[OTClient] How to build a Full Light Hack

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • [OTClient] How to build a Full Light Hack

    Hi,

    this tutorial is meant to build a Full Light Hack mostly based on the OTClient source code (https://github.com/edubart/otclient). You will need Cheat Engine (http://www.cheatengine.org) to follow this guide, and I'll use Medivia (OpenGL version) as an example, since their client is a customized OTClient version.



    Outline
    1. Find Light address
    2. Find and patch instructions responsible for changes to the Light address when we turn a torch on/off
    3. Find and patch instructions responsible for changes to the Light address when we get into a cave




    Find Light address



    For a light hack, of course, we somehow need to overwrite the client's light value, so we need the Light address.

    You can check that OTClient stores a light value in the creature object (or child objects in the hierarchy): https://github.com/edubart/otclient/...ent/creature.h

    At this time, the current Light structure is defined at https://github.com/edubart/otclient/...nt/thingtype.h

    The easiest way I can think of to find the Light address is to find Direction first, because Direction is a few members above Light and Direction is an enum (this means Direction is really easy to find with Cheat Engine), defined at https://github.com/edubart/otclient/...client/const.h

    Steps:
    1. Turn your character north and search for 0
    2. Turn east and search for 1
    3. Turn south and search for 2
    4. After repeating this process a bit, I'll suppose you got a single address. So, add this address to the list and browse the memory region. As we know, the Light address is really close to the Direction address. So, by turning a torch on/off we can see where the Light is stored


      If you got to this point, you know the address where Light is stored, but you need the pointer path, since it is not static. For this, add the Light address to the list and use the 'Pointer scan for this address' CE feature with the following configuration. Hint: begin with Max level 1 and increase it until you get a path


      Expected result
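    As an added illustration (not part of the thread), the successive "search for 0, turn, search for 1, ..." narrowing from the steps above, simulated in Python on constructed memory snapshots: the object layout, offsets and decoy fields are invented for the example, and the only thing taken from OTClient is the North=0, East=1, South=2 enum order.

```python
# Added example: Cheat Engine's "First scan / Next scan" narrowing, simulated on
# constructed byte snapshots of a fake creature object (offsets below are invented).
WIDTH = 4  # CE's default scan type is a 4-byte integer, which fits an enum like Direction

def scan(snapshot: bytes, value: int, candidates=None) -> set:
    """Offsets where `snapshot` holds `value` as a little-endian WIDTH-byte integer.
    If `candidates` is given, only those offsets are re-checked (a 'Next scan')."""
    needle = value.to_bytes(WIDTH, "little")
    offsets = range(len(snapshot) - WIDTH + 1) if candidates is None else candidates
    return {off for off in offsets if snapshot[off:off + WIDTH] == needle}

def narrow(observations) -> set:
    """observations: (snapshot, expected Direction) pairs, one per turn of the character."""
    found = None
    for snapshot, value in observations:
        found = scan(snapshot, value, found)
    return found

def changed_offsets(before: bytes, after: bytes, start: int, window: int) -> list:
    """Bytes that differ between two snapshots inside a window: what you spot when
    'browsing the memory region' near Direction while toggling a torch."""
    return [off for off in range(start, start + window) if before[off] != after[off]]

# Constructed layout: two decoy ints, Direction at 0x40 and a 2-byte Light
# {intensity, color} a little further on (the real Medivia offset differs).
DIRECTION_OFF, LIGHT_OFF = 0x40, 0x4C

def make_snapshot(direction: int, tick: int, light: tuple) -> bytes:
    mem = bytearray(0x60)                                      # untouched bytes stay 0
    mem[0x10:0x14] = (0).to_bytes(WIDTH, "little")             # decoy: always 0
    mem[0x20:0x24] = tick.to_bytes(WIDTH, "little")            # decoy: 0, 1, then 7
    mem[DIRECTION_OFF:DIRECTION_OFF + WIDTH] = direction.to_bytes(WIDTH, "little")
    mem[LIGHT_OFF], mem[LIGHT_OFF + 1] = light
    return bytes(mem)

# North=0, East=1, South=2 is the OTClient Direction enum order from const.h.
# The 'tick' decoy survives the first two scans and is only dropped by the third.
OBSERVATIONS = [
    (make_snapshot(0, 0, (0, 0)), 0),     # facing north, torch off
    (make_snapshot(1, 1, (0, 0)), 1),     # turned east
    (make_snapshot(2, 7, (0, 0)), 2),     # turned south
]

def find_direction_offset():
    """Returns the single surviving offset, or None if the scans have not narrowed enough yet."""
    hits = narrow(OBSERVATIONS)
    return hits.pop() if len(hits) == 1 else None

def find_light_near_direction():
    """Toggle the torch (light 0,0 -> 0xFF,0xD7) and diff the bytes just after Direction."""
    off = find_direction_offset()
    before = make_snapshot(2, 7, (0, 0))
    after = make_snapshot(2, 7, (0xFF, 0xD7))
    return changed_offsets(before, after, off, 0x20)
```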


  • #2
    Find and patch instructions responsible for changes to the Light address when we turn a torch on/off


    Every time you turn a torch on/off, the server sends that information to the client and then the client parses this message and applies a small colored light around your character. In the end, our problem can be converted to: "How can we block the client from applying these new values and stay with a value that we have provided (the full light)?"

    Well, you can find the function used by the client to parse such Light changes and nop certain things.

    This time, we'll follow another route: we'll set a breakpoint on the Light address and trick the client into always assigning a Full Light value, regardless of the real value received from the server. In other words, we are looking for a MOV instruction referencing the address with offset equal to Light in the pointer path, where we can place our Full Light value.

    The idea is:

    In C/C++, we want something like this

    Code:
    creaturePtr->setLight({FULL_INTENSITY, DAY_COLOR});

    In ASM, we want something like this

    Code:
    MOV LIGHT_ADDRESS, FULL_INTENSITY_COMBINED_WITH_FULL_COLOR

    That being said, we can just use "Find out what writes to this address" on the Light address in CE to see related code changing values without stopping client execution.

    Steps:
    • In the Light address path from 'Pointer scan' in the address list, right click it and choose Find out what writes to this address
    • Find what writes the address pointed at by this pointer
    • Turn a torch on/off and select the new entry generated by changes to the Light address, then click the Show disassembler button
    • Scroll up a bit and we'll see something like this



    We can see a few mov instructions around:

    Code:
    mov ax, [ebp-SOMETHING]
    mov [ecx+LIGHT_OFFSET], ax

    The line mov [ecx+LIGHT_OFFSET], ax in C++ means
    Code:
    creaturePtr->setLight(someLight);
    because ax holds the light value received from the server.

    Now, we want to swap this ax for our Full Light: how do we do that?
    From the sources, we know that Light is a structure 2 bytes long, and if we try to assemble this line, there's some incompatibility in opcode length, i.e., we can't do:

    Code:
    mov [ecx+LIGHT_OFFSET], FULL_LIGHT

    The line mov ax, [ebp-SOMETHING] means: assign a value from some parameter of this function to the ax register. The good news is: we can do the trick here and it solves the problem:

    Code:
    mov ax, FULL_LIGHT

    So, select this line, right click and click Assemble.
    Type
    Code:
    mov ax, D7FF

    0xFF is our full light intensity. 0xD7 is our full light color.

    After these steps, we'll have something like this

    The green circle address contains these opcodes that we need to patch with full light. The red circle contains the bytes we are going to write through WriteProcessMemory
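    As an added example (not the post's or OTClient's code), a toy encoder for the 32-bit x86 mov forms mentioned in this post shows the "incompatibility in opcode length" concretely: mov ax, D7FF is exactly as long as mov ax, [ebp-SOMETHING], while mov [ecx+LIGHT_OFFSET], FULL_LIGHT is longer than the mov [ecx+LIGHT_OFFSET], ax it would replace. LIGHT_OFFSET is taken as 0xA4 from the Lua script later in the thread; the ebp displacement is a placeholder.

```python
# Added example: a toy encoder for the 32-bit x86 instruction forms in the post,
# used to compare patch lengths. Not a general assembler (no SIB, no 64-bit forms).
REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}
REG16 = {"ax": 0, "cx": 1, "dx": 2, "bx": 3}
OPSIZE = 0x66  # operand-size prefix: 16-bit operand (ax) instead of 32-bit (eax)
NOP = 0x90

def modrm_mem(reg_field: int, base: str, disp: int) -> bytes:
    """ModRM byte plus displacement for [base+disp]: disp8 when it fits, else disp32.
    An esp base would need a SIB byte, which this toy encoder does not emit."""
    if base == "esp":
        raise ValueError("esp base needs a SIB byte; not handled here")
    if -128 <= disp <= 127:
        return bytes([(0b01 << 6) | (reg_field << 3) | REG[base], disp & 0xFF])
    return bytes([(0b10 << 6) | (reg_field << 3) | REG[base]]) + (disp & 0xFFFFFFFF).to_bytes(4, "little")

def mov_r16_imm16(reg: str, imm: int) -> bytes:             # mov ax, D7FF  ->  66 B8 FF D7
    return bytes([OPSIZE, 0xB8 + REG16[reg]]) + imm.to_bytes(2, "little")

def mov_r16_mem(reg: str, base: str, disp: int) -> bytes:   # mov ax, [ebp-SOMETHING]
    return bytes([OPSIZE, 0x8B]) + modrm_mem(REG16[reg], base, disp)

def mov_mem_r16(base: str, disp: int, reg: str) -> bytes:   # mov [ecx+LIGHT_OFFSET], ax
    return bytes([OPSIZE, 0x89]) + modrm_mem(REG16[reg], base, disp)

def mov_mem_imm16(base: str, disp: int, imm: int) -> bytes: # mov [ecx+LIGHT_OFFSET], FULL_LIGHT
    return bytes([OPSIZE, 0xC7]) + modrm_mem(0, base, disp) + imm.to_bytes(2, "little")

def inplace_patch(original: bytes, replacement: bytes) -> bytes:
    """Bytes to write over `original`: the replacement padded with NOPs to the same
    length. A longer replacement would spill into the next instruction, so refuse it."""
    if len(replacement) > len(original):
        raise ValueError(f"replacement is {len(replacement)} bytes, slot is {len(original)}")
    return replacement + bytes([NOP]) * (len(original) - len(replacement))

FULL_LIGHT = 0xD7FF   # intensity 0xFF in the low byte, color 0xD7 in the high byte
LIGHT_OFFSET = 0xA4   # lightOffset from the Lua script in this thread

def torch_patch(ebp_disp: int = -0x20) -> bytes:
    """What CE assembles over 'mov ax, [ebp-SOMETHING]' (ebp_disp is a placeholder)."""
    return inplace_patch(mov_r16_mem("ax", "ebp", ebp_disp), mov_r16_imm16("ax", FULL_LIGHT))

def store_patch_fits() -> bool:
    """mov [ecx+0xA4], imm16 is 9 bytes but mov [ecx+0xA4], ax is only 7, so the
    immediate store cannot be patched in place: the post's length incompatibility."""
    try:
        inplace_patch(mov_mem_r16("ecx", LIGHT_OFFSET, "ax"), mov_mem_imm16("ecx", LIGHT_OFFSET, FULL_LIGHT))
        return True
    except ValueError:
        return False
```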



    • #3
      Find and patch instructions responsible for changes to the Light address when we get into a cave


      If you got this far, this will be easy for you.

      At this point, every time we use a torch or cast something like utevo lux, the client writes our full light to the light address. The problem is that somewhere in OTClient, when we are on the main floor and go down +1, you will see the dark again.

      I don't like to guess where the OTClient developer wrote these things, so we will do pretty much everything we have done so far for the Torch case, except that at the first step, we'll use a torch to activate our "almost finished light hack".

      Steps:
      1. Turn a torch on/off - DO NOT CAST MAGIC SPELLS (full light gets enabled)
      2. In the Light address path from 'Pointer scan' in the address list, right click it and choose Find out what writes to this address
      3. Find what writes the address pointed at by this pointer
      4. Go down main floor +1 (e.g.: go to a cave). At this step, everything shall be in darkness and Cheat Engine shows some instruction
      5. You can follow the "same" instructions from the Torch case in the second post to get:





      How To Code


      Now, this can be done programmatically:
      1. Patch the Torch-case address (given by the Address column) with the opcode bytes (given by the Bytes column)
      2. Patch the Cave-case address (given by the Address column) with the opcode bytes (given by the Bytes column)
      3. Write the full light value to the Light address


      Check and test this sample code to be executed in Cheat Engine (Medivia OpenGL) to understand the process:

      Code:
      -- get the base address
      local baseAddress = getAddress("Medivia_OGL.exe")
      
      -- light intensity = 0xFF
      -- light color = 0xD7
      local lightValue = { 0xFF, 0xD7 }
      
      -- address to creature pointer
      local creaturePtrAddress = baseAddress + 0x00579A68
      
      -- offset to light address
      local lightOffset = 0xA4
      
      -- address to patch when we turn torch on or
      -- cast something that changes current light
      local torchAddress = baseAddress + 0xDF336
      
      -- address to patch when we change our character
      -- z position (e.g.: get into a cave) and we get a light change
      local floorChangeAddress = baseAddress + 0xE5B76
      
      -- cheat code: mov ax, D7FF
      local opcode = { 0x66, 0xB8, 0xFF, 0xD7 }
      
      -- patch with our cheat code
      writeBytes(torchAddress, opcode)
      writeBytes(floorChangeAddress, opcode)
      
      -- at end, we write our desired light to the light address
      -- to force the client display our new light:
      -- first, read pointer
      -- later, write light value to light offset
      local creaturePtr = readInteger(creaturePtrAddress)
      
      if (creaturePtr and creaturePtr ~= 0) then
      	local lightAddress = creaturePtr + lightOffset
      	writeBytes(lightAddress, lightValue)
      end



      • #4
        Great share. Keep it up



        • #5
          Plus information:

          For the Medivia_D3D version (Direct3D), if you want to just change the value in Cheat Engine you can add this address:
          "Medivia_D3D.exe" + 54C090 with pointer 0xA4

          And change the value... I prefer a value between 8 and 12... I don't like the FULL LIGHT, I prefer a big size of light.
          Using this way, if you change the floor the light comes back to normal again, so you can just "freeze" the address: click in the left side field "Active" and mark it.

          "Medivia_D3D.exe" is the base address of the Medivia client version.... for the OpenGL version you just change the name to "Medivia_OGL.exe" and you have the base address.
          54C090 is the player address and A4 is the pointer.
          THE ADDRESSES OF MEDIVIA OPENGL AREN'T EQUAL TO THE DIRECT3D VERSION!

          If you want to learn more you can just practice with some Direct3D addresses:

          public static uint playerStart_D3D = 0x54C090;
          public static uint characterName_D3D = 0x54C108;
          public static uint health_D3D = 0x320;
          public static uint healthMax_D3D = 0x328;
          public static uint mana_D3D = 0x358;
          public static uint manaMax_D3D = 0x360;
          public static uint capacity_D3D = 0x330;
          public static uint light_D3D = 0xA4;

          public static uint yPos_D3D = 0x54C6E0;
          // You can use a reference of another address to make it static... It makes your job easy
          public static uint xPos_D3D = yPos_D3D-4;
          public static uint zPos_D3D = yPos_D3D+4;
          // Some addresses are close and you just need to find the difference between one to know the position of the next.
          // The same applies to the battleList: if you find the difference between one and the other
          // you can find the pattern and know what the next address is; you can use it to scan the enemies on the screen, creating a structure like a "hasNext" method.



          Yours,
          Naresh.
          Last edited by naresh; 31-08-2016, 07:50 AM.



          • #6
            Can I also follow the tutorial to create a light hack for an old Tibia client (7.4)?



            • #7
              Originally posted by Crataeis
              Can I also follow the tutorial to create a light hack for an old Tibia client (7.4)?
              If it's the default Tibia client (tibia.exe), a similar process could be used. You could find the address that stores the light and prevent it from being modified by the client.



              • #8
                Originally posted by Blequi
                Find and patch instructions responsible for changes to the Light address when we get into a cave


                How do I use this code? I don't want to do the whole process every time I'm going to play.



                • #9
                  How do I use the code? I don't want to do the whole process every time I'm going to play. Help please



                  • #10
                    Originally posted by kingnanox
                    How do I use the code? I don't want to do the whole process every time I'm going to play. Help please
                    This thread is a 'how to'. In other words, this thread is designed for programmers, not end users looking for a light hack.



                    • #11
                      How would I go about looking for light addresses on another server? Such as http://www.nastarius.com/



                      • #12
                        Originally posted by Tinkz
                        How would I go about looking for light addresses on another server? Such as http://www.nastarius.com/
                        First of all, it all depends on the client it uses in order to play.

                        If it is OTClient, then the process described here should work; otherwise, if it's CipSoft's client, then the process differs. However, a common approach would be to search for the light radius and intensity that a brand new torch provides when activated, then pointer scan and such things.



                        • #13
                          Originally posted by Blequi
                          This thread is a 'how to'. In other words, this thread is designed for programmers, not end users looking for a light hack.
                          Very nice and easy tutorial. But I have the same problem as @kingnanox: I have to do all the steps every time I run Medivia. Is there any tutorial on how to save these changes as an exe file or something?



                          • #14
                            Originally posted by LuisPro
                            Very nice and easy tutorial. But I have the same problem as @kingnanox: I have to do all the steps every time I run Medivia. Is there any tutorial on how to save these changes as an exe file or something?
                            This can be implemented easily in most programming languages. If you want some kind of automation and don't want to code it yourself, you would be better off using a full-featured bot for Medivia. Just look around this forum for a Medivia bot.



                            • #15
                              I haven't been able to modify the values. Every time I try to modify
                              Code:
                              move rax,[rbp-0x20]
                              with anything else, Medivia crashes after I turn the torch on/off.

                              I used 0xFFD7 because I got an error with just FFD7

                              Any ideas of what I am doing wrong?
