how to restore a script?

[Insterluda]

Hello fellas,


Maybe someone knows a guide about this too, that would be great.
This is something harder to cheat than I've thought and still I wanna try and spent hours in.

Currently I try to restore an old script about bloons: Adventure Time TD game
The creator of the code said I can use it and try my best.

Code: Select all

// Game   : btdadventuretime.exe
// Version:
// Date   :
// Author : Cs
[ENABLE]
aobscanmodule(aobCashGrabber,GameAssembly.dll,01 48 8B 0D ?? ?? ?? ?? 48 8B 9B 10 02 00 00)

alloc(newmemCashGrabber,4096,aobCashGrabber)

label(aobCashGrabber_r)
label(aobCashGrabber_i)
registersymbol(aobCashGrabber_r)
registersymbol(aobCashGrabber_i)

label(lblCashGrabber)
label(lblCashGrabberSkip)
label(lblCashGrabberRet)

label(bEnableMinCash)
label(dMinCash)
registersymbol(bEnableMinCash)
registersymbol(dMinCash)

newmemCashGrabber:
bEnableMinCash:
dd 1
dMinCash:
dq (double)999999.0

lblCashGrabber:
readmem(aobCashGrabber+08,7)
push rax
push rcx
push rdx
push r10
cmp dword ptr [bEnableMinCash],1
jne short lblCashGrabberSkip
mov rax,[GameAssembly.dll+1ED25F8]
mov rax,[rax+000000B8]
mov rcx,[rax]
mov rax,[rbx+10]
mov rdx,[rax+20]
movsxd rax,[rbx+18]
mov rcx,[rcx+rax*8+20]
mov r10,[rcx+20]
xor rdx,r10
mov rax,[dMinCash]
cmp rdx,rax
jge short lblCashGrabberSkip
mov rdx,rax
xor rdx,r10
mov rax,[rbx+10]
mov [rax+20],rdx
lblCashGrabberSkip:
pop r10
pop rdx
pop rcx
pop rax
jmp lblCashGrabberRet
aobCashGrabber_i:
readmem(aobCashGrabber+08,7)

aobCashGrabber+08:
aobCashGrabber_r:
jmp lblCashGrabber
nop
nop
lblCashGrabberRet:

[DISABLE]
aobCashGrabber_r:
readmem(aobCashGrabber_i,7)

unregistersymbol(aobCashGrabber_r)
unregistersymbol(aobCashGrabber_i)

unregistersymbol(bEnableMinCash)
unregistersymbol(dMinCash)

dealloc(newmemCashGrabber)

I know this:
The game uses the CryptVarDouble class to store the cash.
CryptVarDouble is a proprietary class.
It uses a System.Byte[] to store a the byte sausage.
The byte sausage itself is 8 bytes, representing the double.
The byte sausage is continually re-encrypted using a collection of 16 random XOR keys.

I'm curious how to restore the "?? ?? ?? ??" in the code
I feel I'm close to the solution.
currently I try to find the stack value in Tracer (Break and Trace instruction)


Maybe someone has an idea or guides.
ty.

[GreenHouse]

What do you mean how to restore the "?? ?? ?? ??"?
The "??" mean that it's unknown, so try doing an aob scan of the entire aob and try replacing the offsets with ?? too, as the update may have changed them. Or just search for similar ones.

[Insterluda]

Hi,
Thank you for your support.
I will try right now an aob scan.

if it's not working is there a possible way to scan a display value with aob?

[GreenHouse]

if it's not working is there a possible way to scan a display value with aob?

Scan a display value with aob? It's a value, meaning that you can see it as an aob. So the answer is yes.

[Insterluda]

if it's not working is there a possible way to scan a display value with aob?

Scan a display value with aob? It's a value, meaning that you can see it as an aob. So the answer is yes.

hi,
Thanks for the answer.
I got one more question this will be the last for sure.
I'm not a pro with aob scans.

The value type is double and its only the "display value" you see as cash, but you can't change the value because it changes back in his original form.
this means the "display value" is encrypted.
does aob. scan still work?

I have seen no tutorials yet which uses aob. scan at encrypted values.


ty.

[GreenHouse]

The value type is double and its only the "display value" you see as cash, but you can't change the value because it changes back in his original form.
this means the "display value" is encrypted.
does aob. scan still work?

I have seen no tutorials yet which uses aob. scan at encrypted values.


ty.

I mean, if you're trying to use an aobscan to search the literal value, then no, as the value keeps changing.
As for the aobscan from that script, I got the game and the aob that you're looking for is: 01 48 8B 0D 5D 87 79 01 48 8B 9B 10 02 00 00 (On the last game update from Steam only). That's the function that accesses your health, and from there you can access the cash and do whatever the script does.

[Insterluda]

The value type is double and its only the "display value" you see as cash, but you can't change the value because it changes back in his original form.
this means the "display value" is encrypted.
does aob. scan still work?

I have seen no tutorials yet which uses aob. scan at encrypted values.


ty.

I mean, if you're trying to use an aobscan to search the literal value, then no, as the value keeps changing.
As for the aobscan from that script, I got the game and the aob that you're looking for is: 01 48 8B 0D 5D 87 79 01 48 8B 9B 10 02 00 00 (On the last game update from Steam only). That's the function that accesses your health, and from there you can access the cash and do whatever the script does.

Thank you so much... meh its so sad I couldn't even grab the address and you got it like in 2min...
Is there a better way to improve my knowledege about this?
Could you maybe recommend me anything?

Is there anything you wanna have for this effort?
You wanna some donating cash as exchange?
I mean I couldnt find a soluation even after 10hours+

[Insterluda]

The value type is double and its only the "display value" you see as cash, but you can't change the value because it changes back in his original form.
this means the "display value" is encrypted.
does aob. scan still work?

I have seen no tutorials yet which uses aob. scan at encrypted values.


ty.

I mean, if you're trying to use an aobscan to search the literal value, then no, as the value keeps changing.
As for the aobscan from that script, I got the game and the aob that you're looking for is: 01 48 8B 0D 5D 87 79 01 48 8B 9B 10 02 00 00 (On the last game update from Steam only). That's the function that accesses your health, and from there you can access the cash and do whatever the script does.

Thank you so much... meh its so sad I couldn't even grab the address and you got it like in 2min...
Is there a better way to improve my knowledege about this?
Could you maybe recommend me anything?

Is there anything you wanna have for this effort?
You wanna some donating cash as exchange?
I mean I couldnt find a soluation even after 10hours+


*) The next step is to get the script working again or?
So its not enough to just simple copy & paste that aob right?

[Insterluda]

Hi fellas,

just wanna let you know I MADE IT.

Coins, life, gems, crystals, cash.
and all upgrade resources you need.

No idea how to grab "cosmic essence" or usable abilites.
No idea how to increase damage output, speed of a unit.

and aob scan 01 48 8B 0D 5D 87 79 01 48 8B 9B 10 02 00 00 is bullshit throw it away.
best tutorial to beat encrypted values + unity game


Maybe I will upload a guide how, but I'm sure some losers will go online with the cheats and fuck up the devs. again and they will encrypt this shit even more.
Since it feels like almost zero one can beat encrypted values....
so many hours wasted.

[GreenHouse]

just wanna let you know I MADE IT.

Nicely done. I've been checking the game myself too and I've done 3 scripts. One is so none of the currencies decrease on purchase or use, from in match coins to gems and shards, a script to be immortal, and a script to auto-complete quests.
There's a lot of stuff that you can do pretty easily, as they're not server sided.

[Insterluda]

just wanna let you know I MADE IT.

Nicely done. I've been checking the game myself too and I've done 3 scripts. One is so none of the currencies decrease on purchase or use, from in match coins to gems and shards, a script to be immortal, and a script to auto-complete quests.
There's a lot of stuff that you can do pretty easily, as they're not server sided.

Don't play online with your scripts.
We are only at this bad situation cuz people went online with cheats.
They have hard encrypted the values cuz of too many cheater reports.

No clue how good you are, but I'm using cheatengine for 3+ years now and this was the biggest challenge I've ever tried.
I have almost given up.

good luck mate.