Basic functions in MASM for tibia cheating
02-06-2008, 05:05 AM (This post was last modified: 02-07-2008 03:56 AM by asta. Edit Reason: )
Post: #1
Hello! ;D

I'm posting some useful functions I use in my Tibia programs in MASM. I'll be adding some later. With this, I'm trying to show how easy it is to do a useful proggy in ASM without getting your head crashed. Working with the macros you have in MASM, it's more like a high-level language!

***

First, you'll have to set up the usual MASM32 skeleton (the include paths below assume the MASM32 SDK in its default location) and define some constants.

Code:
.386
.model flat, stdcall
option casemap:none

include \masm32\include\windows.inc
include \masm32\include\kernel32.inc
include \masm32\include\user32.inc
includelib \masm32\lib\kernel32.lib
includelib \masm32\lib\user32.lib

.const
ClientName db "TibiaClient",0        ; window class name FindWindow searches for

Code:
Tibia_Hwnd      PROTO

Code:
; Returns the process id of the running Tibia client in eax, or 0 if no
; client window is found. Despite the name it returns a PID, not an HWND;
; the window handle is only used to look up the owning process.
Tibia_Hwnd PROC
        LOCAL PID          :DWORD

        mov PID, 0
        invoke FindWindow, offset ClientName, NULL
        .IF eax!=NULL
                ; keep the HWND out of eax: "addr PID" expands to lea eax,PID / push eax
                mov ecx, eax
                invoke GetWindowThreadProcessId, ecx, addr PID
        .ENDIF
        mov eax, PID
        ret
Tibia_Hwnd endp

Code:
Memory_Read     PROTO :DWORD,:DWORD

Code:
; Reads wordsize (1, 2 or 4) bytes at Address in the client and returns
; them in eax. Returns 0 if the client is not running or the read fails.
Memory_Read PROC Address:DWORD,wordsize:DWORD
        LOCAL PID          :DWORD
        LOCAL Buffer       :DWORD
        LOCAL PHandle      :DWORD

        mov Buffer, 0                   ; zero first: a 1- or 2-byte read only fills the low bytes
        call Tibia_Hwnd
        mov PID, eax
        .IF PID!=NULL
            ; PROCESS_VM_READ or PROCESS_QUERY_INFORMATION would be enough for reading
            invoke OpenProcess, PROCESS_ALL_ACCESS, NULL, PID
            .IF eax!=NULL
                mov PHandle, eax
                invoke ReadProcessMemory, PHandle, Address, addr Buffer, wordsize, NULL
                invoke CloseHandle, PHandle
            .ENDIF
        .ENDIF
        mov eax, Buffer
        ret
Memory_Read endp

Code:
Memory_Write    PROTO :DWORD,:DWORD,:DWORD

Code:
; Copies wordsize bytes from the buffer at newvalue (a pointer in our own
; process) to Address in the client.
Memory_Write PROC Address:DWORD,newvalue:DWORD,wordsize:DWORD
        LOCAL PID          :DWORD
        LOCAL PHandle      :DWORD

        call Tibia_Hwnd
        mov PID, eax
        .IF PID!=NULL
            ; 10h+20h+8h+400h: read, write, operation and query-information rights
            invoke OpenProcess, PROCESS_VM_READ or PROCESS_VM_WRITE or PROCESS_VM_OPERATION or PROCESS_QUERY_INFORMATION, NULL, PID
            .IF eax!=NULL
                mov PHandle, eax
                invoke WriteProcessMemory, PHandle, Address, newvalue, wordsize, NULL
                invoke CloseHandle, PHandle
            .ENDIF
        .ENDIF
        ret                             ; return to caller
Memory_Write endp

Those codes are basic memory reading/writing under win32. Here are some examples of how to use them:

Code:
invoke Memory_Read, PLAYER_HP, 4                     ; read 4 bytes at PLAYER_HP, result in eax
invoke Memory_Write, XRAY1, offset XRAYDEFAULT1, 2   ; write the 2 bytes stored at XRAYDEFAULT1 to XRAY1

I hope it helps someone.
02-06-2008, 06:00 AM
Post: #2
Woah, it's a lot easier than I thought!

Nice shit!
02-06-2008, 06:50 AM (This post was last modified: 02-07-2008 01:19 AM by Grob. Edit Reason: )
Post: #3
Isn't it a bit of a waste opening and closing the process handle, as well as finding the window, every single time you want to read from Tibia's memory? Nice work though, I really should look into using the macros more.
02-07-2008, 01:55 AM (This post was last modified: 02-07-2008 05:52 PM by Grob. Edit Reason: )
Post: #4
Asta, in your Tibia_Hwnd function I get a MASM error while compiling. It says something about invoke overwriting the eax value or something and refuses to create the exe. It was easily fixed with mov ecx, eax and using ecx in the GetWindowThreadProcessId call. I thought that might be something you could consider adding.

I got a bit interested in trying ASM while actually using invoke and .IF, which is something I've never done. I wrote my entire chat server and Win32 GUI chat client with no macros (except for Iczelion's RGB macro).

So, to get to the point. I've written a program that firstly reads the player's id from the memory, and then uses the id to get the memory address of the player in the battlelist. Thirdly, it walks to a predetermined location in Rookgaard.

It uses the updated TGoto, which is now only 7 rows using invoke instead of like 30 rows pushing everything onto the stack by myself. So now you can easily travel to any destination in Tibia.

Now, if you or anyone else is interested in the code I'd be happy to post it. I've commented almost everything so it should be very easy to understand, as well as coding it in a way which makes it easy to use/understand better.

Code:
.code
    start:
        ; First we open the process and store the handle in TPHandle
        call TGetProcess
        .IF eax == NULL
            jmp @CleanUp
        .ENDIF
        mov TPHandle, eax

        ; Read the player id from Tibia's memory and store it in Player.id
        invoke TMemoryRead, Tibia_player_id, 4
        mov Player.id, eax

        ; Find and save the players battlelist pointer in Player.Battlelist
        call TGetPlayerBLPointer
        .IF eax == 0
            jmp @CleanUp
        .ELSE
            mov Player.Battlelist, eax
        .ENDIF

        ; Move the character to a specific location
        invoke TGoto, offset tempX, offset tempY, offset tempZ

        @CleanUp:
        invoke CloseHandle, TPHandle
        invoke ExitProcess, 0
        ; ........
        ; ........
        ; Functions
02-07-2008, 03:57 AM
Post: #5
Thanks Grob, I think I've fixed it.

And about your function, that's pretty nice! We should do a thread with some functions like that to hook up the ASM Tibia programming ;D
02-07-2008, 09:40 AM
Post: #6
I'm kind of suspecting we're probably the only ones interested in it, but I enjoy creating smart functions, so I'd be up for it.
02-07-2008, 09:56 AM
Post: #7
I don't understand this coding but good that you do xD
02-07-2008, 11:13 AM (This post was last modified: 02-07-2008 11:18 AM by Grob. Edit Reason: )
Post: #8
This is the function I use to retrieve the address of the current player logged in to the client.

Since the function is taken out of its context it's hard to know how to use it. Firstly, you of course need to use OpenProcess to get access to the memory. Secondly, you read your own player id (00613B70h) from the memory, and thirdly you call the function.

So after doing this once, all you have to do to start walking with a character is set GotoX, Y, Z to the correct coordinates, then write 1 to IsWalking, which will be the eax of TGetPlayerBLPointer + 76. It would be too much providing all the functions, and I thought this would be the most interesting one.

Code:
invoke TGetPlayerBLPointer, Player.id ; eax will contain the memory address

Code:
; This function will find the pointer to the player in the battlelist
; so that we can use it every time we need to get info about
; the player in the battlelist.
; esi and edi are callee-saved in stdcall, so USES makes the PROC save
; and restore them. The entry counter lives in edi rather than ecx,
; because the Win32 calls inside TMemoryRead clobber ecx.
TGetPlayerBLPointer PROC USES esi edi, szPlayerId:DWORD

    xor edi, edi                        ; entries inspected so far

    ; Set esi to store the BL pointer
    mov esi, Tibia_battlelist_start     ; 00613BD0h
    @@:
        ; Use esi to read a player's/npc's ID from the memory in the battlelist
        invoke TMemoryRead, esi, 4

        ; If the ID just read doesn't match our player ID
        ; we add 160 to esi, so esi will point to the next ID
        ; since every battlelist entry is 160 bytes
        .IF eax != szPlayerId
            add esi, 160
            add edi, 1
            .IF edi == 149              ; If we've read through the entire battlelist, jmp to the exit @@
                mov eax, 0              ; We return 0 if we couldn't find ourselves, hence an error
                jmp @f                  ; Jmp to next @@
            .ENDIF
            jmp @b                      ; Jmp to previous @@
        .ELSE
            mov eax, esi                ; Set eax to point to our character in the battlelist
        .ENDIF
    @@:

    ret
TGetPlayerBLPointer endp
02-08-2008, 06:12 PM
Post: #9
I had some problems reading a 2 byte value with my TMemoryRead, so I added a few lines to clear the memory in 'buffer' before calling ReadProcessMemory. Not sure though, is there a simpler way of clearing 'buffer'?

Code:
; Clear the memory at buffers location
            lea eax, buffer
            mov byte ptr [eax], 0
            add eax, 1
            mov byte ptr [eax], 0
            add eax, 1
            mov byte ptr [eax], 0
            add eax, 1
            mov byte ptr [eax], 0
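The three things this thread's reads depend on, a buffer that is zeroed before the call (post #1's Memory_Read and the fix in this post), ReadProcessMemory touching only the bytes it actually read, and the fixed 160-byte stride with the 149-entry cap in post #8's TGetPlayerBLPointer, are easy to get subtly wrong in asm, so here is the same logic in C as an added example. It is not code from the thread. It runs against a constructed byte image standing in for the client's address space, so it needs neither a live client nor the Win32 API; the battlelist base address 00613BD0h, the 160-byte stride and the 149-entry limit are taken from Grob's post, while the creature ids placed in the image are made up.

```c
/* Added example, not code from the thread: the battlelist scan of
 * TGetPlayerBLPointer and the short-read problem from post #9, run against
 * a constructed in-memory image of the target instead of a live client.
 * Addresses, stride and entry cap come from the posts; entry contents are
 * made up. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BL_START   0x00613BD0u   /* Tibia_battlelist_start in post #8 */
#define BL_STRIDE  160u          /* bytes per battlelist entry (post #8) */
#define BL_MAX     149u          /* entries the loop in post #8 inspects */
#define IMAGE_SIZE (BL_STRIDE * 150u)

/* Fake target: a flat array standing in for the client's address space
 * from BL_START upward. Constructed for this example only. */
typedef struct {
    uint32_t base;
    uint8_t  bytes[IMAGE_SIZE];
} target_t;

/* Stand-in for ReadProcessMemory: copies up to 'len' bytes and returns the
 * number actually copied (0 when the address is outside the image). Like
 * the real API it writes only the bytes it read; the rest of the caller's
 * buffer is left untouched. */
static size_t mem_read(const target_t *t, uint32_t addr, void *out, size_t len)
{
    if (addr < t->base || addr - t->base >= IMAGE_SIZE) return 0;
    size_t off = addr - t->base;
    if (len > IMAGE_SIZE - off) len = IMAGE_SIZE - off;
    memcpy(out, t->bytes + off, len);
    return len;
}

/* Read a 1-, 2- or 4-byte value the way Memory_Read/TMemoryRead do.
 * The buffer is zeroed first, so a 2-byte read cannot return stale high
 * bytes (the problem fixed by hand in post #9). */
static uint32_t read_value(const target_t *t, uint32_t addr, size_t width)
{
    uint32_t buf = 0;
    if (width > sizeof buf) width = sizeof buf;
    mem_read(t, addr, &buf, width);
    return buf;  /* little-endian, as on x86 */
}

/* Same read with the buffer left uninitialised, to show the bug; 'stale'
 * stands for whatever happened to be on the stack before the call. */
static uint32_t read_value_stale(const target_t *t, uint32_t addr, size_t width, uint32_t stale)
{
    uint32_t buf = stale;
    if (width > sizeof buf) width = sizeof buf;
    mem_read(t, addr, &buf, width);
    return buf;
}

/* C version of TGetPlayerBLPointer: walk the battlelist in 160-byte steps
 * until the creature id at the start of an entry matches ours; return the
 * entry address, or 0 if it is not found within BL_MAX entries. */
static uint32_t find_player_entry(const target_t *t, uint32_t player_id)
{
    uint32_t addr = BL_START;
    for (unsigned i = 0; i < BL_MAX; i++, addr += BL_STRIDE) {
        if (read_value(t, addr, 4) == player_id)
            return addr;
    }
    return 0;
}

/* Build a target image with 'id' placed at battlelist index 'slot'; every
 * other entry gets a distinct dummy id so a miss is never an accidental hit. */
static void make_target(target_t *t, unsigned slot, uint32_t id)
{
    memset(t, 0, sizeof *t);
    t->base = BL_START;
    for (unsigned i = 0; i < 150; i++) {
        uint32_t other = 0x40000000u + i;
        memcpy(t->bytes + i * BL_STRIDE, &other, 4);
    }
    if (slot < 150) memcpy(t->bytes + slot * BL_STRIDE, &id, 4);
}

int main(void)
{
    target_t t;
    make_target(&t, 7, 0x10001234u);
    printf("player entry at 0x%08X\n", find_player_entry(&t, 0x10001234u));
    /* 2-byte read of the id's low half: zeroed buffer vs. stale buffer */
    printf("clean 0x%08X  stale 0x%08X\n",
           read_value(&t, BL_START + 7 * BL_STRIDE, 2),
           read_value_stale(&t, BL_START + 7 * BL_STRIDE, 2, 0xDEADBEEFu));
    return 0;
}
```

mem_read models the contract of ReadProcessMemory (only the bytes it read are written), read_value is the zeroed-buffer version and read_value_stale shows what the unzeroed buffer returns, and find_player_entry is the scan itself. Because the loop in post #8 returns 0 once the counter reaches 149 after a miss, it inspects entries 0 through 148, so an id sitting in entry 149 is reported as not found; the example keeps that behaviour rather than guessing at the real list size.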