/// <summary>
/// Installs the GetNextPacket hook: allocates an executable cave and a "got packet"
/// flag inside the target process, writes a stub into the cave that calls the original
/// GetNextPacket and then spins until the flag is cleared, starts the
/// <c>ReadingPacket</c> thread, and finally redirects the GetNextPacket call site to the
/// cave via <see cref="ReplaceCode"/>.
/// </summary>
/// <remarks>
/// Both regions are allocated <c>ExecuteReadWrite</c> in a foreign process and a code
/// call site is then patched; that combination is what endpoint detection keys on as
/// cross-process injection. None of the VirtualAllocEx / write / thread-start results
/// are checked, so a partial failure leaves the client in an undefined state.
/// </remarks>
public void SetUpCodeCave() {
    CodeCaveHelper cv = new CodeCaveHelper();
    //Let's get some space for our codecave
    // Resolve the real target of the call at GetnextPacket.Address before it is patched;
    // CleanUp relies on this value to restore the original call.
    origanGetNextPacket = memRead.GetCallFunction(Addresses.MyAddresses.GetnextPacket.Address);
    CodeCaveAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    // Requested as 1 byte, but the stub below stores a 4-byte dword into it; this only
    // works because VirtualAllocEx rounds the allocation up to a whole page.
    GotPacketAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    memRead.WriteByte(GotPacketAdr.ToInt32(), 0);
    // E8 rel32: call origanGetNextPacket. The call sits at cave+0, so rel = target - cave - 5.
    cv.AddLine((byte)0xE8);
    cv.AddInt(((int)origanGetNextPacket - (CodeCaveAdr.ToInt32()) - 5)); // calls getnextPacket
    cv.AddLine((byte)0x8b, (byte)0xd8); // mov ebx, eax — keep GetNextPacket's return value
    cv.AddLine((byte)0xc7, (byte)0x05, (UInt32)GotPacketAdr.ToInt32(), (UInt32)0x00000001); // mov dword [GotPacketAdr], 1 — signals "packet available"
    cv.AddLine((byte)0x90); // nop
    // Spin-wait: mov eax,[GotPacketAdr]; cmp eax,1; je -10 (0xF6), i.e. back to the load.
    // The client's thread is parked here until the flag is cleared — presumably by
    // ReadingPacket (not visible in this file; confirm). If that thread dies, the game
    // thread hangs in this loop.
    cv.AddLine((byte)0xA1, (UInt32)GotPacketAdr.ToInt32());
    cv.AddLine((byte)0x83, (byte)0xF8, (byte)1);
    cv.AddLine((byte)0x74, (byte)0xF6);
    cv.AddLine((byte)0x8b, (byte)0xC3); // mov eax, ebx — restore the return value
    cv.AddLine((byte)0xC3); // ret
    // Debug leftover: copies the cave address to the user's clipboard (also requires an STA thread).
    System.Windows.Forms.Clipboard.SetText(CodeCaveAdr.ToString("X"));
    memRead.WriteBytes(CodeCaveAdr.ToInt32(), cv.Data, (uint)cv.Data.Length);
    Thread t = new Thread(new ThreadStart(ReadingPacket));
    running = true;
    t.Start();
    // Patch the call site last, so the cave is completely written before the client can reach it.
    ReplaceCode();
}
/// <summary>
/// Overwrites the 5-byte call at <c>GetnextPacket.Address</c> with <c>call CodeCaveAdr</c>
/// so the client enters the stub written by <see cref="SetUpCodeCave"/>.
/// </summary>
/// <remarks>
/// Nothing is saved here: restoring the site later depends on <c>origanGetNextPacket</c>
/// having been captured before this runs. Assumes the instruction at that address really
/// is a 5-byte E8 call on the client build the addresses were taken from — TODO confirm;
/// a different instruction length would corrupt the following instruction.
/// </remarks>
private void ReplaceCode() {
    CodeCaveHelper cv = new CodeCaveHelper();
    cv.AddLine((byte)0xE8);
    // rel32 from the end of the 5-byte call at GetnextPacket.Address to the cave.
    cv.AddInt(((int)(CodeCaveAdr.ToInt32() - Addresses.MyAddresses.GetnextPacket.Address) - 5));
    memRead.WriteBytes(Addresses.MyAddresses.GetnextPacket.Address, cv.Data, (uint)cv.Data.Length);
}
/// <summary>
/// Sends <paramref name="dataBuffer"/> through the client's own send path: the client's
/// main thread is suspended, the send-stream buffer and length are swapped for the
/// caller's data, a short stub that invokes <paramref name="SendPacketCall"/> is run on a
/// remote thread, and the original buffer/length are written back before resuming.
/// </summary>
/// <param name="dataBuffer">Payload bytes; <c>CreateOutgoingBuffer</c> (not visible here) wraps them with 8 extra bytes.</param>
/// <param name="SendStreamData">Address of the client's outgoing stream buffer.</param>
/// <param name="SendStreamLength">Address of the client's outgoing stream length (int32).</param>
/// <param name="SendPacketCall">Address of the client function the stub calls through <c>eax</c>.</param>
/// <remarks>
/// Known defects, unchanged here: <c>process</c> is opened with PROCESS_ALL_ACCESS, never
/// used and never closed (handle leak per call); the remote <c>thread</c> handle is never
/// closed (compare SendPacketToServer, which does); VirtualFreeEx with
/// <c>AllocationType.Release</c> requires a size of 0, so the non-zero size makes the free
/// fail silently and leak the cave; and there is no try/finally, so any exception after
/// <c>OpenAndSuspendThread</c> leaves the client's main thread suspended.
/// </remarks>
public void SendPacketToServerEx(byte[] dataBuffer, uint SendStreamData, uint SendStreamLength, uint SendPacketCall) {
    IntPtr MainThread = OpenAndSuspendThread(client.Process.Id);
    // Both initial values are overwritten below before use.
    int OldLength = 0;
    byte[] OldData = new byte[1025];
    int length = dataBuffer.Length;
    // TODO: unused and never closed — drop it or CloseHandle it.
    IntPtr process = WinApi.OpenProcess(WinApi.PROCESS_ALL_ACCESS, 0, (uint)client.Process.Id);
    // Save whatever the client currently has in its outgoing stream so it can be restored.
    OldLength = Memory.ReadInt32(client.Handle, SendStreamLength);
    OldData = Memory.ReadBytes(client.Handle, SendStreamData, (uint)OldLength);
    length += 8;
    byte[] actualBuffer = CreateOutgoingBuffer(dataBuffer, length);
    client.Memory.WriteInt32(SendStreamLength, length);
    client.Memory.WriteBytes(SendStreamData, actualBuffer, (uint)length);
    CodeCaveHelper cv = new CodeCaveHelper();
    cv.AddLine((byte)0xb1, (byte)1); // mov cl, 1 — "talkmode" per the original author
    cv.AddLine((byte)0xB8, (uint)SendPacketCall); // mov eax, SendPacketCall
    cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar
    cv.AddLine((byte)0xc3); //ret
    IntPtr CaveAddress = WinApi.VirtualAllocEx(client.Handle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    Memory.WriteBytes(client.Handle, CaveAddress.ToInt64(), cv.Data, (uint)cv.Data.Length);
    // System.Windows.Forms.Clipboard.SetText(CaveAddress.ToString("X"));
    // TODO: this handle is never closed.
    IntPtr thread = WinApi.CreateRemoteThread(client.Handle, IntPtr.Zero, 0, CaveAddress, IntPtr.Zero, 0, IntPtr.Zero);
    WinApi.WaitForSingleObject(thread, 0xFFFFFFFF);
    // TODO: MEM_RELEASE needs dwSize == 0; with cv.Data.Length this call fails and the cave leaks.
    WinApi.VirtualFreeEx(client.Handle, CaveAddress, (uint)cv.Data.Length, WinApi.AllocationType.Release); //free up memory
    client.Memory.WriteInt32(SendStreamLength, OldLength);
    client.Memory.WriteBytes(SendStreamData, OldData, (uint)OldLength);
    ResumeAndCloseThread(MainThread);
}
/// <summary>
/// Builds and sends a packet by having a remote thread call the client's own
/// CreatePacket / AddPacketByte / SendPacket functions, with the client's main thread
/// suspended and the outgoing buffer/length saved and restored around the call.
/// </summary>
/// <param name="packet">First byte is passed to CreatePacket as the packet type; every following byte is fed to AddPacketByte.</param>
/// <remarks>
/// Known defects, unchanged here: an empty <paramref name="packet"/> throws on
/// <c>packet[0]</c> after the main thread has already been suspended; there is no
/// try/finally, so any exception leaves that thread suspended; the stub grows by 12 bytes
/// per payload byte (22 bytes fixed + 12 × (n − 1)) but nothing checks it fits the
/// 1024-byte cave — packets longer than roughly 84 bytes write past it (page rounding hides
/// this up to 4 KB); and VirtualFreeEx with <c>AllocationType.Release</c> requires a size of
/// 0, so the free fails silently and the cave leaks.
/// </remarks>
public void SendPacketToServer(byte[] packet) {
    CodeCaveHelper cv = new CodeCaveHelper();
    IntPtr MainThread = OpenAndSuspendThread(tProcess.Id);
    // Save the client's current outgoing packet so it can be put back afterwards.
    uint OldPackelen = memRead.ReadUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address);
    byte[] OldPacket = memRead.ReadBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPackelen);
    IntPtr CodeCave = WinApi.VirtualAllocEx(tProcessHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    //createPacket
    byte packetType = (byte)packet[0]; // TODO: guard against an empty packet
    cv.AddLine((byte)0xb9, (UInt32)packetType); // mov ecx, packetType
    cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.CreatePacket.Address); // mov eax, CreatePacket
    cv.AddLine((byte)0xff, (byte)0xD0); // call eax
    // One mov ecx / mov eax / call eax triple (12 bytes) per payload byte.
    for (int i = 1; i < packet.Length; i++) {
        byte val = packet[i];
        cv.AddLine((byte)0xb9, (UInt32)val);
        cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.AddPacketByte.Address);
        cv.AddLine((byte)0xff, (byte)0xD0);
    }
    cv.AddLine((byte)0xb1, (byte)0x01); // mov cl, 1 — original author: bool "use Xtea encrypt or not" (unverified)
    cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.SendPacket.Address); // mov eax, SendPacket
    cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar
    cv.AddByte(0xC3); //ret
    memRead.WriteBytes(CodeCave.ToInt32(), cv.Data, (uint)cv.Data.Length);
    IntPtr hThread = WinApi.CreateRemoteThread(tProcessHandle, IntPtr.Zero, 0, CodeCave, IntPtr.Zero, 0, IntPtr.Zero);
    // NOTE(review): this flag is cleared after the remote thread is already running, so
    // whether it takes effect for this send depends on timing — consider writing it first.
    if (Addresses.MyAddresses.IgnoreReadClientPacketAddress > 0) {
        memRead.WriteByte(Addresses.MyAddresses.IgnoreReadClientPacketAddress, 0);//ignore this
    }
    WinApi.WaitForSingleObject(hThread, 0xFFFFFFFF);
    WinApi.CloseHandle(hThread);
    // TODO: MEM_RELEASE needs dwSize == 0; with 1024 this call fails and the cave leaks.
    WinApi.VirtualFreeEx(tProcessHandle, CodeCave, 1024, WinApi.AllocationType.Release);
    memRead.WriteUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address, OldPackelen);
    memRead.WriteBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPacket, (uint)OldPackelen);
    ResumeAndCloseThread(MainThread);
}
/// <summary>
/// Installs the SendPacket hook: saves the 5 bytes at <c>SendPacket.Address</c>, replaces
/// them with <c>jmp CodeCaveAdr</c>, then repoints <c>Addresses.MyAddresses.SendPacket.Address</c>
/// at <c>NewSendAddress</c> so later callers that go through that address (e.g.
/// SendPacketToServer) enter the trampoline rather than the patched entry.
/// </summary>
/// <remarks>
/// Not idempotent: a second call would read the already-written jmp into <c>OrigalBytes</c>
/// and compute the displacement against the moved address. Assumes the 5 bytes at the
/// entry form whole instructions — TODO confirm for the client build in use.
/// </remarks>
private void ReplaceCode() {
    CodeCaveHelper cv = new CodeCaveHelper();
    OrigalBytes = memRead.ReadBytes(Addresses.MyAddresses.SendPacket.Address, 5);
    // E9 rel32: jmp from the end of the 5-byte patch to the cave.
    cv.AddLine((byte)0xE9);
    cv.AddInt(((int)(CodeCaveAdr.ToInt32() - Addresses.MyAddresses.SendPacket.Address - 5)));
    memRead.WriteBytes(Addresses.MyAddresses.SendPacket.Address, cv.Data, (uint)cv.Data.Length);
    // From here on, the shared address table points at the trampoline, not the hooked entry.
    Addresses.MyAddresses.SendPacket.Address = NewSendAddress.ToInt32();
}
/// <summary>
/// Installs the SendPacket hook cave: allocates an executable cave and a "got packet" flag
/// in the target process, writes a stub that publishes the flag, spins until it is cleared,
/// re-executes the 5 bytes displaced from SendPacket's entry and continues at
/// <c>SendPacket.Address + 5</c>; then starts the <c>ReadingPacket</c> thread and patches the
/// entry via <see cref="ReplaceCode"/>.
/// </summary>
/// <remarks>
/// <c>NewSendAddress = CodeCaveAdr + 0x19</c> is a hand-maintained offset: 0x19 (25) is the
/// length of the stub emitted before <c>OrigalBytes</c> (2 + 10 + 1 + 5 + 3 + 2 + 2). Any
/// change to those AddLine calls silently breaks the trampoline — computing it from
/// <c>cv.Data.Length</c> at that point would be safer. The flag region is requested as 1 byte
/// but written as a dword; this only works because VirtualAllocEx rounds up to a page.
/// </remarks>
public void SetUpCodeCave() {
    CodeCaveHelper cv = new CodeCaveHelper();
    //Let's get some space for our codecave
    CodeCaveAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    GotPacketAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, 1, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    Addresses.MyAddresses.IgnoreReadClientPacketAddress = GotPacketAdr.ToInt32();
    // Read here and again inside ReplaceCode; both reads happen before the entry is patched.
    OrigalBytes = memRead.ReadBytes(Addresses.MyAddresses.SendPacket.Address, 5);
    // Trampoline entry: the copied original bytes start at cave + 0x19 (see remarks).
    NewSendAddress = CodeCaveAdr + 0x19;
    memRead.WriteByte(GotPacketAdr.ToInt32(), 0);
    cv.AddLine((byte)0x8b, (byte)0xd8); // mov ebx, eax — preserve eax across the wait
    cv.AddLine((byte)0xc7, (byte)0x05, (UInt32)GotPacketAdr.ToInt32(), (UInt32)0x00000001); // mov dword [GotPacketAdr], 1
    cv.AddLine((byte)0x90); // nop
    // Spin-wait: mov eax,[GotPacketAdr]; cmp eax,1; je -10 (back to the load). The client's
    // thread stays here until the flag is cleared — presumably by ReadingPacket (not visible
    // in this file; confirm). If that thread dies, the game thread hangs.
    cv.AddLine((byte)0xA1, (UInt32)GotPacketAdr.ToInt32());
    cv.AddLine((byte)0x83, (byte)0xF8, (byte)1);
    cv.AddLine((byte)0x74, (byte)0xF6);
    cv.AddLine((byte)0x8b, (byte)0xC3); // mov eax, ebx
    cv.AddBytes(OrigalBytes);// re-execute the 5 bytes displaced by the jmp written in ReplaceCode
    // E8 rel32. With cv.Data.Length == 31 at this point the displacement resolves to
    // SendPacket.Address + 5, i.e. the instruction right after the patched entry
    // (the original "calls getnextPacke" comment was stale).
    cv.AddLine((byte)0xE8);
    cv.AddInt(((int)Addresses.MyAddresses.SendPacket.Address - (CodeCaveAdr.ToInt32())) - cv.Data.Length + 1);
    cv.AddLine((byte)0xC3); // ret
    memRead.WriteBytes(CodeCaveAdr.ToInt32(), cv.Data, (uint)cv.Data.Length);
    Thread t = new Thread(new ThreadStart(ReadingPacket));
    running = true;
    t.Start();
    // Patch the entry last, so the cave is fully written before the client can jump into it.
    ReplaceCode();
    // NOTE(review): `running` and `IsRunning` are two separate flags — confirm both are intended.
    IsRunning = true;
    // Debug leftovers: clipboard write (STA only) and a modal MessageBox that blocks this thread.
    System.Windows.Forms.Clipboard.SetText(GotPacketAdr.ToString("X"));
    System.Windows.Forms.MessageBox.Show(GotPacketAdr.ToString("X"));
}
/// <summary>
/// Builds and sends a packet by having a remote thread call the client's own
/// CreatePacket / AddPacketByte / SendPacket functions, with the client's main thread
/// suspended and the outgoing buffer/length saved and restored around the call.
/// </summary>
/// <param name="packet">First byte is passed to CreatePacket as the packet type; every following byte is fed to AddPacketByte.</param>
/// <remarks>
/// Known defects, unchanged here: an empty <paramref name="packet"/> throws on
/// <c>packet[0]</c> after the main thread has already been suspended; there is no
/// try/finally, so any exception leaves that thread suspended; the stub grows by 12 bytes
/// per payload byte (22 bytes fixed + 12 × (n − 1)) but nothing checks it fits the
/// 1024-byte cave — packets longer than roughly 84 bytes write past it (page rounding hides
/// this up to 4 KB); and VirtualFreeEx with <c>AllocationType.Release</c> requires a size of
/// 0, so the free fails silently and the cave leaks. Note that when the SendPacket hook is
/// installed, <c>SendPacket.Address</c> has been repointed at the trampoline by ReplaceCode.
/// </remarks>
public void SendPacketToServer(byte[] packet) {
    CodeCaveHelper cv = new CodeCaveHelper();
    IntPtr MainThread = OpenAndSuspendThread(tProcess.Id);
    // Save the client's current outgoing packet so it can be put back afterwards.
    uint OldPackelen = memRead.ReadUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address);
    byte[] OldPacket = memRead.ReadBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPackelen);
    IntPtr CodeCave = WinApi.VirtualAllocEx(tProcessHandle, IntPtr.Zero, 1024, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    //createPacket
    byte packetType = (byte)packet[0]; // TODO: guard against an empty packet
    cv.AddLine((byte)0xb9, (UInt32)packetType); // mov ecx, packetType
    cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.CreatePacket.Address); // mov eax, CreatePacket
    cv.AddLine((byte)0xff, (byte)0xD0); // call eax
    // One mov ecx / mov eax / call eax triple (12 bytes) per payload byte.
    for (int i = 1; i < packet.Length; i++) {
        byte val = packet[i];
        cv.AddLine((byte)0xb9, (UInt32)val);
        cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.AddPacketByte.Address);
        cv.AddLine((byte)0xff, (byte)0xD0);
    }
    cv.AddLine((byte)0xb1, (byte)0x01); // mov cl, 1 — original author: bool "use Xtea encrypt or not" (unverified)
    cv.AddLine((byte)0xB8, (uint)Addresses.MyAddresses.SendPacket.Address); // mov eax, SendPacket
    cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar
    cv.AddByte(0xC3);//ret
    // Debug leftover: copies the cave address to the user's clipboard (STA thread only).
    System.Windows.Forms.Clipboard.SetText(CodeCave.ToString("X"));
    memRead.WriteBytes(CodeCave.ToInt32(), cv.Data, (uint)cv.Data.Length);
    IntPtr hThread = WinApi.CreateRemoteThread(tProcessHandle, IntPtr.Zero, 0, CodeCave, IntPtr.Zero, 0, IntPtr.Zero);
    WinApi.WaitForSingleObject(hThread, 0xFFFFFFFF);
    WinApi.CloseHandle(hThread);
    // TODO: MEM_RELEASE needs dwSize == 0; with 1024 this call fails and the cave leaks.
    WinApi.VirtualFreeEx(tProcessHandle, CodeCave, 1024, WinApi.AllocationType.Release);
    memRead.WriteUInt32(Addresses.MyAddresses.OutGoingPacketLen.Address, OldPackelen);
    memRead.WriteBytes(Addresses.MyAddresses.OutGoingBuffer.Address, OldPacket, (uint)OldPackelen);
    ResumeAndCloseThread(MainThread);
}
/// <summary>
/// Reverses <c>SetUpCodeCave</c>: rewrites the call at <c>GetnextPacket.Address</c> to its
/// original target (<c>origanGetNextPacket</c>), clears the "got packet" flag and releases
/// both allocations. No-op when the hook is not running.
/// </summary>
/// <remarks>
/// Two points to be aware of: VirtualFreeEx with <c>AllocationType.Release</c> requires a
/// size of 0, so both frees below fail silently and the regions leak; and the cave is
/// released immediately after the call site is restored, with no wait for a client thread
/// that may still be executing inside it (or parked in its spin loop with the flag set).
/// Clearing the flag first helps, but there is no synchronisation — confirm the
/// <c>ReadingPacket</c> thread observes <c>running == false</c> before memory goes away.
/// </remarks>
public void CleanUp() {
    if (running == false) {
        return;
    }
    running = false;
    CodeCaveHelper cv = new CodeCaveHelper();
    // Rebuild the original 5-byte call: E8 rel32 to origanGetNextPacket.
    cv.AddLine((byte)0xE8);
    cv.AddInt(((int)(origanGetNextPacket - Addresses.MyAddresses.GetnextPacket.Address) - 5));
    memRead.WriteBytes(Addresses.MyAddresses.GetnextPacket.Address, cv.Data, (uint)cv.Data.Length);
    // Release any thread parked in the cave's spin loop before the cave is freed.
    memRead.WriteByte(GotPacketAdr.ToInt32(), 0);
    // TODO: MEM_RELEASE needs dwSize == 0 for both of these calls.
    WinApi.VirtualFreeEx(TibiaHandle, CodeCaveAdr, 1024, WinApi.AllocationType.Release);
    WinApi.VirtualFreeEx(TibiaHandle, GotPacketAdr, 1, WinApi.AllocationType.Release);
}
/// <summary>
/// Writes a small stub into a fresh executable region of the target process that pushes
/// <c>0</c>, <c>y</c> and <c>x</c>, calls <c>WalkFunction</c> through <c>eax</c> and returns;
/// the region's address is kept in <c>Adr</c>.
/// </summary>
/// <remarks>
/// <c>x</c> and <c>y</c> are hard-coded to 0, so the stub is the same every time; if this is
/// meant to be reused they should be parameters. The stub pushes three dwords and does no
/// stack clean-up after the call, so it assumes a callee-cleanup convention for
/// WalkFunction — TODO confirm. Each call allocates a new region and nothing in this block
/// frees the previous <c>Adr</c>.
/// </remarks>
private void CreateCave() {
    int x, y;
    x = 0;
    y = 0;
    CodeCaveHelper cv = new CodeCaveHelper();
    cv.AddLine((byte)0x6A, (byte)0x00); //push 0
    cv.AddLine((byte)0x68, (Int32)y); //push y int32
    cv.AddLine((byte)0x68, (Int32)x); //push x int32
    cv.AddLine((byte)0xb8, (uint)Addresses.MyAddresses.WalkFunction.Address); // MOV EAX, <DWORD> | ty DarkStar
    cv.AddLine((byte)0xFF, (byte)0xD0); // call eax
    cv.AddLine((byte)0xc3); // ret
    Adr = WinApi.VirtualAllocEx(Handle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    memRead.WriteBytes(Adr.ToInt64(), cv.Data, (uint)cv.Data.Length);
    // Debug leftover: copies the cave address to the user's clipboard (STA thread only).
    System.Windows.Forms.Clipboard.SetText(Adr.ToString("X"));
}
/// <summary>
/// Copies <paramref name="text"/> into the target process and writes a stub that calls the
/// client's <c>PrintText</c> with the colour, position and font arguments, then hands the
/// stub's address to <c>ChangePrintFpsCall</c> (not visible here).
/// </summary>
/// <param name="r">Red component, pushed as a dword.</param>
/// <param name="g">Green component, pushed as a dword.</param>
/// <param name="b">Blue component, pushed as a dword.</param>
/// <param name="x">Passed in <c>edx</c>.</param>
/// <param name="y">Pushed as a dword.</param>
/// <param name="font">Pushed as an 8-bit immediate.</param>
/// <param name="text">Encoded with <c>ASCIIEncoding.Default</c>, which resolves to the inherited static <c>Encoding.Default</c> (the system ANSI code page on .NET Framework), not 7-bit ASCII.</param>
/// <param name="name">Unused.</param>
/// <remarks>
/// The string buffer is written without a terminating NUL and sized exactly
/// <c>bytes.Length</c>; it relies on VirtualAllocEx zero-filling the rest of the page, which
/// stops holding when the text is exactly a page long. Neither <c>stringAdr</c> nor
/// <c>CaveAddress</c> is ever freed by this method, so every call leaks two regions.
/// </remarks>
public void CreateCodeCave(int r, int g, int b, int x, int y, byte font, string text,string name) {
    byte[] bytes = System.Text.ASCIIEncoding.Default.GetBytes(text);
    // TODO: allocate bytes.Length + 1 and write a trailing 0 rather than relying on page zero-fill.
    IntPtr stringAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)bytes.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    memRead.WriteBytes(stringAdr.ToInt32(), bytes, (uint)bytes.Length);
    CodeCaveHelper cv = new CodeCaveHelper();
    // Seven dword pushes follow (0, string, b, g, r, font, y) = 28 bytes, matched by the add esp below.
    cv.AddLine((byte)0x6A, (byte)0x00); //push 0
    cv.AddLine((byte)0x68, (UInt32)stringAdr.ToInt32()); //push string address
    cv.AddLine((byte)0x68, (UInt32)b); //push blue int32
    cv.AddLine((byte)0x68, (UInt32)g); //push green int32
    cv.AddLine((byte)0x68, (UInt32)r); //push red int32
    cv.AddLine((byte)0x6A, (byte)font); //push font byte
    cv.AddLine((byte)0x68, (UInt32)y); //push y int32
    cv.AddLine((byte)0xBA, (UInt32)x); //mov edx, x
    cv.AddLine((byte)0xb9, (UInt32)0x1); //mov ecx, 1
    cv.AddLine((byte)0xB8, (UInt32)Addresses.MyAddresses.PrintText.Address); // mov eax, PrintText
    cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar
    cv.AddLine((byte)0x83, (byte)0xc4, (byte)0x1c); //add esp, 0x1C (28) — pops the seven pushes (the old "add esp,20" comment was wrong)
    cv.AddByte(0xC3); // ret
    IntPtr CaveAddress = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    memRead.WriteBytes(CaveAddress.ToInt32(), cv.Data, (uint)cv.Data.Length);
    ChangePrintFpsCall(CaveAddress);
    // Debug leftover: copies the cave address to the user's clipboard (STA thread only).
    System.Windows.Forms.Clipboard.SetText(CaveAddress.ToString("X"));
}
/// <summary>
/// Copies <paramref name="text"/> into the target process and writes a stub that calls the
/// client's <c>PrintText</c> with the colour, position and font arguments, then hands the
/// stub's address to <c>ChangePrintFpsCall</c> (not visible here). Byte-for-byte the same
/// as the other <c>CreateCodeCave</c> overload on this page.
/// </summary>
/// <param name="r">Red component, pushed as a dword.</param>
/// <param name="g">Green component, pushed as a dword.</param>
/// <param name="b">Blue component, pushed as a dword.</param>
/// <param name="x">Passed in <c>edx</c>.</param>
/// <param name="y">Pushed as a dword.</param>
/// <param name="font">Pushed as an 8-bit immediate.</param>
/// <param name="text">Encoded with <c>ASCIIEncoding.Default</c>, which resolves to the inherited static <c>Encoding.Default</c> (the system ANSI code page on .NET Framework), not 7-bit ASCII.</param>
/// <param name="name">Unused.</param>
/// <remarks>
/// The string buffer is written without a terminating NUL and sized exactly
/// <c>bytes.Length</c>; it relies on VirtualAllocEx zero-filling the rest of the page, which
/// stops holding when the text is exactly a page long. Neither <c>stringAdr</c> nor
/// <c>CaveAddress</c> is ever freed by this method, so every call leaks two regions.
/// </remarks>
public void CreateCodeCave(int r, int g, int b, int x, int y, byte font, string text, string name) {
    byte[] bytes = System.Text.ASCIIEncoding.Default.GetBytes(text);
    // TODO: allocate bytes.Length + 1 and write a trailing 0 rather than relying on page zero-fill.
    IntPtr stringAdr = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)bytes.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    memRead.WriteBytes(stringAdr.ToInt32(), bytes, (uint)bytes.Length);
    CodeCaveHelper cv = new CodeCaveHelper();
    // Seven dword pushes follow (0, string, b, g, r, font, y) = 28 bytes, matched by the add esp below.
    cv.AddLine((byte)0x6A, (byte)0x00); //push 0
    cv.AddLine((byte)0x68, (UInt32)stringAdr.ToInt32()); //push string address
    cv.AddLine((byte)0x68, (UInt32)b); //push blue int32
    cv.AddLine((byte)0x68, (UInt32)g); //push green int32
    cv.AddLine((byte)0x68, (UInt32)r); //push red int32
    cv.AddLine((byte)0x6A, (byte)font); //push font byte
    cv.AddLine((byte)0x68, (UInt32)y); //push y int32
    cv.AddLine((byte)0xBA, (UInt32)x); //mov edx, x
    cv.AddLine((byte)0xb9, (UInt32)0x1); //mov ecx, 1
    cv.AddLine((byte)0xB8, (UInt32)Addresses.MyAddresses.PrintText.Address); // mov eax, PrintText
    cv.AddLine((byte)0xff, (byte)0xD0); // call eax Thanks Darkstar
    cv.AddLine((byte)0x83, (byte)0xc4, (byte)0x1c); //add esp, 0x1C (28) — pops the seven pushes (the old "add esp,20" comment was wrong)
    cv.AddByte(0xC3); // ret
    IntPtr CaveAddress = WinApi.VirtualAllocEx(TibiaHandle, IntPtr.Zero, (uint)cv.Data.Length, WinApi.AllocationType.Commit | WinApi.AllocationType.Reserve, WinApi.MemoryProtection.ExecuteReadWrite);
    memRead.WriteBytes(CaveAddress.ToInt32(), cv.Data, (uint)cv.Data.Length);
    ChangePrintFpsCall(CaveAddress);
    // Debug leftover: copies the cave address to the user's clipboard (STA thread only).
    System.Windows.Forms.Clipboard.SetText(CaveAddress.ToString("X"));
}