Help/Support Finding timer offset

steelabood1 · July 8, 2016

Hey guys,

Well, as some of you might know, I am totally noob in modding. So please bear with me..

I am trying to stop a timer in a game. However, I do not know how to I find it. Please keep in mind that strings method does not work because I cannot find anything related.

My question is, is there a method to do this using GDB + IDA pro ? Or, is there another method to do this?

Thanks...

XxGam3Ma2t3rxX · July 8, 2016

First, start the game with the timer counting down then pause. Go into whatever game editor and search for all value types. Many different games store many different timers as floats, 2 bytes, 4 bytes, or 8 bytes. Then, search for an unknown initial value. After you find your (many) results, unpause the game, allow the timer to decrease, and go into your game editor of choice and scan for a decreased value. If it is possible to add time in the game, you could then search for an increased value to greatly narrow the results. This should, lead you to the address that controls the timer. From there, you could either freeze the value or nop the code that decreases it.

Edit: Be back in an hour or two

Edit2: Back!

steelabood1 · July 8, 2016

First, start the game with the timer counting down then pause. Go into whatever game editor and search for all value types. Many different games store many different timers as floats, 2 bytes, 4 bytes, or 8 bytes. Then, search for an unknown initial value. After you find your (many) results, unpause the game, allow the timer to decrease, and go into your game editor of choice and scan for a decreased value. If it is possible to add time in the game, you could then search for an increased value to greatly narrow the results. This should, lead you to the address that controls the timer. From there, you could either freeze the value or nop the code that decreases it.

Edit: Be back in an hour or two

I found it I will try to nop it and get back to u.

XxGam3Ma2t3rxX · July 8, 2016

I found it I will try to nop it and get back to u.

Congratulations!

steelabood1 · July 8, 2016

Congratulations!

Well, nopping the instruction does not work. When I nop it, in gdb I receive a lot of illegal instructions when I try to continue the game.

XxGam3Ma2t3rxX · July 8, 2016

@@steelabood1

Oh this is also important as well!

Time is stored in two ways and two types.

The first type is a float or double representing seconds.
When searching this method, always search a range between plus/minus one of the display time.
So for example > 5:43, you want to search between 342 and 344.

The second type is a 4-byte or 8-byte representing milliseconds.
Similarly, you want to search a range of values.
So for example > 5:43, you want to search between 342000 and 344000.

In addition to these types, games don't always store the value as total time left.
Sometimes, they use total elapsed time and count up from zero.
So if the game starts at 10:00, when it reaches 5:43, you want to search ranges around 4:17.
Increase that range to 3 seconds just in case buddy .

Well, nopping the instruction does not work. When I nop it, in gdb I receive a lot of illegal instructions when I try to continue the game.

Illegal instructions? As in it does not let you continue?

Edit: What game are you trying to do this on? If it is server-sided this will not work most of the time. However sometimes you can slip it in and freeze the timer for games such as pokemon shuffle. However I believe the timer is not server sided until you finish that puzzle match and then the data you just got from completing that round is transferred to the server. Everything else on that game such as their gem system aka diamonds would not be hackable. Coins can be with scripts that multiply them.

steelabood1 · July 8, 2016

@@steelabood1

Oh this is also important as well!

Time is stored in two ways and two types.

The first type is a float or double representing seconds.

When searching this method, always search a range between plus/minus one of the display time.

So for example > 5:43, you want to search between 342 and 344.

The second type is a 4-byte or 8-byte representing milliseconds.

Similarly, you want to search a range of values.

So for example > 5:43, you want to search between 342000 and 344000.

In addition to these types, games don't always store the value as total time left.

Sometimes, they use total elapsed time and count up from zero.

So if the game starts at 10:00, when it reaches 5:43, you want to search ranges around 4:17.

Increase that range to 3 seconds just in case buddy .

Illegal instructions? As in it does not let you continue?

Edit: What game are you trying to do this on? If it is server-sided this will not work most of the time. However sometimes you can slip it in and freeze the timer for games such as pokemon shuffle.

Yeah I found time address using seconds and it was DW. I found two addresses. one leads me to an instruction and the other leads me to another instruction in the same subroutine. I basically want to speed up the timer or decrease the "time left" until the thing happens. I do not know how to go about that.

@@steelabood1

Illegal instructions? As in it does not let you continue?

Edit: What game are you trying to do this on? If it is server-sided this will not work most of the time. However sometimes you can slip it in and freeze the timer for games such as pokemon shuffle. However I believe the timer is not server sided until you finish that puzzle match and then the data you just got from completing that round is transferred to the server. Everything else on that game such as their gem system aka diamonds would not be hackable. Coins can be with scripts that multiply them.

I am trying to hack Rodeo Stampede, and I do not think it is server sided because I was able to hack the coins + play offline.

XxGam3Ma2t3rxX · July 8, 2016

Yeah I found time address using seconds and it was DW. I found two addresses. one leads me to an instruction and the other leads me to another instruction in the same subroutine. I basically want to speed up the timer or decrease the "time left" until the thing happens. I do not know how to go about that.

I am trying to hack Rodeo Stampede, and I do not think it is server sided because I was able to hack the coins + play offline.

Your stumping me...The timer could be a different byte value haha.

However considering iGG or iGameGuardian is the same thing as cheat engine maybe this example can help you out some.

The assasins creed series was built like this for example since many failed to adjust the timers for the series

Countdown and stopwatch timers for this game are built this way:

Two 8byte integers. One second is 30000.

While initializing:

- stopwatch: value1 = systemtime, value2 = systemtime

- countdown: value1 = systemtime, value2 = systemtime + 30000*startingTimerValueInSeconds

For "stopwatch" you see 00:00.00 on screen. For "countdown" you see 00:45.00 on screen (example).

Every cycle:

- stopwatch: value2 = systemtime, onscreenstring = converttohumanreadabletime( (value2 - value1)/30000 )

- countdown: value1 = systemtime, onscreenstring = converttohumanreadabletime( (value2 - value1)/30000 )

The problem is..the timer can be

- ANY TYPE

- one value increasing (or decreasing) from 0(or some non zero value) up to (down to) some non zero value (or zero). <<< Pretty sure this seems to be your issue

- two values (two integers, or two floating point). Both are initialized. Only one is changing every cycle. Every cycle there is calculated difference, and it is converted to other type. At the end, it is converted to string or progress bar width, or arrow angle, or sand, or .... whatever.

- three, four or even more

Then there are temporary values, that said I looked into your game a bit and it seems scripting might be best for this scenario rather than an engine of any sort.

steelabood1 · July 8, 2016

Your stumping me...The timer could be a different byte value haha.

However considering iGG or iGameGuardian is the same thing as cheat engine maybe this example can help you out some.

The assasins creed series was built like this for example since many failed to adjust the timers for the series

Countdown and stopwatch timers for this game are built this way:

Two 8byte integers. One second is 30000.

While initializing:

- stopwatch: value1 = systemtime, value2 = systemtime

- countdown: value1 = systemtime, value2 = systemtime + 30000*startingTimerValueInSeconds

For "stopwatch" you see 00:00.00 on screen. For "countdown" you see 00:45.00 on screen (example).

Every cycle:

- stopwatch: value2 = systemtime, onscreenstring = converttohumanreadabletime( (value2 - value1)/30000 )

- countdown: value1 = systemtime, onscreenstring = converttohumanreadabletime( (value2 - value1)/30000 )

The problem is..the timer can be

- ANY TYPE

- one value increasing (or decreasing) from 0(or some non zero value) up to (down to) some non zero value (or zero). <<< Pretty sure this seems to be your issue

- two values (two integers, or two floating point). Both are initialized. Only one is changing every cycle. Every cycle there is calculated difference, and it is converted to other type. At the end, it is converted to string or progress bar width, or arrow angle, or sand, or .... whatever.

- three, four or even more

Then there are temporary values, that said I looked into your game a bit and it seems scripting might be best for this scenario rather than an engine of any sort.

Well, as I am new to all of this, I have to read what you wrote carefully and try to understand it. Thanks for your help!

XxGam3Ma2t3rxX · July 8, 2016

Well, as I am new to all of this, I have to read what you wrote carefully and try to understand it. Thanks for your help!

Sure. I am gonna take a shower my friend. Will add a note when I am back.

Edit: Back @@steelabood1

Back to this case, I feel like a script should be better as that is what a lot of these timer hacks use is scripts, now do not get me wrong some timer hacks use engines such as cheat engine but it is more-over a script which involves hex editing, javascript knowledge, etc.