Figuring out a map's cheats through Jass

Aero
Forum Staff
Posts: 829
Joined: January 28th, 2007, 8:10 pm
Title: JASS Programmer
Location: Canada

Re: Figuring out a map's cheats through Jass

Post by Aero »

Jass Noobs...I guess that's why I'm here =P

First of all, in this:

call TriggerRegisterPlayerChatEvent(uw,Player(0),"-",false)

The boolean argument here (The false value) means that "-" DOES NOT have to be an exact match. The chat message that could fire off this trigger could be... "-345fsfsd" ..could be " asdjadjaskld -" as long as it has a "-" in it.

As for the cheat...It's trivial where the checker lies

The condition...

    function vQ8 takes nothing returns boolean
        if(not(CountUnitsInGroup(sA(GetTriggerPlayer(),1315990632))==1))then
            return false
        endif
        return la(GetEventPlayerChatString())
    endfunction

The actions

    function vZ8 takes nothing returns nothing
        call DisableTrigger(GetTriggeringTrigger())
        call ForGroupBJ(sA(GetTriggerPlayer(),1315990632),function vR8)
        call CreateNUnitsAtLoc(1,1311781197,GetTriggerPlayer(),GetRectCenter(GetPlayableMapRect()),bj_UNIT_FACING)
        if(v28())then
            call SetUnitPositionLoc(GetLastCreatedUnit(),GetRandomLocInRect(cg))
        else
            call SetUnitPositionLoc(GetLastCreatedUnit(),GetRandomLocInRect(Dg))
        endif
        set J4[GetConvertedPlayerId(GetTriggerPlayer())]=GetLastCreatedUnit()
        call SelectUnitForPlayerSingle(J4[GetConvertedPlayerId(GetTriggerPlayer())],GetTriggerPlayer())
        call DisplayTextToForce(GetPlayersAll(),"Jiraiya starts to get serious...")
        return
    endfunction

Under actions, there are no string checks which means that the cheat is located in conditions.

This line here:
if(not(CountUnitsInGroup(sA(GetTriggerPlayer(),1315990632))==1))then

simply means "Number of Jiraiyas owned by the trigger player = 1"

This concludes that the string check occurs in this line:

return la(GetEventPlayerChatString())

So let's find out what happens...

    // The two return statements are the "return bug" typecast:
    // the real's bits come back as an integer
    function ua takes real r returns integer
        return r
        return 0
    endfunction

    // Same typecast in the other direction: integer bits as a real
    function va takes integer i returns real
        return i
        return 0.
    endfunction

    function wa takes integer x,integer y returns location
        return Location(va(x),va(y))
    endfunction

    function xa takes location ya returns nothing
        call RemoveLocation(ya)
    endfunction

    function za takes location ya,integer iX,integer iY returns nothing
        call MoveLocation(ya,va(iX),va(iY))
    endfunction

    function Aa takes location ya returns integer
        return ua(GetLocationX(ya))
    endfunction

    function aa takes location ya returns integer
        return ua(GetLocationY(ya))
    endfunction

    // Index of character c in the alphabet ba; returns 62 when c is not in it
    function Ba takes string c returns integer
        local string ba="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
        local integer i=0
        local integer Ca=StringLength(ba)
        loop
            exitwhen(c==SubString(ba,i,i+1))or(i>=Ca)
            set i=i+1
        endloop
        return i
    endfunction

    // Mixes character index c into the two integers stored in location Da
    function ca takes location Da,integer c returns nothing
        local integer n=1
        local integer Ea=11742
        local integer Fa=0
        local integer k1=5168478+c
        local integer k2=2763741+c
        local integer h1=Aa(Da)
        local integer h2=aa(Da)
        loop
            exitwhen n>32
            set h1=h1+((h2*16)+(h2/32))+h2+Fa+k1
            set Fa=Fa+Ea
            set h2=h2+((h1*16)+(h1/32))+h1+Fa+k2
            set n=n+1
        endloop
        call za(Da,h1,h2)
    endfunction

    // Feeds the chat string s through ca one character at a time,
    // then compares the resulting x and y against two fixed values
    function la takes string s returns boolean
        local integer Ha=0
        local integer n=0
        local integer Ca=StringLength(s)
        local location Da=wa(0,0)
        loop
            exitwhen n>=Ca
            set Ha=Ba(SubString(s,n,n+1))
            call ca(Da,Ha)
            set n=n+1
        endloop
        if(Aa(Da)==-223438418)then
            if(aa(Da)==1501069220)then
                call xa(Da)
                set Da=null
                return true
            endif
        endif
        call xa(Da)
        set Da=null
        return false
    endfunction

As you can see...the string checker is rather lengthy but here are the basics of how it works...

It creates a location at (0,0)
Based on the inputted string, it generates 2 integers and moves the location to these 2 integers
At the end of the algorithm, it checks to see if the location x and y value = some value
If they do, it returns true and the actions fire off

Best option here is to probably examine the algorithms and simplify the code.
Next, make estimates about it and quickly design a program to brute force the cheat.
Niipaa
Newcomer
Posts: 11
Joined: December 4th, 2007, 7:45 am
Location: nyc

Re: Figuring out a map's cheats through Jass

Post by Niipaa »

wow, that's going to be a bummer to simplify. thanks so much Aero for breaking it down into pieces, you explained it very well. now i just gotta figure out the last part you told me; any other suggestions or advice is greatly appreciated
Aero
Forum Staff
Posts: 829
Joined: January 28th, 2007, 8:10 pm
Title: JASS Programmer
Location: Canada

Re: Figuring out a map's cheats through Jass

Post by Aero »

First of all, this system works by overflowing integers.

In wc3, an integer can be 2^32 (4,294,967,296) different possible integers.

These integers range from -2,147,483,648 to 2,147,483,647 (Since 0 counts as one of them)

If you overload an integer in wc3 (This is to say to go below or above the limit)
It will subtract (If the number is above limit) or add (If the number is below the limit) 2^32 until the number is within range.

ie: 2,147,483,647 + 1 = -2,147,483,648

ie: 2,147,483,647 * 2,147,483,647 = 1

ie: -2,147,483,648 - 1 = 2,147,483,647

I'll design a program to brute force the cheats in a bit (I'm busy right now)
Niipaa
Newcomer
Posts: 11
Joined: December 4th, 2007, 7:45 am
Location: nyc

Re: Figuring out a map's cheats through Jass

Post by Niipaa »

hey, thanks a lot for your time! may i also ask where you learned this stuff? this integer system isn't common jass knowledge for me.
Aero
Forum Staff
Posts: 829
Joined: January 28th, 2007, 8:10 pm
Title: JASS Programmer
Location: Canada

Re: Figuring out a map's cheats through Jass

Post by Aero »

Read through wc3jass.com and wc3campaigns forums.
They contain nifty information.

Another good way is to look at the .j scripts of maps that interest you.
If you see a spell or something neat in the map and wonder how it was done--Open up the .j script and check it out.

The best way is to probably make maps and run experiments with world editor.
weirdone2
Forum Staff
Posts: 926
Joined: June 3rd, 2007, 8:03 pm

Re: Figuring out a map's cheats through Jass

Post by weirdone2 »

You just gotta make sure you're matching the condition. o.0
Niipaa
Newcomer
Posts: 11
Joined: December 4th, 2007, 7:45 am
Location: nyc

Re: Figuring out a map's cheats through Jass

Post by Niipaa »

Aero wrote:
First of all, this system works by overflowing integers.

In wc3, an integer can be 2^32 (4,294,967,296) different possible integers.

These integers range from -2,147,483,648 to 2,147,483,647 (Since 0 counts as one of them)

If you overload an integer in wc3 (This is to say to go below or above the limit)
It will subtract (If the number is above limit) or add (If the number is below the limit) 2^32 until the number is within range.

ie: 2,147,483,647 + 1 = -2,147,483,648

ie: 2,147,483,647 * 2,147,483,647 = 1

ie: -2,147,483,648 - 1 = 2,147,483,647

I'll design a program to brute force the cheats in a bit (I'm busy right now)

Sorry, it's been days but I haven't had any luck trying to figure this out. I think I am going to give up on this; this type of embedded cheat is very complicated to narrow out and decipher. If there is nothing more that can be done, we'll leave it at that; I don't want to inconvenience anyone. I would like to thank all of you, especially Aero for helping me out!
Bartimaeus
Tyrannical Drama Queen
Posts: 4445
Joined: November 19th, 2007, 5:05 am
Been thanked: 2 times

Re: Figuring out a map's cheats through Jass

Post by Bartimaeus »

Uhh, you could still search playerchatevent and find it...
(Edit) Nevermind, he deleted his post...
Penguin
Member
Posts: 55
Joined: May 22nd, 2007, 1:12 am

Re: Figuring out a map's cheats through Jass

Post by Penguin »

Sorry for bumping this 2 week+ old thread, but is there some way a simpler being, such as I, could create a brute forcing program?

I'd like to know the encrypted commands.
Aero
Forum Staff
Posts: 829
Joined: January 28th, 2007, 8:10 pm
Title: JASS Programmer
Location: Canada

Re: Figuring out a map's cheats through Jass

Post by Aero »

Just replicate the process and make sure you handle the overflow correctly.

Just remember that brute force takes a very long time.
To cut down on the time, restrict your charset to " -abcdefghijklmnoprstuvwy".

It's most likely that the code will be lower case and will not contain q,x,z
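
Added example (not code from any poster in this thread): the `la` string check and the integer overflow rules described above, replicated in Python with explicit 32-bit wraparound. It assumes the `ua`/`va` casts pass the integer bits through the location unchanged and that JASS integer division truncates toward zero; the function names are made up for this sketch, and `search` is run only against a constructed target.

```python
from itertools import product

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
TARGET = (-223438418, 1501069220)  # the two values la() compares against

def wrap32(x):
    """Reduce x into the signed 32-bit range, as an overflowing wc3 integer does."""
    return (x + 2**31) % 2**32 - 2**31

def div32(x):
    """x / 32 truncated toward zero (assumed JASS behaviour; Python's // floors)."""
    return -((-x) // 32) if x < 0 else x // 32

def char_index(c):
    """Ba(): position in ALPHABET, or len(ALPHABET) for any other character."""
    i = ALPHABET.find(c)
    return i if i >= 0 else len(ALPHABET)

def mix(h1, h2, c):
    """ca(): 32 rounds over the two stored integers for one character index."""
    k1, k2, fa = 5168478 + c, 2763741 + c, 0
    for _ in range(32):
        h1 = wrap32(h1 + wrap32(h2 * 16) + div32(h2) + h2 + fa + k1)
        fa += 11742
        h2 = wrap32(h2 + wrap32(h1 * 16) + div32(h1) + h1 + fa + k2)
    return h1, h2

def jass_hash(s):
    """la() without the final comparison: start at (0, 0), mix in each character."""
    h1 = h2 = 0
    for ch in s:
        h1, h2 = mix(h1, h2, char_index(ch))
    return h1, h2

def check(s):
    """la(): True only when both integers match the embedded values."""
    return jass_hash(s) == TARGET

def search(target, charset, max_len):
    """Return the first string over charset (length <= max_len) hashing to target."""
    for n in range(1, max_len + 1):
        for cand in product(charset, repeat=n):
            if jass_hash("".join(cand)) == target:
                return "".join(cand)
    return None

if __name__ == "__main__":
    demo = jass_hash("ab")  # constructed target for the demo, not the map's
    print(search(demo, "abc", 2), jass_hash("-a") == jass_hash(" a"))
```

Because `char_index` returns 62 for every character outside the 62-character alphabet, strings such as "-a" and " a" produce the same pair of integers.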