Hello guys, in this tutorial I'll try to teach you how to discover the functions which send packets to the server, so you can use in your program without messing with packets, encryptions and so. The disadvantage of this is that you need to update a bunch of addresses every update, also you have to inject a DLL into Tibia.
I'm explaining this all with 8.50 addresses.
Before start, you have to read my other tutorial here:
http://www.tpforums.org/forum/showthread.php?t=3024
in order to understand it all. If you already did or if you are kinda advanced, lets start!
The tool we'll use its OllyDbg. Run it, then do File->Open (or press F3) and load your Tibia executable. Run the program (F9 key) and log in any account. Protection zone is recommended.
Now, we'll search for the call to the winsock function send(). That function is the one which sends the packets to the server. After doing that, we'll set a brakpoint in the send() buffer, so we could know which function is writing it. The function that will stop will be the XTea encrypting, and debugging a bit we'll notice that every function that sends a packet calls it, so we'll have them.
In Olly, in the main window do right click->Search for->All intermodular calls. We'll have a list of every external function call.
In that window write "send" and clic in "Destination".
This should sort the calls and mark the "WS2_32.send", the one we need.
Double click over it. Now we'll have the place where is called. Set a break point there (press F2), and, in you Tibia window, say something, like "hello!". The program will stop.
Ok, so now we have to take a look on the stack. The second parameter of the send() function is a pointer to the buffer that holds the data. Take a look and write it down.
This is the address we were looking for: 0x0078B6F8. Mark again the breakpoint we did, and release it (press F2 over it) and let the program run (press F9). Now, go to the dump (that is the lower window), press Ctrl+G, and enter the address. Here is the buffer!
Ok, then lets put a hardware breakpoint on write there, to discover whats writing that buffer. Mark the first byte, Right click over it, then Breakpoint->Hardware, on write->Byte.
Back to Tibia, say again something. The program now will stop in the function we want!
Ok, knowing this address (0x0055247F), remove the hardware breakpoint. Go to the menu Debug->Hardware breakpoints and in the window that popups click on "Delete 1", press over "Ok" and press now F9, to let Tibia run again.
:icon4:You may have to log in again. Thats because when your program is stopped it doesn't send the ping packets to keep alive the connection, so it breaks.
Now, once we are in the function, scroll up a bit until we see where the function stars.
Set a breakpoint there (F2). Say something again in Tibia. The program will stop, take a look on the stack to discover from where the function was called.
So here we can see RETURN to Tibia.004F2E6F. Remove the memory breakpoint, and press Ctrl+G. Enter there that address (004F2E6F). We'll be now in the function that every send packet function calls.
Scroll up until you find where the function starts. Run Tibia again (F9), and log in.
Finally, we have it, the main function. Write down the address, because you'll be back here soon.
What we have to do now is to discover the address of every function we need. I'm going to explain, as example, how to discover the address of the player speech function.
Set a break point in the address and, again, cast something in Tibia. The program will stop, take a look on the stack, as we did after, to discover where to return. In this case we get RETURN to Tibia.00407509. Remove the breakpoint we set, press Ctrl+G and enter there the address 00407509.
We are now in the speech function. Scroll up, as we did before, until you find where the function starts.
Run Tibia, set a breakpoint there, cast something and take a look on the stack. Repeat the same, and you'll be in where the function is called. Scroll up only once and take a look on the CALL command you'll find. As I explained in my other tutorial, you can see there two arguments. Set a breakpoint here, cast again and discover it out.Code:004072F0 55 PUSH EBP
As we can see the first argument is an integer, it takes the values 1, 2 and 3 (normal, whisper and yell) and the pointer to the string.
We have all we need to cast something. In your injected DLL, you'll have to define the type like this:
And call it like that:Code:typedef void _PlayerSpeech(int type, char* text); static _PlayerSpeech *PlayerSpeech = (_PlayerSpeech*)0x004072F0;
Well, basically this is what I wanted to teach. Now you can discover every function you like. Some has more arguments, but aren't harder to discover.Code:PlayerSpeech(1, "aew");
Reply With Quote
