Well, let’s talk about how to use IDA Pro with a video game.
The game I use for this post is “Tzar – Edicion de Oro”, also known as Tsar.
This game lets you change the game speed with a slider inside the Options panel.
Our goal is to find the “static pointer + offset” that holds the game speed.
The first thing to do is open IDA and select File > Open, then browse to Tzar.exe.
Now wait for IDA to finish loading the file and all its modules.
There is a lot we could do now; I’m going to show you how to change the game speed to whatever value you want. Press SHIFT + F12 and wait for the process to complete: IDA will list every text string compiled into Tzar.exe.
Here it is:
Press ALT + T to search through all the referenced text strings; search for the value “speed”:
Hit OK, then press CTRL + T to repeat the search until you see something like this:
We can see an interesting part of the game that probably controls the game speed. Select “game_speed_control” and press ENTER; this takes you to “IDA View-A”, where we see some assembly and the DATA XREF list.
Hover over the DATA XREF sub_43F0A0 and IDA Pro will highlight the code in yellow and show a tooltip with the assembly of that function.
Then press F5 and IDA Pro will open a new window with the C pseudocode, which helps us understand what this function does. The interesting part of the function is this code:
if ( (unsigned int)v3 >= 5 )
{
    if ( (unsigned int)v3 >= 0xA )
    {
        if ( (unsigned int)v3 >= 0xF )
        {
            if ( (unsigned int)v3 >= 0x14 )
            {
                v24 = 0;
                if ( (unsigned int)v3 >= 0x1E )
                    v23 = (int)"game_speed_turbo";
                else
                    v23 = (int)"game_speed_fastest";
            }
            else
            {
                v24 = 0;
                v23 = (int)"game_speed_fast";
            }
        }
        else
        {
            v24 = 0;
            v23 = (int)"game_speed_normal";
        }
    }
    else
    {
        v24 = 0;
        v23 = (int)"game_speed_slow";
    }
}
else
{
    v24 = 0;
    v23 = (int)"game_speed_slowest";
}
If we convert the hexadecimal numbers to decimal we get:
5 = 5
A = 10
F = 15
14 = 20
So the speed values set by the slider are 5, 10, 15 and 20.
Now open Tzar and start a game. While playing, go to Menu > Options > Speed and set the value you want; this picture shows the speed value the game will use when you move the slider:
So now you know the speed of the game. Yeah! Try searching for this value with Cheat Engine, or debug a little with IDA.
If you want to know the static address for this offset, look at the top of the pseudocode window, where you’ll find these lines:
v3 = a1;
dword_587748 = a1;
*(_DWORD *)(dword_9DD3EC + 74) = a1;
So the static pointer for this offset is 0x009DD3EC, plus 70 for the speed. With Cheat Engine you can use this method to change the game speed:
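As an added example (not code from the post or from the game), here is how the “static pointer + offset” chain and the threshold ladder from the decompiled function fit together. The memory reader is a constructed stand-in for a real process memory API, and the heap address is made up; only 0x009DD3EC, the decimal offset printed by Hex-Rays, and the thresholds come from the pseudocode above. Remember that Hex-Rays prints offsets in decimal while Cheat Engine’s offset field expects hex, so convert before typing it in.

```python
import struct

# From the post's Hex-Rays output: dword_9DD3EC is the static pointer to the
# game state object, and the speed is stored at (decimal) offset 74 inside it.
STATIC_PTR = 0x009DD3EC
SPEED_OFFSET = 74


def speed_label(v: int) -> str:
    """Same ladder as sub_43F0A0: the compares are unsigned, so mask to 32 bits."""
    v &= 0xFFFFFFFF
    if v < 5:
        return "game_speed_slowest"
    if v < 0xA:
        return "game_speed_slow"
    if v < 0xF:
        return "game_speed_normal"
    if v < 0x14:
        return "game_speed_fast"
    if v < 0x1E:
        return "game_speed_fastest"
    return "game_speed_turbo"


class FakeMemory:
    """Constructed stand-in for a process memory reader (little-endian DWORDs)."""

    def __init__(self):
        self.cells = {}

    def write_u32(self, addr: int, value: int) -> None:
        self.cells[addr] = struct.pack("<I", value & 0xFFFFFFFF)

    def read_u32(self, addr: int) -> int:
        data = self.cells.get(addr)
        if data is None:
            raise ValueError(f"unmapped read at {addr:#010x}")
        return struct.unpack("<I", data)[0]


def resolve_speed(mem: FakeMemory, static_ptr: int = STATIC_PTR, offset: int = SPEED_OFFSET) -> int:
    """Dereference the static pointer, then read the DWORD at base + offset."""
    base = mem.read_u32(static_ptr)
    if base == 0:  # before a match starts the object may not exist yet
        raise ValueError("static pointer is NULL: game state object not allocated")
    return mem.read_u32(base + offset)


def build_sample_memory(speed: int) -> FakeMemory:
    """Constructed memory image: pointer at 0x009DD3EC -> made-up heap object."""
    mem = FakeMemory()
    obj_base = 0x02A40000  # hypothetical heap address, not from the post
    mem.write_u32(STATIC_PTR, obj_base)
    mem.write_u32(obj_base + SPEED_OFFSET, speed)
    return mem
```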
Cheers!!!