How to find attackCreature function address? [Archive] - Forums




onkkos
01-14-2016, 04:08 PM
Hi :)

I'm programming my own bot like a bunch of people here and my codecave code isn't working. I suspect, after reading some posts about it, that it is because my RemoteThread is not synchronized, but I think that the address of Tibia's attackCreature function is wrong in my code too....



DWORD function = 0x19BF0 + baseAddress; // = 0x419BF0
DWORD creatureId = 0x400027; // wolf ID

BYTE codeCave[] = {
    0xB9, 0x00, 0x00, 0x00, 0x00, // MOV ECX, creatureId
    0xB8, 0x00, 0x00, 0x00, 0x00, // MOV EAX, function
    0xFF, 0xD0,                   // CALL EAX
    0xC3                          // RETN
};

memcpy(&codeCave[1], &creatureId, 4);
memcpy(&codeCave[6], &function, 4);

LPVOID codeCaveAddress = VirtualAllocEx(gHandle, 0, sizeof(codeCave), MEM_COMMIT, PAGE_EXECUTE_READWRITE);

WriteProcessMemory(gHandle, codeCaveAddress, &codeCave, sizeof(codeCave), 0);

HANDLE remoteThread = CreateRemoteThread(gHandle, 0, 0, (LPTHREAD_START_ROUTINE)codeCaveAddress, 0, 0, 0);

WaitForSingleObject(remoteThread, INFINITE);

VirtualFreeEx(gHandle, codeCaveAddress, sizeof(codeCave), MEM_RELEASE);


So how can I find or test the attackCreature address? I am having problems finding the creatureId too....
And the last question: what do you bot programmers use to move your character in your bot? (Right now I'm using mouse clicks with SendMessage, but it's impossible to maintain this.)
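The snippet above (VirtualAllocEx, WriteProcessMemory, then CreateRemoteThread pointing at the fresh allocation) is also the pattern endpoint telemetry keys on: the new thread starts in a private page that no loaded module backs. As an added example that is not part of this thread, here is a Python triage check over constructed records modelled on the Sysmon Event ID 8 (CreateRemoteThread) fields; the image paths and addresses are invented for the example.

```python
"""Triage check for remote-thread injection, modelled on Sysmon Event ID 8.

A code cave written with VirtualAllocEx/WriteProcessMemory and started with
CreateRemoteThread begins executing at a private allocation, so the thread's
start address is not inside any loaded module. Sysmon reports that as an
empty StartModule. All records below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class RemoteThreadEvent:
    source_image: str     # process that called CreateRemoteThread
    target_image: str     # process the thread was created in
    start_address: int    # StartAddress of the new thread
    start_module: str     # "" when the address is not inside a loaded module
    start_function: str   # exported symbol at StartAddress, if any


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Bot process starting a thread at an unbacked private page: the code cave.
    RemoteThreadEvent(r"C:\Tools\mybot.exe", r"C:\Games\Tibia\Tibia.exe",
                      0x00F20000, "", ""),
    # Normal system activity: thread starts inside ntdll at a known entry.
    RemoteThreadEvent(r"C:\Windows\System32\csrss.exe", r"C:\Games\Tibia\Tibia.exe",
                      0x77A1F4B0, r"C:\Windows\System32\ntdll.dll", "RtlUserThreadStart"),
    # Cross-process thread whose start address is module-backed: not flagged here.
    RemoteThreadEvent(r"C:\Windows\System32\svchost.exe", r"C:\Games\Tibia\Tibia.exe",
                      0x77A2A100, r"C:\Windows\System32\ntdll.dll", ""),
]


def is_suspicious(ev: RemoteThreadEvent) -> bool:
    """Flag a thread created in another process at an address no module backs."""
    cross_process = ev.source_image.lower() != ev.target_image.lower()
    unbacked = ev.start_module == ""
    return cross_process and unbacked


def triage(events: Iterable[RemoteThreadEvent]) -> List[RemoteThreadEvent]:
    """Return only the events worth an analyst's attention."""
    return [ev for ev in events if is_suspicious(ev)]


def describe(ev: RemoteThreadEvent) -> str:
    """One-line finding in the form a detection rule would emit."""
    return (f"remote thread from {ev.source_image} into {ev.target_image} "
            f"starting at {ev.start_address:#010x} (no backing module)")


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(describe(finding))
```

The check is deliberately narrow: a cross-process thread that starts inside a module (the second and third records) still merits a separate rule keyed on the start function, but it is not the code-cave pattern this thread shows.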

ottizy
01-14-2016, 04:19 PM
Okay I'll try again. Why did you remove the WriteProcessMemory part?

wizzarr
01-14-2016, 07:55 PM
In the game I'm writing a bot for, the function that attacks looks like this: f(mobId, 0), and to stop attacking it is called with 0 in both parameters. Maybe you could look for functions with a similar prototype using Olly.
Regarding your second point, to move a character you can just send a keyboard message via PostMessage to the client. I do that and it works perfectly. Why do you say it is impossible to maintain?

onkkos
01-19-2016, 03:18 PM
In the game I'm writing a bot for, the function that attacks looks like this: f(mobId, 0), and to stop attacking it is called with 0 in both parameters. Maybe you could look for functions with a similar prototype using Olly.
Regarding your second point, to move a character you can just send a keyboard message via PostMessage to the client. I do that and it works perfectly. Why do you say it is impossible to maintain?

Unfortunately I don't know how to do this kind of search for a prototype in Olly; could you give me some tips or screenshots about that? And you are right about movement: with X, Y, Z addresses and keyboard commands via PostMessage you can do any kind of movement that a bot needs.

ottizy
01-19-2016, 04:23 PM
Search for all intermodular calls

http://i.imgur.com/srmXjij.png

Find the ws2_32 send function

http://i.imgur.com/2Jdv4Yr.png

Follow the function by double-clicking on it. Start the client and log in. Once you're logged in you want to quickly put a breakpoint on the function by pressing F2, go back to the Tibia client and perform the action that you are searching for. This should make the breakpoint hit in Olly.

http://i.imgur.com/rbV25qF.png

Press ALT+K to view the callstack

http://i.imgur.com/JshvPNI.png

The top function is the function where the breakpoint was. The function Tibia.009B39B0 is the function which finalizes the packet before it's sent. The function Tibia.0099DF4E is the one you're looking for, which you can see if you follow it.

However you cannot use the one that is in the screenshot because I had ASLR enabled.

onkkos
01-19-2016, 08:18 PM
Search for all intermodular calls

http://i.imgur.com/srmXjij.png

Find the ws2_32 send function

http://i.imgur.com/2Jdv4Yr.png

Follow the function by double-clicking on it. Start the client and log in. Once you're logged in you want to quickly put a breakpoint on the function by pressing F2, go back to the Tibia client and perform the action that you are searching for. This should make the breakpoint hit in Olly.

http://i.imgur.com/rbV25qF.png

Press ALT+K to view the callstack

http://i.imgur.com/JshvPNI.png

The top function is the function where the breakpoint was. The function Tibia.009B39B0 is the function which finalizes the packet before it's sent. The function Tibia.0099DF4E is the one you're looking for, which you can see if you follow it.

However you cannot use the one that is in the screenshot because I had ASLR enabled.

I repeated the same steps, but none of the instructions listed has 3 arguments with the last one equal to 0. And how do you know that 009B39B0 is the function which finalizes the packet?? Another doubt: in your case, is the address for the function 0099DF4E + baseAddress??

ottizy
01-19-2016, 08:37 PM
No, those addresses already include the baseaddress; however, I have no idea what the baseaddress is since ASLR was enabled while I made the screenshots. You are not looking for a function with 3 arguments, you are looking for a function with 1 argument, which is the creature ID of the creature you want to attack. The reason the arguments don't show up is because the creature ID is passed via the ECX register.