Tibiasock.dll - The new Packet.dll [Archive] - Forums




DarkstaR
10-24-2011, 02:33 AM
Tibiasock.dll exploits code and data injection in order to inject packets into Tibia's incoming and outgoing buffers. Tibiasock allows Tibia to handle all encryption and checksums - it only requires 5 addresses to update for both incoming and outgoing packet injection. It is written in C++ and can be used from any language. The reason I decided to develop this library is because the current Packet.dll is lacking ASLR and is quite old. I feel that a new library with some added functionality is a good thing.

General Export Prototypes

DWORD GetProcessImageBase(HANDLE process)
void SendPacketToServer(HANDLE process, BYTE* dataBuffer, int length)
void SendPacketToClient(HANDLE process, BYTE* dataBuffer, int length)

Extended Export Prototypes

void SendPacketToClientEx(HANDLE process, BYTE* dataBuffer, int length, DWORD RecvStream, DWORD ParserCall)
void SendPacketToServerEx(HANDLE process, BYTE* dataBuffer, int length, DWORD SendStreamData, DWORD SendStreamLength, DWORD SendPacketCall)
Tibiasock can be statically updated, or it can be used across versions dynamically using the extended exports. These exports allow you to pass the required addresses (ASLR aligned) into the functions at execution time. Lastly, Tibiasock exports functionality to easily obtain a process's image base.

In order to use Tibiasock, the process handle you pass must have the following access

PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
Make sure to create your packets wisely - any wrong incoming packets can cause debugs and any wrong outgoing packets can cause bans.

I would appreciate it if different users could post different examples in different languages of how to use this. A C++ example can be found in the source code, where I also have a test project.
Source code repository: http://code.google.com/p/tibiasock/

klusbert
10-24-2011, 02:50 AM
I really love it. I am trying right now to make it work with VB.NET. But does *byte convert to VB.NET as ByRef buffer() As Byte?
EDIT: I am really tired now, so do not flame me :)

DarkstaR
10-24-2011, 02:51 AM
Try to use IntPtr and pass AddressOf(Array[0]), I think. It's probably the same way packet.dll worked as far as the buffer goes. Haven't touched VB in ages.

Dark Pallys
10-24-2011, 03:03 AM
Call it the same way you called packet.dll ... Array(0)

klusbert
10-24-2011, 03:11 AM
Call it the same way you called packet.dll ... Array(0)


Well, I do it and I can't get it to work. Am I just stupid?


Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (ByVal handle As Integer, ByRef bytes As Byte, ByVal lenght As Integer)
SendPacketToServer(Tibia, packet.Data(0), packet.Length)

Dark Pallys
10-24-2011, 03:25 AM
What error is it giving you?

Milice
10-24-2011, 03:29 AM
Awesome job! ^^

klusbert
10-24-2011, 03:32 AM
Wrong arguments. :S But as I said I am freaking tired.
EDIT: now the client crashes.

Dark Pallys
10-24-2011, 03:33 AM
what is "Tibia" ? The first argument.. is that one correct?

klusbert
10-24-2011, 03:56 AM
what is "Tibia" ? The first argument.. is that one correct?


it is the handle.

DarkstaR
10-24-2011, 04:22 AM
Did you try using intptr and addressof as I previously stated?

Dark Pallys
10-24-2011, 04:22 AM
Yeah.. but could that be the problem?

klusbert
10-24-2011, 04:24 AM
Did you try using intptr and addressof as I previously stated?


I am sorry but I do not really understand that part. :S

DarkstaR
10-24-2011, 04:27 AM
Yeah.. but could that be the problem?


Well, in C++ arrays are simply pointers. This means a BYTE* (BYTE[]) is actually an address to a buffer in memory when referenced with no indexer. All the indexer does is increase that address by SizeOf(Type) * Index and read from that address. So, since the DLL is loaded into memory when called, it has access to the memory of Klusberts program. This means that by passing the address of his buffer using AddressOf, he is simulating passing it as a native BYTE*.


@Klusbert: Do both of the following things
Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (ByVal handle As Integer, ByRef bytes As IntPtr, ByVal lenght As Integer)

SendPacketToServer(Tibia, AddressOf(packet.Data(0)), packet.Length)
SendPacketToServer(Tibia, AddressOf(packet.Data), packet.Length)

One of them should work.

klusbert
10-24-2011, 05:03 AM
Sorry, they don't. I'm trying more tomorrow, I'm dead :P

DarkstaR
10-24-2011, 05:31 AM
Oh, I may have forgotten to mention that you do not begin your packet with the 2-BYTE length. Everything is done for you. You provide a literally RAW packet.

EDIT:
I am also unable to get this working with VB. Tomorrow I will try to update the library and see if I can get it working. I believe it has something to do with the differences in the way memory is managed using the .NET CLR as opposed to native code.

Dark Pallys
10-24-2011, 06:26 AM
I doubt this is the problem.. but it may have something to do with Safe Arrays, I know they are used in vb6, not sure about vb.net though

Dark Pallys
10-24-2011, 07:24 PM
Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (ByVal handle As IntPtr, ByRef bytes As Byte, ByVal lenght As Integer)
or

Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (ByVal handle As IntPtr, ByRef bytes As Byte(), ByVal lenght As Integer)
or

Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (ByVal handle As IntPtr, ByRef bytes() As Byte, ByVal lenght As Integer)
I can't remember where the bracket goes lol



dim phandle as IntPtr= openprocess(.....)
dim bpacket(2) as byte
dim plength as integer

bpacket(0) = &H1
bpacket(1) = &H96
bpacket(2) = &H1

' bpacket(2) declares three elements (0 to 2), so Length is already 3;
' subtracting 1 would drop the last byte of the packet
plength = bpacket.length


SendPacketToServer(phandle, bpacket(0), pLength)
'or
SendPacketToServer(phandle, bpacket, pLength)


AddressOf is only used for functions.. unlike in vb6.. the other option would be to use Marshall GHAlloc.. etc

I'm not sure if this code will work.. it *should* work.. but yeah..
I was using a similar code and it kept freezing tibia.. so who knows wtf is going on :/

it's 6am here, and I'm a weeeee bit tired :P can't be bothered thinking about this anymore

DarkstaR
10-24-2011, 08:03 PM
Yeah like I said any misuse can go quite bad. I may add valid read checks etc.

Ah yeah, in VB.net I tried marshaling raw data and copying the buffer over and passing that intptr, still didn't work. I have a lot to get done by the end of the day so I might not get a fixed version today, but I will soon.

CristoferMartins
10-25-2011, 12:56 AM
Cool library, Darkstar. I've done a library similar to yours in Delphi, using yaboomaster's method to send packets to the server (like you) and the RecvStream method (stepler). But I got some trouble injecting procedures, I really don't remember.

Anyway, I really like this. It has been a long time that we have been needing a library to send packets to the client, even if it is implemented in C++ (I really don't like it, personal opinion).

Sketchy
10-25-2011, 09:37 AM
The problem is due to passing the buffer by reference, which causes the marshaller to pass a pointer to the data pointer instead of the data pointer itself, which is what you want passed; essentially you are marshalling the buffer as a (BYTE**). If you change it to pass by value, however, it will pass the data pointer, so this should work:


Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (ByVal clientHandle As IntPtr, ByVal packetBuffer As Byte(), ByVal packetLength As Integer)
(Note - Writing it like "ByVal packetBuffer() As Byte" will also work just fine, I prefer the () after the type though. You also don't need to include the ByVal as VB assumes this by default if left blank.)


Anyway these should be the correct definitions for all 5 functions in both C# and VB.NET -


[DllImport("Tibiasock.dll")]
static extern int GetProcessImageBase(IntPtr clientHandle);

[DllImport("Tibiasock.dll")]
static extern void SendPacketToServer(IntPtr clientHandle, byte[] packetBuffer, int packetLength);

[DllImport("Tibiasock.dll")]
static extern void SendPacketToClient(IntPtr clientHandle, byte[] packetBuffer, int packetLength);

[DllImport("Tibiasock.dll")]
static extern void SendPacketToClientEx(IntPtr clientHandle, byte[] packetBuffer, int packetLength, int RecvStream, int ParserCall);

[DllImport("Tibiasock.dll")]
static extern void SendPacketToServerEx(IntPtr clientHandle, byte[] packetBuffer, int packetLength, int SendStreamData, int SendStreamLength, int SendPacketCall);


Public Declare Function GetProcessImageBase Lib "Tibiasock.dll" (clientHandle as IntPtr) as Integer

Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (clientHandle As IntPtr, packetBuffer As Byte(), packetLength As Integer)

Public Declare Sub SendPacketToClient Lib "Tibiasock.dll" (clientHandle As IntPtr, packetBuffer As Byte(), packetLength As Integer)

Public Declare Sub SendPacketToClientEx Lib "Tibiasock.dll" (clientHandle As IntPtr, packetBuffer As Byte(), packetLength As Integer, recvStream As Integer, parserCall As Integer)

Public Declare Sub SendPacketToServerEx Lib "Tibiasock.dll" (clientHandle As IntPtr, packetBuffer As Byte(), packetLength As Integer, sendStreamData As Integer, sendStreamLength As Integer, sendPacketCall As Integer)

Dark Pallys
10-25-2011, 09:55 AM
still not working :/ it just freezes tibia

Dark Pallys
10-25-2011, 10:26 AM
I am converting the code to vb.net haha.. Tibia is still freezing with my code though >.>

Dark Pallys
10-25-2011, 11:48 AM
FUCK YEAH! :D I successfully converted it to vb.net :)

Thanks Darkstar! :)

edit: dammit.. well not quite.. I mean, it's sending the packets, but it's not sending the correct packet lol.. but it injects the packet without crashing the client! :D

edit2: Fixed it! I didn't do Marshal.Copy properly hahaha

Sketchy
10-25-2011, 12:14 PM
The definitions I posted do work, I've tested SendPacketToServer in both C# and VB.NET without problems. How were you calling the function and creating your packet? Keep in mind that Dark mentioned they should be raw packets with no header or junk bytes.

This is what I did to make my character walk north:

Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (clientHandle As IntPtr, packetBuffer As Byte(), packetLength As Integer)

Dim packet As Byte() = New Byte() {&H65}
SendPacketToServer(process, packet, packet.Length)
Alternatively I figured out that this way works fine for me as well (and I also figured out I do not much like VB.NET, too used to C#):

Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (clientHandle As IntPtr, ByRef packetBuffer As Byte, packetLength As Integer)

Dim packet As Byte() = New Byte() {&H65}
SendPacketToServer(process, packet(0), packet.Length)

Dark Pallys
10-25-2011, 12:57 PM
Your code still crashes my client for some reason :/

Anyway, I've converted the dll to vb.net :P SendToClient & SendToServer

klusbert
10-25-2011, 04:56 PM
The definitions I posted do work, I've tested SendPacketToServer in both C# and VB.NET without problems. How were you calling the function and creating your packet? Keep in mind that Dark mentioned they should be raw packets with no header or junk bytes.

This is what I did to make my character walk north:

Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (clientHandle As IntPtr, packetBuffer As Byte(), packetLength As Integer)

Dim packet As Byte() = New Byte() {&H65}
SendPacketToServer(process, packet, packet.Length)
Alternatively I figured out that this way works fine for me as well (and I also figured out I do not much like VB.NET, too used to C#):

Public Declare Sub SendPacketToServer Lib "Tibiasock.dll" (clientHandle As IntPtr, ByRef packetBuffer As Byte, packetLength As Integer)

Dim packet As Byte() = New Byte() {&H65}
SendPacketToServer(process, packet(0), packet.Length)


still freezes the client. I dont know what it could be.



Dim proc As Process = Process.GetProcessesByName("tibia").First
handle = OpenProcess(PROCESS_ALL_ACCESS, 0, CUInt(proc.Id))

CristoferMartins
10-25-2011, 05:50 PM
Cool library, Darkstar. I've done a library similar to yours in Delphi, using yaboomaster's method to send packets to the server (like you) and the RecvStream method (stepler). But I got some trouble with synchronization, I really don't remember.

Anyway, I really like this. It has been a long time that we have been needing a library to send packets to the client, even if it is implemented in C++ (I really don't like it, personal opinion).

Dark Pallys
10-26-2011, 01:10 AM
Here's the VB.NET implementation of Tibiasock.. I have removed the 'length' parameter from the Send functions, it's unnecessary.
Keep in mind that the code has no error checking whatsoever.. so if you pass in an invalid handle, or packet, Tibia and your program may crash.

DarkstaR
10-26-2011, 01:20 AM
Glad you guys got it working and found a use for it.
Dark Pallys, if you would like to create a full .DLL project for .NET applications and add it to the main solution you're more than welcome, I can give you rights to commit. Either that or start your own branch.

klusbert
10-26-2011, 09:41 AM
Nice DP! But do not credit me for the networkclass it is a ripoff from tibiaApi :)

klusbert
10-26-2011, 02:30 PM
Glad you guys got it working and found a use for it.
Dark Pallys, if you would like to create a full .DLL project for .NET applications and add it to the main solution you're more than welcome, I can give you rights to commit. Either that or start your own branch.


Lol, don't you have to do any encryption? I haven't looked at the source until now :P

taylor
10-28-2011, 11:01 AM
Is this packet library the same as tibiaapi?

Does it work in VB.Net?

Dark Pallys
10-28-2011, 02:55 PM
Is this packet library the same as tibiaapi?

Does it work in VB.Net?


This code/dll is used to send packets to and from the client generated by your program.. Tibia API has a similar implementation of this :)

[portuguese]
This dll and the code I posted on the previous page are for sending packets in Tibia.. you can try to use the dll in vb.net, I tried, but it gave an error in Tibia.. I converted the code to vb.net (see page 3)
[/portuguese]

klusbert
10-29-2011, 04:11 PM
But it does not work for me. I was trying to send a message, and sometimes my character moved, and sometimes it opened a new chat window.

maozao
10-30-2011, 03:01 PM
I'm not that good with packets etc, but, would be possible to use it only to read the packets without the need to send the incoming packet to the client or the outgoing packet to the server? Only to read the data and store somewhere.

DarkstaR
10-30-2011, 06:04 PM
It's very possible to externally capture packet data, but with a very different method than this.
The method would consist of returning out of Tibia's parser loop prematurely. You would then have CreateRemoteThread() call their GetNextPacket() using a small cave and wait with WaitForSingleObject. You would loop this indefinitely. When a packet was found, you would analyze the data, then pass it to Tibia. This would be done by overwriting your premature RETN and waiting for Tibia to call the function. Modifying the stack to have it return into a codecave which creates a remote thread and jumps back to the right spot is how you could ensure you see all the data that passes through.

It's a method that's far above most coders here, but it can easily be done. One day I may write another proof-of-concept with just this.

taylor
10-30-2011, 10:22 PM
And so what is the state, does tibiasock work in vb.net?

Dark Pallys
10-31-2011, 03:54 AM
Taylor, look on the previous pages where I posted the code of this dll converted into vb.net, with examples..

Sketchy
10-31-2011, 03:11 PM
Another idea to externally capture packets that I've just been messing around with today is to create a shared memory buffer that both your program and the client link to, you then completely redirect the client's incoming packet structure (position, length and buffer pointer) and the buffer itself to the shared memory (which is easier said than done). You then create two named events, one used by the client to signal your program of an incoming packet (eg: from within the GetNextPacket function) and the other used by your program to signal the client the current packet has been processed (analysed/modified/discarded).

The thing I like about this idea is the shared memory which both the client and your program have direct access to, this eliminates the need to copy data back and forth using the Read/Write memory APIs and as a result increases its efficiency. And it's just always nice thinking of different ways of doing the same thing :D.

Anyway like I said in the first sentence I've actually been messing around with this idea already today and have successfully created an implementation of this which not only allows me to analyse the incoming packets but completely manipulate or discard them (by adjusting the packet position). It's implemented as an injected DLL which works off 3 addresses (GetNextPacket call, XTEA decryption function and incoming packet structure) so it would be easy to keep updated. I'll probably release it after I refine the code, right now it's not much more than some sloppy proof-of-concept code that I quickly threw together.

jo3bingham
10-31-2011, 03:28 PM
Another idea to externally capture packets that I've just been messing around with today is to create a shared memory buffer that both your program and the client link to, you then completely redirect the client's incoming packet structure (position, length and buffer pointer) and the buffer itself to the shared memory (which is easier said than done). You then create two named events, one used by the client to signal your program of an incoming packet (eg: from within the GetNextPacket function) and the other used by your program to signal the client the current packet has been processed (analysed/modified/discarded).

The thing I like about this idea is the shared memory which both the client and your program have direct access to, this eliminates the need to copy data back and forth using the Read/Write memory APIs and as a result increases its efficiency. And it's just always nice thinking of different ways of doing the same thing :D.

Anyway like I said in the first sentence I've actually been messing around with this idea already today and have successfully created an implementation of this which not only allows me to analyse the incoming packets but completely manipulate or discard them (by adjusting the packet position). It's implemented as an injected DLL which works off 3 addresses (GetNextPacket call, XTEA decryption function and incoming packet structure) so it would be easy to keep updated. I'll probably release it after I refine the code, right now it's not much more than some sloppy proof-of-concept code that I quickly threw together.


Different ideas for the same function are always nice to see. And I like seeing your code, so I can't wait for you to release it so I can look it over, haha.

That sounds exactly like something DarkstaR tried when he first started working on XenoBot to get around the Windows 7 bug, but, if I'm not mistaken, a lot of users had problems with it. But I could be wrong, I'm sure he'll mention something when he reads it.

Sketchy
10-31-2011, 04:39 PM
I wouldn't be surprised if he (or someone else for that matter) has messed around with something like this, he's that type of programmer :D. I must say you have gotten me curious as to what exactly Dark tried and the problems that he had with it.

Anyway there are a few issues with doing it like this, the biggest would be potential deadlocking of the client (which is always fun to see :D, and is number one of my list of improvements), but nothing that I can think of that cannot be fixed in some way though.
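The shared-buffer handshake from the post above (one buffer plus two named events) and the deadlock concern raised in this reply, as an added example that is not code from the thread or from anyone in it: two threads stand in for the client and the analysing program, a bytearray stands in for the shared-memory region, and threading.Event stands in for the named events. The names PacketChannel, client_deliver, analyser_step and the sample packet bytes are all constructed here. The design point is the timeout on both waits: if the analyser dies, the client falls back to processing the packet unmodified instead of hanging, and the stale "arrived" signal is cleared so a restarted analyser cannot act on a packet the client has already consumed.

```python
import threading


class PacketChannel:
    """Constructed model of the handshake: one shared buffer, two events.

    'arrived' is the client -> analyser signal, 'done' is the analyser -> client
    signal. Both waits carry a timeout so that one side dying cannot hang the
    other forever (the deadlock the thread worries about).
    """

    def __init__(self, size=64, timeout=0.5):
        self.buffer = bytearray(size)      # stands in for the shared-memory region
        self.length = 0                    # bytes currently valid in buffer
        self.position = 0                  # read cursor the client resumes from
        self.arrived = threading.Event()   # client -> analyser
        self.done = threading.Event()      # analyser -> client
        self.timeout = timeout
        self.log = []

    # ---- client side -------------------------------------------------
    def client_deliver(self, packet):
        """Publish one packet and wait for the analyser's verdict.

        Returns False when the analyser did not answer in time; the stale
        'arrived' signal is cleared so a late analyser does not act on a
        packet the client has already gone ahead and used.
        """
        self.buffer[:len(packet)] = packet
        self.length = len(packet)
        self.position = 0
        self.done.clear()
        self.arrived.set()
        if not self.done.wait(self.timeout):
            self.arrived.clear()
            self.log.append("timeout: no answer from analyser, packet used unmodified")
            return False
        return True

    def client_consume(self):
        """The bytes the client's parser would actually process."""
        return bytes(self.buffer[self.position:self.length])

    # ---- analyser side -----------------------------------------------
    def analyser_step(self, policy):
        """Wait for one packet, apply policy, hand the buffer back.

        policy(packet) returns ("pass", None), ("discard", None) or
        ("modify", new_bytes). Discarding is done the way the post describes:
        the read position is moved to the end so the client sees nothing.
        """
        if not self.arrived.wait(self.timeout):
            return False
        self.arrived.clear()
        action, replacement = policy(bytes(self.buffer[:self.length]))
        if action == "discard":
            self.position = self.length
        elif action == "modify":
            self.buffer[:len(replacement)] = replacement
            self.length = len(replacement)
        self.done.set()
        return True


def run_handshake():
    """Three constructed packets: one passed through, one discarded, one rewritten."""
    chan = PacketChannel()
    packets = [b"\x10AAA", b"\x20BBB", b"\x30CCC"]   # constructed sample data

    def policy(pkt):
        if pkt[0] == 0x20:
            return "discard", None
        if pkt[0] == 0x30:
            return "modify", b"\x30ccc"
        return "pass", None

    worker = threading.Thread(target=lambda: [chan.analyser_step(policy) for _ in packets])
    worker.start()
    seen = []
    for pkt in packets:
        answered = chan.client_deliver(pkt)
        seen.append((answered, chan.client_consume()))
    worker.join()
    return seen


def run_without_analyser():
    """The deadlock case: nobody is listening, so the client must time out."""
    chan = PacketChannel(timeout=0.1)
    answered = chan.client_deliver(b"\x10AAA")
    return answered, chan.client_consume(), list(chan.log)


if __name__ == "__main__":
    print(run_handshake())
    print(run_without_analyser())
```

The real implementation would put the buffer in a file mapping and use named event objects, but the ordering rules are the same: the analyser must clear "arrived" before it signals "done", and the client must clear "done" before it signals "arrived", otherwise a signal from the previous packet can be mistaken for the current one.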

DarkstaR
10-31-2011, 10:26 PM
Using shared memory is a good idea, so far I've only used it to communicate via rootkits, never used it for anything within Tibia. The hardest part of what you're saying is redirecting Tibia's buffers, for some reason it is very highly temperamental about that since the 9.10 update. Even with a fully injected DLL, I cause debugs creating new instances of char arrays and deleting them. I think they converted their whole project to C++11 using shared_ptr and such to reference object/array pointers - this seems like it might be something you want to look at if you're using this method.

Also, deadlocking is a huge factor when doing this via shared memory, I would think. This is why I would use remote threads. Also, I found a way to improve my previous method.


Old GetNextPacket gets Codecave which automatically returns out unless a value of 1 is seen in remotely allocated memory, else it executes normally and changes the value to 0 -> CreateRemoteThread -> Thread watches data. When data is seen, it does a CreateRemoteThread with the same entry point as itself, but suspended. Thread exits with code of the suspended threads id -> External program sees the thread exits, processes data, spoofs where needed, and starts the returned thread -> Thread starts, sets value to 1, waits for Tibia to process it and starts over.

Wow, the code would be simpler than the explanation.

robssito
11-01-2011, 10:20 PM
I don't know if I could post some code about this beautiful dll in this thread, but here goes:
ps: I took and converted a bit from this topic: http://tpforums.org/forum/thread-6001.html

turn packet


Public Sub Turn(ByVal direction As String)
    Dim packet As New Util.Packet.NetworkMessageP
    packet.AddByte(&H1)
    packet.AddByte(&H0)
    Select Case direction.ToString().ToLower()
        Case "up"
            packet.AddByte(&H6F)
        Case "right"
            packet.AddByte(&H70)
        Case "down"
            packet.AddByte(&H71)
        Case "left"
            packet.AddByte(&H72)
    End Select
    SendPacketToServer(packet.RawData)
End Sub


logout packet


Public Sub Logout()
    Dim packet As New Util.Packet.NetworkMessageP
    packet.AddByte(&H1)
    packet.AddByte(&H0)
    packet.AddByte(&H14)
    SendPacketToServer(packet.RawData)
End Sub


attack packet


Public Sub Attack(ByVal id As Long)
    Dim packet As New Util.Packet.NetworkMessageP
    packet.AddByte(&H5)
    packet.AddByte(&H0)
    packet.AddByte(&HA1)

    packet.AddUInt32(id)
    packet.AddUInt32(id)
    packet.AddUInt32(id)
    packet.AddUInt32(id)

    SendPacketToServer(packet)
End Sub



Attack packet working...

Thanks for all!

Blaster_89
11-02-2011, 12:46 AM
attack packet


Public Sub Attack(ByVal id As Long)
    Dim packet As New Util.Packet.NetworkMessageP
    packet.AddByte(&H5)
    packet.AddByte(&H0)
    packet.AddByte(&HA1)

    packet.AddUInt32(id)
    packet.AddUInt32(id)
    packet.AddUInt32(id)
    packet.AddUInt32(id)

    SendPacketToServer(packet)
End Sub




What the fuck?

Dark Pallys
11-02-2011, 01:00 AM
What the fuck?


My exact words.. haha

robssito
11-02-2011, 01:33 AM
Attack packet I've found on the forum...
Changed on 9.31? D:

-
If i'm doing something wrong, please, tell me...

Sketchy
11-02-2011, 07:32 AM
It's because you are adding the creature ID to the packet 4 times when it should only be added once. And for 8.6+ clients there should also be a 32-bit count variable added after the ID.

Anyway I was looking a bit deeper into .NET marshalling and PInvoke last night and came to the realisation that the prototypes I posted didn't take the calling convention of the Tibiasock functions into account. By default PInvoke uses the stdcall convention whilst the functions are using cdecl, this of course results in the stack not getting cleaned. I don't believe this is the cause of the client crashes/freezes that DP and klusbert said they were experiencing as the stack should only be corrupted when the function finishes so it should at least fire off a single packet (interestingly though my test program works fine with either stdcall or cdecl). In any case the prototypes really should specify cdecl as the convention via the CallingConvention property of the DllImport attribute like below:


[DllImport("Tibiasock.dll", CallingConvention = CallingConvention.Cdecl)]
static extern void SendPacketToServer(IntPtr clientHandle, byte[] packetBuffer, int packetLength);


<DllImport("Tibiasock.dll", CallingConvention := CallingConvention.Cdecl)> _
Public Shared Sub SendPacketToServer(clientHandle As IntPtr, packetBuffer As Byte(), packetLength As Integer)
End Sub

DarkstaR
11-02-2011, 08:24 AM
Well, an improper calling convention would corrupt the stack within the calling program, not Tibia - so you're right assuming that's not the problem with client crashes..

Dark Pallys
11-02-2011, 09:39 AM
I should point out that I'm using Win7 64bit and when Tibia crashed, it wasn't a debug error with the pretty "Tibia DEBUG error message", the program freezes and Windows pops up a message saying that the program has stopped responding, etc etc

klusbert
11-02-2011, 09:51 AM
robssito you can read more about packets here --> http://tpforums.org/forum/thread-8772.html

robssito
11-02-2011, 11:06 AM
@Sketchy
Thanks :D





I should point out that I'm using Win7 64bit and when Tibia crashed, it wasn't a debug error with the pretty "Tibia DEBUG error message", the program freezes and Windows pops up a message saying that the program has stopped responding, etc etc


The same happens with me...

robssito
11-02-2011, 07:12 PM
A call to PInvoke function 'NameOfMyBot!NameOfMyBot.Packet.WinApi::ReadProcessMemory' has unbalanced the stack. This is likely because the managed PInvoke signature does not match the unmanaged target signature. Check that the calling convention and parameters of the PInvoke signature match the target unmanaged signature.

Lol, it is normal for a while, then when I reconnect the character I get this 0o
Tibia freezes on a white screen like DarkPallys said

Line error:
SendPacketToServerEx -> ReadProcessMemory(process, SendStreamLength, OldLength, 4, 0)

DarkstaR
11-02-2011, 07:22 PM
I might need to just change that to &OldLength, not sure how I did it.

robssito
11-02-2011, 08:36 PM
Ohh, also: I'm using the Dark Pallys class to vb.net...


@DarkstaR
It doesn't work...

Dim OldLength As Integer
ReadProcessMemory(process, SendStreamLength, OldLength, 4, 0)

N2wb1e
11-02-2011, 09:28 PM
I have tested the C++ version and Tibia simply freezes.
I'm using Windows 7

DarkstaR
11-02-2011, 09:39 PM
Works fine for me using C++

N2wb1e
11-02-2011, 11:33 PM
I don't know what is the problem

Dark Pallys
11-03-2011, 04:57 AM
Hey,
So I made a few changes to the .NET version, bundled it up in a dll, and created an example project of how to use the .NET version using the dll, and examples of using the Tibiasock module embedded into your program..

Note that now the functions take in the process id, not the process handle.


EDIT: Re-uploaded, now supports .NET Framework 4 :) Thanks klusbert!

klusbert
11-03-2011, 10:51 AM
Hey,
So I made a few changes to the .NET version, bundled it up in a dll, and created an example project of how to use the .NET version using the dll, and examples of using the Tibiasock module embedded into your program..

Note that now the functions take in the process id, not the process handle.


Really nice dp! I think most users will use this instead of the original, because it's easier to use in .NET.

And here is also a good proof that you can do ALOT of things in vb.net.

You should mention that it only works in .NET Framework 3.0. I've updated it to work with 4.0, but there's one bug on SendToClient right now; I've been so dumb lately, though, so that might be the problem.

Dark Pallys
11-03-2011, 11:00 AM
VB.Net and C# are *pretty much* equivalent.. only the syntax that is different and how lenient the language is.. but since they are both based off the .NET framework, nearly anything is directly interchangeable..

jompen
11-03-2011, 07:48 PM
Hey,
So I made a few changes to the .NET version, bundled it up in a dll, and created an example project of how to use the .NET version using the dll, and examples of using the Tibiasock module embedded into your program..

Note that now the functions take in the process id, not the process handle.



Great work! :)

klusbert
11-04-2011, 05:53 PM
I cleaned up your version dp, you had like 5 ReadProcessMemory functions, which I found very confusing. So I made it just a bit cleaner, and this works with .NET Framework 4 also, and I think it works with older frameworks too.

But still it's your and Darkstars work!



Imports System.Runtime.InteropServices
Public Module WinAPi
<DllImport("kernel32.dll")> _
Public Function SuspendThread(ByVal hThread As IntPtr) As UInteger
End Function
<DllImport("kernel32.dll")> _
Public Function OpenThread(ByVal dwDesiredAccess As ThreadAccess, ByVal bInheritHandle As Boolean, ByVal dwThreadId As UInteger) As IntPtr
End Function
<DllImport("kernel32.dll")> _
Public Function ReadProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, <[In](), Out()> ByVal buffer As Byte(), ByVal size As UInt32, ByRef lpNumberOfBytesRead As IntPtr) As Int32
End Function
<DllImport("kernel32.dll")> _
Public Function OpenProcess(ByVal dwDesiredAccess As UInt32, ByVal bInheritHandle As Int32, ByVal dwProcessId As UInt32) As IntPtr
End Function
<DllImport("kernel32.dll")> _
Public Function WriteProcessMemory(ByVal hProcess As IntPtr, ByVal lpBaseAddress As IntPtr, <[In](), Out()> ByVal buffer As Byte(), ByVal size As UInt32, ByRef lpNumberOfBytesWritten As IntPtr) As Int32
End Function
<DllImport("kernel32.dll")> _
Public Function CreateRemoteThread(ByVal hProcess As IntPtr, ByVal lpThreadAttributes As IntPtr, ByVal dwStackSize As UInteger, ByVal lpStartAddress As IntPtr, ByVal lpParameter As IntPtr, ByVal dwCreationFlags As UInteger, ByVal lpThreadId As IntPtr) As IntPtr
End Function
<DllImport("kernel32.dll", SetLastError:=True)> _
Public Function CloseHandle(ByVal hObject As IntPtr) As <MarshalAs(UnmanagedType.Bool)> Boolean
End Function
<DllImport("kernel32.dll")> _
Public Function ResumeThread(ByVal hThread As IntPtr) As UInt32
End Function
<DllImport("kernel32", SetLastError:=True)> _
Public Function WaitForSingleObject(ByVal handle As IntPtr, ByVal milliseconds As UInt32) As UInt32
End Function
<DllImport("kernel32.dll", SetLastError:=True, ExactSpelling:=True)> _
Public Function VirtualAllocEx(ByVal hProcess As IntPtr, ByVal lpAddress As IntPtr, _
ByVal dwSize As UInteger, ByVal flAllocationType As UInteger, _
ByVal flProtect As UInteger) As IntPtr
End Function
<DllImport("kernel32.dll")> _
Public Function VirtualFreeEx(ByVal hProcess As IntPtr, _
ByVal lpAddress As IntPtr, _
ByVal dwSize As Integer, _
ByVal dwFreeType As AllocationType) As Boolean
End Function
Public PROCESS_ALL_ACCESS = &H1F0FFF
<Flags()> _
Public Enum ThreadAccess As Integer
TERMINATE = (&H1)
SUSPEND_RESUME = (&H2)
GET_CONTEXT = (&H8)
SET_CONTEXT = (&H10)
SET_INFORMATION = (&H20)
QUERY_INFORMATION = (&H40)
SET_THREAD_TOKEN = (&H80)
IMPERSONATE = (&H100)
DIRECT_IMPERSONATION = (&H200)
End Enum
<Flags()> _
Public Enum AllocationType
Commit = &H1000
Reserve = &H2000
Decommit = &H4000
Release = &H8000
Reset = &H80000
Physical = &H400000
TopDown = &H100000
WriteWatch = &H200000
LargePages = &H20000000
End Enum
<Flags()> _
Public Enum MemoryProtection
Execute = &H10
ExecuteRead = &H20
ExecuteReadWrite = &H40
ExecuteWriteCopy = &H80
NoAccess = &H1
[ReadOnly] = &H2
ReadWrite = &H4
WriteCopy = &H8
GuardModifierflag = &H100
NoCacheModifierflag = &H200
WriteCombineModifierflag = &H400
End Enum
End Module
Public Class Packet
    ' Image-relative addresses (link base &H400000) for the Tibia 9.31 client.
    Private Const OUTGOINGDATASTREAM As Integer = &H828A08
    Private Const OUTGOINGDATALEN As Integer = &H9B4894
    Private Const SENDOUTGOINGPACKET As Integer = &H4FBA80
    Private Const INCOMINGDATASTREAM As Integer = &H9B4880
    Private Const PARSERFUNC As Integer = &H45D3F0
    Private Const INFINITE As UInteger = &HFFFFFFFFUI
    ' Size assumed for the client's outgoing stream buffer, and the bytes left at
    ' its start for the client's own length/checksum header.
    Private Const OUTGOINGBUFFERSIZE As Integer = 1024
    Private Const HEADERRESERVE As Integer = 8

#Region "Helper Methods"
    Private ProcessId As Integer
    Private ProcessHandle As IntPtr
    Private p As Process

    Sub New(ByVal _p As Process)
        p = _p
        ProcessId = p.Id
        ProcessHandle = WinApi.OpenProcess(WinApi.PROCESS_ALL_ACCESS, 0, CUInt(p.Id))
    End Sub

    Public Function ReadBytes(ByVal address As Long, ByVal bytesToRead As UInteger) As Byte()
        Dim ptrBytesRead As IntPtr
        Dim buffer As Byte() = New Byte(CInt(bytesToRead) - 1) {}
        WinApi.ReadProcessMemory(ProcessHandle, New IntPtr(address), buffer, bytesToRead, ptrBytesRead)
        Return buffer
    End Function

    Public Function ReadInt(ByVal address As Long) As Integer
        Return BitConverter.ToInt32(ReadBytes(address, 4), 0)
    End Function

    Public Function WriteBytes(ByVal address As Long, ByVal bytes As Byte(), ByVal length As UInteger) As Boolean
        Dim bytesWritten As IntPtr
        Dim result As Integer = WinApi.WriteProcessMemory(ProcessHandle, New IntPtr(address), bytes, length, bytesWritten)
        Return result <> 0
    End Function

    Public Function WriteInt(ByVal address As Long, ByVal value As Integer) As Boolean
        Dim bytes As Byte() = BitConverter.GetBytes(value)
        Return WriteBytes(address, bytes, 4)
    End Function

    ' Treats the thread with the most user-mode CPU time as the client's main thread,
    ' suspends it and returns the handle (the caller resumes and closes it).
    Private Function OpenAndSuspendThread(ByVal processId As Integer) As IntPtr
        Dim proc As Process = Process.GetProcessById(processId)
        Dim mainThreadId As Integer = 0
        Dim mtime As Double = 0.0

        For Each pT As ProcessThread In proc.Threads
            If pT.UserProcessorTime.TotalSeconds > mtime Then
                mainThreadId = pT.Id
                mtime = pT.UserProcessorTime.TotalSeconds
            End If
        Next

        Dim pOpenThread As IntPtr = OpenThread((ThreadAccess.GET_CONTEXT Or ThreadAccess.SUSPEND_RESUME Or ThreadAccess.SET_CONTEXT), False, CUInt(mainThreadId))
        SuspendThread(pOpenThread)
        Return pOpenThread
    End Function

    Private Sub ResumeAndCloseThread(ByVal thread As IntPtr)
        ResumeThread(thread)
        CloseHandle(thread)
    End Sub

    ' Runs the code at codeAddress on a new thread inside the client and waits for it.
    Private Sub ExecuteRemoteCode(ByVal process As IntPtr, ByVal codeAddress As IntPtr, ByVal arg As UInteger)
        Dim WorkThread As IntPtr = CreateRemoteThread(process, IntPtr.Zero, 0, codeAddress, New IntPtr(CLng(arg)), 0, IntPtr.Zero)
        WaitForSingleObject(WorkThread, INFINITE)
        CloseHandle(WorkThread)
    End Sub

    ' The static addresses are relative to the link base &H400000; the client is
    ' ASLR-enabled, so they have to be shifted onto the live image base.
    Private Function Rebase(ByVal address As Integer, ByVal base As Integer) As Integer
        Return (address - &H400000) + base
    End Function

    ' Builds what goes into the outgoing stream: HEADERRESERVE zeroed bytes, which the
    ' client's own send routine fills with length and checksum, then the packet body.
    Private Function CreateOutgoingBuffer(ByVal dataBuffer() As Byte, ByVal length As Integer) As Byte()
        Dim actualBuffer(OUTGOINGBUFFERSIZE - 1) As Byte
        Array.Copy(dataBuffer, 0, actualBuffer, HEADERRESERVE, length - HEADERRESERVE)
        Return actualBuffer
    End Function

    ' Incoming stream layout: +0 pointer to the data, +4 length, +8 read position.
    Private Sub WriteIncomingBuffer(ByVal process As IntPtr, ByVal recvStream As Integer, ByVal data() As Byte, ByVal length As Integer, ByVal position As Integer)
        WriteInt(recvStream + 4, length)
        WriteInt(recvStream + 8, position)
        Dim DataPointer As Integer = ReadInt(recvStream)
        WriteBytes(DataPointer, data, CUInt(length))
    End Sub

    Private Function CreateRemoteBuffer(ByVal process As IntPtr, ByVal dataBuffer() As Byte, ByVal length As Integer) As IntPtr
        Dim RemoteBufferPointer As IntPtr = VirtualAllocEx(process, IntPtr.Zero, CUInt(length), CUInt(AllocationType.Commit), CUInt(MemoryProtection.ExecuteReadWrite))
        Dim bytesWritten As IntPtr
        WriteProcessMemory(process, RemoteBufferPointer, dataBuffer, CUInt(length), bytesWritten)
        Return RemoteBufferPointer
    End Function
#End Region

    Public Sub SendPacketToServerEx(ByVal dataBuffer() As Byte, ByVal SendStreamData As Integer, ByVal SendStreamLength As Integer, ByVal SendPacketCall As Integer)
        Dim length As Integer = dataBuffer.Length + HEADERRESERVE
        If length > OUTGOINGBUFFERSIZE Then
            Throw New ArgumentException("Packet does not fit in the outgoing stream buffer")
        End If

        ' Freeze the main thread so the client cannot touch the stream while it is swapped.
        Dim MainThread As IntPtr = OpenAndSuspendThread(ProcessId)

        ' Save whatever the client has queued so it can be put back afterwards.
        Dim OldLength As Integer = ReadInt(SendStreamLength)
        Dim OldData() As Byte = ReadBytes(SendStreamData, CUInt(OldLength))

        Dim actualBuffer() As Byte = CreateOutgoingBuffer(dataBuffer, length)
        WriteInt(SendStreamLength, length)
        WriteBytes(SendStreamData, actualBuffer, CUInt(length))

        ' The client's own send routine encrypts, checksums and transmits the packet.
        ExecuteRemoteCode(ProcessHandle, New IntPtr(SendPacketCall), 1)

        WriteInt(SendStreamLength, OldLength)
        WriteBytes(SendStreamData, OldData, CUInt(OldLength))
        ResumeAndCloseThread(MainThread)
    End Sub

    Public Sub SendPacketToServer(ByVal dataBuffer() As Byte)
        Dim ImageBase As Integer = Process.GetProcessById(ProcessId).MainModule.BaseAddress.ToInt32()
        Dim SendStreamData As Integer = Rebase(OUTGOINGDATASTREAM, ImageBase)
        Dim SendStreamLength As Integer = Rebase(OUTGOINGDATALEN, ImageBase)
        Dim SendPacketCall As Integer = Rebase(SENDOUTGOINGPACKET, ImageBase)
        SendPacketToServerEx(dataBuffer, SendStreamData, SendStreamLength, SendPacketCall)
    End Sub

    Public Sub SendPacketToClientEx(ByVal dataBuffer() As Byte, ByVal RecvStream As Integer, ByVal ParserCall As Integer)
        Dim length As Integer = dataBuffer.Length
        Dim MainThread As IntPtr = OpenAndSuspendThread(ProcessId)

        ' Save the stream the client is currently parsing.
        Dim DataPointer As Integer = ReadInt(RecvStream)
        Dim OldLength As Integer = ReadInt(RecvStream + 4)
        Dim OldPosition As Integer = ReadInt(RecvStream + 8)
        Dim OldDataBuffer() As Byte = ReadBytes(DataPointer, CUInt(OldLength))

        ' Replace it with our packet, with the read position at the start.
        WriteIncomingBuffer(ProcessHandle, RecvStream, dataBuffer, length, 0)

        ' Stub executed by the remote thread: MOV EAX, <ParserCall> | CALL EAX | RETN
        Dim CodeCave() As Byte = {&HB8, &H0, &H0, &H0, &H0, &HFF, &HD0, &HC3}
        Array.Copy(BitConverter.GetBytes(ParserCall), 0, CodeCave, 1, 4)

        Dim CodeCavePointer As IntPtr = CreateRemoteBuffer(ProcessHandle, CodeCave, CodeCave.Length)
        ExecuteRemoteCode(ProcessHandle, CodeCavePointer, 0)
        ' MEM_RELEASE requires dwSize = 0; passing the allocation size makes the call fail.
        VirtualFreeEx(ProcessHandle, CodeCavePointer, 0, AllocationType.Release)

        ' Put the client's own stream back exactly where it was.
        WriteIncomingBuffer(ProcessHandle, RecvStream, OldDataBuffer, OldLength, OldPosition)
        ResumeAndCloseThread(MainThread)
    End Sub

    Public Sub SendPacketToClient(ByVal dataBuffer() As Byte)
        Dim ImageBase As Integer = Process.GetProcessById(ProcessId).MainModule.BaseAddress.ToInt32()
        Dim RecvStream As Integer = Rebase(INCOMINGDATASTREAM, ImageBase)
        Dim ParserCall As Integer = Rebase(PARSERFUNC, ImageBase)
        SendPacketToClientEx(dataBuffer, RecvStream, ParserCall)
    End Sub

End Class
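The port above performs its writes directly against the live client, which makes it hard to see what actually lands where. The following is an added example in Python, not code from this thread or from Tibiasock.dll: it models the same layout offline, using the 9.31 constants from the post, and produces the exact (address, bytes) pairs that SendPacketToServerEx and SendPacketToClientEx would write for a given image base, so a port to another language, or a debugger memory view, can be checked against it. The 1024-byte stream capacity and the 8-byte header reserve are taken from the port; the image base, the incoming data pointer and the sample payload are constructed values, not read from a client.

```python
"""Offline model of the memory writes the Tibiasock ports perform (added example)."""
import struct

LINK_BASE = 0x400000       # the static addresses in the ports are relative to this
STREAM_CAPACITY = 1024     # outgoing stream size the VB port assumes
HEADER_RESERVE = 8         # bytes the client's send routine fills with length/checksum

# Static addresses for Tibia 9.31 as posted in the thread, relative to LINK_BASE.
ADDR_931 = {
    "OUTGOINGDATASTREAM": 0x828A08,
    "OUTGOINGDATALEN": 0x9B4894,
    "SENDOUTGOINGPACKET": 0x4FBA80,
    "INCOMINGDATASTREAM": 0x9B4880,
    "PARSERFUNC": 0x45D3F0,
}


def rebase(address, image_base):
    """Shift a LINK_BASE-relative address onto the live (ASLR-randomised) image base."""
    return address - LINK_BASE + image_base


def build_outgoing_buffer(payload):
    """Bytes written to OUTGOINGDATASTREAM and the value written to OUTGOINGDATALEN.

    The client's own send routine expects HEADER_RESERVE bytes in front of the body;
    the ports zero them and let the client fill them in.
    """
    total = HEADER_RESERVE + len(payload)
    if total > STREAM_CAPACITY:
        raise ValueError("payload of %d bytes overruns the %d-byte stream"
                         % (len(payload), STREAM_CAPACITY))
    return bytes(HEADER_RESERVE) + bytes(payload), total


def build_call_stub(target):
    """8-byte x86 stub run via CreateRemoteThread: MOV EAX, imm32 / CALL EAX / RETN."""
    return b"\xb8" + struct.pack("<I", target & 0xFFFFFFFF) + b"\xff\xd0\xc3"


def plan_send_to_server(payload, image_base, addrs=ADDR_931):
    """(address, bytes) writes SendPacketToServerEx performs, plus the remote thread start.

    The save/restore of whatever the client already had queued is not modelled.
    """
    data, total = build_outgoing_buffer(payload)
    writes = [
        (rebase(addrs["OUTGOINGDATALEN"], image_base), struct.pack("<i", total)),
        (rebase(addrs["OUTGOINGDATASTREAM"], image_base), data),
    ]
    return writes, rebase(addrs["SENDOUTGOINGPACKET"], image_base)


def plan_send_to_client(payload, image_base, data_pointer, addrs=ADDR_931):
    """Writes SendPacketToClientEx performs and the stub it runs on a remote thread.

    Incoming stream struct: +0 data pointer (read from the client), +4 length, +8 read
    position. data_pointer is what the port reads at +0; here it is a constructed value.
    """
    stream = rebase(addrs["INCOMINGDATASTREAM"], image_base)
    writes = [
        (stream + 4, struct.pack("<i", len(payload))),
        (stream + 8, struct.pack("<i", 0)),
        (data_pointer, bytes(payload)),
    ]
    return writes, build_call_stub(rebase(addrs["PARSERFUNC"], image_base))


if __name__ == "__main__":
    # Constructed values: a hypothetical image base and a two-byte dummy packet body.
    base = 0x01000000
    writes, start = plan_send_to_server(b"\x14\x00", base)
    for addr, data in writes:
        print("write %08X <- %s" % (addr, data.hex()))
    print("CreateRemoteThread at %08X" % start)
```

The only input the model cannot supply is the live image base; the ports read it from Process.MainModule.BaseAddress or from PEB+0x08, and every address in the plan depends on it.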

Dark Pallys
11-05-2011, 02:01 AM
Frankly, your version is messier and creates bigger overhead... I'm sure you've heard of overloaded functions; I had 5 different WriteProcessMemory and ReadProcessMemory declarations to accommodate different data types (emulating an "As Any" from good ol' VB6)... I suppose you could argue that you have to write less... but meh :P

Nice work anyway :)

One question though, what does <[In](), Out()> do?

DarkstaR
11-05-2011, 02:56 AM
It's the same as ByRef, basically.

When you pass a variable by reference you are actually passing a pointer to that variable so the function it is being passed to can modify it and those modifications will be reflected in the calling block. (I'm sure you already know that, I like to over-explain). As far as I know, specifying "Out()" just works the same way and passes the pointer so a value can be OUTput to that variable. "in()" works like ByVal, as the variable is an INput and nothing more. That's my understanding of it, anyway.

Dark Pallys
11-05-2011, 03:17 AM
Indeed, I know what ByRef is; it's the equivalent of &/* in C/C++.

But in this case, assuming that In() means "ByVal"... why would you pass it as that? On ReadProcessMemory, the buffer parameter is used for output only, AFAIK.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms680553%28v=vs.85%29.aspx

BOOL WINAPI ReadProcessMemory(
__in HANDLE hProcess,
__in LPCVOID lpBaseAddress,
__out LPVOID lpBuffer,
__in SIZE_T nSize,
__out SIZE_T *lpNumberOfBytesRead
);


Also, I was checking out pinvoke's declaration for this..

If we use this, there's no need for BitConverter, or overloaded declarations, since it's basically "As Any"

<DllImport("kernel32.dll", SetLastError:=true)> _
Public Shared Function ReadProcessMemory( _
ByVal hProcess As IntPtr, _
ByVal lpBaseAddress As IntPtr, _
<Out(),MarshalAs(UnmanagedType.AsAny)>ByVal lpBuffer As object, _
ByVal dwSize as Integer, _
ByRef lpNumberOfBytesRead as Integer _
) As Boolean
End Function

klusbert
11-05-2011, 11:54 AM
The problem is that in .NET Framework 4.0 you need to have the buffer you read as a byte array. The reason I did this was because your code made it crash on 4.0, because of wrong P/Invoke arguments: you can't have a buffer as Integer or String.

Like I said, I made this because I wanted it to work with 4.0, and it works with 2.0 to 4.0.


And I am a bit allergic to good old VB6 :P

Dark Pallys
11-05-2011, 04:09 PM
Ahh, I see. I fixed up and re-uploaded the DLL + example projects to support .NET Framework 4. Thanks klusbert :)

Wesker
11-06-2011, 01:24 AM
Just to make it clear, this is your work, right?
'Cause tibiasock.dll... somehow I imagined Tibia making changes in the client with this, and I didn't find the sock LOL

DarkstaR
11-06-2011, 01:53 AM
What the hell are you on about?

klusbert
11-06-2011, 01:57 AM
WHAT??? :P

Wesker
11-06-2011, 02:03 AM
What the hell are you on about?

Nothing, forget it. I just thought Tibia had a new DLL; I haven't logged in for years lol. Anyway, good work :)

klusbert
11-06-2011, 01:01 PM
For me there was no page 8.

Dark Pallys
11-06-2011, 01:03 PM
You are on page 8 :P

klusbert
11-06-2011, 01:56 PM
You are on page 8 :P


Yes, when I posted... before I posted, I only saw DarkstaR's post on page 7 :P Not the first time in this thread :S

N2wb1e
12-10-2011, 12:41 PM
Do I just need to edit these values to get the DLL updated to the latest version of Tibia?


Private Const OUTGOINGDATASTREAM As Integer = &H828A08
Private Const OUTGOINGDATALEN As Integer = &H9B4894
Private Const SENDOUTGOINGPACKET As Integer = &H4FBA80

Private Const INCOMINGDATASTREAM As Integer = &H9B4880
Private Const PARSERFUNC As Integer = &H45D3F0

Private Const INFINITE As UInteger = &HFFFFFFFFUI

klusbert
12-11-2011, 11:48 PM
Do I just need to edit these values to get the DLL updated to the latest version of Tibia?


Private Const OUTGOINGDATASTREAM As Integer = &H828A08
Private Const OUTGOINGDATALEN As Integer = &H9B4894
Private Const SENDOUTGOINGPACKET As Integer = &H4FBA80

Private Const INCOMINGDATASTREAM As Integer = &H9B4880
Private Const PARSERFUNC As Integer = &H45D3F0

Private Const INFINITE As UInteger = &HFFFFFFFFUI


this is for 9.31

Fare
12-12-2011, 12:25 AM
Anyone got 8.70 addresses? Can't find them anywhere :(

Dark Pallys
12-12-2011, 01:48 PM
That's because this project was started on Tibia 9.31..

DarkstaR
12-12-2011, 02:49 PM
The best place to find them is somewhere within the memory space of the desired client, IMO.

Fare
12-12-2011, 05:20 PM
Pretty nice solution ^^ I've tried (failing atm), but there are still chances that someone already got them, so he can post ;)

klusbert
12-13-2011, 09:54 PM
I think there already exists a good way of sending packets for 8.70, since ASLR was not implemented then.

N2wb1e
12-14-2011, 09:24 PM
The best place to find them is somewhere within the memory space of the desired client, IMO.

How can I find them?

N2wb1e
12-15-2011, 12:11 AM
I have a custom server. How can I find these values?

klusbert
12-15-2011, 02:40 PM
Private Const OUTGOINGDATASTREAM As Integer = &H846AF0 '940
Private Const OUTGOINGDATALEN As Integer = &H9D2BA4 '940
Private Const SENDOUTGOINGPACKET As Integer = &H505360 '940
Private Const INCOMINGDATASTREAM As Integer = &H9D2B90 '940
Private Const PARSERFUNC As Integer = &H45F3B0 '9.40


Private Const OUTGOINGDATASTREAM As Integer = &H828A08 '931
Private Const OUTGOINGDATALEN As Integer = &H9B4894 '931
Private Const SENDOUTGOINGPACKET As Integer = &H4FBA80 '931
Private Const INCOMINGDATASTREAM As Integer = &H9B4880 '931
Private Const PARSERFUNC As Integer = &H45D3F0 '931

Private Const OUTGOINGDATASTREAM As Integer = &H7C54B0 '870
Private Const OUTGOINGDATALEN As Integer = &H7C5CD8 '870
Private Const SENDOUTGOINGPACKET As Integer = &H4F8DF0 '870
Private Const PARSERFUNC As Integer = &H45C670 '870
Private Const INCOMINGDATASTREAM As Integer = &H7C5CDC '870

Private Const OUTGOINGDATASTREAM As Integer = &H799080 '860
Private Const OUTGOINGDATALEN As Integer = &H7998A8 '860
Private Const SENDOUTGOINGPACKET As Integer = &H4F8E40 '860
Private Const PARSERFUNC As Integer = &H45C370 '860
Private Const INCOMINGDATASTREAM As Integer = &H7998AC '860


When you have these addresses you can use this method to update to older versions: http://tpforums.org/forum/thread-5310.html

Kush
12-24-2011, 04:18 AM
Sorry, but does this work for the current version of Tibia?

conde2
12-24-2011, 02:21 PM
Private Const OUTGOINGDATASTREAM As Integer = &H7C54B0 '8.70
Private Const OUTGOINGDATALEN As Integer = &H7C5CD8 '8.70
Private Const SENDOUTGOINGPACKET As Integer = &H4F8DF0 '8.70
Private Const PARSERFUNC As Integer = &H45C670 '8.70
Private Const INCOMINGDATASTREAM As Integer = &H7C5CDC '8.70

How can I find these addresses for 8.6?

klusbert
12-27-2011, 01:47 AM
Using this method:

http://tpforums.org/forum/thread-5310.html


I found these addresses:
Tibiasock.dll - The new Packet.dll (http://tpforums.org/forum/thread-9038-post-79562.html#pid79562)

conde2
01-09-2012, 10:45 PM
I always get "Item not found" in Olly; what should I do?

I'm searching for 799080 in the Tibia 8.6 client and find nothing =s

klusbert
01-10-2012, 02:06 AM
I always get "Item not found" in Olly; what should I do?

I'm searching for 799080 in the Tibia 8.6 client and find nothing =s


Are you in the right module? You should be in tibia.exe.
Run Tibia using F9.

psydack
01-12-2012, 01:56 AM
I always get "Item not found" in Olly; what should I do?

I'm searching for 799080 in the Tibia 8.6 client and find nothing =s


Are you in the right module? You should be in tibia.exe.
Run Tibia using F9.


I could not update to version 9.43...
I don't know. I tried to follow these steps but it always returns "Item not found".
I don't know why. Is there another method or something to try?

klusbert
01-12-2012, 03:00 AM
WTF, is next not showing?

Again.

conde2
01-13-2012, 02:17 AM
I always get "Item not found" in Olly; what should I do?

I'm searching for 799080 in the Tibia 8.6 client and find nothing =s


Are you in the right module? You should be in tibia.exe.
Run Tibia using F9.


Tibia should be running? I'm a noob hahaha

Just a question: do I need to log in with my character, or does just running Tibia work?

klusbert
01-13-2012, 02:24 AM
I always get "Item not found" in Olly; what should I do?

I'm searching for 799080 in the Tibia 8.6 client and find nothing =s


Are you in the right module? You should be in tibia.exe.
Run Tibia using F9.


Tibia should be running? I'm a noob hahaha

Just a question: do I need to log in with my character, or does just running Tibia work?


No no, make sure you are at tibia.exe. It starts with 40000.
BTW, finally page 10 is showing.

psydack
01-13-2012, 02:31 AM
I always get "Item not found" in Olly; what should I do?

I'm searching for 799080 in the Tibia 8.6 client and find nothing =s


Are you in the right module? You should be in tibia.exe.
Run Tibia using F9.


Tibia should be running? I'm a noob hahaha

Just a question: do I need to log in with my character, or does just running Tibia work?


No no, make sure you are at tibia.exe. It starts with 40000.
BTW, finally page 10 is showing.


Yeah, finally.

Well, Klusbert, can you help me?
I could not update the address with that method (comparing). Is there another method, or how does it work? Like, I send a message and reverse it to find... I just don't know how to start.

klusbert
01-13-2012, 04:02 PM
for what version?

psydack
01-13-2012, 06:01 PM
For what version?


For any. I just want to know how to update. I followed those steps comparing with the older version but it doesn't work. I repeated it many times, tried many times, and I think something has changed.

I tried to update 9.4 to 9.43 without success. =/

I just want to know how it works. Well, when I put something on the ground and search for it, I find the pointer/address for it. But I don't know how it works.
When does it happen that I get the address?

klusbert
01-13-2012, 07:55 PM
You know you can't find the addresses if ASLR is enabled. Or at least I don't know how.

psydack
01-13-2012, 08:36 PM
You know you can't find the addresses if ASLR is enabled. Or at least I don't know how.


Of course my ASLR is disabled. I don't know how. =/

maozao
01-13-2012, 08:37 PM
You can use BlackD's method to find them, it's easy, you just need to relax and search =)

4589417
01-26-2012, 06:10 AM
Hmmm, I'm getting some errors trying to convert it to C#...
See:
When I try to send a packet to the client, I get a runtime error, and the error is in this function:



public static void SendPacketToServerEx(IntPtr processId, byte[] dataBuffer, int SendStreamData, int SendStreamLength, int SendPacketCall)
{
IntPtr mainThread = OpenAndSuspendThread((int)processId);
int oldLength = 0;
byte[] oldData = new byte[1024];

int length = dataBuffer.Length;

IntPtr process = WinApi.OpenProcess(WinApi.PROCESS_ALL_ACCESS, 0, (uint)processId);
oldLength = BitConverter.ToInt32(ReadBytes(SendStreamLength, 4), 0);
oldData = ReadBytes(SendStreamData,(uint)oldLength);
length += 8;

byte[] actualBuffer = CreateOutgoingBuffer(dataBuffer, length);
WriteInt(SendStreamLength, length);
WriteBytes(SendStreamData, actualBuffer, (uint)length);
ExecuteRemoteCode(process, (IntPtr)SendPacketCall, 1);
WriteInt(SendStreamLength, oldLength);
WriteBytes(SendStreamData, oldData, (uint)oldLength);
ResumeAndCloseThread(mainThread);
}


To be more specific, in this line:



WriteInt(SendStreamLength, oldLength);


WriteInt


public static bool WriteInt(long address, int value)
{
byte[] bytes = BitConverter.GetBytes(value);
return WriteBytes(address, bytes, 4);
}

Maybe I'm doing something wrong...?
PS: I'm testing on 8.70...

klusbert
01-26-2012, 08:20 AM
try this :P

Warning: I am a noob in C#, but it worked for me on 8.7.

4589417
01-26-2012, 12:29 PM
Thanks you so much ^^

Devil
01-28-2012, 07:41 PM
Line 18: error: expected '(' before '{' token
The same error in Dev-C++ and Code::Blocks.

Why is this happening? windows.h is included!!!
OpenThread not declared

maozao
01-28-2012, 07:53 PM
Line 18: error: expected '(' before '{' token
The same error in Dev-C++ and Code::Blocks.


Are you missing a "("?! lol

Sketchy
01-28-2012, 09:28 PM
I assume you are using the MinGW compiler with both IDEs, Devil? I ran into the same issue of the OpenThread function not being declared back in November with regards to the MinGW compiler. I tracked the problem down to a conditional compilation statement inside the winbase.h header, in which OpenThread is declared, which checks if the WINVER macro (from windef.h) is defined as being >= 500. Unfortunately it is defined as 0x300, thus resulting in OpenThread never being declared. There are 4 possible solutions to this:


1. Edit the windef.h file and change the value of WINVER to 0x500 (or greater).

2. Define the WINVER macro yourself BEFORE you include windows.h (or any file that includes it or windef.h); the project defines are a great place for this.

3. Get the address of OpenThread through GetProcAddress and call it through a function pointer.

4. Use the MSVC compiler instead of MinGW. This doesn't necessarily mean you have to use Visual Studio; the MSVC compiler can be used by C::B and can be installed via the free-to-download Windows SDK, which doesn't require any version of Visual Studio to be installed.


I personally went with option 2 and would suggest that; it's easy to do and doesn't require other people to mess around with their compiler to get your code to work.

join
02-09-2012, 06:16 PM
Thanks for share DarkstaR!!!!

Devil
04-19-2012, 08:05 PM
void SendPacketToClientEx(HANDLE process, BYTE* dataBuffer, int length, DWORD RecvStream, DWORD ParserCall)
void SendPacketToServerEx(HANDLE process, BYTE* dataBuffer, int length, DWORD SendStreamData, DWORD SendStreamLength, DWORD SendPacketCall)

So I can use other addresses for another version without recompiling, using these functions?

compi
04-20-2012, 11:31 AM
Is it updated to 9.52?

Sketchy
04-20-2012, 12:40 PM
void SendPacketToClientEx(HANDLE process, BYTE* dataBuffer, int length, DWORD RecvStream, DWORD ParserCall)
void SendPacketToServerEx(HANDLE process, BYTE* dataBuffer, int length, DWORD SendStreamData, DWORD SendStreamLength, DWORD SendPacketCall)

So I can use other addresses for another version without recompiling, using these functions?


Yes you can, however keep in mind the addresses you pass must be pre-aligned to the process' base address.

compi
04-20-2012, 12:45 PM
Yes you can, however keep in mind the addresses you pass must be pre-aligned to the process' base address.


Which?

Devil
04-20-2012, 03:22 PM
void SendPacketToClientEx(HANDLE process, BYTE* dataBuffer, int length, DWORD RecvStream, DWORD ParserCall)
void SendPacketToServerEx(HANDLE process, BYTE* dataBuffer, int length, DWORD SendStreamData, DWORD SendStreamLength, DWORD SendPacketCall)

So I can use other addresses for another version without recompiling, using these functions?


Yes you can, however keep in mind the addresses you pass must be pre-aligned to the process' base address.


Thanks :D
But no problem, I will use this for older versions *-*

klusbert
05-04-2012, 08:55 AM
Private Const OUTGOINGDATASTREAM As Integer = &H846AF0 '9.40
Private Const OUTGOINGDATALEN As Integer = &H9D2BA4 '9.40
Private Const SENDOUTGOINGPACKET As Integer = &H505360 '9.40
Private Const INCOMINGDATASTREAM As Integer = &H9D2B90 '9.40
Private Const PARSERFUNC As Integer = &H45F3B0 '9.40


Private Const OUTGOINGDATASTREAM As Integer = &H828A08 '931
Private Const OUTGOINGDATALEN As Integer = &H9B4894 '931
Private Const SENDOUTGOINGPACKET As Integer = &H4FBA80 '931
Private Const INCOMINGDATASTREAM As Integer = &H9B4880 '931
Private Const PARSERFUNC As Integer = &H45D3F0 '931

Private Const OUTGOINGDATASTREAM As Integer = &H7C54B0 '870
Private Const OUTGOINGDATALEN As Integer = &H7C5CD8 '870
Private Const SENDOUTGOINGPACKET As Integer = &H4F8DF0 '870
Private Const PARSERFUNC As Integer = &H45C670 '870
Private Const INCOMINGDATASTREAM As Integer = &H7C5CDC '870

Private Const OUTGOINGDATASTREAM As Integer = &H799080 '860
Private Const OUTGOINGDATALEN As Integer = &H7998A8 '860
Private Const SENDOUTGOINGPACKET As Integer = &H4F8E40 '860
Private Const PARSERFUNC As Integer = &H45C370 '860
Private Const INCOMINGDATASTREAM As Integer = &H7998AC '860

Private Const SENDOUTGOINGPACKET As Integer = &H510140 '944
Private Const OUTGOINGDATASTREAM As Integer = &H7B2E80 '944
Private Const OUTGOINGDATALEN As Integer = &H9E6EC4 '944

Private Const INCOMINGDATASTREAM As Integer = &H9D2B90 '944
Private Const PARSERFUNC As Integer = &H45F3B0 '9.44

Private Const SENDOUTGOINGPACKET As Integer = &H510BE0 '953
Private Const OUTGOINGDATASTREAM As Integer = &H7B4EC8 '953
Private Const OUTGOINGDATALEN As Integer = &H9E9524 '953

Private Const INCOMINGDATASTREAM As Integer = &H9E9510 '953
Private Const PARSERFUNC As Integer = &H461720 '953


Updated to 9.53

Skyrr
06-07-2012, 02:04 PM
I wanted to know whether I should use VB.NET or C#. Or, if I compile using C++ and use the DLL in a C# project, would there be a problem?

klusbert
06-08-2012, 01:33 PM
I wanted to know whether I should use VB.NET or C#. Or, if I compile using C++ and use the DLL in a C# project, would there be a problem?


Sorry, I don't understand what you mean :(

Devil
06-08-2012, 01:45 PM
I think he needs an example project using this DLL, to understand it...

klusbert
06-08-2012, 03:12 PM
I think I have already told you that you can find c++ version, vb.net version and c# version in this thread.

Tibiasock.dll - c++ (http://tpforums.org/forum/thread-9038-post-79057.html#pid79057)
Tibiasock.dll - vb.net (http://tpforums.org/forum/thread-9038-post-79199.html#pid79199)
Tibiasock.dll - c# (http://tpforums.org/forum/thread-9038-post-80854.html#pid80854)

Dark Pallys
06-11-2012, 09:32 AM
up?:s


????

Miziak
06-12-2012, 02:36 PM
DWORD GetThreadInfoBlockPointer()
{
DWORD ThreadInfoBlock;
__asm
{
MOV EAX, FS:[0x18]
MOV [ThreadInfoBlock], EAX
}
return ThreadInfoBlock;
}

Maybe a port for MinGW-GCC? The asm function is different from the MSVC++ version ;/

klusbert
06-14-2012, 01:12 PM
9.54


Public Shared SendOutGoingPacket As Integer = &H512F20 '954
Public Shared OutGoingDataStream As Integer = &H7B8F28 '954
Public Shared OutGoingDataLength As Integer = &H9EDA78 '954
Public Shared IncomingPacketStream As Integer = &H9EDA64 '954
Public Shared ParseFunction As Integer = &H462D50 '954

Sketchy
06-14-2012, 03:15 PM
DWORD GetThreadInfoBlockPointer()
{
DWORD ThreadInfoBlock;
__asm
{
MOV EAX, FS:[0x18]
MOV [ThreadInfoBlock], EAX
}
return ThreadInfoBlock;
}

Maybe a port for MinGW-GCC? The asm function is different from the MSVC++ version ;/



__asm__("movl %%fs:0x18, %0" : "=r" (ThreadInfoBlock) : : );

That would work, and of course this would be incompatible with the MSVC compiler. If you want compatibility with both compilers you could use the preprocessor to check which compiler is being used and supply it the appropriate ASM syntax. Alternatively you could use a code cave called through a function pointer instead of inline ASM, but you would lose out on potential optimisations from the compiler.

arek159
06-14-2012, 03:45 PM
Is it possible to use it in Delphi? And if not, how can I import this DLL and use something from the library in C#? I've never programmed in C#, but if it doesn't work in Delphi, I'll have to switch to C# :P

benji69
06-18-2012, 01:36 AM
Hey, could someone help me understand how I get these addresses from the client, or maybe you are able to provide the 9.10 addresses? :) I would like to know how it is done though; I mean, I understand most of using OllyDbg, I just don't know exactly what it is I'm looking for here.

arkes
06-18-2012, 04:44 PM
@Klusbert

Where must I add this??
And how do I compile this project?
Must I have the Tibia client open??

Language: C++.

I worked it out, thanks for the .dll Darkstar!!!

Dubler
06-30-2012, 07:14 AM
The sample (tibiasock) code works great, but while I'm trying to send a packet from my bot with this code:

p->AddByte(0x0);
p->AddByte(0x14);
SendPacketToServer(process, p->GetRawPacket(), p->GetRawSize());
the bot exits with code -1073741819 (0xC0000005).

WTF? I copied all the code from the test...

arkes
07-02-2012, 02:21 PM
Bump !

klusbert
07-11-2012, 05:26 PM
Private Const SENDOUTGOINGPACKET As Integer = &H5146C0 '960
Private Const OUTGOINGDATASTREAM As Integer = &H7B6F50 '960
Private Const OUTGOINGDATALEN As Integer = &H9D1D38 '960

Private Const INCOMINGDATASTREAM As Integer = &H9D1D24 '960
Private Const PARSERFUNC As Integer = &H4630E0 '960

Devil
07-18-2012, 06:27 AM
Private Const SENDOUTGOINGPACKET As Integer = &H5146C0 '960
Private Const OUTGOINGDATASTREAM As Integer = &H7B6F50 '960
Private Const OUTGOINGDATALEN As Integer = &H9D1D38 '960

Private Const INCOMINGDATASTREAM As Integer = &H9D1D24 '960
Private Const PARSERFUNC As Integer = &H4630E0 '960



How did you find IncomingDataStream?
I need this for older versions, to read packets to the client from memory... (like you did here: http://tpforums.org/forum/thread-10408-post-84260.html#pid84260)
I need it because on some friends' computers injecting (to hook) a DLL doesn't work on Win7, and I will do a secondary magic effect reader XD
Thxx

ufo
07-18-2012, 06:37 AM
You could follow Stepler's tutorial about the hook proxy (it's a sticky somewhere; I could find it for you if you don't know which one I'm talking about :P).
But it all comes down to finding winsock recv, I guess; that would be a starting point at least...

DarkstaR
07-18-2012, 01:14 PM
Send "Hey bro you suck!" in a chat window. Freeze the client RIGHT when you send it. Search for that string in memory and then go back some bytes (2 for string length, 1 for packet type, 2 for packet size, 4 for adler? Haven't touched this in forever) and boom.
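Doing that search by hand in a debugger is fiddly because the string also shows up in the chat input box, the chat log and similar places, none of which are the packet. The following is an added Python example, not code from this thread: it scans a memory dump for the marker, keeps only hits that are immediately preceded by the string's little-endian 16-bit length (the "string length" bytes the post mentions), walks back a configurable number of bytes to the buffer start, and converts that offset into the link-base-relative constant the ports expect. The dump, its base address, the opcode bytes 0x96/0x01 and the 10-byte distance from buffer start to length field are constructed for the demonstration (8 of those bytes being the header reserve the ports leave in front of the packet); the number of bytes in front of the string is exactly what has to be adjusted per client version, so it is a parameter.

```python
"""Locate a packet buffer in a memory dump from a known chat string (added example)."""
import struct

LINK_BASE = 0x400000
MARKER = "Hey bro you suck!"


def find_marker_candidates(dump, marker, bytes_before_length):
    """Offsets in `dump` where a packet containing `marker` appears to begin.

    A hit counts only if the two bytes in front of the text hold its length as a
    little-endian u16 (the length-prefixed string encoding the post describes), which
    discards plain copies of the text such as the chat input box. `bytes_before_length`
    is the distance from the buffer start to that length field (reserved header plus
    opcode bytes) and has to be tuned per client version.
    """
    text = marker.encode("latin-1")
    prefix = struct.pack("<H", len(text))
    hits = []
    pos = dump.find(text)
    while pos >= 0:
        if pos >= 2 and dump[pos - 2:pos] == prefix:
            start = pos - 2 - bytes_before_length
            if start >= 0:
                hits.append(start)
        pos = dump.find(text, pos + 1)
    return hits


def to_static_address(dump_base, offset, image_base):
    """Turn a hit into the LINK_BASE-relative constant used in the ports (inverse of Rebase)."""
    return dump_base + offset - image_base + LINK_BASE


def build_sample_dump():
    """Constructed stand-in for a dump of the client's data section."""
    text = MARKER.encode("latin-1")
    edit_box = text + b"\x00"                      # plain NUL-terminated copy: not a packet
    packet = (bytes(8)                             # reserved header the client fills in
              + b"\x96\x01"                        # hypothetical opcode and talk-mode bytes
              + struct.pack("<H", len(text)) + text
              + b"\x00" * 4)
    return bytes(16) + edit_box + b"\xcc" * 5 + packet


if __name__ == "__main__":
    dump = build_sample_dump()
    # Constructed dump base and image base; on a real client take both from the debugger.
    for start in find_marker_candidates(dump, MARKER, bytes_before_length=10):
        static = to_static_address(0x01420000, start, 0x01000000)
        print("buffer at dump offset %d -> static address 0x%X" % (start, static))
```

On a real dump, expect several length-prefixed hits if the client keeps the message in more than one place; the one whose surrounding bytes match the reserved-header-plus-opcode pattern is the outgoing stream, and freezing the client right at send time, as the post says, is what keeps it from being overwritten before you look.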

klusbert
07-19-2012, 07:17 AM
Private Const SENDOUTGOINGPACKET As Integer = &H5146C0 '960
Private Const OUTGOINGDATASTREAM As Integer = &H7B6F50 '960
Private Const OUTGOINGDATALEN As Integer = &H9D1D38 '960

Private Const INCOMINGDATASTREAM As Integer = &H9D1D24 '960
Private Const PARSERFUNC As Integer = &H4630E0 '960



How did you find IncomingDataStream?
I need this for older versions, to read packets to the client from memory... (like you did here: http://tpforums.org/forum/thread-10408-post-84260.html#pid84260)
I need it because on some friends' computers injecting (to hook) a DLL doesn't work on Win7, and I will do a secondary magic effect reader XD
Thxx

For what version? I have posted them for some older client versions already, so you can use Osqu's method much more easily.

arkes
07-22-2012, 05:36 PM
How to send Goto (x,y,z) ?

klusbert
07-22-2012, 06:49 PM
How to send Goto (x,y,z) ?


You can either send a move packet (direction) or an autowalk packet (with a list of directions).

To make a gotoLocation function checkout these addresses:

GotoX
GotoY
GotoZ

And you must also find your character in battlelist and set IsWalking to 1.

compi
08-08-2012, 06:13 PM
Dev-C++ version [cut]


// _WIN32_WINNT must be a plain number and must be defined before <windows.h> is
// first included (also before "dll.h", in case that pulls windows.h in); otherwise
// MinGW's winbase.h leaves OpenThread() undeclared.
#define _WIN32_WINNT 0x0501

#include <windows.h>
#include "dll.h"



#define OUTGOINGDATASTREAM 0x7B6F50
#define OUTGOINGDATALEN 0x9D1D38
#define SENDOUTGOINGPACKET 0x5146C0

#define INCOMINGDATASTREAM 0x9D1D24
#define PARSERFUNC 0x4630E0

#define OUTGOINGBUFFERSIZE 1024   /* assumed size of the client's outgoing stream */
#define HEADERRESERVE 8           /* bytes the client fills with length/checksum */

/* PEB & TIB */
/* Returns the TEB address of the *calling* thread. The two helpers below read that
   same address inside the target process, which works because the first thread's
   TEB normally lands at the same virtual address in every 32-bit process. */
DWORD GetThreadInfoBlockPointer()
{
    DWORD ThreadInfoBlock;

    __asm__("movl %%fs:0x18, %0" : "=r" (ThreadInfoBlock) : : );
    return ThreadInfoBlock;
}
DWORD GetProcessImageBase(HANDLE process)
{
    DWORD ThreadInfoBlock = GetThreadInfoBlockPointer();
    DWORD ProcessEnviromentBlock, ImageBase;

    ReadProcessMemory(process, (LPVOID)(ThreadInfoBlock + 0x30), &ProcessEnviromentBlock, 4, NULL); /* TEB+0x30: PEB pointer */
    ReadProcessMemory(process, (LPVOID)(ProcessEnviromentBlock + 0x8), &ImageBase, 4, NULL);      /* PEB+0x08: ImageBaseAddress */
    return ImageBase;
}
DWORD GetProcessMainThreadId(HANDLE process)
{
    DWORD ThreadInfoBlock = GetThreadInfoBlockPointer();
    DWORD MainThreadId;

    ReadProcessMemory(process, (LPVOID)(ThreadInfoBlock + 0x24), &MainThreadId, 4, NULL); /* TEB+0x24: ClientId.UniqueThread */
    return MainThreadId;
}

/* THREADS */
HANDLE OpenAndSuspendThread(DWORD threadID)
{
    HANDLE thread = OpenThread((THREAD_GET_CONTEXT | THREAD_SUSPEND_RESUME | THREAD_SET_CONTEXT), FALSE, threadID);
    SuspendThread(thread);
    return thread;
}
void ResumeAndCloseThread(HANDLE thread)
{
    ResumeThread(thread);
    CloseHandle(thread);
}
void ExecuteRemoteCode(HANDLE process, LPVOID codeAddress, LPVOID arg)
{
    HANDLE WorkThread = CreateRemoteThread(process, NULL, 0, (LPTHREAD_START_ROUTINE)codeAddress, arg, 0, NULL);
    WaitForSingleObject(WorkThread, INFINITE);
    CloseHandle(WorkThread);
}

/* MAIN CODE */
/* The static addresses are relative to the link base 0x400000; shift them onto the live image base. */
DWORD Rebase(DWORD address, DWORD base)
{
    return (DWORD)(((int)address - (int)0x400000) + (int)base);
}
/* To Server */
/* Returns a buffer holding HEADERRESERVE zeroed bytes (the client's send routine writes
   length and checksum there) followed by the packet body. The buffer is static on
   purpose: a local array would be dangling once the function returns. Returns NULL
   when the packet does not fit. */
BYTE* CreateOutgoingBuffer(BYTE* dataBuffer, int length)
{
    static BYTE actualBuffer[OUTGOINGBUFFERSIZE];

    if (length < HEADERRESERVE || length > OUTGOINGBUFFERSIZE)
        return NULL;
    ZeroMemory((LPVOID)actualBuffer, HEADERRESERVE);
    memcpy((LPVOID)&actualBuffer[HEADERRESERVE], (LPVOID)dataBuffer, length - HEADERRESERVE);
    return actualBuffer;
}

void SendPacketToServerEx(HANDLE process, BYTE* dataBuffer, int length, DWORD SendStreamData, DWORD SendStreamLength, DWORD SendPacketCall)
{
    int OldLength;
    BYTE OldData[OUTGOINGBUFFERSIZE];
    BYTE* actualBuffer;

    length += HEADERRESERVE;
    actualBuffer = CreateOutgoingBuffer(dataBuffer, length);
    if (actualBuffer == NULL)
        return;

    DWORD MainThreadId = GetProcessMainThreadId(process);
    HANDLE MainThread = OpenAndSuspendThread(MainThreadId);

    /* Save what the client has queued; bail out rather than overrun OldData. */
    ReadProcessMemory(process, (LPVOID)SendStreamLength, &OldLength, 4, NULL);
    if (OldLength < 0 || OldLength > OUTGOINGBUFFERSIZE)
    {
        ResumeAndCloseThread(MainThread);
        return;
    }
    ReadProcessMemory(process, (LPVOID)SendStreamData, OldData, OldLength, NULL);

    WriteProcessMemory(process, (LPVOID)SendStreamLength, &length, 4, NULL);
    WriteProcessMemory(process, (LPVOID)SendStreamData, actualBuffer, length, NULL);

    /* The client's own routine encrypts, checksums and sends the packet. */
    ExecuteRemoteCode(process, (LPVOID)SendPacketCall, (LPVOID)1);

    WriteProcessMemory(process, (LPVOID)SendStreamLength, &OldLength, 4, NULL);
    WriteProcessMemory(process, (LPVOID)SendStreamData, OldData, OldLength, NULL);

    ResumeAndCloseThread(MainThread);
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    return TRUE;
}


Before compiling, edit the winbase.h file, or you will get a linker error.



#if (_WIN32_WINNT >= 0x0500) || (_WIN32_WINDOWS >= 0x0490)
WINBASEAPI HANDLE WINAPI OpenThread(DWORD,BOOL,DWORD);
#endif

to :

//#if (_WIN32_WINNT >= 0x0500) || (_WIN32_WINDOWS >= 0x0490)
WINBASEAPI HANDLE WINAPI OpenThread(DWORD,BOOL,DWORD);
//#endif

Dubler
08-08-2012, 08:15 PM
#include "dll.h" ???

This is a strange edit of darkstar's code for me and doesn't work.

Kush
08-08-2012, 09:33 PM
Use MSVC++

Light Squared
08-09-2012, 09:03 AM
New 9.61 packet addresses?

klusbert
08-09-2012, 09:43 AM
Private Const SENDOUTGOINGPACKET As Integer = &H514900 '961
Private Const OUTGOINGDATASTREAM As Integer = &H7B6F50 '961
Private Const OUTGOINGDATALEN As Integer = &H9D1FD8 '961

Private Const INCOMINGDATASTREAM As Integer = &H9D1FC4 '961

Private Const PARSERFUNC As Integer = &H463330 '961


Be grateful, I did it just for you.

Light Squared
08-09-2012, 09:50 AM
Very very thanks! ;p

Dubler
08-09-2012, 04:03 PM
@Kush
I'm using MSVC++ 2010 :)

aglasith
08-13-2012, 05:09 PM
How can I use the declaration of Tibiasock.dll in Delphi 7?

How can I add Tibiasock.dll to Delphi 7?
How to declare the externals? Same as packet.dll.

kaiser
08-15-2012, 09:27 AM
Hello, can someone give me addresses for Tibia 7.6?

Hello, can someone tell me how to get addresses for Tibia 7.6?

aglasith
08-30-2012, 12:02 PM
I can't update this :/

arkes
08-30-2012, 05:26 PM
Solved

arkes
10-10-2012, 03:28 PM
Addresses for 9.70? ;)

klusbert
10-11-2012, 01:29 AM
Private Const SENDOUTGOINGPACKET As Integer = &H518330 '970
Private Const OUTGOINGDATASTREAM As Integer = &H7B9D78 '970
Private Const OUTGOINGDATALEN As Integer = &H9D45D8 '970
Private Const INCOMINGDATASTREAM As Integer = &H9D45C4 '970
'search for "packet size is too small even for one"
Private Const PARSERFUNC As Integer = &H4662E0 '970
' search for "unknown packet type during login"

Tested and it is working.

aglasith
10-14-2012, 05:54 PM
God should bless you

arkes
11-08-2012, 05:13 PM
9.71 addresses?


Thanks.

aglasith
11-08-2012, 09:09 PM
#define OUTGOINGDATASTREAM 0x7BADB8
#define OUTGOINGDATALEN 0x9D53A8
#define SENDOUTGOINGPACKET 0x51a2d0

klusbert
11-08-2012, 09:54 PM
9.71 addresses?


Thanks.


Have you at least tried yourself? I uploaded a video to help people with no knowledge about updating addresses.

Farsa
11-30-2012, 09:46 PM
I have ported it to D in case anyone is interested: http://code.google.com/p/tibiasock-d/source/browse/trunk/Tibiasock%20Test/tibia/tibiasock.d

Concerning D:
Official website: http://dlang.org/
Why should you care about D/Features: http://dlang.org/comparison.html
A great free [in development] book: http://ddili.org/ders/d.en/pdf_indir.html

lokurabr
01-03-2013, 01:42 AM
What is it? A new "Tibia API"??

DarkstaR
01-03-2013, 03:59 PM
Nope. It's a socket library which manipulates Tibia's top-level protocol.

Regnardgreeb
01-19-2013, 09:21 AM
Nope. It's a socket library which manipulates Tibia's top-level protocol.

If you start the .exe file (the test version that you made), it causes the Tibia client to crash. Do you need to recompile it and update the addresses?

DarkstaR
01-19-2013, 02:41 PM
If you start the .exe file (the test version that you made), it causes the Tibia client to crash. Do you need to recompile it and update the addresses?
It's good, not magic. Of course you do.

Regnardgreeb
01-20-2013, 02:17 PM
It's good, not magic. Of course you do.


Ok mate. Which Tibia version do the current addresses support now - at least that would be a start. Or if you could simply release the 5 addresses for 9.81 to make this work and I'll work from there. Good work with Xenobot, by the way.

XtrmJash
01-20-2013, 03:43 PM
@Up - I know that ReceiveStream is 0x5DA5F4 in 9.81; take a look in the TibiaAPI source (http://code.google.com/p/tibiaapi/source/browse/branches/tibiaapi-current/trunk/tibiaapi/Addresses/Versions/Version9_8_1_0.cs) for the rest.

Regnardgreeb
01-20-2013, 07:18 PM
@Up - I know that ReceiveStream is 0x5DA5F4 in 9.81; take a look in the TibiaAPI source (http://code.google.com/p/tibiaapi/source/browse/branches/tibiaapi-current/trunk/tibiaapi/Addresses/Versions/Version9_8_1_0.cs) for the rest.

Yeh, the only ones I couldn't find there are the OUTGOINGDATASTREAM and the OUTGOINGDATALEN addresses. I believe that SENDOUTGOINGPACKET is 0x2F7970, right?

klusbert
01-21-2013, 12:37 AM
Have you checked out my YouTube movie about updating tibiasock?
Check it out and I hope it helps.
http://tpforums.org/vbulletin/showthread.php?5463-Update-tibiasock

Regnardgreeb
01-21-2013, 08:47 AM
Have you checked out my YouTube movie about updating tibiasock?
Check it out and I hope it helps.
http://tpforums.org/vbulletin/showthread.php?5463-Update-tibiasock

Thanks a lot man. I just wonder, concerning the first address you find, I can't really see from where you get it. Is it the address for PUSH EBP (the address on the left side)? I'm new to this "finding addresses" thingy, but I'm learning. :)

I appreciate your help man.

XtrmJash
01-21-2013, 09:15 AM
Yeh, the only ones I couldn't find there are the OUTGOINGDATASTREAM and the OUTGOINGDATALEN addresses. I believe that SENDOUTGOINGPACKET is 0x2F7970, right?

I suspect so, I'm not entirely sure since I've not really used Tibiasock in a while, let's see if klusbert has any more support to offer!

klusbert
01-21-2013, 02:18 PM
Updated to 9.81:
Private Const SENDOUTGOINGPACKET As Integer = &H51B4F0 '981
Private Const OUTGOINGDATASTREAM As Integer = &H7BDDD8 '981
Private Const OUTGOINGDATALEN As Integer = &H9DA608 '981
Private Const INCOMINGDATASTREAM As Integer = &H9DA5F4 '981
Private Const PARSERFUNC As Integer = &H468BD0 '981

Regnardgreeb
01-21-2013, 04:12 PM
Updated to 9.81:
Private Const SENDOUTGOINGPACKET As Integer = &H51B4F0 '981
Private Const OUTGOINGDATASTREAM As Integer = &H7BDDD8 '981
Private Const OUTGOINGDATALEN As Integer = &H9DA608 '981
Private Const INCOMINGDATASTREAM As Integer = &H9DA5F4 '981
Private Const PARSERFUNC As Integer = &H468BD0 '981

Excellent. In the future, I'll update on my own and post them here as well. Have a nice day mate =)

Dayle
01-23-2013, 12:54 PM
Klusbert, you sure the OUTGOINGDATALEN address is right? I found 0x98A608.

EDIT: Actually I double checked it... it's 0x9DA608

klusbert
01-23-2013, 07:24 PM
It worked for me, so I never double checked it. Does your address work?

Ah, saw your edit. I am glad you can get it yourself :) But just so I know, did you use my video to do this?

Dayle
01-23-2013, 08:38 PM
No.
I set a breakpoint at the socket_send function. Then I checked the call stack; the last function called before send is encrypt packets (I knew it by checking the stack), so there is our SendOutgoingPacket. So I forced Tibia to send a packet I know, and it showed up on the stack... after that, I followed my packet in the memory dump, and set a breakpoint on access to that memory address. When the breakpoint was hit, I would have an assembly of something like: mov [eax+edx] (there's my buffer), and an inc ecx (my buffer length).

Dayle
01-23-2013, 08:41 PM
Anyways, I couldn't get the TibiaSock example to work by just updating the addresses. I'll try to do it myself...

klusbert
03-01-2013, 12:14 AM
Private Const SENDOUTGOINGPACKET As Integer = &H51D600 '982
Private Const OUTGOINGDATASTREAM As Integer = &H7C0F78 '982
Private Const OUTGOINGDATALEN As Integer = &H9DE6F0 '982
Private Const INCOMINGDATASTREAM As Integer = &H9DE6DC '982
Private Const PARSERFUNC As Integer = &H46B2F0 '982

Blues
03-26-2013, 09:00 PM
9.90

OUTGOINGDATASTREAM = $7C0F60;
OUTGOINGDATALEN = $9E6418;
SENDOUTGOINGPACKET = $51d800;

mateuszal3
11-29-2013, 02:42 PM
I have a problem. Tibia has stopped working. I searched and found that the problem lies in the function "WaitForSingleObject(WorkThread, INFINITE);" in "ExecuteRemoteCode(HANDLE process, LPVOID codeAddress, LPVOID arg)". I am using Tibia 10.22 with the addresses from http://tpforums.org/forum/threads/5463-Update-tibiasock?p=52778&viewfull=1#post52778

wgrzelak
12-11-2013, 10:14 PM
#define SENDOUTGOINGPACKET 0x51F4B0 //10.30
#define OUTGOINGDATASTREAM 0x7C7C90 //10.30
#define OUTGOINGDATALEN 0x9E8AA0 //10.30

#define INCOMINGDATASTREAM 0x9E8A8C //10.30
#define PARSERFUNC 0x471370 //10.30

wgrzelak
12-31-2013, 02:42 PM
Problem solved.

astra
12-31-2013, 04:54 PM
I have the same bug ;p

frann
01-24-2014, 02:56 PM
#define SENDOUTGOINGPACKET 0x51F4B0 //10.30
#define OUTGOINGDATASTREAM 0x7C7C90 //10.30
#define OUTGOINGDATALEN 0x9E8AA0 //10.30

#define INCOMINGDATASTREAM 0x9E8A8C //10.30
#define PARSERFUNC 0x471370 //10.30

Are you sure these addresses are correct?

Kannibale
02-08-2014, 07:35 AM
Are these addresses right? They are what I found..

Private Const SENDOUTGOINGPACKET As UInteger = &H525740 '10.34
Private Const OUTGOINGDATASTREAM As UInteger = &H7C8D20 '10.34
Private Const OUTGOINGDATALEN As UInteger = &H9E9768 '10.34

Private Const INCOMINGDATASTREAM As UInteger = &H9E9754 '10.34
Private Const PARSERFUNC As UInteger = &H4716A0 '10.34

Got it nvm. These are the right ones.

astra
02-08-2014, 11:13 AM
public static int SendStreamLength = 0x9E9768 - 0x400000 + baseAdress_int; //10.34
public static int SendStreamData = 0x7C8D20 - 0x400000 + baseAdress_int; //10.34
public static int SendOutGoingPacket = 0x525740 - 0x400000 + baseAdress_int; //10.34

Lolrapa
03-15-2014, 09:43 PM
How did you fix the Tibia client crash after all?

kk2
05-12-2014, 02:41 AM
Where can I download this? :S

howcio
07-08-2014, 04:04 PM
Anyone got a new DLL for 10.50?

klusbert
09-04-2014, 11:52 PM
I'm not sure if anyone has updated tibiasock yet, but here is the VB version.
http://pastebin.com/m3EUYwnk

You need to call the SendPacket function differently since it uses fastcall nowadays, so I solved it by creating a code cave.

DarkstaR
09-06-2014, 07:44 PM
This code is pretty bad and pretty old. I'll make a new one of these that works much better when I have more time. I can probably include memory reading functions and such.

Lolrapa
09-07-2014, 11:37 AM
This code is pretty bad and pretty old. I'll make a new one of these that works much better when I have more time. I can probably include memory reading functions and such.
C'mon, don't be so hard on klusbert :(

DarkstaR
09-08-2014, 01:51 AM
C'mon, don't be so hard on klusbert :(

the fuck are you smoking? It's my code.

Lolrapa
09-08-2014, 09:27 AM
the fuck are you smoking? It's my code.
Haha, it was a joke about the comment above yours.

I'm looking forward to seeing the new Tibia socket!!

Suggestion: you could take the needed addresses as parameters of the functions, so you don't have to compile the DLL every Tibia update, for those who don't have the needed compiler. :)

klusbert
09-08-2014, 01:33 PM
Darkstar, I have some free time right now; can you tell me the problem with this tibiaSock and maybe I can work something out?

Lolrapa
09-08-2014, 02:14 PM
Darkstar, I have some free time right now; can you tell me the problem with this tibiaSock and maybe I can work something out?
I think there is no problem (besides the fastcall addition), I think he just wants to make it better.

Also, have a look at this funny post on google ads agency in sydney link (https://franciscokxnu94944.wikikarts.com/684299/new_news_on_choosing_an_seo_agency_in_sydney) not to mention business model in digital marketing, on digital marketing, marketing agencii, digital marketing departments, popular digital marketing companies, advertising agency revenue, digital marketing what is it all about, marketing tactic strategy, latest update on digital marketing, the latest trends in digital marketing, on top of this go to the website about social media agency in sydney site (https://jaredmjha06173.wikiparticularization.com/690526/good_suggestions_for_selecting_a_social_media_agen cy_in_sydney) with website marketing agency, digital publicity, ad agency of record, multimedia agencies, website traffic agency, digital presence, digital marketing today, success of digital marketing, ad agencies us, email marketing companies near me, for good measure. Check more @ Best Mpo700 Website (http://i-freego.com--www.i-freego.com/viewthread.php?tid=8394619&pid=9650700&page=1&extra=#pid9650700) edbb9b2