.________. .________.
\ | ___///__ ._________ .__///____ | \_
::::::| ____|___ ____|__ |_| /_| / .____|_____ |:::::::
:: | | __/___| | ____/| ____/ | | ::
:: | |____ \_ | | _|_|______._|___|____. | ::
:: | | | | | | | __///___| ::
:: | | | | | | | | ::
:: |_. | |_____|\_____///________|__________| | ::
:: \___///________| |[sheep] |_ | ::::::::::::
:: \__________| |_______| :: :: ::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: ::
Gamehacking Tutorial Collection.. :: ::
::::::::::::
(best viewed in 1024x768)
SUBJECT: DECRYPTING AGE OF MYTHOLOGY - Advanced Gamehacking.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Well, it certainly has been a while since I last decided to take to the keyboard and inform
you lucky people of some of the new techniques and interesting tricks I've come across while
training the best titles the PC has to offer.. All of my tutorials from this point onward
are going to be for experienced gamehackers, I'm not going to make allowances for people
who don't understand certain aspects of softice or asm, you should all be capable of working
at an advanced pace by now and if you are not then I suggest you stop reading now.
I seem to have gotten a reputation for being an asshole to newbies.. hehe.. come on .. ME?
all I have to say to this is that it takes a long time to create these tutorials and to be
honest I would be just as happy explaining this shit to JUST my friends.. and not the masses
but I feel that we all deserve a shot at creating cool trainers and understanding something
more than boring NOP hacks.. see.. I'm not so bad :)
TOOLS NEEDED: Softice, memory searcher (your choice) SAS (my tool for grabbing injected code).
locations...
SOFTICE.........................LOOK FOR IT!!! ITS ON THE WEB!!
MEMORY SEARCHER.................GAMEHACKING.COM or GOOGLE.COM :)
SAS(Sheeps Array of Sunshine)...MY SITE SHEEPREC.CJB.NET
SOFTICE SETUP
*************
When you press CTRL-D to pop softice you should see the following windows..
REGISTER WINDOW - this window is always at the very top of the softice screen
(WR [return]) and displays the contents of all the registers..
DUMP WINDOW - generally situated close to the top of the softice screen
(WD [return]) contains a split screen display.. one side is ASCII the
other is hex.
CODE WINDOW - this is the main window.. sits just under the DUMP WINDOW
(WC [return]) contains the code of whatever process may be running when
you pop softice.. the code is represented in ASSEMBLY LANGUAGE
instructions..
The comments in the brackets are what you need to type to turn the different windows on..
you also need to type CODE ON.. this will bring up the OPCODES which are a set of numbers
displayed to the left of each ASM instruction and to the right of every memory location
in the CODE WINDOW..
Well, it's Sunday the 3rd of November 2002 and at this present time only the cheats for
AGE OF MYTHOLOGY have been released to the public.. I have seen no trainers or even heard
of anyone managing a resource hack.. All this is going to change once you have read this
tutorial. I can fully understand why there are no trainers, the usual trainer muppets
that produce substandard trainers and then release them onto the unsuspecting public
would have given up on this game a long time ago because you actually need to do some work
to get a working resource hack :) MAN I'M GRUMPY.. :))
LESSON START
************
Sections..
i) Ground Work.
ii) Finding our values (the hard but secure way).
iii) Looking at the Decryption Routine.
iv) Code Injection (making the resource hack).
v) Final Words.
GROUND WORK
-----------
Ok, GROUND WORK is a term I use for the very first information gleaned from the game you are
trying to hack.
The first thing I noticed about AGE OF MYTHOLOGY was that the searches take forever :) so it's
not going to be a nice quick hack.. :( ..
After doing a few search patterns and wasting about an hour of my life I decided that the game
wasn't storing its values as plain numbers that simply get INC/DECed, the only alternative was
that it stored encrypted (usually XOR'ed) values which are only converted back when the game uses them.
If there is one thing for certain in this world apart from death and taxes it's that commercial
programmers are lazy bastards and will certainly not do more work than is absolutely necessary,
for us this is very good news because it translates into there actually being values NOT encrypted
in the game that we CAN get a handle on to find the encrypted resource values..
APPENDED NOTE!!
===============
you can also find the values by doing a VERY long winded CHANGED/NOT CHANGED search, but I'm trying
to teach you some advanced techniques that DO have major advantages in the future, all will become
clear soon.. neways.. if you wish to obtain the values in this way be my guest but I suggest you
stick with me and do it the way I did.
FINDING OUR VALUES THE HARD BUT SECURE WAY
-------------------------------------------
Ok, there is lots of work to do so let's get on with it. First thing we need to do is find some
values that have direct contact with the ENCRYPTED RESOURCE VALUES but are not actually encrypted
themselves... This is how it's achieved..
Load up Age Of Mythology
Start a single player, random map
It must have 2v2 selected
Once the game has loaded up we can start looking around for something useful to us, I've already
done this bit for you to save time..
Click on the icon of the FOOD RESOURCE, this should bring up a TRIBUTE DISPLAY DIALOGBOX
with all of your resources inside.. (this is for giving supplies to your allies HENCE the 2v2 necessity).
On this screen you will notice that you have 3 boxes with the value 0 in them, all next to
the name of your allies.. these are to indicate how much resource of that type you wish to
send over. If you left click on one of the 0 boxes it should place 90 into the box, now
click the right button on the same box and it will reduce the number to 0 again, do you
feel a search pattern coming on? :)
APPENDED NOTE!!!
================
Finding options in games that are difficult to obtain usually consists of 2 things, 1. a good
logical thought process 2. good debugging skills. In this instance we need to follow a simple
logical pathway to understand why this resource sending approach will help us.
1. RESOURCE BOX IS CLICKED
|
2. INCREASE RESOURCE_SEND_VALUE
|
3. CLICK "SEND" BUTTON ON TRIBUTE DIALOGBOX
|
4. RESOURCE_SEND_VALUE IS COMPARED TO ENCRYPTED RESOURCE VALUES *link here to real value
|
5. INCREASE ALLIES SUPPLIES BY RESOURCE_SEND_VALUE
|
6. DECREASE YOUR SUPPLIES BY RESOURCE_SEND_VALUE *link here to real value
So you can see that the marked items on the list would be VERY valuable to us because they
are actually affecting the ENCRYPTED RESOURCES but it's all linked to the FIRST STEP which is
clicking that resource box.. it's just a thing to keep in mind in the future when trying to
get a handle on harder options :)
ok, lets continue..
We now need to do an inc/dec search to find this RESOURCE_SEND_VALUE, this is how we do it..
(I shouldn't need to tell you this shit but here goes)
Start an UNKNOWN VALUE search.. (4 bytes)
Click the resource box with 0 inside (90 is added).
Search Increased..
Right click the box (90 is subtracted)
Search Decreased..
REPEAT!!!
because the RESOURCE_SEND_VALUE isn't too obviously linked to the resource values it seems that
Ensemble Studios have given us a break and not encrypted it so you will indeed be able to locate
this address eventually.. it took me about 5 minutes to come up with this address..
2974db0 - RESOURCE_SEND_VALUE (your value MAY be different)
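The increased/decreased search above is worth seeing as an algorithm, because the reason it needs REPEATING is that other memory keeps changing between your clicks. The C below is an added example and is not the author's code or any memory searcher's: it models a constructed 16-dword slice of memory with the send value planted in slot 9 and some constructed background noise (a rising frame counter, a falling timer and a decoy that mimics the pattern for exactly one round), then runs the unknown-value / increased / decreased filtering the tutorial describes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a slice of the game's memory: 16 dwords, with the
   RESOURCE_SEND_VALUE planted in slot 9 (an arbitrary choice for the demo). */
#define REGION_DWORDS 16
#define SEND_SLOT 9

typedef struct {
    uint32_t prev[REGION_DWORDS];   /* snapshot taken at the previous step */
    int alive[REGION_DWORDS];       /* 1 while a slot is still a candidate */
} scan_t;

/* "Start an UNKNOWN VALUE search (4 bytes)": every dword is a candidate and
   all we do is record a baseline snapshot to compare against later. */
static void scan_begin(scan_t *s, const uint32_t *region)
{
    memcpy(s->prev, region, sizeof s->prev);
    for (size_t i = 0; i < REGION_DWORDS; i++)
        s->alive[i] = 1;
}

/* "Search Increased" (dir > 0) / "Search Decreased" (dir < 0): drop every
   candidate whose value did not move the way the player's click implies. */
static void scan_filter(scan_t *s, const uint32_t *region, int dir)
{
    for (size_t i = 0; i < REGION_DWORDS; i++) {
        if (!s->alive[i])
            continue;
        int increased = region[i] > s->prev[i];
        int decreased = region[i] < s->prev[i];
        if ((dir > 0 && !increased) || (dir < 0 && !decreased))
            s->alive[i] = 0;
    }
    memcpy(s->prev, region, sizeof s->prev);
}

/* Constructed "background noise" that changes between clicks, which is why a
   single increased/decreased pass cannot isolate the send value on its own. */
static void game_tick(uint32_t *region, int step)
{
    static const uint32_t decoy[] = {20, 5, 5, 5, 5, 5};
    region[0] += 1;                          /* frame counter: only ever rises  */
    region[3] -= 1;                          /* countdown timer: only ever falls */
    region[12] = step < 6 ? decoy[step] : 5; /* decoy that mimics one round only */
}

/* Run `rounds` of the left-click (+90) / right-click (-90) pattern.
   Returns the number of surviving candidates; *first gets the lowest
   surviving slot, or -1 if none survived. */
size_t run_scan(int rounds, int *first)
{
    uint32_t region[REGION_DWORDS] =
        {0, 7, 7, 1000, 7, 7, 7, 7, 7, 0, 7, 7, 10, 7, 7, 7};
    scan_t s;
    int step = 0;

    scan_begin(&s, region);
    for (int r = 0; r < rounds; r++) {
        region[SEND_SLOT] += 90;             /* left click: 90 goes into the box */
        game_tick(region, step++);
        scan_filter(&s, region, +1);         /* Search Increased */
        region[SEND_SLOT] -= 90;             /* right click: back to 0 */
        game_tick(region, step++);
        scan_filter(&s, region, -1);         /* Search Decreased */
    }

    size_t count = 0;
    *first = -1;
    for (size_t i = 0; i < REGION_DWORDS; i++) {
        if (s.alive[i]) {
            if (*first < 0)
                *first = (int)i;
            count++;
        }
    }
    return count;
}

/* Convenience wrappers: how many candidates are left, and the slot once it is unique. */
size_t candidates_after(int rounds) { int f; return run_scan(rounds, &f); }
int found_slot(int rounds) { int f; return run_scan(rounds, &f) == 1 ? f : -1; }

int main(void)
{
    for (int rounds = 1; rounds <= 3; rounds++)
        printf("after %d round(s): %zu candidate(s), unique slot = %d\n",
               rounds, candidates_after(rounds), found_slot(rounds));
    return 0;
}
```

One round leaves two candidates (the real slot and the decoy), the second round kills the decoy, which is the same reason the tutorial says REPEAT!!! until the list is short enough to breakpoint.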
ok, once you have found this value we need to breakpoint it so that we can start our investigative
journey.
do this..
BPM 2974db0 <return>
the above instruction will place an OPEN breakpoint on the address (no R or W qualifier, so
softice watches both) which means softice will pop every time that value is either READ or WRITTEN to..
Once you have done this exit softice with F5 until you are back in the game, make sure you
have something in the resource box to send to your allies, 90 is fine.. and then press the
SEND button at the bottom of the screen.
BANG!!
Immediately you should be looking at softice with the code below in your main code
window display..
At this point you may want to type WF to take a look at the floating point stack.
001B:0042EBD3 33FF XOR EDI,EDI
001B:0042EBD5 81C36C030000 ADD EBX,0000036C
001B:0042EBDB D906 FLD REAL4 PTR [ESI] ; load FP stack position 0 (ST0) with the amount of resources being sent.
001B:0042EBDD D81D6CCC9300 FCOMP REAL4 PTR [0093CC6C] <--------- ; you will be landing here.
001B:0042EBE3 DFE0 FSTSW AX
001B:0042EBE5 F6C441 TEST AH,41
001B:0042EBE8 0F858A000000 JNZ 0042EC78
001B:0042EBEE D90570CC9300 FLD REAL4 PTR [0093CC70]
001B:0042EBF4 8B542410 MOV EDX,[ESP+10]
001B:0042EBF8 D8A284030000 FSUB REAL4 PTR [EDX+00000384]
001B:0042EBFE D83E FDIVR REAL4 PTR [ESI]
001B:0042EC00 D95C2414 FSTP REAL4 PTR [ESP+14]
001B:0042EC04 D903 FLD REAL4 PTR [EBX] <----------- ; EBX contains a pointer to the decrypted resource value.
001B:0042EC06 D8642414 FSUB REAL4 PTR [ESP+14]
001B:0042EC0A D8156CCC9300 FCOM REAL4 PTR [0093CC6C]
001B:0042EC10 DFE0 FSTSW AX
001B:0042EC12 F6C401 TEST AH,01
001B:0042EC15 755F JNZ 0042EC76
oki.. basically the routine above checks firstly whether you have entered anything
to send to your allies and then whether you actually have enough of that resource
to send..
now we must press F10 (trace) until we reach location 001B:0042EC04, it's marked on the
code above...
before we go on its a good idea to clear all of our old breakpoints so do this...
BC* <return>
Once you have done this we need to dump EBX into our DUMP WINDOW... so type
D EBX <return>
this will display the memory at the address stored in EBX in the DUMP WINDOW, in the top left
hand corner of the DUMP WINDOW should now be the decrypted value of our resource.
once we have got this far we need to place yet another breakpoint on the location
now displayed in the top left hand corner of the DUMP WINDOW this breakpoint needs
only WRITE access and we place it by doing this ..
my DUMP WINDOW was at 2974eb4 so..
BPM 2974eb4 W <return>
Once this is set press F5 until you get back out into the game....
now click back on the FOOD RESOURCE icon to bring up the TRIBUTE DIALOGBOX again...
BANG!!!
LOOKING AT THE DECRYPTION ROUTINE
---------------------------------
when softice pops you should be looking at the code below in your code window.
001B:0042E9C5 8B4C2434 MOV ECX,[ESP+34]
001B:0042E9C9 53 PUSH EBX
001B:0042E9CA E811791500 CALL 005862E0 <------ ; decrypt value CALL
001B:0042E9CF D91E FSTP REAL4 PTR [ESI] <------ ; you will be here. this places the decrypted value
                                                ; into memory.. it's updating our value, that's why
                                                ; softice popped.
001B:0042E9D1 8BAEF0FDFFFF MOV EBP,[ESI-0210]
001B:0042E9D7 55 PUSH EBP
ok, so now we know that the main decryption routine will live inside CALL 005862e0
because just after it the decrypted value is placed into the memory.. not always the
case but in this game it is :)
before we continue disable our old breakpoint by doing this..
BD* <return>
so, now we are here we need to breakpoint 42e9ca, this time its an executing breakpoint
so we do this..
BPX 42e9ca <return>
you could also either use your mouse to double click it (if you're using one inside softice)
or you could highlight the address and then press F9.. doesn't matter as long as you
breakpoint that address..
so now.. again!! press F5 until you are back into the game..
click CANCEL on the TRIBUTE DIALOGBOX..
then click back on the FOOD RESOURCE icon...
BANG!!!
we are back where we just breakpointed.. but now we are here BEFORE the value is decrypted
so we can see exactly what is going on with our resource values :)
trace into the call at 42e9ca by pressing F8.. you now see this..
001B:005862E0 833900 CMP DWORD PTR [ECX],00 <---- ; you are here...
001B:005862E3 7419 JZ 005862FE
001B:005862E5 8B442404 MOV EAX,[ESP+04]
001B:005862E9 85C0 TEST EAX,EAX
001B:005862EB 7C11 JL 005862FE
001B:005862ED 3B057028A300 CMP EAX,[00A32870]
001B:005862F3 7D09 JGE 005862FE
001B:005862F5 50 PUSH EAX
001B:005862F6 E885FAFFFF CALL 00585D80 <----- ; main decryption routine..
001B:005862FB C20400 RET 0004
once again keep tracing with F10 until you come to 5862f6 then press F8 to
trace into the call.. you will see this...
001B:00585D80 55 PUSH EBP <----- ; you will be here...
001B:00585D81 8BEC MOV EBP,ESP
001B:00585D83 83EC08 SUB ESP,08
001B:00585D86 8B01 MOV EAX,[ECX] ;
001B:00585D88 8945FC MOV [EBP-04],EAX ;
001B:00585D8B 8B4D08 MOV ECX,[EBP+08] ; SET UP POINTERS
001B:00585D8E 8B55FC MOV EDX,[EBP-04] ;
001B:00585D91 8B048D6C9F9B00 MOV EAX,[ECX*4+009B9F6C] ; move decryption key into eax
001B:00585D98 33048A XOR EAX,[ECX*4+EDX] ; this instruction does the decrypting.. it takes the
                                         ; REAL RESOURCE ENCRYPTED VALUE, xor's it with the
                                         ; decryption key and EAX will now contain the
                                         ; decrypted value..
001B:00585D9B 8945F8 MOV [EBP-08],EAX
001B:00585D9E D945F8 FLD REAL4 PTR [EBP-08]
001B:00585DA1 8BE5 MOV ESP,EBP
001B:00585DA3 5D POP EBP
001B:00585DA4 C20400 RET 0004
few notes..
===========
EDX = start of YOUR RESOURCES STRUCTURE.. ie. EDX+0(GOLD) +4(WOOD) +8(FOOD) +C(FAVOR)
9b9f6c = DECRYPTION KEY TABLE. consists of 5 values..
12345678...09abcdef...0badf00d...deadbeef...76543210 <-- these are all hexadecimal decryption keys..
WELL!! lots to take in there eh? .. this is where all the business goes down :)
as you can see from my description the instruction we really need to look at is at
address 585d98.. this instruction reads the REAL ENCRYPTED VALUE of our
RESOURCES straight out of memory.. so now do this..
D ecx*4+edx <return>
and if you have followed this tutorial exactly, in the top left hand corner of the
DUMP WINDOW you should now see the REAL ENCRYPTED GOLD RESOURCE VALUE...
if you now look into EAX you will see the key that is used to decrypt that RESOURCE VALUE
we can do a little test for this..
42c80000 = 100.0 in float hex notation..
^ = XOR in softice
so.. in softice type this..
?12345678^42c80000 <return>
you will get this answer.. 50fc5678
if you enter that number into the top left hand corner replacing your original encrypted
RESOURCE VALUE you will have changed your gold value to 100.
press F5 to get out of softice and back to the game and you can make sure that your
gold value is indeed 100. :)
CODE INJECTION - MAKING THE RESOURCE HACK
-----------------------------------------
We now have all the information we need to produce a working hack...
return to the game.. without the TRIBUTE DIALOGBOX showing.. now press
the FOOD RESOURCE ICON again..
BANG!!
again softice should take you to here...
001B:0042E9CA E811791500 CALL 005862E0 <------ ; you will be here.
001B:0042E9CF D91E FSTP REAL4 PTR [ESI]
press f10 to trace over the call..
then we examine the REGISTERS...
EAX = 42c80000 (this is 100.0 in hex.. its the decrypted resource value)
EBX = 0 (this is the index used to calculate what key to use from the table)
ECX = 0
EDX = 59d2010 (may be different on yours.. this is the base address of your resource structure.)
oki.. so what we got??
1. BASE address of the decryption key table.. (9b9f6c) STATIC
2. BASE address of the encrypted resource values.. (59d2010) DYNAMIC (may be different on yours)
with these 2 values and the location to inject at 42e9cf.. we are all ready to do our injecting..
oki.. first thing to do is find a nice spot to place your injected code.. anyone that is still
reading this tutorial AND FOLLOWING IT!! will be able to do this.. so I'm not going to explain
how to do it.. use your fave method and keep reading once you have done this....
i chose a93e10...
so type..
A 42e9cf <return>
then type
JMP a93e10 <return> (you obviously have to use your code injection place not mine :))
nop <return>
nop <return>
nop <return>
this will balance up the bytes we just destroyed.. the JMP is 5 bytes and the 3 NOPs pad it out to
the 8 bytes of the FSTP (2) and MOV EBP (6) we overwrote (we need to recreate those two in our code injection)
oki.. I'm going to just give you my injected code and then explain it afterwards..
D91E FSTP REAL4 PTR [ESI] ; re-create the instruction we destroyed with our jmp
8BAEF0FDFFFF MOV EBP,[ESI-0210] ; re-create the instruction we destroyed with our jmp
53 PUSH EBX ; save EBX onto the stack
51 PUSH ECX ; save ECX onto the stack
33DB XOR EBX,EBX ; EBX = 0
8B0C9D6C9F9B00 MOV ECX,[EBX*4+009B9F6C] ; Mov decryption key into ecx
81F10000C846 XOR ECX,46C80000 ; encrypt 25600.0 with the encryption key..
890C9A MOV [EBX*4+EDX],ECX ; move the new encrypted value back into memory (resource = 25600.0)
43 INC EBX ; increase loop counter
83FB04 CMP EBX,04 ; have we done ALL resources?
75EA JNZ 00A93E1C ; if we havent it will jump back and do the next resource
59 POP ECX ; restore ECX
5B POP EBX ; restore EBX
E99BAB99FF JMP 0042E9D4 ; jmp back to normal game code execution..
as you can see it looks a little more complex than your usual code injected hacks mainly
because all the code is actually specific to its location .. ie .. you won't be able to
grab the decryption keys and the BASE locations of the encrypted resources from just anywhere,
they need to be taken at certain places.. well.. this is it..
what it does is take the first key from the table.. encrypt the 25600 value with that key
which gives us the value to save back into memory.. we then move this value back where it should
be and carry on to the next KEY and the next VALUE.. doing the same.. until we reach 4 which is
the end of the loop and the number of resources we are hacking :)
GOLD is now 25600
WOOD is now 25600
FOOD is now 25600
FAVOR is now 25600
:)))
a small note.. the favor resource is regulated by other factors .. during the game it may switch back to
a lower number.. this is its maxed number.. so don't worry about it..
SO.. now.. every time you click on the resources and bring up that TRIBUTE DIALOGBOX you will refill
all of your resources with 25600 cool eh? :)))
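To tie the decryption routine at 585d80 and the injected loop together, here is the whole scheme in C. This is an added example and not the author's code nor anything from the game: it takes the key table values and the GOLD/WOOD/FOOD/FAVOR slot order straight from the notes above, treats each resource as the same REAL4 bit pattern FLD/FSTP shuffle around, and shows the ?12345678^42c80000 check, the known-plaintext key recovery that check really is, and the effect of the XOR loop that writes 25600.0 into all four slots. The resource structure contents are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Key table as listed in the notes for 9b9f6c; the injected loop only ever
   touches the first four entries (one per resource). */
static const uint32_t KEY_TABLE[5] = {
    0x12345678, 0x09abcdef, 0x0badf00d, 0xdeadbeef, 0x76543210
};

/* Slot order from the notes: EDX+0 GOLD, +4 WOOD, +8 FOOD, +C FAVOR. */
enum { GOLD = 0, WOOD = 1, FOOD = 2, FAVOR = 3, NUM_RESOURCES = 4 };

/* REAL4 <-> dword: the same bit pattern FLD/FSTP move between memory and ST0. */
static uint32_t float_bits(float f) { uint32_t b; memcpy(&b, &f, sizeof b); return b; }
static float bits_float(uint32_t b) { float f; memcpy(&f, &b, sizeof f); return f; }

/* What CALL 00585D80 computes for index idx:
   EAX = [ECX*4+9B9F6C] ^ [ECX*4+EDX], then FLD REAL4 of that dword. */
float resource_decrypt(const uint32_t *encrypted, int idx)
{
    return bits_float(KEY_TABLE[idx] ^ encrypted[idx]);
}

/* Same XOR in the other direction; what the injected loop does with 46C80000 (25600.0). */
uint32_t resource_encrypt(float value, int idx)
{
    return KEY_TABLE[idx] ^ float_bits(value);
}

/* The softice test from the tutorial: ?12345678^42c80000 -> 50fc5678. */
uint32_t softice_check(void)
{
    return resource_encrypt(100.0f, GOLD);
}

/* Why a fixed XOR table is not secrecy: one (encrypted dword, known plaintext)
   pair hands the key straight back, which is exactly what the test above does
   in reverse. Anything a trainer can do here, a memory-integrity check can
   also detect by recomputing the same XOR. */
uint32_t recover_key(uint32_t encrypted, float known_value)
{
    return encrypted ^ float_bits(known_value);
}

/* Effect of the loop at a93e1c..a93e30: for EBX = 0..3 write
   KEY_TABLE[EBX] ^ 46C80000 into the resource structure. */
void refill_all(uint32_t *encrypted)
{
    for (int i = 0; i < NUM_RESOURCES; i++)
        encrypted[i] = resource_encrypt(25600.0f, i);
}

/* Constructed structure of 100.0 each, run through the refill, read back via the game's own decrypt. */
float refilled_value(int idx)
{
    uint32_t res[NUM_RESOURCES];
    for (int i = 0; i < NUM_RESOURCES; i++)
        res[i] = resource_encrypt(100.0f, i);
    refill_all(res);
    return resource_decrypt(res, idx);
}

int main(void)
{
    static const char *names[NUM_RESOURCES] = {"GOLD", "WOOD", "FOOD", "FAVOR"};
    uint32_t gold_enc = resource_encrypt(100.0f, GOLD);
    printf("encrypted gold dword for 100.0: %08x (softice check: %08x)\n", gold_enc, softice_check());
    printf("key recovered from that pair:   %08x\n", recover_key(gold_enc, 100.0f));
    for (int i = 0; i < NUM_RESOURCES; i++)
        printf("%s is now %.1f\n", names[i], refilled_value(i));
    return 0;
}
```

The stored dword for 25600.0 gold comes out as 12345678 ^ 46C80000 = 54fc5678, and reading it back through the game's own XOR gives 25600.0 for every slot, which is the GOLD/WOOD/FOOD/FAVOR result listed above.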
well, once you have done all of that I guess all that remains is to either write down all of those
opcodes or you can use my SAS tool which will grab that data for you and place it into a MASM array,
anyone coding a trainer in MASM?? you're the lucky ones.. :))
FINAL WORDS
-----------
Man, I love coming to the end of a tutorial.. it means my normal life can continue :).. I hope some of
you guys have learnt something new, I know I sure as shit did :).. don't forget.. no matter what you
think you know.. or how good you think you are there is always someone better, so next time that newbie
asks for a little help.. do ME a favor and help him out.. it's the decent thing to do..
take care of yourself and each other.. hehe JERRY!!! JERRY!!!!
until next time dudes..
*******************************************************************************************
*******************************************************************************************
If u have any questions or comments then email me at... sh33pr3c@hotmail.com
visit my site for more tutorials.. http://WWW.SHEEPREC.CJB.NET
I would just like to greet some people that support and inspire me....
Odin, MiraMax, KeyboardJunky, Calligula, Orr, DarkLighter, Kilby, LordFinal, ^chaos^.
MiNiSTER, [NTSC], [Drone], Rizzah, Bengi, tko..
No order.. just GREAT people..
PLEASE FEEL FREE TO SPREAD THIS DOCUMENT TO ANY SITES!!!!!