Tibia Packet Reverse Engineering Tutorial 1/3


Looking for a Tibia 12 bot? Visit https://validusbot.net

Learn how to reverse engineer and call two functions in the Tibia MMORPG. One function prints to the screen and the other sends a chat message. We will find the functions using OllyDBG, figure out their calling convention and function prototype, and then learn to call them using an internal C++ DLL.

This video brought to GH by Petko123, my great thanks to him for sharing a video with us all.
https://guidedhacking.com/members/88907/

Discussion thread
https://guidedhacking.com/threads/rev...

In this video you will learn how to find and call 2 internal functions inside the Tibia MMORPG. The first function prints white text at the bottom of the screen and the second one sends a speech packet with a given message. We will use the Olly debugger to find these functions, figure out their calling conventions and make a function prototype so we can call them using an internal C++ DLL.

Tibia is one of the oldest and most successful massively multiplayer online role-playing games (MMORPG), created by a small development studio from Germany called Cipsoft back in 1997. For more than 20 years now, players have been visiting the medieval world of Tibia. It was really popular back in the day and still is because of its unique look and user-friendly client. There are 4 vocations (roles) you can play: druid, knight, sorcerer and paladin. Each has its strengths and weaknesses in PVP and PVE. The Tibia map is HUGE and there are so many spawns, quests and mysteries you can research that you will never get bored.

Tibia was always a nice target for bot makers because it has a big player base, no anti-cheat, and it was built with native C++, which makes reversing super easy. There are thousands of source codes and posts out there on forums dedicated to reversing Tibia. One of the more famous game hackers you have all probably heard of is Nick Cano, who made his bot for Tibia called Xenobot.

We are using an old Tibia client from 2016 that is used on a privately hosted server and doesn't have any anti-debug methods in it. It's the last client with no anti-cheat before the official client 12, which has BattlEye in it. First we find our function to print white text by searching for string references to the message "Sorry, not possible.", which pops up when you walk into a wall. From there we get its RVA and calling convention, which is __fastcall. We make a simple C++ DLL that gets the module base of Tibia.exe and adds the RVA of the function to it. We make a prototype for the function using typedef and call it with a given message when we press NUMPAD 1.
The second function is the speech function. We know it has to send a packet to the server, so we look for all intermodular calls from the Tibia.exe module to the send() function inside the ws2_32.dll module. From there we put a breakpoint and slowly go up the call stack until we see our message in plain text. We get the function's RVA, make a new prototype for the speech function, which is also __fastcall and takes 2 arguments, and call it by pressing NUMPAD 2.
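The two steps above (typedef a __fastcall prototype, rebase the recovered RVA onto the module base, call through the pointer) are the part that is easy to get subtly wrong, so here is the pattern written out. This is an added example, not the video's DLL or any code from the Tibia client: the two game functions are replaced by stand-in functions defined in the file, the parameter lists of both prototypes are hypothetical (the real ones come out of the debugger), and the "module base" is the address of a local anchor function, so the base+RVA arithmetic can be exercised on any platform. On Windows the base would instead come from GetModuleHandleA("Tibia.exe"), shown under an _WIN32 guard.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <string>

// The video's targets are __fastcall on the 32-bit MSVC client. Other
// compilers/architectures have no such keyword, so the macro collapses to the
// default convention there; the prototype/rebase pattern is unchanged.
#if defined(_MSC_VER) && defined(_M_IX86)
#define GAME_CALL __fastcall
#else
#define GAME_CALL
#endif

// Prototypes in the shape the video derives. Parameter lists are HYPOTHETICAL
// placeholders for this example; the real ones must be recovered in OllyDBG.
typedef void (GAME_CALL *PrintTextFn)(const char *message);
typedef int  (GAME_CALL *SpeechFn)(int channel, const char *message);

// Stand-in "game" functions so the example runs outside the client.
static std::string g_lastPrinted;
static std::string g_lastSpeech;

static void GAME_CALL fakePrintText(const char *message) {
    g_lastPrinted = message;
}

static int GAME_CALL fakeSpeech(int channel, const char *message) {
    g_lastSpeech = std::to_string(channel) + ":" + message;
    return static_cast<int>(std::strlen(message));
}

// Rebase an RVA onto a module base. RVAs survive ASLR relocation of the image
// (the whole module moves together) but not a client update, which is why the
// video stores offsets rather than absolute addresses.
template <typename Fn>
Fn resolveFromRva(std::uintptr_t moduleBase, std::uintptr_t rva) {
    return reinterpret_cast<Fn>(moduleBase + rva);
}

#ifdef _WIN32
#include <windows.h>
// On the real client the base comes from the loader, as in the video.
std::uintptr_t tibiaModuleBase() {
    return reinterpret_cast<std::uintptr_t>(GetModuleHandleA("Tibia.exe"));
}
#endif

// Constructed stand-in for the image base: the address of this anchor.
static void anchor() {}

std::uintptr_t fakeModuleBase() {
    return reinterpret_cast<std::uintptr_t>(&anchor);
}

// "RVAs" of the stand-ins, measured against the fake base. Unsigned wrap-around
// is fine: base + rva lands back on the function either way.
std::uintptr_t printTextRva() {
    return reinterpret_cast<std::uintptr_t>(&fakePrintText) - fakeModuleBase();
}

std::uintptr_t speechRva() {
    return reinterpret_cast<std::uintptr_t>(&fakeSpeech) - fakeModuleBase();
}

// What the DLL does on NUMPAD 1: resolve and call the print function.
std::string callPrintViaRva(const char *message) {
    PrintTextFn fn = resolveFromRva<PrintTextFn>(fakeModuleBase(), printTextRva());
    fn(message);
    return g_lastPrinted;
}

// What the DLL does on NUMPAD 2: resolve and call the speech function.
std::string callSpeechViaRva(int channel, const char *message) {
    SpeechFn fn = resolveFromRva<SpeechFn>(fakeModuleBase(), speechRva());
    int sent = fn(channel, message);
    std::printf("speech returned %d\n", sent);
    return g_lastSpeech;
}

int main() {
    std::printf("printed: %s\n", callPrintViaRva("Sorry, not possible.").c_str());
    std::printf("speech:  %s\n", callSpeechViaRva(0, "hello").c_str());
    return 0;
}
```

The one thing the example cannot check for you is the prototype itself: if the calling convention or argument count in the typedef does not match what the debugger showed, the call will still compile and the stack or registers will simply be wrong at runtime, which is why the video spends its time confirming both before writing the typedef.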

Support GH
  / guidedhacking  
https://guidedhacking.com/donate
https://guidedhacking.com
