Cheat Engine The Official Site of Cheat Engine
Redouane, Master Cheater
Reputation: 3
Joined: 05 Sep 2013 Posts: 363 Location: Algeria
Posted: Wed Aug 13, 2014 6:22 pm Post subject: Unity hacking question
Hi, I'm trying to cheat on a Unity game that runs inside a browser. The game did not load mono.dll; it loaded webplayer_win.dll instead (the Unity web player). I dumped all the DLLs, but now I don't really know where the game source is.
The game isn't protected against cheating; normal value editing/code injection works.
Any help is appreciated.
Here are all the dumped DLLs:
(attachment, 27.1 KB)
atom0s, Moderator
Reputation: 204
Joined: 25 Jan 2006 Posts: 8579 Location: 127.0.0.1
Posted: Wed Aug 13, 2014 6:37 pm Post subject:
For Unity games, the game code is found within the Assembly-CSharp.dll's
_________________
- Retired.
mgr.inz.Player, I post too much
Reputation: 221
Joined: 07 Nov 2008 Posts: 4438 Location: W kraju nad Wisla. UTC+01:00
Posted: Thu Aug 14, 2014 5:14 am Post subject:
1) launch game
2) attach CE to game process (it must be CE6.4, not older)
3) in CE menu, there should be "Mono" submenu
4) choose "activate mono features"
5) choose "dissect mono"
6) expand first node, navigate to "Assembly-CSharp"
7) there will be game objects. Class names with their fields (properties) and methods (functions).
8) For example, Darkwood game. There is "::Generator" class.
It has fields and methods:
Code:
96a8608 : :Generator
fields
10 : powerItems (type: System.Collections.Generic.List<Item>)
18 : fuel (type: System.Int32)
1c : maxFuel (type: System.Int32)
20 : drainInterval (type: System.Int32)
24 : powerArea (type: System.Single)
28 : isOn (type: System.Boolean)
29 : lowPower (type: System.Boolean)
14 : item (type: Item)
methods
96a88a0 : .ctor
96a88c0 : Start
96a88e0 : OnEnable
96a8900 : turnOn
96a8920 : turnOff
96a8940 : powerDown
96a8960 : addFuel
96a8980 : drainFuel
96a89a0 : getMouseText
96a89c0 : checkIfOutOfFuel
96a89e0 : waitToDrainFuel
96a8a00 : lowPowerFlicker
As you see, fuel is at offset 0x18 and maxFuel at offset 0x1C, and those values are System.Int32 (which is a 4-byte signed integer).
The interesting method is drainFuel.
Right click it:
- choose "Show IL Disassembly", that way you can see IL code
- choose "Jit", that way CE will give you the "just in time" compiled assembly code address. Let's do this. In Memory View press CTRL+G and paste the address.
Now you will see the beginning of the JIT'ed drainFuel method. To find the interesting piece of code you can highlight the beginning of the code (Generator:drainFuel), click "Search" in the Memory View menu and choose "Find assembly code".
We know that fuel is at 0x18 offset. So just use this string:
+18]
Click scan. After a few seconds click "cancel".
CE will find at least two instructions (it is obvious that this method will read current value, reduce it and write back). I found two occurrences:
- mov eax,[esi+18]
- mov [esi+18],eax
And code between those two is:
Code:
04207797 - 8B 46 18 - mov eax,[esi+18] // <- reads current fuel value
0420779A - D9 45 EC - fld dword ptr [ebp-14]
0420779D - 8B 0D 7C8E7D16 - mov ecx,[167D8E7C] : [00000000]
042077A3 - D9 81 E4010000 - fld dword ptr [ecx+000001E4]
042077A9 - DEC9 - fmulp st(1),st(0)
042077AB - DD 5D F0 - fstp qword ptr [ebp-10]
042077AE - F2 0F10 45 F0 - movsd xmm0,[ebp-10]
042077B3 - F2 0F2C D0 - cvttsd2si edx,xmm0
042077B7 - 8B 4D 0C - mov ecx,[ebp+0C]
042077BA - 0FAF CA - imul ecx,edx
042077BD - 2B C1 - sub eax,ecx // <- subtraction
042077BF - 89 46 18 - mov [esi+18],eax // <- overwrites with smaller value
I just made an AA script (with aobscan, it is important), hackpoint at 042077BD
Code:
(....)
newmem:
originalcode:
// sub eax,ecx // originalcode
mov eax,[esi+1C] // get max
mov [esi+18],eax // originalcode
exit:
jmp returnhere
(....)
I made other cheats that way:
http://forum.cheatengine.org/viewtopic.php?p=5545736#5545736 (Darkwood game)
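As an added example (not code from the thread), a small Python helper that parses the Dissect Mono field dump above, checks the layout for overlapping fields, and resolves `[esi+18]`-style displacements from the JIT listing back to the field they touch. It assumes 32-bit Mono sizes (object references are 4 bytes) and that the base register holds the object pointer, as esi does in drainFuel.

```python
import re
from collections import namedtuple
# Byte sizes of .NET value types under 32-bit Mono (the x86 JIT listing above is
# 32-bit); any other type, e.g. List<Item> or Item, is a 4-byte object reference.
TYPE_SIZES = {"System.Boolean": 1, "System.Int16": 2, "System.Int32": 4,
              "System.UInt32": 4, "System.Single": 4, "System.Int64": 8, "System.Double": 8}
FIELD_RE = re.compile(r"^\s*([0-9a-fA-F]+)\s*:\s*(\w+)\s*\(type:\s*(.+?)\)\s*$")
DISP_RE = re.compile(r"\[(e[a-z]{2})\+([0-9a-fA-F]+)\]")  # CE prints hex without 0x: [esi+18] is 0x18
Field = namedtuple("Field", "offset name type_name size")
# Copied from mgr.inz.Player's Dissect Mono dump of Darkwood's Generator class above.
GENERATOR_DUMP = """96a8608 : :Generator
fields
10 : powerItems (type: System.Collections.Generic.List<Item>)
18 : fuel (type: System.Int32)
1c : maxFuel (type: System.Int32)
20 : drainInterval (type: System.Int32)
24 : powerArea (type: System.Single)
28 : isOn (type: System.Boolean)
29 : lowPower (type: System.Boolean)
14 : item (type: Item)
methods
96a8980 : drainFuel"""

def parse_fields(dump):
    """Fields section of a Dissect Mono class dump, as Field records sorted by offset."""
    fields, in_fields = [], False
    for line in dump.splitlines():
        token = line.strip()
        if token == "fields":
            in_fields = True
        elif token == "methods":
            break
        elif in_fields and (m := FIELD_RE.match(line)):
            off, name, tname = int(m.group(1), 16), m.group(2), m.group(3)
            fields.append(Field(off, name, tname, TYPE_SIZES.get(tname, 4)))
    return sorted(fields, key=lambda f: f.offset)

def overlaps(fields):
    """Adjacent fields whose byte ranges collide (a misread dump); a clean layout gives []."""
    return [(a.name, b.name) for a, b in zip(fields, fields[1:]) if a.offset + a.size > b.offset]

def field_at(fields, offset):
    """The field whose bytes cover `offset`, or None (e.g. a stack slot or unrelated object)."""
    return next((f for f in fields if f.offset <= offset < f.offset + f.size), None)

def annotate(fields, asm):
    """Tag each [reg+disp] operand of one CE disassembly line with the field it touches.
    Assumes the base register is the object pointer (true for esi here, not for ebp)."""
    hits = [field_at(fields, int(d, 16)) for _, d in DISP_RE.findall(asm)]
    names = [f"{f.name} ({f.type_name})" for f in hits if f]
    return asm + (" ; " + ", ".join(names) if names else "")
```

Lines whose displacement does not land inside a known field, such as the `[ebp-14]` stack slot or `[ecx+000001E4]` in the listing, come back unannotated, which is itself a hint that the operand belongs to a different object.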
Redouane, Master Cheater
Reputation: 3
Joined: 05 Sep 2013 Posts: 363 Location: Algeria
Posted: Thu Aug 14, 2014 5:39 am Post subject:
mgr.inz.Player wrote: | Your post |
The Mono submenu does not show, because the game is inside a browser: it did not load mono.dll, it loaded webplayer_win.dll instead.
Of course, I'm using CE 6.4.
Thanks anyway for the explanation.
What does this mean?
Code:
0420779D - 8B 0D 7C8E7D16 - mov ecx,[167D8E7C] : [00000000] // Looks like a segment register access
@atom0s Thanks.
I found something interesting; how do I craft an array of bytes?
(attachment, 4.8 KB)
mugen_is_here, Newbie cheater
Reputation: 0
Joined: 17 Sep 2012 Posts: 12
Posted: Wed Mar 27, 2019 10:50 pm Post subject:
mgr.inz.Player wrote: | (the full tutorial post quoted above) |
Thanks a lot for posting this fantastic tutorial! I had been struggling with a game for more than 12 hours and this tutorial helped me crack it within 30 mins.
Say, would you happen to know a similar alternative in case mono doesn't work? For example, there is another game for which the mono menu doesn't appear. Instead we get the "D3D hooks" which doesn't seem to have anything useful.
_________________
Mugen Here