Crown Trick help please. Understand basics, Unity not so much

Post by t3xboar »

Hello everyone,

Been around CE since about version 3ish, dabbled like us all, know the basics but tbh, never really took it further than a here and there go-to over the years. In comes something like Crown Trick. Annoying little sod to edit... challenge accepted!

So! In the spirit of what CE was/is, I've decided to register an account and brainstorm it out with you all for a gem of a game. :)

link here someone made a req with bit of info. viewtopic.php?t=14134
edit: older trainer? here. maybe we can edit to update? viewtopic.php?t=10293


///////////using gog torrent fyi//////////////////////////

To begin, this is a Unity ported game, so normal searching will find your items, gold etc, but all changes will be wiped out the second you touch a button. This changes how you edit; dabbling in a bit of Unity, I get the gist of how it's structured. So we attach (CE 7.1 64bit) to the process, then mono up!

We need to grab the 1st thing and expand, then look for (usually top) assembly-csharp here.

Inside we have a list view of all the game items and codes. It takes a very long time to go through this by hand, so let's use the search. Gold will turn up everywhere, but as most Unity games use currency tags of some sort as a built-in reference, a better bet is to search for that instead.

We pull a multitude of things to play with! The list view is broken into the 3 main coded parts up top (10, 18 and 20) with what they do exactly in ref to the junk below. We will need these later visually, put aside for now.
Below all that are the things we can start looking to play with. Do we want to inject? Do we want to change the drop rates for added gold? This time around I want to try something as simple as just editing the gold itself.

So I'll grab this here (blue) and right click it, and choose JIT to pop up the box.

// now here is where I'm stuck n rusty as a spoon haha //

I know we are looking at the 3 titles within the tree of 10, 18, 20, then trying to use the one "around" it to see if an inject works. IE: find 18, then use 10 or 20 in the end code to "edit" it live, make the change in memory and let it be continual until you close the game. Usually in HP this means killing you / healing you (above below the mid neutral state of hp or the gist of it.)

Here in the gold, we can find the 10, see that the code is [rbp-10] which is prob the 10 above in the list. I can't seem to figure out the 80/20 to grab the [] and replace it in the 10 part, to see if it hooks/works/etc..

Then part 2 would be to run the assemble once you replace as an FYI to see if it all works out. This I'm rusty on also, not having full Unity/CE knowledge haha.

So I would appreciate a little help to get over the final hump. Or is the above totally off the mark and I'm doing everything wrong :P possible! thanks!

Oh and thank you all for the wonderful program and tables over all the years btw :D

Post by aSwedishMagyar »

I would not edit the addresses from those two opcodes as they are likely values that have been pushed onto the stack and not your real gold address. I would recommend you start off setting a breakpoint at the beginning of the function and using 'step over' to see what registers are holding your current value and new value. You may want to 'step into' CurrencyData:Set as that probably takes the xmm2 value and writes it into the correct address. Note that the value you found may be only a UI element and that could be the reason it changes when you pick up gold. From what I can see, you should have searched for a 'double' to find your gold, see the return type for get_Gold()? If I were you I would actually start in get_Gold() and just try to find where your gold is stored, then you can do a 'what accesses this address' to figure out exactly where gold is being added.

Post by Cake-san »

CurrencyData:Set is a good spot

Code:

{$lua}
function getInsForJump(address,registername,destination,allocsize,SharedMemoryName)
  address = getAddressSafe(address)
  if address==nil then error('getInsForJump address nil') return end
  if allocsize==nil then allocsize=4096 end
  destination=getAddressSafe(destination)
  if destination==nil then
	if SharedMemoryName==nil then destination = allocateMemory(allocsize,address)
	else destination = allocateSharedMemory(SharedMemoryName,allocsize) end
  end
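  local size = (math.abs(address+5-destination)>0x7FFFFFFF) and 14 or 5 -- a 5-byte rel32 jmp reaches about 2 GiB in either direction; beyond that use the 14-byte form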
  if registername~=nil then
	unregisterSymbol(registername)
	registerSymbol(registername,destination,true)
  end
  local opcodes = {}
  local i = 0
  while(i<size) do
    local ext, opc=splitDisassembledString(disassemble(address+i))
    opcodes[#opcodes+1] = opc
    i=i+getInstructionSize(address+i)
  end
  local copy = table.concat(opcodes,'\r\n')
  local readAsTable = true
  local byt = readBytes(address,i,readAsTable)
  for j=1,#byt do byt[j] = ('%02X'):format(byt[j]) end
  local bytes = table.concat(byt, ' ')
  return i,copy,bytes,size,destination
end

function enablescript(name,registername,addressname,script,disable)
	local address=getAddress(addressname)
	if disable then script=(script):format(address,registername,readBytes(registername,1))
	else
		local i,copy,bytes,size =getInsForJump(address,name)
		script=(script):format(registername, registername, name, copy, registername, i, bytes, address)..string.rep('nop\n',i-size)..'returnhere:'
	end
	local success=autoAssemble(script)
	if disable then
		if not success then error(name..' autoAssemble failed')
		else
			deAlloc(name)
			unregisterSymbol(name)
			unregisterSymbol(registername)
		end
	else
		if not success then
			deAlloc(name)
			unregisterSymbol(name)
			error(name..' autoAssemble failed')
		end
	end
end

if syntaxcheck then return end
LaunchMonoDataCollector()
[ENABLE]
enablescript('CurrencyDataSet_alloc','CurrencyDataSet_save','CurrencyData:Set',[[
label(newmem)
label(returnhere)
label(%s)
registersymbol(%s)

%s:
newmem:
movsd xmm2,[value]
%s
jmp returnhere
value:
dq (double)99900
%s:
db %X %s
%X:
jmp newmem
]])

miMonoActivateClick(sender)

[DISABLE]
enablescript('CurrencyDataSet_alloc','CurrencyDataSet_save','CurrencyData:Set',[[
%X:
readmem(%s+1,%u)
]],true)

miMonoActivateClick(sender)
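
The script above overwrites the first bytes of CurrencyData:Set with a 5- or 14-byte jmp and pads the rest with nop. As an added example (not code from this thread or from Cheat Engine), the sketch below looks at the same byte layout from the integrity-checking side: it compares a function's live entry bytes with a known-good copy and decodes where a detour jmp leads. The addresses and prologue bytes are constructed, and the `FF 25 00 00 00 00` + 8-byte-address encoding of the 14-byte form is an assumption.

```python
import struct

REL32_MIN, REL32_MAX = -0x80000000, 0x7FFFFFFF

def jump_size(address, destination):
    """Size of the jmp needed at `address`: 5 (E9 rel32) or 14 (absolute)."""
    disp = destination - (address + 5)  # rel32 counts from the end of the jmp
    return 5 if REL32_MIN <= disp <= REL32_MAX else 14

def decode_entry_jump(address, code):
    """Return (kind, target) when `code` begins with a detour jmp, else None."""
    if len(code) >= 5 and code[0] == 0xE9:
        (disp,) = struct.unpack_from("<i", code, 1)
        return ("rel32", address + 5 + disp)
    # Assumed 14-byte form: jmp qword ptr [rip+0] followed by the 8-byte target.
    if len(code) >= 14 and code[:6] == b"\xFF\x25\x00\x00\x00\x00":
        (target,) = struct.unpack_from("<Q", code, 6)
        return ("abs64", target)
    return None

def check_entry(address, known_good, live, module_range):
    """Compare live entry bytes with a known-good copy and classify any patch."""
    if live[:len(known_good)] == known_good:
        return {"patched": False}
    finding = {"patched": True, "hook": decode_entry_jump(address, live)}
    if finding["hook"]:
        lo, hi = module_range
        finding["target_outside_module"] = not lo <= finding["hook"][1] < hi
    return finding

# Constructed sample data (not taken from the game).
ENTRY = 0x7FF612345000                  # hypothetical function entry
MODULE = (0x7FF612300000, 0x7FF612400000)
TRAMPOLINE = 0x7FF6122F0000             # hypothetical allocation near the module
CLEAN = bytes.fromhex("55 48 8B EC 48 83 EC 30")   # push rbp / mov rbp,rsp / sub rsp,30h
PATCHED = (b"\xE9" + struct.pack("<i", TRAMPOLINE - (ENTRY + 5))
           + b"\x90" * (len(CLEAN) - 5))           # jmp + nop padding to 8 bytes

if __name__ == "__main__":
    print(check_entry(ENTRY, CLEAN, CLEAN, MODULE))
    print(check_entry(ENTRY, CLEAN, PATCHED, MODULE))
```

A jmp whose target lies outside the module's own address range, followed by nop padding up to an instruction boundary, is the pattern this kind of entry-point check reports.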

Post by t3xboar »

You know what? The post is a bit odd, you might have noticed.

Was working it like a mini tutorial, got stuck near the end, went.. hmm... wrong forum.. I better move it. Got a beer and you know the rest :P

So! Let's get to work here and see what I can advance. Above I was just piddering about. Thanks for the CurrencyData thingy.

I'm in there now gonna see what we can do.

Post by OliverSky »

Cake-san wrote:
Fri Oct 23, 2020 11:06 pm
CurrencyData:Set is a good spot

57: syntax error near 'enablescript'
Last edited by OliverSky on Tue Oct 27, 2020 9:05 pm, edited 1 time in total.

Post by OliverSky »

Cake-san wrote:
Fri Oct 23, 2020 11:06 pm
CurrencyData:Set is a good spot

How to do it in ILSpy ... This is the ILSpy interface, but I didn't work with the program, how does it work?

Post by lihken »

OliverSky wrote:
Tue Oct 27, 2020 9:03 pm
Cake-san wrote:
Fri Oct 23, 2020 11:06 pm
CurrencyData:Set is a good spot

How to do it in ILSpy ... This is the ILSpy interface, but I didn't work with the program, how does it work?

Use CE, memory view, Ctrl+A, paste and execute.

Post by Seth_Arkhan »

Friend PLEASE, can you post a tutorial? I can't find the values to gold and souls...PLEEEEEEEEASE MAN!
