JakobKlocker / Encrypted-Values

Finding Encrypted Values


In this post I will explain how to find encrypted values in games.

Intro

Most games these days encrypt important values such as player and enemy information.
This makes the information harder to find, since we can't simply search memory for an exact value without knowing the encryption.
Because the game needs the real values to do arithmetic and logic on them, these values have to be decrypted, worked with and encrypted again. In this post I will explain how to find the decrypted values, using the gold value as an example.

Approaches

There are two common approaches. One is to reverse the encryption/decryption function and use it to decrypt the encrypted value stored on the heap.
The other is to hook the place where the game works with the decrypted values and edit/copy the content there.
We will be taking the second approach today; the first will be covered in a later post.

Tools

We'll mainly be using Cheat Engine for memory scanning and tracing, and IDA to get a better understanding of the functions we're analysing.
https://en.wikipedia.org/wiki/Cheat_Engine
https://en.wikipedia.org/wiki/Interactive_Disassembler

Theory

In today's post we will be looking for the gold value and displaying it in a C/C++ console.
Since the value is encrypted, we can't search for the exact amount of gold we are holding, because that value is never stored on the heap.
Therefore we will use Cheat Engine's "Changed Value" and "Unchanged Value" scan options to find the encrypted gold address.

The idea is to first scan for an "Unknown initial value", then scan for "Changed Value" whenever the amount of gold you are holding has changed and for "Unchanged Value" whenever it hasn't. Repeat this until you are down to a few addresses.
After that we will use Cheat Engine's "Find out what writes to this address" function to find the function which writes to the memory address where the encrypted value is stored. This should lead us to the encryption function.
By tracing back the stack we can find out which function called the encryption function and fetch the real gold value before it is encrypted. To achieve our goal we will place a hook at the point where our value is still decrypted, store it in our own allocated memory and print it in a C/C++ console.

Skills required

- Basic x86 ASM
- Basic debugging experience

Skills acquired

- Basic understanding of memory scanning
- Dynamic analysis

Practical - Finding Encrypted gold address

1. First open Cheat Engine and attach it to the game.

2. Search for "Unknown initial value" with value type 4 Bytes. The value type may vary depending on which type holds the gold; if you can't find any decent result with 4 Bytes, try 2 Bytes (short) or 8 Bytes (long). Most games use 4 Bytes though. This scans the entire memory of the attached process for values of that type.

3. In game, change your gold by dropping or gaining some and search for "Changed Value". Since we do not know how the encryption works we can't search for "Increased value" or "Decreased value". This filters out all values which haven't changed.

4. Use different game functions such as attacking or moving that don't change your gold, then search for "Unchanged Value". This filters out all values which have changed. It is a good idea to use as many in-game functions as possible to trigger changes in uninteresting values.

Keep repeating steps 3 and 4 until you are left with only a few addresses.

[image: Values_Left]

In my case I'm left with four addresses which are all 4 bytes apart. This could lead to the assumption that we found a structure which contains the encrypted gold value and some additional information used to decrypt it.
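To make the scan logic of steps 2 to 4 concrete, here is an added Python simulation (not part of this repository) of the "Unknown initial value" / "Changed Value" / "Unchanged Value" narrowing, run over a constructed memory image of a toy process. The toy stands in for the game and uses a hypothetical XOR-with-random-value scheme in place of the real encryption; the scan still ends on the random value and the ciphertext next to it, which is why the surviving addresses are 4 bytes apart, and the plaintext gold never appears in memory for an exact-value scan to find.

```python
import random
import struct

WORD = 4  # Cheat Engine value type "4 Bytes"

def read_word(mem, addr):
    return struct.unpack_from("<I", mem, addr)[0]

def initial_scan(mem):
    """'Unknown initial value': every 4-byte aligned address is a candidate."""
    return set(range(0, len(mem) - WORD + 1, WORD))

def filter_scan(cands, before, after, changed):
    """'Changed Value' (changed=True) or 'Unchanged Value' (changed=False)."""
    return {a for a in cands
            if (read_word(before, a) != read_word(after, a)) == changed}

class ToyGame:
    """Constructed stand-in for the game: gold is never in memory as plaintext.
    Layout mirrors the write-up: random value first, ciphertext 4 bytes later."""
    KEY_SLOT, GOLD_SLOT = 4, 5  # word indices chosen for this example

    def __init__(self, gold=100, seed=1):
        self.rng = random.Random(seed)
        self.words = [self.rng.getrandbits(32) for _ in range(16)]
        self.set_gold(gold)

    def set_gold(self, gold):
        key = self.rng.getrandbits(32)           # fresh random value per encrypt
        self.words[self.KEY_SLOT] = key
        self.words[self.GOLD_SLOT] = gold ^ key  # hypothetical XOR "encryption"

    def act(self):  # attack/move: unrelated fields change, gold does not
        for i in (0, 1, 10):
            self.words[i] = self.rng.getrandbits(32)

    def memory(self):
        return b"".join(struct.pack("<I", w) for w in self.words)

def locate_gold_struct(game, rounds=3):
    """Repeat steps 3 and 4 of the write-up; return the surviving addresses."""
    cands = initial_scan(mem := game.memory())
    for r in range(rounds):
        game.set_gold(100 + 10 * r)      # step 3: gold changed -> "Changed Value"
        new = game.memory()
        cands, mem = filter_scan(cands, mem, new, True), new
        game.act()                       # step 4: gold untouched -> "Unchanged Value"
        new = game.memory()
        cands, mem = filter_scan(cands, mem, new, False), new
    return sorted(cands)                 # -> [16, 20]: the key and the ciphertext
```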

Practical - Finding Encryption Function

The next step is to find out where the encrypted value is written to the address we found. To do this, right click the memory address and select "Find out what writes to this address". A window will pop up which keeps track of the locations at which the content of our address is modified. If you now change your gold value it should display which assembly instruction, including its address, is changing the value.
[image: writesToAddr]
We have now found the function which encrypts our value. Most encryption functions contain xor and shl/shr instructions, which is a good indicator that you're in the correct place.
I decided to look at that function in IDA to get an overview of how many functions call that encryption function and to get an idea of what the encryption looks like.
[image: callsToEncryption]
The encryption is called from 1123 places, meaning it isn't only used to encrypt our gold value. This tells us it won't be as easy as setting a breakpoint and tracing back the stack when changing the gold value, since the encryption will most likely be called by another function before we are able to change our gold value.
[image: encryptionFunction]
Looking at the encryption function we see that it creates a random value and stores it at the address of the second argument. It uses the random value to perform some arithmetic on the first argument (which will most likely be our decrypted value), and the result is stored at the second argument's address + 4 (most likely a structure). The function returns some kind of checksum, computed with arithmetic involving the encrypted value, the random value and 0xBAADF00D. The random value will most likely be kept on the heap to decrypt the value later. Since we're hooking the gold value before it gets encrypted, we won't look any further at the encryption. I'd still suggest naming the values and functions inside IDA once you know what they do.
[image: encrpytionFucntionNamed]

Practical - Finding Decrypted gold value

Moving back to Cheat Engine, we still have the window open which tells us what instruction writes to our encrypted gold value. If you double click the instruction a window will pop up; at the bottom it shows what the registers held at the time the instruction was executed.

As explained above, the encryption function is called from 1122 other places, meaning we can't simply set a breakpoint. What we'll have to do is set a conditional breakpoint. Since we know that the instruction which writes our address is "mov [edi], esi", we know that edi must hold the memory address we found. Looking at the registers, we see that EDI equals 559A9131, which is our memory address (it's our memory address + 1; Cheat Engine displays "The value of the pointer needed to find this address is probably 559A9131").
We want to trace back which function called the encryption function for the gold; there are multiple methods for that. One is Break and Trace, a quite powerful Cheat Engine function. For the sake of simplicity we will use a normal conditional breakpoint, step through the code until we hit a return and save that address. To set a breakpoint, go to the memory address which wrote our encrypted gold value, right click it and click "Set breakpoint (Hardware Breakpoint)".

After setting the breakpoint we have to add a condition to it. Right click the address again and select "Set/Change breakpoint condition". A window will pop up where you enter the condition.

In my case the breakpoint should hit if EDI equals 0x559A9131. It is possible that the breakpoint was hit before you were able to set the condition; in that case press "Run" (F9) to continue the game. Now drop/gain some gold and the breakpoint should be hit. Step over (F8) the instructions until you reach a return. Once you step over the return, you'll be in the function which called the encryption. Above the instruction you're currently at you'll see a call (the call to the encryption). Set a breakpoint at that call and you should see the real gold value in a register or on the stack.

In my case the registers EAX and ECX both hold my current gold value in hex. The location where your gold is stored may differ depending on the game.
[image: gold]

Detour

Since there are lots of tutorials about detouring online I won't cover that topic today. Simply write a detour at the address where the gold value is stored, move it into your own allocated memory and print it. Inline assembly can be used for this.
