
Finding opcodes/packet ID's from Client. (7.7/7.72)

Tony32 (Veteran OT User; joined Jun 6, 2008; messages: 1,256; reaction score: 345)
Hello Otland,
I'm currently wondering where to find all opcodes in a Tibia client. I am only interested (for the most part) in client version 7.7/7.72. If you do not know what I mean, look here: https://github.com/edubart/otclient/blob/master/src/client/protocolcodes.h

Why do I need to know where to find this?
Well, I'm gonna start working on a tool that will extract the opcodes from the client automatically. I know these can be read from the memory of the client, but I do not know where and if they are easy to read (if they are structured somehow in the client for easy finding). When an update comes around for Tibia, people are insanely quick to post the new ones if they are identified, so I believe there is an easy way to get them.

So if the opcode is unknown from the start, but the client version is the same, I would need to know the address to find the modified/changed opcode. (unless it's moved, but I don't need to go that far.. yet)

If you got any information about this it would be greatly appreciated. Post here or PM, does not matter to me.

Regards,
Tony
 
Open the Tibia client in OllyDbg and do a "Search for"..."All referenced text strings", then search for "unknown packet type" [uncheck 'Case sensitive' and check 'Entire scope']. You should find two text strings, one "unknown packet type during login" and the other "unknown packet type during game". Both of these strings are preceded by a switch. All of the cases in the switches are the opcodes you are looking for. Login opcodes are things like character list, message of the day, etc., when you log in to the client; the game opcodes are for all the protocol messages. For Tibia 7.72 these switches are located in the function at memory address 0x44A900.

The reason people are so quick to identify them now is because CipSoft's flash client is easy to decompile, and all of the protocol messages are in there. However, sometimes the opcodes in the flash client don't always match the ones in the standalone client (the opcodes are the same, but the flash client may have some that the standalone client does not). For example, with Tibia 10.76 the standalone client added auto-equip which the flash client already had, and removed creature square (and, I believe, one more) which the flash client never had.

With the latest standalone clients, CipSoft not only has the opcodes in the switch, but also the name of the protocol message (creature move, outfit, ping, etc.). You can view this by opening the latest client in OllyDbg, and doing a "Search for"..."All referenced text strings" then search for "SPENDINGSTATEENTERED" [uncheck 'Case sensitive' and check 'Entire scope'].
 
Damn, that's a nice response right there. Thanks a lot, I really appreciate that you took your time to help out a fellow stranger. I'm not at home at the moment so I can't check it out right now, but I doubt there would be any problems. It seems amazingly easy now that I've got it explained to me.
Again, thank you very much. Liked <3


Found them nicely, I just can't figure out how Olly can find out what the cases are, as shown in the screenshot:
[screenshot]

CALL, MOV, MOV then JUMP, and repeat between most cases, but I can't find where Olly actually finds out what the cases are :S
 
Olly doesn't "know" what the cases are, it just knows the value of each case. CALL calls the function that parses that particular case. Only CipSoft knows what each case is, but we can manually figure them out. One way is to set a breakpoint on each case, or one at a time, and log in and see what causes that case to trigger. Then you can follow the CALL, and use that function to parse the packet. If you were doing this from scratch, without any previous knowledge of the protocol, it would take time and patience to understand each packet. Luckily for us, we can use the flash client now to get opcodes and know exactly how to parse each packet, and what each byte refers to.
 
Olly doesn't "know" what the cases are, it just knows the value of each case.
Thanks again for answering!
I must've been unclear, sorry, but I just meant that Olly seems to know what the input in the switch statement compares to (the "cases" so to speak).
I can't explain it really well, but for example the first Case in the screenshot is Case A, which is 10 in decimal which probably equals to the "GameServerLoginOrPendingState = 10" (as in OTC) (Ignore what they really are for, I just want to know where and how to get to them)

Does that case basically, in if-statement form, look like this?
Code:
if (switchInput == 0x0A) {   // Case A in Olly
    // do stuff
}
if (switchInput == 0x0B) {   // Case B in Olly
    // do stuff
}
if (switchInput == 0x14) {   // Case 14 in Olly
    // do stuff
}

(as in the screenshot)

So I just want to know if that's correct, and where I can actually find those cases in memory, like the ones shown in Olly (A, B, 14, 1E, 1F (those are the actual opcodes, right?)) and so on. Get it? Or am I totally mistaken about this?

Regarding the flash client, that's nice, but I am only working on the 7.72 client right now.

Thanks again!


EDIT: facepalming myself, the cases are the actual opcodes I'm looking for right? Just where in memory are they located?
 
Yes, the cases are the opcodes.

And:
Code:
switch (opcode) {
    case 0x0A:
        //do stuff
        break;
    case 0x0B:
        //do stuff
        break;
    ...
}
Which is the same as:
Code:
if (opcode == 0x0A) {
    //do stuff
} else if (opcode == 0x0B) {
    //do stuff
}
 
Ahh, that's exactly it. I just can't find where those case values (0x0A, 0x0B and so forth) are stored in memory; the memory view of the case area doesn't make me any smarter, unfortunately.
 
Bump, I just need to know where one of them is, that way I will know where to find the others x)
 
@Jo3Bingham Are you sure that those are the opcodes? I've been comparing the switch cases in different clients (still 7.72 so addresses are the same) but the opcodes are identical even if I know that they have been modified (custom client)
Any idea why that is?

I've been comparing the original unmodified 7.72 client to Classicus for example (that I know for sure have custom opcodes) still exact same in Olly
 
Yes, I'm sure that's the opcodes. The ASCII string "unknown packet type during..." immediately following the switch gives it away. As for Classicus, if they're still using code that I made for their anti-bot client (and I'm sure they are) the custom opcodes aren't modified in the switch case, but in their injected DLL.
 
Ahh, I see. Thanks for clarifying, mate.
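Tony's goal of extracting the opcodes automatically, and the client-to-client comparison he attempts above, as an added example that is not from the thread or any of its posters: a small Python parser over a text export of an OllyDbg listing that collects the "Case X of switch Y" annotations Olly shows and attributes each switch to the "unknown packet type during login/game" string pushed right after it, then diffs two clients' opcode sets. The listing itself, its addresses, bytes and jump targets are constructed for the example; only the case values and the two strings come from the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed listing in the style of an OllyDbg disassembly export; addresses,
# bytes and jump targets are made up for this example, not from a real client.
SAMPLE_LISTING = """\
00401000  83F8 0A        CMP EAX,0A
00401003  0F84 F70F0000  JE 00402000                ; Case A of switch 00401000
00401009  83F8 0B        CMP EAX,0B
0040100C  0F84 1E100000  JE 00402030                ; Case B of switch 00401000
00401012  83F8 14        CMP EAX,14
00401015  0F84 45100000  JE 00402060                ; Case 14 of switch 00401000
0040101B  68 00304000    PUSH 00403000              ; ASCII "unknown packet type during login"
00401020  83F8 1E        CMP EAX,1E
00401023  0F84 67100000  JE 00402090                ; Case 1E of switch 00401020
00401029  83F8 1F        CMP EAX,1F
0040102C  0F84 8E100000  JE 004020C0                ; Case 1F of switch 00401020
00401032  68 30304000    PUSH 00403030              ; ASCII "unknown packet type during game"
"""

CASE_RE = re.compile(r"Case ([0-9A-Fa-f]+) of switch ([0-9A-Fa-f]{8})")
UNKNOWN_RE = re.compile(r'ASCII "unknown packet type during (\w+)"')


def extract_opcodes(listing: str) -> Dict[str, List[int]]:
    """Map 'login'/'game' to the sorted case values of the switch that
    precedes the matching "unknown packet type during ..." reference."""
    cases: Dict[str, set] = {}      # switch address -> case values seen
    last_switch = None
    result: Dict[str, List[int]] = {}
    for line in listing.splitlines():
        m = CASE_RE.search(line)
        if m:
            last_switch = m.group(2).upper()
            cases.setdefault(last_switch, set()).add(int(m.group(1), 16))
            continue
        u = UNKNOWN_RE.search(line)
        if u and last_switch is not None:
            # the string is pushed in the default path right after the switch
            result[u.group(1)] = sorted(cases[last_switch])
    return result


def diff_opcodes(old: Dict[str, List[int]], new: Dict[str, List[int]]) -> Dict[str, Tuple[List[int], List[int]]]:
    """Per phase, (opcodes removed, opcodes added) between two clients."""
    out: Dict[str, Tuple[List[int], List[int]]] = {}
    for phase in sorted(set(old) | set(new)):
        a, b = set(old.get(phase, [])), set(new.get(phase, []))
        if a != b:
            out[phase] = (sorted(a - b), sorted(b - a))
    return out
```

An empty diff against a modified client is consistent with the explanation above: a remapping done in an injected DLL never touches the switch in the on-disk binary, so a static comparison cannot see it.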
 