Guide: How to Find Encrypted or Obfuscated Variables in Cheat Engine


Rake

I'm not your friend
Administrator
Jan 21, 2014
Game Name: N/A
Anticheat: N/A
Coding Language: N/A
What you need: Self Confidence and strength of will

Just a quick guide on this stuff since it gets asked a lot. Please share your resources and knowledge with GH.

Note that there are 4 possible situations that lead you to not being able to change or find a variable:
  • variable is overwritten by server
  • variable is for the GUI
  • variable is overwritten by some routine
  • variable is encrypted somewhere else

In each situation, you need to reverse engineer it and figure it out, one ASM instruction at a time, one function at a time until you make sense of it.

It's not always as simple as writing to an address. Let's say it's encrypted somewhere, and the results from your scan are just visual or intermediary values for the ammo/health. Let's call it ammoDisplay, and it's 10 cuz you have 10 bullets. Now let's say what you need to really find is ammoREAL, which is 100, because the "obfuscation" method they're using is to store the # of bullets by multiplying it by 10.

So you have a function like this:

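C++:
// Globals added so the snippet compiles; starting values follow the text above.
int ammoREAL = 100;    // obfuscated storage: bullets * 10
int ammoDisplay = 10;  // value shown in the GUI

// Recover the bullet count from the stored form.
int DeobfuscateAmmo(int ammo)
{
    return ammo / 10;
}

// Convert a bullet count to the stored form.
int ObfuscateAmmo(int ammo)
{
    return ammo * 10;
}

void DecAmmo()
{
    int ammoTemp = DeobfuscateAmmo(ammoREAL);
    ammoTemp--;
    ammoDisplay = ammoTemp;
    ammoREAL = ObfuscateAmmo(ammoTemp);
}
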
In Cheat Engine, if you did "find what accesses/writes" on ammoDisplay you would find DecAmmo(), you'd reverse engineer that function and discover the obfuscation and find the ammoREAL variable. Now at this point you can overwrite ammoREAL, hook that function, NOP some stuff, really anything that gives you unlimited ammo will work. This is just a basic idea so you can understand the process.

Often even if the variable is not obfuscated, there is a function like that one that utilizes multiple addresses, a temporary variable or perhaps the variable is only calculated at certain times, and not stored globally anywhere. To figure it out, you gotta start with "find what accesses" and trace backwards.

Learn more:
https://guidedhacking.com/threads/reversing-games-with-encrypted-variables.13766/

Here are some guides from @ChrisFayte

XdarionX

Dying Light Hacker
Mar 30, 2018
CE has fast scan checked by default, but the value may also be shifted/unaligned in memory, so when you are trying to find an obfuscated value, it is a good idea to disable fast scan (this will also give many more results).


dhanax26

0xF9D8C3F5D6D3
Nov 16, 2018
You are right on this -> "variable is encrypted somewhere else". Some weeks ago I got stuck on a game that has "encrypted" ammo, yes, encrypted in quotes because it's not really an encryption; they are multiplying the displayed value of the GUI to "encrypt" the real one. I solved it after another 4 days of reading this guide, and now I am here to give my like to your post. Thank you.

PS: Before knowing the multiply method I had found and solved some encrypted addresses; the most "annoying" things I have found have been the server overwrite and the multiply. Solving encrypted addresses isn't really hard, you just need to reverse the correct function a bit and get/make the key to decrypt the value depending on the encryption type. I have found games using Value to Decimal, XORs, and 1 game for now that uses Primitives to encrypt the correct value.
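
From the game developer's side, the multiply-by-10 storage in the guide and the XOR keys mentioned in the last reply can be set beside a tamper-evident holder. This is an added example, not code from the thread; `GuardedInt`, `mix` and its constants are hypothetical, and `mix` is an ad-hoc check word, not a cryptographic MAC.

```cpp
// Added example (not from the thread). GuardedInt and its members are hypothetical.
#include <cstdint>
#include <random>
using u32 = std::uint32_t;

// Weak form from the guide: the stored value is always bullets * 10, so the
// transform is fixed and can be read out of a single function.
struct MultipliedInt {
    int stored = 0;
    void set(int v) { stored = v * 10; }
    int get() const { return stored / 10; }
};

// Hardened form: the value is XOR-masked with a key re-rolled on every write,
// and a check word binds value and key, so an external write to the masked
// word is detected on the next read.
class GuardedInt {
public:
    explicit GuardedInt(int v) { set(v); }

    void set(int v) {
        key_ = static_cast<u32>(rng_());
        masked_ = static_cast<u32>(v) ^ key_;
        check_ = mix(static_cast<u32>(v), key_);
    }

    // Returns false when the stored words no longer agree (tampering or corruption).
    bool get(int& out) const {
        u32 v = masked_ ^ key_;
        if (mix(v, key_) != check_) return false;
        out = static_cast<int>(v);
        return true;
    }

    // Test hook only: simulates a direct memory write to the masked word.
    void corrupt_for_test(u32 raw_word) { masked_ = raw_word; }
    u32 raw() const { return masked_; }

private:
    // Ad-hoc integrity word (assumption for illustration), rotated so it never equals masked_ trivially.
    static u32 mix(u32 v, u32 k) {
        u32 x = (v + 0x9E3779B9u) ^ (k * 0x85EBCA6Bu);
        return (x << 13) | (x >> 19);
    }
    std::mt19937 rng_{std::random_device{}()};
    u32 key_ = 0, masked_ = 0, check_ = 0;
};
```

The check runs in the same process as the value, so it is a detection aid only; state that matters belongs on the server, which is the first situation the guide lists.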