public void SetUpCodeCave()
{
CodeCaveHelper cv = new CodeCaveHelper();
//Let's get some space for our codecave
origanGetNextPacket = memRead.GetCallFunction(Addresses.MyAddresses.GetnextPacket.Address);
CodeCaveAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
GotPacketAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
memRead.WriteByte(GotPacketAdr.ToInt32(), 0);
cv.AddLine((byte)0xE8);
cv.AddInt(((int)origanGetNextPacket - (CodeCaveAdr.ToInt32()) - 5)); // calls getnextPacket
cv.AddLine((byte)0x8b, (byte)0xd8); // store eax
cv.AddLine((byte)0xc7, (byte)0x05, (UInt32)GotPacketAdr.ToInt32(), (UInt32)0x00000001); //sets gotpacket to 1
cv.AddLine((byte)0x90);
cv.AddLine((byte)0xA1, (UInt32)GotPacketAdr.ToInt32());
cv.AddLine((byte)0x83, (byte)0xF8, (byte)1);
cv.AddLine((byte)0x74, (byte)0xF6);
cv.AddLine((byte)0x8b, (byte)0xC3);
cv.AddLine((byte)0xC3);
System.Windows.Forms.Clipboard.SetText(CodeCaveAdr.ToString("X"));
memRead.WriteBytes(CodeCaveAdr.ToInt32(), cv.Data, (uint)cv.Data.Length);
Thread t = new Thread(new ThreadStart(ReadingPacket));
running = true;
t.Start();
ReplaceCode();
}
public void SetUpCodeCave()
{
CodeCaveHelper cv = new CodeCaveHelper();
//Let's get some space for our codecave
origanGetNextPacket = memRead.GetCallFunction(Addresses.MyAddresses.GetnextPacket.Address);
CodeCaveAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
GotPacketAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
memRead.WriteByte(GotPacketAdr.ToInt32(), 0);
cv.AddLine((byte)0xE8);
cv.AddInt(((int)origanGetNextPacket - (CodeCaveAdr.ToInt32()) - 5)); // calls getnextPacket
cv.AddLine((byte)0x8b, (byte)0xd8); // store eax
cv.AddLine((byte)0xc7, (byte)0x05, (UInt32)GotPacketAdr.ToInt32(), (UInt32)0x00000001); //sets gotpacket to 1
cv.AddLine((byte)0x90);
cv.AddLine((byte)0xA1, (UInt32)GotPacketAdr.ToInt32());
cv.AddLine((byte)0x83, (byte)0xF8, (byte)1);
cv.AddLine((byte)0x74, (byte)0xF6);
cv.AddLine((byte)0x8b, (byte)0xC3);
cv.AddLine((byte)0xC3);
System.Windows.Forms.Clipboard.SetText(CodeCaveAdr.ToString("X"));
memRead.WriteBytes(CodeCaveAdr.ToInt32(), cv.Data, (uint)cv.Data.Length);
Thread t = new Thread(new ThreadStart(ReadingPacket));
running = true;
t.Start();
ReplaceCode();
}
private void ReplaceCode()
{
CodeCaveHelper cv = new CodeCaveHelper();
cv.AddLine((byte)0xE8);
cv.AddInt(((int)(CodeCaveAdr.ToInt32() - Addresses.MyAddresses.GetnextPacket.Address) - 5));
memRead.WriteBytes(Addresses.MyAddresses.GetnextPacket.Address, cv.Data, (uint)cv.Data.Length);
}
private void ReplaceCode()
{
CodeCaveHelper cv = new CodeCaveHelper();
OrigalBytes = memRead.ReadBytes(Addresses.MyAddresses.SendPacket.Address, 5);
cv.AddLine((byte)0xE9);
cv.AddInt(((int)(CodeCaveAdr.ToInt32() - Addresses.MyAddresses.SendPacket.Address - 5)));
memRead.WriteBytes(Addresses.MyAddresses.SendPacket.Address, cv.Data, (uint)cv.Data.Length);
Addresses.MyAddresses.SendPacket.Address = NewSendAddress.ToInt32();
}
public void CleanUp()
{
if (running == false) { return; }
running = false;
CodeCaveHelper cv = new CodeCaveHelper();
cv.AddLine((byte)0xE8);
cv.AddInt(((int)(origanGetNextPacket - Addresses.MyAddresses.GetnextPacket.Address) - 5));
memRead.WriteBytes(Addresses.MyAddresses.GetnextPacket.Address, cv.Data, (uint)cv.Data.Length);
memRead.WriteByte(GotPacketAdr.ToInt32(), 0);
WinApi.VirtualFreeEx(TibiaHandle, CodeCaveAdr, 1024, WinApi.AllocationType.Release);
WinApi.VirtualFreeEx(TibiaHandle, GotPacketAdr, 1, WinApi.AllocationType.Release);
}
public void SendPacketToServer(byte[] packet)
{
CodeCaveHelper cv = new CodeCaveHelper();
IntPtr MainThread = OpenAndSuspendThread(tProcess.Id);
uint OldPackelen = memRead.ReadUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address);
byte[] OldPacket = memRead.ReadBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPackelen);
IntPtr CodeCave = WinApi.VirtualAllocEx(tProcessHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
//createPacket
byte packetType = (byte)packet[0];
cv.AddLine((byte)0xb9, (UInt32)packetType);
cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.CreatePacket.Address);
cv.AddLine((byte)0xff, (byte)0xD0);
for (int i = 1; i < packet.Length; i++)
{
byte val = packet[i];
cv.AddLine((byte)0xb9, (UInt32)val);
cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.AddPacketByte.Address);
cv.AddLine((byte)0xff, (byte)0xD0);
}
cv.AddLine((byte)0xb1, (byte)0x01); //push 1 as bool( using Xtea encrypt or not
cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.SendPacket.Address);
cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar
cv.AddByte(0xC3); //ret
memRead.WriteBytes(CodeCave.ToInt32(), cv.Data, (uint)cv.Data.Length);
IntPtr hThread = WinApi.CreateRemoteThread(tProcessHandle, IntPtr.Zero, 0, CodeCave, IntPtr.Zero, 0, IntPtr.Zero);
if (Addresses.MyAddresses.IgnoreReadClientPacketAddress > 0)
{
memRead.WriteByte(Addresses.MyAddresses.IgnoreReadClientPacketAddress, 0);//ignore this
}
WinApi.WaitForSingleObject(hThread, 0xFFFFFFFF);
WinApi.CloseHandle(hThread);
WinApi.VirtualFreeEx(tProcessHandle, CodeCave, 1024, WinApi.AllocationType.Release);
memRead.WriteUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address, OldPackelen);
memRead.WriteBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPacket, (uint)OldPackelen);
ResumeAndCloseThread(MainThread);
}
public void CleanUp()
{
if (running == false)
{
return;
}
running = false;
CodeCaveHelper cv = new CodeCaveHelper();
cv.AddLine((byte)0xE8);
cv.AddInt(((int)(origanGetNextPacket - Addresses.MyAddresses.GetnextPacket.Address) - 5));
memRead.WriteBytes(Addresses.MyAddresses.GetnextPacket.Address, cv.Data, (uint)cv.Data.Length);
memRead.WriteByte(GotPacketAdr.ToInt32(), 0);
WinApi.VirtualFreeEx(TibiaHandle, CodeCaveAdr, 1024, WinApi.AllocationType.Release);
WinApi.VirtualFreeEx(TibiaHandle, GotPacketAdr, 1, WinApi.AllocationType.Release);
}
public void SetUpCodeCave()
{
CodeCaveHelper cv = new CodeCaveHelper();
//Let's get some space for our codecave
CodeCaveAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
GotPacketAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
Addresses.MyAddresses.IgnoreReadClientPacketAddress = GotPacketAdr.ToInt32();
OrigalBytes = memRead.ReadBytes(Addresses.MyAddresses.SendPacket.Address, 5);
NewSendAddress = CodeCaveAdr + 0x19;
memRead.WriteByte(GotPacketAdr.ToInt32(), 0);
cv.AddLine((byte)0x8b, (byte)0xd8); // store eax
cv.AddLine((byte)0xc7, (byte)0x05, (UInt32)GotPacketAdr.ToInt32(), (UInt32)0x00000001); //sets gotpacket to 1
cv.AddLine((byte)0x90);
cv.AddLine((byte)0xA1, (UInt32)GotPacketAdr.ToInt32());
cv.AddLine((byte)0x83, (byte)0xF8, (byte)1);
cv.AddLine((byte)0x74, (byte)0xF6);
cv.AddLine((byte)0x8b, (byte)0xC3);
cv.AddBytes(OrigalBytes);// reads the orginall 5 bytes before we jumb back
cv.AddLine((byte)0xE8);
cv.AddInt(((int)Addresses.MyAddresses.SendPacket.Address - (CodeCaveAdr.ToInt32())) - cv.Data.Length + 1); // calls getnextPacke
cv.AddLine((byte)0xC3);
memRead.WriteBytes(CodeCaveAdr.ToInt32(), cv.Data, (uint)cv.Data.Length);
Thread t = new Thread(new ThreadStart(ReadingPacket));
running = true;
t.Start();
ReplaceCode();
IsRunning = true;
System.Windows.Forms.Clipboard.SetText(GotPacketAdr.ToString("X"));
System.Windows.Forms.MessageBox.Show(GotPacketAdr.ToString("X"));
}
public void SendPacketToServer(byte[] packet)
{
CodeCaveHelper cv = new CodeCaveHelper();
IntPtr MainThread = OpenAndSuspendThread(tProcess.Id);
uint OldPackelen = memRead.ReadUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address);
byte[] OldPacket = memRead.ReadBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPackelen);
IntPtr CodeCave = WinApi.VirtualAllocEx(tProcessHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
//createPacket
byte packetType = (byte)packet[0];
cv.AddLine((byte)0xb9, (UInt32)packetType);
cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.CreatePacket.Address);
cv.AddLine((byte)0xff, (byte)0xD0);
for (int i = 1; i < packet.Length; i++)
{
byte val = packet[i];
cv.AddLine((byte)0xb9, (UInt32)val);
cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.AddPacketByte.Address);
cv.AddLine((byte)0xff, (byte)0xD0);
}
cv.AddLine((byte)0xb1, (byte)0x01); //push 1 as bool( using Xtea encrypt or not
cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.SendPacket.Address);
cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar
cv.AddByte(0xC3);//ret
System.Windows.Forms.Clipboard.SetText(CodeCave.ToString("X"));
memRead.WriteBytes(CodeCave.ToInt32(), cv.Data, (uint)cv.Data.Length);
IntPtr hThread = WinApi.CreateRemoteThread(tProcessHandle, IntPtr.Zero, 0, CodeCave, IntPtr.Zero, 0, IntPtr.Zero);
WinApi.WaitForSingleObject(hThread, 0xFFFFFFFF);
WinApi.CloseHandle(hThread);
WinApi.VirtualFreeEx(tProcessHandle, CodeCave, 1024, WinApi.AllocationType.Release);
memRead.WriteUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address, OldPackelen);
memRead.WriteBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPacket, (uint)OldPackelen);
ResumeAndCloseThread(MainThread);
}
public void SendPacketToServerEx(byte[] dataBuffer, uint SendStreamData, uint SendStreamLength, uint SendPacketCall)
{
IntPtr MainThread = OpenAndSuspendThread(client.Process.Id);
int OldLength = 0;
byte[] OldData = new byte[1025];
int length = dataBuffer.Length;
IntPtr process = WinApi.OpenProcess(WinApi.PROCESS_ALL_ACCESS, 0, (uint)client.Process.Id);
OldLength = Memory.ReadInt32(client.Handle, SendStreamLength);
OldData = Memory.ReadBytes(client.Handle, SendStreamData, (uint)OldLength);
length += 8;
byte[] actualBuffer = CreateOutgoingBuffer(dataBuffer, length);
client.Memory.WriteInt32(SendStreamLength, length);
client.Memory.WriteBytes(SendStreamData, actualBuffer, (uint)length);
CodeCaveHelper cv = new CodeCaveHelper();
cv.AddLine((byte)0xb1, (byte)1); // talkmode
cv.AddLine((byte)0xB8, (uint)SendPacketCall); // this moves speakfunc address
cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar
cv.AddLine((byte)0xc3); //ret
IntPtr CaveAddress = WinApi.VirtualAllocEx(client.Handle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
Memory.WriteBytes(client.Handle, CaveAddress.ToInt64(), cv.Data, (uint)cv.Data.Length);
// System.Windows.Forms.Clipboard.SetText(CaveAddress.ToString("X"));
IntPtr thread = WinApi.CreateRemoteThread(client.Handle, IntPtr.Zero, 0, CaveAddress, IntPtr.Zero, 0, IntPtr.Zero);
WinApi.WaitForSingleObject(thread, 0xFFFFFFFF);
WinApi.VirtualFreeEx(client.Handle, CaveAddress, (uint)cv.Data.Length, WinApi.AllocationType.Release); //free up memory
client.Memory.WriteInt32(SendStreamLength, OldLength);
client.Memory.WriteBytes(SendStreamData, OldData, (uint)OldLength);
ResumeAndCloseThread(MainThread);
}
private void CreateCave()
{
int x, y;
x = 0;
y = 0;
CodeCaveHelper cv = new CodeCaveHelper();
cv.AddLine((byte)0x6A, (byte)0x00); //push 0
cv.AddLine((byte)0x68, (Int32)y); //push y int32
cv.AddLine((byte)0x68, (Int32)x); //push x int32
cv.AddLine((byte)0xb8, (uint)Addresses.MyAddresses.WalkFunction.Address); // MOV EAX, <DWORD> | ty DarkStar
cv.AddLine((byte)0xFF, (byte)0xD0); // call eax
cv.AddLine((byte)0xc3);
Adr = WinApi.VirtualAllocEx(Handle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
memRead.WriteBytes(Adr.ToInt64(), cv.Data, (uint)cv.Data.Length);
System.Windows.Forms.Clipboard.SetText(Adr.ToString("X"));
}
public void CreateCodeCave(int r, int g, int b, int x, int y, byte font, string text, string name)
{
byte[] bytes = System.Text.ASCIIEncoding.Default.GetBytes(text);
IntPtr stringAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)bytes.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
memRead.WriteBytes(stringAdr.ToInt32(), bytes, (uint)bytes.Length);
CodeCaveHelper cv = new CodeCaveHelper();
cv.AddLine((byte)0x6A, (byte)0x00); //push 0
cv.AddLine((byte)0x68, (UInt32)stringAdr.ToInt32()); //mov ecx string
cv.AddLine((byte)0x68, (UInt32)b); //push blue int32
cv.AddLine((byte)0x68, (UInt32)g); //push green int32
cv.AddLine((byte)0x68, (UInt32)r); //push red int32
cv.AddLine((byte)0x6A, (byte)font); //push font byte
cv.AddLine((byte)0x68, (UInt32)y); //push x int32
cv.AddLine((byte)0xBA, (UInt32)x); //push y int32
cv.AddLine((byte)0xb9, (UInt32)0x1); //push 1
cv.AddLine((byte)0xB8, (UInt32)Addresses.MyAddresses.PrintText.Address); // mov eax dword PrintName
cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar
cv.AddLine((byte)0x83, (byte)0xc4, (byte)0x1c); //add esp,20
cv.AddByte(0xC3);
IntPtr CaveAddress = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
memRead.WriteBytes(CaveAddress.ToInt32(), cv.Data, (uint)cv.Data.Length);
ChangePrintFpsCall(CaveAddress);
System.Windows.Forms.Clipboard.SetText(CaveAddress.ToString("X"));
}
public void CreateCodeCave(int r, int g, int b, int x, int y, byte font, string text,string name)
{
byte[] bytes = System.Text.ASCIIEncoding.Default.GetBytes(text);
IntPtr stringAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)bytes.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
memRead.WriteBytes(stringAdr.ToInt32(), bytes, (uint)bytes.Length);
CodeCaveHelper cv = new CodeCaveHelper();
cv.AddLine((byte)0x6A, (byte)0x00); //push 0
cv.AddLine((byte)0x68, (UInt32)stringAdr.ToInt32()); //mov ecx string
cv.AddLine((byte)0x68, (UInt32)b); //push blue int32
cv.AddLine((byte)0x68, (UInt32)g); //push green int32
cv.AddLine((byte)0x68, (UInt32)r); //push red int32
cv.AddLine((byte)0x6A, (byte)font); //push font byte
cv.AddLine((byte)0x68, (UInt32)y); //push x int32
cv.AddLine((byte)0xBA, (UInt32)x); //push y int32
cv.AddLine((byte)0xb9, (UInt32)0x1); //push 1
cv.AddLine((byte)0xB8, (UInt32)Addresses.MyAddresses.PrintText.Address); // mov eax dword PrintName
cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar
cv.AddLine((byte)0x83, (byte)0xc4, (byte)0x1c); //add esp,20
cv.AddByte(0xC3);
IntPtr CaveAddress = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
memRead.WriteBytes(CaveAddress.ToInt32(), cv.Data, (uint)cv.Data.Length);
ChangePrintFpsCall(CaveAddress);
System.Windows.Forms.Clipboard.SetText(CaveAddress.ToString("X"));
}
private void ReplaceCode()
{
CodeCaveHelper cv = new CodeCaveHelper();
cv.AddLine((byte)0xE8);
cv.AddInt(((int)(CodeCaveAdr.ToInt32() - Addresses.MyAddresses.GetnextPacket.Address) - 5));
memRead.WriteBytes(Addresses.MyAddresses.GetnextPacket.Address, cv.Data, (uint)cv.Data.Length);
}
