The art of hacking greatly depends on the degree of knowledge you have on the game you are hacking. As Sun Tzu said “Know yourself and know your enemies and thou shalt win every battle”. If you know how the game works, it'll be a lot easier to find those addresses.
For example: unlimited attack.
We all know that after a certain number of attacks on the same spot you can’t attack anymore. So we make use of that knowledge.
• Search for 0 as a Byte (the counter never exceeds 255, so one byte is enough) right after entering a new map or channel, which guarantees the counter has just been reset.
• Then attack a few times and do a next scan for "Increased value".
• Repeat until you are left with a single address (you can also attack, scan for "Increased value", then change channel and scan for 0 again. Use your creativity).
• Finally freeze the address at 0 (any value below 100 works: you have probably noticed the game only stops you attacking once the counter reaches 100).
Deep Analysis:
As you may have discovered, the unlimited attack counter only starts incrementing on the second consecutive hit on the same spot: it is 0 initially, still 0 after one hit, 1 after the second hit, 2 after the third, and so on.
Knowing this, you can instead search for 0 on entering the map, attack twice and search for 1, then attack once more and search for 2. Exact-value scans narrow the list much faster than "increased" scans.
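Here is the whole procedure, including the "Deep Analysis" shortcut, as a small Python model. This is an added example, not code from the original post or from Cheat Engine: the game is replaced by a constructed stub (GameStub) whose counter address, memory size and behaviour are assumptions for illustration, and Scanner reproduces Cheat Engine's first scan / next scan narrowing over that stub's memory.

```python
import random

SIZE = 0x4000                 # size of the constructed "process memory"


class GameStub:
    """Constructed stand-in for the game process (an assumption for this
    example, not real MapleStory layout).  One byte at COUNTER is the
    consecutive-hit counter, one byte at FRAME is a timer that also rises on
    every action, and everything else is deterministic noise."""
    COUNTER = 0x1234          # assumed address, not a real game offset
    FRAME = 0x2000

    def __init__(self):
        rng = random.Random(7)
        self.mem = bytearray(rng.getrandbits(8) for _ in range(SIZE))
        self.hits = 0
        self.enter_map()
        self.mem[self.FRAME] = 0

    def enter_map(self):
        """Entering a new map or changing channel resets the counter."""
        self.mem[self.COUNTER] = 0
        self.hits = 0

    def attack(self):
        """The counter only starts incrementing on the second consecutive hit,
        and the game stops you once it reaches 100."""
        self.hits += 1
        if self.hits >= 2:
            self.mem[self.COUNTER] = min(self.hits - 1, 100)
        self.mem[self.FRAME] = (self.mem[self.FRAME] + 3) & 0xFF

    def read(self, addr, width=1):
        return int.from_bytes(self.mem[addr:addr + width], "little")


class Scanner:
    """Cheat Engine style first scan / next scan for one value width."""

    def __init__(self, game, width=1):
        self.game, self.width = game, width
        self.seen = {}        # candidate address -> value at the last scan

    def first_scan(self, value):
        self.seen = {a: value for a in range(SIZE - self.width + 1)
                     if self.game.read(a, self.width) == value}
        return len(self.seen)

    def next_scan(self, mode, value=None):
        """Keep only candidates that satisfy mode ('exact', 'increased' or
        'unchanged'), each judged against the value seen at the last scan."""
        keep = {}
        for addr, old in self.seen.items():
            cur = self.game.read(addr, self.width)
            if ((mode == "exact" and cur == value)
                    or (mode == "increased" and cur > old)
                    or (mode == "unchanged" and cur == old)):
                keep[addr] = cur
        self.seen = keep
        return len(keep)

    def result(self):
        return sorted(self.seen)


def find_counter_by_increase(game):
    """The bullet-list procedure: scan 0 on map entry, attack, scan
    'increased', then change channel and scan for 0 again."""
    s = Scanner(game, width=1)
    game.enter_map()
    s.first_scan(0)
    game.attack(); game.attack()          # second hit: counter becomes 1
    s.next_scan("increased")
    game.attack()                         # counter becomes 2
    s.next_scan("increased")
    game.enter_map()                      # channel change resets the counter
    s.next_scan("exact", 0)
    return s.result()


def find_counter_by_sequence(game):
    """The 'Deep Analysis' shortcut: exact scans for 0, 1, 2."""
    s = Scanner(game, width=1)
    game.enter_map()
    s.first_scan(0)
    game.attack(); game.attack()
    s.next_scan("exact", 1)
    game.attack()
    s.next_scan("exact", 2)
    return s.result()
```

Both functions end with only the stub's counter address. In the first one it is the channel change that removes the stub's frame counter, which also rose on every attack and survived both "increased" scans; that is the "use your creativity" step.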
Pointers:
What are pointers? What do they do? How do I find them?
A pointer is a way of reaching a dynamic address (see "Dynamic addresses" below). Often the game allocates the memory on the fly, so the value you care about has no fixed (static) address you can write down. A pointer path instead starts from a known static address and an offset: read the VALUE stored at the static address (not the static address itself), add the offset, and the result is the ADDRESS of the value you want. Cheat Engine does this dereference for you when you enter the static address as the pointer and the offset in the address list.
Pointer finding:
One way is to use Cheat Engine's pointer scanner (this can be slow, so here is the manual method). Let's use the unlimited attack as the example. When you have the address of the hack:
• Add it to the list.
• Right-click it and select "Find out what accesses this address" (or "Find out what writes to this address"); a new window opens. Go in game and attack a few times, and the list in that window fills up. Look at the instruction shown (usually the last one), for example mov ecx,[eax+13]. This copies the value stored at the ADDRESS eax+13 (hex) into the ecx register.
• So what does that tell us? The brackets around [eax+13] mean the instruction reads the VALUE at that address, so the address of the counter is eax+13: the value in eax plus 13 (hex). The "13" is therefore the offset and eax is the base. Select that line and click "More information"; Cheat Engine shows the value of the pointer needed to find this address, which here is the value eax held, i.e. the start of the block the counter lives in.
• Back in Cheat Engine, do a 4-byte hex search for that value; the address you find is the pointer (the value stored at it is the base), and the offset we already know, so put them to good use. Check that the found address is static (Cheat Engine shows static addresses in green); if it is dynamic too, repeat the process on it to add another level to the pointer path.
Extra Knowledge:
Dynamic addresses come from memory the program asks for at run time, typically with malloc (in C), new (in C++) or any other allocator, instead of variables declared with a fixed location in the executable. The allocator hands back whatever address is free, so it can differ from one run to the next. This is useful for data whose size is not known until run time (for example a char* buffer sized to fit a string) and for objects that only exist while they are needed, among other purposes.
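The base-plus-offset arithmetic from the pointer section, and the reason a pointer survives a restart while a raw dynamic address does not, as an added Python example (not the post's code and not Cheat Engine's). The memory image, the static bases at 0x100 and 0x104, the block addresses and the second pointer level are all constructed assumptions; the offset 0x13 is the one from mov ecx,[eax+13].

```python
import struct

MEM_SIZE = 0x10000
STATIC_BASE = 0x0100      # assumed: lives in the game's data section, so fixed
STATIC_BASE2 = 0x0104     # assumed: a second static pointer, two levels deep
STATIC_LIMIT = 0x1000     # assumed: everything below this is module data, above is heap
OFFSET = 0x13             # the "13" from mov ecx,[eax+13]


def make_image(block_addr, counter_value):
    """Constructed process image.  The heap block holding the counter was
    allocated at block_addr; the static dword at STATIC_BASE points at it,
    and STATIC_BASE2 points at a heap object whose field +8 points at it."""
    mem = bytearray(MEM_SIZE)
    struct.pack_into("<I", mem, STATIC_BASE, block_addr)
    struct.pack_into("<I", mem, STATIC_BASE2, 0x3000)
    struct.pack_into("<I", mem, 0x3000 + 0x8, block_addr)
    mem[block_addr + OFFSET] = counter_value
    return mem


def read_u32(mem, addr):
    """Little-endian 4-byte read, i.e. the VALUE stored at addr."""
    return struct.unpack_from("<I", mem, addr)[0]


def resolve_pointer(mem, base, offsets):
    """Walk a pointer path the way Cheat Engine does: take the VALUE at the
    static base, add each offset, dereferencing at every level but the last.
    Returns the final dynamic ADDRESS."""
    addr = read_u32(mem, base)
    for off in offsets[:-1]:
        addr = read_u32(mem, addr + off)
    return addr + offsets[-1]


def find_dword(mem, value):
    """The 'hex search on the value' step: every 4-byte-aligned location
    holding value (the eax seen in the disassembler)."""
    return [a for a in range(0, MEM_SIZE - 3, 4) if read_u32(mem, a) == value]


def find_static_base(mem, value):
    """Only the hits that are usable as a pointer base: heap hits (such as
    the field at 0x3008) would themselves need another pointer level."""
    return [a for a in find_dword(mem, value) if a < STATIC_LIMIT]
```

Build the image twice with different block addresses, as the game would after a restart: the raw address 0x2013 is wrong the second time, but STATIC_BASE plus 0x13 still lands on the counter.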
Searching for hacks using the right values:
Now we all know there’s byte, 2 bytes, 4 bytes and so on. So how do we know what type and what value to search for?
In computing, 32-bit describes integers, memory addresses or other data units that are at most 32 bits wide, or CPU architectures whose registers, address buses or data buses are that size. 32 bits can store 0 through 4294967295 unsigned, or −2147483648 through 2147483647 in two's complement. With this knowledge, all we need to know is the value we are searching for. Take unlimited attack again: its maximum is only 100, which fits comfortably in that range, but using 4 bytes to hold an integer that never exceeds 100 wastes memory.
So we would expect the programmer to use a smaller data type to store it. (Only the unsigned ranges are listed below.)
• Byte : 2^8 numbers = 256 numbers or 0 – 255
• 2 Bytes: 2^16 numbers = 65536 numbers or 0 – 65535 (older games often cap values at 65535 for this reason)
• 4 Bytes: 2^32 numbers = 4294967296 numbers or 0 – 4294967295
• 8 Bytes: 2^64 numbers = 18446744073709551616 numbers and so on.
• Float: a 32-bit type for numbers with a fractional part, stored as a sign bit, an exponent and a mantissa (the value is the mantissa scaled by a power of two). Searching for 100 as a Float looks for the bit pattern of 100.0, not the integer 100.
• Double: the 64-bit version of Float, with a wider exponent and a longer mantissa, so it holds more precision and a larger range.
• Text: plain ASCII or Unicode text, called a string (or an array of char) in programming.
• Array of bytes: a search for an exact sequence of bytes. Used carefully it lets you search for a piece of the machine code itself (see below); otherwise it is simply a hex search for the bytes of the value you want. An array is a list, or more accurately a collection, of values of the same type.
So with the data types in mind, the unlimited attack counter most naturally fits in a Byte: it never exceeds 100, and a programmer who cares about space allocates no more than is needed. That is an expectation, not a guarantee: compilers and programmers often store small counters as 4-byte ints anyway, so if a Byte scan finds nothing, repeat the scan as 2 Bytes and 4 Bytes before assuming the value is hidden.
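The same number looks different in memory for each value type, and that decides what a scan of each type finds. Added Python example, not from the original post; the memory image is constructed, with the attack count stored three different ways, and the hit lists show why a Byte scan is both the right first choice and the noisiest.

```python
import struct

# The byte pattern each Cheat Engine value type searches for (little-endian x86).
ENCODERS = {
    "Byte":    lambda v: struct.pack("<B", v),
    "2 Bytes": lambda v: struct.pack("<H", v),
    "4 Bytes": lambda v: struct.pack("<I", v),
    "8 Bytes": lambda v: struct.pack("<Q", v),
    "Float":   lambda v: struct.pack("<f", v),
    "Double":  lambda v: struct.pack("<d", v),
}


def encodings(value):
    """Hex pattern that a scan of each type looks for, e.g. 100 as Float."""
    return {t: enc(value).hex(" ") for t, enc in ENCODERS.items()}


def scan(mem, value, vtype):
    """All offsets where the pattern for (value, vtype) occurs; unaligned
    matches are included, as Cheat Engine does unless told otherwise."""
    pat, hits, i = ENCODERS[vtype](value), [], -1
    while (i := mem.find(pat, i + 1)) != -1:
        hits.append(i)
    return hits


def scan_all(mem, value):
    """Run one scan per type and return the hits per type."""
    return {t: scan(mem, value, t) for t in ENCODERS}


def sample_memory():
    """Constructed image (not real game memory): the attack count stored as
    a Byte at 0x10 with a non-zero neighbour, as a 4-byte int at 0x40 and as
    a float at 0x80.  Everything else is zero."""
    mem = bytearray(0x100)
    mem[0x10] = 100
    mem[0x11] = 0x2A
    struct.pack_into("<I", mem, 0x40, 100)
    struct.pack_into("<f", mem, 0x80, 100.0)
    return mem
```

Note that the 4-byte int at 0x40 is found by the Byte, 2 Bytes, 4 Bytes and 8 Bytes scans alike, because its upper bytes are zero, while the real byte counter at 0x10 is only found by the Byte scan; the float is found by nothing but a Float scan.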
Finding hacks using the memory view, i.e. array-of-bytes searches. This is one of the most powerful and dependable methods if you know how to use it accurately.
As touched on earlier, a program is stored and executed as machine code, the bytes the CPU runs. Assembly language is the human-readable form of those same instructions, which is what Cheat Engine's disassembler shows you. Each instruction is encoded as one or more opcode bytes (plus operand bytes), and the first opcode byte often identifies the instruction on its own:
Some “common” ones
• je / jz = 74 (je and jz are the same instruction: jump if ZF is set)
• jne / jnz = 75 (jump if ZF is clear)
• add = 80/81/83 (/0)
• and = 80/81/83 (/4)
• cmp = 80/81/83 (/7)
• sub = 80/81/83 (/5)
• or = 80/81/83 (/1)
• xor = 80/81/83 (/6)
These six share the same opcode bytes when the second operand is a constant (80 = byte operand, 81 = 32-bit immediate, 83 = 32-bit operand with a sign-extended 8-bit immediate); the "/digit" is the reg field of the ModR/M byte that follows, which tells them apart. Each also has its own opcodes for the register/memory forms (add = 00–03, or = 08–0b, and = 20–23, sub = 28–2b, xor = 30–33, cmp = 38–3b), which is why the and in the listing below starts with 20.
• test = 84/85
• mov = 88/89/8a/8b/8c/8e (and b8–bf for mov reg, imm32)
• nop = 90
Each of these hex values is the opcode byte that starts an instruction; one instruction can have several encodings (mov above), and some opcode bytes are shared by several instructions and told apart by the next byte. So how does that help us find addresses?
Simply take this short piece of code for example (not taken from maple):
00400059 6d - insd
0040005A 20 63 61 - and [ebx+61],ah
0040005D 6e - outsb
0040005E 6e - outsb
0040005F 6f - outsd
00400060 74 20 - je 00400082
(These bytes are in fact the ASCII text "m cannot " being decoded as code, which is why the first few instructions look meaningless; that does not matter for the search.)
Note that je 00400082 is the instruction we are looking for, but we often cannot search for its bytes directly: its second byte encodes the jump distance to 00400082, and if that target moves relative to the jump in another version of the game, the byte changes and the search fails.
So the trick is to search for "static" instructions, ones that contain no hard-coded addresses or displacements that might change. Looking up, every instruction above je 00400082 qualifies, so their bytes make a good search string.
Copy the hex bytes of those instructions, i.e. 6d 20 63 61 6e 6e 6f. In Cheat Engine's memory view there are two panes: the upper one shows the disassembled instructions and the lower one a hex dump of the process memory:
• Right click on the lower half and select “search memory”
• Under type, select “[Array of ] byte”
• The range is to narrow down the search, if you know the approximate range then use it, else leave it alone.
• In the text box type the array you just copied, "6d 20 63 61 6e 6e 6f", and click "ok"
• The lower pane should now start at 00400059, the address of the insd instruction whose bytes you copied. Scroll down a little and voilà: je 00400082.
This method doesn't search for the address itself; it searches for the instructions around it. This is useful for finding the same code in another version of the game: for example, if you know the god mode address in oms, you can use the surrounding bytes to find the god mode address in jms without knowing the "value" there (which is most likely different, since the address the je/jne points to is different).
Note: you can also use the instructions after the je, as long as they contain nothing dynamic. Use your creativity.
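An array-of-bytes search with wildcards, applied to the listing above, as an added Python example (not the post's code and not Cheat Engine's own scanner). The two code images are constructed: one reproduces the listing at 00400059, the other stands in for "another version of the game" with the same code at a different place and a different jump distance. The je's displacement byte is wildcarded, so one signature finds both, and the jump target is then decoded from whatever byte is actually there.

```python
import struct

IMAGE_BASE = 0x00400000        # assumed load address, matching the listing


def build_image(je_offset, rel8):
    """Constructed code region: nops everywhere except the listing's bytes
    (insd / and / outsb / outsb / outsd) followed by a je rel8 at je_offset."""
    mem = bytearray(b"\x90" * 0x200)
    static = bytes.fromhex("6d 20 63 61 6e 6e 6f")   # the five 'static' instructions
    mem[je_offset - 7:je_offset] = static
    mem[je_offset] = 0x74                             # je rel8
    mem[je_offset + 1] = rel8
    return mem


def parse_pattern(text):
    """'6d 20 ?? 74' -> [0x6d, 0x20, None, 0x74]; None is a wildcard."""
    return [None if tok in ("??", "?") else int(tok, 16) for tok in text.split()]


def aob_scan(mem, base, pattern):
    """Every address in mem (loaded at base) where the pattern matches."""
    pat = parse_pattern(pattern)
    n = len(pat)
    return [base + i for i in range(len(mem) - n + 1)
            if all(p is None or mem[i + k] == p for k, p in enumerate(pat))]


def jcc_rel8_target(mem, base, addr):
    """Decode a short conditional jump (opcodes 70-7f, 2 bytes): the target is
    the address of the next instruction plus the signed 8-bit displacement."""
    i = addr - base
    if not 0x70 <= mem[i] <= 0x7F:
        raise ValueError("not a short Jcc at %#x" % addr)
    rel8 = struct.unpack_from("<b", mem, i + 1)[0]
    return addr + 2 + rel8


# Signature: the static bytes, then the je opcode with its displacement wildcarded.
SIGNATURE = "6d 20 63 61 6e 6e 6f 74 ??"
EXACT = "6d 20 63 61 6e 6e 6f 74 20"      # only matches the original listing


def find_je(mem, base=IMAGE_BASE):
    """Locate the je in one version of the code and return (je address, target)."""
    hits = aob_scan(mem, base, SIGNATURE)
    if len(hits) != 1:
        raise LookupError("expected one match, got %d" % len(hits))
    je = hits[0] + 7                      # the je follows the 7 static bytes
    return je, jcc_rel8_target(mem, base, je)
```

For a 6-byte near jump (0f 84 followed by a 32-bit displacement) wildcard four bytes instead of one; the same goes for any absolute address or large displacement inside a mov or cmp, which is exactly the "nothing hard coded" rule from the text.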
Some basic game concepts:
Most games rely on collision detection and vector-based positioning. Every animated object in the game has a vector giving its position on the map or in the world, and a game event usually fires when a "collision" is detected, i.e. when one object touches another. Let's look at some basic game concepts that hackers have turned to their advantage.
God mode: When you touch a mob what happens?
1. Calculate whether the hit lands (decides whether the game proceeds with steps 2-4)
2. If hit then, reduce hp
3. Flash
4. Knock back
5. Else Miss
Melee god and full god work on step 1, flash god on step 3, miss hack on step 5. There are many ways to achieve invulnerability; these are a couple of them. Melee god only covers physical collisions between the mob sprite and you. Full god mode works on step 1 by nullifying every decision to proceed to steps 2-5.
Wall Vac: as we all know, when we walk to the border of a map we can't walk any further, or we'd "fall" off. The graphics themselves don't know where the edge is, so something must tell the game that the character has reached it. The answer: a boundary. Most games, 2D or 3D, have map boundaries to keep characters in bounds. MapleStory is the same: each map has 4 boundaries (the map is rectangular) and these boundaries set the rules for the characters and monsters in it.
By changing the boundaries we change the rules of the map itself, and newly spawned monsters adopt the "latest" rules. Compressing the wall boundaries to a single point therefore produces a vac-like effect (think of Indiana Jones trapped between closing walls). "Old" monsters don't move because they were bound to the old boundaries when they spawned, before the wall vac was applied. Slopes, platforms, steps and so on clearly take priority over the boundaries, otherwise every mob would fall straight to the bottom regardless of platforms; that is why monsters get "stuck" on edges and slopes.
Other vacs: some vacs, like DupeVac, use another method. Instead of changing the wall boundaries, the vac changes each monster's position vector on the map directly. This lets the monsters "overwrite" the collision rules for platforms and slopes, presumably because position vectors take the highest priority.
Registers List:
The status flags first. They are single bits in the EFLAGS register; arithmetic and compare instructions set them and conditional jumps read them.
CF = Carry flag (set when an arithmetic operation carries out of, or borrows into, the top bit; after cmp it means the first operand is below the second as unsigned numbers)
PF = Parity flag (set when the low byte of the result has an even number of 1 bits, clear when odd)
AF = Adjust flag (auxiliary carry: set on a carry or borrow out of the low 4 bits, used by the BCD instructions)
ZF = Zero flag (set when the result is zero; this is the flag je/jz and jne/jnz test, so it decides whether those conditional jumps are taken)
SF = Sign flag (a copy of the result's top bit, i.e. negative in signed arithmetic)
TF = Trap flag (single step: when set, the CPU raises a debug exception after every instruction, which is how debuggers step through code)
IF = Interrupt enable flag (whether maskable hardware interrupts are serviced)
DF = Direction flag (whether string instructions such as movs/stos/lods, usually with rep, move ESI/EDI forwards or backwards through memory)
OF = Overflow flag (set when a signed operation overflows, i.e. the result does not fit in the signed range)
The general-purpose registers are small, fast storage slots inside the CPU that hold the values and addresses instructions operate on. The 3-bit code after each name is how the register is encoded in an instruction's ModR/M byte.
EAX (000) Accumulator, used for most arithmetic and for a function's return value.
ECX (001) Counter register, with special meaning for loop and rep instructions and for shift counts.
EDX (010) Data register, an extension of the accumulator: mul and div use EDX:EAX as one 64-bit value.
EBX (011) Base register; today mostly free storage, originally a memory base pointer in 16-bit mode.
ESP (100) Stack pointer, holds the address of the top of the stack.
EBP (101) Base pointer, holds the address of the current stack frame (locals and arguments are addressed as [ebp+offset]); sometimes used as free storage in optimised code.
ESI (110) Source index, used by string operations; the one-byte LODS instruction loads from [esi] into the accumulator.
EDI (111) Destination index, used by string operations; the one-byte STOS instruction stores the accumulator to [edi].
EIP Instruction pointer, holds the address of the next instruction to execute.
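How the flags above turn a cmp into a decision, as an added Python model (not the post's code and not a full x86 emulator: it covers cmp and the common conditional jumps only). It shows why je/jne (opcodes 74/75) look at nothing but ZF, and why a hit check built from cmp plus one of these jumps is inverted by swapping those two opcode bytes.

```python
def cmp_flags(a, b, bits=32):
    """Flags left by 'cmp a, b', which computes a - b and discards the result.
    bits selects the operand size (8, 16 or 32), as the instruction encoding does."""
    mask = (1 << bits) - 1
    top = 1 << (bits - 1)
    a, b = a & mask, b & mask
    r = (a - b) & mask
    return {
        "CF": int(a < b),                               # unsigned borrow
        "ZF": int(r == 0),                              # result is zero
        "SF": int(bool(r & top)),                       # top bit of the result
        "OF": int(bool((a ^ b) & (a ^ r) & top)),       # signed overflow on subtract
        "PF": int(bin(r & 0xFF).count("1") % 2 == 0),   # even parity of the low byte
        "AF": int((a & 0xF) < (b & 0xF)),               # borrow out of the low nibble
    }


# Condition each jump tests.  74 = je/jz and 75 = jne/jnz differ only in ZF.
CONDITIONS = {
    "je":  lambda f: f["ZF"] == 1,  "jz":  lambda f: f["ZF"] == 1,
    "jne": lambda f: f["ZF"] == 0,  "jnz": lambda f: f["ZF"] == 0,
    "jb":  lambda f: f["CF"] == 1,  "jae": lambda f: f["CF"] == 0,   # unsigned
    "jl":  lambda f: f["SF"] != f["OF"],                              # signed
    "jge": lambda f: f["SF"] == f["OF"],
    "jg":  lambda f: f["ZF"] == 0 and f["SF"] == f["OF"],
    "jle": lambda f: f["ZF"] == 1 or f["SF"] != f["OF"],
}


def jump_taken(mnemonic, a, b, bits=32):
    """Would 'cmp a, b' followed by this conditional jump be taken?"""
    return CONDITIONS[mnemonic](cmp_flags(a, b, bits))


def patched_jump_taken(mnemonic, a, b, bits=32):
    """The same check after flipping opcode 74 to 75 or back (je <-> jne):
    the jump is now taken exactly when the original was not."""
    flipped = {"je": "jne", "jz": "jnz", "jne": "je", "jnz": "jz"}[mnemonic]
    return jump_taken(flipped, a, b, bits)
```

Note the signed/unsigned split: after cmp 7fffffff, ffffffff the unsigned jb is taken (CF set) while the signed jl is not (SF equals OF), so reading the right flag pair matters when you decide which jump to patch.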