        /// <summary>
        /// Builds the server-send code cave image and writes it into the client
        /// process at <c>ci.ServerSendCaveAddress</c>. The template's 0xFF runs are
        /// placeholders: the cave's own slot addresses, the packet-data value and
        /// two CALL displacements are patched over them at fixed byte offsets.
        /// </summary>
        /// <param name="ci">Per-client state: process handle, cave addresses and the
        /// address of the client's packet-send routine.</param>
        public static void PrepareServerSendCave(ClientInfo ci)
        {
            // Template, grouped by instruction. "[n]" is the byte offset of the group
            // inside the image; "@n" marks an operand that is patched further down.
            byte[] image = new byte[] {
                0xFF, 0xFF, 0xFF, 0xFF,             // [0]  4-byte slot (address = base)
                0x00, 0x00,                         // [4]  word slot checked/cleared below (address = base + 4)
                0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF, // [6]  mov ax,[base+4]            @8
                0x66, 0x83, 0xF8, 0x00,             // [12] cmp ax,0
                0x75, 0x06,                         // [16] jnz +6 (skip the ret)
                0xE8, 0xFF, 0xFF, 0xFF, 0xFF,       // [18] call -> client-send cave    @18
                0xC3,                               // [23] ret
                0x66, 0x33, 0xC0,                   // [24] xor ax,ax
                0x66, 0xA3, 0xFF, 0xFF, 0xFF, 0xFF, // [27] mov [base+4],ax            @29
                0x53, 0x54, 0x55, 0x56, 0x57,       // [33] push ebx/esp/ebp/esi/edi
                0xA1, 0xFF, 0xFF, 0xFF, 0xFF,       // [38] mov eax,[base]             @39
                0x50,                               // [43] push eax
                0x8B, 0x0D, 0xFF, 0xFF, 0xFF, 0xFF, // [44] mov ecx,[ClientPacketData] @46
                0x8B, 0xD9,                         // [50] mov ebx,ecx
                0xE8, 0xFF, 0xFF, 0xFF, 0xFF,       // [52] call -> packet-send         @52
                0x5F, 0x5E, 0x5D, 0x5C, 0x5B,       // [57] pop edi/esi/ebp/esp/ebx
                0xC3                                // [62] ret
            };

            int baseAddress = ci.ServerSendCaveAddress.ToInt32();

            byte[] slotPtr    = BitConverter.GetBytes(baseAddress);
            byte[] flagPtr    = BitConverter.GetBytes(baseAddress + 4);
            byte[] sendCall   = ClientHook.CreateCALL((IntPtr)(baseAddress + 52), (IntPtr)ci.ServerPacketSendFunction, CallType.CALL);
            byte[] clientCall = ClientHook.CreateCALL((IntPtr)(baseAddress + 18), (IntPtr)(ci.ClientSendCaveAddress.ToInt32() + 10), CallType.CALL);
            byte[] packetData = BitConverter.GetBytes(ci.ClientPacketData);

            // Patch operands in ascending image order; none of the ranges overlap.
            Array.Copy(flagPtr,    0, image, 8,  4);
            Array.Copy(clientCall, 0, image, 18, 5);
            Array.Copy(flagPtr,    0, image, 29, 4);
            Array.Copy(slotPtr,    0, image, 39, 4);
            Array.Copy(packetData, 0, image, 46, 4);
            Array.Copy(sendCall,   0, image, 52, 5);

            // NOTE(review): the outcome of Memory.Write is not checked here; if it can
            // report failure, a partially written cave would go unnoticed — confirm.
            Memory.Write(ci.Handle, ci.ServerSendCaveAddress, image, true);
        }
        /// <summary>
        /// Builds the primary code cave, keeps the assembled image in
        /// <c>ci.PrimaryCave</c>, writes it to <c>ci.CaveAddress</c> and installs the
        /// CALL hook at <c>ci.HookAddress</c> that enters the cave. Byte 0 of the
        /// image is written as 0; the in-memory copy's byte 0 is set to 1 afterwards.
        /// </summary>
        /// <param name="ci">Per-client state: process handle, cave/hook/return addresses
        /// and the original call destination.</param>
        public static void PreparePrimaryCave(ClientInfo ci)
        {
            // The image is 520 bytes long; only the first 152 bytes carry anything
            // but zeros, so the template stores that prefix and the rest is zero-filled.
            const int ImageLength = 520;
            byte[] prefix = new byte[] {
                0x00, 0x00, 0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0x68,
                0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0xA1, 0xFF, 0xFF,
                0xFF, 0xFF, 0x66, 0x83, 0xF8, 0x00, 0x75, 0x01,
                0xC3, 0x66, 0x31, 0xC0, 0x66, 0xA3, 0xFF, 0xFF,
                0xFF, 0xFF, 0x68, 0x00, 0x00, 0x00, 0x00, 0x68,
                0xFF, 0xFF, 0xFF, 0xFF, 0x68, 0xFF, 0xFF, 0xFF,
                0xFF, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0xC3, 0x83,
                0xC4, 0x08, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, 0xFF, 0x00,
                0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00
            };

            ci.PrimaryCave = new byte[ImageLength];
            Array.Copy(prefix, ci.PrimaryCave, prefix.Length);
            // Byte 0 is written to the process as 0 and flipped to 1 on the local copy
            // at the very end; presumably a flag the cave code checks — confirm.
            ci.PrimaryCave[0] = 0;

            int caveBase = ci.CaveAddress.ToInt32();

            byte[] hookBytes          = ClientHook.CreateCALL(ci.HookAddress, (IntPtr)(caveBase + func1offset), CallType.CALL);
            byte[] origDest           = BitConverter.GetBytes(ci.OriginalDest);
            // NOTE(review): this displacement is computed for caveBase + func1offset but
            // the bytes land at image offset 2, so it is only right if func1offset == 2 — confirm.
            byte[] serverSendCaveCall = ClientHook.CreateCALL(caveBase + func1offset, ci.ServerSendCaveAddress.ToInt32() + 6, CallType.CALL);
            byte[] startAddress       = BitConverter.GetBytes(caveBase);
            byte[] data1Address       = BitConverter.GetBytes(caveBase + data1offset);
            byte[] returnAddress      = BitConverter.GetBytes(ci.ReturnAddress);
            byte[] addressForFunc2    = BitConverter.GetBytes(caveBase + func2offset + 21);

            // Operand patches; the offset is the first byte after the opcode at that spot.
            Array.Copy(serverSendCaveCall, 0, ci.PrimaryCave, 2,  5); // E8 rel32
            Array.Copy(origDest,           0, ci.PrimaryCave, 8,  4); // 68 imm32
            Array.Copy(startAddress,       0, ci.PrimaryCave, 14, 4); // 66 A1 moffs32
            Array.Copy(startAddress,       0, ci.PrimaryCave, 30, 4); // 66 A3 moffs32
            Array.Copy(data1Address,       0, ci.PrimaryCave, 40, 4); // 68 imm32
            Array.Copy(addressForFunc2,    0, ci.PrimaryCave, 45, 4); // 68 imm32
            Array.Copy(returnAddress,      0, ci.PrimaryCave, 50, 4); // 68 imm32

            Memory.Write(ci.Handle, ci.CaveAddress, ci.PrimaryCave, true);
            Memory.Write(ci.Handle, ci.HookAddress, hookBytes, true);
            ci.PrimaryCave[0] = 1;
        }
        /// <summary>
        /// Builds the client-send code cave image and writes it into the client
        /// process at <c>ci.ClientSendCaveAddress</c>. The cave owns three data slots
        /// at its start (two dwords and a word); their addresses, the packet-data
        /// value, two CALL displacements and one back-edge JMP are patched into the
        /// template at fixed byte offsets.
        /// </summary>
        /// <param name="ci">Per-client state: process handle, cave addresses and the
        /// receive-hook address.</param>
        public static void PrepareClientSendCave(ClientInfo ci)
        {
            // Template, grouped by instruction. "[n]" is the byte offset of the group
            // inside the image; "@n" marks an operand that is patched further down.
            byte[] image = new byte[] {
                0xFF, 0xFF, 0xFF, 0xFF,                         // [0]  dword slot (address = base)
                0xFF, 0xFF, 0xFF, 0xFF,                         // [4]  dword slot (address = base + 4)
                0x00, 0x00,                                     // [8]  word slot checked/cleared below (base + 8)
                0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF,             // [10] mov ax,[base+8]            @12
                0x66, 0x83, 0xF8, 0x00,                         // [16] cmp ax,0
                0x75, 0x06,                                     // [20] jnz +6 (skip the ret)
                0x90, 0x90, 0x90, 0x90, 0x90,                   // [22] call -> pathfind cave       @22
                0xC3,                                           // [27] ret
                0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, // [28] padding
                0x51, 0x52, 0x53, 0x54, 0x55, 0x56, 0x57,       // [37] push ecx/edx/ebx/esp/ebp/esi/edi
                0x8B, 0x2D, 0xFF, 0xFF, 0xFF, 0xFF,             // [44] mov ebp,[base]             @46
                0x8B, 0x3D, 0xFF, 0xFF, 0xFF, 0xFF,             // [50] mov edi,[base+4]           @52
                0x55,                                           // [56] push ebp
                0x8B, 0x0D, 0xFF, 0xFF, 0xFF, 0xFF,             // [57] mov ecx,[ClientPacketData] @59
                0x8B, 0xF1,                                     // [63] mov esi,ecx
                0xE8, 0xFF, 0xFF, 0xFF, 0xFF,                   // [65] call -> RecvHookAddress    @65
                0x66, 0x33, 0xC0,                               // [70] xor ax,ax
                0x66, 0xA3, 0xFF, 0xFF, 0xFF, 0xFF,             // [73] mov [base+8],ax            @75
                0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0x5A, 0x59,       // [79] pop edi/esi/ebp/esp/ebx/edx/ecx
                0x90, 0x90, 0x90, 0x90, 0x90,                   // [86] jmp -> base+10             @86
                0xC3                                            // [91] ret
            };

            int baseAddress = ci.ClientSendCaveAddress.ToInt32();

            byte[] bufferPtr    = BitConverter.GetBytes(baseAddress);
            byte[] lenPtr       = BitConverter.GetBytes(baseAddress + 4);
            byte[] flagPtr      = BitConverter.GetBytes(baseAddress + 8);
            byte[] recvCall     = ClientHook.CreateCALL((IntPtr)(baseAddress + 65), ci.RecvHookAddress, CallType.CALL);
            byte[] pathFindCall = ClientHook.CreateCALL(baseAddress + 22, ci.PathFindCaveAddress.ToInt32() + 8, CallType.CALL);
            // Back-edge: after the pops, jump to the cmp at base+10 rather than return.
            byte[] recheckJmp   = ClientHook.CreateCALL(baseAddress + 86, baseAddress + 10, CallType.JMP);
            byte[] packetData   = BitConverter.GetBytes(ci.ClientPacketData);

            // Patch operands in ascending image order; none of the ranges overlap.
            // (Offsets 75 and 86 match the template above; the older 33/77 annotations
            // that used to accompany them did not.)
            Array.Copy(flagPtr,      0, image, 12, 4);
            Array.Copy(pathFindCall, 0, image, 22, 5);
            Array.Copy(bufferPtr,    0, image, 46, 4);
            Array.Copy(lenPtr,       0, image, 52, 4);
            Array.Copy(packetData,   0, image, 59, 4);
            Array.Copy(recvCall,     0, image, 65, 5);
            Array.Copy(flagPtr,      0, image, 75, 4);
            Array.Copy(recheckJmp,   0, image, 86, 5);

            Memory.Write(ci.Handle, ci.ClientSendCaveAddress, image, true);
        }
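        /// <summary>
        /// Builds the pathfind code cave for the client's <c>PathFindType</c> and
        /// writes it into the client process at <c>ci.PathFindCaveAddress</c>. The two
        /// supported layouts (0 and 1) share their first 45 bytes and differ only in
        /// how many registers are pushed before the <c>MOV EAX</c>/<c>JMP</c> tail, so
        /// the per-layout data is just the template plus the two tail offsets.
        /// </summary>
        /// <param name="ci">Per-client state: process handle, cave addresses, the gump
        /// function cave address and the client's pathfind routine address.</param>
        /// <exception cref="NotSupportedException">
        /// Thrown when <c>ci.PathFindType</c> is neither 0 nor 1. Previously such a
        /// value silently left the cave unwritten even though the client-send cave
        /// emits a CALL into <c>ci.PathFindCaveAddress + 8</c>.
        /// </exception>
        public static void PreparePathfindCave(ClientInfo ci)
        {
            int caveAddress = ci.PathFindCaveAddress.ToInt32();

            // Operands common to both layouts: the word slot at base+6 (read at @10,
            // cleared at @31) and the value loaded into EAX before the JMP.
            byte[] startWord = BitConverter.GetBytes(caveAddress + 6);
            byte[] EAXDword  = BitConverter.GetBytes(caveAddress - 0x24);

            byte[] cave;
            int eaxOperandOffset;   // image offset of the imm32 following the B8 (MOV EAX) opcode
            int jmpOffset;          // image offset of the E9 (JMP rel32) instruction
            switch (ci.PathFindType)
            {
            case 0:
                cave = new byte[] {
                    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00,
                    0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0x83,
                    0xF8, 0x00, 0x75, 0x06, 0x90, 0x90, 0x90, 0x90,
                    0x90, 0xC3, 0x66, 0x33, 0xC0, 0x66, 0xA3, 0xFF,
                    0xFF, 0xFF, 0xFF, 0x6A, 0x00, 0x6A, 0x00, 0x68,
                    0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0x53, 0x55, 0x56,
                    0x57, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xE9, 0xFF,
                    0xFF, 0xFF, 0xFF, 0xC3
                };
                eaxOperandOffset = 50;
                jmpOffset        = 54;
                break;

            case 1:

                /* 004008D1   FFFF             ???                         ; X
                 * 004008D3   FFFF             ???                         ; Y
                 * 004008D5   FFFF             ???                         ; Z
                 * 004008D7   0000             ADD BYTE PTR DS:[EAX],AL    ; nonzero = execute
                 * 004008D9   66:A1 D7084000   MOV AX,WORD PTR DS:[4008D7]
                 * 004008DF   66:83F8 00       CMP AX,0
                 * 004008E3   75 06            JNZ SHORT client.004008EB
                 * 004008E5   90               NOP                         ; reserved for future
                 * 004008E6   90               NOP                         ; reserved for future
                 * 004008E7   90               NOP                         ; reserved for future
                 * 004008E8   90               NOP                         ; reserved for future
                 * 004008E9   90               NOP                         ; reserved for future
                 * 004008EA   C3               RETN
                 * 004008EB   66:33C0          XOR AX,AX
                 * 004008EE   66:A3 D7084000   MOV WORD PTR DS:[4008D7],AX
                 * 004008F4   6A 00            PUSH 0
                 * 004008F6   6A 00            PUSH 0
                 * 004008F8   68 08094000      PUSH client.00400908        ; RETN from pathfind
                 * 004008FD   51               PUSH ECX
                 * 004008FE   B8 AD084000      MOV EAX,client.004008AD     ; EAX + 0x24 = X word
                 * 00400903  -E9 51980900      JMP client.0049A159
                 * 00400908   C3               RETN                        */

                cave = new byte[] {
                    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00,
                    0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0x83,
                    0xF8, 0x00, 0x75, 0x06, 0x90, 0x90, 0x90, 0x90,
                    0x90, 0xC3, 0x66, 0x33, 0xC0, 0x66, 0xA3, 0xFF,
                    0xFF, 0xFF, 0xFF, 0x6A, 0x00, 0x6A, 0x00, 0x68,
                    0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0xB8, 0xFF, 0xFF,
                    0xFF, 0xFF, 0xE9, 0xFF, 0xFF, 0xFF, 0xFF, 0xC3
                };
                eaxOperandOffset = 46;
                jmpOffset        = 50;
                break;

            default:
                // Fail loudly instead of leaving the cave unwritten: other caves
                // already emit CALLs into this address range.
                throw new NotSupportedException("Unsupported PathFindType: " + ci.PathFindType);
            }

            // Displacements depend on where the instruction lands, hence the offsets above.
            byte[] gumpFunction = ClientHook.CreateCALL(caveAddress + 20, ci.GumpFunctionCaveAddress.ToInt32() + 10, CallType.CALL);
            byte[] pathFindJMP  = ClientHook.CreateCALL(caveAddress + jmpOffset, ci.PathFindFunction, CallType.JMP);
            // The PUSH at @39 supplies the address of the final RET as the return address.
            byte[] RETNDword    = BitConverter.GetBytes(caveAddress + cave.Length - 1);

            Buffer.BlockCopy(startWord, 0, cave, 10, 4);                // 66 A1 moffs32
            Buffer.BlockCopy(gumpFunction, 0, cave, 20, 5);             // replaces the 5 NOPs after JNZ
            Buffer.BlockCopy(startWord, 0, cave, 31, 4);                // 66 A3 moffs32
            Buffer.BlockCopy(RETNDword, 0, cave, 40, 4);                // 68 imm32
            Buffer.BlockCopy(EAXDword, 0, cave, eaxOperandOffset, 4);   // B8 imm32
            Buffer.BlockCopy(pathFindJMP, 0, cave, jmpOffset, 5);       // E9 rel32

            // NOTE(review): the outcome of Memory.Write is not checked; if it can
            // report failure, a partially written cave would go unnoticed — confirm.
            Memory.Write(ci.Handle, ci.PathFindCaveAddress, cave, true);
        }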