Update tibiasock

[klusbert]

I did a fast youtube movie to show you how easy it is to update tibiasock using osqus method.

http://www.youtube.com/watch?v=ynYwtNvy9RA.

This is what I needed to search for!

Code:

  MOV DWORD PTR SS:[EBP-198h],EBX
  LEA EAX,DWORD PTR DS:[EBX-6h]
  MOV DWORD PTR SS:[EBP-1A0h],EAX
  LEA ECX,DWORD PTR DS:[EBX-4h]

this will brings you to SENDOUTGOINGPACKET function and in this function you will find 2 other adresses OUTGOINGDATASTREAM and OUTGOINGDATALEN.


Next I searched for a string "packet size is too small even for one" to find INCOMINGDATASTREAM.

To find PARSERFUNC I searched for "unknown packet type during login".

Enyoy credit to DarkStar and OsQu!

[Czepek]

Good job!

I think we should do some list of video tutorials. Our life may be lighter.

Regards, Czepek!

[klusbert]

Good job!

I think we should do some list of video tutorials. Our life may be lighter.

Regards, Czepek!

Thanks!
Yeah todays computer users are to lazy to read, if you can't learn it on youtube it's impossible to learn. :P
General speaking ofc.

[Noen]

Great tutorial klusbert!

In the SENDOUTGOINGPACKET case, you can also search for reference text string "Symmetric encryption failed".
I wonder how these addresses were first found. I mean without using OsQu's method or searching for strings.

[DarkstaR]

Great tutorial klusbert!

In the SENDOUTGOINGPACKET case, you can also search for reference text string "Symmetric encryption failed".
I wonder how these addresses were first found. I mean without using OsQu's method or searching for strings.

Neither. I put a breakpoint on winsock send and crawled up the call stack. I got to their top-level composition functions (attack, say, etc) which were easily identifiable by what data they pushed to the stack. It was an easy inference that, right under the composition functions, there was a function which encrypted and sent the packets. So, when crawling up the call stack, I would stop one layer below the composition function and I would be inside the send outgoing packet function. The buffer was found by looking at the calls in the composition functions. They would push values to the stack and then call functions which I identified as pushInt, pushByte, pushString, etc. By following what was pulling the data from the stack I was able to figure out what buffer the data was being thrown into.

All of the incoming stuff was found by Stepler and I'm not sure what initial process he used.

[Noen]

Thanks DarkstaR.
I'll start playing with the stack and breakpoints from now on.

[wgrzelak]

yo
I'm trying follow this instruction and i get this addresses:

Code:

#define OUTGOINGDATASTREAM 0x1448D00
#define OUTGOINGDATALEN 0x166A688
#define SENDOUTGOINGPACKET 0x119F1F0


#define INCOMINGDATASTREAM 0x166A674
#define PARSERFUNC 0x10F14C0

But this is wrong. Can someone help me?

[klusbert]

Code:

//10.22
            Client.SendPacket = RecalcAddress(0x51f1f0, baseAdr);
            Client.OutGoingDataStream = RecalcAddress(0x7C8D00, baseAdr);
            Client.OutgoingDataLen = RecalcAddress(0x9EA688, baseAdr);
            Client.IncommingDataStream = RecalcAddress(0x9EA674, baseAdr);
            Client.ParseFunction = RecalcAddress(0x4714c0, baseAdr);