Learn how to reverse engineer and call two function in the Tibia MMORPG. One function prints to the screen and the other sends a chat message. We will find the functions using OllyDBG and figure out their calling convention & function prototype and then learn to call them using an internal C++ DLL.

Here is what the end result looks like, we make a C++ DLL that calls the functions for us

Code (Text):

#include <Windows.h>
#include <iostream>
 
typedef void(__fastcall* _PrintFunc)(const char* msg);
typedef void(__fastcall* _SayFunc)(int number, const char* msg);
_PrintFunc PrintFunc;
_SayFunc SayFunc;
 
 
DWORD WINAPI HackThread(HMODULE hModule)
{
    AllocConsole();
    FILE* f;
    freopen_s(&f, "CONOUT$", "w", stdout);
 
    std::cout << "Hello there, we are injected!\n";
 
    uintptr_t moduleBase = (uintptr_t)GetModuleHandle(L"Tibia.exe");
 
    PrintFunc = (_PrintFunc)(moduleBase + 0x214540);
    SayFunc = (_SayFunc)(moduleBase + 0x206C0);
 
    while (true)
    {
        if (GetAsyncKeyState(VK_END) & 1)
        {
            break;
        }
        if (GetAsyncKeyState(VK_NUMPAD1) & 1)
        {
            PrintFunc("Hello from my dll");
        }
        if (GetAsyncKeyState(VK_NUMPAD2) & 1)
        {
            SayFunc(1, "Hello there");
        }
        Sleep(10);
    }
    fclose(f);
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0;
}
 
 
BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        CloseHandle(CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)HackThread, hModule, 0, nullptr));
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}