blackd
09-26-2016, 17:51
I noticed that Tibia 11 stores server info in some kind of collection struct.
This collection will only store 1 entry per server, no matter if your account has many chars that belong to that server.
If all your chars play on the same server, then this collection will only have 1 item.
If you have 20 chars, each of them on a different server, then this collection will have 20 items.
Tips for reverse engineering, for future updates:
- The initial key for finding this struct is searching for the game server URL in memory. For example: astera-lb.ciproxy.com
- A shortcut is using an account with only 1 char, and searching 010000000000000000000000????????????????031C0000
- You should find 2 results. Result - 0x0C = possible element. So you have ELEM0 and ELEM1. Each possible element points to a possible start address: STARTER0 and STARTER1. Check what accesses each address. Control+L to go back to the char list. Tibia should access the right one. Now you should be able to determine which one is the good start. If good start is STARTER0 then use cheat engine to search address ELEM1. If good start is STARTER0 then use cheat engine to search address ELEM1. In any case, force last offset to 0.
- You usually end up obtaining a path starting in gui or threadstack-e8; don't worry. Use the following translations to Qt5Core.dll, a stable point where all the most important things can start safely:
"THREADSTACK0"-000000E8 = "Qt5Core.dll" + 004555C8 > 8
"Qt5Gui.dll" + 00482EE4 > 28 > 0 = "Qt5Core.dll" + 004555C8 > 8
"Qt5Gui.dll" + 00482EE4 > 20 > C = "Qt5Core.dll" + 004555C8 > 4 > 20 > C
What does a Tibia 11 collection struct look like?
COLLECTION START:
[Pointer to starter item] 4 bytes
[Total count] 4 bytes
STARTER ITEM:
[Pointer 0] 4 bytes
[Pointer 1] 4 bytes
[Pointer 2] 4 bytes
[Byte 1] 1 byte, always 01
[Byte 2] 1 byte , always 01
COLLECTION ITEM:
[Pointer 0] 4 bytes - points to a random? different collection item
[Pointer 1] 4 bytes - points to a random? different collection item
[Pointer 2] 4 bytes - points to a random? different collection item
[Byte 1] 1 byte
[Byte 2] 1 byte
[Integer] 2 bytes
[KEY] 4 bytes - The key required by client to find this item. In the case of the server collection here you have a short id number that is used in the charlist as reference to this server.
[Long number] 4 bytes
[Server Name] 4 bytes - points to a QString containing game server name
[Server URL] 4 bytes - points to a QString containing game server url
[Server port] 4 bytes - game server port, for now always 7171
Current path to the collection start:
adrServerList_CollectionStart="Qt5Core.dll" + 004555C8 > 8 > 168 > 54 > 18 > 2c
An example path to test if it worked:
randomServerNameInCollection="Qt5Core.dll" + 004555C8 > 8 > 168 > 54 > 18 > 2c > 0 > 18 > 10
Some final notes:
- Reading the full collection will require a small algorithm to follow all possible pointer paths, avoiding loops.
- Tibia 11 skills are stored in a collection struct too. However they are always the same number of skills, and they are always stored in the same order so each of them can be retrieved using a fixed path. Read more here (http://www.blackdtools.net/showthread.php?62973-Tibia-11-About-the-structure-of-the-SKILLS-in-memory).
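The layout above and the "follow all pointer paths, avoiding loops" note can be exercised offline. The following is an added example, not code from the post or from blackd's tools: it builds a constructed byte image containing a COLLECTION START, a STARTER ITEM and three COLLECTION ITEMs at the offsets listed above (Pointer 0..2 at 0x0, 0x4, 0x8; KEY at 0x10; Server Name at 0x18; Server URL at 0x1C; Server port at 0x20), wires their links into cycles, and then walks the collection with a visited set so every item is decoded exactly once. The `Memory`, `read_item`, `walk_collection` and `build_sample_image` names, the base address, the server names and URLs, and the QString model (a 32-bit Qt5 QArrayData header of ref, size, alloc, offset with UTF-16 characters at +0x10, which is what the trailing "> 10" in the test path suggests) are all assumptions made for this example.

```python
import struct

BASE = 0x10000000            # constructed base address of the fake image

# Offsets inside one collection item, from the layout described in the post.
PTRS = (0x00, 0x04, 0x08)    # Pointer 0..2: links to other items
KEY_OFF, NAME_OFF, URL_OFF, PORT_OFF = 0x10, 0x18, 0x1C, 0x20


class Memory:
    """Flat byte image standing in for the client's address space (constructed)."""

    def __init__(self, image, base=BASE):
        self.image, self.base = image, base

    def u32(self, addr):
        return struct.unpack_from('<I', self.image, addr - self.base)[0]

    def qstring(self, addr):
        # Assumed Qt5 32-bit QArrayData header: ref, size, alloc, offset;
        # UTF-16 characters start at addr + offset (0x10 here, matching the post's final "> 10").
        size, offset = self.u32(addr + 4), self.u32(addr + 12)
        start = addr + offset - self.base
        return bytes(self.image[start:start + 2 * size]).decode('utf-16-le')


def read_item(mem, addr):
    """Decode the payload fields of one COLLECTION ITEM."""
    return {
        'key': mem.u32(addr + KEY_OFF),
        'name': mem.qstring(mem.u32(addr + NAME_OFF)),
        'url': mem.qstring(mem.u32(addr + URL_OFF)),
        'port': mem.u32(addr + PORT_OFF),
    }


def walk_collection(mem, collection_addr):
    """Follow every pointer path from the starter item, visiting each item once.
    Returns (declared_count, {key: item}); if the two disagree the walk was
    incomplete or the layout assumption is wrong, which is the check to run
    after a client update."""
    starter = mem.u32(collection_addr)          # [Pointer to starter item]
    count = mem.u32(collection_addr + 4)        # [Total count]
    visited = {0, starter}   # null links and the starter itself carry no entry
    pending = [mem.u32(starter + p) for p in PTRS]
    items = {}
    while pending and len(items) < count:
        addr = pending.pop()
        if addr in visited:
            continue             # loop or shared link: already decoded
        visited.add(addr)
        item = read_item(mem, addr)
        items[item['key']] = item
        pending.extend(mem.u32(addr + p) for p in PTRS)
    return count, items


def build_sample_image():
    """Constructed image: a three-server collection whose links form cycles."""
    img = bytearray(0x2000)

    def u32(addr, value):
        struct.pack_into('<I', img, addr - BASE, value)

    def qstr(addr, text):    # writes an assumed QArrayData-style QString, returns its address
        enc = text.encode('utf-16-le')
        struct.pack_into('<IIII', img, addr - BASE, 1, len(text), len(text) + 1, 0x10)
        img[addr - BASE + 0x10:addr - BASE + 0x10 + len(enc)] = enc
        return addr

    collection, starter = BASE + 0x100, BASE + 0x200
    a, b, c = BASE + 0x300, BASE + 0x340, BASE + 0x380
    # Constructed server entries: (KEY, Server Name, Server URL)
    servers = {a: (7, 'Alpha', 'alpha-lb.example.invalid'),
               b: (12, 'Beta', 'beta-lb.example.invalid'),
               c: (31, 'Gamma', 'gamma-lb.example.invalid')}
    # Pointer 0..2 of each node; note the cycles back to the starter and between items
    links = {starter: (a, 0, b), a: (starter, c, 0), b: (a, 0, c), c: (b, a, 0)}

    u32(collection, starter)
    u32(collection + 4, len(servers))
    img[starter + 0xC - BASE:starter + 0xE - BASE] = b'\x01\x01'   # the two "always 01" bytes
    cursor = BASE + 0x1000
    for item, (key, name, url) in servers.items():
        u32(item + KEY_OFF, key)
        for off, text in ((NAME_OFF, name), (URL_OFF, url)):
            u32(item + off, qstr(cursor, text))
            cursor = (cursor + 0x10 + 2 * len(text) + 2 + 3) & ~3   # next 4-byte aligned slot
        u32(item + PORT_OFF, 7171)
    for node, targets in links.items():
        for off, target in zip(PTRS, targets):
            u32(node + off, target)
    return Memory(img), collection


if __name__ == '__main__':
    mem, collection = build_sample_image()
    count, items = walk_collection(mem, collection)
    print(f'declared {count}, decoded {len(items)}')
    for key, item in sorted(items.items()):
        print(key, item['name'], item['url'], item['port'])
```

The declared [Total count] is used only as an upper bound and as a consistency check: the visited set is what actually prevents the walk from looping, so a count that disagrees with the number of decoded items is the first sign that an offset in the layout has moved.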