[Tibianic] Finding Addresses

[Ash Katchup]

Hello there.


I've seen a couple of new users having trouble when gathering data from Tibianic's client. As i was bored tonight, i've decided to download this custom client and take a look around.

Bad news: Indeed, the health addresses changes every time we reload Tibia.

Good news: There is an easy way to workaround this "anti-bot feature"!


Before we start, i'd like to formally write my thanks to:
-XtrmJash, who explained me the concept of pointers and why would someone use them;
-LordOfWar, owner of the legendary TibiabotNG and who posted a thread showing an easy way to find pointers (http://tpforums.org/forum/threads/40...ll=1#post37360)

Also, there are tons of posts and threads on TPForums about memory reading and pointers. Each one of them was made by people who got more knowledge than me. Anyway, i'm going to explain some concepts with my words, even if the explanation isn't 100% accurate.


So, let's start.


Basically there are two kinds of memory addresses:
-Statics: the ones that didn't change when you reload your client (eg.: health, mana, battlelist start);
-Non-statics: as the name suggest, the kind of addresses that changes every time you open a new client (eg.: Tibia GUI pointer, Tibia MAP pointer);


It's easy as hell to find static addresses: open tibia, open CheatEngine, do your search until you get a green address (static).

The problem comes when there isn't a green address. You'll probably find addresses that shows the data you're looking for, but they're going to became useless as just you reopen Tibia Client.

And this is what happens on Tibianic health address (and maybe others; I can’t test with mana because I’m a lv 1 and don’t want to play now).

Here comes our savior: pointers

What on earth a pointer is?

Well, let us imagine that a normal address is like a door to your fridge. If you open the door (read the address), you’ll find what you want (bacon <3).

Now, imagine that you’re living a fucking nightmare that your fridge (address) moves itself every time you get home (open the client). What happens? No bacon D:

There is two ways to fight this:
(1) = Look for your fridge every time you get home;
(2) = Tie a piece of string to the fridge’s door


The first option would work fine if you own a small house. But Tibianic is a big house. You know, Beckham’s mansion like. And you fucking love bacon.

Let’s go for 2nd option, guys.

Basically, this is how a pointer works.

You have no clue where the data (bacon) you need is stored at (fridge), but you know that a pointer (string) will lead the way.

And the string’s length is called offset.

So, as Tibianic’s health address changes, you’ll need to find a pointer that goes to this tricky address.

How? This is where LordOfWar’s guide comes into hand.

CheatEngine offer us a really easy way to found pointers: it is called “Pointer Scan”.

Just follow this steps:

1. Log-in into Tibianic and search for your own health;



2. You’ll get many addresses. Maybe tons. Just lose/gain some health and repeat the process with “Next Scan” button.

3. Repeat Step 2 until you get ONE address.



4. Double click on the address to send it to the “bottom list”.



5. On this “bottom list”, right click on the address and select Pointer scan for this address.

[Ash Katchup]

6. At the search screen, check “stop traversing a path when a static has been found” and ”Improve pointerscan with gathered heap data”.



7. Click “ok”, pick a file name (to save the results) and click “ok” again.



8. The pointers that link to Health Address will be shown. As all of them are static (doesn’t change after a while), we will pick 000FB10C. Double click it and close this window.



9. Back at CheatEngine’s main window, double click at the pointer’s address.

[Ash Katchup]

10. There are three important things at this window that we should pay attention to:
->The pointer is stored at Tibianic.dll
->The pointer’s address is "Tibianic.dll"+000FB10C;
->The pointer’s offset is 0x4 (hexadecimal number);



Remember what i’ve said before: the pointer is the string and the offset is the string’s length.

Well, now some explanation is needed.

Most of the data that Tibia uses is stored on its own process (Tibia.exe) as there isn't any DLL at Tibia's folder.

Well, Tibianic has one tricky thing over here.

As we’ve seem above, some data (including your character’s health) is stored at Tibianic.dll (which explain why we can’t just direct look for it using CheatEngine).

So, we’ll read some data from Tibianic.exe and some from Tibianic.dll. So, we need to save both base address.

On C# I’m using the following code to read both:

Code:

Process[] processes = Process.GetProcessesByName("Tibianic");
Process process = processes[0];

_tibianic.ProcessID = process.Handle;
_tibianic.ProcessBase = process.MainModule.BaseAddress;


ProcessModuleCollection modules = process.Modules;

foreach (ProcessModule i in modules)
{
    if (i.ModuleName.ToLower() == "tibianic.dll")
    {
        _tibianic.DLLBase = i.BaseAddress;
        break;
    }
}

After saving this values, we’re about to see how to read a pointer value.

Recalling the example above, the pointer isn’t what we’re looking for (bacon). It just shows de path (string).

So, as we already know about that there is a string (pointer address we’ve got on CE), we need to hold it (read what is stored at this address).

This is my C# code:

Code:

//Address we’ve got from CE
static IntPtr HealthPointer = new IntPtr(0x000FB10C);

//This is the first pointer we must read
//It is located at Tibianic.dll + HealthPointer
int pointer = _tibianic.DLLBase.ToInt32() + HealthPointer.ToInt32();

//This useless variable is needed for ReadProcessMemory API
IntPtr bytesRead;

//Read the HealthPointer value
//Remember that this memory address will one store another address
//byte[4] = long
var buffer = new byte[4];
ReadProcessMemory(_tibianic.ProcessID, new IntPtr(pointer), buffer, 4, out bytesRead);
pointer = BitConverter.ToInt32(buffer, 0);

After the code above, we already found our string and hold it. But now we need to follow the string until find our precious bacon <3

Remember what I’ve said about string’s length? As we need to walk the string, we’ll sum that length to our pointer:

Code:

//Health Pointer Jump
static IntPtr HealthOffset = new IntPtr(0x4);

//Here we add the offset that we've found on CheatEngine
pointer = pointer + HealthOffset.ToInt32();

Jesus fucking Christ, we’ve found our fridge!

Now, we just need to open it and get bacon. Which means:

Code:

//Then, we read the memory again, now with the correct address
ReadProcessMemory(_tibianic.ProcessID, new IntPtr(pointer), buffer, 4, out bytesRead);

//And there is the final result!
Health = BitConverter.ToInt32(buffer, 0);

That is all, folks.

I’ve created a simple Console Application on Visual Studio 2012 (C#) that is doing exactly what I’ve explained above (check first post).

Hope this guide can help you guys.



Ash Katchup.

[aaronzinho]

Very Good !!

Thank you understand how to take the address, however, then? sorry I'm trying to get this area of programming and I am not able to find anything ... When you find the value I need to do for the program simulates precionada keys Tibianic simundo Healer

[aaronzinho]

sorry double post :'(

[Ash Katchup]

To whoever it might be useful, i've converted the code to Visual Basic 6, including Base Address's reading.

[dangero]

Could anyone do this in c++ and show me the example?

[chi3]

Could anyone do this in c++ and show me the example?

This should give you the base address to the dll if you're injected:

Code:

LPDWORD dllBase = (LPDWORD)GetModuleHandle("Tibianic.dll");

[mapashhe]

Whoa man this is a great tutorial, GZ!! :P

I have a question... the Tibianic have changed its name for Medivia, does the tibianic.dll have changed as well??

thanx in adv
Pd: you helped me understand a lot the way it works, thanx man I was looking for a tutorial like this www

[Ash Katchup]

Yes, it did.

I don't know how to read memory values from D3D games.

Sorry.