Un-Advanced hacking FAQ

Mar 22, 2009 at 3:35 AM
Been here way too long...
"Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: Jun 22, 2008
Location:
Posts: 251
It seems like we have a lot of threads recently from first-time assemblers, so if you have any basic questions about how to disassemble, what commands do what, etc. you can ask them here (for a basic overview, read the Wikibooks assembly guide, especially the Instruction set. it doesn't go in to too much depth, but 90% of the code is jumps, MOV's, arithmetic, and CMP's anyway). For more depth, read this textbook, hosted by University of Illinois. Lace has also written this guide to all the commands you need to know to begin hacking (with a couple minor edits by me):


COMMANDS:
mov x,y -- Equals sign, x = y

cmp x,y -- Compares x and y, useless unless you have one of the following after it.
- je x -- If x and y are equal, jump to x.
- jne x -- If x and y are not equal, jump to x
- jl x -- If x is smaller than y, jump to x
- jle x -- If x is smaller than or equal to y, go to x.
- jr x -- Same as jl, but larger than
- jre x -- same as jle but larger than or equal to.
- disclaimer: if you see one of these with a z in it, the evil warlords are trying to kill you, just pretend it's an e.

Which leads us to:
jmp x -- teleports the script to x.
call x -- calls the function at x
ret -- jumps back to where the function was called.

push x -- pushes x onto the stack (not sure what a stack is? Look here!)
pop x -- pops x from the stack

add x,y -- adds y to x, saves to x
sub x,y -- subtracts y from x, saves to x
shl x,y -- multiples x by 2^y, a lot faster than mul.
shr x,y -- divides x by 2^y, rounding down. similar to shl

... ; -- equivalent of //, ends the line, and anything after it don't count, useful for comments or writing the original code in case you screw stuff up.

REGISTERS:
places where you can store stuff while you use it. There are nine, but you can only use 3 of them
EAX - you can use this one :)
EBX - reserved for something or other
ECX - you can use this one :)
EDX - you can use this one :)
ESP - reserved, points to the top of the stack
EBP - reserved, points to the base of the stack
ESI - reserved for something or other
EDI - reserved for something or other
EIP - reserved, points to the next instruction to be run

if you ever see AX, BX, CX, etc, that just means its only using half of EAX, EBX, ECX. And AL, BL, CL is only using half of AX, BX, CX

OFFSETS:
yeh, you can do all kinds of stuff now, but adding one to eax and setting edx equal to it really isn't that exciting. All the jazz is at offsets, some are codes, ie 419CB0 has ML+ at it, but other offsets, like 0049E6CC (current health) are just values which are accessed by the code to do cool things.

BRACKETS/POINTERS:
so, pretend eax holds 49E6D0.
if you have a bit of code that says:

mov eax,49E6D0
add eax,2

it will add two to eax (49E6D0), which is kinda useless since eax is now an offset to something random
However, if you have:

add [eax],2

with the brackets around eax, it doesn't add two to 49E6D0, but rather whatever is at that offset, the max health.



For absolute beginners, I will suggest you download OllyDbg. (Others may have different preferences, especially if you plan on writing a lot of new code rather than modifications to existing code.)

Basics of how to use OllyDbg:
To disassemble cave story: use file>open just like any other program. If you have a slow computer this could take awhile.

To jump to an address: use Ctrl+G. Before you try finding any addresses on your own, go to a few addresses that are in any of the various hacking guides around the forums. If you do this, it will be much easier to find out what the code is for. Note that addresses in OllyDbg always start with a 4 and are 6 digits long. so if you are given a 4 digit address like 0x1234, you need to change it into 0x401234.

To change a command: double click on it, but be careful: if the command you write takes up more space than the command you are replacing, it will delete the next command. (If it is shorter, it will fill the extra space with NOPs)

To set a breakpoint: double click on the hex representation of the command (to the left of the command itself) then the address should turn red. Then you can press the play button to start the game, but it will halt as soon as it reaches the command you have marked as a breakpoint. This is useful to see if a bit of code gets executed when you expect it to, and you can see what is in the registers and stuff.

To make a comment: double click on the white space to the right of the command you want to comment.

And to save your awesome new hack: right click and choose Copy to Executable, then choose all modifications. A window with 4 options will appear, choose Copy All, and then the main window will minimize and a new window will appear, close the new window and you will be given the option to save.


Example hack:
So you have OllyDbg up and running, you open your executable, and you see thousands of lines of confusing commands. What now? Well, thats what this section is for. Here I will try to step through the hacking process as simply as possible as an example, so that you can see my thought process and do the same thing on your own. Here we will hack the polar star.

Start by going to the weapon hacking thread and looking for the assembly address of the polar star. I recently posted a complete list of the assembly offsets of all the weapons, so it shouldn't be too hard to find. If you spend some time looking through the polar star code, you will see that it is divided into a few sections. First, there is some setup code, which prepares the weapon and increases the weapon timer and plays sounds and stuff like that. We will ignore this section for now. Then you get into a section with the weapon behavior. You can tell when you enter this section because it almost always starts with a command similar to this one:

Code:
JMP DWORD PTR DS:[EAX*4+404AFA]

This is called a pointer table and if you look at offset 404AFA you will see 4 different jump instructions. The code above will go to one of those instructions depending on what is in EAX at the time. In this case, the direction you are currently facing will be in EAX.

The weapon behavior code is done when you see a large block of code that looks like this:

Code:
MOV DWORD PTR SS:[EBP-20],80
MOV DWORD PTR SS:[EBP-1C],20
MOV DWORD PTR SS:[EBP-18],90
etc.

Those are the frame rects, and they determine where the graphic of the bullet is. After the frame rects you will see some more code that does other various things that we will ignore. So the part that we can do stuff with is the weapon behavior. If you look at the last 6 lines before the frame rects start, you will see this. I have commented what each line does so you can see how it works:

Code:
MOV EAX,[EBP+8]     ; this line is created for a process called pipelining that make the code run faster. Also because of this, [EAX+14], [ECX+14], and [EDX+14] will always be the same thing, as long as [EBP+8] is in EAX, ECX, or EDX. Any line that puts [EBP+8] in a register is doing this, and you can condense these to gain space if you need to (this is more advanced)
MOV ECX,[EAX+14]     ; this line takes the number that is in [EAX+14] and puts it in ECX so that we can do stuff with it. In a higher level language, [EAX+14] would be called a variable.
MOV EDX,[EBP+8]     ; pipelining
ADD ECX,[EDX+1C]     ; this line adds whatever is in [EDX+1C] to ECX (which currently contains [EAX+14] from before)
MOV EAX,[EBP+8]     ; pipelining
MOV [EAX+14],ECX     ; this takes whatever is in ECX and moves it back to [EAX+14]

So the overall result of the above code is to add [EDX+1C] to [EAX+14]. Lets try changing that to see exactly what [EDX+1C] and [EAX+14] are. Try changing the line ADD ECX,[EDX+1C] to ADD ECX,200 and play cave story and shoot the polar star to see what happens. You should find that when you shoot it, it will fall (independent of whether or not it is moving horizontally) This tells us that [EAX+14] is the current y-position of the bullet! And since [EAX+1C] is added to it every frame, then it must be the vertical velocity of the bullet! Now you can look through the code to find any instruction that changes the value of [EAX+1C]. You should see two: one saying: MOV DWORD PTR DS:[ECX+1C],1000 and one saying MOV DWORD PTR DS:[EDX+1C],-1000

In other words, it sets the vertical velocity to 1000 or -1000 respectively. Try changing those values, and you will see that it changes the speed of the bullet when you shoot up or down. But how do we change the speed for left and right? If you look in the general vicinity of the code that sets the vertical speed, you will see these lines: MOV DWORD PTR DS:[ECX+18],-1000 and MOV DWORD PTR DS:[EAX+18],1000 could this be setting the horizontal speed? Try changing it, and you will see that it does! That means [E_X+18] is the horizontal speed! Now if you set all 4 of those values to be that same thing, you have changed the speed of the polar star! Hooray!


Now you try: here is a simple bit of code taken from the bubbler LV1, see if you can figure out what it does. (since its a weapon, all the offsets will be the same as the polar star ones, so since [E_X+18] is the horizontal speed in the polar star, it will be in the bubbler LV1, and every weapon in the game) this is at 0x40600B fyi. For your first few times hacking, I recommend commenting every single line in the space you want to know about, but don't worry, it comes quickly and won't be long before you can recognize complex code at a glance.

MOV EDX,[EBP+8]
MOV EAX,[EDX+1C]
ADD EAX,2A
MOV ECX,[EBP+8]
MOV [ECX+1C],EAX
 
Mar 28, 2009 at 9:18 AM
Hax on....Hax off....
"Keep on rollin'!"
Join Date: Jan 5, 2009
Location: Easter Island
Posts: 474
Okay I'm using that assembler program you put the link for but it's still a little confusing for me. I'm trying to practice by finding adresses or offsets or whatever they're called. So you use Ctrl+G and putting this adress in 0x00004160 but it always says: no memory at the specified adress. I'm not so sure whether i'm using the wrong command or what.
I suck so much at this >.<
 
Mar 28, 2009 at 1:19 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
you need to put:
0x00404160
 
Mar 28, 2009 at 10:51 PM
Hax on....Hax off....
"Keep on rollin'!"
Join Date: Jan 5, 2009
Location: Easter Island
Posts: 474
Ahh thanks, now maybe I can actually get started...I'll try my very best to make sence of all this. I think I once saw a post you once made with some details about all those PUSH and MOV command things so I'll try and find that and work it out.
 
Mar 29, 2009 at 3:13 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
I'm actually pretty clueless about push, never really cared enough to look into it. Mov is just an equal sign though, if you see

mov ebp,55
it means
ebp = 55

hope that helps.
 
Mar 29, 2009 at 4:00 PM
graters gonna grate
"Heavy swords for sale. Suitable for most RPG Protagonists. Apply now!"
Join Date: Jul 2, 2008
Location: &
Posts: 1886
Age: 32
Pronouns: he/him
Push pushes a value on to the stack. Pop removes it from the stack. This is useful for entering and exiting procedures because you can back up some data to the stack before calling the procedure, and then pop it back off the stack in reverse order after calling the procedure. That way, whatever data you backed up will be preserved regardless of what the procedure you called did. You have to be careful, though, that you balance the stack, in other words, that you pop the exact same amount of data that you push. Failure to do so will almost inevitably result in either a crash or a bizarre inexplicable bug.
 
Mar 29, 2009 at 8:55 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
where does the random number return to?
 
Mar 30, 2009 at 1:31 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Mar 30, 2009 at 2:26 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
well, you were really just showing me the purpose of push, so you din't need to add it, but it sure is helpful.
 
Mar 30, 2009 at 6:13 AM
Administrator
Forum Administrator
"Life begins and ends with Nu."
Join Date: Jul 15, 2007
Location: Australia
Posts: 6224
Age: 39
Pronouns: he/him
How does "ret" work after using jp and jpa (or was it jra?) to create a loop (after jpa, when the conditions are met)? Or how does it work in general?

I started playing around with assembly code over the weekend btw. :rolleyes:
 
Mar 30, 2009 at 12:41 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
ret pops the code back to where a function was called, so if you used a function that turned decimal into hex a lot, you would have that function, and at the ned of it, you would have ret. when you call the function, it will run through it, and then go back to the point it was called at. As for how it works, I have no idea.

=P
 
Mar 30, 2009 at 4:57 PM
graters gonna grate
"Heavy swords for sale. Suitable for most RPG Protagonists. Apply now!"
Join Date: Jul 2, 2008
Location: &
Posts: 1886
Age: 32
Pronouns: he/him
It probably pushes your "location" in the code onto the stack and then when you use ret pops it back off the stack and goes to that location.
 
Mar 31, 2009 at 3:42 AM
Administrator
Forum Administrator
"Life begins and ends with Nu."
Join Date: Jul 15, 2007
Location: Australia
Posts: 6224
Age: 39
Pronouns: he/him
Lace said:
ret pops the code back to where a function was called, so if you used a function that turned decimal into hex a lot, you would have that function, and at the ned of it, you would have ret. when you call the function, it will run through it, and then go back to the point it was called at. As for how it works, I have no idea.

=P
Hmm, that makes sense. I'll go check this out. I guess the function ends right after the loop is finished.

p.s. Anyone want this thread stickied?
 
Mar 31, 2009 at 4:01 AM
Been here way too long...
"Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: Jun 22, 2008
Location:
Posts: 251
Personally I would rather not have this thread stickied, partly because I don't want to feel obliged to answer questions if the forum assassins get me, and partly because I think we have way too many stickies already. I wouldn't mind if someone else who would be more likely to maintain it and add info would copy/paste, though.
 
Mar 31, 2009 at 5:51 AM
Administrator
Forum Administrator
"Life begins and ends with Nu."
Join Date: Jul 15, 2007
Location: Australia
Posts: 6224
Age: 39
Pronouns: he/him
I thought this was an assembly help thread for beginners.
 
Mar 31, 2009 at 12:48 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
nobody reads stickies.
 
Back
Top