Need help hacking ARCANUM of MAGIC OBSCURA

ruprecht
Newbie..
Posts: 12
Joined: Fri Nov 16, 2012 3:55 pm

Post by ruprecht »

Hey guys,

So I got to playing Arcanum Magick Obscura or whatnot and I love the game.

Now I wanted to make a trainer for it.

I got to changing Points first. These are like skill points.

Regular mem scanning for a base ptr doesn't work here, because it shows up as a display element, like:
004E7726 - F3 A5 - repe movsd

Now what I did was use the Pointer scan for this address feature.

I got a base pointer, or at least I thought I did.

Basically, if I make a char of a certain race/type, my base address ptr works fine and shows up every time I relaunch the game.

But if I change the race of the char, the base ptr stops working and I get the usual ?? for the ptrs.

Anyone ever run into stuff like this in other games, CRPGs?

Why would changing character attributes affect my base ptr?

Basically this game is a real PITA to find base ptrs for, very surprising for a 2001 game...

I've tried just about all I could. Anyone any ideas?

P.S. Using CE 6.2 for finding the addresses.
Sethioz
Admin
Posts: 4762
Joined: Fri Jul 27, 2007 5:11 pm

Post by Sethioz »

pointers are not always global, that's why.
what are your pointer scan settings?
i recommend using 2000 - 2500 offset and level 5 pointer scan.
after scan is done, change the race (or whatever you changed) and rescan, see if you get even a single result. if not, then you must just do pointer scan more than once.
you keep the pointer you got, change race, find the address again, pointer scan and keep that one too. so you have 2 pointers now.
so you have 1 pointer for each race.
in CE, you can put other pointers under 1 pointer (like sub-pointers or group), so whenever you change 1 value, all change. you just have 1 hotkey for all.

we always use more than 1 computer to make sure that pointers are static, but even then sometimes we got like over 100 to choose from. in that case, i sometimes choose like 10 of them and put them in same group with 1 hotkey to make sure trainer will work.

This Knowledge Database article might interest you too > Pointer Scanning
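
The filtering step described in the post above (rescan after the character changes and keep only the pointer paths that still land on the value), as an added example that is not part of the original thread. It runs over two constructed memory snapshots rather than a live process; every address and offset, and the names `resolve`, `surviving`, `SNAP_A`, `SNAP_B`, `STABLE` and `FRAGILE`, are hypothetical.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <vector>

// A snapshot maps an address to the 32-bit value stored there (all values constructed).
using Memory = std::map<uint32_t, uint32_t>;

struct PointerPath {
    uint32_t base;                  // static address inside the module
    std::vector<uint32_t> offsets;  // one offset per level
};

// Follow the path: dereference, add the offset, repeat.
// Returns false when a dereference hits unmapped memory (CE displays "??").
bool resolve(const Memory& mem, const PointerPath& p, uint32_t& out) {
    uint32_t addr = p.base;
    for (uint32_t off : p.offsets) {
        auto it = mem.find(addr);
        if (it == mem.end()) return false;
        addr = it->second + off;
    }
    out = addr;
    return true;
}

// Keep only candidates that land on the known value address in every snapshot.
std::vector<PointerPath> surviving(const std::vector<PointerPath>& candidates,
                                   const std::vector<Memory>& snaps,
                                   const std::vector<uint32_t>& targets) {
    std::vector<PointerPath> kept;
    for (const PointerPath& p : candidates) {
        bool ok = true;
        for (size_t i = 0; i < snaps.size() && ok; ++i) {
            uint32_t a = 0;
            ok = resolve(snaps[i], p, a) && a == targets[i];
        }
        if (ok) kept.push_back(p);
    }
    return kept;
}

// Snapshot A: first character. The value lives at 0x01B00040.
const Memory SNAP_A = {
    {0x00500000, 0x01A00000}, {0x01A00018, 0x01B00000},  // global -> state -> character
    {0x00500010, 0x01900000}, {0x01900008, 0x01B00000},  // slot filled only for this save
    {0x01B00040, 5},
};
// Snapshot B: different character, heap laid out differently. Value at 0x01D00040.
const Memory SNAP_B = {
    {0x00500000, 0x01A80000}, {0x01A80018, 0x01D00000},
    {0x00500010, 0x00000000},                            // slot is null here
    {0x01D00040, 5},
};

const PointerPath STABLE  = {0x00500000, {0x18, 0x40}};
const PointerPath FRAGILE = {0x00500010, {0x08, 0x40}};

int main() {
    auto kept = surviving({STABLE, FRAGILE}, {SNAP_A, SNAP_B}, {0x01B00040, 0x01D00040});
    for (const PointerPath& p : kept)
        std::printf("survives: base 0x%08X, %zu levels\n", (unsigned)p.base, p.offsets.size());
    return 0;
}
```

Both paths resolve in snapshot A, which is why a single scan cannot tell them apart; only the second snapshot shows that the `FRAGILE` path depends on per-save state.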

Post by ruprecht »

Hi Seth,

Thanks for the reply!! I definitely thought about multiple ptrs for each race. But, this game seems even more messed up. It seems that character Name has an effect on the ptr for points. Besides this, I was not able to find stored char attributes at all!! This is a first for me. Basically I tried looking for Charisma or Strength, and using the points I have to change them, and then scan memory for the modified values. Nothing showed up.... how do I search for something like that?

I'm making the trainer in C++, so I will have to find ALL ptrs for each race as you've said most likely, by using another computer, you mean to load up the pointer files I save from my PC onto another PC and test it there, right?

Post by ruprecht »

Forgot to answer your question and couldn't find the edit post button. I do a level 5 pointer scan and the range of addresses is 00000000 - FFFFFFFF

Post by Sethioz »

is this MMO?

if so, then you CAN'T edit any of what you are trying.

Post by ruprecht »

No no, i would never try to do something that stupid and post about it ;-)

It's a pretty famous CRPG from 2001. Available from GOG.com.

It's a typical RPG a la Baldur's Gate 2. You create a character, and voila. You start the game and you have 5 points to assign to your attributes if you didn't spend them during creation.

That's what's weird about so much difficulty finding base ptrs for this game.

It seems that every time you switch a character or even progress in the game, the pointer to the attribute points pool changes.

Doing a level 6 pointer scan right now. Taking a really long time.... I'm running on AMD Phenom II, 2.6 GHz CPU & 4 GB RAM.

Post by Sethioz »

pointer scan doesn't work in every game. in some games you need different approach.
older games actually have a lot better security, nowadays it is only about money, no one cares about security.
in old days, games were made to be played by professionals and to make them real, since they lacked graphics, they made cool story lines and better security, nowadays it's complete opposite, they only go for graphics.

so there's nothing strange that pointer scan doesn't work.
aliens vs predator 2 (2002 i think) is also quite hard to write a trainer for, because of highly dynamic memory allocations.

back to the problem, breakpoint the address, see what happens.
find your points, breakpoint on write (find out what writes to this address), then nop the function.
it should prevent these points from decreasing, but still allowing increasing.

if you can't find it at all, use unknown search to start with, using type "all".

Post by ruprecht »

Interesting. Yeah, this 6 lvl pointer scan is taking forever.
I will try your suggestions once its done.

The thing is, I was able to find a base ptr using pointer scanning @ level 5 a day ago. However, like I said, if I change character or even load my regular save game, it points to nothing. As soon as I load my test game for which I found the pointer, even after restarting the game or rebooting, it points to the right address, but only in that saved game.

Post by Sethioz »

don't think lvl 6 helps much. if level 5 won't do, then level 6 won't help and yes, it takes ages.
also it takes a lot of disk space. i've had level 5 scan take as much as 80gb space. so make sure you got enough.

What is the "maximum offset value" ? that plays a significant role in scan speeds and sizes. level 5 @ 4000 takes like 10 times more space and time, while default is 2048 and it takes usually less than 5 minutes to complete.
you could try level 6-10, but by decreasing the offset to like 100 - 500.
i have never seen offset bigger than 500 anyway.

you just have to test, there is no golden rule. each game is different, what works in one game, doesn't work in other.
for example, it also might be that offset is a lot more and you might need just level 1 with offset of like 10000. never know.
if scan takes more than 30m, then you should stop it and rethink what settings you used and don't use them again.

Post by ruprecht »

Ok. Something was probably wrong, my level 7, offset 2048 scan took 4+ hours. I stopped it.

Anyway, I tried the 2 computer strategy, from about 200 million results I got, I got 2 pointers right away on my 2nd computer. But the problem with them, is that they keep constantly changing in CE. And sometimes they switch to the proper value for the points amount, i tested it because when I set it, it reflected in my save game. In fact the save game I used, was from my current game, not my debug save game.

But when I loaded this saved table on my first pc, the pointers stopped pointing anywhere proper.

So I think it might be a lvl 6 pointer. I will change the offsets though! That's a good idea! I'm using my 1.5 TB drive thankfully for the pointer dumps.

EDIT:

Meant my level 6 pointer scan took 4+ hours. Not 7.
Ok Seth,

I at least managed to find out, using your method of searching unknown value/all type, decreasing value and found 4 types which all are of the same address. But it seems like the points are stored as a simple, 1 byte value, so it's not a floating value or anything weird at least.

I will try searching for a byte type now. Will be trying different offset values for lvl 5 pointer.

Decided to throw this picture in. I decided to look at the debugger. Does the instruction mov edi, [edi+18] tell you anything in this case? Is the 18 offset anything useful?

Here's a full view of the disassembler that got cut off above for some reason...

Note: Try not to write every sentence in a new reply, and use attachments for images, the links you added were not working.

Post by Sethioz »

as i said, if you're doing above level 5 scan, you must decrease the offset.
try level 6 with offset of 1000 or less. should finish within 30 min.

if it doesn't work, just breakpoint it.
in ce they use retarded term which doesn't even exist in computing, so do "find out what writes to this address" < i just hate using retarded terms that don't even exist. it is called "breakpoint on write".

now once you set it, use one of your skill points and breakpoint should pop up.
then just nop it. as i said before.

> I assume it was Ken who edited the post, follow what he said, don't keep on replying. think thru what you're posting and then post. if you're not sure, use "save draft". then later once ready, post it. and use attachments for images.

Post by ruprecht »

Thanks Seth.

I will be doing that today. Sorry for the spam, it's just that I miss the edit button. I'll post when I'm ready. Also, here are the images as attachments.
Attachments
arcanum.jpg

Post by ruprecht »

Hi Seth,

Ok i'm back with an update. I tried your method. I set a breakpoint on the repe movsd for my points addy. Then when it got hit, I set it to NOP. This basically froze the points in the game, not allowing me to increase or decrease them. Then I tried changing the addy's value that I found, this froze the game, because it probably ran into the NOP instruction.

So i'm still stumped.

I have tried various scans with varying offsets, up to level 6 with 1024 offset. Then rescanned pointer dump on a 2nd PC. Nothing.....

Any ideas? Also attaching a fresh screenshot of the instructions I get when just searching for the addy. Just so everything is in view.
Attachments
arcanum pic scanning.jpg

Post by Sethioz »

you're making a mess. it's hard to explain, if you know nothing about debugging.
you only need to NOP the function that decreases the value, not increases.
and yes, you should not change it after it's nopped or well actually you can, works for me on other games.

you also have to make sure that instruction is not used by anything else. you have to reverse it and see which addresses this instruction affects, then only nop out the one that affects points increasing.
might be that you can't just nop it, but have to write asm script and inject it into that place. re-write the original code with modification and then place jmp (jump) at the original location, jump to new location where you injected your modified code and at end of modified code you make it jump back.

however from screenshot i can tell you don't know much. you have added SAME address like 5 times in the list under different lengths. what is the use of that lol?
do you even know what these byte, 2 bytes..etc mean?

Post by ruprecht »

Hmm, you must've misunderstood me. I know perfectly what a byte is. I'm pretty new to asm, but debugging I do daily for work.

The address I NOPd was the one that increased the value. There is no way to decrease the points in game, once you click plus, it won't let you subtract them.

The list you see where I double clicked on each of the different byte sizes was simply to figure out if they all refer to the same addy and find the smallest type that the game stores the value in. That was purely experimental.

Also, there's really no need to be so dismissive, we were all newbies at first. I have made progress today and actually managed to finally find what looks like a base pointer. It was from a lvl 7 ptr scan with 1024 offset size. The only problem is that it still only works for one character, but that can be bypassed by finding the needed addresses for all characters and based on class check from my hack, change the right address. But it finally works for any location/level in the game!

Here's an updated screenshot of what I got from debugger, on what accesses my pointer. Does this show anything useful?
arcanum found something.jpg
Additional shot to go with the previous one.
arcanum found something.jpg

Post by Sethioz »

there's nothing to test. most games allocate 4 bytes, even if value never goes past 1 byte.
so 4 bytes is best to start with and keep it, unless you see that game allocates less, but i doubt it ever happens.

it's hard to tell by just screenshot. as i said, you need to separate the points decrease. if not possible, you have to write your own ASM script. if you do debugging, you should know assembly very well.
just make it add like 900 instead of 1 (or whatever is max that one character can have).
so when you earn a point, you would get 900 instead of 1.

Post by ruprecht »

Ok. Thanks.

And no, you don't need deep assembly knowledge for debugging 99.9% of C#/C++ MFC apps.

Post by Sethioz »

first time i ever hear that, but ok ..

in short:
- find address
- breakpoint, on write
- examine the instruction
- in cheat engine, open the "memory view" > tools > auto assemble
- this is where you write your code.

you can use templates that ce gives. choose "code injection"
if you do debugging, it should be np for you.

Post by ruprecht »

For the point pool address, I only have the repe movsd instruction, repeat move op until eax == 0. And it's usually just a display address. So when I breakpoint on it from "what writes to this address", that's the only instruction that's there. It doesn't have any useful [offset] data in disassembler.

For the pointer I found already, when I do a "what writes to this address" i get nothing. But that doesn't surprise me because the pointer is already pointing to the address for the skill location, so nothing is trying to change it atm.

For "what accesses this address" I get a
mov edx, [Arcanum.exe+202894].

So not exactly sure if this is the place to inject, if i were to inject the skill points here.

Also right now, I can actually do the trainer just fine, because I don't need to inject anything. I managed to find good pointers for each class. And I can always check the class string in memory to see which address to use, based on that.

Post by Sethioz »

you're probably getting wrong place. you need to replace the opcode (one that changes your points) with jmp and make it jmp to "newmem" and write your script there, then make it jmp back.
I don't have good article on wiki of this, but i'll put it in my "to do list". Will write article on how to find address, breakpoint it and write simple asm script.

as for now, just keep on testing.
you can find some examples of what i did on my wiki. like avp3 hacking and resident evil 5 hacking are good articles where you can get an idea how to write such scripts.

Post by ruprecht »

Thank you. Yes, I'm reading a lot and learning in the process. Very helpful stuff. The great thing about this game in particular is that it's not an easy example, so I get a lot more insight than a quick find would bring. Working on a script to inject now.

Post by Sethioz »

do this:

- find address to these points
- breakpoint it (find out what writes to this address)
- force game to change the points (like spend one point or earn one point)
- post the breakpoint instruction here (make sure to specify which one it is, either spending point or earning one)