How to find attackCreature function address?

  1. #1
    Junior Member
    Join Date
    Jan 2016
    Posts
    4

    How to find attackCreature function address?

    Hi

    I'm programming my own bot like a bunch of people here and my codecave code isn't working. I suspect, after reading some posts about it, that this is because my RemoteThread is not synchronized, but I think that the address of Tibia's attackCreature function is wrong in my code too....

    Code:
    DWORD function = 0x19BF0 + baseAddress; // = 0x419BF0
    DWORD creatureId = 0x400027; // wolf ID

    // 13-byte stub; the two zeroed immediates are patched by the memcpy calls below
    BYTE codeCave[] = {
        0xB9, 0x00, 0x00, 0x00, 0x00, // MOV ECX, creatureId
        0xB8, 0x00, 0x00, 0x00, 0x00, // MOV EAX, function
        0xFF, 0xD0,                   // CALL EAX
        0xC3,                         // RETN
    };

    memcpy(&codeCave[1], &creatureId, 4); // immediate of MOV ECX
    memcpy(&codeCave[6], &function, 4);   // immediate of MOV EAX

    LPVOID codeCaveAddress = VirtualAllocEx(gHandle, 0, sizeof(codeCave), MEM_COMMIT, PAGE_EXECUTE_READWRITE);

    WriteProcessMemory(gHandle, codeCaveAddress, &codeCave, sizeof(codeCave), 0);

    HANDLE remoteThread = CreateRemoteThread(gHandle, 0, 0, (LPTHREAD_START_ROUTINE)codeCaveAddress, 0, 0, 0);

    WaitForSingleObject(remoteThread, INFINITE);
    CloseHandle(remoteThread); // release the thread handle once it has finished

    // dwSize must be 0 when freeing with MEM_RELEASE
    VirtualFreeEx(gHandle, codeCaveAddress, 0, MEM_RELEASE);

    So how can I find or test the attackCreature address? I am having problems finding the creatureId too....
    And the last question: what do you bot programmers use to move your character in your bot? (Right now I'm using mouse clicks with SendMessage but it's impossible to maintain this)
    Last edited by onkkos; 01-14-2016 at 04:25 PM.

  2. #2
    Senior Member
    Join Date
    Dec 2011
    Posts
    249
    Okay I'll try again. Why did you remove the WriteProcessMemory part?

  3. #3
    In the game I'm writing a bot for, the function that attacks looks like this f(mobId, 0), and to stop attacking it is called with 0 in both parameters. Maybe you could look for functions with a similar prototype using Olly.
    Regarding your second point, to move a character you can just send a keyboard message via PostMessage to the client. I do that and it works perfectly. Why do you say it is impossible to maintain?

  4. #4
    Junior Member
    Join Date
    Jan 2016
    Posts
    4
    Quote Originally Posted by wizzarr View Post
    In the game I'm writing a bot for, the function that attacks looks like this f(mobId, 0), and to stop attacking it is called with 0 in both parameters. Maybe you could look for functions with a similar prototype using Olly.
    Regarding your second point, to move a character you can just send a keyboard message via PostMessage to the client. I do that and it works perfectly. Why do you say it is impossible to maintain?
    Unfortunately I don't know how to do this kind of prototype search in Olly; could you give me some tips or screenshots about that? And you are right about movement: with X,Y,Z addresses and keyboard commands with PostMessage you can do any kind of movement that a bot needs.

  5. #5
    Senior Member
    Join Date
    Dec 2011
    Posts
    249
    Search for all intermodular calls



    Find the ws2_32 send function



    Follow the function by double-clicking on it. Start the client and log in. Once you're logged in you want to quickly put a breakpoint on the function by pressing F2, go back to the Tibia client and perform the action that you are searching for. This should make the breakpoint hit in Olly.



    Press ALT+K to view the callstack



    The top function is the function where the breakpoint was. The function Tibia.009B39B0 is the function which finalizes the packet before it's sent. The function Tibia.0099DF4E is the one you're looking for, which you can see if you follow it.

    However you cannot use the one that is in the screenshot because I had ASLR enabled.

  6. #6
    Junior Member
    Join Date
    Jan 2016
    Posts
    4
    Quote Originally Posted by ottizy View Post
    Search for all intermodular calls



    Find the ws2_32 send function



    Follow the function by double-clicking on it. Start the client and log in. Once you're logged in you want to quickly put a breakpoint on the function by pressing F2, go back to the Tibia client and perform the action that you are searching for. This should make the breakpoint hit in Olly.



    Press ALT+K to view the callstack



    The top function is the function where the breakpoint was. The function Tibia.009B39B0 is the function which finalizes the packet before it's sent. The function Tibia.0099DF4E is the one you're looking for, which you can see if you follow it.

    However you cannot use the one that is in the screenshot because I had ASLR enabled.
    I repeated the same steps but none of the instructions listed has 3 arguments with the last one equal to 0, and how do you know that 009B39B0 is the function which finalizes the packet? Another doubt: in your case, is the address for the function 0099DF4E + baseAddress?

  7. #7
    Senior Member
    Join Date
    Dec 2011
    Posts
    249
    No, those addresses are with the base address; however, I have no idea what the base address is since ASLR was enabled while I made the screenshots. You are not looking for a function with 3 arguments, you are looking for a function with 1 argument, which is the creature ID of the creature you want to attack. The reason the arguments don't show up is because the creature ID is passed via the ECX register.
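
Added example (not part of the thread and not any poster's code): a small C decoder that an analyst can run over the 13-byte stub from post #1 to confirm which address it calls and what it leaves in ECX, the register post #7 says carries the creature ID. The names `decode_stub`, `stub_call` and `SAMPLE_STUB` are made up here, and the sample bytes are constructed from the two values given in post #1.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed sample: the stub from post #1 after its two memcpy patches. */
static const uint8_t SAMPLE_STUB[13] = {
    0xB9, 0x27, 0x00, 0x40, 0x00,   /* MOV ECX, 0x00400027 */
    0xB8, 0xF0, 0x9B, 0x41, 0x00,   /* MOV EAX, 0x00419BF0 */
    0xFF, 0xD0,                     /* CALL EAX */
    0xC3,                           /* RETN */
};
struct stub_call {
    uint32_t target;    /* absolute address reached by CALL r32 */
    uint32_t ecx;       /* ECX at the call, valid only if ecx_known */
    int ecx_known;      /* 1 if an earlier MOV ECX, imm32 set it */
};

/* Handles only MOV r32,imm32 (B8+r), CALL r32 (FF D0+r) and RETN (C3).
 * Returns 0 once a resolved call is followed by RETN, otherwise -1. */
int decode_stub(const uint8_t *p, size_t n, struct stub_call *out)
{
    uint32_t reg[8] = {0};          /* EAX=0, ECX=1, EDX=2, ... EDI=7 */
    int known[8] = {0}, have_call = 0;
    size_t i = 0;
    while (i < n) {
        uint8_t op = p[i];
        if (op >= 0xB8 && op <= 0xBF) {
            if (n - i < 5) return -1;               /* immediate cut off */
            int r = op - 0xB8;
            reg[r] = (uint32_t)p[i + 1] | (uint32_t)p[i + 2] << 8 |
                     (uint32_t)p[i + 3] << 16 | (uint32_t)p[i + 4] << 24;
            known[r] = 1;                           /* imm32 is little-endian */
            i += 5;
        } else if (op == 0xFF) {
            if (n - i < 2 || (p[i + 1] & 0xF8) != 0xD0) return -1;
            int r = p[i + 1] & 7;
            if (!known[r]) return -1;               /* target never loaded */
            out->target = reg[r];
            out->ecx = reg[1];
            out->ecx_known = known[1];
            have_call = 1;
            i += 2;
        } else if (op == 0xC3) {
            return have_call ? 0 : -1;
        } else {
            return -1;                              /* opcode outside the stub's forms */
        }
    }
    return -1;                      /* ran off the end without RETN */
}
```

The decoded target is an absolute address, so it is only meaningful against the module base the process actually has, which is the ASLR point made in post #7.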
