blackd
10-04-2016, 10:26
Well, we are stuck here for now. Any extra help would be nice.
Goal: We need a reliable way to determine the selected row in the character list.
Purpose: This small "stupid" part is important for proxy bots, tibiacast and much other software that depends on packets.
This is my current progress:
- I could not find a reliable path that always contains the selector. However, there seems to be a path that works for the first showing of the character list:
"Qt5Gui.dll"+00482EE4 > 20 > C > 58 > 4 > F8 > 418
This is not a full solution. However, this path may mean something.
- From a quick look at the assembly code, it looks like the real path must end in
X > 418
or
X > 3DC > 4 > DC
Why? Because if you toggle a breakpoint at
Qt5Quick.QQuickMouseEvent::y+91C0
then you can verify both paths are valid while execution is paused at that point:
[EBX+4] > 3DC > 4 > DC
[EBX+4] > 418
The problem is [EBX+4] is overwritten with trash after the execution is resumed. :(
It could be the start of a solution with the help of injection tactics. However I prefer to avoid injection for now.
Some related findings:
I already found a stable way to obtain the character list: http://www.blackdtools.net/showthread.php?62978-Tibia-11-Collection-of-server-info-AND-character-list It does not include a way to know the selection. However, I guess the selection must be somewhere near that list. We need to investigate around it.
I also found a stable way to read Tibia title after login.
adrSelectedCharName="Qt5Core.dll" + 004555C8 > 8 > C > 4 > 18 > 38 > 28
adrSelectedCharName points to a QSTRING with the character name. If you are outside the game then it will point to null (address FFFFFFF) or to an address containing an empty qstring ""
I also found a way to pause everything in the Tibia client using Cheat Engine: Memory View > Debug > Break > Select first thread in the list > OK
Pausing Tibia during char list inspection is great because otherwise the memory there seems to change a lot with each selection change. It also prevents the char list window from going away because of inactivity.
More facts:
- Somewhere in the memory there seem to be 3 chaotic places that hold the selection color for each row.
F4F4F4FF = COLOR SELECTED
C0C0C0FF = COLOR FOR ROW NOT SELECTED
Search for the array of bytes in Cheat Engine to discover them. If we can find the structure that links all the color positions then we could obtain the selection from the color.
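Added example, not code from the post and not Tibia's or Qt's own code: a small offline model of the three things the post does by hand in Cheat Engine. It parses a Cheat Engine style pointer chain such as "Qt5Core.dll" + 004555C8 > 8 > C > 4 > 18 > 38 > 28 (CE convention: each "> off" dereferences the current address and then adds off), reads the Qt5 QString the final address points at (assumed Qt 5 x86 layout: the QString is one pointer d to a 16-byte QArrayData header {ref, size, alloc/flags, offset} with UTF-16 characters at d + offset), and does the F4F4F4FF / C0C0C0FF array-of-bytes scan to turn the row colours into a selected index. The memory snapshot, the module base 0x61000000, the heap region 0x00A00000, the node layout and the name "Eloise" are all constructed for the example; against the live client you would replace Memory.read with ReadProcessMemory and the module dict with the real load addresses.

```python
import re
import struct

# Row colours reported in the post, as they appear in memory (RGBA bytes).
COLOR_SELECTED = bytes.fromhex("F4F4F4FF")
COLOR_UNSELECTED = bytes.fromhex("C0C0C0FF")

class Memory:
    """Read-only view over (base_address, bytearray) regions of a 32-bit process."""
    def __init__(self, regions):
        self.regions = regions

    def read(self, addr, n):
        for base, buf in self.regions:
            if base <= addr and addr + n <= base + len(buf):
                return bytes(buf[addr - base:addr - base + n])
        raise ValueError(f"unmapped read of {n} bytes at {addr:#010x}")

    def read_u32(self, addr):
        return struct.unpack("<I", self.read(addr, 4))[0]

CHAIN_RE = re.compile(r'^"?(?P<mod>[\w.]+)"?\s*\+\s*(?P<base>[0-9A-Fa-f]+)'
                      r'(?P<rest>(?:\s*>\s*[0-9A-Fa-f]+)*)\s*$')

def parse_chain(text):
    """'"Qt5Core.dll" + 004555C8 > 8 > C' -> ("Qt5Core.dll", 0x4555C8, [8, 0xC])."""
    m = CHAIN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Cheat Engine style chain: {text!r}")
    offsets = [int(x, 16) for x in re.findall(r"[0-9A-Fa-f]+", m.group("rest"))]
    return m.group("mod"), int(m.group("base"), 16), offsets

def resolve_chain(mem, modules, chain):
    """Cheat Engine convention: each '> off' dereferences the current address, then adds off.
    Returns None if a null/invalid pointer is hit on the way (Cheat Engine shows '??')."""
    mod, base_off, offsets = parse_chain(chain)
    addr = modules[mod] + base_off
    for off in offsets:
        try:
            ptr = mem.read_u32(addr)
        except ValueError:
            return None
        if ptr in (0, 0xFFFFFFFF):
            return None
        addr = ptr + off
    return addr

def read_qstring(mem, qstring_addr):
    """Assumed Qt 5 / x86 layout: QString is one pointer d to a 16-byte QArrayData header
    {int ref; int size; uint alloc:31,capacityReserved:1; qptrdiff offset}; the UTF-16
    characters live at d + offset.  None for a null d, "" for an empty string."""
    d = mem.read_u32(qstring_addr)
    if d in (0, 0xFFFFFFFF):
        return None
    size, offset = struct.unpack("<i4xi", mem.read(d + 4, 12))   # skip the alloc field
    if size <= 0:
        return ""
    return mem.read(d + offset, size * 2).decode("utf-16-le")

def find_color_slots(mem):
    """Array-of-bytes scan for both row colours: [(address, is_selected)] sorted by address."""
    hits = []
    for base, buf in mem.regions:
        for pat, sel in ((COLOR_SELECTED, True), (COLOR_UNSELECTED, False)):
            i = buf.find(pat)
            while i != -1:
                hits.append((base + i, sel))
                i = buf.find(pat, i + 1)
    return sorted(hits)

def selected_row(slots):
    """Index of the one selected slot (slots in row order); None if none or several."""
    sel = [i for i, (_, s) in enumerate(slots) if s]
    return sel[0] if len(sel) == 1 else None

def build_snapshot(name="Eloise", selected=1, in_game=True):
    """Constructed memory with hypothetical addresses that makes the post's chain resolve."""
    qt5core, heap = 0x61000000, 0x00A00000   # hypothetical Qt5Core.dll base and heap region
    static, h = bytearray(0x1000), bytearray(0x1000)   # Qt5Core.dll+0x455000.., heap
    def put32(buf, off, val):
        struct.pack_into("<I", buf, off, val)
    put32(static, 0x5C8, heap + 0x000)    # "Qt5Core.dll"+004555C8 -> node0
    put32(h, 0x000 + 0x08, heap + 0x100)  # node0 + 8  -> node1
    put32(h, 0x100 + 0x0C, heap + 0x200)  # node1 + C  -> node2
    put32(h, 0x200 + 0x04, heap + 0x300)  # node2 + 4  -> node3
    put32(h, 0x300 + 0x18, heap + 0x400)  # node3 + 18 -> node4
    put32(h, 0x400 + 0x38, heap + 0x500)  # node4 + 38 -> node5; final address = node5 + 28
    if in_game:
        put32(h, 0x528, heap + 0x600)     # QString d -> QArrayData block
        chars = name.encode("utf-16-le")
        struct.pack_into("<iiIi", h, 0x600, 1, len(name), 0, 16)  # ref, size, alloc, offset
        h[0x610:0x610 + len(chars)] = chars
    else:
        put32(h, 0x528, 0)                # null QString pointer, as reported outside the game
    for row in range(4):                  # four row-colour slots, one highlighted
        h[0x800 + 4 * row:0x804 + 4 * row] = COLOR_SELECTED if row == selected else COLOR_UNSELECTED
    return Memory([(qt5core + 0x455000, static), (heap, h)]), {"Qt5Core.dll": qt5core}

CHAIN_SELECTED_CHAR = '"Qt5Core.dll" + 004555C8 > 8 > C > 4 > 18 > 38 > 28'

def demo(in_game=True):
    """Resolve the chain, read the name and find the selected row in the snapshot."""
    mem, modules = build_snapshot(in_game=in_game)
    adr = resolve_chain(mem, modules, CHAIN_SELECTED_CHAR)
    name = None if adr is None else read_qstring(mem, adr)
    return adr, name, selected_row(find_color_slots(mem))
```

demo() returns the resolved adrSelectedCharName, the decoded name and the selected row index; demo(in_game=False) shows the null-pointer case the post mentions, where the chain still resolves but the QString it points at is null. The colour scan only yields a row index if the slots are found in row order, which is exactly the missing piece the post describes: the structure that links the three colour locations still has to be found.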