Onlink... Money... Video Guide

Sabranan · **Joined:**Wed Jan 16, 2008 4:52 pm **Posts:**66

Quote:

Nope, neither method seems to work, and I tried both methods with both ArtMoney and CE.

-- Griffinhart

Can you give us an example link to a flash game that doesn't work please? I'll test it myself.

FinalWarrior · PostPosted:Thu Jul 10, 2008 2:01 am

http://www.sugar-free-games.com/showgame.php?game=849

I've tried both the downloaded and the browser versions. Can't cheat the game either way.

(Specifically, I went to story mode and tried to give my character more than 21 stat points.)

-- Griffinhart

Sabranan · **Joined:**Wed Jan 16, 2008 4:52 pm **Posts:**66

Quote:

http://www.sugar-free-games.com/showgame.php?game=849

I've tried both the downloaded and the browser versions. Can't cheat the game either way.

(Specifically, I went to story mode and tried to give my character more than 21 stat points.)

-- Griffinhart

Hmm, doesn't seem to work on version 9. Artmoney used to work with V8 if you multiply the value by eight. Looks like V9 uses some other means to stores values.

Burningmace · PostPosted:Thu Jul 10, 2008 10:27 am

From what I can figure in Flash 9, variables are stored with a random obfuscation value. For example:

Code:

class Integer {
    private int InternalValue;
    private int Obfuscation;
    public void new() {
        Obfuscation = rand();
    }
    public void SetValue(int value) {
        // using xor operator ^ for variable obfuscation
        InternalValue = value ^ Obfuscation;
    }
    public int GetValue() {
        // using xor operator ^ again to undo variable obfuscation
        return InternalValue ^ Obfuscation;
    }
}

That kinda thing.

Sabranan · **Joined:**Wed Jan 16, 2008 4:52 pm **Posts:**66

Quote:

From what I can figure in Flash 9, variables are stored with a random obfuscation value. For example:

Code:

class Integer {
    private int InternalValue;
    private int Obfuscation;
    public void new() {
        Obfuscation = rand();
    }
    public void SetValue(int value) {
        // using xor operator ^ for variable obfuscation
        InternalValue = value ^ Obfuscation;
    }
    public int GetValue() {
        // using xor operator ^ again to undo variable obfuscation
        return InternalValue ^ Obfuscation;
    }
}

That kinda thing.

That being the case, even though the value is generated randomly it's still stored as a variable itself...

Should be a fairly simple matter for one to write a small program to retrieve the Obfuscation value and XOR it with the value being searched for.

Unfortunately this is beyond my abilities, or at least beyond my programming language knowledge which at present only extends to the old 16 bit Pascal and QuickBasic.

Hopefully we'll see this feature integrated into a new version of Artmoney.

Burningmace · PostPosted:Sat Jul 12, 2008 4:56 pm

There are a few problems with that:
1) We don't know the value, so we can't find it in the first place.
2) We know that the memory address of the obfuscation value is near that of the obfuscated value, but we don't know where either value is in memory.

The only way to do it really is to reverse engineer the Flash ActiveX component and find the random number generator code, then find all calls to it. After that, each instance must be evaluated to find the number class. Unfortunately that requires a high knowledge of ASM and reverse engineering. I'm not qualified

Lionheart5358 · **Joined:**Sun Jul 13, 2008 2:49 am **Posts:**2

Code:

#include <windows.h>
#include <tlhelp32.h>
#include <iostream>

int main()
{
	STARTUPINFO si;
	PROCESS_INFORMATION pi;
	ZeroMemory(&si, sizeof(si));
	ZeroMemory(&pi, sizeof(pi));
	si.cb = sizeof(si);
	HANDLE         hProcessSnapshot;
	PROCESSENTRY32 ProcessEntry32;  
	DWORD          dwProcessID;
	HANDLE         hProcessHandle;


	system("color 0c");//gotta love the red on black
   for (;;Sleep(5))
   {
      if((hProcessSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL)) == INVALID_HANDLE_VALUE)
         return FALSE;

      ProcessEntry32.dwSize = sizeof(PROCESSENTRY32);

      if(Process32First(hProcessSnapshot, &ProcessEntry32) == FALSE)
      {
         CloseHandle(hProcessSnapshot);
         return FALSE;
      }

      do
      {
         if(strcmp(ProcessEntry32.szExeFile, "Onlink-SSE2.exe") == NULL)
         {
            dwProcessID = ProcessEntry32.th32ProcessID;
            break;
         }

      } while(Process32Next(hProcessSnapshot, &ProcessEntry32) == TRUE);

      CloseHandle(hProcessSnapshot); 


	if((hProcessHandle = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessID)) == NULL)
	{
		continue;
	}
	else
	{
		BYTE writethis[3] = {0x89, 0xA9, 0xCC};
		WriteProcessMemory(hProcessHandle, (PVOID)0x00518e06, &writethis, 3, NULL);
		exit(0);
	}
   }
}

gives infinite money. compiled in vs.net 2k3, only compatible with onlink sse2 0.1.2.

Tycho · PostPosted:Thu Sep 04, 2008 10:53 am

Quote:

There are a few problems with that:
1) We don't know the value, so we can't find it in the first place.
2) We know that the memory address of the obfuscation value is near that of the obfuscated value, but we don't know where either value is in memory.

The only way to do it really is to reverse engineer the Flash ActiveX component and find the random number generator code, then find all calls to it. After that, each instance must be evaluated to find the number class. Unfortunately that requires a high knowledge of ASM and reverse engineering. I'm not qualified

Actually, a lot of the "trainer creator" programs that popped up in the mid 90s use an inexact method for finding values. Instead of telling the program what the current value is, you just tell it whether it's increasing, decreasing, or has stayed the same between different periods of time. This eliminates all but a few points of memory, usually.

Sabranan · **Joined:**Wed Jan 16, 2008 4:52 pm **Posts:**66

Quote:

Actually, a lot of the "trainer creator" programs that popped up in the mid 90s use an inexact method for finding values. Instead of telling the program what the current value is, you just tell it whether it's increasing, decreasing, or has stayed the same between different periods of time. This eliminates all but a few points of memory, usually.

Yes, but with an obfuscation value when it's XOR'd it can change it so that when the true value goes up, the result actually goes down, and vice versa sometimes.

Such as in this example:

Current Value 83
Obfuscation value 11

Results in the XOR'd value 88

Wheras if I increase the current value by 1 the resulting value becomes 95, increasing it by 1 again leaves us with 94. You only have to get it doing that once to make searching for an increasing or decreasing value impossible, because you never know whether the result has increased or decreased, even if the true value follows a normal pattern.

Burningmace · PostPosted:Thu Sep 04, 2008 6:35 pm

Quote:

Actually, a lot of the "trainer creator" programs that popped up in the mid 90s use an inexact method for finding values. Instead of telling the program what the current value is, you just tell it whether it's increasing, decreasing, or has stayed the same between different periods of time. This eliminates all but a few points of memory, usually.

There are three simple ways to get around this:
1) XOR obfuscation - Often causes an increase of 1 in the true value to be an increase or decrease of an different amount in the obfuscated variable.
2) Randomize the obfuscation value each time you perform a read or write of the value and recalculate the new obfuscated value.
3) Store protection values - Create duplicate values that can be checked to see if the original was modified. For example:

Code:

/*
Written by Burningmace on 5th September 2008
Code is in C# so it should be easy to convert to C or C++
*/
class ProtectedInt
{
	private int internalValue;
	private int obfuscValue1;
	private int protectValue;

	ProtectedInt(int value)
	{
		obfuscValue = int.MinValue + (rnd() * (int.MaxValue - int.MinValue));
		internalValue = value ^ obfuscValue;
		/*
		 * Simple equation for protection variable.
		 * Ideally store multiple protection variables with complex
		 * equations.
		 * Using internalValue % 2 is useful if you have another
		 * algorithm, as it is very hard to find the right 0/1 in
		 * the entire process memory.
		 * I sometimes use hash algorithms like CRC32 and MD5 to store
		 * even more secure protection vars.
		 *
		*/
		protectValue = (int)((internalValue % 32) / 4) + 1;
	}

	int Read()
	{
		if(!Check()) {
			// Shouldn't ever get here, but just in case...
			return 0;
		}
		return internalValue ^ obfuscValue;
	}

	void Write(int value)
	{
		if(!Check()) {
			// Again, shouldn't ever get here.
			return 0;
		}
		internalValue = value ^ obfuscValue;
		protectValue = (int)((internalValue % 32) / 4) + 1;
	}

	bool Check()
	{
		if(protectValue != (int)((internalValue % 32) / 4) + 1) {
			Exception ex = new Exception("Error");
			throw ex;
			// Shouldn't be executed, but will be if exception was handled.
			return false;
		}
		// Re-generate the values with a new obfuscValue
		int realValue = internalValue ^ obfuscValue;
		obfuscValue = int.MinValue + (rnd() * (int.MaxValue - int.MinValue));
		internalValue = value ^ obfuscValue;
		protectValue = (int)((internalValue % 32) / 4) + 1;
	}
}

I actually coded a class in VB.NET a while back to do this. It uses multiple protection values including a hash function, securely obfuscates the value (uses RNGCryptoServiceProvider class to generate obfuscation values), puts the values in random offsets in an array in order to alter the memory offset and last but not least creates "chaff" variables that cause false positives to appear on memory scanner applications. If anyone wants it, shout up and I'll post it.

vcordie · **Joined:**Tue Sep 30, 2008 4:54 pm **Posts:**21

I know someone whos qualifed, Joseph Carter, He's a good friend of mine who knows over 20 different scripting languages, including Visual Basic and Asm, he has VERY high knowledge of ASM and reverse engineering. Ill see if i can direct him to this topic.

Burningmace · PostPosted:Sun Oct 05, 2008 7:33 am

Oh, and if you want any help in the area of code injection and memory scanning, take a look at the cheat engine forums. I go there every so often to ask about this and that, and to post some ideas and stuff.

eddieringle · PostPosted:Tue Oct 07, 2008 2:22 pm

Quote:

I know someone whos qualifed, Joseph Carter, He's a good friend of mine who knows over 20 different scripting languages, including Visual Basic and Asm, he has VERY high knowledge of ASM and reverse engineering. Ill see if i can direct him to this topic.

Assembly is not a scripting language...

Of course, you might be talking of something completely different, in that case, disregard this.

Burningmace · PostPosted:Fri Oct 10, 2008 9:52 am

VB isn't either. Nonetheless we understood him, so meh.

Onlink... Money... Video Guide

Who is online