Hacking Broforce with Cheat Engine
Hey all! I have been reversing games recently for practice and have been running into a bunch of Unity games. I was familiar with decompiling .NET code, but now needed the ability to inspect Mono, so I turned to Cheat Engine (which can also be used to solve CTF challenges). I was practicing with various Humble Bundle games and I wanted something a little more challenging than the simple 'scan memory for changing values' exercise. So I went after God Mode, or the ability for damage not to kill me: something that didn't involve such variables but rather changed what happened to my character when they got shot. I started by using the Mono Dissector tool to view the Mono objects, and quickly located the game logic among all the Unity code.
I looked at a bunch of functions (some pretty funny ones in there) and eventually found some invulnerability functions in the Player object. This was a big break, as I started looking for ways to abuse these. Then came the key to the mod: when you saved a prisoner in the game, you were granted this aforementioned invulnerability temporarily, while you gained a life and changed into the saved character. I was able to inspect the JIT-compiled code in memory of the life gain function and modify it such that it exited in the invulnerable state when I rescued another bro and gained a life. I also hardcoded my lives to a stable two, in the get lives function, such that I could rotate bros by dropping and respawning, and that way I didn't run out of lives when I fell off the map. All in all, this capability of deconstructing Mono objects and quickly targeting function assembly is extremely useful and provides a great amount of insight while saving a lot of time hacking. Likewise, the ability to read and modify process memory, in general, is invaluable; it helps to have OS X options available as well. You can see my mods in action in the following video: