
MC in ANY Tibia Cipsoft client

kor

Hello.

To enable MC in ANY Tibia Cipsoft client using just OllyDbg, basic knowledge of Olly is required, but I will try to show as much as possible in images. So in this tutorial I would like to show how to enable MC support (disabling the client's check for another open Tibia window) in any Tibia Cipsoft client (by "any" I mean clients from 7.0 to 10 with protocol 11.47 compatibility).

In every other tutorial you will see "go to offset XX and change YYYY 75 YYYY to ZZZZ EB ZZZZ" (like here), but what are those "75" and "EB" bytes? In short:
  • "75" (or any opcode from 70 to 7F) is a "jump if condition" instruction, like "jump if lower or equal", "jump if zero", "jump if not equal"
  • "EB" (or any opcode from E9 to EB) is a plain "jump" instruction, so the code ignores what's below it and jumps the given number of bytes up or down
  • "83" is a "compare" instruction (compare against a one-byte immediate value)

For a PoC (Proof of Concept) I will show you how to find it for clients 7.1, 9.0 and the latest possible 10. Where to start? We could try to find what calls the Tibia error dialog with "You can run only one Tibia client at once.", but it's easier when you know that from 8.0 Cipsoft decided to create a mutex and then raise an exception (before that, from 7.0 to 7.9, we can indeed look for that modal message).

[Screenshots: 7.1 and 9.0 error messages]

In all cases the first thing to do is open Tibia.exe in OllyDbg, then right-click the main window, select View -> Module 'Tibia' and press the CTRL+A shortcut, so the program analyzes the Tibia client code.

7.0 - 7.9 clients

Now, for clients 7.0 - 7.9 (7.1 in our example), right-click on the main window and select "Search for" -> "All referenced text strings" (for 8.0+ scroll a little down to the "8.0+ clients" chapter).

In the small window on the right, right-click, select "Search for text", type "already running" and press OK. Next, double-click the selected entry.

Now, in the main area scroll up a little and you will see something like 83 XXX, 7E XXX and then some other instructions.

So, knowing what those bytes mean, we can read it as follows (why it is that way is not our concern):
1. Compare the EAX register.
2. JLE (jump if lower or equal) 0x0E (14) bytes down and then execute the rest of the code.

But if for some reason the EAX comparison is anything other than "lower or equal", "A Tibia client is already running" will show: there is some JMP instruction to the "MessageBoxA" function and then a CALL to another function, which I guess is responsible for the client abort.

So to make the client not execute that dialog, we want to change the instruction from JLE to JMP, so the client will ignore the comparison and jump to the rest of the code. Now click on the JLE instruction and press the CTRL+E shortcut, so a window will appear.

Now, please scroll down to the "Change jump instruction" chapter.

8.0+ clients

For clients 8.0 - 10 (9.0 in our example), right-click on the main window and select "Search for" -> "All intermodular calls".

In the small window on the right, click the "Destination" column to sort the entries alphabetically and scroll to the "CreateMutexA" entry. Next, double-click the selected entry.

Now, in the main area scroll up a little and you will see something like 84 XXX, 75 XXX and then some other instructions.

So, knowing what those bytes mean, we can read it as follows (why it is that way is not our concern):
1. Test some values.
2. JNZ (jump if not zero) 0x52 (82) bytes down and then execute the rest of the code.

But if for some reason the test result is anything other than "not zero", the client will create a mutex and then, in another part, raise an exception, which I guess is responsible for the client abort.

So to make the client not execute that code, we want to change the instruction from JNZ to JMP, so the client will ignore the comparison and jump to the rest of the code. Now click on the JNZ instruction and press the CTRL+E shortcut, so a window will appear.

Change jump instruction

Now just type EB, so it replaces the old entry, and press OK.

The view has changed and we now see the instruction in red with the arrow updated. Now, to save our changes to the file, right-click on the main window, select "Copy to executable" -> "All modifications" and in the next window "Copy all".

A small window will appear with our changed code; right-click in it again and select "Save file".

And that's it! Following these steps allows you to disable the MC check in any client. Enjoy :)
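As an added example (not part of this post), here is a small Python decoder for the short-jump encodings explained above: it resolves where a "7E 0E" (JLE) or "75 52" (JNZ) actually lands and reports what a one-byte Jcc -> JMP edit did to the control flow, which is also a handy way to verify what changed when comparing a modified Tibia.exe against the original. The byte strings and load addresses used with it are constructed for illustration and are not taken from any real client.

```python
# Added example, not part of the tutorial: decode x86 short jumps (70..7F = Jcc
# rel8, EB = JMP rel8) and report what a one-byte Jcc -> JMP edit changed.

JCC_SHORT = {  # opcode -> mnemonic for the 70..7F conditional short jumps
    0x70: "JO", 0x71: "JNO", 0x72: "JB", 0x73: "JAE",
    0x74: "JZ", 0x75: "JNZ", 0x76: "JBE", 0x77: "JA",
    0x78: "JS", 0x79: "JNS", 0x7A: "JP", 0x7B: "JNP",
    0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG",
}
JMP_SHORT = 0xEB  # unconditional JMP rel8


def is_short_jump(opcode: int) -> bool:
    return opcode in JCC_SHORT or opcode == JMP_SHORT


def decode_short_jump(code: bytes, offset: int, address: int) -> dict:
    """Decode the 2-byte rel8 jump at code[offset]; `address` is its virtual address."""
    opcode = code[offset]
    if not is_short_jump(opcode):
        raise ValueError(f"0x{opcode:02X} at offset {offset} is not a rel8 jump")
    # rel8 is a signed byte counted from the END of the 2-byte instruction,
    # which is why "JLE 0E" lands 14 bytes past the jump itself.
    rel = int.from_bytes(code[offset + 1:offset + 2], "little", signed=True)
    return {"mnemonic": JCC_SHORT.get(opcode, "JMP"), "conditional": opcode != JMP_SHORT,
            "rel": rel, "target": address + 2 + rel}


def explain_patch(original: bytes, patched: bytes, base: int) -> list[str]:
    """Diff two equally long code images loaded at `base`; each changed byte is treated as an opcode."""
    if len(original) != len(patched):
        raise ValueError("images differ in length")
    notes = []
    for off, (a, b) in enumerate(zip(original, patched)):
        if a == b:
            continue
        addr = base + off
        if not (is_short_jump(a) and is_short_jump(b)):
            notes.append(f"{addr:#010x}: byte {a:02X} -> {b:02X} (not a jump edit)")
            continue
        before = decode_short_jump(original, off, addr)
        after = decode_short_jump(patched, off, addr)
        same = "same" if before["target"] == after["target"] else "different"
        cond = "still conditional" if after["conditional"] else "now unconditional"
        notes.append(f"{addr:#010x}: {before['mnemonic']} -> {after['mnemonic']}, "
                     f"target {after['target']:#010x} ({same} target, {cond})")
    return notes
```

Feeding it the constructed pair "83 F8 00 7E 0E" and "83 F8 00 EB 0E" loaded at 0x401000 reports a JLE -> JMP edit at 0x00401003 whose target stays 0x00401013, i.e. only the condition was removed, not the destination.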