how to auto find addresses? [Archive] - Forums


moondog
09-29-2013, 07:13 PM
Is there any way to auto-discover addresses in Tibia? So I don't have a few configs for every Tibia client.

XtrmJash
09-29-2013, 09:42 PM
It would require you to write AI which processes the data in the client in the same way that you do. Possible, but very difficult. Using a text interpreter based on pixel reading there's a strong probability it could be created, but considering the fact that you had to ask this question in the first place, I suspect you will lack the knowledge required to undertake such a task. Best thing you can do is probably to write a Lua script which will allow you to search more easily using CheatEngine. Other than that, wait for people to share them if you're still pretty new or struggle to find them yourself.

moondog
09-29-2013, 10:17 PM
It would require you to write AI which processes the data in the client in the same way that you do. Possible, but very difficult. Using a text interpreter based on pixel reading there's a strong probability it could be created, but considering the fact that you had to ask this question in the first place, I suspect you will lack the knowledge required to undertake such a task. Best thing you can do is probably to write a Lua script which will allow you to search more easily using CheatEngine. Other than that, wait for people to share them if you're still pretty new or struggle to find them yourself.
I'm writing a tool and I'd like it to work on all versions of Tibia. If not, I'll hardcode it.

I saw baseAddress + Tibia address being used. Is that a standard now?

jo3bingham
09-29-2013, 11:13 PM
I'm writing a tool and I'd like it to work on all versions of Tibia. If not, I'll hardcode it.

I saw baseAddress + Tibia address being used. Is that a standard now?
You will be better off manually adding addresses for each version.

CipSoft added ASLR to the Tibia client starting with the 9.10 update. Before this, all clients shared the same base address of 0x400000. With ASLR, each time a client is executed the base address is randomized. You can disable ASLR in the client, but to make it easier for users most people now use the "BaseAddress + TibiaAddress" method (which can also be applied to those older clients).

XtrmJash
09-29-2013, 11:18 PM
I'm writing a tool and I'd like it to work on all versions of Tibia. If not, I'll hardcode it.

I saw baseAddress + Tibia address being used. Is that a standard now?

The majority of people (I think, at least) use a util class that stores the base address of the selected client and is instantiated. This allows a number of things, one being multiple client control from one client, another being multiple version support, and beyond that there are a lot more benefits. I'll typically have a client class which stores these:

Player structure (all info on player, including hp, mp, position, outfit, items, containers, etc)
Exe path (I get this using Process.FileInfo (or something of that nature, in C#.NET))
Exe version (again using Process.FileInfo to get the file version; it gives me it as a string like "10.0.2.0")
Hotkey array
Map array
Battle list structure
Update world method (which updates all the above each X ms - typically 100ms, depending on the function of the program)
Process ID
Process object
Process Handle
Process Main Module Base Address
Window structure (location of each container, area, sizes of all objects, etc)
Log message list (I always use logging for debug, and check build type to enable / disable logging throughout)

Probably a few other things, too, but that's what I've got in my current project. If you wanted to be really clever you could incorporate a WPF TabItem structure to build with each instance of the class, then add it to a tab control when you initialize the class. At that point you can look at a bot which will control numerous clients etc, which is always an enjoyable project!
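The "BaseAddress + TibiaAddress" bookkeeping jo3bingham describes and the per-client object XtrmJash lists above, as an added example (not code from either poster). Assumptions: legacy addresses from pre-9.10 clients are absolute and based at 0x400000, newer ones are written "Tibia.exe+HEX" the way Cheat Engine prints them, and the client is 32-bit, so run this under a 32-bit Python. Only main_module_base() touches Windows (kernel32/psapi through ctypes); everything else is plain Python.

```python
"""Resolve Tibia addresses against a client whose EXE base changes every run."""
import ctypes
import re

LEGACY_BASE = 0x400000               # every pre-ASLR client loaded here (assumption from the post above)
PROCESS_QUERY_INFORMATION = 0x0400
PROCESS_VM_READ = 0x0010
_MODULE_SPEC = re.compile(r"^(?P<module>[^+\s]+)\+(?P<off>[0-9A-Fa-f]+)$")


class MODULEINFO(ctypes.Structure):
    _fields_ = [("lpBaseOfDll", ctypes.c_void_p),
                ("SizeOfImage", ctypes.c_ulong),
                ("EntryPoint", ctypes.c_void_p)]


def main_module_base(pid):
    """(base, size) of the first module of `pid`, i.e. the EXE itself, which is
    what Process.MainModule.BaseAddress gives you in .NET. Windows only."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    psapi = ctypes.WinDLL("psapi", use_last_error=True)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_ulong, ctypes.c_int, ctypes.c_ulong]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    psapi.EnumProcessModules.argtypes = [ctypes.c_void_p, ctypes.POINTER(ctypes.c_void_p),
                                         ctypes.c_ulong, ctypes.POINTER(ctypes.c_ulong)]
    psapi.GetModuleInformation.argtypes = [ctypes.c_void_p, ctypes.c_void_p,
                                           ctypes.POINTER(MODULEINFO), ctypes.c_ulong]
    handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, 0, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        first, needed, info = ctypes.c_void_p(), ctypes.c_ulong(), MODULEINFO()
        # Ask for exactly one HMODULE: the first entry is always the main executable.
        if not psapi.EnumProcessModules(handle, ctypes.byref(first), ctypes.sizeof(first), ctypes.byref(needed)):
            raise ctypes.WinError(ctypes.get_last_error())
        if not psapi.GetModuleInformation(handle, first, ctypes.byref(info), ctypes.sizeof(info)):
            raise ctypes.WinError(ctypes.get_last_error())
        return info.lpBaseOfDll, info.SizeOfImage
    finally:
        k32.CloseHandle(handle)


def resolve(spec, base, module="Tibia.exe"):
    """Runtime address of `spec` for a client whose EXE is loaded at `base`.
    int -> legacy absolute address, rebased from 0x400000
    str -> "Tibia.exe+3CBBBC", an offset already relative to the module"""
    if isinstance(spec, int):
        if spec < LEGACY_BASE:
            raise ValueError("%#x is not a legacy absolute address" % spec)
        return base + (spec - LEGACY_BASE)
    m = _MODULE_SPEC.match(spec)
    if not m or m.group("module").lower() != module.lower():
        raise ValueError("unrecognised address spec: %r" % (spec,))
    return base + int(m.group("off"), 16)


def to_spec(address, base, module="Tibia.exe"):
    """Inverse of resolve(): print a runtime address the way Cheat Engine does,
    so something found in this session still means the same in the next one."""
    if address < base:
        raise ValueError("%#x lies below the module base %#x" % (address, base))
    return "%s+%X" % (module, address - base)


class ClientInstance:
    """One object per running client: pid, base and the resolved address table
    live together, so several clients (and versions) can be driven side by side."""
    def __init__(self, pid, address_table, base=None):
        self.pid = pid
        self.base = base if base is not None else main_module_base(pid)[0]
        self.addresses = {name: resolve(spec, self.base) for name, spec in address_table.items()}
```

Pass `base=` explicitly (e.g. from a memory dump) to use the class without a live process; otherwise it opens the process once and caches the base, which is the expensive part you do not want to repeat every 100 ms tick.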

moondog
09-30-2013, 08:28 PM
Any snippets out here for the base address? Can't find one.

Blequi
09-30-2013, 08:40 PM
check the #pragma region Window / Process Utils
of this code http://pastebin.com/eTemUNuH

moondog
09-30-2013, 08:58 PM
Okay, got it. I've managed to do it. Also, how do I read a string from memory? E.g. the player name, or creature names from the battle list?
I mean, how do I get to know when the string ends?

Also where's current online indicator stored?

Blequi
09-30-2013, 09:19 PM
Okay, got it. I've managed to do it. Also, how do I read a string from memory? E.g. the player name, or creature names from the battle list?
I mean, how do I get to know when the string ends?

As soon as you find a null-char terminator '\0'.


Also where's current online indicator stored?

Alternate scans between changed and unchanged value in Cheat Engine while logging in/out. You'll have a few static addresses (green addresses) to test.
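A bounded string read along the lines of Blequi's answer, as an added example (not code from the thread). ProcessMemory stands in for a ReadProcessMemory wrapper and is backed by a constructed snapshot so this runs offline; BASE, the snapshot layout, latin-1 decoding and the fixed-size name field are assumptions, and the 11 stored at +0x4E only mirrors the value moondog reports below.

```python
"""Reading C strings and flags out of another process, with the edge cases."""

BASE = 0x00D00000                 # hypothetical address the snapshot was taken from
SNAPSHOT = (b"\x00" * 16          # +0x00: bytes before the strings
            + b"Moondog\0"        # +0x10: player name
            + b"Orshabaal\0"      # +0x18: a battle-list creature name
            + b"NoTerminator"     # +0x22: 12 bytes with no NUL of their own
            + b"\x00" * 32        # +0x2E: zero-filled gap
            + b"\x0b\x00\x00\x00"  # +0x4E: a 32-bit flag holding 11 (constructed)
            + b"\x00" * 28        # +0x52: more gap
            + b"Cyclops\0")       # +0x6E: last readable bytes of the region


class ProcessMemory:
    """Minimal read interface. A real one calls ReadProcessMemory, which fails
    the whole request if any byte of the range is unreadable; the snapshot
    version mimics that by raising OSError on reads past its end."""
    def __init__(self, base, image):
        self.base, self.image = base, image

    def read(self, address, size):
        off = address - self.base
        if off < 0 or off + size > len(self.image):
            raise OSError("unreadable range %#x+%d" % (address, size))
        return self.image[off:off + size]


def read_cstring(mem, address, max_len=256, chunk=32, encoding="latin-1"):
    """Read until the first NUL. Reads `chunk` bytes per call instead of one;
    if a chunk crosses into unreadable memory, fall back to single bytes for
    the remainder. Gives up at max_len so a bad pointer to non-string data
    cannot make us walk the whole address space."""
    out = bytearray()
    step = chunk
    while len(out) < max_len:
        want = min(step, max_len - len(out))
        try:
            data = mem.read(address + len(out), want)
        except OSError:
            if step == 1:
                raise                      # even one byte is unreadable: bad pointer
            step = 1                       # retry the rest byte by byte
            continue
        nul = data.find(b"\0")
        if nul != -1:
            return bytes(out + data[:nul]).decode(encoding)
        out += data
    raise ValueError("no terminator within %d bytes of %#x" % (max_len, address))


def read_fixed_cstring(mem, address, size, encoding="latin-1"):
    """For a name stored inline in a fixed-size, NUL-padded buffer: one read of
    the whole field, then cut at the first NUL."""
    data = mem.read(address, size)
    return data.split(b"\0", 1)[0].decode(encoding)


def read_u32(mem, address):
    """Little-endian 32-bit read, e.g. for a flag such as the logged-in indicator."""
    return int.from_bytes(mem.read(address, 4), "little")


if __name__ == "__main__":
    mem = ProcessMemory(BASE, SNAPSHOT)
    print(read_cstring(mem, BASE + 0x10))            # Moondog
    print(read_cstring(mem, BASE + 0x6E))            # Cyclops, via the byte-by-byte fallback
    print(read_fixed_cstring(mem, BASE + 0x18, 32))  # Orshabaal
    print(read_u32(mem, BASE + 0x4E))                # 11
```

The chunked read matters in practice: one ReadProcessMemory call per byte is slow when you refresh a whole battle list every tick, while one large read fails outright if the string sits at the end of a mapped region, so the function tries the fast path and degrades only when it has to.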

moondog
09-30-2013, 10:36 PM
Logged-in indicator: Tibia.exe+3CBBBC

If logged in, this address == 11.

can someone confirm?

Blequi
09-30-2013, 10:38 PM
Logged-in indicator: Tibia.exe+3CBBBC

If logged in, this address == 11.

can someone confirm?

good to know you have understood :)

XtrmJash
10-01-2013, 10:53 PM
Okay, got it. I've managed to do it. Also, how do I read a string from memory? E.g. the player name, or creature names from the battle list?
I mean, how do I get to know when the string ends?

Also where's current online indicator stored?

I had a few issues using first module, so I went ahead and wrote the code in this post (http://tpforums.org/forum/threads/5863-ReadProcessMemory-C-Sample-code-amp-Question-for-advanced-C-users?p=51732&viewfull=1#post51732). Maybe you'll find it useful / interesting at least. Nothing ventured, nothing gained.

Sketchy
10-03-2013, 02:01 AM
I've done a fair bit of work with automatically finding addresses and I'd advise avoiding the topic until you are much more experienced, especially with regards to assembly. Even then it's not something you should blindly rely upon, as your routines can easily break; unless you are very confident in your routines they should ideally be limited to helper tools to help you manually update the addresses of your main program/s. When harnessed right, though, it can be a very powerful ability. For instance, my favourite routine automatically locates the parser/getGextPacket (and parser's call to it)/decryptPacket/sendPacket functions along with all the client-side packet generation functions including their ID number, and this routine works for all clients (that I've tested, anyway) from 7.8 up until the latest one without problem (7.72 works too, with the exception of client packets). But as said, you should avoid diving into this area until you are more experienced.

Blequi
10-03-2013, 03:09 AM
I've done a fair bit of work with automatically finding addresses and I'd advise avoiding the topic until you are much more experienced, especially with regards to assembly. Even then it's not something you should blindly rely upon, as your routines can easily break; unless you are very confident in your routines they should ideally be limited to helper tools to help you manually update the addresses of your main program/s. When harnessed right, though, it can be a very powerful ability. For instance, my favourite routine automatically locates the parser/getGextPacket (and parser's call to it)/decryptPacket/sendPacket functions along with all the client-side packet generation functions including their ID number, and this routine works for all clients (that I've tested, anyway) from 7.8 up until the latest one without problem (7.72 works too, with the exception of client packets). But as said, you should avoid diving into this area until you are more experienced.

One day before the 10.20 Tibia patch, I did a small tool to ease my life on update day. It basically scans Tibia (the static tibia.exe module) memory for the structures I'm currently using. The tool basically relies on finding sequences of integers or strings placed quite near (this is the key point of my tool) the desired address I want. Also, I made it export the addresses in the XML format that Cheat Engine uses to build its address table, so the only work I do is to check if the addresses have been updated fine.

Indeed, my tool in question is not designed to be a perfect patcher, only a handy helper, or something to guess a location quite near the desired address.

Summary: the estimated time to update my tool for the 10.20 patch went from 1h to 5 ~ 10 min (30 secs for the program itself, the rest is me checking that everything went fine), and it will probably be the same in future updates if the update is cosmetic/small, like shifting structure addresses.

I would release this tool, but unfortunately beginners would use it in the wrong way, like "I want addresses and don't give a fuck how to find them". Also, it could be used to auto-patch (crack) paid bots.

Sketchy
10-03-2013, 04:04 AM
The tool basically relies on finding sequences of integers or strings placed quite near (this is the key point of my tool) the desired address I want.

Yeah searching for a pattern, strings being an excellent choice, is a key point in automated routines.

In my routine I'm just searching the client executable (parsing the PE file itself, so the client doesn't need to be running) for 3 different strings, from which I determine the InitClientPacket/SendPacket/DecryptPacket function addresses; then the other stuff is determined from the addresses of these 3 functions. I was actually making the routine to be part of my main project, a hook DLL, but eventually lost interest in the project before finishing it.



Indeed, my tool in question is not designed to be a perfect patcher, only a handy helper, or something to guess a location quite near the desired address.

Summary: the estimated time to update my tool for the 10.20 patch went from 1h to 5 ~ 10 min (30 secs for the program itself, the rest is me checking that everything went fine), and it will probably be the same in future updates if the update is cosmetic/small, like shifting structure addresses.

Very nice. I've only got one helper tool that I use right now, which I add my C# address enums to; then it parses out the relative address into the selected enum value from the ASM instruction string copied from Olly, then finally outputs my updated enum. It probably saves me 30 at most per address but is well worth it to avoid the annoyance of manually writing them out and removing the base address (I don't like having a base address constant in my programs now, since you will have to re-base it anyway).
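The static approach both posters describe (Blequi: anchor on strings and integer sequences near the target; Sketchy: parse the PE file on disk, find a string, derive function addresses from it), as an added example that is not either author's tool. The PE image is constructed by build_fake_pe() so the script runs offline; parse_pe() works on a real 32-bit Tibia.exe read from disk. The string, the push-imm32 reference shape, the 55 8B EC prologue heuristic and the call-rel32 follow-up are assumptions about how the code is laid out, not facts about the Tibia client.

```python
"""Find a string in a PE file, its code references, the enclosing function
and the first call it makes, reporting everything as Tibia.exe+offset."""
import struct

IMAGE_BASE = 0x400000                        # whatever the header says; output is relative anyway
TEXT_RVA, RDATA_RVA = 0x1000, 0x3000
NEEDLE = b"Connecting to the game world"    # constructed; pick a string you see in the real client


def build_fake_pe():
    """Tiny PE32: .text has a helper at 401000 and a function at 401010 that
    pushes the string address and calls the helper; .rdata holds the string."""
    string_va, call_va = IMAGE_BASE + RDATA_RVA, IMAGE_BASE + TEXT_RVA + 0x18
    text = (b"\x55\x8B\xEC\x5D\xC3" + b"\xCC" * 11                  # 401000: push ebp; mov ebp,esp; pop ebp; ret
            + b"\x55\x8B\xEC"                                       # 401010: push ebp; mov ebp,esp
            + b"\x68" + struct.pack("<I", string_va)                # 401013: push offset NEEDLE
            + b"\xE8" + struct.pack("<i", IMAGE_BASE + TEXT_RVA - (call_va + 5))  # 401018: call 401000
            + b"\x83\xC4\x04\x5D\xC3")                               # 40101D: add esp,4; pop ebp; ret
    rdata = NEEDLE + b"\0" + b"Some other string\0"
    pe_off, opt_size, raw_text, raw_rdata = 0x40, 0xE0, 0x400, 0x600
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)                     # OptionalHeader.ImageBase
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, opt_size, 0x102)
    sec = struct.Struct("<8sIIIIIIHHI")
    table = (sec.pack(b".text", len(text), TEXT_RVA, 0x200, raw_text, 0, 0, 0, 0, 0x60000020)
             + sec.pack(b".rdata", len(rdata), RDATA_RVA, 0x200, raw_rdata, 0, 0, 0, 0, 0x40000040))
    f = bytearray(0x800)
    f[0:2] = b"MZ"
    struct.pack_into("<I", f, 0x3C, pe_off)
    f[pe_off:pe_off + 4] = b"PE\0\0"
    f[pe_off + 4:pe_off + 24] = coff
    f[pe_off + 24:pe_off + 24 + opt_size] = opt
    f[pe_off + 24 + opt_size:pe_off + 24 + opt_size + len(table)] = table
    f[raw_text:raw_text + len(text)] = text
    f[raw_rdata:raw_rdata + len(rdata)] = rdata
    return bytes(f)


def parse_pe(data):
    """(image_base, sections) with sections as (name, rva, raw_ptr, raw_size)."""
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    if struct.unpack_from("<H", data, pe_off + 24)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, pe_off + 24 + 28)[0]
    sections, off = [], pe_off + 24 + opt_size
    for _ in range(nsec):
        name, _vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        sections.append((name.rstrip(b"\0").decode(), rva, raw_ptr, raw_size))
        off += 40
    return image_base, sections


def off_to_va(sections, image_base, off):
    for _name, rva, raw_ptr, raw_size in sections:
        if raw_ptr <= off < raw_ptr + raw_size:
            return image_base + rva + (off - raw_ptr)
    raise ValueError("file offset %#x is outside every section" % off)


def va_to_off(sections, image_base, va):
    for _name, rva, raw_ptr, raw_size in sections:
        if image_base + rva <= va < image_base + rva + raw_size:
            return raw_ptr + (va - image_base - rva)
    raise ValueError("VA %#x is not backed by file data" % va)


def find_string_refs(data, image_base, sections, needle):
    """Locate needle, map its file offset to a VA, then collect every
    'push imm32' (68 xx xx xx xx) whose immediate is that VA."""
    off = data.find(needle)
    if off == -1:
        raise LookupError("string not found")
    string_va = off_to_va(sections, image_base, off)
    pattern = b"\x68" + struct.pack("<I", string_va)
    refs, pos = [], data.find(pattern)
    while pos != -1:
        refs.append(off_to_va(sections, image_base, pos))
        pos = data.find(pattern, pos + 1)
    return string_va, refs


def enclosing_function(data, image_base, sections, ref_va, max_back=0x1000):
    """Walk back from a reference to the nearest 'push ebp; mov ebp,esp'.
    Heuristic: functions without a frame pointer will not match."""
    off = va_to_off(sections, image_base, ref_va)
    start = data.rfind(b"\x55\x8B\xEC", max(0, off - max_back), off + 1)
    if start == -1:
        raise LookupError("no standard prologue within %#x bytes" % max_back)
    return off_to_va(sections, image_base, start)


def next_call_target(data, image_base, sections, from_va, limit=0x40):
    """Target of the first 'call rel32' (E8) at or after from_va; rel32 is
    relative to the end of the 5-byte instruction."""
    off = va_to_off(sections, image_base, from_va)
    pos = data.find(b"\xE8", off, off + limit)
    if pos == -1:
        raise LookupError("no call within %#x bytes" % limit)
    rel = struct.unpack_from("<i", data, pos + 1)[0]
    return off_to_va(sections, image_base, pos) + 5 + rel


def relative(va, image_base, module="Tibia.exe"):
    return "%s+%X" % (module, va - image_base)


if __name__ == "__main__":
    data = build_fake_pe()                   # for the real thing: open("Tibia.exe", "rb").read()
    base, secs = parse_pe(data)
    _sva, refs = find_string_refs(data, base, secs, NEEDLE)
    for ref in refs:
        func = enclosing_function(data, base, secs, ref)
        print(relative(func, base), "calls", relative(next_call_target(data, base, secs, ref), base))
```

Treat the output the way both posts recommend: it narrows the search to a few candidates that you then confirm in Olly or Cheat Engine, because a compiler that inlines the helper, drops the frame pointer or references the string through a register instead of push imm32 silently breaks each heuristic.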

jah
10-06-2013, 08:03 PM
@Sketchy: are you searching regexp-wise through the .exe File ? I once tried it, yet it wasnt so easy. Some encoding or I was just plain stupid to make up the right regexp pattern.. Can you give those who know how to find addresses manually any more insight on how you have been able to find specific assembly lines inside the file itself? I am not 100% sure if there is still a need for runtime "compilation" with cpp code which might explain the difference between hex viewing the client.exe and taking a look at it in olly's number formatted line..