Collectible Card Game Headquarters

Is there any way to set AI health to 0 or 1 in Duels Origins?
Im using Cheat Engine, but it always reverts to previous value right after i changed it.
There is also already exist a trainer, but you can get it only if you're premium user.

fraaaaaaancis wrote:Is there any way to set AI health to 0 or 1 in Duels Origins?
Im using Cheat Engine, but it always reverts to previous value right after i changed it.
There is also already exist a trainer, but you can get it only if you're premium user.

ALI213's trainer is free and works fine for me. It sets the AI health to 0 immediately.

http://pan.baidu.com/wap/link?uk=118197 ... 97&third=0

Click 下载(3.92MB) to download it.

I tried to run Cheat Engine on Magic Duels in order to scan its memory and find a "sequence" like the one spirolone pasted on the previous page. I found 3, but they are not what we're searching for, because they contain references to NVidia and Microsoft... they are keys indeed (for drivers I guess), but not for ZED files.

Screenshot | Open

My idea implied searching for "F7 0D 01 01 01" (you actually need to give it reverse to Cheat Engine, "01 01 01 0D F7") and it seems to work when searching for keys, it just doesn't find the right one. Maybe it stays in memory just for a brief moment when the ZED files need to be open... if that's the case I don't know if it's possible to use Cheat Engine in order to search for it.

EDIT: I'm still trying, anyway...
EDIT 2: I give up, for now.

thefiremind wrote:I tried to run Cheat Engine on Magic Duels in order to scan its memory and find a "sequence" like the one spirolone pasted on the previous page. I found 3, but they are not what we're searching for, because they contain references to NVidia and Microsoft... they are keys indeed (for drivers I guess), but not for ZED files.

Screenshot | Open

My idea implied searching for "F7 0D 01 01 01" (you actually need to give it reverse to Cheat Engine, "01 01 01 0D F7") and it seems to work when searching for keys, it just doesn't find the right one. Maybe it stays in memory just for a brief moment when the ZED files need to be open... if that's the case I don't know if it's possible to use Cheat Engine in order to search for it.

I'm experiencing a lot of problems with debugging; I tried CheatEngine too, but it crashed everytime I started debugger...
Actually, I didn't find the public key either. Sadly they improve protections against debugging, and it's very difficult to be successful on our task...

Good news are thet they didn't change profile management and we can easily unlock cards and manage decks...

When i disabled the WAD signature check in Magic 2015 then i found the public key for the ZED files. Unfortunately i didn't manage to run Magic Origins with a debugger yet so i can't check if it is in the same place...
What i can tell is that the game doesn't load WADs anymore (maybe it is disabled in the code and needs to be enabled, or the WAD, ZED format changed dramatically).
I will do some more investigations about that in the next days.

spirolone wrote:Good news are thet they didn't change profile management and we can easily unlock cards and manage decks...

Really? Is it working, did you try it? I thought that the information about your unlocked cards is stored on the servers...

merdok wrote:When i disabled the WAD signature check in Magic 2015 then i found the public key for the ZED files. Unfortunately i didn't manage to run Magic Origins with a debugger yet so i can't check if it is in the same place...
What i can tell is that the game doesn't load WADs anymore (maybe it is disabled in the code and needs to be enabled, or the WAD, ZED format changed dramatically).
I will do some more investigations about that in the next days.

spirolone wrote:Good news are thet they didn't change profile management and we can easily unlock cards and manage decks...

Really? Is it working, did you try it? I thought that the information about your unlocked cards is stored on the servers...

It's synced with the servers. If you play offline, you can still make decks, and when you reconnect, it tells you your local decks are different from the server's copy and asks which you'd like to keep. More than likely, which cards you've unlocked is handled the same way except that the game itself is set up to disallow the normal unlocking methods while you aren't online. I don't know though, since I've never tried opening a booster while disconnected.

Xander9009 wrote:It's synced with the servers. If you play offline, you can still make decks, and when you reconnect, it tells you your local decks are different from the server's copy and asks which you'd like to keep. More than likely, which cards you've unlocked is handled the same way except that the game itself is set up to disallow the normal unlocking methods while you aren't online. I don't know though, since I've never tried opening a booster while disconnected.

You can't open a booster when you are offline... I suspect that it is somewhere stored on their servers what cards you have unlocked.

spirolone wrote:Actually, I didn't find the public key either. Sadly they improve protections against debugging, and it's very difficult to be successful on our task...

What debugger did you use?

merdok wrote:Unfortunately i didn't manage to run Magic Origins with a debugger yet so i can't check if it is in the same place...

Please tell us as soon as you manage to do that.

merdok wrote:

Xander9009 wrote:You can't open a booster when you are offline... I suspect that it is somewhere stored on their servers what cards you have unlocked.

Unlocked cards are stored in profile, but I don't know if, when you connect to Steam, there is some check. I successful unlocked 5 cards (as test) of any offline, but, obviously, then I didn't connect to Steam with that profile.
As well, I think that it's possible to unlock all the cards and play online using SmartSteamEmu and Evolve with other players using same method...
Now I'm working on a patch to unlock "only" 100% of the cards, that is I want to unlock only 1 card if mythic, 2 if rare, 3 if uncommon, and then I'll upload it...

thefiremind wrote:What debugger did you use?

I tried with OllyDbg v1 and v2 too. My best results were with OllyDbg 2 and ScyllaHide plugin, but they weren't good enough to find the key. I think I have to try TitanHide or with a PC without Steam installed...

spirolone wrote:My best results were with OllyDbg 2 and ScyllaHide plugin, but they weren't good enough to find the key.

For some reason I couldn't hide OllyDbg 2 properly through ScyllaHide. Anyway, it's not like I could understand much by running the code through that, so I gave up quickly. Cheat Engine was very easy to use (at least for basic operations), but as I suspected, it might not be enough since the key could stay in memory for a very brief time and we don't know exactly when.

I also tried with IDA, but it's even more menacing than OllyDbg... I think it would be more powerful, if I knew how to use it, but I don't.

The paper here talks about a task similar to ours, but I don't think we can follow that road: dumping basically means making a snapshot of the current memory contents (correct me if I'm wrong), but it's likely that the key won't be in memory when we dump it. Anyway, the IDA plugin they use can be found here, and I tried to use their "pd" (Process Dumper) tool, but it doesn't work, maybe it doesn't like the executable or maybe it doesn't like the OS (it's an old tool and I'm on Windows 10 at the moment).

thefiremind wrote:I also tried with IDA, but it's even more menacing than OllyDbg... I think it would be more powerful, if I knew how to use it, but I don't.

The paper here talks about a task similar to ours, but I don't think we can follow that road: dumping basically means making a snapshot of the current memory contents (correct me if I'm wrong), but it's likely that the key won't be in memory when we dump it. Anyway, the IDA plugin they use can be found here, and I tried to use their "pd" (Process Dumper) tool, but it doesn't work, maybe it doesn't like the executable or maybe it doesn't like the OS (it's an old tool and I'm on Windows 10 at the moment).

The public key is loaded into memory right after the game has been started and it is just there for a very short time to decrypt the ZED files, after that it is removed. So in order to find the key we have to look for it BEFORE the files are loaded. That case was in Magic 2015 and i exactly know where the key is stored there. I suspect that it is again completely the same engine as the old Magic games so it will be handled similar.
I will try out OllyDbg 2 with the ScyllaHide plugin and see if that will work for me.

CheatEngine is in this case useless since when you hook into the Magic process then the public key is already long time removed from memory.

merdok wrote:The public key is loaded into memory right after the game has been started and it is just there for a very short time to decrypt the ZED files, after that it is removed. So in order to find the key we have to look for it BEFORE the files are loaded.

One of the (very) few things I learned how to do is to put a breakpoint when the executable reads the string "Data_0*" from itself. After that, I guess it searches for all the matching files inside the installation folder. Would it still be too late, or maybe too soon?

(By the way, I can't figure out what's the point in using 3 digits in the ZED file names if the hundreds must be 0...)

With Magic 2015 I started working with CheatEngine that likely should be enough to find key IF we could use its debugger. Key is often used by game exe cause anytime it accesses a zed file it needs it; problem is that likely only modulus is always stored somewhere in memory, that is, I think, in almost any dump we have it but not in a recognizable form...
With ScyllaHide, I set "Themida" profile adding time-based protection, but game "guard" some memory pages and crash often when I use breakpoints...

thefiremind wrote:One of the (very) few things I learned how to do is to put a breakpoint when the executable reads the string "Data_0*" from itself. After that, I guess it searches for all the matching files inside the installation folder. Would it still be too late, or maybe too soon?

(By the way, I can't figure out what's the point in using 3 digits in the ZED file names if the hundreds must be 0...)

I think that then game convert "Data_0*" in unicode standard (D a t a _ 0 * , where blanks are 00) and after it uses a system call to read installation folder; then it stores "DATA_000.ZED" name and it reads last 8 bytes of it; finally it reads central dir and NOW it needs to know modulus of key.
But are you able to use breakpoints without crashes?? What do you use? Still OllyDbg v1 with HideOD plugin?