9.44 Win7 addresses [Archive] - Forums




Seppe
03-20-2012, 03:18 PM
Hi, I'm new here. Yesterday I read quite a few threads about making a bot, and I decided to start off with a simple application that will just display my hp, mp, exp, etc. I know some C++ and the basics of WinAPI, and from what I've read there are at least two ways to make a bot: using Open/Read/WriteProcess functions and simulating keypresses, or using TibiaAPI (which seems to be outdated, so I stuck to the first method). I also got to know CheatEngine a bit. I am already able to read and display my experience, but I get stuck with HP. I can find the value in CheatEngine, but changing it doesn't work as it does with experience. I've read something about XOR, ASLR, adding 40000, +Tibia.exe... But I just don't get it, it's confusing. Can you help me?

panqnik
03-20-2012, 09:45 PM
You need to XOR some addresses to get hp/mp.

Czepek
03-20-2012, 10:25 PM
DarkstaR's solution about ASLR (http://tpforums.org/forum/thread-8812-post-77728.html#pid77728)
How to use Windows XP Tibia 9.1 address in Vista/7 (http://tpforums.org/forum/thread-8824-post-77746.html#pid77746)

About XOR, it's exactly this:

#include <windows.h>
#include <cstdio>
#include <cstdint>

// 'mem' is the poster's own memory helper object; its class is not shown in the thread.

const DWORD XOR = 0x7ABF8C;
const DWORD MyHp = 0x941000;
const DWORD MyMp = 0x7ABFE0;

int main()
{
    DWORD pID = mem.getProcessIdByExeName("Tibia.exe");
    HANDLE handle = mem.doOpenProcess(pID);
    mem.setGameProcessId(pID);
    mem.setGameHandle(handle);

    uint32_t rMyHp = mem.readByte(MyHp, 4); // readByte() includes ASLR solution!
    uint32_t rMyMp = mem.readByte(MyMp, 4);
    uint32_t rXOR = mem.readByte(XOR, 4);
    rMyHp = rMyHp ^ rXOR; // HP/MP are stored XORed with the key read from XOR
    rMyMp = rMyMp ^ rXOR;

    printf("Your HP: %u\nYour MP: %u\n", rMyHp, rMyMp);

    getchar();
    return 0;
}

9.44 addresses and changes - ONLY HERE! (http://tpforums.org/forum/thread-9196-post-80312.html#pid80312)

By the way, about DarkstaR's ASLR solution, keep in mind to change this line (if you don't use an injected DLL):
HANDLE snapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, GetCurrentProcessId());
The rest of the changes in this code you should know if you have some knowledge of C++.

Regards, Czepek!

Seppe
03-21-2012, 12:27 AM
Thanks for your replies. Czepek, is your code based on TibiaAPI? I haven't used it yet, but the first four function calls look similar to the WinAPI ones. readByte() == ReadProcessMemory(), am I right? Is there a simple way to implement this without using TibiaAPI and this long solution of Darkstar's?

editbin /DYNAMICBASE:NO "C:\Program Files (x86)\Tibia910\tibia.exe"
Does this method still work? I couldn't execute it in VS command line.

Seppe
03-21-2012, 09:38 PM
Ok, I finally got it! I've had a really hard time with that, it took me a few hours to read many things and try various combinations :rolleyes:
I'll post my solution in case someone gets the same problem.


#include <windows.h>
#include <TlHelp32.h>

const DWORD XOR = 0x7ABF8C;
const DWORD MyHp = 0x941000;
const DWORD MyMp = 0x7ABFE0;

// Returns the load address of the first module in the process snapshot (the main
// executable), or 0 if the snapshot cannot be taken or has no modules.
DWORD BaseAddress(DWORD PID)
{
    MODULEENTRY32 moduleEntry = {0};
    HANDLE snapShot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE, PID);
    if (snapShot == INVALID_HANDLE_VALUE)
        return 0;
    DWORD base = 0;
    moduleEntry.dwSize = sizeof(moduleEntry);
    BOOL currentModule = Module32First(snapShot, &moduleEntry);
    if (currentModule)
        base = (DWORD)moduleEntry.modBaseAddr;
    CloseHandle(snapShot);
    return base;
}

The function above is a modified version of this: Addresses 9.1 (http://tpforums.org/forum/thread-8812-post-77728.html#pid77728). I've made this somewhat simpler, maybe less secure, but there is no 'WideToChar' function in the standard headers and I didn't want to get into details, as I could barely understand this whole MODULEENTRY32 structure I saw for the first time.
Next, when I want to read the HP value, I do the following:


// hprocess and processid come from OpenProcess() earlier in the program.
// Named xorKey because 'xor' is an alternative token (keyword) in standard C++.
DWORD hp = 0, xorKey = 0;
ReadProcessMemory(hprocess, (LPCVOID)(BaseAddress(processid) + MyHp - 0x400000), &hp, 4, 0);
ReadProcessMemory(hprocess, (LPCVOID)(BaseAddress(processid) + XOR - 0x400000), &xorKey, 4, 0);

UINT hpvalue = (xorKey ^ hp);

It might not be too neat, but for now it works :).
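As an added, self-contained illustration (not code from the thread), the rebasing arithmetic and XOR decode above, run against a constructed fake module so it compiles anywhere without the Windows API. FakeProcess, makeSample and the sample values (base 0x1230000, HP 250, MP 130, key 0xDEADBEEF) are assumptions; only the 9.44 addresses come from the thread.

```cpp
#include <cstdint>
#include <cstring>
#include <vector>

const uint32_t kLinkBase = 0x400000;   // base the thread's static addresses assume
const uint32_t kXorAddr  = 0x7ABF8C;   // 9.44 addresses quoted in the thread
const uint32_t kHpAddr   = 0x941000;
const uint32_t kMpAddr   = 0x7ABFE0;

// Constructed stand-in for the target: one module mapped at `base` (not 0x400000).
// read() mimics ReadProcessMemory: it only succeeds for addresses inside the module.
struct FakeProcess {
    uint32_t base;
    std::vector<uint8_t> image;

    bool read(uint32_t absAddr, void* out, size_t n) const {
        if (absAddr < base || absAddr - base + n > image.size()) return false;
        std::memcpy(out, &image[absAddr - base], n);
        return true;
    }
    void write(uint32_t absAddr, uint32_t v) { std::memcpy(&image[absAddr - base], &v, 4); }
};

// Rebase: link-time address -> actual address, i.e. base + (addr - 0x400000).
uint32_t rebase(uint32_t base, uint32_t linkAddr) { return base + (linkAddr - kLinkBase); }

// Read a 4-byte value at a link-time address after rebasing; false on failure.
bool readU32(const FakeProcess& p, uint32_t linkAddr, uint32_t& out) {
    return p.read(rebase(p.base, linkAddr), &out, sizeof out);
}

// HP/MP are stored XORed with a per-session key living at kXorAddr; undo it here.
bool readDecoded(const FakeProcess& p, uint32_t linkAddr, uint32_t& out) {
    uint32_t raw, key;
    if (!readU32(p, linkAddr, raw) || !readU32(p, kXorAddr, key)) return false;
    out = raw ^ key;
    return true;
}

// Constructed sample: module loaded at 0x1230000 (ASLR), HP=250, MP=130, key 0xDEADBEEF.
FakeProcess makeSample() {
    FakeProcess p{0x1230000, std::vector<uint8_t>(kHpAddr - kLinkBase + 4, 0)};
    const uint32_t key = 0xDEADBEEF;
    p.write(rebase(p.base, kXorAddr), key);
    p.write(rebase(p.base, kHpAddr), 250u ^ key);
    p.write(rebase(p.base, kMpAddr), 130u ^ key);
    return p;
}
```

Reading the raw link-time address 0x941000 without rebasing fails here, which is the symptom the first post describes.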

Czepek
03-22-2012, 10:00 AM
Have you tried replacing the 'WideToChar' function with this one:

memcpy(hold, moduleEntry.szModule, strlen(moduleEntry.szModule) + 1);

It should work.

Regards, Czepek!

Seppe
03-22-2012, 12:44 PM
No, I haven't. Anyway, could you explain to me what this


if (currentModule)
{
    static char hold[1000];
    WideToChar(hold, moduleEntry.szModule);

    if (string(hold).find(".exe") == string(hold).size() - 4)
        // base = (DWORD)moduleEntry.modBaseAddr;
}

is supposed to do? I've just left the commented-out line, which doesn't seem to affect anything, and it works just fine.

Sketchy
03-22-2012, 03:22 PM
The purpose of that code block is to check whether the module entry in the current enumeration is related to the process' executable file. This is done to ensure that the correct base address is located in the event that it isn't the first module in the enumeration. I'm not sure whether this could actually occur, but it's better safe than sorry.

The use of the WideToChar function is to make it all unicode compatible in the event that the unicode variants of the functions are used (usually due to UNICODE being defined before the headers are included), and in such an event the szModule member of the MODULEENTRY32 structure will be of the 16-bit type wchar_t instead of the 8-bit char. The purpose of WideToChar is to convert the unicode strings to ASCII in order to check if it contains ".exe" at the end using the std::string class, which only works on ASCII. Windows uses the UTF-16 encoding, which directly incorporates the ASCII encoding into the lower byte; this makes conversion pretty easy and a basic one can be done like so:


#include <windows.h> // for TCHAR

// Copies the low byte of each source character into dest; a character whose low
// byte is 0 (non-ASCII) becomes a space so it cannot terminate the string early.
void WideToChar(char * dest, const TCHAR * source)
{
    int index = -1;

    while (source[++index] != 0)
    {
        dest[index] = (char)source[index];

        if (dest[index] == 0)
        {
            dest[index] = ' ';
        }
    }

    dest[index] = 0;
}

The TCHAR type used for the source parameter is defined by the Windows headers as either a char if UNICODE is undefined or a wchar_t if it is. So if you compile without the UNICODE definition it will be treated as an ASCII string and be directly copied over.