Alien shooter 2 the legend

[TheStranger81]

^ I'm using the Steam version, the hook address is hard-coded. Use the script content to find it for your version (you're clearly playing the a cracked/torrented version).

I prefer to try titles like this first cause most of the times they are seriously bad (laggy with bugs all over) and with graphics worse than what we had with the Amiga back in the early 90's (last game of this type i bought was Defence Force Ultra HD - or something like that - since i did enjoy playing the cracked version - never did manage to use cheat engine with it however).

I think many people are the same way and why not, we used to have Demos back in the day, now we don't so to test a game you only have the cracked version.

PS: This game is annoying without cheats (not to mention its graphics are seriously bad) which is why i wanted to check and see if it gets any better with better weapons and such.

[SunBeam]

Did I ask you to explain yourself? I simply said I've hard-coded the address to the version I'm playing. Can't be arsed right now to do aobscan and all the other crap. Like I said, you have all you need in the script itself (scroll to the bottom, copy some bytes, scan in your version, adjust AlienShooter.exe+[offset], done).

[caliber1942]

...

Not sure what versions people are using or what this talk of randomness is, but the game is definitely encoding values.

writes

AlienShooter.exe+5D95E - 89 04 BD F06EAE00 - mov [edi*4+AlienShooter.exe+4B6EF0],eax
AlienShooter.exe+5D965 - 33 45 08 - xor eax,[ebp+08]
AlienShooter.exe+5D968 - 89 46 04 - mov [esi+04],eax

reads

AlienShooter.exe+C8F85 - 0FB7 48 14 - movzx ecx,word ptr [eax+14]
AlienShooter.exe+C8F89 - 8B 3C 8D F06EAE00 - mov edi,[ecx*4+AlienShooter.exe+4B6EF0]
AlienShooter.exe+C8F90 - 33 78 18 - xor edi,[eax+18]



Might be more for strings and for floats.

Another annoying feature is that the base of structs (like the x/y postion/health, etc.) changes pretty regularly, or when you open inventory, etc. So people trying to freeze health or other values, this is why the game crashes, etc.

I must admit this one was annoying and took some time, but I ended up with some decent options.

I will be curious to see if you work out unlocker for cheats or whatever it is you seemed to be working on. I did not see anything like that in the Steam version of this game.

Enjoy,
Cal

[TheStranger81]

Did I ask you to explain yourself? I simply said I've hard-coded the address to the version I'm playing. Can't be arsed right now to do aobscan and all the other crap. Like I said, you have all you need in the script itself (scroll to the bottom, copy some bytes, scan in your version, adjust AlienShooter.exe+[offset], done).

I always like explaining why i do the things i do that's all.

As for your instructions i am seriously not into cheat engine but will try (did scroll at the end but couldn't figure out which bytes to copy).

[SunBeam]

Not sure what versions people are using or what this talk of randomness is, but the game is definitely encoding values.

Some people don't have sufficient knowledge or some sort of stable logic when they SCAN for shit in a game. They do things randomly and random is the effect. The person I mentioned scanned for unknown/increased by/decreased by. Which clearly has no logic, when game is encoding values. Increased by what? What you see on screen? Doesn't work like that, as we both mentioned. So that's what the "randomness" was about.

I will be curious to see if you work out unlocker for cheats or whatever it is you seemed to be working on. I did not see anything like that in the Steam version of this game.

There aren't any cheats in this version of the game. Reloaded (the game, not the 0-day people) version has a bunch in plain-text scripts that are loaded and ran. The Legend uses pre-compiled scripts, thus no more sneaking around with raw text

While you were writing your message, I've posted the 5.000.000 Money script. Even with the encode/decode functions available, you still have to filter out an entire script handler to make sure you're tampering only the right variable (clearly illustrated in my script: "temp.cache.player.money"). The write function is the same I got, then I back-traced out of as close as possible to the start of the script processing.

BR,
Sun

[SunBeam]

As for your instructions i am seriously not into cheat engine but will try (did scroll at the end but couldn't figure out which bytes to copy).

Script with aobscanmodule:

Code: Select all

{ Game   : AlienShooter.exe
  Version:
  Date   : 2020-01-27
  Author : SunBeam
}

[ENABLE]

aobscanmodule( hk_ScriptVars, AlienShooter.exe, 8D55E88B4E0468C1BDF0FF )
registersymbol( hk_ScriptVars )

alloc( Hook, 0x1000, AlienShooter.exe )
label( szVar )
registersymbol( szVar )

Hook:
lea edx,[ebp-18] // original

// we want to modify stuff here only when a certain script runs
// and that is easily determined from the EDX pointer, as string

push esi              // backup esi
push edi              // backup edi
push ecx
mov esi,[edx]         // get source pointer in esi
lea edi,[szVar]       // get string against we'll compare
mov ecx,18            // sizeof( string ) + 1 to check, including 00
repe cmpsb
jne short @f          // if strings don't match, exit

// if they do match, then
// hijack the transaction, setting value to a constant 5.000.000

mov [ebp+C],4C4B40

@@:
pop ecx               // restore ecx
pop edi               // restore edi
pop esi               // restore esi
//
mov ecx,[esi+04]
jmp hk_ScriptVars+6

szVar:
db 'temp.cache.player.money',0

hk_ScriptVars:
jmp Hook
nop

[DISABLE]

hk_ScriptVars:
db 8D 55 E8 8B 4E 04

unregistersymbol( szVar )
dealloc(Hook)
unregistersymbol( hk_ScriptVars )

{
// ORIGINAL CODE - INJECTION POINT: "AlienShooter.exe"+CDC2B

"AlienShooter.exe"+CDC06: A1 EC 8F 08 01        -  mov eax,[AlienShooter.exe+4A8FEC]
"AlienShooter.exe"+CDC0B: 33 C5                 -  xor eax,ebp
"AlienShooter.exe"+CDC0D: 50                    -  push eax
"AlienShooter.exe"+CDC0E: 8D 45 F4              -  lea eax,[ebp-0C]
"AlienShooter.exe"+CDC11: 64 A3 00 00 00 00     -  mov fs:[00000000],eax
"AlienShooter.exe"+CDC17: 8B F1                 -  mov esi,ecx
"AlienShooter.exe"+CDC19: 8B 55 08              -  mov edx,[ebp+08]
"AlienShooter.exe"+CDC1C: 8D 4D E8              -  lea ecx,[ebp-18]
"AlienShooter.exe"+CDC1F: E8 3C FB FF FF        -  call AlienShooter.exe+CD760
"AlienShooter.exe"+CDC24: C7 45 FC 00 00 00 00  -  mov [ebp-04],00000000
// ---------- INJECTING HERE ----------
"AlienShooter.exe"+CDC2B: 8D 55 E8              -  lea edx,[ebp-18]
"AlienShooter.exe"+CDC2E: 8B 4E 04              -  mov ecx,[esi+04]
// ---------- DONE INJECTING  ----------
"AlienShooter.exe"+CDC31: 68 C1 BD F0 FF        -  push FFF0BDC1
"AlienShooter.exe"+CDC36: 52                    -  push edx
"AlienShooter.exe"+CDC37: 8B 01                 -  mov eax,[ecx]
"AlienShooter.exe"+CDC39: FF 50 0C              -  call dword ptr [eax+0C]
"AlienShooter.exe"+CDC3C: 8B 7D 0C              -  mov edi,[ebp+0C]
"AlienShooter.exe"+CDC3F: 3B F8                 -  cmp edi,eax
"AlienShooter.exe"+CDC41: 74 19                 -  je AlienShooter.exe+CDC5C
"AlienShooter.exe"+CDC43: 8B 4E 04              -  mov ecx,[esi+04]
"AlienShooter.exe"+CDC46: 57                    -  push edi
"AlienShooter.exe"+CDC47: FF 75 08              -  push [ebp+08]
}

I really hope you know how to copy-paste. Updated the table as well in the previous page.

BR,
Sun

[Veav]

Thank you for the comprehensive explanation!

And I knew it, I freakin' knew it! Every time I tried tracking something down it would go through that same function whether it was money or components or stack counts. This one was not simple.

[SunBeam]

^ Honestly, I see all of these as challenges The fact that it's "hard" makes it even more enjoyable. But each to their own.

[Veav]

Don't get me wrong, it doesn't always need to be simple. But it was beyond my skills even after stretching them with multiple tutorials I hadn't cracked open before. So I'm happy to find out that it's not JUST my inexperience at work.

[TheStranger81]

As for your instructions i am seriously not into cheat engine but will try (did scroll at the end but couldn't figure out which bytes to copy).

Script with aobscanmodule:

Code: Select all

{ Game   : AlienShooter.exe
  Version:
  Date   : 2020-01-27
  Author : SunBeam
}

[ENABLE]

aobscanmodule( hk_ScriptVars, AlienShooter.exe, 8D55E88B4E0468C1BDF0FF )
registersymbol( hk_ScriptVars )

alloc( Hook, 0x1000, AlienShooter.exe )
label( szVar )
registersymbol( szVar )

Hook:
lea edx,[ebp-18] // original

// we want to modify stuff here only when a certain script runs
// and that is easily determined from the EDX pointer, as string

push esi              // backup esi
push edi              // backup edi
push ecx
mov esi,[edx]         // get source pointer in esi
lea edi,[szVar]       // get string against we'll compare
mov ecx,18            // sizeof( string ) + 1 to check, including 00
repe cmpsb
jne short @f          // if strings don't match, exit

// if they do match, then
// hijack the transaction, setting value to a constant 5.000.000

mov [ebp+C],4C4B40

@@:
pop ecx               // restore ecx
pop edi               // restore edi
pop esi               // restore esi
//
mov ecx,[esi+04]
jmp hk_ScriptVars+6

szVar:
db 'temp.cache.player.money',0

hk_ScriptVars:
jmp Hook
nop

[DISABLE]

hk_ScriptVars:
db 8D 55 E8 8B 4E 04

unregistersymbol( szVar )
dealloc(Hook)
unregistersymbol( hk_ScriptVars )

{
// ORIGINAL CODE - INJECTION POINT: "AlienShooter.exe"+CDC2B

"AlienShooter.exe"+CDC06: A1 EC 8F 08 01        -  mov eax,[AlienShooter.exe+4A8FEC]
"AlienShooter.exe"+CDC0B: 33 C5                 -  xor eax,ebp
"AlienShooter.exe"+CDC0D: 50                    -  push eax
"AlienShooter.exe"+CDC0E: 8D 45 F4              -  lea eax,[ebp-0C]
"AlienShooter.exe"+CDC11: 64 A3 00 00 00 00     -  mov fs:[00000000],eax
"AlienShooter.exe"+CDC17: 8B F1                 -  mov esi,ecx
"AlienShooter.exe"+CDC19: 8B 55 08              -  mov edx,[ebp+08]
"AlienShooter.exe"+CDC1C: 8D 4D E8              -  lea ecx,[ebp-18]
"AlienShooter.exe"+CDC1F: E8 3C FB FF FF        -  call AlienShooter.exe+CD760
"AlienShooter.exe"+CDC24: C7 45 FC 00 00 00 00  -  mov [ebp-04],00000000
// ---------- INJECTING HERE ----------
"AlienShooter.exe"+CDC2B: 8D 55 E8              -  lea edx,[ebp-18]
"AlienShooter.exe"+CDC2E: 8B 4E 04              -  mov ecx,[esi+04]
// ---------- DONE INJECTING  ----------
"AlienShooter.exe"+CDC31: 68 C1 BD F0 FF        -  push FFF0BDC1
"AlienShooter.exe"+CDC36: 52                    -  push edx
"AlienShooter.exe"+CDC37: 8B 01                 -  mov eax,[ecx]
"AlienShooter.exe"+CDC39: FF 50 0C              -  call dword ptr [eax+0C]
"AlienShooter.exe"+CDC3C: 8B 7D 0C              -  mov edi,[ebp+0C]
"AlienShooter.exe"+CDC3F: 3B F8                 -  cmp edi,eax
"AlienShooter.exe"+CDC41: 74 19                 -  je AlienShooter.exe+CDC5C
"AlienShooter.exe"+CDC43: 8B 4E 04              -  mov ecx,[esi+04]
"AlienShooter.exe"+CDC46: 57                    -  push edi
"AlienShooter.exe"+CDC47: FF 75 08              -  push [ebp+08]
}

I really hope you know how to copy-paste. Updated the table as well in the previous page.

BR,
Sun

Worked like a charm, thanks !

[caliber1942]

Not sure what versions people are using or what this talk of randomness is, but the game is definitely encoding values.

Some people don't have sufficient knowledge or some sort of stable logic when they SCAN for shit in a game. They do things randomly and random is the effect. The person I mentioned scanned for unknown/increased by/decreased by. Which clearly has no logic, when game is encoding values. Increased by what? What you see on screen? Doesn't work like that, as we both mentioned. So that's what the "randomness" was about.

I will be curious to see if you work out unlocker for cheats or whatever it is you seemed to be working on. I did not see anything like that in the Steam version of this game.

There aren't any cheats in this version of the game. Reloaded (the game, not the 0-day people) version has a bunch in plain-text scripts that are loaded and ran. The Legend uses pre-compiled scripts, thus no more sneaking around with raw text

While you were writing your message, I've posted the 5.000.000 Money script. Even with the encode/decode functions available, you still have to filter out an entire script handler to make sure you're tampering only the right variable (clearly illustrated in my script: "temp.cache.player.money"). The write function is the same I got, then I back-traced out of as close as possible to the start of the script processing.

BR,
Sun

yes, so for write, here is the encryption being put into place:

AlienShooter.exe+5D95E - 89 04 BD F06E1801 - mov [edi*4+AlienShooter.exe+4B6EF0],eax
AlienShooter.exe+5D965 - 33 45 08 - xor eax,[ebp+08]
AlienShooter.exe+5D968 - 89 46 04 - mov [esi+04],eax

breakpoint at:

AlienShooter.exe+5D920 - 55 - push ebp

ECX-14 is BASE

BASE+8 is pointer to string descriptor (i.e. temp.cache.player.money)
BASE+14 is counter to help point to STATIC XOR values.
BASE+18 is current value (encrypted)

each time the value is written to (BASE+18)
which happens here:
AlienShooter.exe+5D968 - 89 46 04 - mov [esi+04],eax (ESI-0x14 is BASE of the struct)

it's XOR here,
AlienShooter.exe+5D965 - 33 45 08 - xor eax,[ebp+08]

and EDI is is set here from static values:
AlienShooter.exe+5D93A - 0FB7 F9 - movzx edi,cx

and used here:
AlienShooter.exe+5D95E - 89 04 BD F06E1801 - mov [edi*4+AlienShooter.exe+4B6EF0],eax

Whereas EDI is the value stored here:
BASE+14

and every time a new value is written, BASE+14 is incremented to point to a new XOR encryption here:

AlienShooter.exe+5D927 - 66 FF 06 - inc word ptr [esi]

so this is why it seems'random', but its' not actually random at all, just that the game is changing the encrypted value itself, but is changing which XOR from static location (offset of AlienShooter.exe+4B6EF0) is being used as the encryption.

Also note that the static XOR address (offset of AlienShooter.exe+4B6EF0) is ALSO changed at each write.

AlienShooter.exe+5D95E - 89 04 BD F06E1801 - mov [edi*4+AlienShooter.exe+4B6EF0],eax

Also breakpoint at:

AlienShooter.exe+5D920 - 55 - push ebp

[esp+4] holds the value that will ultimately be written to the address in this function.

so it's a complex encryption for sure, but it's actually pretty easy to defeat once you figure out the process. This is also why it seems 'random'.
There are several more of these for other types of values (other than int, etc.)

struct looks like this:

BASE
BASE+4
BASE+8 (pointer to string description)
BASE+C
BASE+10
BASE+14 (value used to read XOR from static offsets)
BASE+18 current value of address (i.e. money) in encrypted form


AlienShooter.exe+5D920 - 55 - push ebp
AlienShooter.exe+5D921 - 8B EC - mov ebp,esp
AlienShooter.exe+5D923 - 56 - push esi
AlienShooter.exe+5D924 - 8B F1 - mov esi,ecx
AlienShooter.exe+5D926 - 57 - push edi
AlienShooter.exe+5D927 - 66 FF 06 - inc word ptr [esi]
AlienShooter.exe+5D92A - 66 83 3E 64 - cmp word ptr [esi],64 { 100 }
AlienShooter.exe+5D92E - 0FB7 0E - movzx ecx,word ptr [esi]
AlienShooter.exe+5D931 - 72 07 - jb AlienShooter.exe+5D93A
AlienShooter.exe+5D933 - 33 C0 - xor eax,eax
AlienShooter.exe+5D935 - 33 C9 - xor ecx,ecx
AlienShooter.exe+5D937 - 66 89 06 - mov [esi],ax
AlienShooter.exe+5D93A - 0FB7 F9 - movzx edi,cx
AlienShooter.exe+5D93D - 8B 04 BD F06E1801 - mov eax,[edi*4+AlienShooter.exe+4B6EF0]
AlienShooter.exe+5D944 - 85 C0 - test eax,eax
AlienShooter.exe+5D946 - 75 1D - jne AlienShooter.exe+5D965
AlienShooter.exe+5D948 - FF 15 24270701 - call dword ptr [AlienShooter.exe+3A2724] { ->ucrtbase.dll+3F3D0 }
AlienShooter.exe+5D94E - 25 FFFF0080 - and eax,8000FFFF { -2147418113 }
AlienShooter.exe+5D953 - 79 07 - jns AlienShooter.exe+5D95C
AlienShooter.exe+5D955 - 48 - dec eax
AlienShooter.exe+5D956 - 0D 0000FFFF - or eax,FFFF0000 { -65536 }
AlienShooter.exe+5D95B - 40 - inc eax
AlienShooter.exe+5D95C - F7 D0 - not eax
AlienShooter.exe+5D95E - 89 04 BD F06E1801 - mov [edi*4+AlienShooter.exe+4B6EF0],eax
AlienShooter.exe+5D965 - 33 45 08 - xor eax,[ebp+08]
AlienShooter.exe+5D968 - 89 46 04 - mov [esi+04],eax
AlienShooter.exe+5D96B - 8B C6 - mov eax,esi
AlienShooter.exe+5D96D - 5F - pop edi
AlienShooter.exe+5D96E - 5E - pop esi
AlienShooter.exe+5D96F - 5D - pop ebp
AlienShooter.exe+5D970 - C2 0400 - ret 0004 { 4 }

for reads, the process is reversed:

AlienShooter.exe+C8F85 - 0FB7 48 14 - movzx ecx,word ptr [eax+14]
AlienShooter.exe+C8F89 - 8B 3C 8D F06EAE00 - mov edi,[ecx*4+AlienShooter.exe+4B6EF0]
AlienShooter.exe+C8F90 - 33 78 18 - xor edi,[eax+18]

Whereas EAX is the base here, then the process completes here
AlienShooter.exe+C8F90 - 33 78 18 - xor edi,[eax+18]

Where we end up with edi being the value shown/used.

best,
Cal

[SunBeam]

Alright. Figured out how to get Instant Reload. First-up, the weapon ammunition is stored as -1 (0xFFFFFFFF) when full. As you shoot, value becomes 0 and incremented by 1. So first fired bullet, 1; second bullet, 2 and so on. You will find this location by debugging on write:

Code: Select all

AlienShooter.exe+7854F - 89 47 14              - mov [edi+14],eax
AlienShooter.exe+78552 - 83 B8 A8000000 00     - cmp dword ptr [eax+000000A8],00
AlienShooter.exe+78559 - 7D 0D                 - jnl AlienShooter.exe+78568
AlienShooter.exe+7855B - C7 80 A8000000 00000000 - mov [eax+000000A8],00000000
AlienShooter.exe+78565 - 8B 47 14              - mov eax,[edi+14]
AlienShooter.exe+78568 - FF 80 A8000000        - inc [eax+000000A8] <-- +1 as you fire

Now, if you debug the address as you reload, you will get this:

Code: Select all

AlienShooter.exe+6F866 - 8B 47 14              - mov eax,[edi+14]
AlienShooter.exe+6F869 - 85 C0                 - test eax,eax
AlienShooter.exe+6F86B - 0F84 A5100000         - je AlienShooter.exe+70916
AlienShooter.exe+6F871 - 8B 4F 04              - mov ecx,[edi+04]
AlienShooter.exe+6F874 - 85 C9                 - test ecx,ecx
AlienShooter.exe+6F876 - 0F84 9A100000         - je AlienShooter.exe+70916
AlienShooter.exe+6F87C - 83 79 24 00           - cmp dword ptr [ecx+24],00
AlienShooter.exe+6F880 - 0F84 90100000         - je AlienShooter.exe+70916
AlienShooter.exe+6F886 - C7 80 A8000000 FFFFFFFF - mov [eax+000000A8],FFFFFFFF <-- reset
AlienShooter.exe+6F890 - 8B 47 04              - mov eax,[edi+04]
AlienShooter.exe+6F893 - 8B 40 24              - mov eax,[eax+24]
AlienShooter.exe+6F896 - 8B 40 2C              - mov eax,[eax+2C]
AlienShooter.exe+6F899 - 05 B8820100           - add eax,000182B8 { 99000 }
AlienShooter.exe+6F89E - 89 47 4C              - mov [edi+4C],eax

The last part of the code above, past the 0xFFFFFFFF will simply read-up the reload time and add it to the event handler In my case, I saw [eax+2C] hold value 2870 for the Superior RIPPER H240. If you check out the weapon statistics in the inventory, you will see it says "Reload: 2.87 sec". So 2.87 sec = 2870, 4 bytes, in memory. Set that to 0 and as soon as your ammo depletes it will instantly reload, no cool-down whatsoever

Close-by, at 0x30 you will find the Fire rate value. In my case, for 8.3 rds/sec that value is 120. I changed it to 1

Clip size is stored at 0x24.

But like caliber1942 mentioned, once you go into Inventory and out, there's this happening:

Code: Select all

void __thiscall MAP::ExecFunc(int)

In short, values get reset to their default states.

More soon.

[serg2011ubercan]

finished this piece of russian game for 15 hours. Not worth game for buy. boring and long...

[MaCcoyGamer]

finished this piece of russian game for 15 hours. Not worth game for buy. boring and long...

If they remove the very repetitive filler missions and only left the main ones, it's a decent game.

[SunBeam]

I don't get it.. what the fuck is wrong with some of you, people? You finished way worse games than this one.. what's with the "this piece of russian game"? "Racist" much? The game is decent, has its quirks, no one asks you to play the 'repetitive' missions and what not. Furthermore, you're clearly saying "I didn't buy this, yet I played and finished it". Which makes you a complete hypocrite. Bitching about how crap the game is, yet finishing it is the same as complaining games have micro-transactions, yet buying shit in-game anyway I fucking hate the way people like to portray themselves as something they aren't. Just cuz anonymity...