CI4 latest build is a joke lol.. just checked the exe with IDA 9.3 and there is ZERO protection. No packer, no nothing. It's literally naked code.
Found the engine init at sub_724C10 (searched for the createUVE string). Also found the main loop entry through the "entering game loop" log. The physics is handled in sub_5D6EB0 and it's using timeGetTime for the delta. I think sub_5CE230 is the actual update function 'cause it's full of double-precision math and distance checks.
Since there is no integrity check on the exe u can basically hook whatever u want. Won't be posting any vids or screens tho cuz I don't want a copyright strike from the devs, so I'll just share the offsets here.
Gonna dig more into sub_5CE230 later to map out the collision logic. Let me know if u guys found any other useful subs.
Go tinkering, great for your knowledge.
btw I'm just posting this as a heads-up for the devs. It's crazy how the exe is totally naked with no obfuscation or anything. Anyone can just jump in and mess with the core logic or make some malicious trainers easily.
u guys really should consider adding some basic protection or maybe integrity checks in the next update to secure the UVE engine. Just sharing this to help u guys out and improve the game security, not trying to encourage piracy or anything like that.
Hope this helps.
Obfuscation in a compiled code?
The game server does quite a number of checks to make sure that whatever illegal stuff you do is not going through. Give it a go in CIU, and if you find something that does actually make the game easier for you, you may report it and get a medal for that. Although I doubt that’s easy to do, as most of that stuff was already patched.
I mean part CI4
Part 4 (if we are talking about the new, CIU engine one) at the moment does not utilise any sort of multiplayer or competitive stuff worth protecting, so if you break the game for you you’d be the only one benefitting from it. The original episode is indeed vulnerable, in a way, but if it wasn’t, people wouldn’t be able to “hack” multiplayer limit in it by hooking into a random DLL:
Something good, something bad, either way requires enough knowledge to pull this off.
(besides, barely anyone plays the original episodes competitively anyway at this point, although I agree that the leaderboards entries should validate the record somehow).
I will try
Fair enough, but the point stands.. the UVE engine itself is wide open. Even if it's not competitive or doesn't have a leaderboard, leaving the core physics and game logic like this is just bad practice lol.
And u mentioning the random DLL injection just proves my point about how easy it is to hijack the game loop. Anyway, I was just analyzing the tech side of things and how the engine works.
I found some functions like a\b\t\n\v and the function jjjjjjjjjjj. This is a simple encryption called xor. Some users, if they try it simply, will be able to decrypt it.
So it is indeed the original CI4, not the CIU one. XOR encryption was used for WAD files, we had to bypass it in order to mod the game assets a long time ago.
So I wrote this quick script to deal with that XOR thing. It's pretty basic but it should do the job for anyone using IDAPython. You just give it the start address, how many bytes you want to patch, and the XOR key you found in the sub.
Basically it loops through the bytes, XORs them, and patches the database directly so the strings actually become readable in IDA.
Not sure if it's 100% perfect for every string but it worked for the ones I tested. Let me know if u guys find a better way or a different key for other parts.
Code: maybe this works for decrypting those strings. It's a simple IDAPython script using XOR.
```python
import idc

def decrypt_data(start, size, key):
    """XOR `size` bytes starting at `start` with the single-byte `key`
    and write the result back into the IDA database."""
    print("starting...")
    for i in range(size):
        current_byte = idc.get_wide_byte(start + i)  # read one byte at this address
        new_byte = current_byte ^ key                # single-byte XOR
        idc.patch_byte(start + i, new_byte)          # patch the IDB in place
    print("done")

# start address, number of bytes to patch, and the XOR key found in the sub
decrypt_data(0x00400000, 100, 0x55)
```
Just find the key in the sub function and call it with the start address of the obfuscated strings. Let me know if it helps with the engine analysis.
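A stand-alone version of that XOR loop, added here as an example (it is not part of the thread or of the game's code) that runs outside IDA on a constructed byte string, and that also shows why a one-byte XOR is obfuscation rather than protection: because XOR with a single byte is its own inverse, one known plaintext byte (the NUL terminator of a C string) gives the key straight back. The sample blob, the key 0x55 and the helper names are assumptions made for the demo.

```python
# Added example, not from the thread: single-byte XOR outside IDA, plus
# key recovery from one known plaintext byte. All data here is constructed.

def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key; the same call encrypts and decrypts."""
    if not 0 <= key <= 0xFF:
        raise ValueError("key must be a single byte")
    return bytes(b ^ key for b in data)

def recover_key_from_known_byte(cipher_byte: int, plain_byte: int) -> int:
    """One known plaintext byte pins the key, since c = p ^ k implies k = c ^ p."""
    return cipher_byte ^ plain_byte

def decrypt_c_string(blob: bytes) -> tuple[int, str]:
    """Treat the blob as a NUL-terminated C string XORed with one byte:
    recover the key from the trailing terminator, then decode the rest."""
    if not blob:
        raise ValueError("empty blob")
    key = recover_key_from_known_byte(blob[-1], 0x00)  # last byte was '\0'
    plain = xor_bytes(blob, key)
    return key, plain[:-1].decode("ascii")

# Constructed sample: the string "createUVE\0" obfuscated with the (assumed) key 0x55.
SAMPLE_KEY = 0x55
SAMPLE_BLOB = xor_bytes(b"createUVE\x00", SAMPLE_KEY)

if __name__ == "__main__":
    key, text = decrypt_c_string(SAMPLE_BLOB)
    print(f"recovered key 0x{key:02x}: {text!r}")  # prints: recovered key 0x55: 'createUVE'
```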
