OllyDBG & CO

Discussion on OllyDBG & CO within the CO2 Programming forum part of the Conquer Online 2 category.

Old   #1
 
OllyDBG & CO

Hello all.

I've noticed the huge amount of people asking how to do multiclient without the date going off and how to remove the virus scanner etc. This is a small tutorial to teach people how to make those by yourself.


Requirements:
- OllyDBG
- Conquer patched up to 5035.

Note: steps 0-1 are the same for all of the modifications.

0. BACKUP YOUR Conquer.exe BEFORE DOING ANYTHING

1. Open Conquer in OllyDBG. (File -> Open -> Browse for Conquer.exe) and let it process the exe

[Creating Multiclient]
2. Right click on the CPU window -> Search for -> All referenced text strings

3. Scroll up in the list.
4. Right click -> Search for text and type in search box "TQ_CONQUER"
5. Double click the line that says "TQ_CONQUER"

6. Notice the line I have highlighted that says "PUSH 2". This line determines how many clients you can open.
7. You can change the value in it to anything between 0 and 7F (hex)
8. Ok, now we have changed the value to 7F! How do we save?
9. Right click CPU window -> Copy to executable -> All modifications -> Copy All
10. Now a new window opened -> Right click on it -> Save file -> Browse for a location (don't save it in the same folder as the original at first)
11. Now you need to close OllyDBG and copy the Conquer.exe to the Conquer folder!
[/Creating Multiclient]


[Removing 'Virus' scanner]
2. Right click on the CPU window -> Search for -> All referenced text strings
3. Scroll up in the list.
4. Right click -> Search for text and type in search box "ZFTqat"
5. Double click the line that says "ZFTqat"

6. Do as I did, highlight those addresses -> Right Click on CPU window -> Binary -> Fill with NOPs (NOP = No OPeration)
7. Right click CPU window -> Copy to executable -> All modifications -> Copy All
8. Now a new window opened -> Right click on it -> Save file -> Browse for a location (don't save it in the same folder as the original at first)
9. Now you need to close OllyDBG and copy the Conquer.exe to the Conquer folder!
[/Removing 'Virus' scanner]


[Running Conquer.exe directly]
2. Click on the CPU window, then press Ctrl + F (this opens a command search window)
3. Find "PUSH 273F". The code should look like this (a couple of lines up and down):

Code:
004687F6   . 83F8 01        CMP EAX,1
004687F9   . 7C 18          JL SHORT Conquer.00468813
004687FB   . 8D85 ECFAFFFF  LEA EAX,DWORD PTR SS:[EBP-514]
00468801   . 68 D0DB5500    PUSH Conquer.0055DBD0                    ; /s2 = "blacknull"
00468806   . 50             PUSH EAX                                 ; |s1
00468807   . FF15 CC555200  CALL DWORD PTR DS:[<&MSVCRT._stricmp>]   ; _stricmp
0046880D   . 59             POP ECX
0046880E   . 85C0           TEST EAX,EAX
00468810   . 59             POP ECX
00468811     74 29          JE SHORT Conquer.0046883C
00468813   > FF15 54505200  CALL DWORD PTR DS:[<&GraphicData.GameDat>;  GraphicD.GameDataSetQuery
00468819   . 8B10           MOV EDX,DWORD PTR DS:[EAX]
0046881B   . 6A 10          PUSH 10
0046881D   . 68 C8DB5500    PUSH Conquer.0055DBC8                    ;  ASCII "Error"
00468822   . 68 3F270000    PUSH 273F
00468827   . 8BC8           MOV ECX,EAX
00468829   . FF52 3C        CALL DWORD PTR DS:[EDX+3C]
0046882C   . 50             PUSH EAX                                 ; |Text
0046882D   . 6A 00          PUSH 0                                   ; |hOwner = NULL
0046882F   . FF15 08575200  CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; MessageBoxA
Notice the

Code:
004687F6   . 83F8 01        CMP EAX,1
004687F9   . 7C 18          JL SHORT Conquer.00468813
Change the
Code:
004687F9   . 7C 18          JL SHORT Conquer.00468813
Into

Code:
004687F9   . EB 41          JMP SHORT 0046883C
4. Right click CPU window -> Copy to executable -> All modifications -> Copy All
5. Now a new window opened -> Right click on it -> Save file -> Browse for a location (don't save it in the same folder as the original at first)
6. Now you need to close OllyDBG and copy the Conquer.exe to the Conquer folder!
[/Running Conquer.exe directly]


[Enabling PM Commands]

1. Backup your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)

3. Right click -> Search for -> All referenced text strings -> "PM"
4. Double click the "[PM]" that came up in the search.

You should see a code block like this:

Code:
004A6A2A  |. 8D7405 D4      LEA ESI,DWORD PTR SS:[EBP+EAX-2C]
004A6A2E  |. 8D46 FC        LEA EAX,DWORD PTR DS:[ESI-4]
004A6A31  |. 3BC6           CMP EAX,ESI
004A6A33  |. 74 17          JE SHORT Conquer.004A6A4C                ; (dark orange)
004A6A35     BF 2C005600    MOV EDI,Conquer.0056002C                 ;  ASCII "[PM]"
004A6A3A  |. 2BF8           SUB EDI,EAX
004A6A3C  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]                ; (red)
004A6A3E  |. 3A0C07         |CMP CL,BYTE PTR DS:[EDI+EAX]            ; (red)
004A6A41  |. 0F85 08050000  |JNZ Conquer.004A6F4F                    ; (red)
004A6A47  |. 40             |INC EAX                                 ; (red)
004A6A48  |. 3BC6           |CMP EAX,ESI                             ; (red)
004A6A4A  |.^75 F0          JNZ SHORT Conquer.004A6A3C               ; (red)
004A6A4C  |> A0 48AB5600    MOV AL,BYTE PTR DS:[56AB48]              ; (dark orange)
There are two ways of achieving the goal:

First way:
- NOP all those parts that I've colored red; it's basically the check whether your name contains [PM]

Second way :

- Do you notice the part that I've colored dark orange?

Code:
004A6A33  |. 74 17          JE SHORT Conquer.004A6A4C
- If you look closely at the address it jumps to, you should notice that it jumps straight past the check;
- Click that JE address and hit spacebar to assemble it
- Change it to ->
Code:
004A6A33  |. EB 17          JMP SHORT 004A6A4C

I'll add screenshots if requested.


[/Enabling PM Commands]

[Removing the popup(s)]

1. Backup your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)

3. Right click -> Search for -> All referenced text strings -> "co.91.com" > Double click it > You should see lines like this

Code:
00477A9F   > 68 F4E05500    PUSH Conquer.0055E0F4                    ;  ASCII "http://co.91.com/signout/"
00477AA4   . E9 DB000000    JMP Conquer.00477B84
00477AA9   > FFD7           CALL EDI
00477AAB   . 8B10           MOV EDX,DWORD PTR DS:[EAX]
4. Click this line
Code:
00477AA4   . E9 DB000000    JMP Conquer.00477B84
5. Press Enter (it follows the jmp)
6. Now you should see lines like this
Code:
00477B84     53             PUSH EBX                                 ; |Operation
00477B85     FF76 20        PUSH DWORD PTR DS:[ESI+20]               ; |hWnd
00477B88     FF15 78565200  CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; ShellExecuteA
7. Select all of those lines > Right Click > Binary > Fill with NOPs

8. After that the view in ollydbg should be like this
Code:
00477B84     90             NOP                                      ; |Operation
00477B85     90             NOP                                      ; |hWnd
00477B86     90             NOP
00477B87     90             NOP
00477B88     90             NOP                                      ; ShellExecuteA
00477B89     90             NOP
00477B8A     90             NOP
00477B8B     90             NOP
00477B8C     90             NOP
00477B8D     90             NOP
9. Right click > Search for > All referenced text strings > Search for next

10. Double click the line and you should see lines like this
Code:
00477FED   > 68 F4E05500    PUSH Conquer.0055E0F4                    ;  ASCII "http://co.91.com/signout/"
00477FF2   . E9 DB000000    JMP Conquer.004780D2
11. Click this line
Code:
00477FF2   . E9 DB000000    JMP Conquer.004780D2
12. Hit enter to follow the jmp and you should come to lines like these
Code:
004780D2     53             PUSH EBX                                 ; |Operation
004780D3     FF76 20        PUSH DWORD PTR DS:[ESI+20]               ; |hWnd
004780D6     FF15 78565200  CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; ShellExecuteA
13. Select those lines > Right Click > Binary > Fill with NOPs the lines should look like this
Code:
004780D2     90             NOP                                      ; |Operation
004780D3     90             NOP                                      ; |hWnd
004780D4     90             NOP
004780D5     90             NOP
004780D6     90             NOP                                      ; ShellExecuteA
004780D7     90             NOP
004780D8     90             NOP
004780D9     90             NOP
004780DA     90             NOP
004780DB     90             NOP
14. Now just save the file (Right click > Copy to executable > All modifications > Copy all > Right click > Save file > Browse for a save location)
[/Removing the popup(s)]
tanelipe is offline  
Thanks
164 Users
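As an added example (not code from the thread, and not the game's own anti-tamper code), the following Python diffs a pristine copy of a code region against a suspect copy and classifies the kinds of in-place edits the steps above produce (a JL/JE SHORT rewritten as JMP SHORT, a call site filled with NOPs, a PUSH immediate changed); an integrity check on a client would flag exactly these signatures. The byte strings are transcribed from the OllyDbg listings above; the "PUSH 2" region and its address 0x00400000 are constructed, because the thread never lists them.

```python
JCC_SHORT = range(0x70, 0x80)  # Jcc rel8 opcodes: JE = 74, JNZ = 75, JL = 7C ...
JMP_SHORT = 0xEB               # JMP rel8
NOP = 0x90
PUSH_IMM8 = 0x6A               # PUSH imm8, e.g. "6A 02" = PUSH 2

def classify_patches(original: bytes, candidate: bytes, base: int):
    """Diff two images of one code region; return (virtual address, kind,
    original bytes, new bytes) for every run of bytes that differs."""
    if len(original) != len(candidate):
        raise ValueError("both images must cover the same region")
    findings, i, n = [], 0, len(original)
    while i < n:
        if original[i] == candidate[i]:
            i += 1
            continue
        j = i
        while j < n and original[j] != candidate[j]:
            j += 1
        orig, new = original[i:j], candidate[i:j]
        if len(new) >= 2 and set(new) == {NOP}:
            kind = "nop-fill"            # Binary -> Fill with NOPs
        elif orig[0] in JCC_SHORT and new[0] == JMP_SHORT and len(orig) <= 2:
            kind = "jcc-to-jmp"          # JL/JE SHORT rewritten as JMP SHORT
        elif len(orig) == 1 and i > 0 and original[i - 1] == PUSH_IMM8:
            kind = "push-imm8-changed"   # PUSH 2 -> PUSH 7F
        else:
            kind = "unknown"
        findings.append((base + i, kind, orig, new))
        i = j
    return findings

def patched(data: bytes, offset: int, new: bytes) -> bytes:
    """Return a copy of `data` with `new` written at `offset` (builds samples)."""
    return data[:offset] + new + data[offset + len(new):]

# Regions transcribed from the thread's OllyDbg listings: (address, bytes).
RUN_DIRECTLY = (0x004687F6, bytes.fromhex(
    "83F801 7C18 8D85ECFAFFFF 68D0DB5500 50 FF15CC555200 59 85C0 59 7429"))
PM_CHECK = (0x004A6A2A, bytes.fromhex(
    "8D7405D4 8D46FC 3BC6 7417 BF2C005600 2BF8 8A08 3A0C07 0F8508050000"))
POPUP = (0x00477B84, bytes.fromhex("53 FF7620 FF1578565200"))
# Constructed: the thread does not list the address or bytes of its "PUSH 2".
MULTICLIENT = (0x00400000, bytes.fromhex("6A02"))

def scan_samples():
    """Apply each modification the thread describes and classify the result."""
    samples = [
        (RUN_DIRECTLY, patched(RUN_DIRECTLY[1], 3, b"\xEB\x41")),  # JL -> JMP SHORT 0046883C
        (PM_CHECK, patched(PM_CHECK[1], 9, b"\xEB")),              # JE -> JMP SHORT 004A6A4C
        (POPUP, patched(POPUP[1], 0, bytes([NOP]) * 10)),          # ShellExecuteA call NOPed
        (MULTICLIENT, patched(MULTICLIENT[1], 1, b"\x7F")),        # PUSH 2 -> PUSH 7F
    ]
    return [f for (base, orig), cand in samples
            for f in classify_patches(orig, cand, base)]
```

A real check would read both images from the PE's code section at the same file offsets; the byte-level classification is unchanged.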
Old 08/10/2008, 12:47   #2
 
I've been waiting for disassembling tutorials. Thanks.
nTL3fTy is offline  
Thanks
1 User
Old 08/10/2008, 20:49   #3
 
sweet gonna play with that =p
mrringo is offline  
Thanks
1 User
Old 08/11/2008, 20:56   #4
 
Basically you can find the place where they output the error message by looking at StrRes.ini for the value and that way "bypass" the checks.

For example in StrRes.ini there is a line:

Code:
10047=Please run Play.exe
Take that 10047 and convert it to hex (I use MS calc for this).
It's 273F in hex; now look in OllyDBG for the command (Ctrl + F)

Code:
PUSH 273F
And it should bring you to the place where they output the error message; usually the checks are a couple of lines above that. Sometimes there are many of those checks.
tanelipe is offline  
Thanks
11 Users
Old 08/14/2008, 10:54   #5
 
hi!
Could you remove the annoying popup?
Laserman is offline  
Thanks
1 User
Old 08/14/2008, 15:17   #6
 
I'll write a tutorial how to do it soon.
tanelipe is offline  
Thanks
1 User
Old 08/14/2008, 18:54   #7
 
Quote:
Originally Posted by tanelipe View Post
I'll write a tutorial how to do it soon.
Would you essentially just NOP the two instances of the ShellExecute?
nTL3fTy is offline  
Thanks
1 User
Old 08/14/2008, 21:02   #8
 
And NOP the place they push the params onto stack (optional) but that's the general idea.
tanelipe is offline  
Thanks
4 Users
Old 08/15/2008, 23:12   #9
 
ty a lot for this nice Guide
keving is offline  
Thanks
1 User
Old 08/16/2008, 00:12   #10
 
WOW, nice thread, you can teach us how to do wallJump and PM Commands, that is my suggestion
32991304 is offline  
Thanks
2 Users
Old 08/16/2008, 00:18   #11
 
Thanks, I've asked before for some tuts on using OllyDBG.
Hope to see some more.
Real~Death is offline  
Thanks
1 User
Old 08/16/2008, 09:57   #12
 
Enabling PM Commands (Client side fun)

1. Backup your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)

3. Right click -> Search for -> All referenced text strings -> "PM"
4. Double click the "[PM]" that came up in the search.

You should see a code block like this:

Code:
004A6A2A  |. 8D7405 D4      LEA ESI,DWORD PTR SS:[EBP+EAX-2C]
004A6A2E  |. 8D46 FC        LEA EAX,DWORD PTR DS:[ESI-4]
004A6A31  |. 3BC6           CMP EAX,ESI
004A6A33  |. 74 17          JE SHORT Conquer.004A6A4C                ; (dark orange)
004A6A35     BF 2C005600    MOV EDI,Conquer.0056002C                 ;  ASCII "[PM]"
004A6A3A  |. 2BF8           SUB EDI,EAX
004A6A3C  |> 8A08           /MOV CL,BYTE PTR DS:[EAX]                ; (red)
004A6A3E  |. 3A0C07         |CMP CL,BYTE PTR DS:[EDI+EAX]            ; (red)
004A6A41  |. 0F85 08050000  |JNZ Conquer.004A6F4F                    ; (red)
004A6A47  |. 40             |INC EAX                                 ; (red)
004A6A48  |. 3BC6           |CMP EAX,ESI                             ; (red)
004A6A4A  |.^75 F0          JNZ SHORT Conquer.004A6A3C               ; (red)
004A6A4C  |> A0 48AB5600    MOV AL,BYTE PTR DS:[56AB48]              ; (dark orange)
There are two ways of achieving the goal:

First way:
- NOP all those parts that I've colored red; it's basically the check whether your name contains [PM]

Second way :

- Do you notice the part that I've colored dark orange?

Code:
004A6A33  |. 74 17          JE SHORT Conquer.004A6A4C
- If you look closely at the address it jumps to, you should notice that it jumps straight past the check;
- Click that JE address and hit spacebar to assemble it
- Change it to ->
Code:
004A6A33  |. EB 17          JMP SHORT 004A6A4C

I'll add screenshots if requested.
tanelipe is offline  
Thanks
5 Users
Old 08/16/2008, 13:16   #13
 
Quote:
Originally Posted by tanelipe View Post
Enabling PM Commands (Client side fun)
Heh, I was playing around with enabling PM commands.
nTL3fTy is offline  
Old 08/17/2008, 04:24   #14
 
Dammit, that's the best thread ^^, I've always wanted to do these things myself, and now I can. Thanks again

Edit: btw, do you know why we can only open 8 Conquers at the same time? When you try to open the 9th client it closes automatically. I use Windows XP SP3 (already tested in SP2, and it doesn't work either). If you can fix this, it will help a lot of people.

PS: to make a test you have to log in to Conquer, not just open 10 Conquers and leave them on the login screen; if you don't have 9 chars to test, I can give some to you. Thx again
32991304 is offline  
Old 08/17/2008, 11:24   #15
 
I'm not sure why it would cause that, have you tried other multiclients and were you able to open more than 8 ?
tanelipe is offline  