jupiter2020 Newbie cheater
Reputation: 0
Joined: 23 Dec 2010 Posts: 14
Posted: Fri Dec 24, 2010 4:46 am Post subject: help with 96 ver of risk
I am trying to crack the 1996 original version of Risk, and I could really use some help. I have had GE 5.6.1 now for less than a week, and I'm a newbie at this. Here is what I know. For the Ultimate Risk package of the game the play area is divided into 10 continents each with 8 territories. Each of those territories is allocated a block of addresses during game play. I'm going to use Brazil for my example. Its range of addresses, on my computer, is 004BA5E0-F. 0 – 1 are for the battalions. 2 is for the player ID, 3 is used for the forts and capitals. 6 – 7 are used for the generals. I haven’t found a use for 4, 5, 8 – F yet, I have yet to see their values change from 0, I'm assuming they are not actually used. I can change the values of 0 – 3 at will. Let’s say I have address 0 set at 01, in byte notation, that would mean that there is 1 battalion stationed in the territory. I haven’t had a problem changing that at any time. If I were to change address 1 to 01 then I would immediately have 256 + whatever value address 0 was set at, in this case I would have 257 armies stationed there. I can do that fine, my problem comes in when I want to change the generals. There are over 600 different generals divided among the different players and they have an ID in a numbered sequential order starting for some reason at 2 not 1, but anyway. Their primary address is 6. So let’s say I buy a general to put him in my territory and that general's ID is 352. In addresses 6 – 7 I would have, in byte notation, 60 in address 6 and 01 in address 7, representing 96+256=352. Now here is my problem, let’s say I change address 6 to 61 representing 97+256=353, instead of getting the next general in sequence, my general disappears. What I seem to have found is that the only generals I can access are ones that have already been loaded into the stack I guess. Even enemy generals are accessible if they have been played, but I cannot put in a general that hasn’t already been used.
I seem to even be able to have an unlimited number of copy generals on the board. For instance I can have (5) 352’s, (2) 425’s, (7) 125’s, as long as they have all been played. But nothing unique. I have spent a lot of time looking for where the IDs are loaded and/or retrieved from but I can't find anything. I've run what writes to this address, and what accesses this address and I get different addresses, but when I look at those addresses in the viewer they are empty. Anyone have any ideas what I'm doing wrong or what I should do?

Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Fri Dec 24, 2010 5:09 am
How do You get Generals in the game? (Never played it.)
Did You try to track that process somehow?

jupiter2020 Newbie cheater
Reputation: 0
Joined: 23 Dec 2010 Posts: 14
Posted: Fri Dec 24, 2010 5:22 am
Geri wrote:
"How do You get Generals in the game? (Never played it.)
Did You try to track that process somehow?"
You are allowed so many battalions after a round, you have to buy a general with 3 of those battalions. also under normal play you are allowed only 5 generals on the board at any one time. generals that are pow's are considered in play. I'm not sure on tracking, still trying to figure this all out.

Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Fri Dec 24, 2010 5:28 am
If You can change 3 battalions into a general, why don't You just change the number of battalions and buy a general from that?
Is there some other limit too? Or You can't choose which general You will get?

jupiter2020 Newbie cheater
Reputation: 0
Joined: 23 Dec 2010 Posts: 14
Posted: Fri Dec 24, 2010 5:36 am
the battalions can't be traded after they have been played, only at the beginning of the round are you allowed to use some of your round allotment to buy a general, and no, under normal play I can not choose which general I will get. I haven't figured out how the game decides what generals are allowed to be played. it seems to be random in its selection process. I thought at the beginning there were blocks of generals that were available, but that doesn't seem to be the case.

Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Fri Dec 24, 2010 5:45 am
If it is really random, maybe the unrandomizer can help You with that. Turn it on before You "purchase" a general.
Is the game available for free? Do You have a link for it?
If it is not free, don't post link.

jupiter2020 Newbie cheater
Reputation: 0
Joined: 23 Dec 2010 Posts: 14
Posted: Fri Dec 24, 2010 5:46 am
I did try that, and the game crashes immediately every time.

Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Fri Dec 24, 2010 5:50 am
If the game is using static addresses, maybe You can find a list of the available general IDs (You can try to find it if it is dynamic too, but then it is harder).
And then You could check what is accessing that region.

jupiter2020 Newbie cheater
Reputation: 0
Joined: 23 Dec 2010 Posts: 14
Posted: Fri Dec 24, 2010 5:52 am
I've been reading on writing some insert code, but I am completely lost when it comes to writing code.
no I don't think the game is free, mine wasn't, but then I've had 10+ years

Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Fri Dec 24, 2010 5:59 am
I don't really have any other idea at the moment.
I would probably try to backtrace the process of buying a general and figuring out the new general's ID.
But it may also happen that not all numbers are valid IDs.
Did You try to write down some IDs and use them later?

jupiter2020 Newbie cheater
Reputation: 0
Joined: 23 Dec 2010 Posts: 14
Posted: Fri Dec 24, 2010 6:00 am
I do have their static addresses of the text, the general's name. the static addresses seem to be only used when a text display of the general's name is used. I can't find a static address of the numeric ID. I only know of the numeric IDs because they are listed in the territory's addresses 6 and 7, and that seems to be the only place those numeric values represent generals. yes I believe it's the dynamic address that I'm trying to find, and yes that is much much harder.

Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Fri Dec 24, 2010 9:22 am
In case You have found the name of the generals, You may have found or be able to find the structure that is holding their info. Then You could check a few things in that structure and trace what is happening with the values when You get that general. This may be a bit difficult as You are not able to choose which general You want to get.
Is this game Risk or Risk 2?
You said "the 96 ver". Are there more? With the same name just newer?
And is it running on Windows XP?

jupiter2020 Newbie cheater
Reputation: 0
Joined: 23 Dec 2010 Posts: 14
Posted: Fri Dec 24, 2010 10:10 am
first I want to say thanks for helping me.
then I wanted to respond to your last comment, because I couldn't repeat post right away. the numeric values that represent a general's ID in the territory's addresses of 6 and 7 always use the same number for the same general. the 352 example that I used initially always represents the same general when it's loaded into the territory's address.
then I want to say that I have been working some more with the what writes to this address.
I get this code every time I run it on address 6 regardless of what values actually get loaded:
0040f702 - 66 89 b0 d6 a4 4b 00 - mov [eax+004ba4d6],si
I've been reading, trying to understand what this is telling me, and I do and don't understand. no, I guess I just plainly don't understand it. what's messing with my head the most is that when I look at the values for 004ba4d6 there's never anything there. when I run what writes to this address on it I get nothing.
when I click on the more info button for the 0040f702 address I get this:
0040f6fb – mov eax, [esp+30]
0040f6ff – shl eax, 04
>>0040f702 – mov [eax+004ba4d6], si
0040f709 – lea edi, [eax+00ba4d6]
0040f70f – call 00438600
Copy memory
The value of the pointer needed to find this address is probably 004ba4d6
EAX=00000110 EDX=00000021 EBP=0000000A
EBX=00000179 ESI=00000168 ESP=0012FC00
ECX=7A707700 EDI=00000147 EIP=0040F709
all of those addresses are the same every time, EAX and EBP have also been the same every time I've run it. the other values do however change.
it's risk one, it's probably the only ver, not really sure about that. yes I'm running in xp
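
The write instruction above and the 16-byte territory layout from the first post, worked through as an added example (not part of any post in this thread): it decodes the bytes 66 89 b0 d6 a4 4b 00 and checks that, with EAX=00000110, the store lands on offset 6 of the Brazil record. The array base 004BA4D0, the function names and the sample record are assumptions made for this example.

```python
import struct

RECORD_SIZE = 16            # one territory record, per the first post
BRAZIL_BASE = 0x004BA5E0    # poster's address for Brazil on their machine
REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def parse_territory(record: bytes) -> dict:
    """Decode a 16-byte territory record; multi-byte fields are little-endian."""
    if len(record) != RECORD_SIZE:
        raise ValueError("territory record must be 16 bytes")
    battalions, player, forts = struct.unpack_from("<HBB", record, 0)
    (general_id,) = struct.unpack_from("<H", record, 6)
    return {"battalions": battalions, "player": player,
            "forts_capitals": forts, "general_id": general_id}

def decode_store(code: bytes, regs: dict) -> tuple:
    """Decode [66] 89 /r, mod=10 (reg+disp32, no SIB); return (addr, value, width)."""
    i, width = 0, 4
    if code[0] == 0x66:     # operand-size prefix: 16-bit operand in 32-bit code
        i, width = 1, 2
    if code[i] != 0x89:
        raise ValueError("expected opcode 89 (MOV r/m, r)")
    modrm = code[i + 1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0b10 or rm == 0b100:
        raise ValueError("only [reg+disp32] without SIB is handled")
    (disp,) = struct.unpack_from("<I", code, i + 2)
    addr = (regs[REG32[rm]] + disp) & 0xFFFFFFFF
    value = regs[REG32[reg]] & ((1 << (8 * width)) - 1)
    return addr, value, width

def locate(addr: int, array_base: int) -> tuple:
    """Split an absolute address into (record index, byte offset in record)."""
    return divmod(addr - array_base, RECORD_SIZE)

# Instruction bytes and register values copied from the debugger output above.
CODE = bytes.fromhex("6689b0d6a44b00")
REGS = {"eax": 0x110, "esi": 0x168}
ADDR, VALUE, WIDTH = decode_store(CODE, REGS)
# Assumption: the record array starts 6 bytes below the displacement.
ARRAY_BASE = 0x004BA4D6 - 6
# Constructed sample record: 1 battalion, player 2, general 352 (bytes 60 01).
record = bytearray.fromhex("01000200000060010000000000000000")
index, offset = locate(ADDR, ARRAY_BASE)
record[offset:offset + WIDTH] = VALUE.to_bytes(WIDTH, "little")

if __name__ == "__main__":
    print(hex(ADDR), index, offset, parse_territory(bytes(record)))
```

The 66 prefix makes this a 2-byte store of SI, and 004ba4d6 is a constant displacement added to EAX, so the location written is 004BA5E6 (record index 17 under the assumed base) rather than 004ba4d6 itself.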

Geri Moderator
Reputation: 112
Joined: 05 Feb 2010 Posts: 5627
Posted: Fri Dec 24, 2010 10:40 am
mov [eax+004ba4d6],si
is not correctly disassembled.
First, it should be "esi" instead of "si".
But what is a bigger problem,
>>0040f702 – mov [eax+004ba4d6], si
0040f709 – lea edi, [eax+00ba4d6]
So at least one of the addresses is not correct. 00ba4d6 is strange because it is 7 digits. And the instruction is d6 a4 4b 00 so I guess that 004ba4d6 should be the correct address.
If eax is 110, maybe it is a counter and this is a static address and a counter. Or maybe the whole thing is just disassembled incorrectly.
You can also try to use "find out what accesses" and then You will get some more codes which are reading this value in some situations.

jupiter2020 Newbie cheater
Reputation: 0
Joined: 23 Dec 2010 Posts: 14
Posted: Fri Dec 24, 2010 10:53 am
ok first I was incorrect in stating that these values change:
EAX=00000110 EDX=00000021 EBP=0000000A
EBX=00000179 ESI=00000168 ESP=0012FC00
ECX=7A707700 EDI=00000147 EIP=0040F709
ESI, ECX and EDI are the only ones that change, the others remain the same.
not sure about what is or isn't correct as far as the coding goes, but I copied it verbatim with what was shown to me. the "si" is "si" every time I look at it.
also I ran what accesses this address on the 004ba4d6 address and also got nothing.