Synchronizing and thread hijacking

[DarkstaR]

The destination of a MOV comes first, meaning that is a read from A68248, not a write to it. Typically you'll only need to restore things that would be changed, so only writes.

[Lolrapa]

The destination of a MOV comes first, meaning that is a read from A68248, not a write to it. Typically you'll only need to restore things that would be changed, so only writes.

Thanks! I was able to get all them but client still crashing, now I noticed something, if I manualy change any of the values in those memory addresses tibia crashes and shows me a message and shows me an error log when I open it again but when my bot makes Tibia crash WINDOWS shows me a message and if I open it again there is no error log, it's like tibia dies completely
They are different crash types

[DarkstaR]

Thanks! I was able to get all them but client still crashing, now I noticed something, if I manualy change any of the values in those memory addresses tibia crashes and shows me a message and shows me an error log when I open it again but when my bot makes Tibia crash WINDOWS shows me a message and if I open it again there is no error log, it's like tibia dies completely
They are different crash types

Is your bot injected into Tibia? If so, there's a much easier way to do all of this.

[Lolrapa]

Is your bot injected into Tibia? If so, there's a much easier way to do all of this.

No, i'm just calling send outgoing packet with winapi, just like you did in tibiaapi. But i'm quite curious about why it is crashing.
Btw: what do you mean by an easier way?
Thanks!

[wgrzelak]

No, i'm just calling send outgoing packet with winapi, just like you did in tibiaapi. But i'm quite curious about why it is crashing.
Btw: what do you mean by an easier way?
Thanks!

Code:

void SendToServer(BYTE* dataBuffer, int length)
{
	_sendpacket SendPacket = (_sendpacket)(Addresses::SendPacketCall + baseAddress);

	DWORD packetLenght = length + 8;

	BYTE actualBuffer[1024];
	ZeroMemory((LPVOID)actualBuffer, 8);
	memcpy((LPVOID)&actualBuffer[8], (LPVOID)dataBuffer, packetLenght - 8);

	memcpy((LPVOID)(Addresses::SendStreamLength + baseAddress), &packetLenght, 4);
	memcpy((LPVOID)(Addresses::SendStreamData + baseAddress), actualBuffer, packetLenght);

	SendPacket(1);
}

[DarkstaR]

Code:

void SendToServer(BYTE* dataBuffer, int length)
{
    _sendpacket SendPacket = (_sendpacket)(Addresses::SendPacketCall + baseAddress);

    DWORD packetLenght = length + 8;

    BYTE actualBuffer[1024];
    ZeroMemory((LPVOID)actualBuffer, 8);
    memcpy((LPVOID)&actualBuffer[8], (LPVOID)dataBuffer, packetLenght - 8);

    memcpy((LPVOID)(Addresses::SendStreamLength + baseAddress), &packetLenght, 4);
    memcpy((LPVOID)(Addresses::SendStreamData + baseAddress), actualBuffer, packetLenght);

    SendPacket(1);
}

This still has to be thread-synced, but it can be done easily by hooking PeekMessage()

[wgrzelak]

This still has to be thread-synced, but it can be done easily by hooking PeekMessage()

I made this :P

[Lolrapa]

Hey! sorry for bringing this thread up again but I want to complete this.
I was doing some research an I was able to inject my dll in tibia, then create the pointer to Sendpacket and even send a movement packet with great results.
Now I know my code will crash sometime due I haven't syncornized my thread with the main thread and now I'm fighting with that
Following what Darkstar says I want to use peekMessage function to do the sincorinyzation.
I was able to get peekMessage address and create my funcion and get it address.

May I assume that if tibia calls peekMessage then the main thread isn't doing something important, so I can send my packets in that moment??

If I can assume that I just have to make a call to my function form peekMessage, send the packet and then return back, but I dont know how to do that, can somebody help me with that?
Thanks!

[szulak]

May I assume that if tibia calls PeekMessage then the main thread isn't doing something important, so I can send my packets in that moment??

PeekMessage is called always on the main thread. Regarding to your question, you might want to introduce a concept of action - whose could be produced (by your bot) and consumed (in the PeekMessage hook). It gives you a synchronization with main thread of tibia, however more logic is needed to make it work smoothly: for example, too many produced actions, any mechanism for prioritized actions, removing them and so on.

Another possibility which came to my mind is playing directly with SendPacket function (a pseudocode below):

Code:

void send_packet_hooked(packet p)
{
	for (const auto& packet : packets_to_send)
		send_packet_original(packet);
		
	send_packet_original(p);
}

[Lolrapa]

Hey! Thanks for your answer,
I allready have a packet sending queue class, it has a function Send() that sends the next packet in queue and remove it form the queue
I just need to find the right time to call that function, If I call it when the main thread is sending a packet or maybe another important process it will crash.
I know peekMessage is in the main loop of the program and, as far as I understand, when peekMessage is called tibia is free and ready to start a new action
so that's the perfect time to send one of my packets.
I've been trying by many ways, and I think I must replace the firs't five bytes of peekMessage with a five-bytes call to my function, then send the packet and return back to peekMessage.
The problem is I dont know how parameters are sent to peekMesssage, tibia makes a PUSH EAX before calling it but I dont know if that's the only parameter.

There are more registers that my function must return to their original value before returning back to peekMessage?
Tibia uses a Mutex in peekMessage?
How do I make shure the stack is exactly how it was in the call to my function when I return to peekMessage?

Those are the points that might be dpoing my code crash.
Thanks again!