Go Back

Defense Grid continues to be populair :) (again)

So I figured I'd update it again, it should work with the You Monster DLC from 28/01/2012. You can download it here .

I have been severely slacking with blog posts, been busy with things not related to computers. But I'll see if I can spend some more time blogging about things :)

EDIT:
Updated on 25/03/2012, same link as above.

Posted by: Da_Teach on Saturday, January 28, 2012  •  Comments (12)  •  Full story  •  Defense Grid

Defense Grid Updated (again, by populair demand)

It seems that there was some type of point-gather-thing during my vacation which made you able to earn goodies, or something. But I couldn't update the trained on account of me being on vacation :)

I'm back but I think reason people wanted the trainer might be over. Still it's updated and you can download it here.

Posted by: Da_Teach on Friday, July 15, 2011  •  Comments (12)  •  Full story  •  C# Trainer Defense Grid

Defense Grid Updated

It seems a new DLC made Defense Grid popular again, so here's an updated trainer.

If any other trainer is not working, let me know and I'll update them. If you have any requests for game-trainers, also let me know. I can't promise anything, but sometimes I'm bored and I'll do trainer-requests.

Posted by: Da_Teach on Sunday, May 01, 2011  •  Comments (11)  •  Full story  •  Trainer Defense Grid

Defense Grid - Updated (again :)

It's been a few months since I was able to update the site. I've been so busy with work that I haven't had any free time that I was willing to spend on hacking ;)

However, I noticed Defense Grid got updated. They added a few DLC packs. So here's a new version. I only updated the offsets, and I only tested it after I downloaded one DLC. Perhaps the executable changes every DLC, but I doubt it.

With the steam bargains I have bought a few 'new' games which I will probably hack just because its possible ;)

I will probably also add either an additional blog to the site, or just add it on this blog with other tags, where I will post a bit more on problems that I play with at the work place. I run into "fun" issues every so often, which could be fun to share :)

Posted by: Da_Teach on Friday, June 25, 2010  •  Comments (6)  •  Full story  •  C# Trainer Defense Grid

Defense Grid: The Awakening - Updated

It seems there has been a patch for Defense Grid. Well let me rephrase, they added Borderlands DLC pack. In the process they changed the executable a bit, so hence my updated trainer.

Since I was a little bored (just a bit ;) I added a couple of options to the trainer, bring it to a whopping +3.

Have fun with it !  You can download it here.

Posted by: Da_Teach on Saturday, March 20, 2010  •  Comments (1)  •  Full story  •  C# Trainer Defense Grid

Defense Grid: The Awakening Part #3

Now that we have identified the two functions which lookup the pointer to the credits spent value, there are actually two options we could go for to create a trainer. I'm going for the easiest solution which is to copy the two function's into a C# program. The other option would be to inject code into the Defense Grid: The Awakening process and execute the two functions inside the game.

There are reasons why you'd want to inject code into the game to execute the function. For example, if you are trying to write a bot (automated game play) for a game, you might want to execute certain functions within the game. For example "MoveForward" function, or "Pickup Item" function, or "Cast Spell" function, etc.

However since we only want to lookup a pointer and the functions are relatively easy to duplicate, I've chosen to do that instead of inject code. I have also chosen for C# as my programming language mostly because I love writing programs in it :)

I've written a class for C# which uses Win32 functions like ReadProcessMemory and WriteProcessMemory to allow for the trainer to update the game's memory. Its included in the trainer zip file (it includes the source).

The conversion of the functions is rather straight forward, I have created two functions, one called GetBasePointer which is a conversion of sub_47E1B0 and one called GetValuePointer which is a conversion of sub_47E6E0.

Here's the code for GetBasePointer:
private int GetBasePointer()
{
    int type = _memory.ReadInteger(_memory.ReadInteger(0xB458C4) + 212);
    int basePointer = _memory.ReadInteger(_memory.ReadInteger(0xB458E8) + 44 + 4);

    int result = _memory.ReadInteger(basePointer + 4);
    int pointer = _memory.ReadInteger(result + 4);

    while (_memory.ReadByte(pointer + 29) == 0)
    {
        if (_memory.ReadInteger(pointer + 12) >= type)
        {
            result = pointer;
            pointer = _memory.ReadInteger(pointer);
        }
        else
            pointer = _memory.ReadInteger(pointer + 8);
    }

    if (result == _memory.ReadInteger(basePointer + 4) || type < _memory.ReadInteger(result + 12))
        result = _memory.ReadInteger(basePointer + 4);

    return result;
}

And here's GetValuePointer:
private int GetValuePointer(int type)
{
    int basePointer = GetBasePointer() + 16;

    int result = _memory.ReadInteger(basePointer + 4);
    int pointer = _memory.ReadInteger(result + 4);

    while (_memory.ReadByte(pointer + 21) == 0)
    {
        if (_memory.ReadInteger(pointer + 12) >= type)
        {
            result = pointer;
            pointer = _memory.ReadInteger(pointer);
        }
        else
            pointer = _memory.ReadInteger(pointer + 8);
    }

    if (result == _memory.ReadInteger(basePointer + 4) || type < _memory.ReadInteger(result + 12))
        result = _memory.ReadInteger(basePointer + 4);

    return result;
}

Note that I have removed several checks which the game has, so in theory this could return incorrect values.

Once you put everything together, you can get a trainer which will allow you to change the values within the game. I've created a +1 trainer with source included, which you can download here. Please note that .NET 3.5 SP1 is required for this trainer and the game has to be started before running this trainer (it might also need administrator privileges).

Posted by: Da_Teach on Sunday, January 03, 2010  •  Comments (3)  •  Full story  •  C# Trainer Defense Grid

Defense Grid: The Awakening Part #2

Since Defense Grid: The Awakening used a, for me, unknown PE Packer, the easiest way to disassemble it is to dump the executable once you have started it. There are various tools out there which allow you to do this, I used LordPE it's easy to use and has a ton of options which I didn't use ;)

The output of this dump is not a working executable. It is possible to create a working executable, but it requires more work which is often not worth the effort. The only reason I could think of would be if you wanted to pre-patch the executable, however this often is only required for cracks.

Anyways, back to the game. We now have a dumped executable which IDA Pro can actually disassemble and with the help of the Hex-Ray's wonderfull decompiler add-on, we where able to convert the function which contained the credit-modification code to semi-readable C/C++ code. While I can read assembly code, its a lot harder and more error prone.

The decompiler has some limitations, for example it can't decompile MMX instructions. If it could, the code would probably be a lot easier to understand. But here's the decompiled function (sub_8BB110)(note that I have circled parts of the function which are of interest):

sub_8BB110

As you can see, just before the instruction that modifies the credits, _EBX is filled with variable v27, that variable in turn is filled by sub_47E6E0. This might not be clear until you disassemble sub_47E6E0. As you can see in the disassembled code of function sub_8BB110, a pointer was given to v26 but in sub_47E6E0 the result is actually put into v26 and v26 + 4. The last addition actually causes function sub_47E6E0 to write into v26 and v27.

Here's what sub_47E6E0 looks like:

sub_47E6E0

I've added some names to the parameters, one of the parameters "basePointer" is especially interesting. In sub_8BB110 you will see that "basePointer" is v25 + 16. Now the fun part is that if you look back in sub_8BB110 you will see that its filled by v6 + 4. Now its not hard to guess that the same trick done by sub_47E6E0 was done by sub_47E1B0 as well. If you look at sub_47E1B0 you will see a very similar function:

sub_47E1B0

Note that the basePointer for this function is dword_B458E8 + 44.

This however only explains 2 of the 3 parameters to get the pointer to the value we're interested in. The 3rd parameter of function sub_47E1B0 and sub_47E6E0 are actually lookup values. I've called them type values in my disassembly though. These type values originate from a2 (v23 is filled with a2) and a3.

We know that the value that we are looking at is at pointer + 0x10 and if you look at sub_47E6E0 you will see that type-value that it looks for is at 0xC (12). So if we go back to Cheat Engine and decrease the pointer of "credits spent" by 4, we will know the lookup value for the "credit spent". In our case its 9. It wouldnt be hard to find the starting-credit lookup value either, but you can do that yourself ;)

This still leaves the lookup value for sub_47E1B0 (a2), for this we look at the usage of sub_8BB110. If we look at the cross reference of that function and goto the first usage of sub_8BB110, we will see that a2 is filled with dword_B458C4+212. Now I havent fully tested it, but I assume that value always has the right lookup/type value. In testing that turned out to be true anyway.

Now that we have the pointer-lookup scheme of the game, we can write a trainer which uses this information to increase / decrease the credits spent. In part #3 I'll show you how I converted the pointer-code into an external program (trainer) which will increase or decrease the credits spent.

Posted by: Da_Teach on Saturday, January 02, 2010  •  Comments (0)  •  Full story  •  Decompiler IDA Pro Defense Grid

Defense Grid: The Awakening Part #1

With Steam having those amazing sales, I picked up Defense Grid: The Awakening for something like 2-3 euro. I was bored, so sue me. I found that it was actually a pretty funny game for a few hours and then I figured, what the hell lets start hacking :D

Started up Cheat Engine and started searching for some values. Interestingly enough this game had some unexpected anti-cheat mechanisms in place.

Anyways, I went through the usual tricks, search for the credits as a integer, float, double, etc. Funny enough it seemed it was stored both as a float and a double. But changing those values did not do anything to the ingame credits.

That got me intrigued, apparently this game was either using memory-encryption or some other form of anti-cheat mechanisms. I then remembered that the first level starts off with 0 credits and a bit later in the level you got 200 credits to finish the mission. So I put Cheat Engine to work.

A minute or so later I had the starting-credits and I saw something strange. The value at this pointer never went down and in fact (by killing enemies) only went up, regardless of the amount of credits I spent.

This got me thinking, if this value does not go down, another value must be somewhere in memory that keeps track of what has been spent. So started a new mission,searched for the amount of credits spent on towers and found the value that keeps track of the amount of credits that have been spent.

Now having two values in memory it was time to find out what static addresses point to these values so I can create a trainer for the game. This is where things got funky. Normally I would use the pointer-scanner in Cheat Engine and it'll quickly tell you what base pointer points to the value. However that would be too easy wouldn't it ;)

With that not getting anywhere, I used Cheat Engine's "what changes this address" only to crash the game seconds later. I should have known because its a Steam game, it has anti-debugger protection. So I booted up my VMware image with Syser and repeated the whole process.

I found out that the code-address changing was at 8BB1FCh, the instruction in question as "movss dword ptr [ebx+10h], xmm0", great.

As I was interested in base address of the value, I booted up IDA Pro Disassembler which has to be the best disassembler on the market at this moment. Only to find out that there was yet another protection in place, the executable had been packed by a PE Packer.

For 2-3 euro, I didnt expect this many protections in place, but it sure made hacking this game so much more interesting. Anyways, check out part 2 which will be posted later to find out a way to get around a PE Packer. Its only one of the possible ways, but its probably the easiest way.

Posted by: Da_Teach on Friday, January 01, 2010  •  Comments (0)  •  Full story  •  Syser IDA Pro Cheat Engine Defense Grid