Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
atom0s
Moderator
Reputation: 198
Joined: 25 Jan 2006
Posts: 8516
Location: 127.0.0.1

PostPosted: Sat Nov 29, 2014 8:41 pm    Post subject:

Alright, today I have some free time to play around with this.
So here is what I have found so far. Not done yet just posting some progress.

Before you read, just know I did use OllyDbg as the debugging method of choice. I can use Cheat Engine's debugger fine with the info I posted above, I just do not really like using CE for debugging as it has various issues and bugs.
But, the object of making CE work and be usable to debug is already accomplished so that part of this challenge is done.


1. Locating The Player Information
    The first step was to locate the player information and see how the data was handled. In this application's case, simply searching for the data is not an option as the data is "encoded" in a manner to prevent cheating from happening easily. (More info on this below.) So I took to debugging to attempt to locate some usable information.

    The first thing I came across was the string: "FFFFFFFFFFFFFC22"

    Immediately this stood out to me as a double value in string/hex form. So converting this back to an actual value gives us: -990.00

    Afterward, I debugged the parts of the code that made use of this string which we see here:
    Code:
    004B7E4B   . 8B4E 7C        MOV ECX,DWORD PTR DS:[ESI+7C]
    004B7E4E   . 66:8941 04     MOV WORD PTR DS:[ECX+4],AX
    004B7E52   . 8D4D CC        LEA ECX,DWORD PTR SS:[EBP-34]
    004B7E55   . E8 4A99F4FF    CALL <JMP.&MSVBVM60.__vbaFreeVar>
    004B7E5A   . BA E46A4100    MOV EDX,challeng.00416AE4                         ;  UNICODE "FFFFFFFFFFFFFC22"
    004B7E5F   . 8D8E 88000000  LEA ECX,DWORD PTR DS:[ESI+88]
    004B7E65   . E8 2299F4FF    CALL <JMP.&MSVBVM60.__vbaStrCopy>
    004B7E6A   . BA 0C6B4100    MOV EDX,challeng.00416B0C
    004B7E6F   . 8D8E 8C000000  LEA ECX,DWORD PTR DS:[ESI+8C]
    004B7E75   . E8 1299F4FF    CALL <JMP.&MSVBVM60.__vbaStrCopy>


    From this if we monitor the data, we see that the string is truncated and copied to [ESI+88]. Next, we let the game run and we will see that the value that was stored in ESI+88 is changing as the game plays. Freezing this value freezes the time.
    Bingo, we have the time location.


2. Locating A Pointer
    I am not going to go into much detail here since it's not needed, as using the pointer scanner of CE is pretty straightforward. But to give a little info, I scanned for the address of ESI+88 at that point, and came up with a large number of results. Restarting the game and rescanning the results with the new location of ESI+88 yielded me a small and specific pointer of:
    "challenge #1.exe"+000BD010

    I loaded up my VM for Windows XP, altered Cheat Engine to run on there too and tested the pointer, works. So I concluded this is a usable base pointer to work with.


3. Finding Other Information
    Now that we know that inside of this initialization function, where we have found the timer info, ESI is used as a base pointer to the timer data, we can assume that it holds other data in this area too.

    Towards the top of the function the first use of ESI we will see is:
    Code:
    004B7D60   . 8B46 44        MOV EAX,DWORD PTR DS:[ESI+44]
    004B7D63   . 66:C740 02 0E0>MOV WORD PTR DS:[EAX+2],0E
    004B7D69   . 8B46 44        MOV EAX,DWORD PTR DS:[ESI+44]
    004B7D6C   . 66:C740 04 0E0>MOV WORD PTR DS:[EAX+4],0E


    This is actually the player model X and Y axis coords.
    So we now know where these values are within this structure.

    Following below these instructions we will also see the locations for the key and the eye. (position +60 and +7C respectively for their pointers.)

    Next is the timer block information, which I explained above.

    Next is some unknown block of data being initialized by a logical AND against 0 in the block. This happens at the pointer located at ESI+A0. I have not researched into what this block is for yet.

    Next is the player mana and health:
    Code:

    004B7F2D   . D905 78114000  FLD DWORD PTR DS:[401178]
    004B7F33   . 8B86 CC000000  MOV EAX,DWORD PTR DS:[ESI+CC]
    004B7F39   . 66:83A6 D80000>AND WORD PTR DS:[ESI+D8],0
    004B7F41   . D99E B0000000  FSTP DWORD PTR DS:[ESI+B0]         <-- Store the initial player health
    004B7F47   . DD05 70114000  FLD QWORD PTR DS:[401170]
    004B7F4D   . 8D4D CC        LEA ECX,DWORD PTR SS:[EBP-34]
    004B7F50   . DD9E B4000000  FSTP QWORD PTR DS:[ESI+B4]        <-- Store the initial player mana


    From this, we can see that on initialization the values look like this:
    - Player Health
    --> Initial value: -100 (float)
    - Player Mana
    --> Initial value: 500 (double)

    Debugging more will result in us finding the other data values as well.


4. Key Count and Eye Count Values

    The last part of the data to find is the key and eye counts. These are a bit trickier. The key count is actually the last part of the timer information above at offset ESI+8C. However, this value is a string. The length of the string is the count of the keys.

    So to read this we would use:
    [[ESI+8C] - 4] = key length

    The game appends a character (so far just seems to be A) to the length each time a key is touched. The -4 offset points to the actual length which is what matters, the string does not.

    And last, the eye count. This one's a bit more confusing. It is a single value by itself. This one can be found doing a normal scan, however the pointer we use to get to it consists of two parts.

    The first part is the table the data is located in. This is found at:
    [ESI+A0] = pointer to info table

    The next part is the index in the table to locate the value at:
    [ESI+AC] = index in the pointer table.

    I am not sure if there is a suitable way to add this to a cheat table, I have not kept up with Cheat Engine's newest features and such. So a double read usage thing is not something I am familiar with CE being able to do.

    However this would look like this:
    eax = [ESI+A0]
    ecx = [ESI+AC]
    value = (eax + ecx * 4)


Attached is a basic cheat table accessing these values described above.

Cheat table contains access to the following addresses:
- Health
- Mana
- Time
- Player X / Y
- Key X / Y
- Eye X / Y
- Key Count

And a small patch to never run out of time.
_________________
- Retired.
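A worked example, added here and not part of atom0s's post or the game itself: it builds a constructed 32-bit memory image laid out with the offsets from the post (ESI+88, +8C, +A0, +AC, +B0, +B4), decodes the "FFFFFFFFFFFFFC22" timer string as a signed 64-bit value (-990), and resolves the key-count and eye-count chains from section 4. The addresses, sample values and the 4-byte table stride are assumptions; VB6 strings are COM BSTRs whose 4-byte prefix counts bytes of UTF-16 text, so the character count is half of it.

```python
import struct

# Constructed memory image modelled on the player structure in the post; not a
# dump of the real binary. Offsets come from the post, all values are made up.
BASE = 0x00200000
ESI = BASE + 0x100   # the structure register in the post's disassembly

class Memory:
    def __init__(self, size=0x1000):
        self.buf = bytearray(size)
    def write(self, addr, data): self.buf[addr - BASE:addr - BASE + len(data)] = data
    def u32(self, addr): return struct.unpack_from("<I", self.buf, addr - BASE)[0]
    def f32(self, addr): return struct.unpack_from("<f", self.buf, addr - BASE)[0]
    def f64(self, addr): return struct.unpack_from("<d", self.buf, addr - BASE)[0]
    def bstr(self, ptr):
        """VB6/COM BSTR: 4-byte prefix holding the *byte* length, then UTF-16LE."""
        n = self.u32(ptr - 4)
        return self.buf[ptr - BASE:ptr - BASE + n].decode("utf-16-le")

def put_bstr(mem, at, text):
    """Store text as a BSTR at `at`; return the pointer VB code holds (past the prefix)."""
    data = text.encode("utf-16-le")
    mem.write(at, struct.pack("<I", len(data)) + data + b"\x00\x00")
    return at + 4

def decode_timer_hex(s):
    """The timer string is a 16-hex-digit two's-complement 64-bit value."""
    v = int(s, 16)
    return v - (1 << 64) if v & (1 << 63) else v

def build_sample_memory():
    mem = Memory()
    mem.write(ESI + 0x88, struct.pack("<I", put_bstr(mem, BASE + 0x400, "FFFFFFFFFFFFFC22")))
    mem.write(ESI + 0x8C, struct.pack("<I", put_bstr(mem, BASE + 0x500, "AAA")))  # 3 keys
    mem.write(ESI + 0xA0, struct.pack("<I", BASE + 0x600))      # [ESI+A0] = info table
    mem.write(ESI + 0xAC, struct.pack("<I", 2))                 # [ESI+AC] = index
    mem.write(BASE + 0x600, struct.pack("<4I", 11, 22, 7, 44))  # table[2] = eye count
    mem.write(ESI + 0xB0, struct.pack("<f", -100.0))            # initial health (float)
    mem.write(ESI + 0xB4, struct.pack("<d", 500.0))             # initial mana (double)
    return mem

def read_player(mem, esi=ESI):
    key_bytes = mem.u32(mem.u32(esi + 0x8C) - 4)   # [[ESI+8C]-4]: BSTR byte length
    table, idx = mem.u32(esi + 0xA0), mem.u32(esi + 0xAC)
    return {
        "time": decode_timer_hex(mem.bstr(mem.u32(esi + 0x88))),
        "key_count": key_bytes // 2,               # two bytes per appended 'A'
        "eye_count": mem.u32(table + idx * 4),     # [[ESI+A0] + [ESI+AC]*4]
        "health": mem.f32(esi + 0xB0),
        "mana": mem.f64(esi + 0xB4),
    }
```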
Post reviews: Approve 1
aikoncwd
Review: Approve
Posted: Sun Nov 30, 2014 1:48 pm

awesome work man, you beat it!