I've noticed the huge number of people asking how to do multiclient without the date going off and how to remove the virus scanner, etc. This is a small tutorial to teach people how to make those themselves.
Requirements :
- OllyDBG
- Conquer patched up to 5035.
Note: steps 0-1 are the same for all of the modifications.
0. BACKUP YOUR Conquer.exe BEFORE DOING ANYTHING
1. Open Conquer in OllyDBG (File -> Open -> Browse for Conquer.exe) and let it process the exe.
[Creating Multiclient]
2. Right click on the CPU window -> Search for -> All referenced text strings
3. Scroll up in the list.
4. Right click -> Search for text and type in search box "TQ_CONQUER"
5. Double click the line that says "TQ_CONQUER"
6. Notice the line I have highlighted that says "PUSH 2". This line determines how many clients you can open.
7. You can change the value in it to anything between 0 and 7F (hex).
8. OK, now we have changed the value to 7F! How to save?
9. Right click CPU window -> Copy to executable -> All modifications -> Copy All
10. Now a new window has opened -> Right click on it -> Save file -> Browse for a location (don't save it in the same folder as the original at first)
11. Now you need to close OllyDBG and copy the Conquer.exe to the Conquer folder!
[/Creating Multiclient]
[Removing 'Virus' scanner]
2. Right click on the CPU window -> Search for -> All referenced text strings
3. Scroll up in the list.
4. Right click -> Search for text and type in search box "ZFTqat"
5. Double click the line that says "ZFTqat"
6. Do as I did, highlight those addresses -> Right Click on CPU window -> Binary -> Fill with NOPS (NOP = No OPeration)
7. Right click CPU window -> Copy to executable -> All modifications -> Copy All
8. Now a new window has opened -> Right click on it -> Save file -> Browse for a location (don't save it in the same folder as the original at first)
9. Now you need to close OllyDBG and copy the Conquer.exe to the Conquer folder!
[/Removing 'Virus' scanner]
[Running Conquer.exe directly]
2. Click on CPU window then press Ctrl + F (Open up a command search window)
3. Find "PUSH 273F" The code should look like this. (Couple lines up & down)
Code:
004687F6 . 83F8 01 CMP EAX,1
004687F9 . 7C 18 JL SHORT Conquer.00468813
004687FB . 8D85 ECFAFFFF LEA EAX,DWORD PTR SS:[EBP-514]
00468801 . 68 D0DB5500 PUSH Conquer.0055DBD0 ; /s2 = "blacknull"
00468806 . 50 PUSH EAX ; |s1
00468807 . FF15 CC555200 CALL DWORD PTR DS:[<&MSVCRT._stricmp>] ; _stricmp
0046880D . 59 POP ECX
0046880E . 85C0 TEST EAX,EAX
00468810 . 59 POP ECX
00468811 74 29 JE SHORT Conquer.0046883C
00468813 > FF15 54505200 CALL DWORD PTR DS:[<&GraphicData.GameDat>; GraphicD.GameDataSetQuery
00468819 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
0046881B . 6A 10 PUSH 10
0046881D . 68 C8DB5500 PUSH Conquer.0055DBC8 ; ASCII "Error"
[B]00468822 . 68 3F270000 PUSH 273F[/B]
00468827 . 8BC8 MOV ECX,EAX
00468829 . FF52 3C CALL DWORD PTR DS:[EDX+3C]
0046882C . 50 PUSH EAX ; |Text
0046882D . 6A 00 PUSH 0 ; |hOwner = NULL
0046882F . FF15 08575200 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; MessageBoxA
Code:
004687F6 . 83F8 01 CMP EAX,1
004687F9 . 7C 18 JL SHORT Conquer.00468813
Code:
004687F9 . 7C 18 JL SHORT Conquer.00468813
Code:
004687F9 . EB 41 JMP SHORT 0046883C
5. Now a new window has opened -> Right click on it -> Save file -> Browse for a location (don't save it in the same folder as the original at first)
6. Now you need to close OllyDBG and copy the Conquer.exe to the Conquer folder!
[/Running Conquer.exe directly]
[Enabling PM Commands]
1. Back up your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)
3. Right click -> Search for -> All referenced text strings -> "PM"
4. Double click the "[PM]" that came up on search.
You should see a code block like this:
Code:
004A6A2A |. 8D7405 D4 LEA ESI,DWORD PTR SS:[EBP+EAX-2C]
004A6A2E |. 8D46 FC LEA EAX,DWORD PTR DS:[ESI-4]
004A6A31 |. 3BC6 CMP EAX,ESI
[COLOR="DarkOrange"]004A6A33 |. 74 17 JE SHORT Conquer.004A6A4C[/COLOR]
004A6A35 BF 2C005600 MOV EDI,Conquer.0056002C ; ASCII "[PM]"
004A6A3A |. 2BF8 SUB EDI,EAX
[COLOR="Red"]004A6A3C |> 8A08 /MOV CL,BYTE PTR DS:[EAX]
004A6A3E |. 3A0C07 |CMP CL,BYTE PTR DS:[EDI+EAX]
004A6A41 |. 0F85 08050000 |JNZ Conquer.004A6F4F
004A6A47 |. 40 |INC EAX
004A6A48 |. 3BC6 |CMP EAX,ESI
004A6A4A |.^75 F0 JNZ SHORT Conquer.004A6A3C[/COLOR]
[COLOR="DarkOrange"]004A6A4C[/COLOR] |> A0 48AB5600 MOV AL,BYTE PTR DS:[56AB48]
First way :
- NOP all those parts that I've colored red. It's basically the check whether your name contains [PM].
Second way :
- You notice the part that I've colored Dark Orange?
Code:
004A6A33 |. 74 17 JE SHORT Conquer.004A6A4C
- Click that JE address and hit the spacebar to assemble it
- Change it to ->
Code:
004A6A33 |. EB 17 JMP SHORT 004A6A4C
I'll add screenshots if requested.
[/Enabling PM Commands]
[Removing the popup(s)]
1. Back up your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)
3. Right click -> Search for -> All referenced text strings -> "co.91.com" -> Double click it -> You should see lines like this
Code:
00477A9F > 68 F4E05500 PUSH Conquer.0055E0F4 ; ASCII "http://co.91.com/signout/"
00477AA4 . E9 DB000000 JMP Conquer.00477B84
00477AA9 > FFD7 CALL EDI
00477AAB . 8B10 MOV EDX,DWORD PTR DS:[EAX]
Code:
00477AA4 . E9 DB000000 JMP Conquer.00477B84
6. Now you should see lines like this
Code:
00477B84 53 PUSH EBX ; |Operation
00477B85 FF76 20 PUSH DWORD PTR DS:[ESI+20] ; |hWnd
00477B88 FF15 78565200 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; ShellExecuteA
8. After that the view in OllyDBG should be like this
Code:
00477B84 90 NOP ; |Operation
00477B85 90 NOP ; |hWnd
00477B86 90 NOP
00477B87 90 NOP
00477B88 90 NOP ; ShellExecuteA
00477B89 90 NOP
00477B8A 90 NOP
00477B8B 90 NOP
00477B8C 90 NOP
00477B8D 90 NOP
10. Double click the line and you should see lines like this
Code:
00477FED > 68 F4E05500 PUSH Conquer.0055E0F4 ; ASCII "http://co.91.com/signout/"
00477FF2 . E9 DB000000 JMP Conquer.004780D2
Code:
00477FF2 . E9 DB000000 JMP Conquer.004780D2
Code:
004780D2 53 PUSH EBX ; |Operation
004780D3 FF76 20 PUSH DWORD PTR DS:[ESI+20] ; |hWnd
004780D6 FF15 78565200 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; ShellExecuteA
Code:
004780D2 90 NOP ; |Operation
004780D3 90 NOP ; |hWnd
004780D4 90 NOP
004780D5 90 NOP
004780D6 90 NOP ; ShellExecuteA
004780D7 90 NOP
004780D8 90 NOP
004780D9 90 NOP
004780DA 90 NOP
004780DB 90 NOP
[/Removing the popup(s)]
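
The edits in this tutorial reduce to two byte-level patterns: a range filled with 0x90 (NOP) and a short conditional jump (7x) rewritten as EB (JMP SHORT). As an added example that is not part of the original post, the check below compares a known-good image against a suspect copy and classifies each changed range, the way a client integrity check or a forensic comparison would. The function names are this example's own, and the sample buffers are constructed from the listings above.

```python
NOP = 0x90
JMP_SHORT = 0xEB

def changed_ranges(good: bytes, suspect: bytes):
    """Yield (offset, good_bytes, suspect_bytes) for each run of differing bytes."""
    if len(good) != len(suspect):
        raise ValueError("images differ in length; compare section by section")
    start = None
    for i in range(len(good) + 1):
        differs = i < len(good) and good[i] != suspect[i]
        if differs and start is None:
            start = i
        elif not differs and start is not None:
            yield start, good[start:i], suspect[start:i]
            start = None

def classify(old: bytes, new: bytes) -> str:
    """Name the patch pattern that a changed run matches."""
    if all(b == NOP for b in new):
        return "nop-fill"
    # 0x70..0x7F are the short conditional jumps (Jcc rel8).
    if 0x70 <= old[0] <= 0x7F and new[0] == JMP_SHORT:
        return "jcc-to-jmp"
    return "other"

def report(good: bytes, suspect: bytes, base: int = 0):
    """List (address, pattern, length) for every changed run; base is the
    address of the first byte of the compared buffers."""
    return [(base + off, classify(old, new), len(new))
            for off, old, new in changed_ranges(good, suspect)]

# Constructed samples: bytes taken from the listings above.
GOOD_PM = bytes.fromhex("3BC67417BF2C0056002BF8")     # starts at 004A6A31
SUSPECT_PM = bytes.fromhex("3BC6EB17BF2C0056002BF8")  # JE rewritten as JMP
GOOD_POPUP = bytes.fromhex("53FF7620FF1578565200")    # starts at 00477B84
SUSPECT_POPUP = bytes([NOP]) * len(GOOD_POPUP)        # call site NOPed out

if __name__ == "__main__":
    for good, bad, base in ((GOOD_PM, SUSPECT_PM, 0x004A6A31),
                            (GOOD_POPUP, SUSPECT_POPUP, 0x00477B84)):
        for addr, kind, size in report(good, bad, base):
            print(f"{addr:08X}  {kind:<10}  {size} byte(s)")
```

A changed run is delimited by unchanged bytes, so an original byte that already equals 0x90 inside a NOPed range splits it into two adjacent "nop-fill" findings.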