/// <summary> /// Set the RSA key. Different from WriteString because must overcome protection. /// </summary> /// <param name="handle"></param> /// <param name="address"></param> /// <param name="newKey"></param> /// <returns></returns> public static bool WriteRSA(IntPtr handle, long address, string newKey) { IntPtr bytesWritten; int result; WinApi.MemoryProtection oldProtection = 0; System.Text.ASCIIEncoding enc = new System.Text.ASCIIEncoding(); byte[] bytes = enc.GetBytes(newKey); // Make it so we can write to the memory block WinApi.VirtualProtectEx( handle, new IntPtr(address), new IntPtr(bytes.Length), WinApi.MemoryProtection.ExecuteReadWrite, ref oldProtection); // Write to memory result = WinApi.WriteProcessMemory(handle, new IntPtr(address), bytes, (uint)bytes.Length, out bytesWritten); // Put the protection back on the memory block WinApi.VirtualProtectEx(handle, new IntPtr(address), new IntPtr(bytes.Length), oldProtection, ref oldProtection); return(result != 0); }
public bool WriteOnGetNextPacketCode() { oldCallBytes = client.Memory.ReadBytes( Tibia.Addresses.Client.GetNextPacketCall, 5); #region opcodes byte[] opCodes = new byte[] { //fSendingToClient @ flagAddress 0x00, 0x00, 0x00, 0x00, //mov eax,dword ptr ds:[flagAddress] 0xA1, 0x00, 0x00, 0x00, 0x00, //cmp eax,1 0x83, 0xF8, 0x01, //JNZ SHORT~ -> mov eax,origAddress 0x75, 0x26, //mov eax,dword ptr ds:[ADDR_RECV_STREAM+4] //dwSize 0xA1, 0x00, 0x00, 0x00, 0x00, //mov ebx,dword ptr ds:[ADDR_RECV_STREAM+8] //dwPos 0x8B, 0x1D, 0x00, 0x00, 0x00, 0x00, //cmp ebx,eax 0x39, 0xC3, //JGE SHORT~ -> //mov eax,-1 0x7D, 0x11, //add ebx,dword ptr ds:[ADDR_RECV_STREAM] 0x03, 0x1D, 0x00, 0x00, 0x00, 0x00, //mov al,byte ptr ds:[ebx] 0x8A, 0x03, //mov ebx,ADDR_RECV_STREAM+8 0xBB, 0x00, 0x00, 0x00, 0x00, //add dword ptr ds:[ebx],1 0x83, 0x03, 0x01, //retn 0xC3, //mov eax,-1 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, //retn, 0xC3, //mov eax,oldAddress 0xB8, 0x00, 0x00, 0x00, 0x00, //call eax 0xFF, 0xD0, //retn 0xC3 }; #endregion #region fixing opcodes Array.Copy( BitConverter.GetBytes(Tibia.Addresses.Client.RecvStream + 4), 0, opCodes, 15, 4);//mov eax,dword ptr ds:[ADDR_RECV_STREAM+4] Array.Copy( BitConverter.GetBytes(Tibia.Addresses.Client.RecvStream + 8), 0, opCodes, 21, 4); //mov ebx,dword ptr ds:[ADDR_RECV_STREAM+8] Array.Copy( BitConverter.GetBytes(Tibia.Addresses.Client.RecvStream), 0, opCodes, 31, 4);//add ebx,dword ptr ds:[ADDR_RECV_STREAM] Array.Copy( BitConverter.GetBytes(Tibia.Addresses.Client.RecvStream + 8), 0, opCodes, 38, 4);//mov ebx,ADDR_RECV_STREAM+8 #endregion pSendToClient = WinApi.VirtualAllocEx( client.ProcessHandle, IntPtr.Zero, (uint)opCodes.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite); if (pSendToClient != IntPtr.Zero) { Array.Copy(BitConverter.GetBytes(pSendToClient.ToInt32()), 0, opCodes, 5, 4); //Begin HookCall WinApi.MemoryProtection oldProtect = WinApi.MemoryProtection.NoAccess; WinApi.MemoryProtection newProtect = WinApi.MemoryProtection.NoAccess; uint newCall, oldCall; byte[] call = new byte[] { 0xE8, 0x00, 0x00, 0x00, 0x00 }; newCall = (uint)(pSendToClient.ToInt32() + 4) - Tibia.Addresses.Client.GetNextPacketCall - 5; Array.Copy(BitConverter.GetBytes(newCall), 0, call, 1, 4); if (WinApi.VirtualProtectEx(client.ProcessHandle, new IntPtr(Tibia.Addresses.Client.GetNextPacketCall), new IntPtr(5), WinApi.MemoryProtection.ReadWrite, ref oldProtect)) { oldCall = BitConverter.ToUInt32( client.Memory.ReadBytes(Tibia.Addresses.Client.GetNextPacketCall + 1, 4), 0); int oldAddress = (int)(Tibia.Addresses.Client.GetNextPacketCall + oldCall + 5); Array.Copy( BitConverter.GetBytes(oldAddress), 0, opCodes, 53, 4);//mov eax,oldAddress if (client.Memory.WriteBytes(pSendToClient.ToInt64(), opCodes, (uint)opCodes.Length)) { if (client.Memory.WriteBytes(Tibia.Addresses.Client.GetNextPacketCall, call, 5)) { WinApi.VirtualProtectEx(client.ProcessHandle, new IntPtr(Tibia.Addresses.Client.GetNextPacketCall), new IntPtr(5), oldProtect, ref newProtect); sendToClientCodeWritten = true; return(true); } } WinApi.VirtualProtectEx(client.ProcessHandle, new IntPtr(Tibia.Addresses.Client.GetNextPacketCall), new IntPtr(5), oldProtect, ref newProtect); } } if (pSendToClient == IntPtr.Zero) { WinApi.VirtualFreeEx( client.ProcessHandle, pSendToClient, (uint)opCodes.Length, WinApi.AllocationType.Release); } sendToClientCodeWritten = false; return(false); }