jycs Newbie cheater
Reputation: 0
Joined: 13 Nov 2015 Posts: 20
Posted: Sun Jun 12, 2016 6:06 am Post subject: Finding unknown used values?
Done, right.
Last edited by jycs on Sun Jul 10, 2016 10:43 pm; edited 1 time in total

cooleko Grandmaster Cheater
Reputation: 11
Joined: 04 May 2016 Posts: 717
Posted: Sun Jun 12, 2016 6:04 pm
Oftentimes, the game will encrypt/encode the value into some outlandish format. In order to reverse these types of games, what you do is find the value that you think it must be, in this case "159916119", find out what accesses/writes to this address, view the instruction in the memory viewer, break and trace, follow to the end of the function call ("ret") and double click the code right below it (i.e., where the code returns to). The line above the value you just double clicked (in Memory Viewer) will be the function call. Break and trace that function call, and look at each instruction until you find where the actual value appears (perhaps in a register after a multiply, xor, or another function call).
Then you just perform all of your edits at that line of code upon the register your value is hidden in.
If you can't figure out which "159916119" is actually the value you are looking for, then you can try the DBVM ultimap, which will allow you to isolate the function call fairly closely; from there just break and trace each of the options until you find it. Search Cheat Engine on Google to find those guides.
jycs Newbie cheater
Reputation: 0
Joined: 13 Nov 2015 Posts: 20
Posted: Mon Jun 13, 2016 4:22 am
Done, right.
Last edited by jycs on Sun Jul 10, 2016 10:44 pm; edited 2 times in total

jycs Newbie cheater
Reputation: 0
Joined: 13 Nov 2015 Posts: 20
Posted: Tue Jun 14, 2016 12:56 am
Done, right.
Last edited by jycs on Sun Jul 10, 2016 10:44 pm; edited 1 time in total

jycs Newbie cheater
Reputation: 0
Joined: 13 Nov 2015 Posts: 20
Posted: Wed Jun 15, 2016 10:18 am
Done, right.
Last edited by jycs on Sun Jul 10, 2016 10:44 pm; edited 1 time in total

cooleko Grandmaster Cheater
Reputation: 11
Joined: 04 May 2016 Posts: 717
Posted: Wed Jun 15, 2016 12:38 pm
From Overfall (a game that encrypts data)

Code:
44EE03C7 - B9 801D6140 - mov ecx,40611D80 { [019D3D07] }
44EE03CC - 48 63 09 - movsxd rcx,dword ptr [rcx]
44EE03CF - 48 8B C7 - mov rax,rdi
44EE03D2 - 33 C1 - xor eax,ecx
44EE03D4 - EB 05 - jmp 44EE03DB

The game loads some random value into RCX.
Then it copies the desired value from RDI to RAX.
Then it XORs the desired value with the random value.
...
Stores the encrypted value and never stores the actual value.
...
I found this because I used "Find out what accesses this address" and Break and Trace Instructions, jumped up a few function calls (find a 2nd or 3rd RET in the trace), moved up one line of code to the function call, did Break and Trace Instructions for that instruction, then scrolled up from my original instruction until I found the value in a register.
From my image, you can see that I found 00002701 (9985) in RDI; that is when I knew I had found my value, even though the encrypted value was 00002701 XORed with 019D3D07.
Hope this helps a little more. It is really an endeavor in looking instruction by instruction until you find your value.
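The XOR store pattern in cooleko's Overfall disassembly, modelled as an added example that is not code from the thread or from the game. The key 0x019D3D07 (the dword Cheat Engine annotated at [40611D80]) and the plaintext 9985 (0x2701) are taken from the post; the struct layout, the function names and the memory-scan check are my own assumptions. The example shows why a plain search for 9985 finds nothing (only key XOR value ever reaches memory), and also the design caveat: because the key sits in memory next to the encoded value, anyone who can read both recovers the plaintext with a single XOR, so this scheme only defeats naive value scans, not a tracer.

```c
/* Added example, not from the forum thread or the game.
 * Models: mov ecx,key ; mov rax,rdi ; xor eax,ecx ; store eax
 * Key and plaintext values come from cooleko's post; names are assumed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEMO_KEY   0x019D3D07u  /* dword CE showed at [40611D80] */
#define DEMO_PLAIN 9985u        /* 0x2701, the value seen in RDI */

/* Assumed layout: the "random value" and the encoded field live together. */
typedef struct {
    uint32_t key;      /* what the game loads into RCX */
    uint32_t encoded;  /* what the game actually writes to memory */
} obf_int;

/* Store path: only plain ^ key is written, the plaintext never hits memory. */
static void obf_store(obf_int *o, uint32_t plain) {
    o->encoded = plain ^ o->key;
}

/* Load path: the game undoes the XOR when it needs the real value. */
static uint32_t obf_load(const obf_int *o) {
    return o->encoded ^ o->key;
}

/* What a naive memory scanner does: look for the plaintext bytes anywhere
 * inside the object (little-endian, unaligned offsets included). */
static int plain_visible_in_memory(const obf_int *o, uint32_t plain) {
    const unsigned char *p = (const unsigned char *)o;
    for (size_t i = 0; i + sizeof plain <= sizeof *o; i++)
        if (memcmp(p + i, &plain, sizeof plain) == 0)
            return 1;
    return 0;
}

/* Encode `plain` the way the disassembly does and return the stored dword. */
static uint32_t demo_encoded_value(uint32_t plain) {
    obf_int o = { DEMO_KEY, 0 };
    obf_store(&o, plain);
    return o.encoded;
}

/* Round trip through store/load; should give `plain` back unchanged. */
static uint32_t demo_roundtrip(uint32_t plain) {
    obf_int o = { DEMO_KEY, 0 };
    obf_store(&o, plain);
    return obf_load(&o);
}

/* 1 if a scan for `plain` would hit inside the stored object, else 0. */
static int demo_scan_hits(uint32_t plain) {
    obf_int o = { DEMO_KEY, 0 };
    obf_store(&o, plain);
    return plain_visible_in_memory(&o, plain);
}

/* The weakness: key and ciphertext are both in memory, so one XOR recovers
 * the plaintext from a captured encoded dword. */
static uint32_t decode_captured(uint32_t encoded, uint32_t key) {
    return encoded ^ key;
}

int main(void) {
    uint32_t enc = demo_encoded_value(DEMO_PLAIN);
    printf("plain   = %u (0x%08X)\n", DEMO_PLAIN, DEMO_PLAIN);
    printf("stored  = 0x%08X\n", enc);                 /* 0x019D1A06 */
    printf("scan hit for plain: %d\n", demo_scan_hits(DEMO_PLAIN));
    printf("decoded = %u\n", decode_captured(enc, DEMO_KEY));
    return 0;
}
```

Running it shows the stored dword 0x019D1A06 rather than 0x00002701, which is exactly why the "159916119"-style direct search in the first post fails and why the trace has to walk back to the instruction where RDI still holds the plaintext.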
 |
jycs Newbie cheater
Reputation: 0
Joined: 13 Nov 2015 Posts: 20
Posted: Fri Jun 17, 2016 11:05 am
Done, right.
Last edited by jycs on Sun Jul 10, 2016 10:44 pm; edited 1 time in total

cooleko Grandmaster Cheater
Reputation: 11
Joined: 04 May 2016 Posts: 717