Closed: divinity76 closed this 8 years ago
In:

```vb
Public Sub AutoUpdateRSA(ByVal pid As Long)
On Error GoTo goterr
Dim pg As Integer
Dim i As Long
Dim b As Byte
Dim sb As String
Dim s As String
Dim si As Integer
' Dim sc As String
Dim maxsi As Integer
Dim backupi As Long
Dim reskey As String
frmMain.txtPackets.Text = frmMain.txtPackets.Text & vbCrLf & "Trying to autoupdate adrRSA..."
reskey = ""
pg = 0
maxsi = 1
si = 1
'sc = Mid$(RLserverRSAkey, si, 1)
sb = ""
' Hard-coded start of the memory scan (see the discussion of this value below)
i = &H500000
```
What is &H500000? Is it the default/non-ASLR address for the main thread/module of tibia.exe, or is it something else?
It is nothing special, just a reasonably low address. This was an old, lazy function not intended for public use. The function searches for the RSA key between &H500000 and &HA00000, which should be a big enough space. However, this simple code supposes ASLR is disabled; otherwise the address range depends on processBase.
The optimal, correct solution that would allow locating the address in all cases would need to search in this exact range: from processBase + &H1000 to processBase + &H1000 + processMemorySize.
It's a known problem. Anyway, in theory, we can use hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE | TH32CS_SNAPMODULE32, pid); -> Module32First(hSnapshot, &MODULEENTRY32); -> the base address of the main module is MODULEENTRY32.modBaseAddr regardless of ASLR being active or not, where I think the RSA address is stored not far away, regardless of Tibia version.
... I'm working on a test implementation now.
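An added example, not code from this issue or from the project, written in VB6 like the snippet above: it turns the Toolhelp32 sequence from the last comment into a function that resolves the main module's address range for a pid, so the scan bounds follow the module base whether or not ASLR is active, instead of the fixed &H500000. The function name, the INVALID_HANDLE_VALUE check and the use of modBaseSize as the upper bound are my own choices.

```vb
' Toolhelp32 declarations (kernel32, ANSI variants)
Private Const TH32CS_SNAPMODULE As Long = &H8
Private Const TH32CS_SNAPMODULE32 As Long = &H10
Private Const INVALID_HANDLE_VALUE As Long = -1

Private Type MODULEENTRY32
    dwSize As Long
    th32ModuleID As Long
    th32ProcessID As Long
    GlblcntUsage As Long
    ProccntUsage As Long
    modBaseAddr As Long
    modBaseSize As Long
    hModule As Long
    szModule As String * 256     ' MAX_MODULE_NAME32 + 1
    szExePath As String * 260    ' MAX_PATH
End Type

Private Declare Function CreateToolhelp32Snapshot Lib "kernel32" _
    (ByVal dwFlags As Long, ByVal th32ProcessID As Long) As Long
Private Declare Function Module32First Lib "kernel32" _
    (ByVal hSnapshot As Long, lpme As MODULEENTRY32) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As Long

' Fills scanFrom/scanTo with the main module's range (base + &H1000 up to
' base + modBaseSize, i.e. the end of the module as reported by Toolhelp32).
' Returns False if the snapshot or the first module entry could not be read,
' so the caller never scans from an unverified address.
Public Function GetMainModuleScanRange(ByVal pid As Long, _
        ByRef scanFrom As Long, ByRef scanTo As Long) As Boolean
    Dim hSnap As Long
    Dim me32 As MODULEENTRY32
    GetMainModuleScanRange = False
    hSnap = CreateToolhelp32Snapshot(TH32CS_SNAPMODULE Or TH32CS_SNAPMODULE32, pid)
    If hSnap = INVALID_HANDLE_VALUE Then Exit Function
    ' dwSize must be set before the call; Len() gives the ANSI byte size (548)
    me32.dwSize = Len(me32)
    ' The first entry in a module snapshot is the process's main executable
    If Module32First(hSnap, me32) <> 0 Then
        scanFrom = me32.modBaseAddr + &H1000
        scanTo = me32.modBaseAddr + me32.modBaseSize
        GetMainModuleScanRange = True
    End If
    CloseHandle hSnap
End Function
```

A caller then replaces the fixed `i = &H500000` with `GetMainModuleScanRange(pid, i, stopAt)` and loops while `i < stopAt`; if it returns False the update should be reported as failed rather than falling back to the hard-coded range.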