
Tibia 10.11 - New login system



blackd
08-23-2013, 18:11
All my tools are now updated, except Blackd Proxy.
Blackd Proxy will be a bit harder to update because they changed the login server structure.

Now the login servers seem to be loaded from this part of the code:


004E8870 8B0D 1CF38000 MOV ECX,DWORD PTR DS:[80F31C]
004E8876 8B15 20F38000 MOV EDX,DWORD PTR DS:[80F320]
004E887C 3BCA CMP ECX,EDX
004E887E 74 0D JE SHORT Tibia.004E888D
004E8880 8079 32 00 CMP BYTE PTR DS:[ECX+32],0
004E8884 75 0A JNZ SHORT Tibia.004E8890
004E8886 83C1 38 ADD ECX,38
004E8889 3BCA CMP ECX,EDX
004E888B ^75 F3 JNZ SHORT Tibia.004E8880
004E888D 8910 MOV DWORD PTR DS:[EAX],EDX
004E888F C3 RETN
004E8890 890D 2CF38000 MOV DWORD PTR DS:[80F32C],ECX
004E8896 8908 MOV DWORD PTR DS:[EAX],ECX
004E8898 C3 RETN


In Tibia 10.11 ...
NewLoginStructPointer=&H80F31C (Windows XP address)
NewLoginStructDist=&H38 = 56 in decimal
NewLoginStructPortStep As Integer = &H2C = 44 in decimal

The pointer points to the start of some kind of structure. In that structure, 4 bytes later, you find the pointer to the first Tibia login server; 56 bytes later you find the pointer to the 2nd login server, 56 bytes later the pointer to the 3rd login server, etc. (total = 10 servers).

The port (7171) is found 44 bytes after each login pointer.

Working on it.

Jalomo
08-23-2013, 19:55
You can do it. You're the best <3

miro
08-23-2013, 21:03
OK, thanks for the info, but how to extract the current server, not just a list? Or at least its IP...

Maches
08-23-2013, 22:54
I see there are some changes on the charlist, because it's not working for me.

Jo3Bingham
08-23-2013, 23:55
Thanks, blackd. Also, ports are located &H2C = 44 from each login server pointer.

Pseudo-Code


Dim NewLoginStructPointer As Long = &H80F31C
Dim NewLoginStructServerStep As Integer = &H38
Dim NewLoginStructPortStep As Integer = &H2C

' The value at &H80F31C is the start of the structure; the first server pointer sits 4 bytes in.
Dim NewLoginStructStart As Long = Memory.ReadInt32(NewLoginStructPointer) + 4

Dim i As Integer = 0
While (i < 10)
    ' Entries are &H38 bytes apart; each holds a pointer to the server name string.
    Dim LoginServer As Long = Memory.ReadInt32(NewLoginStructStart + (i * NewLoginStructServerStep))

    Dim Server As String = Memory.ReadString(LoginServer)
    ' The port lives &H2C bytes after the server pointer.
    Dim Port As Short = Memory.ReadShort(NewLoginStructStart + (i * NewLoginStructServerStep) + NewLoginStructPortStep)

    'You can now store this server/port in an array, or whatever, before going to the next one.

    i += 1
End While


Port addresses are not constant, you can write over them. However, even after changing all servers and ports in memory my proxy makes my client display a "server offline" error with error code 0. Not sure what that's all about, haha. Hopefully you can figure it out, and if I do I'll let you know.

blackd
08-24-2013, 00:09
Thanks, blackd. Also, ports are located &H2C = 44 from each login server pointer.
Port addresses are not constant, you can write over them. However, even after changing all servers and ports in memory my proxy makes my client display a "server offline" error with error code 0. Not sure what that's all about, haha. Hopefully you can figure it out, and if I do I'll let you know.

Thank you,
Yes. I am stuck there too.
I could modify all login IPs to 127.0.0.1 and all ports to my program's listen port, but somehow it does not even try to connect to the program. Maybe the real port address is somewhere else, or maybe there is some kind of check to avoid changes.

blackd
08-26-2013, 18:47
Problem almost solved now.



proxyChecker=&H4E8660
LoginServerStartPointer=&H80F31C
LoginServerStep=&H38
HostnamePointerOffset=&H4
IPAddressPointerOffset=&H20
PortOffset=&H30

You have to change the numeric IP part too, not only the server name.

And to avoid being detected as a proxy, we just need to find the following function:


004E8660 8B40 20 MOV EAX,DWORD PTR DS:[EAX+20] ; Tibia.004E8660(guessed void)
004E8663 8038 00 CMP BYTE PTR DS:[EAX],0
004E8666 74 18 JE SHORT 004E8680
004E8668 8078 01 00 CMP BYTE PTR DS:[EAX+1],0
004E866C 74 12 JE SHORT 004E8680
004E866E 8078 02 00 CMP BYTE PTR DS:[EAX+2],0
004E8672 74 0C JE SHORT 004E8680
004E8674 8078 03 00 CMP BYTE PTR DS:[EAX+3],0
004E8678 74 06 JE SHORT 004E8680
004E867A B8 01000000 MOV EAX,1
004E867F C3 RETN
004E8680 33C0 XOR EAX,EAX
004E8682 C3 RETN

and overwrite it with bytes &H8B, &H40, &H20, &H83, &H38, 0, &HB8, 0, 0, 0, 0, &HF, &H95, &HD0, &HC3
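The login-server table layout pinned down in this thread (begin pointer at &H80F31C, &H38-byte stride, hostname pointer at +4, IP-string pointer at +&H20, port at +&H30) as an added Python example that is not from the thread or from any of the posters' tools: it walks a constructed memory image the same way the disassembled loop does (begin pointer to end pointer, one entry per stride) and decodes each entry. FakeMemory, the 0x800000 image base and the placeholder server entries are assumptions standing in for a real process reader.

```python
import struct

# Layout from the thread (Tibia 10.11 client, 32-bit, little-endian).
TABLE_BEGIN_PTR = 0x80F31C   # LoginServerStartPointer: begin of the entry array
TABLE_END_PTR = 0x80F320     # end pointer read by the disassembled loop (one past last entry)
ENTRY_STRIDE = 0x38          # LoginServerStep
HOSTNAME_PTR_OFFSET = 0x04   # HostnamePointerOffset
IP_PTR_OFFSET = 0x20         # IPAddressPointerOffset
PORT_OFFSET = 0x30           # PortOffset (4 + 0x2C from the hostname pointer)

class FakeMemory:
    """Flat byte image standing in for the client's address space (assumed helper)."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)
    def write(self, addr, data):
        self.buf[addr - self.base:addr - self.base + len(data)] = data
    def read_u32(self, addr):
        return struct.unpack_from('<I', self.buf, addr - self.base)[0]
    def read_u16(self, addr):
        return struct.unpack_from('<H', self.buf, addr - self.base)[0]
    def read_cstring(self, addr):
        off = addr - self.base
        return self.buf[off:self.buf.index(b'\x00', off)].decode('ascii')

def read_login_servers(mem):
    """Walk the entry array from begin to end pointer, stride 0x38, and decode each entry."""
    begin, end = mem.read_u32(TABLE_BEGIN_PTR), mem.read_u32(TABLE_END_PTR)
    servers = []
    for entry in range(begin, end, ENTRY_STRIDE):
        host = mem.read_cstring(mem.read_u32(entry + HOSTNAME_PTR_OFFSET))
        ip = mem.read_cstring(mem.read_u32(entry + IP_PTR_OFFSET))
        servers.append((host, ip, mem.read_u16(entry + PORT_OFFSET)))
    return servers

def build_sample_memory():
    """Constructed image with two placeholder entries; not real Tibia server data."""
    mem = FakeMemory(0x800000, 0x100000)
    table, cursor = 0x810000, 0x820000
    sample = [("login01.example.invalid", "192.0.2.1", 7171),
              ("login02.example.invalid", "192.0.2.2", 7171)]
    for i, (host, ip, port) in enumerate(sample):
        entry = table + i * ENTRY_STRIDE
        for text, field in ((host, HOSTNAME_PTR_OFFSET), (ip, IP_PTR_OFFSET)):
            mem.write(cursor, text.encode() + b'\x00')           # string body
            mem.write(entry + field, struct.pack('<I', cursor))  # pointer to it
            cursor += len(text) + 1
        mem.write(entry + PORT_OFFSET, struct.pack('<H', port))
    mem.write(TABLE_BEGIN_PTR, struct.pack('<I', table))
    mem.write(TABLE_END_PTR, struct.pack('<I', table + len(sample) * ENTRY_STRIDE))
    return mem

if __name__ == "__main__":
    for host, ip, port in read_login_servers(build_sample_memory()):
        print(f"{host} ({ip}):{port}")
```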