
OllyDBG & CO

Hello all.

I've noticed the huge number of people asking how to make a multiclient without the date going off, how to
remove the virus scanner, etc. This is a small tutorial to teach you how to make those modifications yourself.


Requirements:
- OllyDBG v1.10
- Conquer patched up to 5035.

Note: steps 0-1 are the same for all of the modifications.

0. BACKUP YOUR Conquer.exe BEFORE
DOING ANYTHING

1. Open Conquer in OllyDBG (File -> Open -> Browse for Conquer.exe) and let it analyse the exe.

[Creating Multiclient]
2. Right click on the CPU window -> Search for -> All referenced text strings

3. Scroll up in the list.
4. Right click -> Search for text and type in search box "TQ_CONQUER"
5. Double click the line that says "TQ_CONQUER"

6. Notice the line I have highlighted that says "PUSH 2". This line determines how many clients you can
open.
7. You can change the value to anything between 0 and 7F (hex).
8. OK, now we have changed the value to 7F! How do we save it?
9. Right click CPU window -> Copy to executable -> All modifications -> Copy All
10. A new window opens -> Right click on it -> Save file -> Browse for a location (don't save it in the
same folder as the original at first)
11. Now close OllyDBG and copy the new Conquer.exe to the Conquer folder!
[/Creating Multiclient]


[Removing 'Virus' scanner]
2. Right click on the CPU window -> Search for -> All referenced text strings
3. Scroll up in the list.
4. Right click -> Search for text and type in search box "ZFTqat"
5. Double click the line that says "ZFTqat"

6. Do as I did: highlight those addresses -> Right click on CPU window -> Binary -> Fill with NOPs (NOP =
No OPeration)
7. Right click CPU window -> Copy to executable -> All modifications -> Copy All
8. A new window opens -> Right click on it -> Save file -> Browse for a location (don't save it in the
same folder as the original at first)
9. Now close OllyDBG and copy the new Conquer.exe to the Conquer folder!
[/Removing 'Virus' scanner]


[Running Conquer.exe directly]
2. Click on the CPU window, then press Ctrl + F (this opens the command search window)
3. Find "PUSH 273F". The code should look like this (a couple of lines up and down):
Code:
4687F6 . 83F8 01 CMP EAX,1
4687F9 . 7C 18 JL SHORT Conquer.00468813
4687FB . 8D85 ECFAFFFF LEA EAX,DWORD PTR SS:[EBP-514]
468801 . 68 D0DB5500 PUSH Conquer.0055DBD0 ; /s2 = "blacknull"
468806 . 50 PUSH EAX ; |s1
468807 . FF15 CC555200 CALL DWORD PTR DS:[<&MSVCRT._stricmp>] ; _stricmp
46880D . 59 POP ECX
46880E . 85C0 TEST EAX,EAX
468810 . 59 POP ECX
468811 74 29 JE SHORT Conquer.0046883C
468813 FF15 54505200 CALL DWORD PTR DS:[<&GraphicData.GameDat; GraphicD.GameDataSetQuery
468819 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
46881B . 6A 10 PUSH 10
46881D . 68 C8DB5500 PUSH Conquer.0055DBC8 ; ASCII "Error"
468822 . 68 3F270000 PUSH 273F
468827 . 8BC8 MOV ECX,EAX
468829 . FF52 3C CALL DWORD PTR DS:[EDX+3C]
46882C . 50 PUSH EAX ; |Text
46882D . 6A 00 PUSH 0 ; |hOwner = NULL
46882F . FF15 08575200 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; MessageBoxA
Notice the
Code:
4687F6 . 83F8 01 CMP EAX,1
4687F9 . 7C 18 JL SHORT Conquer.00468813
Change the
Code:
4687F9 . 7C 18 JL SHORT Conquer.00468813
into
Code:
4687F9 . 7C 18 JMP SHORT 0046883C
4. Right click CPU window -> Copy to executable -> All modifications -> Copy All
5. A new window opens -> Right click on it -> Save file -> Browse for a location (don't save it in the
same folder as the original at first)
6. Now close OllyDBG and copy the new Conquer.exe to the Conquer folder!
[/Running Conquer.exe directly]


[Enabling PM Commands]

1. Backup your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)

3. Right click -> Search for -> All referenced text strings -> search for "PM"
4. Double click the "[PM]" line that came up in the search.

You should see a code block like this:
Code:
4A6A2A |. 8D7405 D4 LEA ESI,DWORD PTR SS:[EBP+EAX-2C]
4A6A2E |. 8D46 FC LEA EAX,DWORD PTR DS:[ESI-4]
4A6A31 |. 3BC6 CMP EAX,ESI
4A6A33 |. 74 17 JE SHORT Conquer.004A6A4C
4A6A35 BF 2C005600 MOV EDI,Conquer.0056002C ; ASCII "PM,"
4A6A3A |. 2BF8 SUB EDI,EAX
4A6A3C | 8A08 /MOV CL,BYTE PTR DS:[EAX]
4A6A3E |. 3A0C07 |CMP CL,BYTE PTR DS:[EDI+EAX]
4A6A41 |. 0F85 08050000 |JNZ Conquer.004A6F4F
4A6A47 |. 40 |INC EAX
4A6A48 |. 3BC6 |CMP EAX,ESI
4A6A4A |.^75 F0 \JNZ SHORT Conquer.004A6A3C
4A6A4C | A0 48AB5600 MOV AL,BYTE PTR DS:[56AB48]
There are two ways of achieving the goal:

First way:
- NOP all of the parts I've coloured red; it's basically the check whether your name contains [PM].

Second way:

- Notice the part I've coloured dark orange?
Code:
4A6A33 |. 74 17 JE SHORT Conquer.004A6A4C
- If you look closely at the address it jumps to, you should notice that it jumps straight past the check.
- Click that JE line and hit spacebar to assemble over it
- Change it to ->
Code:
4A6A33 |. EB 17 JMP SHORT 004A6A4C

I'll add screenshots if requested.

[/Enabling PM Commands]

[Removing the popup(s)]

1. Backup your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)

3. Right click -> Search for -> All referenced text strings -> search for "co.91.com" > Double click it > You should see
lines like this
Code:
477A9F 68 F4E05500 PUSH Conquer.0055E0F4 ; ASCII "http://co.91.com/signout
477AA4 . E9 DB000000 JMP Conquer.00477B84
477AA9 FFD7 CALL EDI
477AAB . 8B10 MOV EDX,DWORD PTR DS:[EAX]
4. Click this line
Code:
477AA4 . E9 DB000000 JMP Conquer.00477B84
5. Press Enter (this follows the JMP)
6. Now you should see lines like this
Code:
477B84 53 PUSH EBX ; |Operation
477B85 FF76 20 PUSH DWORD PTR DS:[ESI+20] ; |hWnd
477B88 FF15 78565200 CALL DWORD PTR DS:[<&SHELL32.ShellExecut; ShellExecuteA
7. Select all of those lines > Right Click > Binary > Fill with NOPs

8. After that, the view in OllyDBG should look like this
Code:
477B84 90 NOP ; |Operation
477B85 90 NOP ; |hWnd
477B86 90 NOP
477B87 90 NOP
477B88 90 NOP ; ShellExecuteA
477B89 90 NOP
477B8A 90 NOP
477B8B 90 NOP
477B8C 90 NOP
477B8D 90 NOP
9. Right click > Search for > All referenced text strings > Search for next

10. Double click the line and you should see lines like this
Code:
477FED 68 F4E05500 PUSH Conquer.0055E0F4 ; ASCII "http://co.91.com/signout
477FF2 . E9 DB000000 JMP Conquer.004780D2
11. Click this line
Code:
477FF2 . E9 DB000000 JMP Conquer.004780D2
12. Press Enter to follow the JMP and you should come to lines like these
Code:
4780D2 53 PUSH EBX ; |Operation
4780D3 FF76 20 PUSH DWORD PTR DS:[ESI+20] ; |hWnd
4780D6 FF15 78565200 CALL DWORD PTR DS:[<&SHELL32.ShellExecut; ShellExecuteA
13. Select those lines > Right Click > Binary > Fill with NOPs. The lines should then look like this
Code:
4780D2 90 NOP ; |Operation
4780D3 90 NOP ; |hWnd
4780D4 90 NOP
4780D5 90 NOP
4780D6 90 NOP ; ShellExecuteA
4780D7 90 NOP
4780D8 90 NOP
4780D9 90 NOP
4780DA 90 NOP
4780DB 90 NOP
14. Now just save the file (Right click > Copy to executable > All modifications > Copy all > Right click >
Save file > Browse for a save location)
[/Removing the popup(s)]
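Every modification in this tutorial (the PUSH 2 -> PUSH 7F constant change, the JL/JE -> JMP rewrites and the NOP fills) is written back into Conquer.exe on disk via "Copy to executable", so the straightforward defensive check is an integrity check of the file. The script below is an added example written for this page, not code from the tutorial or from the game: it parses the PE section table by hand, compares the SHA-256 of the file against a known-good value, and then scans the .text section for long runs of 0x90 to localise a NOP fill like the ones above. The sample image it builds in memory (build_sample_pe, the ORIGINAL_TEXT/PATCHED_TEXT byte strings and KNOWN_GOOD_SHA256) is constructed for the example and is not Conquer.exe; the 8-byte NOP threshold is an assumption, since compilers also emit NOP padding between functions, so treat NOP runs as a locator and the hash as the verdict.

```python
import hashlib
import struct


def build_sample_pe(text_bytes: bytes) -> bytes:
    """Constructed sample: a minimal PE-like image with a single .text section.
    It is NOT Conquer.exe and contains no real program code; it exists so the
    example runs offline."""
    pe_offset = 0x40
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", pe_offset)  # e_lfanew at 0x3C
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader (0 keeps the sample small), Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    raw_ptr = 0x200
    # Section header: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
    # PointerToRawData, then 16 bytes we do not need
    section = (b".text".ljust(8, b"\x00")
               + struct.pack("<IIII", len(text_bytes), 0x1000, len(text_bytes), raw_ptr)
               + b"\x00" * 16)
    header = dos + b"PE\x00\x00" + coff + section
    return header.ljust(raw_ptr, b"\x00") + text_bytes


def find_section(data: bytes, name: bytes = b".text"):
    """Return (raw_offset, raw_size) of the named section from the PE section table."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\x00\x00":
        raise ValueError("not a PE file (missing PE signature)")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size  # section table follows the optional header
    for i in range(num_sections):
        entry = table + i * 40
        sec_name = data[entry:entry + 8].rstrip(b"\x00")
        _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, entry + 8)
        if sec_name == name:
            return raw_ptr, raw_size
    raise ValueError(f"section {name!r} not found")


def find_nop_runs(code: bytes, min_len: int = 8):
    """Offsets and lengths of runs of 0x90 (NOP) at least min_len bytes long.
    Heuristic: linker padding can also produce NOPs, so min_len is an assumption."""
    runs = []
    i, n = 0, len(code)
    while i < n:
        if code[i] == 0x90:
            j = i
            while j < n and code[j] == 0x90:
                j += 1
            if j - i >= min_len:
                runs.append((i, j - i))
            i = j
        else:
            i += 1
    return runs


def check_integrity(data: bytes, expected_sha256: str, min_nop_run: int = 8):
    """Exact verdict from the hash; NOP runs (as file offsets) only localise a patch."""
    actual = hashlib.sha256(data).hexdigest()
    raw_ptr, raw_size = find_section(data, b".text")
    code = data[raw_ptr:raw_ptr + raw_size]
    runs = [(raw_ptr + off, length) for off, length in find_nop_runs(code, min_nop_run)]
    return {"hash_ok": actual == expected_sha256.lower(), "sha256": actual, "nop_runs": runs}


# Constructed sample code: a 10-byte call sequence (PUSH EBX / PUSH [ESI+20] / CALL [imm32])
# between a prologue and an epilogue, and the same bytes after a "Fill with NOPs".
ORIGINAL_TEXT = bytes.fromhex("558bec" "53" "ff7620" "ff1578565200" "5dc3")
PATCHED_TEXT = bytes.fromhex("558bec") + b"\x90" * 10 + bytes.fromhex("5dc3")
ORIGINAL_PE = build_sample_pe(ORIGINAL_TEXT)
# In practice the known-good hash ships with the release; here it is derived from the sample.
KNOWN_GOOD_SHA256 = hashlib.sha256(ORIGINAL_PE).hexdigest()

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:  # usage: python pe_integrity.py <file> <expected sha256>
        with open(sys.argv[1], "rb") as fh:
            result = check_integrity(fh.read(), sys.argv[2])
    else:
        result = check_integrity(build_sample_pe(PATCHED_TEXT), KNOWN_GOOD_SHA256)
    print("hash ok:", result["hash_ok"])
    for off, length in result["nop_runs"]:
        print(f"NOP run of {length} bytes at file offset 0x{off:X}")
```

The hash comparison is what decides: a single changed immediate such as PUSH 2 -> PUSH 7F or a flipped conditional jump never shows up as a NOP run, but it does change the digest. The NOP scan only tells you where a fill landed, and it cannot see changes applied in memory while the process runs, which is why a shipped client that cares about this would pair an on-disk check with code signing rather than rely on either heuristic alone.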
