All times are UTC-05:00

 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Thu Jul 10, 2008 1:34 am 
 

Joined:Wed Jan 16, 2008 4:52 pm
Posts:66
Quote:
Nope, neither method seems to work, and I tried both methods with both ArtMoney and CE.

-- Griffinhart
Can you give us an example link to a flash game that doesn't work please? I'll test it myself.


 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Thu Jul 10, 2008 2:01 am 
 

Joined:Sat Jun 03, 2006 3:51 am
Posts:1186
Website:http://griffinhart.livejournal.com/
Yahoo Messenger:Squall591
AOL:FinalWarrior591
Location:Look at my horse, my horse is amazing!
http://www.sugar-free-games.com/showgame.php?game=849

I've tried both the downloaded and the browser versions. Can't cheat the game either way.

(Specifically, I went to story mode and tried to give my character more than 21 stat points.)

-- Griffinhart

_________________
"My word is my honor. My honor is my life."
-- Demonchild, Angelkin, the Blackest Seraph, the Final Warrior

 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Thu Jul 10, 2008 2:23 am 
 

Joined:Wed Jan 16, 2008 4:52 pm
Posts:66
Quote:
http://www.sugar-free-games.com/showgame.php?game=849

I've tried both the downloaded and the browser versions. Can't cheat the game either way.

(Specifically, I went to story mode and tried to give my character more than 21 stat points.)

-- Griffinhart
Hmm, doesn't seem to work on version 9. Artmoney used to work with V8 if you multiply the value by eight. Looks like V9 uses some other means to store values.


 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Thu Jul 10, 2008 10:27 am 
 

Joined:Mon Mar 07, 2005 9:32 am
Posts:600
Location:localhost
From what I can figure in Flash 9, variables are stored with a random obfuscation value. For example:
Code:
class Integer
{
    private int InternalValue;
    private int Obfuscation;

    public Integer()
    {
        // pick a random obfuscation value when the object is created
        Obfuscation = new System.Random().Next();
    }

    public void SetValue(int value)
    {
        // using xor operator ^ for variable obfuscation
        InternalValue = value ^ Obfuscation;
    }

    public int GetValue()
    {
        // using xor operator ^ again to undo variable obfuscation
        return InternalValue ^ Obfuscation;
    }
}
That kinda thing.

_________________
BAZINGA.


 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Thu Jul 10, 2008 8:20 pm 
 

Joined:Wed Jan 16, 2008 4:52 pm
Posts:66
Quote:
From what I can figure in Flash 9, variables are stored with a random obfuscation value. For example:
Code:
class Integer
{
    private int InternalValue;
    private int Obfuscation;

    public Integer()
    {
        // pick a random obfuscation value when the object is created
        Obfuscation = new System.Random().Next();
    }

    public void SetValue(int value)
    {
        // using xor operator ^ for variable obfuscation
        InternalValue = value ^ Obfuscation;
    }

    public int GetValue()
    {
        // using xor operator ^ again to undo variable obfuscation
        return InternalValue ^ Obfuscation;
    }
}
That kinda thing.
That being the case, even though the value is generated randomly it's still stored as a variable itself...

Should be a fairly simple matter for one to write a small program to retrieve the Obfuscation value and XOR it with the value being searched for.

Unfortunately this is beyond my abilities, or at least beyond my programming language knowledge which at present only extends to the old 16 bit Pascal and QuickBasic.

Hopefully we'll see this feature integrated into a new version of Artmoney.


 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Sat Jul 12, 2008 4:56 pm 
 

Joined:Mon Mar 07, 2005 9:32 am
Posts:600
Location:localhost
There are a few problems with that:
1) We don't know the value, so we can't find it in the first place.
2) We know that the memory address of the obfuscation value is near that of the obfuscated value, but we don't know where either value is in memory.

The only way to do it really is to reverse engineer the Flash ActiveX component and find the random number generator code, then find all calls to it. After that, each instance must be evaluated to find the number class. Unfortunately that requires a high knowledge of ASM and reverse engineering. I'm not qualified :P

_________________
BAZINGA.


 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Fri Jul 25, 2008 12:06 pm 
 

Joined:Sun Jul 13, 2008 2:49 am
Posts:2
Code:
#include <windows.h>
#include <tlhelp32.h>
#include <cstdlib>
#include <cstring>

int main()
{
    HANDLE hProcessSnapshot;
    PROCESSENTRY32 ProcessEntry32;
    DWORD dwProcessID;
    HANDLE hProcessHandle;

    system("color 0c"); // gotta love the red on black

    // poll every 5 ms until the game process shows up
    for (;; Sleep(5))
    {
        dwProcessID = 0; // reset so an uninitialised or stale PID is never opened

        if ((hProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)) == INVALID_HANDLE_VALUE)
            return 1;

        ProcessEntry32.dwSize = sizeof(PROCESSENTRY32);
        if (Process32First(hProcessSnapshot, &ProcessEntry32) == FALSE)
        {
            CloseHandle(hProcessSnapshot);
            return 1;
        }

        // walk the process list looking for the game executable
        do
        {
            if (strcmp(ProcessEntry32.szExeFile, "Onlink-SSE2.exe") == 0)
            {
                dwProcessID = ProcessEntry32.th32ProcessID;
                break;
            }
        } while (Process32Next(hProcessSnapshot, &ProcessEntry32) == TRUE);
        CloseHandle(hProcessSnapshot);

        if (dwProcessID == 0)
            continue; // game is not running yet

        if ((hProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID)) == NULL)
        {
            continue;
        }
        else
        {
            // patch three bytes at a fixed address in the game's memory
            BYTE writethis[3] = {0x89, 0xA9, 0xCC};
            WriteProcessMemory(hProcessHandle, (PVOID)0x00518e06, &writethis, 3, NULL);
            CloseHandle(hProcessHandle);
            return 0;
        }
    }
}
gives infinite money. compiled in vs.net 2k3, only compatible with onlink sse2 0.1.2.


 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Thu Sep 04, 2008 10:53 am 
Literally Nine
 

Joined:Sat Apr 02, 2005 3:31 pm
Posts:1171
Location:The vicinity of an area adjacent to a location.
Quote:
There are a few problems with that:
1) We don't know the value, so we can't find it in the first place.
2) We know that the memory address of the obfuscation value is near that of the obfuscated value, but we don't know where either value is in memory.

The only way to do it really is to reverse engineer the Flash ActiveX component and find the random number generator code, then find all calls to it. After that, each instance must be evaluated to find the number class. Unfortunately that requires a high knowledge of ASM and reverse engineering. I'm not qualified :P
Actually, a lot of the "trainer creator" programs that popped up in the mid 90s use an inexact method for finding values. Instead of telling the program what the current value is, you just tell it whether it's increasing, decreasing, or has stayed the same between different periods of time. This eliminates all but a few points of memory, usually.

_________________
- Tycho

 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Thu Sep 04, 2008 11:35 am 
 

Joined:Wed Jan 16, 2008 4:52 pm
Posts:66
Quote:
Actually, a lot of the "trainer creator" programs that popped up in the mid 90s use an inexact method for finding values. Instead of telling the program what the current value is, you just tell it whether it's increasing, decreasing, or has stayed the same between different periods of time. This eliminates all but a few points of memory, usually.
Yes, but with an obfuscation value when it's XOR'd it can change it so that when the true value goes up, the result actually goes down, and vice versa sometimes.

Such as in this example:

Current Value 83
Obfuscation value 11

Results in the XOR'd value 88

Whereas if I increase the current value by 1 the resulting value becomes 95, increasing it by 1 again leaves us with 94. You only have to get it doing that once to make searching for an increasing or decreasing value impossible, because you never know whether the result has increased or decreased, even if the true value follows a normal pattern.


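The arithmetic in the post above, carried through a short sequence as an added C++ example (not code from the thread): it counts how often the stored word moves the opposite way to the real value under one fixed XOR key, and what changes when a new key is drawn before every store. The `observe` function, the `ScanView` struct, the seed and the sample values beyond 83, 84, 85 with key 11 are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <random>
#include <vector>

// What comparing two snapshots of one stored cell gets right or wrong.
struct ScanView {
    int wrong_direction;    // real value moved one way, stored word the other
    int moved_while_equal;  // real value unchanged, stored word changed
    int equal_while_moved;  // real value changed, stored word unchanged
};

static int direction(int32_t before, int32_t after) {
    return (after > before) - (after < before);
}

// true_values: constructed sequence of real values over time.
// rekey=false keeps one XOR key; rekey=true draws a new key before every store.
// The seeded mt19937 only makes the demo reproducible; it is not a key source.
ScanView observe(const std::vector<int32_t>& true_values, int32_t key,
                 bool rekey, uint32_t seed) {
    ScanView view{0, 0, 0};
    if (true_values.empty()) return view;
    std::mt19937 rng(seed);
    int32_t prev_stored = true_values[0] ^ key;
    for (std::size_t i = 1; i < true_values.size(); ++i) {
        if (rekey) key = static_cast<int32_t>(rng());
        const int32_t stored = true_values[i] ^ key;
        const int real = direction(true_values[i - 1], true_values[i]);
        const int seen = direction(prev_stored, stored);
        if (real != 0 && seen == -real) ++view.wrong_direction;
        if (real == 0 && seen != 0) ++view.moved_while_equal;
        if (real != 0 && seen == 0) ++view.equal_while_moved;
        prev_stored = stored;
    }
    return view;
}

int main() {
    // 83, 84, 85 with key 11 are the post's numbers; the rest is constructed.
    const std::vector<int32_t> values = {83, 84, 85, 85, 86};
    const ScanView fixed = observe(values, 11, false, 1);  // stored: 88 95 94 94 93
    const ScanView rekeyed = observe(values, 11, true, 1);
    std::printf("fixed: %d wrong, %d moved-while-equal; rekeyed: %d moved-while-equal\n",
                fixed.wrong_direction, fixed.moved_while_equal, rekeyed.moved_while_equal);
    return 0;
}
```

With the fixed key the stored word still changes exactly when the real value changes; with a new key per store it also changes while the real value stays at 85.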
 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Thu Sep 04, 2008 6:35 pm 
 

Joined:Mon Mar 07, 2005 9:32 am
Posts:600
Location:localhost
Quote:
Actually, a lot of the "trainer creator" programs that popped up in the mid 90s use an inexact method for finding values. Instead of telling the program what the current value is, you just tell it whether it's increasing, decreasing, or has stayed the same between different periods of time. This eliminates all but a few points of memory, usually.
There are three simple ways to get around this:
1) XOR obfuscation - Often causes an increase of 1 in the true value to be an increase or decrease of a different amount in the obfuscated variable.
2) Randomize the obfuscation value each time you perform a read or write of the value and recalculate the new obfuscated value.
3) Store protection values - Create duplicate values that can be checked to see if the original was modified. For example:
Code:
/*
 * Written by Burningmace on 5th September 2008
 * Code is in C# so it should be easy to convert to C or C++
 */
using System;

class ProtectedInt
{
    // shared random source for obfuscation values
    private static readonly Random rng = new Random();

    private int internalValue;
    private int obfuscValue;
    private int protectValue;

    public ProtectedInt(int value)
    {
        obfuscValue = rng.Next(int.MinValue, int.MaxValue);
        internalValue = value ^ obfuscValue;
        /*
         * Simple equation for protection variable.
         * Ideally store multiple protection variables with complex
         * equations.
         * Using internalValue % 2 is useful if you have another
         * algorithm, as it is very hard to find the right 0/1 in
         * the entire process memory.
         * I sometimes use hash algorithms like CRC32 and MD5 to store
         * even more secure protection vars.
         */
        protectValue = (int)((internalValue % 32) / 4) + 1;
    }

    public int Read()
    {
        if (!Check())
        {
            // Shouldn't ever get here, but just in case...
            return 0;
        }
        return internalValue ^ obfuscValue;
    }

    public void Write(int value)
    {
        if (!Check())
        {
            // Again, shouldn't ever get here.
            return;
        }
        internalValue = value ^ obfuscValue;
        protectValue = (int)((internalValue % 32) / 4) + 1;
    }

    private bool Check()
    {
        if (protectValue != (int)((internalValue % 32) / 4) + 1)
        {
            // stored value no longer matches its protection value
            throw new Exception("Error");
        }
        // Re-generate the values with a new obfuscValue
        int realValue = internalValue ^ obfuscValue;
        obfuscValue = rng.Next(int.MinValue, int.MaxValue);
        internalValue = realValue ^ obfuscValue;
        protectValue = (int)((internalValue % 32) / 4) + 1;
        return true;
    }
}
I actually coded a class in VB.NET a while back to do this. It uses multiple protection values including a hash function, securely obfuscates the value (uses RNGCryptoServiceProvider class to generate obfuscation values), puts the values in random offsets in an array in order to alter the memory offset and last but not least creates "chaff" variables that cause false positives to appear on memory scanner applications. If anyone wants it, shout up and I'll post it.

_________________
BAZINGA.


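An added C++ example, not part of the original post, that measures how much of the stored word the post's protection formula `(internalValue % 32) / 4 + 1` covers, next to a keyed 32-bit mixer standing in for the hash-based checks the post mentions. The mixer, the salt and the sample value 12345 are assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdio>

// The thread's protection value, copied from the C# post (same % and / rules in C++).
int32_t post_check(int32_t stored) { return (stored % 32) / 4 + 1; }

// Swapped-in stronger check (not from the post): an invertible 32-bit mixer in the
// style of the MurmurHash3 finalizer, keyed with a per-object salt.
int32_t mixed_check(int32_t stored, uint32_t salt) {
    uint32_t h = static_cast<uint32_t>(stored) ^ salt;
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return static_cast<int32_t>(h);
}

static int32_t flip_bit(int32_t v, int bit) {
    return static_cast<int32_t>(static_cast<uint32_t>(v) ^ (1u << bit));
}

// Count single-bit edits of the stored word that leave post_check unchanged,
// i.e. modifications the protection value would not notice.
int unnoticed_by_post_check(int32_t stored) {
    int n = 0;
    for (int bit = 0; bit < 32; ++bit)
        if (post_check(flip_bit(stored, bit)) == post_check(stored)) ++n;
    return n;
}

// Same count for the keyed mixer.
int unnoticed_by_mixed_check(int32_t stored, uint32_t salt) {
    int n = 0;
    for (int bit = 0; bit < 32; ++bit)
        if (mixed_check(flip_bit(stored, bit), salt) == mixed_check(stored, salt)) ++n;
    return n;
}

int main() {
    const int32_t stored = 12345;        // constructed sample of internalValue
    const uint32_t salt = 0x5eed1234u;   // constructed; hypothetical per-object secret
    std::printf("post check misses %d of 32 single-bit edits\n",
                unnoticed_by_post_check(stored));
    std::printf("mixed check misses %d of 32 single-bit edits\n",
                unnoticed_by_mixed_check(stored, salt));
    return 0;
}
```

For the sample value the post's formula reacts only to bits 2, 3, 4 and the sign bit; the mixer is invertible, so any edit to the stored word alone changes its check value.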
 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Fri Oct 03, 2008 6:40 pm 
 

Joined:Tue Sep 30, 2008 4:54 pm
Posts:21
I know someone who's qualified, Joseph Carter. He's a good friend of mine who knows over 20 different scripting languages, including Visual Basic and Asm; he has VERY high knowledge of ASM and reverse engineering. I'll see if I can direct him to this topic.

_________________
When life gives you lemons, make a battery and power up your laptop!


 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Sun Oct 05, 2008 7:33 am 
 

Joined:Mon Mar 07, 2005 9:32 am
Posts:600
Location:localhost
Oh, and if you want any help in the area of code injection and memory scanning, take a look at the cheat engine forums. I go there every so often to ask about this and that, and to post some ideas and stuff.

_________________
BAZINGA.


 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Tue Oct 07, 2008 2:22 pm 
 

Joined:Sun Feb 12, 2006 8:56 pm
Posts:1019
Website:http://eddieringle.com
Location:Detroit, MI
Quote:
I know someone who's qualified, Joseph Carter. He's a good friend of mine who knows over 20 different scripting languages, including Visual Basic and Asm; he has VERY high knowledge of ASM and reverse engineering. I'll see if I can direct him to this topic.
Assembly is not a scripting language...

Of course, you might be talking of something completely different, in that case, disregard this.

_________________
-- Eddie Ringle

Check out Elysian Shadows and consider backing us on Kickstarter!

====================================

 Post subject:Re: Onlink... Money... Video Guide
PostPosted:Fri Oct 10, 2008 9:52 am 
 

Joined:Mon Mar 07, 2005 9:32 am
Posts:600
Location:localhost
VB isn't either. Nonetheless we understood him, so meh.

_________________
BAZINGA.

