[Tutorial] Multi-Client Bypass

12/16/2016 00:51 M4L1F1C#1
The cause
I was asked in a post how to bypass the WT multi-client check (to run more than one WT client), and I explained how it can be done here: [link].

The information
However, let's go more in-depth.
Again, multi-client checks are fairly easy to bypass, as they rely on a mutex object (I'm not saying ALL software does this).
How does it work? Usually the application calls the 'CreateMutex' API with 3 parameters (lpMutexAttributes, bInitialOwner, lpName) upon loading, so the next time the application starts and creates the mutex, it will fail because it already exists.

Now, looking back at my code:
Code:
#include <windows.h>

auto h_Mutex = CreateMutexA(NULL, TRUE, "YOUR_MUTEX_NAME");
// A valid handle is still returned when the name exists; the signal is the last-error value
if (GetLastError() == ERROR_ALREADY_EXISTS)
    TerminateProcess(GetCurrentProcess(), 0); // uExitCode is a UINT, not a pointer
So how does WolfTeam do it?
Exactly what I just did.

The Reversing:
Here is what I reversed in WolfTeam:
[screenshot]

As you can see, EBX = lpMutexAttributes; reversing back we see "xor ebx, ebx", which means EBX is now 0, so our first parameter is NULL.
Next they push 1, aka TRUE, which I also do in my code.
Finally they push the lpName of the mutex, which is "SoftnyxWolfTeam.gme", and call CreateMutexA.
Next they call GetLastError() and check for ERROR_ALREADY_EXISTS, which is 183L; in asm it is "cmp eax, 0B7h" (0B7h = 183). If you know basic ASM you'd understand that if EAX == 0B7h they JMP back and terminate the process.

The Bypassing:
There are A LOT of ways to bypass this, to name a few:
- Change the string "SoftnyxWolfTeam.gme" to anything random in the first instance of the game
- Change 0B7h to anything else
- NOP the jump (do NOT change it to jnz, as the first instance will then fail to load)
- Hook CreateMutex and "if (strcmp(lpName, "SoftnyxWolfTeam.gme") == 0) ... modify lpName"
And many more.
I suggest selecting one of these methods and applying it to the first instance of the game (you must be fast: inject directly after you log in to the launcher).

The Credits:
- M4L1F1C (Me)
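The mechanism described under "The information" above, written out as an added example (this is not code from the post and not the game's code). On Windows it is the CreateMutexA + GetLastError pattern the post reverses; for non-Windows builds a flock()-held lock file under /tmp stands in for the named mutex so the same program compiles and runs anywhere. All names here (instance_lock, the lock-file path, the demo mutex name) are my own choices, and bInitialOwner is FALSE rather than the post's TRUE because only the object's name matters for the check.

```c
/*
 * Added example: named-object single-instance check.
 * Windows: CreateMutexA + GetLastError, as described in the post.
 * Elsewhere: a constructed stand-in using an flock()'d lock file.
 */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#  include <windows.h>
#else
#  include <fcntl.h>
#  include <sys/file.h>
#  include <unistd.h>
#endif

struct instance_lock {
    int held;            /* 1 while this process holds the instance lock */
#ifdef _WIN32
    HANDLE mutex;        /* named mutex object */
#else
    int fd;              /* lock-file descriptor that carries the flock() */
#endif
};

/* Returns 1 if this process is now the single instance for 'name', 0 otherwise. */
int instance_lock_acquire(struct instance_lock *lk, const char *name)
{
    memset(lk, 0, sizeof *lk);
#ifdef _WIN32
    /* Clear the thread's last-error value first: a fresh create does not
     * reset a stale value, it only sets ERROR_ALREADY_EXISTS when relevant. */
    SetLastError(0);
    lk->mutex = CreateMutexA(NULL, FALSE, name);   /* bInitialOwner FALSE: only the name matters */
    if (lk->mutex == NULL)
        return 0;                                   /* creation failed outright */
    if (GetLastError() == ERROR_ALREADY_EXISTS) {
        /* Another process created it first. A valid handle to the existing
         * object was still returned, so close it rather than leak it. */
        CloseHandle(lk->mutex);
        lk->mutex = NULL;
        return 0;
    }
#else
    char path[256];
    /* Lock file in /tmp; 'name' is assumed to be a plain token without '/'. */
    if (snprintf(path, sizeof path, "/tmp/%s.lock", name) >= (int)sizeof path)
        return 0;
    lk->fd = open(path, O_CREAT | O_RDWR, 0600);
    if (lk->fd < 0)
        return 0;
    /* Exclusive and non-blocking: fails if any other open file description
     * (another process, or a second open() in this one) already holds it. */
    if (flock(lk->fd, LOCK_EX | LOCK_NB) != 0) {
        close(lk->fd);
        lk->fd = -1;
        return 0;
    }
#endif
    lk->held = 1;
    return 1;
}

void instance_lock_release(struct instance_lock *lk)
{
    if (!lk->held)
        return;
#ifdef _WIN32
    CloseHandle(lk->mutex);        /* the name vanishes with its last handle */
    lk->mutex = NULL;
#else
    flock(lk->fd, LOCK_UN);
    close(lk->fd);                 /* the file stays behind; the lock does not */
    lk->fd = -1;
#endif
    lk->held = 0;
}

int main(void)
{
    struct instance_lock first, second;
    const char *name = "demo_single_instance";    /* constructed demo name */

    printf("first instance:    %s\n", instance_lock_acquire(&first, name) ? "started" : "refused");
    printf("second instance:   %s\n", instance_lock_acquire(&second, name) ? "started" : "refused");
    instance_lock_release(&first);
    printf("after first exits: %s\n", instance_lock_acquire(&second, name) ? "started" : "refused");
    instance_lock_release(&second);
    return 0;
}
```

Two details the post's snippet glosses over: CreateMutexA returns a usable handle even when the name already exists (the only signal is the last-error value, which is why the example clears it beforehand), and the whole check runs inside the client process. That second point is the real lesson of the thread: a named-mutex check is a convenience for well-behaved software, not a security control, so a limit on concurrent clients that actually has to hold belongs on the server, enforced per account or session.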
12/16/2016 11:52 __chkstk#2
Nice work
12/16/2016 14:31 sleek_#3
Hey @[user] @[user], is there a way to contact you?
Skype? TeamSpeak? Discord? Signal?
I'd like to ask you guys something.
12/16/2016 14:42 __chkstk#4
***
12/22/2016 17:34 bydesing2#5
nice work bro!