AI Signal trigger exploit - Age of Kings Heaven Forums

Topic Subject: AI Signal trigger exploit

JustTesting1234
Squire

posted 03-08-14 11:56 AM CT (US)

just found this while i was adding new triggers into the game

the AI Signal and AI Script Goal triggers read/write from/to some buffers in the game memory, but the game developers forgot to add a basic check to make sure the value is not < 0 or > 255 which allows a buffer overflow

so basically, you can read or write '01 00 00 00' anywhere in the game memory (must be a multiplier of 4). and using invert condition trick you can check if a value is different than '01 00 00 00'

you only need some tool or a modified aokts that allows to specify any amount < 0 or > 255

Condition 'AI Signal' (set with: set-signal) reads from 0x006B45B8
Effect 'AI Script Goal' (check with: event-detected; reset with: acknowledge-event) writes to 0x006B39A0

# examples:

1. if you want to write to address 0x0066B000: (66B000 - 6B39A0) / 4 = FFFEDD98 (-74344 in decimal) so you just need to type: AI Script Goal '-74344'

2. here is an useful example to detect if the map is being played in singleplayer or in multiplayer: http://www.mediafire.com/download/d3qtk1w4dg6jlrk/AI_Signal_Exploit_Example.scx

3. detecting player 1 taunts (1 to 44):
http://www.mediafire.com/download/iu8y1yyg7dcjvld/Detect_Taunts_Example.scx

# known values for condition AI Signal:
- detect AI Script Goal: -774 + ID
- detect single-player game: -1034
- detect taunts: -518 + ((PLAYER - 1) * 64) + (TAUNT - 1) / 4
- detect Starting Resources - Standard: -1036

# known values for effect AI Script Goal:
- set AI Signal: 774 + ID
- set AI Shared Goal: -258 + ID

[This message has been edited by JustTesting1234 (edited 05-26-2014 @ 12:16 PM).]

Author

Replies:

HockeySam18
D�nadan

posted 03-08-14 04:56 PM CT (US) 1 / 12

This sounds rather interesting, but it is a little too confusing for someone like me who isn't the tech savviest person. What exactly is the exploit and what does it allow with regard to modding and scenario design?

~ Forgotten Empires ~

Storm on the Steppe | Galderton Hill RP | Proud member of Stormwind Studios

"Deyr f�, deyja fr�ndr, deyr sj�lfr it sama; ek veit einn at aldri deyr, d�mr um dau�an hvern." - H�vam�l 77.

JustTesting1234
Squire

posted 03-09-14 11:14 AM CT (US) 2 / 12

you can read and write in game memory like with cheat engine but using the AI signal triggers. for example i managed to pause the game with one value

JustTesting1234
Squire

posted 03-15-14 12:16 PM CT (US) 3 / 12

updated with an example map that uses the AI Signal condition exploit

[This message has been edited by JustTesting1234 (edited 03-15-2014 @ 12:18 PM).]

Basse
Squire

posted 03-15-14 06:22 PM CT (US) 4 / 12

That is actually pretty darn cool!

HockeySam18
D�nadan

posted 03-15-14 08:30 PM CT (US) 5 / 12

Indeed- quite amazing!

jizzbomb
Squire

posted 03-17-14 00:58 AM CT (US) 6 / 12

Nice! I wonder what else is possible.

jizzbomb
Squire

posted 05-07-14 10:27 PM CT (US) 7 / 12

Just wondering if it's possible to automatically save the game with this method?

JustTesting1234
Squire

posted 05-09-14 11:40 AM CT (US) 8 / 12

very unlikely

JustTesting1234
Squire

posted 05-24-14 09:37 AM CT (US) 9 / 12

added example for detecting taunts. sadly taunts are stored in 1 byte and this reads 4 bytes, so its only possible to detect groups of 4 taunts. eg you can detect if sent any taunt betwen 1 - 4, but not exactly 1, 2, 3 or 4. also once the taunt is typed, it wont get reset (condition will always be met)

you can detect up to 256 taunts per player that are in 64 groups of 4:
GROUP 1: taunts 1 to 4
GROUP 2: taunts 5 to 8
GROUP 3: taunts 9 to 12
...
GROUP 64: taunts 253 to 256

taunts GROUP can be calculated with the formula:
GROUP = (TAUNT - 1) / 4 + 1

the base to detect taunts is -518:
VALUE = -518

so the complete formula is:
AI Signal = VALUE + ([PLAYER - 1] * 64) + GROUP - 1

eg, to detect if player 4 type some taunt betwen 13 and 16 (GROUP 4):
AI Signal = -518 + ((4 - 1) * 64) + 4 - 1 = -323

[This message has been edited by JustTesting1234 (edited 05-24-2014 @ 09:54 AM).]

AOHH
Squire

posted 06-11-14 11:17 PM CT (US) 10 / 12

This AI signal exploit is EXTREMELY IMPORTANT!!!

We need to find more of these values.
There must be plenty of useful ones waiting to be uncovered.
I have seen many memory addresses which are known.

GENIE-STUDIO (manipulate Genie-Engine files with JSON)

[This message has been edited by AOHH (edited 06-11-2014 @ 11:27 PM).]

rewaider
Squire

posted 06-12-14 11:35 AM CT (US) 11 / 12

That's awesome! I never thought it was possible to detect taunts in multiplayer maps, and now it is.

The Fall of Hummaria -- Teaser [4.2] -- Project's Thread
Cavern Pirates -- The Treasure Hunt [4.6] -- Captain's Revenge
My Blacksmith

AOHH
Squire

posted 06-14-14 06:41 AM CT (US) 12 / 12

It basically allows you to use triggers to almost hack the game engine in realtime; thats why its so important.

GENIE-STUDIO (manipulate Genie-Engine files with JSON)

Age of Kings Heaven » Forums » Scenario Design and Discussion » AI Signal trigger exploit

Top