[HOWTO] Pokemon Online SPR/DAT/PIC reading

[beziak]

Hiho!
Now i will try to explain you how the MoleBox packer works in Pokemon Online client.
Only what you need is Tibia 8.10 (for comparisions), PO client and OllyDbg.
Let's take a look how Tibia and PO are getting handle to a file:



Now you can see that Tibia is using original CreateFileA API to get a handle instead of PO's unknown function. If you put breakpoint on PO's function, you will notice that it's requesting Tibia.spr same as original Tibia client.
Ok! Now go to 0x597100 address. There are pointers to API's what Tibia uses.



At the first look you can notice that packer changed pointers to some API's like:
CreateFileA, ReadFile
What's our goal? Write a simple program that will use changed API's and write original file.

Code:

#include <windows.h>
#include <stdio.h>
#include <process.h>

#define DEFAULT_BUF_LEN 40000000
// 40mb~

typedef HANDLE (__stdcall *_CREATEFILE) (LPCTSTR lpFileName,DWORD dwDesiredAccess,DWORD dwShareMode,LPSECURITY_ATTRIBUTES lpSecurityAttributes,DWORD dwCreationDisposition,DWORD dwFlagsAndAttributes,HANDLE hTemplateFile);
_CREATEFILE MBCreateFile = (_CREATEFILE)(*(DWORD*)0x597100);

typedef BOOL (__stdcall *_READFILE)(HANDLE hFile,LPVOID lpBuffer,DWORD nNumberOfBytesToRead,LPDWORD lpNumberOfBytesRead,LPOVERLAPPED lpOverlapped);
_READFILE MBReadFile = (_READFILE)(*(DWORD*)0x5970E8);

void ThreadProc(void *param)
{
     DWORD bytesRead;
     DWORD bytesWritten;
     char *buffer = new char[DEFAULT_BUF_LEN]; //40mb~
     HANDLE h = MBCreateFile("Tibia.spr", GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
     MBReadFile(h, buffer, DEFAULT_BUF_LEN, &bytesRead, NULL);
     //
     HANDLE p = CreateFile("Tibia2.spr", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
     WriteFile(p, buffer, bytesRead, &bytesWritten, NULL);
     CloseHandle(p);
     delete[] buffer;
}

extern "C" BOOL APIENTRY DllMain (HINSTANCE hInst,
                       DWORD reason,
                       LPVOID reserved)
{
    switch (reason)
    {
      case DLL_PROCESS_ATTACH:
           {         
               _beginthread(ThreadProc, 0, NULL);   
           }
        break;
    }
 
    return TRUE;
}

Next step is inject DLL to tibia and wait some seconds for Tibia2.spr in PO's directory.
In this tutorial i missed checking for compressed file size (buffer allocation).
If you want to get PIC for example.. You need to change "Tibia.spr" and "Tibia2.spr" strings (it won't work with exe).

Src&Bin attached.

[spyk3z]

Woah nice. Now I know how not to pack my spr and dat.

[Pro-grammer]

This sucks :/ i have a more easy way

[conde2]

Don't work for me.
I put the P.O exe and record.exe in the same folder and i executed the record and nothing....
Can you help me?

[beziak]

This sucks :/ i have a more easy way

Yeah I know why this sucks.. because I can destroy your bussiness? Am I right?

Don't work for me.
I put the P.O exe and record.exe in the same folder and i executed the record and nothing....
Can you help me?

You should have 3 files in the same folder.
record.exe
po.dll
pokemon client

Run pokemon client, next record.exe and then wait for files in your folder.
(Faster than copy-paste someone's script )

[abdiel2475]

yeah (: works good thanks

[DarkstaR]

This sucks :/ i have a more easy way

Dumb thing to say. There is a million easy ways.

I didnt read this thouroughly, but I can tell you i can just read the Spr pointer, find the SPR address, read that and write to a file. Simple code and something slow like VB can do it in 5 seconds or less, bet me.

Don't be a dick and brag, show proof or fuckoff.

Good work, Beziak. You always have helpful input where it is needed. I wish I had the time to help as much as you, like I used to.

[conde2]

Thank you so much xD
Work very nice now =)
I'm so glad =D

[reynaldo]

Molebox 2.x Unpacker

~

[Cybermaster]

how can I do the opposite? (encrypt my own custom client to avoid custom sprites steal?)