PwnAdventures3 – Part 2 – Making ourselves stronger

In my previous post I covered how to modify the game using Cheat Engine and IDA so that we can cast as many spells as we want without spending any Mana: in a nutshell, endless Mana.

If you haven’t read the previous post, please go and read it now. If you have, we are ready to go. Let’s do this.

As I mentioned in the last post, I’m going to explain all the techniques I tried to modify our health and make ourselves invincible. As you may have noticed, this only works when you play the game offline, without a server: the server keeps the authoritative copy of the character state (position, mana and health), and patches to our own client never touch it. That is not a bad thing. We are learning to reverse games, and everything we try helps us understand how things work and how we could manipulate them to gain an advantage. That said, today I’m going to show you four things I tried in order to avoid dying in the game, which will also help us solve the first Challenge.

tl;dr

We are going to try four different things this time: increase the amount of HP, prevent ourselves from receiving damage, prevent ourselves from dying, and a final trick, the only one that met my expectations and actually worked. Wait… you will have to wait for it, I won’t spoil it for you. Last but not least, at the end of this post we are going to solve the first challenge, “Unbearable Revenge”.

Increase the amount of HP

Easy-peasy, right? We did it last time with the Mana, so we can do it again. We know that our HP is stored somewhere in memory as a value we can search for.

Let’s search the value as we did before, and repeat the process:

But wait: a single scan for 100 returns far too many candidates (every other value that happens to be 100, our Mana included), so we need our HP to actually change. Let’s get out of the cave and get bitten by the Giant Rats. Once that happens we can rescan for values that decreased and now match our current HP. Then we modify the value at each remaining address until we find the one that changes our HP in the game.
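Here is a small Python model of the scan-and-narrow loop we just did by hand in Cheat Engine. It is an added example, not the author’s code and nothing from the game: the two memory snapshots are constructed (a 64-byte region with a few decoy slots that also hold 100), and the base address reuses the EDI value from the damage listing further down so that the HP slot lands at 0x4BCB79F8 as in the text. The function names are mine.

```python
"""Scan-and-narrow, the way Cheat Engine does it, over constructed snapshots.

Added example: the snapshots below are made up for illustration, they are not
dumped from PwnAdventure 3.
"""
import struct
from typing import Dict, Iterable, List


def scan_exact(memory: bytes, value: int, base: int = 0, align: int = 4) -> List[int]:
    """First scan ("Exact value", 4 Bytes): every aligned dword equal to `value`."""
    needle = struct.pack("<I", value)
    return [base + off for off in range(0, len(memory) - 3, align)
            if memory[off:off + 4] == needle]


def rescan_decreased(before: bytes, after: bytes, candidates: Iterable[int],
                     base: int = 0) -> List[int]:
    """Next scan ("Decreased value"): keep only the slots whose dword went down."""
    keep = []
    for addr in candidates:
        off = addr - base
        (old,) = struct.unpack("<I", before[off:off + 4])
        (new,) = struct.unpack("<I", after[off:off + 4])
        if new < old:
            keep.append(addr)
    return keep


def rescan_exact(memory: bytes, candidates: Iterable[int], value: int,
                 base: int = 0) -> List[int]:
    """Next scan ("Exact value"): keep only the slots that now hold the value on screen."""
    needle = struct.pack("<I", value)
    return [a for a in candidates if memory[a - base:a - base + 4] == needle]


def build_snapshot(fields: Dict[int, int], size: int = 0x40) -> bytes:
    """Build a fake memory region with little-endian dwords at the given offsets."""
    buf = bytearray(size)
    for off, val in fields.items():
        buf[off:off + 4] = struct.pack("<I", val)
    return bytes(buf)


# Constructed: the base is the EDI value from the damage listing, so the HP slot
# (offset 0x30) sits at 0x4BCB79F8 like in the text. Offset 0x34 plays the role
# of Mana (also 100); 0x08 and 0x20 are decoys that happen to hold 100 as well.
BASE = 0x4BCB79C8
BEFORE_BITE = build_snapshot({0x08: 100, 0x20: 100, 0x30: 100, 0x34: 100})
AFTER_BITE = build_snapshot({0x08: 100, 0x20: 50, 0x30: 92, 0x34: 100})  # the rat did 8


def find_hp_address() -> int:
    """Replay the three scans from the post and return the single survivor."""
    cands = scan_exact(BEFORE_BITE, 100, BASE)                       # 4 hits: too many
    cands = rescan_decreased(BEFORE_BITE, AFTER_BITE, cands, BASE)   # 2 left (a decoy dropped too)
    cands = rescan_exact(AFTER_BITE, cands, 92, BASE)                # 1 left: our HP
    if len(cands) != 1:
        raise RuntimeError(f"still {len(cands)} candidates, take more damage and rescan")
    return cands[0]


if __name__ == "__main__":
    print(f"HP lives at {find_hp_address():#010x}")
```

The decoy at 0x20 is the reason the second scan alone is not enough: “decreased value” keeps everything that went down, and only the exact-value rescan against the number on screen pins the HP slot.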

Now we have the amount of HP we want. But what’s the problem? We don’t want to do this every time we launch the game (the address moves between runs and the edit is lost when the process exits); that’s not fun. Let’s try a different approach.

Prevent us from receiving damage

What if we figure out which instruction is decreasing our HP and NOP it out? Go back to Cheat Engine and, on the HP address, do “Right-Click -> Find out what writes to this address”:

What do we have here? The instruction at 6D5020C5 is subtracting EAX from the dword at [EDI+30]:

6D5020BC - 8B 0D 7C7D596D  - mov ecx,[GameLogic.dll+97D7C]
6D5020C2 - 8B 45 10  - mov eax,[ebp+10]
6D5020C5 - 29 47 30  - sub [edi+30],eax <<
6D5020C8 - FF 77 30  - push [edi+30]
6D5020CB - 8B 01  - mov eax,[ecx]

EAX=00000008
EBX=3127D828
ECX=07E602B0
EDX=014FEF20
ESI=00000000
EDI=4BCB79C8
ESP=022CF988
EBP=022CF9B8
EIP=6D5020C8

If we take a closer look, EAX holds 8 (the damage) and EDI+30 is 0x4BCB79C8+0x30 = 0x4BCB79F8, the address of our current HP. (Cheat Engine takes the register dump after the write has happened, which is why EIP already points to the next instruction, 6D5020C8.) Wait! Before patching, if you are using IDA, create a snapshot with “File -> Create database snapshot”. This lets us come back to this point if something goes wrong. Now we “Right-click on the address -> Replace with code that does nothing (NOP)”. This replaces the three bytes of the sub, 29 47 30, with 90 90 90; the patch has to cover exactly the instruction’s length, no more and no less, and the 6-byte mov above it is a different instruction that we leave alone. If you go back to the game and try your new superpower, you will see that something went wrong.

Yep, the game uses the same function to apply damage to the monsters too, so after this patch nobody takes damage and we can’t kill anything either. We will have to think of a different way of doing this.

Prevent us from Dying

The game is probably checking our HP constantly to see whether we are still alive. Do you see where we are going with this? Maybe we can play with that check and modify the value it compares against to decide whether we are dead, and confuse the game.

Let’s see if we can catch the moment the game detects that we died. “Right-Click -> Restore the original code” puts back the bytes we replaced with NOPs, or, if you are in IDA, you can just revert to the previous snapshot. Luckily, we saved it 😉

Now do “Right-Click -> Find out what addresses access here” on the HP address. We will see that a few instructions access our HP many times per second, but one of them makes an interesting comparison:

6D55076F - E8 EC130100 - call GameLogic.RandomFloat+40E70
6D550774 - F3 0F10 55 08  - movss xmm2,[ebp+08]
6D550779 - 83 7B 30 00 - cmp dword ptr [ebx+30],00 <<
6D55077D - 0F8E 71040000 - jng GameLogic.RandomFloat+2FF04
6D550783 - 33 C9  - xor ecx,ecx

EAX=022CFAF4
EBX=001E94F0
ECX=00000000
EDX=6D578440
ESI=066E6D80
EDI=4AAF4100
ESP=022CFA7C
EBP=022CFB0C
EIP=6D55077D

On the third line it compares our HP, [EBX+30], with zero, and the jng right after it is a signed “jump if not greater”: the branch is taken when HP is less than or equal to 0. That’s exactly what we are looking for.

Cheat Engine allows us to modify quickly any instruction that we want by doing “Right-Click -> Assemble” on the memory viewer. Remember that we can revert any change with the same tool.

If we change the immediate to, for example, 101, the game still lets us cast spells and deal damage, but guess what? Monsters won’t die either. The game is again sharing the same piece of code to decide whether monsters die. That’s a problem. What if we try a negative value? Same result: the Rats keep killing us, since our HP keeps decreasing with the damage we receive, and the same happens to the monsters.

Another dead end.

Respawning with infinite HP

When we click Respawn after dying, the game takes our stats and resets them to their initial values, 100 HP and 100 MP. That information must be stored somewhere in the code. With everything we have learned, we can find it easily.

Bear in mind that this game never changes your base stats: no matter how far you have progressed, you always respawn with 100 HP and 100 MP, which is why the value can sit in the code as a constant. Other games with stat and leveling systems won’t have this information “hardcoded”; it will live in your character data, in variables, structures, etc.

If we do “Right-Click -> Find out what writes here” on the HP address before clicking Respawn, we will find the instruction that restores our stats before bringing us back to life.

The write is mov dword ptr [esi+30],64000000, encoded as C7 46 30 64 00 00 00 (0x64 = 100). Now if we overwrite that immediate with a much larger value, the next time we click “Respawn” we will have a huge amount of HP. Two things to get right: the immediate is a full little-endian dword, so all four bytes have to be written, and the highest byte should stay below 0x80 (FF FF FF 7F, i.e. 2147483647, is the largest safe choice), because the death check we found earlier is a signed compare and would read FF FF FF FF as -1, in other words dead. This would be the result after patching the binary in IDA:
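To make the two patches in this post reproducible (the NOP over sub [edi+30],eax from “Prevent us from receiving damage” and the new respawn immediate from this section), here is an added Python example. It is not the author’s code and touches no real binary: the code bytes are assembled from the Cheat Engine listings above, the function names are mine, and in practice you would run the same functions over the bytes of GameLogic.dll at the right file offset. It checks the original bytes before patching, NOPs exactly the instruction’s length, and refuses a respawn value that the signed cmp/jng check would treat as dead.

```python
"""Build the two byte patches from the post against constructed code bytes.

Added example: DAMAGE_CODE and RESPAWN_CODE are assembled here from the
Cheat Engine listings, they are not read from GameLogic.dll.
"""
import struct

NOP = b"\x90"

# Constructed: the five instructions around the damage subtraction, contiguous.
DAMAGE_CODE = bytes.fromhex(
    "8B0D7C7D596D"   # mov ecx,[GameLogic.dll+97D7C]   (6 bytes)
    "8B4510"         # mov eax,[ebp+10]                (3 bytes)
    "294730"         # sub [edi+30],eax                (3 bytes)  <- the write to kill
    "FF7730"         # push [edi+30]
    "8B01"           # mov eax,[ecx]
)
SUB_OFFSET = 6 + 3                        # where "sub [edi+30],eax" starts
SUB_BYTES = bytes.fromhex("294730")

# Constructed: the respawn write, mov dword ptr [esi+30],0x64 (100 HP).
RESPAWN_CODE = bytes.fromhex("C7463064000000")
MOV_ESI30_IMM32 = bytes.fromhex("C74630")  # opcode + ModRM + disp8, imm32 follows


def nop_out(code: bytes, offset: int, expected: bytes) -> bytes:
    """Replace one instruction with NOPs, but only if its bytes are what we expect.

    The check is what saves you after a rebase or a wrong click: the patch must
    land on `expected` and cover exactly its length (3 NOPs for 29 47 30, not 6).
    """
    found = code[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(f"at {offset:#x} found {found.hex()}, expected {expected.hex()}")
    return code[:offset] + NOP * len(expected) + code[offset + len(expected):]


def set_respawn_hp(code: bytes, new_hp: int) -> bytes:
    """Rewrite the imm32 of `mov dword ptr [esi+30],imm32` (C7 46 30 xx xx xx xx)."""
    if code[:3] != MOV_ESI30_IMM32 or len(code) < 7:
        raise ValueError("not a mov dword ptr [esi+30],imm32")
    if not 0 < new_hp <= 0x7FFFFFFF:
        # The death check in the post is `cmp [ebx+30],0` followed by `jng`, a
        # signed compare: 0xFFFFFFFF is -1 to it, so we would respawn already dead.
        raise ValueError("HP must stay a positive signed 32-bit value")
    return code[:3] + struct.pack("<i", new_hp) + code[7:]


def takes_dead_branch(hp_dword: bytes) -> bool:
    """Mirror `cmp dword ptr [ebx+30],00` + `jng`: the jump is taken when HP <= 0 (signed)."""
    (hp,) = struct.unpack("<i", hp_dword)
    return hp <= 0


def apply_damage(hp_dword: bytes, damage: int) -> bytes:
    """Mirror `sub [edi+30],eax`: a 32-bit subtraction that wraps around."""
    (hp,) = struct.unpack("<I", hp_dword)
    return struct.pack("<I", (hp - damage) & 0xFFFFFFFF)


if __name__ == "__main__":
    patched = nop_out(DAMAGE_CODE, SUB_OFFSET, SUB_BYTES)
    print("damage code:", patched.hex(" "))
    respawn = set_respawn_hp(RESPAWN_CODE, 0x7FFFFFFF)
    print("respawn code:", respawn.hex(" "))
    hp = respawn[3:7]                      # the HP we come back with
    for _ in range(3):                     # three rat bites of 8, as in the listing
        hp = apply_damage(hp, 8)
    print("after three bites:", struct.unpack("<i", hp)[0], "dead?", takes_dead_branch(hp))
```

The same `nop_out` check would have caught the mix-up between the 6-byte mov and the 3-byte sub: asking it to NOP 8B 0D 7C 7D 59 6D at the sub’s offset fails instead of silently overwriting the push that follows.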

Now the only thing we have to do is die once; from the next respawn on, we are invincible.

Sweet, our HP doesn’t even fit inside the screen!

Bonus: First Challenge – Unbearable Revenge

This one is actually easy: once you have infinite HP and Mana you can just go there and wait out the 5 minutes. The challenge is located outside the cave. Head outside and follow the road until you find a cabin, then keep going forward, deep into the forest, until you see a Chest surrounded by fire.

The challenge consists of staying five minutes inside the circle without dying while tons of Bears try to hug you so hard that it hurts.

You could also use Cheat Engine’s Speedhack if you don’t want to wait the 5 minutes. I didn’t try it, but it should work perfectly. Remember, though, that everything will happen faster, not only the countdown: mobs will respawn faster and hit faster, and you will be able to move faster and cast more spells per second.

Ready for the challenge.

You will need to kill a few of those bears, or there will be so many of them that you won’t be able to move 🙂

Looting the chest.
Flag of the Bear

Remember that if you try this challenge connected to a server, you will die as soon as you have taken 100 points of damage: the server keeps its own copy of your HP and knows it is not infinite.

Conclusions

We found out today that a workaround is not always the easiest path to a solution; sometimes we just need to play around until we understand how the game handles the different variables and values, and how we can manipulate them to gain an advantage.

Next Post

We are going to continue with this game, trying to unlock the rest of the challenges and all the achievements.