[CheatEngine] Memory analysis of BCR

0x00 Preface

As my studies have advanced, the number and variety of tasks has grown and my free time has shrunk. After some hesitation I decided to drop the hobbies that kill time without adding much, and the first to go were the mobile games that filled fragmented moments and the time before bed.
For each mobile game I abandon, I post my inventory and character box on Weibo as a launch-day player, so that when I talk about the game with others far in the future I can use the screenshots to prove that I was not a "cloud player" but actually took part.
Still, that alone does not feel like enough. It is better to also look at the game from a computer-science perspective, one that others rarely see, and along the way to record the time I spent on it out of passing interest.

This is written for the BCR mobile game I have abandoned: the game's data, its in-battle memory, and some suggestions for resisting modification.
(I originally wanted to post this on 52pojie, but I had not logged into that account for so long that I lost it, QvQ)

PS: This article is mainly for learning and exchange (and for archiving) among coders who are already proficient in data mining and memory analysis. It only provides analysis and does not give the locating and modification process, and it deliberately leaves out the knowledge a beginner would need to get from zero to memory analysis, so that ordinary players cannot use it to modify the game at will and ruin the game environment.

0x01 data analysis

In this section we briefly analyze the main attributes of the characters in this game and what they are used for; the memory analysis that follows depends on understanding this data.

[Figure: Pudding attribute panel A]
[Figure: Pudding attribute panel B]
The two pictures above are one character's attribute panel, a fairly conventional attribute design.
A brief description of a few of these values:

  • Physical defense, magic defense: uses a calculation similar to League of Legends: $Dmg = Dmg_{origin} \times \frac{Def}{100+Def}$
    • Look at Eagle Horn! Isn't the ready-made formula good enough?! Why on earth use attack minus defense!!!
  • Skill cost reduction: once the skill gauge (called TP) is full, the ultimate (called UB) can be released. Releasing the UB normally empties the TP gauge, but if this attribute has a value, a percentage of the TP equal to that value is retained. For example, with a skill cost reduction of 10, 10% of the TP gauge remains after the UB is released. This attribute may not exceed 100.
  • Life steal: each attack, skill and UB restores the character's own HP by a certain percentage of the damage dealt (it currently appears to be a percentage). The value is allowed to exceed 100, which means more than 100% of the damage dealt can be recovered.

0x02 memory analysis

Knowing there are this many attributes, we naturally expect that for each character they are instance member variables.
Then: should these values sit close together in memory? Should they be encrypted the same way? Are they temporary variables or fixed ones?

Battle-time memory overview

[Figure: Memory analysis]

First, the conclusion: in memory, they are roughly laid out in the following relative positions:

  • In memory, each character occupies its own block, and the blocks of the 5 characters are not adjacent to one another.
  • The data is split into two groups: the first half holds the base values of the character's attributes and the second half the current values. For example, when a short attack-power buff is applied during a battle, the attack power in the second half increases while the first half does not.
  • For each character, the relative offset between different attribute parameters is fixed. For example, magic attack is always three cells to the right of physical attack (a "cell" here is a colloquial way of saying one 4-byte DEC value).
  • For each character, the address holding the parameters is temporary: it is allocated at the start of each battle and freed afterwards. This observation is also what lets me conclude that the data is computed locally and sent back to the server after the battle. Only then did I dare to test freely in each battle, record the data I needed, and kill the game process to stop the battle from completing (at the cost of a little stamina, hahaha).
  • So that it cannot be used maliciously, the figure deliberately hides the legend of the ox symbol, some attribute parameters, and the positions at which HP/TP could be modified directly (hint: TP is single precision, with an upper limit of 1000.0).

Battle-time memory in practice

[Figure: Battle process]
As the figure above shows, after entering a battle every character starts from some initial value (usually full HP and empty TP, except in special cases such as dungeons where values carry over), and these values keep changing as the battle progresses.
So which are invariants, which are variables, and which are controllable variables? That is the basis of locating data:

  • The time in the upper-right corner is a controllable variable, because we can stop it by pressing Pause. Time usually does not advance in discrete integer jumps, otherwise many problems would arise, so we can obtain the address of the time directly by rounding the single-precision value.
  • Before the characters run onto the field and release their first skill, their attributes are the unbuffed base attributes, and the game can be paused at this moment. This is the best time to search for specific variables in the ocean of memory; attributes with larger values and lower repetition rates (such as physical attack or magic attack) narrow the search results down to 2-10.
  • The location of the time is separate, but the attributes are adjacent to one another, so locating a single attribute reveals the whole block.

0x03 Development history and brief suggestions for revision

The hard road of development

So some kids who are used to dominating Monster Hunter World with CE are unhappy: "I searched, but I can't find it! You cheated on paper!" Very good; if this layer of cellophane, thin as a cicada's wing, can still keep some people out, I am relieved...
The common ways to locate memory are as follows:

  • Give a value first, change it by small increments, and search for the changed value. Common when changing decorations in MHW or HP in FGO.
  • For a variable whose initial value is unknown, increase it and traverse all the values that increased, then decrease it and see which ones got smaller. Common when changing the field of view in FF14 or coordinates in MC.

But even though BCR is an almost unprotected game, it still came up with a countermeasure that stops these two beginner approaches from modifying it easily, namely a reversible mapping:

Quick lesson: for any value $x$, if there is a function $f$ with an inverse $f^{-1}$ such that $f^{-1}(f(x)) = x$, we call the mapping reversible.

Unfortunately the BCR programmers were lazy and chose a mapping in which $f^{-1}$ and $f$ are the same operation. The feature values (in effect, the keys) used in the mapping flood the memory as if afraid of being overlooked (because so many variables have an initial value of 0, the feature value is effectively handed over; this situation is also very common in modern wartime cipher breaking), which led to the wave of "immortals" that once appeared in the arena. Later the feature value was changed by 1 (a smoke bomb), which greatly reduced the number of people able to use this trick. Probably the people who worked it out decided to keep it to themselves rather than pass tools downstream.
"After an update, a battle-log query function was introduced, and people who make modifications will be found in the battle information records..."
Really? I hope it is true, but in practice traversing battle information consumes far too many resources; this can be seen from the fact that checking every person in a guild battle takes up to a week. The operator is in a difficult position too: first, it is not easy to make major code changes in Search (the original company); in the original logic the packets do carry information, but the amount is too small and there is too little that can be used for verification. In most cases it still relies on the few limited battle-record slots for players to report.

Possible solutions

Change the feature value regularly
The current position-mapping scheme is quite commendable, but I do not know whether the feature value is hard-coded or variable. One could learn from FF14, which changes the op_dictmap with each minor version update, so that at least the rate of modification by casual non-professional players drops significantly (more changes will still happen, but fewer people will find them, and not long after something spreads it is already n hops from the root node).

Add a check value
After a battle ends, a check value can be sent that packs as much information as possible into the fewest bytes, for example:

  • The highest possible damage of the current team, compared with the actual settled damage
    • For an accurate calculation you might need a multiple-knapsack DP, not recommended
    • For a rough calculation, use the highest possible TP value to compute the number of UBs and the number of normal skill cycles within the time, ignoring interruptions and delays, assuming every buff is up the whole time, rounding up
  • If damage is not considered, a counter or flag for the number of UB releases and for changes in attack power can be added quietly and sent back, encrypted, together with the check code.
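A server-side sketch of the two suggestions above, as an added example that is not from the original post or the game: the rough damage ceiling (TP funds UBs up to its 1000.0 cap, skill cycles fit in the battle time, everything rounded up) plus an HMAC check value over the hidden counters. The team numbers, secret and the `max_ubs`/`verify_result` helpers are constructed assumptions.

```python
import hashlib
import hmac
import math

# From the page: TP is single precision with an upper limit of 1000.0; a UB fires when full
TP_MAX = 1000.0

def max_ubs(char, duration_s):
    """Most UBs a character could fire if TP gain were never interrupted (rounded up)."""
    tp_gain = char.get("tp_start", 0.0) + char["tp_per_s"] * duration_s
    return math.ceil(tp_gain / TP_MAX)

def max_damage_bound(team, duration_s):
    """Rough ceiling on team damage: every UB the TP could fund plus every normal
    skill cycle that fits in the time, ignoring interruptions and delays and
    assuming every buff is up for the whole battle, all rounded up."""
    total = 0.0
    for c in team:
        cycles = math.ceil(duration_s / c["cycle_s"])
        total += max_ubs(c, duration_s) * c["ub_dmg"] + cycles * c["cycle_dmg"]
    return total

def check_value(counters, secret):
    """Check value sent back with the result: an HMAC over the hidden counters
    (UB releases, attack-power changes) so the client cannot edit them silently."""
    msg = ",".join(f"{k}={counters[k]}" for k in sorted(counters)).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify_result(team, duration_s, reported_dmg, counters, tag, secret):
    """Server-side verification; returns (accepted, reason)."""
    if not hmac.compare_digest(check_value(counters, secret), tag):
        return False, "check value mismatch"
    if counters["ub_count"] > sum(max_ubs(c, duration_s) for c in team):
        return False, "more UBs than TP could fund"
    bound = max_damage_bound(team, duration_s)
    if reported_dmg > bound:
        return False, f"damage {reported_dmg:.0f} exceeds ceiling {bound:.0f}"
    return True, "ok"

# Constructed sample team and secret (hypothetical numbers, not the game's values)
SECRET = b"server-side-secret-placeholder"
TEAM = [
    {"name": "pudding", "tp_per_s": 20.0, "cycle_s": 6.0, "cycle_dmg": 3000.0, "ub_dmg": 20000.0},
    {"name": "knight", "tp_per_s": 12.0, "cycle_s": 8.0, "cycle_dmg": 1500.0, "ub_dmg": 9000.0},
]

if __name__ == "__main__":
    counters = {"ub_count": 3, "atk_changes": 2}
    tag = check_value(counters, SECRET)
    print(verify_result(TEAM, 90.0, 100000.0, counters, tag, SECRET))  # honest run
    print(verify_result(TEAM, 90.0, 500000.0, counters, tag, SECRET))  # beyond the ceiling
```

The ceiling is deliberately generous, so it only catches results that no legitimate run of that team could produce; the HMAC is what stops the counters themselves from being edited in transit.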

I hope this game gets better and better. This knight bids farewell to Landsauer; see you if fate allows!


Origin blog.csdn.net/okcd00/article/details/108399909