/// <summary>
/// Set the RSA key. Different from WriteString because must overcome protection.
/// </summary>
/// <param name="handle"></param>
/// <param name="address"></param>
/// <param name="newKey"></param>
/// <returns></returns>
public static bool WriteRSA(IntPtr handle, long address, string newKey)
{
IntPtr bytesWritten;
int result;
WinApi.MemoryProtection oldProtection = 0;
System.Text.ASCIIEncoding enc = new System.Text.ASCIIEncoding();
byte[] bytes = enc.GetBytes(newKey);
// Make it so we can write to the memory block
WinApi.VirtualProtectEx(
handle,
new IntPtr(address),
new IntPtr(bytes.Length),
WinApi.MemoryProtection.ExecuteReadWrite, ref oldProtection);
// Write to memory
result = WinApi.WriteProcessMemory(handle, new IntPtr(address), bytes, (uint)bytes.Length, out bytesWritten);
// Put the protection back on the memory block
WinApi.VirtualProtectEx(handle, new IntPtr(address), new IntPtr(bytes.Length), oldProtection, ref oldProtection);
return(result != 0);
}
public bool WriteOnGetNextPacketCode()
{
oldCallBytes = client.Memory.ReadBytes(
Tibia.Addresses.Client.GetNextPacketCall,
5);
#region opcodes
byte[] opCodes = new byte[] {
//fSendingToClient @ flagAddress
0x00, 0x00, 0x00, 0x00,
//mov eax,dword ptr ds:[flagAddress]
0xA1, 0x00, 0x00, 0x00, 0x00,
//cmp eax,1
0x83, 0xF8, 0x01,
//JNZ SHORT~ -> mov eax,origAddress
0x75, 0x26,
//mov eax,dword ptr ds:[ADDR_RECV_STREAM+4] //dwSize
0xA1, 0x00, 0x00, 0x00, 0x00,
//mov ebx,dword ptr ds:[ADDR_RECV_STREAM+8] //dwPos
0x8B, 0x1D, 0x00, 0x00, 0x00, 0x00,
//cmp ebx,eax
0x39, 0xC3,
//JGE SHORT~ -> //mov eax,-1
0x7D, 0x11,
//add ebx,dword ptr ds:[ADDR_RECV_STREAM]
0x03, 0x1D, 0x00, 0x00, 0x00, 0x00,
//mov al,byte ptr ds:[ebx]
0x8A, 0x03,
//mov ebx,ADDR_RECV_STREAM+8
0xBB, 0x00, 0x00, 0x00, 0x00,
//add dword ptr ds:[ebx],1
0x83, 0x03, 0x01,
//retn
0xC3,
//mov eax,-1
0xB8, 0xFF, 0xFF, 0xFF, 0xFF,
//retn,
0xC3,
//mov eax,oldAddress
0xB8, 0x00, 0x00, 0x00, 0x00,
//call eax
0xFF, 0xD0,
//retn
0xC3
};
#endregion
#region fixing opcodes
Array.Copy(
BitConverter.GetBytes(Tibia.Addresses.Client.RecvStream + 4),
0,
opCodes,
15,
4);//mov eax,dword ptr ds:[ADDR_RECV_STREAM+4]
Array.Copy(
BitConverter.GetBytes(Tibia.Addresses.Client.RecvStream + 8),
0,
opCodes,
21,
4); //mov ebx,dword ptr ds:[ADDR_RECV_STREAM+8]
Array.Copy(
BitConverter.GetBytes(Tibia.Addresses.Client.RecvStream),
0,
opCodes,
31,
4);//add ebx,dword ptr ds:[ADDR_RECV_STREAM]
Array.Copy(
BitConverter.GetBytes(Tibia.Addresses.Client.RecvStream + 8),
0,
opCodes,
38,
4);//mov ebx,ADDR_RECV_STREAM+8
#endregion
pSendToClient = WinApi.VirtualAllocEx(
client.ProcessHandle,
IntPtr.Zero,
(uint)opCodes.Length,
WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve,
WinApi.MemoryProtection.ExecuteReadWrite);
if (pSendToClient != IntPtr.Zero)
{
Array.Copy(BitConverter.GetBytes(pSendToClient.ToInt32()), 0, opCodes, 5, 4);
//Begin HookCall
WinApi.MemoryProtection oldProtect = WinApi.MemoryProtection.NoAccess;
WinApi.MemoryProtection newProtect = WinApi.MemoryProtection.NoAccess;
uint newCall, oldCall;
byte[] call = new byte[] { 0xE8, 0x00, 0x00, 0x00, 0x00 };
newCall = (uint)(pSendToClient.ToInt32() + 4) - Tibia.Addresses.Client.GetNextPacketCall - 5;
Array.Copy(BitConverter.GetBytes(newCall), 0, call, 1, 4);
if (WinApi.VirtualProtectEx(client.ProcessHandle,
new IntPtr(Tibia.Addresses.Client.GetNextPacketCall),
new IntPtr(5),
WinApi.MemoryProtection.ReadWrite,
ref oldProtect))
{
oldCall = BitConverter.ToUInt32(
client.Memory.ReadBytes(Tibia.Addresses.Client.GetNextPacketCall + 1, 4),
0);
int oldAddress = (int)(Tibia.Addresses.Client.GetNextPacketCall + oldCall + 5);
Array.Copy(
BitConverter.GetBytes(oldAddress),
0,
opCodes,
53,
4);//mov eax,oldAddress
if (client.Memory.WriteBytes(pSendToClient.ToInt64(), opCodes, (uint)opCodes.Length))
{
if (client.Memory.WriteBytes(Tibia.Addresses.Client.GetNextPacketCall, call, 5))
{
WinApi.VirtualProtectEx(client.ProcessHandle,
new IntPtr(Tibia.Addresses.Client.GetNextPacketCall),
new IntPtr(5),
oldProtect,
ref newProtect);
sendToClientCodeWritten = true;
return(true);
}
}
WinApi.VirtualProtectEx(client.ProcessHandle,
new IntPtr(Tibia.Addresses.Client.GetNextPacketCall),
new IntPtr(5),
oldProtect,
ref newProtect);
}
}
if (pSendToClient == IntPtr.Zero)
{
WinApi.VirtualFreeEx(
client.ProcessHandle,
pSendToClient,
(uint)opCodes.Length,
WinApi.AllocationType.Release);
}
sendToClientCodeWritten = false;
return(false);
}
