairColor,0;SkinColor,0;SkinMtl,0;Tattoo,0;TattooColor,16777215;","", 0.0);*///Client->SelectCamp("xuanrenZQ");//Client->StartCreateRole();//Client->DelRole(L"ranzhi11111");/*char buff[] = {0xA, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,0x00, 0x00, 0x00, 0x00, 0x00, 0x4, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, 0x02, 0x01, 00 ,0x00,0x00, 0x07, 0x0E, 0x00, 0x00, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x31, 0x00, 0x32 ,0x00,0x33, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};WinSock->OnSend(buff, sizeof(buff));*//*char buff[] = {0x27, 0x46, 0x92, 0x02, 0x00, 0x00, 0x89, 0x02, 0x00, 0x00, 0x06, 0x00, 0x06, 0x05, 0x00, 0x00, 0x00, 0x63, 0x68, 0x61, 0x74, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, 0x07, 0x0A, 0x00, 0x00, 0x00, 0x34, 0x00, 0x33, 0x00, 0x39, 0x00, 0x39, 0x00, 0x00, 0x00, 0x07, 0x5A, 0x02, 0x00, 0x00, 0x31, 0x00, 0x32, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x32, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33,0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x33, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x35, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x34, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36,0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x36, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x37, 0x00, 0x38, 0x00, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00, 0x02, 0x01, 0x00, 0x00, 0x00};WinSock->OnRecv(buff, sizeof(buff));*/
}void CUIWnd_0::OnBnClickedButton2()
{// 瞬移float decX = 3843.776123f;float decH = 11.731983f;float decY = -2005.533813f;float face = 0.0f;Client->Teleport(decX, decH, decY, face);//PAIM aim = Client->GetAimByName(L"r");//if (aim == nullptr) {// return;//}//Client->Teleport(aim->x, aim->h, aim->y, aim->face);// 修正坐标/*PAIM aim = Client->GetAimByName(L"r");if (aim == nullptr) {return;}Client->SetCoord(Client->Player.lId, aim->x, aim->h, aim->y, aim->face);*/// 面向// Client->FaceTo(L"r");// 飞天// Client->HideMode = true;// 遁地//Client->MoveStop(Client->Player.x, Client->Player.h - 5, Client->Player.y, 0.0f);// 跟随// ::SetTimer(m_hWnd, 0x1000, 2000, loops);// // Client->Backtoroles();
}
NetClient.cpp文件的修改:新加 Teleport函数、MoveJump函数、MoveWJump函数
#include "pch.h"
#include "NetClient.h"
#include "extern_all.h"bool NetClient::login(const char* Id, const char* Pass)
{const int bufflen = sizeof(DATA_LOGIN) + 1;char buff[bufflen];DATA_LOGIN data;// 有些操作系统这样写会报错,因为内存不对齐,现在Windows下没事//PDATALOGIN _data = (PDATALOGIN)(buff + 1);// 这样写就能解决内存对齐问题PDATALOGIN _data =&data;int len = strlen(Id);memcpy(_data->Id, Id, len);len = strlen(Pass);memcpy(_data->Pass, Pass, len);memcpy(buff+1, _data, sizeof(DATA_LOGIN));buff[0] = I_LOGIN;return WinSock->OnSend(buff, sizeof(buff));}bool NetClient::DelRole(const wchar_t* rolename)
{PROLEDATA _role = GetRoleByName(rolename);if (_role == nullptr) {return false;}else {return DelRole(rolename, _role->name.lenth);}return false;
}bool NetClient::StartCreateRole()
{NET_CREATEROLE_START _data;return WinSock->OnSend(&_data.op, _data.len);
}bool NetClient::SelectCamp(const char* _campname)
{NET_SEND_BUFF _buff;NET_SEND_CHOOSECAMP _data;_data.opcode.Set(SC_CHOOSECAMP);_data.camps.Set(_campname);/* sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);
}bool NetClient::CreateRole(wchar_t* name, double sex, double camp, double face, double occu, const char* photo, const char* infos, const char* txt, double faceShape)
{// rolecount > 4说明角色的数量够了if (rolecount > 4)return false;int index = 0;bool roleindex[5]{true, true, true, true, true };for (int i = 0; i < rolecount; i++) {roleindex[roles[i].index] = false;}for (int i = 0; i < 5; i++){if (roleindex[i]) {index = i;break;}}// wchar_t _name[] = L"am52111";NS_CREATEROLE_HEAD_BUFF _buff;CREATE_ROLE_DATAS _data;_data.sex.Set(sex);_data.camp.Set(camp);_data.face.Set(face);_data.occu.Set(occu);_data.faceSahpe.Set(faceShape);//_data.Photo.Set("gui\BG_team\TeamRole\Teamrole_zq_humF_001.PNG");_data.Photo.Set(photo);//_data.Infos.Set("Face,0;Hat,0;Eyes,0;Beard,0;Ears,0;Tail,0;Finger,0;Cloth,0;Pants,0;Gloves,0;Shoes,0;Trait,0;HairColor,0;SkinColor,0;SkinMtl,0;Tattoo,0;TattooColor,16777215;");_data.Infos.Set(infos);_data.Txt.Set(txt);short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;_buff.index = index;int lenth = wcslen(name) + 1;lenth = lenth * 2;memcpy(_buff.name, name, lenth);int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEHD_CREATEROLE_HEAD) - 3;return WinSock->OnSend(&_buff.op, ilen);
}bool NetClient::SelectRole(const wchar_t* rolename)
{PROLEDATA roles = GetRoleByName(rolename);if (roles == nullptr)return false;NS_SELECTROLE _data;memcpy(_data.buff, roles->name.value(), roles->name.lenth);return WinSock->OnSend((char*)&_data, sizeof(_data));
}bool NetClient::Fall()
{NET_SEND_BUFF _buff;FALL_DATA_STOP _data2;_data2.opcode.Set(SC_FALL_HEADER);_data2.Mode.Set(0x2);_data2.StartH.Set(Player.h);_data2.NextH.Set(Player.h - 12);_data2.EndH.Set(Player.h - 120);/*sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data2) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data2.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);}void NetClient::Teleport(float x, float h, float y, float face)
{// 修正坐标//PAIM aim = Client->GetAimByName(L"r");//if (aim == nullptr) {// return;//}// 目的地坐标//float decX = aim->x;//float decH = aim->h;//float decY = aim->y;/* float decX = 3843.776123f;float decH = 11.731983f;float decY = -2005.533813f;float face = 0.0f;*/union {unsigned nt = 0xFFC00000;float fNan;}v;/*这里的参数虽然都是无效值,但不见得就非要全部是无效值可能只设置x坐标就可以,可能值设置y坐标就可以,可能要设置x、y坐标就可以。。。现在全部设置成无效值了,如果游戏服务端有这个漏洞,我们角色的坐标就会全部设置成无效值,然后按照逻辑来讲下一次设置坐标的函数可以任意修改然后还可能有的游戏设置NaN不成功,这种的可以多试几个修改坐标或者其它数据的函数如果还都不行那就没办法了*///Client->MoveWJump(v.fNan, v.fNan, v.fNan, v.fNan, v.fNan, v.fNan, v.fNan); // 可以把坐标设置成nan//Client->MoveWalk(v.fNan, v.fNan, v.fNan, v.fNan, v.fNan, v.fNan, v.fNan); // 可以把坐标设置成nanClient->MoveStop(v.fNan, v.fNan, v.fNan, v.fNan); // 可以把坐标设置成nanClient->MoveStop(x, h, y, face);// 利用修正坐标数据包瞬移Client->SetCoord(Client->Player.lId, x, h, y, face);
}bool NetClient::MoveStop(float x, float h, float y, float face)
{NET_SEND_BUFF _buff;MOVE_DATA_STOP _data;_data.opcode.Set(SC_MOVE_HEADER);_data.Mode.Set(0x0);_data.Count.Set(4);_data.x.Set(x);_data.h.Set(h);_data.y.Set(y);_data.face.Set(face);/*sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);
}bool NetClient::MoveJump(float x, float h, float y, float face, float oldy, float xNext, float yNext)
{NET_SEND_BUFF _buff;MOVE_DATA_JUMP _data;_data.opcode.Set(SC_MOVE_HEADER);_data.Mode.Set(0x2);_data.Count.Set(9);_data.x.Set(x);_data.h.Set(h);_data.y.Set(y);_data.xNext.Set(xNext);_data.yNext.Set(yNext);_data.MoveSpeed.Set(Player.MoveSpeed);_data.JumpSpeed.Set(Player.JumpSpeed);_data.GSpeed.Set(0.0f);_data.face.Set(face);/*sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);
}bool NetClient::MoveWalk(float x, float h, float y, float face, float oldy, float xNext, float yNext)
{NET_SEND_BUFF _buff;MOVE_DATA_WALK _data;_data.opcode.Set(SC_MOVE_HEADER);_data.Mode.Set(0x1);_data.Count.Set(8);_data.x.Set(x);_data.h.Set(h);_data.y.Set(y);_data.xNext.Set(xNext);_data.yNext.Set(yNext);_data.MoveSpeed.Set(Player.MoveSpeed);_data.GSpeed.Set(0.0f);_data.face.Set(face);/*sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);
}bool NetClient::MoveWJump(float x, float h, float y, float face, float oldy, float xNext, float yNext)
{NET_SEND_BUFF _buff;MOVE_DATA_WJUMP _data;_data.opcode.Set(SC_MOVE_HEADER);_data.Mode.Set(0x3);_data.Count.Set(7);_data.x.Set(x);_data.h.Set(h);_data.y.Set(y);_data.xNext.Set(xNext);_data.yNext.Set(yNext);_data.MoveSpeed.Set(Player.MoveSpeed);_data.face.Set(face);/*sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);
}PROLEDATA NetClient::GetRoleByName(const wchar_t* rolename)
{//PROLEDATA result = nullptr;for (int i = 0; i < rolecount; i++){// StrCmpW判断两个字符串是否相同// 比较时区分大小写,如果字符串相同返回0if (StrCmpW(roles[i].name.value(), rolename) == 0) {return &roles[i];}}return nullptr;
}bool NetClient::Talk(wchar_t* txt, int PdId, double un)
{NET_SEND_BUFF _buff;CHAT_PUBLIC _data;_data.opcode.Set(SC_CHAT);_data.ChartId.Set(PdId);_data.txt.Set(txt);_data.un.Set(un);/*sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);
}bool NetClient::TalkTo(wchar_t* name, wchar_t* txt, double un)
{NET_SEND_BUFF _buff;CHAT_PRIVATE _data;_data.opcode.Set(SC_CHAT);_data.ChartId.Set(3);_data.txt.Set(txt);_data.name.Set(name);_data.un.Set(un);/*sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);
}bool NetClient::HeartBeep()
{NET_SEND_BUFF _buff;HEART_BEEP _data;_data.opcode.Set(SC_BEEP);_data.tick.Set(3);/*sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);
}bool NetClient::HeartLoop()
{NET_SEND_BUFF _buff;HEART_LOOP _data;_data.opcode.Set(SC_LOOP);_data.tick.Set(GetTickCount64());_data.txt.Set("");/*sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);
}bool NetClient::Backtoroles()
{// 返回角色NET_SEND_BUFF _buff;NSR_CHEAD _data;_data.opcode.Set(SC_REONLINE);/*sizeof(_data) / sizeof(EnCode)的原因NET_SEND_CHOOSECAMP结构体里面,没别 东西全是 EnCode 这个结构*/short count = sizeof(_data) / sizeof(EnCode);_buff.count = count;/*CodeMe函数给 _buff.buff里写数据参数的数据也就是给0A开头数据包里写,数据参数个数后面的内容然后返回值是写了多长的数据也就是给0A开头数据包里的数据参数个数后面的数据写了多长*/int ilen = _data.CodeMe(count, _buff.buff);ilen = ilen + sizeof(NET_SEND_HEAD) - 1;return WinSock->OnSend(&_buff.op, ilen);
}bool NetClient::DelRole(const wchar_t* rolename, unsigned _len)
{DATA_DELROLE _data;_data.op = 0x06;_data.len = _len;memcpy(_data.buff, rolename, _len);return WinSock->OnSend((char*)&_data, sizeof(DATA_DELROLE) - 1);
}PAIM NetClient::GetAimById(long long lId)
{if (Player.lId == lId)return &Player;for (int i = 0; i < MAX_AIM; i++){if ((Aimlst[i] != nullptr) && (Aimlst[i]->lId == lId)) {return Aimlst[i];}}return CreateAim();
}PAIM NetClient::CreateAim()
{for (int i = 0; i < MAX_AIM; i++){if (Aimlst[i] == nullptr) {Aimlst[i] = new AIM();return Aimlst[i];}else if (Aimlst[i]->Isfree) {return Aimlst[i];}}return nullptr;
}void NetClient::RemoveAimById(long long lId)
{for (int i = 0; i < MAX_AIM; i++){if ((Aimlst[i] != nullptr) && (Aimlst[i]->lId == lId)) {// CString _txt;// _txt.Format(L"附近的 %s 消失", Aimlst[i]->Name);// AfxMessageBox(_txt);Aimlst[i]->Release();}}
}PAIM NetClient::GetAimByName(const wchar_t* name)
{for (int i = 0; i < MAX_AIM; i++){if ((Aimlst[i] != nullptr) && (!Aimlst[i]->Isfree) && (Aimlst[i]->Name == name)) {return Aimlst[i];}}return nullptr;
}// x,y是玩家的坐标,targetX,targetY是目标的坐标
float NetClient::GetFace(float x, float y, float targetX, float targetY)
{// 计算差值x = targetX - x;y = targetY - y;double pi = 3.14159265358979323846;double p = atan2(x, y); // atan2是计算三角形弧度atan2函数返回值-pi ~ pi,负的3.1415926...到正的3.1415926...// 如果x是负数atan2函数返回值必定是在三四象限里,也就是一个负πif (x < 0) {p = pi * 2 + p;}return p;
}void NetClient::FaceTo(const wchar_t* name)
{PAIM _aim = GetAimByName(name);if (_aim) {float _face = GetFace(Player.x, Player.y, _aim->x, _aim->y);MoveStop(Player.x, Player.h, Player.y, _face);}
}void NetClient::Init(GameWinSock* _winSock)
{for (int i = 0; i < 0x100; i++) {SendProc[i] = &NetClient::DefaultProc;RecvProc[i] = &NetClient::DefaultProc;}this->WinSock = _winSock;// 注册登录数据包处理函数SendProc[I_LOGIN] = &NetClient::OnClientlogin;SendProc[I_CREATEROLE_START] = &NetClient::OnClientStartCreateRole;SendProc[I_DELROLE] = &NetClient::OnClientDelRole;SendProc[I_SEND_CUSTOM] = &NetClient::OnClientSendCustom;SendProc[I_CREATEROLE] = &NetClient::OnClientCreateRole;SendProc[I_SELECT_ROLE] = &NetClient::OnClientSelectRole;// 注册数据登录失败数据包处理函数RecvProc[S_TIPS] = &NetClient::OnSvrTips;RecvProc[S_LOGINOK] = &NetClient::OnSverStruct;RecvProc[S_CREATEROLE_START] = &NetClient::OnSvrStartCreateRole;RecvProc[S_NOTICE] = &NetClient::OnSverNotice;RecvProc[S_NOTICE_COM] = &NetClient::OnSverNotice;RecvProc[S_OBJECT] = &NetClient::OnSverObject;RecvProc[S_STRUCT] = &NetClient::OnSverStruct;RecvProc[S_OBJECT_INIT] = &NetClient::OnSvrObjectInit;RecvProc[S_OBJECT_INITEX] = &NetClient::OnSvrObjectInitEx;RecvProc[S_OBJECT_INITEX_UCOM] = &NetClient::OnSvrObjectInitEx;RecvProc[S_UPDATECORD] = &NetClient::OnSvrUpdateCord;RecvProc[S_UPDATEPRO] = &NetClient::OnSvrUpdateProperty;RecvProc[S_UPDATEPROMU] = &NetClient::OnSvrUpdatePropertyMu;RecvProc[S_UPDATEPROMU_COM] = &NetClient::OnSvrUpdatePropertyMu;RecvProc[S_OBJECT_REMOVE] = &NetClient::OnSvrRemoveObjectMu;RecvProc[S_UPDATECORDEX] = &NetClient::OnSvrUpdateCordEx;
}bool NetClient::SetCoord(long long lId, float x, float h, float y, float face)
{NR_UPDATECOORD head;head.lId = lId;head.x = x;head.h = h;head.y = y;head.face = face;return WinSock->Recv(&head.op, head.len);
}bool NetClient::SetProperty(long long lId, int ProType, void* value)
{NR_OBJECT_UPDATEPRO head;head.lId = lId;head.itype = ProType;int valueType = ObjectTable[ProType].type;int valueSize = data_desc[2][valueType].lenth;int bufflen = 14;switch (valueType){case 1:case 2:case 3:case 4:case 5:case 6:case 9:memcpy(head.buff, value, valueSize);bufflen = bufflen + valueSize;break;case 7:head.lenth = strlen((char*)value) + 1;memcpy(head.buffEnd, value, head.lenth);bufflen = bufflen + 4 + head.lenth;break;case 8:head.lenth = wcslen((wchar_t*)value) + 1;head.lenth = head.lenth + 2;memcpy(head.buffEnd, value, head.lenth);bufflen = bufflen + 4 + head.lenth;break;default:break;}return WinSock->Recv(&head.op, bufflen);
}bool NetClient::OnDelRole(wchar_t* rolename, unsigned _len)
{// AfxMessageBox(rolename);return true;
}void NetClient::Onlogin(const char* Id, const char* Pass)
{/*const int bufflen = sizeof(DATA_LOGIN) + 1;char buff[bufflen];DATA_LOGIN data;// 有些操作系统这样写会报错,因为内存不对齐,现在Windows下没事//PDATALOGIN _data = (PDATALOGIN)(buff + 1);// 这样写就能解决内存对齐问题PDATALOGIN _data =&data;int len = strlen(Id);memcpy(_data->Id, Id, len);len = strlen(Pass);memcpy(_data->Pass, Pass, len);memcpy(buff+1, _data, sizeof(DATA_LOGIN));buff[0] = I_LOGIN;return WinSock->OnSend(buff, sizeof(buff));*/
}bool NetClient::OnStartCreateRole(int code)
{return true;
}bool NetClient::OnCreateRole(PNS_CREATEROLE _header, PCREATE_ROLE_DATAS _body)
{return true;
}bool NetClient::OnSendCustom(PNET_SEND_CHEAD _coder, char*& buffer, unsigned& len)
{switch (_coder->opcode.value()){case SC_CHOOSECAMP:return OnChooseCamp((PNS_CHOOSECAMP)_coder);case SC_CHAT:return OnChat((PCHAT_DATA)_coder);case SC_BEEP:return OnHeartBeep((PHEART_BEEP)_coder);case SC_LOOP:return OnHeartLoop((PHEART_LOOP)_coder);//case SC_INITED:case SC_REONLINE://case SC_INIT_START://case SC_HAND://case SC_HAND_IN:// return false;case SC_MOVE_HEADER:return OnMove((PMOVE_DATA)_coder);case SC_FALL_HEADER:return OnFall((PFALL_DATA_START)_coder);case SC_INWATER:return false;default:return true;}return true;
}bool NetClient::OnSelectRole(wchar_t* rolename)
{//AfxMessageBox(rolename);return true;
}bool NetClient::OnChooseCamp(PNS_CHOOSECAMP _coder)
{PNS_CHOOSECAMP _p = (PNS_CHOOSECAMP)_coder;return true;
}bool NetClient::OnChat(PCHAT_DATA _coder)
{switch (_coder->ChartId){case 3:// 私聊return OnChatPrivate((PCHAT_PRV)_coder);case 1:// 附近频道case 2:// 区域频道case 6:// 公会频道case 9:// 阵营频道case 21:// 喊话频道return OnChatPublic((PCHAT_PUB)_coder);break;}return true;
}bool NetClient::OnChatPublic(PCHAT_PUB _coder)
{return true;
}bool NetClient::OnChatPrivate(PCHAT_PRV _coder)
{return true;
}bool NetClient::OnHeartBeep(PHEART_BEEP _coder)
{return true; // 返回false会拦截81心跳包不给服务端发送
}bool NetClient::OnHeartLoop(PHEART_LOOP _coder)
{return true; // 返回false会拦截SC_LOOP心跳包不给服务端发送
}bool NetClient::OnMove(PMOVE_DATA _coder)
{switch (_coder->Mode){case 0:return OnMoveStop((PMOVE_DATA_STOP)_coder);case 1:return OnMoveWalk((PMOVE_DATA_WALK)_coder);case 2:return OnMoveJump((PMOVE_DATA_JUMP)_coder);case 3:return OnMoveWJump((PMOVE_DATA_WJUMP)_coder);}return false;
}// 移动中处理函数
bool NetClient::OnMoveWalk(PMOVE_DATA_WALK _coder)
{/*float* MoveSpeed = (float*)_coder->MoveSpeed.oldPointer;MoveSpeed[0] = 5.0f;*/if (HideMode) {float* f = (float*)_coder->h.oldPointer;f[0] = f[0] + 5;}return true;
}// 停止移动处理函数
bool NetClient::OnMoveStop(PMOVE_DATA_STOP _coder)
{if (HideMode) {float* f = (float*)_coder->h.oldPointer;f[0] = f[0] + 5;}return true;
}// 跳跃处理函数
bool NetClient::OnMoveJump(PMOVE_DATA_JUMP _coder)
{/*float* MoveSpeed = (float*)_coder->MoveSpeed.oldPointer;MoveSpeed[0] = 5.0f;*/if(HideMode) {float* f = (float*)_coder->h.oldPointer;f[0] = f[0] + 5;}return true;
}// 移动时跳跃
bool NetClient::OnMoveWJump(PMOVE_DATA_WJUMP _coder)
{/*float* MoveSpeed = (float*)_coder->MoveSpeed.oldPointer;MoveSpeed[0] = 5.0f;*/if(HideMode) {float* f = (float*)_coder->h.oldPointer;f[0] = f[0] + 5;}return true;
}bool NetClient::OnFall(PFALL_DATA_START _coder)
{return true;
}bool NetClient::OnSvrChat(PCHAT_PRV _coder)
{//AfxMessageBox(_coder->name);//AfxMessageBox(_coder->txt);//switch (_coder->ChartId)//{//case 3:// 私聊// return OnChatPrivate((PCHAT_PRV)_coder);//case 1:// 附近频道//case 2:// 区域频道//case 6:// 公会频道//case 9:// 阵营频道//case 21:// 喊话频道// return OnChatPublic((PCHAT_PUB)_coder);// break;//}return true;
}bool NetClient::Tips(int code)
{
#ifdef AnlyCString txt;if (code == 51001) {txt = L"登陆失败,易道云通行证不存在!";}else if (code == 51002) {txt = L"登录失败,密码错误!";}else if (code == 21101) {txt = L"人物重名!";}else if (code == 21109) {txt = L"名字过长或包含非法字符!";}else {txt.Format(L"未知登录错误:%d", code);}anly->SendData(TTYPE::I_LOG, 0, txt.GetBuffer(), (txt.GetLength() + 1)*2);
#endifreturn true;
}void NetClient::loginok(ROLE_DATA* _roles, int count)
{logined = true;if(roles) delete[] roles;roles = _roles;rolecount = count;
}bool NetClient::OnScrStartCreateRole(short code, wchar_t* _txt)
{return true;
}bool NetClient::OnSvrNotice(PNET_SEND_CHEAD _coder, int count, char*& buffer, unsigned& len)
{if (_coder->msgHeader == "chat") {return OnSvrChat((PCHAT_PRV)_coder);}return true;
}bool NetClient::OnRecvData(char*& buff, unsigned& len)
{
#ifdef Anlyanly->SendData(TTYPE::I_RECV, buff[0], buff, len);
#endifreturn (this->*RecvProc[buff[0]])(buff, len);
}bool NetClient::OnSendData(char*& buff, unsigned& len)
{
#ifdef Anlyanly->SendData(TTYPE::I_SEND, buff[0], buff, len);
#endifreturn (this->*SendProc[buff[0]])(buff, len);
}bool NetClient::OnConnect(char*& ip, unsigned& port)
{
#ifdef Anly// 长度24的原因,它是宽字节要,一个文字要2个字节,一共是10个文字加上结尾的0是11个// 所以 11 乘以2,然后再加2 anly->SendData(TTYPE::I_LOG, 0, L"服务器正在连接。。。", 24);
#endifreturn true;
}// 默认的数据处理函数
bool NetClient::DefaultProc(char*&, unsigned&)
{return true;
}// 复制过来的内容
bool NetClient::OnClientlogin(char*& buff, unsigned& len)
{PDATALOGIN _data = (PDATALOGIN)(buff + 1);char* _id = _data->Id;_data = (PDATALOGIN)(buff + 1 + _data->lenId - 0x10);char* _pass = _data->Pass;Onlogin(_id, _pass);/* 修改账号密码len = sizeof(DATA_LOGIN) + 1;buff = new char[len];DATA_LOGIN data;PDATALOGIN _data = &data;buff[0] = 0x2;CStringA _id = "";// 补充账号CStringA _pass = "";// 补充密码memcpy(_data->Id, _id.GetBuffer(), _id.GetLength());memcpy(_data->Pass, _pass.GetBuffer(), _pass.GetLength());memcpy(buff + 1, _data, len - 1);*//* 监控登录数据PDATALOGIN _data = (PDATALOGIN)buff;CStringA _id = _data->Id;_data = (PDATALOGIN)(buff + _data->lenId - 0x10);CStringA _pass = _data->Pass;CStringA _tmp;// 请求登录 账号[% s]密码[% s] 这个内容别人在逆向的时候就会看到// 所以这种东西需要自己搞个编码来代替它_tmp.Format("请求登录 账号[%s]密码[%s]", _id, _pass);
#ifdef Anlyanly->SendData(TTYPE::I_DIS, 1, _tmp.GetBuffer(), _tmp.GetAllocLength());
#endif*//*返回false,游戏无法发送数据包原因看调用此此函数的位置 OnSend 函数(if (SendDealProc[buff[0]]((buff + 1), len - 1)))*/return true;
}bool NetClient::OnClientStartCreateRole(char*& buff, unsigned& len)
{// 申请进入创建角色界面int* code = (int*)&buff[1];return OnStartCreateRole(code[0]);
}bool NetClient::OnClientCreateRole(char*& buff, unsigned& len) {PNS_CREATEROLE head = (PNS_CREATEROLE)(buff - 3);int icount = head->count;if (icount < 1)return true;char* buffStart = (char*)head + sizeof(NET_SEHD_CREATEROLE_HEAD);
#ifdef AnlyGameAnlyer->AnlyBuff(buffStart, buff + len, buff[0], 1);// 翻译解析约定数据
#endif // AnlyEnCode codes[sizeof(CREATE_ROLE_DATAS) / sizeof(EnCode)]{};int stDecode = 0;while (stDecode < icount) {codes[stDecode++] = buffStart;}/*Client->OnCreateRole(head, (PCREATE_ROLE_DATAS)codes) 数据包传给虚函数如果想对发送创建角色数据包做些什么直接继承NetClient重写OnCreateRole函数既可以了*/return Client->OnCreateRole(head, (PCREATE_ROLE_DATAS)codes);// 返回false屏蔽05开头的数据包,也就是创建角色发送的数据包
}bool NetClient::OnClientSendCustom(char*& buff, unsigned& len) {PNET_SEND_HEAD head = (PNET_SEND_HEAD)(buff - 1);int icount = head->count;if (icount < 1)return true;char* buffStart = (char*)head + sizeof(NET_SEND_HEAD);if (buffStart[0] != 0x02) {#ifdef Anlyif (icount < MAX_SEND_COUNT)anly->SendData(TTYPE::I_DIS, I_SEND_CUSTOM, "SEND_CUSTOM MAX_SEND_COUNT 内存解码器空间不足", 46);anly->SendData(TTYPE::I_DIS, I_SEND_CUSTOM, "SEND_CUSTOM 发现异常数据", 25);
#endifreturn true;}#ifdef AnlyGameAnlyer->AnlyBuff(buffStart, buff + len, buff[0], 1);
#endifint stDecode = 0;EnCode codes[MAX_SEND_COUNT]{};while (stDecode < icount) {codes[stDecode++] = buffStart;}/*Client->OnSendCustom((PNET_SEND_CHEAD)codes, buff, len); 数据包传给虚函数如果想对发送数据的0A开头的据包做些什么直接继承NetClient重写OnSendCustom函数既可以了*/return Client->OnSendCustom((PNET_SEND_CHEAD)codes, buff, len);}bool NetClient::OnClientSelectRole(char*& buff, unsigned& len) {PNS_SELECTROLE p = (PNS_SELECTROLE)buff;return Client->OnSelectRole((wchar_t*)(p->buff));
}bool NetClient::OnClientDelRole(char*& buff, unsigned& len) {PDATADELROLE p = (PDATADELROLE)buff;return Client->OnDelRole((wchar_t*)(p->buff), p->len);// 返回值改为false将拦截发送的删除角色数据包// 详情看注册 OnDelRole 函数的位置,Init函数// return true;
}// 接收数据截取区bool NetClient::OnSvrTips(char*& buff, unsigned& len) {int* code = (int*)&buff[1];return Client->Tips(code[0]);
}bool NetClient::OnSvrloginOk(char*& buff, unsigned& len) {PDATALOGINOK _p = (PDATALOGINOK)&buff[1];ROLE_DATA* roleDatas = nullptr;if (_p->RoleCount > 0) {char* buffStart = buff + 1 + sizeof(DATA_LOGIN_OK);#ifdef AnlyGameAnlyer->AnlyBuff(buffStart, buff + len, buff[0]);
#endif // AnlyroleDatas = new ROLE_DATA[_p->RoleCount];for (int i = 0; i < _p->RoleCount; i++){roleDatas[i].byte.Init(buffStart, 0);roleDatas[i].index.Init(buffStart, 0);roleDatas[i].un1.Init(buffStart, 0);roleDatas[i].name.Init(buffStart, 0);roleDatas[i].infos.Init(buffStart, 0);roleDatas[i].un2.Init(buffStart, 0);roleDatas[i].un3.Init(buffStart, 0);}Client->loginok(roleDatas, _p->RoleCount);}return true;
}bool NetClient::OnSverObject(char*& buff, unsigned& len) {PNR_HEAD head = (PNR_HEAD)(buff - 1);//head->count;if (ObjectTable) {delete[] ObjectTable;}if (ObjectTxt) {delete[] ObjectTxt;}ObjectTable = new OBJECT_DESC[head->count];ObjectTxt = new char[len];memcpy(ObjectTxt, buff, len);// 这里怕 buff 的内容被游戏释放掉,后面我们用的时候没法用,所以把buff的内容复制到我们的变量里char* buffStart = ObjectTxt + sizeof(NR_NOTICE_HEAD)-1;
//#ifdef Anly
// CStringA szTxtA;
// CStringA szTmp;
//#endif // Anly
//#ifdef Anly
// szTmp.Format("[%X]%s:%d\r\n", i, ObjectTable[i].name, ObjectTable[i].type);
// szTxtA += szTmp;
//#endif // Anly
//#ifdef Anly
// anly->SendData(TTYPE::I_DIS, S_OBJECT, szTxtA.GetBuffer(), szTxtA.GetAllocLength() + 1);
//#endif // Anlyfor (int i = 0; i < head->count; i++){ObjectTable[i].name = buffStart;buffStart = buffStart + strlen(ObjectTable[i].name) + 1;ObjectTable[i].type = buffStart[0];buffStart++;}#ifdef AnlyGameAnlyer->CreateObjectfiles(ObjectTable, head->count);
#endif // Anlyreturn true;
}
bool NetClient::OnSverStruct(char*& buff, unsigned& len) {return true;
}
bool NetClient::OnSvrObjectInit(char*& buff, unsigned& len)
{/*00 00 00 00 00 00 00 为了内存对齐补充了7个0,也就是 un1[6] 和 len28 opCD 48 00 01 62 A7 DE 04 PNR_OBJINIT:lIdC1 AA FB C3 PNR_OBJINIT:x;3D FF 22 41 PNR_OBJINIT:h;D7 0B 4A 44 PNR_OBJINIT:y;52 B8 06 40 PNR_OBJINIT:face;C1 AA FB C3 PNR_OBJINIT:tx;3D FF 22 41 PNR_OBJINIT:th;D7 0B 4A 44 PNR_OBJINIT:ty;52 B8 06 40 PNR_OBJINIT:tface;00 00 00 00 PNR_OBJINIT:un2[0]00 00 00 00 PNR_OBJINIT:un2[1]00 00 00 00 PNR_OBJINIT:un2[2]00 00 00 00 PNR_OBJINIT:un2[3]00 00 00 00 PNR_OBJINIT:un2[4]61 00 PNR_OBJINIT:icount;1B 00 (char*)head + sizeof(NR_OBNJECT_INIT) - 2;也就是指向到了 PNR_OBJINIT:type 这个位置0C 00 00 00 CA 4E 5A 66 53 62 01 80 4E 86 00 00 1D 00*/// 初始化对象PNR_OBJINIT head = (PNR_OBJINIT)(buff - 7);char* buffStart = (char*)head + sizeof(NR_OBNJECT_INIT) - 2;//int nStart = (int)&Player.lId;//int nEnd = (int)&Player.endclass;//memcpy(&Player.lId, &head->lId, nEnd - nStart);Player.SetHeadDatas(&head->lId);
#ifdef AnlyGameAnlyer->AnlyData(buffStart, buff + len, head->icount, S_OBJECT_INIT, ObjectTable);
#endifint iProc = 0;while (iProc < head->icount){Player.UpdateData(buffStart);iProc++;}return true;
}
bool NetClient::OnSvrObjectInitEx(char*& buff, unsigned& len)
{// 初始化对象PNR_OBJINITEX head = (PNR_OBJINITEX)(buff - 5);char* buffStart;/*int nStart = (int)&Player.lId;int nEnd = (int)&Player.endclass;memcpy(&Player.lId, &head->lId, nEnd - nStart);*/int iObjectCount = 0;short objCount = head->obj_count; // 可以理解为一共有多少个接收的28数据while (iObjectCount < objCount) {PAIM _paim = GetAimById(head->lId);_paim->SetHeadDatas(&head->lId);buffStart = (char*)head + sizeof(NR_OBNJECT_INITEX) - 2;short refCount = head->icount; // 接收的28数据里的数据参数个数short iref = 0;
#ifdef AnlyGameAnlyer->AnlyData(buffStart, buff + len, refCount, S_OBJECT_INITEX, ObjectTable);
#endifwhile (iref < refCount) {_paim->UpdateData(buffStart);iref++;}head = (PNR_OBJINITEX)(buffStart - 8);iObjectCount++;}return true;
}
bool NetClient::OnSvrUpdateCord(char*& buff, unsigned& len)
{/*00 00 00 00 00 head21 02 00 CD 14 00 01 CD 14 00 00 第一个坐标数据6D BF 54 43 A6 FA C7 3F 8C 52 A9 C1 CB 30 06 40 00 00 00 00 DB 0F C9 41 00 00 00 00 00 00 00 00 01 00 00 00 StateCD 14 00 01 CD 14 00 00 第二个坐标数据61 41 5B 43 A6 FA C7 3F C5 8A C7 C1 CB 30 06 40 9A 99 99 3E DB 0F C9 40 00 00 00 00 00 00 00 00 01 00 00 00 */// 初始化对象PNR_OBJINITEX head = (PNR_OBJINITEX)(buff - 5);/*int nStart = (int)&Player.lId;int nEnd = (int)&Player.endclass;memcpy(&Player.lId, &head->lId, nEnd - nStart);*/int iObjectCount = 0;short objCount = head->obj_count; // 可以理解为一共有多少个接收的28数据while (iObjectCount < objCount) {PAIM _paim = GetAimById(head->lId);_paim->SetHeadDatas(&head->lId);CStringA txtA;txtA.Format("x:%f h:%f y:%f", head->x, head->h, head->y);
#ifdef Anlyanly->SendData(TTYPE::I_DIS, S_UPDATECORD, txtA.GetBuffer(), txtA.GetAllocLength() + 1);
#endifhead = (PNR_OBJINITEX)((char*)&head->State - 4);iObjectCount++;}return true;
}
bool NetClient::OnSvrUpdateProperty(char*& buff, unsigned& len)
{// 初始化对象PNR_OBJECT_UP head = (PNR_OBJECT_UP)(buff - 6);PAIM _paim = GetAimById(head->lId);int iref = 0;short refcount = head->icount;
#ifdef Anlychar* buffStart = (char*)&head->itype;GameAnlyer->AnlyData(buffStart, buff + len, refcount, S_UPDATEPRO, ObjectTable);
#endifwhile (iref < refcount) {_paim->UpdateData(buffStart);iref++;}return true;
}
bool NetClient::OnSvrUpdatePropertyMu(char*& buff, unsigned& len)
{// 初始化对象PNR_OBJECT_UPMU head = (PNR_OBJECT_UPMU)(buff - 5);int iobjCount = 0;short objCount = head->objCount; // 可以理解为一共有多少个接收的28数据char* buffStart;/*数据包是下方的样子,2D 01 00 objCount9B 49 00 01 D5 8C 98 05 GetAimById(head->lId);02 00 25 00 (char*)&head->itype18 00 00 00 29 00 BA 01 00 00 while (iobjCount < objCount) 里获取的是9B 49 00 01 D5 8C 98 0502 0025 00 18 00 00 0029 00 BA 01 00 00 这一块数据while (iref++ < refCount) 里获取的是25 00 18 00 00 00(PNR_OBJECT_UPMU)(buffStart - 8); 移动到下一个9B 49 00 01 D5 8C 98 05 GetAimById(head->lId);02 0025 00 (char*)&head->itype18 00 00 0029 00 BA 01 00 00 这个数据*/while (iobjCount < objCount) {PAIM _paim = GetAimById(head->lId);buffStart = (char*)&head->itype;short refCount = head->icount; // 接收的28数据里的数据参数个数short iref = 0;#ifdef AnlyGameAnlyer->AnlyData(buffStart, buff + len, refCount, S_UPDATEPROMU, ObjectTable);
#endifwhile (iref++ < refCount) {_paim->UpdateData(buffStart);}head = (PNR_OBJECT_UPMU)(buffStart - 8);iobjCount++;}return true;
}
bool NetClient::OnSvrRemoveObjectMu(char*& buff, unsigned& len)
{// 初始化对象PNR_OBJECT_REMOVEMU head = nullptr;head = (PNR_OBJECT_REMOVEMU)(buff - &head->op);int iobjCount = head->objCount;for (int i = 0; i < iobjCount; i++){RemoveAimById(head->lId[i]);}return true;
}/*1F87 44 00 01 7F B0 D6 05FE AD DE C36C F5 46 4207 FD 36 C490 D9 9C 40
*/
bool NetClient::OnSvrUpdateCordEx(char*& buff, unsigned& len)
{// 初始化对象PNR_UPDATECOORD head = nullptr;head = (PNR_UPDATECOORD)(buff - &head->op);PAIM aim = GetAimById(head->lId);if (aim) {return aim->SetHeadCord(&head->lId);}return true;
}
/*OnSverrNotice函数处理的数据包格式如下1E 06 0006 11 00 00 00 70 6C 61 79 5F 70 6F 69 6E 74 5F 73 6F 75 6E 64 0006 01 00 00 00 0004 2C 92 87 C504 FA 03 BF 4204 33 14 BD 4502 00 00 00 001E 06 00 是 PNR_NOTICE_HEAD06 11 00 00 00 70 6C 61 79 5F 70 6F 69 6E 74 5F 73 6F 75 6E 64 00是一个EnCode06 01 00 00 00 00是一个EnCode04 2C 92 87 C5是一个EnCode04 FA 03 BF 42是一个EnCode04 33 14 BD 45是一个EnCode02 00 00 00 00是一个EnCode
*/
bool NetClient::OnSverNotice(char*& buff, unsigned& len) {PNR_NOTICE_HEAD head = (PNR_NOTICE_HEAD)(buff - 1);int icount = head->count;char* buffStart = (char*)head + sizeof(NR_NOTICE_HEAD);if (icount < 1) {return true;}if (icount > MAX_RECV_COUNT) {
#ifdef Anlyanly->SendData(TTYPE::I_DIS, S_NOTICE, "S_NOTICE 解码器内存不足", 24);
#endifreturn true;}#ifdef AnlyGameAnlyer->AnlyBuff(buffStart, buff + len, buff[0], 1);
#endifint stDecode = 0;EnCode codes[MAX_RECV_COUNT]{};while (stDecode < icount) {codes[stDecode++] = buffStart;}return Client->OnSvrNotice((PNET_SEND_CHEAD)codes, icount, buff, len);
}
bool NetClient::OnSvrStartCreateRole(char*& buff, unsigned& len) {short* _st = (short*)&buff[1];wchar_t* _txt = (wchar_t*)&buff[3];
#ifdef AnlyCString txt;CStringA txtA;txt.Format(L"code:%d\r\n%s", _st[0], _txt);txtA = txt;//AfxMessageBox(txtA);anly->SendData(TTYPE::I_DIS, S_CREATEROLE_START, txtA.GetBuffer(), txt.GetAllocLength() + 1);
#endif/*Client->OnSendCustom((PNET_SEND_CHEAD)codes, buff, len); 数据包传给虚函数如果想对0A开头的据包做些什么直接继承NetClient重写OnSendCustom函数既可以了*/return Client->OnScrStartCreateRole(_st[0], _txt);
}
NetClient.h文件的修改:新加 Teleport函数、MoveJump函数、MoveWJump函数
#pragma once
#include "NetClass.h"
#include "GameWinSock.h"
#include "AIM.h"#define CAMP_NAME_QH "xuanrenQH"
#define CAMP_NAME_ZE "xuanrenZQ"#define MAX_AIM 0x200class NetClient // 监视客户端每一个操作
{typedef bool (NetClient::* DATAPROC)(char*&, unsigned&);
public:AIM Player; // 玩家角色/* 怪物列表,最好排序,使用lId排序,然后使用二分查找实现快速查询结构用链表或者数组都可以怪物或附近玩家这种东西不可能会很多如果太多电脑处理不过来,所以数组设置为0x100大小差不多够用*/PAIM Aimlst[MAX_AIM]{};// 用来控制飞天bool HideMode;
protected:POBJ_DESC ObjectTable = nullptr;// 游戏的数据类型表char* ObjectTxt = nullptr;DATAPROC SendProc[0x100];DATAPROC RecvProc[0x100];bool DefaultProc(char*&, unsigned&);
protected: // 消息处理函数-SENDbool OnClientlogin(char*& buff, unsigned& len); // 登录数据包的处理 I_LOGINbool OnClientStartCreateRole(char*& buff, unsigned& len); // 申请进入创建角色界面 I_CREATEROLE_STARTbool OnClientDelRole(char*& buff, unsigned& len);bool OnClientSendCustom(char*& buff, unsigned& len);bool OnClientCreateRole(char*& buff, unsigned& len);bool OnClientSelectRole(char*& buff, unsigned& len);
protected: // 消息处理函数-RECVbool OnSvrTips(char*& buff, unsigned& len);bool OnSvrloginOk(char*& buff, unsigned& len);bool OnSvrStartCreateRole(char*& buff, unsigned& len);bool OnSverNotice(char*& buff, unsigned& len);bool OnSverObject(char*& buff, unsigned& len);bool OnSverStruct(char*& buff, unsigned& len);bool OnSvrObjectInit(char*& buff, unsigned& len);bool OnSvrObjectInitEx(char*& buff, unsigned& len);bool OnSvrUpdateCord(char*& buff, unsigned& len);bool OnSvrUpdateProperty(char*& buff, unsigned& len);bool OnSvrUpdatePropertyMu(char*& buff, unsigned& len);bool OnSvrRemoveObjectMu(char*& buff, unsigned& len);bool OnSvrUpdateCordEx(char*& buff, unsigned& len);private:GameWinSock* WinSock;PROLEDATA roles;unsigned rolecount;bool logined = false;bool DelRole(const wchar_t* rolename, unsigned _len);PAIM GetAimById(long long lId);PAIM CreateAim();void RemoveAimById(long long lId);
public:// 通过角色名获取附近角色的信息PAIM GetAimByName(const wchar_t* name);// 获取面向float GetFace(float x, float y, float targetX, float targetY);// 通过附近角色名获取它的信息,然后通过它的信息里的坐标,再通过我们角色坐标计算面向,效果就是面向 GetAimByName(name); 这个角色void FaceTo(const wchar_t* name);
public:void virtual Init(GameWinSock * _winSock);// 模拟接收的数据包bool SetCoord(long long lId, float x, float h, float y, float face);bool SetProperty(long long lId, int ProType, void* value);/*模拟登陆的方法Id是账号Pass是密码它要基于发送的方法实现,因为我们没有连接socket的操作*/bool login(const char* Id, const char* Pass);bool DelRole(const wchar_t* rolename);bool StartCreateRole();// 用于创建角色bool SelectCamp(const char* _campname);// 选择阵营bool CreateRole(wchar_t* name,double sex, double camp, double face, double occu, const char* photo, const char*infos, const char* txt, double faceShape);// 角色创建// 选择角色并且登录进游戏bool SelectRole(const wchar_t* rolename);// 坠落bool Fall();// 瞬移void Teleport(float x, float h, float y, float face);// 模拟停止bool MoveStop(float x, float h, float y, float face);// 原地跳bool MoveJump(float x, float h, float y, float face, float oldy, float xNext, float yNext);// 移动开始bool MoveWalk(float x, float h, float y, float face, float oldy, float xNext, float yNext);// 应该是移动时跳跃bool MoveWJump(float x, float h, float y, float face, float oldy, float xNext, float yNext);// 根据角色名字获取一个登录成功数据包(选择角色列表里的一个数据)PROLEDATA GetRoleByName(const wchar_t* rolename);bool Talk(wchar_t* txt, int PdId = 1, double un = 0.0);bool TalkTo(wchar_t* name, wchar_t* txt, double un = 0.0);bool HeartBeep();// 心跳数据包(5秒)bool HeartLoop();// 延迟心跳数据包(20秒)bool Backtoroles(); // 返回到选择角色界面
public:// 用于拦截游戏删除角色功能bool virtual OnDelRole(wchar_t* rolename, unsigned _len);// 用于拦截游戏登录功能void virtual Onlogin(const char* Id, const char*Pass);// 用于拦截游戏创建角色功能bool virtual OnStartCreateRole(int code);// 拦截创建角色bool virtual OnCreateRole(PNS_CREATEROLE _header, PCREATE_ROLE_DATAS _body);// opcode意思是操作码,count意思是数量,buffStart意思是解码的内容开始,buffend意思是解码的内容结束,buffer是原始的数据,len是原始数据的长度// char& buffer, int& len这俩参数带&的原因是,在 OnSendCustom 里进行修改之后,通过&的方式传递回去bool virtual OnSendCustom(PNET_SEND_CHEAD _coder, char*& buffer, unsigned& len);bool virtual OnSelectRole(wchar_t* rolename);
public:// 针对SendCustom的单独处理bool virtual OnChooseCamp(PNS_CHOOSECAMP _coder);bool virtual OnChat(PCHAT_DATA _coder);bool virtual OnChatPublic(PCHAT_PUB _coder);bool virtual OnChatPrivate(PCHAT_PRV _coder);bool virtual OnHeartBeep(PHEART_BEEP _coder);bool virtual OnHeartLoop(PHEART_LOOP _coder);// 分发移动处理函数bool virtual OnMove(PMOVE_DATA _coder);// 移动中处理函数bool virtual OnMoveWalk(PMOVE_DATA_WALK _coder);// 停止移动处理函数bool virtual OnMoveStop(PMOVE_DATA_STOP _coder);// 跳跃处理函数bool virtual OnMoveJump(PMOVE_DATA_JUMP _coder);// 移动时跳跃bool virtual OnMoveWJump(PMOVE_DATA_WJUMP _coder);// 分发坠落函数bool virtual OnFall(PFALL_DATA_START _coder);// 针对Notice的单独处理bool virtual OnSvrChat(PCHAT_PRV _coder);public:// 处理失败,参数是错误码bool virtual Tips(int code);void virtual loginok(ROLE_DATA* _roles, int count);bool virtual OnScrStartCreateRole(short code,wchar_t* _txt);bool virtual OnSvrNotice(PNET_SEND_CHEAD _coder, int count, char*& buffer, unsigned& len);
public:bool virtual OnRecvData(char*& buff, unsigned& len);bool virtual OnSendData(char*& buff, unsigned& len);bool virtual OnConnect(char*& ip, unsigned& port);};
这篇关于83.网络游戏逆向分析与漏洞攻防-移动系统分析-游戏瞬移漏洞的测试与分析的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!