Esempio n. 1
 public static void Execute( ClientInfo ci, byte param1, byte param2a, byte param2b )
     ci.PrimaryCave[data1offset + 24] = param1;
     ci.PrimaryCave[data1offset + 28] = param2b;
     ci.PrimaryCave[data1offset + 29] = param2a;
     Memory.Write( ci.Handle, ci.CaveAddress, ci.PrimaryCave, true );
Esempio n. 2
 public static void MemoryInit(ClientInfo ci)
     ulong len = (ulong)ci.EntryPoint - (ulong)ci.BaseAddress;
     NativeMethods.GainMemoryAccessEx(ci.Handle, ci.BaseAddress, len);
     if (!SetInfoAddresses(ci))
         ci.IsValid = false;
Esempio n. 3
        public static void Execute( ClientInfo ci, byte param1, byte param2, string param3 )
            ci.PrimaryCave[data1offset + 24] = param1;
            ci.PrimaryCave[data1offset + 28] = param2;
            byte[] data2Address = BitConverter.GetBytes( ci.CaveAddress.ToInt32() + data2offset );
            Buffer.BlockCopy( data2Address, 0, ci.PrimaryCave, data1offset + 32, 4 );
            byte[] unicodeBytes = UnicodeEncoding.Unicode.GetBytes( param3 );

            if (unicodeBytes.Length > 256) Buffer.BlockCopy( unicodeBytes, 0, ci.PrimaryCave, data2offset, 256 );
            else Buffer.BlockCopy( unicodeBytes, 0, ci.PrimaryCave, data2offset, unicodeBytes.Length );
            Memory.Write( ci.Handle, ci.CaveAddress, ci.PrimaryCave, true );
            Buffer.BlockCopy( emptyArray, 0, ci.PrimaryCave, data2offset, 256 );  // clear previous data
Esempio n. 4
 private static bool SetInfoAddresses(ClientInfo ci)
     byte[] memBytes = new byte[4];
     uint playerInfoAddress = 0;
     for (int x = 0; x < 100; x++)
         Memory.Read(ci.Handle, ci.PlayerInfoPointer, memBytes, true);
         playerInfoAddress = BitConverter.ToUInt32(memBytes, 0);
         if (playerInfoAddress > 0) break;
     if (playerInfoAddress == 0) return false;
     ci.ZAddress = (IntPtr)(playerInfoAddress + 0x28);
     return true;
        public static bool AddClient(ClientInfo clientInfo, out int instance)
            if (Count >= ClientList.Length)
                throw new ApplicationException("Maximum number of simultaneous clients exceeded.");

            for (int x = 0; x < ClientList.Length; x++)
                ClientInfo ci = ThreadHelper.VolatileRead<ClientInfo>(ref ClientList[x]);
                if (ci == null)
                    Interlocked.Exchange<ClientInfo>(ref ClientList[x], clientInfo);
                    TreeViewUpdater.AddPlaceHolder(x, clientInfo.ProcessID);
                    instance = x;
                    return true;
            instance = -1;
            return false;
Esempio n. 6
        private static bool GetLoginServerAddress(int baseAddress, byte[] buffer, ClientInfo clientInfo)
            /* Here we're getting address for server IP as well as preventing client from overwriting our IP
             * we're also getting port address and protecting it as well */

            byte[] sig1 = new byte[] { 0x8B, 0x44, 0x24, 0x0C, 0xC1, 0xE1, 0x08, 0x0B, 0xC8, 0x66, 0x89, 0x15 };
            byte[] sig2 = new byte[] { 0xC1, 0xE1, 0x08, 0x0B, 0x4C, 0x24, 0x0C, 0x89, 0x0D };
            byte[] sig3 = new byte[] { 0x83, 0XC4, 0X04, 0X50, 0X51, 0X8B, 0XCF, 0XE8 };
            int    offset;

            if (FindSignatureOffset(sig1, buffer, out offset))
                byte[] patch            = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                byte[] portPatch        = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                IntPtr portPatchAddress = (IntPtr)(baseAddress + offset + 0x09);
                IntPtr patchAddress     = (IntPtr)(baseAddress + offset + 0x10);
                clientInfo.LoginServerAddress = (IntPtr)(BitConverter.ToInt32(buffer, offset + 0x12));
                clientInfo.LoginPortAddress   = (IntPtr)(BitConverter.ToInt32(buffer, offset + 0x0C));
                if (Memory.Write(clientInfo.Handle, patchAddress, patch, true))
                    return(Memory.Write(clientInfo.Handle, portPatchAddress, portPatch, true));

            if (FindSignatureOffset(sig2, buffer, out offset))
                byte[] patch            = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                byte[] portPatch        = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                IntPtr portPatchAddress = (IntPtr)(baseAddress + offset - 0x07);
                IntPtr patchAddress     = (IntPtr)(baseAddress + offset + 0x07);
                clientInfo.LoginServerAddress = (IntPtr)(BitConverter.ToInt32(buffer, offset + 0x09));
                clientInfo.LoginPortAddress   = (IntPtr)(BitConverter.ToInt32(buffer, offset - 0x04));
                if (Memory.Write(clientInfo.Handle, patchAddress, patch, true))
                    return(Memory.Write(clientInfo.Handle, portPatchAddress, portPatch, true));

            if (FindSignatureOffset(sig3, buffer, out offset))
                // Tested up to 2015-10-22
                //.text: 00599FB0 loc_599FB0:                             ; CODE XREF: sub_599F10 + E5j
                //.text:00599FB0 push    ebx
                //.text:00599FB1 call    sub_595C10         // NOP's here
                //.text:00599FB6 movzx   eax, word_A9A634   // port
                //.text:00599FBD mov     ecx, dword_A9A630  // address
                //.text:00599FC3 add     esp, 4
                //.text:00599FC6 push    eax; hostshort
                //.text:00599FC7 push    ecx; hostlong
                //.text:00599FC8 mov     ecx, edi

                byte[] patch        = { 0x90, 0x90, 0x90, 0x90, 0x90 };
                IntPtr patchAddress = (IntPtr)(baseAddress + offset - 0x12);
                Memory.Write(clientInfo.Handle, patchAddress, patch, true);
                clientInfo.LoginServerAddress = (IntPtr)(BitConverter.ToInt32(buffer, offset - 0x04));
                clientInfo.LoginPortAddress   = (IntPtr)(BitConverter.ToInt32(buffer, offset - 0x0A));

Esempio n. 7
        public static void PreparePathfindCave(ClientInfo ci)
            byte[] cave;
            int    caveAddress = ci.PathFindCaveAddress.ToInt32();

            byte[] startWord = BitConverter.GetBytes(caveAddress + 6);
            byte[] EAXDword  = BitConverter.GetBytes(caveAddress - 0x24);
            byte[] gumpFunction;
            byte[] RETNDword;
            byte[] pathFindJMP;
            switch (ci.PathFindType)
            case 0:
                cave = new byte[] {
                    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00,
                    0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0x83,
                    0xF8, 0x00, 0x75, 0x06, 0x90, 0x90, 0x90, 0x90,
                    0x90, 0xC3, 0x66, 0x33, 0xC0, 0x66, 0xA3, 0xFF,
                    0xFF, 0xFF, 0xFF, 0x6A, 0x00, 0x6A, 0x00, 0x68,
                    0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0x53, 0x55, 0x56,
                    0x57, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xE9, 0xFF,
                    0xFF, 0xFF, 0xFF, 0xC3
                gumpFunction = ClientHook.CreateCALL(caveAddress + 20, ci.GumpFunctionCaveAddress.ToInt32() + 10, CallType.CALL);
                pathFindJMP  = ClientHook.CreateCALL(caveAddress + 54, ci.PathFindFunction, CallType.JMP);
                RETNDword    = BitConverter.GetBytes(caveAddress + cave.Length - 1);
                Buffer.BlockCopy(startWord, 0, cave, 10, 4);
                Buffer.BlockCopy(startWord, 0, cave, 31, 4);
                Buffer.BlockCopy(gumpFunction, 0, cave, 20, 5);
                Buffer.BlockCopy(RETNDword, 0, cave, 40, 4);
                Buffer.BlockCopy(EAXDword, 0, cave, 50, 4);
                Buffer.BlockCopy(pathFindJMP, 0, cave, 54, 5);
                Memory.Write(ci.Handle, ci.PathFindCaveAddress, cave, true);

            case 1:

                /* 004008D1   FFFF             ???                         ; X
                 * 004008D3   FFFF             ???                         ; Y
                 * 004008D5   FFFF             ???                         ; Z
                 * 004008D7   0000             ADD BYTE PTR DS:[EAX],AL    ; nonzero = execute
                 * 004008D9   66:A1 D7084000   MOV AX,WORD PTR DS:[4008D7]
                 * 004008DF   66:83F8 00       CMP AX,0
                 * 004008E3   75 06            JNZ SHORT client.004008EB
                 * 004008E5   90               NOP                         ; reserved for future
                 * 004008E6   90               NOP                         ; reserved for future
                 * 004008E7   90               NOP                         ; reserved for future
                 * 004008E8   90               NOP                         ; reserved for future
                 * 004008E9   90               NOP                         ; reserved for future
                 * 004008EA   C3               RETN
                 * 004008EB   66:33C0          XOR AX,AX
                 * 004008EE   66:A3 D7084000   MOV WORD PTR DS:[4008D7],AX
                 * 004008F4   6A 00            PUSH 0
                 * 004008F6   6A 00            PUSH 0
                 * 004008F8   68 08094000      PUSH client.00400908        ; RETN from pathfind
                 * 004008FD   51               PUSH ECX
                 * 004008FE   B8 AD084000      MOV EAX,client.004008AD     ; EAX + 0x24 = X word
                 * 00400903  -E9 51980900      JMP client.0049A159
                 * 00400908   C3               RETN                        */

                cave = new byte[] {
                    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00,
                    0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0x83,
                    0xF8, 0x00, 0x75, 0x06, 0x90, 0x90, 0x90, 0x90,
                    0x90, 0xC3, 0x66, 0x33, 0xC0, 0x66, 0xA3, 0xFF,
                    0xFF, 0xFF, 0xFF, 0x6A, 0x00, 0x6A, 0x00, 0x68,
                    0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0xB8, 0xFF, 0xFF,
                    0xFF, 0xFF, 0xE9, 0xFF, 0xFF, 0xFF, 0xFF, 0xC3
                gumpFunction = ClientHook.CreateCALL(caveAddress + 20, ci.GumpFunctionCaveAddress.ToInt32() + 10, CallType.CALL);
                pathFindJMP  = ClientHook.CreateCALL(caveAddress + 50, ci.PathFindFunction, CallType.JMP);
                RETNDword    = BitConverter.GetBytes(caveAddress + cave.Length - 1);
                Buffer.BlockCopy(startWord, 0, cave, 10, 4);
                Buffer.BlockCopy(startWord, 0, cave, 31, 4);
                Buffer.BlockCopy(RETNDword, 0, cave, 40, 4);
                Buffer.BlockCopy(EAXDword, 0, cave, 46, 4);
                Buffer.BlockCopy(pathFindJMP, 0, cave, 50, 5);
                Buffer.BlockCopy(gumpFunction, 0, cave, 20, 5);
                Memory.Write(ci.Handle, ci.PathFindCaveAddress, cave, true);
Esempio n. 8
        public static bool SetAddresses(ClientInfo clientInfo, string fileName)
                byte[] fileBytes   = File.ReadAllBytes(fileName);
                int    baseAddress = clientInfo.BaseAddress.ToInt32();
                clientInfo.Version   = ExeInfo.GetFileVersion(fileName);
                clientInfo.DateStamp = ExeInfo.GetStamp(fileBytes);

                if (!GetHookAddress(baseAddress, fileBytes, clientInfo))
                if (!GetRecvAddress(baseAddress, fileBytes, clientInfo))
                if (!GetSendAddress(baseAddress, fileBytes, clientInfo))
                if (!GetReturnAddress1(baseAddress, fileBytes, clientInfo))
                if (!GetCaveAddress(baseAddress, fileBytes, clientInfo))
                if (!GetPlayerInfoPointer(baseAddress, fileBytes, clientInfo))
                if (!GetClientPacketData(baseAddress, fileBytes, clientInfo))
                if (!GetCursorAddress(baseAddress, fileBytes, clientInfo))
                if (!GetServerSendAddress(baseAddress, fileBytes, clientInfo))
                if (!GetPathFindAddress(baseAddress, fileBytes, clientInfo))
                if (!GetGumpPointer(baseAddress, fileBytes, clientInfo))
                if (!GetLoginServerAddress(baseAddress, fileBytes, clientInfo))

                clientInfo.IsValid = true;
            catch (Exception) { }
Esempio n. 9
        public static void PreparePrimaryCave( ClientInfo ci )
            ci.PrimaryCave = new byte[] {
            0x00, 0x00, 0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0x68,
            0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0xA1, 0xFF, 0xFF,
            0xFF, 0xFF, 0x66, 0x83, 0xF8, 0x00, 0x75, 0x01,
            0xC3, 0x66, 0x31, 0xC0, 0x66, 0xA3, 0xFF, 0xFF,
            0xFF, 0xFF, 0x68, 0x00, 0x00, 0x00, 0x00, 0x68,
            0xFF, 0xFF, 0xFF, 0xFF, 0x68, 0xFF, 0xFF, 0xFF,
            0xFF, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0xC3, 0x83,
            0xC4, 0x08, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
            0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, 0xFF, 0x00,
            0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
            0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };

            ci.PrimaryCave[0] = 0;
            int startWordAddress = ci.CaveAddress.ToInt32();
            byte[] hookBytes = ClientHook.CreateCALL( ci.HookAddress, (IntPtr)(startWordAddress + func1offset), CallType.CALL );
            byte[] origDest = BitConverter.GetBytes( ci.OriginalDest );
            byte[] serverSendCaveCall = ClientHook.CreateCALL( startWordAddress + func1offset, ci.ServerSendCaveAddress.ToInt32() + 6, CallType.CALL );
            byte[] startAddress = BitConverter.GetBytes( startWordAddress );
            byte[] data1Address = BitConverter.GetBytes( startWordAddress + data1offset );
            byte[] returnAddress = BitConverter.GetBytes( ci.ReturnAddress );
            byte[] addressForFunc2 = BitConverter.GetBytes( startWordAddress + func2offset + 21 );

            Buffer.BlockCopy( serverSendCaveCall, 0, ci.PrimaryCave, 2, 5 );
            Buffer.BlockCopy( origDest, 0, ci.PrimaryCave, 8, 4 );
            Buffer.BlockCopy( startAddress, 0, ci.PrimaryCave, 14, 4 );
            Buffer.BlockCopy( startAddress, 0, ci.PrimaryCave, 30, 4 );
            Buffer.BlockCopy( data1Address, 0, ci.PrimaryCave, 40, 4 );
            Buffer.BlockCopy( addressForFunc2, 0, ci.PrimaryCave, 45, 4 );
            Buffer.BlockCopy( returnAddress, 0, ci.PrimaryCave, 50, 4 );

            Memory.Write( ci.Handle, ci.CaveAddress, ci.PrimaryCave, true );
            Memory.Write( ci.Handle, ci.HookAddress, hookBytes, true );
            ci.PrimaryCave[0] = 1;
Esempio n. 10
        public static void PrepareGumpFunctionCave( ClientInfo ci )
            /* 00400911   FFFF             ???                             ; \
             * 00400913   FFFF             ???                             ; / parent gump address
             * 00400915   FFFF             ???                             ; \
             * 00400917   FFFF             ???                             ; / function index to call
             * 00400919   0000             ADD BYTE PTR DS:[EAX],AL        ; nonzero = execute
             * 0040091B   66:A1 19094000   MOV AX,WORD PTR DS:[400919]
             * 00400921   66:83F8 00       CMP AX,0
             * 00400925   75 06            JNZ SHORT uoml_win.0040092D
             * 00400927   90               NOP                             ; reserved for future
             * 00400928   90               NOP                             ; reserved for future
             * 00400929   90               NOP                             ; reserved for future
             * 0040092A   90               NOP                             ; reserved for future
             * 0040092B   90               NOP                             ; reserved for future
             * 0040092C   C3               RETN
             * 0040092D   66:33C0          XOR AX,AX
             * 00400930   66:A3 19094000   MOV WORD PTR DS:[400919],AX
             * 00400936   8B0D 11094000    MOV ECX,DWORD PTR DS:[400911]
             * 0040093C   A1 15094000      MOV EAX,DWORD PTR DS:[400915]
             * 00400941   BA 04000000      MOV EDX,4
             * 00400946   F7E2             MUL EDX
             * 00400948   8B11             MOV EDX,DWORD PTR DS:[ECX]
             * 0040094A   03C2             ADD EAX,EDX
             * 0040094C   8B10             MOV EDX,DWORD PTR DS:[EAX]
             * 0040094E   FFD2             CALL EDX
             * 00400950   C3               RETN                           */

            byte[] cave = new byte[] {
                0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
                0x00, 0x00, 0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF,
                0x66, 0x83, 0xF8, 0x00, 0x75, 0x06, 0x90, 0x90,
                0x90, 0x90, 0x90, 0xC3, 0x66, 0x33, 0xC0, 0x66,
                0xA3, 0xFF, 0xFF, 0xFF, 0xFF, 0x8B, 0x0D, 0xFF,
                0xFF, 0xFF, 0xFF, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF,
                0xBA, 0x04, 0x00, 0x00, 0x00, 0xF7, 0xE2, 0x8B,
                0x11, 0x03, 0xC2, 0x8B, 0x10, 0xFF, 0xD2, 0xC3};

            int caveAddress = ci.GumpFunctionCaveAddress.ToInt32();
            byte[] startWord = BitConverter.GetBytes( caveAddress + 8 );
            byte[] gumpOffset = BitConverter.GetBytes( caveAddress );
            byte[] functionOffset = BitConverter.GetBytes( caveAddress + 4 );

            Buffer.BlockCopy( startWord, 0, cave, 12, 4 );
            Buffer.BlockCopy( startWord, 0, cave, 33, 4 );
            Buffer.BlockCopy( gumpOffset, 0, cave, 39, 4 );
            Buffer.BlockCopy( functionOffset, 0, cave, 44, 4 );

            Memory.Write( ci.Handle, ci.GumpFunctionCaveAddress, cave, true );
Esempio n. 11
        public static bool SetAddresses( ClientInfo clientInfo, string fileName )
                byte[] fileBytes = File.ReadAllBytes( fileName );
                int baseAddress = clientInfo.BaseAddress.ToInt32();
                clientInfo.Version = ExeInfo.GetFileVersion( fileName );
                clientInfo.DateStamp = ExeInfo.GetStamp( fileBytes );

                if (!GetHookAddress( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetRecvAddress( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetSendAddress( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetReturnAddress1( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetCaveAddress( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetPlayerInfoPointer( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetClientPacketData( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetCursorAddress( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetServerSendAddress( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetPathFindAddress( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetGumpPointer( baseAddress, fileBytes, clientInfo )) return false;
                if (!GetLoginServerAddress( baseAddress, fileBytes, clientInfo )) return false;

                clientInfo.IsValid = true;
                return true;
            catch (Exception) { }
            return false;
Esempio n. 12
        private static bool GetCursorAddress( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            byte[] sig1 = new byte[] { 0xD0, 0x00, 0x00, 0x00, 0x3B, 0xC7, 0x74, 0x38 };
            byte[] sig2 = new byte[] { 0x8B, 0xF1, 0x83, 0xBE, 0xFC, 0x00, 0x00, 0x00, 0x00 };
            int offset;

            if (FindSignatureOffset( sig1, buffer, out offset ))
                clientInfo.CursorAddress = (IntPtr) BitConverter.ToInt32( buffer, offset + 9 );
                return true;

            if (FindSignatureOffset( sig2, buffer, out offset ))
                offset += 9;
                for (int i = 0; i < 10; i++)
                    if (buffer[offset + i] == 0xA1)
                        clientInfo.CursorAddress = (IntPtr) BitConverter.ToInt32( buffer, ( offset + i ) + 1 );
                        return true;

            return false;
Esempio n. 13
        private static bool GetClientPacketData( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            byte[] sig1 = new byte[] {
                0xA1, 0xCC, 0xCC, 0xCC, 0xCC, 0x8B, 0x0D, 0xCC,
                0xCC, 0xCC, 0xCC, 0x8B, 0x16 };
            byte[] sig2 = new byte[] {
                0xC7, 0x06, 0xCC, 0xCC, 0xCC, 0xCC, 0x89, 0x35,
                0xCC, 0xCC, 0xCC, 0xCC, 0x8B, 0x4C, 0x24, 0x0C };
            int offset;

            if (FindSignatureOffset( sig1, buffer, out offset ))
                clientInfo.ClientPacketData = BitConverter.ToInt32( buffer, offset + 7 );
                return true;

            if (FindSignatureOffset( sig2, buffer, out offset ))
                clientInfo.ClientPacketData = BitConverter.ToInt32( buffer, offset + 8 );
                return true;

            return false;
Esempio n. 14
        private static bool GetCaveAddress( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            byte[] sig1 = new byte[3192]; //was 1024 (Reximus 02/2010)
            int offset;

             * In the past, client crashes I had were due to EasyUO overwriting parts of the code cave with data (I verified).
             * I'm still getting occasional client crashes when using big EasyUO scripts, and although I haven't checked for sure,
             * I will assume it's the same problem, so let's VirtualAllocEx our own memory space and use that, I don't know yet if this
             * will cause any problems (far jmps?) so this is purely a test.
            if (clientInfo.AllocCodeAddress != null)
                uint caveAddress = (uint) clientInfo.AllocCodeAddress;
                uint recvCaveAddress = caveAddress + 526;
                uint clientSendCaveAddress = recvCaveAddress + 50;
                uint sendCaveAddress = clientSendCaveAddress + 180;
                uint serverSendCaveAddress = sendCaveAddress + 100;//26;
                uint pathFindCaveAddress = serverSendCaveAddress + 100;
                uint gumpFunctionCaveAddress = pathFindCaveAddress + 100;

                clientInfo.CaveAddress = (IntPtr) caveAddress;
                clientInfo.RecvCaveAddress = (IntPtr) recvCaveAddress;
                clientInfo.SendCaveAddress = (IntPtr) sendCaveAddress;
                clientInfo.ClientSendCaveAddress = (IntPtr) clientSendCaveAddress;
                clientInfo.ServerSendCaveAddress = (IntPtr) serverSendCaveAddress;
                clientInfo.PathFindCaveAddress = (IntPtr) pathFindCaveAddress;
                clientInfo.GumpFunctionCaveAddress = (IntPtr) gumpFunctionCaveAddress;

            #if DEBUG
                Log.LogMessage( clientInfo.Instance, "Cave address = 0x" + clientInfo.RecvHookAddress.ToString( "X" ) + "\r\n" +
                                                    "Recv cave address = 0x" + clientInfo.RecvCaveAddress.ToString( "X" ) + "\r\n" +
                                                    "Send cave address = 0x" + clientInfo.SendCaveAddress.ToString( "X" ) + "\r\n" +
                                                    "Client send cave address = 0x" + clientInfo.ClientSendCaveAddress.ToString( "X" ) + "\r\n" +
                                                    "Server send cave address = 0x" + clientInfo.ServerSendCaveAddress.ToString( "X" ) + "\r\n" +
                                                    "Pathfind cave address = 0x" + clientInfo.PathFindCaveAddress.ToString( "X" ) + "\r\n" +
                                                    "Gump function cave address = 0x" + clientInfo.GumpFunctionCaveAddress.ToString( "X" ) + "\r\n" );

                return true;

            if (FindSignatureOffset( sig1, buffer, out offset ))
                uint caveAddress = (uint) baseAddress + (uint) offset + 1750; //was 750 (Reximus 02/2010)
                uint recvCaveAddress = caveAddress + 526;
                uint clientSendCaveAddress = recvCaveAddress + 28;
                uint sendCaveAddress = clientSendCaveAddress + 80;
                uint serverSendCaveAddress = sendCaveAddress + 26;
                uint pathFindCaveAddress = serverSendCaveAddress + 74;
                uint gumpFunctionCaveAddress = pathFindCaveAddress + 64;

                clientInfo.CaveAddress = (IntPtr) caveAddress;
                clientInfo.RecvCaveAddress = (IntPtr) recvCaveAddress;
                clientInfo.SendCaveAddress = (IntPtr) sendCaveAddress;
                clientInfo.ClientSendCaveAddress = (IntPtr) clientSendCaveAddress;
                clientInfo.ServerSendCaveAddress = (IntPtr) serverSendCaveAddress;
                clientInfo.PathFindCaveAddress = (IntPtr) pathFindCaveAddress;
                clientInfo.GumpFunctionCaveAddress = (IntPtr) gumpFunctionCaveAddress;
                return true;

            return false;
Esempio n. 15
        private static bool GetLoginServerAddress(int baseAddress, byte[] buffer, ClientInfo clientInfo)
            /* Here we're getting address for server IP as well as preventing client from overwriting our IP
             * we're also getting port address and protecting it as well */

            byte[] sig1 = new byte[] { 0x8B, 0x44, 0x24, 0x0C, 0xC1, 0xE1, 0x08, 0x0B, 0xC8, 0x66, 0x89, 0x15 };
            byte[] sig2 = new byte[] { 0xC1, 0xE1, 0x08, 0x0B, 0x4C, 0x24, 0x0C, 0x89, 0x0D };
            byte[] sig3 = new byte[] { 0x56, 0x57, 0x6A, 0x1C, 0xC7 };
            byte[] sig4 = new byte[] { 0x83, 0XC4, 0X04, 0X50, 0X51, 0X8B, 0XCF, 0XE8 };
            int offset;

            if (FindSignatureOffset(sig1, buffer, out offset))
                byte[] patch = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                byte[] portPatch = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                IntPtr portPatchAddress = (IntPtr)(baseAddress + offset + 0x09);
                IntPtr patchAddress = (IntPtr)(baseAddress + offset + 0x10);
                clientInfo.LoginServerAddress = (IntPtr)(BitConverter.ToInt32(buffer, offset + 0x12));
                clientInfo.LoginPortAddress = (IntPtr)(BitConverter.ToInt32(buffer, offset + 0x0C));
                if (Memory.Write(clientInfo.Handle, patchAddress, patch, true))
                    return Memory.Write(clientInfo.Handle, portPatchAddress, portPatch, true);

            if (FindSignatureOffset(sig2, buffer, out offset))
                byte[] patch = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                byte[] portPatch = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                IntPtr portPatchAddress = (IntPtr)(baseAddress + offset - 0x07);
                IntPtr patchAddress = (IntPtr)(baseAddress + offset + 0x07);
                clientInfo.LoginServerAddress = (IntPtr)(BitConverter.ToInt32(buffer, offset + 0x09));
                clientInfo.LoginPortAddress = (IntPtr)(BitConverter.ToInt32(buffer, offset - 0x04));
                if (Memory.Write(clientInfo.Handle, patchAddress, patch, true))
                    return Memory.Write(clientInfo.Handle, portPatchAddress, portPatch, true);

            //if (FindSignatureOffset(sig3, buffer, out offset))
            //    byte[] patch = { 0x90, 0x90, 0x90, 0x90, 0x90 };
            //    IntPtr loginPointer = (IntPtr)(BitConverter.ToInt32(buffer, offset + 0x20));
            //    clientInfo.LoginServerAddress = loginPointer;
            //    clientInfo.NewStyleLoginPatch = true;
            //    IntPtr patchAddress = (IntPtr)(baseAddress + offset + 0x1f);
            //    Memory.Write(clientInfo.Handle, patchAddress, patch, true);
            //    patchAddress = (IntPtr)(baseAddress + offset + 0x46);
            //    Memory.Write(clientInfo.Handle, patchAddress, patch, true);

            //    return true;

            if (FindSignatureOffset(sig4, buffer, out offset))
                //byte[] patch = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                //IntPtr patchAddress = (IntPtr)(baseAddress + offset - 0x13);
                byte[] patch = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                IntPtr patchAddress = (IntPtr)(baseAddress + offset - 0x476B);
                Memory.Write(clientInfo.Handle, patchAddress, patch, true);
                clientInfo.LoginServerAddress = (IntPtr)(BitConverter.ToInt32(buffer, offset - 0x04));
                clientInfo.LoginPortAddress = (IntPtr)(BitConverter.ToInt32(buffer, offset - 0x0A));
                return true;

            return false;
Esempio n. 16
        public static bool Attach( uint pid, OptionsData options, bool isRazor, out int index )
            lock (myLock)
                Process p = null;
                index = -1;
                    Thread.Sleep( 2000 );
                    p = Process.GetProcessById( (int)pid );
                    p.EnableRaisingEvents = true;
                    p.Exited += new EventHandler( UOM.OnClientExit );
                    ClientInfo ci = new ClientInfo( p );
                    Memory.MemoryInit( ci );
                    if (ci.IsValid) ci.InstallMacroHook();
                    else return false;

                    if (!isRazor && options.PatchClientEncryptionUOM)
                        if (!ClientPatcher.PatchEncryption( p.Handle ))
                            MessageBox.Show( Strings.Errorpatchingclientencryption, Strings.Error );
                    if (ci.DateStamp < 0x4AA52CC4 && options.PatchStaminaCheck)
                        if (!ClientPatcher.PatchStaminaCheck( p.Handle ))
                            MessageBox.Show( Strings.Errorpatchingstaminacheck, Strings.Error );
                    if (options.PatchAlwaysLight)
                        if (!ClientPatcher.PatchLight( p.Handle ))
                            MessageBox.Show( Strings.Errorwithalwayslightpatch, Strings.Error );
                    if (options.PatchGameSize)
                        if (!ClientPatcher.SetGameSize( p.Handle, options.PatchGameSizeWidth, options.PatchGameSizeHeight ))
                            //Silently fail for now as this will fail on UOSteam.
                    int instance;
                    if (!ClientInfoCollection.AddClient( ci, out instance ))
                        throw new ApplicationException( String.Concat( Strings.Unknownerror, ": ClientInfoCollection.Add." ) );
                    ci.Instance = instance;
                    index = instance;
                    Macros.Macro.ChangeServer( instance, options.Server, options.Port );
                    Thread.Sleep( 500 );
                    RemoteHooking.Inject( p.Id, Path.Combine( UOM.StartupPath, "clienthook.dll" ), Path.Combine( UOM.StartupPath, "clienthook.dll" ), UOM.ServerName );
                catch (Exception e)
                    Utility.Log.LogMessage( e );
                    MessageBox.Show( Strings.Errorinjectingdll, Strings.Error );
                    try { if (p != null) p.Kill(); }
                    catch (Win32Exception) { }
                    catch (InvalidOperationException) { }
                    return false;
                UOM.SetStatusLabel( Strings.Attachedtoclient );
                return true;
Esempio n. 17
        public static void PreparePrimaryCave(ClientInfo ci)
            ci.PrimaryCave = new byte[] {
                0x00, 0x00, 0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0x68,
                0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0xA1, 0xFF, 0xFF,
                0xFF, 0xFF, 0x66, 0x83, 0xF8, 0x00, 0x75, 0x01,
                0xC3, 0x66, 0x31, 0xC0, 0x66, 0xA3, 0xFF, 0xFF,
                0xFF, 0xFF, 0x68, 0x00, 0x00, 0x00, 0x00, 0x68,
                0xFF, 0xFF, 0xFF, 0xFF, 0x68, 0xFF, 0xFF, 0xFF,
                0xFF, 0x68, 0xFF, 0xFF, 0xFF, 0xFF, 0xC3, 0x83,
                0xC4, 0x08, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x19, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                0x00, 0x00, 0xFF, 0x00, 0x00, 0x00, 0xFF, 0x00,
                0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00

            ci.PrimaryCave[0] = 0;
            int startWordAddress = ci.CaveAddress.ToInt32();

            byte[] hookBytes          = ClientHook.CreateCALL(ci.HookAddress, (IntPtr)(startWordAddress + func1offset), CallType.CALL);
            byte[] origDest           = BitConverter.GetBytes(ci.OriginalDest);
            byte[] serverSendCaveCall = ClientHook.CreateCALL(startWordAddress + func1offset, ci.ServerSendCaveAddress.ToInt32() + 6, CallType.CALL);
            byte[] startAddress       = BitConverter.GetBytes(startWordAddress);
            byte[] data1Address       = BitConverter.GetBytes(startWordAddress + data1offset);
            byte[] returnAddress      = BitConverter.GetBytes(ci.ReturnAddress);
            byte[] addressForFunc2    = BitConverter.GetBytes(startWordAddress + func2offset + 21);

            Buffer.BlockCopy(serverSendCaveCall, 0, ci.PrimaryCave, 2, 5);
            Buffer.BlockCopy(origDest, 0, ci.PrimaryCave, 8, 4);
            Buffer.BlockCopy(startAddress, 0, ci.PrimaryCave, 14, 4);
            Buffer.BlockCopy(startAddress, 0, ci.PrimaryCave, 30, 4);
            Buffer.BlockCopy(data1Address, 0, ci.PrimaryCave, 40, 4);
            Buffer.BlockCopy(addressForFunc2, 0, ci.PrimaryCave, 45, 4);
            Buffer.BlockCopy(returnAddress, 0, ci.PrimaryCave, 50, 4);

            Memory.Write(ci.Handle, ci.CaveAddress, ci.PrimaryCave, true);
            Memory.Write(ci.Handle, ci.HookAddress, hookBytes, true);
            ci.PrimaryCave[0] = 1;
Esempio n. 18
        public static void PrepareClientSendCave(ClientInfo ci)
            byte[] cave = new byte[] {
                0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
                0x00, 0x00, 0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF,
                0x66, 0x83, 0xF8, 0x00, 0x75, 0x06, 0x90, 0x90,
                0x90, 0x90, 0x90, 0xC3, 0x90, 0x90, 0x90, 0x90,
                0x90, 0x90, 0x90, 0x90, 0x90, 0x51, 0x52, 0x53,
                0x54, 0x55, 0x56, 0x57, 0x8B, 0x2D, 0xFF, 0xFF,
                0xFF, 0xFF, 0x8B, 0x3D, 0xFF, 0xFF, 0xFF, 0xFF,
                0x55, 0x8B, 0x0D, 0xFF, 0xFF, 0xFF, 0xFF, 0x8B,
                0xF1, 0xE8, 0xFF, 0xFF, 0xFF, 0xFF,
                0x66, 0x33, 0xC0, 0x66,
                0xA3, 0xFF, 0xFF, 0xFF, 0xFF,
                0x5F, 0x5E,
                0x5D, 0x5C, 0x5B, 0x5A, 0x59,
                0x90, 0x90, 0x90, 0x90, 0x90,

             * 0000000000000000 ffff             invalid
             * 0000000000000002 ffff             invalid
             * 0000000000000004 ffff             invalid
             * 0000000000000006 ffff             invalid
             * 0000000000000008 0000             add [eax], al
             * 000000000000000a 66a1ffffffff     mov ax, [0xffffffff]
             * 0000000000000010 6683f800         cmp ax, 0x0
             * 0000000000000014 7506             jnz 0x1c
             * 0000000000000016 90               nop
             * 0000000000000017 90               nop
             * 0000000000000018 90               nop
             * 0000000000000019 90               nop
             * 000000000000001a 90               nop
             * 000000000000001b c3               ret
             * 000000000000001c 90               nop
             * 000000000000001d 90               nop
             * 000000000000001e 90               nop
             * 000000000000001f 90               nop
             * 0000000000000020 90               nop
             * 0000000000000021 90               nop
             * 0000000000000022 90               nop
             * 0000000000000023 90               nop
             * 0000000000000024 90               nop
             * 0000000000000025 51               push ecx
             * 0000000000000026 52               push edx
             * 0000000000000027 53               push ebx
             * 0000000000000028 54               push esp
             * 0000000000000029 55               push ebp
             * 000000000000002a 56               push esi
             * 000000000000002b 57               push edi
             * 000000000000002c 8b2dffffffff     mov ebp, [0xffffffff]
             * 0000000000000032 8b3dffffffff     mov edi, [0xffffffff]
             * 0000000000000038 55               push ebp
             * 0000000000000039 8b0dffffffff     mov ecx, [0xffffffff]
             * 000000000000003f 8bf1             mov esi, ecx
             * 0000000000000041 e8ffffffff       call 0x45
             * 0000000000000046 6633c0           xor ax, ax
             * 0000000000000049 66a3ffffffff     mov [0xffffffff], ax
             * 000000000000004f 5f               pop edi
             * 0000000000000050 5e               pop esi
             * 0000000000000051 5d               pop ebp
             * 0000000000000052 5c               pop esp
             * 0000000000000053 5b               pop ebx
             * 0000000000000054 5a               pop edx
             * 0000000000000055 59               pop ecx
             * 0000000000000056 90               nop
             * 0000000000000057 90               nop
             * 0000000000000058 90               nop
             * 0000000000000059 90               nop
             * 000000000000005a 90               nop
             * 000000000000005b c3               ret
            int caveAddress = ci.ClientSendCaveAddress.ToInt32();

            byte[] bufferDword      = BitConverter.GetBytes(caveAddress);
            byte[] lenDword         = BitConverter.GetBytes(caveAddress + 4);
            byte[] startWord        = BitConverter.GetBytes(caveAddress + 8);
            byte[] packetRecvCALL   = ClientHook.CreateCALL((IntPtr)(caveAddress + 65), ci.RecvHookAddress, CallType.CALL);
            byte[] pathFindCaveCALL = ClientHook.CreateCALL(caveAddress + 22, ci.PathFindCaveAddress.ToInt32() + 8, CallType.CALL);
            byte[] recheckCALL      = ClientHook.CreateCALL(caveAddress + /*77*/ 86, caveAddress + 10, CallType.JMP);
            byte[] data             = BitConverter.GetBytes(ci.ClientPacketData);

            Buffer.BlockCopy(startWord, 0, cave, 12, 4);
            Buffer.BlockCopy(pathFindCaveCALL, 0, cave, 22, 5);
            Buffer.BlockCopy(startWord, 0, cave, /*33*/ 75, 4);
            Buffer.BlockCopy(bufferDword, 0, cave, 46, 4);
            Buffer.BlockCopy(lenDword, 0, cave, 52, 4);
            Buffer.BlockCopy(data, 0, cave, 59, 4);
            Buffer.BlockCopy(packetRecvCALL, 0, cave, 65, 5);
            Buffer.BlockCopy(recheckCALL, 0, cave, /*77*/ 86, 5);

            Memory.Write(ci.Handle, ci.ClientSendCaveAddress, cave, true);
Esempio n. 19
        private static bool GetSendAddress( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            byte[] sig1 = new byte[] { 0x8D, 0x8B, 0x94, 0x00, 0x00, 0x00 }; // 8d8b94000000     lea ecx, [ebx+0x94]
            byte[] sig2 = new byte[] { 0x0F, 0xB7, 0xD8, 0x0F, 0xB6, 0x06, 0x83, 0xC4, 0x04 };
                0000000000000000 0fb7d8           movzx ebx, ax
                0000000000000003 0fb606           movzx eax, byte [esi]
                0000000000000006 83c404           add esp, 0x4
            int offset;

            if (FindSignatureOffset( sig1, buffer, out offset ))
                clientInfo.SendHookAddress = (IntPtr) ( baseAddress + offset + 11 );
                clientInfo.SendHookType = 0;
                return true;

            if (FindSignatureOffset( sig2, buffer, out offset ))
                clientInfo.SendHookAddress = (IntPtr) ( baseAddress + offset + 9 );
                clientInfo.SendHookType = 1;
                return true;

            return false;
Esempio n. 20
        private static bool GetServerSendAddress( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            byte[] sig1 = new byte[] { 0x85, 0xC9, 0x74, 0x0A, 0x8B, 0x44, 0x24, 0x04, 0x50, 0xE8 };
            int offset;

            if (FindSignatureOffset( sig1, buffer, out offset ))
                int address = BitConverter.ToInt32( buffer, offset + 10 );
                clientInfo.ServerPacketSendFunction = baseAddress + offset + 14 + address;
                return true;

            return false;
Esempio n. 21
        private static bool GetGumpPointer( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            byte[] sig1 = new byte[] { 0x8B, 0x44, 0x24, 0x04, 0xC7, 0x41, 0x5C, 0x00, 0x00, 0x00, 0x00 };
            byte[] sig2 = new byte[] { 0x8B, 0x44, 0x24, 0x04, 0x85, 0xC0, 0x89, 0x41, 0x64 };
            int offset;

            if (FindSignatureOffset( sig1, buffer, out offset ))
                clientInfo.TopGumpPointer = (IntPtr) BitConverter.ToUInt32( buffer, offset + 0x14 );
                return true;

            if (FindSignatureOffset( sig2, buffer, out offset ))
                clientInfo.TopGumpPointer = (IntPtr) BitConverter.ToUInt32( buffer, offset + 0x14 );
                return true;

            return false;
Esempio n. 22
        public static bool Attach(uint pid, OptionsData options, bool isRazor, out int index)
            lock (myLock)
                Process p = null;
                index = -1;
                    p = Process.GetProcessById((int)pid);
                    p.EnableRaisingEvents = true;
                    p.Exited += new EventHandler(UOM.OnClientExit);
                    ClientInfo ci = new ClientInfo(p);
                    if (ci.IsValid)

                    if (!isRazor && options.PatchClientEncryptionUOM)
                        if (!ClientPatcher.PatchEncryption(p.Handle))
                            MessageBox.Show("Error patching client encryption!", "Error");
                    if (ci.DateStamp < 0x4AA52CC4 && options.PatchStaminaCheck)
                        if (!ClientPatcher.PatchStaminaCheck(p.Handle))
                            MessageBox.Show("Error patching stamina check!", "Error");
                    if (options.PatchAlwaysLight)
                        if (!ClientPatcher.PatchLight(p.Handle))
                            MessageBox.Show("Error with always light patch!", "Error");
                    int instance;
                    if (!ClientInfoCollection.AddClient(ci, out instance))
                        throw new ApplicationException("Unknown error at ClientInfoCollection.Add.");
                    ci.Instance = instance;
                    index       = instance;
                    Macros.Macro.ChangeServer(instance, options.Server, options.Port);
                    RemoteHooking.Inject(p.Id, Path.Combine(UOM.StartupPath, "clienthook.dll"), Path.Combine(UOM.StartupPath, "clienthook.dll"), UOM.ServerName);
                catch (Exception e)
                    MessageBox.Show("Error injecting ClientHook.dll into target process.  Please try again.", "Error");
                    try { if (p != null)
                    catch (Win32Exception) { }
                    catch (InvalidOperationException) { }
                UOM.SetStatusLabel("Status: Attached to client");
Esempio n. 23
        private static bool GetHookAddress( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            byte[] sig1 = new byte[] { 0x53, 0x68, 0xE8, 0x03, 0x00, 0x00, 0x52 };
            int offset;

            if (FindSignatureOffset( sig1, buffer, out offset ))
                clientInfo.HookAddress = (IntPtr) ( baseAddress + offset + 8 );
                clientInfo.OriginalDest = baseAddress + ( offset + 9 ) + 4 + BitConverter.ToInt32( buffer, offset + 9 );
                return true;

            return false;
Esempio n. 24
        public static void PreparePathfindCave( ClientInfo ci )
            byte[] cave;
            int caveAddress = ci.PathFindCaveAddress.ToInt32();
            byte[] startWord = BitConverter.GetBytes( caveAddress + 6 );
            byte[] EAXDword = BitConverter.GetBytes( caveAddress - 0x24 );
            byte[] gumpFunction;
            byte[] RETNDword;
            byte[] pathFindJMP;
            switch (ci.PathFindType)
                case 0:
                    cave = new byte[] {
                        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00,
                        0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0x83,
                        0xF8, 0x00, 0x75, 0x06, 0x90, 0x90, 0x90, 0x90,
                        0x90, 0xC3, 0x66, 0x33, 0xC0, 0x66, 0xA3, 0xFF,
                        0xFF, 0xFF, 0xFF, 0x6A, 0x00, 0x6A, 0x00, 0x68,
                        0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0x53, 0x55, 0x56,
                        0x57, 0xB8, 0xFF, 0xFF, 0xFF, 0xFF, 0xE9, 0xFF,
                        0xFF, 0xFF, 0xFF, 0xC3 };
                    gumpFunction = ClientHook.CreateCALL( caveAddress + 20, ci.GumpFunctionCaveAddress.ToInt32() + 10, CallType.CALL );
                    pathFindJMP = ClientHook.CreateCALL( caveAddress + 54, ci.PathFindFunction, CallType.JMP );
                    RETNDword = BitConverter.GetBytes( caveAddress + cave.Length - 1 );
                    Buffer.BlockCopy( startWord, 0, cave, 10, 4 );
                    Buffer.BlockCopy( startWord, 0, cave, 31, 4 );
                    Buffer.BlockCopy( gumpFunction, 0, cave, 20, 5 );
                    Buffer.BlockCopy( RETNDword, 0, cave, 40, 4 );
                    Buffer.BlockCopy( EAXDword, 0, cave, 50, 4 );
                    Buffer.BlockCopy( pathFindJMP, 0, cave, 54, 5 );
                    Memory.Write( ci.Handle, ci.PathFindCaveAddress, cave, true );

                case 1:

                    /* 004008D1   FFFF             ???                         ; X
                     * 004008D3   FFFF             ???                         ; Y
                     * 004008D5   FFFF             ???                         ; Z
                     * 004008D7   0000             ADD BYTE PTR DS:[EAX],AL    ; nonzero = execute
                     * 004008D9   66:A1 D7084000   MOV AX,WORD PTR DS:[4008D7]
                     * 004008DF   66:83F8 00       CMP AX,0
                     * 004008E3   75 06            JNZ SHORT client.004008EB
                     * 004008E5   90               NOP                         ; reserved for future
                     * 004008E6   90               NOP                         ; reserved for future
                     * 004008E7   90               NOP                         ; reserved for future
                     * 004008E8   90               NOP                         ; reserved for future
                     * 004008E9   90               NOP                         ; reserved for future
                     * 004008EA   C3               RETN
                     * 004008EB   66:33C0          XOR AX,AX
                     * 004008EE   66:A3 D7084000   MOV WORD PTR DS:[4008D7],AX
                     * 004008F4   6A 00            PUSH 0
                     * 004008F6   6A 00            PUSH 0
                     * 004008F8   68 08094000      PUSH client.00400908        ; RETN from pathfind
                     * 004008FD   51               PUSH ECX
                     * 004008FE   B8 AD084000      MOV EAX,client.004008AD     ; EAX + 0x24 = X word
                     * 00400903  -E9 51980900      JMP client.0049A159
                     * 00400908   C3               RETN                        */

                    cave = new byte[] {
                        0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00,
                        0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0x83,
                        0xF8, 0x00, 0x75, 0x06, 0x90, 0x90, 0x90, 0x90,
                        0x90, 0xC3, 0x66, 0x33, 0xC0, 0x66, 0xA3, 0xFF,
                        0xFF, 0xFF, 0xFF, 0x6A, 0x00, 0x6A, 0x00, 0x68,
                        0xFF, 0xFF, 0xFF, 0xFF, 0x51, 0xB8, 0xFF, 0xFF,
                        0xFF, 0xFF, 0xE9, 0xFF, 0xFF, 0xFF, 0xFF, 0xC3 };
                    gumpFunction = ClientHook.CreateCALL( caveAddress + 20, ci.GumpFunctionCaveAddress.ToInt32() + 10, CallType.CALL );
                    pathFindJMP = ClientHook.CreateCALL( caveAddress + 50, ci.PathFindFunction, CallType.JMP );
                    RETNDword = BitConverter.GetBytes( caveAddress + cave.Length - 1 );
                    Buffer.BlockCopy( startWord, 0, cave, 10, 4 );
                    Buffer.BlockCopy( startWord, 0, cave, 31, 4 );
                    Buffer.BlockCopy( RETNDword, 0, cave, 40, 4 );
                    Buffer.BlockCopy( EAXDword, 0, cave, 46, 4 );
                    Buffer.BlockCopy( pathFindJMP, 0, cave, 50, 5 );
                    Buffer.BlockCopy( gumpFunction, 0, cave, 20, 5 );
                    Memory.Write( ci.Handle, ci.PathFindCaveAddress, cave, true );
Esempio n. 25
        public static void PrepareClientSendCave( ClientInfo ci )
            byte[] cave = new byte[] {
                0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
                0x00, 0x00, 0x66, 0xA1, 0xFF, 0xFF, 0xFF, 0xFF,
                0x66, 0x83, 0xF8, 0x00, 0x75, 0x06, 0x90, 0x90,
                0x90, 0x90, 0x90, 0xC3, 0x90, 0x90, 0x90, 0x90,
                0x90, 0x90, 0x90, 0x90, 0x90, 0x51, 0x52, 0x53,
                0x54, 0x55, 0x56, 0x57, 0x8B, 0x2D, 0xFF, 0xFF,
                0xFF, 0xFF, 0x8B, 0x3D, 0xFF, 0xFF, 0xFF, 0xFF,
                0x55, 0x8B, 0x0D, 0xFF, 0xFF, 0xFF, 0xFF, 0x8B,
                0xF1, 0xE8, 0xFF, 0xFF, 0xFF, 0xFF,
                0x66, 0x33, 0xC0, 0x66,
                0xA3, 0xFF, 0xFF, 0xFF, 0xFF,
                0x5F, 0x5E,
                0x5D, 0x5C, 0x5B, 0x5A, 0x59,
                0x90, 0x90, 0x90, 0x90, 0x90,
                0xC3 };

            0000000000000000 ffff             invalid
            0000000000000002 ffff             invalid
            0000000000000004 ffff             invalid
            0000000000000006 ffff             invalid
            0000000000000008 0000             add [eax], al
            000000000000000a 66a1ffffffff     mov ax, [0xffffffff]
            0000000000000010 6683f800         cmp ax, 0x0
            0000000000000014 7506             jnz 0x1c
            0000000000000016 90               nop
            0000000000000017 90               nop
            0000000000000018 90               nop
            0000000000000019 90               nop
            000000000000001a 90               nop
            000000000000001b c3               ret
            000000000000001c 90               nop
            000000000000001d 90               nop
            000000000000001e 90               nop
            000000000000001f 90               nop
            0000000000000020 90               nop
            0000000000000021 90               nop
            0000000000000022 90               nop
            0000000000000023 90               nop
            0000000000000024 90               nop
            0000000000000025 51               push ecx
            0000000000000026 52               push edx
            0000000000000027 53               push ebx
            0000000000000028 54               push esp
            0000000000000029 55               push ebp
            000000000000002a 56               push esi
            000000000000002b 57               push edi
            000000000000002c 8b2dffffffff     mov ebp, [0xffffffff]
            0000000000000032 8b3dffffffff     mov edi, [0xffffffff]
            0000000000000038 55               push ebp
            0000000000000039 8b0dffffffff     mov ecx, [0xffffffff]
            000000000000003f 8bf1             mov esi, ecx
            0000000000000041 e8ffffffff       call 0x45
            0000000000000046 6633c0           xor ax, ax
            0000000000000049 66a3ffffffff     mov [0xffffffff], ax
            000000000000004f 5f               pop edi
            0000000000000050 5e               pop esi
            0000000000000051 5d               pop ebp
            0000000000000052 5c               pop esp
            0000000000000053 5b               pop ebx
            0000000000000054 5a               pop edx
            0000000000000055 59               pop ecx
            0000000000000056 90               nop
            0000000000000057 90               nop
            0000000000000058 90               nop
            0000000000000059 90               nop
            000000000000005a 90               nop
            000000000000005b c3               ret
            int caveAddress = ci.ClientSendCaveAddress.ToInt32();

            byte[] bufferDword = BitConverter.GetBytes( caveAddress );
            byte[] lenDword = BitConverter.GetBytes( caveAddress + 4 );
            byte[] startWord = BitConverter.GetBytes( caveAddress + 8 );
            byte[] packetRecvCALL = ClientHook.CreateCALL( (IntPtr)(caveAddress + 65), ci.RecvHookAddress, CallType.CALL );
            byte[] pathFindCaveCALL = ClientHook.CreateCALL( caveAddress + 22, ci.PathFindCaveAddress.ToInt32() + 8, CallType.CALL );
            byte[] recheckCALL = ClientHook.CreateCALL( caveAddress + /*77*/86, caveAddress + 10, CallType.JMP );
            byte[] data = BitConverter.GetBytes( ci.ClientPacketData );

            Buffer.BlockCopy( startWord, 0, cave, 12, 4 );
            Buffer.BlockCopy( pathFindCaveCALL, 0, cave, 22, 5 );
            Buffer.BlockCopy( startWord, 0, cave, /*33*/75, 4 );
            Buffer.BlockCopy( bufferDword, 0, cave, 46, 4 );
            Buffer.BlockCopy( lenDword, 0, cave, 52, 4 );
            Buffer.BlockCopy( data, 0, cave, 59, 4 );
            Buffer.BlockCopy( packetRecvCALL, 0, cave, 65, 5 );
            Buffer.BlockCopy( recheckCALL, 0, cave, /*77*/86, 5 );

            Memory.Write( ci.Handle, ci.ClientSendCaveAddress, cave, true );
Esempio n. 26
        public static void PrepareServerSendCave( ClientInfo ci )
            byte[] cave = new byte[] {
                0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x66, 0xA1,
                0xFF, 0xFF, 0xFF, 0xFF, 0x66, 0x83, 0xF8, 0x00,
                0x75, 0x06, 0xE8, 0xFF, 0xFF, 0xFF, 0xFF, 0xC3,
                0x66, 0x33, 0xC0, 0x66, 0xA3, 0xFF, 0xFF, 0xFF,
                0xFF, 0x53, 0x54, 0x55, 0x56, 0x57, 0xA1, 0xFF,
                0xFF, 0xFF, 0xFF, 0x50, 0x8B, 0x0D, 0xFF, 0xFF,
                0xFF, 0xFF, 0x8B, 0xD9, 0xE8, 0xFF, 0xFF, 0xFF,
                0xFF, 0x5F, 0x5E, 0x5D, 0x5C, 0x5B, 0xC3 };

            int caveAddress = ci.ServerSendCaveAddress.ToInt32();

            byte[] bufferDword = BitConverter.GetBytes( caveAddress );
            byte[] startWord = BitConverter.GetBytes( caveAddress + 4 );
            byte[] packetSendCALL = ClientHook.CreateCALL( (IntPtr)(caveAddress + 52), (IntPtr)ci.ServerPacketSendFunction, CallType.CALL );
            byte[] clientSendCaveCall = ClientHook.CreateCALL( (IntPtr)(caveAddress + 18), (IntPtr)(ci.ClientSendCaveAddress.ToInt32() + 10), CallType.CALL );
            byte[] data = BitConverter.GetBytes( ci.ClientPacketData );

            Buffer.BlockCopy( startWord, 0, cave, 8, 4 );
            Buffer.BlockCopy( startWord, 0, cave, 29, 4 );
            Buffer.BlockCopy( bufferDword, 0, cave, 39, 4 );
            Buffer.BlockCopy( data, 0, cave, 46, 4 );
            Buffer.BlockCopy( packetSendCALL, 0, cave, 52, 5 );
            Buffer.BlockCopy( clientSendCaveCall, 0, cave, 18, 5 );

            Memory.Write( ci.Handle, ci.ServerSendCaveAddress, cave, true );
Esempio n. 27
        public string Start(string path)
            Process clientProcess = null;
            try {
                ProcessStartInfo startInfo = new ProcessStartInfo();
                startInfo.WorkingDirectory = path;
                startInfo.FileName = Path.Combine(path, "client.exe");

                UOMachine.NativeMethods.SafeProcessHandle hProcess;
                UOMachine.NativeMethods.SafeThreadHandle hThread;
                uint pid, tid;

                if (UOMachine.NativeMethods.CreateProcess(startInfo, true, out hProcess, out hThread, out pid, out tid))
                    bool result = false;
                    m_AddressLock = new object();
                    clientProcess = Process.GetProcessById((int)pid);

                    UOMachine.Utility.Log.Initialize("UnitTests" + DateTime.Now.ToString("[MM - dd - yyyy] ") + ".txt");


                    ClientInfo ci = new ClientInfo(clientProcess);

                    int instance = 0;
                    ClientInfoCollection.ClientList[instance] = ci;
                    ClientInfoCollection.Count = 1;

                    ulong len = (ulong)ci.EntryPoint - (ulong)ci.BaseAddress;
                    UOMachine.NativeMethods.GainMemoryAccessEx(ci.Handle, ci.BaseAddress, len);

                    string channelName = null;
                    RemoteHooking.IpcCreateServer<LoginServerTest>(ref channelName, System.Runtime.Remoting.WellKnownObjectMode.SingleCall);
                    RemoteHooking.Inject(clientProcess.Id, Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "UnitTests.dll"), null, channelName);

                    Macro.ChangeServer(instance, "", 2593);


                    lock (m_AddressLock)
                        GumpInfo[] gi = Macro.GetGumpList(instance);
                        foreach (GumpInfo g in gi)
                            if (g.Type == "MainMenu gump")
                                foreach (GumpInfo g2 in g.SubGumps)
                                    if (g2.Type == "AcctLogin gump")
                                        if (ci.DateStamp > 0x43A06A35) g2.CallFunction(26);
                                        else g2.CallFunction(23);
                        result = Monitor.Wait(m_AddressLock, 60000);

                    UOMachine.NativeMethods.TerminateProcess(Process.GetProcessById(clientProcess.Id).Handle, 0);

                    return m_Address;
            } catch (Exception)
                UOMachine.NativeMethods.TerminateProcess(Process.GetProcessById(clientProcess.Id).Handle, 0);
            return null;
Esempio n. 28
        private static bool GetLoginServerAddress( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            /* Here we're getting address for server IP as well as preventing client from overwriting our IP
             * we're also getting port address and protecting it as well */

            byte[] sig1 = new byte[] { 0x8B, 0x44, 0x24, 0x0C, 0xC1, 0xE1, 0x08, 0x0B, 0xC8, 0x66, 0x89, 0x15 };
            byte[] sig2 = new byte[] { 0xC1, 0xE1, 0x08, 0x0B, 0x4C, 0x24, 0x0C, 0x89, 0x0D };
            byte[] sig3 = new byte[] { 0x83, 0XC4, 0X04, 0X50, 0X51, 0X8B, 0XCF, 0XE8 };
            int offset;

            if (FindSignatureOffset( sig1, buffer, out offset ))
                byte[] patch = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                byte[] portPatch = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                IntPtr portPatchAddress = (IntPtr) ( baseAddress + offset + 0x09 );
                IntPtr patchAddress = (IntPtr) ( baseAddress + offset + 0x10 );
                clientInfo.LoginServerAddress = (IntPtr) ( BitConverter.ToInt32( buffer, offset + 0x12 ) );
                clientInfo.LoginPortAddress = (IntPtr) ( BitConverter.ToInt32( buffer, offset + 0x0C ) );
                if (Memory.Write( clientInfo.Handle, patchAddress, patch, true ))
                    return Memory.Write( clientInfo.Handle, portPatchAddress, portPatch, true );

            if (FindSignatureOffset( sig2, buffer, out offset ))
                byte[] patch = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                byte[] portPatch = { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                IntPtr portPatchAddress = (IntPtr) ( baseAddress + offset - 0x07 );
                IntPtr patchAddress = (IntPtr) ( baseAddress + offset + 0x07 );
                clientInfo.LoginServerAddress = (IntPtr) ( BitConverter.ToInt32( buffer, offset + 0x09 ) );
                clientInfo.LoginPortAddress = (IntPtr) ( BitConverter.ToInt32( buffer, offset - 0x04 ) );
                if (Memory.Write( clientInfo.Handle, patchAddress, patch, true ))
                    return Memory.Write( clientInfo.Handle, portPatchAddress, portPatch, true );

            if (FindSignatureOffset( sig3, buffer, out offset ))
                // Tested up to 2015-10-22
                //.text: 00599FB0 loc_599FB0:                             ; CODE XREF: sub_599F10 + E5j
                //.text:00599FB0 push    ebx
                //.text:00599FB1 call    sub_595C10         // NOP's here
                //.text:00599FB6 movzx   eax, word_A9A634   // port
                //.text:00599FBD mov     ecx, dword_A9A630  // address
                //.text:00599FC3 add     esp, 4
                //.text:00599FC6 push    eax; hostshort
                //.text:00599FC7 push    ecx; hostlong
                //.text:00599FC8 mov     ecx, edi

                byte[] patch = { 0x90, 0x90, 0x90, 0x90, 0x90 };
                IntPtr patchAddress = (IntPtr) ( baseAddress + offset - 0x12 );
                Memory.Write( clientInfo.Handle, patchAddress, patch, true );
                clientInfo.LoginServerAddress = (IntPtr) ( BitConverter.ToInt32( buffer, offset - 0x04 ) );
                clientInfo.LoginPortAddress = (IntPtr) ( BitConverter.ToInt32( buffer, offset - 0x0A ) );
                return true;

            return false;
Esempio n. 29
 public static void Execute(ClientInfo ci, byte param1, byte param2)
     ci.PrimaryCave[data1offset + 24] = param1;
     ci.PrimaryCave[data1offset + 28] = param2;
     Memory.Write(ci.Handle, ci.CaveAddress, ci.PrimaryCave, true);
Esempio n. 30
        public static void InstallRecvHook( ClientInfo ci )
            switch (ci.RecvHookType)
                case 0:

                    /* 00400801   50               PUSH EAX
                     * 00400802   51               PUSH ECX
                     * 00400803   52               PUSH EDX
                     * 00400804   57               PUSH EDI
                     * 00400805   55               PUSH EBP
                     * 00400806   E8 4708B845      CALL 45F81052
                     * 0040080B   5A               POP EDX
                     * 0040080C   59               POP ECX
                     * 0040080D   58               POP EAX
                     * 0040080E   53               PUSH EBX
                     * 0040080F   56               PUSH ESI
                     * 00400810   57               PUSH EDI
                     * 00400811   89CF             MOV EDI,ECX
                     * 00400813  -E9 6D420300      JMP client.00434A85 */

                    int caveAddress0 = ci.RecvCaveAddress.ToInt32();

                    IntPtr callStart0 = (IntPtr)(caveAddress0 + 5);
                    int jmpStart0 = caveAddress0 + 18;
                    int jmpEnd0 = ci.RecvHookAddress.ToInt32() + 5;
                    byte[] call0 = CreateCALL( callStart0, ci.RecvFunctionPointer, CallType.CALL );
                    byte[] jump0 = CreateCALL( jmpStart0, jmpEnd0, CallType.JMP );
                    byte[] newCode0 = new byte[] {
                        0x50, 0x51, 0x52, 0x57, 0x55, 0xE8, 0x00, 0x00,
                        0x00, 0x00, 0x5A, 0x59, 0x58, 0x53, 0x56, 0x57,
                        0x89, 0xCF, 0xE9, 0x00, 0x00, 0x00, 0x00 };
                    Buffer.BlockCopy( call0, 0, newCode0, 5, 5 );
                    Buffer.BlockCopy( jump0, 0, newCode0, 18, 5 );
                    byte[] hook0 = CreateCALL( ci.RecvHookAddress, ci.RecvCaveAddress, CallType.JMP );
                    Memory.Write( ci.Handle, ci.RecvCaveAddress, newCode0, true );
                    Memory.Write( ci.Handle, ci.RecvHookAddress, hook0, true );
                case 1:

                    /* 004007F9   50               PUSH EAX
                     * 004007FA   51               PUSH ECX
                     * 004007FB   52               PUSH EDX
                     * 004007FC   57               PUSH EDI
                     * 004007FD   55               PUSH EBP
                     * 004007FE   E8 4F08AD45      CALL 45ED1052
                     * 00400803   5A               POP EDX
                     * 00400804   59               POP ECX
                     * 00400805   58               POP EAX
                     * 00400806   A1 D4797F00      MOV EAX,DWORD PTR DS:[7F79D4]
                     * 0040080B  -E9 45890300      JMP client.00439155           */

                    int caveAddress1 = ci.RecvCaveAddress.ToInt32();
                    byte[] firstInstruction = new byte[5];
                    Memory.Read( ci.Handle, ci.RecvHookAddress, firstInstruction, true );
                    IntPtr callStart1 = (IntPtr)(caveAddress1 + 5);
                    int jmpStart1 = caveAddress1 + (18 + 5);
                    int jmpEnd1 = ci.RecvHookAddress.ToInt32() + 5;
                    byte[] call1 = CreateCALL( callStart1, ci.RecvFunctionPointer, CallType.CALL );
                    byte[] jump1 = CreateCALL( jmpStart1, jmpEnd1, CallType.JMP );
                    byte[] newCode1 = new byte[] {
                        0xE8, 0x00, 0x00, 0x00, 0x00,
                        0x83, 0xF8, 0x01, // CMP EAX, 1
                        0x74, 0x0D, // JE +D
                        0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
                        0xE9, 0x00, 0x00, 0x00, 0x00,
                        0x90, 0x90, 0x90, 0x90, 0x90,
                        0xC2, 0x04, 0x00

                    Buffer.BlockCopy( firstInstruction, 0, newCode1, (13 + 5), 5 );
                    Buffer.BlockCopy( firstInstruction, 0, newCode1, (31), 5 );
                    Buffer.BlockCopy( call1, 0, newCode1, 5, 5 );
                    Buffer.BlockCopy( jump1, 0, newCode1, (18 + 5), 5 );
                    byte[] hook1 = CreateCALL( ci.RecvHookAddress, ci.RecvCaveAddress, CallType.JMP );
                    Memory.Write( ci.Handle, ci.RecvCaveAddress, newCode1, true );
                    Memory.Write( ci.Handle, ci.RecvHookAddress, hook1, true );
Esempio n. 31
        private static bool GetPathFindAddress( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            byte[] sig1 = new byte[] { 0x0F, 0xBF, 0x68, 0x24, 0x0F, 0xBF, 0x50, 0x26 };
            byte[] sig2 = new byte[] { 0x0F, 0xBF, 0x50, 0x26, 0x53, 0x8B, 0x1D };

            int offset;
            if (FindSignatureOffset( sig1, buffer, out offset ))
                clientInfo.PathFindFunction = baseAddress + offset;
                clientInfo.PathFindType = 0;
                return true;

            if (FindSignatureOffset( sig2, buffer, out offset ))
                clientInfo.PathFindFunction = baseAddress + offset;
                clientInfo.PathFindType = 1;
                return true;

            return false;
Esempio n. 32
        private static bool GetPlayerInfoPointer( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            int offset;
            byte[] sig1 = new byte[] { 0x0F, 0xBF, 0x4A, 0x28, 0x83, 0xC1, 0x05 };

            if (FindSignatureOffset( sig1, buffer, out offset ))
                clientInfo.PlayerInfoPointer = (IntPtr) BitConverter.ToUInt32( buffer, offset - 6 );
            #if DEBUG
                Log.LogMessage( clientInfo.Instance, "Player info pointer = 0x" + clientInfo.PlayerInfoPointer.ToString( "X" ) );
                return true;

            return false;
Esempio n. 33
        private static bool GetRecvAddress( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            byte[] sig1 = new byte[] { 0x53, 0x56, 0x57, 0x8B, 0xF9, 0x8B, 0x0D };
            byte[] sig2 = new byte[] { 0x8B, 0x38, 0x8B, 0xE9, 0xBE };
            byte[] sig3 = new byte[] { 0x8B, 0x38, 0x8B, 0xD9, 0xBE };

            int offset;

            if (FindSignatureOffset( sig1, buffer, out offset ))
                clientInfo.RecvHookAddress = (IntPtr) ( baseAddress + offset );
                clientInfo.RecvHookType = 0;
            #if DEBUG
                Log.LogMessage( clientInfo.Instance, "Recv hook address = 0x" + clientInfo.RecvHookAddress.ToString( "X" ) );
                return true;

            if (FindSignatureOffset( sig2, buffer, out offset ))
                clientInfo.RecvHookAddress = (IntPtr) ( baseAddress + offset - 18 );
                clientInfo.RecvHookType = 1;
            #if DEBUG
                Log.LogMessage( clientInfo.Instance, "Recv hook address = 0x" + clientInfo.RecvHookAddress.ToString( "X" ) );
                return true;

            if (FindSignatureOffset( sig3, buffer, out offset ))
                clientInfo.RecvHookAddress = (IntPtr) ( baseAddress + offset - 18 );
                clientInfo.RecvHookType = 1;
            #if DEBUG
                Log.LogMessage( clientInfo.Instance, "Recv hook address = 0x" + clientInfo.RecvHookAddress.ToString( "X" ) );
                return true;

            return false;
Esempio n. 34
 public static bool GetClient(int index, out ClientInfo clientInfo)
     if (index < 0 || index > 31)
         clientInfo = null;
         return false;
     clientInfo = ThreadHelper.VolatileRead<ClientInfo>(ref ClientList[index]);
     return clientInfo == null ? false : true;
Esempio n. 35
        private static bool GetReturnAddress1( int baseAddress, byte[] buffer, ClientInfo clientInfo )
            byte[] sig1 = new byte[] {
                0x6A, 0xFF, 0x68, 0xCC, 0xCC, 0xCC, 0xCC, 0x64,
                0xA1, 0x00, 0x00, 0x00, 0x00, 0x50, 0xB8, 0x78,
                0x30, 0x00, 0x00 };
            byte[] sig2 = new byte[] {
                0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0xCC, 0xCC,
                0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0x68, 0xCC,
                0xCC, 0xCC, 0xCC, 0x50, 0xB8, 0xCC, 0xCC, 0xCC,
                0xCC, 0x64, 0x89, 0x25, 0x00, 0x00, 0x00, 0x00,
                0xE8, 0xCC, 0xCC, 0xCC, 0xCC, 0x8B, 0x84, 0x24 };
            int offset;

            if (FindSignatureOffset( sig1, buffer, out offset ))
                clientInfo.ReturnAddress = baseAddress + offset;
                return true;

            if (FindSignatureOffset( sig2, buffer, out offset ))
                clientInfo.ReturnAddress = baseAddress + offset + 6;
                return true;

            return false;
Esempio n. 36
        public static void InstallSendHook(ClientInfo ci)
            switch (ci.SendHookType)
                case 0:
                    byte[] newCode0 = new byte[] {
                        0x50, 0x51, 0x52, 0x55, 0x56, 0xE8, 0xFF, 0xFF,
                        0xFF, 0xFF, 0x5A, 0x59, 0x58, 0x55, 0x8D, 0x8B,
                        0xBC, 0x00, 0x00, 0x00, 0xE9, 0xFF, 0xFF, 0xFF,
                        0xFF };
                        0000000000000000 50               push eax
                        0000000000000001 51               push ecx
                        0000000000000002 52               push edx
                        0000000000000003 55               push ebp
                        0000000000000004 56               push esi
                        0000000000000005 e8ffffffff       call 0xffffffff
                        000000000000000a 5a               pop edx
                        000000000000000b 59               pop ecx
                        000000000000000c 58               pop eax
                        000000000000000d 55               push ebp
                        000000000000000e 8d8bbc000000     lea ecx, [ebx+0xbc]
                        0000000000000014 e9ffffffff       jmp 0xffffffff
                    byte[] hook0 = new byte[] { 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90 };
                    byte[] hookTemp0 = CreateCALL(ci.SendHookAddress, ci.SendCaveAddress, CallType.JMP);
                    byte[] functionCall0 = CreateCALL(ci.SendCaveAddress.ToInt32() + 5, ci.SendFunctionPointer.ToInt32(), CallType.CALL);
                    byte[] jmpBack0 = CreateCALL(ci.SendCaveAddress.ToInt32() + 20, ci.SendHookAddress.ToInt32() + 7, CallType.JMP);

                    Buffer.BlockCopy(hookTemp0, 0, hook0, 0, 5);
                    Buffer.BlockCopy(functionCall0, 0, newCode0, 5, 5);
                    Buffer.BlockCopy(jmpBack0, 0, newCode0, 20, 5);

                    Memory.Write(ci.Handle, ci.SendCaveAddress, newCode0, true);
                    Memory.Write(ci.Handle, ci.SendHookAddress, hook0, true);
                case 1:
                    byte[] newCode1 = new byte[] {
                        0xE8, 0xFF, 0xFF, 0xFF, 0xFF,
                        0x83, 0xF8, 01, // CMP EAX, 1
                        0x74, 0x0D, // JZ +D
                        0x8D, 0x4F, 0x6C,
                        0xE9, 0xFF, 0xFF, 0xFF, 0xFF,
                        0xC2, 04, 00 // RETN 4
                        0000000000000000 50               push eax
                        0000000000000001 51               push ecx
                        0000000000000002 52               push edx
                        0000000000000003 53               push ebx
                        0000000000000004 56               push esi
                        0000000000000005 e8ffffffff       call 0xffffffff
                        000000000000000a 5a               pop edx
                        000000000000000b 59               pop ecx
                        000000000000000c 58               pop eax
                        000000000000000d 53               push ebx
                        000000000000000e 50               push eax
                        000000000000000f 8d4f6c           lea ecx, [edi+0x6c]
                        0000000000000012 e9ffffffff       jmp 0xffffffff
                    byte[] hook1 = CreateCALL(ci.SendHookAddress, ci.SendCaveAddress, CallType.JMP);
                    byte[] functionCall1 = CreateCALL(ci.SendCaveAddress.ToInt32() + 5, ci.SendFunctionPointer.ToInt32(), CallType.CALL);
                    byte[] jmpBack1 = CreateCALL(ci.SendCaveAddress.ToInt32() + (18+5), ci.SendHookAddress.ToInt32() + 5, CallType.JMP);

                    Buffer.BlockCopy(functionCall1, 0, newCode1, 5, 5);
                    Buffer.BlockCopy(jmpBack1, 0, newCode1, (18 + 5), 5);

                    Memory.Write(ci.Handle, ci.SendCaveAddress, newCode1, true);
                    Memory.Write(ci.Handle, ci.SendHookAddress, hook1, true);
Esempio n. 37
        private static bool GetCaveAddress(int baseAddress, byte[] buffer, ClientInfo clientInfo)
            byte[] sig1 = new byte[3192]; //was 1024 (Reximus 02/2010)
            int    offset;

             * In the past, client crashes I had were due to EasyUO overwriting parts of the code cave with data (I verified).
             * I'm still getting occasional client crashes when using big EasyUO scripts, and although I haven't checked for sure,
             * I will assume it's the same problem, so let's VirtualAllocEx our own memory space and use that, I don't know yet if this
             * will cause any problems (far jmps?) so this is purely a test.
            if (clientInfo.AllocCodeAddress != null)
                uint caveAddress             = (uint)clientInfo.AllocCodeAddress;
                uint recvCaveAddress         = caveAddress + 526;
                uint clientSendCaveAddress   = recvCaveAddress + 50;
                uint sendCaveAddress         = clientSendCaveAddress + 180;
                uint serverSendCaveAddress   = sendCaveAddress + 100;//26;
                uint pathFindCaveAddress     = serverSendCaveAddress + 100;
                uint gumpFunctionCaveAddress = pathFindCaveAddress + 100;

                clientInfo.CaveAddress             = (IntPtr)caveAddress;
                clientInfo.RecvCaveAddress         = (IntPtr)recvCaveAddress;
                clientInfo.SendCaveAddress         = (IntPtr)sendCaveAddress;
                clientInfo.ClientSendCaveAddress   = (IntPtr)clientSendCaveAddress;
                clientInfo.ServerSendCaveAddress   = (IntPtr)serverSendCaveAddress;
                clientInfo.PathFindCaveAddress     = (IntPtr)pathFindCaveAddress;
                clientInfo.GumpFunctionCaveAddress = (IntPtr)gumpFunctionCaveAddress;

                Log.LogMessage(clientInfo.Instance, "Cave address = 0x" + clientInfo.RecvHookAddress.ToString("X") + "\r\n" +
                               "Recv cave address = 0x" + clientInfo.RecvCaveAddress.ToString("X") + "\r\n" +
                               "Send cave address = 0x" + clientInfo.SendCaveAddress.ToString("X") + "\r\n" +
                               "Client send cave address = 0x" + clientInfo.ClientSendCaveAddress.ToString("X") + "\r\n" +
                               "Server send cave address = 0x" + clientInfo.ServerSendCaveAddress.ToString("X") + "\r\n" +
                               "Pathfind cave address = 0x" + clientInfo.PathFindCaveAddress.ToString("X") + "\r\n" +
                               "Gump function cave address = 0x" + clientInfo.GumpFunctionCaveAddress.ToString("X") + "\r\n");


            if (FindSignatureOffset(sig1, buffer, out offset))
                uint caveAddress             = (uint)baseAddress + (uint)offset + 1750; //was 750 (Reximus 02/2010)
                uint recvCaveAddress         = caveAddress + 526;
                uint clientSendCaveAddress   = recvCaveAddress + 28;
                uint sendCaveAddress         = clientSendCaveAddress + 80;
                uint serverSendCaveAddress   = sendCaveAddress + 26;
                uint pathFindCaveAddress     = serverSendCaveAddress + 74;
                uint gumpFunctionCaveAddress = pathFindCaveAddress + 64;

                clientInfo.CaveAddress             = (IntPtr)caveAddress;
                clientInfo.RecvCaveAddress         = (IntPtr)recvCaveAddress;
                clientInfo.SendCaveAddress         = (IntPtr)sendCaveAddress;
                clientInfo.ClientSendCaveAddress   = (IntPtr)clientSendCaveAddress;
                clientInfo.ServerSendCaveAddress   = (IntPtr)serverSendCaveAddress;
                clientInfo.PathFindCaveAddress     = (IntPtr)pathFindCaveAddress;
                clientInfo.GumpFunctionCaveAddress = (IntPtr)gumpFunctionCaveAddress;
