3/19/2024
Forum metin2 org

Hello guys, in this tutorial I'll try to teach you how to discover the functions which send packets to the server, so you can use them in your program without messing with packets, encryption and so on. The disadvantage of this is that you need to update a bunch of addresses every update, and you also have to inject a DLL into Tibia.

Before you start, you have to read my other tutorial here: I'm explaining this all with 8.50 addresses. If you already did, or if you are kind of advanced, let's start! Run it, then do File->Open (or press F3) and load your Tibia executable. Run the program (F9 key) and log in with any account. Now we'll search for the call to the winsock function send(). That function is the one which sends the packets to the server. After doing that, we'll set a breakpoint on the send() buffer, so we can know which function is writing it. The function that will stop will be the XTEA encrypting one, and debugging a bit we'll notice that every function that sends a packet calls it, so we'll have them all. In Olly, in the main window do right click->Search for->All intermodular calls. We'll have a list of every external function call. In that window write "send" and click on "Destination". This should sort the calls and mark "WS2_32.send", the one we need.

Double click on it. Now we'll have the place where it is called. Set a breakpoint there (press F2), and, in your Tibia window, say something, like "hello!". Ok, so now we have to take a look at the stack. The second parameter of the send() function is a pointer to the buffer that holds the data. This is the address we were looking for: 0x0078B6F8. Mark again the breakpoint we set, release it (press F2 over it) and let the program run (press F9). Now go to the dump (that is the lower window), press Ctrl+G, and enter the address. Ok, then let's put a hardware breakpoint on write there, to discover what's writing that buffer. Mark the first byte, right click on it, then Breakpoint->Hardware, on write->Byte.

Back to Tibia, say something again. The program will now stop in the function we want! Ok, knowing this address (0x0055247F), remove the hardware breakpoint. Go to the menu Debug->Hardware breakpoints and in the window that pops up click on "Delete 1", press "Ok" and now press F9 to let Tibia run again. That's because when your program is stopped it doesn't send the ping packets that keep the connection alive, so it breaks. Now, once we are in the function, scroll up a bit until we see where the function starts. The program will stop; take a look at the stack to discover from where the function was called. So here we can see RETURN to Tibia.004F2E6F. Remove the memory breakpoint, and press Ctrl+G. We'll now be in the function that every send-packet function calls. Scroll up until you find where the function starts.

Finally, we have it, the main function. Run Tibia again (F9), and log in. Write down the address, because you'll be back here soon. What we have to do now is to discover the address of every function we need. I'm going to explain, as an example, how to discover the address of the player speech function. Set a breakpoint at the address and, again, cast something in Tibia. The program will stop; take a look at the stack, as we did before, to discover where it returns to. In this case we get RETURN to Tibia.00407509. Remove the breakpoint we set, press Ctrl+G and enter there the address 00407509.