blackdtools / Blackd-Proxy-CLASSIC

Blackd Proxy CLASSIC
MIT License

TryToUpdateRSA fails with ASLR (Windows Vista+) #52

Closed divinity76 closed 8 years ago

divinity76 commented 8 years ago

It's a known problem. Anyway, in theory we can use hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid); -> Module32First(hSnapshot, &MODULEENTRY32); -> the base address of the main module is MODULEENTRY32.modBaseAddr regardless of whether ASLR is active or not, and I think the RSA address is stored not far away from it, regardless of Tibia version.

.. I'm working on a test implementation now

divinity76 commented 8 years ago

in

Public Sub AutoUpdateRSA(ByVal pid As Long)
  On Error GoTo goterr
  Dim pg As Integer
  Dim i As Long          ' current address being scanned in the target process
  Dim b As Byte
  Dim sb As String
  Dim s As String
  Dim si As Integer      ' position in RLserverRSAkey that is currently being matched
  ' Dim sc As String
  Dim maxsi As Integer   ' longest prefix of the key matched so far
  Dim backupi As Long
  Dim reskey As String

  frmMain.txtPackets.Text = frmMain.txtPackets.Text & vbCrLf & "Trying to autoupdate adrRSA..."
  reskey = ""
  pg = 0
  maxsi = 1
  si = 1
  'sc = Mid$(RLserverRSAkey, si, 1)
  sb = ""
  i = &H500000           ' fixed start address of the scan

what is &H500000? Is it the default/non-ASLR address for the main thread/module of tibia.exe, or is it something else?

blackdtools commented 8 years ago

It is nothing special, just a reasonably low address. This was an old, lazy function not intended for public usage. The function searches for the RSA key between &H500000 and &HA00000, which should be a big enough space. However, this simple code supposes ASLR is disabled; otherwise the range of addresses depends on processBase.

The optimal, correct solution that would allow locating the address in all cases would need to search in exactly this range: from processBase + &H1000 to processBase + &H1000 + processMemorySize.
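Putting the two halves of the thread together (Toolhelp32 for the module base, then a scan relative to that base instead of a fixed &H500000) as an added example in C. This is not Blackd Proxy's own code and not the content of the linked fix; it is written here to show the ASLR-independent lookup. Assumptions that are mine, not the page's: the key is located by an ASCII prefix passed on the command line (the real client key is not on the page, so the built-in demo uses a constructed placeholder string), the upper bound is clamped to the end of the module image rather than extended one page past it as the maintainer's range does, and unreadable pages are zero-filled instead of aborting the scan. The constructed demo image plants a decoy copy of the prefix in the header page to show why the scan starts at base + 0x1000.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#endif

#define PAGE_SIZE_BYTES 0x1000u   /* the thread's "+ &H1000": skip the PE header page */

/* Scan image[lo, hi) for needle; return the offset inside the image, or -1. */
long find_in_range(const unsigned char *image, size_t image_len, size_t lo, size_t hi,
                   const void *needle, size_t needle_len)
{
    if (hi > image_len) hi = image_len;
    if (needle_len == 0 || lo >= hi || hi - lo < needle_len) return -1;
    for (size_t off = lo; off <= hi - needle_len; off++)
        if (memcmp(image + off, needle, needle_len) == 0) return (long)off;
    return -1;
}

/* ASLR-independent variant of the thread's search: offsets are relative to the module
   base, so the same offset is found whatever base the loader picked. */
long locate_rsa_offset(const unsigned char *image, size_t image_len, const char *key_prefix)
{
    return find_in_range(image, image_len, PAGE_SIZE_BYTES, image_len, key_prefix, strlen(key_prefix));
}

/* ---- constructed demo image (not a real client image or key) ---- */
#define DEMO_IMAGE_LEN  0x8000u
#define DEMO_KEY_OFFSET 0x2340u
static const char DEMO_KEY_PREFIX[] = "123456789012345678901234567890"; /* placeholder digits */

/* Decoy copy at 0x200 (inside the header page, must be skipped) and the real copy at
   DEMO_KEY_OFFSET. Caller frees the returned buffer. */
unsigned char *build_demo_image(void)
{
    unsigned char *image = malloc(DEMO_IMAGE_LEN);
    if (!image) return NULL;
    memset(image, 0x90, DEMO_IMAGE_LEN);
    memcpy(image + 0x200, DEMO_KEY_PREFIX, strlen(DEMO_KEY_PREFIX));
    memcpy(image + DEMO_KEY_OFFSET, DEMO_KEY_PREFIX, strlen(DEMO_KEY_PREFIX));
    return image;
}

/* Resolve the absolute key address for a hypothetical module base: 0x400000 is the
   classic non-ASLR base, any other value stands for an ASLR-randomised one. */
long demo_locate(uintptr_t module_base, uintptr_t *abs_addr)
{
    unsigned char *image = build_demo_image();
    if (!image) return -1;
    long off = locate_rsa_offset(image, DEMO_IMAGE_LEN, DEMO_KEY_PREFIX);
    free(image);
    if (off < 0) return -1;
    *abs_addr = module_base + (uintptr_t)off;
    return off;
}

#ifdef _WIN32
/* Module32First on a module snapshot returns the process's own executable first. */
static int main_module_info(DWORD pid, uintptr_t *base, size_t *size)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    MODULEENTRY32 me;
    me.dwSize = sizeof me;
    BOOL ok = Module32First(snap, &me);
    if (ok) { *base = (uintptr_t)me.modBaseAddr; *size = me.modBaseSize; }
    CloseHandle(snap);
    return ok ? 1 : 0;
}

/* Copy the image page by page; a page that ReadProcessMemory refuses stays zeroed. */
static unsigned char *dump_module(HANDLE proc, uintptr_t base, size_t size)
{
    unsigned char *image = calloc(size, 1);
    if (!image) return NULL;
    for (size_t off = 0; off < size; off += PAGE_SIZE_BYTES) {
        SIZE_T want = size - off < PAGE_SIZE_BYTES ? size - off : PAGE_SIZE_BYTES, got = 0;
        ReadProcessMemory(proc, (LPCVOID)(base + off), image + off, want, &got);
    }
    return image;
}
#endif

int main(int argc, char **argv)
{
#ifdef _WIN32
    if (argc == 3) {   /* usage: rsafind <pid> <ascii-key-prefix> */
        DWORD pid = (DWORD)strtoul(argv[1], NULL, 10);
        uintptr_t base = 0; size_t size = 0;
        if (!main_module_info(pid, &base, &size)) { fputs("module snapshot failed\n", stderr); return 1; }
        HANDLE proc = OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, FALSE, pid);
        if (!proc) { fputs("OpenProcess failed\n", stderr); return 1; }
        unsigned char *image = dump_module(proc, base, size);
        CloseHandle(proc);
        if (!image) return 1;
        long off = locate_rsa_offset(image, size, argv[2]);
        free(image);
        if (off < 0) { printf("prefix not found in [%p+0x1000, %p+0x%zx)\n", (void *)base, (void *)base, size); return 2; }
        printf("module base %p, key at offset 0x%lx, absolute %p\n", (void *)base, off, (void *)(base + off));
        return 0;
    }
#endif
    (void)argc; (void)argv;
    uintptr_t addr = 0;
    long off = demo_locate(0x400000u, &addr);
    printf("demo: offset 0x%lx, absolute 0x%lx (non-ASLR base)\n", off, (unsigned long)addr);
    demo_locate(0x1230000u, &addr);
    printf("demo: same offset, absolute 0x%lx (randomised base)\n", (unsigned long)addr);
    return off == (long)DEMO_KEY_OFFSET ? 0 : 1;
}
```

On Windows, build with a 32-bit toolchain when the target is a 32-bit client, or keep TH32CS_SNAPMODULE32 in the flags so a 64-bit build still enumerates the 32-bit module list. The demo path shows the point of the thread directly: the offset is stable across runs, the absolute address is not, so only the offset is worth caching.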

divinity76 commented 8 years ago

Fixed in https://github.com/blackdtools/Blackd-Proxy-CLASSIC/pull/54 / https://github.com/blackdtools/Blackd-Proxy-CLASSIC/commit/0c498d264576515aea5565ce0568498220845fd0