After years of hard working, we have found a way to hack into both American and German servers.
The only way to do such a thing is bypassing all security threads CipSoft have created to protect their files - which isn't an easy task, of course. We had advances, problems, good news and bad news along the past years. But we've done it - and we're here to prove it.
It all started when I got hacked, 5 years ago. The hacker used a known method of hacking, but it was new and unknown in those days. I didn't like it, of course, but I had to confess the hacker was very smart - and I could be just like him.
Things became easy to me, since I was a computer programmer. In some months I had a keylogger and started distributing it. But I couldn't use that forever.
When players became more intelligent, it was very hard to find someone who would download my stuff. So I needed something new, something unstopable. I met some friends that work with computers too - things like hardware and security. That would be a great help for my plans.
We started working as a team - me (DarkCerberus, programming), Burning Stins (hardware), and McGoe (security and others). People (friends) used to call us "Mad Men", because they didn't believe we would do it someday.
The plan was to get into Tibian servers and manipulate all data - copy, delete and change. We started it as a hobby, but it became realistic with time. First we had to find out how the servers work - the operating system, methods, security threads, firewalls, SKMs, and many other details.
Next, we had to come up with an idea: and we did it. First I'll have to explain how Tibia works.
Everything you do in Tibia - login, walk, attack, move items, use items, speak - is sent to their servers via 64-bit packets. For example, if you level up, your Tibia client will send a message to the servers saying something like "New Level: 15". Of course it's encrypted binary data, so it would be something like "VOAS98YG" - and the server understands the message.
We cannot send things like virus or keylogger to the servers, because their firewalls would detect it and block it - it wouldn't even reach the central database. So, we didn't need to do anything: why not send packets telling the server what to do?
Once again, I have to say it wasn't that easy. How would I know "VOAS98YG" means "New Level: 15"? That was one of the hardest steps. We had to check all 64-bit packets, decrypt all binary data and find out what kind of algorithm they use, which took us months.
But yes, it worked! We got into Tibian central database at 2003, September 17th. We copied all data to our database and hacked millions of gold from the best players. Of course that wasn't a good idea.
Well, we had made a mistake. Of course CipTeam would notice that attack. And it made everything more difficult.
They changed everything. Database structure, security threads, algorithms and more. After two years of hard working, we made the biggest mistake I've ever made. Things would never become the same.
We needed 4 more years to pass their security again. But this time we couldn't make anything wrong. This time we did the perfect job. We've installed a thread in each of their server that will send us information everytime they change anything in the servers. So if they read this document there will be no problem for us :)
Yes, we've done it again. We can do anything in their servers. Change, remove or copy data.
However, they have made something that we cannot get past. They have implanted a system called MD5, which is a widely used cryptographic hash function with a 128-bit hash value. It means all account numbers and passwords are stored in a one-way algorithm, and it looks like this: "9e107d9d372bb6826bd81d3542a419d6".
So, we cannot hack people anymore.
Of course, we have worked even more, and now we can do anything but hack them. It means we can give anyone level, skills, items or premium days.
The form below will show you a sample of what we can do. We are looking forward to sell our job or even sell our algorithm, but for now all you can do is test it - each account will be able to use one feature each 6 months :)
Have a good time!