KongHack
Hacking Games Since 2007
konghack.com
Quote from: "maximillian"


You will need:
Flasm: http://flasm.sourceforge.net/
sothink: http://isohunt.com/download/69837813/sothink.torrent
notepad++: http://notepad-plus.sourceforge.net/uk/site.htm

Like I said follow ROUGHLY what I do, there are differences between games.

Wildcards.

Sorry for stealing your post PK but I wanted this on the front page.
 


Link to more info: http://www.anotherbigidea.com/javaswf/avm2/AVM2Instructions.html

 
Quote from: "ActionScript 1 OpCodes"
No Operation (NOP) = 0x02,
ActionCall = 0x9E,
ActionDefineLocal = 0x3C,
ActionDefineLocal2 = 0x41,
ActionSetMember = 0x4F,
ActionAdd = 0x0A,
ActionAdd2 = 0x47,
ActionAnd = 0x10,
ActionAsciiToChar = 0x33,
ActionBitAnd = 0x60,
ActionBitLShift = 0x63,
ActionBitOR = 0x61,
ActionBitRShift = 0x64,
ActionBitURShift = 0x65,
ActionBitXor = 0x62,
ActionCharToAscii = 0x32,
ActionCloneSprite = 0x24,
ActionConstantPool = 0x88,
ActionDecrement = 0x51,
ActionDelete = 0x3A,
ActionDelete2 = 0x3B,
ActionDivide = 0x0D,
ActionEndDrag = 0x28,
ActionEnumerate = 0x46,
ActionEnumerate2 = 0x55,
ActionEquals = 0x0E,
ActionEquals2 = 0x49,
ActionGetMember = 0x4E,
ActionGetProperty = 0x22,
ActionGetTime = 0x34,
ActionGetVariable = 0x1C,
ActionGotoFrame = 0x81,
ActionGotoFrame2 = 0x9F,
ActionGoToLabel = 0x8C,
ActionGreater = 0x67,
ActionIncrement = 0x50,
ActionInitArray = 0x42,
ActionInitObject = 0x43,
ActionInstanceOf = 0x54,
ActionLess = 0x0F,
ActionLess2 = 0x48,
ActionMBAsciiToChar = 0x37,
ActionMBCharToAscii = 0x36,
ActionMBStringExtract = 0x35,
ActionMBStringLength = 0x31,
ActionModulo = 0x3F,
ActionMultiply = 0x0C,
ActionNextFrame = 0x04,
ActionNone = 0x0,
ActionNot = 0x12,
ActionOr = 0x11,
ActionPlay = 0x06,
ActionPop = 0x17,
ActionPreviousFrame = 0x05,
ActionPush = 0x96,
ActionPushDuplicate = 0x4C,
ActionRandomNumber = 0x30,
ActionRemoveSprite = 0x25,
ActionReturn = 0x3E,
ActionSetProperty = 0x23,
ActionSetTarget = 0x8B,
ActionSetTarget2 = 0x20,
ActionSetVariable = 0x1D,
ActionStackSwap = 0x4D,
ActionStartDrag = 0x27,
ActionStop = 0x07,
ActionStopSounds = 0x09,
ActionStoreRegister = 0x87,
ActionStrictEquals = 0x66,
ActionStringAdd = 0x21,
ActionStringEquals = 0x13,
ActionStringExtract = 0x15,
ActionStringGreater = 0x68,
ActionStringLength = 0x14,
ActionStringLess =  0x29,
ActionSubtract = 0x0B,
ActionTargetPath = 0x45,
ActionToggleQuality = 0x08,
ActionToInteger = 0x18,
ActionToNumber = 0x4A,
ActionToString = 0x4B,
ActionTrace = 0x26,
ActionTypeOf = 0x44,
ActionWaitForFrame = 0x8A,
ActionWaitForFrame2 = x8D,
ActionWith = 0x94,
ActionCallFunction = 0x3D,
ActionCallMethod = 0x52,
ActionNewMethod = 0x53,
ActionNewObject = 0x40,
ActionDefineFunction = 0x9B,
ActionDefineFunction2 = x8E,
ActionIf = 0x9D,
ActionJump = 0x99,
 
 
Quote from: "ActionScript 3 opcodes"
      final int OP_bkpt = 0x01;
      final int OP_nop = 0x02;
      final int OP_throw = 0x03;
      final int OP_getsuper = 0x04;
      final int OP_setsuper = 0x05;
      final int OP_dxns = 0x06;
      final int OP_dxnslate = 0x07;
      final int OP_kill = 0x08;
      final int OP_label = 0x09;
      final int OP_ifnlt = 0x0C;
      final int OP_ifnle = 0x0D;
      final int OP_ifngt = 0x0E;
      final int OP_ifnge = 0x0F;
      final int OP_jump = 0x10;
      final int OP_iftrue = 0x11;
      final int OP_iffalse = 0x12;
      final int OP_ifeq = 0x13;
      final int OP_ifne = 0x14;
      final int OP_iflt = 0x15;
      final int OP_ifle = 0x16;
      final int OP_ifgt = 0x17;
      final int OP_ifge = 0x18;
      final int OP_ifstricteq = 0x19;
      final int OP_ifstrictne = 0x1A;
      final int OP_lookupswitch = 0x1B;
      final int OP_pushwith = 0x1C;
      final int OP_popscope = 0x1D;
      final int OP_nextname = 0x1E;
      final int OP_hasnext = 0x1F;
      final int OP_pushnull = 0x20;
      final int OP_pushundefined = 0x21;
      final int OP_pushintant = 0x22;
      final int OP_nextvalue = 0x23;
      final int OP_pushbyte = 0x24;
      final int OP_pushshort = 0x25;
      final int OP_pushtrue = 0x26;
      final int OP_pushfalse = 0x27;
      final int OP_pushnan = 0x28;
      final int OP_pop = 0x29;
      final int OP_dup = 0x2A;
      final int OP_swap = 0x2B;
      final int OP_pushstring = 0x2C;
      final int OP_pushint = 0x2D;
      final int OP_pushuint = 0x2E;
      final int OP_pushdouble = 0x2F;
      final int OP_pushscope = 0x30;
      final int OP_pushnamespace = 0x31;
      final int OP_hasnext2 = 0x32;
      final int OP_newfunction = 0x40;
      final int OP_call = 0x41;
      final int OP_construct = 0x42;
      final int OP_callmethod = 0x43;
      final int OP_callstatic = 0x44;
      final int OP_callsuper = 0x45;
      final int OP_callproperty = 0x46;
      final int OP_returnvoid = 0x47;
      final int OP_returnvalue = 0x48;
      final int OP_constructsuper = 0x49;
      final int OP_constructprop = 0x4A;
      final int OP_callsuperid = 0x4B;
      final int OP_callproplex = 0x4C;
      final int OP_callinterface = 0x4D;
      final int OP_callsupervoid = 0x4E;
      final int OP_callpropvoid = 0x4F;
      final int OP_newobject = 0x55;
      final int OP_newarray = 0x56;
      final int OP_newactivation = 0x57;
      final int OP_newclass = 0x58;
      final int OP_getdescendants = 0x59;
      final int OP_newcatch = 0x5A;
      final int OP_findpropstrict = 0x5D;
      final int OP_findproperty = 0x5E;
      final int OP_finddef = 0x5F;
      final int OP_getlex = 0x60;
      final int OP_setproperty = 0x61;
      final int OP_getlocal = 0x62;
      final int OP_setlocal = 0x63;
      final int OP_getglobalscope = 0x64;
      final int OP_getscopeobject = 0x65;
      final int OP_getproperty = 0x66;
      final int OP_getpropertylate = 0x67;
      final int OP_initproperty = 0x68;
      final int OP_setpropertylate = 0x69;
      final int OP_deleteproperty = 0x6A;
      final int OP_deletepropertylate = 0x6B;
      final int OP_getslot = 0x6C;
      final int OP_setslot = 0x6D;
      final int OP_getglobalslot = 0x6E;
      final int OP_setglobalslot = 0x6F;
      final int OP_convert_s = 0x70;
      final int OP_esc_xelem = 0x71;
      final int OP_esc_xattr = 0x72;
      final int OP_convert_i = 0x73;
      final int OP_convert_u = 0x74;
      final int OP_convert_d = 0x75;
      final int OP_convert_b = 0x76;
      final int OP_convert_o = 0x77;
      final int OP_coerce = 0x80;
      final int OP_coerce_b = 0x81;
      final int OP_coerce_a = 0x82;
      final int OP_coerce_i = 0x83;
      final int OP_coerce_d = 0x84;
      final int OP_coerce_s = 0x85;
      final int OP_astype = 0x86;
      final int OP_astypelate = 0x87;
      final int OP_coerce_u = 0x88;
      final int OP_coerce_o = 0x89;
      final int OP_negate = 0x90;
      final int OP_increment = 0x91;
      final int OP_inclocal = 0x92;
      final int OP_decrement = 0x93;
      final int OP_declocal = 0x94;
      final int OP_typeof = 0x95;
      final int OP_not = 0x96;
      final int OP_bitnot = 0x97;
      final int OP_concat = 0x9A;
      final int OP_add_d = 0x9B;
      final int OP_add = 0xA0;
      final int OP_subtract = 0xA1;
      final int OP_multiply = 0xA2;
      final int OP_divide = 0xA3;
      final int OP_modulo = 0xA4;
      final int OP_lshift = 0xA5;
      final int OP_rshift = 0xA6;
      final int OP_urshift = 0xA7;
      final int OP_bitand = 0xA8;
      final int OP_bitor = 0xA9;
      final int OP_bitxor = 0xAA;
      final int OP_equals = 0xAB;
      final int OP_strictequals = 0xAC;
      final int OP_lessthan = 0xAD;
      final int OP_lessequals = 0xAE;
      final int OP_greaterthan = 0xAF;
      final int OP_greaterequals = 0xB0;
      final int OP_instanceof = 0xB1;
      final int OP_istype = 0xB2;
      final int OP_istypelate = 0xB3;
      final int OP_in = 0xB4;
      final int OP_increment_i = 0xC0;
      final int OP_decrement_i = 0xC1;
      final int OP_inclocal_i = 0xC2;
      final int OP_declocal_i = 0xC3;
      final int OP_negate_i = 0xC4;
      final int OP_add_i = 0xC5;
      final int OP_subtract_i = 0xC6;
      final int OP_multiply_i = 0xC7;
      final int OP_getlocal0 = 0xD0;
      final int OP_getlocal1 = 0xD1;
      final int OP_getlocal2 = 0xD2;
      final int OP_getlocal3 = 0xD3;
      final int OP_setlocal0 = 0xD4;
      final int OP_setlocal1 = 0xD5;
      final int OP_setlocal2 = 0xD6;
      final int OP_setlocal3 = 0xD7;
      final int OP_debug = 0xEF;
      final int OP_debugline = 0xF0;
      final int OP_debugfile = 0xF1;
      final int OP_bkptline = 0xF2;
 

I started to bytecode hack with CE myself I picked it pretty quickly it's very fun to create these kind of hacks its like editing assembly in native programs to create hacks like I used to in MMORPGS but one problem with editing bytecode in SWF.. my question is how do I NOP.. data in order to keep the size limit the same.


Okay so here is some original data for a example game I want to hack
 
Code: 
//96 10 00 00 73 63 6f 72 65 00 06 00 00 00 00 00 00 00 00 
_push "score" 0
//1d 
_setVariable
//96 0b 00 00 61 6d 6d 6f 00 07 05 00 00 00 
_push "ammo" 5
//1d 
_setVariable



which means
 
Code: 
score = 0;
ammo = 5;


of course this is the initializer for start of game.. so if I initialize a higher ammo or score.. I'll hack the game

now the values are 4 bytes aka DWORD but it's saved in reverse order small endian or idk..

but i know in C++ programming its easy to replicate using Lo/Hi's


So changing ammo is easy I just modify these
Code: 
05 00 00 00
now what about score? when I try to edit score.. it changes assembly completely.
 
Code: 
//96 0c 00 00 73 63 6f 72 65 00 07 [a3 07 64 00] 
_push "score" 6555555
//1d 
_setVariable
//96 0b 00 00 61 6d 6d 6f 00 07 05 00 00 00 
_push "ammo" 5
//1d 
_setVariable


I just changed it to
 
Code:
score = 6555555;
ammo = 5;


of course I still managed to change the score.. but I changed the algorithm that generates the score like changing addition to multiplication making my score increase much more rapidly(easy bytecode hacks).

But I want to modify the score to anything I want but you see the assembly is different.. so what must I do?

so i'm changing
This ->
96 10 00 00 73 63 6f 72 65 00 06 00 00 00 00 00 00 00 00 
To This ->
96 0c 00 00 73 63 6f 72 65 00 07 a3 07 64 00 1d

I have to nop 5 bytes in order for flash not to mess up the data by considering the extra 00 00 00 00 as another opcode.. and screwing up the flow.