smtddr's notes

[Things I find interesting]

Decrypting stats (the setpd record string).

In my last post, I mentioned Riivolution allowing memory-patching of games in real-time. There was another extremely conspicuous string in memory that had to be important. I had no idea what it was for, so I figured I’d change it, then play the game and see what breaks!

What ended up breaking was the game’s ability to decrypt my stats.

\setpd\\pid\249190728\ptype\3\dindex\kv\1\lid\length\217\data\\record\
KdEh8LCzyfXX3avwYGI7Hsm_q4P+45FRFONgDJp3phZ2X4czTlsu4cc07Q95Cv3zXHz63
XJHuay10auZK0UXcPlvY+_81gIe4sSG_04aZm4rMeVRdbbo31UszxtcBrV9AJxsd+diGv
cjLy5qM71TpSaIyxLxJghrXp2+dLkucWWH3IaK0ZJFu3n_Ouve5UmyiD88PU6LNMagkD
Aq\final\

Earlier I said that the above command, with that record string, sets me to 200 BP, and that the record string can be replaced by any other valid record string from any other player. This implies the record string contains only universal values, nothing tied to a particular user: I can use any valid record string to change my stats, but not my identity.

There was a time I’d tamper with this string, and all my stats would become zero. No matter how subtle the change, that was always the result. This told me that the stats are definitely encrypted in some way such that any change makes decryption fail, and the game apparently defaults to all zeroes.

Since I observed the same behavior for every attempt to read any record string after changing the conspicuous unknown string, I believe it is safe to conclude that this unknown string is used to decrypt record strings, and probably to encrypt them as well.

So, the answer is now practically in front of me:

3MRWZ0gyumuH4kUwtnVck2idXKbvVwTjWXCek+CYtlgQy8zk+wCGKch5zlZjRddLlAEy
VwJ5C6qPcSqOITNsSGx2M35OA3CAktNrshI2DTBMlDE_ElZGH8JVmbUH7gfOJp9hhC+7
BEC6z1TghszCo+1FM42HUekj4EKceXCFPtowQXBMfuT5AZ7r90pHfI6Ap1+fky6WBg12n
zbf

The above record string gives me 8032 BattlePoints, 3214 matches, 2091 wins, 831 losses and zero draws. (Yes, I’m aware that losses + wins =/= total matches, for some reason.)

And the conspicuous mystery string I’ve been talking about is...

raGs+_oQweAPILx1RyCTWFhUMp0XqgZ9S54kdlNY2H3n6VtEbBfD7iJzOucKv8jm

I’m now 100% sure there is some kind of decryption/encryption process between these 2 strings.

And I’m 99% sure that applying some kind of decryption algorithm, using the mystery string as the key and the record string as the encrypted message, will yield a decrypted binary string containing the values 8032, 3214, 2091 and 831 (and zero, but I can’t distinguish the zero from unused memory) in little and/or big endian, similar to the data used to populate the game’s leaderboards.
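As an added example (not the author's code), here is the check just described in Python: turn the record string into bytes and scan them for 8032, 3214, 2091 and 831 as 16- or 32-bit integers in either byte order. The byte-conversion step assumes the mystery string is a 64-symbol base64 table (it does have exactly 64 distinct characters, which is worth verifying, but the post does not establish that this is the whole transformation); `decode_custom_b64` and `find_values` are names chosen here.

```python
import struct

# Strings copied from the post: the second record string and the mystery string.
MYSTERY = "raGs+_oQweAPILx1RyCTWFhUMp0XqgZ9S54kdlNY2H3n6VtEbBfD7iJzOucKv8jm"
RECORD = (
    "3MRWZ0gyumuH4kUwtnVck2idXKbvVwTjWXCek+CYtlgQy8zk+wCGKch5zlZjRddLlAEy"
    "VwJ5C6qPcSqOITNsSGx2M35OA3CAktNrshI2DTBMlDE_ElZGH8JVmbUH7gfOJp9hhC+7"
    "BEC6z1TghszCo+1FM42HUekj4EKceXCFPtowQXBMfuT5AZ7r90pHfI6Ap1+fky6WBg12n"
    "zbf"
)
# Values the post says this record encodes (zero draws left out: a zero
# cannot be told apart from unused memory).
EXPECTED = {"bp": 8032, "matches": 3214, "wins": 2091, "losses": 831}

def decode_custom_b64(text, alphabet):
    """Base64-decode text with `alphabet` standing in for the standard table.
    HYPOTHESIS (not confirmed by the post): MYSTERY is such a table."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must have 64 distinct symbols")
    index = {ch: i for i, ch in enumerate(alphabet)}
    bits, nbits, out = 0, 0, bytearray()
    for ch in text:
        if ch not in index:
            raise ValueError(f"{ch!r} is not in the alphabet")
        bits = (bits << 6) | index[ch]     # shift in 6 bits per symbol
        nbits += 6
        if nbits >= 8:                      # emit a byte once 8 bits are ready
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)

def find_values(buf, expected):
    """Map each expected name to [(offset, width, byte order)] for every place
    its value appears as a 16- or 32-bit integer, little or big endian."""
    hits = {}
    for name, value in expected.items():
        hits[name] = []
        for width, code in ((2, "H"), (4, "I")):
            for order, prefix in (("little", "<"), ("big", ">")):
                needle = struct.pack(prefix + code, value)
                pos = buf.find(needle)
                while pos != -1:            # record every occurrence, not just the first
                    hits[name].append((pos, width, order))
                    pos = buf.find(needle, pos + 1)
    return hits

if __name__ == "__main__":
    print(find_values(decode_custom_b64(RECORD, MYSTERY), EXPECTED))
```

The 208-symbol record decodes to 156 bytes; if every list printed is empty, the base64 table alone does not explain the record and at least one more layer sits between the two strings.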