Video Tutorial Tibia OllyDBG Reverse Engineering & Packet Function Calling


Petko123

Biggest paster
Dank Tier VIP
Trump Tier Donator
Feb 19, 2018
80
6,593
3
Hello everyone, today I made a video tutorial with some reverse engineering of Tibia (finding and calling internal functions).

Learn how to reverse engineer and call two functions in the Tibia MMORPG. One function prints to the screen and the other sends a chat message. We will find the functions using OllyDBG and figure out their calling convention & function prototype and then learn to call them using an internal C++ DLL.



In this tutorial I found printWhiteMsgFunc and sayFunc. I find out the arguments and calling conventions and write a simple .dll in C++.

If people are interested I will make a second video covering calling functions that are based around encrypting the packets (since all packets are encrypted with an RSA key, but we will call functions that will do the job for us and send the packet to the server).

Anyways, hope you find it helpful.

This tutorial assumes you finished the Guide - START HERE Beginners Guide to Learning Game Hacking and are working on Guide - Beginners Guide To Reverse Engineering Tutorial

If you're looking for more information on calling game functions:
https://guidedhacking.com/threads/guide-on-how-to-call-game-functions.11116/


Here is the completed code:
C++:
// dllmain.cpp : Defines the entry point for the DLL application.
#include <Windows.h>
#include <cstdio>     // freopen_s / fclose
#include <iostream>

// Prototypes recovered in the video. Both functions take their first
// argument in ECX, so they are declared __fastcall here.
typedef void(__fastcall* _PrintFunc)(const char* msg);
typedef void(__fastcall* _SayFunc)(int number, const char* msg);
_PrintFunc PrintFunc;
_SayFunc SayFunc;


DWORD WINAPI HackThread(HMODULE hModule)
{
    // Open a console so std::cout output is visible inside the game process.
    AllocConsole();
    FILE* f = nullptr;
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "Hello there, we are injected!\n";

    // The function offsets are relative to the module base, so resolve it first.
    // GetModuleHandleW is used so the wide string literal compiles regardless of
    // the project's UNICODE setting.
    uintptr_t moduleBase = (uintptr_t)GetModuleHandleW(L"Tibia.exe");
    if (moduleBase == 0)
    {
        std::cout << "Tibia.exe is not loaded in this process, unloading.\n";
        if (f) fclose(f);
        FreeConsole();
        FreeLibraryAndExitThread(hModule, 1);
    }

    PrintFunc = (_PrintFunc)(moduleBase + 0x214540);
    SayFunc = (_SayFunc)(moduleBase + 0x206C0);

    while (true)
    {
        // "& 1" reports a key press since the last call, so each press fires once.
        if (GetAsyncKeyState(VK_END) & 1)
        {
            break; // END unloads the DLL
        }
        if (GetAsyncKeyState(VK_NUMPAD1) & 1)
        {
            PrintFunc("Hello from my dll");
        }
        if (GetAsyncKeyState(VK_NUMPAD2) & 1)
        {
            SayFunc(1, "Hello there");
        }
        Sleep(10);
    }
    if (f) fclose(f);
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0; // not reached; FreeLibraryAndExitThread does not return
}


BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Do the real work on a separate thread; DllMain runs under the loader lock
        // and must return quickly.
        HANDLE hThread = CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)HackThread, hModule, 0, nullptr);
        if (hThread)
        {
            CloseHandle(hThread);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
 

Petko123

Reverse Engineer Tibia Packet Sending Function with x64dbg

Learn how to send packets by calling functions in Tibia. Learn reverse engineering with x64dbg.


Tutorial:
C++:
// dllmain.cpp : Defines the entry point for the DLL application.
#include <Windows.h>
#include <cstdio>     // freopen_s / fclose
#include <iostream>

// Prototypes recovered with x64dbg. All of them take their first argument
// in ECX, so they are declared __fastcall.
typedef void(__fastcall* _PrintFunc)(const char* msg);
typedef void(__fastcall* _SayFunc)(int number, const char* msg);
// The packet is assembled by calling these four in order (see the NUMPAD3 handler).
typedef void(__fastcall* _PacketIdFunc)(int number);
typedef void(__fastcall* _PacketItemFunc)(int creatureId);
typedef void(__fastcall* _PacketThreeFunc)(int number);
typedef void(__fastcall* _PacketEndFunc)(BYTE one);
_PrintFunc PrintFunc;
_SayFunc SayFunc;
_PacketIdFunc PacketId;
_PacketItemFunc PacketItem;
_PacketThreeFunc PacketThreeFunc;
_PacketEndFunc PacketEnd;

DWORD WINAPI HackThread(HMODULE hModule)
{
    // Open a console so std::cout output is visible inside the game process.
    AllocConsole();
    FILE* f = nullptr;
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "Hello there, we are injected!\n";

    // Offsets are relative to the module base. GetModuleHandleW is used so the
    // wide string literal compiles regardless of the project's UNICODE setting.
    uintptr_t moduleBase = (uintptr_t)GetModuleHandleW(L"Tibia.exe");
    if (moduleBase == 0)
    {
        std::cout << "Tibia.exe is not loaded in this process, unloading.\n";
        if (f) fclose(f);
        FreeConsole();
        FreeLibraryAndExitThread(hModule, 1);
    }

    PrintFunc = (_PrintFunc)(moduleBase + 0x214540);
    SayFunc = (_SayFunc)(moduleBase + 0x206C0);

    PacketId = (_PacketIdFunc)(moduleBase + 0x1B5C10);
    PacketItem = (_PacketItemFunc)(moduleBase + 0x1B6330);
    // Note: as posted, PacketThreeFunc resolves to the same offset as PacketItem.
    PacketThreeFunc = (_PacketThreeFunc)(moduleBase + 0x1B6330);
    PacketEnd = (_PacketEndFunc)(moduleBase + 0x1B6B10);

    while (true)
    {
        // "& 1" reports a key press since the last call, so each press fires once.
        if (GetAsyncKeyState(VK_END) & 1)
        {
            break; // END unloads the DLL
        }
        if (GetAsyncKeyState(VK_NUMPAD1) & 1)
        {
            PrintFunc("Hello from my dll");
        }
        if (GetAsyncKeyState(VK_NUMPAD2) & 1)
        {
            SayFunc(1, "hello");
        }
        if (GetAsyncKeyState(VK_NUMPAD3) & 1)
        {
            // Build and send one packet: id, creature argument, third field, finish.
            PacketId(0xa1);
            PacketItem(0x80000224);
            PacketThreeFunc(10);
            PacketEnd(1);
        }
        if (GetAsyncKeyState(VK_NUMPAD4) & 1)
        {
            // Same sequence with a different packet id.
            PacketId(0xa2);
            PacketItem(0x80000224);
            PacketThreeFunc(10);
            PacketEnd(1);
        }
        Sleep(10);
    }
    if (f) fclose(f);
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0; // not reached; FreeLibraryAndExitThread does not return
}

BOOL APIENTRY DllMain( HMODULE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
                     )
{
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
    {
        // Do the real work on a separate thread; DllMain runs under the loader lock
        // and must return quickly.
        HANDLE hThread = CreateThread(nullptr, 0, (LPTHREAD_START_ROUTINE)HackThread, hModule, 0, nullptr);
        if (hThread)
        {
            CloseHandle(hThread);
        }
        break;
    }
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
 


Petko123

How to make a Tibia Bot - MMO Botting Tutorial - Auto Attack

This will be the first tutorial in a series on "How to make a simple bot for Tibia?". In this tutorial we are making our first feature, which will be "auto attack".

Tutorial provided to you by Petko123.

Learn how to find the Tibia Entitylist using Cheat Engine and ReClass.NET and make a mini bot that is going to attack monsters on screen. In Tibia the Entitylist is an array of entity objects; these objects contain all the data that we need for our "auto attack" to work. Knowing how to loop through the entity list is a MUST because that gives us a lot of information about creatures around us and their state in the game.

 


Icew0lf

Software Ninjaneer
Dank Tier VIP
Fleep Tier Donator
Aug 20, 2013
577
13,688
44
Very nice and beginner friendly explanation!
I like how you describe every step you make.
Would love to see more videos from you.

 

Petko123

Very nice and beginner friendly explanation!
I like how you describe every step you make.
Would love to see more videos from you.

Thank you very much man. I got a lot of compliments for this video so I will keep making them. Don't know if it will be more about Tibia or other games. :)
 

foolano

Trump Tier Donator
Dank Tier Donator
Nov 3, 2019
4
508
0
If people are interested I will make a second video covering calling functions that are based around encrypting the packets (since all packets are encrypted with RSA key, but we will call functions that will do the job for us and send the packet to the server)
Can't wait for it!
I really liked your way of explaining things, mainly telling what hotkeys you were using, makes everything so clear.

Thank you very much man. I got a lot of compliments for this video so I will keep making them. Don't know if it will be more about Tibia or other games. :)
I vote for Tibia!
 

Petko123

Can't wait for it!
I really liked your way of explaining things, mainly telling what hotkeys you were using, makes everything so clear.
Thank you. Well, I like to make videos as I am watching them. I'm the biggest noob and I like to be shown everything baby steps, cause that's how I can learn everything the best and understand everything someone is doing in the video.
 

Icew0lf

Thank you very much man. I got a lot of compliments for this video so I will keep making them. Don't know if it will be more about Tibia or other games. :)
I never worked much with calling conventions in the past, so a series or follow-up video calling stuff or working with packets is much appreciated.

Best regards
 
Feb 10, 2019
152
2,468
18
Not to be "that guy" as it's a great tutorial, but the first function is actually a thiscall.

more along the lines of this

C++:
#include <Windows.h>
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <string>

// GetModuleHandle(nullptr) returns the base of the host executable, i.e. Tibia.exe once injected.
const auto module_base = reinterpret_cast<uintptr_t>(GetModuleHandle(nullptr));

// The print routine receives the string pointer in ECX, the way a this pointer is passed: __thiscall.
void PrintConsole(const std::string& msg)
{
    return reinterpret_cast<void(__thiscall*)(const char*)>(module_base + 0x214540)(msg.c_str());
}

// Message type in ECX, text pointer in EDX: __fastcall with two arguments.
int32_t SayChat(const std::string& msg, const int32_t msgType = 1)
{
    return reinterpret_cast<int32_t(__fastcall*)(int32_t, const char*)>(module_base + 0x206C0)(msgType, msg.c_str());
}

DWORD WINAPI HackThread(const HMODULE hModule)
{
    // Open a console so std::cout output is visible inside the game process.
    AllocConsole();
    FILE* f = nullptr;
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "Hello there, we are injected!\n";

    // Keep polling until F4 is held down.
    while (!GetAsyncKeyState(VK_F4))
    {
        if (GetAsyncKeyState(VK_F5) & 1)
            PrintConsole("Hello from my dll");

        if (GetAsyncKeyState(VK_F6) & 1)
            SayChat("Hello from my dll");

        Sleep(1);
    }

    if (f) fclose(f);
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0; // not reached; FreeLibraryAndExitThread does not return
}
 

Rake

Cesspool Admin
Administrator
Jan 21, 2014
11,525
78,998
2,308
Not to be "that guy" as it's a great tutorial, but the first function is actually a thiscall.

more along the lines of this, also they both have return values

C++:
#include <Windows.h>
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <string>

// GetModuleHandle(nullptr) returns the base of the host executable, i.e. Tibia.exe once injected.
const auto module_base = reinterpret_cast<uintptr_t>(GetModuleHandle(nullptr));

// The print routine receives the string pointer in ECX, the way a this pointer is passed: __thiscall.
// It also returns a value (a char), which the original typedef discarded.
char PrintConsole(const std::string& msg)
{
    return reinterpret_cast<char(__thiscall*)(const char*)>(module_base + 0x214540)(msg.c_str());
}

// Message type in ECX, text pointer in EDX: __fastcall with two arguments; returns an int32_t.
int32_t SayChat(const std::string& msg, const int32_t msgType = 1)
{
    return reinterpret_cast<int32_t(__fastcall*)(int32_t, const char*)>(module_base + 0x206C0)(msgType, msg.c_str());
}

DWORD WINAPI HackThread(const HMODULE hModule)
{
    // Open a console so std::cout output is visible inside the game process.
    AllocConsole();
    FILE* f = nullptr;
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "Hello there, we are injected!\n";

    // Keep polling until F4 is held down.
    while (!GetAsyncKeyState(VK_F4))
    {
        if (GetAsyncKeyState(VK_F5) & 1)
            PrintConsole("Hello from my dll");

        if (GetAsyncKeyState(VK_F6) & 1)
            SayChat("Hello from my dll");

        Sleep(1);
    }

    if (f) fclose(f);
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0; // not reached; FreeLibraryAndExitThread does not return
}
you've been "that guy" since your first post :p
 

Petko123

Not to be "that guy" as it's a great tutorial, but the first function is actually a thiscall.

more along the lines of this, also they both have return values

C++:
#include <Windows.h>
#include <cstdint>
#include <cstdio>
#include <iostream>
#include <string>

// GetModuleHandle(nullptr) returns the base of the host executable, i.e. Tibia.exe once injected.
const auto module_base = reinterpret_cast<uintptr_t>(GetModuleHandle(nullptr));

// The print routine receives the string pointer in ECX, the way a this pointer is passed: __thiscall.
// It also returns a value (a char), which the original typedef discarded.
char PrintConsole(const std::string& msg)
{
    return reinterpret_cast<char(__thiscall*)(const char*)>(module_base + 0x214540)(msg.c_str());
}

// Message type in ECX, text pointer in EDX: __fastcall with two arguments; returns an int32_t.
int32_t SayChat(const std::string& msg, const int32_t msgType = 1)
{
    return reinterpret_cast<int32_t(__fastcall*)(int32_t, const char*)>(module_base + 0x206C0)(msgType, msg.c_str());
}

DWORD WINAPI HackThread(const HMODULE hModule)
{
    // Open a console so std::cout output is visible inside the game process.
    AllocConsole();
    FILE* f = nullptr;
    freopen_s(&f, "CONOUT$", "w", stdout);

    std::cout << "Hello there, we are injected!\n";

    // Keep polling until F4 is held down.
    while (!GetAsyncKeyState(VK_F4))
    {
        if (GetAsyncKeyState(VK_F5) & 1)
            PrintConsole("Hello from my dll");

        if (GetAsyncKeyState(VK_F6) & 1)
            SayChat("Hello from my dll");

        Sleep(1);
    }

    if (f) fclose(f);
    FreeConsole();
    FreeLibraryAndExitThread(hModule, 0);
    return 0; // not reached; FreeLibraryAndExitThread does not return
}
Oh, really? For thiscall I know cause it takes pointer to char array but it works the way I did it. For return values I didn’t know :eek: can you explain it in more detail please since I’m interested, thanks.
 
Feb 10, 2019
Oh, really? For thiscall I know cause it takes pointer to char array but it works the way I did it. For return values I didn’t know :eek: can you explain it in more detail please since I’m interested, thanks.
Well, tbf, can't really say thiscall or fastcall here is wrong or right without seeing the source code; they will both work as this only takes 1 argument. If this function is a member function (I would assume it is), thiscall would be correct since it takes no arguments and only a this pointer. If it is just a stand-alone function, then fastcall is correct with the 1 arg being the buffer. They both work because both thiscall and fastcall use ecx as the first storage point, and the callee cleans up the stack in both as well. The reason I lean towards this as a thiscall is that in AAA games/titles the odds are more likely that most functions are member functions, thus making it a thiscall. For what it is worth, IDA also guesses this function as a thiscall.

As you can see, IDA also (based on how it's referenced) determines this is a member function as well.

So to end you are not wrong and who knows without seeing the source code ¯\_(ツ)_/¯
 

x9e

Full Member
Jan 27, 2020
2
128
0
Great video, I'd love to see an attempt at creating a HUD with the ingame print functions, e.g. the print function that prints names & various HUD properties.
Thanks
 

droriko

Full Member
Mar 17, 2020
8
104
0
Premiering the next Tibia Packet Function calling tutorial


I am tempted to make a Tibia cheat, this looks fun.
awesome tutorials, thanks!

is it possible to make series of this?
like using runes on enemy / self, fast hands looting items etc.
 

Petko123

awesome tutorials, thanks!

is it possible to make series of this?
like using runes on enemy / self, fast hands looting items etc.
Yes, it is. With the next tutorial I will start the series of making a mini bot that will consist of an auto attacker, healer, auto loot, some memory editing for Xray, hooking some functions to change people's names, maybe to draw something on screen, e.g. a mana bar, since we only have a health bar. (This might be too much for me tbh, but we'll see :D ) But before I start making videos I need to set up my project and get used to working with classes and multiple files inside of a project, since I'm a terrible coder and I only worked with 1 file and 1 function aka main.
 