blackd
10-12-2016, 00:53
OK, I am now working on this part, which my proxy needs (it has to read the session's XTEA key out of the client to decrypt the packet stream).
For now I have found a way to locate it:
IMPORTANT: in Cheat Engine's scan settings, disable "Fast scan" (the value we look for is an instruction immediate, and immediates inside code are not guaranteed to sit on a 4-byte boundary) and enable scanning of executable memory (the constant lives in the client's code section, which a default scan of writable memory does not cover).
Just search the XTEA const called delta (please check XTEA C implementation at this wikipedia article: https://en.wikipedia.org/wiki/XTEA ).
Using Cheat Engine, search for the 4-byte hex value 61C88647 in executable memory; expect roughly 2-5 hits. Note that this is not delta itself: XTEA's delta is 0x9E3779B9, and 0x61C88647 is its two's-complement negation. The compiler emitted `sub esi,61C88647` for `sum += delta` (see the loop below), so the negated value is what is actually present in the code. Enter it as a value, not as a byte pattern -- Cheat Engine handles the little-endian layout (47 86 C8 61 in memory). Start with the second hit; if it is not inside the XTEA loop, try the others. If there are no hits at all, also try 9E3779B9, since a build that uses `add` instead of `sub` stores delta directly.
Go to Memory View > right click > Go to address > enter your choosen address.
If it is the right one, the address resolves inside the client module (shown as client.exe+offset rather than inside a DLL).
You should then be looking at the client's XTEA block routine. Right-click > "Select current function" to see it as a whole. Note that the loop in the listing is the encipher schedule (sum starts at 0 and counts up by delta each round); a decipher loop would start from the final sum and step downward, so if the client also decrypts it does so elsewhere or with a different entry -- this listing alone does not show it:
; XTEA block routine as dumped by Cheat Engine (module-relative addresses; valid only for the
; client build this dump was taken from -- re-locate it via the delta search, not by offset).
; Observed interface: `this` arrives in ecx (thiscall-style); three dword stack args --
;   [ebp+08] = pointer to the 8-byte block, [ebp+0C] and [ebp+10] = copied into the locals and
;   handed to the callee at +2E6CD0 -- and the callee cleans 12 bytes (ret 000C).
; Object fields read: [this+28] = pointer to the 4-dword (128-bit) key table,
;   [this+2C] = terminal value of the round accumulator (the loop runs until sum == it).
; Loop register roles: ebx = v0, edx = v1, esi = sum, edi = key base, eax/ecx = scratch.
; This is the encipher schedule: sum starts at 0 and grows by delta each round.
client.exe+2E6A6D - 55 - push ebp                    ; standard frame
client.exe+2E6A6E - 8B EC - mov ebp,esp
client.exe+2E6A70 - 51 - push ecx                    ; two pushes = 8 bytes of locals ([ebp-04], [ebp-08])
client.exe+2E6A71 - 51 - push ecx
client.exe+2E6A72 - 53 - push ebx                    ; save callee-saved registers
client.exe+2E6A73 - 56 - push esi
client.exe+2E6A74 - 8B 35 50030C01 - mov esi,[client.exe+330350] ; function pointer loaded from a global (import slot?); presumably a byte-order helper applied to each input word -- confirm
client.exe+2E6A7A - 57 - push edi
client.exe+2E6A7B - 8B 7D 08 - mov edi,[ebp+08]      ; edi = pointer to the 8-byte input block
client.exe+2E6A7E - 89 4D FC - mov [ebp-04],ecx      ; stash `this`
client.exe+2E6A81 - FF 37 - push [edi]               ; helper(word0)
client.exe+2E6A83 - FF D6 - call esi
client.exe+2E6A85 - FF 77 04 - push [edi+04]         ; helper(word1)
client.exe+2E6A88 - 8B D8 - mov ebx,eax              ; v0 = helper(word0)
client.exe+2E6A8A - FF D6 - call esi
client.exe+2E6A8C - 8B D0 - mov edx,eax              ; v1 = helper(word1)
client.exe+2E6A8E - 33 F6 - xor esi,esi              ; sum = 0
client.exe+2E6A90 - 8B 45 FC - mov eax,[ebp-04]      ; eax = this
client.exe+2E6A93 - 59 - pop ecx                     ; discard the two pushed args (caller cleans up after the helper)
client.exe+2E6A94 - 59 - pop ecx
client.exe+2E6A95 - 8B 48 2C - mov ecx,[eax+2C]      ; ecx = this->field_2C (terminal sum)
client.exe+2E6A98 - 89 4D 08 - mov [ebp+08],ecx      ; reuse the arg slot as the loop bound
client.exe+2E6A9B - 85 C9 - test ecx,ecx
client.exe+2E6A9D - 74 49 - je client.exe+2E6AE8     ; bound of 0 -> no rounds, skip straight to output
client.exe+2E6A9F - 8B 78 28 - mov edi,[eax+28]      ; edi = this->field_28 = key table (4 dwords)
client.exe+2E6AA2 - 8B CA - mov ecx,edx              ; -- round body: first half operates on v1 --
client.exe+2E6AA4 - 8B C2 - mov eax,edx
client.exe+2E6AA6 - C1 E0 04 - shl eax,04            ; v1 << 4
client.exe+2E6AA9 - C1 E9 05 - shr ecx,05            ; v1 >> 5
client.exe+2E6AAC - 33 C8 - xor ecx,eax              ; (v1<<4) ^ (v1>>5)
client.exe+2E6AAE - 8B C6 - mov eax,esi
client.exe+2E6AB0 - 83 E0 03 - and eax,03            ; sum & 3
client.exe+2E6AB3 - 03 CA - add ecx,edx              ; ((v1<<4) ^ (v1>>5)) + v1
client.exe+2E6AB5 - 8B 04 87 - mov eax,[edi+eax*4] << XTEA KEY HERE! ; key[sum & 3]
client.exe+2E6AB8 - 03 C6 - add eax,esi              ; sum + key[sum & 3]
client.exe+2E6ABA - 81 EE 4786C861 - sub esi,61C88647 ; sum += 0x9E3779B9 (0x61C88647 == -delta mod 2^32)
client.exe+2E6AC0 - 33 C8 - xor ecx,eax
client.exe+2E6AC2 - 03 D9 - add ebx,ecx              ; v0 += (((v1<<4)^(v1>>5))+v1) ^ (sum+key[sum&3])
client.exe+2E6AC4 - 8B CB - mov ecx,ebx              ; -- second half operates on v0 --
client.exe+2E6AC6 - 8B C3 - mov eax,ebx
client.exe+2E6AC8 - C1 E0 04 - shl eax,04            ; v0 << 4
client.exe+2E6ACB - C1 E9 05 - shr ecx,05            ; v0 >> 5
client.exe+2E6ACE - 33 C8 - xor ecx,eax              ; (v0<<4) ^ (v0>>5)
client.exe+2E6AD0 - 8B C6 - mov eax,esi
client.exe+2E6AD2 - C1 E8 0B - shr eax,0B            ; sum >> 11
client.exe+2E6AD5 - 03 CB - add ecx,ebx              ; ((v0<<4) ^ (v0>>5)) + v0
client.exe+2E6AD7 - 83 E0 03 - and eax,03            ; (sum >> 11) & 3
client.exe+2E6ADA - 8B 04 87 - mov eax,[edi+eax*4]   ; key[(sum>>11) & 3]
client.exe+2E6ADD - 03 C6 - add eax,esi              ; sum + key[(sum>>11) & 3]
client.exe+2E6ADF - 33 C8 - xor ecx,eax
client.exe+2E6AE1 - 03 D1 - add edx,ecx              ; v1 += (((v0<<4)^(v0>>5))+v0) ^ (sum+key[(sum>>11)&3])
client.exe+2E6AE3 - 3B 75 08 - cmp esi,[ebp+08]      ; loop until sum == this->field_2C
client.exe+2E6AE6 - 75 BA - jne client.exe+2E6AA2
client.exe+2E6AE8 - 8B 45 0C - mov eax,[ebp+0C]      ; copy the 2nd and 3rd stack args into the locals
client.exe+2E6AEB - 8D 4D F8 - lea ecx,[ebp-08] : (float)18940.7500 ; ecx = &locals (the float is only Cheat Engine's value hint)
client.exe+2E6AEE - 52 - push edx                    ; arg: v1
client.exe+2E6AEF - 89 45 F8 - mov [ebp-08],eax
client.exe+2E6AF2 - 8B 45 10 - mov eax,[ebp+10]
client.exe+2E6AF5 - 53 - push ebx                    ; arg: v0
client.exe+2E6AF6 - 89 45 FC - mov [ebp-04],eax
client.exe+2E6AF9 - E8 D2010000 - call client.exe+2E6CD0 ; called with ecx=&locals, then again with ecx = its return value; presumably emits the two output words -- confirm
client.exe+2E6AFE - 8B C8 - mov ecx,eax
client.exe+2E6B00 - E8 CB010000 - call client.exe+2E6CD0
client.exe+2E6B05 - 5F - pop edi                     ; restore callee-saved registers
client.exe+2E6B06 - 5E - pop esi
client.exe+2E6B07 - 5B - pop ebx
client.exe+2E6B08 - 8B E5 - mov esp,ebp              ; drop the locals
client.exe+2E6B0A - 5D - pop ebp
client.exe+2E6B0B - C2 0C00 - ret 000C               ; callee pops the three dword args
The key-table read is the `mov eax,[edi+eax*4]` instruction two lines above the `sub esi,61C88647`: edi holds the base of the 16-byte key and eax the word index (sum & 3). Select that line, right-click, and choose "Find out what addresses this instruction accesses".
client.exe+2E6AB5 - 8B 04 87 - mov eax,[edi+eax*4] << XTEA KEY HERE!
client.exe+2E6AB8 - 03 C6 - add eax,esi
client.exe+2E6ABA - 81 EE 4786C861 - sub esi,61C88647
A "Changed Addresses" window then opens showing heavy activity on 4 addresses. They are not four separate things: XTEA uses a 128-bit key, i.e. four consecutive 32-bit words, and the loop indexes them with key[sum & 3] and key[(sum >> 11) & 3]. The lowest of the four addresses is therefore the start of the 16-byte XTEA key.
Now we only need a stable way to reach that address: the key lives in a heap object (it is read through this->field_28), so its address changes every session and has to be found through a pointer chain. Run a pointer scan on the key address.
The scan returns several chains. The best-looking one is this:
"Qt5Gui.dll"+00482EE4 > 28 > 0 > 1D8 > 2F0 > 7C > B8
In practice this can be replaced by the shorter chain below (it resolves to the same object through Qt5Core.dll). Before relying on it, verify that both chains resolve to the same final address in a live client:
"Qt5Core.dll" + 004555C8 > 8 > 1D8 > 2F0 > 7C > B8
That is:
(Tibia 11.00) adrConnectionKey="Qt5Core.dll" + 004555C8 > 8 > 1D8 > 2F0 > 7C > B8
(Tibia 11.01) adrConnectionKey="Qt5Core.dll" + 004555C8 > 8 > 1D8 > 2F8 > 7C > B8
Caveat: these chains are build-specific -- one offset already moved (2F0 -> 2F8) between 11.00 and 11.01, so expect them to break on every client update. A more robust approach is to redo the delta search (or scan for the instruction bytes `81 EE 47 86 C8 61`) on each new build and re-derive the chain, rather than hard-coding offsets in the proxy.
For now I have found a way to locate it:
IMPORTANT: in Cheat Engine's scan settings, disable "Fast scan" (the value we look for is an instruction immediate, and immediates inside code are not guaranteed to sit on a 4-byte boundary) and enable scanning of executable memory (the constant lives in the client's code section, which a default scan of writable memory does not cover).
Just search the XTEA const called delta (please check XTEA C implementation at this wikipedia article: https://en.wikipedia.org/wiki/XTEA ).
Using Cheat Engine, search for the 4-byte hex value 61C88647 in executable memory; expect roughly 2-5 hits. Note that this is not delta itself: XTEA's delta is 0x9E3779B9, and 0x61C88647 is its two's-complement negation. The compiler emitted `sub esi,61C88647` for `sum += delta` (see the loop below), so the negated value is what is actually present in the code. Enter it as a value, not as a byte pattern -- Cheat Engine handles the little-endian layout (47 86 C8 61 in memory). Start with the second hit; if it is not inside the XTEA loop, try the others. If there are no hits at all, also try 9E3779B9, since a build that uses `add` instead of `sub` stores delta directly.
Go to Memory View > right click > Go to address > enter your choosen address.
If it is the right one, the address resolves inside the client module (shown as client.exe+offset rather than inside a DLL).
You should then be looking at the client's XTEA block routine. Right-click > "Select current function" to see it as a whole. Note that the loop in the listing is the encipher schedule (sum starts at 0 and counts up by delta each round); a decipher loop would start from the final sum and step downward, so if the client also decrypts it does so elsewhere or with a different entry -- this listing alone does not show it:
; XTEA block routine as dumped by Cheat Engine (module-relative addresses; valid only for the
; client build this dump was taken from -- re-locate it via the delta search, not by offset).
; Observed interface: `this` arrives in ecx (thiscall-style); three dword stack args --
;   [ebp+08] = pointer to the 8-byte block, [ebp+0C] and [ebp+10] = copied into the locals and
;   handed to the callee at +2E6CD0 -- and the callee cleans 12 bytes (ret 000C).
; Object fields read: [this+28] = pointer to the 4-dword (128-bit) key table,
;   [this+2C] = terminal value of the round accumulator (the loop runs until sum == it).
; Loop register roles: ebx = v0, edx = v1, esi = sum, edi = key base, eax/ecx = scratch.
; This is the encipher schedule: sum starts at 0 and grows by delta each round.
client.exe+2E6A6D - 55 - push ebp                    ; standard frame
client.exe+2E6A6E - 8B EC - mov ebp,esp
client.exe+2E6A70 - 51 - push ecx                    ; two pushes = 8 bytes of locals ([ebp-04], [ebp-08])
client.exe+2E6A71 - 51 - push ecx
client.exe+2E6A72 - 53 - push ebx                    ; save callee-saved registers
client.exe+2E6A73 - 56 - push esi
client.exe+2E6A74 - 8B 35 50030C01 - mov esi,[client.exe+330350] ; function pointer loaded from a global (import slot?); presumably a byte-order helper applied to each input word -- confirm
client.exe+2E6A7A - 57 - push edi
client.exe+2E6A7B - 8B 7D 08 - mov edi,[ebp+08]      ; edi = pointer to the 8-byte input block
client.exe+2E6A7E - 89 4D FC - mov [ebp-04],ecx      ; stash `this`
client.exe+2E6A81 - FF 37 - push [edi]               ; helper(word0)
client.exe+2E6A83 - FF D6 - call esi
client.exe+2E6A85 - FF 77 04 - push [edi+04]         ; helper(word1)
client.exe+2E6A88 - 8B D8 - mov ebx,eax              ; v0 = helper(word0)
client.exe+2E6A8A - FF D6 - call esi
client.exe+2E6A8C - 8B D0 - mov edx,eax              ; v1 = helper(word1)
client.exe+2E6A8E - 33 F6 - xor esi,esi              ; sum = 0
client.exe+2E6A90 - 8B 45 FC - mov eax,[ebp-04]      ; eax = this
client.exe+2E6A93 - 59 - pop ecx                     ; discard the two pushed args (caller cleans up after the helper)
client.exe+2E6A94 - 59 - pop ecx
client.exe+2E6A95 - 8B 48 2C - mov ecx,[eax+2C]      ; ecx = this->field_2C (terminal sum)
client.exe+2E6A98 - 89 4D 08 - mov [ebp+08],ecx      ; reuse the arg slot as the loop bound
client.exe+2E6A9B - 85 C9 - test ecx,ecx
client.exe+2E6A9D - 74 49 - je client.exe+2E6AE8     ; bound of 0 -> no rounds, skip straight to output
client.exe+2E6A9F - 8B 78 28 - mov edi,[eax+28]      ; edi = this->field_28 = key table (4 dwords)
client.exe+2E6AA2 - 8B CA - mov ecx,edx              ; -- round body: first half operates on v1 --
client.exe+2E6AA4 - 8B C2 - mov eax,edx
client.exe+2E6AA6 - C1 E0 04 - shl eax,04            ; v1 << 4
client.exe+2E6AA9 - C1 E9 05 - shr ecx,05            ; v1 >> 5
client.exe+2E6AAC - 33 C8 - xor ecx,eax              ; (v1<<4) ^ (v1>>5)
client.exe+2E6AAE - 8B C6 - mov eax,esi
client.exe+2E6AB0 - 83 E0 03 - and eax,03            ; sum & 3
client.exe+2E6AB3 - 03 CA - add ecx,edx              ; ((v1<<4) ^ (v1>>5)) + v1
client.exe+2E6AB5 - 8B 04 87 - mov eax,[edi+eax*4] << XTEA KEY HERE! ; key[sum & 3]
client.exe+2E6AB8 - 03 C6 - add eax,esi              ; sum + key[sum & 3]
client.exe+2E6ABA - 81 EE 4786C861 - sub esi,61C88647 ; sum += 0x9E3779B9 (0x61C88647 == -delta mod 2^32)
client.exe+2E6AC0 - 33 C8 - xor ecx,eax
client.exe+2E6AC2 - 03 D9 - add ebx,ecx              ; v0 += (((v1<<4)^(v1>>5))+v1) ^ (sum+key[sum&3])
client.exe+2E6AC4 - 8B CB - mov ecx,ebx              ; -- second half operates on v0 --
client.exe+2E6AC6 - 8B C3 - mov eax,ebx
client.exe+2E6AC8 - C1 E0 04 - shl eax,04            ; v0 << 4
client.exe+2E6ACB - C1 E9 05 - shr ecx,05            ; v0 >> 5
client.exe+2E6ACE - 33 C8 - xor ecx,eax              ; (v0<<4) ^ (v0>>5)
client.exe+2E6AD0 - 8B C6 - mov eax,esi
client.exe+2E6AD2 - C1 E8 0B - shr eax,0B            ; sum >> 11
client.exe+2E6AD5 - 03 CB - add ecx,ebx              ; ((v0<<4) ^ (v0>>5)) + v0
client.exe+2E6AD7 - 83 E0 03 - and eax,03            ; (sum >> 11) & 3
client.exe+2E6ADA - 8B 04 87 - mov eax,[edi+eax*4]   ; key[(sum>>11) & 3]
client.exe+2E6ADD - 03 C6 - add eax,esi              ; sum + key[(sum>>11) & 3]
client.exe+2E6ADF - 33 C8 - xor ecx,eax
client.exe+2E6AE1 - 03 D1 - add edx,ecx              ; v1 += (((v0<<4)^(v0>>5))+v0) ^ (sum+key[(sum>>11)&3])
client.exe+2E6AE3 - 3B 75 08 - cmp esi,[ebp+08]      ; loop until sum == this->field_2C
client.exe+2E6AE6 - 75 BA - jne client.exe+2E6AA2
client.exe+2E6AE8 - 8B 45 0C - mov eax,[ebp+0C]      ; copy the 2nd and 3rd stack args into the locals
client.exe+2E6AEB - 8D 4D F8 - lea ecx,[ebp-08] : (float)18940.7500 ; ecx = &locals (the float is only Cheat Engine's value hint)
client.exe+2E6AEE - 52 - push edx                    ; arg: v1
client.exe+2E6AEF - 89 45 F8 - mov [ebp-08],eax
client.exe+2E6AF2 - 8B 45 10 - mov eax,[ebp+10]
client.exe+2E6AF5 - 53 - push ebx                    ; arg: v0
client.exe+2E6AF6 - 89 45 FC - mov [ebp-04],eax
client.exe+2E6AF9 - E8 D2010000 - call client.exe+2E6CD0 ; called with ecx=&locals, then again with ecx = its return value; presumably emits the two output words -- confirm
client.exe+2E6AFE - 8B C8 - mov ecx,eax
client.exe+2E6B00 - E8 CB010000 - call client.exe+2E6CD0
client.exe+2E6B05 - 5F - pop edi                     ; restore callee-saved registers
client.exe+2E6B06 - 5E - pop esi
client.exe+2E6B07 - 5B - pop ebx
client.exe+2E6B08 - 8B E5 - mov esp,ebp              ; drop the locals
client.exe+2E6B0A - 5D - pop ebp
client.exe+2E6B0B - C2 0C00 - ret 000C               ; callee pops the three dword args
The key-table read is the `mov eax,[edi+eax*4]` instruction two lines above the `sub esi,61C88647`: edi holds the base of the 16-byte key and eax the word index (sum & 3). Select that line, right-click, and choose "Find out what addresses this instruction accesses".
client.exe+2E6AB5 - 8B 04 87 - mov eax,[edi+eax*4] << XTEA KEY HERE!
client.exe+2E6AB8 - 03 C6 - add eax,esi
client.exe+2E6ABA - 81 EE 4786C861 - sub esi,61C88647
A "Changed Addresses" window then opens showing heavy activity on 4 addresses. They are not four separate things: XTEA uses a 128-bit key, i.e. four consecutive 32-bit words, and the loop indexes them with key[sum & 3] and key[(sum >> 11) & 3]. The lowest of the four addresses is therefore the start of the 16-byte XTEA key.
Now we only need a stable way to reach that address: the key lives in a heap object (it is read through this->field_28), so its address changes every session and has to be found through a pointer chain. Run a pointer scan on the key address.
The scan returns several chains. The best-looking one is this:
"Qt5Gui.dll"+00482EE4 > 28 > 0 > 1D8 > 2F0 > 7C > B8
In practice this can be replaced by the shorter chain below (it resolves to the same object through Qt5Core.dll). Before relying on it, verify that both chains resolve to the same final address in a live client:
"Qt5Core.dll" + 004555C8 > 8 > 1D8 > 2F0 > 7C > B8
That is:
(Tibia 11.00) adrConnectionKey="Qt5Core.dll" + 004555C8 > 8 > 1D8 > 2F0 > 7C > B8
(Tibia 11.01) adrConnectionKey="Qt5Core.dll" + 004555C8 > 8 > 1D8 > 2F8 > 7C > B8
Caveat: these chains are build-specific -- one offset already moved (2F0 -> 2F8) between 11.00 and 11.01, so expect them to break on every client update. A more robust approach is to redo the delta search (or scan for the instruction bytes `81 EE 47 86 C8 61`) on each new build and re-derive the chain, rather than hard-coding offsets in the proxy.