Basic File/Program Hacking Information

Ever wondered what "hex editing" is? Want to learn how to cheat on PC games? Have you ever wanted to "crack" a program? This guide has some basic info to get you started.

Files
  Information Gathering
  Hex Editing
Programs
  Information Gathering
  Editing RAM
  Editing ASM
Extra Info

- Files -

Information Gathering

So let's say that you have a file, and you don't know what it is... but you want to check it out. The most basic information can be gathered by checking out the file's properties (via the right-click menu). I know this seems really basic, but it shows you some important info, such as the program that will be used to open the file when you double-click on it, and the timestamp of when the file was last edited.

In this example we can plainly see that this is a Word document... but what if the right program to open a file isn't known? Generally googling the extension will lead you to a multitude of programs used to open that file type. If you do have the proper program installed but it's not set as the default, you can change the default from the Open With section of the right-click menu. This is sometimes needed when an installed program changes the association in ways you don't want.

Now, what if there's no extension at all? We can see in this version that Windows doesn't know what the file is. That's because Windows goes by the file's extension (the letters after the final period in the name). The extension is easy to change: simply go into the Windows folder options, uncheck the setting to hide extensions for known types, and rename the file. Because of this the file extension is not concrete, and it does not determine the format of a file. It's only used by Windows to know which program to open the file with, so don't assume it's always correct, because it isn't. So how else can we figure out what type of file it is?
If you don't know what a file contains, or you need internal information without an official editor, you can always use a hex editor. A hex editor can open any file out there and make raw, direct changes to the recorded data, so it's an invaluable tool to have around if you're going to be doing this type of thing. There are lots out there, both paid and free (Hex Workshop, XVI32, Catch22), but I prefer the free HxD for ease of use, so that's what the screenshots will show.

So the first thing we'll do is fire up HxD and open the file in it. On the left is the raw hexadecimal information contained in the file, and on the right is a representation of it in plain text, but we'll get into that later. What we're interested in right now are the first few pieces of hexadecimal data. In general, the first 2-16 bytes (4 is most common) are known as the "magic number" or "file signature". This is a fixed sequence that is used to identify a file format. For our example file it's "D0 CF 11 E0 A1 B1 1A E1", and a google result points out that's the ID for a Microsoft Word (pre-07) document. So if the extension is missing, or you think the [strike]cake[/strike] extension is a lie, check out the first few bytes in a hex editor and do a little googling.

More information...
File Attributes
File Extension
File Association
Hexadecimal
Magic Number (File Signature)
File Signature Table

Hex Editing

Well, we can view the file, but what about editing it? First we need to learn about character encoding. If we scroll down a bit in the example file, we can find some of the text that the file actually contains. You can see the hex version of the data on the left, and the text version on the right. More specifically, this is ASCII (or sometimes you'll see "ANSI"). The "encoding" describes the mapping of hex values to normal letters. In this case you can see that the value 0x48 in hex equals the capital "H", 0x69 is the lowercase "i", 0x20 is the space, and so on.
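The two ideas above (identify a file by its magic number instead of its extension, and read the hex/text columns of a hex editor) are small enough to put into one script. This is an added example, not code from the original page or from HxD: the signature table is a hand-picked set of well-known signatures (the OLE2 one is from the text, the others are common formats), every sample input is constructed, and it also previews what the rest of this section covers by showing what text stored two bytes per character looks like in the ASCII column.

```python
"""Mini hex-editor helpers: identify a file by its magic number, render a hex
view like HxD's, and make a same-length byte edit.  Added example, not code
from the original page or from HxD; the signature table is a small, hand-picked
set of well-known signatures, and every sample input is constructed."""
import os
from typing import List

# (format name, leading bytes).  Checked longest-first so a short signature such
# as "MZ" can never shadow a longer, more specific one.
SIGNATURES = sorted([
    ("Microsoft Office pre-2007 (OLE2 compound file)", bytes.fromhex("D0CF11E0A1B11AE1")),
    ("PNG image", bytes.fromhex("89504E470D0A1A0A")),
    ("ZIP archive (also .docx/.jar/.apk containers)", b"PK\x03\x04"),
    ("PDF document", b"%PDF-"),
    ("Windows executable (MZ/PE)", b"MZ"),
], key=lambda entry: len(entry[1]), reverse=True)

# Extensions a given format is expected to carry; anything else is a mismatch.
EXPECTED_EXTENSIONS = {
    "Microsoft Office pre-2007 (OLE2 compound file)": {".doc", ".xls", ".ppt"},
    "PNG image": {".png"},
    "ZIP archive (also .docx/.jar/.apk containers)": {".zip", ".docx", ".xlsx", ".pptx", ".jar", ".apk"},
    "PDF document": {".pdf"},
    "Windows executable (MZ/PE)": {".exe", ".dll", ".scr", ".sys"},
}

def identify(data: bytes) -> str:
    """Name the format whose signature the data starts with, or 'unknown'."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"

def extension_mismatch(filename: str, data: bytes) -> bool:
    """True when the content has a known signature that does not belong to the
    file's extension: a missing extension and an EXE renamed to .doc both count."""
    fmt = identify(data)
    if fmt == "unknown":
        return False
    return os.path.splitext(filename)[1].lower() not in EXPECTED_EXTENSIONS[fmt]

def ascii_column(data: bytes) -> str:
    """The text column as an editor assuming ASCII shows it: bytes outside the
    printable range 0x20-0x7E become '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in data)

def hexdump(data: bytes, width: int = 16) -> List[str]:
    """Offset, hex pairs and text column per row, HxD style."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        rows.append(f"{off:08X}  {hex_part:<{width * 3 - 1}}  {ascii_column(chunk)}")
    return rows

def patch_bytes(data: bytes, offset: int, new: bytes) -> bytes:
    """Overwrite bytes in place, like typing over them in a hex editor.  The
    length never changes, since inserting or deleting would shift every offset
    after the edit and corrupt most binary formats."""
    if offset < 0 or offset + len(new) > len(data):
        raise ValueError("edit runs past the end of the data")
    return data[:offset] + new + data[offset + len(new):]

if __name__ == "__main__":
    # Constructed: an OLE2 header followed by ASCII text, like the page's Word file.
    doc = bytes.fromhex("D0CF11E0A1B11AE1") + b"Hi there, reader"
    print(identify(doc))                          # Microsoft Office pre-2007 ...
    print(extension_mismatch("report", doc))      # True: no extension at all
    print(extension_mismatch("report.doc", doc))  # False
    print(extension_mismatch("invoice.doc", b"MZ\x90\x00\x03"))  # True: really an EXE
    for row in hexdump(doc):
        print(row)
    # Same text stored two bytes per character (UCS-2 BE; Python's utf-16-be is
    # identical for these characters): the ASCII column shows ".H.i" and the
    # trademark sign (U+2122, bytes 21 22) is unreadable as '!"'.
    wide = "Hi there\u2122".encode("utf-16-be")
    print(ascii_column(wide))
    print(wide.decode("utf-16-be"))               # the right encoding restores it
    edited = patch_bytes(doc, 8, b"Yo")           # overwrite "Hi" with "Yo"
    print(ascii_column(edited[8:]))               # Yo there, reader
```

The mismatch check is the security-relevant part: an extension is a hint for Explorer, not a property of the content, so anything that decides how to handle a file (mail filters, upload handlers, your own curiosity) should look at the bytes first.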
(Generally hex numbers have "0x" in front of them or "h" after them to point out they're hex, not decimal.)

Now in most cases a hex editor will be able to show the text, but it may not always be in the format you'd expect. For an example, let's take a different file that has some text in the UCS-2 (BE) format. Notice that, even though the text is readable, it seems broken up. That's because UCS-2 uses TWO bytes per letter instead of one, but the editor is still trying to display it as if it were ASCII. That's also why the (TM) symbol at the end is not displaying properly: that character is not in ASCII. You'll notice that while most characters are "00" and then something, the TM symbol is different in that it actually does use both bytes for its value. The rest of the text is displaying something we can at least make out, but this is not always the case, and viewing something in the wrong encoding can result in something totally unreadable, so it's important to try viewing data with a few different encodings. If you're going to be viewing things with a lot of special characters, or especially foreign languages, it's important to get an editor that supports the kind of encodings you'll be working with.

Well, since for the original example we're dealing with normal ASCII (within the Word document), we can edit it right away. We can either edit the text directly on the right by clicking and typing to overwrite the symbols, or we can look up the character encoding in the ASCII table and edit the hex side. Either way, we can edit the file and then save it. Then upon opening it in Word, we can see the changes.

More information...
ASCII
Hex-Decimal Converter
Character Encoding
ROM Hacking
Hex Editors
Comparison Of Hex Editors

- Programs -

Information Gathering

For basic information about a program's file, you'd simply check the properties like before, but with a running program there's a lot more. For the most basic information, Windows' Task Manager works.
It doesn't show much information by default, but if you go to View - Select Columns you can have it show you more. Of course, there are tools that can show you a lot more than that. A good one is Process Explorer, and it can certainly give you more information about what a program is doing internally. Wanna know what sort of connections a program is making? Want to see how many threads it's launched? Want to see how much of your GPU's power a game is using? Process Explorer can show you.

More information...
What's the difference between an Application, Process, and Services?
Threads
MSconfig Guide

Editing RAM

How can we see what data a program is actually holding, and modify it? Programs hold their working data in RAM, so you'd use a RAM editor. RAM editors generally attach to a running program and then allow you to find the RAM addresses that hold the data you want, using the process of elimination to narrow down the candidates. While many hex editors have the ability to look into and modify the RAM of a program, in this case we're going to want a tool specially designed for the job: Cheat Engine.

So we'll get Cheat Engine and open it up. We'll also download Cave Story (and the translation patch, if you care). Run Cave Story (Doukutsu.exe), start a new game, wait for the intro cutscene to be over, then head through the door at the top (DOWN enters doors in this game). So we can see that we have three HP; that's the value we want to take control of. Open up Cheat Engine and click the "open process" button (it glows red and green), find Doukutsu.exe in the list, and select it. Look at your health, type that number into the "value" box, and click "first scan". This scans the RAM of Doukutsu.exe for anything that's set to the value "3" (in this example) and returns all the results on the left. That's too many: it looks like there are a lot of pieces of data with the value "3" (which is to be expected). How do we find which address holds the value we want?
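The process of elimination that answers this question is easier to see on a toy than on a real game, so here it is as an added example that is not from the original page or from Cheat Engine. ToyGame stands in for Doukutsu.exe: its "RAM" is a byte array with one real HP word, a stale copy of HP that the game also updates (a common reason two addresses survive the scans), a counter that changes on every hit, and random filler. Every address in it is made up, and the only thing the scanning code is allowed to observe is the HP the "HUD" displays.

```python
"""Simulate Cheat Engine's 'first scan' / 'next scan' process of elimination on
a constructed RAM image.  Added example, not from the original page or from
Cheat Engine: ToyGame is a stand-in for Doukutsu.exe, and every address in it
is made up."""
import random
import struct
from typing import List, Optional

WIDTH = 4  # scan for 4-byte little-endian integers, Cheat Engine's default type

class ToyGame:
    """A fake process.  HP lives at one address, a copy of HP that is refreshed
    on each hit lives at another, and a counter that also changes on every hit
    acts as a decoy.  All other words are random filler."""
    def __init__(self, size: int = 4096, seed: int = 7):
        rng = random.Random(seed)
        self.ram = bytearray(size)
        for addr in range(0, size, WIDTH):
            self.write(addr, rng.choice([0, 1, 2, 3, 3, 3, 100, 255]))
        self.hp_addr = 0x0C40        # constructed: the real HP
        self.copy_addr = 0x0A10      # constructed: a copy updated on each hit
        self.counter_addr = 0x0100   # constructed: unrelated value that moves too
        self.write(self.hp_addr, 3)
        self.write(self.copy_addr, 3)

    def read(self, addr: int) -> int:
        return struct.unpack_from("<i", self.ram, addr)[0]

    def write(self, addr: int, value: int) -> None:
        struct.pack_into("<i", self.ram, addr, value)

    def displayed_hp(self) -> int:
        """What the HUD shows; this is all a player can observe."""
        return self.read(self.hp_addr)

    def take_hit(self) -> None:
        self.write(self.hp_addr, self.read(self.hp_addr) - 1)
        self.write(self.copy_addr, self.read(self.hp_addr))
        self.write(self.counter_addr, self.read(self.counter_addr) + 1)

def first_scan(ram: bytes, value: int) -> List[int]:
    """Every aligned address whose 4-byte word equals the value."""
    return [a for a in range(0, len(ram) - WIDTH + 1, WIDTH)
            if struct.unpack_from("<i", ram, a)[0] == value]

def next_scan(ram: bytes, candidates: List[int], value: int) -> List[int]:
    """Keep only the earlier candidates that now hold the new value."""
    return [a for a in candidates if struct.unpack_from("<i", ram, a)[0] == value]

def narrow_down(game: ToyGame, max_rounds: int = 10) -> List[int]:
    """Scan for the HP shown on screen, take a hit, rescan with the new HP, and
    repeat until the candidate list stops shrinking (or HP would run out)."""
    candidates = first_scan(game.ram, game.displayed_hp())
    for _ in range(max_rounds):
        if len(candidates) <= 1 or game.displayed_hp() <= 1:
            break
        before = len(candidates)
        game.take_hit()
        candidates = next_scan(game.ram, candidates, game.displayed_hp())
        if len(candidates) == before:
            break
    return candidates

def confirm_address(game: ToyGame, candidates: List[int], probe: int = 99) -> Optional[int]:
    """When more than one address survives, write a test value to each in turn and
    see which one actually changes the displayed HP.  The old value is restored
    after each probe so a wrong guess does no harm."""
    for addr in candidates:
        saved = game.read(addr)
        game.write(addr, probe)
        matched = game.displayed_hp() == probe
        game.write(addr, saved)
        if matched:
            return addr
    return None

if __name__ == "__main__":
    game = ToyGame()
    print(len(first_scan(game.ram, 3)), "addresses hold the value 3")  # far too many
    survivors = narrow_down(game)
    print("after narrowing:", [hex(a) for a in survivors])             # two left
    real = confirm_address(game, survivors)
    print("HP is at", hex(real))
    game.write(real, 99)                    # the 'double-click the value' step
    print("displayed HP:", game.displayed_hp())
```

The scan only keeps addresses whose contents track the value you can observe, which is why taking a hit between scans matters: anything that merely happened to equal 3 at the start is discarded the moment it fails to follow HP down to 2. The copy address survives because it really does follow HP, and the probe in confirm_address is the "guess" the text mentions, done in a way that undoes itself.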
Well, play until you get hit by something (such as the enemy to the right) and your HP is reduced. Then we can search for the new value as well, and it'll filter the search results using the process of elimination. After doing this a few times, we end up with just two addresses. Sometimes you'll end up with just one, sometimes more. If you have more than one you'll just need to guess.

To start editing the contents of an address, double-click it in the results column on the left to bring it down to the bottom of the window. From there you can double-click the value and change it as you like. Since we changed the value and the actual health changed in-game, we know this is the right address. In addition to simply changing the value, we can use the checkmark at the very left to "freeze" it, where Cheat Engine will try to keep the value from changing automatically (it's not perfect, but it's good enough for most cases). Keep Cheat Engine and Cave Story running, because we'll be using them in the next lesson.

Now, this was a very simple example. For many real-world programs and games you'll have to deal with things like pointers and varying types of data (flag, 4-byte, float, string), so I highly suggest you check out the tutorial program included with Cheat Engine (Start -> All Programs -> Cheat Engine -> Cheat Engine Tutorial), as it gives you basic instructions and an interactive program to hack in order to learn about these things.

More information...
Cheat Engine Tutorials
Data Type (Int, Float, Double, String, etc.)
Endianness

Editing ASM

While you can find and edit RAM values, sometimes you'll want to change the behavior of the program itself. When programs are created in programming languages like C++ and Java they're written in human-readable code, like this. Then they're run through a compiler, which takes that code and transforms the instructions into machine code that the computer can actually run (such as an EXE file).
(In the case of interpreted languages like Python and Java, the programs are compiled on the fly when they're run.) This means that for most programs we don't have the source code (including the descriptive comments), only the machine code... but we can still edit it! While you may need the source code to make big official changes, smaller changes can be done by editing the compiled program. Since we don't have the human-readable source code or comments, finding what to modify and how to change it involves a bit of exploration and tinkering, but ASM modification is a key tool in cracking programs.

In order to look into the actual machine code that's being run so we can modify it, we'll need a debugger. There are many debugging programs out there and we'll use one later, but for now we'll keep using Cheat Engine, since it has a debugger as well that ties right into the stuff we've already done. So, with Cheat Engine and Cave Story open and the address of your health found, right-click it and choose "Find what writes to this address", and tell Cheat Engine yes, attach the debugger. Now, not all programs like being debugged, and there are a couple of things they can do to detect and stop it, but for now we don't have to worry about that.

A new window will come up, empty for now. This window will list code snippets that (try to) change the health value, so go ahead and get hit by an enemy so an entry appears. That entry is the line of assembly that modifies the health value, so it's what we want to blank out. Click it once, then click the "Show disassembler" button, and you'll see this window. Let's run over the information from left to right. First we have the address (in RAM) of the code. Next we have the raw hex that makes up the code. Then we have the translated (disassembled) version of that hex. Last we have a comment field (contents vary).
Now, if we want, we can just right-click the code and choose "Replace with code that does nothing" (or hell, we could click the "Replace" button back in the main debug window without having to open the disassembler), but that will only patch it in RAM. It will make the change so you won't take damage from contacting enemies, but the changes will only exist for this run. If you close and re-open the program, it's back to normal and you need to do these steps again. So for this tutorial we want to modify the EXE itself.

The first thing to do is look at the hex data and see how many bytes (pairs) there are. In this case we have 7. We'll also want to go to the "View" menu and check "Show module addresses" so we can see the EXE addresses instead of the RAM ones (left-hand column). So in this case the address is 1997A, and we have 7 bytes/pairs to replace. That address is a hex address, and we want to modify the EXE itself, so let's make a copy of the main game program (let's call it Doukutsu_cracked.exe), fire up a hex editor, and open the copy in it. Most hex editors have a "go to line" or "go to offset" function; in this case we'll use it and go to offset 0x1997A. And what do we have here? This certainly looks familiar. Yup, the seven pairs of hex starting from that point are the actual hex code we saw in the disassembler!

So now we have the actual values that we need to replace, and we need to find how to replace them. Unfortunately simply deleting them is no good; we need to keep everything the same size... so we simply replace those 7 bytes with "nop" or "no operation" codes, which tell the processor to do nothing on that line. In x86 assembly the nop code is hex value 90 (it varies for other platforms), so we can replace those 7 bytes with 90. Just click at the beginning of the 66 and start typing "90" until you've overwritten the original 7 pairs.
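The same edit seen from the other side: this added example (not code from the original page) compares a program file against a known-good copy, lists the bytes that differ, and flags runs of x86 NOP (0x90) bytes covering the changed region, which is exactly the footprint the overwrite above leaves. Both "binaries" are constructed byte strings: the 7-byte instruction keeps only the leading 66 from the text and the rest is made up, and the offset comes out as 6 rather than the page's 0x1997A because the sample is only a few bytes long.

```python
"""Defender-side check for a hex-editor overwrite: compare a file against a
known-good copy, list the bytes that differ, and flag runs of x86 NOP (0x90)
bytes covering the changed region.  Added example, not code from the original
page; both 'binaries' below are constructed."""
import hashlib
from typing import Dict, List, Tuple

NOP = 0x90

# Constructed stand-ins for Doukutsu.exe and Doukutsu_cracked.exe: a few bytes
# of prologue, a 7-byte instruction, and a few bytes of epilogue.
PROLOGUE = bytes.fromhex("558BEC83EC08")
INSTRUCTION = bytes.fromhex("66890D00000000")   # 7 bytes; only the leading 66 is from the text
EPILOGUE = bytes.fromhex("C9C3")
SAMPLE_ORIGINAL = PROLOGUE + INSTRUCTION + EPILOGUE
SAMPLE_PATCHED = PROLOGUE + bytes([NOP]) * len(INSTRUCTION) + EPILOGUE
PATCH_OFFSET = len(PROLOGUE)   # 6 here; the page's real offset was 0x1997A

def sha256_hex(data: bytes) -> str:
    """Cheapest first check: any single-byte change alters the digest."""
    return hashlib.sha256(data).hexdigest()

def diff_bytes(original: bytes, modified: bytes) -> List[Tuple[int, int, int]]:
    """(offset, original_byte, modified_byte) for every position that differs.
    A size change is an error: a hex-editor overwrite never changes the length."""
    if len(original) != len(modified):
        raise ValueError(f"size differs: {len(original)} vs {len(modified)} bytes")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, modified)) if a != b]

def nop_runs(data: bytes, min_len: int = 4) -> List[Tuple[int, int]]:
    """(start, length) of each run of at least min_len consecutive 0x90 bytes.
    Compilers emit short NOP runs as alignment padding, so only longer runs
    are reported."""
    runs, i = [], 0
    while i < len(data):
        if data[i] != NOP:
            i += 1
            continue
        j = i
        while j < len(data) and data[j] == NOP:
            j += 1
        if j - i >= min_len:
            runs.append((i, j - i))
        i = j
    return runs

def patch_report(original: bytes, modified: bytes) -> Dict:
    """Summarise how a file differs from its reference copy."""
    diffs = diff_bytes(original, modified)
    changed = {off for off, _, _ in diffs}
    suspicious = [(s, n) for s, n in nop_runs(modified)
                  if any(s <= off < s + n for off in changed)]
    return {
        "hash_match": sha256_hex(original) == sha256_hex(modified),
        "changed_bytes": len(diffs),
        "first_change": hex(diffs[0][0]) if diffs else None,
        "nop_runs_at_changes": suspicious,
    }

if __name__ == "__main__":
    report = patch_report(SAMPLE_ORIGINAL, SAMPLE_PATCHED)
    for key, value in report.items():
        print(f"{key}: {value}")
    # hash_match: False, changed_bytes: 7, first_change: 0x6, nop_runs_at_changes: [(6, 7)]
    for off, old, new in diff_bytes(SAMPLE_ORIGINAL, SAMPLE_PATCHED):
        print(f"offset {off:#06x}: {old:02X} -> {new:02X}")
```

Against a real executable you would read both files with open(path, "rb") and pass the bytes in; the size check matters because a patched copy that has grown or shrunk is broken in a different way than one that was overwritten in place, and the NOP-run filter is what separates a deliberate blank-out from the padding a compiler leaves between functions.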
(You'll notice that if you chose the "replace with code that does nothing" option in Cheat Engine's debugger it would do the same thing.) Well, save the changes and then check it out. If you edited the right information, then the modified copy of Cave Story shouldn't reduce your health when you get hit.

More information...
x86 Assembly
x86 Disassembly
Debugger Detectors

Extra Info

Now, these examples were sort of narrow; the main point of them was just to show you some of the tools and how they're used. When it comes to actually hacking/cracking programs there are all sorts of approaches to it depending on what's actually being done, so here are some ideas for you about common restrictions.

Is the program fully installed and simply checking for a serial on startup? See if you can search for the text the box has and look around in that area for the jump done when the serial is checked, and see if you can force it to always jump to the "serial okay" routine (and then of course modify the EXE so it always thinks the serial is good).

Is the program checking for something online? Use Process Explorer to see what it's connecting to, then perhaps try out Wireshark to see the actual data being sent. See how the program reacts when you take away its ability to access the server it checks into, then see if you can exploit/modify that behavior. Barring that, you could always try to forge the response (or keep the files on you) with locally-installed server software, but this is rarely needed.

Does the program have a time limit you want to bypass? Use something like Process Monitor to watch its file actions, and see if it's actually storing a file with a timestamp somewhere (or in the registry) and then doing a comparison later to see how much time has elapsed. It may simply be checking the system time instead (in the form of a unix timestamp), so you can try forging that, or using its reading of that value to see what you need to modify.