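// Learn how to reverse engineer and call two functions in the Tibia MMORPG.
// One function prints to the screen and the other sends a chat message. We
// will find the functions using OllyDbg, figure out their calling convention
// and function prototype, and then learn to call them using an internal C++
// DLL. Here is what the end result looks like: we make a C++ DLL that calls
// the functions for us.

#include <Windows.h>

#include <cstdint>
#include <cstdio>
#include <iostream>

// Prototypes recovered in the debugger. Both the calling convention and the
// argument list are reverse-engineered assumptions: if either one does not
// match the real function, the call corrupts registers or the stack inside the
// host process and will most likely crash it.
typedef void(__fastcall* _PrintFunc)(const char* msg);
typedef void(__fastcall* _SayFunc)(int number, const char* msg);

// Resolved at runtime in HackThread; stay null until the client module is found.
_PrintFunc PrintFunc = nullptr;
_SayFunc SayFunc = nullptr;

/// Worker thread started from DllMain once the DLL is loaded.
///
/// Opens a console, resolves the two client functions relative to the base of
/// Tibia.exe and then polls the keyboard:
///   END     - leave the loop and unload the DLL
///   NUMPAD1 - call the print function
///   NUMPAD2 - call the chat function
///
/// @param hModule Handle of this DLL, needed to unload it on exit.
/// @return Always 0 (not reached in practice: FreeLibraryAndExitThread does not return).
DWORD WINAPI HackThread(HMODULE hModule)
{
    AllocConsole();

    // freopen_s returns non-zero on failure; never pass a bad stream to fclose later.
    FILE* f = nullptr;
    if (freopen_s(&f, "CONOUT$", "w", stdout) != 0)
    {
        f = nullptr;
    }

    std::cout << "Hello there, we are injected!\n";

    // The literal is a wide string, so call the W variant explicitly instead of
    // depending on the UNICODE macro being defined for this build.
    const HMODULE clientModule = GetModuleHandleW(L"Tibia.exe");

    if (clientModule != nullptr)
    {
        const uintptr_t moduleBase = reinterpret_cast<uintptr_t>(clientModule);

        // These offsets are relative to the module base and belong to the one
        // client build that was analysed in the debugger. Any other build will
        // have different code at these addresses.
        PrintFunc = reinterpret_cast<_PrintFunc>(moduleBase + 0x214540);
        SayFunc = reinterpret_cast<_SayFunc>(moduleBase + 0x206C0);

        // NOTE(review): the calls below run on this thread, not on a thread
        // owned by the client. Nothing here shows whether the two functions
        // are safe to call that way - confirm before relying on it.
        while (true)
        {
            // The low bit of GetAsyncKeyState reports a key press since the
            // previous query, so each press triggers one action.
            if (GetAsyncKeyState(VK_END) & 1)
            {
                break;
            }

            if (GetAsyncKeyState(VK_NUMPAD1) & 1)
            {
                PrintFunc("Hello from my dll");
            }

            if (GetAsyncKeyState(VK_NUMPAD2) & 1)
            {
                // The meaning of the first argument is not established here.
                SayFunc(1, "Hello there");
            }

            Sleep(10);
        }
    }
    else
    {
        // Without a module base the computed addresses would just be the raw
        // offsets, and calling through them would fault. Skip straight to cleanup.
        OutputDebugStringA("HackThread: Tibia.exe module not found, unloading\n");
    }

    if (f != nullptr)
    {
        fclose(f);
    }
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0;
}

/// DLL entry point: starts HackThread when the DLL is attached to a process.
///
/// Work is kept to a minimum here because DllMain runs under the loader lock;
/// everything else happens on the worker thread.
BOOL APIENTRY DllMain(HMODULE hModule,
                      DWORD ul_reason_for_call,
                      LPVOID lpReserved)
{
    (void)lpReserved;

    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // HackThread takes an HMODULE rather than an LPVOID; the cast relies on
        // both being plain pointer-sized handles.
        const HANDLE worker = CreateThread(
            nullptr, 0,
            reinterpret_cast<LPTHREAD_START_ROUTINE>(HackThread),
            hModule, 0, nullptr);

        // CreateThread returns null on failure; only close a handle we own.
        // The thread keeps running after its handle is closed.
        if (worker != nullptr)
        {
            CloseHandle(worker);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}

// Reverse Engineering Tibia Tutorial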