atom0s Moderator Reputation: 198 Joined: 25 Jan 2006 Posts: 8516 Location: 127.0.0.1
Posted: Sat Nov 29, 2014 8:41 pm Post subject:
Alright, today I have some free time to play around with this.
So here is what I have found so far. Not done yet just posting some progress.
Before you read, just know I did use OllyDbg as the debugging method of choice. I can use Cheat Engine's debugger fine with the info I posted above; I just do not really like using CE for debugging as it has various issues and bugs.
But, the object of making CE work and be usable to debug is already accomplished so that part of this challenge is done.
1. Locating The Player Information
The first step was to locate the player information and see how the data was handled. In this application's case, simply searching for the data is not an option as the data is "encoded" in a manner to prevent cheating from happening easily. (More info on this below.) So I took to debugging to attempt to locate some usable information.
The first thing I came across was the string: "FFFFFFFFFFFFFC22"
Immediately this stood out to me as a double value in string/hex form. So converting this back to an actual value gives us: -990.00
Afterward, I debugged the parts of the code that made use of this string which we see here:
Code:
004B7E4B . 8B4E 7C          MOV ECX,DWORD PTR DS:[ESI+7C]
004B7E4E . 66:8941 04       MOV WORD PTR DS:[ECX+4],AX
004B7E52 . 8D4D CC          LEA ECX,DWORD PTR SS:[EBP-34]
004B7E55 . E8 4A99F4FF      CALL <JMP.&MSVBVM60.__vbaFreeVar>
004B7E5A . BA E46A4100      MOV EDX,challeng.00416AE4 ; UNICODE "FFFFFFFFFFFFFC22"
004B7E5F . 8D8E 88000000    LEA ECX,DWORD PTR DS:[ESI+88]
004B7E65 . E8 2299F4FF      CALL <JMP.&MSVBVM60.__vbaStrCopy>
004B7E6A . BA 0C6B4100      MOV EDX,challeng.00416B0C
004B7E6F . 8D8E 8C000000    LEA ECX,DWORD PTR DS:[ESI+8C]
004B7E75 . E8 1299F4FF      CALL <JMP.&MSVBVM60.__vbaStrCopy>
From this, if we monitor the data, we see that the string is truncated and copied to [ESI+88]. Next, we let the game run, and we will see that the value stored in ESI+88 changes as the game plays. Freezing this value freezes the time.
Bingo, we have the time location.
2. Locating A Pointer
I am not going to go into much detail here since it's not needed, as using the pointer scanner of CE is pretty straightforward. But to give a little info, I scanned for the address of ESI+88 at that point, and came up with a large number of results. Restarting the game and rescanning the results with the new location of ESI+88 yielded me a small and specific pointer of:
"challenge #1.exe"+000BD010
I loaded up my VM for Windows XP, altered Cheat Engine to run on there too and tested the pointer; it works. So I concluded this is a usable base pointer to work with.
3. Finding Other Information
Now that we know that inside this initialization function, where we found the timer info, ESI is used as a base pointer to the timer data, we can assume that it holds other data in this area too.
Towards the top of the function the first use of ESI we will see is:
Code:
004B7D60 . 8B46 44          MOV EAX,DWORD PTR DS:[ESI+44]
004B7D63 . 66:C740 02 0E0>  MOV WORD PTR DS:[EAX+2],0E
004B7D69 . 8B46 44          MOV EAX,DWORD PTR DS:[ESI+44]
004B7D6C . 66:C740 04 0E0>  MOV WORD PTR DS:[EAX+4],0E
This is actually the player model X and Y axis coords.
So we now know where these values are within this structure.
Following below these instructions we will also see the locations for the key and the eye. (position +60 and +7C respectively for their pointers.)
Next is the timer block information, which I explained above.
Next is some unknown block of data being initialized by a logical AND against 0 in the block. This happens at the pointer located at ESI+A0. I have not researched into what this block is for yet.
Next is the player mana and health:
Code:
004B7F2D . D905 78114000    FLD DWORD PTR DS:[401178]
004B7F33 . 8B86 CC000000    MOV EAX,DWORD PTR DS:[ESI+CC]
004B7F39 . 66:83A6 D80000>  AND WORD PTR DS:[ESI+D8],0
004B7F41 . D99E B0000000    FSTP DWORD PTR DS:[ESI+B0]   <-- Store the initial player health
004B7F47 . DD05 70114000    FLD QWORD PTR DS:[401170]
004B7F4D . 8D4D CC          LEA ECX,DWORD PTR SS:[EBP-34]
004B7F50 . DD9E B4000000    FSTP QWORD PTR DS:[ESI+B4]   <-- Store the initial player mana
From this, we can see that on initialization the values look like this:
- Player Health
--> Initial value: -100 (float)
- Player Mana
--> Initial value: 500 (double)
Debugging more will result in us finding the other data values as well.
4. Key Count and Eye Count Values
The last part of the data to find is the key and eye counts. These are a bit trickier. The key count is actually the last part of the timer information above at offset ESI+8C. However, this value is a string. The length of the string is the count of the keys.
So to read this we would use:
[[ESI+8C] - 4] = key length
The game appends a character (so far just seems to be A) to the length each time a key is touched. The -4 offset points to the actual length which is what matters, the string does not.
And last, the eye count. This one's a bit more confusing. It is a single value by itself. This one can be found by doing a normal scan; however, the pointer we use to get to it consists of two parts.
The first part is the table the data is located in. This is found at:
[ESI+A0] = pointer to info table
The next part is the index in the table to locate the value at:
[ESI+AC] = index in the pointer table.
I am not sure if there is a suitable way to add this to a cheat table; I have not kept up with Cheat Engine's newest features and such. So a double read usage thing is not something I am familiar with CE being able to do.
However this would look like this:
eax = [ESI+A0]
ecx = [ESI+AC]
value = (eax + ecx * 4)
Attached is a basic cheat table accessing these values described above.
Cheat table contains access to the following addresses:
- Health
- Mana
- Time
- Player X / Y
- Key X / Y
- Eye X / Y
- Key Count
And a small patch to never run out of time.
_________________
- Retired.
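The two reads the post describes without cheat-table support (the key count at [[ESI+8C] - 4] and the eye count at [[ESI+A0] + [ESI+AC] * 4]), together with the "FFFFFFFFFFFFFC22" conversion from step 1, as an added Python example that is not code from the post or from Cheat Engine. It resolves the offsets the post lists against a constructed little-endian memory image standing in for a debugger's view of the process. Assumptions are labelled: the time and key strings are treated as VB6 BSTRs (4-byte byte-length prefix before UTF-16 data, so the key count is the prefix divided by 2), and the hex string is decoded as a signed 64-bit two's-complement value, which gives the -990 the post arrives at. The addresses, table contents and the `Memory` helper are constructed for the example.

```python
import struct

# Offsets relative to the player structure base (ESI), as listed in the post.
OFF_TIMER_STR = 0x88   # pointer to the time string
OFF_KEY_STR   = 0x8C   # pointer to the key string; its length is the key count
OFF_EYE_TABLE = 0xA0   # pointer to the info table holding the eye count
OFF_EYE_INDEX = 0xAC   # index into that table
OFF_HEALTH    = 0xB0   # float
OFF_MANA      = 0xB4   # double


def decode_hex_i64(text: str) -> int:
    """Decode 16 hex digits as a signed 64-bit two's-complement value.
    "FFFFFFFFFFFFFC22" -> -990 (the figure given in the post)."""
    if len(text) != 16:
        raise ValueError("expected 16 hex digits")
    value = int(text, 16)
    return value - (1 << 64) if value & (1 << 63) else value


class Memory:
    """Flat little-endian memory image (constructed stand-in for process memory)."""

    def __init__(self, size: int):
        self.buf = bytearray(size)

    def write(self, addr: int, data: bytes) -> None:
        self.buf[addr:addr + len(data)] = data

    def u32(self, addr: int) -> int:
        return struct.unpack_from("<I", self.buf, addr)[0]

    def f32(self, addr: int) -> float:
        return struct.unpack_from("<f", self.buf, addr)[0]

    def f64(self, addr: int) -> float:
        return struct.unpack_from("<d", self.buf, addr)[0]

    def bstr(self, ptr: int) -> str:
        """Assumption: VB6 BSTR, byte length stored in the 4 bytes before the data."""
        nbytes = self.u32(ptr - 4)
        return self.buf[ptr:ptr + nbytes].decode("utf-16-le")


def put_bstr(mem: Memory, addr: int, text: str) -> int:
    """Lay out a BSTR at addr (length prefix, UTF-16 data, terminator); return the data pointer."""
    data = text.encode("utf-16-le")
    mem.write(addr, struct.pack("<I", len(data)) + data + b"\x00\x00")
    return addr + 4


def key_count(mem: Memory, esi: int) -> int:
    # [[ESI+8C] - 4] = length prefix of the key string (bytes, so 2 per character)
    return mem.u32(mem.u32(esi + OFF_KEY_STR) - 4) // 2


def eye_count(mem: Memory, esi: int) -> int:
    # eax = [ESI+A0]; ecx = [ESI+AC]; value = [eax + ecx * 4]
    table = mem.u32(esi + OFF_EYE_TABLE)
    index = mem.u32(esi + OFF_EYE_INDEX)
    return mem.u32(table + index * 4)


def player_stats(mem: Memory, esi: int) -> dict:
    """Resolve every value the post locates relative to ESI."""
    return {
        "time": decode_hex_i64(mem.bstr(mem.u32(esi + OFF_TIMER_STR))),
        "keys": key_count(mem, esi),
        "eyes": eye_count(mem, esi),
        "health": mem.f32(esi + OFF_HEALTH),
        "mana": mem.f64(esi + OFF_MANA),
    }


def build_sample():
    """Construct a memory image mirroring the layout the post describes (sample values)."""
    mem = Memory(0x1000)
    esi = 0x100
    timer_ptr = put_bstr(mem, 0x400, "FFFFFFFFFFFFFC22")   # decodes to -990
    key_ptr = put_bstr(mem, 0x480, "AAA")                   # three keys touched
    table, index = 0x600, 2
    mem.write(table, struct.pack("<4I", 0, 0, 7, 0))        # eye count 7 sits at index 2
    mem.write(esi + OFF_TIMER_STR, struct.pack("<I", timer_ptr))
    mem.write(esi + OFF_KEY_STR, struct.pack("<I", key_ptr))
    mem.write(esi + OFF_EYE_TABLE, struct.pack("<I", table))
    mem.write(esi + OFF_EYE_INDEX, struct.pack("<I", index))
    mem.write(esi + OFF_HEALTH, struct.pack("<f", -100.0))   # initial values from the post
    mem.write(esi + OFF_MANA, struct.pack("<d", 500.0))
    return mem, esi


if __name__ == "__main__":
    sample_mem, sample_esi = build_sample()
    print(player_stats(sample_mem, sample_esi))
```

The same resolver applies to a live process by replacing `Memory` with reads through a debugger or `ReadProcessMemory`; the offsets and the two-step table read are what the post establishes, the BSTR prefix handling is the assumption to confirm against the real string.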