/// <summary>
/// Sends <paramref name="packet"/> through the client's own networking code. A short
/// 32-bit x86 stub that calls the CreatePacket, AddPacketByte and SendPacket routines
/// (at the addresses in <c>Addresses.MyAddresses</c>) is assembled, written into memory
/// allocated inside the target process and executed there on a remote thread.
/// </summary>
/// <param name="packet">
/// Packet bytes. Element 0 is loaded into ECX for the CreatePacket call; every
/// following byte is loaded into ECX for one AddPacketByte call, in order.
/// </param>
/// <remarks>
/// The sequence used here (execute/read/write allocation in another process, write,
/// CreateRemoteThread) is the textbook remote-thread code-injection pattern, which
/// endpoint and anti-tamper monitoring commonly keys on. The cave address is narrowed
/// with <c>ToInt32()</c>, so a 32-bit target is assumed.
/// </remarks>
public void SendPacketToServer(byte[] packet)
{
    // Opcode bytes of the x86 instructions the stub is built from.
    const byte MovEcxImm32 = 0xb9;   // mov ecx, imm32
    const byte MovEaxImm32 = 0xB8;   // mov eax, imm32
    const byte MovClImm8 = 0xb1;     // mov cl, imm8
    const byte CallOpcode = 0xff;    // FF D0 = call eax
    const byte CallEaxModRm = 0xD0;

    CodeCaveHelper stub = new CodeCaveHelper();

    // Helper not shown; presumably it suspends the client's main thread so the
    // outgoing buffer is not touched while the stub runs -- confirm.
    // NOTE(review): nothing below is wrapped in try/finally, so any exception before
    // ResumeAndCloseThread (for example packet[0] on an empty array) leaves that
    // thread suspended and the remote allocation in place.
    IntPtr suspendedThread = OpenAndSuspendThread(tProcess.Id);

    // Snapshot the client's outgoing packet length and buffer; both are written back
    // once the remote thread has finished.
    uint savedLength = memRead.ReadUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address);
    byte[] savedBuffer = memRead.ReadBytes(Addresses.MyAddresses.OutGoingBuffer.Address, savedLength);

    // NOTE(review): the cave is a fixed 1024 bytes while the stub grows with
    // packet.Length, and the value returned by VirtualAllocEx is not checked.
    IntPtr remoteCave = WinApi.VirtualAllocEx(
        tProcessHandle,
        IntPtr.Zero,
        1024,
        WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve,
        WinApi.MemoryProtection.ExecuteReadWrite);

    // CreatePacket(first byte): mov ecx, packet[0]; mov eax, CreatePacket; call eax
    stub.AddLine(MovEcxImm32, (UInt32)packet[0]);
    stub.AddLine(MovEaxImm32, (uint)Addresses.MyAddresses.CreatePacket.Address);
    stub.AddLine(CallOpcode, CallEaxModRm);

    // AddPacketByte(b) for each remaining byte, using the same three instructions.
    for (int offset = 1; offset < packet.Length; offset++)
    {
        stub.AddLine(MovEcxImm32, (UInt32)packet[offset]);
        stub.AddLine(MovEaxImm32, (uint)Addresses.MyAddresses.AddPacketByte.Address);
        stub.AddLine(CallOpcode, CallEaxModRm);
    }

    // SendPacket: B1 01 encodes mov cl, 1 (the original comment called it a push).
    // Per the original author's note the flag selects whether XTEA encryption is used.
    stub.AddLine(MovClImm8, (byte)0x01);
    stub.AddLine(MovEaxImm32, (uint)Addresses.MyAddresses.SendPacket.Address);
    stub.AddLine(CallOpcode, CallEaxModRm); // call eax (original credit: Darkstar)
    stub.AddByte(0xC3); // ret -- ends the remote thread's start routine

    // Copy the assembled stub into the target and start a thread at its first byte.
    memRead.WriteBytes(remoteCave.ToInt32(), stub.Data, (uint)stub.Data.Length);
    // NOTE(review): the thread handle is not checked before it is waited on.
    IntPtr remoteThread = WinApi.CreateRemoteThread(tProcessHandle, IntPtr.Zero, 0, remoteCave, IntPtr.Zero, 0, IntPtr.Zero);

    // Optional address: when configured (> 0) a zero byte is written there right after
    // the remote thread is started. Its purpose is not evident from this method.
    if (Addresses.MyAddresses.IgnoreReadClientPacketAddress > 0)
    {
        memRead.WriteByte(Addresses.MyAddresses.IgnoreReadClientPacketAddress, 0);
    }

    // 0xFFFFFFFF = wait without timeout until the remote thread exits.
    WinApi.WaitForSingleObject(remoteThread, 0xFFFFFFFF);
    WinApi.CloseHandle(remoteThread);

    // NOTE(review): if WinApi.VirtualFreeEx is a direct P/Invoke of kernel32
    // VirtualFreeEx, a release requires a size of 0, so this call with 1024 would
    // fail and the page would stay mapped -- confirm against the WinApi declaration.
    WinApi.VirtualFreeEx(tProcessHandle, remoteCave, 1024, WinApi.AllocationType.Release);

    // Put the client's outgoing buffer back the way it was found, then resume.
    memRead.WriteUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address, savedLength);
    memRead.WriteBytes(Addresses.MyAddresses.OutGoingBuffer.Address, savedBuffer, (uint)savedLength);
    ResumeAndCloseThread(suspendedThread);
}
/// <summary>
/// Sends <paramref name="packet"/> through the client's own networking code. A short
/// 32-bit x86 stub that calls the CreatePacket, AddPacketByte and SendPacket routines
/// (at the addresses in <c>Addresses.MyAddresses</c>) is assembled, written into memory
/// allocated inside the target process and executed there on a remote thread. The
/// address of that allocation is also placed on the clipboard as a hex string.
/// </summary>
/// <param name="packet">
/// Packet bytes. Element 0 is loaded into ECX for the CreatePacket call; every
/// following byte is loaded into ECX for one AddPacketByte call, in order.
/// </param>
/// <remarks>
/// The sequence used here (execute/read/write allocation in another process, write,
/// CreateRemoteThread) is the textbook remote-thread code-injection pattern, which
/// endpoint and anti-tamper monitoring commonly keys on. The cave address is narrowed
/// with <c>ToInt32()</c>, so a 32-bit target is assumed.
/// </remarks>
public void SendPacketToServer(byte[] packet)
{
    // Opcode bytes of the x86 instructions the stub is built from.
    const byte MovEcxImm32 = 0xb9;   // mov ecx, imm32
    const byte MovEaxImm32 = 0xB8;   // mov eax, imm32
    const byte MovClImm8 = 0xb1;     // mov cl, imm8
    const byte CallOpcode = 0xff;    // FF D0 = call eax
    const byte CallEaxModRm = 0xD0;

    CodeCaveHelper stub = new CodeCaveHelper();

    // Helper not shown; presumably it suspends the client's main thread so the
    // outgoing buffer is not touched while the stub runs -- confirm.
    // NOTE(review): nothing below is wrapped in try/finally, so any exception before
    // ResumeAndCloseThread (for example packet[0] on an empty array) leaves that
    // thread suspended and the remote allocation in place.
    IntPtr suspendedThread = OpenAndSuspendThread(tProcess.Id);

    // Snapshot the client's outgoing packet length and buffer; both are written back
    // once the remote thread has finished.
    uint savedLength = memRead.ReadUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address);
    byte[] savedBuffer = memRead.ReadBytes(Addresses.MyAddresses.OutGoingBuffer.Address, savedLength);

    // NOTE(review): the cave is a fixed 1024 bytes while the stub grows with
    // packet.Length, and the value returned by VirtualAllocEx is not checked.
    IntPtr remoteCave = WinApi.VirtualAllocEx(
        tProcessHandle,
        IntPtr.Zero,
        1024,
        WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve,
        WinApi.MemoryProtection.ExecuteReadWrite);

    // CreatePacket(first byte): mov ecx, packet[0]; mov eax, CreatePacket; call eax
    stub.AddLine(MovEcxImm32, (UInt32)packet[0]);
    stub.AddLine(MovEaxImm32, (uint)Addresses.MyAddresses.CreatePacket.Address);
    stub.AddLine(CallOpcode, CallEaxModRm);

    // AddPacketByte(b) for each remaining byte, using the same three instructions.
    for (int offset = 1; offset < packet.Length; offset++)
    {
        stub.AddLine(MovEcxImm32, (UInt32)packet[offset]);
        stub.AddLine(MovEaxImm32, (uint)Addresses.MyAddresses.AddPacketByte.Address);
        stub.AddLine(CallOpcode, CallEaxModRm);
    }

    // SendPacket: B1 01 encodes mov cl, 1 (the original comment called it a push).
    // Per the original author's note the flag selects whether XTEA encryption is used.
    stub.AddLine(MovClImm8, (byte)0x01);
    stub.AddLine(MovEaxImm32, (uint)Addresses.MyAddresses.SendPacket.Address);
    stub.AddLine(CallOpcode, CallEaxModRm); // call eax (original credit: Darkstar)
    stub.AddByte(0xC3); // ret -- ends the remote thread's start routine

    // Replaces whatever the user had on the clipboard with the cave address in hex;
    // looks like a leftover debugging aid -- confirm. It runs while the target thread
    // is still suspended and nothing guards against it throwing.
    System.Windows.Forms.Clipboard.SetText(remoteCave.ToString("X"));

    // Copy the assembled stub into the target and start a thread at its first byte.
    memRead.WriteBytes(remoteCave.ToInt32(), stub.Data, (uint)stub.Data.Length);
    // NOTE(review): the thread handle is not checked before it is waited on.
    IntPtr remoteThread = WinApi.CreateRemoteThread(tProcessHandle, IntPtr.Zero, 0, remoteCave, IntPtr.Zero, 0, IntPtr.Zero);

    // 0xFFFFFFFF = wait without timeout until the remote thread exits.
    WinApi.WaitForSingleObject(remoteThread, 0xFFFFFFFF);
    WinApi.CloseHandle(remoteThread);

    // NOTE(review): if WinApi.VirtualFreeEx is a direct P/Invoke of kernel32
    // VirtualFreeEx, a release requires a size of 0, so this call with 1024 would
    // fail and the page would stay mapped -- confirm against the WinApi declaration.
    WinApi.VirtualFreeEx(tProcessHandle, remoteCave, 1024, WinApi.AllocationType.Release);

    // Put the client's outgoing buffer back the way it was found, then resume.
    memRead.WriteUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address, savedLength);
    memRead.WriteBytes(Addresses.MyAddresses.OutGoingBuffer.Address, savedBuffer, (uint)savedLength);
    ResumeAndCloseThread(suspendedThread);
}
/// <summary>
/// Copies <paramref name="text"/> into the target process, assembles a 32-bit x86 stub
/// that calls the client's PrintText routine (address from
/// <c>Addresses.MyAddresses.PrintText</c>) with that string, a colour, a font and a
/// position, writes the stub into a second remote allocation and hands its address to
/// <c>ChangePrintFpsCall</c>. The stub address is also placed on the clipboard in hex.
/// </summary>
/// <param name="r">Red component, pushed as a 32-bit immediate.</param>
/// <param name="g">Green component, pushed as a 32-bit immediate.</param>
/// <param name="b">Blue component, pushed as a 32-bit immediate.</param>
/// <param name="x">Horizontal position, loaded into EDX.</param>
/// <param name="y">Vertical position, pushed as a 32-bit immediate.</param>
/// <param name="font">Font identifier, pushed as an 8-bit immediate.</param>
/// <param name="text">Text whose encoded bytes are copied into the target.</param>
/// <param name="name">Not used by this method.</param>
public void CreateCodeCave(int r, int g, int b, int x, int y, byte font, string text, string name)
{
    // Opcode bytes of the x86 instructions the stub is built from.
    const byte PushImm8 = 0x6A;      // push imm8
    const byte PushImm32 = 0x68;     // push imm32
    const byte MovEdxImm32 = 0xBA;   // mov edx, imm32
    const byte MovEcxImm32 = 0xb9;   // mov ecx, imm32
    const byte MovEaxImm32 = 0xB8;   // mov eax, imm32

    // NOTE(review): ASCIIEncoding.Default resolves to the inherited static
    // Encoding.Default, i.e. the platform's default encoding rather than ASCII.
    byte[] textBytes = System.Text.ASCIIEncoding.Default.GetBytes(text);

    // Remote buffer for the string. It is requested as execute/read/write although it
    // only holds data, the returned address is not checked, and no terminator byte is
    // written (presumably the zero-filled rest of the fresh page serves as one --
    // confirm).
    IntPtr remoteText = WinApi.VirtualAllocEx(
        TibiaHandle,
        IntPtr.Zero,
        (uint)textBytes.Length,
        WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve,
        WinApi.MemoryProtection.ExecuteReadWrite);
    memRead.WriteBytes(remoteText.ToInt32(), textBytes, (uint)textBytes.Length);

    CodeCaveHelper stub = new CodeCaveHelper();

    // Seven stack arguments, four bytes each. Several of the original inline comments
    // named the wrong instruction; the mnemonics below follow the opcode bytes.
    stub.AddLine(PushImm8, (byte)0x00);                     // push 0
    stub.AddLine(PushImm32, (UInt32)remoteText.ToInt32());  // push address of the text
    stub.AddLine(PushImm32, (UInt32)b);                     // push blue
    stub.AddLine(PushImm32, (UInt32)g);                     // push green
    stub.AddLine(PushImm32, (UInt32)r);                     // push red
    stub.AddLine(PushImm8, font);                           // push font
    stub.AddLine(PushImm32, (UInt32)y);                     // push y

    // Register arguments.
    stub.AddLine(MovEdxImm32, (UInt32)x);                   // mov edx, x
    stub.AddLine(MovEcxImm32, (UInt32)0x1);                 // mov ecx, 1

    stub.AddLine(MovEaxImm32, (UInt32)Addresses.MyAddresses.PrintText.Address); // mov eax, PrintText
    stub.AddLine((byte)0xff, (byte)0xD0);                   // call eax (original credit: Darkstar)

    // add esp, 0x1C -- 28 bytes, matching the seven pushes above (the original comment
    // said 20).
    stub.AddLine((byte)0x83, (byte)0xc4, (byte)0x1c);
    stub.AddByte(0xC3);                                     // ret

    // Second remote allocation, sized to the stub, again execute/read/write and again
    // unchecked. Neither allocation is released anywhere in this method.
    IntPtr remoteStub = WinApi.VirtualAllocEx(
        TibiaHandle,
        IntPtr.Zero,
        (uint)stub.Data.Length,
        WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve,
        WinApi.MemoryProtection.ExecuteReadWrite);
    memRead.WriteBytes(remoteStub.ToInt32(), stub.Data, (uint)stub.Data.Length);

    // Helper not shown; judging by its name it redirects an existing call in the
    // client to the stub -- confirm.
    ChangePrintFpsCall(remoteStub);

    // Replaces whatever the user had on the clipboard with the stub address in hex;
    // looks like a debugging aid -- confirm.
    System.Windows.Forms.Clipboard.SetText(remoteStub.ToString("X"));
}
/// <summary>
/// Copies <paramref name="text"/> into the target process, assembles a 32-bit x86 stub
/// that calls the client's PrintText routine (address from
/// <c>Addresses.MyAddresses.PrintText</c>) with that string, a colour, a font and a
/// position, writes the stub into a second remote allocation and hands its address to
/// <c>ChangePrintFpsCall</c>. The stub address is also placed on the clipboard in hex.
/// </summary>
/// <param name="r">Red component, pushed as a 32-bit immediate.</param>
/// <param name="g">Green component, pushed as a 32-bit immediate.</param>
/// <param name="b">Blue component, pushed as a 32-bit immediate.</param>
/// <param name="x">Horizontal position, loaded into EDX.</param>
/// <param name="y">Vertical position, pushed as a 32-bit immediate.</param>
/// <param name="font">Font identifier, pushed as an 8-bit immediate.</param>
/// <param name="text">Text whose encoded bytes are copied into the target.</param>
/// <param name="name">Not used by this method.</param>
public void CreateCodeCave(int r, int g, int b, int x, int y, byte font, string text, string name)
{
    // Opcode bytes of the x86 instructions the stub is built from.
    const byte PushImm8 = 0x6A;      // push imm8
    const byte PushImm32 = 0x68;     // push imm32
    const byte MovEdxImm32 = 0xBA;   // mov edx, imm32
    const byte MovEcxImm32 = 0xb9;   // mov ecx, imm32
    const byte MovEaxImm32 = 0xB8;   // mov eax, imm32

    // NOTE(review): ASCIIEncoding.Default resolves to the inherited static
    // Encoding.Default, i.e. the platform's default encoding rather than ASCII.
    byte[] textBytes = System.Text.ASCIIEncoding.Default.GetBytes(text);

    // Remote buffer for the string. It is requested as execute/read/write although it
    // only holds data, the returned address is not checked, and no terminator byte is
    // written (presumably the zero-filled rest of the fresh page serves as one --
    // confirm).
    IntPtr remoteText = WinApi.VirtualAllocEx(
        TibiaHandle,
        IntPtr.Zero,
        (uint)textBytes.Length,
        WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve,
        WinApi.MemoryProtection.ExecuteReadWrite);
    memRead.WriteBytes(remoteText.ToInt32(), textBytes, (uint)textBytes.Length);

    CodeCaveHelper stub = new CodeCaveHelper();

    // Seven stack arguments, four bytes each. Several of the original inline comments
    // named the wrong instruction; the mnemonics below follow the opcode bytes.
    stub.AddLine(PushImm8, (byte)0x00);                     // push 0
    stub.AddLine(PushImm32, (UInt32)remoteText.ToInt32());  // push address of the text
    stub.AddLine(PushImm32, (UInt32)b);                     // push blue
    stub.AddLine(PushImm32, (UInt32)g);                     // push green
    stub.AddLine(PushImm32, (UInt32)r);                     // push red
    stub.AddLine(PushImm8, font);                           // push font
    stub.AddLine(PushImm32, (UInt32)y);                     // push y

    // Register arguments.
    stub.AddLine(MovEdxImm32, (UInt32)x);                   // mov edx, x
    stub.AddLine(MovEcxImm32, (UInt32)0x1);                 // mov ecx, 1

    stub.AddLine(MovEaxImm32, (UInt32)Addresses.MyAddresses.PrintText.Address); // mov eax, PrintText
    stub.AddLine((byte)0xff, (byte)0xD0);                   // call eax (original credit: Darkstar)

    // add esp, 0x1C -- 28 bytes, matching the seven pushes above (the original comment
    // said 20).
    stub.AddLine((byte)0x83, (byte)0xc4, (byte)0x1c);
    stub.AddByte(0xC3);                                     // ret

    // Second remote allocation, sized to the stub, again execute/read/write and again
    // unchecked. Neither allocation is released anywhere in this method.
    IntPtr remoteStub = WinApi.VirtualAllocEx(
        TibiaHandle,
        IntPtr.Zero,
        (uint)stub.Data.Length,
        WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve,
        WinApi.MemoryProtection.ExecuteReadWrite);
    memRead.WriteBytes(remoteStub.ToInt32(), stub.Data, (uint)stub.Data.Length);

    // Helper not shown; judging by its name it redirects an existing call in the
    // client to the stub -- confirm.
    ChangePrintFpsCall(remoteStub);

    // Replaces whatever the user had on the clipboard with the stub address in hex;
    // looks like a debugging aid -- confirm.
    System.Windows.Forms.Clipboard.SetText(remoteStub.ToString("X"));
}