Cheat Engine - The Official Site of Cheat Engine (forum thread)
FreePhoenix888 (How do I cheat?) - Reputation: 0 - Joined: 17 Sep 2024 - Posts: 3
Posted: Tue Sep 17, 2024 3:35 am
Post subject: Trouble Finding Unique Offsets in "Underworld Idle"
Hi everyone,
I'm currently learning Cheat Engine, and after watching several tutorials and completing the built-in tutorial, I decided to try using it on the game Underworld Idle. However, I've run into an unusual issue when trying to find offsets.
The Issue:
When I use "Find out what writes to this address" for a value that I can change and see the effect in the game, I get three writers. For example:
00568702 - C7 06 00000000 - mov [esi],00000000
00568734 - 89 06 - mov [esi],eax
00568736 - 89 4E 04 - mov [esi+04],ecx
Since this game is a clicker-type, I assume it’s normal that the number of writes increases quickly.
Problem:
In most Cheat Engine tutorials, after using this method, people get an offset in brackets (e.g., [0000BC8]), which varies depending on the value they’re looking at. However, no matter which value I choose, I keep getting the same writers:
00568702 - C7 06 00000000 - mov [esi],00000000
00568734 - 89 06 - mov [esi],eax
00568736 - 89 4E 04 - mov [esi+04],ecx
This happens even when I try completely different values, which seems unusual compared to what I see in tutorials.
Pointer Scan Results:
I also tried a pointer scan, comparing two pointer maps and setting "Pointers must end with specific offsets" to 04. Unfortunately, I got 0 results, which I didn’t expect.
Extra Info:
Underworld Idle uses Double values. For example:
- 11 items = search for 1.1
- 210 items = search for 2.10
- 3650 items = search for 3.650
But no matter what I do, I keep getting the same writes.
Question:
Does this suggest that the game has some protection against pointer scanning, or am I doing something wrong? Any advice would be appreciated!
Thanks in advance!
Csimbi (I post too much) - Reputation: 97 - Joined: 14 Jul 2007 - Posts: 3337
Posted: Tue Sep 17, 2024 5:52 am
Hacking online games is not supported on these forums.
Please check the rules when in doubt.
FreePhoenix888 (How do I cheat?) - Reputation: 0 - Joined: 17 Sep 2024 - Posts: 3
Posted: Tue Sep 17, 2024 6:59 am
Csimbi wrote:
> Hacking online games is not supported on these forums.
> Please check the rules when in doubt.

Underworld Idle is not an online game.
ParkourPenguin (I post too much) - Reputation: 152 - Joined: 06 Jul 2014 - Posts: 4718
Posted: Tue Sep 17, 2024 11:29 am
FreePhoenix888 wrote:
> When I use "Find out what writes to this address" for a value...

Use "Find out what accesses" when looking for possible offsets. You'll get more results that way.

FreePhoenix888 wrote:
> ... For example:
> 00568702 - C7 06 00000000 - mov [esi],00000000
> 00568734 - 89 06 - mov [esi],eax
> 00568736 - 89 4E 04 - mov [esi+04],ecx

Is that the actual code you get, or is that something you made up?
That code is weird. It looks like that's an 8-byte value, but it doesn't make sense to zero the lower 32 bits and leave the upper 32 bits alone. If that value is a double, perhaps it's some really weird memcpy routine.

FreePhoenix888 wrote:
> setting "Pointers must end with specific offsets" to 04.

If you don't know what the last offset is, don't guess. The pointer scanner will work even without you assuming the last offset.

FreePhoenix888 wrote:
> Underworld Idle uses Double values. For example:
> - 11 items = search for 1.1
> - 210 items = search for 2.10
> - 3650 items = search for 3.650

wtf... did you not find this weird at all?
I assume "." is the decimal separator and not the thousands separator. If that's not a typo, how do you know "1.1" is "11" and not "110", "1100", "11000", etc.?
Maybe that's some kind of custom "big number" type, and the mantissa and exponent are being stored separately. That's not uncommon to see in javascript incremental games.
If you change whatever value you found, does it change what you expect it to in-game? e.g. if that's money and you change it to something big, can you buy something you wouldn't normally have been able to?
After looking at this for a bit, it looks like this game was written in javascript. You're at the mercy of the javascript engine. It could move around values at any time. It might put values or pointer nodes in a hash map randomly seeded for DoS-resistance (static pointers are basically useless). It could recompile JIT-compiled code, if it even JITs code in the first place (code injection might be too annoying to deal with).
You could change the javascript code itself, but the web version looks minimized and obfuscated, so that'll be really annoying.
If simple value scanning doesn't work out, I'd try attacking the save format. Have fun reverse engineering that. (if there's no export / import feature, change the local storage)
_________________
I don't know where I'm going, but I'll figure it out when I get there.
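ParkourPenguin's two observations above (an 8-byte double being written as two 32-bit halves at [esi] and [esi+04], and the guess that 1.1 / 2.10 / 3.650 come from a "big number" type that keeps mantissa and exponent separately) can both be checked with a few lines of Python. The following is an added example, not code from the thread, from Cheat Engine or from the game; it assumes the memory slot is a little-endian IEEE-754 double, and Part 2 assumes a hypothetical layout value = mantissa * 10^exponent with the mantissa normalised to [1, 10), which the thread does not confirm.

```python
import math
import struct
from collections import namedtuple

# --- Part 1: one double, two 32-bit writers --------------------------------
# The listing in the thread shows a 32-bit process (esi, eax, ecx) moving an
# 8-byte value through general-purpose registers, so Cheat Engine reports one
# writer at [esi] (low dword) and another at [esi+04] (high dword).

def split_double(x):
    """Return (low_dword, high_dword) of x's little-endian IEEE-754 encoding."""
    lo, hi = struct.unpack("<II", struct.pack("<d", x))
    return lo, hi

def join_double(lo, hi):
    """Rebuild a double from its two 32-bit halves (inverse of split_double)."""
    return struct.unpack("<d", struct.pack("<II", lo, hi))[0]

def replay_writers(value):
    """Replay the three writers from the thread on a slot that already holds
    `value` (constructed scenario: the game writes the same value back):
        mov [esi],00000000   ; zero the low dword only
        mov [esi],eax        ; copy low dword
        mov [esi+04],ecx     ; copy high dword
    Returns (value seen after the first write, value seen after all three).
    The intermediate value keeps sign, exponent and the top 20 mantissa bits,
    so it is only slightly below the original, which is why zeroing half of
    a double looks odd but is not destructive once the copy completes."""
    lo, hi = split_double(value)
    slot_lo, slot_hi = lo, hi
    slot_lo = 0                          # mov [esi],00000000
    after_zero = join_double(slot_lo, slot_hi)
    slot_lo, slot_hi = lo, hi            # mov [esi],eax ; mov [esi+04],ecx
    return after_zero, join_double(slot_lo, slot_hi)

# --- Part 2: a "big number" as (mantissa, exponent) -------------------------
# Hypothesis only (not confirmed in the thread): value = mantissa * 10**exponent
# with 1 <= |mantissa| < 10, so 11 -> (1.1, 1), 210 -> (2.1, 2), 3650 -> (3.65, 3).
# Under such a layout a scan for 1.1 matches 11, 110 and 1100 alike; only the
# exponent stored next to the mantissa tells them apart.

BigNum = namedtuple("BigNum", "mantissa exponent")

def to_bignum(n):
    """Normalise a plain number into the hypothesised (mantissa, exponent) pair."""
    if n == 0:
        return BigNum(0.0, 0)
    e = math.floor(math.log10(abs(n)))
    m = n / 10 ** e
    if abs(m) >= 10:                     # guard against log10 rounding
        m, e = m / 10, e + 1
    elif abs(m) < 1:
        m, e = m * 10, e - 1
    return BigNum(m, e)

def from_bignum(b):
    """Inverse of to_bignum; parsing a decimal string avoids 1.1 * 10 rounding."""
    return float(f"{b.mantissa!r}e{b.exponent}")

if __name__ == "__main__":
    lo, hi = split_double(1.1)
    print(f"1.1 -> low dword {lo:08X}, high dword {hi:08X}")
    print("after zeroing the low dword, then full copy:", replay_writers(1.1))
    for n in (11, 210, 3650):
        print(n, "->", to_bignum(n), "->", from_bignum(to_bignum(n)))
```

The point of Part 1 is that the two writers at [esi] and [esi+04] are one logical 8-byte store, not two values, so the "offset" CE prints here (0 and 4) is the position within the double rather than a field offset in a surrounding object. Part 2 only shows that the OP's search values are consistent with a normalised mantissa; whether the game stores the exponent, and where, is still unknown.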
FreePhoenix888 (How do I cheat?) - Reputation: 0 - Joined: 17 Sep 2024 - Posts: 3
Posted: Tue Sep 17, 2024 1:17 pm
Quote:
> Use "Find out what accesses" when looking for possible offsets. You'll get more results that way.

I actually get more results this way, but why do I need it?

Code:
005675B7 - 8B 06 - mov eax,[esi]
005675B9 - 8B 4E 04 - mov ecx,[esi+04]
00568702 - C7 06 00000000 - mov [esi],00000000
00568734 - 89 06 - mov [esi],eax
00568736 - 89 4E 04 - mov [esi+04],ecx

Quote:
> Is that the actual code you get, or is that something you made up?
> That code is weird. It looks like that's an 8-byte value, but it doesn't make sense to zero the lower 32 bits and leave the upper 32 bits alone. If that value is a double, perhaps it's some really weird memcpy routine.

These are the actual results; I copied them using "Copy selected to clipboard" in the context menu. Yes, these values are doubles.

Quote:
> wtf... did you not find this weird at all?

Yes, this looks weird. I found out that these values are stored this way from this topic: ... I am sorry, I am unable to post URLs. Just google "Underworld Idle cheat engine" if you are interested.

Quote:
> If that's not a typo, how do you know "1.1" is "11" and not "110", "1100", "11000", etc.?

I am not really sure; I am still digging into how these double values are interpreted.

Quote:
> If you change whatever value you found, does it change what you expect it to in-game? e.g. if that's money and you change it to something big, can you buy something you wouldn't normally have been able to?

Yes, not just visual changes, but actual changes that affect the game.

Quote:
> After looking at this for a bit, it looks like this game was written in javascript. You're at the mercy of the javascript engine. It could move around values at any time. It might put values or pointer nodes in a hash map randomly seeded for DoS-resistance (static pointers are basically useless). It could recompile JIT-compiled code, if it even JITs code in the first place (code injection might be too annoying to deal with).
> You could change the javascript code itself, but the web version looks minimized and obfuscated, so that'll be really annoying.

Wow! Can you please tell me how you found out that this game is written using JavaScript?

Quote:
> If simple value scanning doesn't work out

Do you mean just value scanning? There is actually no problem finding a value and changing it, but it is too annoying to do after a game restart, especially if there is a really big number. If you mean scanning for offsets (if I understand it right), how should I do it in this situation?

Quote:
> I'd try attacking the save format. Have fun reverse engineering that. (if there's no export / import feature, change the local storage)

I have tried that before; the game allows you to export/import your save. What resource/topic would you recommend to learn how to do this? By the way: imagine there is no import/export feature; how can I change local storage? Is there any way to open developer tools, or what?
ParkourPenguin (I post too much) - Reputation: 152 - Joined: 06 Jul 2014 - Posts: 4718
Posted: Tue Sep 17, 2024 2:32 pm
FreePhoenix888 wrote:
> I actually get more results this way, but why do I need it?

You're guessing the last offset. That guess can be more statistically significant if you have more data. e.g. if 2 instructions write to an address using offsets 1C and 40, you have no idea which one is likely to be in a good static pointer path. If 8 instructions access it and all but one use offset 40, then 40 is probably the correct final offset.
That doesn't really matter here. You can try to let the pointer scanner run with a couple pointer maps (don't specify a final offset), but I don't think it's going to find anything.

FreePhoenix888 wrote:
> Can you please tell me how you have found out that this game is written by using Javascript?

I found the web version of the game and opened the browser's console. The minified & obfuscated javascript source was right there. The steam version of the game is probably the same.

FreePhoenix888 wrote:
> There is actually no problem to find a value and change it, but it is too annoying to do after game restart especially if there is a really big number.

That's what I mean. In this case, it's far easier to just scan for those values every time you need them than it is to try to find either a static pointer or a good injection point.

FreePhoenix888 wrote:
> I have been trying to before, game allows you to export/import your save. What resource/topic would you recommend to learn how to do this?

I don't know of any. I'd open the game's data directory, find the javascript source (e.g. unpack an asar file), and start reverse engineering the minified and obfuscated source. If I'm lucky, maybe it would take a few minutes if I can find some unobfuscated API call (e.g. atob / btoa) and start looking at code around there. Otherwise, it could take hours or days.
It's far easier to just scan for values as I need them.
Regarding local storage: browsers have tools to inspect and modify it. I'm not familiar enough with desktop javascript apps to say how local storage is handled or if any kind of devtools are accessible.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
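ParkourPenguin's rule for choosing a final offset (if almost every instruction that accesses the value uses the same displacement, that displacement is probably the last offset of a pointer path; if the displacements are split, the listing tells you nothing) is easy to automate over a "Find out what accesses" listing. The following is an added example, not code from the thread or from Cheat Engine. The first sample is the five lines FreePhoenix888 posted; the second is a constructed listing with made-up addresses and opcode bytes that illustrates the "all but one use 40" case. The line and operand formats it parses are the ones shown in the thread, so other Cheat Engine output styles may need the regular expressions adjusted.

```python
import re
from collections import Counter

# Sample 1: the lines FreePhoenix888 pasted (page data, not constructed).
ACCESS_LOG = """\
005675B7 - 8B 06 - mov eax,[esi]
005675B9 - 8B 4E 04 - mov ecx,[esi+04]
00568702 - C7 06 00000000 - mov [esi],00000000
00568734 - 89 06 - mov [esi],eax
00568736 - 89 4E 04 - mov [esi+04],ecx
"""

# Sample 2: CONSTRUCTED listing (addresses and bytes are made up) in which
# seven of eight accesses use +40 and one uses +1C, the case described above.
CONSTRUCTED_LOG = """\
00401000 - 8B 46 40 - mov eax,[esi+40]
00401010 - 89 46 40 - mov [esi+40],eax
00401020 - 39 46 40 - cmp [esi+40],eax
00401030 - 03 46 40 - add eax,[esi+40]
00401040 - 8B 4E 40 - mov ecx,[esi+40]
00401050 - 8B 56 40 - mov edx,[esi+40]
00401060 - 2B 46 40 - sub eax,[esi+40]
00401070 - 8B 46 1C - mov eax,[esi+1C]
"""

# "<address> - <opcode bytes> - <disassembly>", as in the thread.
LINE_RE = re.compile(
    r"^(?P<addr>[0-9A-Fa-f]{8}) - (?P<bytes>(?:[0-9A-Fa-f]{2,8} )+)- (?P<asm>.+)$"
)
# First bracketed memory operand in the disassembly.
MEM_RE = re.compile(r"\[(?P<expr>[^\]]+)\]")


def final_offset(asm):
    """Displacement of the instruction's memory operand, or None if it has none.
    Handles [reg], [reg+XX], [reg-XX] and [reg+index*scale+XX]; the base
    register is the first token, a pure-hex later token is the displacement."""
    m = MEM_RE.search(asm)
    if not m:
        return None
    parts = re.findall(r"([+-]?)([A-Za-z0-9*]+)", m.group("expr"))
    disp = 0
    for sign, tok in parts[1:]:
        if "*" not in tok and re.fullmatch(r"[0-9A-Fa-f]+", tok):
            disp += -int(tok, 16) if sign == "-" else int(tok, 16)
    return disp


def tally_offsets(log):
    """Count how many listed instructions use each displacement."""
    counts = Counter()
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip anything that is not a CE line
        off = final_offset(m.group("asm"))
        if off is not None:
            counts[off] += 1
    return counts


def likely_final_offset(log, min_share=0.75):
    """Return (offset, share) when one displacement dominates the listing,
    otherwise None: the listing is then no better than a guess."""
    counts = tally_offsets(log)
    if not counts:
        return None
    off, n = counts.most_common(1)[0]
    share = n / sum(counts.values())
    return (off, share) if share >= min_share else None


if __name__ == "__main__":
    for name, log in (("thread listing", ACCESS_LOG), ("constructed", CONSTRUCTED_LOG)):
        tally = {f"+{k:X}": v for k, v in sorted(tally_offsets(log).items())}
        print(f"{name}: {tally} -> {likely_final_offset(log)}")
```

On the thread's own listing the displacements are split 3:2 between +0 and +4, so the function returns None, matching the advice not to assume a final offset there; on the constructed listing it returns offset 0x40 with a 7/8 share. The displacement is relative to the base register, so this only ever ranks candidates for the last offset of a pointer path; it says nothing about where the base register came from.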