help hacking Stronghold Crusader 2 - The Jackal and The Khan
I can't hack Stronghold Crusader 2 - The Jackal and The Khan gold.
I only get one float address with the displayed amount of gold, not the real amount, so I can't change the real gold value.
When I check what accesses that address I get two opcodes:
fld dword ptr [ecx+24] with a really high count
and mov [eax],edx with a count that matches the gold value changing.
I tried many things like mov [eax],(float)10000
and mov edx,(float)10000
but nothing works and sometimes the game crashes.
Any advice?
- koderkrazy
- Expert Cheater
- Posts: 254
- Joined: Sun Jun 17, 2018 2:14 pm
- Reputation: 190
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
I think you need to investigate the second instruction more. You need to find what is putting the value in edx. Look at the code before this instruction for something like mov edx,[esp+8], basically any instruction like mov edx, xyz. If it's not esp then try to change the value there. If it's esp then you need to debug or do break and trace to get to the calling method to see what is putting that value as a parameter onto the stack (esp).
Post some code before the mov [eax], edx.
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
StrongholdBase.GImage::GImage+843 - call StrongholdBase.GImage::GImage+2910
StrongholdBase.GImage::GImage+848 - mov edx,[ebp+08]
StrongholdBase.GImage::GImage+84B - mov byte ptr [esp+13],01 { 1 }
StrongholdBase.GImage::GImage+850 - mov bl,[esp+13]
StrongholdBase.GImage::GImage+854 - mov [eax],edx
StrongholdBase.GImage::GImage+856 - mov eax,[edi]
So I tried mov edx,(float)9999 instead of mov edx,[ebp+08] but nothing happened. I even NOPed it and the money can still be decreased and increased by the game.
- koderkrazy
- Expert Cheater
- Posts: 254
- Joined: Sun Jun 17, 2018 2:14 pm
- Reputation: 190
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
You are modifying the wrong registers/pointers. The money amount is coming from some location (source) and getting assigned to the pointer stored in eax (destination). Maybe the pointer in eax is for display purposes. So modifying [eax] or edx won't change the actual value. So we need to focus on getting to the source location.
To understand the following you need some knowledge of assembly language and code debugging using Cheat Engine. Watch some YouTube videos if you have to.
- in the given code lines the value is in [ebp+08]
- ebp is a pointer to the call stack, so it's not the actual source
- so the money value is being passed as a method parameter
- look for an instruction like
mov ebp, esp
- debug/break and trace (see YouTube videos if you don't know how) and get to the calling method. Look at what parameters are being passed to this method.
- by passing parameters I mean 'push' instructions.
Code: Select all
push edx ----//parameter to the method, either one of these could be the money value.
push ecx ----//parameter to the method
push eax ----//parameter to the method
call StrongholdBase+xyz
- go all the way up the call hierarchy till you find a pointer upon modifying which the real money changes.
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
Sorry for the previous post.
I retraced the code and found that before the function for displaying gold there are these lines:
Code: Select all
push ebx
push 72374160
push ecx
mov ecx,7243DB68 <<< tried mov ecx,(float)9999 after the code but the game crashes
fstp dword ptr [esp] << tried mov [esp],(float)9999 after the code but the game also crashes
call 72094D90 <<< the call for displaying Gold
- koderkrazy
- Expert Cheater
- Posts: 254
- Joined: Sun Jun 17, 2018 2:14 pm
- Reputation: 190
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
Code: Select all
<<inject before this
push ebx
push 72374160
push ecx <<find who sets ecx in code above this, this has gold, post this method code
mov ecx,7243DB68
fstp dword ptr [esp] << don't modify esp after 'call 72094D90'
call 72094D90 <<< the call for displaying Gold
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
There are quite a few; how can I check the ecx value to know if it's the right one?
I tried to change some but the game crashes, so I want to know how I can check the ecx value.
Code: Select all
mov ecx,[eax+74]
mov ecx,[eax]<<<<< makes ecx 000000
mov ecx,[ebp-000000B4]
mov ecx,[edi+0000020C]
mov ecx,[ebp+08]<<<<< from call
and ecx,[ebp+0C] <<<<< from call
mov ecx,[eax+74]
sub ecx,[eax+70]
sar ecx,02 { 2 }
test ecx,ecx
- koderkrazy
- Expert Cheater
- Posts: 254
- Joined: Sun Jun 17, 2018 2:14 pm
- Reputation: 190
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
Looking at the code, your value is in [eax+74], and it is decrypted by subtracting [eax+70] then sar,2 (shift and rotate).
Try to modify eax+74 before mov ecx,[eax+74]:
change the value in [eax+74] to 00461C3C (to do this add eax+74 to the watch list),
then change the value in eax+70 to zero.
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
That's what I get when I add eax+74 to the watch list.
Before the breakpoint, the opcode:
After breaking at the opcode:
I couldn't change any value in the watch list, so I made a script, and it crashes the game:
mov [eax+74],00461C3C
mov [eax+74],0
mov ecx,[eax+74]
sub ecx,[eax+70]
jmp return
What am I doing wrong?
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
koderkrazy wrote: ↑Tue Aug 28, 2018 4:07 am
Looking at the code your value is in [eax+74], and decrypted with subtract [eax+70] then sar,2 (shift and rotate)
try to modify eax+74 before mov ecx,[eax+74]
change value in [eax+74] to 00461C3C (to do this add eax+74 in watch list)
then change value in eax+70 to zero.
Why 00461C3C? What does it represent?
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
OK, new update.
Apparently I was doing the back trace the wrong way.
The function was doing multiple things, so I was back tracing the wrong value.
So I did it again.
This time I back traced with the condition EAX==0x2840F3FC (0x2840F3FC is the address of the displayed gold value).
It gave me this result,
and as you can see no other functions appear in the results.
So I tried to back trace at mov [eax],ecx with the same condition, but nothing happened.
So I tried [ebp+08]==(float)805.00 and nothing happened when gold reached that amount.
So I tried the condition 0x0106F3D8==0x2840F3FC to make it equal the EAX value, and still nothing happened.
So how can I back trace it with the right condition, to avoid back tracing the wrong values through all the functions?
- koderkrazy
- Expert Cheater
- Posts: 254
- Joined: Sun Jun 17, 2018 2:14 pm
- Reputation: 190
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
Sorry buddy for the late reply.
I got hold of v1.022611. I don't have the DLC; that should be ok because the DLC just adds new maps.
Here is how the game stores the stats:
Code: Select all
//this code reads encrypted stat
"StrongholdBase.dll"+2CC169: 8B 8B 0C 02 00 00 - mov ecx,[ebx+0000020C] //ebx has base address
"StrongholdBase.dll"+2CC16F: 8B 99 2C 01 00 00 - mov ebx,[ecx+0000012C]
"StrongholdBase.dll"+2CC175: 8B 14 82 - mov edx,[edx+eax*4]
"StrongholdBase.dll"+2CC178: 8B 89 F4 00 00 00 - mov ecx,[ecx+000000F4]
"StrongholdBase.dll"+2CC17E: 8B 14 93 - mov edx,[ebx+edx*4] //stat location edx changes for every stat. Also it changes every game session. So can't inject here.
"StrongholdBase.dll"+2CC181: 8B 49 10 - mov ecx,[ecx+10]
"StrongholdBase.dll"+2CC184: 33 D7 - xor edx,edi //xor decryption. edi also changes per game session.
"StrongholdBase.dll"+2CC186: 89 55 FC - mov [ebp-04],edx
See the attached table for gold and wood cheats. Here is how you can do it for other stats:
1. Do a 4-byte 'unknown initial value' search.
2. Change stone.
3. Do 'changed value'. This will take a while till the results get into the millions.
4. Do 'unchanged value'.
5. Repeat 2-4 till you get ~30 values.
6. Add all values to the address list.
7. Lock [x] a few values from the bottom. Gather stones. See if the stone display changes.
8. Do it till you find a pointer which will stop the stone counter on the display. Also make sure that when you set it to 0 the display changes.
9. Do 'what writes to the address'. Then inject there. Look at my scripts for wood and gold.
- Attachments
- Crusader2 v1.02261.CT (gold, wood) (113.04 KiB) Downloaded 204 times
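The xor-obfuscated stat storage shown in the listing above, modelled in C as an added editor's example (not the game's code and not koderkrazy's table): the plain value never sits in memory, only value ^ session_key, which is why a plain value scan finds nothing while the unknown/changed/unchanged scan still narrows in (the stored dword still changes whenever the stat does). The shadow copy and stat_tampered check are an assumed defensive extension, not something the page says the game does; they show how such storage can notice a single patched or frozen dword.

```c
#include <stdint.h>
#include <stdlib.h>

/* Model of the storage in the listing: the dword in memory is stat ^ key,
 * where key (edi in the listing) is rolled per game session.
 * Layout and stat order are constructed for this example. */
enum { GOLD = 0, WOOD = 1, STONE = 2, NSTATS = 4 };

typedef struct {
    uint32_t key;               /* per-session xor key */
    uint32_t enc[NSTATS];       /* obfuscated stats, as the game keeps them */
    uint32_t shadow_key;        /* assumed extension: second key ... */
    uint32_t enc_shadow[NSTATS];/* ... and a second copy under it for a tamper check */
} Stats;

static uint32_t session_key(void) {
    /* stand-in for however the game derives the key; it only has to be nonzero
     * and differ between runs, so the same stat lands on a different dword each session */
    return (uint32_t)rand() | 1u;
}

void stats_init(Stats *s, const uint32_t *initial) {
    s->key = session_key();
    s->shadow_key = session_key() ^ 0xA5A5A5A5u;
    for (int i = 0; i < NSTATS; i++) {
        s->enc[i] = initial[i] ^ s->key;
        s->enc_shadow[i] = initial[i] ^ s->shadow_key;
    }
}

/* Read path, as in the listing: mov edx,[stat] ; xor edx,edi */
uint32_t stat_read(const Stats *s, int idx) {
    return s->enc[idx] ^ s->key;
}

/* Write path mirrors the read path; the plain value is never stored. */
void stat_write(Stats *s, int idx, uint32_t value) {
    s->enc[idx] = value ^ s->key;
    s->enc_shadow[idx] = value ^ s->shadow_key;
}

/* Tamper check: a write that only patched enc[idx] (for example a frozen address
 * or an injected mov) leaves the shadow copy disagreeing. Returns 1 on mismatch. */
int stat_tampered(const Stats *s, int idx) {
    return (s->enc[idx] ^ s->key) != (s->enc_shadow[idx] ^ s->shadow_key);
}
```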
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
Man, you've been a great help for me. I'm still learning, that's why I take some time myself...
So about your way:
1. Do a 4-byte 'unknown initial value' search.
2. Change stone.
3. Do 'changed value'. This will take a while till the results get into the millions.
4. Do 'unchanged value'.
5. Repeat 2-4 till you get ~30 values.
6. Add all values to the address list.
7. Lock [x] a few values from the bottom. Gather stones. See if the stone display changes.
8. Do it till you find a pointer which will stop the stone counter on the display. Also make sure that when you set it to 0 the display changes.
9. Do 'what writes to the address'. Then inject there. Look at my scripts for wood and gold.
I'll do it.
But why isn't the back trace for the gold display value working? What am I doing wrong?
I'm asking because I want to learn how to do it from there, I mean back tracing from the gold display value.
If you can help me till I do it, then you will be helping me learn back tracing very well for encrypted values.
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
koderkrazy wrote: ↑Fri Aug 31, 2018 7:41 am
See the attached table for gold and wood cheats. Here is how you can do it for other stats:
1. Do a 4-byte 'unknown initial value' search.
2. Change stone.
3. Do 'changed value'. This will take a while till the results get into the millions.
4. Do 'unchanged value'.
5. Repeat 2-4 till you get ~30 values.
6. Add all values to the address list.
7. Lock [x] a few values from the bottom. Gather stones. See if the stone display changes.
8. Do it till you find a pointer which will stop the stone counter on the display. Also make sure that when you set it to 0 the display changes.
9. Do 'what writes to the address'. Then inject there. Look at my scripts for wood and gold.
The game always crashes when I freeze or change the value... I'm doing that on the wood value in the tutorial session.
What is the cause of the crashing?
- koderkrazy
- Expert Cheater
- Posts: 254
- Joined: Sun Jun 17, 2018 2:14 pm
- Reputation: 190
Re: help hacking Stronghold Crusader 2 - The Jackal and The Khan
pharaon wrote: ↑Fri Aug 31, 2018 12:36 pm
...
7. Lock [x] a few values from the bottom. Gather stones. See if the stone display changes.
8. Do it till you find a pointer which will stop the stone counter on the display. Also make sure that when you set it to 0 the display changes.
The game always crashes when I freeze or change the value... I'm doing that on the wood value in the tutorial session.
What is the cause of the crashing?
At step 5, all the values in the result list should be changing only when wood changes.
Once you get down to the address list, lock one value (since the game is crashing, better to lock one by one), then get/spend some wood.
On locking the proper pointer, the wood display should not change on getting/spending wood.
As you are trying it for wood, I suggest building the stockpile far away from the wood camp, and building only one wood camp. Or pause the game in between to let the search complete.