Hello all.
I've noticed a huge number of people asking how to do multiclient without the date going off and how to remove the virus scanner etc. This is a small tutorial to teach people how to make those by themselves.
Requirements :
- OllyDBG

- Conquer patched up to 5035.
Note: steps 0-1 are the same for all of the modifications.
0. BACKUP YOUR Conquer.exe BEFORE DOING ANYTHING
1. Open Conquer in OllyDBG (File -> Open -> Browse for Conquer.exe) and let it process the exe.
[Creating Multiclient]
2. Right click on the CPU window -> Search for -> All referenced text strings

3. Scroll up in the list.
4. Right click -> Search for text and type in search box "TQ_CONQUER"
5. Double click the line that says "TQ_CONQUER"

6. Notice the line I have highlighted that says "PUSH 2". This line determines how many clients you can open.
7. You can change the value in it to anything between 0 and 7F (hex).
8. OK, now we have changed the value to 7F! How do we save it?
9. Right click CPU window -> Copy to executable -> All modifications -> Copy All
10. Now a new window has opened -> Right click on it -> Save file -> Browse for a location (don't save it in the same folder as the original at first)
11. Now you need to close OllyDBG and copy the Conquer.exe to Conquer folder!
[/Creating Multiclient]
[Removing 'Virus' scanner]
2. Right click on the CPU window -> Search for -> All referenced text strings
3. Scroll up in the list.
4. Right click -> Search for text and type in search box "ZFTqat"
5. Double click the line that says "ZFTqat"

6. Do as I did: highlight those addresses -> Right click on CPU window -> Binary -> Fill with NOPs (NOP = No OPeration)
7. Right click CPU window -> Copy to executable -> All modifications -> Copy All
8. Now a new window has opened -> Right click on it -> Save file -> Browse for a location (don't save it in the same folder as the original at first)
9. Now you need to close OllyDBG and copy the Conquer.exe to Conquer folder!
[/Removing 'Virus' scanner]
[Running Conquer.exe directly]
2. Click on CPU window then press Ctrl + F (Open up a command search window)
3. Find "PUSH 273F" The code should look like this. (Couple lines up & down)
Code:
004687F6 . 83F8 01 CMP EAX,1
004687F9 . 7C 18 JL SHORT Conquer.00468813
004687FB . 8D85 ECFAFFFF LEA EAX,DWORD PTR SS:[EBP-514]
00468801 . 68 D0DB5500 PUSH Conquer.0055DBD0 ; /s2 = "blacknull"
00468806 . 50 PUSH EAX ; |s1
00468807 . FF15 CC555200 CALL DWORD PTR DS:[<&MSVCRT._stricmp>] ; _stricmp
0046880D . 59 POP ECX
0046880E . 85C0 TEST EAX,EAX
00468810 . 59 POP ECX
00468811 74 29 JE SHORT Conquer.0046883C
00468813 > FF15 54505200 CALL DWORD PTR DS:[<&GraphicData.GameDat>; GraphicD.GameDataSetQuery
00468819 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
0046881B . 6A 10 PUSH 10
0046881D . 68 C8DB5500 PUSH Conquer.0055DBC8 ; ASCII "Error"
00468822 . 68 3F270000 PUSH 273F
00468827 . 8BC8 MOV ECX,EAX
00468829 . FF52 3C CALL DWORD PTR DS:[EDX+3C]
0046882C . 50 PUSH EAX ; |Text
0046882D . 6A 00 PUSH 0 ; |hOwner = NULL
0046882F . FF15 08575200 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; MessageBoxA
Notice the
Code:
004687F6 . 83F8 01 CMP EAX,1
004687F9 . 7C 18 JL SHORT Conquer.00468813
Change the
Code:
004687F9 . 7C 18 JL SHORT Conquer.00468813
Into
Code:
004687F9 . EB 41 JMP SHORT 0046883C
4. Right click CPU window -> Copy to executable -> All modifications -> Copy All
5. Now a new window has opened -> Right click on it -> Save file -> Browse for a location (don't save it in the same folder as the original at first)
6. Now you need to close OllyDBG and copy the Conquer.exe to Conquer folder!
[/Running Conquer.exe directly]
[Enabling PM Commands]
1. Back up your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)
3. Right click -> Search for -> All referenced text strings -> "PM"
4. Double click the "[PM]" that came up on search.
You should see code block like this :
Code:
004A6A2A |. 8D7405 D4 LEA ESI,DWORD PTR SS:[EBP+EAX-2C]
004A6A2E |. 8D46 FC LEA EAX,DWORD PTR DS:[ESI-4]
004A6A31 |. 3BC6 CMP EAX,ESI
004A6A33 |. 74 17 JE SHORT Conquer.004A6A4C ; dark orange
004A6A35 BF 2C005600 MOV EDI,Conquer.0056002C ; ASCII "[PM]"
004A6A3A |. 2BF8 SUB EDI,EAX
004A6A3C |> 8A08 /MOV CL,BYTE PTR DS:[EAX] ; red (start)
004A6A3E |. 3A0C07 |CMP CL,BYTE PTR DS:[EDI+EAX]
004A6A41 |. 0F85 08050000 |JNZ Conquer.004A6F4F
004A6A47 |. 40 |INC EAX
004A6A48 |. 3BC6 |CMP EAX,ESI
004A6A4A |.^75 F0 JNZ SHORT Conquer.004A6A3C ; red (end)
004A6A4C |> A0 48AB5600 MOV AL,BYTE PTR DS:[56AB48] ; dark orange (address only)
There are two ways of achieving the goal:
First way :
- NOP all those parts that I've colored red; it's basically the check whether your name contains [PM]
Second way :
- You notice the part that I've colored Dark Orange?
Code:
004A6A33 |. 74 17 JE SHORT Conquer.004A6A4C
- If you look closely at the address it jumps to, you should notice that it jumps straight past the check;
- Click that JE address and hit spacebar to assemble it
- Change it to ->
Code:
004A6A33 |. EB 17 JMP SHORT 004A6A4C
I'll add screenshots if requested.
[/Enabling PM Commands]
[Removing the popup(s)]
1. Back up your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)
3. Right click -> Search for -> All referenced text strings -> "co.91.com" > Double click it > You should see lines like this
Code:
00477A9F > 68 F4E05500 PUSH Conquer.0055E0F4 ; ASCII "http://co.91.com/signout/"
00477AA4 . E9 DB000000 JMP Conquer.00477B84
00477AA9 > FFD7 CALL EDI
00477AAB . 8B10 MOV EDX,DWORD PTR DS:[EAX]
4. Click this line
Code:
00477AA4 . E9 DB000000 JMP Conquer.00477B84
5. Push enter (It follows the jmp)
6. Now you should see lines like this
Code:
00477B84 53 PUSH EBX ; |Operation
00477B85 FF76 20 PUSH DWORD PTR DS:[ESI+20] ; |hWnd
00477B88 FF15 78565200 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; ShellExecuteA
7. Select all of those lines > Right Click > Binary > Fill with NOPs
8. After that the view in ollydbg should be like this
Code:
00477B84 90 NOP ; |Operation
00477B85 90 NOP ; |hWnd
00477B86 90 NOP
00477B87 90 NOP
00477B88 90 NOP ; ShellExecuteA
00477B89 90 NOP
00477B8A 90 NOP
00477B8B 90 NOP
00477B8C 90 NOP
00477B8D 90 NOP
9. Right click > Search for > All referenced text strings > Search for next
10. Double click the line and you should see lines like this
Code:
00477FED > 68 F4E05500 PUSH Conquer.0055E0F4 ; ASCII "http://co.91.com/signout/"
00477FF2 . E9 DB000000 JMP Conquer.004780D2
11. Click this line
Code:
00477FF2 . E9 DB000000 JMP Conquer.004780D2
12. Hit enter to follow the jmp and you should come to lines like these
Code:
004780D2 53 PUSH EBX ; |Operation
004780D3 FF76 20 PUSH DWORD PTR DS:[ESI+20] ; |hWnd
004780D6 FF15 78565200 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; ShellExecuteA
13. Select those lines > Right Click > Binary > Fill with NOPs. The lines should look like this
Code:
004780D2 90 NOP ; |Operation
004780D3 90 NOP ; |hWnd
004780D4 90 NOP
004780D5 90 NOP
004780D6 90 NOP ; ShellExecuteA
004780D7 90 NOP
004780D8 90 NOP
004780D9 90 NOP
004780DA 90 NOP
004780DB 90 NOP
14. Now just save the file (Right click > Copy to executable > All modifications > Copy all > Right click > Save file > Browse for save location)
[/Removing the popup(s)]
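To check a saved Conquer.exe against the backup from step 0, or to see how an integrity check would spot these edits, the sketch below diffs two images and labels each changed range by the three patch shapes used above (NOP fill, conditional short jump turned into JMP SHORT, changed PUSH immediate). It is an added example, not part of the original tutorial; the function names are made up for illustration, and the sample buffers are constructed from the byte columns in the listings above, plus an assumed `6A 02` encoding for the "PUSH 2" line, whose bytes the post does not show.

```python
"""Added example: classify byte ranges that differ between a backup and a patched image."""
NOP, JMP_SHORT, PUSH_IMM8 = 0x90, 0xEB, 0x6A

def changed_ranges(orig: bytes, patched: bytes):
    """Return half-open (start, end) offsets where the two images differ."""
    if len(orig) != len(patched):
        raise ValueError("size changed: not an in-place byte patch")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(orig, patched)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(orig)))
    return ranges

def classify(orig: bytes, patched: bytes, start: int, end: int) -> str:
    """Heuristic label; byte patterns alone cannot prove the bytes are code."""
    new = patched[start:end]
    if all(b == NOP for b in new):
        return "nop-fill"          # Binary -> Fill with NOPs
    if 0x70 <= orig[start] <= 0x7F and new[0] == JMP_SHORT:
        return "jcc-to-jmp"        # e.g. 74 17 (JE) -> EB 17 (JMP SHORT)
    if end - start == 1 and start > 0 and orig[start - 1] == PUSH_IMM8:
        return "push-imm8"         # operand byte of PUSH imm8 changed
    return "other"

def report(orig: bytes, patched: bytes):
    """List (offset, length, label) for every changed range."""
    return [(s, e - s, classify(orig, patched, s, e))
            for s, e in changed_ranges(orig, patched)]

# Constructed sample: [PM] check fragment, ShellExecuteA call, assumed PUSH 2.
SAMPLE_ORIG = bytes.fromhex("3BC67417BF2C0056002BF8" "53FF7620FF1578565200" "6A02")
SAMPLE_PATCHED = bytes.fromhex("3BC6EB17BF2C0056002BF8" + "90" * 10 + "6A7F")

if __name__ == "__main__":
    for off, length, kind in report(SAMPLE_ORIG, SAMPLE_PATCHED):
        print(f"offset {off:#06x}  {length:2d} byte(s)  {kind}")
```

The offsets reported are positions in the compared buffers; mapping file offsets to the addresses OllyDBG shows needs the PE section headers, which this sketch does not parse.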