Hello.
If you don't own the game, I can buy it for you too.
Game Name: Starcraft II
Game Engine: custom engine
Game Version: STARCRAFT II 5.0.5 [2 December 2020]. They are not updating it anymore.
Options Required: Resource pile cheat (Ingame built cheats, SpectralTiger, RealMenDrillDeep, WhoRunBartertown)
Other Info: Some cheats can be enabled and disabled; the internal flag is 0 for disabled and 2 for enabled. If you use TerribleTerribleDamage and it says "enable", search for 2 with data type byte, write TerribleTerribleDamage again and search for 0. You should get it quickly.
The game is not crashing anymore when you are using Cheat Engine 7.2. Their anti-debug can be easily bypassed using UDCE.
Optional: I will pay for the cheat if anyone manages to get those ingame built cheats.
I just use them to grind on an Arcade game solo.
[Request] Starcraft II Singleplayer inbuilt cheats
-
- Table Makers
- Posts: 83
- Joined: Sun Nov 10, 2019 5:02 pm
- Reputation: 139
Re: [Request] Starcraft II Singleplayer inbuilt cheats
Who told you they are not updating it anymore?.. Every week there's a new update
Re: [Request] Starcraft II Singleplayer inbuilt cheats
Where did you take your information about patching every week?
They said they don't support it anymore, no more major updates.
Just fixes or rare balance updates when needed, which have been zero for months.
And their last patch was from 2 December 2020 and they said "Ending Development on Starcraft 2".
Minerals were fucked by last big patch, now I don't find them anymore.
Before this happened, you could search 4096, 4byte for 1 Mineral.
My information is based on the experience I've had with the game, and I used CE for many years on SC II.
Re: [Request] Starcraft II Singleplayer inbuilt cheats
Then you know each update comes with a different enveloped executable, meaning different spots to hook, meaning having to change the scripts all the time, etc., etc. Scanning for fixed AOBs doesn't work 100%, as Blizzard is using their own packer/protector. They have code obfuscation/mutation, meaning a simple instruction can be broken down into multiple ones. That means a "mov rax,[rcx+64]" can become "mov rax,rcx; mov rax,[rax+64]". In which case your aob is fucked. I've seen this happen with 5-6 iterations I've kept up with the game and I've decided to fuck it at some point. I'd have finished the game 2-3 times by then, so I was bored and done.
Insterluda wrote: ↑Thu Feb 18, 2021 10:00 pm
just fixes or rare balance updates [...] many years on SC II.
That's my experience.
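The signature breakage described in the post above, as an added example that is not part of the thread: a small AOB matcher run against the two instruction forms the post quotes. The surrounding prologue/epilogue bytes, the build names and the signatures are constructed for illustration and do not come from any game build.

```python
def parse_aob(pattern):
    """'48 8B ?? 64' -> [0x48, 0x8B, None, 0x64]; None is a wildcard byte."""
    return [None if tok in ("?", "??") else int(tok, 16) for tok in pattern.split()]

def aob_scan(image, pattern):
    """Return every offset in image where the byte pattern matches."""
    sig = parse_aob(pattern)
    last = len(image) - len(sig)
    return [off for off in range(last + 1)
            if all(b is None or image[off + i] == b for i, b in enumerate(sig))]

# x86-64 encodings of the two forms quoted in the post (displacement 0x64).
ORIGINAL = bytes.fromhex("488b4164")        # mov rax,[rcx+64]
MUTATED = bytes.fromhex("488bc1488b4064")   # mov rax,rcx ; mov rax,[rax+64]

# Constructed surrounding code, identical in both builds.
PROLOGUE = bytes.fromhex("4883ec28")        # sub rsp,28
EPILOGUE = bytes.fromhex("4883c428c3")      # add rsp,28 ; ret

BUILD_A = PROLOGUE + ORIGINAL + EPILOGUE    # build the signature was cut from
BUILD_B = PROLOGUE + MUTATED + EPILOGUE     # later build, same behaviour

FIXED_SIG = "48 83 EC 28 48 8B 41 64"
WILDCARD_SIG = "48 83 EC 28 48 8B ?? 64"    # wildcards only the ModRM byte

def report():
    """Hit offsets for each signature against each build."""
    return {(name, sig): aob_scan(image, sig)
            for name, image in (("A", BUILD_A), ("B", BUILD_B))
            for sig in (FIXED_SIG, WILDCARD_SIG)}

if __name__ == "__main__":
    for key, hits in report().items():
        print(key, hits)
```

Wildcarding an operand byte does not help here because the mutation changes the number of instructions, so every byte after the split shifts.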
Re: [Request] Starcraft II Singleplayer inbuilt cheats
True point, but you and I know that no script is working for eternity, plus there hasn't been a single patch for 3 months, and their support has ended.
SunBeam wrote: ↑Fri Feb 19, 2021 4:20 am
Then you know each update comes with a different enveloped executable, meaning different spots to hook, meaning having to change the scripts all the time, etc., etc. Scanning for fixed AOBs doesn't work 100%, as Blizzard is using their own packer/protector. They have code obfuscation/mutation, meaning a simple instruction can be broken down into multiple ones. That means a "mov rax,[rcx+64]" can become "mov rax,rcx; mov rax,[rax+64]". In which case your aob is fucked. I've seen this happen with 5-6 iterations I've kept up with the game and I've decided to fuck it at some point. I'd have finished the game 2-3 times by then, so I was bored and done.
Insterluda wrote: ↑Thu Feb 18, 2021 10:00 pm
just fixes or rare balance updates [...] many years on SC II.
That's my experience.
I'm not as experienced as you are, but I've learned more and more over the years, and CTG is a great community which offers me a lot of help.
That's why I don't make scripts for the game; instead I always look again for the value I need, because scripts were not effective, since, as you already said, they patched too much (which is not happening anymore).
Well, maybe you could explain to me how I should search for a cheat which is not enabling anything; it just gives you resources instantly.
I tried a few things, but the hardest part is already done: finding the proper flags, which I found are 0 and 2. But HOW do you find a cheat code which grants you 5000 resources, for example? This cheat is not working like a flag. I've tried to find anything in the memory browser, but no luck so far, because I thought the cheat must be near the other cheats, but it's not.
[Link]
Re: [Request] Starcraft II Singleplayer inbuilt cheats
Like I said, I studied the Battle.net.dll code quite a lot. Even wrote a tool that restores the original ASM code of a function (rather than their spaghetti code with lots of jmp, xchg, etc. instructions). The resources are encrypted. If I remember correctly, the only thing that was a constant, was the fact that the encrypted value for a static value was the same. In the sense that they don't use dynamic cycling. So, if 5000 Minerals are 0x7F58694D, then the next time you have 5000 Minerals you can search for the same 0x7F58694D. Then use the resources and search for the equivalent of another constant (build something, you get 4550; find out what 4550's encrypted value is). That's what I had at the time. I have not kept up with the updates so I don't really know if they've changed the algorithm.
But in short: don't know the value, start with "unknown value". Go with 8 bytes as the type. Create something, so resources decrease: "has changed". Repeat the process, alternating scenarios: build to decrease, acquire to increase, pause the game, open options menu, etc. For each operation do the specific type of scan you feel is logical. Just don't scan for "has increased" when your value on-screen has increased. The real value is encrypted and you won't find it with that logic. Always do "has changed", "has not changed".
Here's how I had the code in my Increased Damage (x10) + 5000 x Resources + Reveal Map script:
It's an example, I don't know how to find it in current version or whatever other questions you have. Just know the code is ripped from the game's engine itself (am using their function from that version of the game, at the time). Which code: the code that's executed when you type in the cheats which give you resources. I've found where the effect is when the cheat is processed, understood how it works and ripped that code to use it myself.
Code:
[ENABLE]
alloc( Damage, 2048, SC2.exe )
label( back )
label( Damage_exit )
label( Player_do )
label( Damage_next )
label( bResources )
registersymbol( bResources )
label( bMap )
registersymbol( bMap )
label( pResources )
registersymbol( pResources )
label( rAmount )
registersymbol( rAmount )
label( dwMapVal )
registersymbol( dwMapVal )
label( GetResPtrToDword )
label( GetResPtrFromDword )
label( DecryptAddEncryptResource )
label( DecryptAddEncryptResource_exit )
label( GetMapPtr )
label( DecryptMapVal )
label( EncryptMapVal )
label( lResources )
label( Damage_ )
registersymbol( Damage_ )
Damage:
cmp byte ptr [edi+86E],1
jne Damage_exit
cmp byte ptr [bResources],1
jne Damage_next
pushad
movzx ebx,[edi+86E]
call GetResPtrToDword
push pResources
call GetResPtrFromDword
xor esi,esi
mov edi,[pResources]
lResources:
mov eax,esi
mov ecx,edi
lea ecx,[ecx+eax*8+340]
call DecryptAddEncryptResource
inc esi
cmp esi,2 // Minerals and Vespene Gas (change to 4 if you want Biomass as well)
jb lResources
popad
mov byte ptr [bResources],0
jmp Player_do
Damage_next:
cmp byte ptr [bMap],1
jne Player_do
pushad
call GetMapPtr
push edx // store ptr for later
push dwMapVal
call DecryptMapVal
mov eax,[dwMapVal]
cmp eax,-1
setne bl
movzx ecx,bl
neg ecx
sbb ecx,ecx
pop ebx // then pop it here
push ecx
call EncryptMapVal
popad
mov byte ptr [bMap],0
Player_do:
jmp back+2F
Damage_exit:
test [edx+ecx+1C],eax
jmp back+10
GetResPtrToDword:
mov eax,[SC2.exe+1EC9064]
sub eax,[SC2.exe+1B5359C]
mov edx,[eax]
movzx ecx,bl
lea edx,[edx+ecx*4]
ret
GetResPtrFromDword:
push ebp
mov ebp,esp
push esi
push edi
mov edi,[ebp+8]
mov esi,edx
movzx eax,word ptr [esi]
movzx ecx,word ptr [esi+02]
mov edx,eax
and edx,FFF
mov esi,SC2.exe+1B52C18 // added by me
//movzx edx,word ptr [edx*4+SC2.exe+1B52C18]
movzx edx,word ptr [edx*4+esi]
add ecx,edx
mov edx,ecx
and edx,FFF
//movzx edx,word ptr [edx*4+SC2.exe+1B52C18]
movzx edx,word ptr [edx*4+esi]
sub eax,edx
mov [edi],ax
mov [edi+02],cx
pop edi
pop esi
pop ebp
ret 4
DecryptAddEncryptResource:
push ebp
mov ebp,esp
push esi
push edi
// decrypt
mov esi,[ecx]
mov edx,[ecx+04]
mov edi,esi
mov eax,esi
shr edi,C
sub eax,edi
not eax
and eax,FFF
mov ebx,SC2.exe+1B52C18 // added by me
//xor edx,[eax*4+SC2.exe+1B52C18]
xor edx,[eax*4+ebx]
mov eax,edx
shr eax,C
xor eax,edx
and eax,FFF
//mov eax,[eax*4+SC2.exe+1B52C18]
mov eax,[eax*4+ebx]
add eax,esi
mov esi,eax
xor esi,edx
and esi,55555555
xor esi,eax
xor eax,edx
and eax,55555555
xor eax,edx
// add
mov edi,eax
add esi,[rAmount]
mov eax,esi
or eax,edi
jne short @f
// if 0, set value to encrypted NULL, already calculated in pointers below
mov edx,[SC2.exe+1F4C23C]
mov [ecx],edx
mov eax,[SC2.exe+1F4C240]
mov [ecx+04],eax
jmp DecryptAddEncryptResource_exit
@@:
// encrypt
mov edx,esi
mov eax,esi
xor edx,edi
xor eax,edi
and edx,55555555
xor edx,edi
and eax,55555555
xor eax,esi
mov esi,edx
shr esi,C
xor esi,edx
and esi,FFF
mov ebx,SC2.exe+1B52C18 // added by me
//sub eax,[esi*4+SC2.exe+1B52C18]
sub eax,[esi*4+ebx]
mov edi,eax
shr edi,C
mov esi,eax
sub esi,edi
not esi
and esi,FFF
//mov esi,[esi*4+SC2.exe+1B52C18]
mov esi,[esi*4+ebx]
xor esi,edx
mov [ecx],eax
mov [ecx+04],esi
DecryptAddEncryptResource_exit:
pop edi
pop esi
pop ebp
ret
GetMapPtr:
mov edx,[SC2.exe+1B53DD4]
xor edx,[SC2.exe+1C62A84]
add edx,14
ret
DecryptMapVal:
push ebp
mov ebp,esp
push esi
push edi
mov edi,[ebp+8]
mov esi,edx
movzx eax,word ptr [esi]
movzx ecx,word ptr [esi+02]
mov edx,eax
and edx,FFF
mov esi,SC2.exe+1B52C18 // added by me
//movzx edx,word ptr [edx*4+SC2.exe+1B52C18]
movzx edx,word ptr [edx*4+esi]
sub ecx,edx
mov edx,ecx
and edx,FFF
//movzx edx,word ptr [edx*4+SC2.exe+1B52C18]
movzx edx,word ptr [edx*4+esi]
sub eax,edx
mov [edi],ax
mov [edi+02],cx
pop edi
pop esi
pop ebp
ret 4
EncryptMapVal:
push ebp
mov ebp,esp
push esi
lea edx,[ebp+8]
movzx esi,word ptr [edx+02]
movzx eax,word ptr [edx]
mov edx,esi
and edx,FFF
mov edi,SC2.exe+1B52C18
//movzx edx,word ptr [edx*4+SC2.exe+1B52C18]
movzx edx,word ptr [edx*4+edi]
add eax,edx
mov edx,eax
and edx,FFF
//movzx edx,word ptr [edx*4+SC2.exe+1B52C18]
movzx edx,word ptr [edx*4+edi]
add edx,esi
movzx edx,dx
mov [ebx],ax
mov [ebx+02],dx
pop esi
pop ebp
ret 4
bResources:
db 0
bMap:
db 0
pResources:
dd 0
rAmount:
dd (int)5000
dwMapVal:
dd 0
SC2.exe+4EDFD7:
Damage_:
jmp Damage
nop
back:
[DISABLE]
Damage_:
db 85 44 0A 1C EB 10
unregistersymbol( Damage_ )
unregistersymbol( dwMapVal )
unregistersymbol( rAmount )
unregistersymbol( pResources )
unregistersymbol( bMap )
unregistersymbol( bResources )
dealloc( Damage )
BR,
Sun
P.S.: The problem I didn't have back in the day was I could debug the game. Now they have this shitty driver-like mechanism which blocks debugging in any form. I think they also disallow changing executable code (so no scripts). They do let you scan memory and change values (which are not in the executable code).
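The scanning advice in the post above, replayed on a toy memory model as an added example (not code from the thread or from the game). The encoding, addresses and timeline are constructed; the encoder is only a stand-in for a static, order-scrambling obfuscation.

```python
MASK = 0xFFFFFFFF
RES_ADDR = 0x1000  # constructed address of the obfuscated counter

def encode(value):
    # Constructed stand-in for a static obfuscation, NOT the game's routine.
    # Deterministic (no per-write key), and it does not preserve ordering.
    return (value * 0x01000193) & MASK

def snapshot(resources, tick):
    """Toy process memory at one moment: address -> 32-bit value."""
    return {
        RES_ADDR: encode(resources),     # stored form of the on-screen number
        0x1004: tick,                    # plain timer, always counts up
        0x1008: 0xDEADBEEF,              # constant that never changes
        0x100C: (tick * 7919) & 0xFF,    # unrelated value that keeps changing
    }

FILTERS = {
    "changed": lambda old, new: new != old,
    "unchanged": lambda old, new: new == old,
    "increased": lambda old, new: new > old,
    "decreased": lambda old, new: new < old,
}

# (on-screen resources, tick) at: first scan, after spending, idle, after gaining
TIMELINE = [(5000, 1), (4550, 2), (4550, 3), (4600, 4)]

def run_scan(filter_names):
    """Apply one filter per transition in TIMELINE; return surviving addresses."""
    prev = snapshot(*TIMELINE[0])
    candidates = set(prev)               # "unknown initial value": keep everything
    for state, name in zip(TIMELINE[1:], filter_names):
        cur = snapshot(*state)
        candidates = {a for a in candidates if FILTERS[name](prev[a], cur[a])}
        prev = cur
    return candidates

if __name__ == "__main__":
    # Filters that follow the on-screen direction lose the encoded counter.
    print("screen-direction:", run_scan(["decreased", "unchanged", "increased"]))
    # Filters that only ask "did it change?" isolate it.
    print("changed/unchanged:", run_scan(["changed", "unchanged", "changed"]))
```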
Re: [Request] Starcraft II Singleplayer inbuilt cheats
Wow, amazing.
How and where did you learn such complex stuff? My learning curve is very slow, but I get into it more and more.
It's always easy to say use your sense of logic, but in reality it's harder than you think xd.
I'm not good at kicking instructions. I understand what push, pop, mov, sub, add, calls do, but I'm still pretty weak when I see something different like fld qword ptr [rcx]; still unsure how to handle things like this.
You can still use scripts, I made a pointer for the inbuilt campaign cheats, they are still working for arcade games, since I play only full solo.
I like how SC II is protected, so many things you have to be careful.
There is also a timer, which kicks you out of a game if you enable cheats too fast at the beginning of game.
Why are you so sure it's 8 byte? I always used 4 byte and found sometimes the minerals, but often it just crashes xd
I will try with 8 bytes, because this time, I found nothing when I searched for 8 bytes.
I use UDCE. It works pretty well with SC II, and a kind soul showed me how to bypass their anti-debug mecha.
Re: [Request] Starcraft II Singleplayer inbuilt cheats
I did not say they store it on 8 bytes, how the devs intended this to be. When decoded, the value is an integer, so 4 bytes. But I think I remember it being stored in encoded form as 8 bytes. Point to the matter is it doesn't matter the type, considering you're always searching unknown, has changed. So not a fixed, exact scan for some value. If the value is 4 bytes, it's included in an 8 byte format, don't you think? So if it's a DWORD/4 bytes, then it's half of those 8 bytes. When that half is changing, your "has changed" scan will catch it. Try to detach yourself a bit from "how it should be" and use some common sense.
Insterluda wrote: ↑Fri Feb 19, 2021 3:54 pm
Why are you so sure it's 8 byte? I always used 4 byte and found sometimes the minerals, but often it just crashes xd
I will try with 8 bytes, because this time, I found nothing when I searched for 8 bytes.
I use UDCE. it pretty works well with SC II and a kind soul showed me how to bypass their anti-debugg mecha.
About anti-debug, if you're willing to explain more, I'd love to hear it in a PM. Just to see if I knew the stuff already or is there something else to it that I didn't catch. And with that UDCE maybe I will get interested in updating my old scripts.
BR,
Sun