Basic File/Program Hacking Information

Discussion in 'General Tutorials' started by Rydian, May 8, 2012.

May 8, 2012
  1. Rydian
    OP

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    Basic File/Program Hacking Information

    Ever wondered what "hex editing" is?
    Want to learn how to cheat on PC games?
    Have you ever wanted to "crack" a program?

    This guide has some basic info to get you started.
    • Files
      • Information Gathering
      • Hex Editing
    • Programs
      • Information Gathering
      • Editing RAM
      • Editing ASM
    • Extra Info


    - Files -

    Information Gathering
    So let's say that you have a file, and you don't know what it is... but you want to check it out.
    The most basic information can be gathered by checking out the file's properties (via the right-click menu).
    I know this seems really basic, but it shows you some important info such as the program that will
    be used to open the file when you double click on it, and the timestamp of when the file was last edited.

    [​IMG]

    In this example we can plainly see that this is a Word document... but what if the right program to open
    a file isn't known? Generally googling the extension can lead you to a multitude of programs used to open
    whatever file type that is. If you do have the proper program installed but it's not set as the default,
    you can change the default from the Open With section of the right-click menu. This is sometimes needed
    when some installed programs change the association in ways you don't want.

    Now, what if there's no extension at all?

    [​IMG]

    We can see in this version that Windows doesn't know what the file is. That's because Windows goes by the
    file's extension (the letters after the final period in the name). The extension is easy to change, you
    can simply go into the Windows folder options and uncheck the setting to hide extensions for known types.
    Because of this the file extension is not concrete, and it does not determine the format of a file.
    It's used for Windows to know what program to open the file with, so don't assume it's always correct
    because it's not. So how else can we figure out what type of file it is?

    If you don't know what a file contains or you need internal information without an official editor, you
    can always use a Hex editor. A Hex editor can open any file out there and make raw, direct changes to the
    recorded data, so it's an invaluable tool to have around if you're going to be doing this type of thing.
    There's lots out there both paid and free (Hex Workshop, XVI32, Catch22), but I prefer the free
    HxD for ease of use so that's what the screenshots will show.

    So the first thing we'll do is fire up HxD and open the file in it.

    [​IMG]

    On the left is the raw hexadecimal information contained in the file, and on the right is a representation
    of it in plain text, but we'll get into that later. What we're interested in right now are the first few
    pieces of hexadecimal data. In general, the first 2-16 bytes/pieces (4 is most common) are known as the
    "magic number", or "file signature". This is often a certain sequence that is used to identify a file
    format. For our example file, it's "D0 CF 11 E0 A1 B1 1A E1", and from a google result,
    it points out that's the ID for a Microsoft Word (pre-07) document.

    So if you have a missing extension or you think the [strike]cake[/strike] extension is a lie, check out the first few bytes in a hex editor and do a little googling.

    More information...
    File Attributes
    File Extension
    File Association
    Hexadecimal
    Magic Number (File Signature)
    File Signature Table



    Hex Editing
    Well we can view the file, what about editing it?

    First we need to learn about character encoding. If we scroll down a bit in the example file,
    we can find some of the text that the file actually contains.

    [​IMG]

    You can see the hex version of the data on the left, and the text version on the right. More specifically,
    this is ASCII (or sometimes you'll see "ANSI"). The "encoding" describes the mapping of hex to normal letters.
    In this case you can see the value 0x48 in hex equals the capital "H", 0x69 is the lowercase "i", 20 is the space, and so on.
    (Generally hex numbers have "0x" in front of them or "h" after them to point out they're hex, not decimal.)

    Now in most cases a hex editor will be able to show the text, but it may not always be in the format you'd expect.
    For an example, let's take a different file that has some text in the UCS-2 (BE) format.

    [​IMG]

    Notice that, even though the text is readable, it seems broken up. That's because UCS-2 uses TWO bytes per letter
    instead of one, but the editor is still trying to display it as if it was ASCII, which is why the (TM) symbol at
    the end is not displaying properly, because that character is not in ASCII. You'll notice that while most characters
    are "00" and then something, the TM symbol is different in that it actually does use two bytes for its value. The
    rest of the text is displaying something we can at least make out, but this is not always the case, and viewing
    something in the wrong encoding can result in something totally unreadable, so it's important to try viewing data with
    a few different encodings. If you're going to be viewing things with a lot of special characters or especially foreign
    languages, it's important to get an editor that supports the kind of encodings you'll be working with.

    Well since for the original example we're dealing with normal ASCII (within the word document), we can edit it right
    away. We can either edit the text directly on the right by clicking and typing to overwrite the symbols, or we can
    look up the character encoding in the ASCII table and edit the hex side. Either way, we can edit the file and then save it.

    [​IMG]

    Then upon opening it in Word, we can see the changes.

    [​IMG]

    More information...
    ASCII
    Hex-Decimal Converter
    Character Encoding
    ROM Hacking Hex Editors
    Comparison Of Hex Editors




    - Programs -

    Information Gathering
    For basic information about a program's file, you'd simply check the properties like before, but with a
    running program there's a lot more. For most basic information Windows' Task Manager works. It doesn't show
    much information by default, but if you go to View - Select Columns you can have it show you more.

    [​IMG]

    Of course, there's tools that can show you a lot more than that. A good one is Process Explorer, and it can certainly
    give you more information about what a program is doing internally. Wanna' know what sort of connections a program is making?
    Want to see how many threads it's launched? Want to see how much of your GPU's power a game is using?
    Process Explorer can show you.

    [​IMG]

    More information...
    What's the difference between an Application, Process, and Services?
    Threads
    MSconfig Guide



    Editing RAM
    How can we see what data a program is actually holding, and modify it? Programs hold their working
    data in RAM, so you'd use a RAM editor. RAM editors generally attach to a running program and then allow you
    to find RAM values that have the data you want, using the process of elimination to narrow down the addresses.
    While many hex editors have the ability to look into and modify the RAM of a program, in this case we're going
    to want a tool specially designed for the job; Cheat Engine.

    So we'll get Cheat Engine, and open it up. We'll also download Cave Story (and the translation patch, if you care).
    Run Cave Story (Doukutsu.exe), start a new game, wait for the intro cutscene to be over, then head through the
    door at the top (DOWN enters doors in this game).

    [​IMG]

    So we can see that we have three HP, that's the value we want to take control of. Open up Cheat Engine, and click
    the "open process" button (it glows red and green), find Doukutsu.exe in the list, and select it. Look at
    your health, and then type that number into the "value" box and click "first scan". This scans the RAM of
    Doukutsu.exe for anything that's set to the value "3" (in this example), and returns all the results on the left.

    [​IMG]

    That's too many, it looks like there's a lot of pieces of data with the value "3" (which is to be expected). How do we find
    which address holds the value we want? Well, play until you get hit by something (such as the enemy to the right) and your
    HP is reduced. Then we can search for the new value as well, and it'll filter the search results using the process of elimination.

    [​IMG]

    After doing this a few times, we end up with just two addresses. Sometimes you'll end up with just one,
    sometimes more. If you have more than one you'll just need to guess. To start editing the contents of
    an address, double-click it in the results column on the left to bring it down to the bottom of the window.
    From there you can double-click the value and change it as you like.

    [​IMG]

    So since we changed the value and the actual health changed in-game, we know this is the right address.
    In addition to simply changing the value, we can use the checkmark at the very left to "freeze" it, where
    Cheat Engine will try to keep the value from changing automatically (it's not perfect, but it's good
    enough for most cases). Keep Cheat Engine and Cave Story running, because we'll be using them in the next lesson.

    Now, this was a very simple example. For many real-world programs and games you'll have to deal with things like pointers
    and varying types of data (flag, 4-byte, float, string) so I highly suggest you check out the tutorial program included with
    Cheat Engine (Start -> All Programs -> Cheat Engine -> Cheat Engine Tutorial), as it gives you basic instructions and an
    interactive program to hack in order to learn about these things.

    More information...
    Cheat Engine Tutorials
    Data Type (Int, Float, Double, String, etc.)
    Endianness




    Editing ASM
    While you can find and edit RAM values, sometimes you'll want to change the behavior of the program itself. When programs
    are created in programming languages like C++ and Java they're written in human-readable code, like this.

    [​IMG]

    Then they're run through a compiler which takes that code and transforms the instructions into machine code that the computer
    can actually run (such as an EXE file). (In the case of interpreted languages like Python and Java, the programs are compiled
    on-the-fly when they're run.) This means that for most programs we don't have the source code (including the descriptive comments),
    only the machine code... but we can still edit it! While you may need the source code to make big official changes, smaller changes
    can be done by editing the compiled program. This means we don't have the human-readable source code or comments, so finding
    what to modify and how to change it involves a bit of exploration and tinkering, but ASM modification is a key tool in cracking programs.

    In order to look into the actual machine code that's being run so we can modify it, we'll need a debugger. There's many debugging
    programs out there and we'll use one later, but for now we'll keep using Cheat Engine since it has a debugger as well that ties
    right into the stuff we've already done. So, with Cheat Engine and Cave Story open, and the address to your health found, right-click
    it and choose "Find what writes to this address", and tell Cheat Engine yes, attach the debugger. Now not all programs like being
    debugged and there's a couple things they can do to detect and stop it, but for now we don't have to worry about that.

    A new window will come up, empty for now. This window will list code snippets that (try to)
    change the health value, so go ahead and get hit by an enemy so an entry appears.

    [​IMG]

    That entry is the line of assembly that modifies the health value, so it's what we want to blank out.
    Click it once, and then click the "Show disassembler" button, and you'll see this window.

    [​IMG]

    Let's run over the information from left to right. First we have the address (in RAM) of the code. Next we have the raw hex
    that makes up the code. Then we have the translated version of that hex. Last we have a comment field (contents vary). Now, if we
    want, we can just right-click the code and choose "Replace with code that does nothing" (or hell, we could click the "Replace"
    button back in the main debug window without having to open the disassembler), but that will only patch it in RAM. It will
    make the change so you won't take damage from contacting enemies, but the changes will only exist for this run. If you close and
    re-open the program, it's back to normal and you need to do these steps again.

    So for this tutorial we want to modify the EXE itself. The first thing to do is look at the hex data, and see how
    many bytes (pairs) there are. In this case we have 7. We'll also want to go to the "View" menu and check
    "Show module addresses" so we can see the EXE addresses instead of the RAM ones (left-hand column).

    [​IMG]

    So in this case the address is 1997A, and we have 7 bytes/pairs to replace. That address is a hex address, and we're wanting to modify
    the EXE itself, so let's make a copy of the main game program (let's call it Doukutsu_cracked.exe), and we fire up a hex editor and open
    that in it. Most hex editors will have a "go to line" or "go to offset" function, in this case we'll use it and go to entry 0x1997A.

    [​IMG]

    And what do we have here? This certainly looks familiar.

    [​IMG]

    Yup, the seven pairs/digits of hex starting from that point are the actual hex code we saw in the disassembler! So now we have the actual values that we need to replace, so we need to find how to replace them. Unfortunately simply deleting them is no good, we need to keep everything the same size... so we simply replace those 7 codes with "nop" or "no operation" codes, which tell the processor to do nothing on that line. In x86 assembly the noop code is hex value 90 (it varies for other platforms), so we can replace those 7 bytes with 90. Just click at the beginning of the 66, and start typing "90" until you've overwritten the original 7 pairs.

    [​IMG]

    (You'll notice that if you chose the "replace with a code that does nothing" option in Cheat Engine's debugger it would do the same thing.)

    Well, save the changes and then check it out. If you edited the right information, then the modified copy of Cave Story shouldn't reduce your health when you get hit.

    More information...
    x86 Assembly
    x86 Disassembly
    Debugger Detectors




    Extra Info
    Now, these examples were sort of narrow, the main point of them was just to show you some of the tools and how they're used. When it comes to actually hacking/cracking programs there's all sorts of approaches to it depending on what's actually being done, so here's some ideas for you about common restrictions.

    • Is the program fully-installed and simply checking for a serial on startup? See if you can search for the text the box has and look around in that area for the jump done when the serial is checked, see if you can force it to always jump to the "serial okay" routine (and then of course modify the EXE so it always thinks the serial is good).
    • Is the program checking for something online? Use Process Explorer to see what it's connecting to, then perhaps try out Wireshark to see the actual data being sent. See how the program reacts when you take away its ability to access the server it checks into, then see if you can exploit/modify that behavior. Barring that, you could always try to forge the response (or keep the files on you) with locally-installed server software, but this is rarely needed.
    • Does the program have a time limit you want to bypass? Use something like Process Monitor to watch its file actions, see if it's actually storing a file with a timestamp somewhere (or in the registry) and then doing a comparison later to see how much time has elapsed. It may simply be checking the system time instead (in the form of a unix timestamp), so you can try forging that or using its reading of that value to see what you need to modify.



     
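The magic-number check and the ASCII versus UCS-2 (BE) display from the Files section above, as an added example that is not part of the original post. The signature list is a small constructed subset of a real file-signature table, and the sample files are constructed byte strings, not the Word document from the screenshots.

```python
"""Identify a file by its leading bytes (the magic number / file signature) instead of
trusting its extension, and dump bytes with both an ASCII and a UCS-2 BE reading.
Added example, not code from the original post. SIGNATURES is a small constructed
subset of a real file-signature table; the sample files are constructed byte strings."""
import os

# (magic bytes, description, extensions that legitimately go with this format)
SIGNATURES = [
    (bytes.fromhex("D0 CF 11 E0 A1 B1 1A E1"),
     "OLE2 compound document (pre-2007 Word/Excel/PowerPoint)", {".doc", ".xls", ".ppt"}),
    (b"PK\x03\x04", "ZIP archive (also the container for .docx/.xlsx/.jar/.apk)",
     {".zip", ".docx", ".xlsx", ".jar", ".apk"}),
    (b"MZ", "DOS/Windows executable image (PE)", {".exe", ".dll", ".sys", ".scr"}),
    (b"\x7fELF", "ELF executable", {""}),          # ELF binaries usually have no extension
    (b"%PDF-", "PDF document", {".pdf"}),
    (b"\x89PNG\r\n\x1a\n", "PNG image", {".png"}),
    (b"\xff\xd8\xff", "JPEG image", {".jpg", ".jpeg"}),
]


def identify(data: bytes):
    """Return (description, extensions) for the first signature the data starts with, else None."""
    for magic, desc, exts in SIGNATURES:
        if data.startswith(magic):
            return desc, exts
    return None


def check_extension(name: str, data: bytes) -> str:
    """Compare what the file name claims with what the first bytes say."""
    ext = os.path.splitext(name)[1].lower()
    hit = identify(data)
    if hit is None:
        return f"{name}: unknown signature {data[:8].hex(' ').upper()}"
    desc, exts = hit
    if ext in exts:
        return f"{name}: {desc} (extension agrees)"
    if ext == "":
        return f"{name}: no extension, but the bytes say {desc}"
    # The classic disguise: a renamed executable posing as a document or image.
    return f"{name}: MISMATCH, extension {ext!r} but the bytes say {desc}"


def hexdump(data: bytes, width: int = 16) -> str:
    """Hex on the left, an ASCII reading in the middle and a UCS-2 BE reading on the right.

    Each UCS-2 character is two bytes, so the ASCII column shows '.H.i' for 'Hi' and
    renders the two bytes of a non-ASCII character (21 22 for the TM sign) as two junk symbols."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02X}" for b in chunk).ljust(width * 3 - 1)
        ascii_part = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        ucs2 = chunk.decode("utf-16-be", errors="replace")   # UCS-2 BE is a subset of UTF-16 BE
        ucs2_part = "".join(c if c.isprintable() else "." for c in ucs2)
        lines.append(f"{off:08X}  {hexpart}  {ascii_part:<{width}}  {ucs2_part}")
    return "\n".join(lines)


# Constructed samples standing in for the files in the post.
DOC_HEADER = bytes.fromhex("D0 CF 11 E0 A1 B1 1A E1") + b"\x00" * 8   # old Word document, no name
UCS2_TEXT = "Hi there\u2122".encode("utf-16-be")                       # 00 48 00 69 ... 21 22
DISGUISED = b"MZ\x90\x00" + b"\x00" * 12                                # executable named like a PDF

if __name__ == "__main__":
    print(check_extension("report", DOC_HEADER))
    print(check_extension("invoice.pdf", DISGUISED))
    print(check_extension("notes.doc", DOC_HEADER))
    print(hexdump(UCS2_TEXT))
```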
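The "first scan" / "next scan" process of elimination from the Editing RAM section, as an added example that is not part of the original post. The "memory" is a constructed 4 KiB byte string standing in for the game's RAM, with a health field and a decoy at made-up offsets; it is not read from a real process.

```python
"""Cheat Engine style value scanning by process of elimination, over memory snapshots.
Added example, not code from the original post: the 'memory' is a constructed 4 KiB
byte string standing in for Doukutsu.exe's RAM, with a health field at a made-up offset."""
import struct

WIDTH_FMT = {1: "<B", 2: "<H", 4: "<I"}   # little-endian integers, as on x86


def scan_first(snapshot: bytes, value: int, width: int = 4, align: int = 4) -> set:
    """'First scan': every offset (aligned to `align`) whose `width`-byte integer equals value."""
    fmt = WIDTH_FMT[width]
    return {off for off in range(0, len(snapshot) - width + 1, align)
            if struct.unpack_from(fmt, snapshot, off)[0] == value}


def scan_next(snapshot: bytes, value: int, candidates: set, width: int = 4) -> set:
    """'Next scan': keep only the candidates that now hold the newly observed value."""
    fmt = WIDTH_FMT[width]
    return {off for off in candidates
            if struct.unpack_from(fmt, snapshot, off)[0] == value}


def locate_by_elimination(observations):
    """observations: [(snapshot, value seen on screen), ...] in the order they were taken.
    Returns the surviving offsets and how many candidates remained after each round."""
    snapshot, value = observations[0]
    candidates = scan_first(snapshot, value)
    history = [len(candidates)]
    for snapshot, value in observations[1:]:
        candidates = scan_next(snapshot, value, candidates)
        history.append(len(candidates))
    return candidates, history


# --- constructed game memory --------------------------------------------------
HEALTH = 0x2A0        # the field we want (made-up offset)
DECOY_TIMER = 0x5F0   # a field that also goes 3 -> 2 on the first hit, then jumps elsewhere
OTHER_THREES = (0x010, 0x0F4, 0x3C8, 0x7A0, 0xB10)   # lives, level, menu index... all hold 3


def build_memory(health: int, timer: int) -> bytes:
    """One snapshot of the constructed address space."""
    mem = bytearray(0x1000)
    for off in OTHER_THREES:
        struct.pack_into("<I", mem, off, 3)
    struct.pack_into("<I", mem, HEALTH, health)
    struct.pack_into("<I", mem, DECOY_TIMER, timer)
    return bytes(mem)


# Three snapshots: full health, after one hit, after a second hit.
OBSERVATIONS = [
    (build_memory(health=3, timer=3), 3),
    (build_memory(health=2, timer=2), 2),   # two addresses survive, like in the post
    (build_memory(health=1, timer=7), 1),   # the decoy drops out
]

if __name__ == "__main__":
    found, history = locate_by_elimination(OBSERVATIONS)
    print("candidates after each scan:", history)          # [7, 2, 1]
    print("health lives at", ", ".join(f"0x{o:X}" for o in sorted(found)))
```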
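The same-size NOP patch at file offset 0x1997A from the Editing ASM section, seen from the integrity-checking side: compare a copy against the known-good original and report exactly which bytes changed. Added example, not code from the original post; both "files" are constructed byte strings standing in for Doukutsu.exe and Doukutsu_cracked.exe, and the 7-byte instruction is a made-up stand-in (the post shows only that it starts with 66).

```python
"""Integrity check for a patched binary: compare a copy against the known-good original
and report every run of changed bytes, flagging runs that were overwritten with x86 NOPs.
Added example, not code from the original post. Both 'files' are constructed byte strings
standing in for Doukutsu.exe and Doukutsu_cracked.exe; the 7-byte instruction at 0x1997A
is a made-up stand-in (the post shows only that it starts with 66)."""
import hashlib

NOP = 0x90                         # x86 'no operation'
SIZE = 0x1A000                     # ~104 KiB, enough to contain offset 0x1997A
PATCH_OFFSET = 0x1997A
ORIGINAL_CODE = bytes.fromhex("66 89 0D 00 00 00 00")   # constructed stand-in instruction


def nop_out(data: bytes, offset: int, length: int) -> bytes:
    """Overwrite `length` bytes at `offset` with NOPs, keeping the file exactly the same size."""
    if offset + length > len(data):
        raise ValueError("patch runs past end of file")
    return data[:offset] + bytes([NOP]) * length + data[offset + length:]


def diff_ranges(original: bytes, modified: bytes):
    """Return [(offset, old_bytes, new_bytes), ...] for each contiguous run of changed bytes.
    Files of different length are rejected: every offset after the change would have shifted."""
    if len(original) != len(modified):
        raise ValueError(f"size differs: {len(original)} vs {len(modified)} bytes")
    ranges, i, n = [], 0, len(original)
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        start = i
        while i < n and original[i] != modified[i]:
            i += 1
        ranges.append((start, original[start:i], modified[start:i]))
    return ranges


def describe(ranges):
    """One human-readable line per changed range, naming NOP-outs explicitly."""
    out = []
    for off, old, new in ranges:
        kind = "NOP-out" if set(new) == {NOP} else "byte change"
        out.append(f"0x{off:X}: {len(old)} byte(s) {kind}: "
                   f"{old.hex(' ').upper()} -> {new.hex(' ').upper()}")
    return out


def build_original() -> bytes:
    """Constructed stand-in for the game EXE: MZ header, deterministic filler, our instruction."""
    mem = bytearray((i * 7 + 13) & 0xFF for i in range(SIZE))
    mem[0:2] = b"MZ"
    mem[PATCH_OFFSET:PATCH_OFFSET + len(ORIGINAL_CODE)] = ORIGINAL_CODE
    return bytes(mem)


ORIGINAL = build_original()
PATCHED = nop_out(ORIGINAL, PATCH_OFFSET, len(ORIGINAL_CODE))

if __name__ == "__main__":
    for name, blob in (("Doukutsu.exe", ORIGINAL), ("Doukutsu_cracked.exe", PATCHED)):
        print(f"{name}: sha256 {hashlib.sha256(blob).hexdigest()}")
    for line in describe(diff_ranges(ORIGINAL, PATCHED)):
        print(line)
```

Against a real pair of files the same functions apply to the bytes read from disk; the hash line shows why a published checksum catches the patch even before the diff says where it is.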


  2. Anon10W1z

    Member Anon10W1z GBAtemp Maniac

    Joined:
    Feb 18, 2012
    Messages:
    1,112
    Location:
    Somewhere over the rainbow
    Country:
    United States
    Sweet explanations man!
     
  3. Costello

    Administrator Costello Headmaster

    Joined:
    Oct 24, 2002
    Messages:
    12,031
    1) why didn't you post this in the tutorials/guides section?
    2) why did you put all the content in spoilers? it cannot be indexed by google properly, which means people cannot stumble upon your guide while searching google
    3) nice guide :)
     
  4. Rydian
    OP

    Ahh I keep forgetting about that forum as I usually jump here... I'll edit the thread later, try to space it so it still looks good and all that jazz.
     
  5. Anon10W1z

    I have the spoilered post code here :)

    Sorry, the images didn't show up.
    Code:
    Basic File/Program Hacking Information
    
    Ever wondered what "hex editing" is?
    Want to learn how to cheat on PC games?
    Have you ever wanted to "crack" a program?
    
    This guide has some basic info to get you started.
    
    •Files
    ◦Information Gathering
    ◦Hex Editing
    •Programs
    ◦Information Gathering
    ◦Editing RAM
    ◦Editing ASM
    •Extra Info
    
    - Files -
    
    Information Gathering
    [spoiler]
    So let's say that you have a file, and you don't know what it is... but you want to check it out.
    The most basic information can be gathered by checking out the file's properties (via the right-click menu).
    I know this seems really basic, but it shows you some important info such as the program that will
    be used to open the file when you double click on it, and the timestamp of when the file was last edited.
    
    In this example we can plainly see that this is a Word document... but what if the right program to open
    a file isn't known?  Generally googling the extension can lead you to a multitude of programs used to open
    whatever file type that is.  If you do have the proper program installed but it's not set as the default,
    you can change the default from the Open With section of the right-click menu.  This is sometimes needed
    when some installed programs change the association in ways you don't want.
    
    Now, what if there's no extension at all?
    
    We can see in this version that Windows doesn't know what the file is.  That's because Windows goes by the
    file's extension (the latters after the final period in the name).  The extension is easy to change, you
    can simply go into the Windows folder options and uncheck the setting to hide extensions for known types.
    Because of this the file extension is not concrete, and it does not determine the format of a file.
    It's used for Windows to know what program to open the file with, so don't assume it's always correct
    because it's not.  So how else can we figure out what type of file it is?
    
    If you don't know what a file contains or you need internal information without an official editor, you
    can always use a Hex editor.  A Hex editor can open any file out there and make raw, direct changes to the
    recorded data, so it's an invaluable tool to have around if you're going to be doing this type of thing.
    There's lots out there both paid and free (Hex Workshop, XVI32, Catch22), but I prefer the free
    HxD for ease of use so that's what the screenshots will show.
    
    So the first think we'll do is fire up HxD and open the file in it.
    
    On the left is the raw hexadecimal information contained in the file, and on the right is a representation
    of it in plain text, but we'll get into that later.  What we're interested in right now are the first few
    pieces of hexadecimal data.  In general, the first 2-16 bytes/pieces (4 is most common) are known as the
    "magic number", or "file signature".  This is often a certain sequence that is used to identify a file
    format.  For our example file, it's "D0 CF 11 E0 A1 B1 1A E1", and from a google result,
    it points out that's the ID for a Microsoft Word (pre-07) document.
    
    So if you have a missing extension or you think the cake extension is a lie, check out the first few bytes in a hex editor and do a little googling.
    
    More information...
    File Attributes
    File Extension
    File Association
    Hexadecimal
    Magic Number (File Signature)
    File Signature Table
    [/spoiler]
    Hex Editing
    [spoiler]
    Well we can view the file, what about editing it?
    
    First we need to learn about character encoding.  If we scroll down a bit in the example file,
    we can find some of the text that the file actually contains.
    
    You can see the hex version of the data on the left, and the text version on the right.  More specifically,
    this is ASCII (or sometimes you'll see "ANSI").  The "encoding" describes the mapping of hex to normal letters.
    In this case you can the value 0x48 in hex equals the capital "H", 0x69 is the lowercase "i", 20 is the space, and so on.
    (Generally hex numbers have "0x" in front of them or "h" after them to point out they're hex, not decimal.)
    
    Now in most cases a hex editor will be able to show the text, but it may not always be in the format you'd expect.
    For an example, let's take a different file that has some text in the UCS-2 (BE) format.
    
    Notice that, even though the text is readable, it seems broken up.  That's because UCS-2 uses TWO bytes per letter
    instead of one, but the editor is still trying to display it as if it was ASCII, which is why the ™ symbol at
    the end is not displaying properly, because that character is not in ASCII.  You'll notice that while most characters
    are "00" and then something, the TM symbol is different in that it actually does use two bytes for it's value.  The
    rest of the text is displaying something we can at least make out,  but this is not always the case, and viewing
    something in the wrong encoding can result in something totally unreadable, so it's important to try viewing data with
    a few different encodings.  If you're going to be viewing things with a lot of special characters or especially foreign
    languages, it's important to get an editor that supports the kind of encodings you'll be working with.
    
    Well since for the original example we're dealing with normal ASCII (within the word document), we can edit it right
    away.  We can either edit the direct directly on the right by clicking and typing to overwrite the symbols, or we can
    look up the character encoding in the ASCII table and edit the hex side.  Either way, we can edit the file and then save it.
    
    Then upon opening it in Word, we can see the changes.
    
    More information...
    ASCII
    Hex-Decimal Converter
    Character Encoding
    ROM Hacking Hex Editors
    Comparison Of Hex Editors
    [/spoiler]
    
    
    - Programs -
    
    Information Gathering
    [spoiler]
    For basic information about a program's file, you'd simply check the properties like before, but with a
    running program there's a lot more.  For most basic information Windows' Task Manager works.  It doesn't show
    much information by default, but if you go to View - Select Columns and you can have it show you more.
    
    Of course, there's tools that can show you a lot more than that.  A good one is Process Explorer, and it can certainly
    give you more information about what a program is doing internally.  Wanna' know what sort of connections a program is making?
    Want to see how many threads it's launched?  Want to see how much of your GPU's power a game is using?
    Process Explorer can show you.
    
    More information...
    What's the difference between an Application, Process, and Services?
    Threads
    MSconfig Guide
    [/spoiler]
    
    Editing RAM
    [spoiler]
    How can we see what data a program is actually holding, and modify it?  Programs hold their working
    data in RAM, so you'd use a RAM editor.  RAM editors generally attach to a running program and then allow you
    to find RAM values that have the data you want, using the process of elimination to narrow down the addresses.
    While many hex editors have the ability to look into and modify the RAM of a program, in this case we're going
    to want a tool specially designed for the job; Cheat Engine.
    
    So we'll get Cheat Engine, and open it up.  We'll also download Cave Story (and the translation patch, if you care).
    Run Cave Story (Doukutsu.exe), start a new game, wait for the intro cutscene to be over, then head through the
    door at the top (DOWN enters doors in this game).
    
    So we can see that we have three HP, that's the value we want to take control of.  Open up Cheat Engine, and click
    the "open process" button (it glows red and green), find Doukutsu.exe in the list, and select it.  Look at
    your health, and then type that number into the "value" box and click "first scan".  This scans the RAM of
    Doukutsu.exe for anything that's set to the value "3" (in this example), and returns all the results on the left.
    
    That's too many, it looks like there's a lot of pieces of data with the value "3" (which is to be expected). How do we find
    which address holds the value we want?  Well, play until you get hit by something (such as the enemy to the right) and your
    HP is reduced.  Then we can search for the new value as well, and it'll filter the search results using the process of elimination.
    
    After doing this a few times, we end up with just two addresses.  Sometimes you'll end up with just one,
    sometimes more. If you have more than one you'll just need to guess.  To start editing the contents of
    an address, double-click it in the results column on the left to bring it down to the bottom of the window.
    From there you can double-click the value and change it as you like.
    
    So since we changed the value and the actual health changed in-game, we know this is the right address.
    In addition to simply changing the value, we can use the checkmart at the very left to "freeze" it, where
    Cheat Engine will try to keep the value from changing automatically (it's not perfect, but it's good
    enough for most cases).  Keep Cheat Engine and Cave Story running, because we'll be using them in the next lesson.
    
    Now, this was a very simple example.  For many real-world programs and games you'll have to deal with things like pointers
    and varying types of data (flag, 4-byte, float, string) so I highly suggest you check out the tutorial program included with
    Cheat Engine (Start -> All Programs -> Cheat Engine -> Cheat Engine Tutorial), as it gives you basic instructions and an
    interactive program to hack in order to learn about these things.
    
    More information...
    Cheat Engine Tutorials
    Data Type (Int, Float, Double, String, etc.)
    Endianness
    [/spoiler]
    
    Editing ASM
    [spoiler]
    While you can find and edit RAM values, sometimes you'll want to change the behavior of the program itself.  When programs
    are created in programming languages like C++ and Java they're written in human-readable code, like this.
    
    Then they're run through a compiler which takes that code and transforms the instructions into machine code that the computer
    can actually run (such as an EXE file).  (In the case of interpreted languages like Python and Java, the programs are compiled
    on-the-fly when they're run.)  This means that for most programs we don't have the source code (including the descriptive comments),
    only the machine code... but we can still edit it!  While you may need the source code to make big official changes, smaller changes
    can be done by editing the compiled program.  This means we don't have the human-readable source code or comments, so finding
    what to modify and how to change it involves a bit of exploration and tinkering, but ASM modification is a key tool in cracking programs.
    
    In order to look into the actual machine code that's being run so we can modify it, we'll need a debugger.  There's many debugging
    programs out there and we'll use one later, but for now we'll keep using Cheat Engine since it has a debugger as well that ties
    right into the stuff we've already done.  So, with Cheat Engine and Cave Story open, and the address to your health found, right-click
    it and choose "Find what writes to this address", and tell Cheat Engine yes, attach the debugger.  Now not all programs like being
    debugged and there's a couple things they can do to detect and stop it, but for now we don't have to worry about that.
    
    A new window will come up, empty for now.  This window will list code snippets that (try to)
    change the health value, so go ahead and get hit by an enemy so an entry appears.
    
    That entry is the line of assembly that modifies the health value, so it's what we want to blank out.
    Click it once, and then click the "Show disassembler" button, and you'll see this window.
    
    Let's run over the information from left to right.  First we have the address (in RAM) of the code.  Next we have the raw hex
    that makes up the code.  Then we have the translated version of that hex.  Last we have a comment field (contents vary).  Now, if we
    want, we can just right-click the code and choose "Replace with code that does nothing" (or hell, we could click the "Replace"
    button back in the main debug window without having to open the disassembler), but that will only patch it in RAM.  It will
    make the change so you won't take damage from contacting enemies, but the changes will only exist for this run.  If you close and
    re-open the program, it's back to normal and you need to do these steps again.
    
    So for this tutorial we want to modify the EXE itself.  The first thing to do is look at the hex data, and see how
    many bytes (pairs) there are.  In this case we have 7.  We'll also want to go to tghe "View" menu and check
    "Show module addresses" so we can see the EXE addresses instead of the RAM ones (left-hand column).
    
    So in this case the address is 1997A, and we have 7 bytes/pairs to replace.  That address is a hex address, and we're wanting to modify
    the EXE itself, so let's make a copy of the main game program (let's call it Doukutsu_cracked.exe), and we fire up a hex editor and open
    that in it.  Most hex editors will have a "go to line" or "go to offset" function, in this case we'll use it and go to entry 0x1997A.
    
    And what do we have here?  This certainly looks familiar.
    
    Yup, the seven bytes starting at that offset are exactly the bytes we saw in the disassembler!  So now we know the values we need to replace, and we need a way to replace them.  Simply deleting them is no good: every byte after them would shift and the rest of the program's addresses would no longer line up, so we need to keep everything the same size.  Instead we overwrite those 7 bytes with "nop" ("no operation") instructions, which tell the processor to do nothing and move on to the next one.  In x86 assembly the NOP opcode is the single byte 90 (it varies for other platforms), so we replace each of the 7 bytes with 90.  Just click at the beginning of the 66 and keep typing "90" until you've overwritten the original 7 pairs.
    
    (You'll notice that the "Replace with code that does nothing" option in Cheat Engine's debugger does exactly this, only in RAM.)
    
    Well, save the changes and then test it.  If you edited the right bytes, the modified copy of Cave Story shouldn't reduce your health when you get hit.
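The patching steps above (count the bytes, switch to module addresses, go to that offset in a copy of the EXE, overwrite with 90s), as an added Python example; this is not code from the guide or from Cave Story. It does the part a hex editor cannot check for you: the module-relative address Cheat Engine shows is the instruction's offset from the module base in memory (its RVA), and that only equals the file offset when the section sits at the same offset on disk as in memory, which happened to hold for Doukutsu.exe. The script reads the PE section table to convert the address, refuses to write unless the bytes at the computed offset match what the disassembler showed, and only then overwrites them with NOPs; find_pattern is the fallback of searching the file for the byte sequence. The 7-byte instruction and the tiny PE image are constructed for the demo (the guide does not list the actual bytes), and the section is deliberately laid out so that RVA and file offset differ.

```python
import struct

NOP = 0x90  # the single-byte x86 "no operation" opcode


def pe_sections(pe: bytes):
    """Yield (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    for each section header of a PE image; the layout is the same for PE32 and PE32+."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(num_sections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, table + i * 40)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vsize, va, rawsize, rawptr


def rva_to_file_offset(pe: bytes, rva: int) -> int:
    """Turn a module-relative address (Cheat Engine's module+offset) into the offset
    of the same bytes in the EXE on disk, via the section that contains it."""
    for name, vsize, va, rawsize, rawptr in pe_sections(pe):
        if va <= rva < va + max(vsize, rawsize):
            delta = rva - va
            if delta >= rawsize:
                raise ValueError(f"{rva:#x} is in the zero-filled tail of {name}, not stored in the file")
            return rawptr + delta
    raise ValueError(f"{rva:#x} is not backed by any section: packed EXE or runtime-generated code?")


def patch_bytes(pe: bytes, rva: int, expected: bytes, replacement: bytes) -> bytes:
    """Return a patched copy of pe, refusing to write unless the file really holds
    `expected` at the computed offset (a wrong offset would corrupt something else)."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must be the same size; deleting bytes shifts everything after them")
    off = rva_to_file_offset(pe, rva)
    found = pe[off:off + len(expected)]
    if found != expected:
        raise ValueError(f"file offset {off:#x} holds {found.hex()}, expected {expected.hex()}")
    out = bytearray(pe)
    out[off:off + len(replacement)] = replacement
    return bytes(out)


def nop_out(pe: bytes, rva: int, expected: bytes) -> bytes:
    """Replace one instruction with the same number of NOPs, as the guide does by hand."""
    return patch_bytes(pe, rva, expected, bytes([NOP]) * len(expected))


def find_pattern(pe: bytes, needle: bytes) -> list:
    """Fallback when the offset does not line up: every file offset holding `needle`."""
    hits, start = [], 0
    while (i := pe.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def build_sample_pe(code: bytes, where: int = 0x10) -> bytes:
    """Constructed minimal PE32 with one .text section loaded at RVA 0x1000 but stored
    at file offset 0x400, so that RVA and file offset deliberately differ."""
    text_va, text_raw, text_size = 0x1000, 0x400, 0x200
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header right after the DOS header
    opt_size = 0xE0
    # Machine=i386, 1 section, timestamp, symbol table ptr/count, optional header size, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)  # ImageBase
    section = struct.pack("<8sIIIIIIHHI", b".text", text_size, text_va, text_size,
                          text_raw, 0, 0, 0, 0, 0x60000020)  # code | execute | read
    headers = (bytes(dos) + b"PE\0\0" + coff + bytes(opt) + section).ljust(text_raw, b"\0")
    body = bytearray(text_size)
    body[where:where + len(code)] = code
    return headers + bytes(body)


# Constructed stand-in for the 7-byte health-subtracting instruction in the guide:
# 66 29 81 D8 00 00 00 = sub word [ecx+0D8h], ax  (the leading 66 makes it a 16-bit op)
SAMPLE_CODE = bytes.fromhex("662981D8000000")
SAMPLE_RVA = 0x1010  # what Cheat Engine would show as module+1010


def demo() -> tuple:
    """Patch the constructed image; return (file offset, bytes before, bytes after)."""
    pe = build_sample_pe(SAMPLE_CODE)
    off = rva_to_file_offset(pe, SAMPLE_RVA)
    patched = nop_out(pe, SAMPLE_RVA, SAMPLE_CODE)
    return off, pe[off:off + 7], patched[off:off + 7]


if __name__ == "__main__":
    off, before, after = demo()
    print(f"module+{SAMPLE_RVA:X} -> file offset {off:#x}: {before.hex()} -> {after.hex()}")
```

To use it on a real copy, read the file into `pe`, pass the module offset from Cheat Engine and the bytes from the disassembler to nop_out, and write the result back to the copy. A ValueError saying the address is not backed by any section means the code you saw in RAM is not in the file as stored on disk, which is what a packed EXE looks like.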
    
    More information...
    x86 Assembly
    x86 Disassembly
    Debugger Detectors
    [/spoiler]
    
    Extra Info
    [spoiler]
    Now, these examples were sort of narrow; the main point was just to show you some of the tools and how they're used.  When it comes to actually hacking/cracking programs there are all sorts of approaches depending on what's actually being done, so here are some ideas about common restrictions.
    •Is the program fully installed and simply checking for a serial on startup?  Search the EXE for the text of the "bad serial" message box, look around the code that references it for the conditional jump taken when the serial is checked, and see if you can force it to always take the "serial okay" path (and then of course modify the EXE so it always thinks the serial is good, the same way we NOPped out the health code).
    
    •Is the program checking for something online?  Use Process Explorer to see what it's connecting to, then perhaps try out Wireshark to see the actual data being sent.  See how the program reacts when you take away its ability to reach the server it checks in with, then see if you can exploit/modify that behaviour.  Barring that, you could always try to forge the response (or host the files it fetches yourself) with locally-installed server software, but this is rarely needed.
    
    •Does the program have a time limit you want to bypass?  Use something like Process Monitor to watch its file and registry activity, and see whether it stores a timestamp somewhere (a file or a registry value) on first run and compares against it later to see how much time has elapsed.  It may simply be reading the system time (as a Unix timestamp) instead, so you can try forging that, or break on where it reads that value and follow the comparison to see what you need to modify.
    [/spoiler]
    [quote="Changelog"]
    5/14/2012 - Added a link to FAST's thread on hex editors.
    5/9/2012 - Added the "extra info" section with various ideas.
    5/9/2012 - First version.
    [/quote]
    
     
  6. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    I was trying to replicate what you did with Cave Story on a game called Jasper's Journeys (just some game I had on my computer from a Humble Indie bundle). All went well to begin with, easily managed to increase my health and find the function that changed the health, and replace it with NOPs in RAM, but when I opened the EXE in HxD and went to the address shown in Cheat Engine, it wasn't the same bytes as were shown in Cheat Engine. I even searched for the same bytes, they weren't in the EXE at all. Any ideas what the next step would be? Or is this EXE likely to be too heavily obfuscated to be able to do this?

    EDIT: (I even managed to take it a little further - in this game you pick up these fruit things. Normally each you pick up increases your fruit count by 2. I changed it to increase it by 100; again this is something that would be cool to be able to do permanently in the EXE I think)
     
  7. Anon10W1z

    Member Anon10W1z GBAtemp Maniac

    Joined:
    Feb 18, 2012
    Messages:
    1,112
    Location:
    Somewhere over the rainbow
    Country:
    United States
    Can you explain yourself with pictures?
     
  8. Rydian
    OP

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    I grabbed the demo (assuming it's using the same base code as the full, minus specific offsets and junk) to see what's up.

    00407A9E - 89 81 D8000000 - mov [ecx+000000D8],eax
    That, right?

    Seems to be a static address (showing up in green in the results) but yeah it's not located in the binary (in fact the binary doesn't even go into that range) so I'm guessing it's packed or compressed to save space (assuming this game's not using a lot of managed/dynamic code, in which case another approach would be needed). I don't have much experience with this sort of thing, but from opening it in the PE Explorer trial, it doesn't look like it's packed with any of the most common tools.

    21.06.2012 06:46:08 : Open File: C:\Users\Rydian\Desktop\jaspers-journeys_win32\jasper.exe
    21.06.2012 06:46:11 : File size: 790985 bytes.
    21.06.2012 06:46:11 : Using the Plug-in subsystem...
    21.06.2012 06:46:11 : NsPack Unpacker Plug-in: Executing...
    21.06.2012 06:46:11 : NsPack Unpacker Plug-in: The file is not NsPacked
    21.06.2012 06:46:11 : NsPack Unpacker Plug-in: not accomplished.
    21.06.2012 06:46:11 : Upack Unpacker Plug-in: Executing...
    21.06.2012 06:46:11 : Upack Unpacker Plug-in: The file is not Upacked
    21.06.2012 06:46:11 : Upack Unpacker Plug-in: not accomplished.
    21.06.2012 06:46:11 : UPX Unpacker Plug-in: Executing...
    21.06.2012 06:46:11 : UPX Unpacker Plug-in: The file is not UPX-packed
    21.06.2012 06:46:11 : UPX Unpacker Plug-in: not accomplished.

    So Idunno' what's going on here, like most cases. I usually just make a trainer. XD
     
  9. Issac

    Member Issac Mini-mod

    Joined:
    Apr 10, 2004
    Messages:
    4,465
    Location:
    Sweden
    Country:
    Sweden
    Really nice guide and easy to follow! Good work!
     
  10. SifJar

    Member SifJar Not a pirate

    Joined:
    Apr 4, 2009
    Messages:
    6,022
    Country:
    United Kingdom
    OK thanks, I thought it might be compressed but I tried some program meant to detect compression and also couldn't find anything. Thanks anyway.
     
  11. Anon10W1z

    Member Anon10W1z GBAtemp Maniac

    Joined:
    Feb 18, 2012
    Messages:
    1,112
    Location:
    Somewhere over the rainbow
    Country:
    United States
    Also @[member='Rydian'], can you explain how to hack more advanced games?
     
  12. Gleasonator

    Newcomer Gleasonator Newbie

    Joined:
    Jun 7, 2007
    Messages:
    3
    Country:
    United States
    Do these memory addresses change each time you play the game? And if so, is it because the game is loading into different sections of your computer's memory each time, or is it because the game itself spreads data throughout memory based on available empty spots (or both)?
     
  13. Rydian
    OP

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    That depends on the game. Addresses that show up in green (like the example) are static addresses and therefore unlikely to change, but the majority of software you'll find nowadays will use dynamic addresses.

    The memory is relative to the program itself, so it's the second one, sort of.

    There's lots of reasons addresses are different on each boot, such as code (and resource data) being loaded into RAM at different rates but having to share the same main space, so sections of code might be in different spaces relative to each other depending on how they loaded. As far as programs see it when they first load they get their own virtual spot in RAM that, as far as they see, is unbroken (this is seen when checking out RAM addresses of games and programs, they're relative to an imaginary starting point). Programs will load things into their own virtual RAM space differently depending on various factors.

    The reason that Cave Story's addresses don't change is because it's a relatively-simple game coded by hand, it's not using a bunch of fancy self-referencing code and such because the engine was programmed to work a very specific way. The reason that the addresses in RAM are the same as in the program is because the program reads itself into memory to execute, it's not using any compression (like programs that start up a small piece of code to decompress themselves and then put the decompressed copy of the program into RAM) or fancy techniques like that.

    An example is Terraria, written in .NET 4.0 with XNA. Because of some stuff to do with the framework it was built on, Terraria only loads code as it's needed... so for example the values/addresses involving health aren't made on startup, they're only created when you actually start a level. Depending on what you do in the title screen or main menus beforehand (or even the size of the level that has to load before the game starts), the values for health will load into different places. This kind of thing means the values are very rarely in the same place twice.

    Hell, in some other games player stat addresses change when going from one level to another (as certain code is unloaded and then reloaded).

    Addresses like this that change are most often referenced with pointers, check out some cheat engine pointer tutorials (or run the tutorial program it installs alongside itself) to get a better idea of how that works and how to mess with them (and for more info than the basic outline I gave).
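The post above explains why a health address moves between runs and says such addresses are reached through pointers. As an added example (not Rydian's code, and not Cheat Engine's), the following Python simulates that situation in a constructed, fake address space: a global in the module (assumed at module+1000) points at a player object on the heap, which points at a stats object holding health. The heap addresses differ between two simulated launches, yet the pointer path [[module+1000]+18]+4C resolves to health in both, and a one-level pointer scan (the idea behind Cheat Engine's pointer scanner, much simplified) rebuilds that path from the health address alone. Every address, offset and value here is made up for the demo.

```python
import struct

U32 = struct.Struct("<I")  # 32-bit little-endian words, as in the 32-bit games discussed here


class FakeProcess:
    """Constructed stand-in for a game's address space: one flat bytearray read the
    way Cheat Engine reads process RAM. Addresses are simply indices into it."""

    def __init__(self, size: int = 0x10000):
        self.mem = bytearray(size)

    def write_u32(self, addr: int, value: int) -> None:
        U32.pack_into(self.mem, addr, value)

    def read_u32(self, addr: int) -> int:
        if not 0 <= addr <= len(self.mem) - 4:
            raise ValueError(f"read at {addr:#x} is outside mapped memory")
        return U32.unpack_from(self.mem, addr)[0]


def resolve_pointer_path(proc: FakeProcess, base: int, offsets: list) -> int:
    """Follow a Cheat Engine style pointer path such as [[base]+18]+4C: read the
    pointer stored at the static base, add an offset and read again for every level,
    and return the final address (the last offset is added, not dereferenced)."""
    addr = proc.read_u32(base)
    for off in offsets[:-1]:
        addr = proc.read_u32(addr + off)
    return addr + offsets[-1]


def scan_pointers_to(proc: FakeProcess, target: int, max_offset: int = 0x100) -> list:
    """One level of what a pointer scanner does: any aligned 4-byte value v with
    0 <= target - v < max_offset may be a pointer to the object that contains target.
    Returns (address holding that pointer, offset) pairs."""
    hits = []
    for addr in range(0, len(proc.mem) - 3, 4):
        v = proc.read_u32(addr)
        if v and 0 <= target - v < max_offset:
            hits.append((addr, target - v))
    return hits


# Constructed layout: a global in the module points at the player object on the heap,
# which points at a stats object, and health lives inside that. None of this is Cave Story.
STATIC_PLAYER_PTR = 0x1000  # "game.exe+1000": never moves, it is part of the module
STATS_OFF = 0x18            # player->stats
HEALTH_OFF = 0x4C           # stats->health


def lay_out_run(proc: FakeProcess, player_addr: int, stats_addr: int, health: int) -> int:
    """Simulate one launch: the heap objects land wherever the allocator put them this
    time, but the global always points at the player. Returns health's absolute address."""
    proc.write_u32(STATIC_PLAYER_PTR, player_addr)
    proc.write_u32(player_addr + STATS_OFF, stats_addr)
    proc.write_u32(stats_addr + HEALTH_OFF, health)
    return stats_addr + HEALTH_OFF


def demo() -> dict:
    """Two launches with different heap layouts: health moves, the pointer path does not."""
    results = {}
    for run, (player, stats, hp) in enumerate([(0x8000, 0x9000, 3), (0x8400, 0xA200, 5)], 1):
        proc = FakeProcess()
        real = lay_out_run(proc, player, stats, hp)
        found = resolve_pointer_path(proc, STATIC_PLAYER_PTR, [STATS_OFF, HEALTH_OFF])
        # Rebuild the path from the health address alone, as a pointer scan would:
        # what points near health (the stats pointer), then what points near that holder.
        holder, off1 = scan_pointers_to(proc, real)[0]
        base, off0 = scan_pointers_to(proc, holder)[0]
        results[run] = {"health_addr": real, "resolved": found,
                        "value": proc.read_u32(found), "path": (base, [off0, off1])}
    return results


if __name__ == "__main__":
    for run, r in demo().items():
        print(f"run {run}: health at {r['health_addr']:#x}, path [[{r['path'][0]:#x}]"
              f"+{r['path'][1][0]:#x}]+{r['path'][1][1]:#x} -> {r['resolved']:#x} = {r['value']}")
```

The scan here only looks one level back and at one object, which is why it finds exactly one candidate per level; on a real process you get thousands of candidates, and the usual trick is to rescan after restarting the game and keep only the paths that still resolve to the value, which is what Cheat Engine's pointer scanner automates.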
     
  14. Luigi2012SM64DS

    Banned Luigi2012SM64DS G-old member

    Joined:
    Aug 27, 2011
    Messages:
    2,060
    Location:
    Minecrapt
    Country:
    Canada
    I loled at "cake is a lie" cuz that's from sm64.
     
  15. Rydian
    OP

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    No, it's from Portal.

    [youtube]http://www.youtube.com/watch?v=0pig3PbHyJY[/youtube]
     
  16. Luigi2012SM64DS

    Banned Luigi2012SM64DS G-old member

    Joined:
    Aug 27, 2011
    Messages:
    2,060
    Location:
    Minecrapt
    Country:
    Canada
    Which came from SM64
     
  17. Rydian
    OP

    Member Rydian Resident Furvert™

    Joined:
    Feb 4, 2010
    Messages:
    27,883
    Location:
    Cave Entrance, Watching Cyan Write Letters
    Country:
    United States
    No, nothing in Portal references that game. After portal came out, people jokingly referenced SM64's intro in it.

    The phrase "the cake is a lie" (and "the x is a lie" reference jokes) are from Portal, where the promise of Cake (and understanding that there is no cake) is part of the plot. "The cake is a lie" is even the graffiti on some walls in extra chambers (as the video shows).

    SM64 mentions the cake once in the intro as reason for coming to the castle, and then at the ending where you go off to make it. So in SM64, the cake isn't even a lie.
     
  18. Anon10W1z

    Member Anon10W1z GBAtemp Maniac

    Joined:
    Feb 18, 2012
    Messages:
    1,112
    Location:
    Somewhere over the rainbow
    Country:
    United States
    Enough off-topic.
     
  19. boondoklife

    Member boondoklife GBAtemp Regular

    Joined:
    Sep 12, 2009
    Messages:
    187
    Location:
    Jah's Pocket
    Country:
    United States
    If only I had seen a well compiled post like this years ago when I started hacking lol. Great information and very reminiscent of my trolling on blacksun before it got nuked.

    Well done!
     
  20. TVNewsIsBiased

    Newcomer TVNewsIsBiased Developer

    Joined:
    Nov 28, 2012
    Messages:
    10
    Country:
    Germany
    This reminded me of making cheats for Diablo back in the 1990s. Epic lulz.

    Like Rydian was explaining, an EXE is a compiled binary. Binary is a base 2 number system. In fact "binary" in Latin loosely means 'made of 2 parts'. Hence the 1s and/or 0s. Hexadecimal is also a numbering system, with a base of 16 (0 - 9 and then a - f)

    What HxD (Or any hex editor) does when you open an EXE is it transcodes the binary into hex. That's really all it does.

    Now, Memory Editors such as whatever you were using (I forgot, sorry LOL) will show you the instructions as they are stored in your machine's memory. This is where the address mismatch occurs. When you're looking at the addresses in a memory editor, they're actually the offset position in your machine. The addresses you're looking at in a Hex editor are better understood as line numbers.

    For persistent cheats, you don't want to change values but instead change routines in the game. For example, in Diablo the way we made "God Mode" was by using a memory editor to find the address for a value, say health, then we used a debugger (softICE) to set a breakpoint on that value's memory position so that if it ever changes, softICE will suspend diablo.exe and take fullscreen, showing you the exact procedure (In the diablo.exe assembly, not in memory..) of the procedure/routine that affected the change. In this case, it was a routine called by another routine that you could scroll/page-up to find. The first routine subtracted the damage but the first routine was a comparison-jump.. It was comparing a value to 0 and if it did not match 0 it would continue to jump to the damage routine. If it did match 0, no health would be subtracted. After going further back in softICE to find where that value was set, we discovered that value was the current tileset... tileset 0 was the tileset for town (And that's why you can't attack players in town) so the solution was to change that routine so that it always returned false, as if it always failed to compare the value.
     
