How to use Windows XP Tibia 9.1+ address in Vista/7

[Blackd]

ok, in this forum you find a nice list of several address for Tibia 9.1+

The problem (since Tibia 9.1):
- they won't work directly in Vista/7
- the address only work if tibia base is &H400000
- tibia base is &H400000 always in Windows Xp
- tibia base is random in Vista/7

The solution
- you use a function to find current base in your tibia client instance
- offset = currentbase - &H400000
- the address that will work in your tibia client instance = offset + theXPaddress
- in windows xp you will always get offset = 0
- in windows 7/vista will get a random offset. But it will be the same until you close the tibia client.


How I find the current base? Maybe it is not the best way, but I know the size of the Tibia.exe submodule so I can find where is the right region with that.

In Tibia 9.1 : expectedRegionSize = &H2C3000
Below is the code of my function. Anyways you can see the full code in my multiclient or in my light cheat

Note: This code only will work for Tibia 9.1. For the updated code that works with any tibia version just scroll down to the end of this post

Code:

Public Function getProcessBase(ByVal hProcess As Long, expectedRegionSize As Long, Optional PIDinsteadHp As Boolean = False) As Long
    On Error GoTo goterr
    Dim lpMem As Long, ret As Long, lLenMBI As Long
    Dim lWritten As Long, CalcAddress As Long, lPos As Long
    Dim sBuffer As String
    Dim sSearchString As String, sReplaceString As String
    Dim si As SYSTEM_INFO
    Dim mbi As MEMORY_BASIC_INFORMATION
    Dim realH As Long
    Dim pid As Long
    Dim res As Long
    If PIDinsteadHp = True Then
        res = GetWindowThreadProcessId(hProcess, pid)
        realH = OpenProcess(PROCESS_READ_WRITE_QUERY, False, pid)
        hProcess = realH
    End If
    Call GetSystemInfo(si)
    lpMem = si.lpMinimumApplicationAddress
    lLenMBI = Len(mbi)
    ' Scan memory
    Do While lpMem < si.lpMaximumApplicationAddress
        mbi.RegionSize = 0
        ret = VirtualQueryEx(hProcess, ByVal lpMem, mbi, lLenMBI)
        If ret = lLenMBI Then
            If (mbi.State = MEM_COMMIT) Then
'           Debug.Print "BaseAddress=" & Hex(mbi.BaseAddress)
'           Debug.Print "AllocationBase=" & Hex(mbi.AllocationBase)
'           Debug.Print "RegionSize=" & Hex(mbi.RegionSize)
           If (mbi.RegionSize = expectedRegionSize) Then ' this is the interesting region
                If PIDinsteadHp = True Then
                   CloseHandle hProcess
                End If
               getProcessBase = mbi.AllocationBase
               Exit Function
           End If
           
           End If
           lpMem = mbi.BaseAddress + mbi.RegionSize
        Else
           Exit Do
        End If
    Loop
    If PIDinsteadHp = True Then
       CloseHandle hProcess
    End If
goterr:
    getProcessBase = 0
End Function

[size=large]UPDATE:[/size]
For newer versions of Tibia, you can leave the initial expectedRegionSize of 9.1 as a constant with value &H2C3000 AND just do a little change in my function:
From:

Code:

           If (mbi.RegionSize = expectedRegionSize) Then ' this is the interesting region

To:

Code:

           If (mbi.RegionSize >= expectedRegionSize) Then ' this is the interesting region

Why? because region size only have been growing since Tibia 9.1, and the good region it is always the first region with some big size. Exact region size does not really matter
(tested up to Tibia 9.44, but it probably will work in all future versions)

Below you have the final code already fixed to work in any tibia version:

Code:

Public Function getProcessBase(ByVal hProcess As Long, Optional PIDinsteadHp As Boolean = False) As Long
    On Error GoTo goterr
    Const expectedRegionSize As Long = &H2C3000
    Dim lpMem As Long, ret As Long, lLenMBI As Long
    Dim lWritten As Long, CalcAddress As Long, lPos As Long
    Dim sBuffer As String
    Dim sSearchString As String, sReplaceString As String
    Dim si As SYSTEM_INFO
    Dim mbi As MEMORY_BASIC_INFORMATION
    Dim realH As Long
    Dim pid As Long
    Dim res As Long
    If PIDinsteadHp = True Then
        res = GetWindowThreadProcessId(hProcess, pid)
        realH = OpenProcess(PROCESS_READ_WRITE_QUERY, False, pid)
        hProcess = realH
    End If
    Call GetSystemInfo(si)
    lpMem = si.lpMinimumApplicationAddress
    lLenMBI = Len(mbi)
    ' Scan memory
    Do While lpMem < si.lpMaximumApplicationAddress
        mbi.RegionSize = 0
        ret = VirtualQueryEx(hProcess, ByVal lpMem, mbi, lLenMBI)
        If ret = lLenMBI Then
            If (mbi.State = MEM_COMMIT) Then
'           Debug.Print "BaseAddress=" & Hex(mbi.BaseAddress)
'           Debug.Print "AllocationBase=" & Hex(mbi.AllocationBase)
'           Debug.Print "RegionSize=" & Hex(mbi.RegionSize)
           If (mbi.RegionSize >= expectedRegionSize) Then ' this is the interesting region
                If PIDinsteadHp = True Then
                   CloseHandle hProcess
                End If
               getProcessBase = mbi.AllocationBase
               Exit Function
           End If
           
           End If
           lpMem = mbi.BaseAddress + mbi.RegionSize
        Else
           Exit Do
        End If
    Loop
    If PIDinsteadHp = True Then
       CloseHandle hProcess
    End If
goterr:
    getProcessBase = 0
End Function

[maozao]

Hadn't time to test about that offset based in the BaseAddress yesterday, but today I have some minutes free after work.

I will test a thing that I've in my mind and I'll post the results after that.

Thanks for sharing.

[tulio150]

is this way faster than using Module32First?

[Sketchy]

is this way faster than using Module32First?

I would suspect Module32First/Next would be faster as less calls to the Windows API would be made, however I highly doubt you would notice any real difference between the two in a real world application.

Out of these two methods I would go with the Module32First method though simply because you don't need to update it for each specific Tibia client as you do with blackd's method where you need the size of the .text section of the loaded Tibia.exe module. With the module functions though you should probably check the module name to determine whether it is actually the Tibia executable module or not.

Another method that can be used is to create a remote thread inside the Tibia process whose sole job is to call GetModuleHandleA with a NULL parameter, inside your application you wait until the thread finishes and grab its exit code.

[megano0body]

ok, in this forum you find a nice list of several address for Tibia 9.1

The problem:
- they won't work directly in Vista/7
- the address only work if tibia base is &H400000
- tibia base is &H400000 always in Windows Xp
- tibia base is random in Vista/7

The solution
- you use a function to find current base in your tibia client instance
- offset = currentbase - &H400000
- the address that will work in your tibia client instance = offset + theXPaddress
- in windows xp you will always get offset = 0
- in windows 7/vista will get a random offset. But it will be the same until you close the tibia client.


How I find the current base? Maybe it is not the best way, but I know the size of the Tibia.exe submodule so I can find where is the right region with that.

In Tibia 9.1 : expectedRegionSize = &H2C3000
Blow is the code of my function. Anyways you can see the full code in my multiclient or in my light cheat

Thanks for sharing it.

[pater]

I like the way you've done it

[maozao]

I made some tests and worked great, I'm not at home now, so I will post what I remember from my head:

[code=csharp]Uint32 OffSet = Client.Process.MainModule.BaseAdress.ToUint32() - 0x400000; //Not sure about the BaseAddress path now
Player.Addresses.Experience += OffSet; //Player Exp Address must be the address used in the Windows XP
MessageBox.Show("Exp: " + Client.Memory.ReadUint32(Player.Addresses.Experien ce)); //Just to check if worked.[/code]

Nice and easy ;D

I will post the correct code when I'm in home, but it's just to show you how easy it is.

You don't need to check the OS, because if you are using WindowsXP the OffSet value will be 0, so 0x123456 + 0 = 0x123456

Tested in a Windows Seven and worked good.

Cya~

[megano0body]

I made some tests and worked great, I'm not at home now, so I will post what I remember from my head:

[code=csharp]Uint32 OffSet = Client.Process.MainModule.BaseAdress.ToUint32() - 0x400000; //Not sure about the BaseAddress path now
Player.Addresses.Experience += OffSet; //Player Exp Address must be the address used in the Windows XP
MessageBox.Show("Exp: " + Client.Memory.ReadUint32(Player.Addresses.Experien ce)); //Just to check if worked.[/code]

Nice and easy ;D

I will post the correct code when I'm in home, but it's just to show you how easy it is.

You just need to check the OS that the player is using, after that you just need to use the OffSet.

Tested in a Windows Seven and worked good.

Cya~

I think that even on the windowsxp the code will work...

[Blackd]

I made some tests and worked great, I'm not at home now, so I will post what I remember from my head:

[code=csharp]Uint32 OffSet = Client.Process.MainModule.BaseAdress.ToUint32() - 0x400000; //Not sure about the BaseAddress path now
Player.Addresses.Experience += OffSet; //Player Exp Address must be the address used in the Windows XP
MessageBox.Show("Exp: " + Client.Memory.ReadUint32(Player.Addresses.Experien ce)); //Just to check if worked.[/code]

Nice and easy ;D

I will post the correct code when I'm in home, but it's just to show you how easy it is.

You don't need to check the OS, because if you are using WindowsXP the OffSet value will be 0, so 0x123456 + 0 = 0x123456

Tested in a Windows Seven and worked good.

Cya~

I know there are easier ways in other languages. Is just I don't know how to write a smaller code with Visual Basic 6 ... if anyone knows then please post your function

[maozao]

I know there are easier ways in other languages. Is just I don't know how to write a smaller code with Visual Basic 6 ... if anyone knows then please post your function

I forgot that you use VB6, I though that was VB.NET xD

If I find something I send to you.