Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
Sands of Coliseum
Confirmed
How do I cheat?
Reputation: 0
Joined: 13 Aug 2008
Posts: 7
Location: Swe

Posted: Wed Jun 06, 2012 4:53 pm    Post subject: Sands of Coliseum

Cheat works best on the downloaded game.*
Sands of Coliseum has a cheat-detection system that prevents any cheat.
The only cheat you can do is one the creator hasn't thought of, and that's the "Goal" (a.k.a. Achievements) cheat.

Open up Achievements and search for the reward value of an achievement; there will be a bunch of addresses, about 150. Now change the values of all those addresses to the number you want, then complete the achievement, and you have yourself too much gold!

I believe this could be done for Gold Bars, but the problem is the reward is only 1, so you'll get about 500k addresses, so... :roll:

If you have something, share it.

_________________
Please Confirm Me!
johnnygg
Advanced Cheater
Reputation: 0
Joined: 20 Jan 2010
Posts: 51

Posted: Fri Jun 08, 2012 10:58 pm

Someone should combine this thread with the Berzerker Studios hacking detection system post.
TORPEDa
Cheater
Reputation: 1
Joined: 16 Sep 2010
Posts: 41

Posted: Sat Jun 09, 2012 8:05 am

Make the "Writable" memory checkbox grey before scanning!
Use an Array of Byte scan and search for this array:
Code:
FF D0 83 C4 10 8B 45 FC DD 40

You will find 1 address. Code will look like this:
Code:
FF D0 - call eax
83 C4 10 - add esp,10
8B 45 FC - mov eax,[ebp-04]
DD 40 18 - fld qword ptr [eax+18]

Just change call eax to nop.
Then you can search for gold and change it without being detected.
This might work with other values as well, but I tested it only on Gold.
EDIT: In order to totally bypass the detection system, put a breakpoint on
Code:
FF D0 - call eax

then step into it and the code will look like this (addresses will be different):
Code:
1171F486 - 55                    - push ebp
1171F487 - 8B EC                 - mov ebp,esp
1171F489 - 83 EC 68              - sub esp,68
1171F48C - 89 5D CC              - mov [ebp-34],ebx
1171F48F - 89 75 BC              - mov [ebp-44],esi
1171F492 - 89 7D B8              - mov [ebp-48],edi
1171F495 - 8B 4D 08              - mov ecx,[ebp+08]
1171F498 - 8B 45 10              - mov eax,[ebp+10]
1171F49B - 8D 75 C0              - lea esi,[ebp-40]
1171F49E - 8B 15 38483710        - mov edx,[10374838] : [002EEAF0]
1171F4A4 - 89 4D C4              - mov [ebp-3C],ecx
1171F4A7 - 89 55 C0              - mov [ebp-40],edx
1171F4AA - 89 35 38483710        - mov [10374838],esi
1171F4B0 - 8B 15 2C483710        - mov edx,[1037482C] : [00210000]
1171F4B6 - 3B F2                 - cmp esi,edx
1171F4B8 - 73 09                 - jae 1171F4C3
1171F4BA - 8B F0                 - mov esi,eax
1171F4BC - E8 1F318C5B           - call NPSWF32_11_2_202_235.dll+4825E0
1171F4C1 - 8B C6                 - mov eax,esi
1171F4C3 - 8B 30                 - mov esi,[eax]
1171F4C5 - F3 0F7E 40 04         - movq xmm0,[eax+04]
1171F4CA - 66 0FD6 45 A0         - movq [ebp-60],xmm0
1171F4CF - 8B 46 08              - mov eax,[esi+08]
1171F4D2 - 8B 48 50              - mov ecx,[eax+50]
1171F4D5 - 8D 55 B4              - lea edx,[ebp-4C]
1171F4D8 - 89 75 B4              - mov [ebp-4C],esi
1171F4DB - 8B 41 04              - mov eax,[ecx+04]
1171F4DE - 83 EC 04              - sub esp,04
1171F4E1 - 52                    - push edx
1171F4E2 - 6A 00                 - push 00
1171F4E4 - 51                    - push ecx
1171F4E5 - FF D0                 - call eax
1171F4E7 - 83 C4 10              - add esp,10
1171F4EA - F3 0F7E 4D A0         - movq xmm1,[ebp-60]
1171F4EF - 8B CE                 - mov ecx,esi
1171F4F1 - 8B 75 BC              - mov esi,[ebp-44]
1171F4F4 - 8B D0                 - mov edx,eax
1171F4F6 - B8 04000000           - mov eax,00000004
1171F4FB - 89 55 E8              - mov [ebp-18],edx
1171F4FE - 85 D2                 - test edx,edx
1171F500 - 74 2A                 - je 1171F52C
1171F502 - F3 0F7E 41 28         - movq xmm0,[ecx+28]
1171F507 - F3 0F7E 51 20         - movq xmm2,[ecx+20]
1171F50C - F2 0F58 CA            - addsd xmm1,xmm2
1171F510 - 8B C9                 - mov ecx,ecx
1171F512 - 66 0F2E C1            - ucomisd xmm0,xmm1
1171F516 - 0F94 C9               - sete cl
1171F519 - 0F9B ED               - setnp ch
1171F51C - 22 CD                 - and cl,ch
1171F51E - 0FB6 C9               - movzx ecx,cl
1171F521 - 85 C9                 - test ecx,ecx
1171F523 - 0F94 C9               - sete cl
1171F526 - 0FB6 C9               - movzx ecx,cl
1171F529 - 89 4D E8              - mov [ebp-18],ecx
1171F52C - 8B 4D E8              - mov ecx,[ebp-18]
1171F52F - 85 C9                 - test ecx,ecx
1171F531 - 0F84 D0000000         - je 1171F607
1171F537 - 8B 5D 08              - mov ebx,[ebp+08]
1171F53A - 83 EC 04              - sub esp,04
1171F53D - 6A 00                 - push 00
1171F53F - 68 3CFDA113           - push 13A1FD3C : [14EBC4D8]
1171F544 - 53                    - push ebx
1171F545 - E8 96FF8F5B           - call NPSWF32_11_2_202_235.dll+4BF4E0


You need to change
Code:
1171F531 - 0F84 D0000000         - je 1171F607
into a JMP and that is all. Now you can change any value you want.
xabk
How do I cheat?
Reputation: 0
Joined: 09 Jun 2012
Posts: 1

Posted: Sat Jun 09, 2012 1:57 pm

Thanks. The anti-cheat system bypass works :)

I couldn't find exactly this array (FF D0 83 C4 10 8B 45 FC DD 40), but I was able to find the code in question using wildcards: FF D0 83 C4 ** 8B 45 ** DD. I guess the game alters offsets depending on something? Anyway, this worked for me.
johnnygg
Advanced Cheater
Reputation: 0
Joined: 20 Jan 2010
Posts: 51

Posted: Sat Jun 09, 2012 7:18 pm

What version of Flash are you using?
TORPEDa
Cheater
Reputation: 1
Joined: 16 Sep 2010
Posts: 41

Posted: Sat Jun 09, 2012 7:21 pm

johnnygg wrote:
What version of Flash are you using?

Me? I am using 11.2.202.235.
johnnygg
Advanced Cheater
Reputation: 0
Joined: 20 Jan 2010
Posts: 51

Posted: Sat Jun 09, 2012 8:00 pm

That's weird... I can't find that AOB. The closest I can find to
Code:
FF D0 83 C4 ** 8B 45 FC DD **
is ff d0 83 c4 ** 8b 45, always followed by either a move or a compare. I tried just looking for the code 55 8b ec ... etc., and found a lot of similar stuff, but in my version there's always a ret followed by a bunch of "int 3"s instead of a jmp to some address at the end.
TORPEDa
Cheater
Reputation: 1
Joined: 16 Sep 2010
Posts: 41

Posted: Sat Jun 09, 2012 8:23 pm

johnnygg wrote:
That's weird... I can't find that AOB. The closest I can find to
Code:
FF D0 83 C4 ** 8B 45 FC DD **
is ff d0 83 c4 ** 8b 45, always followed by either a move or a compare. I tried just looking for the code 55 8b ec ... etc., and found a lot of similar stuff, but in my version there's always a ret followed by a bunch of "int 3"s instead of a jmp to some address at the end.

Did you click on the Writable checkbox in Memory Scan Options and make it grey?
johnnygg
Advanced Cheater
Reputation: 0
Joined: 20 Jan 2010
Posts: 51

Posted: Sat Jun 09, 2012 8:30 pm

Yep.
TORPEDa
Cheater
Reputation: 1
Joined: 16 Sep 2010
Posts: 41

Posted: Sat Jun 09, 2012 8:46 pm

Then find the address of the value you want to change, for example where gold is stored, and find out what accesses that address. There should be about 2-4 instructions. Look for something like:
Code:
movq xmm0,[eax+18]
Go to the disassembler and a little bit lower you will see:
Code:
call eax
(eax or another register, but I always get eax). Put a breakpoint on it, step into it and follow the instructions I posted earlier.
Use Float when you want to find the gold.
johnnygg
Advanced Cheater
Reputation: 0
Joined: 20 Jan 2010
Posts: 51

Posted: Sat Jun 09, 2012 8:50 pm

o.o My gold is stored in a double o.o Weird, but I'll give it a shot.


[edit] For some reason, my instructions are very different, and when I try to replace the call eax's with nops, I get detected :/

[edit2] Managed to find almost the exact code to

Code:
FF D0 - call eax
83 C4 10 - add esp,10
8B 45 FC - mov eax,[ebp-04]
DD 40 18 - fld qword ptr [eax+18]


Instead of call eax though, I got "call BrokerMainW+C9C9E". I have no idea what BrokerMainW is... is that some sort of special register or something?

[edit 3] Well, once I replaced those 5 bytes with nops, I've been able to set the gold value to whatever I want... but the problem is that, for some reason, break/trace doesn't show anything :/
[edit 4] LOL, well, the gold value got changed, but any time the gold value is changed in-game (when I win a fight, try to buy/sell something, etc.), it detects the cheat. Fail.

[final edit] Well, if you save the game with all the gold after you set the value to whatever you want, then come back, it'll save the hacked value and you won't be detected when it changes later in-game... Still, I'd like to mess with other values; any input would be nice :0
TORPEDa
Cheater
Reputation: 1
Joined: 16 Sep 2010
Posts: 41

Posted: Sun Jun 10, 2012 4:48 am

Try searching for this AOB:
Code:
0F 84 D4 00 00 00 8B * 08 83 EC 04 6A 00 68

And do not forget to make the Writable checkbox grey!
You should find a conditional jump. Make it unconditional (jmp). This should bypass the protection.
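Added example, not code from any post in this thread: the scan-and-patch steps described in TORPEDa's two posts above (the wildcard array-of-byte search, NOPping the call eax, and rewriting the je rel32 as an unconditional jmp) carried out in Python against an in-memory byte buffer so they can be run offline and checked. The buffer and its base address are constructed from the disassembly listings quoted earlier in the thread, not dumped from the game; in Cheat Engine the same search is the Array of byte scan with Writable set to don't-care, and the patch is made in the disassembler. Wildcarding the je displacement in the second pattern is this example's own generalization of xabk's observation that offsets differ between builds, not something the thread states. Two things the code makes explicit: NOPping the call leaves the stack balanced only because the caller itself does add esp,10 afterwards, and the 6-byte je becomes NOP plus a 5-byte jmp with the same displacement, so the branch target is unchanged.

```python
"""Wildcard AOB scan plus the two byte patches from this thread: NOP a `call eax`
and rewrite a `je rel32` as an unconditional `jmp`. Added example, not code from
any post; it runs on an in-memory buffer so it works offline. In Cheat Engine the
scan is the Array of byte search (Writable set to don't-care) and the patch is
applied in the disassembler."""
from __future__ import annotations

# Constructed sample, not a dump of the game: bytes transcribed from the two
# disassembly listings quoted in the thread, at a made-up base address, with
# int3 (CC) filler between them.
BASE = 0x1171F500
SNIPPET_CALL = bytes.fromhex(
    "FFD0"          # call eax
    "83C410"        # add esp,10   (caller pops its 0x10 bytes of arguments)
    "8B45FC"        # mov eax,[ebp-04]
    "DD4018"        # fld qword ptr [eax+18]
)
SNIPPET_JE = bytes.fromhex(
    "8B4DE8"        # mov ecx,[ebp-18]
    "85C9"          # test ecx,ecx
    "0F84D0000000"  # je +0xD0     (1171F531 -> 1171F607 in the listing)
    "8B5D08"        # mov ebx,[ebp+08]
    "83EC04"        # sub esp,04
    "6A00"          # push 00
    "683CFDA113"    # push 13A1FD3C
    "53"            # push ebx
    "E896FF8F5B"    # call rel32
)
SAMPLE = bytes(SNIPPET_CALL + b"\xCC" * 33 + SNIPPET_JE)  # SNIPPET_JE begins at BASE+0x2C


def parse_aob(pattern: str) -> list[int | None]:
    """Parse a Cheat Engine style AOB ("FF D0 83 C4 ** 8B 45 ** DD").
    Tokens made only of '*' or '?' are wildcards (None); the rest are hex bytes."""
    out: list[int | None] = []
    for tok in pattern.split():
        if set(tok) <= {"*", "?"}:
            out.append(None)
        elif len(tok) == 2:
            out.append(int(tok, 16))
        else:
            raise ValueError(f"bad AOB token: {tok!r}")
    return out


def aob_scan(buf: bytes, pattern: str) -> list[int]:
    """Every offset in buf where the pattern matches; wildcards match any byte."""
    pat = parse_aob(pattern)
    n = len(pat)
    return [i for i in range(len(buf) - n + 1)
            if all(p is None or buf[i + j] == p for j, p in enumerate(pat))]


def rel32_target(insn_addr: int, insn_len: int, rel: int) -> int:
    """Target of a rel32 jump/call: the displacement is relative to the next instruction."""
    return (insn_addr + insn_len + rel) & 0xFFFFFFFF


def nop_call_reg(buf: bytearray, off: int) -> None:
    """Replace a 2-byte register-indirect call (FF D0 = call eax ... FF D7 = call edi)
    with two NOPs. The stack stays balanced only because the caller pops its own
    arguments afterwards (add esp,10 in the listing); eax keeps the function pointer,
    which the listing overwrites with mov eax,[ebp-04] on the next instruction."""
    if buf[off] != 0xFF or not 0xD0 <= buf[off + 1] <= 0xD7:
        raise ValueError(f"no call reg32 at offset {off:#x}")
    buf[off:off + 2] = b"\x90\x90"


def je_to_jmp(buf: bytearray, off: int, base: int) -> tuple[int, int]:
    """Rewrite 0F 84 rel32 (je, 6 bytes) as 90 E9 rel32 (nop; jmp, 1+5 bytes).
    Putting the NOP first keeps the displacement and the next-instruction address
    unchanged, so the target is the same. Returns (old_target, new_target)."""
    if buf[off:off + 2] != b"\x0F\x84":
        raise ValueError(f"no je rel32 at offset {off:#x}")
    rel = int.from_bytes(buf[off + 2:off + 6], "little", signed=True)
    old_target = rel32_target(base + off, 6, rel)
    buf[off:off + 6] = b"\x90\xE9" + buf[off + 2:off + 6]
    new_target = rel32_target(base + off + 1, 5, rel)  # the jmp now sits one byte later
    return old_target, new_target


def demo() -> dict:
    """Scan the constructed sample, apply both patches, return the results."""
    buf = bytearray(SAMPLE)
    # xabk's wildcarded form of the first AOB: the imm8/disp8 bytes differ between builds.
    call_hits = aob_scan(buf, "FF D0 83 C4 ** 8B 45 ** DD")
    # The exact AOB from the post above has displacement D4; the listing has D0, so it
    # does not match here. Wildcarding the displacement is this example's generalization.
    je_exact_hits = aob_scan(buf, "0F 84 D4 00 00 00 8B * 08 83 EC 04 6A 00 68")
    je_wild_hits = aob_scan(buf, "0F 84 ?? ?? ?? ?? 8B * 08 83 EC 04 6A 00 68")
    for off in call_hits:
        nop_call_reg(buf, off)
    targets = [je_to_jmp(buf, off, BASE) for off in je_wild_hits]
    return {"call_hits": call_hits, "je_exact_hits": je_exact_hits,
            "je_wild_hits": je_wild_hits, "targets": targets, "patched": bytes(buf)}


if __name__ == "__main__":
    r = demo()
    print("call reg32 at", [hex(BASE + o) for o in r["call_hits"]])
    print("je rel32 at", [hex(BASE + o) for o in r["je_wild_hits"]])
    for old, new in r["targets"]:
        print(f"je {old:08X} -> jmp {new:08X}")
```

Run it and the je at 1171F531 is reported as still landing on 1171F607 after the rewrite; the exact D4 pattern returns no hits against the D0 listing, which is the kind of mismatch a different build produces, and the wildcarded pattern finds the jump anyway.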
johnnygg
Advanced Cheater
Reputation: 0
Joined: 20 Jan 2010
Posts: 51

Posted: Sun Jun 10, 2012 12:41 pm

TORPEDa wrote:
Try searching for this AOB:
Code:
0F 84 D4 00 00 00 8B * 08 83 EC 04 6A 00 68

And do not forget to make the Writable checkbox grey!
You should find a conditional jump. Make it unconditional (jmp). This should bypass the protection.


Nope, nothing.
The option you're talking about setting is "not caring if memory is writable or not", right? I tried checked, unchecked, AND gray: nothing =(

I messed around a bit yesterday and tried to repeat a similar process to the gold one for other values, but for some reason the instructions were very different once I broke/traced and stepped in to look at the instructions to check for cheating =/ I did manage to get the gold to work though; I wrote how I did it in the previous post.
TORPEDa
Cheater
Reputation: 1
Joined: 16 Sep 2010
Posts: 41

Posted: Sun Jun 10, 2012 1:10 pm

johnnygg wrote:
TORPEDa wrote:
Try searching for this AOB:
Code:
0F 84 D4 00 00 00 8B * 08 83 EC 04 6A 00 68

And do not forget to make the Writable checkbox grey!
You should find a conditional jump. Make it unconditional (jmp). This should bypass the protection.


Nope, nothing.
The option you're talking about setting is "not caring if memory is writable or not", right? I tried checked, unchecked, AND gray: nothing =(

I messed around a bit yesterday and tried to repeat a similar process to the gold one for other values, but for some reason the instructions were very different once I broke/traced and stepped in to look at the instructions to check for cheating =/ I did manage to get the gold to work though; I wrote how I did it in the previous post.

You must be doing something wrong.
johnnygg
Advanced Cheater
Reputation: 0
Joined: 20 Jan 2010
Posts: 51

Posted: Sun Jun 10, 2012 2:48 pm

Maybe we're playing different versions of the game... What site are you playing off of?
All times are GMT - 6 Hours
Page 1 of 4