Trainer Tutorials

This section of the site is dedicated to Trainer Tutorials to help everyone get a better understanding of how Game Trainers are made and how they function.
Decrypting Age of Mythology - Advanced Gamehacking

    .________.                                                 .________.
     \       |            ___///__  ._________ .__///____      |         \_ 
::::::|  ____|___   ____|__       |_|        /_|        / .____|_____      |:::::::  
::    |  |    __/___|             |     ____/|     ____/  |                |     :: 
::    |  |____       \_     |     |       _|_|______._|___|____.           |     :: 
::    |       |        |    |     |                 |          |   __///___|     ::
::    |       |        |    |     |                 |          |    |            ::
::    |_.              |    |_____|\_____///________|__________|    |            ::
::      \___///________|    |[sheep]                      |_        |       ::::::::::::
::               \__________|                               |_______|       ::   ::   ::
:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::   ::
                                     Gamehacking Tutorial Collection..      ::        ::
                                                                            ::::::::::::

(best viewed in 1024x768)


SUBJECT: DECRYPTING AGE OF MYTHOLOGY - Advanced Gamehacking.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, it certainly has been a while since I last took to the keyboard to inform 
you lucky people of some of the new techniques and interesting tricks I've come across while
training the best titles the PC has to offer.. All of my tutorials from this point onward 
are going to be for experienced gamehackers. I'm not going to make allowances for people
who don't understand certain aspects of SoftICE or asm; you should all be capable of working
at an advanced pace by now, and if you are not then I suggest you stop reading now.

I seem to have gotten a reputation for being an asshole to newbies.. hehe.. come on.. ME? 
All I have to say to this is that it takes a long time to create these tutorials and, to be
honest, I would be just as happy explaining this shit to JUST my friends and not the masses,
but I feel that we all deserve a shot at creating cool trainers and understanding something
more than boring NOP hacks.. see.. I'm not so bad :)

TOOLS NEEDED: SoftICE, a memory searcher (your choice), SAS (my tool for grabbing injected code).

locations...

SOFTICE.........................LOOK FOR IT!!! ITS ON THE WEB!!
MEMORY SEARCHER.................GAMEHACKING.COM or GOOGLE.COM :)
SAS(Sheeps Array of Sunshine)...MY SITE SHEEPREC.CJB.NET


SOFTICE SETUP
*************

When you press CTRL-D to pop SoftICE you should see the following windows.. 

REGISTER WINDOW - this window is always at the very top of the SoftICE screen
(WR [return])     and displays the contents of all the registers..
                  
DUMP WINDOW     - generally situated close to the top of the SoftICE screen,
(WD [return])     contains a split display.. one side is ASCII, the 
                  other is hex.
CODE WINDOW     - this is the main window.. sits just under the DUMP WINDOW and
(WC [return])     contains the code of whatever process was running when 
                  you popped SoftICE.. the code is shown as ASSEMBLY LANGUAGE
                  instructions..

The commands in the brackets are what you need to type to turn the different windows on..
you also need to type CODE ON.. this shows the OPCODES, the raw instruction bytes
displayed to the left of each ASM instruction and to the right of every memory address
in the CODE WINDOW.. (you will need them later to copy the injected code out)


Well, it's Sunday the 3rd of November 2002 and at present only the cheats for
AGE OF MYTHOLOGY have been released to the public.. I have seen no trainers or even heard 
of anyone managing a resource hack.. All this is going to change once you have read this
tutorial. I can fully understand why there are no trainers: the usual trainer muppets 
who produce substandard trainers and release them onto the unsuspecting public
would have given up on this game a long time ago, because you actually need to do some work
to get a working resource hack :) MAN I'M GRUMPY.. :))


LESSON START
************

Sections..

i)   Ground Work.
ii)  Finding our values (the hard but secure way).
iii) Looking at the Decryption Routine.
iv)  Code Injection (making the resource hack).
v)   Final Words.


GROUND WORK
-----------

Ok, GROUND WORK is a term I use for the very first information gleaned from the game you are
trying to hack.

The first thing I noticed about AGE OF MYTHOLOGY was that the searches take forever :) so it's
not going to be a nice quick hack.. :( .. 

After doing a few search patterns and wasting about an hour of my life I decided that the game
wasn't storing the resources as plain numbers that simply get INC/DEC'ed; the only alternative was
that it used encrypted (usually XOR'ed) values which are only converted back when the game uses them.
An XOR'ed dword doesn't rise and fall with the real value (a small change in the plaintext can flip
high bits of what is stored), so INCREASED/DECREASED filters throw the real address away.

If there is one thing for certain in this world apart from death and tax it's that commercial
programmers are lazy bastards and will certainly not do more work than is absolutely necessary.
For us this is very good news because it translates into there being values in the game that are NOT
encrypted, and that touch the encrypted resources, which we CAN get a handle on to find them.. 

APPENDED NOTE!!
===============
you can also find the values by doing a VERY long-winded CHANGED/NOT CHANGED search, but I'm trying
to teach you some advanced techniques that DO have major advantages in the future; all will become 
clear soon.. anyway.. if you wish to obtain the values that way be my guest, but I suggest you
stick with me and do it the way I did.


FINDING OUR VALUES THE HARD BUT SECURE WAY
-------------------------------------------

Ok, there is lots of work to do so let's get on with it.  The first thing we need to do is find some
values that have direct contact with the ENCRYPTED RESOURCE VALUES but are not actually encrypted
themselves... This is how it's achieved.. 

Load up Age Of Mythology

Start a single player, random map

It must have 2v2 selected 

Once the game has loaded we can start looking around for something useful to us; I've already 
done this bit for you to save time..

Click on the icon of the FOOD RESOURCE, this should bring up a TRIBUTE DISPLAY DIALOGBOX
with all of your resources inside.. (this is for giving supplies to your allies, HENCE the 2v2 necessity).

On this screen you will notice that you have 3 boxes with the value 0 in them, all next to 
the names of your allies.. these indicate how much of that resource you wish to
send over. If you left-click on one of the 0 boxes it should place 90 into the box; now
right-click the same box and it will reduce the number to 0 again. Do you
feel a search pattern coming on? :) 

APPENDED NOTE!!!
================
Finding options in games that are difficult to obtain usually consists of 2 things: 1. a good
logical thought process, 2. good debugging skills. In this instance we need to follow a simple
logical pathway to understand why this resource-sending approach will help us.

1.    RESOUCE BOX IS CLICKED
           |
2.    INCREASE RESOURCE_SEND_VALUE 
           |
3.    CLICK "SEND" BUTTON ON TRIBUTE DIALOGBOX
           |
4.    RESOURCE_SEND_VALUE IS COMPARED TO ENCRYPTED RESOURCE VALUES *link here to real value
           |
5.    INCREASE ALLIES SUPPLIES BY RESOURCE_SEND_VALUE
           |
6.    DECREASE YOUR SUPPLIES BY RESOURCE_SEND_VALUE *link here to real value

So you can see that the marked items on the list would be VERY valuable to us because they
actually touch the ENCRYPTED RESOURCES, but it's all linked to the FIRST STEP, which is 
clicking that resource box.. it's just a thing to keep in mind in the future when trying to 
get a handle on harder options :)


ok, lets continue.. 

We now need to do an inc/dec search to find this RESOURCE_SEND_VALUE, this is how we do it..

(i shouldnt need to tell you this shit but here goes)

Start an UNKNOWN VALUE search.. (4 bytes)

Click the resource box with 0 inside (90 is added).

Search Increased..

Right click the box (90 is subtracted)

Search Decreased..

REPEAT!!!

because the RESOURCE_SEND_VALUE isn't too obviously linked to the resource values it seems that
Ensemble Studios have given us a break and not encrypted it, so you will indeed be able to locate 
this address eventually.. it took me about 5 minutes to come up with this address..

2974db0 - RESOURCE_SEND_VALUE (your value MAY be different)
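To make the GROUND WORK point and the search above concrete, here is an added example (mine, not part of the original tutorial) in C: a toy memory searcher that runs the UNKNOWN VALUE -> INCREASED -> DECREASED filter over three constructed snapshots. The send amount is stored as a REAL4 (the game reads it with FLD REAL4 PTR [ESI] later on), the gold slot is stored XOR'ed with the key 12345678 the tutorial lists for gold, and the slot numbers and the fact that gold ticks up 100 -> 110 -> 120 between clicks are assumptions for this example, not anything dumped from the game. It shows why the plain send value survives the filter while the encrypted resource, even though it really increased, does not.

```c
/* Added example, not part of the tutorial: a toy model of the
 * UNKNOWN VALUE -> INCREASED -> DECREASED search run against
 * RESOURCE_SEND_VALUE, and of why the same filter loses the
 * XOR-encrypted resource value.  The three "snapshots" are constructed
 * arrays, not real game memory; the slot numbers and the gold key
 * 0x12345678 are assumptions taken from the tutorial's key table. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define MEM_WORDS 8          /* size of the toy address space, in dwords */
#define SEND_SLOT 3          /* where the plain send value lives (assumed) */
#define GOLD_SLOT 5          /* where the XOR-encrypted gold lives (assumed) */
#define GOLD_KEY  0x12345678u

/* Raw IEEE-754 bits of a float: what a 4-byte searcher actually compares. */
static uint32_t f2bits(float f) { uint32_t u; memcpy(&u, &f, sizeof u); return u; }

/* Encrypted gold as it sits in memory: key XOR plaintext bits. */
static uint32_t encrypted_gold(float gold) { return GOLD_KEY ^ f2bits(gold); }

/* One search pass: keep only candidates whose dword moved the way the
 * user said it did (compared as unsigned, like a 4-byte searcher does). */
static int filter_step(const uint32_t *before, const uint32_t *after,
                       int *cand, int ncand, int want_increase)
{
    int kept = 0;
    for (int i = 0; i < ncand; i++) {
        uint32_t b = before[cand[i]], a = after[cand[i]];
        int moved = want_increase ? (a > b) : (a < b);
        if (moved) cand[kept++] = cand[i];
    }
    return kept;
}

/* Build a snapshot: send amount as a REAL4, gold XOR'ed with its key,
 * every other slot a constructed constant that never changes. */
static void snapshot(uint32_t *mem, float send, float gold)
{
    for (int i = 0; i < MEM_WORDS; i++) mem[i] = 0x11111111u * (uint32_t)i;
    mem[SEND_SLOT] = f2bits(send);
    mem[GOLD_SLOT] = encrypted_gold(gold);
}

/* Scripted search: left-click (0 -> 90, "increased"), right-click
 * (90 -> 0, "decreased").  Gold really goes 100 -> 110 -> 120 meanwhile,
 * yet its encrypted dword goes DOWN both times, so it never survives.
 * Returns the number of surviving candidates; *found gets the first one. */
static int find_send_value(int *found)
{
    uint32_t s0[MEM_WORDS], s1[MEM_WORDS], s2[MEM_WORDS];
    int cand[MEM_WORDS], n = MEM_WORDS;
    for (int i = 0; i < MEM_WORDS; i++) cand[i] = i;
    snapshot(s0, 0.0f,  100.0f);
    snapshot(s1, 90.0f, 110.0f);
    snapshot(s2, 0.0f,  120.0f);
    n = filter_step(s0, s1, cand, n, 1);   /* Search Increased.. */
    n = filter_step(s1, s2, cand, n, 0);   /* Search Decreased.. */
    *found = n ? cand[0] : -1;
    return n;
}

int main(void)
{
    int slot;
    int n = find_send_value(&slot);
    printf("%d candidate(s) left, first at slot %d\n", n, slot);
    printf("enc gold 100.0 = %08X, enc gold 110.0 = %08X (went down)\n",
           (unsigned)encrypted_gold(100.0f), (unsigned)encrypted_gold(110.0f));
    return 0;
}
```

Positive floats keep the same order as their raw bits, which is why an integer-style increased/decreased filter finds the REAL4 send value without you having to know it is a float; the XOR'ed copy loses that property, which is the whole reason for the detour through RESOURCE_SEND_VALUE.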

ok, once you have found this value we need to breakpoint it so that we can start our investigative
journey.

do this..

BPM 2974db0 <return>

the above instruction places a memory breakpoint on the address. With no access qualifier
BPM defaults to RW, which means SoftICE will pop every time that value is either READ or WRITTEN..

Once you have done this exit softice with F5 until you are back in the game, make sure you 
have something in the resource box to send to your allies, 90 is fine.. and then press the 
SEND button at the bottom of the screen.

BANG!!

Immediately you should be looking at softice with the code below in your main code 
window display..

At this point you may want to type WF to take a look at the floating point stack. 

001B:0042EBD3  33FF                XOR       EDI,EDI
001B:0042EBD5  81C36C030000        ADD       EBX,0000036C
001B:0042EBDB  D906                FLD       REAL4 PTR [ESI]                 ; load FP stack position 0 (ST0) with
                                                                               amount of resources being sent.    
001B:0042EBDD  D81D6CCC9300        FCOMP     REAL4 PTR [0093CC6C] <--------- ; you will be landing here.
001B:0042EBE3  DFE0                FSTSW   AX
001B:0042EBE5  F6C441              TEST      AH,41                           
001B:0042EBE8  0F858A000000        JNZ       0042EC78
001B:0042EBEE  D90570CC9300        FLD       REAL4 PTR [0093CC70]
001B:0042EBF4  8B542410            MOV       EDX,[ESP+10]
001B:0042EBF8  D8A284030000        FSUB      REAL4 PTR [EDX+00000384]
001B:0042EBFE  D83E                FDIVR     REAL4 PTR [ESI]
001B:0042EC00  D95C2414            FSTP      REAL4 PTR [ESP+14]
001B:0042EC04  D903                FLD       REAL4 PTR [EBX]    <----------- EBX contains a pointer to 
                                                                             to the de-crypted resource
                                                                             value.
001B:0042EC06  D8642414            FSUB      REAL4 PTR [ESP+14]
001B:0042EC0A  D8156CCC9300        FCOM      REAL4 PTR [0093CC6C]
001B:0042EC10  DFE0                FSTSW   AX
001B:0042EC12  F6C401              TEST      AH,01
001B:0042EC15  755F                JNZ       0042EC76


oki.. basically the routine above first compares the amount you entered against the constant
at [0093CC6C] to see whether you have entered anything to send to your allies, then loads the
decrypted resource through EBX, subtracts what you are sending and compares again to see
whether you actually have enough of that resource.. 

now press F10 (step over) until we reach location 001B:0042EC04, it's marked on the
code above... 

before we go on its a good idea to clear all of our old breakpoints so do this...

BC* <return>

Once you have done this we need to dump EBX into our DUMP WINDOW... so type 

D EBX <return> 

this will display the location stored in EBX into the DUMP WINDOW, in the top left 
hand corner of the DUMP WINDOW should now be the de-crypted value of our resource.

once we have got this far we need to place yet another breakpoint on the location 
now displayed in the top left hand corner of the DUMP WINDOW this breakpoint needs
only WRITE access and we place it by doing this .. 

my DUMP WINDOW was at 2974eb4 so..

BPM 2974eb4 W <return>

Once this is set press F5 until you get back out into the game....

now click back on the FOOD RESOURCE icon to bring up the TRIBUTE DIALOGBOX again...

BANG!!!


LOOKING AT THE DECRYPTION ROUTINE
---------------------------------

when softice pops you should be looking at the code below in your code window. 


001B:0042E9C5  8B4C2434            MOV       ECX,[ESP+34]
001B:0042E9C9  53                  PUSH      EBX
001B:0042E9CA  E811791500          CALL      005862E0        <------ ; decrypt value CALL
001B:0042E9CF  D91E                FSTP      REAL4 PTR [ESI] <------ ; you will be here.
                                                                       this places the 
                                                                       decrypted value 
                                                                       into memory..its
                                                                       updating our value,
                                                                       thats why softice
                                                                       popped.
001B:0042E9D1  8BAEF0FDFFFF        MOV       EBP,[ESI-0210]
001B:0042E9D7  55                  PUSH      EBP

ok, so now we know that the main decryption routine will live inside CALL 005862e0, 
because just after it returns the decrypted value (left on the FPU stack) is stored into
memory.. not always the case but in this game it is :)

before we continue disable our old breakpoint by doing this.. 

BD* <return>

so, now we are here we need to breakpoint 42e9ca, this time its an executing breakpoint
so we do this.. 

BPX 42e9ca <return>

you could also either use your mouse to double click it (if your using one inside softice)
or you could highlight the address and then press F9.. doesnt matter as long as you 
breakpoint that address.. 

so now.. again!! press F5 until you are back into the game..

click CANCEL on the TRIBUTE DIALOGBOX..

then click back on the FOOD RESOURCE icon... 

BANG!!!

we are back where we just breakpointed.. but now we are here BEFORE the value is decrypted
so we can see exactly what is going on with our resource values :)

trace into the call at 42e9ca by pressing F8.. you now see this.. 

001B:005862E0  833900              CMP       DWORD PTR [ECX],00 <---- ; you are here...
001B:005862E3  7419                JZ        005862FE
001B:005862E5  8B442404            MOV       EAX,[ESP+04]
001B:005862E9  85C0                TEST      EAX,EAX
001B:005862EB  7C11                JL        005862FE
001B:005862ED  3B057028A300        CMP       EAX,[00A32870]
001B:005862F3  7D09                JGE       005862FE
001B:005862F5  50                  PUSH      EAX
001B:005862F6  E885FAFFFF          CALL      00585D80          <----- ; main decryption routine.. 
001B:005862FB  C20400              RET       0004

once again keep tracing with F10 until you come to 5862f6 then press F8 to 
trace into the call.. you will see this...


001B:00585D80  55                  PUSH      EBP               <----- ; you will be here...
001B:00585D81  8BEC                MOV       EBP,ESP
001B:00585D83  83EC08              SUB       ESP,08
001B:00585D86  8B01                MOV       EAX,[ECX]                ;
001B:00585D88  8945FC              MOV       [EBP-04],EAX             ; 
001B:00585D8B  8B4D08              MOV       ECX,[EBP+08]             ; SET UP POINTERS
001B:00585D8E  8B55FC              MOV       EDX,[EBP-04]             ;

001B:00585D91  8B048D6C9F9B00      MOV       EAX,[ECX*4+009B9F6C]     ; move decryption key into eax  
001B:00585D98  33048A              XOR       EAX,[ECX*4+EDX]          ; this instruction does the 
                                                                        decrypting.. it takes the
                                                                        REAL RESOURCE ENCRYPTED
                                                                        VALUE xor's it with the 
                                                                        decryption key so that 
                                                                        EAX will now contain the
                                                                        decrypted value.. 
001B:00585D9B  8945F8              MOV       [EBP-08],EAX
001B:00585D9E  D945F8              FLD       REAL4 PTR [EBP-08]
001B:00585DA1  8BE5                MOV       ESP,EBP
001B:00585DA3  5D                  POP       EBP
001B:00585DA4  C20400              RET       0004

few notes.. 
===========

ECX = RESOURCE INDEX (the value the caller pushed).. it selects both the key and the slot.
EDX = start of YOUR RESOURCES STRUCTURE.. ie. EDX+0(GOLD) +4(WOOD) +8(FOOD) +C(FAVOR)
9b9f6c = DECRYPTION KEY TABLE. consists of 5 values.. 
12345678...09abcdef...0badf00d...deadbeef...76543210 <-- these are all hexadecimal decryption keys.. 


WELL!! lots to take in there eh? .. this is where all the business goes down :) 
as you can see from my description the instruction we really need to look at is at
address 585d98.. its memory operand [ECX*4+EDX] is the REAL ENCRYPTED ADDRESS of the
resource selected by ECX.. so now do this.. 

D ecx*4+edx <return>

and if you have followed this tutorial exactly, in the top left hand corner of the
DUMP WINDOW you should now see the REAL ENCRYPTED GOLD RESOURCE VALUE...

if you now look into EAX you will see the key that is used to decrypt that RESOURCE VALUE
we can do a little test for this.. 

42c80000 = 100.0 in float hex notation..

^ = XOR in softice

so.. in softice type this.. 

?12345678^42c80000 <return>

you will get this answer.. 50fc5678

if you enter that number into the top left hand corner replacing your original encrypted 
RESOURCE VALUE you will have changed your gold value to 100.

press F5 to get out of softice and back to the game and you can make sure that your
gold value is indeed 100. :)
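The XOR at 585d98 and the by-hand test with ?12345678^42c80000, written out as an added C example (mine, not code from the tutorial or the game). The key table values and the +0/+4/+8/+C layout are the ones listed above; the encrypted array is constructed, not a real dump. hack_all_resources is the same loop the injected code in the next section runs for EBX = 0..3, so that section gets no separate example.

```c
/* Added example, not part of the tutorial: a C model of the decryption at
 * 00585D91/00585D98 (key[idx] XOR enc[idx], then FLD the dword as a REAL4)
 * and of the "set gold to 100" test done by hand in SoftICE.  Key values
 * and the struct layout are the tutorial's; the encrypted array used here
 * is constructed for the example. */
#include <stdint.h>
#include <inttypes.h>
#include <string.h>
#include <stdio.h>

enum { GOLD = 0, WOOD = 1, FOOD = 2, FAVOR = 3, NUM_RES = 4 };

/* DECRYPTION KEY TABLE the tutorial shows at 009B9F6C (five dwords). */
static const uint32_t key_table[5] = {
    0x12345678u, 0x09abcdefu, 0x0badf00du, 0xdeadbeefu, 0x76543210u
};

/* float <-> raw IEEE-754 bits; the game does this with MOV [EBP-08],EAX / FLD REAL4 */
static uint32_t f2bits(float f)    { uint32_t u; memcpy(&u, &f, sizeof u); return u; }
static float    bits2f(uint32_t u) { float f;    memcpy(&f, &u, sizeof f); return f; }

/* MOV EAX,[ECX*4+009B9F6C] ; XOR EAX,[ECX*4+EDX] ; FLD  -- idx is ECX, enc is EDX */
static float decrypt_resource(const uint32_t *enc, int idx)
{
    return bits2f(key_table[idx] ^ enc[idx]);
}

/* The inverse.  XOR is its own inverse, so the same key turns a plaintext
 * float back into the dword the game expects to find in memory
 * (?12345678^42c80000 = 50fc5678 for 100.0 gold). */
static uint32_t encrypt_resource(float value, int idx)
{
    return key_table[idx] ^ f2bits(value);
}

/* What the injected loop does for EBX = 0..3: overwrite every slot with
 * `amount` encrypted under that slot's own key. */
static void hack_all_resources(uint32_t *enc, float amount)
{
    for (int idx = 0; idx < NUM_RES; idx++)
        enc[idx] = encrypt_resource(amount, idx);
}

int main(void)
{
    uint32_t enc[NUM_RES] = { 0 };   /* constructed: not a real dump of EDX */

    hack_all_resources(enc, 100.0f);
    printf("gold dword in memory = %08" PRIX32 " (tutorial: 50fc5678)\n", enc[GOLD]);

    hack_all_resources(enc, 25600.0f);
    for (int i = 0; i < NUM_RES; i++)
        printf("slot %d: enc %08" PRIX32 " -> %.1f\n",
               i, enc[i], (double)decrypt_resource(enc, i));
    return 0;
}
```

The index does double duty: the same ECX selects the key at 9b9f6c+ECX*4 and the slot at EDX+ECX*4, which is why the injected code below can walk both with a single counter.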


CODE INJECTION - MAKING THE RESOURCE HACK
-----------------------------------------

We now have all the information we need to produce a working hack...

return to the game.. without the TRIBUTE DIALOGBOX showing.. now press 
the FOOD RESOURCE ICON again..

BANG!!

again softice should take you to here...  

001B:0042E9CA  E811791500          CALL      005862E0        <------ ; you will be here.
001B:0042E9CF  D91E                FSTP      REAL4 PTR [ESI] 
                                                                       
press f10 to trace over the call..

then we examine the REGISTERS...

EAX = 42c80000 (this is 100.0 in hex.. its the decrypted resource value)

EBX = 0 (this is the index used to calculate what key to use from the table)

ECX = 0 

EDX = 59d2010 (may be different on yours.. this is the base address of your resource structure.)

oki.. so what we got??

1. BASE address of the decryption key table..       (9b9f6c) STATIC
2. BASE address of the encrypted resource values..  (59d2010) DYNAMIC (may be different on yours)

with these 2 values and the location to inject at, 42e9cf, we are all ready to do our injecting..

oki.. first thing to do is find a nice spot to place your injected code.. anyone that is still
reading this tutorial AND FOLLOWING IT!! will be able to do this.. so im not going to explain 
how to do it.. use your fave method and keep reading once you have done this....

i chose a93e10...

so type.. 

A 42e9cf <return>

then type

JMP a93e10 <return>   (you obviously have to use your code injection place, not mine :))
nop <return>
nop <return>
nop <return>

this balances up the bytes we just destroyed: the JMP is 5 bytes and the 3 NOPs make 8, exactly
the FSTP (2 bytes) plus the MOV EBP,[ESI-0210] (6 bytes) that used to sit there, so no half an
instruction is left behind (we need to recreate both of them in our code injection)


oki.. im going to just give you my injected code and then explain it afterwards..


D91E                FSTP      REAL4 PTR [ESI]        ; re-create the instruction we destroyed with our jmp
8BAEF0FDFFFF        MOV       EBP,[ESI-0210]         ; re-create the instruction we destroyed with our jmp
53                  PUSH      EBX                    ; save EBX onto the stack
51                  PUSH      ECX                    ; save ECX onto the stack
33DB                XOR       EBX,EBX                ; EBX = 0 
8B0C9D6C9F9B00      MOV       ECX,[EBX*4+009B9F6C]   ; Mov decryption key into ecx
81F10000C846        XOR       ECX,46C80000           ; encrypt 25600.0 (46C80000 as a REAL4) with the key..
890C9A              MOV       [EBX*4+EDX],ECX        ; move the new encrypted value back into memory (resource = 25600.0)
43                  INC       EBX                    ; increase loop counter
83FB04              CMP       EBX,04                 ; have we done ALL resources?
75EA                JNZ       00A93E1C               ; if we havent it will jump back and do the next resource
59                  POP       ECX                    ; restore ECX
5B                  POP       EBX                    ; restore EBX
E99BAB99FF          JMP       0042E9D4               ; jmp back to normal game code execution..


as you can see it looks a little more complex than your usual code-injected hacks, mainly
because all the code is specific to its location.. ie.. you won't be able to 
grab the decryption keys and the BASE location of the encrypted resources from just anywhere,
they need to be taken at certain places.. well.. this is it.. 

what it does is take the first key from the table, XOR the 25600 value with it,
which gives us the value to save back into memory.. we then move this value back where it should
be and carry on to the next KEY and the next VALUE.. doing the same.. until the counter reaches 4, which is 
the end of the loop and the number of resources we are hacking :)
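Hand-assembling a cave means getting the relative displacements and the patch length right, so here is an added example (mine, not from the tutorial) in C that does that arithmetic for the addresses above: the rel32 of the 5-byte JMP written at 42e9cf, the rel8 of the JNZ inside the cave, the rel32 of the JMP back, and a check that the hook covers the two displaced instructions exactly. The cave address a93e10 is the author's choice and will differ on your machine; the instruction lengths are those of the listed bytes.

```c
/* Added example, not part of the tutorial: the byte arithmetic behind the
 * hook at 0042E9CF and the code cave at 00A93E10.  Encodes the rel32 of an
 * E9 JMP and the rel8 of a 75 JNZ, and checks that the 8 bytes overwritten
 * (5-byte JMP + 3 NOPs) exactly cover FSTP (2 bytes) and MOV EBP,[ESI-0210]
 * (6 bytes).  Addresses are the tutorial's; the cave address is the
 * author's and is an example value only. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define HOOK_ADDR   0x0042E9CFu   /* JMP written here, over FSTP + MOV EBP  */
#define CAVE_ADDR   0x00A93E10u   /* where the injected code lives (example) */
#define RETURN_ADDR 0x0042E9D4u   /* tutorial lands on the 3 NOPs; 42E9D7 would do too */
#define DISPLACED   (2 + 6)       /* bytes of original code the hook overwrites */

/* Byte lengths of the 14 cave instructions, in listing order. */
static const uint8_t cave_len[14] = { 2, 6, 1, 1, 2, 7, 6, 3, 1, 3, 2, 1, 1, 5 };
enum { CAVE_MOV_KEY = 5, CAVE_JNZ = 10, CAVE_JMP_BACK = 13 };

/* E9 rel32: displacement is measured from the END of the 5-byte JMP. */
static uint32_t jmp_rel32(uint32_t jmp_addr, uint32_t target)
{
    return target - (jmp_addr + 5);
}

/* 75 rel8 (JNZ short): measured from the end of the 2-byte instruction.
 * Returns -1 when the target is not reachable with a signed byte. */
static int jnz_rel8(uint32_t jcc_addr, uint32_t target)
{
    int32_t d = (int32_t)(target - (jcc_addr + 2));
    return (d < -128 || d > 127) ? -1 : (d & 0xff);
}

/* Address of the n-th cave instruction (n = 0 is the re-created FSTP). */
static uint32_t cave_insn_addr(int n)
{
    uint32_t a = CAVE_ADDR;
    for (int i = 0; i < n; i++) a += cave_len[i];
    return a;
}

/* The patch typed as "A 42e9cf / JMP a93e10 / nop / nop / nop".
 * Returns bytes written, or 0 if the span cannot hold the JMP. */
static size_t build_hook(uint8_t out[8], uint32_t hook, uint32_t cave, size_t displaced)
{
    if (displaced < 5 || displaced > 8) return 0;      /* need room for E9 rel32 */
    uint32_t rel = jmp_rel32(hook, cave);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(rel >> (8 * i));
    size_t n = 5;
    while (n < displaced) out[n++] = 0x90;             /* NOP-pad the leftover bytes */
    return n;
}

int main(void)
{
    uint8_t p[8];
    size_t n = build_hook(p, HOOK_ADDR, CAVE_ADDR, DISPLACED);
    printf("hook bytes at %08X:", (unsigned)HOOK_ADDR);
    for (size_t i = 0; i < n; i++) printf(" %02X", (unsigned)p[i]);
    printf("\nJNZ at %08X -> %08X: rel8 %02X\n",
           (unsigned)cave_insn_addr(CAVE_JNZ), (unsigned)cave_insn_addr(CAVE_MOV_KEY),
           (unsigned)jnz_rel8(cave_insn_addr(CAVE_JNZ), cave_insn_addr(CAVE_MOV_KEY)));
    printf("JMP back at %08X -> %08X: rel32 %08X\n",
           (unsigned)cave_insn_addr(CAVE_JMP_BACK), (unsigned)RETURN_ADDR,
           (unsigned)jmp_rel32(cave_insn_addr(CAVE_JMP_BACK), RETURN_ADDR));
    return 0;
}
```

If you move the cave, every displacement changes, which is exactly why the listing cannot be copied byte for byte into a trainer without recomputing the E9 and 75 operands (or letting the trainer assemble them at run time).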

GOLD  is now 25600
WOOD  is now 25600
FOOD  is now 25600
FAVOR is now 25600

:)))


a small note.. the favor resource is regulated by other factors .. during the game it may switch back to 
a lower number.. this is its maxxed number.. so dont worry about it.. 

SO.. now.. everytime you click on the resources and bring up that TRIBUTE DIALOGBOX you will refill 
all of your resources with 25600 cool eh? :)))

well, once you have done all of that I guess all that remains is to either write down all of those
opcodes, or you can use my SAS tool which will grab that data for you and place it into a MASM array.
anyone coding a trainer in MASM?? you're the lucky ones.. :))



FINAL WORDS
-----------

Man, I love coming to the end of a tutorial.. it means my normal life can continue :).. I hope some of 
you guys have learnt something new, I know I sure as shit did :).. don't forget.. no matter what you
think you know.. or how good you think you are, there is always someone better, so next time that newbie
asks for a little help.. do ME a favor and help him out.. it's the decent thing to do..

take care of yourself and each other.. hehe JERRY!!! JERRY!!!!

until next time dudes.. 


*******************************************************************************************
*******************************************************************************************

If u have any questions or comments then email me at... sh33pr3c@hotmail.com

visit my site for more tutorials.. http://WWW.SHEEPREC.CJB.NET

I would just like to greet some people that support and inspire me....

Odin, MiraMax, KeyboardJunky, Calligula, Orr, DarkLighter, Kilby, LordFinal, ^chaos^.
MiNiSTER, [NTSC], [Drone], Rizzah, Bengi, tko..

No order.. just GREAT people.. 


PLEASE FEEL FREE TO SPREAD THIS DOCUMENT TO ANY SITES!!!!!

Copyright © (1998) 2004 - 2016 GamePatchPlanet.com. All Rights Reserved.