Learn how to reverse engineer and call two functions in the Tibia MMORPG. One function prints to the screen and the other sends a chat message. We will find the functions using OllyDBG, work out their calling convention and function prototype, and then learn to call them from an internal C++ DLL.
Here is what the end result looks like, we make a C++ DLL that calls the functions for us
Reverse Engineering Tibia Tutorial
Here is what the end result looks like, we make a C++ DLL that calls the functions for us
Code:
#include <Windows.h>
#include <iostream>
// Function-pointer types for the two client routines called from HackThread. Both use the
// __fastcall convention, as determined in the tutorial.
// NOTE(review): identifiers beginning with an underscore and an uppercase letter are reserved
// for the implementation in C++; they are kept here because every use site references them.
using _PrintFunc = void(__fastcall*)(const char* msg);
using _SayFunc = void(__fastcall*)(int number, const char* msg);

// Resolved at run time in HackThread from the Tibia.exe module base; null until then.
_PrintFunc PrintFunc = nullptr;
_SayFunc SayFunc = nullptr;
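// Thread body started from DllMain.
//
// Opens a console for this DLL so std::cout output is visible inside the host process,
// resolves the two client functions by fixed offset from the Tibia.exe module base, then
// polls the keyboard until END is pressed. NUMPAD1 calls PrintFunc, NUMPAD2 calls SayFunc.
//
// hModule: this DLL's module handle, passed on to FreeLibraryAndExitThread so the DLL
//          unloads itself when the loop ends.
// Returns 0; in practice the thread ends inside FreeLibraryAndExitThread.
DWORD WINAPI HackThread(HMODULE hModule)
{
    AllocConsole();
    FILE* console = nullptr;
    // Redirect stdout into the new console. On failure keep `console` null so the
    // cleanup below never calls fclose() on an invalid pointer.
    if (freopen_s(&console, "CONOUT$", "w", stdout) != 0)
    {
        console = nullptr;
    }
    std::cout << "Hello there, we are injected!\n";

    // The offsets below are relative to the load address of one specific Tibia.exe build.
    // A different build places other code at these offsets, and a missing module would make
    // the sums point at garbage, so the loop is only entered when the module was found.
    const uintptr_t moduleBase = reinterpret_cast<uintptr_t>(GetModuleHandle(L"Tibia.exe"));
    if (moduleBase == 0)
    {
        std::cout << "Tibia.exe module not found, nothing to call\n";
    }
    else
    {
        PrintFunc = reinterpret_cast<_PrintFunc>(moduleBase + 0x214540);
        SayFunc = reinterpret_cast<_SayFunc>(moduleBase + 0x206C0);

        while (true)
        {
            // The low bit of GetAsyncKeyState is used as a one-shot "pressed since the last
            // call" flag, so each key press triggers a single action.
            if (GetAsyncKeyState(VK_END) & 1)
            {
                break;
            }
            if (GetAsyncKeyState(VK_NUMPAD1) & 1)
            {
                PrintFunc("Hello from my dll");
            }
            if (GetAsyncKeyState(VK_NUMPAD2) & 1)
            {
                SayFunc(1, "Hello there");
            }
            Sleep(10);
        }
    }

    if (console != nullptr)
    {
        fclose(console);
    }
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0;
}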
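// DLL entry point.
//
// On process attach, starts HackThread on a new thread so DllMain itself returns right
// away; all other reasons are ignored. Always reports success to the loader.
//
// hModule:            this DLL's module handle, forwarded to HackThread.
// ul_reason_for_call: DLL_PROCESS_ATTACH / DLL_THREAD_ATTACH / DLL_THREAD_DETACH /
//                     DLL_PROCESS_DETACH.
// lpReserved:         unused.
BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // HackThread takes HMODULE rather than LPVOID, hence the start-routine cast. The
        // thread handle is not needed afterwards, so it is released immediately; a null
        // handle means CreateThread failed and there is nothing to close.
        HANDLE thread = CreateThread(nullptr, 0,
                                     reinterpret_cast<LPTHREAD_START_ROUTINE>(HackThread),
                                     hModule, 0, nullptr);
        if (thread != nullptr)
        {
            CloseHandle(thread);
        }
        break; // the original fell through into the cases below
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}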
Reverse Engineering Tibia Tutorial