Bengal: Game of Gods

Postby Aspras » Thu Apr 02, 2009 12:57 am

I've been trying to hack this game, but I wasn't able to find an address for anything. I've tried lives, score and shooting mode (it can either be normal or with an aiming beam, just like in Zuma Deluxe). For lives I tried short, long and unsigned long, though I wasn't able to find an address. Apart from finding the addresses, what concerns me most is the fact that I can't freeze addresses: at one point I had found 5 addresses that increased along with the in-game score, I tried freezing each one of them, and some just wouldn't stay frozen while the game was running. Any idea why this would happen?

Postby WhiteHat » Sun Apr 05, 2009 4:29 am

I've played this game and decided to search for the game score address. Common searches for every available data type failed.

After several trials I found 2 addresses which changed along with my score. They were static addresses (colored green in the MHS Found Address window):
- 0x57CECC
- 0x57CED0

...their data type was Unsigned Long.

Out of curiosity, I auto-hacked both addresses and the MHS debugger landed on this code snippet:
00402C98 - MOV     EAX, DWORD PTR [57CECC]   ; first half of the score
00402C9D - MOV     ECX, DWORD PTR [57CED0]   ; second half of the score
00402CA3 - XOR     EAX, ECX                  ; real score = half1 XOR half2
00402CA5 - MOV     DWORD PTR [ESP+4], EAX    ; store the result on the stack
00402CA9 - JMP     00434E10

I paused the game and noted these:
- My score = 8760
- [0x57CECC] = 2541496581
- [0x57CED0] = 2541488957

Based on the snippet above, we can tell how this game determines my score: 2541496581 xor 2541488957. Pay attention to the code at 0x00402CA3 in the snippet above...

I put this into the MHS Expression Evaluator: [0x0057CECC]^[0x0057CED0], and the result was 8760. (The '^' stands for the bitwise XOR operator.)

Such 'encryption' is what caused all the common search/sub-search methods to fail in this case...

Further, I made a simple experiment... I wanted to boost my score to 1 million. So here is what I did:
I put [0x0057CECC]^1000000 into the MHS Expression Evaluator, and the result was 2540923717.

I modified one of those two addresses so that their values were:
- [0x57CECC] = 2541496581
- [0x57CED0] = 2540923717 <--- I changed this

Back in the game, my score was immediately changed to 1000000 (one million), even while it was still paused...

Upon losing the game, the score was recorded in the High Score hall. So I can say this score hack is at least 50% legit (I can't tell yet whether this score affects other game elements such as the life bonus)... It was just a quick experiment and there is still a lot to find...

PS:
- The target process is "Bengal.RWG", not "Bengal.exe".
- I recommend making full use of the MHS Speed Hack when hacking this game.
.. to boldly go where no eagle has gone before...
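The walkthrough above, as an added Python example that is not code from this thread, from MHS or from Bengal.RWG: process memory is modelled as a constructed dict of 32-bit values holding the two addresses and the values WhiteHat quoted. `decode_score` is the XOR the game performs at 0x00402CA3, `forge_score` replays the one-million hack (keep [0x57CECC], rewrite [0x57CED0]), and `scan_exact` / `scan_changed` show why a plain value search finds nothing while a "changed" sub-search exposes both halves. The game's write side (`game_add_points`, which re-splits the score under a fresh mask) and the mask value are assumptions for the illustration; the page does not show how the game stores the score. `xor_bitwise` and `logical_xor` also cover the question raised later in the thread: the former works the operation one bit column at a time, the latter is the logical test that would always give 0 for two non-zero words.

```python
# Added example, not code from the thread or from Bengal.RWG: a model of
# the XOR-split score WhiteHat found, and the operations used against it.
# Memory is a constructed dict of 32-bit values.  The two addresses and
# the quoted values are from the post; everything else is assumed.

SCORE_A = 0x57CECC   # MOV EAX, DWORD PTR [57CECC]
SCORE_B = 0x57CED0   # MOV ECX, DWORD PTR [57CED0]
MASK32 = 0xFFFFFFFF

# Constructed snapshot at the moment the game was paused with score 8760.
# The last two entries are filler standing in for unrelated data.
memory = {
    SCORE_A: 2541496581,
    SCORE_B: 2541488957,
    0x57CED4: 8759,      # near the score, but not it
    0x57CED8: 0,
}


def read_dword(mem, addr):
    return mem[addr] & MASK32


def write_dword(mem, addr, value):
    mem[addr] = value & MASK32


def decode_score(mem):
    """What the code at 0x00402C98 computes: [57CECC] XOR [57CED0]."""
    return read_dword(mem, SCORE_A) ^ read_dword(mem, SCORE_B)


def forge_score(mem, wanted):
    """WhiteHat's hack: leave [57CECC] alone and rewrite [57CED0] so that
    the XOR of the pair equals `wanted`.  Returns the value written."""
    new_b = read_dword(mem, SCORE_A) ^ (wanted & MASK32)
    write_dword(mem, SCORE_B, new_b)
    return new_b


def game_add_points(mem, points, new_mask):
    """Assumed write side (the page does not show it): the game re-splits
    the score under a fresh mask, so both halves change on every update,
    which is consistent with both addresses showing up as 'changed'."""
    score = (decode_score(mem) + points) & MASK32
    write_dword(mem, SCORE_A, new_mask)
    write_dword(mem, SCORE_B, new_mask ^ score)
    return score


def scan_exact(mem, value):
    """The plain value search: every DWORD equal to `value`.  Finds nothing
    here, because neither half ever holds the score itself."""
    return sorted(a for a, v in mem.items() if v == value)


def scan_changed(before, after):
    """The 'changed' sub-search between two snapshots; this is what exposes
    the two halves even though their values look unrelated to the score."""
    return sorted(a for a in before if before[a] != after.get(a))


def xor_bitwise(a, b, width=32):
    """XOR worked one bit column at a time, as spunge suggests doing on
    paper: the result bit is 1 exactly where the two input bits differ.
    Equal to a ^ b for `width`-bit unsigned values."""
    result = 0
    for bit in range(width):
        a_bit = (a >> bit) & 1
        b_bit = (b >> bit) & 1
        result |= (a_bit != b_bit) << bit
    return result


def logical_xor(a, b):
    """The operator Aspras had in mind: true when exactly one operand is
    non-zero.  For two non-zero words it is always 0, which is why the
    result 8760 cannot come from a logical test."""
    return int(bool(a) != bool(b))


if __name__ == "__main__":
    print("score now :", decode_score(memory))                 # 8760
    print("scan 8760 :", scan_exact(memory, 8760))             # []
    before = dict(memory)
    after = dict(memory)
    game_add_points(after, 240, 0xDEADBEEF)                    # assumed mask
    print("changed   :", [hex(a) for a in scan_changed(before, after)])
    forged = dict(memory)
    print("write B   :", forge_score(forged, 1_000_000))       # 2540923717
    print("score now :", decode_score(forged))                 # 1000000
    a, b = memory[SCORE_A], memory[SCORE_B]
    print(f"{a:032b}\n{b:032b}\n{xor_bitwise(a, b):032b} = {xor_bitwise(a, b)}")
```

Run it directly to see the three scans and the bit columns printed; the forged value 2540923717 is exactly the number WhiteHat got from the Expression Evaluator. The design point for scanning obfuscated values is the one the post makes: when neither stored word equals the number on screen, search for what moves together with it, then let the debugger show the arithmetic that combines the candidates.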

Postby Aspras » Tue Apr 07, 2009 8:45 pm

I hadn't noticed someone had replied to this ><. All along I was attaching to Bengal.exe and not .RWG. That explains why I wasn't able to reach those 2 addresses that changed along with the score; I was always left with around 30, but none would modify the score and none could be frozen. Also, I searched on Google for XOR, and according to most sites it's the "OR" logical operator. I do use that operator when I write C++ applications, though it's supposed to check if either of the 2 values is true, and if 1 or both of them are true it returns true. Could you explain how the one in your example works?

Postby spunge » Wed Apr 08, 2009 1:57 am

http://en.wikipedia.org/wiki/Exclusive_or
Convert the values to binary and then perform XOR transformations manually if you truly desire to learn how XOR works.

Postby Aspras » Wed Apr 08, 2009 2:14 am

Both 57CECC and 57CED0 are true because both are non-zero, so how can [0x0057CECC]^[0x0057CED0] return 8760 when it's supposed to return false (0)?

Postby spunge » Wed Apr 08, 2009 2:17 am

Aspras wrote: Both 57CECC and 57CED0 are true because both are non-zero, so how can [0x0057CECC]^[0x0057CED0] return 8760 when it's supposed to return false (0)?
The brackets mean they are XORing the values of both DWORDs. Like I said, XOR is a bitwise operator; you cannot look at the bigger picture. Convert the values to binary and perform the XOR transformations.
http://en.wikipedia.org/wiki/Exclusive_ ... er_science

Postby Aspras » Wed Apr 08, 2009 2:55 am

I see what you mean now: the bitwise XOR compares each bit in the number individually and places the results in a row, forming a new number out of the results.

Postby WhiteHat » Wed Apr 08, 2009 2:28 pm

That's why it's called 'bitwise' XOR.
I thought I wrote that in my previous reply...

Anyway, this is also documented neatly in the MHS Help.

