Hello all.
I've noticed the huge number of people asking how to do multiclient without the date going off, how to
remove the virus scanner etc. This is a small tutorial to teach people how to make those patches themselves.
Requirements:
- OllyDBG v1.10
- Conquer patched up to 5035.
Note: steps 0-1 are the same for all of the modifications.
0. BACKUP YOUR Conquer.exe BEFORE DOING ANYTHING
1. Open Conquer in OllyDBG (File -> Open -> Browse for Conquer.exe) and let it analyse the exe.
[Creating Multiclient]
2. Right click on the CPU window -> Search for -> All referenced text strings
3. Scroll up in the list.
4. Right click -> Search for text and type "TQ_CONQUER" in the search box
5. Double click the line that says "TQ_CONQUER"
6. Notice the line just below it that says "PUSH 2". This line determines how many clients you can
open.
7. You can change the value to anything between 0 and 7F (hex). PUSH 2 is assembled as the two-byte
form 6A 02 with a signed 8-bit immediate, so 7F is the largest value that still fits in place; anything
bigger needs the five-byte PUSH imm32 and would overwrite the instruction after it.
8. OK, now we have changed the value to 7F! How to save?
9. Right click CPU window -> Copy to executable -> All modifications -> Copy all
10. A new window opens -> Right click on it -> Save file -> Browse for a location (don't save it in the
same folder as the original at first)
11. Now close OllyDBG and copy the new Conquer.exe to the Conquer folder!
[/Creating Multiclient]
[Removing 'Virus' scanner]
2. Right click on the CPU window -> Search for -> All referenced text strings
3. Scroll up in the list.
4. Right click -> Search for text and type "ZFTqat" in the search box
5. Double click the line that says "ZFTqat"
6. Highlight the instructions that reference "ZFTqat" -> Right click on CPU window -> Binary -> Fill with NOPs
(NOP = No OPeration)
7. Right click CPU window -> Copy to executable -> All modifications -> Copy all
8. A new window opens -> Right click on it -> Save file -> Browse for a location (don't save it in the
same folder as the original at first)
9. Now close OllyDBG and copy the new Conquer.exe to the Conquer folder!
[/Removing 'Virus' scanner]
[Running Conquer.exe directly]
2. Click on the CPU window, then press Ctrl+F (opens the command search window)
3. Find "PUSH 273F". The code should look like this (a couple of lines up and down):
Code:
4687F6 . 83F8 01 CMP EAX,1
4687F9 . 7C 18 JL SHORT Conquer.00468813
4687FB . 8D85 ECFAFFFF LEA EAX,DWORD PTR SS:[EBP-514]
468801 . 68 D0DB5500 PUSH Conquer.0055DBD0 ; /s2 = "blacknull"
468806 . 50 PUSH EAX ; |s1
468807 . FF15 CC555200 CALL DWORD PTR DS:[<&MSVCRT._stricmp>] ; _stricmp
46880D . 59 POP ECX
46880E . 85C0 TEST EAX,EAX
468810 . 59 POP ECX
468811 74 29 JE SHORT Conquer.0046883C
468813 FF15 54505200 CALL DWORD PTR DS:[<&GraphicData.GameDat; GraphicD.GameDataSetQuery
468819 . 8B10 MOV EDX,DWORD PTR DS:[EAX]
46881B . 6A 10 PUSH 10
46881D . 68 C8DB5500 PUSH Conquer.0055DBC8 ; ASCII "Error"
468822 . 68 3F270000 PUSH 273F
468827 . 8BC8 MOV ECX,EAX
468829 . FF52 3C CALL DWORD PTR DS:[EDX+3C]
46882C . 50 PUSH EAX ; |Text
46882D . 6A 00 PUSH 0 ; |hOwner = NULL
46882F . FF15 08575200 CALL DWORD PTR DS:[<&USER32.MessageBoxA>] ; MessageBoxA
Notice the conditional jump right after the argument check:
Code:
4687F6 . 83F8 01 CMP EAX,1
4687F9 . 7C 18 JL SHORT Conquer.00468813
Change the
Code:
4687F9 . 7C 18 JL SHORT Conquer.00468813
into an unconditional jump to the address the "blacknull" check would have continued at, so the
"Error" MessageBoxA is never reached (a short JMP is EB with an 8-bit displacement, here 41):
Code:
4687F9 . EB 41 JMP SHORT 0046883C
4. Right click CPU window -> Copy to executable -> All modifications -> Copy all
5. A new window opens -> Right click on it -> Save file -> Browse for a location (don't save it in the
same folder as the original at first)
6. Now close OllyDBG and copy the new Conquer.exe to the Conquer folder!
[/Running Conquer.exe directly]
[Enabling PM Commands]
1. Backup your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)
3. Right click -> Search for -> All referenced text strings -> search for "PM"
4. Double click the "[PM]" line that came up in the search.
You should see a code block like this:
Code:
4A6A2A |. 8D7405 D4 LEA ESI,DWORD PTR SS:[EBP+EAX-2C]
4A6A2E |. 8D46 FC LEA EAX,DWORD PTR DS:[ESI-4]
4A6A31 |. 3BC6 CMP EAX,ESI
4A6A33 |. 74 17 JE SHORT Conquer.004A6A4C
4A6A35 BF 2C005600 MOV EDI,Conquer.0056002C ; ASCII "PM,"
4A6A3A |. 2BF8 SUB EDI,EAX
4A6A3C | 8A08 /MOV CL,BYTE PTR DS:[EAX]
4A6A3E |. 3A0C07 |CMP CL,BYTE PTR DS:[EDI+EAX]
4A6A41 |. 0F85 08050000 |JNZ Conquer.004A6F4F
4A6A47 |. 40 |INC EAX
4A6A48 |. 3BC6 |CMP EAX,ESI
4A6A4A |.^75 F0 JNZ SHORT Conquer.004A6A3C
4A6A4C | A0 48AB5600 MOV AL,BYTE PTR DS:[56AB48]
There are two ways of achieving the goal:
First way:
- NOP out the byte-by-byte comparison against "PM," (the lines from 4A6A35 through 4A6A4A); it is
basically the check whether your name contains [PM].
Second way:
- Notice the conditional jump at the top of the block:
Code:
4A6A33 |. 74 17 JE SHORT Conquer.004A6A4C
- If you look closely at the address it jumps to, you should notice that it jumps straight past the check.
- Click that JE line and hit spacebar to assemble over it
- Change it to ->
Code:
4A6A33 |. EB 17 JMP SHORT 004A6A4C
I'll add screenshots if requested.
[/Enabling PM Commands]
[Removing the popup(s)]
1. Backup your Conquer.exe as usual.
2. Open Conquer.exe in OllyDBG (File -> Open -> Browse for its location)
3. Right click -> Search for -> All referenced text strings -> search for "co.91.com" > Double click it > You
should see lines like this
Code:
477A9F 68 F4E05500 PUSH Conquer.0055E0F4 ; ASCII "http://co.91.com/signout
477AA4 . E9 DB000000 JMP Conquer.00477B84
477AA9 FFD7 CALL EDI
477AAB . 8B10 MOV EDX,DWORD PTR DS:[EAX]
4. Click this line
Code:
477AA4 . E9 DB000000 JMP Conquer.00477B84
5. Press Enter (it follows the JMP)
6. Now you should see lines like this
Code:
477B84 53 PUSH EBX ; |Operation
477B85 FF76 20 PUSH DWORD PTR DS:[ESI+20] ; |hWnd
477B88 FF15 78565200 CALL DWORD PTR DS:[<&SHELL32.ShellExecut; ShellExecuteA
7. Select all of those lines > Right click > Binary > Fill with NOPs
8. After that the view in OllyDBG should look like this
Code:
477B84 90 NOP ; |Operation
477B85 90 NOP ; |hWnd
477B86 90 NOP
477B87 90 NOP
477B88 90 NOP ; ShellExecuteA
477B89 90 NOP
477B8A 90 NOP
477B8B 90 NOP
477B8C 90 NOP
477B8D 90 NOP
9. Right click > Search for > All referenced text strings > Search for next
10. Double click the line and you should see lines like this
Code:
477FED 68 F4E05500 PUSH Conquer.0055E0F4 ; ASCII "http://co.91.com/signout
477FF2 . E9 DB000000 JMP Conquer.004780D2
11. Click this line
Code:
477FF2 . E9 DB000000 JMP Conquer.004780D2
12. Press Enter to follow the JMP and you should come to lines like these
Code:
4780D2 53 PUSH EBX ; |Operation
4780D3 FF76 20 PUSH DWORD PTR DS:[ESI+20] ; |hWnd
4780D6 FF15 78565200 CALL DWORD PTR DS:[<&SHELL32.ShellExecut; ShellExecuteA
13. Select those lines > Right click > Binary > Fill with NOPs; the lines should look like this
Code:
4780D2 90 NOP ; |Operation
4780D3 90 NOP ; |hWnd
4780D4 90 NOP
4780D5 90 NOP
4780D6 90 NOP ; ShellExecuteA
4780D7 90 NOP
4780D8 90 NOP
4780D9 90 NOP
4780DA 90 NOP
4780DB 90 NOP
14. Now just save the file (Right click > Copy to executable > All modifications > Copy all > Right click >
Save file > Browse for a save location).
One thing to check: ShellExecuteA is stdcall with six arguments, and only the last two pushes and the call
were NOPed, so the four arguments pushed before the JMP (including the URL at 477A9F) are left on the
stack. That is harmless only if the function restores ESP from EBP before returning, so run the patched
client once under OllyDBG and confirm the sign-out path doesn't crash.
[/Removing the popup(s)]
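Every edit above is the same operation: overwrite a few bytes at an address OllyDBG shows you and write the
file back out. As an added example (my own script, not code from the original tutorial or from the game
client), here is that operation done from Python against a saved exe. It converts the virtual address to a
file offset through the PE section table, refuses to write unless the bytes already there are the ones you
expect (the guard against patching a different client build at the same address), and encodes the short
jumps correctly, including the JL -> JMP SHORT 0046883C change from the "Running Conquer.exe directly"
section, whose bytes are EB 41 rather than the 7C 18 of the original JL. The image returned by
build_sample_pe() is a constructed toy PE32, not Conquer.exe, and the addresses used in the __main__ block
are assumptions about that toy image.

```python
"""Apply OllyDBG-style byte patches to a PE file by virtual address.

Added example, not code from the original tutorial or from the game client.
Assumes a 32-bit PE (optional-header magic 0x10B), which is what OllyDBG v1.10
loads. build_sample_pe() returns a constructed toy image, not a real Conquer.exe.
"""
import struct

NOP = 0x90


def short_jmp(src_va, dst_va, opcode=0xEB):
    """Encode a 2-byte short jump at src_va landing on dst_va.

    opcode 0xEB = JMP, 0x74 = JE, 0x7C = JL. rel8 is counted from the end of
    the 2-byte instruction, so JL at 004687F9 rewritten to JMP SHORT 0046883C
    is EB 41, not the 7C 18 of the original JL.
    """
    rel = dst_va - (src_va + 2)
    if not -128 <= rel <= 127:
        raise ValueError("%#x -> %#x is out of short-jump range" % (src_va, dst_va))
    return bytes([opcode, rel & 0xFF])


def pe_layout(data):
    """Return (image_base, [(rva, vsize, raw_ptr, raw_size), ...]) from the PE headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    file_hdr = e_lfanew + 4
    # IMAGE_FILE_HEADER: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, opt_size = struct.unpack_from("<H12xH", data, file_hdr + 2)
    opt_hdr = file_hdr + 20
    if struct.unpack_from("<H", data, opt_hdr)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", data, opt_hdr + 28)[0]
    sections, sec = [], opt_hdr + opt_size
    for _ in range(num_sections):
        # after the 8-byte name: VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<4I", data, sec + 8)
        sections.append((rva, vsize, raw_ptr, raw_size))
        sec += 40
    return image_base, sections


def va_to_offset(data, va):
    """Map the address OllyDBG displays to the file offset that holds those bytes."""
    image_base, sections = pe_layout(data)
    rva = va - image_base
    for sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            if rva - sec_rva >= raw_size:
                raise ValueError("%#x is uninitialised data, nothing on disk to patch" % va)
            return raw_ptr + (rva - sec_rva)
    raise ValueError("%#x is not inside any section" % va)


def patch(data, va, expected, replacement):
    """Overwrite bytes at va, but only if the bytes there are the ones expected.

    OllyDBG's "Copy to executable" does not check this for you: on another
    client build the same address holds different code and a blind write
    corrupts it. Replacements never change instruction length.
    """
    if len(expected) != len(replacement):
        raise ValueError("replacement must be the same length as the original")
    off = va_to_offset(data, va)
    found = data[off:off + len(expected)]
    if found != expected:
        raise ValueError("bytes at %#x are %s, expected %s" % (va, found.hex(), expected.hex()))
    out = bytearray(data)
    out[off:off + len(replacement)] = replacement
    return bytes(out)


def nop_out(data, va, expected):
    """Equivalent of Binary -> Fill with NOPs over an instruction run of known bytes."""
    return patch(data, va, expected, bytes([NOP]) * len(expected))


def build_sample_pe():
    """Constructed minimal PE32 (sample data only): one .text section at VA 0x401000
    holding the tutorial's CMP EAX,1 / JL SHORT pair, padded with NOPs."""
    image_base, text_rva, text_raw = 0x400000, 0x1000, 0x200
    code = bytes.fromhex("83F801" "7C18").ljust(0x40, b"\x90")  # CMP EAX,1 ; JL SHORT +18
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)        # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)  # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(code), text_rva, len(code),
                      text_raw, 0, 0, 0, 0, 0x60000020)
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return headers.ljust(text_raw, b"\0") + code


if __name__ == "__main__":
    # The tutorial's edit: JL SHORT 00468813 at 004687F9 -> JMP SHORT 0046883C
    print("bytes for 004687F9:", short_jmp(0x4687F9, 0x46883C).hex())  # eb41
    img = build_sample_pe()
    jl_va = 0x401003  # assumed location of the JL inside the toy image
    img = patch(img, jl_va, bytes.fromhex("7C18"), short_jmp(jl_va, jl_va + 2 + 0x18))
    img = nop_out(img, 0x401000, bytes.fromhex("83F801"))
    print("patched .text:", img[0x200:0x208].hex())  # 909090eb18909090
```

To use it on a real file, read Conquer.exe into `data`, call `patch()` or `nop_out()` with the address and
the original bytes OllyDBG shows (for example `nop_out(data, 0x477B84, bytes.fromhex("53FF7620FF1578565200"))`
for the first ShellExecuteA block), and write the result to a new file, never over the backup. The
`expected` argument is what makes the script safe to re-run or hand to someone on a different build: a
mismatch raises instead of silently corrupting code.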