In this practical gamehacking tutorial we will take a look at the RPG / rogue-like game Dungeons of Dredmor.
After you are done with this tutorial you will have made a ReClass project. If you just want to grab the project now rather than later, download the Dungeons of Dredmor ReClass project.
Alright, let’s start with the very basics of gamehacking: unlimited health, mana and so on. Then we will move on to some real reverse engineering of the game to see what we can come up with 🙂
To start this off, fire up the game and the tools. Make a new game, character and get ready.
First we start by hacking our mana. In Cheat Engine set “Scan type” to “Exact Value”, set “Value type” to “4 bytes” and search for the amount of mana you now have (I have 37, so I search for 37).
Now cast a spell so your mana decreases. Enter the new value and click on “Next Scan”.
Repeat this until you only find one address.
Freeze it or change it and check that the change is reflected in the game; that way you know you have found the correct address.
Now, right-click the value in your address list and run the “Find out what writes to this address”, then cast a spell (or something else that uses mana) in-game.
You will get something like this:
Dungeons of Dredmor.exe+128D10 - 29 06 - sub [esi],eax
Now, we could simply NOP out this instruction (right-click -> Replace with code that does nothing) to have unlimited mana, but we will soon delve deeper. Before we do so, take note that you can use pretty much the exact steps above to find your health, buff duration and other things.
Instead, let’s take a look around in the function that this instruction is part of:
// called when casting a spell
00528CF9 - 8B 35 2C3C6000 - mov esi,[PHYSFS_utf8FromLatin1+A401C]
00528CFF - 8B 0D A0416000 - mov ecx,[PHYSFS_utf8FromLatin1+A4590]
00528D05 - 81 C6 30010000 - add esi,00000130
00528D0B - E8 00E1FEFF - call 00516E10
00528D10 - 29 06 - sub [esi],eax ; this instruction removes mana
00528D12 - 8B 0D A0416000 - mov ecx,[PHYSFS_utf8FromLatin1+A4590]
00528D18 - 83 B9 B8000000 00 - cmp dword ptr [ecx+000000B8],00
00528D1F - 74 1D - je 00528D3E
00528D21 - A1 2C3C6000 - mov eax,[PHYSFS_utf8FromLatin1+A401C]
00528D26 - 8B 30 - mov esi,[eax]
So let’s analyze this piece of code a bit. We see sub [esi],eax, which subtracts the value in EAX from the value that ESI points to. “Points to”? Yes, the ESI register holds a memory pointer (an address) to where the mana value is stored.
Let’s go back up a bit in the disassembly. We see mov esi,[PHYSFS_utf8FromLatin1+A401C], which is where the pointer to our mana value is loaded into the ESI register; after that we see add esi,00000130, which adds 0x130 to the pointer.
This means that the mana value is stored 0x130 bytes into a data structure, such as a class or a struct.
You still with me?
So what we know now is that at the line 00528CF9 - 8B 35 2C3C6000 - mov esi,[PHYSFS_utf8FromLatin1+A401C] a pointer is put into the ESI register, and that this pointer + 0x130 holds the value of our current mana.
What can we deduce from this?
– ESI holds a pointer to a data-structure with player values
– We can probably find more interesting values in that data-structure
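To make the pointer-plus-offset reasoning concrete, here is an added example (not code from the post or the game) that rebuilds the player structure in C from the offsets this post finds: mana at 0x130 from the add esi,00000130 above, and, further down in the post, health at 0x12C and Sagacity at 0x2B4. The struct layout, the static slot g_player and the sample values are assumptions for illustration; the compiler checks the offsets, and cast_spell mirrors the three instructions mov esi,[slot] / add esi,0x130 / sub [esi],eax with raw byte arithmetic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reconstruction of the player data-structure. It is built only
 * from the offsets the post derives: mana at 0x130 (from `add esi,0x130`),
 * and, further down, health at 0x12C and Sagacity at 0x2B4. Everything else
 * is treated as unknown padding. */
typedef struct Player {
    uint8_t unknown0[0x12C];          /* 0x000..0x12B: not reversed yet */
    int32_t health;                   /* 0x12C                          */
    int32_t mana;                     /* 0x130                          */
    uint8_t unknown1[0x2B4 - 0x134];  /* 0x134..0x2B3: not reversed yet */
    int32_t sagacity;                 /* 0x2B4                          */
} Player;

/* The compiler checks that the field offsets match the disassembly. */
_Static_assert(offsetof(Player, health)   == 0x12C, "health is at 0x12C");
_Static_assert(offsetof(Player, mana)     == 0x130, "mana is at 0x130");
_Static_assert(offsetof(Player, sagacity) == 0x2B4, "sagacity is at 0x2B4");

/* Static slot holding the pointer to the live player object; it plays the
 * role of the address the game reads with
 * `mov esi,[PHYSFS_utf8FromLatin1+A401C]`. */
static Player *g_player;
static Player g_storage;              /* constructed sample object */

/* Create a sample player (constructed values, not read from the game). */
Player *setup_player(int32_t health, int32_t mana)
{
    g_storage.health = health;
    g_storage.mana = mana;
    g_storage.sagacity = 14;
    g_player = &g_storage;
    return g_player;
}

/* C equivalent of the three instructions around the mana write:
 *   mov esi,[slot]   ; esi = pointer to the player object
 *   add esi,0x130    ; esi = &player->mana
 *   sub [esi],eax    ; player->mana -= cost
 * Written with raw byte arithmetic to mirror what the CPU does; returns
 * the remaining mana. */
int32_t cast_spell(int32_t cost)
{
    uint8_t *esi = (uint8_t *)g_player;      /* mov esi,[slot] */
    esi += 0x130;                            /* add esi,0x130  */
    int32_t *mana = (int32_t *)esi;
    *mana -= cost;                           /* sub [esi],eax  */
    return *mana;
}

/* Read the field ReClass shows right above mana (offset 0x12C). */
int32_t read_health(void)
{
    return *(int32_t *)((uint8_t *)g_player + 0x12C);
}

/* Turn an absolute address from Cheat Engine into a ReClass offset, e.g.
 * 0x0F48FD8C - 0x0F48FAD8 = 0x2B4 for Sagacity. */
uint32_t offset_from_base(uint32_t address, uint32_t base)
{
    return address - base;
}

int main(void)
{
    setup_player(23, 37);
    printf("mana after a 5-point spell: %d\n", cast_spell(5));   /* 32 */
    printf("health next to it:          %d\n", read_health());   /* 23 */
    printf("sagacity offset:            0x%X\n",
           offset_from_base(0x0F48FD8Cu, 0x0F48FAD8u));          /* 0x2B4 */
    return 0;
}
```

The point of the byte arithmetic in cast_spell is that the game never "knows" about a field called mana: it only has a base pointer and a constant 0x130, which is exactly why a breakpoint on the add instruction hands you the base of the whole structure.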
Put a breakpoint on 00528D05 - 81 C6 30010000 - add esi,00000130 and check what value (pointer) is in the ESI register. You will have to cast a spell in the game, or do something else that modifies your mana, to make the breakpoint trigger. In my case it holds 0x0F48FAD8 (as you can see in the screenshot).
In ReClass, “Select” the process “Dungeons of Dredmor.exe”, create a new class and fill in the address we got from ESI (for me 0x0F48FAD8) as the base of the class.
Add more offsets (Modify tab -> Add 1024), then scroll down to offset 0130.
Click the line to mark it, then go to the Modify tab and set it as “Int 32”; name it something like “mana” if you want to.
This is how you start to reverse data-structures using ReClass.
Check out this screenshot and you see that I have filled in the mana variable at 0130. Now if we look right above the mana value we see an integer value of 23 .. Hmm, look back at the game and notice that my health in-game is 23. Coincidence? I think not!
We add the address of that value (0F48FC04) to Cheat Engine and change/freeze it, and we see that it really is the player’s health value. Let’s mark it as health in ReClass so we remember where it is (012C).
I wonder what more is in this data structure.. It seems to hold player values, so let’s pull up our character sheet/stats and see if we can find some of those.
Now that we know which class we want to search in, we can set the Memory Scan Options in Cheat Engine so that Start is where our class starts (in my case 0F48FAD8) and Stop is that address plus a number larger than we think the class could be, such as 0x00010000, since it is unlikely that the class is that big. This speeds up the scan a bit and only gives us addresses in the range we actually want to scan.
Searching for my Sagacity value (14 with my coat on) gives only 8 hits. Nice! Now I take the coat off and my Sagacity decreases by 1, so we search for 13. Now I only get 1 address, which is good. If you got more than one, just repeat by putting the coat back on and searching for 14, and so on.
The address I found was 0F48FD8C, so we take that and subtract the base address of our class (0F48FAD8), and the result is 2B4. This means that Sagacity is stored at 2B4 in our class.
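The narrowing scan used here (and for mana at the start of the post) is easy to reason about once you see it as a filter over candidate addresses. The following is an added example, not code from the post or from Cheat Engine: it models a slice of process memory as a byte buffer, assumes the class base 0x0F48FAD8 from the post, fills it with constructed values (the real Sagacity at 0x2B4 plus three decoy fields that also happen to be 14), then performs the Exact Value scan, the coat-off Next Scan, and the subtraction that turns the surviving address into a ReClass offset. The 4-byte stepping mirrors Cheat Engine’s default aligned fast scan; the decoy offsets are made up.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of process memory: the player class is assumed to start
 * at 0x0F48FAD8 (the value ESI held in the post) and we model the first
 * 0x400 bytes of it as a byte buffer. Absolute addresses map into the buffer
 * by subtracting the base. */
#define CLASS_BASE   0x0F48FAD8u
#define REGION_SIZE  0x400u
#define MAX_HITS     64

static uint8_t g_region[REGION_SIZE];

static int32_t read_i32(uint32_t address)
{
    int32_t v;
    memcpy(&v, g_region + (address - CLASS_BASE), sizeof v);
    return v;
}

static void write_i32(uint32_t address, int32_t v)
{
    memcpy(g_region + (address - CLASS_BASE), &v, sizeof v);
}

/* Fill the region with constructed values: health, mana and Sagacity (14
 * with the coat on) at the offsets from the post, plus three decoy fields
 * that also happen to hold 14 right now. */
void populate_region(void)
{
    memset(g_region, 0, sizeof g_region);
    write_i32(CLASS_BASE + 0x12C, 23);   /* health   */
    write_i32(CLASS_BASE + 0x130, 37);   /* mana     */
    write_i32(CLASS_BASE + 0x2B4, 14);   /* Sagacity */
    write_i32(CLASS_BASE + 0x040, 14);   /* decoys: unrelated counters */
    write_i32(CLASS_BASE + 0x2A0, 14);
    write_i32(CLASS_BASE + 0x3F0, 14);
}

/* Taking the coat off changes only the real Sagacity field. */
void take_coat_off(void)
{
    write_i32(CLASS_BASE + 0x2B4, 13);
}

/* "Exact Value" scan, value type "4 bytes", over [start, stop). Steps 4 bytes
 * at a time, i.e. Cheat Engine's default aligned fast scan. Returns the
 * number of addresses written to hits. */
size_t exact_scan(uint32_t start, uint32_t stop, int32_t value,
                  uint32_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (uint32_t a = start; a + 4 <= stop && n < max_hits; a += 4)
        if (read_i32(a) == value)
            hits[n++] = a;
    return n;
}

/* "Next Scan": keep only the previous hits whose value is now `value`. */
size_t next_scan(uint32_t *hits, size_t n, int32_t value)
{
    size_t kept = 0;
    for (size_t i = 0; i < n; i++)
        if (read_i32(hits[i]) == value)
            hits[kept++] = hits[i];
    return kept;
}

/* How many 4-byte fields in the modelled class currently equal `value`. */
size_t count_hits_for(int32_t value)
{
    uint32_t hits[MAX_HITS];
    return exact_scan(CLASS_BASE, CLASS_BASE + REGION_SIZE, value, hits, MAX_HITS);
}

/* The whole procedure from the post: scan for 14 with Start at the class
 * base (Stop would be base + 0x10000 in Cheat Engine; here it is clipped to
 * the modelled region), take the coat off, next-scan for 13, and convert the
 * single survivor into a ReClass offset. Returns 0 if the scan did not
 * narrow down to exactly one address. */
uint32_t find_sagacity_offset(void)
{
    uint32_t hits[MAX_HITS];
    populate_region();
    size_t n = exact_scan(CLASS_BASE, CLASS_BASE + REGION_SIZE, 14, hits, MAX_HITS);
    take_coat_off();
    n = next_scan(hits, n, 13);
    return n == 1 ? hits[0] - CLASS_BASE : 0;
}

int main(void)
{
    populate_region();
    printf("hits for 14 with the coat on: %zu\n", count_hits_for(14));      /* 4 */
    printf("Sagacity offset:              0x%X\n", find_sagacity_offset()); /* 0x2B4 */
    return 0;
}
```

find_sagacity_offset returns 0 when the Next Scan leaves more than one candidate, which is the situation where the post tells you to put the coat back on and scan again; restricting Start and Stop to the class is what keeps the first hit list short enough that one or two of those toggles suffice.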
After marking sagacity at 2B4 we can see that around that value are the other player stats (see screenshot) and a bit above them are what appears to be the maximum values for health and mana!
Keep looking around, changing values in ReClass and looking in-game for changes. See the screenshot and you see what I got by doing this for a few minutes. My ReClass project file will be available at the bottom of this post.
This concludes the first part of this tutorial. In the next part we will look at the inventory system.
You can download the complete Dungeons of Dredmor Player-class ReClass project here.
Got any questions or feedback? Leave a comment 🙂