In-depth tutorial for code tracing - finding checksum checks

seikur0
Code Alchemist
Posts: 440
Joined: Sat Aug 26, 2017 10:48 am
Reputation: 339


Post by seikur0 »

Hi everyone,

I made a very educational video and I think you can learn quite a lot from it, so I'm posting it here. It just turned out to be slightly short of one hour; it didn't feel that long, though.
It's me (re-)finding the checksum code for Monster Hunter Stories 2, while also describing the methods used in great detail.
In the video I use the "Break and Trace" feature of Cheat Engine quite a lot.

So, starting from the beginning: the game Monster Hunter Stories 2 has, among other anti-cheat measures that prevent you from attaching the CE debugger or setting breakpoints, CRC checks running over its code, effectively preventing any form of code-injection-based cheat (the ones where you replace some code, e.g. "write gold", with a jump to your own code, where you instead execute "write a lot of gold" and then jump back). If the check determines that the game code was changed, it'll sort of freeze.

In those cases you want to prevent the checksum checks, and while there are many solutions for this, a very nice one is to change the code location of "Is the calculated checksum equal to the expected checksum?" and just let the answer always be yes.

Since we're talking Monster Hunter here, they weren't happy with just one check; they actually have a lot of them, tightly interwoven with the real game code and obfuscated quite a lot. But once you find just one, you can sort of abstract a pattern and thus find all of them with that pattern. In the video I won't be going into that; I'll just go from "so I have some code accessing the gold value and I want to change that" to "where is the code that compares the real/expected checksum to the one calculated from the current code?".

Let me also add that I didn't prepare for this in the slightest, and originally I actually used a slightly different method to reach the goal, so it was very, very live, and I'm glad it turned out well and I found the CRC check. I don't think I strayed from that goal very far, but I didn't cut the video or anything, so bear with some pauses here and there.

So here you go:
[Link]

(I hope posting video links like that is allowed here, otherwise someone should tell me how I should do it.)

Have fun and stay cool,
SeiKur0
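The post describes two mechanisms without showing them: a CRC running over the game's code that trips when a jump hook overwrites the first bytes of a routine, and the "abstract a pattern, find every site, force the answer to yes" step used to defeat all of the interwoven checks at once. The following is an added C example written for this page, not code from the video or from the game. The routine bytes, the binary image, and the shape of the compare site (`cmp ecx, eax` followed by `jne rel32`) are all constructed for illustration; a real target's check sites will look different and the pattern has to come from the one you actually traced.

```c
/* Added example (not from the post or the game): a CRC-32 code-integrity
   guard, the hook that trips it, and a wildcard byte-pattern scan that
   locates every "compare checksum, jump if different" site and NOPs the
   jump so the check can only ever answer "yes". */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CRC-32 as used by zlib / IEEE 802.3: reflected polynomial 0xEDB88320,
   initial value and final XOR 0xFFFFFFFF.  Bit-serial on purpose, so it is
   easy to compare with what you see while single-stepping a real check. */
uint32_t crc32_region(const uint8_t *p, size_t n)
{
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for a "write gold" routine (x86-64):
   mov [rcx+0x10], edx ; ret ; int3 padding.  Not taken from any real game. */
#define ROUTINE_LEN 16
static const uint8_t ROUTINE_ORIGINAL[ROUTINE_LEN] = {
    0x89, 0x51, 0x10, 0xC3, 0xCC, 0xCC, 0xCC, 0xCC,
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC };

/* What the game keeps for each guarded region: where it is and the
   checksum computed from the pristine bytes. */
typedef struct {
    const uint8_t *region;
    size_t len;
    uint32_t expected;
} guard_t;

/* 1 if the region still matches its expected checksum, 0 if it was modified. */
int guard_passes(const guard_t *g)
{
    return crc32_region(g->region, g->len) == g->expected;
}

/* The classic code-injection cheat: overwrite the first 5 bytes with
   "jmp rel32" (E9 xx xx xx xx) to your own code. */
void install_jmp_hook(uint8_t *code, int32_t rel32)
{
    code[0] = 0xE9;
    memcpy(code + 1, &rel32, sizeof rel32);
}

/* Cheat Engine style array-of-bytes scan: mask[i] == 0 means "??".
   Returns the number of matches; offsets go to out[] (up to max_out). */
size_t scan_pattern(const uint8_t *hay, size_t hay_len,
                    const uint8_t *pat, const uint8_t *mask, size_t pat_len,
                    size_t *out, size_t max_out)
{
    size_t found = 0;
    if (pat_len == 0 || hay_len < pat_len) return 0;
    for (size_t i = 0; i + pat_len <= hay_len; i++) {
        size_t j = 0;
        while (j < pat_len && (!mask[j] || hay[i + j] == pat[j])) j++;
        if (j == pat_len) {
            if (found < max_out) out[found] = i;
            found++;
        }
    }
    return found;
}

/* One plausible shape of "is calculated == expected?" (constructed, not the
   game's real pattern):
     3B C8                 cmp ecx, eax      ; calculated vs expected
     0F 85 xx xx xx xx     jne rel32         ; taken only when they differ
   The rel32 is wildcarded because every site jumps somewhere else. */
static const uint8_t CHECK_PAT[8]  = { 0x3B, 0xC8, 0x0F, 0x85, 0, 0, 0, 0 };
static const uint8_t CHECK_MASK[8] = { 1, 1, 1, 1, 0, 0, 0, 0 };

/* Force the answer to "yes" everywhere: NOP out the 6-byte jne at every site
   so the "checksums differ" path is unreachable.  Returns sites patched. */
size_t neutralize_checks(uint8_t *bin, size_t len)
{
    size_t hits[64];
    size_t n = scan_pattern(bin, len, CHECK_PAT, CHECK_MASK, 8, hits, 64);
    if (n > 64) n = 64;
    for (size_t i = 0; i < n; i++)
        memset(bin + hits[i] + 2, 0x90, 6);   /* keep the cmp, drop the jne */
    return n;
}

/* Constructed "binary": filler bytes with three check sites at fixed offsets,
   each with a different jump target, as interwoven checks would have. */
#define BIN_LEN 64
size_t build_sample_binary(uint8_t *bin)
{
    const uint8_t site[8] = { 0x3B, 0xC8, 0x0F, 0x85, 0x10, 0x00, 0x00, 0x00 };
    memset(bin, 0x48, BIN_LEN);               /* filler, never matches 3B C8 */
    memcpy(bin + 5,  site, 8); bin[5 + 4]  = 0x10;
    memcpy(bin + 23, site, 8); bin[23 + 4] = 0x42;
    memcpy(bin + 50, site, 8); bin[50 + 4] = 0x7F;
    return BIN_LEN;
}

/* 1 if the guard passes on pristine code and fails once the hook is in. */
int demo_hook_trips_guard(void)
{
    uint8_t routine[ROUTINE_LEN];
    memcpy(routine, ROUTINE_ORIGINAL, ROUTINE_LEN);
    guard_t g = { routine, ROUTINE_LEN, crc32_region(ROUTINE_ORIGINAL, ROUTINE_LEN) };
    int before = guard_passes(&g);
    install_jmp_hook(routine, 0x1000);
    int after = guard_passes(&g);
    return before == 1 && after == 0;
}

/* Number of check sites found and patched in the sample binary. */
size_t demo_sites_patched(void)
{
    uint8_t bin[BIN_LEN];
    size_t len = build_sample_binary(bin);
    return neutralize_checks(bin, len);
}

/* Number of check sites still matching after one neutralization pass. */
size_t demo_sites_remaining(void)
{
    uint8_t bin[BIN_LEN];
    size_t len = build_sample_binary(bin);
    neutralize_checks(bin, len);
    return scan_pattern(bin, len, CHECK_PAT, CHECK_MASK, 8, NULL, 0);
}

int main(void)
{
    printf("crc32(\"123456789\") = %08X\n",
           crc32_region((const uint8_t *)"123456789", 9));
    printf("hook trips guard: %d\n", demo_hook_trips_guard());
    printf("sites patched: %zu, remaining: %zu\n",
           demo_sites_patched(), demo_sites_remaining());
    return 0;
}
```

Two things worth keeping in mind when carrying this over to a real target. First, NOPing a `jne` is itself a code modification: if another check's region covers that compare site, the second check will now fail, which is exactly why every site has to be neutralized in the same pass rather than one at a time. Second, the wildcard mask is what makes one traced site generalize to the others; wildcard anything that varies per site (jump displacements, register encodings the obfuscator shuffles) and keep the bytes that encode the compare itself.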
