|
| Author |
Message |
¹³³7
Site Admin
Joined: 10 Jan 2008
Posts: 89
Location: Australia. |
|
 Variables, A Guide To Hacking. |
 |
Alrighty, welcome to flash decomp 101 for newbies.
First off, I'm not going to go into hacking flash games with Cheat Engine, theres already a tutorial stickied for that, I'm just going to deal with finding and using the variables that game developers put into their games.
Q. So, what is a variable?
A. Variables are areas of memory allocated to hold data that the program or game needs to save for later use. Anything with a numeric value (eg. Health, Mana, Money, or Ammo) is assigned a variable inside a game. The game refers to each of these by a variable name assigned to it by the programmer who wrote the game. These can be simple to guess, or be something that has nothing to do with what the variable name represents. For instance, there is no reason that, as a programmer, you couldn't make a variable named 904883A for health, or even have Ammo control health. This is what makes flash hacking very challenging at times.
Q. What are they good for?
A. Using a programming language and a tool called an ActiveX Flash Control, we can make programs that change these variables IF we know the variable name attached to it.
Q. How do you know what the variables are named, for sure?
A. Often you don't. The easiest way is to guess. Often programmers are not a very creative sort, and definitely not a hacker(with a few exceptions). Should that fail, there are a few programs floating around the internet that allow you to take apart a Flash game to look at the original code in a way that makes the code very similar to what the programmer wrote. You'll be viewing variables, functions and classes and you should probably brush up on some ActionScript to make sense of what you are seeing. The two most common programs to do this with are Flasm and Sothink SWF Decompiler.
Q. You just lost me....
A. Ok, we just talked about variables, they hold stuff. Well, functions DO stuff with the data that the variables hold. Like add to them, subtract from them, or move them from place to place. Classes are like giant variables that hold a whole bunch of smaller variables inside them.
Q. Why do I need to know that?
A. Often when looking at someone's code, if you can't find a variable name your looking for, you can look for a function that changes it. For example, you are looking for the variable name for health, but you can't find it. A good approach would be to look for a function called "Player_Shot". If you get shot, your health drops a little, so the variable name HAS to be in this function somewhere. If you find a variable name, and it just doesn't work, often that means it is part of a class. A typical variable name is "_level0.health" or "_root.health". If you figure out that health is a variable contained in the class "Player" the variable name we would need to use would be, "_root.Player.health". You should also note that in most cases "_level0" and "_root" are interchangable, they both mean that the following variable name is not contained within a class.
Q. Can't game writers do anything to stop this?
A. Sure they can. Usually however they don't. Flash programmers are far more worried about a rival company trying to pirate their game to worry about cheaters as well. Most of the games that stop me in my tracks for a bit do so completely by accident.
Q. What options are there to protect a game?
A. Well, you can scramble the variable names into something with no meaning like G34523 for health, this is referred to as obfuscation. You could put extra code into your game to make it nearly impossible to decomile, this is called encryption. Or you can embed all your variables inside a class, inside another class, inside a wrapper program. Or you could do all three.
Q. How often do you find these protections in place?
A. Not as often as you might think. Encryption is fairly common, when you stumble across it, you can either guess until you hit a good variable name, or use Cheat Engine to search for strings in your memory that will give you good clues. This is still usually a guessing game. When a game is obfuscated the surest way of discovering the variable names is to try them ALL. This is a time consuming process, but it's not difficult at all. Obfuscation is pretty rare.
Q. Okay, so now I know what a variable is, how to find it, and what it's good for. How do I USE it?
A. Either build or download a Universal Flash Trainer. Usually these will have a box somewhere where you type the variable name EXACTLY, then in another box, you'll type the new value you want this variable to have. For instance, in Box A type "_root.player.health" in Box B type "1000000" there you go, 1 million health.
Q. Wow, that sounds really easy!
A. Yes it is.
Q. Thats kind of disturbing, how easy it is.
A Yes, yes it is.
Q. Hey, thanks for the tutorial, can I +Rep you?
A. If you must....
----Some time later----
Q. It's me again, I had a couple more questions.
A. ... Who are you?
Q. I'm you, but more newb-like.
A. ... Right. Whats the questions?
Q. Okay, so I understand what variables are, can you give me some more in depth advice on how to get the variable names?
A. I suppose I could. First we'll talk about Sothink. To use it, first double click the shortcut to open it. Use the 'Explorer' window in the top left to find the folder where your SWF file is located. Click on the SWF file in the window located below the 'Explorer'. The swf begins to play in the viewport, and a bunch of stuff pops up in the far right window, Shape, Image, Sound, etc. What you want is the 'Action' folder. Click the + sign next to that folder. You now see 'Main Movie' and a bunch of Frames. Click on 'Main Movie'. You should now see a bunch of code in the center of the screen. Now the real hunt begins. Browse through the code in either 'Main Movie' or any of the frames until you find something that looks useful, such as:
Code:
function stage_init()
{
getEnemyNum();
getRoleNum();
status_mc.gotoAndStop("status");
status_stage(stageID + 1);
status_self_num(role_num);
status_enemy_num(enemyNum);
status_gold(gold_total);
castle_life = castle_life_total;
if (mission[stageID] == "time")
There you see castle_life? Thats probably useful. Fire up your trainer you wrote (or downloaded) and attempt to use this code:
Code:
Name-Of-Flash-Control.GetVariable (_root.castle_life)
GetVariable will spit out what ever value is currently stored in this variable. Remember to have the game running, and to a point where this variable would have already been used as least once. The variable doesn't exist in the game until it has been used. Also remember, when using this code that you need to tell vb or delphi to store the value somewhere you can read it. Like in a textbox on the screen. If GetVariable doesn't find the variable it pops up an error that WILL kill your program. Remeber your error handling. (If your not a programmer, Katana and UFT MX 1.1 have variable testers that do this for you.)
Once you've found a variable that works and hopefully is something useful, it's easy to change it to whatever you want using another line of code.
Code:
Name-Of-Flash-Control.SetVariable (_root.castle_life, ##[this is the new value of the variable])
For the previously mentioned example, _root.castle_life, you could set it to something stupidly high and not have to worry about it again. Alternatively, you could just make a timer so that the amount is reset to what you choose every couple of seconds. With this method you don't have to worry about your variable hitting 0 for as long as you play. Either way works really. A third method is to set a numerical variable (lives, health, whatever) to a string value. The flash player is built to adapt to any errors that occur while it is running, without requiring the user to do anything. This works to our advantage in this instance because you can't subtract an amount from a string. Consider the following:
Code:
FlashPlayer.SetVariable(_root.castle_life,"Cat")
Then in the Flash Player, this code executes:
Code:
castle_life = castle_life - 50
So what the flash player ends up with is:
Code:
"Cat" - 50 = ?
ERROR
HIDE THE ERROR
IGNORE THIS COMMAND
CONTINUE
So nifty it's cruel.
Q. Wow, this guide really helped me, but I've noticed that there are some variables that I can't change. I know they are there because I decompiled the SWF and I found them, but they don't show up anywhere when I use my variable tester. Why is that?
A. I was waiting for you to notice this. What you are refering to are either registers or global variables. Normally, when a SWF file is loaded in the flash player, only the variables in the first frame are given space in memory. As the flash player runs, the SWF requires more variables, and so the player creates someplace to store the variable and attaches the variable name to the memory space. With global variables and registers this process is skipped. Anything that is stored under _global or _root.r# has memory allocated for it as soon as the player is ran regardless of it's position. This is important later, but more on why you can't reach it first.
You can't get to it because the external command we use, SetVariable or GetVariable, were never intended to reach them, so that functionality was never added. Perhaps this will change when the open source flash players now in development are released. We can only hope.
Q. Okay, so what about the games that ONLY use variables under _global or registers?
A. Remember earlier, how I talked about the differences between _global variables and _root variables? How _root variables are given memory space as the program runs and _global are given memory space right off the bat? Well theres one more important thing you need to know to answer this question. The flash player does it's best to be as efficient with memory as possible. If a variable is no longer in use, it is deleted from memory. When a variable is first used, it is created in memory. Flash doesn't stop by just turning that block or RAM into all zeros though. It shifts all the variables stored up or down to make sure it is always taking as little memory as is absolutely necessary. This is why hacking flash with a memory editor like cheat engine is so difficult, nothing likes to stay put. However with _global variables and registers, since they are the first things created in memory, at the top of the pile so to speak, they very very rarely need to be moved. It's because of this that they are so easy to break with a memory editor. Just use any of the tutorials available to learn to use Cheat Engine or a similar program. Oh and make sure to multiply your value by 8 when searching. If you don't understand this now, you will after you learn to use CE.
|
|
| Thu Jan 10, 2008 1:53 pm |
     |
 |
|
Jorg hi
¹³³7 Special User
Joined: 20 Jan 2008
Posts: 57
Location: XXX |
|
| MMM |
|
What if the game contains 10 shells for each variable and if any variable is changed it auto-detects it
and closes the game screen, and the auto-detect has 1 shell made sec by 1000 workers 
How can you bypass the shell lol.
_________________
I Like Pie
[img]http://forum.cheatengine.org/files/cc_599_178.jpg[img] |
|
| Sun Jan 20, 2008 10:41 pm |
  |
|
Jorg hi
¹³³7 Special User
Joined: 20 Jan 2008
Posts: 57
Location: XXX |
|
| Data Base |
|
How do you make a database for a game like dragonfable ect. and what are they used for?
_________________
I Like Pie
[img]http://forum.cheatengine.org/files/cc_599_178.jpg[img] |
|
| Sun Jan 20, 2008 10:48 pm |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
|
