Gamehacking Tutorial Collection (sheeprec)

SUBJECT: DECRYPTING AGE OF MYTHOLOGY - Advanced Gamehacking.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Well, it certainly has been a while since I last decided to take to the keyboard and inform you lucky people of some of the new techniques and interesting tricks I've come across while training the best titles the PC has to offer..

All of my tutorials from this point onward are going to be for the experienced gamehackers. I'm not going to make allowances for people who don't understand certain aspects of SoftICE or asm; you should all be capable of working at an advanced pace by now, and if you are not then I suggest you stop reading now.

I seem to have gotten a reputation for being an asshole to newbies.. hehe.. come on.. ME? All I have to say to this is that it takes a long time to create these tutorials, and to be honest I would be just as happy explaining this shit to JUST my friends and not the masses, but I feel that we all deserve a shot at creating cool trainers and understanding something more than boring NOP hacks.. see.. I'm not so bad :)

TOOLS NEEDED: SoftICE, memory searcher (your choice), SAS (my tool for grabbing injected code).

Locations...

SOFTICE.........................LOOK FOR IT!!! ITS ON THE WEB!!
MEMORY SEARCHER.................GAMEHACKING.COM or GOOGLE.COM :)
SAS (Sheep's Array of Sunshine)..MY SITE SHEEPREC.CJB.NET

SOFTICE SETUP
*************

When you press CTRL-D to pop SoftICE you should see the following windows..

REGISTER WINDOW - this window is always at the very top of the SoftICE display (WR [return]) and shows the contents of all the registers.

DUMP WINDOW - generally situated close to the top of the SoftICE display (WD [return]); it is a split-screen display, one side ASCII, the other hex.

CODE WINDOW - this is the main window, sitting just under the DUMP WINDOW (WC [return]); it contains the code of whatever process may be running when you pop SoftICE. The code is shown as ASSEMBLY LANGUAGE instructions.

The commands in the brackets are what you need to type to turn the different windows on. You also need to type CODE ON; this will bring up the OPCODES, which are the bytes displayed to the left of each ASM instruction and to the right of every memory location in the CODE WINDOW.

Well, it's Sunday the 3rd of November 2002, and at this present time only the cheats for AGE OF MYTHOLOGY have been released to the public. I have seen no trainers or even heard of anyone managing a resource hack. All this is going to change once you have read this tutorial. I can fully understand why there are no trainers: the usual trainer muppets that produce substandard trainers and then release them onto the unsuspecting public would have given up on this game a long time ago, because you actually need to do some work to get a working resource hack :) MAN I'M GRUMPY.. :))

LESSON START
************

Sections..

i)   Ground Work.
ii)  Finding our values (the hard but secure way).
iii) Looking at the Decryption Routine.
iv)  Code Injection (making the resource hack).
v)   Final Words.

GROUND WORK
-----------

Ok, GROUND WORK is a term I use for the very first information gleaned from the game you are trying to hack.
The first thing I noticed about AGE OF MYTHOLOGY was that the searches take forever :) so it's not going to be a nice quick hack.. :( After doing a few search patterns and wasting about an hour of my life I decided that the game wasn't using the usual methods of INC/DECing the values; the only alternative was that it used encrypted (usually XOR'ed) values which are only decrypted at the moment the game actually uses them.

If there is one thing for certain in this world apart from death and tax, it's that commercial programmers are lazy bastards and will certainly not do more work than is absolutely necessary. For us this is very good news, because it translates into there actually being values NOT encrypted in the game that we CAN get a handle on to find the encrypted resource values..

APPENDED NOTE!!
===============

You can also find the values by doing a VERY long-winded CHANGED/NOT CHANGED search, but I'm trying to teach you some advanced techniques that DO have major advantages in the future; all will become clear soon.. Anyway.. if you wish to obtain the values in this way be my guest, but I suggest you stick with me and do it the way I did.

FINDING OUR VALUES THE HARD BUT SECURE WAY
-------------------------------------------

Ok, there is lots of work to do so let's get on with it. The first thing we need to do is find some values that have direct contact with the ENCRYPTED RESOURCE VALUES but are not actually encrypted themselves... This is how it's achieved..

Load up Age Of Mythology.
Start a single player, random map.
It must have 2v2 selected.

Once the game has loaded up we can start looking around for something useful to us; I've already done this bit for you to save time.. Click on the icon of the FOOD RESOURCE; this should bring up a TRIBUTE DISPLAY DIALOGBOX with all of your resources inside.. (this is for giving supplies to your allies, HENCE the 2v2 necessity).
On this screen you will notice that you have 3 boxes with the value 0 in them, each next to the name of one of your allies.. these indicate how much of that resource type you wish to send over. If you left-click on one of the 0 boxes it should place 90 into the box; now right-click the same box and it will reduce the number to 0 again. Do you feel a search pattern coming on? :)

APPENDED NOTE!!!
================

Finding options in games that are difficult to obtain usually comes down to 2 things:

1. a good logical thought process
2. good debugging skills.

In this instance we need to follow a simple logical pathway to understand why this resource-sending approach will help us.

1. RESOURCE BOX IS CLICKED
   |
2. INCREASE RESOURCE_SEND_VALUE
   |
3. CLICK "SEND" BUTTON ON TRIBUTE DIALOGBOX
   |
4. RESOURCE_SEND_VALUE IS COMPARED TO ENCRYPTED RESOURCE VALUES   *link here to real value
   |
5. INCREASE ALLIES' SUPPLIES BY RESOURCE_SEND_VALUE
   |
6. DECREASE YOUR SUPPLIES BY RESOURCE_SEND_VALUE                  *link here to real value

So you can see that the marked items on the list would be VERY valuable to us, because they actually affect the ENCRYPTED RESOURCES, but it's all linked to the FIRST STEP, which is clicking that resource box.. it's just a thing to keep in mind in the future when trying to get a handle on harder options :)

Ok, let's continue.. We now need to do an inc/dec search to find this RESOURCE_SEND_VALUE. This is how we do it.. (I shouldn't need to tell you this shit, but here goes)

Start an UNKNOWN VALUE search.. (4 bytes)
Click the resource box with 0 inside (90 is added).
Search Increased..
Right-click the box (90 is subtracted).
Search Decreased..
REPEAT!!!

Because the RESOURCE_SEND_VALUE isn't too obviously linked to the resource values, it seems that Ensemble Studios have given us a break and not encrypted it, so you will indeed be able to locate this address eventually.. it took me about 5 minutes to come up with this address..
2974db0 - RESOURCE_SEND_VALUE (your value MAY be different)

Ok, once you have found this value we need to breakpoint it so that we can start our investigative journey. Do this..

BPM 2974db0

The above instruction will place an OPEN breakpoint on the address, which means SoftICE will pop every time that value is either READ or WRITTEN to.. Once you have done this, exit SoftICE with F5 until you are back in the game, make sure you have something in the resource box to send to your allies (90 is fine), and then press the SEND button at the bottom of the screen.

BANG!! Immediately you should be looking at SoftICE with the code below in your main code window display.. At this point you may want to type WF to take a look at the floating point stack.

001B:0042EBD3 33FF          XOR EDI,EDI
001B:0042EBD5 81C36C030000  ADD EBX,0000036C
001B:0042EBDB D906          FLD REAL4 PTR [ESI]           ; load FP stack position 0 (ST0) with the amount of resources being sent.
001B:0042EBDD D81D6CCC9300  FCOMP REAL4 PTR [0093CC6C]    <--------- ; you will be landing here.
001B:0042EBE3 DFE0          FSTSW AX
001B:0042EBE5 F6C441        TEST AH,41
001B:0042EBE8 0F858A000000  JNZ 0042EC78
001B:0042EBEE D90570CC9300  FLD REAL4 PTR [0093CC70]
001B:0042EBF4 8B542410      MOV EDX,[ESP+10]
001B:0042EBF8 D8A284030000  FSUB REAL4 PTR [EDX+00000384]
001B:0042EBFE D83E          FDIVR REAL4 PTR [ESI]
001B:0042EC00 D95C2414      FSTP REAL4 PTR [ESP+14]
001B:0042EC04 D903          FLD REAL4 PTR [EBX]           <----------- ; EBX contains a pointer to the decrypted resource value.
001B:0042EC06 D8642414      FSUB REAL4 PTR [ESP+14]
001B:0042EC0A D8156CCC9300  FCOM REAL4 PTR [0093CC6C]
001B:0042EC10 DFE0          FSTSW AX
001B:0042EC12 F6C401        TEST AH,01
001B:0042EC15 755F          JNZ 0042EC76

Oki.. basically the routine above checks firstly whether you have entered anything to send to your allies, and then whether you actually have enough of that resource to send.. Now we must press F10 (trace) until we reach location 001B:0042EC04; it's marked on the code above...
Before we go on it's a good idea to clear all of our old breakpoints, so do this...

BC*

Once you have done this we need to dump EBX into our DUMP WINDOW... so type

D EBX

This will display the memory at the location stored in EBX in the DUMP WINDOW; in the top left-hand corner of the DUMP WINDOW should now be the decrypted value of our resource. Once we have got this far we need to place yet another breakpoint on the location now displayed in the top left-hand corner of the DUMP WINDOW. This breakpoint needs only WRITE access, and we place it by doing this.. my DUMP WINDOW was at 2974eb4 so..

BPM 2974eb4 W

Once this is set, press F5 until you get back out into the game.... now click back on the FOOD RESOURCE icon to bring up the TRIBUTE DIALOGBOX again...

BANG!!!

LOOKING AT THE DECRYPTION ROUTINE
---------------------------------

When SoftICE pops you should be looking at the code below in your code window.

001B:0042E9C5 8B4C2434      MOV ECX,[ESP+34]
001B:0042E9C9 53            PUSH EBX
001B:0042E9CA E811791500    CALL 005862E0             <------ ; decrypt value CALL
001B:0042E9CF D91E          FSTP REAL4 PTR [ESI]      <------ ; you will be here. This places the decrypted value into memory.. it's updating our value, that's why SoftICE popped.
001B:0042E9D1 8BAEF0FDFFFF  MOV EBP,[ESI-0210]
001B:0042E9D7 55            PUSH EBP

Ok, so now we know that the main decryption routine will live inside CALL 005862e0, because just after it the decrypted value is placed into memory.. not always the case, but in this game it is :)

Before we continue, disable our old breakpoint by doing this..

BD*

So, now we are here we need to breakpoint 42e9ca. This time it's an execution breakpoint, so we do this..

BPX 42e9ca

You could also either use your mouse to double-click it (if you're using one inside SoftICE) or you could highlight the address and then press F9.. doesn't matter as long as you breakpoint that address.. So now.. again!! press F5 until you are back in the game.. click CANCEL on the TRIBUTE DIALOGBOX..
Then click back on the FOOD RESOURCE icon...

BANG!!!

We are back where we just breakpointed.. but now we are here BEFORE the value is decrypted, so we can see exactly what is going on with our resource values :) Trace into the call at 42e9ca by pressing F8.. you now see this..

001B:005862E0 833900        CMP DWORD PTR [ECX],00    <---- ; you are here...
001B:005862E3 7419          JZ 005862FE
001B:005862E5 8B442404      MOV EAX,[ESP+04]
001B:005862E9 85C0          TEST EAX,EAX
001B:005862EB 7C11          JL 005862FE
001B:005862ED 3B057028A300  CMP EAX,[00A32870]
001B:005862F3 7D09          JGE 005862FE
001B:005862F5 50            PUSH EAX
001B:005862F6 E885FAFFFF    CALL 00585D80             <----- ; main decryption routine..
001B:005862FB C20400        RET 0004

Once again keep tracing with F10 until you come to 5862f6, then press F8 to trace into the call.. you will see this...

001B:00585D80 55              PUSH EBP                  <----- ; you will be here...
001B:00585D81 8BEC            MOV EBP,ESP
001B:00585D83 83EC08          SUB ESP,08
001B:00585D86 8B01            MOV EAX,[ECX]             ;
001B:00585D88 8945FC          MOV [EBP-04],EAX          ;
001B:00585D8B 8B4D08          MOV ECX,[EBP+08]          ; SET UP POINTERS
001B:00585D8E 8B55FC          MOV EDX,[EBP-04]          ;
001B:00585D91 8B048D6C9F9B00  MOV EAX,[ECX*4+009B9F6C]  ; move decryption key into EAX
001B:00585D98 33048A          XOR EAX,[ECX*4+EDX]       ; this instruction does the decrypting.. it takes the REAL ENCRYPTED RESOURCE VALUE and XORs it with the decryption key, so EAX now contains the decrypted value..
001B:00585D9B 8945F8          MOV [EBP-08],EAX
001B:00585D9E D945F8          FLD REAL4 PTR [EBP-08]
001B:00585DA1 8BE5            MOV ESP,EBP
001B:00585DA3 5D              POP EBP
001B:00585DA4 C20400          RET 0004

A few notes..
=============

EDX = start of YOUR RESOURCES STRUCTURE.. ie. EDX+0 (GOLD), +4 (WOOD), +8 (FOOD), +C (FAVOR)

9b9f6c = DECRYPTION KEY TABLE. Consists of 5 values..

12345678...09abcdef...0badf00d...deadbeef...76543210  <-- these are all hexadecimal decryption keys..

WELL!! Lots to take in there, eh? .. this is where all the business goes down :) As you can see from my description, the value we really need to look at is at address 585d98..
This instruction references the REAL ENCRYPTED ADDRESS of our RESOURCES.. so now do this..

D ecx*4+edx

and if you have followed this tutorial exactly, in the top left-hand corner of the DUMP WINDOW you should now see the REAL ENCRYPTED GOLD RESOURCE VALUE... If you now look into EAX you will see the key that is used to decrypt that RESOURCE VALUE. We can do a little test for this..

42c80000 = 100.0 in float hex notation..
^ = XOR in SoftICE

so.. in SoftICE type this..

?12345678^42c80000

you will get this answer..

50fc5678

If you enter that number into the top left-hand corner, replacing your original encrypted RESOURCE VALUE, you will have changed your gold value to 100. Press F5 to get out of SoftICE and back to the game and you can make sure that your gold value is indeed 100. :)

CODE INJECTION - MAKING THE RESOURCE HACK
-----------------------------------------

We now have all the information we need to produce a working hack... Return to the game.. without the TRIBUTE DIALOGBOX showing.. now press the FOOD RESOURCE ICON again..

BANG!! Again SoftICE should take you to here...

001B:0042E9CA E811791500    CALL 005862E0            <------ ; you will be here.
001B:0042E9CF D91E          FSTP REAL4 PTR [ESI]

Press F10 to trace over the call.. then we examine the REGISTERS...

EAX = 42c80000 (this is 100.0 in hex.. it's the decrypted resource value)
EBX = 0        (this is the index used to calculate which key to use from the table)
ECX = 0
EDX = 59d2010  (may be different on yours.. this is the base address of your resource structure.)

Oki.. so what have we got??

1. BASE address of the decryption key table.. (9b9f6c) STATIC
2. BASE address of the encrypted resource values.. (59d2010) DYNAMIC (may be different on yours)

With these 2 values and the location to inject at, 42e9cf.. we are all ready to do our injecting..

Oki.. the first thing to do is find a nice spot to place your injected code.. anyone that is still reading this tutorial AND FOLLOWING IT!! will be able to do this..
So I'm not going to explain how to do it.. use your fave method and keep reading once you have done this.... I chose a93e10... so type..

A 42e9cf

then type

JMP a93e10       (you obviously have to use your code injection place, not mine :))
nop
nop
nop

This will balance up the bytes we just destroyed (we need to recreate them in our code injection).

Oki.. I'm just going to give you my injected code and then explain it afterwards..

D91E            FSTP REAL4 PTR [ESI]        ; re-create the instruction we destroyed with our jmp
8BAEF0FDFFFF    MOV EBP,[ESI-0210]          ; re-create the instruction we destroyed with our jmp
53              PUSH EBX                    ; save EBX onto the stack
51              PUSH ECX                    ; save ECX onto the stack
33DB            XOR EBX,EBX                 ; EBX = 0
8B0C9D6C9F9B00  MOV ECX,[EBX*4+009B9F6C]    ; move decryption key into ECX
81F10000C842    XOR ECX,46C80000            ; encrypt 25600.0 with the encryption key..
890C9A          MOV [EBX*4+EDX],ECX         ; move the new encrypted value back into memory (resource = 25600.0)
43              INC EBX                     ; increase loop counter
83FB04          CMP EBX,04                  ; have we done ALL resources?
75EA            JNZ 00A93E1C                ; if we haven't it will jump back and do the next resource
59              POP ECX                     ; restore ECX
5B              POP EBX                     ; restore EBX
E99BAB99FF      JMP 0042E9D4                ; jmp back to normal game code execution..

As you can see it looks a little more complex than your usual code-injected hacks, mainly because all the code is actually specific to its location.. ie.. you won't be able to grab the decryption keys and the BASE location of the encrypted resources from just anywhere; they need to be taken at certain places..

Well.. this is it.. What it does is take the first key from the key table, encrypt the 25600 value with that key, which gives us the value to save back into memory.. we then move this value back where it should be and carry on to the next KEY and the next VALUE, doing the same.. until we reach 4, which is the end of the loop and the number of resources we are hacking :)

GOLD  is now 25600
WOOD  is now 25600
FOOD  is now 25600
FAVOR is now 25600

:)))
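An added example, not part of the original tutorial: a Python model of the XOR scheme traced in the decryption routine at 585d98 and rewritten by the injected loop above. The key table uses the values quoted in the notes above (treated as sample data) and the structure contents are constructed; it reproduces the ?12345678^42c80000 = 50fc5678 check and shows why a static per-slot XOR mask protects nothing: the mask falls out of one displayed value, and differences between stored words equal differences between plaintexts, so a plain changed/not-changed search still works.

```python
import struct

# Key table at 9b9f6c and resource layout (EDX+0/+4/+8/+C) as traced in the
# tutorial; the key values are the ones quoted there, used here as sample data.
KEY_TABLE = [0x12345678, 0x09ABCDEF, 0x0BADF00D, 0xDEADBEEF, 0x76543210]
RESOURCE_NAMES = ["GOLD", "WOOD", "FOOD", "FAVOR"]


def float_to_bits(value: float) -> int:
    """REAL4 bit pattern of a float, e.g. 100.0 -> 0x42C80000."""
    return struct.unpack("<I", struct.pack("<f", value))[0]


def bits_to_float(bits: int) -> float:
    """Inverse of float_to_bits (what FLD REAL4 PTR [EBP-08] does)."""
    return struct.unpack("<f", struct.pack("<I", bits & 0xFFFFFFFF))[0]


def decrypt_slot(stored: list, index: int) -> float:
    """Mirror of 585D91/585D98: key[index] XOR stored[index], loaded as a float."""
    return bits_to_float(KEY_TABLE[index] ^ stored[index])


def encrypt_slot(value: float, index: int) -> int:
    """XOR is its own inverse, so the same key turns a float back into a stored word."""
    return KEY_TABLE[index] ^ float_to_bits(value)


def decode_structure(stored: list) -> dict:
    """Decode the four-slot resource structure into named floats."""
    return {name: decrypt_slot(stored, i) for i, name in enumerate(RESOURCE_NAMES)}


def encode_structure(values: dict) -> list:
    """Inverse of decode_structure; the injected loop above does this for all four slots."""
    return [encrypt_slot(values[name], i) for i, name in enumerate(RESOURCE_NAMES)]


def recover_key(stored_word: int, displayed_value: float) -> int:
    """Known plaintext: the tribute dialog displays the decoded float, so one XOR
    of the stored word with that value gives back the static key."""
    return stored_word ^ float_to_bits(displayed_value)


def stored_delta_equals_plain_delta(a: float, b: float, index: int) -> bool:
    """With a fixed key the difference between two stored words equals the difference
    between the two plaintexts, which is why a changed/not-changed search still works."""
    return (encrypt_slot(a, index) ^ encrypt_slot(b, index)) == (
        float_to_bits(a) ^ float_to_bits(b)
    )


if __name__ == "__main__":
    # Constructed structure: gold 100.0, wood 250.0, food 300.0, favor 10.0
    sample = encode_structure({"GOLD": 100.0, "WOOD": 250.0, "FOOD": 300.0, "FAVOR": 10.0})
    print([hex(w) for w in sample])            # sample[0] is 0x50fc5678, as in the test above
    print(decode_structure(sample))
    print(hex(recover_key(sample[0], 100.0)))  # 0x12345678
```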
Note on FAVOR: the favor resource is regulated by other factors.. during the game it may switch back to a lower number.. 25600 is its maxed number.. so don't worry about it..

SO.. now.. every time you click on the resources and bring up that TRIBUTE DIALOGBOX you will refill all of your resources with 25600. Cool eh? :)))

Well, once you have done all of that, I guess all that remains is to either write down all of those opcodes, or you can use my SAS tool which will grab that data for you and place it into a MASM array. Anyone coding a trainer in MASM?? You're the lucky ones.. :))

FINAL WORDS
-----------

Man, I love coming to the end of a tutorial.. it means my normal life can continue :).. I hope some of you guys have learnt something new; I know I sure as shit did :).. Don't forget.. no matter what you think you know.. or how good you think you are, there is always someone better, so next time that newbie asks for a little help.. do ME a favor and help him out.. it's the decent thing to do.. take care of yourself and each other.. hehe JERRY!!! JERRY!!!!

Until next time dudes..

*******************************************************************************************
*******************************************************************************************

If you have any questions or comments then email me at... sh33pr3c@hotmail.com

Visit my site for more tutorials.. http://WWW.SHEEPREC.CJB.NET

I would just like to greet some people that support and inspire me....

Odin, MiraMax, KeyboardJunky, Calligula, Orr, DarkLighter, Kilby, LordFinal, ^chaos^, MiNiSTER, [NTSC], [Drone], Rizzah, Bengi, tko.. No order.. just GREAT people..

PLEASE FEEL FREE TO SPREAD THIS DOCUMENT TO ANY SITES!!!!!