Page 1 of 1

Bloons: Adventure Time TD

Posted: Thu Jul 11, 2019 10:26 am
by Csimbi
This game is a unique take on the Bloons franchise.
If you played Bloons, you know what to expect, just with a story around it.
If you are a kid, or have kids, most of the characters should be familiar to you from the cartoons they air on TV.
I myself found the Bloons games very repetitive, hence my favourite has always been Bloons: Monkey City - that had a strategic component around it and a lot of variety.

Anyway, I took it out for a spin and it seems okay.
Not great, but interesting enough to invest a few hours into it.
I attached a table with a script, which gives you:
- Min. cash; as name suggests, it gives you a min. budget during the Simulation.
The script uses fixed offsets right now, meaning that it will most likely break in the next update.
You would do well to play offline only with the cash hack - or get yourself banned for doing so.
If you do get banned, I am curious what you did when it happened, so post it here or PM me in case you don't want it posted for everyone to see.

The game uses the CryptVarDouble class to store the cash.
CryptVarDouble is a proprietary class.
It uses a System.Byte[] to store a the byte sausage.
The byte sausage itself is 8 bytes, representing the double.
The byte sausage is continually re-encrypted using a collection of 16 random XOR keys.
That's the cash.

Max level can be found in AdventureTimePlayer.ProfileModel, while AdventureTimePlayer.ProfileModel.Resources contain Coins, Crystals and Martian Coins.
Each of these are instances of the CryptVarInt32 class.
Wish data is also part of AdventureTimePlayer.ProfileModel.Resources, but it's a bit different.
CryptVarInt32 follows the same principle as CryptVarDouble, but your byte sausage is 4 bytes.
I chose not to publish any scripts for this (and please don't ask via PM either).
The devs are providing this game for free and I don't want to rob them from the means on making some money (as these are purchasable resources).
Consider this as my way of showing my respect to the NinjaKiwis.
Enough said on this topic.

There is a CryptVarSimple class in there, too. Pretty much the same as CryptVarInt32, except the byte sausage represents a float.
I have not really found any value yet that's a float and worth hacking though - they are either doubles or ints.

That said, enjoy the cash hack while it lasts, I don't think I will be updating it...

Re: Bloons: Adventure Time TD

Posted: Sun Jul 21, 2019 10:57 pm
by KraftCrafterMcCrafty
Any chance you could add Cosmic Essence to this list? I tried doing it your way but I couldn't get the values to stick.

Re: Bloons: Adventure Time TD

Posted: Thu Aug 08, 2019 8:16 am
by fat_cat
It has not worked since version 1.5.1.
Please fix it. Thanks so much :oops:

Re: Bloons: Adventure Time TD

Posted: Fri Aug 09, 2019 12:06 pm
by Csimbi
fat_cat wrote:
Thu Aug 08, 2019 8:16 am
It has not worked since version 1.5.1.
Please fix it. Thanks so much :oops:
Csimbi wrote:
Thu Jul 11, 2019 10:26 am
...enjoy the cash hack while it lasts, I don't think I will be updating it...
This game has an online competitive component (since the Martian thingie has been added), so I won't be publishing any more hacks for it for sure.

It's a Unity game, so it' easily hackable to smithereens.
Everything you need to create your own hacks is up there in the original post.
Go, get yourself banned, but leave me out of it.
Thanks!

Re: Bloons: Adventure Time TD

Posted: Sat Feb 15, 2020 10:48 am
by Insterluda
Hello guys,

Could someone lend me a hand to find the intial value of cash?

I'm doing this so far:
650§ starting value ---> searching 8Bytes
350$ next scan ---> now I found the display value 350 (type; 8Byte)
rightclick on value ---> Find out what what accesses this address
Display Address: 22EE6AAE668

I found 2 addresses
89 43 28 - mov [rbx+28],eax
8B 53 28 - mov edx, [rbx+28]

I'm using
8B 53 28 - mov edx, [rbx+28] and continue
target and ---> show disassembler
rightclick on 8B 53 28 - mov edx, [rbx+28] and "Break and Trace instruction"
Setup: 1000 maximal trace count
(Y: Dereference Addresses)
(Y: Save stack snapshots)
(Y: Step over instead of single step)
then I click on OK

In tracer I do righclick expand all

Now I'm there where I stuck the realy hard part of it.
I'm looking for the function that calls 8B 53 28 - mov edx, [rbx+28] this function.

Every day I spent 2-3 hours and try different ways... but nothing works so far.
Currently I use breakpoints and try different opcodes


Best Regards.