Cheat question: How to track values behind shared buffer zones?


May 29, 2017
Hi guys, lately I have been trying to cheat this game: Steel Division Normandy 44. I was wondering if a game design similar to this can be unhackable?
I'll explain in detail:

In most games, when A shoots at B, the steps of computation like hit/miss, armor mitigation and HP reduction are done in a sequential manner, and unit data are nested together, so it's easy to find A's armor rating from its HP, since they are close in memory and are used in adjacent code lines. However, this game is different.

First, they tear unit A's memory values apart into many pieces, one value per memory location, and store them in dynamic containers (say, a linked list of all key-value pairs).
Then, each time that value is accessed/stored, they pass it through a shared buffer zone. There are only a few of them, say 10 for everything? Reused a lot.
Thirdly, they do only one computation per pass, say real dmg = weapon dmg * armor mitigation: they load the operands from dynamic memory behind the buffers, and store the result the same way. This pass does one step of computation for all units, and then it moves on to the next step (pass).

Say we were trying to develop an HP hack for the player's units. In the HP reduction step, we can only see the old HP and the HP loss, but not the playerID, which is used in a much earlier step or even in a different 'sequence of steps' (maybe when trying to tell if A is able to attack B, as the mouse hovers over B).
To trace back to that step, we have to bypass the buffer zone once to get back one step, and since these steps are the very first and last things of an attack, we may be looking at tracing back 5+ steps, hence that many trips through the buffer zone.

In theory it is possible to trace all the way back and find the unit's playerID MANUALLY, but writing cheat code would be difficult, because there is no place to put a tracking mark and pass it along with the data through each trip through the buffer and the many different steps of computation.

Below are code snippets:

SteelDivision.exe+134F4CA - 8B D6 - mov edx,esi
SteelDivision.exe+134F4CC - E8 0F5BCCFF - call SteelDivision.exe+1014FE0
SteelDivision.exe+134F4D1 - F3 0F59 C8 - mulss xmm1,xmm0 <-------one step of computation: mitigation
SteelDivision.exe+134F4D5 - 8B 57 18 - mov edx,[rdi+18]
SteelDivision.exe+134F4D8 - 83 FA FF - cmp edx,-01 { 255 }

SteelDivision.exe+13434C9 - F3 0F58 C7 - addss xmm0,xmm7
SteelDivision.exe+13434CD - 0F28 F3 - movaps xmm6,xmm3
SteelDivision.exe+13434D0 - F3 0F5D F0 - minss xmm6,xmm0 <-------dmg < full HP, notice the distance in code addr
SteelDivision.exe+13434D4 - 0F57 C0 - xorps xmm0,xmm0
SteelDivision.exe+13434D7 - 0F28 F8 - movaps xmm7,xmm0

SteelDivision.exe+1BF8BC - C7 85 100E0000 FFFFFFFF - mov [rbp+00000E10],FFFFFFFF { -1 }
SteelDivision.exe+1BF8C6 - 48 89 BD 180E0000 - mov [rbp+00000E18],rdi
SteelDivision.exe+1BF8CD - 66 0F7F 85 200E0000 - movdqa [rbp+00000E20],xmm0 <-------write to buffer
SteelDivision.exe+1BF8D5 - 48 89 BD 380E0000 - mov [rbp+00000E38],rdi
SteelDivision.exe+1BF8DC - 66 0F6F C8 - movdqa xmm1,xmm0

SteelDivision.exe+1BFD67 - 48 89 85 280E0000 - mov [rbp+00000E28],rax
SteelDivision.exe+1BFD6E - 49 8B 41 30 - mov rax,[r9+30]
SteelDivision.exe+1BFD72 - 48 89 85 200E0000 - mov [rbp+00000E20],rax <-------write to buffer, tens of ways to write to same address
SteelDivision.exe+1BFD79 - 41 8B 81 F8000000 - mov eax,[r9+000000F8]
SteelDivision.exe+1BFD80 - 49 03 41 30 - add rax,[r9+30]
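A constructed model of the design described in the post, added here as an illustration; it is not code from the post or from Steel Division, and the unit data, the three passes and the tracer are invented for the example. It models attributes kept in separate containers, a two-slot shared scratch buffer that every pass writes through, and a write watchpoint that records only (pass, write ordinal, slot, value). It shows why a plain write breakpoint on the buffer does not identify a unit (every pass hits the same address), and that the one tracking mark such a log does carry is the write's ordinal within its pass, which can be joined against the earlier owner-check pass. The join relies on an assumption the disassembly does not prove: that every pass walks the same attack list in the same order.

```c
#include <stdio.h>

/* Constructed model of the pass-based, shared-buffer design from the post.
   Not Steel Division code: units, passes and the tracer are invented. */
#define NUNITS   4
#define NSCRATCH 2          /* tiny pool of shared buffers reused by every pass */
#define MAXLOG   128

/* Attributes live in separate containers: owner is not adjacent to hp. */
static int   owner[NUNITS] = {0, 0, 1, 1};
static float hp[NUNITS]    = {100.f, 60.f, 80.f, 40.f};
static float armor[NUNITS] = {0.5f, 0.25f, 1.0f, 0.75f};   /* mitigation factor */
static float wdmg[NUNITS]  = {50.f, 30.f, 40.f, 70.f};

/* Constructed attack orders for one frame: attacker -> target. */
struct attack { int attacker, target; };
static const struct attack attacks[] = {{0, 2}, {3, 1}, {2, 0}, {1, 0}};
#define NATTACKS ((int)(sizeof attacks / sizeof attacks[0]))

union word { float f; int i; };
static union word scratch[NSCRATCH];        /* the shared buffer zone */

/* Tracer: models a write watchpoint on the buffer. It sees which pass is
   running and the order of writes within it, never a unit or player id. */
struct rec { int pass, seq, slot; union word v; };
static struct rec wlog[MAXLOG];
static int nlog;

static void put(int pass, int seq, int slot, union word v)
{
    scratch[slot] = v;
    if (nlog < MAXLOG) wlog[nlog++] = (struct rec){pass, seq, slot, v};
}
static union word fw(float f) { union word w; w.f = f; return w; }
static union word iw(int i)   { union word w; w.i = i; return w; }

/* Per-attack results, each in its own container behind the buffer. */
static int   hostile[NATTACKS];
static float real_dmg[NATTACKS];

/* Pass 0: owner check, the only step where a player id touches the buffer. */
static void pass_owner_check(void)
{
    for (int k = 0; k < NATTACKS; k++) {
        put(0, k, 0, iw(owner[attacks[k].attacker]));
        put(0, k, 1, iw(owner[attacks[k].target]));
        hostile[k] = scratch[0].i != scratch[1].i;
    }
}
/* Pass 1: real_dmg = weapon_dmg * mitigation (the mulss step). */
static void pass_mitigation(void)
{
    for (int k = 0; k < NATTACKS; k++) {
        put(1, k, 0, fw(wdmg[attacks[k].attacker]));
        put(1, k, 1, fw(armor[attacks[k].target]));
        real_dmg[k] = scratch[0].f * scratch[1].f;
    }
}
/* Pass 2: hp -= min(real_dmg, hp) (the minss step). Only old HP and the
   loss go through the buffer, so nothing here says whose unit it is. */
static void pass_hp_reduction(void)
{
    for (int k = 0; k < NATTACKS; k++) {
        int t = attacks[k].target;
        put(2, k, 0, fw(hp[t]));
        put(2, k, 1, fw(real_dmg[k]));
        float loss = scratch[1].f < scratch[0].f ? scratch[1].f : scratch[0].f;
        if (hostile[k]) hp[t] = scratch[0].f - loss;
    }
}
void run_frame(void) { nlog = 0; pass_owner_check(); pass_mitigation(); pass_hp_reduction(); }

/* A breakpoint on the buffer alone is useless: every pass hits the same slot. */
int writes_to_slot(int slot)
{
    int n = 0;
    for (int i = 0; i < nlog; i++) n += wlog[i].slot == slot;
    return n;
}
/* Recovery: the tracking mark is the write ordinal within its pass.
   Assumption (not shown by the disassembly): all passes walk the attack list
   in the same order, so seq k in pass 2 and seq k in pass 0 are one attack. */
static const struct rec *find(int pass, int seq, int slot)
{
    for (int i = 0; i < nlog; i++)
        if (wlog[i].pass == pass && wlog[i].seq == seq && wlog[i].slot == slot)
            return &wlog[i];
    return NULL;
}
int   owner_of_hp_write(int seq) { const struct rec *r = find(0, seq, 1); return r ? r->v.i : -1; }
float hp_before_write(int seq)   { const struct rec *r = find(2, seq, 0); return r ? r->v.f : -1.f; }
float unit_hp(int u)             { return hp[u]; }

int main(void)
{
    run_frame();
    for (int k = 0; k < NATTACKS; k++)
        printf("hp write %d: old hp %.1f, target owned by player %d\n",
               k, hp_before_write(k), owner_of_hp_write(k));
    return 0;
}
```

The practical reading: with a hardware write breakpoint on the buffer you get a stream of writes that all look alike; what distinguishes them is the return address (which pass) and the ordinal within that pass, and the join above is only sound if no pass filters or reorders the list in between. If it does, the ordinal must be replaced by something the passes do share, such as the address of the per-attack container entry that both passes load from.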