Cheat Engine

JordzR · Posted: Sun May 08, 2016 5:01 am Post subject: Those Really Troublesome Vales

Hey,
So we all know what Bloons Tower Defense 5 and many other games a matter of fact such as Dragon City have those extremely troublesome values.

For example, if i search for the value of "monkey money" in BTD5 while i'm trying to complete a level/map, lets say its "650 (double)", i will find it 100% of the time using the simple search of 650, issue a change (bloons popped + 10 = 10 + 650 monkey money), search for 660.

I put it into my cheat table and try to change it, that doesn't work, and i'm left wondering why? Can i not change these values directly, and how would i go about changing these values.

Well i have tried things such as, finding out what writes to it. Popping a bloon, comes up with an assembly script such as..

`movq [eax+17], xmm0`

But i do not know how to handle assembly scripts that revolve around doubles. ( i have tried googling it, but nothing comes up :< )

OK, so i question, why can't i change those values to what i want directly?

And could i have some help on basic assembly with doubles. Why does:

`add [eax+17], (double) 2`

freeze the address rather than resulting in a increment of it by + 2

JohannesJoestar

JordzR · Posted: Sun May 08, 2016 5:34 am Post subject:

Well you answered my first question flawlessly, so thanks a lot, that makes loads more sense now.

I actually already have the knowledge of xmm0 registers from Stephen Chapmans cheat engine videos, but thanks for letting me know either way.

And yeah, i think i'll try what you said, just a simple re-written code, even if the value of the address is a fake, the fake should change to 50 in the cheat table when i edit it. So i'll give it a go.

I understand that movq operates 64bit values, so i figured i may of not been entering the correct assembly instruction. There may be a special instruction for "add" with 64 bit values that i have no idea about.

These popular games such as BTD5 that do probably have protection code

ParkourPenguin · Posted: Sun May 08, 2016 8:51 am Post subject:

All of this is under the assumption you're playing offline. If you need to be connected to the internet in order to play a game, the values could be server-sided, in which case you won't be able to change them directly with CE.

If the devs of BTD5 don't have their heads up their asses, changing that value via code injection won't do anything. The value you easily found is a red herring. The real value the game uses is probably encrypted with a pseudorandom number and maybe some bitwise operations.

The reason why there aren't any tutorials on this stuff is because it's impossible to make a tutorial that covers breaking every possible type of encryption. The best you'd be able to find is one that covers a particular game, but even then, it's not very likely going to be the same for the game you want. If you want to do something, don't look for a tutorial telling you how to do it step-by-step: you'll never learn anything that way. It's like that saying, "Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime."

In the case of BTD5, the game has already given you a fake value that changes as the real one changes. As such, the asm that encrypts and stores the data should be around the instruction that writes to the address of the fake value. So, analyze the assembly around it (i.e. backtrace to find how it's getting the value), and you should find it eventually. Just note that when I say "around," I mean give or take a few thousand instructions.

You might even be able to get lucky with an unknown initial value scan and changed/unchanged value scans. Find a value that changes as your money changes, and it could be a part of the encryption. In this case, look at what instructions write to that address, and the encryption process should be very close to there. Just be careful with this, because searching for encrypted values works differently: just because the number on the screen is the same doesn't mean it's stored the same.

JordzR · Posted: Sun May 08, 2016 10:21 am Post subject:

Thanks for such an in-depth explanation, and yeah i understand what you mean by the hole tutorial conundrum, it's just that the internet has turned into a humongous learning resource so it's hard not to feel the need to look at a video tutorial, I need to start revising assembly again.

I'm fairly new to cheat engine really, i have only started messing around with assembly about 2 weeks ago or so. So attempting to read through instructions and back-trace is like a hole new ball game to me lol,
and sorry to ask but could you define these keywords you used:

ParkourPenguin · Posted: Sun May 08, 2016 10:30 am Post subject:

m32 simply stands for a 32-bit (4-byte) memory location.

dq is a pseudoinstruction that stands for "declare quadword" (quadword = 8 bytes). So when CE sees the line dq (double)2.0, it will interpret 2.0 as a double value type and write its bytes into that memory address.