XOR search Guide - GG 8.29.0+


NoFear

4 hours ago, CmP said:

You need to use "Changed/Unchanged" if you want to find xor-encrypted value with fuzzy search. "Increased/Decreased" won't work out because of how xor-encryption works.

I knew it. Just wanted to be sure. But the problem is changed/unchanged returns too many values, and I have never made it to fewer than 20-50 results with searching only changed/unchanged. Also I have a 1 GB RAM phone, so it takes a long time every search. I have given up on hacking iMonster because of this.

 

 

  • Moderators
29 minutes ago, Amizz said:

I knew it. Just wanted to be sure. But the problem is changed/unchanged returns too many values, and I have never made it to fewer than 20-50 results with searching only changed/unchanged. Also I have a 1 GB RAM phone, so it takes a long time every search. I have given up on hacking iMonster because of this.

 

 

Even worse is what a developer can do. Every value change in the game results in all xor keys changing.

Let's say you are trying to find gold.

Gain 1, unknown changed. Gain 0, unknown unchanged. Gain 1 GEM, unknown unchanged. You've now lost your gold value, because the value is still 1 but the xor key changed due to another value changing....  

When you get 50 results, that's good....  Go through, freeze a couple at a time, until you get it. THEN study EVERYTHING nearby. Other values, pointers, pointer searches. Create a map of this entire area. Because once you've learned everything in that area, you don't need to find your value. You find this area, and then navigate to your value.

The best gg hack method doesn't rely on data changing. If you can achieve a search and edit of an encrypted changing value without needing it to change, that's perfect. 

I try to avoid guides with finding a value that's changing. It's much more time consuming initially... But will be worth it later.

  • 2 weeks later...

Okay guys. I'm trying to understand XOR and have been browsing and reading many posts for the past couple of hours. The only thing I don't understand is that after doing 'changed/unchanged', we end up with a couple of 'memory addresses' which might be responsible for the thing we are looking to modify - gems, gold, stars or just about any in-game currency.

The only step I don't get is how the author picks a value which magically leads to the memory address she is looking for. Example here at 0:50 … The in-game gold is 7292. Yet she searches from `1~9x4` to `53x4`. This 53 value leads to the memory address. 

Where did this value come from?

Later steps are equally confusing with no links to previous steps in her logic. After picking `CAF50D18`, she selects the value on top of it and sets it to `0`. And later, changes the `CAF50D18` to a huge number, and presto, free gold!

 

!!!! 

 

I hope I will be able to use this knowledge - after understanding it - to hack/cheat/modify Identity V.

3 hours ago, lonejava said:

Okay guys. I'm trying to understand XOR and have been browsing and reading many posts for the past couple of hours. The only thing I don't understand is that after doing 'changed/unchanged', we end up with a couple of 'memory addresses' which might be responsible for the thing we are looking to modify - gems, gold, stars or just about any in-game currency.

The only step I don't get is how the author picks a value which magically leads to the memory address she is looking for. Example here at 0:50 … The in-game gold is 7292. Yet she searches from `1~9x4` to `53x4`. This 53 value leads to the memory address. 

Where did this value come from?

Later steps are equally confusing with no links to previous steps in her logic. After picking `CAF50D18`, she selects the value on top of it and sets it to `0`. And later, changes the `CAF50D18` to a huge number, and presto, free gold!

 

!!!! 

 

I hope I will be able to use this knowledge - after understanding it - to hack/cheat/modify Identity V.

Good intuition... magic is still not part of hacking, sorry. ?

I think you didn't really get what this [value] is in the video: "[value]X4"

Just to be sure I say this, but I think you already know that and it's not the problem here. Let's say you search for Dword:

 Searching for "[value]X4" means: "find a Dword, containing [value] (not encrypted) xored with the Dword (see nofear following post) 4 bytes after or before (= just the length of the Dword containing [value], so the following/preceding Dword)"

Well if you understand that, you have to know what [value] you want to search for.

I think you were confused because maybe it wasn't the best example. Nofear is searching for an odd thing. He's looking for the number of coins here, not the actual money value you see. So he does "1~9X4" first because he just collected between 1 and 9 coins, and then he searches for "53X4" because he counted the number of coins the arrow of coins he collected was made of, which is exactly 53 coins ^-^.

Why? Because the money is probably not Xor encrypted, and the numbers of coins collected are xor encrypted and can indirectly change money, and/or Nofear just wanted to show another way to hack money than the way you'll first think about, which is directly changing the money.

Your second problem is related to the definition of "[value]X4" I wrote, or most probably to the xor encryption itself. The Xor operation is reversible: the value which is xored with [value] can be after or before it. In this case it is before. Plus you have to know that [value] xor 0 = [value]. So eventually, in this case, nofear sets the xor key to 0 and then he can simply change the encrypted coins number as if it wasn't encrypted at all!

Edited by Rastakiwi
  • Moderators
10 minutes ago, Rastakiwi said:

Good intuition... magic is still not part of hacking, sorry. ?

I think you didn't really get what this [value] is in the video: "[value]X4"

Just to be sure I say this, but I think you already know that and it's not the problem here. Let's say you search for Dword:

 Searching for "[value]X4" means: "find a Dword, containing [value] (not encrypted) xored with the Dword (it is always a Dword, no matter the type you chose for the search) 4 bytes after (= just the length of the Dword containing [value], so the following Dword)"

Well if you understand that, you have to know what [value] you want to search for.

I think you were confused because maybe it wasn't the best example. Nofear is searching for an odd thing. He's looking for the number of coins here, not the actual money value you see. So he does "1~9X4" first because he just collected between 1 and 9 coins, and then he searches for "53X4" because he counted the number of coins the arrow of coins he collected was made of, which is exactly 53 coins ^-^.

Why? Because the money is probably not Xor encrypted, or Nofear just wanted to show another way to hack money than the way you'll first think about, which is directly changing the money.

You can actually choose word or byte and do I think x1 or x2 for values using xor but not dword.

Blade crafter is an exact example of this. Using word value and xor Encryption x2.

6 minutes ago, NoFear said:

You can actually choose word or byte and do I think x1 or x2 for values using xor but not dword.

Blade crafter is an exact example of this. Using word value and xor Encryption x2.

Oh ok thanks, I corrected it. Can it be a Qword if we specify X8, or did you mean "not Qword" instead of "not Dword"?

Edited by Rastakiwi
  • Moderators
1 minute ago, Rastakiwi said:

Oh ok thanks, I corrected it. Can it be a Qword if we specify X8?

Yes. Harry Potter is a good example of that. But you need to edit the plain qword above too.

11 hours ago, Rastakiwi said:

Good intuition... magic is still not part of hacking, sorry. ?

I think you didn't really get what this [value] is in the video: "[value]X4"

Just to be sure I say this, but I think you already know that and it's not the problem here. Let's say you search for Dword:

 Searching for "[value]X4" means: "find a Dword, containing [value] (not encrypted) xored with the Dword (see nofear following post) 4 bytes after or before (= just the length of the Dword containing [value], so the following/preceding Dword)"

Well if you understand that, you have to know what [value] you want to search for.

I think you were confused because maybe it wasn't the best example. Nofear is searching for an odd thing. He's looking for the number of coins here, not the actual money value you see. So he does "1~9X4" first because he just collected between 1 and 9 coins, and then he searches for "53X4" because he counted the number of coins the arrow of coins he collected was made of, which is exactly 53 coins ^-^.

Why? Because the money is probably not Xor encrypted, and the numbers of coins collected are xor encrypted and can indirectly change money, and/or Nofear just wanted to show another way to hack money than the way you'll first think about, which is directly changing the money.

Your second problem is related to the definition of "[value]X4" I wrote, or most probably to the xor encryption itself. The Xor operation is reversible: the value which is xored with [value] can be after or before it. In this case it is before. Plus you have to know that [value] xor 0 = [value]. So eventually, in this case, nofear sets the xor key to 0 and then he can simply change the encrypted coins number as if it wasn't encrypted at all! 

Thanks so much for putting out the details. I can confidently say I learned something. 

The only part I don't get is the last paragraph, which deals with changing the previous value. My understanding is the value which we search is either before or after the xor key [4 bytes in our case] we used. In the last step, I'm assuming that in NoFear's previous attempt, he modified the memory address after the one we are looking for [the unencrypted] to 0 and saw no changes. In his next attempt, he set the previous one to zero and it worked. Is this reasoning correct? Or is the following the reason ->

The formula which we are trying to satisfy is 53 xor 0 = 53... -> [MEMORY ADDRESS #1 VAL] xor [MEMORY ADDRESS #2 VAL] = [MEMORY ADDRESS #1 VAL]. The location of memory address #2 can be AFTER or BEFORE memory address #1 [our target] 

  • Moderators
6 hours ago, lonejava said:

Thanks so much for putting out the details. I can confidently say I learned something. 

The only part I don't get is the last paragraph, which deals with changing the previous value. My understanding is the value which we search is either before or after the xor key [4 bytes in our case] we used. In the last step, I'm assuming that in NoFear's previous attempt, he modified the memory address after the one we are looking for [the unencrypted] to 0 and saw no changes. In his next attempt, he set the previous one to zero and it worked. Is this reasoning correct? Or is the following the reason ->

The formula which we are trying to satisfy is 53 xor 0 = 53... -> [MEMORY ADDRESS #1 VAL] xor [MEMORY ADDRESS #2 VAL] = [MEMORY ADDRESS #1 VAL]. The location of memory address #2 can be AFTER or BEFORE memory address #1 [our target] 

The Xor key then is the xor'd value. If editing the first value to 0 doesn't result in an error or crash, this means the game isn't forcing the xor key. At this point, you can ignore xor. Go to the xor'd value and type in the value you want. Xor with a key of 0 isn't encrypted. 

Address 1 xor 53 = address 2. If address 1 = 0, address 2 = 53.

8 hours ago, lonejava said:

Thanks so much for putting out the details. I can confidently say I learned something. 

The only part I don't get is the last paragraph, which deals with changing the previous value. My understanding is the value which we search is either before or after the xor key [4 bytes in our case] we used. In the last step, I'm assuming that in NoFear's previous attempt, he modified the memory address after the one we are looking for [the unencrypted] to 0 and saw no changes. In his next attempt, he set the previous one to zero and it worked. Is this reasoning correct? Or is the following the reason ->

The formula which we are trying to satisfy is 53 xor 0 = 53... -> [MEMORY ADDRESS #1 VAL] xor [MEMORY ADDRESS #2 VAL] = [MEMORY ADDRESS #1 VAL]. The location of memory address #2 can be AFTER or BEFORE memory address #1 [our target] 

Do you mean you think he first edited the dword value following the xored number of coins (target) to 0, but this didn't change anything so he assumed the xor key was before the target?

No, because as you can see, there is no former value in parentheses next to the 0 (which is how GG displays the backup of an edited value). Even if the following value wasn't originally 0, there would probably be no point testing it, because you can also suppose at a first look that the xor key is just before the target: you know it is 53 decrypted, so the difference between the xor key and the target shouldn't be very high (about 100~200 max I suppose).

5 hours ago, Rastakiwi said:

Do you mean you think he first edited the dword value following the xored number of coins (target) to 0, but this didn't change anything so he assumed the xor key was before the target?

No, because as you can see, there is no former value in parentheses next to the 0 (which is how GG displays the backup of an edited value). Even if the following value wasn't originally 0, there would probably be no point testing it, because you can also suppose at a first look that the xor key is just before the target: you know it is 53 decrypted, so the difference between the xor key and the target shouldn't be very high (about 100~200 max I suppose).

 

7 hours ago, NoFear said:

The Xor key then is the xor'd value. If editing the first value to 0 doesn't result in an error or crash, this means the game isn't forcing the xor key. At this point, you can ignore xor. Go to the xor'd value and type in the value you want. Xor with a key of 0 isn't encrypted. 

Address 1 xor 53 = address 2. If address 1 = 0, address 2 = 53.

 

I honestly have no idea what is being said here. GG displaying a backup of an edited value? The Xor key being before the target? But why? Assuming the key is '4 bytes' away, it doesn't mean the target will lie before the key being modified. 

 

I see xor as an alternate way of finding memory address without directly doing exact search on a value. Instead, we jump around the memory spaces until we hone into our target. But when we 'reach' that point, we mess the value before or after the address. Why? ?

  • Moderators
2 hours ago, lonejava said:

 

 

I honestly have no idea what is being said here. GG displaying a backup of an edited value? The Xor key being before the target? But why? Assuming the key is '4 bytes' away, it doesn't mean the target will lie before the key being modified. 

 

I see xor as an alternate way of finding memory address without directly doing exact search on a value. Instead, we jump around the memory spaces until we hone into our target. But when we 'reach' that point, we mess the value before or after the address. Why? ?

When you edit a value, it puts the previous value beside it inside ( ).

Xor is an Encryption method. It's a very basic Encryption.

When you search #x#

It's    value#offset to key

So if you are searching dword, the xor key has to be increment of 4, x4, x8, x12.....  If qword, increment of 8. If word, increment of 2 and if byte increment of 1.

So some developers are using 2 values to protect a value. 1 is the xor key and the other is the result of the encryption. Using this #x# method, you don't need to know the xor key and the xor key can change every value change.  Essentially this method used by developers is now pointless, for gg can find them without a problem.

Games by Nintendo posed a huge problem: the xor key changes on every value change. Meaning unknown increased, decreased or encryption search would NEVER work. You could only find values with unknown changed and unchanged, then manually scroll through hundreds of values until you found it.

 

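The two-slot layout NoFear describes above (one slot holds the xor key, the neighbouring slot holds value ^ key, and the key may be replaced on every value change) is small enough to model in a few lines. The following Python is an added example written for this thread; it is not GameGuardian's code and not code from any game. It builds a constructed 64-byte snapshot with a patterned filler, places the key at offset 24 and gold ^ key at offset 28 (both values are made up), and then shows three things the posts argue: an "increased" fuzzy search loses the slot after a re-key while "changed" keeps it (CmP's point), a "[value]X4" scan finds the pair without knowing the key (the #x# search Rastakiwi and NoFear explain), and a key of 0 turns the obfuscated slot into plain data, which is exactly why a game that does not validate its key (NoFear's "forcing the xor key") gets no protection from this scheme. The `enforce_key` check in `game_reads_gold` is an assumed illustration of such validation, not any game's real logic.

```python
import struct

# Little-endian formats for the GG value types the thread mentions: byte, word, dword, qword.
WIDTH_FMT = {1: "<B", 2: "<H", 4: "<I", 8: "<Q"}


def read_int(mem, addr, width=4):
    """Read an unsigned little-endian integer of `width` bytes at `addr`."""
    return struct.unpack_from(WIDTH_FMT[width], mem, addr)[0]


def write_int(mem, addr, value, width=4):
    """Write an unsigned little-endian integer of `width` bytes at `addr`."""
    struct.pack_into(WIDTH_FMT[width], mem, addr, value)


def build_memory(gold, key, key_addr, size=64):
    """Constructed memory snapshot (not a dump of any real game).

    Filler dwords hold a fixed pattern; the protected value uses the two-slot
    layout from the thread: the key at key_addr and gold ^ key 4 bytes after it.
    """
    mem = bytearray(size)
    for addr in range(0, size, 4):
        write_int(mem, addr, 0x01010101 * (addr // 4 + 1))  # constructed filler
    write_int(mem, key_addr, key)
    write_int(mem, key_addr + 4, gold ^ key)
    return mem


def fuzzy_filter(old, new, candidates, mode, width=4):
    """One round of an unknown-value search between two snapshots."""
    tests = {
        "increased": lambda a, b: b > a,
        "decreased": lambda a, b: b < a,
        "changed": lambda a, b: b != a,
        "unchanged": lambda a, b: b == a,
    }
    return [addr for addr in candidates
            if tests[mode](read_int(old, addr, width), read_int(new, addr, width))]


def xor_offset_search(mem, value, offset=4, width=4):
    """The "[value]X<offset>" search: every aligned address A whose integer,
    XORed with the integer `offset` bytes later, equals `value`. XOR is
    commutative, so the pair is found whether the key sits before or after the
    obfuscated slot, and the key itself never has to be known."""
    return [addr for addr in range(0, len(mem) - offset - width + 1, width)
            if read_int(mem, addr, width) ^ read_int(mem, addr + offset, width) == value]


def game_reads_gold(mem, key_addr, enforce_key=False, width=4):
    """How a game might decode the value. enforce_key=True is an assumed form
    of "forcing the xor key": a zero key is rejected instead of trusted."""
    key = read_int(mem, key_addr, width)
    if enforce_key and key == 0:
        raise ValueError("xor key is zero: protected value was tampered with")
    return key ^ read_int(mem, key_addr + width, width)


def zero_key_and_edit(mem, key_addr, new_value, width=4):
    """The thread's last step: with key = 0, value ^ 0 == value, so the
    obfuscated slot can be written as plain data. Returns what the game decodes."""
    write_int(mem, key_addr, 0, width)
    write_int(mem, key_addr + width, new_value, width)
    return game_reads_gold(mem, key_addr, width=width)


def demo():
    key_addr = 24
    before = build_memory(gold=100, key=0x5A3C9F11, key_addr=key_addr)
    # Gold went up by one and the game re-keyed the slot on that change,
    # which is the behaviour NoFear describes for some games.
    after = build_memory(gold=101, key=0x13B7E2D4, key_addr=key_addr)
    slots = list(range(0, len(before), 4))
    return {
        # "increased" loses the real slot: the stored bits went down although gold went up
        "increased": fuzzy_filter(before, after, slots, "increased"),
        # "changed" keeps it, together with the key slot that changed alongside it
        "changed": fuzzy_filter(before, after, slots, "changed"),
        # "101X4" finds the pair directly, key unknown
        "xor_hits": xor_offset_search(after, 101),
        # key zeroed, plain value written: the game decodes whatever was typed in
        "after_edit": zero_key_and_edit(after, key_addr, 999999),
    }


if __name__ == "__main__":
    print(demo())
```

The `width` and `offset` parameters cover the other cases raised in the thread (word with X2, byte with X1, qword with X8): the pair just has to be `offset` bytes apart, and the key slot is read with the same width as the value. Calling `game_reads_gold(..., enforce_key=True)` after `zero_key_and_edit` raises, which is the "error or crash" NoFear mentions as the sign that a game is checking its key.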
On ‎12‎/‎25‎/‎2018 at 12:32 AM, NoFear said:

When you edit a value, it puts the previous value beside it inside ( ).

Xor is an Encryption method. It's a very basic Encryption.

When you search #x#

It's    value#offset to key

So if you are searching dword, the xor key has to be increment of 4, x4, x8, x12.....  If qword, increment of 8. If word, increment of 2 and if byte increment of 1.

So some developers are using 2 values to protect a value. 1 is the xor key and the other is the result of the encryption. Using this #x# method, you don't need to know the xor key and the xor key can change every value change.  Essentially this method used by developers is now pointless, for gg can find them without a problem.

Games by Nintendo posed a huge problem: the xor key changes on every value change. Meaning unknown increased, decreased or encryption search would NEVER work. You could only find values with unknown changed and unchanged, then manually scroll through hundreds of values until you found it.

 

I'm beginning to see it. I had to read through this as well to improve my understanding https://www.gamecheetah.org/blog/bypassing-xor-encryption-game-guardian/

I'm going to mess with XOR encryption on the game Love Nikki and see how it goes.

Edited by lonejava
info