Cheat Engine

limau · Newbie cheater Reputation: 0 Joined: 18 Jun 2014 Posts: 21

Is it possible to find global variable that is hidden as shown above (attachment)?
First I use normal 4 byte scan and I found the Steps Value inside the global variable, but this variable's purpose is just to display your Steps and not the actual value. Then I use what location writes to this location. Then from the assembly language, this value was copied from a location in the temporary variable (checked the ebp pointer pointing at). I tried to do the same with the temporary variable by putting what writes to this variable. But the problem is this is a temporary location and it gets updated periodic by other function as it's a temporary variable. From my trial and error, when ever the steps reduce, there is a few times the function will use back this temporary variable. Is there any way I can set a break point at this temporary variable, eg. break when 28 is written to this temporary location so that I can find out where the actual value is copied from?

Gniarf

limau · Newbie cheater Reputation: 0 Joined: 18 Jun 2014 Posts: 21

Thanks for the reply Gniarf.

Gniarf · Posted: Sat Jun 21, 2014 9:43 am Post subject:

limau · Newbie cheater Reputation: 0 Joined: 18 Jun 2014 Posts: 21

Ok, Here's what I got so far.

I've scan the display variable and use "find out what writes to this address".
I attached the screen shot, showing the assembly code and stack value.

What should I do next?

Gniarf · Posted: Mon Jun 23, 2014 10:15 am Post subject:

Scroll up, look for a "mov [ebp-58],***".
If you can't find any, look for a "mov [e**-58],***".
If you can't find any either, post the whole function. Function are usually separated by a bunch of nop or int 3.

limau · Newbie cheater Reputation: 0 Joined: 18 Jun 2014 Posts: 21

Ok, I scrolled up and up, and found this quite top of the function as you mentioned. What should I do next?

Gniarf · Posted: Mon Jun 23, 2014 3:02 pm Post subject:

Read upward.
mov [ebp-58],ebx means the game stores ebx at ebp-58 (and you saw that ebp-58 was later on copied into ecx then ecx into DisplayVar).

Q:What is the last instruction that wrote ebx?
A:The line just above: mov ebx,[eax+4] . Now look at the order of magnitude: eax and esp are awfully close, so that means eax is also a temporary variable, or an argument passed on to your function.

Anyway, continue looking up, where does that eax come from? [ebp+10].
push ebp+mov ebp,esp is a common way to start a function, and whatever is above looks like bullshit so it's probably some data but no code thus I assume your function starts at this push ebp. In this case ebp+0x10 would mean the 3rd argument* passed on to your function.

In C your code looks like that:

limau · Newbie cheater Reputation: 0 Joined: 18 Jun 2014 Posts: 21

Ok, from the stack window, I found the ebp+4 as you mention. I jump to the address, and above it there is 3 push instructions. I find out what Arg3 till the top of the function. Where do I go to now?

Gniarf · Posted: Tue Jun 24, 2014 9:31 am Post subject:

Looks like you're getting the hang of backtracing, congratulation.

You have found CopyFunction ages ago, now you've found the function that calls CopyFunction, let's call the latter CopyFunction_1. CopyFunction_2 would be the function that calls CopyFunction_1, etc...
My naming convention might not be very good, if you've got a better suggestion, I'm all ears/eyes.

The boxed ebx on 5.png is probably set by the parent function (CopyFunction_2). Also you see the 55 8b ec bytes just above the sub esp,78, that's the bytecode for push ebp+mov ebp,esp.

Anyway beware of the lea edx,[ebp-68] (boxed on 4.png), which means that edx=ebp-68, and NOT edx=the 4 bytes at address ebp-68. So basically CopyFunction_1 is building a ThirdArgument struct on the stack, beginning at ebp-68. ThirdArgument.Unknown comes from the ebx on 5.png, but we're tracking ThirdArgument.ValueToDisplay which is at ebp-68+4=ebp-64.
Looking up at your screenshots, I see:
mov [ebp-64],eax at 9c11840
mov eax,[ebp-5c] at 9c117fd
mov [ebp-5c], esi at 9c117e1
mov esi,[eax+4] at 9c117de
mov eax,[ebp+10] at 9C117d9 and 9c117b0
Lol, ebp+10 means 3rd argument to CopyFunction_1, eax+4 means there is a 4 byte offset, exactly like when you traced CopyFunction.

You have 2 options to continue tracing:
A-right click on DisplayVar in your cheat table->browse this memory region->right click->data breakpoint->break on write, then debug->"execute till return" when cheat engine breaks execution. That will lead you to CopyFunction_1, execute till return again to go to CopyFunction_2. There you continue backtracing manually.
Note: if cheat engine stops on an instruction that starts with "ret", do debug->step over.
B-You use the ebp backup (at ebp+0)) in the stack view to see what was ebp for CopyFunction_1. Check that [CopyFunction_1's ebp+10]+4 is equal to DisplayVar to make sure you didn't lose track of what you are tracing. Then go to [CopyFunction_1's ebp+4] to locate CopyFunction_2.

In both cases the third argument is the address of Something (probably a ThirdArgument struct) and you want to know who wrote on Something+4 (the ValueToDisplay member).
Also check if Something is allocated on the stack or somewhere else (which would mean you hit the jackpot)

Thinking again about it, if you could locate the .swf of your game you could try to decompile it to at least get some clues on how SourceVar is handled, and maybe find it by scanning.

limau · Newbie cheater Reputation: 0 Joined: 18 Jun 2014 Posts: 21

I tried finding the swf file, but seems like this game has many components of swf inside the temporary internet files. Was planning to use Sothink SWF Decompiler but that's out of the point since I can't get the whole SWF.

I tried Option A and that's a faster way to find the CopyFunction_2. Here's what I got, Please refer to 6.png.

From the box I highlighted, starting from the Arg3 which is the 3rd push from the bottom,

mov edx,[esi+68]
test edx,edx
mov [ebp-28],edx
lea edx,[ebp-28]
push edx

Then from the register esi which is 0578D330, I add hex68 to get 578D398. When I see the value in this address, it's 21. Is there something I missed?

*Also, after setting the break point, I want to try to change the value 21 to see if it's has something to do with the Steps. But when I delete the break point, CE hangs, I close it and the flash game crashes.

Gniarf · Posted: Wed Jun 25, 2014 11:22 am Post subject:

daspamer · Posted: Wed Jun 25, 2014 3:06 pm Post subject:

Game encoding functions..

Gniarf · Posted: Wed Jun 25, 2014 4:01 pm Post subject:

And there comes the flash game expert... Very Happy

@DaSpamer
Given the number of 02 in your patches I assume it means nop in ActionScript, heh?

Still since AS(3?) is compiled into asm at runtime, is it ok to apply your patches at the main menu, or is it too late and the OP should patch the .swf?
(I can't check because I don't have/want a FB account)

Thanks for showing us the encryption function. By the looks of it, forcing Math.random() to return 0 would surely have lovely results, hehehe... Aside from gameplay side effects...

daspamer · Posted: Wed Jun 25, 2014 4:33 pm Post subject: