Hello.
This tutorial shows how to enable MC support in ANY Tibia CipSoft client using just OllyDbg, that is, how to disable the client's check for another open Tibia window. By "any" I mean clients from 7.0 to 10 with protocol 11.47 compatibility. Basic knowledge of Olly is required, but I will try to show as much as possible in images.
In every other tutorial you will see "go to offset XX and change YYYY 75 YYYY to ZZZZ EB ZZZZ" (like here), but what are those "75" and "EB" bytes? In short:
- "75" (or any byte from 70 to 7F) is a "jump if condition" instruction, such as "jump if lower or equal", "jump if zero" or "jump if not equal"
- "EB" (or any byte from E9 to EB) is a plain "jump" instruction, so the code will ignore what's under it and jump the given number of bytes up or down
- "83" is the "compare" instruction
As a PoC (Proof of Concept) I will show you how to find it for clients 7.1, 9.0 and the latest possible 10. Where to start? We could try to find what calls the Tibia error dialog with "You can run only one Tibia client at once.", but it is easier once you know that from 8.0 on CipSoft decided to create a mutex and then raise an exception (before that, from 7.0 to 7.9, we can indeed look for that modal message).
7.1 and 9.0 error messages
In all cases, the first thing to do is open Tibia.exe with OllyDbg, then right-click on the main window, select View -> Module 'Tibia' and press the CTRL+A shortcut so the program analyzes the Tibia client code.
7.0 - 7.9 clients
Now, for clients 7.0 - 7.9 (7.1 in our example), right-click on the main window and select "Search for" -> "All referenced text strings" (for 8.0+, scroll down a little to the "8.0+ clients" chapter).
In the small window on the right, right-click, select "Search for text", type "already running" and press OK. Next, double-click on the selected entry.
Now, in the main area scroll up a little and you will see something like 83 XXX, 7E XXX and then some other instructions.
Since we know what those bytes mean, we can read them as follows (why it is that way is not our concern):
1. Compare EAX register
2. JLE (jump if lower or equal) 0x0E (14) bytes down and then execute the rest of the code.
But if for some reason the EAX comparison is other than "lower or equal", "A Tibia client is already running" will show - there is some JMP instruction to the "MessageBoxA" function and then a CALL to another function, which I guess is responsible for the client abort.
So to make the client not execute that dialog, we want to change the instruction from JLE to JMP, so the client will ignore the comparison and jump to the rest of the code. Click on the JLE instruction and press the CTRL+E shortcut, and a window will appear.
Now, please scroll down to the "Change jump instruction" chapter.
8.0+ clients
For clients 8.0 - 10 (9.0 in our example), right-click on the main window and select "Search for" -> "All intermodular calls".
In the small window on the right, click on the "Destination" column to sort the entries alphabetically and scroll to the "CreateMutexA" entry. Next, double-click on the selected entry.
Now, in the main area scroll up a little and you will see something like 84 XXX, 75 XXX and then some other instructions.
Since we know what those bytes mean, we can read them as follows (why it is that way is not our concern):
1. Test some values.
2. JNZ (jump if not zero) 0x52 (82) bytes down and then execute the rest of the code.
But if for some reason the test is other than "not zero", the client will create a mutex and then, in another part, raise an exception, which I guess is responsible for the client abort.
So to make the client not execute that code, we want to change the instruction from JNZ to JMP, so the client will ignore the comparison and jump to the rest of the code. Click on the JNZ instruction and press the CTRL+E shortcut, and a window will appear.
Change jump instruction
Now just type EB so it replaces the old entry, and press OK.
The view has changed and the instruction is now shown in red with the arrow updated. To save our changes to the file, right-click on the main window, select "Copy to executable" -> "All modifications" and in the next window "Copy all".
A small window will appear with our changed code, so right-click in it again and select "Save file".
And that's it! Following these steps allows you to disable the MC check in any client. Enjoy
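The change this post describes is a one-byte edit: a short conditional jump opcode (70 to 7F) becomes EB while the displacement byte after it stays the same. As an added example (not part of the original post), the Python below compares a file against a known-good copy and reports exactly that pattern, which is how an integrity check notices such a patch. The function names and the sample bytes are constructed for illustration, and the comparison works on raw bytes without disassembling.

```python
# Added example: flag single-byte "Jcc rel8 -> JMP rel8" patches by
# comparing a file against a known-good copy. Sample bytes are constructed.
JCC_SHORT = {
    0x70: "JO", 0x71: "JNO", 0x72: "JB", 0x73: "JNB",
    0x74: "JZ", 0x75: "JNZ", 0x76: "JBE", 0x77: "JA",
    0x78: "JS", 0x79: "JNS", 0x7A: "JP", 0x7B: "JNP",
    0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG",
}
JMP_SHORT = 0xEB


def rel8(byte):
    """Interpret one byte as the signed 8-bit displacement of a short jump."""
    return byte - 0x100 if byte >= 0x80 else byte


def find_forced_jumps(original, candidate):
    """Return one finding per offset where a short conditional jump in
    `original` has become an unconditional short jump in `candidate`."""
    if len(original) != len(candidate):
        raise ValueError("size mismatch: not an in-place patch")
    findings = []
    for off in range(len(original) - 1):
        old, new = original[off], candidate[off]
        if old in JCC_SHORT and new == JMP_SHORT:
            disp = rel8(candidate[off + 1])
            findings.append({
                "offset": off,
                "was": JCC_SHORT[old],
                "displacement": disp,
                # A short jump is 2 bytes; the target is relative to the next instruction.
                "target": off + 2 + disp,
            })
    return findings


# Constructed sample: CMP EAX,0 / JLE +0x0E / 14 filler bytes / RET
GOOD = bytes.fromhex("83f800" "7e0e") + b"\x90" * 14 + b"\xc3"
PATCHED = bytes.fromhex("83f800" "eb0e") + b"\x90" * 14 + b"\xc3"

if __name__ == "__main__":
    for f in find_forced_jumps(GOOD, PATCHED):
        print("0x%04x: %s -> JMP, rel8=%+d, target=0x%04x"
              % (f["offset"], f["was"], f["displacement"], f["target"]))
```

A byte in the 70 to 7F range is not always an opcode, so a finding is a lead to confirm in a disassembler rather than proof on its own.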