Un-Advanced hacking FAQ

Apr 4, 2009 at 12:41 PM
Hax on....Hax off....
"Keep on rollin'!"
Join Date: Jan 5, 2009
Location: Easter Island
Posts: 474
Okay, I understand how to edit stuff but still don't understand how to make sense of everything, but I'll work out all that in my spare time. I'm trying to edit my title screen with a little guide from runelancer but I'm not too sure what you mean by: right click and choose copy to exe. I don't quite understand where to right click because I haven't found that option by right clicking the edited value, toolbars at the top and all that. I'm really sorry that it's very simple but it's annoying when I can't understand the simplest and most important things.

Edit: Never mind it took me a while but I've worked out how to save it into the exe.

Edit 2: Okay, so I understand how to save now, so I've saved my new exe with a few new title screen changes and now I want to add to what I've already done. Now whenever I try to load it, it works fine and shows all the offsets, but when I use Ctrl+G every single offset sort of hides itself and most of them just say something like: ADD BYTE PTR DS:[EAX],AL
Is this some kind of thing that stops people from looking into your exe assembly and copying things from it?
Is there a way to stop it from doing that so I can continue with it, or do I just have to assemble everything at once?
 
Apr 5, 2009 at 7:06 AM
Been here way too long...
"Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: Jun 22, 2008
Location:
Posts: 251
The BYTE tells the computer how long the thing you are trying to add is. So BYTE is one byte, DWORD I think is 4 (not sure, feel free to correct me) and PTR stands for pointer, which doesn't really serve much purpose as far as I know. If you are changing a value from one to another, just use the same length as it was before.

Also, if you are asking a new question, it's usually best to double post rather than edit. When you make a new post everyone can tell a new post has been made. Edit is best for fixing typos and changing things only a few minutes after the original post.
 
Apr 9, 2009 at 3:25 AM
Been here way too long...
"Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: Jun 22, 2008
Location:
Posts: 251
I have a question!

How does MUL work? According to Wikipedia it takes one argument then multiplies it by what's in AL or something like that, but that doesn't really tell me how I can use it. Say I want to multiply something by -1, what would I do?
 
Apr 19, 2009 at 5:37 AM
Been here way too long...
"Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: Jun 22, 2008
Location:
Posts: 251
Alright, I've been doing some hacking and so far I haven't needed to use more space than the code that was there before. But now I do. I know that it involves going to the address 0x040004E, and according to Wedge of Cheese in the weapon hacking thread it must be called to, rather than jumped to. But both call and jump crash the program. I did use return after the function, but that didn't help. According to a post by sshsgi (sp?) call pushes the current location onto the stack, which I think adds 4 bytes IIRC. So instead of using EBP+8 everywhere (which was only once for my quick test), I used EBP+12. Which caused a crash as well. What am I doing wrong?


tl;dr version: how do I use free space to add code where I need it?

ALSO: anyone who helps me gets to see what I've done so far. Which is pretty neat, if I do say so myself.
 
Apr 19, 2009 at 2:02 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Unfortunately, I have no idea. When I tried to do this, I experienced pretty much the same problems, but I think ret doesn't work after a jump, only a call, since call pushes the location onto the stack and jump doesn't.

get lucky,
lace
 
Apr 19, 2009 at 6:45 PM
graters gonna grate
"Heavy swords for sale. Suitable for most RPG Protagonists. Apply now!"
Join Date: Jul 2, 2008
Location: &
Posts: 1886
Age: 32
Pronouns: he/him
My only suggestion is don't use the weird registers like ebp or whatever, since they're evidently "used in entry/exit of procedures" whatever that means. I would just stick to using eax/ebx/ecx/edx if I were you.

Also, about how MUL works I think it just multiplies the two arguments together and stores the result in the first argument. I'm pretty sure it has nothing to do with what's stored in AL.
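The two posts above are talking about two different instructions. One-operand MUL (and IMUL) really does use the accumulator: MUL r/m8 computes AX = AL * src, MUL r/m32 computes EDX:EAX = EAX * src, unsigned, and sets CF/OF when the high half is non-zero. The "multiply x and y, keep it in x" form exists only as IMUL (imul r32, r/m32; there is no two-operand MUL), which is why a line like "mul eax,2" will not assemble. For multiplying by -1 the cheapest instruction is NEG. The following is an added example, not code from this thread or from the game: a Python model of those instructions so you can see exactly which registers and flags each one touches. The values passed in are constructed inputs.

```python
MASK32 = 0xFFFFFFFF


def to_signed32(v):
    """Reinterpret a 32-bit pattern as a two's-complement signed value."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def mul32(eax, src):
    """MUL r/m32 (one operand): unsigned EDX:EAX = EAX * src.
    Returns (eax, edx, cf); CF=OF=1 whenever the high half EDX is non-zero."""
    product = (eax & MASK32) * (src & MASK32)
    edx, lo = product >> 32, product & MASK32
    return lo, edx, edx != 0


def imul32_one(eax, src):
    """IMUL r/m32 (one operand): signed EDX:EAX = EAX * src.
    CF=OF=1 when the signed product does not fit in EAX alone."""
    product = to_signed32(eax) * to_signed32(src)
    lo, edx = product & MASK32, (product >> 32) & MASK32
    fits = -(1 << 31) <= product < (1 << 31)
    return lo, edx, not fits


def imul32_two(dst, src):
    """IMUL r32, r/m32 (two operands): dst = low 32 bits of dst * src.
    This is the 'multiply x by y and keep it in x' form; EAX/EDX are not involved."""
    return (to_signed32(dst) * to_signed32(src)) & MASK32


def neg32(v):
    """NEG r/m32: two's-complement negate, i.e. multiply by -1 in one instruction."""
    return (-to_signed32(v)) & MASK32


def mul8(al, src):
    """MUL r/m8: AX = AL * src, the 8-bit form behind 'multiplies by AL'. Returns (ax, cf)."""
    ax = (al & 0xFF) * (src & 0xFF)
    return ax, ax > 0xFF


def times_minus_one(x):
    """The same register multiplied by -1 four ways.  All four low dwords agree;
    only the high half and the carry flag differ between MUL and IMUL."""
    minus_one = 0xFFFFFFFF                        # -1 as a 32-bit pattern
    return {
        "mul":      mul32(x, minus_one),          # unsigned: EDX = x-1, CF set
        "imul_one": imul32_one(x, minus_one),     # signed: EDX = sign extension, CF clear
        "imul_two": imul32_two(x, minus_one),
        "neg":      neg32(x),
    }


if __name__ == "__main__":
    for name, result in times_minus_one(5).items():
        print(f"{name:9s} {result}")
```

Note the practical consequence: if the code you are patching only ever looks at EAX afterwards, MUL by 0xFFFFFFFF "works" by accident (the low dword is still -x), but EDX has been clobbered and CF is set, so anything that relied on EDX or the flags will misbehave. NEG touches nothing but the one register and the flags.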
 
Apr 19, 2009 at 7:44 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
it would seem, but when I tried it that way, discrete said it was wrong, and when I put it in manually, it crashed. so, yeh.
 
Apr 20, 2009 at 5:30 AM
Administrator
Forum Administrator
"Life begins and ends with Nu."
Join Date: Jul 15, 2007
Location: Australia
Posts: 6224
Age: 39
Pronouns: he/him
dooey100 said:
Alright, I've been doing some hacking and so far I haven't needed to use more space than the code that was there before. But now I do. I know that it involves going to the address 0x040004E, and according to Wedge of Cheese in the weapon hacking thread it must be called to, rather than jumped to. But both call and jump crash the program. I did use return after the function, but that didn't help. According to a post by sshsgi (sp?) call pushes the current location onto the stack, which I think adds 4 bytes IIRC. So instead of using EBP+8 everywhere (which was only once for my quick test), I used EBP+12. Which caused a crash as well. What am I doing wrong?


tl;dr version: how do I use free space to add code where I need it?

ALSO: anyone who helps me gets to see what I've done so far. Which is pretty neat, if I do say so myself.
I am only familiar with z80 at the moment, but here I go:

CALL and RET are usually used to create what is known in high level languages as a "function". Since CALL pushes the address to the stack it doesn't matter where your code finishes up, it will return to the offset after the initial CALL instruction when you use RET. So you can use JP (JR is only used for loops, so don't use it) to continue the function elsewhere since JP doesn't add to the stack.

Eg: CALL (to location b) > (code) > JP (to location c) > (code) > RET (to location a)

If you want to move elsewhere and then return to the function then use a CALL within your function.

Eg: CALL (to location b) > (code) > CALL (to location c) > (code) > RET (to location b) > (code) > RET (to location a)

Does that help? I'm not quite sure the specifics of what you are asking.
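The x86 answer to dooey100's question is the same as the z80 one above, plus one detail about EBP: CALL pushes a return address (ESP drops by 4) but leaves EBP alone, so after the usual "push ebp / mov ebp,esp" prologue, [ebp+8] is still the first argument inside the called free-space code; changing it to [ebp+12] reads the dword above the argument. Only ESP-relative addressing shifts by 4. And a RET after a JMP pops whatever happens to be on top of the stack (here the saved EBP) into EIP, which is the crash Lace saw. The following is an added example, not code from this thread or the game: a small stack model that runs each of those variants. FUNC, CAVE and CALLER are hypothetical addresses chosen for the model, not Cave Story offsets.

```python
FUNC    = 0x00401000   # hypothetical: the routine whose body is being patched
CAVE    = 0x0040004E   # hypothetical: the free space the new code lives in
CALLER  = 0x00400500   # hypothetical: code that calls FUNC with one pushed argument
HALT    = CALLER + 10  # instruction after the caller's 5-byte CALL; ending here = clean return
GARBAGE = 0xDEADBEEF   # what the model hands back for memory nobody wrote


class Cpu:
    def __init__(self):
        self.r = {"eax": 0, "esp": 0x0019FF00, "ebp": 0x0019FF40, "eip": 0}
        self.mem = {}                      # dword address -> value

    def push(self, v):
        self.r["esp"] -= 4
        self.mem[self.r["esp"]] = v & 0xFFFFFFFF

    def pop(self):
        v = self.mem.get(self.r["esp"], GARBAGE)
        self.r["esp"] += 4
        return v


def assemble(listing):
    """[(addr, op, arg), ...] -> {addr: (op, arg, fall-through addr)}."""
    code = {}
    for i, (addr, op, arg) in enumerate(listing):
        code[addr] = (op, arg, listing[i + 1][0] if i + 1 < len(listing) else None)
    return code


def run(code, cpu, start, max_steps=50):
    """Step until execution leaves the modelled code; return the address it ended at."""
    cpu.r["eip"] = start
    for _ in range(max_steps):
        eip = cpu.r["eip"]
        if eip not in code:
            return eip                     # jumped somewhere never modelled: a crash
        op, arg, nxt = code[eip]
        if op == "halt":
            return eip                     # back in the caller: clean return
        cpu.r["eip"] = nxt
        if op == "push_imm":
            cpu.push(arg)
        elif op == "push":
            cpu.push(cpu.r[arg])
        elif op == "pop":
            cpu.r[arg] = cpu.pop()
        elif op == "mov_rr":               # mov reg, reg
            cpu.r[arg[0]] = cpu.r[arg[1]]
        elif op == "mov_rm":               # mov reg, [reg + disp]
            cpu.r[arg[0]] = cpu.mem.get(cpu.r[arg[1]] + arg[2], GARBAGE)
        elif op == "call":                 # push return address, then jump
            cpu.push(nxt)
            cpu.r["eip"] = arg
        elif op == "jmp":                  # jump, nothing pushed
            cpu.r["eip"] = arg
        elif op == "ret":                  # pop whatever is on top into EIP
            cpu.r["eip"] = cpu.pop()
        else:
            raise ValueError(op)
    raise RuntimeError("runaway")


CALLER_CODE = [(CALLER, "push_imm", 5),          # the single argument, e.g. an ML+ amount
               (CALLER + 5, "call", FUNC),       # pushes HALT as the return address
               (HALT, "halt", None)]
PROLOGUE = [(FUNC, "push", "ebp"),
            (FUNC + 1, "mov_rr", ("ebp", "esp"))]  # from here on [ebp+8] is the argument
EPILOGUE = [(FUNC + 8, "pop", "ebp"),
            (FUNC + 9, "ret", None)]


def trial(body, cave=()):
    """Run caller -> FUNC (-> CAVE); return (eax, end address, stack imbalance in bytes)."""
    cpu = Cpu()
    esp0 = cpu.r["esp"]
    end = run(assemble(CALLER_CODE + PROLOGUE + body + EPILOGUE + list(cave)), cpu, CALLER)
    return cpu.r["eax"], end, cpu.r["esp"] - (esp0 - 4)   # the caller's own PUSH is still live


def original():
    return trial([(FUNC + 3, "mov_rm", ("eax", "ebp", 8))])


def patched_with_call(disp):
    """CALL CAVE, cave RETs.  CALL moved ESP by 4 but not EBP, so disp=8 is still the
    argument; disp=12 (the guess in the thread) reads the dword above it instead."""
    return trial([(FUNC + 3, "call", CAVE)],
                 [(CAVE, "mov_rm", ("eax", "ebp", disp)), (CAVE + 3, "ret", None)])


def patched_with_jmp_then_ret():
    """JMP CAVE, cave RETs: nothing was pushed, so RET pops the saved EBP into EIP."""
    return trial([(FUNC + 3, "jmp", CAVE)],
                 [(CAVE, "mov_rm", ("eax", "ebp", 8)), (CAVE + 3, "ret", None)])


def patched_with_jmp_back():
    """JMP CAVE, cave JMPs back to the instruction after the hole: also fine."""
    return trial([(FUNC + 3, "jmp", CAVE)],
                 [(CAVE, "mov_rm", ("eax", "ebp", 8)), (CAVE + 3, "jmp", FUNC + 8)])
```

Two things the model glosses over that bite in a real exe: a CALL rel32 or JMP rel32 is 5 bytes (E8 or E9 plus a 4-byte displacement), so it rarely fits exactly over the instruction it replaces; the original bytes it displaces have to be replayed in the cave and the rest of the hole filled with NOP. And if the cave is entered by CALL, any [esp+N] access inside it needs N+4, because the return address now sits on top.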
 
Apr 26, 2009 at 1:49 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
I feel your pain.
I don't even get how rune did it, looks like what we're doing here to me...
 
Apr 30, 2009 at 11:50 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
thanks, really helpful since I am almost entirely self-taught, and therefore missing some concepts.
 
May 1, 2009 at 2:29 AM
Been here way too long...
"Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: Jun 22, 2008
Location:
Posts: 251
Lace said:
thanks, really helpful since I am almost entirely self-taught, and therefore missing some concepts.

Actually, you might not want to take my word on everything I said. I'm not completely sure that's what a pointer table is; I'm pretty much guessing based on the name "pointer table" and some descriptions about what it does.
 
May 1, 2009 at 10:19 PM
Neophyte Member
"Fresh from the Bakery"
Join Date: Mar 14, 2009
Location:
Posts: 9
I am an absolute beginner, so I followed the guide, but got nothing. I am confused.
 
May 1, 2009 at 11:01 PM
Been here way too long...
"Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: Jun 22, 2008
Location:
Posts: 251
E. Laimo said:
I am an absolute beginner, so I followed the guide, but got nothing. I am confused.

My guide doesn't include anything about registers or commands; you need to look at the wikibooks article I linked for that. There is also a quick guide by Lace to the commands somewhere (I can't find it atm though).
 
May 1, 2009 at 11:33 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
Yeh, It was pretty impossible to find. =P
(I also added two more quickie guides)

Lace said:
This guide is in no way complete, but should help some people.

COMMANDS:
mov x,y -- Equals sign, x = y

cmp x,y -- Compares x and y, useless unless you have one of the following after it.
- je x -- If x and y are equal, jump to x.
- jne x -- If x and y are not equal, jump to x
- jl x -- If x is smaller than y, jump to x
- jle x -- If x is smaller than or equal to y, go to x.
- jr x -- Same as jl, but larger than
- jre x -- same as jle but larger than or equal to.
- disclaimer: if you see one of these with a z in it, the evil warlords are trying to kill you, just pretend it's an e.

Which leads us to:
jmp x -- teleports the script to x.
call x -- calls the function at x
ret -- jumps back to where the function was called.

push x -- pushes x onto the stack
pop x -- pops x from the stack

add x,y -- adds x and y, saves to x
sub x,y -- subtracts x and y, saves to x
mul x,y -- multiplies x and y, saves to x
div x,y -- divides x and y, saves to x.
(I'm a bit sketchy on how mul and div work - it's probably as stated above, but they might be one variable things)
shl x,1 -- multiples x by two, a lot faster than mul. the number is the amount of times to repeat shl

; -- equivalent of //: ends the line, and anything after it doesn't count. Useful for comments or for writing in the original code in case you screw stuff up.

REGISTERS:
places where you can save stuff to without screwing up the code.
ax, bx, cx, dx, eax, ebx, ecx, edx. (variables)
the fine print: screwing with bx or ebx can do wacky things, as they are reserved for something, forget what though.

OFFSETS:
yeah, you can do all kinds of stuff now, but adding one to eax and setting edx equal to it really isn't that exciting. All the jazz is at offsets; some are code, e.g. 419CB0 has ML+ at it, but other offsets, like 0049E6CC (current health), are just values which are accessed by the code to do cool things.

BRACKETS/POINTERS:
so, pretend eax holds 49E6D0.
if you have a bit of code that says:

mul eax,2

it will multiply eax (49E6D0) by two, doing nothing in particular.
However, if you have:

mul [eax],2

with the brackets around eax, it doesn't multiply 49E6D0 by two, but rather whatever is at that offset, the max health.

laces and runes and somewhat cookies and sort of dooeys and not really at all shinings notes said:
OFFSETS ADDENDUM

CODES:
004156D7 thru 00415750 -- Agility Code, How fast you move in water or on land
00414B20 thru 00414B39 -- Pushes reserved space onto the ram. used for maps, so the higher you set push 80, the more possible maps.
00415BF7 -- the jump function
00404D61 -- handles the angle of the fireball shot
0040F350 -- random number generator
00419CB0 -- ml+
004242DA -- cmu
0040DB70 -- xx1
00422510 -- tsc parser
00421900 -- ascii to # macro
00408FC0 -- calls to weapons
004047B0 -- Polar Star (all levels)
00404B30 -- Fireball (all levels)
00405120 -- Machinegun (all levels)
004055A0 -- Missile Launcher (all levels)
00405F30 -- Bubbler level 1
00409190 -- Bubbler level 2
004064D0 -- Bubbler level 3
004068B0 -- Bubbler level 3 shot
004075E0 -- Blade level 3 slash
004078A0 -- [unused]
00406BB0 -- Blade level 1
00406E60 -- Blade level 2
00407110 -- Blade level 3
00407910 -- Super Missile Launcher (all levels)
00408230 -- Nemesis (all levels)
00408710 -- Chargeless spur (all levels)
00408AE0 -- Non moving spur (all levels)
00408230 -- Spur level 1
00408F40 -- Spur level 2
00408F90 -- Spur level 3

VARIABLES:
0049E6D0 -- Max Health
0049E6CC -- Current Health
0049E6D4 -- Displayed health
and about 30 other ones I can't seem to find right now.

some other stuff said:
NEAT TRICKS:
shl is a lot faster than mul, so instead of
mul bx,4 use
shl bx,2
and it also works for other numbers, say,
mul bx,9 translates to
mov ax,bx
shl bx,3
add bx,ax

as you can see, numbers such as nine take a lot of space to do, but if you have that space, your game will run much smoother.

TSC COMMAND MINI GUIDE:
To make a new command, find a command that you're not going to use. - I chose XX1, because it is very easy to find, and it is relatively useless. Then convert its letters into hex ascii values, so we have 58, 58, 31.

Search for a cmp with these in it, first 58, then 58, then 31, and the "mov eax,[004A5AD8]" somewhere above the first CMP is the start of your code. Changing the ASCII values will change what the TSC command is. In my case, I'm going to change it to the values 4D, 4C, 2D, for an ML-.

(Code is at 00425149 btw)

Okay, to change the command, find the last call in the command you chose, and then go to that offset. There is the code for the TSC command.

now go after the push and write in your own code; it's okay to go under, but DO NOT EXCEED the length of the existing code.

for ML-, it would be:

push ebp
mov ebp,esp
mov ecx,[0049E6D0]
sub ecx,[ebp+0008]
mov [0049E6CC],ecx
mov [0049E6D0],ecx
nop
nop
pop ebp
ret
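In practice the "DO NOT EXCEED the length" rule and the "how do I use free space" question both come down to bookkeeping that is easy to get wrong by hand: turning the virtual address OllyDbg shows into a file offset via the PE section table, finding runs of zero bytes in the executable section (zeros are what OllyDbg disassembles as ADD BYTE PTR DS:[EAX],AL, the encoding of 00 00, which is what the first post ran into), and refusing a patch that is longer than the hole. The following is an added example, not a tool from this thread or the game's own code. The sample exe is constructed inside the block; ML_MINUS is my hand-assembly of Lace's ML- listing above, minus its two NOPs (the patcher re-creates those as padding), so check the bytes against what OllyDbg produces before writing them into a real exe.

```python
import struct

SECTION_FMT = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes
IMAGE_SCN_MEM_EXECUTE = 0x20000000

# Lace's ML- routine from the post above, hand-encoded (verify in OllyDbg before use).
ML_MINUS = bytes.fromhex(
    "55"                 # push ebp
    "8BEC"               # mov ebp,esp
    "8B0DD0E64900"       # mov ecx,[0049E6D0]   max health
    "2B4D08"             # sub ecx,[ebp+8]
    "890DCCE64900"       # mov [0049E6CC],ecx   current health
    "890DD0E64900"       # mov [0049E6D0],ecx
    "5D"                 # pop ebp
    "C3"                 # ret
)


def _e_lfanew(pe):
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file")
    off = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[off:off + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    return off


def image_base(pe):
    """ImageBase lives at offset 28 of the PE32 optional header."""
    return struct.unpack_from("<I", pe, _e_lfanew(pe) + 24 + 28)[0]


def sections(pe):
    """Yield (name, rva, raw_size, raw_ptr, characteristics) per section header."""
    off = _e_lfanew(pe)
    nsec = struct.unpack_from("<H", pe, off + 6)[0]
    opt_size = struct.unpack_from("<H", pe, off + 20)[0]
    first = off + 24 + opt_size
    for i in range(nsec):
        name, _, rva, rawsz, rawptr, _, _, _, _, flags = struct.unpack_from(SECTION_FMT, pe, first + 40 * i)
        yield name.rstrip(b"\0").decode(), rva, rawsz, rawptr, flags


def va_to_offset(pe, va):
    """Map a virtual address (as OllyDbg shows it) to a file offset, or raise."""
    rva = va - image_base(pe)
    for _, srva, rawsz, rawptr, _ in sections(pe):
        if srva <= rva < srva + rawsz:
            return rawptr + (rva - srva)
    raise ValueError(f"VA {va:#010x} has no bytes in the file")


def find_caves(pe, min_len=16):
    """[(va, length)] for runs of zero bytes inside executable sections."""
    base, caves = image_base(pe), []
    for _, srva, rawsz, rawptr, flags in sections(pe):
        if not flags & IMAGE_SCN_MEM_EXECUTE:
            continue
        start = None
        for i, b in enumerate(pe[rawptr:rawptr + rawsz] + b"\x01"):   # sentinel ends a trailing run
            if b == 0 and start is None:
                start = i
            elif b != 0 and start is not None:
                if i - start >= min_len:
                    caves.append((base + srva + start, i - start))
                start = None
    return caves


def patch(pe, va, new_code, room):
    """Write new_code over `room` bytes at va, NOP-padding the rest; refuse to exceed room."""
    if len(new_code) > room:
        raise ValueError(f"{len(new_code)} bytes do not fit in {room}")
    off = va_to_offset(pe, va)
    out = bytearray(pe)
    out[off:off + room] = new_code + b"\x90" * (room - len(new_code))
    return bytes(out)


def build_sample_pe():
    """Constructed minimal PE32 (ImageBase 0x400000) with one .text section at RVA 0x1000:
    0x40 bytes of INT3 followed by 0x1C0 zero bytes of slack."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", 0x400000)
    opt += b"\0" * (0xE0 - len(opt))
    sec = struct.pack(SECTION_FMT, b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + opt + sec
    return headers + b"\0" * (0x200 - len(headers)) + b"\xCC" * 0x40 + b"\0" * 0x1C0


if __name__ == "__main__":
    exe = build_sample_pe()
    for va, length in find_caves(exe):
        print(f"cave at {va:#010x}, {length} bytes")
```

Two caveats. A zero run is only "free" if nothing references it: tail padding of the code section is safe, but the finder deliberately skips data sections, where a block of zeros may be a live variable that just happens to start at zero. And SizeOfRawData can exceed VirtualSize, so a cave at the very end of a section may lie past the bytes the loader actually maps; keep the cave inside the section's VirtualSize or extend it before using it.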
 
May 2, 2009 at 12:24 AM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
you can add it.
:cool:
 
May 2, 2009 at 3:30 AM
Been here way too long...
"Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: Jun 22, 2008
Location:
Posts: 251
Added, with some minor changes, as well as a bit at the end that beginners can step through to figure stuff out. It's VERY simple, so no one should have any trouble seeing how it works.

Also I didn't put the function offsets list in as I think that would be better suited in the offsets thread. Although they have been copied to my notes :D

also, wtf is with "sort of dooeys"? I found like half the offsets in that list >:(

oh, and speaking of notes, here is some other stuff I have that you can add to that list:

*disclaimer: only about half of this stuff was found by me; the rest was found through trawling through old topics. Also most of these are untested, so you might have to fix the stack pointer after calling some of the functions. Look for places the function is called from (in OllyDbg you can do that by clicking on the first instruction in the function and all the calls to it will appear in the white window below all the code), then see what happens before and after the function call. Also it's still pretty incomplete. Also, since I copied this from other people, I don't fully understand everything they meant.

Play a sound

PUSH (?)number of channels
PUSH sound ID
PUSH [49E658] + ????
PUSH [49E654] + ????
CALL 40AC90



Play a song

PUSH songID
CALL 420EE0



Get number of existing objects

PUSH objectID
CALL 403C40

returns to EAX



Render a graphic

PUSH constant
PUSH frame
PUSH constant
PUSH constant
PUSH Full Screen Rect
CALL 40C3C0




Create an NPC

PUSH 0x0100 ; ?
PUSH 0x00 ; ?
PUSH [[ebp + 08] + 4c] ; ?
PUSH 0x00 ; ?
PUSH 0x00 ; ?
PUSH XPOSITION
PUSH YPOSITION
PUSH NPC_ID
CALL 0x0046efd0



Render Underwater Timer

PUSH x-position
PUSH y-position
CALL 41A350



Kill Quote (drown?)

PUSH constant
CALL 421990


======================
===Quote's movement===
======================

Equipped weapon = $499C68
direction = $49E640
X-Velocity = $49E66C
Y-Velocity = $49E670
Max Health = $49E6D0
Underwater Timer = $49E6DC
Something to do with booster = $49E6E8
 
May 2, 2009 at 3:17 PM
Been here way too long...
"Life begins and ends with Nu."
Join Date: Jan 4, 2008
Location: Lingerie, but also, like, fancy curtains
Posts: 3052
sort of dooeys sounded better than mostly dooeys, but hey.
=D
 