TheAdmiester How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 9
|
Posted: Mon Mar 06, 2017 3:13 pm Post subject: Get SQLite Database information from game? |
|
|
Hi, I'm not very experienced with Cheat Engine so bear with me if this sounds a bit odd/inaccurate.
I'm trying to work with a game that uses an encrypted database. The file extension is .slt, and I know from using IDA on the game that it is somehow transferred to an SQLite3 format database when the game runs. I can search for certain SQL queries and possibly even execute them using the string search on CE, but is there any way to actually get data FROM the database and/or export it?
I think what I'm basically looking for is a way to return the results of a query (for example, I can run "SELECT * FROM tablename" but I don't get to see the results) which would allow me to get the contents of the tables I want one by one, or export the whole thing.
Is this possible or is it too out-there?
Dark Byte Site Admin
Reputation: 471
Joined: 09 May 2003 Posts: 25817 Location: The netherlands
|
Posted: Mon Mar 06, 2017 3:55 pm Post subject: |
|
|
Does the target use a sqlite3 library? If so, try finding the exports and place a hook there to get the data you need, and then use the other APIs in there to do queries
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping
TheAdmiester How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 9
|
Posted: Mon Mar 06, 2017 4:29 pm Post subject: |
|
|
| Dark Byte wrote: | Does the target use a sqlite3 library? If so, try finding the exports and place a hook there to get the data you need, and then use the other APIs in there to do queries |
I think it is using SQLite3 somewhere (because like I said you can find a ton of "sqlite3_master" and so on in a CE string search or IDA Pro), but unfortunately since I'm not really sure what I'm doing, what you said doesn't really make any sense. Whereabouts would I start to try and do what you're saying?
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
|
Posted: Mon Mar 06, 2017 4:30 pm Post subject: |
|
|
With what DB said, if it uses sqlite3, you will want to look into hooking:
- sqlite3_key
- sqlite3_key_v2
Or look for references to 'PRAGMA key'. This is how the database encryption key is set which you can then use to open the database with an external editor.
_________________
- Retired. |
TheAdmiester How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 9
|
Posted: Mon Mar 06, 2017 4:42 pm Post subject: |
|
|
| atom0s wrote: | With what DB said, if it uses sqlite3, you will want to look into hooking:
- sqlite3_key
- sqlite3_key_v2
Or look for references to 'PRAGMA key'. This is how the database encryption key is set which you can then use to open the database with an external editor. |
I can't find any references to any of these either in CE or IDA. I can find "Pragma" on its own but nothing referring to a key.
There is a string in IDA that shows "?AVkeywrapper_gamedb_decryptionkey@@" but I have no idea how to find what it does or if it's any use at all since it could just be a dud or leftover.
atom0s Moderator
Reputation: 205
Joined: 25 Jan 2006 Posts: 8587 Location: 127.0.0.1
|
Posted: Mon Mar 06, 2017 5:13 pm Post subject: |
|
|
Stuff usually marked like "?AVkeywrapper_gamedb_decryptionkey@@" is either an import or an export. See if the function is being imported from another file. It may be stored in a .dll rather than the main exe.
_________________
- Retired. |
TheAdmiester How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 9
|
Posted: Mon Mar 06, 2017 5:44 pm Post subject: |
|
|
| atom0s wrote: | | Stuff usually marked like "?AVkeywrapper_gamedb_decryptionkey@@" is either an import or an export. See if the function is being imported from another file. It may be stored in a .dll rather than the main exe. |
I'm guessing it's in the exe, because there's no reference to it in Exports or Imports. Only in the Strings window.
I don't think Exports/Imports are displaying incorrectly either, as they're showing things that are being used from dependencies such as VCLibs, Kernel32, and so on, as you'd expect.
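Names of the form `.?AV<name>@@` are also how the MSVC compiler stores RTTI type descriptors for classes (`.?AU` for structs), and those show up in a Strings window without any import or export entry. The following is an added example, not code from any poster in this thread: it scans a byte blob for such names, decodes them, and flags the ones a developer would want to review before shipping. The sample bytes and the `SENSITIVE` word list are constructed for illustration.

```python
import re

# MSVC RTTI type-descriptor names: ".?AV" = class, ".?AU" = struct,
# then name components innermost-first separated by "@", ended by "@@".
# Template instantiations (which contain "?$") are deliberately skipped.
RTTI_RE = re.compile(rb"\.?\?A([VU])((?:[A-Za-z_][A-Za-z0-9_]*@)+)@")

# Assumed word list, modelled on the strings quoted in the thread.
SENSITIVE = ("key", "decrypt", "obfuscat", "seed")


def decode_rtti(kind: bytes, body: bytes) -> str:
    """Turn b'Foo@Bar@' into 'class Bar::Foo' (components are stored reversed)."""
    parts = body.decode("ascii").rstrip("@").split("@")
    prefix = "class" if kind == b"V" else "struct"
    return f"{prefix} {'::'.join(reversed(parts))}"


def scan_rtti(blob: bytes):
    """Return (offset, decoded_name, flagged) for each RTTI name in blob."""
    hits = []
    for m in RTTI_RE.finditer(blob):
        name = decode_rtti(m.group(1), m.group(2))
        flagged = any(word in name.lower() for word in SENSITIVE)
        hits.append((m.start(), name, flagged))
    return hits


# Constructed sample: bytes shaped like a slice of a .rdata section.
SAMPLE = (
    b"\x00\x00.?AVkeywrapper_gamedb_decryptionkey@@\x00"
    b"\x10\x20.?AVTexture@render@@\x00"
    b"\x00.?AUobfuscationseed@gamedb@@\x00"
    b"PRAGMA\x00"
)

if __name__ == "__main__":
    for offset, name, flagged in scan_rtti(SAMPLE):
        print(f"{offset:#06x}  {name}{'   <-- review' if flagged else ''}")
```
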
TheAdmiester How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 9
|
Posted: Tue Mar 07, 2017 9:16 am Post subject: |
|
|
I've found more things along the lines of "gamedb_obfuscation" and "obfuscationseed" - not sure if these would help at all because the database isn't obfuscated by the game, it's already pre-scrambled.
Does that help at all?
EDIT:
Found some mentions of RSA1024, TransformIT, and some other stuff I can't quite remember. Wishing it was possible to get this database out of memory.
pellik Advanced Cheater
Reputation: 0
Joined: 14 Jun 2013 Posts: 93
|
Posted: Tue Mar 07, 2017 5:32 pm Post subject: |
|
|
Does the game constantly pull from the database or does it just do it at a set time? Maybe you could use ultimap to find the database retrieval function and just hook that.
TheAdmiester How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 9
|
Posted: Tue Mar 07, 2017 7:05 pm Post subject: |
|
|
| pellik wrote: | | Does the game constantly pull from the database or does it just do it at a set time? Maybe you could use ultimap to find the database retrieval function and just hook that. |
It pulls from a database whenever it needs to. I can trigger it myself (e.g. clicking on one of the shop menus makes it essentially run a "SELECT * FROM") but I don't know the exact queries it's doing, as doing a string search is just guesswork.
EDIT:
I think this might be helpful:
i imgur com/9ZajtoB png (replace the spaces with . as I can't post URLs yet)
I scanned with Ultimap, and among a lot of FMOD (audio I believe) calls, I found the above.
The game seems to make at least a few calls to Crypt32.dll when I select a menu item (causing an interaction with the database). These calls to functions relating to keys could be promising but I'm still a beginner and wouldn't know how to follow them or get anything valuable.
pellik Advanced Cheater
Reputation: 0
Joined: 14 Jun 2013 Posts: 93
|
Posted: Tue Mar 07, 2017 8:39 pm Post subject: |
|
|
I'm not at all knowledgeable on databases or crypt32, so I can't help you do anything useful with this, but-
BOOL WINAPI CryptImportPublicKeyInfo(
    _In_  HCRYPTPROV            hCryptProv,
    _In_  DWORD                 dwCertEncodingType,
    _In_  PCERT_PUBLIC_KEY_INFO pInfo,
    _Out_ HCRYPTKEY             *phKey
);
So if you set a break point on the call then the stack will contain those calling variables in whatever convention order, and if you step over it then there will be the hcryptkey pointer. I hope that's the key you're looking for.
*edit
I just noticed your snippet is inside of crypt32. First find a ret out of crypt32 and see what in the program called it (or look for the return pointer in stack view).
TheAdmiester How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 9
|
Posted: Tue Mar 07, 2017 9:07 pm Post subject: |
|
|
| pellik wrote: | So if you set a break point on the call then the stack will contain those calling variables in whatever convention order, and if you step over it then there will be the hcryptkey pointer. I hope that's the key you're looking for.
*edit
I just noticed your snippet is inside of crypt32. First find a ret out of crypt32 and see what in the program called it (or look for the return pointer in stack view). |
Sorry for being dumb but I'm totally clueless on this. I can do what you want but you'd need to explain a bit more layman-y.
pellik Advanced Cheater
Reputation: 0
Joined: 14 Jun 2013 Posts: 93
|
Posted: Tue Mar 07, 2017 10:18 pm Post subject: |
|
|
I'll try, but hopefully we're not getting into an example of the blind leading the deaf. I'm not sure where the cut-off on explaining stuff is, so apologies in advance if I'm off the joe. [/disclaimer]
So first off if you set a breakpoint at the address you posted in the image you can get all the state information. Then the stack view is in the bottom right. Right clicking and setting to full stack is helpful.
If you don't know how the stack works learn that first.
Next you need to get back into your game's address space. The crypt32.somethingsomething means the instructions you see are inside of crypt32 which is Windows stuff and not part of your game. To get back you can either look back through the stack for what might be the return address, or you can just step all the way through until you find a ret that takes you back to the game.
Now you need to know about calling conventions. Stdcall is the choice for Windows API stuff. Knowing that, if you set your breakpoint on the call to crypt32 you can see the arguments right there at the top of the stack. Step over the call and there is the return value I think in eax.
Of course the call to crypt32 may not be interesting at all, but either way you're learning.
TheAdmiester How do I cheat?
Reputation: 0
Joined: 06 Mar 2017 Posts: 9
|
Posted: Wed Mar 08, 2017 8:00 am Post subject: |
|
|
I'm not sure if you're the blind or deaf but I think you might in fact be leading the deaf, blind, and dumb
I've been fiddling with the Ultimap and breakpoint abilities but I'm still going nowhere. I can occasionally find some plaintext stuff in the stack (like a filepath broken up over a few lines/addresses) that looks kinda interesting but I have no idea what to do with any of it.
pellik Advanced Cheater
Reputation: 0
Joined: 14 Jun 2013 Posts: 93
|
Posted: Wed Mar 08, 2017 8:21 am Post subject: |
|
|
You've got to apply your knowledge of programming to start reading assembly. It follows the same general structure as a program (function calls, loops, etc.), but it's much more verbose. So much more so that figuring out what it's doing is usually not worth it, so instead try to glean the structure of the code.
Although Cheat Engine is a great place for learning assembly as a self-teaching method, there aren't a lot of good tutorials out there. Maybe start with OllyDbg instead. The tutorial series by lena151 is a good place to start.