```
[hook_aimbot]
79a03df660 is in libUE4.so offset: 0x98ec660
799fcf0b8c is in libUE4.so offset: 0x91fdb8c
799d2c1bb0 is in libUE4.so offset: 0x67cebb0
799d2c1730 is in libUE4.so offset: 0x67ce730
799d2c0e24 is in libUE4.so offset: 0x67cde24
799fcecc04 is in libUE4.so offset: 0x91f9c04
799fcea3bc is in libUE4.so offset: 0x91f73bc
799f82e760 is in libUE4.so offset: 0x8d3b760
799f6f98f0 is in libUE4.so offset: 0x8c068f0
799d93f614 is in libUE4.so offset: 0x6e4c614
799c5ee728 is in libUE4.so offset: 0x5afb728
799c5e83bc is in libUE4.so offset: 0x5af53bc
799c5e6514 is in libUE4.so offset: 0x5af3514
```
After clicking (firing), a different call stack appears, this one passing through 0x670f3fc:

```
[hook_aimbot]
799d2f83fc is in libUE4.so offset: 0x670f3fc
7a136f0c94 is in libart.so offset: 0x2e6c94
799d2f8eb0 is in libUE4.so offset: 0x670feb0
799fe51e38 is in libUE4.so offset: 0x9268e38
799fe4fe04 is in libUE4.so offset: 0x9266e04
799fb8958c is in libUE4.so offset: 0x8fa058c
799fb886f4 is in libUE4.so offset: 0x8f9f6f4
799d3b9420 is in libUE4.so offset: 0x67d0420
799fb88374 is in libUE4.so offset: 0x8f9f374
799f49b7bc is in libUE4.so offset: 0x88b27bc
799fb90358 is in libUE4.so offset: 0x8fa7358
799fde6b8c is in libUE4.so offset: 0x91fdb8c
799d3b7bb0 is in libUE4.so offset: 0x67cebb0
799d3b7730 is in libUE4.so offset: 0x67ce730
799d3b6e24 is in libUE4.so offset: 0x67cde24
799fde2c04 is in libUE4.so offset: 0x91f9c04
```
Try patching out the function that contains 0x670f3fc, namely 0x670F110. After that, clicking no longer snaps the aim to a fixed spot, but no bullet is fired either. From this we guess that 0x670F110 is the shooting callback and that the aimbot logic lives inside it. Denote 0x670F110 as process_before_shoot.

```javascript
// Replace the whole function with a stub that just returns 1
Interceptor.replace(base.add(0x670F110), new NativeCallback(() => {
    return 1;
}, "int", []))
```
Inside 0x670F110, working upward from the call to mb_aimbot, it turns out that whether mb_aimbot is called is decided by sub_680B790(v32, "E"). Hook sub_680B790 and print its arguments and return value. Note: a hexdump shows the arguments are UTF-16 encoded strings, so readUtf16String must be used.

```javascript
function hook_680B790() {
    Interceptor.attach(base.add(0x680B790), {
        onEnter: function(args) {
            this.a1 = args[1];
            console.log("a0: ", args[0].readUtf16String());
            console.log("a1: ", args[1].readUtf16String());
        },
        onLeave: function(retval) {
            console.log("res: ", retval);
        }
    })
}
```
The output is shown below. It is evidently a string comparison function: res is the difference between the first non-matching characters of a0 and a1, and 0 when the strings are equal (case-insensitive). Denote sub_680B790 as utf16_cmp.

Notice that the earlier calls all compare against EditorCube8, which is clearly the aimbot target:

```
a0: BigWall
a1: EditorCube8
res: 0xfffffffd
a0: BigWall2
a1: EditorCube8
res: 0xfffffffd
a0: EditorCube10
a1: EditorCube8
res: 0xfffffff9
a0: EditorCube11
a1: EditorCube8
res: 0xfffffff9
a0: EditorCube12
a1: EditorCube8
res: 0xfffffff9
a0: EditorCube13
a1: EditorCube8
res: 0xfffffff9
a0: EditorCube14
a1: EditorCube8
res: 0xfffffff9
a0: EditorCube15
a1: EditorCube8
res: 0xfffffff9
a0: EditorCube16
a1: EditorCube8
res: 0xfffffff9
a0: EditorCube17
a1: EditorCube8
res: 0xfffffff9
a0: EditorCube18
a1: EditorCube8
res: 0xfffffff9
a0: EditorCube19
a1: EditorCube8
res: 0xfffffff9
a0: EditorCube20
a1: EditorCube8
res: 0xfffffffa
a0: EditorCube21
a1: EditorCube8
res: 0xfffffffa
a0: EditorCube8
a1: EditorCube8
res: 0x0
a0: EditorCube9
a1: EditorCube8
res: 0x1
a0: Floor_12
a1: EditorCube8
res: 0x1
a0: Wall1
a1: EditorCube8
res: 0x12
a0: Wall2_11
a1: EditorCube8
res: 0x12
a0: Wall3
a1: EditorCube8
res: 0x12
a0: Wall4
a1: EditorCube8
res: 0x12
a0: ../../../MyProject/Saved/Config/Android/Engine.ini
a1: ../../../MyProject/Saved/Config/Android/Engine.ini
res: 0x0
a0: true
a1: True
res: 0x0
a0: Android
a1: Android
res: 0x0
a0: Android
a1: Android
res: 0x0
a0: Android
a1: Android
res: 0x0
```
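To check that the inferred semantics of utf16_cmp really explain the hook output, here is a small model of the compare (added example, not code from the writeup) replayed over a few of the logged a0/a1/res triples. The NUL-padding of the shorter string and the ASCII-only case folding are assumptions; the log lines are copied from the output above.

```javascript
// Added example, not from the writeup: model the compare semantics the hook
// output suggests for sub_680B790 (utf16_cmp) and check it against the log.

// Fold ASCII letters to lower case; "true" vs "True" -> 0 in the log shows the
// compare is case-insensitive. (Folding only ASCII letters is an assumption.)
function foldCase(code) {
  return code >= 0x41 && code <= 0x5a ? code + 0x20 : code;
}

// Inferred semantics: signed difference of the first pair of UTF-16 code units
// that differ after case folding, 0 when the strings match. A string that ends
// first contributes a NUL (0) code unit (assumption: NUL-terminated input).
function utf16Cmp(a0, a1) {
  const n = Math.max(a0.length, a1.length);
  for (let i = 0; i < n; i++) {
    const c0 = i < a0.length ? foldCase(a0.charCodeAt(i)) : 0;
    const c1 = i < a1.length ? foldCase(a1.charCodeAt(i)) : 0;
    if (c0 !== c1) return c0 - c1;
  }
  return 0;
}

// Frida printed the return register as an unsigned 32-bit value, so -3 shows
// as 0xfffffffd. Reproduce that rendering so we can compare with the log verbatim.
function asLoggedHex(value) {
  return "0x" + (value >>> 0).toString(16);
}

// Constructed sample: a0/a1/res triples copied from the hook output above.
const HOOK_LOG = [
  "a0: BigWall", "a1: EditorCube8", "res: 0xfffffffd",
  "a0: EditorCube10", "a1: EditorCube8", "res: 0xfffffff9",
  "a0: EditorCube20", "a1: EditorCube8", "res: 0xfffffffa",
  "a0: EditorCube9", "a1: EditorCube8", "res: 0x1",
  "a0: Wall2_11", "a1: EditorCube8", "res: 0x12",
  "a0: true", "a1: True", "res: 0x0",
];

// Replay the log through the model; return the triples the model gets wrong.
function findModelMismatches(lines) {
  const bad = [];
  for (let i = 0; i + 2 < lines.length; i += 3) {
    const a0 = lines[i].slice(4);        // strip "a0: "
    const a1 = lines[i + 1].slice(4);    // strip "a1: "
    const res = lines[i + 2].slice(5);   // strip "res: "
    const predicted = asLoggedHex(utf16Cmp(a0, a1));
    if (predicted !== res) bad.push({ a0, a1, logged: res, predicted });
  }
  return bad;
}

console.log(findModelMismatches(HOOK_LOG)); // → [] when the model holds
```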
Try forcing the return value to a fixed value greater than 0 whenever a1 is EditorCube8:

```javascript
Interceptor.attach(base.add(0x680B790), {
    onEnter: function(args) {
        this.a1 = args[1];
    },
    onLeave: function(retval) {
        // Make the target-name compare fail so mb_aimbot is not called
        if (this.a1.readUtf16String() == "EditorCube8") {
            retval.replace(5);
        }
    }
})
```
The result: shooting no longer auto-aims at the designated target, but the pistol tilts upward after each shot, something like recoil? Not sure whether that counts as an anomaly.

Now a brief look at how the aimbot is implemented.

Starting from process_before_shoot, it first iterates over the aimbot targets. It then calls calcTargetOffset to compute the aim value and uses that value to set CameraRotation (the rotation of the character's camera, turned to face the target to produce the aimbot effect).

calcTargetOffset is implemented roughly as follows: it works from the vector between the target's location and the character's location.

```javascript
function calcTargetOffset(targetLoc, cameraLoc) {
    // vector from the camera/character to the target
    let x = targetLoc.x - cameraLoc.x;
    let y = targetLoc.y - cameraLoc.y;
    let z = targetLoc.z - cameraLoc.z;
    let angleX = 0; // yaw in degrees, 0..360, built up per quadrant
    let angleY = 0; // pitch in degrees
    if (x > 0 && y == 0) angleX = 0;
    if (x > 0 && y > 0) angleX = Math.abs(Math.atan(y / x)) / Math.PI * 180;
    if (x == 0 && y > 0) angleX = 90;
    if (x < 0 && y > 0) angleX = 90 + Math.abs(Math.atan(x / y)) / Math.PI * 180;
    if (x < 0 && y == 0) angleX = 180;
    if (x < 0 && y < 0) angleX = 180 + Math.abs(Math.atan(y / x)) / Math.PI * 180;
    if (x == 0 && y < 0) angleX = 270;
    if (x > 0 && y < 0) angleX = 270 + Math.abs(Math.atan(x / y)) / Math.PI * 180;
    if (angleX < 0) {
        angleX += 360;
    }
    if (angleX > 360) {
        angleX -= 360;
    }
    // pitch: elevation of the target over the horizontal distance
    angleY = Math.atan(z / Math.sqrt(x * x + y * y)) / Math.PI * 180;
    if (angleY < 0) {
        angleY += 360;
    }
    return [angleY, angleX, 0]; // [pitch, yaw, roll]
}
```
Anomalous bullet spawn position

It is plainly visible that the starting position of each bullet is random. The guess is that it is related to GunOffset in MyProjectCharacter:

```
Class: MyProjectCharacter.Character.Pawn.Actor.Object
// ...
Vector GunOffset;//[Offset: 0x500, Size: 0xc]
```

Set a hardware breakpoint (read) on GunOffset. It is hit at the following two addresses:

```
// libUE4 base: 6f6c74e000
1. PC: 0x6F7307EA6C (0x6930A6C) LR: 0x6F7307EA68
2. PC: 0x6F7307EA7C (0x6930A7C) LR: 0x6F7307EA68
```
The function containing 0x6930A6C is sub_6930A3C. Hook sub_6930A3C and print the call stack. In that stack, 0x670f658 lies inside the function at 0x670F110 (i.e. process_before_shoot).