Titan Quest Invincibility Cheat
In the last level of Titan Quest, every player will have to face the titan Typhon, Bane of the Gods. A task that is very far from easy…
After fighting against it one time, it was clear that it was going to be an hard bone to shew. At that time I was tired of the game, and since I haven’t reverse engineered a game in quite some time, I decided to have a look at what I could do to win this last battle without having to level up my character through farming.
Poking around with IDA revealed that the game is completely written in C++ and imports functions from two libraries, engine.dll and game.dll. The first exposes a game engine, and the second the specific Titan Quest game logic.
After finding the main game loop, I stumbled upon the ?GetMainPlayer@GameEngine@GAME@@QBEPAVPlayer@2@XZ function which is exported by game.dll. Decoding the C++ name mangling reveals the following code.
1namespace GAME {
2 class GameEngine {
3 Player GetMainPlayer();
4 }
5}
This made things easier since now I had a way of getting the memory address where the Player instance of my character is stored. The next step was to put my character in a combat situation and add a 4 bytes hardware read/write breakpoint in that address.
After stepping through the code at each memory read in that address, I was able to find the function that handled combat and that dealt damage to the characters involved (?Update@ControllerCombat@GAME@@UAEXH@Z).
Following the flow of execution (i.e., single stepping through the code), I found another interesting function called ?IsInvincible@Character@GAME@@QBE_NX. Decoding the C++ name mangling reveals the following code.
1namespace GAME {
2 class Character {
3 bool IsInvincible();
4 }
5}
At this point, I now had the offset at which the invincibility flag is stored in instances of the Player class. Using API Monitor memory editor, I changed the value from zero, to one. From this point onwards, my character became invulnerable to attack.
Searching in the exports of game.dll for the word "invincible", revealed the function that sets the invincibility flag (I have been reversing malware for so long that I forgot that in non-malicious software you can actually trust the exports ;)
To make things easier, I have created a library, that when injected into Titan Quest process, will set the invincibility flag. There is a caveat though, the user must be in-game world, otherwise it won’t work as there is no player character to set the invincible flag to true. Follows a demonstration of the results.
The library can be injected multiple times, as it will return the unsuccessful load status, leading Windows to unload it from the process memory (this will only happen if the library is injected using the CreateRemoteThread on LoadLibrary method).
Cheers x)