
Tibia 11 - How to read things in Tibia 11 memory



blackd
09-15-2016, 18:52
Well, let's gather what we have.
For now it looks like dealing with memory addresses will be the main problem for bot updates.
- Tibia process is now named "client" instead of "Tibia".
- Tibia class name is now called "Qt5QWindowOwnDCIcon" instead of "TibiaClient".
- The new tibia client code is now distributed in several parts, each of them allocated in a different zone of memory.
- At this moment all the shortest address paths start at Qt5Core.dll
- A first step for a future Tibia 11 bot will be calculating base address for each part of the new Tibia client code.
- A second step will be obtaining stable paths of all addresses through Cheat Engine (http://www.cheatengine.org/).
- A Tibia 11 address will usually look like a path. Below I already got some of them:

adrXPos="Qt5Core.dll" + 004555C8 > 8 > 134 > 24 > 18
adrYPos="Qt5Core.dll" + 004555C8 > 8 > 134 > 24 > 1C
adrZPos="Qt5Core.dll" + 004555C8 > 8 > 134 > 24 > 20

You can find full list here (http://www.blackdtools.net/showthread.php?62965-11-00-Blackd-Tibia-addresses-11-00).

In this image you can see how to obtain current player position X using adrXPos in Cheat Engine:
https://blackdtools.net/adrXPos_Tibia11.jpg

You can learn how to obtain paths here (http://www.blackdtools.net/showthread.php?62970-Tibia-11-The-procedure-to-find-new-memory-addresses-(paths)).

blackd
09-16-2016, 01:20
I just made a VB.NET function that will help to use address paths obtained with Cheat Engine:



' Obtain memory bases and region sizes of all modules in a running process.
' By Blackd (blackdtools.com)
' Tibia 11 : expectedName="client" expectedClass="Qt5QWindowOwnDCIcon"
Public Sub GetAllBaseAddressesAndRegionSizes(ByRef expectedName As String, ByRef expectedClass As String)
    Dim procmodule_name As String
    Dim procmodule_base As Long
    Dim procmodule_size As Long
    Dim ubproc As Long
    Dim hwnd As IntPtr
    Dim allModules As System.Diagnostics.ProcessModuleCollection
    Try
        Dim proc() As Process
        proc = System.Diagnostics.Process.GetProcessesByName(expectedName)
        ubproc = UBound(proc)
        If ubproc < 0 Then
            Debug.Print("Error: Can't find any process with name=" & expectedName)
            Exit Sub
        End If
        For i As Integer = 0 To ubproc
            hwnd = proc(i).MainWindowHandle
            If GetWindowClass(hwnd) = expectedClass Then
                allModules = proc(i).Modules
                Debug.Print("Found " & CStr(allModules.Count) & " process modules:")
                For Each procmodule As ProcessModule In allModules
                    ' Get procmodule_name - Static: always same names.
                    procmodule_name = procmodule.ModuleName
                    ' Get procmodule_base - Dynamic: bases will change each new run of the executable!
                    procmodule_base = procmodule.BaseAddress.ToInt64()
                    ' Get procmodule_size - Static: always same size. Useful to search things in modules (for autoupdaters)
                    procmodule_size = procmodule.ModuleMemorySize
                    Debug.Print(procmodule_name & " = " & Hex(procmodule_base) & " (size = " & Hex(procmodule_size) & ")")
                    ' TODO: Add/update in a dictionary object so we can later
                    ' translate complex address paths that start in such places.
                Next procmodule
                Exit Sub
            End If
        Next
    Catch ex As Exception
        Debug.Print("Error: Unexpected error - " & ex.ToString())
    End Try
End Sub

' Helper used above (not included in the original post): returns the window class
' name of a window handle through the Win32 GetClassName API.
<System.Runtime.InteropServices.DllImport("user32.dll", CharSet:=System.Runtime.InteropServices.CharSet.Auto)>
Private Shared Function GetClassName(ByVal hWnd As IntPtr, ByVal lpClassName As System.Text.StringBuilder, ByVal nMaxCount As Integer) As Integer
End Function

Private Function GetWindowClass(ByVal hwnd As IntPtr) As String
    Dim sb As New System.Text.StringBuilder(256)
    GetClassName(hwnd, sb, sb.Capacity)
    Return sb.ToString()
End Function

blackd
09-16-2016, 10:18
Tibia 11 seems to have 90 modules in memory. When a memory address path starts in a module you need to obtain its base address so you can start translating the memory address path into a final address (only valid for your current running process).

Below is the full list of modules for Tibia 11.00.3801 :

client.exe (size = 60C000)
ntdll.dll (size = 17B000)
KERNEL32.DLL (size = E0000)
KERNELBASE.dll (size = 17E000)
USER32.dll (size = 147000)
Qt5Concurrent.dll (size = 9000)
GDI32.dll (size = 14F000)
Qt5Widgets.dll (size = 43B000)
Qt5Quick.dll (size = 256000)
ADVAPI32.dll (size = 7B000)
msvcrt.dll (size = BE000)
sechost.dll (size = 44000)
RPCRT4.dll (size = AD000)
SspiCli.dll (size = 1E000)
CRYPTBASE.dll (size = A000)
bcryptPrimitives.dll (size = 58000)
SHELL32.dll (size = 13FE000)
cfgmgr32.dll (size = 37000)
windows.storage.dll (size = 4FA000)
combase.dll (size = 1BD000)
shlwapi.dll (size = 45000)
kernel.appcore.dll (size = C000)
shcore.dll (size = 8D000)
powrprof.dll (size = 44000)
profapi.dll (size = F000)
Qt5Gui.dll (size = 4A9000)
Qt5Qml.dll (size = 27C000)
Qt5Network.dll (size = D4000)
Qt5Core.dll (size = 46E000)
MSVCP120.dll (size = 71000)
MSVCR120.dll (size = EE000)
WS2_32.dll (size = 5F000)
CRYPT32.dll (size = 179000)
MSASN1.dll (size = E000)
DNSAPI.dll (size = 84000)
NSI.dll (size = 7000)
ole32.dll (size = EB000)
MPR.dll (size = 16000)
IMM32.DLL (size = 2B000)
version.dll (size = 8000)
qwindows.dll (size = F9000)
OLEAUT32.dll (size = 95000)
WINMM.dll (size = 24000)
WINMMBASE.dll (size = 23000)
uxtheme.dll (size = 75000)
dwmapi.dll (size = 1D000)
d3d9.dll (size = 1CB000)
nvspcap.dll (size = 151000)
SETUPAPI.dll (size = 40B000)
PSAPI.DLL (size = 6000)
WINHTTP.dll (size = 9B000)
nvapi.dll (size = 381000)
dxgi.dll (size = 82000)
opengl32.dll (size = E0000)
GLU32.dll (size = 25000)
DDRAW.dll (size = EE000)
DCIMAN32.dll (size = 7000)
MSCTF.dll (size = 11F000)
nvoglv32.DLL (size = 1B18000)
WTSAPI32.dll (size = F000)
Dbghelp.dll (size = 13F000)
DEVOBJ.dll (size = 22000)
WINTRUST.dll (size = 42000)
ntmarta.dll (size = 28000)
WINSTA.dll (size = 44000)
dbgcore.DLL (size = 21000)
iphlpapi.dll (size = 2F000)
dhcpcsvc.DLL (size = 14000)
dhcpcsvc6.DLL (size = 13000)
clbcatq.dll (size = 84000)
PROPSYS.dll (size = 14B000)
qtquick2plugin.dll (size = 9000)
windowplugin.dll (size = 8000)
qjpeg.dll (size = 3F000)
dataexchange.dll (size = 41000)
d3d11.dll (size = 21A000)
dcomp.dll (size = A7000)
twinapi.appcore.dll (size = CE000)
bcrypt.dll (size = 1B000)
ssleay32.dll (size = 57000)
LIBEAY32.dll (size = 154000)
CRYPTSP.dll (size = 13000)
rsaenh.dll (size = 2F000)
ondemandconnroutehelper.dll (size = 12000)
mswsock.dll (size = 4F000)
rasadhlp.dll (size = 8000)
fwpuclnt.dll (size = 47000)
qtquickcontrolsplugin.dll (size = AD000)
qquicklayoutsplugin.dll (size = 12000)
edputil.dll (size = 49000)
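The two posts above describe the same mechanism from both ends: a path such as "Qt5Core.dll" + 004555C8 > 8 > 134 > 24 > 18 is a module base plus a static offset, followed by a chain of "read the pointer stored here, then add this offset" hops, and the module base has to be looked up per run because it changes every time the executable starts. The following Python is an added example, not code from the thread or from Blackd Proxy; it parses that path notation and walks the chain against a constructed 32-bit memory image (the 4-byte pointer width, the module base 0x6A000000, the intermediate pointers and the X/Y/Z values are all made up for the demo). It also shows the failure mode an autoupdater has to handle: when a hop lands on an address that is not mapped, which is what a stale path looks like after a client update, the reader raises instead of returning garbage.

```python
import re
from typing import Callable, Dict, List, Tuple

# Cheat Engine-style path as written in the thread:
#   "Qt5Core.dll" + 004555C8 > 8 > 134 > 24 > 18
# module base + 004555C8 gives the first address; every "> off" means
# "read the pointer stored at the current address, then add off".
_PATH_RE = re.compile(
    r'^\s*"(?P<module>[^"]+)"\s*\+\s*(?P<base>[0-9A-Fa-f]+)\s*'
    r'(?P<chain>(?:>\s*[0-9A-Fa-f]+\s*)*)$'
)


def parse_path(path: str) -> Tuple[str, int, List[int]]:
    """Split a path string into (module name, base offset, hop offsets)."""
    m = _PATH_RE.match(path)
    if not m:
        raise ValueError(f"not a valid address path: {path!r}")
    hops = [int(h, 16) for h in re.findall(r"[0-9A-Fa-f]+", m.group("chain"))]
    return m.group("module"), int(m.group("base"), 16), hops


def resolve_path(path: str, module_bases: Dict[str, int],
                 read_u32: Callable[[int], int]) -> int:
    """Translate a path into the final address valid for this process instance."""
    module, base_off, hops = parse_path(path)
    if module not in module_bases:
        raise KeyError(f"module {module!r} is not loaded in the target process")
    addr = module_bases[module] + base_off          # static offset from module base
    for off in hops:
        addr = read_u32(addr) + off                 # dereference, then add the hop offset
    return addr


class FakeMemory:
    """Constructed 32-bit address space standing in for ReadProcessMemory."""

    def __init__(self) -> None:
        self._cells: Dict[int, int] = {}

    def write_u32(self, addr: int, value: int) -> None:
        self._cells[addr] = value & 0xFFFFFFFF

    def read_u32(self, addr: int) -> int:
        # A stale path (e.g. after a client update) hits unmapped memory;
        # fail loudly rather than return a bogus pointer.
        if addr not in self._cells:
            raise ValueError(f"unmapped address {addr:#010x}")
        return self._cells[addr]


# Paths quoted from the thread; only the final hop differs (X, Y, Z lie 4 bytes apart).
ADR_XPOS = '"Qt5Core.dll" + 004555C8 > 8 > 134 > 24 > 18'
ADR_YPOS = '"Qt5Core.dll" + 004555C8 > 8 > 134 > 24 > 1C'
ADR_ZPOS = '"Qt5Core.dll" + 004555C8 > 8 > 134 > 24 > 20'


def build_demo() -> Tuple[Dict[str, int], FakeMemory]:
    """Constructed module table and memory image that make the paths above resolve."""
    module_bases = {"Qt5Core.dll": 0x6A000000}       # made-up base for this "run"
    mem = FakeMemory()
    mem.write_u32(0x6A4555C8, 0x02000000)            # static pointer inside Qt5Core.dll
    mem.write_u32(0x02000008, 0x03000000)            # [p1 + 8]
    mem.write_u32(0x03000134, 0x04000000)            # [p2 + 134]
    mem.write_u32(0x04000024, 0x05000000)            # [p3 + 24] -> player struct
    mem.write_u32(0x05000018, 32368)                 # X
    mem.write_u32(0x0500001C, 32241)                 # Y
    mem.write_u32(0x05000020, 7)                     # Z
    return module_bases, mem


def read_player_position(module_bases: Dict[str, int],
                         read_u32: Callable[[int], int]) -> Tuple[int, int, int]:
    return tuple(read_u32(resolve_path(p, module_bases, read_u32))
                 for p in (ADR_XPOS, ADR_YPOS, ADR_ZPOS))


if __name__ == "__main__":
    bases, memory = build_demo()
    print(parse_path(ADR_XPOS))
    print(f"adrXPos -> {resolve_path(ADR_XPOS, bases, memory.read_u32):#010x}")
    print("position:", read_player_position(bases, memory.read_u32))
```

Swapping FakeMemory.read_u32 for a real process reader and the module table for the output of the module-listing routine is the only change needed to run the same resolver against a live process; the path strings themselves stay exactly as Cheat Engine reports them.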

PsychoBoy
09-29-2016, 11:26
Hello. Do you know if new Tibia 11 client uses the same tibia protocol as before? As far as I know it does. And if so then what's the point of reversing new client from scratch if you can use already reversed tibia protocol to make clientless bots? I think it's 100% possible, am I right? I saw someone connected to OTS using Tibia 11 client so it means that Tibia 11 client still uses the same protocol and therefore you can just simply send packets onto real tibia server to simulate that you are moving/attacking or doing whatever you want.

blackd
09-29-2016, 14:09
Hello. Do you know if new Tibia 11 client uses the same tibia protocol as before? As far as I know it does. And if so then what's the point of reversing new client from scratch if you can use already reversed tibia protocol to make clientless bots? I think it's 100% possible, am I right? I saw someone connected to OTS using Tibia 11 client so it means that Tibia 11 client still uses the same protocol and therefore you can just simply send packets onto real tibia server to simulate that you are moving/attacking or doing whatever you want.

Yes, it is the same protocol, so my bot does not really require a total change.
However, the main problem for me is handling memory, especially login interception (so I can proxify the game connection). Then I also need to know a way to order a move to x,y,z using memory, a way to know the selected char in the character list, and a few more things that require memory.

Acrozo0
10-01-2016, 01:55
What language is blackdtools in?

blackd
10-04-2016, 10:08
Blackd Proxy = Visual Basic 6

However I try to make all my new projects with VB.NET 2010.