Nemexia55 Expert Cheater
Reputation: 0
Joined: 28 Jan 2014 Posts: 160
Posted: Tue Jan 26, 2016 11:19 am Post subject: XOR?
Hi, I've just seen in a forum that XOR is usually used to encrypt data, like this:
real number    in memory
0              5
1              4
2              7
3              6
4              1
5              0
6              3
7              2
8              13
9              10
10             15
which is (x XOR 5) (integer).
As you see, the memory value fluctuates and does not increase as the real number increases, so we can't find the memory by an INC/DEC search; the CHANGED type also gives lots of results.
So how do people find these?
[Attached image: health XOR 123 from 0 to 500]
h3x1c Master Cheater
Reputation: 17
Joined: 27 Apr 2013 Posts: 306
Posted: Tue Jan 26, 2016 12:31 pm
Creativity and patience.
Let's say you're looking for money and the value on your screen is $10,000. Try searching for that value, and if you find it, start exploring other instructions that access that address. Break/Trace can reveal a lot in those cases, too. The overall premise is that the value you see on the screen is somehow related to the actual XOR value, so dig through instructions and their data to look for related values.
If that fails, then try finding another value related to the character that might also reside in the same class. Find, say, ammo/health/etc., then dissect the structure containing that address/value and see what you can find.
You could also try something like reducing the range of memory you scan. Let's say you identify some other values (ammo, health, etc.) and you see that they're in addresses 05B48C14 and 05B4CC30.
Well, presumably, you should be able to find other character-related values within close range. So, to search for your XOR value, start a new search, select value type of All, select unknown initial value, then change your Start and Stop range to something like 03000000 -> 06000000. That should filter out results outside that range. Then, just keep searching for changed/unchanged values while continuing to do as many things as you can think of to change (or keep unchanged) the value: add money all the different ways you can (find it, sell something, etc. -- changed value), sub money the same way (changed value), do a bunch of stuff that doesn't involve money (unchanged values), and set up hotkeys in CE so you can search for these things without having to pause the game or leave the window.
You just have to start thinking a bit more creatively and focus less on searching for only the address itself containing the value.
mgostIH Expert Cheater
Reputation: 3
Joined: 01 Jan 2016 Posts: 159
Posted: Tue Jan 26, 2016 1:05 pm
Watching some of sneakymofo's videos, I can surely tell his usual way is to load up Cheat Engine and go for trial and error searching for the right address (which I am not referring to as a bad way; sometimes I do that as well).
But I would prefer to explain another way of doing so.
First of all, you should reduce your range of scan. As stated by h3x1c, you can do this by finding another value that might be near your health address (player name, for example?) which is not XORed and then adjusting your range to something near that if you want to go with the changed value method (I suggest small ranges, like 0x401000-0x4B0000).
But it's very common that the health itself is in the same structure as the pointer to the player name or the player name itself, so I think that finding your player structure would be better.
You could also analyze how the executable itself works: find references for the XOR opcode (0x35 if 2 or 4 bits value) in the code section of the executable (rarely the values are processed in DLLs; I recommend OllyDBG for this), find the code that kills you with either Ultimap or whatever tool you like, and the register that stores the HP is surely near there.
If you are really stuck in finding the right address, you have no other choice aside changed/unchanged value.
Gniarf Grandmaster Cheater Supreme
Reputation: 43
Joined: 12 Mar 2012 Posts: 1285
Posted: Tue Jan 26, 2016 1:41 pm
Personally, I just used changed/unchanged scans to find XORed values (or any encrypted stuff). Just use type=4 bytes, fast scan's alignment=4 regardless of the size of what you're looking for, and be patient...
If you absolutely can't lower the result count after several dozen scans, use dichotomy, i.e. add all your results to the table, freeze half, see if it has an effect in-game. Remove the frozen ones if no effect, or remove the others if the value was frozen in-game. Rinse and repeat.
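As an added illustration (not code from any poster, and not Cheat Engine's own scanner), the following Python simulation models the point made in the first post and in Gniarf's reply: XOR with a constant key breaks the ordering that an increased/decreased scan relies on, but since it is a bijection the stored word still changes exactly when the real value changes, so a changed/unchanged scan followed by the halving (dichotomy) step still isolates it. The memory image, key, target address and tick counter are constructed for the example; the "freezing half has an effect" callback stands in for observing the game.

```python
import random

KEY = 5  # constructed key, matching the (x XOR 5) table in the first post


def encode(value, key=KEY):
    """Store value as (value XOR key); XOR with a constant is a bijection."""
    return value ^ key


def monotonic_breaks(key=KEY, upto=10):
    """Real values x where the stored form drops although x grew by 1.
    Any such x makes an increased/decreased scan discard the true address."""
    return [x for x in range(upto) if encode(x + 1, key) < encode(x, key)]


def changed_unchanged_scan(snapshots, changed_flags):
    """Keep addresses whose value changed exactly when the target should have.
    changed_flags[i] is True if the real value changed between snapshot i and i+1."""
    candidates = set(range(len(snapshots[0])))
    for i, expected in enumerate(changed_flags):
        before, after = snapshots[i], snapshots[i + 1]
        candidates = {a for a in candidates if (before[a] != after[a]) == expected}
    return candidates


def dichotomy(candidates, frozen_half_has_effect):
    """Gniarf's halving step: freeze half the results and keep whichever half
    contains the address whose freezing changes the game's behaviour."""
    cands = sorted(candidates)
    while len(cands) > 1:
        half = cands[: len(cands) // 2]
        cands = half if frozen_half_has_effect(half) else cands[len(half):]
    return cands[0]


def simulate(seed=1, size=64, target=37, timer=3):
    """Constructed memory image: XORed health at `target`, a tick counter at
    `timer`, random unrelated writes elsewhere. Returns (target, candidates)."""
    rng = random.Random(seed)
    mem = [rng.randrange(1000) for _ in range(size)]
    health = 100
    mem[target] = encode(health)
    snapshots, flags = [list(mem)], []
    for delta in (-10, 0, 25, 0, -7):  # hit, idle, heal, idle, hit
        mem[timer] += 1  # changes every tick, so an idle step eliminates it
        for a in rng.sample(range(size), 6):  # unrelated game state
            if a not in (target, timer):
                mem[a] = rng.randrange(1000)
        if delta:
            health += delta
            mem[target] = encode(health)
        snapshots.append(list(mem))
        flags.append(delta != 0)
    return target, changed_unchanged_scan(snapshots, flags)
```

The defender's takeaway is that a constant XOR key hides the plaintext but not the change pattern; only a scheme where the stored word changes independently of the real value (a per-write key or re-encoding on a timer) would blunt differential scans.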
Nemexia55 Expert Cheater
Reputation: 0
Joined: 28 Jan 2014 Posts: 160
Posted: Wed Jan 27, 2016 11:29 am
Thanks for the replies!
I just saw "Ultimap"; do I need it? Because it's written that it needs the DBVM thing....
And it's not enabled in my BIOS; should I enable it?
hhhuut Grandmaster Cheater
Reputation: 6
Joined: 08 Feb 2015 Posts: 607
Posted: Wed Jan 27, 2016 11:54 am
If you read the previous posts carefully you can see that you don't need Ultimap, but that you can also do an "oldschool" changed/unchanged scan ...
But if you know how to use it best, Ultimap can speed things up a bit ...
Nemexia55 Expert Cheater
Reputation: 0
Joined: 28 Jan 2014 Posts: 160
Posted: Wed Jan 27, 2016 12:04 pm
Are this DBVM and Intel VT harmful for a laptop?
h3x1c Master Cheater
Reputation: 17
Joined: 27 Apr 2013 Posts: 306
Nemexia55 Expert Cheater
Reputation: 0
Joined: 28 Jan 2014 Posts: 160
Posted: Wed Jan 27, 2016 12:41 pm
Thanks.
What about VEH and the Windows debugger?
What is their difference and what are their benefits?
mgostIH Expert Cheater
Reputation: 3
Joined: 01 Jan 2016 Posts: 159
Posted: Wed Jan 27, 2016 1:25 pm
Nemexia55 wrote:
    Thanks.
    What about VEH and the Windows debugger?
    What is their difference and what are their benefits?
The Windows debugger is the most common kind of debugger, which means it's pretty detectable, but it has a good feature, which is that it's the only one that is apparently able to put breakpoints on created threads.
The VEH debugger, on the other hand, is far stealthier for a usermode approach, but it requires DLL injection, which can be detected easily by good anti-cheats.
Usually, the VEH debugger is used to evade the default protection used by Steam games against debuggers.