Tutorial Basic File/Program Hacking Information

Rydian

Basic File/Program Hacking Information

Ever wondered what "hex editing" is?
Want to learn how to cheat on PC games?
Have you ever wanted to "crack" a program?

This guide has some basic info to get you started.
  • Files
    • Information Gathering
    • Hex Editing
  • Programs
    • Information Gathering
    • Editing RAM
    • Editing ASM
  • Extra Info


- Files -

Information Gathering
So let's say that you have a file, and you don't know what it is... but you want to check it out.
The most basic information can be gathered by checking out the file's properties (via the right-click menu).
I know this seems really basic, but it shows you some important info such as the program that will
be used to open the file when you double click on it, and the timestamp of when the file was last edited.

[screenshot: 54g8ps.png]


In this example we can plainly see that this is a Word document... but what if the right program to open
a file isn't known? Generally googling the extension can lead you to a multitude of programs used to open
whatever file type that is. If you do have the proper program installed but it's not set as the default,
you can change the default from the Open With section of the right-click menu. This is sometimes needed
when some installed programs change the association in ways you don't want.

Now, what if there's no extension at all?

[screenshot: 1zgs1o3.png]


We can see in this version that Windows doesn't know what the file is. That's because Windows goes by the
file's extension (the letters after the final period in the name). The extension is easy to change, you
can simply go into the Windows folder options and uncheck the setting to hide extensions for known types.
Because of this the file extension is not concrete, and it does not determine the format of a file.
It's used for Windows to know what program to open the file with, so don't assume it's always correct
because it's not. So how else can we figure out what type of file it is?

If you don't know what a file contains or you need internal information without an official editor, you
can always use a Hex editor. A Hex editor can open any file out there and make raw, direct changes to the
recorded data, so it's an invaluable tool to have around if you're going to be doing this type of thing.
There's lots out there both paid and free (Hex Workshop, XVI32, Catch22), but I prefer the free
HxD for ease of use so that's what the screenshots will show.

So the first thing we'll do is fire up HxD and open the file in it.

[screenshot: s6rwn5.png]


On the left is the raw hexadecimal information contained in the file, and on the right is a representation
of it in plain text, but we'll get into that later. What we're interested in right now are the first few
pieces of hexadecimal data. In general, the first 2-16 bytes/pieces (4 is most common) are known as the
"magic number", or "file signature". This is often a certain sequence that is used to identify a file
format. For our example file, it's "D0 CF 11 E0 A1 B1 1A E1", and from a google result,
it points out that's the ID for a Microsoft Word (pre-07) document.

So if you have a missing extension or you think the [strike]cake[/strike] extension is a lie, check out the first few bytes in a hex editor and do a little googling.

More information...
File Attributes
File Extension
File Association
Hexadecimal
Magic Number (File Signature)
File Signature Table



Hex Editing
Well we can view the file, what about editing it?

First we need to learn about character encoding. If we scroll down a bit in the example file,
we can find some of the text that the file actually contains.

[screenshot: 2nrq8p5.png]


You can see the hex version of the data on the left, and the text version on the right. More specifically,
this is ASCII (or sometimes you'll see "ANSI"). The "encoding" describes the mapping of hex to normal letters.
In this case you can see that the value 0x48 in hex equals the capital "H", 0x69 is the lowercase "i", 20 is the space, and so on.
(Generally hex numbers have "0x" in front of them or "h" after them to point out they're hex, not decimal.)

Now in most cases a hex editor will be able to show the text, but it may not always be in the format you'd expect.
For an example, let's take a different file that has some text in the UCS-2 (BE) format.

[screenshot: raxcpj.png]


Notice that, even though the text is readable, it seems broken up. That's because UCS-2 uses TWO bytes per letter
instead of one, but the editor is still trying to display it as if it was ASCII, which is why the (TM) symbol at
the end is not displaying properly, because that character is not in ASCII. You'll notice that while most characters
are "00" and then something, the TM symbol is different in that it actually does use two bytes for its value. The
rest of the text is displaying something we can at least make out, but this is not always the case, and viewing
something in the wrong encoding can result in something totally unreadable, so it's important to try viewing data with
a few different encodings. If you're going to be viewing things with a lot of special characters or especially foreign
languages, it's important to get an editor that supports the kind of encodings you'll be working with.

Well since for the original example we're dealing with normal ASCII (within the word document), we can edit it right
away. We can either edit the text directly on the right by clicking and typing to overwrite the symbols, or we can
look up the character encoding in the ASCII table and edit the hex side. Either way, we can edit the file and then save it.

[screenshot: 17b79j.png]


Then upon opening it in Word, we can see the changes.

[screenshot: 245lc05.png]


More information...
ASCII
Hex-Decimal Converter
Character Encoding
ROM Hacking Hex Editors
Comparison Of Hex Editors




- Programs -

Information Gathering
For basic information about a program's file, you'd simply check the properties like before, but with a
running program there's a lot more. For most basic information Windows' Task Manager works. It doesn't show
much information by default, but if you go to View - Select Columns you can have it show you more.

[screenshot: 350um83.png]


Of course, there's tools that can show you a lot more than that. A good one is Process Explorer, and it can certainly
give you more information about what a program is doing internally. Wanna' know what sort of connections a program is making?
Want to see how many threads it's launched? Want to see how much of your GPU's power a game is using?
Process Explorer can show you.

[screenshot: 33cynw3.png]


More information...
What's the difference between an Application, Process, and Services?
Threads
MSconfig Guide



Editing RAM
How can we see what data a program is actually holding, and modify it? Programs hold their working
data in RAM, so you'd use a RAM editor. RAM editors generally attach to a running program and then allow you
to find RAM values that have the data you want, using the process of elimination to narrow down the addresses.
While many hex editors have the ability to look into and modify the RAM of a program, in this case we're going
to want a tool specially designed for the job; Cheat Engine.

So we'll get Cheat Engine, and open it up. We'll also download Cave Story (and the translation patch, if you care).
Run Cave Story (Doukutsu.exe), start a new game, wait for the intro cutscene to be over, then head through the
door at the top (DOWN enters doors in this game).

[screenshot: k9x5s0.png]


So we can see that we have three HP, that's the value we want to take control of. Open up Cheat Engine, and click
the "open process" button (it glows red and green), find Doukutsu.exe in the list, and select it. Look at
your health, and then type that number into the "value" box and click "first scan". This scans the RAM of
Doukutsu.exe for anything that's set to the value "3" (in this example), and returns all the results on the left.

[screenshot: 2wdx7di.png]


That's too many, it looks like there's a lot of pieces of data with the value "3" (which is to be expected). How do we find
which address holds the value we want? Well, play until you get hit by something (such as the enemy to the right) and your
HP is reduced. Then we can search for the new value as well, and it'll filter the search results using the process of elimination.

[screenshot: wstk5j.png]


After doing this a few times, we end up with just two addresses. Sometimes you'll end up with just one,
sometimes more. If you have more than one you'll just need to guess. To start editing the contents of
an address, double-click it in the results column on the left to bring it down to the bottom of the window.
From there you can double-click the value and change it as you like.

[screenshot: 254zzb7.png]


So since we changed the value and the actual health changed in-game, we know this is the right address.
In addition to simply changing the value, we can use the checkmark at the very left to "freeze" it, where
Cheat Engine will try to keep the value from changing automatically (it's not perfect, but it's good
enough for most cases). Keep Cheat Engine and Cave Story running, because we'll be using them in the next lesson.

Now, this was a very simple example. For many real-world programs and games you'll have to deal with things like pointers
and varying types of data (flag, 4-byte, float, string) so I highly suggest you check out the tutorial program included with
Cheat Engine (Start -> All Programs -> Cheat Engine -> Cheat Engine Tutorial), as it gives you basic instructions and an
interactive program to hack in order to learn about these things.

More information...
Cheat Engine Tutorials
Data Type (Int, Float, Double, String, etc.)
Endianness




Editing ASM
While you can find and edit RAM values, sometimes you'll want to change the behavior of the program itself. When programs
are created in programming languages like C++ and Java they're written in human-readable code, like this.

[screenshot: np0z15.png]


Then they're run through a compiler which takes that code and transforms the instructions into machine code that the computer
can actually run (such as an EXE file). (In the case of interpreted languages like Python and Java, the programs are compiled
on-the-fly when they're run.) This means that for most programs we don't have the source code (including the descriptive comments),
only the machine code... but we can still edit it! While you may need the source code to make big official changes, smaller changes
can be done by editing the compiled program. This means we don't have the human-readable source code or comments, so finding
what to modify and how to change it involves a bit of exploration and tinkering, but ASM modification is a key tool in cracking programs.

In order to look into the actual machine code that's being run so we can modify it, we'll need a debugger. There's many debugging
programs out there and we'll use one later, but for now we'll keep using Cheat Engine since it has a debugger as well that ties
right into the stuff we've already done. So, with Cheat Engine and Cave Story open, and the address to your health found, right-click
it and choose "Find what writes to this address", and tell Cheat Engine yes, attach the debugger. Now not all programs like being
debugged and there's a couple things they can do to detect and stop it, but for now we don't have to worry about that.

A new window will come up, empty for now. This window will list code snippets that (try to)
change the health value, so go ahead and get hit by an enemy so an entry appears.

[screenshot: unern.png]


That entry is the line of assembly that modifies the health value, so it's what we want to blank out.
Click it once, and then click the "Show disassembler" button, and you'll see this window.

[screenshot: 4qle14.png]


Let's run over the information from left to right. First we have the address (in RAM) of the code. Next we have the raw hex
that makes up the code. Then we have the translated version of that hex. Last we have a comment field (contents vary). Now, if we
want, we can just right-click the code and choose "Replace with code that does nothing" (or hell, we could click the "Replace"
button back in the main debug window without having to open the disassembler), but that will only patch it in RAM. It will
make the change so you won't take damage from contacting enemies, but the changes will only exist for this run. If you close and
re-open the program, it's back to normal and you need to do these steps again.

So for this tutorial we want to modify the EXE itself. The first thing to do is look at the hex data, and see how
many bytes (pairs) there are. In this case we have 7. We'll also want to go to the "View" menu and check
"Show module addresses" so we can see the EXE addresses instead of the RAM ones (left-hand column).

[screenshot: 1629stt.png]


So in this case the address is 1997A, and we have 7 bytes/pairs to replace. That address is a hex address, and we're wanting to modify
the EXE itself, so let's make a copy of the main game program (let's call it Doukutsu_cracked.exe), and we fire up a hex editor and open
that in it. Most hex editors will have a "go to line" or "go to offset" function, in this case we'll use it and go to entry 0x1997A.

[screenshot: eg4e39.png]


And what do we have here? This certainly looks familiar.

[screenshot: w82afr.png]


Yup, the seven pairs/digits of hex starting from that point are the actual hex code we saw in the disassembler! So now we have the actual values that we need to replace, so we need to find how to replace them. Unfortunately simply deleting them is no good, we need to keep everything the same size... so we simply replace those 7 codes with "nop" or "no operation" codes, which tell the processor to do nothing on that line. In x86 assembly the noop code is hex value 90 (it varies for other platforms), so we can replace those 7 bytes with 90. Just click at the beginning of the 66, and start typing "90" until you've overwritten the original 7 pairs.

[screenshot: 2s69gew.png]


(You'll notice that if you chose the "replace with a code that does nothing" option in Cheat Engine's debugger it would do the same thing.)

Well, save the changes and then check it out. If you edited the right information, then the modified copy of Cave Story shouldn't reduce your health when you get hit.

More information...
x86 Assembly
x86 Disassembly
Debugger Detectors




Extra Info
Now, these examples were sort of narrow, the main point of them was just to show you some of the tools and how they're used. When it comes to actually hacking/cracking programs there's all sorts of approaches to it depending on what's actually being done, so here's some ideas for you about common restrictions.

  • Is the program fully-installed and simply checking for a serial on startup? See if you can search for the text the box has and look around in that area for the jump done when the serial is checked, see if you can force it to always jump to the "serial okay" routine (and then of course modify the EXE so it always thinks the serial is good).
  • Is the program checking for something online? Use Process Explorer to see what it's connecting to, then perhaps try out Wireshark to see the actual data being sent. See how the program reacts when you take away its ability to access the server it checks into, then see if you can exploit/modify that behavior. Barring that, you could always try to forge the response (or keep the files on you) with locally-installed server software, but this is rarely needed.
  • Does the program have a time limit you want to bypass? Use something like Process Monitor to watch its file actions, see if it's actually storing a file with a timestamp somewhere (or in the registry) and then doing a comparison later to see how much time has elapsed. It may simply be checking the system time instead (in the form of a unix timestamp), so you can try forging that or using its reading of that value to see what you need to modify.



Changelog said:
5/14/2012 - Added a link to FAST's thread on hex editors.
5/9/2012 - Added the "extra info" section with various ideas.
5/9/2012 - First version.
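The "Information Gathering" and "Hex Editing" sections above describe checking the first bytes of a file against a signature table and reading the same bytes under ASCII and UCS-2 BE. The following script is an added example, not code from the guide or from HxD: it sniffs a file's type from its leading bytes and prints an HxD-style dump and both decodings. The signature table is a small constructed subset (the OLE2 entry is the one quoted in the post; the others are well-known published signatures), and the sample inputs are constructed inline.

```python
from __future__ import annotations

# Added example (not from the post): identify a file by its leading bytes and
# show the same bytes under two encodings, the way the HxD screenshots do.
# The signature table is a small constructed subset; the OLE2 entry is the one
# quoted in the post, the rest are well-known published signatures.
SIGNATURES: list[tuple[bytes, str]] = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 compound document (pre-2007 Word/Excel)"),
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"PK\x03\x04", "ZIP archive (also the container for DOCX/JAR/APK)"),
    (b"%PDF-", "PDF document"),
    (b"\x7fELF", "ELF executable"),
    (b"MZ", "DOS/Windows executable (PE)"),
]


def identify(data: bytes) -> str:
    """Return the description of the longest signature matching the start of data."""
    best: tuple[bytes, str] | None = None
    for sig, desc in SIGNATURES:
        if data.startswith(sig) and (best is None or len(sig) > len(best[0])):
            best = (sig, desc)
    return best[1] if best else "unknown (no known signature; the extension is not evidence)"


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """HxD-style rows: offset, hex pairs, and an ASCII column where anything outside
    printable ASCII shows as '.'. Read one byte at a time, 0x21 0x22 are just '!' and
    '"', which is why the TM mark in the post's UCS-2 screenshot came out garbled."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk)
        text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        rows.append(f"{off:08X}  {hexpart:<{width * 3}} {text}")
    return rows


def decode_views(data: bytes) -> dict[str, str]:
    """Decode the same bytes as ASCII and as UCS-2 big-endian (UTF-16-BE covers it)."""
    return {
        "ascii": data.decode("ascii", errors="replace"),
        "ucs2-be": data.decode("utf-16-be", errors="replace"),
    }


if __name__ == "__main__":
    # Constructed samples: an OLE2 header and the string "Hi(TM)" in UCS-2 BE.
    ole_header = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + bytes(8)
    ucs2_text = "Hi\u2122".encode("utf-16-be")   # 00 48 00 69 21 22
    print(identify(ole_header))
    for row in hexdump(ucs2_text):
        print(row)
    print(decode_views(ucs2_text))
```

Run it on a real file by passing `open(path, "rb").read(16)` to `identify`; the dump of the UCS-2 sample shows the `00 48 00 69` pattern the post describes, and `decode_views` recovers the TM mark only under the two-byte encoding.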
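The "Editing RAM" section walks through Cheat Engine's first scan and repeated next scans until only the health address is left. The script below is an added example, not Cheat Engine's code: it models that process of elimination over a small constructed little-endian memory image, with the addresses and values made up for the scenario (a health value at 0x40 and three decoys that also read 3 at first).

```python
from __future__ import annotations
import struct

# Added example (not Cheat Engine's code): a tiny model of its "first scan" /
# "next scan" loop over a constructed little-endian memory image, so the
# process of elimination from the Cave Story walkthrough can be seen in code.

WORD = struct.Struct("<i")   # 4-byte signed int, Cheat Engine's default scan type


def snapshot(values: dict[int, int], size: int = 256) -> bytes:
    """Build a zero-filled memory image with 4-byte ints placed at the given offsets."""
    mem = bytearray(size)
    for addr, v in values.items():
        WORD.pack_into(mem, addr, v)
    return bytes(mem)


def scan(mem: bytes, value: int, candidates: list[int] | None = None, step: int = 4) -> list[int]:
    """First scan when candidates is None (every aligned address), otherwise a next
    scan that keeps only the candidates still holding `value`."""
    addrs = range(0, len(mem) - WORD.size + 1, step) if candidates is None else candidates
    return [a for a in addrs if WORD.unpack_from(mem, a)[0] == value]


def narrow(observations: list[tuple[bytes, int]]) -> list[int]:
    """Chain scans: each (memory image, value seen on screen) pair filters the last result."""
    cands = None
    for mem, seen in observations:
        cands = scan(mem, seen, cands)
    return [] if cands is None else cands


if __name__ == "__main__":
    # Constructed scenario: HP lives at 0x40; 0x80 and 0xC0 also hold 3 (think max HP,
    # lives); 0x10 is a counter that happens to match on the first two reads.
    before = snapshot({0x10: 3, 0x40: 3, 0x80: 3, 0xC0: 3})
    hit1 = snapshot({0x10: 2, 0x40: 2, 0x80: 3, 0xC0: 3})
    hit2 = snapshot({0x10: 7, 0x40: 1, 0x80: 3, 0xC0: 3})
    print("first scan:", [hex(a) for a in scan(before, 3)])
    print("after two hits:", [hex(a) for a in narrow([(before, 3), (hit1, 2), (hit2, 1)])])
```

The scan only looks at 4-byte aligned integers; the post's note about pointers and other data types (float, string, single flags) is exactly what a real scanner adds on top of this loop.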
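The "Editing ASM" section ends with a copy of the EXE whose 7 bytes at 0x1997A were overwritten with 0x90. The script below is an added example, not part of the guide: it is the integrity check you would run to confirm (or detect) such a change, comparing an original against a modified copy, grouping changed bytes into ranges and flagging runs of NOPs. The two buffers are constructed stand-ins built inline, and the 7-byte placeholder instruction placed at 0x1997A is not the game's real instruction bytes.

```python
from __future__ import annotations
from dataclasses import dataclass
import hashlib

# Added example (not from the post): compare an executable with a modified copy and
# report every changed byte range, flagging runs of 0x90 (x86 NOP). The sample
# buffers below are constructed stand-ins; the 7 bytes placed at 0x1997A are
# placeholders, not the game's real instruction.

PATCH_OFFSET = 0x1997A   # offset quoted in the post
PATCH_LEN = 7            # byte count quoted in the post
NOP = 0x90


@dataclass
class Change:
    offset: int
    original: bytes
    modified: bytes

    @property
    def is_nop_fill(self) -> bool:
        """True when the replacement bytes are all NOPs, the classic 'do nothing' patch."""
        return len(self.modified) > 0 and set(self.modified) == {NOP}


def diff_bytes(a: bytes, b: bytes) -> list[Change]:
    """Group differing bytes into contiguous ranges. Sizes must match: a NOP patch
    keeps the file size fixed, which is why the post says deleting bytes is no good."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    changes: list[Change] = []
    start: int | None = None
    for i in range(len(a) + 1):
        same = i == len(a) or a[i] == b[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            changes.append(Change(start, a[start:i], b[start:i]))
            start = None
    return changes


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample() -> bytes:
    """Constructed 'original': a repeating byte pattern with a 7-byte placeholder
    instruction at PATCH_OFFSET whose first byte is 0x66, as in the screenshot."""
    data = bytearray(bytes(range(256)) * 0x1A0)          # 0x1A000 bytes
    data[PATCH_OFFSET:PATCH_OFFSET + PATCH_LEN] = b"\x66\x01\x02\x03\x04\x05\x06"
    return bytes(data)


def nop_fill(data: bytes, offset: int, length: int) -> bytes:
    """Return a copy with `length` bytes at `offset` overwritten by NOP, size unchanged
    (used here only to construct the modified sample)."""
    if offset < 0 or offset + length > len(data):
        raise ValueError("patch range outside file")
    return data[:offset] + bytes([NOP]) * length + data[offset + length:]


def report(original: bytes, modified: bytes) -> list[str]:
    """Hashes of both files plus one line per changed range."""
    lines = [f"original sha256: {sha256(original)}", f"modified sha256: {sha256(modified)}"]
    for c in diff_bytes(original, modified):
        kind = "NOP fill" if c.is_nop_fill else "other edit"
        lines.append(f"{c.offset:08X}: {c.original.hex(' ')} -> {c.modified.hex(' ')} ({kind})")
    return lines


if __name__ == "__main__":
    orig = build_sample()
    patched = nop_fill(orig, PATCH_OFFSET, PATCH_LEN)
    print("\n".join(report(orig, patched)))
```

Against real files, read both with `open(path, "rb").read()` and pass them to `report`; a single NOP-filled range at a code offset is the signature of exactly the edit the post makes, and the hashes give you something to record alongside it.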
 

Costello

1) why didn't you post this in the tutorials/guides section?
2) why did you put all the content in spoilers? it cannot be indexed by google properly, which means people cannot stumble upon your guide while searching google
3) nice guide :)
 

Anon10W1z

I have the spoilered post code here :)

Sorry, the images didn't show up.
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
Website
Visit site
XP
1,172
Country
I was trying to replicate what you did with Cave Story on a game called Jasper's Journeys (just some game I had on my computer from a Humble Indie bundle). All went well to begin with, easily managed to increase my health and find the function that changed the health, and replace it with NOPs in RAM, but when I opened the EXE in HxD and went to the address shown in Cheat Engine, it wasn't the same bytes as were shown in Cheat Engine. I even searched for the same bytes, they weren't in the EXE at all. Any ideas what the next step would be? Or is this EXE likely to be too heavily obfuscated to be able to do this?

EDIT: (I even managed to take it a little further - in this game you pick up these fruit things. Normally each you pick up increases your fruit count by 2. I changed it to increase it by 100; again this is something that would be cool to be able to do permanently in the EXE I think)
 

Anon10W1z

Well-Known Member
Member
Joined
Feb 18, 2012
Messages
1,112
Trophies
0
Location
Somewhere over the rainbow
XP
173
Country
United States
[quote="SifJar"]
I was trying to replicate what you did with Cave Story on a game called Jasper's Journeys (just some game I had on my computer from a Humble Indie bundle). All went well to begin with, easily managed to increase my health and find the function that changed the health, and replace it with NOPs in RAM, but when I opened the EXE in HxD and went to the address shown in Cheat Engine, it wasn't the same bytes as were shown in Cheat Engine. I even searched for the same bytes, they weren't in the EXE at all. Any ideas what the next step would be? Or is this EXE likely to be too heavily obfuscated to be able to do this?

EDIT: (I even managed to take it a little further - in this game you pick up these fruit things. Normally each you pick up increases your fruit count by 2. I changed it to increase it by 100; again this is something that would be cool to be able to do permanently in the EXE I think)
[/quote]
Can you explain yourself with pictures?
 

Rydian

Resident Furvert™
OP
Member
Joined
Feb 4, 2010
Messages
27,880
Trophies
0
Age
34
Location
Cave Entrance, Watching Cyan Write Letters
Website
rydian.net
XP
8,904
Country
United States
I grabbed the demo (assuming it's using the same base code as the full, minus specific offsets and junk) to see what's up.

00407A9E - 89 81 D8000000 - mov [ecx+000000D8],eax
That, right?

Seems to be a static address (showing up in green in the results) but yeah it's not located in the binary (in fact the binary doesn't even go into that range) so I'm guessing it's packed or compressed to save space (assuming this game's not using a lot of managed/dynamic code, in which case another approach would be needed). I don't have much experience with this sort of thing, but from opening it in the PE Explorer trial, it doesn't look like it's packed with any of the most common tools.

21.06.2012 06:46:08 : Open File: C:\Users\Rydian\Desktop\jaspers-journeys_win32\jasper.exe
21.06.2012 06:46:11 : File size: 790985 bytes.
21.06.2012 06:46:11 : Using the Plug-in subsystem...
21.06.2012 06:46:11 : NsPack Unpacker Plug-in: Executing...
21.06.2012 06:46:11 : NsPack Unpacker Plug-in: The file is not NsPacked
21.06.2012 06:46:11 : NsPack Unpacker Plug-in: not accomplished.
21.06.2012 06:46:11 : Upack Unpacker Plug-in: Executing...
21.06.2012 06:46:11 : Upack Unpacker Plug-in: The file is not Upacked
21.06.2012 06:46:11 : Upack Unpacker Plug-in: not accomplished.
21.06.2012 06:46:11 : UPX Unpacker Plug-in: Executing...
21.06.2012 06:46:11 : UPX Unpacker Plug-in: The file is not UPX-packed
21.06.2012 06:46:11 : UPX Unpacker Plug-in: not accomplished.

So I dunno what's going on here, like most cases. I usually just make a trainer. XD
 

SifJar

Not a pirate
Member
Joined
Apr 4, 2009
Messages
6,022
Trophies
0
Website
Visit site
XP
1,172
Country
[quote="Rydian"]
I grabbed the demo (assuming it's using the same base code as the full, minus specific offsets and junk) to see what's up.

00407A9E - 89 81 D8000000 - mov [ecx+000000D8],eax
That, right?

Seems to be a static address (showing up in green in the results) but yeah it's not located in the binary (in fact the binary doesn't even go into that range) so I'm guessing it's packed or compressed to save space (assuming this game's not using a lot of managed/dynamic code, in which case another approach would be needed). I don't have much experience with this sort of thing, but from opening it in the PE Explorer trial, it doesn't look like it's packed with any of the most common tools.

21.06.2012 06:46:08 : Open File: C:\Users\Rydian\Desktop\jaspers-journeys_win32\jasper.exe
21.06.2012 06:46:11 : File size: 790985 bytes.
21.06.2012 06:46:11 : Using the Plug-in subsystem...
21.06.2012 06:46:11 : NsPack Unpacker Plug-in: Executing...
21.06.2012 06:46:11 : NsPack Unpacker Plug-in: The file is not NsPacked
21.06.2012 06:46:11 : NsPack Unpacker Plug-in: not accomplished.
21.06.2012 06:46:11 : Upack Unpacker Plug-in: Executing...
21.06.2012 06:46:11 : Upack Unpacker Plug-in: The file is not Upacked
21.06.2012 06:46:11 : Upack Unpacker Plug-in: not accomplished.
21.06.2012 06:46:11 : UPX Unpacker Plug-in: Executing...
21.06.2012 06:46:11 : UPX Unpacker Plug-in: The file is not UPX-packed
21.06.2012 06:46:11 : UPX Unpacker Plug-in: not accomplished.

So I dunno what's going on here, like most cases. I usually just make a trainer. XD
[/quote]
OK thanks, I thought it might be compressed but I tried some program meant to detect compression and also couldn't find anything. Thanks anyway.
 

Gleasonator

New Member
Newbie
Joined
Jun 7, 2007
Messages
3
Trophies
0
XP
112
Country
United States
[quote="Rydian"]
254zzb7.png

So since we changed the value and the actual health changed in-game, we know this is the right address.
In addition to simply changing the value, we can use the checkmark at the very left to "freeze" it, where
Cheat Engine will try to keep the value from changing automatically (it's not perfect, but it's good
enough for most cases). Keep Cheat Engine and Cave Story running, because we'll be using them in the next lesson.
[/quote]

Do these memory addresses change each time you play the game? And if so, is it because the game is loading into different sections of your computer's memory each time, or is it because the game itself spreads data throughout memory based on available empty spots (or both)?
 

Rydian

Resident Furvert™
OP
Member
Joined
Feb 4, 2010
Messages
27,880
Trophies
0
Age
34
Location
Cave Entrance, Watching Cyan Write Letters
Website
rydian.net
XP
8,904
Country
United States
[quote="Gleasonator"]Do these memory addresses change each time you play the game?[/quote]
That depends on the game. Addresses that show up in green (like the example) are static addresses and therefore unlikely to change, but the majority of software you'll find nowadays will use dynamic addresses.

[quote="Gleasonator"]And if so, is it because the game is loading into different sections of your computer's memory each time, or is it because the game itself spreads data throughout memory based on available empty spots (or both)?[/quote]
The memory is relative to the program itself, so it's the second one, sort of.

There's lots of reasons addresses are different on each boot, such as code (and resource data) being loaded into RAM at different rates but having to share the same main space, so sections of code might be in different spaces relative to each other depending on how they loaded. As far as programs see it when they first load they get their own virtual spot in RAM that, as far as they see, is unbroken (this is seen when checking out RAM addresses of games and programs, they're relative to an imaginary starting point). Programs will load things into their own virtual RAM space differently depending on various factors.

The reason that Cave Story's addresses don't change is that it's a relatively simple game coded by hand; it's not using a bunch of fancy self-referencing code and such, because the engine was programmed to work a very specific way. The reason that the addresses in RAM are the same as in the program is that the program reads itself into memory to execute; it's not using any compression (like programs that start up a small piece of code to decompress themselves and then put the decompressed copy of the program into RAM) or fancy techniques like that.

An example is Terraria, written in .NET 4.0 with XNA. Because of some stuff to do with the framework it was built on, Terraria only loads code as it's needed... so for example the values/addresses involving health aren't made on startup, they're only created when you actually start a level. Depending on what you do in the title screen or main menus beforehand (or even the size of the level that has to load before the game starts), the values for health will load into different places. This kind of thing means the values are very rarely in the same place twice.

Hell, in some other games player stat addresses change when going from one level to another (as certain code is unloaded and then reloaded).

Addresses like this that change are most often referenced with pointers, check out some cheat engine pointer tutorials (or run the tutorial program it installs alongside itself) to get a better idea of how that works and how to mess with them (and for more info than the basic outline I gave).
 

Rydian

Resident Furvert™
OP
Member
Joined
Feb 4, 2010
Messages
27,880
Trophies
0
Age
34
Location
Cave Entrance, Watching Cyan Write Letters
Website
rydian.net
XP
8,904
Country
United States
[quote]I loled at "cake is a lie" cuz that's from SM64.[/quote]
No, it's from Portal.

[youtube]http://www.youtube.c...h?v=0pig3PbHyJY[/youtube]
[quote]Which came from SM64[/quote]
No, nothing in Portal references that game. After Portal came out, people jokingly referenced SM64's intro in it.

The phrase "the cake is a lie" (and "the x is a lie" reference jokes) are from Portal, where the promise of Cake (and understanding that there is no cake) is part of the plot. "The cake is a lie" is even the graffiti on some walls in extra chambers (as the video shows).

SM64 mentions the cake once in the intro as reason for coming to the castle, and then at the ending where you go off to make it. So in SM64, the cake isn't even a lie.
 

TVNewsIsBiased

Developer
Newcomer
Joined
Nov 28, 2012
Messages
10
Trophies
0
Age
82
Website
planet.gnome.org
XP
22
Country
Gambia, The
This reminded me of making cheats for Diablo back in the 1990s. Epic lulz.

[quote="SifJar"]I was trying to replicate what you did with Cave Story on a game called Jasper's Journeys (just some game I had on my computer from a Humble Indie bundle). All went well to begin with, easily managed to increase my health and find the function that changed the health, and replace it with NOPs in RAM, but when I opened the EXE in HxD and went to the address shown in Cheat Engine, it wasn't the same bytes as were shown in Cheat Engine.[/quote]

Like Rydian was explaining, an EXE is a compiled binary. Binary is a base 2 number system. In fact "binary" in Latin loosely means 'made of 2 parts'. Hence the 1s and/or 0s. Hexadecimal is also a numbering system, with a base of 16 (0 - 9 and then a - f).

What HxD (or any hex editor) does when you open an EXE is it transcodes the binary into hex. That's really all it does.

Now, memory editors such as whatever you were using (I forgot, sorry LOL) will show you the instructions as they are stored in your machine's memory. This is where the address mismatch occurs. When you're looking at the addresses in a memory editor, they're actually the offset position in your machine. The addresses you're looking at in a hex editor are better understood as line numbers.

For persistent cheats, you don't want to change values but instead change routines in the game. For example, in Diablo the way we made "God Mode" was by using a memory editor to find the address for a value, say health, then we used a debugger (softICE) to set a breakpoint on that value's memory position so that if it ever changes, softICE will suspend diablo.exe and take fullscreen, showing you the exact procedure (In the diablo.exe assembly, not in memory..) of the procedure/routine that affected the change. In this case, it was a routine called by another routine that you could scroll/page-up to find. The first routine subtracted the damage but the first routine was a comparison-jump.. It was comparing a value to 0 and if it did not match 0 it would continue to jump to the damage routine. If it did match 0, no health would be subtracted. After going further back in softICE to find where that value was set, we discovered that value was the current tileset... tileset 0 was the tileset for town (And that's why you can't attack players in town) so the solution was to change that routine so that it always returned false, as if it always failed to compare the value.
 