# [Tutorial] Fruit Ninja Hack - Always critical hit - Auto Crit

#### till0sch

##### Respected Hacker
Dank Tier VIP
Dank Tier Donator
Hey guys,

This tutorial will be about how to reverse Fruit Ninja for PC (get it here: https://www.youtube.com/watch?v=58k60SzYXq8) with regard to how to always crit.

Let's first of all collect what we've got:
- crit strikes give us 10 points instead of 1 per sliced fruit
- they occur randomly
- they are being COUNTED. If you do, say, 10 crit strikes, regardless of whether that was in more than 1 game, you get an ACHIEVEMENT

So why not search for an unknown 4-byte value which always increases by 1 when we crit (use "Increased value by 1").

That way we find
FruitNinja.exe+E0410 - FF 41 54 - inc [ecx+54]
as the instruction increasing our critical strike total count.

Breakpointing the top of the function
FruitNinja.exe+DF520 - 55 - push ebp

And stepping through will give us this:
FruitNinja.exe+DF727 - 80 BB 65010000 00 - cmp byte ptr [ebx+00000165],00

So either [ebx+0x165] is 0 and we jump away from the part above (notice it says critical at FruitNinja.exe+DF771), or the critical stuff gets done.

Making it a JNE will not be enough, as we will notice. But because we know some basic stuff, [ebx+0x165] will be a flag for crit or no crit.

However, we will have to breakpoint that instruction (the CMP) first to find out where this flag is set. Now we breakpoint the beginning of the function again:
FruitNinja.exe+DF520 - 55 - push ebp
And see whether we can find that EBX value again. You will see that it's stored in ECX.

Now we add ecx+165 to the address list and see what writes it after breakpointing the beginning of the function again.
We will find out that
FruitNinja.exe+DF6D4 - 88 83 65010000 - mov [ebx+00000165],al
will write to it.

We'll do a code injection by going to the memory view, pressing Ctrl+A and then Ctrl+I, and pressing Enter.
At newmem: we'll write mov al,1, because we know that if it is 0 the critical stuff will be skipped.

Here's the assembly injection script (Cheat Engine auto assembler):

```asm
[ENABLE]
alloc(newmem,2048)
label(returnhere)
label(originalcode)
label(exit)

newmem: //this is allocated memory, you have read,write,execute access
mov al,1                //force the crit flag to 1 before it gets stored

originalcode:
mov [ebx+00000165],al   //the stolen instruction from FruitNinja.exe+DF6D4

exit:
jmp returnhere

"FruitNinja.exe"+DF6D4:
jmp newmem              //E9 rel32 is 5 bytes, the original instruction is 6, so pad with one nop
nop
returnhere:

[DISABLE]
"FruitNinja.exe"+DF6D4:
mov [ebx+00000165],al   //restore the original 6 bytes
dealloc(newmem)
```

Injecting this will give us always-crit.

I hope this wasn't too complicated to understand; if it was, feel free to ask.

Here's a video:


#### squeenie

##### Hacker
Meme Tier VIP
Dank Tier Donator
Another ripper from till0sch97! Nice one man.

#### Rake

Another great tutorial!

#### till0sch

##### Respected Hacker
Dank Tier VIP
Dank Tier Donator
> Another ripper from till0sch97! Nice one man.

> Another great tutorial!

Thanks guys, this keeps me motivated to do some other tuts in the future.

Dank Tier VIP
Great job!

#### TastyHorror

##### Coder
Dank Tier Donator
Nobleman
Looks good.
