codeshaunted / monke

Command line packing/unpacking tool for Bloons TD 6 save files
Apache License 2.0

BATTD? + how were these passwords found? #12

Closed Roshi617 closed 1 year ago

Roshi617 commented 1 year ago

Hello,

Bloons Adventure Time TD uses the same engine (Unity) as BTD6 and also the same encryption method for the Profile.save. I've tried simply guessing passwords for this game, but not a single number between 12 and 50 works (it shouldn't be anywhere near 50, it should be <20, but it isn't). Also 8 and 11 don't work, obviously.

I've also noticed that the encrypted BATTD Profile.save is 9KB, while (in my case) BTD6's is 26KB. Much smaller for some reason.

So then that made me wonder: what steps did you take to find Kingdom Rush's and BTD6's passwords?

codeshaunted commented 1 year ago

Assuming it is the same format, using Mono memory inspection it should be relatively simple to find it. I'll look into this when I get home today.

codeshaunted commented 1 year ago

Looked into this a bit, couldn’t pull an appID from memory that would unlock the files. I also attempted to brute force it, but it was taking far too long. I’ll do a bit more digging soon.

Roshi617 commented 1 year ago

That sounds very weird. Keep me updated.

codeshaunted commented 1 year ago

Looking at it some more, it seems like this game uses a different "password index" than the others. It uses index 3 rather than 2, which is odd because in all other NinjaKiwi Unity games that I have looked at, the password generator only generates passwords up to index 2. I would just decompile the IL code to check how it generates this password, but this game uses il2cpp. Do you know of any other NinjaKiwi games written in Unity that I could look at (besides Tower Keepers) for possible reference?

Roshi617 commented 1 year ago

Unfortunately, the only games I can think of are BTD6, BATTD and Tower Keepers. Bloons TD Battles 2, as far as I understand, was written partially in Unity but it isn't moddable (for example, you cannot install MelonLoader or BepInEx on it).

I had a feeling something was up with this game...

codeshaunted commented 1 year ago

Alright, I'm not very familiar with Unity modding, but I'm going to try to use MelonLoader and extract the password by directly calling the password generate functions.

Roshi617 commented 1 year ago

Any update on that?

I might be able to figure something out. I have a little bit of experience modding BATTD with MelonLoader; I just need to know where the password generate functions are located (couldn't find them myself).

Roshi617 commented 1 year ago

Any luck?

codeshaunted commented 1 year ago

Not yet, haven’t had much time to look into it.

Roshi617 commented 1 year ago

Still interested in this. No rush obviously but it's been a while.

codeshaunted commented 1 year ago

I’m really bogged down with exams and other obligations right now. I can’t promise that I’ll get to it any time soon. If you want to attempt to look into it yourself, I’d recommend using MelonLoader or CheatEngine’s MonoDissect to try and pull out the password from memory. I recall there are some classes labeled “PasswordGenerator” or similar. If you want reference of a similar password system I’d recommend using a tool like dnSpy to look at the code for Tower Keepers (as it doesn’t use il2cpp and is just plain Mono). Tower Keepers has nearly identical utility classes to BTD6, I’d assume the same is true for BATTD.

Roshi617 commented 1 year ago

Alright, thank you. I'll try searching for said class.

GrahamKracker commented 1 year ago

[image: https://user-images.githubusercontent.com/86011515/230790244-3b9dddcd-27b8-40ef-bc97-73b21021c3f7.png] password is 16, monke doesn't seem to work with it though

codeshaunted commented 1 year ago

Just a theory, but perhaps BATTD doesn't run a compression routine like all the other games? I could test this later.

Roshi617 commented 1 year ago

Closing. If you ever figure it out, I am watching the repo, so I will likely know.