Home › Forum › MultiPlayer Game Hacks & Cheats › Other MMORPG Hacks › Trove Hacks & Cheats › True Trove
True Trove
True Trove
Honestly, I’ve spent so much on commercial software development, but I’m just exhausted. I have neither the energy nor the money left for this project. To be real, Trove is dead. Especially after what they started doing in public on the 9th. It’s a joke considering their game structure and what they’re actually doing—literally ADDING dev software right into the game root, and they couldn't care less. I just hope my data and the time I put in—working like 40 hours a day—didn't go to waste, and that someone will find my ideas and discoveries useful. I would code something myself, but again, I have zero money and zero desire to bang my head against a wall. I hope Trove dies for good, and the players finally escape this hell of pixelated, brain-dead engineering and developer laziness."
# [Release/Analysis] Trove x64 — Deep Forensic Architecture Research & Voxel Matrix R&D (June Patch)
After investing 100+ hours into reverse-engineering this voxel Frankenstein, dumping gigabytes of runtime heap metadata, and debugging complex initialization cascades, we are releasing our complete, unfiltered R&D documentation to the public.
The developers have demonstrated monumental laziness by leaving developer tools, raw debug strings, and mixed privilege boundary tables directly inside the retail client distribution. Below is the ultimate technical specification map for anyone who wants to build robust external/internal tools for this engine without wasting months staring at blind memory zones.
---
### 1. CORE ENGINE TOPOGRAPHY & MASTER VERTECES
During the latest June patch cycles, static pointers consistently shift, but the core structural конвейер remains identical. There are two entirely different base roots that the community frequently mistakes for one another:
* **The Network Entity Manager Root (The Source of False Positions):**
`GLOBAL_ENTITY_MGR_RVA = 0x01396BE8` (Varies slightly post-server restarts). It processes transient network entities (mobs, players, local visual presentation layers). Navigating this via traditional 6-level pointer cascades `{ 0x8, 0x18, 0xB0, 0xB8, 0x30, 0x38 }` will frequently return unpopulated `0 0 0 0` matrices due to lazy runtime instantiation.
* **The Master Root Array (Authoritative Structural Stream):**
`MASTER_ROOT_ARRAY_RVA = 0x013A2450` ( Authoritative RVA relative to `Trove_x64.exe`). This is a flat linear array holding exactly 128 global stride object slots with a fixed stride step of `0x1C10` bytes.
**Pointer Decryption Mask:** Every raw pointer in this array utilizes a low-bit state flag lock. Before querying fields, you must decrypt the address context via:
`uintptr_t cleanAddress = rawEncryptedPtr & 0xFFFFFFFFFFFFFFFEULL;`
---
### 2. COMPACT FIELD MATRIX & GEOMETRY (FLOAT ARCHITECTURE)
Deep forensic analysis of massive execution footprints confirms that **ALL authoritative spatial orientation coordinates in this engine utilize 4-byte Single-Precision FLOAT structures**, not 8-byte doubles.
Inside any resolved valid object memory block, apply the following strict offset map:
* `+0x08` : `DWORD` ClassHash / Type Identifier
* `+0x18` : `DWORD` ResourceID (Operational index)
* `+0x128` : `float` Client Presentation Node X (Visual positional display)
* `+0x12C` : `float` Client Presentation Node Y
* `+0x130` : `float` Client Presentation Node Z
* `+0x3C8` : `QWORD` ActorID (Machine Network Session Hash. Crucial: For world voxel objects/ore nodes, this field is always forced to `0` by the incoming stream demuxer).
* `+0xF30` : `float` Server Authoritative Position X (Physics calculation node)
* `+0xF34` : `float` Server Authoritative Position Y
* `+0xF38` : `float` Server Authoritative Position Z
---
### 3. PERSISTENT IDENTIFIERS & FILTERS
* **Local Player (Boomeranger Archetype ClassHash):** `3554093936` (`0xD3D0D9D0`)
* **Baseline World Voxel Voxel/Terrain Descriptor (Exclusion Mask):** `3545432736` (`0xD34E3AA0`)
* **Quest-Specific / Biome Resource Nodes (e.g., Geode / Blazine):** Do not possess a single static ID. The engine initializes strings sequentially (`ore_blazine_00`, `ore_blazine_01`, `ore_blazine_02`) through the resource registration pipeline.
---
### 4. DISASSEMBLY ANALYSIS: THE RESOURCE GENERATION PIPELINE
The strings for resource initialization (`.rdata`) are processed sequentially inside the monolithic routine **`sub_14044AEB0`** before hitting the stack allocation frame cleanup (`add rsp, 3278h`).
The engine passes descriptors to a universal registration subroutine:
```assembly
mov edx, 0Ah ; Hardcoded Group Resource Type (e.g., Minerals Class)
mov rcx, rbx ; Base World Context Manager
mov r8, [rax] ; Generated asset pointer
call sub_14044A530 ; Authoritative ClassHash Assignment
```
By intercepting or tracking execution at `sub_14044A530`, you can dynamically harvest every runtime `ClassHash` pair (`ore_blazine` ↔ `DWORD Hash`) instantly upon world initialization on any user account, entirely bypassing memory array scanning limitations.
---
### 5. THE LEAKED DEVELOMENT PRIVILEGE GATEWAYS
The most critical architectural vulnerabilities are the leftover developer routines that remain fully compiled inside the production retail client binary:
1. **The Consolidated Command Dispatcher (`sub_140050AC0`):**
The developers mixed ordinary player interactions with critical GM macros into a single, massive monolithic switch-table to save development time. In `.rdata`, string literals like `"Inventory_RemoveItem"`, `"Dev_RunMacro1"`, `"Dev_RunMacro5"`, and `"Dev_ReloadShaders"` route through this exact same execution gateway.
2. **The Parameter Preprocessor Overload:**
At the base of the standard initialization layout parsing `Trove.cfg`, the client actively evaluates preprocessor include commands:
`.includeoptional Trove_dev.cfg`
`.includeoptional Trove_local.cfg`
The text condition parsing system inside **`sub_140840400`** sequentially evaluates raw character arrays like `"Patron"` and `"Requirement"` using standard register assignments (`R8`/`R9`).
3. **The Exposed Launcer Auth Pipeline (`GlyphClient.cfg`):**
The Glyph client persistently stores active sessions in plaintext directly inside the configuration layout. It exposes `SytemProfileHash = [BASE64_TOKEN_HERE]` (compiled with a native typo `Sytem`). This raw machine-token context is accepted raw by the server gateways without secondary cryptographic validation loops.
---
### 6. DETAILED NETWORK STREAM DEMUXER CASCADE (`sub_140EB6B40`)
When processing incoming bytes under the OpenSSL network stream layers (`ssl\\t1_lib.c`), the packet handler evaluates chunks using hardcoded byte-shifting logic to assemble 16-bit length descriptors:
```assembly
movzx eax, byte ptr [rdx] ; Extract raw network stream byte 0
movzx ebx, byte ptr [rdx+1] ; Extract raw network stream byte 1
shl eax, 8 ; Endian alignment translation
or ebx, eax ; Final assembled packet token validation
```
All distinct packet processing branches (including token headers like `32h` / decimal `50`) ultimately merge back into a single massive Switch-Table Fan-In воронка bottleneck at block **`loc_140EB76B7`** before hitting the function epilogue. Hooking this terminal convergence layer provides access to a fully decrypted, stable data pipeline of all ambient game world changes.
Feel free to use these offsets, structures, and behavior patterns to build your own passive diagnostics tools. The matrix is completely open.
*Shoutout to everyone pushing boundaries in low-level game research!*
# [Release/Analysis] Trove x64 — Deep Forensic Architecture Research & Voxel Matrix R&D (June Patch)
After investing 100+ hours into reverse-engineering this voxel Frankenstein, dumping gigabytes of runtime heap metadata, and debugging complex initialization cascades, we are releasing our complete, unfiltered R&D documentation to the public.
The developers have demonstrated monumental laziness by leaving developer tools, raw debug strings, and mixed privilege boundary tables directly inside the retail client distribution. Below is the ultimate technical specification map for anyone who wants to build robust external/internal tools for this engine without wasting months staring at blind memory zones.
---
### 1. CORE ENGINE TOPOGRAPHY & MASTER VERTECES
During the latest June patch cycles, static pointers consistently shift, but the core structural конвейер remains identical. There are two entirely different base roots that the community frequently mistakes for one another:
* **The Network Entity Manager Root (The Source of False Positions):**
`GLOBAL_ENTITY_MGR_RVA = 0x01396BE8` (Varies slightly post-server restarts). It processes transient network entities (mobs, players, local visual presentation layers). Navigating this via traditional 6-level pointer cascades `{ 0x8, 0x18, 0xB0, 0xB8, 0x30, 0x38 }` will frequently return unpopulated `0 0 0 0` matrices due to lazy runtime instantiation.
* **The Master Root Array (Authoritative Structural Stream):**
`MASTER_ROOT_ARRAY_RVA = 0x013A2450` ( Authoritative RVA relative to `Trove_x64.exe`). This is a flat linear array holding exactly 128 global stride object slots with a fixed stride step of `0x1C10` bytes.
**Pointer Decryption Mask:** Every raw pointer in this array utilizes a low-bit state flag lock. Before querying fields, you must decrypt the address context via:
`uintptr_t cleanAddress = rawEncryptedPtr & 0xFFFFFFFFFFFFFFFEULL;`
---
### 2. COMPACT FIELD MATRIX & GEOMETRY (FLOAT ARCHITECTURE)
Deep forensic analysis of massive execution footprints confirms that **ALL authoritative spatial orientation coordinates in this engine utilize 4-byte Single-Precision FLOAT structures**, not 8-byte doubles.
Inside any resolved valid object memory block, apply the following strict offset map:
* `+0x08` : `DWORD` ClassHash / Type Identifier
* `+0x18` : `DWORD` ResourceID (Operational index)
* `+0x128` : `float` Client Presentation Node X (Visual positional display)
* `+0x12C` : `float` Client Presentation Node Y
* `+0x130` : `float` Client Presentation Node Z
* `+0x3C8` : `QWORD` ActorID (Machine Network Session Hash. Crucial: For world voxel objects/ore nodes, this field is always forced to `0` by the incoming stream demuxer).
* `+0xF30` : `float` Server Authoritative Position X (Physics calculation node)
* `+0xF34` : `float` Server Authoritative Position Y
* `+0xF38` : `float` Server Authoritative Position Z
---
### 3. PERSISTENT IDENTIFIERS & FILTERS
* **Local Player (Boomeranger Archetype ClassHash):** `3554093936` (`0xD3D0D9D0`)
* **Baseline World Voxel Voxel/Terrain Descriptor (Exclusion Mask):** `3545432736` (`0xD34E3AA0`)
* **Quest-Specific / Biome Resource Nodes (e.g., Geode / Blazine):** Do not possess a single static ID. The engine initializes strings sequentially (`ore_blazine_00`, `ore_blazine_01`, `ore_blazine_02`) through the resource registration pipeline.
---
### 4. DISASSEMBLY ANALYSIS: THE RESOURCE GENERATION PIPELINE
The strings for resource initialization (`.rdata`) are processed sequentially inside the monolithic routine **`sub_14044AEB0`** before hitting the stack allocation frame cleanup (`add rsp, 3278h`).
The engine passes descriptors to a universal registration subroutine:
```assembly
mov edx, 0Ah ; Hardcoded Group Resource Type (e.g., Minerals Class)
mov rcx, rbx ; Base World Context Manager
mov r8, [rax] ; Generated asset pointer
call sub_14044A530 ; Authoritative ClassHash Assignment
```
By intercepting or tracking execution at `sub_14044A530`, you can dynamically harvest every runtime `ClassHash` pair (`ore_blazine` ↔ `DWORD Hash`) instantly upon world initialization on any user account, entirely bypassing memory array scanning limitations.
---
### 5. THE LEAKED DEVELOMENT PRIVILEGE GATEWAYS
The most critical architectural vulnerabilities are the leftover developer routines that remain fully compiled inside the production retail client binary:
1. **The Consolidated Command Dispatcher (`sub_140050AC0`):**
The developers mixed ordinary player interactions with critical GM macros into a single, massive monolithic switch-table to save development time. In `.rdata`, string literals like `"Inventory_RemoveItem"`, `"Dev_RunMacro1"`, `"Dev_RunMacro5"`, and `"Dev_ReloadShaders"` route through this exact same execution gateway.
2. **The Parameter Preprocessor Overload:**
At the base of the standard initialization layout parsing `Trove.cfg`, the client actively evaluates preprocessor include commands:
`.includeoptional Trove_dev.cfg`
`.includeoptional Trove_local.cfg`
The text condition parsing system inside **`sub_140840400`** sequentially evaluates raw character arrays like `"Patron"` and `"Requirement"` using standard register assignments (`R8`/`R9`).
3. **The Exposed Launcer Auth Pipeline (`GlyphClient.cfg`):**
The Glyph client persistently stores active sessions in plaintext directly inside the configuration layout. It exposes `SytemProfileHash = [BASE64_TOKEN_HERE]` (compiled with a native typo `Sytem`). This raw machine-token context is accepted raw by the server gateways without secondary cryptographic validation loops.
---
### 6. DETAILED NETWORK STREAM DEMUXER CASCADE (`sub_140EB6B40`)
When processing incoming bytes under the OpenSSL network stream layers (`ssl\\t1_lib.c`), the packet handler evaluates chunks using hardcoded byte-shifting logic to assemble 16-bit length descriptors:
```assembly
movzx eax, byte ptr [rdx] ; Extract raw network stream byte 0
movzx ebx, byte ptr [rdx+1] ; Extract raw network stream byte 1
shl eax, 8 ; Endian alignment translation
or ebx, eax ; Final assembled packet token validation
```
All distinct packet processing branches (including token headers like `32h` / decimal `50`) ultimately merge back into a single massive Switch-Table Fan-In воронка bottleneck at block **`loc_140EB76B7`** before hitting the function epilogue. Hooking this terminal convergence layer provides access to a fully decrypted, stable data pipeline of all ambient game world changes.
Feel free to use these offsets, structures, and behavior patterns to build your own passive diagnostics tools. The matrix is completely open.
*Shoutout to everyone pushing boundaries in low-level game research!*
Stop try to scam ppls DOG. Its just 10 min shit from claude sonnet
u just fucking animal
u just fucking animal
bobo
What kind of scan is this? How exactly is it done? Why didn't you write this data first? Why are you talking about Claude when he has security protection against hacks and a packet level? Come on, I'm waiting for your takes, trash.
Similar Threads
- 10Last post
- 0Last post
- 7Last post
- 0Last post
- 15Last post