Twix
Advance Member
- 394
- 02/26/15
- 178
Here is a good tutorial for anyone who is willing to learn what the arm assembly language is and how do you understand it.
This is a very useful tutorial to understand the basic instructions in IDA
Steps of doing:
1. Check the Game --> What could be hacked? What names the functions could have?
2. Load the Binary(lib file in lib folder) in IDA -->Check if load resources is checked
3. Let the IDA time to load
4. After that open up a Hexeditor and put the Binary in it
______________________________________________
Useful searches:
(the big ones are the key words)
Player's Life: life,health,damage,hp,live,power
e.g: CSoldierHero::takeDamage
e.g: CPlayer::removeHealth
Points: points,score,mp
e.g: Game::UpdatePoints
e.g: Game::AddPoints
e.g: Game::loadScore
Ammo: ammo,shoot,shot,fire,weapon
e.g CPlayer:
rocessShooting
e.g CPlayer::fire
e.g xxx:Link DeadubAmmo
If you have other things like 'speed' or 'suns' or something just try different options
Extras:
-level -->level up cheats
-powerups -->megajump,doodlejump
-some keywords depend on the game.. rpg,action,fun,...
-kill -->splinter cell
-Unlock --> Unlock is an important keyword *
______________________________________________
WHAT TO DO...?
ADD(e.g score): set to MOV R0,#480000000*
set the registers or the value after #xx to very high
SUB(e.g ammo): change to ADD,NOP it. Or set the SUB to #0
RSB(reverse subtract --take damage): NOP it or set the registers to low or try to change to an ADD
LDR(e.g score,...): change the Register to Register 7(R7) or to an MOV R0,#480000000*
STR(e.g setLife): Change the register to R7 or MOV R0,#480000000*
SUBS/ADDS (same like SUB and ADD)
______________________________________________
CODES:
ADD R3,R3 #1 -->01 30 83 E2
SUB R3,R3 #1 --> 01 30 43 E2
ADD R1,R3,R3 --> 01 30 83 E0
SUB R1,R3,R3 --> 01 30 43 E0
MOV R0,#48000000 = 12 03 A0 E3 -->very high value (you know the PvZ Hack where the sun turns into 9999? thats a MOV R0, #48000000)
MOV R0,#1 = 01 00 A0 E3 (often used for functions like : isXXX or hasXXX (e.g: player::hasAllWeapons if you use an MOV R0,#1 it always returns the value 1 so you have all Weapons))
MOV R0,#0 = 00 00 A0 E3 (often used for isXXX and hasXXX functions(e.g: player::needFood if you use MOV R0,#0 it always returns 0 , so you do not need food))
2Byte BX LR : 7047 -->deletes a function
2Byte Nop : C046 -->NOP = No operation
4Byte BX LR : 1EFF2FE1 -->deletes a function
4Byte Nop : 0000A0E1 -->NOP = No operation
_____________________________________________________
Branches:
Above mostly all Branch commands there have to be a CMP(compare) and because of this CMP it branches
e.g: BEQ(branch if equal) above: CMP R3,R2
so it doesnt branch because R3 not equal to R2
if CMP R2,R2 and then BEQ then it branches
BEQ = Branch if equal (cmp r2,r2)
BNE = Branch if not equal (cmp r3,r11)
BLT = Branch if lower than(cmp r2,r3)
BGT = Branch if greater than(cmp r3,r1)
_______________________________________________________
ONE SENTENCE IS IMPORTANT: "try it!"
Without trying you can't succeed.
So go ahead and try!
Plist editing - Hex editing - IDA Hacking
Plist: Just download some Games and rehack plists
Hex: Download savefile and Compare and learn with it some hex.
IDA: 1. Use the Offset DB and go with IDA to the Location. Check the function and what was changed. 2. Download some Binarys and Compare them. 3. Read Tutorials
My knowledge:
BX LR - NOP - SUB - ADD - LDR - STR - MOV - RSB
Just one last Thing: GDB isnt the horror. I dont like GDB. I can't work with it.
I just sometimes use it for checking a functions and their registers(e.g when I don't know what registers are low in there and what high).
Unlock:
In Brothers in Arm: Hour of Heroes
CSoldierHero UnlockAllWeapons
Double click on it..
Make an XRef from the Ttle of the function (highlight the function and press X)
Then there should be an BNE(branch not equal) it branches if not equal
If you change it to and B(branch no conditions) it always branches and you have your weapons unlocked..
This means yo can't change the function directly.. you have to check from where it comes
BNE,BLT,BGT,BEQ --> B = Change the last byte to an EA if it is 4 Byte XX XX XX EA
BNE,BLT,BGT,BEQ --> B = Change the last byte to an E0 if it is 2 Byte XX E0
CMP
If you hack ammo and you know there is a SUB Rx, Rx #1 which sumtracts your ammo the look above there should be a CMP.
If there is a CMP which compares thesame register as the SUB subtracts then you are right and it could be the CMP that compares if Rx = 0
IF Rx = 0 it reloads your gun
so if you NOP (0100A0E1) the CMP it doesnt reload as it doesnt compare if Rx is equal 0
You often find CMPs above Branches. This means you have two options: Either you make the BXX to only aB so it branches all the time(look at branches). Or you set the CMP as neede: e.g:
BNE(BranchNotEqual) so it branches when the comparison result isnt equal --> CMP R2,R3 if R2 and R3 have different values it branches as they aren't equal
ALL CREDITS TO HACKJACK I DID NOT MAKE THIS TUTORIAL
For more info you can go here Link For Detailed Info
This is a very useful tutorial to understand the basic instructions in IDA
Steps of doing:
1. Check the Game --> What could be hacked? What names the functions could have?
2. Load the Binary(lib file in lib folder) in IDA -->Check if load resources is checked
3. Let the IDA time to load
4. After that open up a Hexeditor and put the Binary in it
______________________________________________
Useful searches:
(the big ones are the key words)
Player's Life: life,health,damage,hp,live,power
e.g: CSoldierHero::takeDamage
e.g: CPlayer::removeHealth
Points: points,score,mp
e.g: Game::UpdatePoints
e.g: Game::AddPoints
e.g: Game::loadScore
Ammo: ammo,shoot,shot,fire,weapon
e.g CPlayer:
rocessShootinge.g CPlayer::fire
e.g xxx:Link DeadubAmmo
If you have other things like 'speed' or 'suns' or something just try different options
Extras:
-level -->level up cheats
-powerups -->megajump,doodlejump
-some keywords depend on the game.. rpg,action,fun,...
-kill -->splinter cell
-Unlock --> Unlock is an important keyword *
______________________________________________
WHAT TO DO...?
ADD(e.g score): set to MOV R0,#480000000*
set the registers or the value after #xx to very high
SUB(e.g ammo): change to ADD,NOP it. Or set the SUB to #0
RSB(reverse subtract --take damage): NOP it or set the registers to low or try to change to an ADD
LDR(e.g score,...): change the Register to Register 7(R7) or to an MOV R0,#480000000*
STR(e.g setLife): Change the register to R7 or MOV R0,#480000000*
SUBS/ADDS (same like SUB and ADD)
______________________________________________
CODES:
ADD R3,R3 #1 -->01 30 83 E2
SUB R3,R3 #1 --> 01 30 43 E2
ADD R1,R3,R3 --> 01 30 83 E0
SUB R1,R3,R3 --> 01 30 43 E0
MOV R0,#48000000 = 12 03 A0 E3 -->very high value (you know the PvZ Hack where the sun turns into 9999? thats a MOV R0, #48000000)
MOV R0,#1 = 01 00 A0 E3 (often used for functions like : isXXX or hasXXX (e.g: player::hasAllWeapons if you use an MOV R0,#1 it always returns the value 1 so you have all Weapons))
MOV R0,#0 = 00 00 A0 E3 (often used for isXXX and hasXXX functions(e.g: player::needFood if you use MOV R0,#0 it always returns 0 , so you do not need food))
2Byte BX LR : 7047 -->deletes a function
2Byte Nop : C046 -->NOP = No operation
4Byte BX LR : 1EFF2FE1 -->deletes a function
4Byte Nop : 0000A0E1 -->NOP = No operation
_____________________________________________________
Branches:
Above mostly all Branch commands there have to be a CMP(compare) and because of this CMP it branches
e.g: BEQ(branch if equal) above: CMP R3,R2
so it doesnt branch because R3 not equal to R2
if CMP R2,R2 and then BEQ then it branches
BEQ = Branch if equal (cmp r2,r2)
BNE = Branch if not equal (cmp r3,r11)
BLT = Branch if lower than(cmp r2,r3)
BGT = Branch if greater than(cmp r3,r1)
_______________________________________________________
ONE SENTENCE IS IMPORTANT: "try it!"
Without trying you can't succeed.
So go ahead and try!
Plist editing - Hex editing - IDA Hacking
Plist: Just download some Games and rehack plists
Hex: Download savefile and Compare and learn with it some hex.
IDA: 1. Use the Offset DB and go with IDA to the Location. Check the function and what was changed. 2. Download some Binarys and Compare them. 3. Read Tutorials
My knowledge:
BX LR - NOP - SUB - ADD - LDR - STR - MOV - RSB
Just one last Thing: GDB isnt the horror. I dont like GDB. I can't work with it.
I just sometimes use it for checking a functions and their registers(e.g when I don't know what registers are low in there and what high).
Unlock:
In Brothers in Arm: Hour of Heroes
CSoldierHero UnlockAllWeapons
Double click on it..
Make an XRef from the Ttle of the function (highlight the function and press X)
Then there should be an BNE(branch not equal) it branches if not equal
If you change it to and B(branch no conditions) it always branches and you have your weapons unlocked..
This means yo can't change the function directly.. you have to check from where it comes
BNE,BLT,BGT,BEQ --> B = Change the last byte to an EA if it is 4 Byte XX XX XX EA
BNE,BLT,BGT,BEQ --> B = Change the last byte to an E0 if it is 2 Byte XX E0
CMP
If you hack ammo and you know there is a SUB Rx, Rx #1 which sumtracts your ammo the look above there should be a CMP.
If there is a CMP which compares thesame register as the SUB subtracts then you are right and it could be the CMP that compares if Rx = 0
IF Rx = 0 it reloads your gun
so if you NOP (0100A0E1) the CMP it doesnt reload as it doesnt compare if Rx is equal 0
You often find CMPs above Branches. This means you have two options: Either you make the BXX to only aB so it branches all the time(look at branches). Or you set the CMP as neede: e.g:
BNE(BranchNotEqual) so it branches when the comparison result isnt equal --> CMP R2,R3 if R2 and R3 have different values it branches as they aren't equal
ALL CREDITS TO HACKJACK I DID NOT MAKE THIS TUTORIAL
For more info you can go here Link For Detailed Info
