Wrong Address Issue [Archive] - Forums




Lolrapa
08-12-2014, 02:58 PM
Hello, I'm trying to make my packet class work but I have a problem with the OUTGOINGDATALEN (I guess). The code I'm using was uploaded by klusbert in this post
http://tpforums.org/forum/threads/4873-Tibiasock-dll-The-new-Packet-dll/page7

My problem is exactly here:


Public Sub SendPacketToServerEx(ByVal dataBuffer() As Byte, ByVal SendStreamData As Integer, ByVal SendStreamLength As Integer, ByVal SendPacketCall As Integer)
    Dim MainThread As IntPtr = OpenAndSuspendThread(ProcessId)
    Dim OldLength As Integer
    Dim OldData() As Byte
    Dim length As Integer = dataBuffer.Length
    Dim process As IntPtr = OpenProcess(PROCESS_ALL_ACCESS, False, ProcessId)
    ' Save the client's current outgoing buffer and its length so they can be restored afterwards
    OldLength = BitConverter.ToInt32(ReadBytes(SendStreamLength, 4), 0)
    OldData = ReadBytes(SendStreamData, OldLength)
    length += 8
    Dim actualBuffer() As Byte = CreateOutgoingBuffer(dataBuffer, length)
    WriteInt(SendStreamLength, length)
    WriteBytes(SendStreamData, actualBuffer, length)
    ExecuteRemoteCode(process, SendPacketCall, 1)
    ' Restore the original buffer contents and length
    WriteInt(SendStreamLength, OldLength)
    WriteBytes(SendStreamData, OldData, OldLength)
    ResumeAndCloseThread(MainThread)
End Sub

The return of this line
OldLength = BitConverter.ToInt32(ReadBytes(SendStreamLength, 4), 0) is a number over 600000, so the next read,

OldData = ReadBytes(SendStreamData, OldLength) tries to read over 600000 bytes from Tibia's memory.
I updated SendStreamLength and to the newest version I found here. If you think the problem is the outdated address, could you please explain to me how I can find these values again?
Thanks :) And sorry about my English

Casky
08-12-2014, 03:44 PM
Do you have the correct addresses? Looks like you are reading from the wrong memory, that's why you get big numbers

Lolrapa
08-12-2014, 03:54 PM
Do you have the correct addresses? Looks like you are reading from the wrong memory, that's why you get big numbers

That was my first thought, do you know how to find those addresses, or a post explaining it?

ottizy
08-12-2014, 04:17 PM
For 10.52


SendStreamData = 0x812BF0 - 0x400000
SendStreamLength = 0xA3BC34 - 0x400000
SendPacketCall = 0x5311C0 - 0x400000

Lolrapa
08-12-2014, 11:25 PM
For 10.52


SendStreamData = 0x812BF0 - 0x400000
SendStreamLength = 0xA3BC34 - 0x400000
SendPacketCall = 0x5311C0 - 0x400000


Whoa, it seems to work, at least there is no runtime error, but every packet I try to send logs me out. Thank you for the addresses! But is there a post explaining how to get them, or can you make one? So I can find them myself the next patch.
Here is the code that logs me off:


Public Sub Turn(ByVal direction As String)
    Dim packet(2) As Byte

    packet(0) = (&H1)
    packet(1) = (&H0)
    Select Case direction.ToString().ToLower()
        Case "up"
            packet(2) = (&H65)
        Case "right"
            packet(2) = (&H66)
        Case "down"
            packet(2) = (&H67)
        Case "left"
            packet(2) = (&H68)
    End Select
    p.SendPacketToServer(packet)
End Sub

I don't know if it's a problem making the packet or injecting it.

DarkstaR
08-12-2014, 11:59 PM
If you send an invalid packet, Tibia will kick you. Seems like you're not setting the length properly, causing extra data in the buffer and a bad checksum, or something similar.

EDIT:
actually I had this problem in XB a few updates back. The SendOutgoingPacket function now takes its arg on ECX, not on the stack. So instead of:

PUSH 1
CALL
ADD ESP, 4

You need to do

MOV ECX, 1
CALL

Lolrapa
08-13-2014, 12:31 AM
If you send an invalid packet, Tibia will kick you. Seems like you're not setting the length properly, causing extra data in the buffer and a bad checksum, or something similar.

EDIT:
actually I had this problem in XB a few updates back. The SendOutgoingPacket function now takes its arg on ECX, not on the stack. So instead of:

PUSH 1
CALL
ADD ESP, 4

You need to do

MOV ECX, 1
CALL

Ok, I have no idea what you are talking about; give me a few hours to understand how the assembly code takes part in this, and when I have a decent question I'll post back.
I repeat I'm using klusbert's code, just trying to make it work.
Thanks anyway!

Edit: actually now I think it's just a VB version of your code.

Lolrapa
08-13-2014, 04:14 PM
If you send an invalid packet, Tibia will kick you. Seems like you're not setting the length properly, causing extra data in the buffer and a bad checksum, or something similar.

EDIT:
actually I had this problem in XB a few updates back. The SendOutgoingPacket function now takes its arg on ECX, not on the stack. So instead of:

PUSH 1
CALL
ADD ESP, 4

You need to do

MOV ECX, 1
CALL
Ok, I spent a few hours analyzing the code to the bone and I can't understand the assembly code above, but I think I understand the packet-sending code (I mean mine, not Tibia's). So tell me if I'm right:
SendPacketCall = 0x5311C0 - 0x400000 is an address of a function in Tibia's code, precisely this function
http://i.imgur.com/jXm46Z6.jpg
Is this the function you called SendOutgoingPacket?
And when you say:

So instead of:

PUSH 1
CALL
ADD ESP, 4

You need to do

MOV ECX, 1
CALL
You mean I have to find a new pointer?


Edit: I was checking the outgoing buffer for the move-one-step packet and it was like 8 0's, then the same three bytes I passed to SendPacketToServer(), and then the rest of the bytes 0 (like 1021 0's in the buffer). Is that right?

wgrzelak
08-14-2014, 12:31 PM
analyze SendPacketToClient().

DarkstaR
08-14-2014, 06:55 PM
You really seem to be trying to learn which I admire, as many people don't do that anymore. I don't want to give you the answer because you'll learn better this way.

You are at the right spot in the disassembly, now you should try looking at functions that call that function, and see how they are doing it.

Lolrapa
08-15-2014, 12:54 PM
You really seem to be trying to learn which I admire, as many people don't do that anymore. I don't want to give you the answer because you'll learn better this way.

You are at the right spot in the disassembly, now you should try looking at functions that call that function, and see how they are doing it.
Well, I was checking the assembly code (now with OllyDbg) and I managed to realize a few things.
Let's call 58311C0 the function that I RemoteExecute from my code. This function (I don't know what it does, but I think it must send the buffer) is called several times within the assembly code, and I was only able to realize this:
1) This function is most of the time (if not always) called from inside a loop
2) The command right before the call always has something to do with the CL register, so I think there must be a switch in their code
3) The functions before and after the call are almost every time the same
Besides that I have no idea what to do. In fact I don't know what to do if I find what I'm looking for. Must I modify Tibia's code?
I'm completely lost :(

ottizy
08-15-2014, 12:59 PM
You need to observe how the function is called by the Tibia client. What it is doing before the call etc. When you know how it's called you need to replicate that in your program

Lolrapa
08-16-2014, 12:44 AM
OK, I tried everything, I just can't make it work. I'm bouncing between kicks and crashes.

DarkstaR
08-16-2014, 11:17 PM
CL register is the lowest byte of ECX. It's the same as MOV ECX, 1. Now look at the OLD Tibia versions (before 10.50, the ones this code was made for) and observe what they are doing. It should be obvious then.

Lolrapa
08-17-2014, 05:04 PM
CL register is the lowest byte of ECX. It's the same as MOV ECX, 1. Now look at the OLD Tibia versions (before 10.50, the ones this code was made for) and observe what they are doing. It should be obvious then.

Sorry if this process takes a long time, but I'm really new to this so I have to understand it in parts.
Here is the difference between after and before 10.50
http://i.imgur.com/m9Mgsy6.jpg?1?5226

I obviously noticed that in the new version there is a MOV CL,1 before making the call and in the old version it was a PUSH 1.
What I don't understand is the next thing. In the code I'm using I execute Tibia code like this:



Private Const SENDOUTGOINGPACKET As Integer = &H5311C0

Dim SendPacketCall As Integer = Rebase(SENDOUTGOINGPACKET, ImageBase)

ExecuteRemoteCode(process, SendPacketCall, 1)

Private Sub ExecuteRemoteCode(ByVal process As IntPtr, ByVal codeAddress As IntPtr, ByVal arg As UInteger)
    Dim WorkThread As IntPtr = CreateRemoteThread(process, 0, 0, codeAddress, arg, 0, 0)
    WaitForSingleObject(WorkThread, INFINITE)
    CloseHandle(WorkThread)
End Sub


When I call ExecuteRemoteCode I give SendPacketCall as a parameter, and SendPacketCall is the address of the FIRST line of the function. I don't understand what this has to do with what happens before I call the function, unless I have to make a MOV CL, 1. But in the old version it is PUSH 1 and in my code I don't see any ExecuteRemoteCode with a PUSH 1. I think I really don't understand how this works.

DarkstaR
08-19-2014, 09:24 AM
CreateRemoteThread, by default, sends 1 argument (arg) to the function it calls (codeAddress, pointing to SendOutgoingPacket). This argument is placed by effectively executing a PUSH before codeAddress is invoked. When all that was needed for the call was a PUSH 1, this worked perfectly.

Now that SendOutgoingPacket takes this argument on ECX instead of the stack, the PUSH is throwing off the stack and leaving ECX as 0. The function uses the argument to know if it should encrypt the packet with XTEA or not (1 encrypt, 0 don't). With ECX set to 0, the packet does not get encrypted. This causes the server to disconnect you, as it has no clue what the fuck it is seeing.

In order to fix this, you will need to create a code cave and have CreateRemoteThread jump there instead. The code cave should look like this



MOV ECX, 1
RETN

Then, instead of sending '1' as the arg to CreateRemoteThread, you can send the address of the SendOutgoingPacket function.

Why will this work? RETN works by popping a value off the stack and jumping to it. Since the address of SendOutgoingPacket is on the top of the stack, RETN will do a pseudo-call to it and clear the stack in one shot.

Where will SendOutgoingPacket return to, since it wasn't really called? The RETN used for the pseudo-call popped its own argument off the stack. Underneath that argument was the return address back into the kernel code invoked by CreateRemoteThread, as the thread procedure was expected to return to there. With this value on top of the stack, the RETN operation in SendOutgoingPacket will return into it, skipping right over the code-cave.


I'm only giving you so much help because you are so willing to learn; that's what this forum has been lacking in recent years. I don't want to spoil it all, though, so I'll leave the implementation details of these things up to you. Let me know if you run into trouble.

DarkstaR
08-19-2014, 09:49 AM
I just got in bed and realized that my last post is slightly wrong. The thread proc return address is above the arg, not below. So instead of being

SendOutgoingPacket
RealRet

Like I originally said, it's

RealRet
SendOutgoingPacket

With this in mind, your code cave can just be

MOV ECX, 1
MOV EAX, DWORD:[ESP+4]
CALL EAX
RET


This will do a normal call to EAX, which has the value sent as an arg to CRT.

If you're lazy, you can actually do this another way. It's slower, but it'll work. Use the code you already have, but start the thread suspended and use SetThreadContext to modify ECX. Then resume.


Sorry if my formatting sucks, I'm posting from phone.

Lolrapa
08-19-2014, 01:21 PM
I just got in bed and realized that my last post is slightly wrong. The thread proc return address is above the arg, not below. So instead of being

SendOutgoingPacket
RealRet

Like I originally said, it's

RealRet
SendOutgoingPacket

With this in mind, your code cave can just be

MOV ECX, 1
MOV EAX, DWORD:[ESP+4]
CALL EAX
RET


This will do a normal call to EAX, which has the value sent as an arg to CRT.

If you're lazy, you can actually do this another way. It's slower, but it'll work. Use the code you already have, but start the thread suspended and use SetThreadContext to modify ECX. Then resume.


Sorry if my formatting sucks, I'm posting from phone.

OMG! Thank you so much!! Here is the Magic code:


Dim CodeCave() As Byte = {&HB9, &H1, &H0, &H0, &H0, &H8B, &H44, &H24, &H4, &HFF, &HD0, &HC3} ' MOV ECX, 1 | MOV EAX, [ESP+4] | CALL EAX, RET
Dim CodeCavePointer As IntPtr = CreateRemoteBuffer(ProcessHandle, CodeCave, CodeCave.Length)
ExecuteRemoteCode(process, CodeCavePointer, SendPacketCall)

And it works!!

I'm so f**kin happy.

Now a little question: is there any danger of being banned by sending the right packets? I mean besides the botting thing, just by sending packets?


P.S: ty :)

Blequi
08-19-2014, 01:35 PM
Now a little question: is there any danger of being banned by sending the right packets? I mean besides the botting thing, just by sending packets?


The client must talk to the server through packets for fair players without banning them, so the answer is no (for well formed packets).

Lolrapa
08-19-2014, 03:32 PM
The client must talk to the server through packets for fair players without banning them, so the answer is no (for well formed packets).

Haha, I guess I'll get some bans until I discover how to make all the packets I need xD
Right now I have a problem with the Use item in container packet, I'm trying to figure out what I must put in the 11th byte

wgrzelak
08-19-2014, 04:22 PM
Which method is better, or is there no difference?


Dim CodeCave() As Byte = {&H32, &HC9, &HB1, &H1, &HB8, &H0, &H0, &H0, &H0, &HFF, &HD0, &HC3} ' XOR CL, CL | MOV CL,1 | MOV EAX,SENDOUTGOINGPACKET | CALL EAX | RETN
Dim pnt As IntPtr = Marshal.AllocHGlobal(4)
Dim b() As Byte = BitConverter.GetBytes(SendPacketCall)
Marshal.Copy(b, 0, pnt, 4)
Marshal.Copy(pnt, CodeCave, 5, 4) ' patch the MOV EAX immediate (bytes 5..8) with SendPacketCall
Marshal.FreeHGlobal(pnt)
Dim CodeCavePointer As IntPtr = CreateRemoteBuffer(process, CodeCave, CodeCave.Length)
ExecuteRemoteCode(process, CodeCavePointer, 0)
VirtualFreeEx(process, CodeCavePointer, CodeCave.Length, AllocationType.Release)

DarkstaR
08-19-2014, 05:09 PM
You should create the code cave once upon process init instead of every time you send a packet

Lolrapa
08-19-2014, 06:23 PM
You should create the code cave once upon process init instead of every time you send a packet

Sounds smart

Blequi
08-19-2014, 08:36 PM
Haha, I guess I'll get some bans until I discover how to make all the packets I need xD
Right now I have a problem with the Use item in container packet, I'm trying to figure out what I must put in the 11th byte

It's good to guess what the client does, but sometimes it's good to leech from Cip and look at the Flash Client source code. I used to check it mostly for constants and structures layout, but I'm pretty sure there's a network helper class there to give you a cheater hand.

DarkstaR
08-20-2014, 02:05 AM
Also, now that you know how to call internal functions externally, it's not a stretch to say that you can start calling the actual composition functions with some small improvements to your methods.