Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 


How to find the location of a global variable?
Gniarf (Grandmaster Cheater Supreme, Reputation: 43, Joined: 12 Mar 2012, Posts: 1285)
Posted: Wed Jun 25, 2014 5:02 pm

DaSpamer wrote:
If you could tell me what exactly you seek to accomplish, I could help.
Nothing important, just trying to spot flaws in that cipher.
The big idea is to use something like CE's unrandomizer, force it to return 0, locate the variable with 4-byte/FlashInt exact value scans (restore random()?), find out what accesses it..., read the en/decryption code. But that would only be useful if we know the cipher is random()-based.

DaSpamer wrote:

Trying with forcing 1, because forcing 0 would pretty much break it (all values gonna be 0).
Normally with random() returning 0 you should have:
-a=0
-b=1
-c=param1-0=param1 (no encryption)
-encryptedValue=0 xor param1=param1 (no encryption)
-password=0

I don't know how flash stores its data, but do you think this struct could be found with a groupscan command?
Something like FlashInt:0 FlashInt:1 FlashInt:Ingame_value [padding here?] FlashInt:Ingame_value FlashInt:0

_________________
DO NOT PM me if you want help on making/fixing/using a hack.
DaSpamer (Grandmaster Cheater Supreme, Reputation: 52, Joined: 13 Sep 2011, Posts: 1578)
Posted: Wed Jun 25, 2014 7:43 pm

Gniarf wrote:
DaSpamer wrote:
If you could tell me what exactly you seek to accomplish, I could help.
Nothing important, just trying to spot flaws in that cipher.
The big idea is to use something like CE's unrandomizer, force it to return 0, locate the variable with 4-byte/FlashInt exact value scans (restore random()?), find out what accesses it..., read the en/decryption code. But that would only be useful if we know the cipher is random()-based.

DaSpamer wrote:

Trying with forcing 1, because forcing 0 would pretty much break it (all values gonna be 0).
Normally with random() returning 0 you should have:
-a=0
-b=1
-c=param1-0=param1 (no encryption)
-encryptedValue=0 xor param1=param1 (no encryption)
-password=0

I don't know how flash stores its data, but do you think this struct could be found with a groupscan command?
Something like FlashInt:0 FlashInt:1 FlashInt:Ingame_value [padding here?] FlashInt:Ingame_value FlashInt:0


I also have no clue how Flash stores its data.
Also, many other objects use that encoding (colors, moves, score(s), time .. there's a number of functions; I didn't analyze much, but I saw 5 references to the encoding method).

_________________
HEY Hitler
Do you get lazy when making trainers?
Well no more!
My CETrainer will generate it for you in seconds, so you won't get lazy! Very Happy

http://forum.cheatengine.org/viewtopic.php?t=564919
limau (Newbie cheater, Reputation: 0, Joined: 18 Jun 2014, Posts: 21)
Posted: Fri Jun 27, 2014 5:11 am

I am lost here...

Let me try to piece together what you all are discussing here.
@DaSpamer, you analyzed the game and found the encryption function, which you posted here.

Code:
package com.he.animal.utils
{

    public class SecretInteger extends Object
    {
        private var _a:int;
        private var _b:int;
        private var _c:C;
        private var _encryptedValue:int;
        private var _password:int;

        public function SecretInteger(param1:int = 0)
        {
            this.value = param1;
            return;
        }// end function

        public function get value() : int
        {
            return (this._a + this._c.v) / this._b;
        }// end function

        public function get isValidate() : Boolean
        {
            var _loc_1:* = this._encryptedValue ^ this._password;
            return this.value == _loc_1;
        }// end function

        public function set value(param1:int) : void
        {
            this._password = Math.random() * param1;
            this._encryptedValue = param1 ^ this._password;
            this._b = Math.floor(Math.random() * SecretScale.INT_SCALE_NUMBER) + 1;
            param1 = param1 * this._b;
            this._a = Math.floor(Math.random() * param1);
            this._c = new C(param1 - this._a);
            return;
        }// end function

    }
}


Then it puzzles me: what is this code here? I am kind of lost.

Code:

EncryptValue // I'm gonna store it plain... so I could also override return function and make it return plain
d0 30 d0 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 68 ?? ?? d0 d1 d0 66 ?? ?? aa 68 ?? ?? d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? 60 ?? ?? 66 ?? ?? a2 46 ?? ?? ?? ?? 24 01 a0 68 ?? ?? d1 d0 66 ?? ?? a2 73 d5 d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 46 ?? ?? ?? ?? 68 ?? ?? d0 5d ?? ?? d1 d0 66 ?? ?? ?? 4a ?? ?? ?? 68 ?? ?? 47
d0 30 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 d0 d1 68 ?? ?? 47 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02

GetValue
d0 30 d0 66 ?? ?? d0 66 ?? ?? 66 ?? ?? a0 d0 66 ?? ?? a3 48
d0 30 d0 66 ?? ?? 48 02 02 02 02 02 02 02 02 02 02 02 02 02


* Also, I've not used the Lua engine before, so I am not sure what's what, if it is related to it.

@Gniarf, do you need a temporary FB login with the game attached to it?
Would really appreciate it if you could have a look at it.

@DaSpamer, any idea on how to change the step value? It looks like changing this game's values is beyond my skills...

Also, I will give your CETrainer a try. However, I need to learn how to use the Lua engine...
Gniarf (Grandmaster Cheater Supreme, Reputation: 43, Joined: 12 Mar 2012, Posts: 1285)
Posted: Fri Jun 27, 2014 9:35 am

Code:

GetValue
d0 30 d0 66 ?? ?? d0 66 ?? ?? 66 ?? ?? a0 d0 66 ?? ?? a3 48
d0 30 d0 66 ?? ?? 48 02 02 02 02 02 02 02 02 02 02 02 02 02
That means: scan for "d0 30 d0 66 ?? ?? d0 66 ?? ?? 66 ?? ?? a0 d0 66 ?? ?? a3 48" with the value type set to array of bytes, and replace it with "d0 30 d0 66 ?? ?? 48 02 02 02 02 02 02 02 02 02 02 02 02 02". Basically you take the upper line and replace it with the lower one.
You can also use an auto assembler script like:
Code:
[enable]
aobscan(GetValue,d0 30 d0 66 ?? ?? d0 66 ?? ?? 66 ?? ?? a0 d0 66 ?? ?? a3 48 )
registersymbol(GetValue)

GetValue:
db d0 30 d0 66
GetValue+4+2: //skip the two ??. Beware that CE reads +4 and +2 as hex numbers.
db 48 02 02 02 02 02 02 02 02 02 02 02 02 02

[disable]
//not worth the bother
Do the same for EncryptValue and encryption should be gone.


limauing wrote:
@Gniarf, do you need a temporary FB login with the game attached to it?
Would really appreciate it if you could have a look at it.
Now that DaSpamer blew the encryption I don't think that's needed anymore. Remove encryption, do simple exact value scans, problem solved.
limau (Newbie cheater, Reputation: 0, Joined: 18 Jun 2014, Posts: 21)
Posted: Fri Jun 27, 2014 10:21 am

DaSpamer wrote:
Gniarf wrote:
And there comes the flash game expert...

@DaSpamer
Given the number of 02 in your patches I assume it means nop in ActionScript, heh?

Still, since AS(3?) is compiled into asm at runtime, is it ok to apply your patches at the main menu, or is it too late and the OP should patch the .swf?
(I can't check because I don't have/want a FB account)

Thanks for showing us the encryption function. By the looks of it, forcing Math.random() to return 0 would surely have lovely results, hehehe... Aside from gameplay side effects...

Yes, 02 means no operation.
I will check the effects of forcing 0 instead of Math.random(); it'll be much easier to set up a formula.

This should be activated on screen loading (around 70-100%, pause the process...).

If you could tell me what exactly you seek to accomplish, I could help.




I tried Scanning for the code

Code:
GetValue
d0 30 d0 66 ?? ?? d0 66 ?? ?? 66 ?? ?? a0 d0 66 ?? ?? a3 48
d0 30 d0 66 ?? ?? 48 02 02 02 02 02 02 02 02 02 02 02 02 02


and replacing it with the second line.

I tried doing it while the Flash game was in the loading process: at 20%, scan, could not find it, then unpause, then pause again until I could find the code.

When that succeeded, I tried running the game on one level, but the game outcome is all haywire. Steps are random, and you could not run the game. It needs a refresh.

When I tried changing it inside the game before entering a level, the game ran smoothly, but it was still the same: you could only find the display variable and not the original value. Any thoughts on this?
Gniarf (Grandmaster Cheater Supreme, Reputation: 43, Joined: 12 Mar 2012, Posts: 1285)
Posted: Fri Jun 27, 2014 10:25 am

Sounds like you patched the function that decrypts (GetValue) and forgot the one that encrypts (EncryptValue)...
limau (Newbie cheater, Reputation: 0, Joined: 18 Jun 2014, Posts: 21)
Posted: Fri Jun 27, 2014 10:55 am

Code:
EncryptValue // I'm gonna store it plain... so I could also override return function and make it return plain
d0 30 d0 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 68 ?? ?? d0 d1 d0 66 ?? ?? aa 68 ?? ?? d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? 60 ?? ?? 66 ?? ?? a2 46 ?? ?? ?? ?? 24 01 a0 68 ?? ?? d1 d0 66 ?? ?? a2 73 d5 d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 46 ?? ?? ?? ?? 68 ?? ?? d0 5d ?? ?? d1 d0 66 ?? ?? ?? 4a ?? ?? ?? 68 ?? ?? 47
d0 30 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 d0 d1 68 ?? ?? 47 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02

GetValue
d0 30 d0 66 ?? ?? d0 66 ?? ?? 66 ?? ?? a0 d0 66 ?? ?? a3 48
d0 30 d0 66 ?? ?? 48 02 02 02 02 02 02 02 02 02 02 02 02 02


I did change the two segments of code as per above. Still the same result.

I even tried this too, where DaSpamer changed his code a bit.

Code:
d0 30 d0 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 68 ?? ?? d0 d1 d0 66 ?? ?? aa 68 ?? ?? d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? 60 ?? ?? 66 ?? ?? a2 46 ?? ?? ?? ?? 24 01 a0 68 ?? ?? d1 d0 66 ?? ?? a2 73 d5 d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 46 ?? ?? ?? ?? 68 ?? ?? d0 5d ?? ?? d1 d0 66 ?? ?? ?? 4a ?? ?? ?? 68 ?? ?? 47

d0 30 d0 24 01 02 02 02 02 02 02 d1 a2 68 ?? ?? d0 d1 d0 66 ?? ?? aa 68 ?? ?? d0 60 ?? ?? ?? 24 01 02 02 02 02 02 02 60 ?? ?? 66 ?? ?? a2 46 ?? ?? ?? ?? 24 01 a0 68 ?? ?? d1 d0 66 ?? ?? a2 73 d5 d0 60 ?? ?? ?? 24 01 02 02 02 02 02 02 d1 a2 46 ?? ?? ?? ?? 68 ?? ?? d0 5d ?? ?? d1 d0 66 ?? ?? ?? 4a ?? ?? ?? 68 ?? ?? 47
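Gniarf's instruction above ("take the upper line and replace it with the lower one") and the EncryptValue variants limau lists are easier to judge if the byte patterns are read as what they are: AVM2 (ActionScript 3) bytecode. The decoder below is an added example written for this page, not code from the thread, the game, or Cheat Engine. The opcode numbers and operand layouts are those of the AVM2 instruction set, the patterns are copied from the posts, and one assumption is made: where a run of ?? wildcards covers two operands (a multiname index followed by an argument count), the last wildcard byte is taken as the count. Decoding confirms what the posts say and adds one detail: the patched GetValue is `getlocal_0; getproperty; returnvalue`, so it returns the first field it reads unmasked; DaSpamer's first EncryptValue patch reduces the setter to a single `initproperty` of the parameter; his second patch replaces exactly the three `getlex; callproperty` pairs (the Math.random() calls) with `pushbyte 1` plus nops of the same length; and the original setter already contains one `pushbyte 1`, immediately followed by `add`, which is the `+ 1` of `Math.floor(...) + 1` for _b and not a random call. `zero_random_constants` builds the 0-instead-of-1 variant while leaving that one alone.

```python
"""AVM2 (ActionScript 3 bytecode) decoder for the opcode subset that occurs in the
GetValue / EncryptValue array-of-bytes patterns posted in this thread.  Added
example written for this page: not code from the thread, the game, or Cheat Engine.
Patterns are copied from the posts; '??' is a wildcard byte they leave open."""

# opcode -> (mnemonic, operand kinds).  u30 = AVM2 variable-length unsigned int
# (high bit of each byte means "continue"), u8 = one byte.
OPCODES = {
    0x02: ("nop", ()),          0x24: ("pushbyte", ("u8",)),   0x30: ("pushscope", ()),
    0x46: ("callproperty", ("u30", "u30")),   # multiname index, argument count
    0x47: ("returnvoid", ()),   0x48: ("returnvalue", ()),
    0x4A: ("constructprop", ("u30", "u30")),  # multiname index, argument count
    0x5D: ("findpropstrict", ("u30",)),       0x60: ("getlex", ("u30",)),
    0x66: ("getproperty", ("u30",)),          0x68: ("initproperty", ("u30",)),
    0x73: ("convert_i", ()),    0xA0: ("add", ()),        0xA2: ("multiply", ()),
    0xA3: ("divide", ()),       0xAA: ("bitxor", ()),     0xD0: ("getlocal_0", ()),
    0xD1: ("getlocal_1", ()),   0xD5: ("setlocal_1", ()),
}

def tokens(pattern):
    """Cheat Engine AOB string -> list of ints, with None for each '??'."""
    return [None if t == "??" else int(t, 16) for t in pattern.split()]

def read_u30(toks, i, reserve):
    """Read one u30 at toks[i]; return (value or '??', index after it).  Concrete
    bytes follow the varint rule.  A run of wildcards is taken greedily, leaving
    `reserve` wildcard bytes for the later operands of the same instruction; that
    split is an assumption about the pattern, since wildcards carry no length."""
    if toks[i] is None:
        end = i
        while end < len(toks) and toks[end] is None:
            end += 1
        return "??", max(i + 1, end - reserve)
    value, shift = 0, 0
    while True:
        b, i = toks[i], i + 1
        if b is None:                      # concrete prefix with a wildcard tail
            return "??", i
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80 or shift >= 35:
            return value, i

def decode(pattern):
    """AOB pattern -> [(token offset, 'mnemonic operand, operand'), ...]."""
    toks, out, i = tokens(pattern), [], 0
    while i < len(toks):
        start, op = i, toks[i]
        i += 1
        if op is None:
            out.append((start, "??"))
            continue
        name, kinds = OPCODES.get(op, ("op_%02x" % op, ()))
        args = []
        for n, kind in enumerate(kinds):
            if kind == "u8":
                b, i = toks[i], i + 1
                args.append("??" if b is None else str(b))
            else:
                v, i = read_u30(toks, i, reserve=len(kinds) - n - 1)
                args.append(str(v))
        out.append((start, name + (" " + ", ".join(args) if args else "")))
    return out

def disassemble(pattern):
    return [text for _, text in decode(pattern)]

def non_nops(insns):
    return [x for x in insns if x != "nop"]

def random_call_sites(insns):
    """Positions of `getlex X; callproperty Y` pairs: the shape of Math.random()
    here (Math.floor is reached through a `multiply`, so it does not match)."""
    return [k for k in range(len(insns) - 1)
            if insns[k].startswith("getlex") and insns[k + 1].startswith("callproperty")]

def same_length(original, replacement):
    """An AOB replacement must be exactly as long as the bytes it overwrites."""
    return len(tokens(original)) == len(tokens(replacement))

def zero_random_constants(pattern):
    """Gniarf's variant of the second patch: every `pushbyte 1` standing in for a
    Math.random() call becomes `pushbyte 0`, except the one followed by `add`,
    which is the `+ 1` of _b (zeroing that one makes _b == 0)."""
    toks, decoded = tokens(pattern), decode(pattern)
    for k, (off, text) in enumerate(decoded):
        following = decoded[k + 1][1] if k + 1 < len(decoded) else ""
        if text == "pushbyte 1" and following != "add":
            toks[off + 1] = 0
    return " ".join("??" if t is None else "%02x" % t for t in toks)

# Patterns as posted; the setter is split at its statements for readability.
GETVALUE_ORIG = "d0 30 d0 66 ?? ?? d0 66 ?? ?? 66 ?? ?? a0 d0 66 ?? ?? a3 48"
GETVALUE_PATCH = "d0 30 d0 66 ?? ?? 48 02 02 02 02 02 02 02 02 02 02 02 02 02"
ENCRYPT_ORIG = " ".join([
    "d0 30",
    "d0 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 68 ?? ??",                       # _password
    "d0 d1 d0 66 ?? ?? aa 68 ?? ??",                                   # _encryptedValue
    "d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? 60 ?? ?? 66 ?? ?? a2 46 ?? ?? ?? ?? 24 01 a0 68 ?? ??",  # _b
    "d1 d0 66 ?? ?? a2 73 d5",                                         # param1 *= _b
    "d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 46 ?? ?? ?? ?? 68 ?? ??",  # _a
    "d0 5d ?? ?? d1 d0 66 ?? ?? ?? 4a ?? ?? ?? 68 ?? ?? 47",           # _c, return
])
ENCRYPT_PATCH_PLAIN = "d0 30 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 d0 d1 68 ?? ?? 47 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02 02"
ENCRYPT_PATCH_RAND1 = " ".join([
    "d0 30",
    "d0 24 01 02 02 02 02 02 02 d1 a2 68 ?? ??",
    "d0 d1 d0 66 ?? ?? aa 68 ?? ??",
    "d0 60 ?? ?? ?? 24 01 02 02 02 02 02 02 60 ?? ?? 66 ?? ?? a2 46 ?? ?? ?? ?? 24 01 a0 68 ?? ??",
    "d1 d0 66 ?? ?? a2 73 d5",
    "d0 60 ?? ?? ?? 24 01 02 02 02 02 02 02 d1 a2 46 ?? ?? ?? ?? 68 ?? ??",
    "d0 5d ?? ?? d1 d0 66 ?? ?? ?? 4a ?? ?? ?? 68 ?? ?? 47",
])
```

Print `non_nops(disassemble(ENCRYPT_PATCH_RAND1))` to see the surviving logic of a patch without the nop padding. `same_length` is the check worth running before any AOB replace: a replacement one byte short or long shifts every instruction after it, which is the kind of corruption that shows up as "the game goes haywire" rather than as a clean failure.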
DaSpamer (Grandmaster Cheater Supreme, Reputation: 52, Joined: 13 Sep 2011, Posts: 1578)
Posted: Sat Jun 28, 2014 9:03 am

You must replace both functions (GetValue: instead of returning the value after 'decrypting' it, it returns the value plain; EncryptValue: at first I tried to store the value plain in the _a variable, which didn't work well, so I took Gniarf's advice and changed the random factor to 1).
Gniarf (Grandmaster Cheater Supreme, Reputation: 43, Joined: 12 Mar 2012, Posts: 1285)
Posted: Sat Jun 28, 2014 9:37 am

DaSpamer wrote:
I took Gniarf advice and change random factor to 1
Sorry to insist, but I still think that 0 would be better (i.e. remove all encryption) than 1 (simplify it).

If you've got all values to 0 during your tests it might be because you changed the red 24 01 to 24 00:
Quote:
d0 30 d0 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 68 ?? ?? d0 d1 d0 66 ?? ?? aa 68 ?? ?? d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? 60 ?? ?? 66 ?? ?? a2 46 ?? ?? ?? ?? 24 01 a0 68 ?? ?? d1 d0 66 ?? ?? a2 73 d5 d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 46 ?? ?? ?? ?? 68 ?? ?? d0 5d ?? ?? d1 d0 66 ?? ?? ?? 4a ?? ?? ?? 68 ?? ?? 47

d0 30 d0 24 01 02 02 02 02 02 02 d1 a2 68 ?? ?? d0 d1 d0 66 ?? ?? aa 68 ?? ?? d0 60 ?? ?? ?? 24 01 02 02 02 02 02 02 60 ?? ?? 66 ?? ?? a2 46 ?? ?? ?? ?? 24 01 a0 68 ?? ?? d1 d0 66 ?? ?? a2 73 d5 d0 60 ?? ?? ?? 24 01 02 02 02 02 02 02 d1 a2 46 ?? ?? ?? ?? 68 ?? ?? d0 5d ?? ?? d1 d0 66 ?? ?? ?? 4a ?? ?? ?? 68 ?? ?? 47
Correct me if I'm wrong, but replacing all other 24 01 by 24 00 should kill the encryption.
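The 0-versus-1 question in Gniarf's post can be checked without a Flash Player by modelling the decompiled SecretInteger with an injectable Math.random(). This is an added example for this page, not the game's code or code from the thread. Assumptions: SecretScale.INT_SCALE_NUMBER is not shown anywhere in the thread, so 100 is a constructed placeholder; class C is modelled as a holder whose .v is read back, as the getter does; and int coercion follows AS3 rules (a Number that is NaN or infinite becomes 0). The model bears out the derivation in Gniarf's first post on this page: with random() forced to 0, _a = 0, _b = 1, _c.v and _encryptedValue both hold the value plain, and isValidate still passes. With random() forced to 1 the getter still returns the right value, but _a = value * (INT_SCALE_NUMBER + 1), _c.v = 0 and _encryptedValue = 0, so the only unmasked copy inside the object is _password. And if the `+ 1` of _b is turned into `+ 0` as well, _b = 0 for every object, the getter divides by zero and coerces to 0, and isValidate fails, which matches the "all values 0" result reported earlier. The last function shows that with a genuine random source the getter always round-trips: the random numbers are a mask, not a key.

```python
"""Model of the SecretInteger class decompiled in this thread, with Math.random()
replaced by an injectable source so the bytecode patches discussed here can be
reasoned about without the game.  Added example for this page, not the game's or
the thread's code.  Assumptions: SecretScale.INT_SCALE_NUMBER is not shown in the
thread, so 100 is a placeholder; class C is modelled as a holder whose .v is read
back, as the getter does; int coercion follows AS3 (ECMAScript ToInt32)."""
import math
import random

INT_SCALE_NUMBER = 100  # placeholder: the real constant is not in the thread


def as3_int(x):
    """AS3 assignment of a Number to an int: NaN and +-Infinity become 0,
    anything else truncates toward zero and wraps to 32 bits."""
    if isinstance(x, float) and (math.isnan(x) or math.isinf(x)):
        return 0
    n = int(x) & 0xFFFFFFFF
    return n - (1 << 32) if n >= (1 << 31) else n


def as3_div(num, den):
    """AS3 `/` on ints is Number division; x/0 is +-Infinity and 0/0 is NaN."""
    if den == 0:
        return math.nan if num == 0 else math.copysign(math.inf, num)
    return num / den


class SecretInteger:
    def __init__(self, param1=0, rnd=random.random, b_plus=1):
        # rnd stands in for Math.random(); b_plus is the `pushbyte 1; add` that
        # gives `Math.floor(...) + 1` for _b (1 in the real code, 0 if that
        # 24 01 is changed to 24 00 as well).
        self.rnd, self.b_plus = rnd, b_plus
        self.set_value(param1)

    def set_value(self, param1):          # `set value(param1:int)`
        self._password = as3_int(self.rnd() * param1)
        self._encryptedValue = param1 ^ self._password
        self._b = as3_int(math.floor(self.rnd() * INT_SCALE_NUMBER) + self.b_plus)
        param1 = as3_int(param1 * self._b)
        self._a = as3_int(math.floor(self.rnd() * param1))
        self._c_v = as3_int(param1 - self._a)  # new C(param1 - this._a), read back as .v

    @property
    def value(self):                      # `get value()`
        return as3_int(as3_div(self._a + self._c_v, self._b))

    @property
    def is_validate(self):                # `get isValidate()`
        return self.value == (self._encryptedValue ^ self._password)


def fields(si):
    """What a memory scanner sees inside the object, plus the getter's result."""
    return {"a": si._a, "b": si._b, "c_v": si._c_v, "enc": si._encryptedValue,
            "pw": si._password, "value": si.value, "valid": si.is_validate}


def simulate(param1, forced_random, b_plus=1):
    """Fields of SecretInteger(param1) when every Math.random() returns forced_random."""
    return fields(SecretInteger(param1, rnd=lambda: forced_random, b_plus=b_plus))


def plain_copies(param1, forced_random, b_plus=1):
    """Names of the fields holding param1 unmasked: the exact-value scan targets."""
    f = simulate(param1, forced_random, b_plus)
    return sorted(k for k in ("a", "c_v", "enc", "pw") if f[k] == param1)


def roundtrip_ok(trials=1000, seed=1):
    """With a real random source the getter always returns the stored int and
    isValidate passes: the random values are a mask, not a key anyone needs."""
    rng = random.Random(seed)
    for _ in range(trials):
        n = rng.randrange(0, 1 << 20)
        si = SecretInteger(n, rnd=rng.random)
        if si.value != n or not si.is_validate:
            return False
    return True
```

`simulate(250, 0.0)`, `simulate(250, 1.0)` and `simulate(250, 0.0, b_plus=0)` are the three patch outcomes discussed in the thread, and `plain_copies` lists which fields an exact-value scan for 250 would hit in each case. The model only reproduces the arithmetic of the decompiled class; whether the game keeps a separate display copy of the value is a question the class alone cannot answer.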
limau (Newbie cheater, Reputation: 0, Joined: 18 Jun 2014, Posts: 21)
Posted: Sat Jun 28, 2014 9:42 am

I replaced both GetValue and EncryptValue with the random factor changed to 1. I still can't scan for the actual value of the step. Can you test it out with the real game?

*edit:

Gniarf, do you mean as below?
I tried it, but I am still unable to find the actual step variable. Could it be that there is a conversion formula + encryption for this game?
Quote:
d0 30 d0 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 68 ?? ?? d0 d1 d0 66 ?? ?? aa 68 ?? ?? d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? 60 ?? ?? 66 ?? ?? a2 46 ?? ?? ?? ?? 24 01 a0 68 ?? ?? d1 d0 66 ?? ?? a2 73 d5 d0 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? d1 a2 46 ?? ?? ?? ?? 68 ?? ?? d0 5d ?? ?? d1 d0 66 ?? ?? ?? 4a ?? ?? ?? 68 ?? ?? 47

d0 30 d0 24 00 02 02 02 02 02 02 d1 a2 68 ?? ?? d0 d1 d0 66 ?? ?? aa 68 ?? ?? d0 60 ?? ?? ?? 24 00 02 02 02 02 02 02 60 ?? ?? 66 ?? ?? a2 46 ?? ?? ?? ?? 24 00 a0 68 ?? ?? d1 d0 66 ?? ?? a2 73 d5 d0 60 ?? ?? ?? 24 00 02 02 02 02 02 02 d1 a2 46 ?? ?? ?? ?? 68 ?? ?? d0 5d ?? ?? d1 d0 66 ?? ?? ?? 4a ?? ?? ?? 68 ?? ?? 47

Attachment: 8.png (184.18 KB)
DaSpamer (Grandmaster Cheater Supreme, Reputation: 52, Joined: 13 Sep 2011, Posts: 1578)
Posted: Sun Jun 29, 2014 7:44 am

You know, changing the random factor to 0 doesn't mean you'll find it as a plain number.
Here's how the game encrypts the value:
Code:
package com.he.animal.utils
{

    public class SecretInteger extends Object
    {
        private var _a:int;
        private var _b:int;
        private var _c:C;
        private var _encryptedValue:int;
        private var _password:int;

        public function SecretInteger(param1:int = 0)
        {
            this.value = param1;
            return;
        }// end function

        public function get value() : int
        {
            return (this._a + this._c.v) / this._b;
        }// end function

        public function get isValidate() : Boolean
        {
            var _loc_1:* = this._encryptedValue ^ this._password;
            return this.value == _loc_1;
        }// end function

        public function set value(param1:int) : void
        {
            this._password = Math.random() * param1;
            this._encryptedValue = param1 ^ this._password;
            this._b = Math.floor(Math.random() * SecretScale.INT_SCALE_NUMBER) + 1;
            param1 = param1 * this._b;
            this._a = Math.floor(Math.random() * param1);
            this._c = new C(param1 - this._a);
            return;
        }// end function

    }
}

limau (Newbie cheater, Reputation: 0, Joined: 18 Jun 2014, Posts: 21)
Posted: Sun Jun 29, 2014 11:33 pm

DaSpamer, what method & software did you use to get the function from the game? Maybe I can study its code and see where I can change the code itself.
Like you mentioned, even if the encryption is gone, there could still be a conversion formula making it hard to find.

Also, how did you get the swf file in whole?
DaSpamer (Grandmaster Cheater Supreme, Reputation: 52, Joined: 13 Sep 2011, Posts: 1578)
Posted: Mon Jun 30, 2014 12:34 am

I can create hacks that increase the amount of moves (starting moves) or anything else I come across.
The tool I used to get the function (decompile the .swf) is SWF Decompiler (there are plenty of other programs that do the same).
I got the .swf using SWF Memory Dumper (it dumps the .swf from memory, so if it was encoded you'll get it decoded, as long as it reached the decoding step); it was created by Force Project X.

Get it directly from their site http://www.forceprojectx.com/SWFMemoryDumper.zip?attredirects=0&d=1

limau (Newbie cheater, Reputation: 0, Joined: 18 Jun 2014, Posts: 21)
Posted: Mon Jun 30, 2014 11:05 am

DaSpamer, is it possible for you to create hacks for this game?
DaSpamer (Grandmaster Cheater Supreme, Reputation: 52, Joined: 13 Sep 2011, Posts: 1578)
Posted: Mon Jun 30, 2014 2:39 pm

I will look into it later hopefully this weekend.
Page 2 of 3

 