Cheat Engine

h3x1c

Here's my situation: The game I'm playing has a file that it keeps unique to every player. That file is profile.bin. In that file, there are bytes that correspond to the number of keys you can have (like keys to open a chest). This file is loaded into memory when you start the game, so long story short, I found the base addresses that are used to store the values of these keys. Here's what the byte array looks like in my profile.bin:

FF 00 ** FF ** ** FF 00

(The *s are really bytes with 00, but they don't mean anything in this array.)

The first FF holds the total number of keys, then the 00 counts up as you use keys and that value is subtracted from the previous byte to show the total of keys on the screen.

The next FF increases and decreases when you obtain and use keys, respectively. These keys are only obtained via codes that are given out by the developers from time to time.

The final FF and 00 exhibit the exact same behavior as the first FF 00; however, these are the two bytes that seem to be unique to me, even though they shouldn't be. When modifying those two bytes on any other profile.bin that I try (I had friends send me theirs), nothing happens. The first part of the array, FF 00 ** FF, works for everyone.

I've tried modifying bytes all around the last two bytes in the full 8-byte array in memory viewer (lots of 00 bytes to play with), but to no avail.

So, with that said, my question is this: Is there some way that I can reference the functionality in the game that allows those two bytes to populate for me? If those base addresses aren't the same for everyone, but I know they work for me, then I'm thinking that the functionality has to be somewhere that I could find by using my profile.bin as a reference.

In other words, I have the base pointers in my profile.bin that work to give me these two extra bytes with key-related data that don't seem to work in other profile.bin files that I've tried, so is there some way to relate those two base pointers from my profile to something else in the game (code, perhaps) that would allow me to give others a way to populate wherever those two addresses happen to lie within their profile.bin files?

I'm sorry if this sounds convoluted; I'll try to clarify more, if need be.

Thanks!

TsTg · Posted: Sat Aug 10, 2013 10:23 pm Post subject:

try using 'Find out what writes/accesses' this address, in cheat engine, set the target address (the base address you found), then let the game reads or write it, the code that used your address should show up in a new window.

h3x1c · Posted: Sat Aug 10, 2013 10:41 pm Post subject:

Thanks so much for your response, TsTg. This is admittedly where my Cheat Engine skills are currently at a halt; I'm pretty unfamiliar with what to do with the bits of code/assembly that I see.

For one of the base addresses (the one that counts up as you use keys), I checked for what writes to it. After using a couple of keys, thus seeing its usage happening twice with the same bit of code, this is what popped up:

71512007 - 90 - nop
71512008 - 8A 06 - mov al,[esi]
7151200A - 88 07 - mov [edi],al <<
7151200C - 8B 45 08 - mov eax,[ebp+08]
7151200F - 5E - pop esi

EAX=00000001
EBX=23BC0FE0
ECX=00000002
EDX=00000001
ESI=2026E0F0
EDI=379AC620
ESP=006FCDC0
EBP=006FCDC8
EIP=7151200C

What should I do from this point? I'm sure there's a particular tutorial or something I can watch/read so that you don't have to explain something that's most likely already been explained, so feel free to just point me in the right direction from here if you don't mind. I'm definitely here to learn to become an expert with CE; not to have others do all the work for me. Smile

Thanks again for your help!

Dark Byte · Posted: Sun Aug 11, 2013 2:26 am Post subject:

For a beginner this is probably a bad starting point as it looks like this instruction is one of the system functions (7xxxxxxx, my guess memcpy) which means the function shown is called for other mundane tasks as well, like the mouse cursor and playing sound. So using this code is of very little use

In this case you would have to look at the stack data and figure out the caller (rightclick in the stackview and do a manual stacktrace is the easiest) and go from there.
But as you said you're new to assembler this probably goes way over your head

I recommend trying other values in the game first, perhaps they are more clear, or use a different game ( not an emulator game )

---

As for the original question, are those bytes in your friend's profile.bin file at the same offset? If so you might be able to compare both files and check what all is different.

My guess it is a simple flag like "has the user bought dlc xxx" or "was it a pre-order" and if so, make use of the extra keys field, else ignore

(It might also be explained somewhere in here http://forum.cheatengine.org/viewtopic.php?t=557381 in one of the 215 pages...)

h3x1c · Posted: Sun Aug 11, 2013 12:47 pm Post subject:

Thanks for that reply, Dark Byte.

Yes, I was thinking it was probably a simple flag as well, but I haven't found the right one yet, if so (I did try changing some bytes with this in mind, but I need to press on and try more).

Unfortunately, you're right; the things you mentioned with stack data is over my head at the moment, but I'm going to start studying assembler immediately. I've really wanted to let the basics of memory sink in (including the basic gist of how pointers work, etc.), so I definitely feel I'm ready for the next step.

It's funny that you mention the BL2 thread, because that's exactly what game this is that I'm doing this in. lol. There's nothing in that thread about it (I've been following it for months), and interestingly, no one else out there has found these two additional bytes that I have! (Or they haven't mentioned it publicly, at least.)

So...I feel like I'm on the cusp of something big and I want to release my own table and surprise everyone with it, thus my interest in figuring this out by giving away as few specifics as I can. lol. I really do think it's a matter of flags, though. I'll keep digging along that path and continuing to further my assembler knowledge in the mean time.

Thanks again! Very Happy

mgr.inz.Player · Posted: Mon Aug 12, 2013 3:49 am Post subject:

In memory of BL2 process, there is such structure:

h3x1c · Posted: Mon Aug 12, 2013 7:27 am Post subject:

Hey there, mgr.inz.Player,

Yeah, that's pretty close. Truth be told, I've done a lot of studying of profile.bin, and with my research, here's the deal:

FE FF 00 00 FF 00 AD FF 00

FE: Seems to be the same for every profile.bin; marks the start of golden key section.
FF: Pre-order and WillowDLC.ini keys total.
00: Pre-order and WillowDLC.ini keys used.
00: Unused.
FF: SHiFT keys total and used (this number increases and decreases as you use keys and enter SHiFT codes).
00: Unused.
AD: Not sure, but changing it has had no noticeable impact thus far.
FF: Behaves the same as pre-order and WillowDLC.ini keys total.
00: Behaves the same as pre-order and WillowDLC.ini keys used.

So, when I set my profile to the byte array you see above, I end up with 765 golden keys! I came to this after studying the profile.bin files of mine and about 5-6 friends. ONE of them had those last two bytes populated, which is how I discovered them in the first place.

Here's the strange thing, though: Now that I've found the base addresses for the 5 bytes that hold golden key values, the last two bytes only work for my profile.bin. As Dark Byte was saying, it's most likely a flag that enables successive bytes to be used for additional golden keys, but I haven't been able to find such a flag yet. The ONLY profile.bin I haven't been able to try my table with yet is the friend's whose profile.bin I made the discovery with in the first place!

BTW, golden key data is only stored in profile.bin (that I've found thus far), and profile.bin only saves if you get/use golden keys, bad-ass tokens, and a handful of other things, likes heads and skins, I believe (meaning that profile.bin doesn't save just by doing a regular save/quit). So, if I modify memory while in the game to have 765 keys, then I have to use one on the golden chest to get it to save, which means I end up with 764 in profile.bin. Alternately, I can hack profile.bin and change that byte array to what I have above, delete the first 20 bytes of profile.bin, save it, then get an SHA-1 hash of the file, re-open it, put that hash back as the first 20 bytes of the file, save it, then start the game and I'll have 765.

When I first worked out the discovery, I put a video up on YouTube about it: Borderlands 2: 765 Golden Keys! Here's how I did it. (Profile.bin editing and Cheat Engine)

Additionally, I did a pretty extensive write-up of my research at the time on Reddit: So, I figured out what the real max golden key count is: 765

To this day, I haven't seen anyone else mention the 765 keys, so it seems to be a pretty unique discovery, I guess. Interestingly, there are so many trailing 00s after that byte array, that I can't help but wonder...if there is a flag that enables successive bytes, then could even more of the trailing 00s be enabled? I've tried changing various combinations of them to FF, but 765 is the max number of golden keys I arrive at.

So, at this point, my table will work for everyone up to the point of those last two bytes (provided they have the same mission/level-based DLC installed). And this is where I'm stuck. Sad

I didn't want to mention all of this here until I had the table completely worked out, then I was going to surprise the BL2 thread here with my table, but I may instead have to request everyone's help and see if we can all get it worked out. Smile

mgr.inz.Player · Posted: Mon Aug 12, 2013 8:35 am Post subject:

Yes, I even made standalone CETRAINER for it. And script doesn't use injections. Only pointer base finding.

http://forum.cheatengine.org/viewtopic.php?p=5433228#5433228

I didn't know about:
"SHiFT keys total and used (this number increases and decreases as you use keys and enter SHiFT codes)."

I just made quick script for keys. I even didn't analyze the thing (this is why there is "SHiFTCode Used Keys" instead of "SHiFTCode Keys"). I just used informations I read from thread (that big thread).

h3x1c · Posted: Mon Aug 12, 2013 8:45 am Post subject:

mgr.inz.Player · Posted: Mon Aug 12, 2013 8:53 am Post subject:

h3x1c · Posted: Mon Aug 12, 2013 9:01 am Post subject:

mgr.inz.Player · Posted: Mon Aug 12, 2013 9:09 am Post subject:

If save file is damaged it can not use new keys.

(just an another telltale. Few people damaged save file while editing badass tokens or badass bonuses)

h3x1c · Posted: Mon Aug 12, 2013 9:18 am Post subject:

Yeah, I've heard of those cases, but I never saw a clear observation of what happened to profile.bin as well in the cases of the corrupt save-game files. I've tried to get my save-game to corrupt before so I could test things out and see if that also corrupted profile.bin, but no luck yet.

mgr.inz.Player · Posted: Mon Aug 12, 2013 9:40 am Post subject:

My cousin still have old BL2 (pirated, very very old, November ?)

And I asked him to try cetrainer I posted above. He tried setting those three 255 (total,shift,extra total) and those two 0 (used, extra used).

And he has only 255 of them.

h3x1c · Posted: Mon Aug 12, 2013 10:55 am Post subject:

Will he send you his profile.bin to try on your BL2 install, if you have an updated one (most current DLC, etc.)? If his version is old enough, then it may not even have the mechanics built-in/implemented for SHiFT keys yet.