/// <summary>
/// Installs the GetnextPacket hook. Allocates an executable cave plus a flag word in the
/// target process, writes a stub that calls the original GetnextPacket, keeps its result,
/// raises the flag and spins until an external reader clears it, then starts the
/// <c>ReadingPacket</c> thread and redirects the call site (see <c>ReplaceCode</c>).
/// Undone by <c>CleanUp</c>.
/// </summary>
/// <remarks>
/// Review notes: neither <c>VirtualAllocEx</c> result is checked, so on failure the writes
/// below target address 0 of the process; the stub parks a target thread in a busy loop that
/// only this process can release, so if the reader stops while the flag is raised the target
/// hangs; EBX is overwritten without being preserved; the clipboard write is a debug
/// leftover that publishes the cave address and requires an STA thread.
/// </remarks>
public void SetUpCodeCave()
        {
            CodeCaveHelper cv = new CodeCaveHelper();

            //Let's get some space for our codecave
            // Resolve the current target of the call at GetnextPacket.Address so the stub can
            // chain to it and CleanUp can restore it later.
            origanGetNextPacket = memRead.GetCallFunction(Addresses.MyAddresses.GetnextPacket.Address);
            // RWX pages in the target. Only 1 byte is requested for the flag, but the stub
            // accesses it as a 32-bit word; that only works because allocations are page-granular.
            CodeCaveAdr         = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
            GotPacketAdr        = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);

            memRead.WriteByte(GotPacketAdr.ToInt32(), 0);                         // flag starts cleared
            cv.AddLine((byte)0xE8);                                               // call rel32 (stub byte 0)
            cv.AddInt(((int)origanGetNextPacket - (CodeCaveAdr.ToInt32()) - 5));  // calls getnextPacket; rel32 is taken from the end of this 5-byte call, hence -5


            cv.AddLine((byte)0x8b, (byte)0xd8);                                                     // mov ebx, eax: park GetnextPacket's return value (EBX is not saved/restored)

            cv.AddLine((byte)0xc7, (byte)0x05, (UInt32)GotPacketAdr.ToInt32(), (UInt32)0x00000001); // mov dword [GotPacketAdr], 1: signal "packet available"

            cv.AddLine((byte)0x90);                                   // nop
            cv.AddLine((byte)0xA1, (UInt32)GotPacketAdr.ToInt32());   // loop head: mov eax, [GotPacketAdr]

            cv.AddLine((byte)0x83, (byte)0xF8, (byte)1);              // cmp eax, 1
            cv.AddLine((byte)0x74, (byte)0xF6);                       // je -10 -> loop head: spin while the flag is still 1 (presumably ReadingPacket clears it; not visible here)
            cv.AddLine((byte)0x8b, (byte)0xC3);                       // mov eax, ebx: hand the original return value back
            cv.AddLine((byte)0xC3);                                   // ret

            // Debug leftover: copies the cave address to the clipboard (throws ThreadStateException off an STA thread).
            System.Windows.Forms.Clipboard.SetText(CodeCaveAdr.ToString("X"));

            memRead.WriteBytes(CodeCaveAdr.ToInt32(), cv.Data, (uint)cv.Data.Length);  // install the stub
            Thread t = new Thread(new ThreadStart(ReadingPacket));                      // foreground thread: keeps this process alive until it returns

            running = true;  // set before Start so the reader observes it; not volatile (TODO confirm how ReadingPacket polls it)
            t.Start();
            ReplaceCode();   // redirect the call site last, once the stub is fully in place
        }
        /// <summary>
        /// Installs the GetnextPacket hook: allocates an executable cave and a flag word in the
        /// target, writes a stub that calls the original GetnextPacket, raises the flag and spins
        /// until it is cleared externally, then starts <c>ReadingPacket</c> and redirects the call
        /// site through <c>ReplaceCode</c>. Reversed by <c>CleanUp</c>.
        /// </summary>
        /// <remarks>
        /// Review notes: both <c>VirtualAllocEx</c> results are unchecked (a failure turns the
        /// writes below into writes at address 0 of the target); a target thread stays in the spin
        /// loop until this process clears the flag, so a stalled reader hangs the target; EBX is
        /// clobbered without being saved; the clipboard write is a debug artifact.
        /// </remarks>
        public void SetUpCodeCave()
        {
            CodeCaveHelper cv = new CodeCaveHelper();
            //Let's get some space for our codecave
            // Current target of the call at GetnextPacket.Address; chained to by the stub and restored by CleanUp.
            origanGetNextPacket = memRead.GetCallFunction(Addresses.MyAddresses.GetnextPacket.Address);
            // RWX pages. The flag is requested as 1 byte but read/written as a 32-bit word by the stub
            // (only safe because allocations are page-granular).
            CodeCaveAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
            GotPacketAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);

            memRead.WriteByte(GotPacketAdr.ToInt32(), 0);                         // flag starts cleared
            cv.AddLine((byte)0xE8);                                               // call rel32
            cv.AddInt(((int)origanGetNextPacket - (CodeCaveAdr.ToInt32()) - 5));  // calls getnextPacket; rel32 is relative to the end of the 5-byte call

            cv.AddLine((byte)0x8b, (byte)0xd8); // mov ebx, eax: keep the return value (EBX is not preserved)

            cv.AddLine((byte)0xc7, (byte)0x05, (UInt32)GotPacketAdr.ToInt32(), (UInt32)0x00000001); // mov dword [GotPacketAdr], 1: signal "packet available"

            cv.AddLine((byte)0x90);                                  // nop
            cv.AddLine((byte)0xA1, (UInt32)GotPacketAdr.ToInt32());  // loop head: mov eax, [GotPacketAdr]

            cv.AddLine((byte)0x83, (byte)0xF8, (byte)1);             // cmp eax, 1
            cv.AddLine((byte)0x74, (byte)0xF6);                      // je -10 -> loop head while the flag is 1 (cleared by the reader, presumably)
            cv.AddLine((byte)0x8b, (byte)0xC3);                      // mov eax, ebx: restore the return value
            cv.AddLine((byte)0xC3);                                  // ret

            // Debug leftover: publishes the cave address; needs an STA thread.
            System.Windows.Forms.Clipboard.SetText(CodeCaveAdr.ToString("X"));

            memRead.WriteBytes(CodeCaveAdr.ToInt32(), cv.Data, (uint)cv.Data.Length);  // install the stub
            Thread t = new Thread(new ThreadStart(ReadingPacket));                      // foreground thread
            running = true;  // set before Start so the reader sees it (not volatile — TODO confirm the reader's loop)
            t.Start();
            ReplaceCode();   // redirect the call site once the stub is in place
        }
        /// <summary>
        /// Redirects the 5-byte call at <c>GetnextPacket.Address</c> to <c>CodeCaveAdr</c>.
        /// Must run after the cave has been written; reversed by <c>CleanUp</c>.
        /// </summary>
        /// <remarks>
        /// Assumes the bytes at that address already form a call (the original target was
        /// resolved with <c>GetCallFunction</c>); nothing here verifies that before overwriting.
        /// The write is not atomic with respect to target threads executing that site.
        /// </remarks>
        private void ReplaceCode()
        {
            CodeCaveHelper cv = new CodeCaveHelper();

            cv.AddLine((byte)0xE8);  // call rel32; rel32 is measured from the end of the 5-byte instruction, hence -5
            cv.AddInt(((int)(CodeCaveAdr.ToInt32() - Addresses.MyAddresses.GetnextPacket.Address) - 5));

            memRead.WriteBytes(Addresses.MyAddresses.GetnextPacket.Address, cv.Data, (uint)cv.Data.Length);
        }
        /// <summary>
        /// Hooks the SendPacket entry point: saves its first 5 bytes into <c>OrigalBytes</c>,
        /// overwrites them with <c>jmp rel32</c> to <c>CodeCaveAdr</c>, then repoints
        /// <c>SendPacket.Address</c> at <c>NewSendAddress</c> so this process's own sends enter
        /// past the hook.
        /// </summary>
        /// <remarks>
        /// Review notes: the 5-byte patch is not atomic with respect to target threads that may be
        /// executing the prologue at that moment; the saved bytes are replayed verbatim in the cave,
        /// so they must not contain PC-relative instructions (TODO confirm for the hooked build);
        /// the shared address is mutated with no restore path visible on this page — whatever
        /// undoes this hook must put both the original bytes and the original address back.
        /// </remarks>
        private void ReplaceCode()
        {
            CodeCaveHelper cv = new CodeCaveHelper();

            OrigalBytes = memRead.ReadBytes(Addresses.MyAddresses.SendPacket.Address, 5);  // must be read before the write below

            cv.AddLine((byte)0xE9);  // jmp rel32; rel32 is measured from the end of the 5-byte instruction, hence -5
            cv.AddInt(((int)(CodeCaveAdr.ToInt32() - Addresses.MyAddresses.SendPacket.Address - 5)));
            memRead.WriteBytes(Addresses.MyAddresses.SendPacket.Address, cv.Data, (uint)cv.Data.Length);
            Addresses.MyAddresses.SendPacket.Address = NewSendAddress.ToInt32();  // from here on, callers in this process bypass the jmp
        }
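        /// <summary>
        /// Removes the GetnextPacket hook installed by <c>SetUpCodeCave</c>: restores the
        /// original call target, clears the "got packet" flag so a target thread still spinning
        /// in the cave can leave it, and releases both remote allocations. No-op when the hook
        /// is not running.
        /// </summary>
        /// <remarks>
        /// <c>VirtualFreeEx</c> with MEM_RELEASE requires <c>dwSize == 0</c>; the earlier
        /// 1024 / 1 sizes made both calls fail silently and leaked the pages in the target.
        /// Nothing here waits for a target thread to actually leave the cave before it is freed;
        /// a thread still executing the last two instructions when the pages go away would
        /// fault — a short grace period or a join on the reader thread would close that window.
        /// </remarks>
        public void CleanUp()
        {
            if (running == false)
            {
                return;
            }
            running = false;

            // Re-point the call at GetnextPacket.Address to its original target
            // (rel32 is relative to the end of the 5-byte call, hence -5).
            CodeCaveHelper cv = new CodeCaveHelper();
            cv.AddLine((byte)0xE8);
            cv.AddInt(((int)(origanGetNextPacket - Addresses.MyAddresses.GetnextPacket.Address) - 5));
            memRead.WriteBytes(Addresses.MyAddresses.GetnextPacket.Address, cv.Data, (uint)cv.Data.Length);

            // Release any target thread parked in the spin loop before the cave is freed.
            memRead.WriteByte(GotPacketAdr.ToInt32(), 0);

            // MEM_RELEASE frees the whole region; the size argument must be 0.
            WinApi.VirtualFreeEx(TibiaHandle, CodeCaveAdr, 0, WinApi.AllocationType.Release);
            WinApi.VirtualFreeEx(TibiaHandle, GotPacketAdr, 0, WinApi.AllocationType.Release);
        }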
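        /// <summary>
        /// Sends <paramref name="packet"/> through the client's own packet routines. With the
        /// client's main thread suspended, a remote stub calls CreatePacket with the first byte
        /// as the packet type, AddPacketByte for each remaining byte, and SendPacket with the
        /// encrypt flag set. The client's outgoing buffer and length are saved beforehand and
        /// restored afterwards.
        /// </summary>
        /// <param name="packet">Packet to send; the first byte is the packet type. Must be non-empty.</param>
        /// <exception cref="ArgumentException"><paramref name="packet"/> is null or empty.</exception>
        /// <exception cref="InvalidOperationException">The remote allocation or remote thread could not be created.</exception>
        /// <remarks>
        /// Changes from the earlier version: arguments are validated before the main thread is
        /// suspended (the old code hit <c>packet[0]</c> afterwards, so an empty packet left the
        /// client frozen); the stub is assembled first and the cave sized to it instead of a
        /// fixed 1024 bytes (12 bytes per payload byte, so long packets overran the request);
        /// resume, buffer restore and free run in <c>finally</c>; a null remote-thread handle is
        /// no longer waited on; <c>VirtualFreeEx</c> is called with size 0 as MEM_RELEASE requires.
        /// </remarks>
        public void SendPacketToServer(byte[] packet)
        {
            if (packet == null || packet.Length == 0)
            {
                throw new ArgumentException("packet must contain at least the packet type byte", "packet");
            }

            IntPtr MainThread = OpenAndSuspendThread(tProcess.Id);
            try
            {
                // Snapshot the client's outgoing stream; the remote stub overwrites it.
                uint   OldPackelen = memRead.ReadUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address);
                byte[] OldPacket   = memRead.ReadBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPackelen);

                // Assemble the stub before allocating so the cave can be sized exactly.
                CodeCaveHelper cv = new CodeCaveHelper();

                //createPacket
                cv.AddLine((byte)0xb9, (UInt32)packet[0]);                                 // mov ecx, packetType
                cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.CreatePacket.Address);  // mov eax, CreatePacket
                cv.AddLine((byte)0xff, (byte)0xD0);                                        // call eax

                for (int i = 1; i < packet.Length; i++)
                {
                    cv.AddLine((byte)0xb9, (UInt32)packet[i]);                                 // mov ecx, byte
                    cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.AddPacketByte.Address);  // mov eax, AddPacketByte
                    cv.AddLine((byte)0xff, (byte)0xD0);                                        // call eax
                }

                cv.AddLine((byte)0xb1, (byte)0x01);                                        // mov cl, 1 — encrypt flag (XTEA on, per the original author's note)
                cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.SendPacket.Address);    // mov eax, SendPacket
                cv.AddLine((byte)0xff, (byte)0xD0);                                        // call eax
                cv.AddByte(0xC3);                                                          // ret

                uint   caveSize = (uint)cv.Data.Length;
                IntPtr CodeCave = WinApi.VirtualAllocEx(tProcessHandle, IntPtr.Zero, caveSize, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
                if (CodeCave == IntPtr.Zero)
                {
                    throw new InvalidOperationException("VirtualAllocEx failed in the target process.");
                }

                try
                {
                    memRead.WriteBytes(CodeCave.ToInt32(), cv.Data, caveSize);

                    IntPtr hThread = WinApi.CreateRemoteThread(tProcessHandle, IntPtr.Zero, 0, CodeCave, IntPtr.Zero, 0, IntPtr.Zero);

                    // Clear the hook's "got packet" flag so a thread parked in the receive hook is released;
                    // kept between thread creation and the wait, as in the original ordering.
                    if (Addresses.MyAddresses.IgnoreReadClientPacketAddress > 0)
                    {
                        memRead.WriteByte(Addresses.MyAddresses.IgnoreReadClientPacketAddress, 0);
                    }

                    if (hThread == IntPtr.Zero)
                    {
                        throw new InvalidOperationException("CreateRemoteThread failed in the target process.");
                    }
                    // NOTE(review): an infinite wait; if the remote stub never returns this thread
                    // blocks forever with the client's main thread suspended.
                    WinApi.WaitForSingleObject(hThread, 0xFFFFFFFF);
                    WinApi.CloseHandle(hThread);
                }
                finally
                {
                    // MEM_RELEASE requires size 0.
                    WinApi.VirtualFreeEx(tProcessHandle, CodeCave, 0, WinApi.AllocationType.Release);

                    memRead.WriteUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address, OldPackelen);
                    memRead.WriteBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPacket, OldPackelen);
                }
            }
            finally
            {
                ResumeAndCloseThread(MainThread);
            }
        }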
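        /// <summary>
        /// Removes the GetnextPacket hook installed by <c>SetUpCodeCave</c>: restores the
        /// original call target, clears the "got packet" flag so a target thread still spinning
        /// in the cave can leave it, and releases both remote allocations. No-op when the hook
        /// is not running.
        /// </summary>
        /// <remarks>
        /// <c>VirtualFreeEx</c> with MEM_RELEASE requires <c>dwSize == 0</c>; the earlier
        /// 1024 / 1 sizes made both calls fail silently and leaked the pages in the target.
        /// Nothing here waits for a target thread to actually leave the cave before it is freed;
        /// a thread still in its last two instructions when the pages go away would fault — a
        /// short grace period or a join on the reader thread would close that window.
        /// </remarks>
        public void CleanUp()
        {
            if (running == false)
            {
                return;
            }
            running = false;

            // Re-point the call at GetnextPacket.Address to its original target
            // (rel32 is relative to the end of the 5-byte call, hence -5).
            CodeCaveHelper cv = new CodeCaveHelper();
            cv.AddLine((byte)0xE8);
            cv.AddInt(((int)(origanGetNextPacket - Addresses.MyAddresses.GetnextPacket.Address) - 5));
            memRead.WriteBytes(Addresses.MyAddresses.GetnextPacket.Address, cv.Data, (uint)cv.Data.Length);

            // Release any target thread parked in the spin loop before the cave is freed.
            memRead.WriteByte(GotPacketAdr.ToInt32(), 0);

            // MEM_RELEASE frees the whole region; the size argument must be 0.
            WinApi.VirtualFreeEx(TibiaHandle, CodeCaveAdr, 0, WinApi.AllocationType.Release);
            WinApi.VirtualFreeEx(TibiaHandle, GotPacketAdr, 0, WinApi.AllocationType.Release);
        }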
        /// <summary>
        /// Installs the SendPacket hook (jmp variant). Allocates an executable cave plus a flag
        /// word in the target, publishes the flag address through
        /// <c>Addresses.MyAddresses.IgnoreReadClientPacketAddress</c>, saves SendPacket's first
        /// 5 bytes, and writes a stub that raises the flag, spins until it is cleared, replays the
        /// saved prologue and continues into SendPacket past the patched bytes. Then starts the
        /// <c>ReadingPacket</c> thread and applies the jmp via <c>ReplaceCode</c>.
        /// </summary>
        /// <remarks>
        /// Review notes: neither <c>VirtualAllocEx</c> result is checked; the 0x19 offset and the
        /// call displacement are hand-computed from the stub layout and must be updated together
        /// with any change to the instructions before them; a target thread entering the hook
        /// spins until something clears the flag, so a stalled controller hangs the client; EBX is
        /// overwritten without being preserved; the clipboard write and the modal message box at
        /// the end are debug leftovers that expose the flag address.
        /// </remarks>
        public void SetUpCodeCave()
        {
            CodeCaveHelper cv = new CodeCaveHelper();

            //Let's get some space for our codecave
            // RWX pages in the target. The flag is requested as 1 byte but accessed as a 32-bit
            // word by the stub (works only because allocations are page-granular).
            CodeCaveAdr  = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
            GotPacketAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
            // Lets SendPacketToServer (its IgnoreReadClientPacketAddress branch) clear the flag and release the spin loop.
            Addresses.MyAddresses.IgnoreReadClientPacketAddress = GotPacketAdr.ToInt32();

            // The saved prologue is replayed verbatim inside the cave, so it must not contain
            // PC-relative instructions (TODO confirm for the hooked client build).
            OrigalBytes    = memRead.ReadBytes(Addresses.MyAddresses.SendPacket.Address, 5);
            // 0x19 = 25 = size of the stub emitted before OrigalBytes (2+10+1+5+3+2+2 bytes).
            // Entering here skips the flag/spin part and runs only the replayed prologue + call.
            NewSendAddress = CodeCaveAdr + 0x19;

            memRead.WriteByte(GotPacketAdr.ToInt32(), 0);  // flag starts cleared

            cv.AddLine((byte)0x8b, (byte)0xd8);                                                     // mov ebx, eax (EBX is not saved/restored)

            cv.AddLine((byte)0xc7, (byte)0x05, (UInt32)GotPacketAdr.ToInt32(), (UInt32)0x00000001); // mov dword [GotPacketAdr], 1: signal "packet available"

            cv.AddLine((byte)0x90);                                  // nop
            cv.AddLine((byte)0xA1, (UInt32)GotPacketAdr.ToInt32());  // loop head: mov eax, [GotPacketAdr]

            cv.AddLine((byte)0x83, (byte)0xF8, (byte)1);             // cmp eax, 1
            cv.AddLine((byte)0x74, (byte)0xF6);                      // je -10 -> loop head: spin while the flag is 1
            cv.AddLine((byte)0x8b, (byte)0xC3);                      // mov eax, ebx


            cv.AddBytes(OrigalBytes);// replay the 5 original bytes that the jmp replaced (this is cave offset 0x19)

            cv.AddLine((byte)0xE8);  // call rel32
            // The displacement is computed against the address of the E8 byte itself (Data.Length
            // already includes it) rather than the end of the instruction, so control lands at
            // SendPacket + 5 — just past the jmp written by ReplaceCode. SendPacket.Address still
            // holds the original value here; ReplaceCode changes it afterwards.
            cv.AddInt(((int)Addresses.MyAddresses.SendPacket.Address - (CodeCaveAdr.ToInt32())) - cv.Data.Length + 1);   // continues into SendPacket past the patched bytes

            cv.AddLine((byte)0xC3);  // ret
            // NOTE(review): the call above leaves one extra return address on the stack for the
            // remainder of SendPacket, so esp-relative offsets there shift by 4; this only works if
            // the replayed prologue establishes the frame the remainder uses — TODO confirm.


            memRead.WriteBytes(CodeCaveAdr.ToInt32(), cv.Data, (uint)cv.Data.Length);  // install the stub
            Thread t = new Thread(new ThreadStart(ReadingPacket));                      // foreground thread: keeps this process alive until it returns

            running = true;  // set before Start so the reader observes it (not volatile — TODO confirm the reader's loop)
            t.Start();
            ReplaceCode();   // write the jmp and repoint SendPacket.Address — last, once the stub is in place
            IsRunning = true;
            // Debug leftovers: publish the flag address and block on a modal dialog while the hook is live.
            System.Windows.Forms.Clipboard.SetText(GotPacketAdr.ToString("X"));
            System.Windows.Forms.MessageBox.Show(GotPacketAdr.ToString("X"));
        }
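        /// <summary>
        /// Sends <paramref name="packet"/> through the client's own packet routines. With the
        /// client's main thread suspended, a remote stub calls CreatePacket with the first byte
        /// as the packet type, AddPacketByte for each remaining byte, and SendPacket with the
        /// encrypt flag set. The client's outgoing buffer and length are saved beforehand and
        /// restored afterwards.
        /// </summary>
        /// <param name="packet">Packet to send; the first byte is the packet type. Must be non-empty.</param>
        /// <exception cref="ArgumentException"><paramref name="packet"/> is null or empty.</exception>
        /// <exception cref="InvalidOperationException">The remote allocation or remote thread could not be created.</exception>
        /// <remarks>
        /// Changes from the earlier version: arguments are validated before the main thread is
        /// suspended (the old code hit <c>packet[0]</c> afterwards, so an empty packet left the
        /// client frozen); the stub is assembled first and the cave sized to it instead of a
        /// fixed 1024 bytes (12 bytes per payload byte, so long packets overran the request);
        /// the debug clipboard write is gone — it ran with the client suspended and throws
        /// <c>ThreadStateException</c> off an STA thread; resume, buffer restore and free run in
        /// <c>finally</c>; a null remote-thread handle is no longer waited on; <c>VirtualFreeEx</c>
        /// is called with size 0 as MEM_RELEASE requires.
        /// </remarks>
        public void SendPacketToServer(byte[] packet)
        {
            if (packet == null || packet.Length == 0)
            {
                throw new ArgumentException("packet must contain at least the packet type byte", "packet");
            }

            IntPtr MainThread = OpenAndSuspendThread(tProcess.Id);
            try
            {
                // Snapshot the client's outgoing stream; the remote stub overwrites it.
                uint   OldPackelen = memRead.ReadUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address);
                byte[] OldPacket   = memRead.ReadBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPackelen);

                // Assemble the stub before allocating so the cave can be sized exactly.
                CodeCaveHelper cv = new CodeCaveHelper();

                //createPacket
                cv.AddLine((byte)0xb9, (UInt32)packet[0]);                                 // mov ecx, packetType
                cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.CreatePacket.Address);  // mov eax, CreatePacket
                cv.AddLine((byte)0xff, (byte)0xD0);                                        // call eax

                for (int i = 1; i < packet.Length; i++)
                {
                    cv.AddLine((byte)0xb9, (UInt32)packet[i]);                                 // mov ecx, byte
                    cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.AddPacketByte.Address);  // mov eax, AddPacketByte
                    cv.AddLine((byte)0xff, (byte)0xD0);                                        // call eax
                }

                cv.AddLine((byte)0xb1, (byte)0x01);                                        // mov cl, 1 — encrypt flag (XTEA on, per the original author's note)
                cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.SendPacket.Address);    // mov eax, SendPacket
                cv.AddLine((byte)0xff, (byte)0xD0);                                        // call eax
                cv.AddByte(0xC3);                                                          // ret

                uint   caveSize = (uint)cv.Data.Length;
                IntPtr CodeCave = WinApi.VirtualAllocEx(tProcessHandle, IntPtr.Zero, caveSize, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
                if (CodeCave == IntPtr.Zero)
                {
                    throw new InvalidOperationException("VirtualAllocEx failed in the target process.");
                }

                try
                {
                    memRead.WriteBytes(CodeCave.ToInt32(), cv.Data, caveSize);

                    IntPtr hThread = WinApi.CreateRemoteThread(tProcessHandle, IntPtr.Zero, 0, CodeCave, IntPtr.Zero, 0, IntPtr.Zero);
                    if (hThread == IntPtr.Zero)
                    {
                        throw new InvalidOperationException("CreateRemoteThread failed in the target process.");
                    }
                    // NOTE(review): an infinite wait; if the remote stub never returns this thread
                    // blocks forever with the client's main thread suspended.
                    WinApi.WaitForSingleObject(hThread, 0xFFFFFFFF);
                    WinApi.CloseHandle(hThread);
                }
                finally
                {
                    // MEM_RELEASE requires size 0.
                    WinApi.VirtualFreeEx(tProcessHandle, CodeCave, 0, WinApi.AllocationType.Release);

                    memRead.WriteUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address, OldPackelen);
                    memRead.WriteBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPacket, OldPackelen);
                }
            }
            finally
            {
                ResumeAndCloseThread(MainThread);
            }
        }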
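        /// <summary>
        /// Sends <paramref name="dataBuffer"/> through the client's own SendPacket routine:
        /// suspends the client's main thread, swaps the outgoing stream for the framed buffer
        /// produced by <c>CreateOutgoingBuffer</c>, runs a small remote stub that calls
        /// <paramref name="SendPacketCall"/>, then restores the stream and resumes the thread.
        /// </summary>
        /// <param name="dataBuffer">Raw packet payload to send.</param>
        /// <param name="SendStreamData">Address of the client's outgoing stream buffer.</param>
        /// <param name="SendStreamLength">Address of the client's outgoing stream length (int32).</param>
        /// <param name="SendPacketCall">Address of the client's SendPacket routine.</param>
        /// <exception cref="ArgumentNullException"><paramref name="dataBuffer"/> is null.</exception>
        /// <exception cref="InvalidOperationException">The client reports a negative stream length, or the remote allocation / thread could not be created.</exception>
        /// <remarks>
        /// Changes from the earlier version: the unused PROCESS_ALL_ACCESS handle from
        /// <c>OpenProcess</c> (never closed) is gone; the remote thread handle is closed; the dead
        /// 1025-byte buffer is gone; <c>VirtualFreeEx</c> is called with size 0 as MEM_RELEASE
        /// requires; stream restore and thread resume run in <c>finally</c> so a failure cannot
        /// leave the client frozen with a clobbered buffer; a negative length read from the
        /// client no longer turns into a huge unsigned read.
        /// </remarks>
        public void SendPacketToServerEx(byte[] dataBuffer, uint SendStreamData, uint SendStreamLength, uint SendPacketCall)
        {
            if (dataBuffer == null)
            {
                throw new ArgumentNullException("dataBuffer");
            }

            IntPtr MainThread = OpenAndSuspendThread(client.Process.Id);
            try
            {
                // Snapshot the client's outgoing stream so it can be put back afterwards.
                int OldLength = Memory.ReadInt32(client.Handle, SendStreamLength);
                if (OldLength < 0)
                {
                    throw new InvalidOperationException("Outgoing stream length read from the client is negative: " + OldLength);
                }
                byte[] OldData = Memory.ReadBytes(client.Handle, SendStreamData, (uint)OldLength);

                // +8: room for the framing CreateOutgoingBuffer puts in front of the payload — TODO confirm against CreateOutgoingBuffer.
                int    length       = dataBuffer.Length + 8;
                byte[] actualBuffer = CreateOutgoingBuffer(dataBuffer, length);

                client.Memory.WriteInt32(SendStreamLength, length);
                client.Memory.WriteBytes(SendStreamData, actualBuffer, (uint)length);
                try
                {
                    CodeCaveHelper cv = new CodeCaveHelper();

                    cv.AddLine((byte)0xb1, (byte)1);              // mov cl, 1 — "talkmode" flag expected by SendPacket (per the original author's note)
                    cv.AddLine((byte)0xB8, (uint)SendPacketCall); // mov eax, SendPacketCall
                    cv.AddLine((byte)0xff, (byte)0xD0);           // call eax
                    cv.AddLine((byte)0xc3);                       // ret

                    IntPtr CaveAddress = WinApi.VirtualAllocEx(client.Handle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
                    if (CaveAddress == IntPtr.Zero)
                    {
                        throw new InvalidOperationException("VirtualAllocEx failed in the client process.");
                    }

                    try
                    {
                        Memory.WriteBytes(client.Handle, CaveAddress.ToInt64(), cv.Data, (uint)cv.Data.Length);

                        IntPtr thread = WinApi.CreateRemoteThread(client.Handle, IntPtr.Zero, 0, CaveAddress, IntPtr.Zero, 0, IntPtr.Zero);
                        if (thread == IntPtr.Zero)
                        {
                            throw new InvalidOperationException("CreateRemoteThread failed in the client process.");
                        }
                        // NOTE(review): an infinite wait; a stub that never returns blocks here with the client suspended.
                        WinApi.WaitForSingleObject(thread, 0xFFFFFFFF);
                        WinApi.CloseHandle(thread);
                    }
                    finally
                    {
                        // MEM_RELEASE requires size 0.
                        WinApi.VirtualFreeEx(client.Handle, CaveAddress, 0, WinApi.AllocationType.Release);
                    }
                }
                finally
                {
                    client.Memory.WriteInt32(SendStreamLength, OldLength);
                    client.Memory.WriteBytes(SendStreamData, OldData, (uint)OldLength);
                }
            }
            finally
            {
                ResumeAndCloseThread(MainThread);
            }
        }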
        /// <summary>
        /// Builds a stub that calls the client's WalkFunction with three stack arguments
        /// (0, y, x), installs it in the target and stores its address in <c>Adr</c>.
        /// </summary>
        /// <remarks>
        /// Review notes: x and y are always 0 here, so the stub as written always passes (0, 0) —
        /// presumably the operands are patched later or this is a template; the <c>VirtualAllocEx</c>
        /// result is not checked before being written to; the region is never freed in this
        /// method; no stack cleanup follows the call, so WalkFunction is assumed to pop its own
        /// arguments (TODO confirm); the clipboard write is a debug leftover.
        /// </remarks>
        private void CreateCave()
        {
            int x, y;

            x = 0;
            y = 0;
            CodeCaveHelper cv = new CodeCaveHelper();

            cv.AddLine((byte)0x6A, (byte)0x00);                                       //push 0
            cv.AddLine((byte)0x68, (Int32)y);                                         //push y int32
            cv.AddLine((byte)0x68, (Int32)x);                                         //push x int32
            cv.AddLine((byte)0xb8, (uint)Addresses.MyAddresses.WalkFunction.Address); //  MOV EAX, <DWORD> | ty DarkStar
            cv.AddLine((byte)0xFF, (byte)0xD0);                                       // call eax
            cv.AddLine((byte)0xc3);                                                   // ret (no add esp — callee is assumed to clean up)

            // RWX region sized to the stub; the result is not checked for IntPtr.Zero.
            Adr = WinApi.VirtualAllocEx(Handle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
            memRead.WriteBytes(Adr.ToInt64(), cv.Data, (uint)cv.Data.Length);
            // Debug leftover: publishes the stub address; requires an STA thread.
            System.Windows.Forms.Clipboard.SetText(Adr.ToString("X"));
        }
        /// <summary>
        /// Builds a stub that calls the client's PrintText with the given colour, position, font
        /// and text, installs it in the target and hands its address to <c>ChangePrintFpsCall</c>
        /// (which presumably redirects an existing call site to it).
        /// </summary>
        /// <param name="r">Red component, pushed as int32.</param>
        /// <param name="g">Green component, pushed as int32.</param>
        /// <param name="b">Blue component, pushed as int32.</param>
        /// <param name="x">X position, passed in EDX.</param>
        /// <param name="y">Y position, pushed as int32.</param>
        /// <param name="font">Font id, pushed as a sign-extended byte.</param>
        /// <param name="text">Text to draw; encoded with the system default code page.</param>
        /// <param name="name">Unused.</param>
        /// <remarks>
        /// Review notes: <c>ASCIIEncoding.Default</c> is the system ANSI code page, not ASCII; the
        /// text is written without a terminating NUL, so if PrintText expects a C string it reads
        /// past the buffer (TODO confirm); neither <c>VirtualAllocEx</c> result is checked; neither
        /// region is freed here, so each call leaks two allocations in the target unless the
        /// caller releases them; the clipboard write is a debug leftover. Seven dwords are pushed
        /// (28 bytes), which matches the <c>add esp, 0x1c</c> after the call.
        /// </remarks>
        public void CreateCodeCave(int r, int g, int b, int x, int y, byte font, string text, string name)
        {
            byte[] bytes     = System.Text.ASCIIEncoding.Default.GetBytes(text);
            IntPtr stringAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)bytes.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);

            memRead.WriteBytes(stringAdr.ToInt32(), bytes, (uint)bytes.Length);  // no NUL terminator is written

            CodeCaveHelper cv = new CodeCaveHelper();

            cv.AddLine((byte)0x6A, (byte)0x00);                                      //push 0
            cv.AddLine((byte)0x68, (UInt32)stringAdr.ToInt32());                     //push stringAdr (address of the text)

            cv.AddLine((byte)0x68, (UInt32)b);                                       //push blue int32

            cv.AddLine((byte)0x68, (UInt32)g);                                       //push green int32

            cv.AddLine((byte)0x68, (UInt32)r);                                       //push red int32

            cv.AddLine((byte)0x6A, (byte)font);                                      //push font byte (sign-extended to 32 bits)

            cv.AddLine((byte)0x68, (UInt32)y);                                       //push y int32

            cv.AddLine((byte)0xBA, (UInt32)x);                                       //mov edx, x

            cv.AddLine((byte)0xb9, (UInt32)0x1);                                     //mov ecx, 1 (register args suggest a thiscall/fastcall-style convention — TODO confirm)

            cv.AddLine((byte)0xB8, (UInt32)Addresses.MyAddresses.PrintText.Address); // mov eax, PrintText

            cv.AddLine((byte)0xff, (byte)0xD0);                                      // call eax Thanks Darkstar

            cv.AddLine((byte)0x83, (byte)0xc4, (byte)0x1c);                          //add esp, 0x1c: pop the 7 pushed dwords (caller cleans up)
            cv.AddByte(0xC3);                                                        //ret

            // RWX region sized to the stub; the result is not checked for IntPtr.Zero.
            IntPtr CaveAddress = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);

            memRead.WriteBytes(CaveAddress.ToInt32(), cv.Data, (uint)cv.Data.Length);
            ChangePrintFpsCall(CaveAddress);
            // Debug leftover: publishes the stub address; requires an STA thread.
            System.Windows.Forms.Clipboard.SetText(CaveAddress.ToString("X"));
        }
        /// <summary>
        /// Builds a stub that calls the client's PrintText with the given colour, position, font
        /// and text, installs it in the target and hands its address to <c>ChangePrintFpsCall</c>
        /// (which presumably redirects an existing call site to it).
        /// </summary>
        /// <param name="r">Red component, pushed as int32.</param>
        /// <param name="g">Green component, pushed as int32.</param>
        /// <param name="b">Blue component, pushed as int32.</param>
        /// <param name="x">X position, passed in EDX.</param>
        /// <param name="y">Y position, pushed as int32.</param>
        /// <param name="font">Font id, pushed as a sign-extended byte.</param>
        /// <param name="text">Text to draw; encoded with the system default code page.</param>
        /// <param name="name">Unused.</param>
        /// <remarks>
        /// Review notes: <c>ASCIIEncoding.Default</c> is the system ANSI code page, not ASCII; the
        /// text is written without a terminating NUL, so if PrintText expects a C string it reads
        /// past the buffer (TODO confirm); neither <c>VirtualAllocEx</c> result is checked; neither
        /// region is freed here, so each call leaks two allocations in the target unless the
        /// caller releases them; the clipboard write is a debug leftover. Seven dwords are pushed
        /// (28 bytes), which matches the <c>add esp, 0x1c</c> after the call.
        /// </remarks>
        public void CreateCodeCave(int r, int g, int b, int x, int y, byte font, string text,string name)
        {
            byte[] bytes = System.Text.ASCIIEncoding.Default.GetBytes(text);
            IntPtr stringAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)bytes.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);

            memRead.WriteBytes(stringAdr.ToInt32(), bytes, (uint)bytes.Length);  // no NUL terminator is written

            CodeCaveHelper cv = new CodeCaveHelper();
            cv.AddLine((byte)0x6A, (byte)0x00); //push 0
            cv.AddLine((byte)0x68, (UInt32)stringAdr.ToInt32()); //push stringAdr (address of the text)

            cv.AddLine((byte)0x68, (UInt32)b); //push blue int32

            cv.AddLine((byte)0x68, (UInt32)g); //push green int32

            cv.AddLine((byte)0x68, (UInt32)r); //push red int32

            cv.AddLine((byte)0x6A, (byte)font); //push font byte (sign-extended to 32 bits)

            cv.AddLine((byte)0x68, (UInt32)y); //push y int32

            cv.AddLine((byte)0xBA, (UInt32)x); //mov edx, x

            cv.AddLine((byte)0xb9, (UInt32)0x1); //mov ecx, 1 (register args suggest a thiscall/fastcall-style convention — TODO confirm)

            cv.AddLine((byte)0xB8, (UInt32)Addresses.MyAddresses.PrintText.Address); // mov eax, PrintText

            cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar

            cv.AddLine((byte)0x83, (byte)0xc4, (byte)0x1c); //add esp, 0x1c: pop the 7 pushed dwords (caller cleans up)
            cv.AddByte(0xC3); //ret

            // RWX region sized to the stub; the result is not checked for IntPtr.Zero.
            IntPtr CaveAddress = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
            memRead.WriteBytes(CaveAddress.ToInt32(), cv.Data, (uint)cv.Data.Length);
            ChangePrintFpsCall(CaveAddress);
            // Debug leftover: publishes the stub address; requires an STA thread.
            System.Windows.Forms.Clipboard.SetText(CaveAddress.ToString("X"));
        }
        /// <summary>
        /// Redirects the 5-byte call at <c>GetnextPacket.Address</c> to <c>CodeCaveAdr</c>.
        /// Must run after the cave has been written; reversed by <c>CleanUp</c>.
        /// </summary>
        /// <remarks>
        /// Assumes the bytes at that address already form a call; nothing here verifies that
        /// before overwriting, and the write is not atomic with respect to target threads
        /// executing that site.
        /// </remarks>
        private void ReplaceCode()
        {
            CodeCaveHelper cv = new CodeCaveHelper();
            cv.AddLine((byte)0xE8);  // call rel32; rel32 is measured from the end of the 5-byte instruction, hence -5
            cv.AddInt(((int)(CodeCaveAdr.ToInt32() - Addresses.MyAddresses.GetnextPacket.Address) - 5));

            memRead.WriteBytes(Addresses.MyAddresses.GetnextPacket.Address, cv.Data, (uint)cv.Data.Length);
        }