Xentales

Talk about stuff, and if you must, about Xenimus
PostPosted: 07 Aug 2013 01:48 

Joined: 29 Apr 2013 23:03
Posts: 161
This will hopefully be an easy-to-follow guide for finding memory addresses inside of xen. The purpose is for updating xenlua or xenscan. Let's begin, shall we?



Intro
XenLua's config is laid out as follows
Code:
<memory
      decrypt = "0x0"
      encrypt = "0x0"
      sendpacket = "0x0"
      mousex = "0x0"
      mousey = "0x0"
      wndproc = "0x0"
      curuipage = "0x0"
      localPositionX = "0x0"
      localPositionY = "0x0"
      currentViewMode = "0x0"
      updateLightSub = "0x0"
      getspell = "0x0"
      spellmanager = "0x0"
      mouseAction = "0x0"
/>

<console enabled = "0" />
<checksum value = "0x56B116F3" />
<update enabled = "1" />


What we need to change immediately before we begin is the <update> value. Set it to 0. This means xenlua will not try to update itself. We don't want it to update when it hasn't been updated by Andy yet, otherwise it will change things we don't want to change. So what I'm going to be showing you right now is how to find the first few addresses with ollydbg. I will eventually show you how to use a memory scanner to find the other addresses.

Part I - Ollydbg

First things first: open ollydbg (open with administrator rights on Vista+) and load xenimus. To do this, click File->Open and locate xenimus.exe. Once olly loads xen up you should see something like this
Image

Now the first address we want to find is the decrypt address. Decrypt is called right after the recvfrom() function is called, so if we locate that, we will find our decrypt address. Press CTRL+N to open the function calls.
Image

WS2_32.#17 is recvfrom(). Click on the function and press ENTER.
Image

Now click on the CALL, not the JMP. So click the line and press ENTER again. This will take you to the call in the code. You should now be in a new window right at the recvfrom() call. The very next CALL after it is the decrypt function.
Image

Write down that address. That's the new decrypt address.


Alright, onto encrypt. Press CTRL+N again to go to the function calls window. This time we want to find the call WS2_32.#20 (sendto()). Find the call in the list, and press ENTER.
Image

Now same drill as last time, except the encrypt call is BEFORE the sendto() call. So once you are at the call, scroll up a bit. Look for the first CALL before sendto().
Image

There's our encrypt address. Now don't change windows yet. You are actually already in the sendpacket function. We just need to scroll up to the top of the function and write down its address. It will look something like this
Image

Ok, well that's it for our packet functions. Now we need to find the cursor addresses.

Cheeseguy keeps the cursor locked to the center of the screen. He does this with the SetCursorPos() function. So all we need to do is find this call and we will find the addresses we need. Press CTRL+N to open the function calls window again. Scroll down until you find USER32.SetCursorPos
Image

Again, select that line and press ENTER.
Image

Select the CALL, not the MOV, and press ENTER again. You should see something like this. I can't really explain very well how to know which ones are the correct addresses, but if you look at the previous addresses they should somewhat resemble the new ones.
Image

So there are your mousex/y memory addresses.

Last thing I will show you how to find is the wndproc address. Press CTRL+N to open the functions window. This time we want to find USER32.DefWindowProcW
Image

Again, like before, hit ENTER.
Image

Select the CALL and hit ENTER to go to the call inside the exe. Now, like we did with the sendpacket function, we need to locate the START of the current function we are in. So scroll up until you reach the top of the function. You should see something like this.
Image

The start of the function is the wndproc address.

Next we can also use Olly to locate the localPositionX/Y addresses. Refer back to the decrypt function we found earlier. Get to the recvfrom() function in the code. Again, it should look like this
Image

Now what we want to do is scroll down until we see "case 3 of switch". This is referring to the update packet. So you should be about here
Image

Both memory addresses are float variables. They will be defined as FLD. Unfortunately, like with cursor positions, it's hard for me to really explain how to know what addresses are correct. Basically, again you need to look for 2 addresses that are similar to the old addresses. To kind of weed out some of them, the lines have to start with FLD, and the X/Y addresses will be very close to each other. So after scrolling down a tiny bit, I located the new addresses. Should be around here
Image

There you have it.



Alright, so far we have found these new addresses
Code:
decrypt = "0x4267C0"
encrypt = "0x4266F0"
sendpacket = "0x42C500"
mousex = "0x24D76A0"
mousey = "0x24C3A70"
wndproc = "0x40C7D0"

localPositionX = "0x10F9CF4"
localPositionY = "0x24CC568"


For most of the rest, you will need to use a memory search program. I will try to post the second part of this soon. Hope this helps some of you understand how easy it is to update lua/scan.


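The intro says the first thing to do is switch <update> off and then fill in the addresses by hand. The following is an added example, not XenLua's own code, that parses a config fragment laid out like the one above, flags an enabled update and any address still at 0x0, and rewrites the update flag. The sample fragment and the helper names are constructed for this example.

```python
"""Parse and sanity-check a XenLua-style config fragment (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample, following the layout shown in the post: two addresses
# filled in, the rest still 0x0, and auto-update still enabled.
SAMPLE_CONFIG = """
<memory
      decrypt = "0x4267C0"
      encrypt = "0x4266F0"
      sendpacket = "0x0"
      mousex = "0x0"
/>
<console enabled = "0" />
<checksum value = "0x56B116F3" />
<update enabled = "1" />
"""

def parse_config(text):
    """Return {'memory': {name: int}, 'update': bool, 'console': bool, 'checksum': int}.
    The fragment has several top-level elements, so wrap it in a dummy root."""
    root = ET.fromstring("<root>" + text + "</root>")
    cfg = {"memory": {}}
    mem = root.find("memory")
    if mem is not None:
        for name, value in mem.attrib.items():
            cfg["memory"][name] = int(value, 16)   # every address is hex text
    upd = root.find("update")
    cfg["update"] = upd is not None and upd.get("enabled") == "1"
    con = root.find("console")
    cfg["console"] = con is not None and con.get("enabled") == "1"
    chk = root.find("checksum")
    cfg["checksum"] = int(chk.get("value"), 16) if chk is not None else None
    return cfg

def find_problems(cfg):
    """List what must be fixed before the config is used for a manual update."""
    problems = []
    if cfg["update"]:
        problems.append('update enabled: set <update enabled = "0" /> so the '
                        "tool does not overwrite hand-found addresses")
    for name, addr in cfg["memory"].items():
        if addr == 0:
            problems.append(f"{name} is still 0x0 (not yet found)")
    return problems

def disable_update(text):
    """Return the fragment with the update flag switched off. A plain string
    edit keeps the original spacing, unlike re-serialising via ElementTree."""
    return text.replace('<update enabled = "1" />', '<update enabled = "0" />')

if __name__ == "__main__":
    for problem in find_problems(parse_config(SAMPLE_CONFIG)):
        print("-", problem)
```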
PostPosted: 07 Aug 2013 02:47 

Joined: 29 Apr 2013 23:03
Posts: 161
Part I - Continued

Alright guys, since Andy doesn't like memory searchers as they generally don't find the TRUE values, I have found out how to obtain the last few addresses using Olly.

Once again, fire up Ollydbg and load xenimus. Once loaded: right click (inside CPU window)->Search For->All referenced text strings. Then inside the window that pops up, Right click->Search for text. Enter "mainhud" and, just to be safe, uncheck "case sensitive". "mainhud" is referenced twice, so it's not hard to narrow it down to the correct one we want. Inside the referenced text strings window, select the line that says "mainhud" and hit ENTER.
Correct
Image
Incorrect
Image


Inside the correct section, the Page address is located right above the "mainhud" text.
Image


Next we need to locate the currentView address. Go back to the referenced text strings window (right click->Search for->All referenced text strings). This time, search for "WMC1". You will probably find a few different strings (like WMC10, WMC11), but it needs to be WMC1 with a black square after it (at least that's how it looks on mine)
Image

Hit ENTER, you should land somewhere like this.
Image

Now scroll down a little bit until you see the words "Default case switch of blablabla". The memory address we are looking for is right after that. It's being compared, so the line should start with CMP
Image

And there you go, you now have the view address.

Hopefully this will make it easier for others to update their LUA values while they wait for Andy to update them every time.




Part II - Cheat Engine/TSearch

There are a few memory addresses that are much easier to find using a memory scanning program than by using olly. The two we are looking for are curuipage & currentViewMode.


We will find curuipage first (I will refer to it as page from here on out). Page refers to the menu currently being displayed (i.e. main screen, login, account, server list, drop screen, trade screen, stat screen, etc.). Once you know the values of certain screens, it's pretty easy to locate the page address within a few minutes.

Ok, so for this we need to open up xenimus and then go ahead and fire up Cheat Engine (or tsearch if you know how to use it).
Image

Now click the button that is outlined, search for xenimus.exe and click Open
Image

Alright, once xenimus is at the main screen, we can begin our first search. The main screen has a value of 1. So in Cheat Engine, change the value type from "4 bytes" to "byte". Do an exact value search, type 1 into the box, then press "New Scan"
Image

Next, click login on xenimus. This screen has a value of 2. Now we need to change the 1 to a 2 and hit "Next Scan" (note: don't hit New Scan)
Image

Proceed to log in to your account. Once your character list is pulled up, do another search. This screen has a value of 9. Repeat the above step with the value of 9 instead of 2.
Image

You should now be down to only a few values. I have found both seem to work just fine, but I always just select the first value in the list. That's it for the page address, pretty simple right?



Now we are going to do the same thing for the currentViewMode address. There are only 3 values that currentViewMode can be: 1, 2, & 4
1 = top down view
2 = third person view
4 = first person view

Now, log in and go to 3rd person view. In Cheat Engine, change the new search value to 2 and hit "New Search".
Image

Then change to top down view. Do a "Next Search" of 1
Image

Finally, change to 1st person view. Do a "Next Search" of 4
Image

You should be able to tell which value you're looking for on that list. You can repeat the same steps over and over again until you get it down to 1 value if you want to be 100% accurate.



Now that we have finished, we managed to find both new addresses:
Code:
curuipage = "0x5456BC"
currentViewMode = "0x5456C4"


Last edited by lawn gnome on 08 Aug 2013 20:47, edited 1 time in total.

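Part II's "New Scan" then "Next Scan" sequence is a candidate-narrowing filter: the first scan keeps every byte holding the expected value, each later scan keeps only previous candidates that now hold the new expected value, and a byte that merely tracks the first two screen values drops out at the third. The following added example (not Cheat Engine's or the post's code) simulates that narrowing over three constructed 32-byte memory snapshots; the offsets, helper names and the 1 -> 2 -> 9 page sequence follow the post.

```python
"""Simulate Cheat Engine's New Scan / Next Scan narrowing (added example)."""
import struct

FORMATS = {1: "<B", 4: "<I"}   # the post scans 1-byte values; 4-byte kept for reference

def new_scan(snapshot, value, width=1):
    """First scan: every width-aligned offset whose little-endian integer equals value."""
    fmt = FORMATS[width]
    return {off for off in range(0, len(snapshot) - width + 1, width)
            if struct.unpack_from(fmt, snapshot, off)[0] == value}

def next_scan(snapshot, candidates, value, width=1):
    """Keep only the previous candidates that now hold value."""
    fmt = FORMATS[width]
    return {off for off in candidates
            if struct.unpack_from(fmt, snapshot, off)[0] == value}

def narrow(snapshots_and_values, width=1):
    """One New Scan followed by a Next Scan per remaining (snapshot, value) pair."""
    (first, first_value), rest = snapshots_and_values[0], snapshots_and_values[1:]
    candidates = new_scan(first, first_value, width)
    for snapshot, value in rest:
        candidates = next_scan(snapshot, candidates, value, width)
    return candidates

# Constructed "process memory" at three moments: main screen, login screen,
# character list. Offset 12 is the real page variable (1 -> 2 -> 9); offset 20
# is a decoy that tracks the first two values but not the third; the repeated
# background pattern contains plenty of stray 1s, 2s and 9s to start with.
def build_snapshot(page, decoy):
    mem = bytearray(b"\x01\x02\x09\x00\x09\x01\x00\x02" * 4)
    mem[12] = page
    mem[20] = decoy
    return bytes(mem)

SNAPSHOTS = [
    (build_snapshot(page=1, decoy=1), 1),   # main screen: expect 1
    (build_snapshot(page=2, decoy=2), 2),   # login: expect 2
    (build_snapshot(page=9, decoy=3), 9),   # character list: expect 9
]

if __name__ == "__main__":
    print(sorted(new_scan(SNAPSHOTS[0][0], 1)))   # many hits after the first scan
    print(sorted(narrow(SNAPSHOTS)))               # only the page variable survives
```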