[Sticky] Intro to Bytecode Hacking
-migrated-
[Sticky] Intro to Bytecode Hacking Posted on: 03/18/2010 5:45pm
Quote Post
The purpose of this guide is to introduce you to the art of bytecode hacking, also known as looking for array of bytes (AoBs). Now, if you are already a proficient bytecode hacker, these guides will probably do very little to help you, as most of my knowledge comes from this forum. However, my knowledge has accumulated over months of looking through various tips here and there in different threads, and I wished to compile it all into one place. So, this thread is the start of a series of guides that will hopefully inspire many more bytecode hackers.

Myself, I started with limited experience in C++ and absolutely no knowledge of ActionScript, the language used in Flash. I would suggest learning the basics of coding, perhaps through an online tutorial. Coding in any programming language helps immensely, but is not necessary to learning how to bytecode hack. You just need to be able to adapt quickly and be very patient.
I first learned about bytecode hacking through this guide. This is pretty basic and the tools in this video guide are, for the most part, outdated. However, there are some extremely helpful discussions in this thread (if you care to look through ~19 pages of posts).
One of the most amazing hacks is shown in Ignored's tutorial on the Farmville game here.
A great tutorial by deity on how to find functions through sprites and changing them accordingly here.


Now, let's begin by becoming acquainted with the tools and how bytecode hacking works.

Step 1: Download the .swf file
In Firefox, the most common way is through AdBlock Plus, in which you simply look for the .swf file that has loaded on the page. More details here.
In Google Chrome, one can use a slightly different method as outlined here.

Kongregate
:
This will work for most kongregate games, and it is usually in the form of
Code: [Select]
http://chat.kongregate.com/gamez/####/####/live/GAME_NAME.swf?kongregate_game_version=###########. For example, for Robot Wants Kitty, the file is
Code: [Select]
http://chat.kongregate.com/gamez/0007/3913/live/robotkitty_kong.swf?kongregate_game_version=1268274573Newgrounds:
This will work for most Newgrounds games, and is usually in the form of
Code: [Select]
http://uploads.ungrounded.net/#####/#####_GAME_NAME.swf For example, the game Hippolyta is at
Code: [Select]
http://uploads.ungrounded.net/530000/530069_Amazon.swf
Note: Sometimes, due to encryption or something, you will not be able to find the correct file, or perhaps the file is unreadable. This can often be circumvented using Mr.White's great tool called swfmdump, which dumps the file from the computer memory.

Step 2: Decompile the .swf file
The tool that is used by the members on this forum (and is highly recommended) is called SoThink. You can easily get a torrent for SoThink and its key (newest version is ~5.4).

Now, open the .swf file with the installed decompiler. With SoThink, you can right-click on the file and click on SoThink, or alternatively, you can open the file through Sothink itself.
Navigating SoThink shouldn't be too difficult. After you open it, hopefully it should look something like this:
(broken image removed)
Expand on the right side (circled in red) and you should see the different components. Usually, all the code is under "Action" so let's see what's there. Let's look with the section that says "Game."

(broken image removed)
If you look on the top (circled in red), there's 3 different types of views for the same piece of code. Source Code is the human-readable code, or what it looks like before decompiling. P-Code is the computer instructions associated with this code.


Raw data is all the bytes that are fed to the computer. These bytes are stored in the computer's memory, and it is these bytes that we want to change.

Step 3: Changing the bytecode
This is the most difficult part to become proficient at, and knowing what to change and what to change the bytes to requires a lot of skill; it is what makes the greatest hackers on this forum so great. Any experience in coding really helps, but is not necessary at all.

Now, with AS2 (used in Flash 8 or before), you can use a tool called Flasm. Details are given in this video guide. However, most games these days are coded with AS3 (Flash 9 or later), so Flasm is useless.

Let's first see the basics of how bytecode works.

Take the game Creeper World Training Sim.
After decompiling and searching through it, I find a function called calculateDamage.

You can see at the top it defines several variables (that don't really matter to us), and then it goes right into calculating the damage and executing commands based on the damage.
The bytecode that corresponds to this code is here:
Code: [Select]
private function calculateDamage() : Boolean
{
//d0
_as3_getlocal <0>
//30
_as3_pushscope
//28
_as3_pushnan
//d5
_as3_setlocal <1>
//24 00
_as3_pushbyte 0
//63 04
_as3_setlocal <4>
//27
_as3_pushfalse
//d6
_as3_setlocal <2>
//24 ff
_as3_pushbyte -1
//d7
_as3_setlocal <3>
//10 6c 00 00
_as3_jump offset: 108
//09
_as3_label
//24 ff
_as3_pushbyte -1
//63 04
_as3_setlocal <4>
//10 59 00 00
_as3_jump offset: 89
//09
_as3_label
//60 1b
_as3_getlex com.wbwar.creeper::GameSpace
//66 f9 0d
_as3_getproperty instance
//66 b6 01
_as3_getproperty glop
//66 99 06
_as3_getproperty data
//60 8a 03
_as3_getlex gameSpaceX
//62 04
_as3_getlocal <4>
//a0
_as3_add
//60 8b 03
_as3_getlex gameSpaceY
//d3
_as3_getlocal <3>
//a0
_as3_add
//60 1b
_as3_getlex com.wbwar.creeper::GameSpace
//66 97 09
_as3_getproperty WIDTH
//a2
_as3_multiply
//a0
_as3_add
//66 e5 12
_as3_getproperty {}
//75
_as3_convert_d
//d5
_as3_setlocal <1>
//d1
_as3_getlocal <1>
//60 b7 01
_as3_getlex com.wbwar.creeper::Glop
//66 c4 0f
_as3_getproperty MIN_HEAT
//0f 29 00 00
_as3_ifnge offset: 41
//26
_as3_pushtrue
//d6
_as3_setlocal <2>
//5e f9 02
_as3_findproperty health
//60 f9 02
_as3_getlex health
//60 bf 03
_as3_getlex com.wbwar.creeper:Weapon::damageAmt
//a1
_as3_subtract
//68 f9 02
_as3_initproperty health
//60 f9 02
_as3_getlex health
//24 00
_as3_pushbyte 0
//0c 11 00 00
_as3_ifnlt offset: 17
//5e f9 02
_as3_findproperty health
//24 00
_as3_pushbyte 0
//68 f9 02
_as3_initproperty health
//5d a4 03
_as3_findpropstrict destroy
//4f a4 03 00
_as3_callpropvoid destroy(param count:0)
//26
_as3_pushtrue
//48
_as3_returnvalue
//c2 04
_as3_inclocal_i <4>
//62 04
_as3_getlocal <4>
//24 01
_as3_pushbyte 1
//16 9f ff ff
_as3_ifle offset: -97
//c2 03
_as3_inclocal_i <3>
//d3
_as3_getlocal <3>
//24 01
_as3_pushbyte 1
//16 8d ff ff
_as3_ifle offset: -115
//d2
_as3_getlocal <2>
//96
_as3_not
//2a
_as3_dup
//12 05 00 00
_as3_iffalse offset: 5
//29
_as3_pop
//60 8d 03
_as3_getlex building
//96
_as3_not
//12 1f 00 00
_as3_iffalse offset: 31
//5e f9 02
_as3_findproperty health
//60 f9 02
_as3_getlex health
//2f 15
_as3_pushdouble 0.01
//a0
_as3_add
//68 f9 02
_as3_initproperty health
//60 f9 02
_as3_getlex health
//60 99 03
_as3_getlex maxHealth
//0e 09 00 00
_as3_ifngt offset: 9
//5e f9 02
_as3_findproperty health
//60 99 03
_as3_getlex maxHealth
//68 f9 02
_as3_initproperty health
//d2
_as3_getlocal <2>
//48
_as3_returnvalue
}// end function

Now we must decide which bytes corresponds to which code.

For now, we'll use key words such as "Destroy" or "health". So,
Code: [Select]
health = 0;
destroy();
return true;
}
corresponds to something like this:
Code: [Select]
//5e f9 02
_as3_findproperty health
//24 00
_as3_pushbyte 0
//68 f9 02
_as3_initproperty health
//5d a4 03
_as3_findpropstrict destroy
//4f a4 03 00
_as3_callpropvoid destroy(param count:0)
//26
_as3_pushtrue
//48
_as3_returnvalue

Note that in structuring bytes, it first lists the variable such as health, and then it pushes the byte 0 to assign 0 to health. In later tutorials, I will go into more detail on pushing numbers and such.
Anyways, this piece of code corresponds to a structure that the player builds. Obviously, we don't want our own structures destroyed, so we'll NOP out the call to the function "destroy."
So, copy+paste the 2 lines of code that correspond to this line:
Code: [Select]
destroy();
which would be
Code: [Select]
//5d a4 03
_as3_findpropstrict destroy
//4f a4 03 00
_as3_callpropvoid destroy(param count:0)

The AoB we search for would be
5d a4 03 4f a4 03 00
and to NOP it out, we replace it with 02:
02 02 02 02 02 02 02

And there you have it! We have now found an AoB for invincible units!

Step 4: Using the bytecode hack
If you don't know how to use the Aob, look at the Hacking FAQ or the Guide to the Basics

Also, now you can give back to this community and post your newly-found AoB on the forums! (Sorry, but the one for Creeper World Training Sim has already been posted! (broken image removed) )

Finally, thanks to KH for hosting this awesome forum, and thanks to all you crazy hackers who have taught me everything I know about hacking!
Newgrounds medals hack Posted on: 03/19/2010 8:54am
Quote Post
Umn, i dont know if it belongs here or not, but i would like to post my most favourite hack of all, switching medals. Screenshots are mainly same as pythag12s

Step 1 is exactly same, Step 2 aswell

In Step 3 we are looking mostly for: MainMovie, Main Timeline, Game, Player, EndGame, and anything else like this. To easily find where are medals, you can look on top of panel with code and look for Import (mostly you will find com.newgrounds or something and there it is). Next thing is to find exact medal.
Devs use only 3 methods. First one is to actually write medal name in format API.MedalNameNG and name (before you kill me for lying, it is example). Name of medals are ALWAYS in green if you have coloured SoThink. (Example = Larry: Dough Out)
Other one is more tricky, but it only requires bit of looking. You will find names of medals, but in _root, which wont help us. If there is MedalName = medal 1, you will continue searching for medal 1. (Example = no examples in my mind now)
Last one is insanely hard, you dont see actual medal name, but you see requirements for said game. I will use Remnants Lost Legacy as example (MFZ game). I tried to look for name, when i found Act1Veteran, which is actually medal requirement. It tells you to beat few levels on insane difficulty. Dogtags is other one, it is for finding all tags in game and so on. (Example = Remnants Lost Legacy)

Step 4
Very simple, once you located all medals and wrote AoBs somewhere (switch to Code view and look for medals), you can find easiest one. Once you found it, open Cheat Engine, switch to AoB search and insert your AoB. After you found 1 or 2 values (Rarely more) you change them with medal you would like to get. Then go to game, complete requirements for medal requirements you changed and get the medal you want

Example (Practice with me (broken image removed) )
We are looking for medals for Larry
(Sorry, cant do it as awesome as pythag)
Step 2
Code: [Select]
http://tinypic.com/view.php?pic=dabl&s=5In red circle you see import, and place where are some medals, other are in UpgradeWindow

Step 3
If you look into UpgradeWindow, you will see medal named Massive Score. This one requires to get 1M points which is way too time consuming. If you use search and search for Maxed, you will find medal Maxed Weapons, which is upgrading weapon to max. Also, Best Quality In Town medal requires you to fully upgrade your ale. Both are very easy to get with changing value of money earned with CE. Change to code view and find them again
Code: [Select]
//2c ea 0f
_as3_pushstring "Massive Score"
ALWAYS, arrays are above what they resemble. What does this mean? Massive score is medal and this function sends informations to NG, in this example, that it should give you this medal. By altering array, it will change name of medal resulting in change of medal achieved

So in the end, it looks like this
2c f6 0f (Maxed Weapons) => 2c ea 0f (Massive Score)

Exception: There are games in which you cant do this, like Sideways, because lenght of array isnt same. If something like this occurs and you change smaller to bigger, your browser may crash. For this, use pythag12s method or pick more simple game when you are in learning process
True/False values Posted on: 04/08/2010 5:42pm
Quote Post
True and False

In bytecode hacking, True/False values are just that: stating if a function is true, or false. So, if we find a function that says for example "Player loses health=true", its counterpart AoB will have 01 at the end; making the function true - the player loses health. If it would be "Player loses health=false", the AoB will end with a 00, making it false - the player does not lose health.
In AS3 (Action Script 3), we can also find in the Raw Data functions that say "_pushtrue" or "_pushfalse". They are independent functions, coming normally after _findproperty and before _initproperty. What they say is that the above is true, or false. Example:
Code: [Select]
//5e c0 05
_as3_findproperty TriShot
//27
_as3_pushfalse
//68 c0 05
_as3_initproperty TriShot
...says that TriShot is false. In cases like this we cannot use the simple True/False.

00 and 01

A small thing to know before we begin:
  • 00 = false
  • 01 = true
  • The end of an AoB is its value.
  • A sprite is an image that can contain an action. Connected with other sprites it makes up what we see on the screen.

Let's take the game The Flood Runner 2. Using the method in pythag's first tutorial, we look at its .swf. As you can see, this game is made out of MainMovie and tons of sprites. MainMovie is usually where you can see what happens in general, and it has redirects to Sprites.

We're searching for infinite lives. If you've played the game, you know that when you fall starting a certain point, you have a surfboard that rescues you once. So, if we make it so that you'll always have a surfboard, voila, infinite lives.

Searching for Surf in MainMovie leads us to...nothing. So we're looking at the wrong place. But, if we expand our search, we can find Surf in several sprites. But when you look at some of them, they only check if you can surf. For example, in Sprite 242 (Bat):
Code: [Select]
_root.canSurf_mc.gotoAndStop(3);
It says 'goto', meaning it doesn't define canSurf, it goes to canSurf.

It is the case with the other sprites with slight variation, except in Sprite 985.



Code: [Select]
// [Action in Frame 1]
stop ();
_global.canSurfit = false;

// [Action in Frame 2]
stop ();
_global.canSurfit = true;

// [Action in Frame 3]
stop ();
_global.canSurfit = false;

Now, that's something we can work with! It actually tells us if we can surf; true or false.

And now we look at the Raw Data to find the AoB.



Code: [Select]
//96 0d 00 00 63 61 6e 53 75 72 66 69 74 00 05 00
_push "canSurfit" false

//96 0d 00 00 63 61 6e 53 75 72 66 69 74 00 05 01
_push "canSurfit" true

//96 0d 00 00 63 61 6e 53 75 72 66 69 74 00 05 00
_push "canSurfit" false
See the similarities and difference? When "canSurfit" is false, it has a 00 at the end, but when true, it has a 01. Idea idea?
What we can firmly state here is if we take '_push "canSurfit" false' and turn it true in every case, we can always surf!

So, our AoB will be:

96 0d 00 00 63 61 6e 53 75 72 66 69 74 00 05 00 =>
96 0d 00 00 63 61 6e 53 75 72 66 69 74 00 05 01

And we change both addresses.

_pushtrue and _pushfalse
credits to Derek for finding the AoB.

2 important things to know:
  • pushtrue = 26
  • pushfalse = 27

Let's take a game from OMGPop. Gemmers is a good idea. Unlike in Kongregate, finding the swf is a little harder, as it doesn't go by Gemmers, so we have to scroll by looking for the .swf extension. It's a random array of letters and numbers.

What we're looking for is Jewel Vision. Jewel Vision lets you see which groups of gems you can destroy, giving you an advantage.
Since we know that we're looking for a pushtrue or pushfalse, we switch to Raw Data view and scan for findproperty jewelVision. All the results we get are in BaseBoard.

When we look at the first result, we got what we find:
Code: [Select]
//5e 9e 02
_as3_findproperty jewelVisionMode
//27
_as3_pushfalse
//68 9e 02
_as3_initproperty jewelVisionMode

We want to make jewelVisionMode true. Currently, it is pushed to false. So, we will replace pushfalse with pushtrue:

5e 9e 02 27 68 9e 02 =>
5e 9e 02 26 68 9e 02

I searched a little, and found out there were two cases where jewelVisionMode was pushed false. So we change both results.
Algebraic Actions Posted on: 05/13/2010 3:37pm
Quote Post
Add, Subtract, Divide, Multiply, Increment and Decrement

Usually, when you buy an item using gold, the gold number your character has is subtracted by the item's cost. A small example for a vast subject: You can use basic algebraic methods to calculate things. If you're hit, HP-Damage. You pick an upgrade, UpgradeLevel+1. You can use multiplication and division for things more complex; for example, making an HP Bar and even encoding.
Increment and Decrement are very basic aspects. Increment is +1, decrement is -1. They have two uses: One is to confuse, the other is to save space (in as3 for example, instead of writing 24 01 a1, you can instead write 93 [see below to understand.])

In this type of hacking, we can either change the algebraic command to another one to our benefit (like instead of subtracting points, adding points) or we can just NOP the command, so that it won't do anything.

A thing before we begin (left is in AS2, right is AS3):
  • Add - 47 a0
  • Subtract - 0b a1
  • Divide - 0D a3
  • Multiply - 0C a2
  • Increment - 50 91
  • Decrement - 51 93

For the first example, let's take Warfare: 1917.
Now, let's look for the upgrade points. So, instead of just searching for upgradePoints, which will give us a lot of results, we can instead search for "upgradePoints - " (without the brackets). That only gives us two results: both of which are the same.
Code: [Select]
function buyUpgrade(upgradeSlot)
{
if (upgradeSlot.objectRef.unlocked && upgradeSlot.objectRef.active == false && upgradePoints >= upgradeSlot.objectRef.cost)
{
upgradePoints = upgradePoints - upgradeSlot.objectRef.cost;
upgradeSlot.objectRef.active = true;
checkUpgrades(playerTeam.team);
hud.upgrades.upgradePointsText.text = upgradePoints;
_root.menu.upgrades.upgradePointsText.text = upgradePoints;
showQuickMessage("UPGRADE PURCHASED");
saveGame();
} // end if
} // End of the function
Now, it's counterpart Raw Data is very large. So inside it, we search for upgradePoints. When you get to what we actually care about, it should look like this:
Code: [Select]
//96 04 00 08 17 08 17
_push "upgradePoints" "upgradePoints"
//1c
_getVariable
//96 05 00 04 02 09 44 04
_push register2 "objectRef"
//4e
_getMember
//96 03 00 09 d7 03
_push "cost"
//4e
_getMember
//0b
_subtract
//1d
_setVariable

What this does is taking the upgrade points and the object ref. It then subtracts it from the cost. So, if we change the subtract to add, every time we purchase an upgrade, instead of losing upgrade points, we get them! Since this is AS2, 0b is subtract. So we change the subtract to add (47 in AS2.)

We can now make the AoB:
96 04 00 08 17 08 17 1c 96 05 00 04 02 09 44 04 4e 96 03 00 09 d7 03 4e 0b 1d =>
96 04 00 08 17 08 17 1c 96 05 00 04 02 09 44 04 4e 96 03 00 09 d7 03 4e 47 1d


Next, for a little challenge, take Khronos. What I'm gonna do here is give you two functions...you need to go to them in Khronos' .swf and hack them yourself! The answer is in the end of this tutorial.
Code: [Select]
public function playHit(param1:int = 1, param2:int = 0, param3:int = 0, param4:Number = 1)
{
var _loc_5:* = undefined;
var _loc_6:* = undefined;
if (objMC.currentLabel != "dead")
{
hitEffect(this.x, this.y - param3, param4);
_health = Math.max(_health - param2, 0);
_loc_5 = null;
if (_health <= 0)
{
objMC.gotoAndPlay("dead");
_loc_5 = new se_hit3();
_loc_5.playSound(coreSys.gmSound);
_loc_6 = new Splash();
_loc_6.initialise(coreSys, this.x, this.y);
_loc_6.scaleX = 1.5;
_loc_6.scaleY = 1.2;
objMenu.showResult();
}
Code: [Select]
private function playSpecial()
{
if (objMC.currentLabel == "standby" || objMC.currentLabel == "walk" || objMC.currentLabel == "run")
{
if (_overdrive >= 200)
{
objMC.gotoAndPlay("special");
_overdrive = Math.max(_overdrive - 200, 0);
objMenu.setOverdrive(_overdrive, 1000);
objMenu.addSpecial();
}
}


Now...for a little twist. Instead of just algebraic commands, we use cause and effect to our advantage. We use the game Neon Rider for that.

Open the .swf. What we want here is invincibility. If we would search for health, there would be a lot of results...so we use a little trick here. Search for "health -" (without the quotation marks), since we're looking for what decreases health. We only get 1 result:
Code: [Select]
public function hurt(param1:Number) : void
{
this.health = this.health - param1 / 2;
this.visuals.updateHealth(this.health);
return;
}// end function

It's counterpart in Raw Data is:
Code: [Select]
public function hurt(param1:Number) : void
{
//d0
_as3_getlocal <0>
//30
_as3_pushscope
//d0
_as3_getlocal <0>
//d0
_as3_getlocal <0>
//66 fe 02
_as3_getproperty health
//d1
_as3_getlocal <1>
//24 02
_as3_pushbyte 2
//a3
_as3_divide
//a1
_as3_subtract
//68 fe 02
_as3_initproperty health
//d0
_as3_getlocal <0>
//66 93 03
_as3_getproperty visuals
//d0
_as3_getlocal <0>
//66 fe 02
_as3_getproperty health
//4f 9e 03 01
_as3_callpropvoid updateHealth(param count:1)
//47
_as3_returnvoid
}// end function
But we only care about 1 little part in it. Specifically, the one which deals with what happens to our HP:
Code: [Select]
//66 fe 02
_as3_getproperty health
//d1
_as3_getlocal <1>
//24 02
_as3_pushbyte 2
//a3
_as3_divide
//a1
_as3_subtract
//68 fe 02
_as3_initproperty health

Let's see what we have in here. It gets health, gets damage (local), divides by 2, subtracts health to result. Normally, we can change the subtract to 02, NOP it out. But we can do a little something else.
Since something is also being done to the damage (divide by two), we can multiply the damage by 0. Meaning, that if I got 6 damage: Lost health=Health-6*0=0; we get no damage!
So our AoB will be:
66 fe 02 d1 24 02 a3 a1 68 fe 02 =>
66 fe 02 d1 24 00 a2 a1 68 fe 02


[spoiler=Khronos Solutions:38z60xjb]Health:
Code: [Select]
5e f4 05 60 8f 0a 60 f4 05 d2 a1 => 5e f4 05 60 8f 0a 60 f4 05 d2 a0Special:
Code: [Select]
5e 85 06 60 8f 0a 60 85 06 25 c8 01 a1 => 5e 85 06 60 8f 0a 60 85 06 25 c8 01 a0
Hexadecimal Counting System Posted on: 06/05/2010 5:20pm
Quote Post
(I'm not sure if this should be in a different topic...but oh well)

Hexadecimal(=Hex) is the system we use in Bytecode Hacking, wherein the symbols 0-9 and a-f are used. To the untrained eye, it all seems like a huge jumble and makes no sense at all, but there is a lot of sense in it. Hopefully I can help you see how it works.

Base 16
Hexadecimal is a fancy way of saying "Base 16". What is Base 16, you ask? Wonderful question!

We count in the Decimal system, where the symbols 0-9 are in use. What do we do after the 9? We add a "1" to the next column, and a 0 as a placeholder (9+1=10). That is called Base 10; count the digits in use, and you will find that they're exactly 10.
The Binary system is in Base 2. We begin in 0, then in 1. But then, we add a "1" to the next column, and a 0 as a placeholder. It can be illustrated as such: (decimal in blue, Binary in red)
0=0
1=1
2=10
3=11
etc. If you don't believe me, open Calculator in Scientific mode.

Now, the Hexadecimal system is Base 16. The numbers 10-15 in this method are the letters a-f. The exact same rules are applied as in the Decimal and Binary system. Illustration:(decimal in blue, Hexadecimal in red...I'm also starting the list in 9)
9=9
10=a
11=b
12=c
[...]
15=f
16=10

See? Piece of cake! But wait...the last one? Confused? Well, it's just like going over to the next number. In Hexadecimal, "a" is the number that follows 9, and "f" is the last in the chain, so when we go to "f+1", we put a 1 in the next block, and 0 as the placeholder, just like we did with "9+1". Yes, it can be hard to adjust to, and seems odd at first, but no worries.

Taking it up a notch
Now that you understand the basics, it's important to know the concept behind those numbers. It should be said in a WARNING that this requires basic knowledge of Arithmetic (meaning, things like plus signs and "to the power of..."), but it really isn't that difficult. I was able to explain it to a bunch of Elementary School children.

Let's take a nice number like 3871 (this time, we're using this number in base 10). It's an everyday number going to work in the Nuclear Waste facility and father of 12 children (12 in Hexadecimal, that is). But just like your body is constructed of hydrogen, carbon, oxygen, iron and many other stuff, 3871's body is constructed of 4 objects:
(3*10[sup:2a15cwao]3[/sup:2a15cwao]) + (8*10[sup:2a15cwao]2[/sup:2a15cwao]) + (7*10[sup:2a15cwao]1[/sup:2a15cwao]) + (1*10[sup:2a15cwao]0[/sup:2a15cwao]) , or 300+80+70+1.

3871 has a wife called 2A9. Despite the fact that 2A9 is in Hex, she and her husband can get past their differences and live a happy life in the Bahamas. Just like 3871 and everybody else, 2A9 is also made out of several objects. All those objects are, of course, in Base 16. But she can be turned into Decimal any time using this way: (note that we convert what the letters mean into base 10 numbers)
(2*16[sup:2a15cwao]2[/sup:2a15cwao]) + (10*16[sup:2a15cwao]1[/sup:2a15cwao]) + (9*16[sup:2a15cwao]0[/sup:2a15cwao]) = (2*256) + (10*16) + (9*1) = 512 + 160 + 9 = 681.

If you don't believe me that 2A9=681, try it out in Calculator.

---
I extremely apologize, but I've not yet thoroughly figured out how to turn into Negative Values. If it's on any comfort, you can use Calculator or the TSearch Calculator (the program itself sucks, only the calculator's cool). For single bytes, take the last two letters of the result in Calculator (e.g. if you search for -100, you'll get like FFFFFFFFFFFF9C, the 9C is what you're looking for.)
Negative values are dependent on the size of the integer - basically, takes the two's compliment of the value and convert it to hex.

The two's compliment is the opposite of the bit pattern, for example if we have the number 100 (0x64 in hex - 0x is the C standard notation for hex), this is, in binary:
Code: [Select]
0110 0100The two's compliment it with all bits flipped, so:
Code: [Select]
1001 1011Which is 0x9C, if it was an 8-bit integer size (i.e. a byte). If it's a 16 bit integer (not a word - that's something totally different), then we'd have:
Number:
Code: [Select]
0000 0000 0110 0100Two's compliment:
Code: [Select]
1111 1111 1001 1011Which is 0xff9c. Repeat ad nauseam for 32 bit or 64 bit integers.

Note, the advantage of hex is that each digit nicely maps to a nybble: 4 bits, representing a value from 0 - 15 (or 0 - 0xf), so you can mentally word out the hex to binary and vice versa without using a calculator.
Equal Signs and If statements Posted on: 08/07/2010 10:38am
Quote Post
One equal sign, two equal signs, three equal signs. And a little bit about if statements

One of the biggest 'what is this?' that I had when beginning to hack was when seeing this sign: ==, and this sign: ===.
To save you despair, here is their difference:

Think about what the equal sign means. When I say "an apple is green", I am using the = operator: apple=green.

But what if I want to ask "Is an apple green?" That's where the == and === signs come into play. Whilst their one letter brother is an assignment, they are comparison.
So you may now think "Cool, but why is it good?"

Think of the following piece of code: if (health=5)[..some code..]. You may be thinking, "If health is 5, then run the code." NO, that is incorrect. As said, the one equal sign is an assignment. So what your statement says is "health equals 5".
Now, if (and else if) statements act upon Boolean data type; True and False. So when an if statement encounters a "health is 5" statement, it says "Okay. Health is five. That sounds good", and executes the code, no matter if health is equal to 38 bagillion, because you now assigned health a new value, 5.

That's where you use the == and === signs. The correct if statement would be: if (health===5)[...some code...]. When the player gets to that point, the computer says "Let's see...is health equal to five? Yes? Cool, let's continue!" or, if it isn't five, "Nope, doesn't equal. Moving on." (more about abusing if...else statements shortly)

The difference between == and === is very minimal, and doesn't really matter unless you're building your own game. For hacking, you can use both for the same effect.

Abusing If...Else statements

Recently, I thought of a way to abuse the nature of if...else statements. As said, they act upon boolean data. Let's take the if statement I used (if (health===5)[...some code...]). I want the piece of code to always run. Think about it for a second. Got the answer yet? No? Why don't we change the statement into true?
Consider this statement: 1==1. That's true, isn't it? In AS3, it is amazingly easy to write such things. I won't go into that yet, as branching opcode tutorials having been written yet. But really, it isn't that hard. Just take a poke into some easy AS3 code, and it'll be very obvious.

Same thing goes if I don't want that code to ever run. I write a statement that will always be false. 1==2 is the simplest and easiest example to write.

That's it for this tutorial, even though it was more theory than action, hopefully it will harvest many more hacks. Maybe the next one will be upon branch-comparison statements?
Re: [Sticky] Intro to Bytecode Hacking Posted on: 08/08/2010 6:40am
Quote Post
If- opcodes. I'm not adding more details (yet) because I'm not too sure about them myself. I'm more of asking a question than making a tutorial >_> Any mistakes? (broken image removed)


ifnlt(0C) and ifge(18) - if not less than - also means if greater than or equal to, jump that number of bytes
iflt(15) and ifnge(0F) - if less than - also means if not greater than or equal to, jump that number of bytes

ifnle(0D) and ifgt(17) - if not less than or equal to - also means if greater than, jump that number of bytes
ifle(16) and ifngt(0E) - if not greater than - also means if less than or equal to, jump that number of bytes

jump(10) - doesn't check for anything, jumps specified number of bytes

iftrue(11) - if true, jumps specified number of bytes
iffalse(12) - if false, jumps specified number of bytes

ifeq(13) - if equal to, jumps specified number of bytes
ifne(14) - if not equal to, jumps specified number of bytes
Re: [Sticky] Intro to Bytecode Hacking Posted on: 05/02/2011 12:48pm
Quote Post
idk why, but this doesn't seem to be working for me
i thinki might be doing something wrong :/
Re: [Sticky] Intro to Bytecode Hacking Posted on: 05/02/2011 12:54pm
Quote Post
cum here
Quote from: "awsomeicy"
idk why, but this doesn't seem to be working for me
i thinki might be doing something wrong :/

Well you haven't explained what you did wrong, so we can't really help without knowing the problem.



Re: [Sticky] Intro to Bytecode Hacking Posted on: 05/10/2011 11:44am
Quote Post
to tell u the truth.. i dont even get whats going on :S
Re: [Sticky] Intro to Bytecode Hacking Posted on: 05/10/2011 2:33pm
Quote Post
Quote from: "awsomeicy"
to tell u the truth.. i dont even get whats going on :S
"Doctor, I'm sick!"
"What's wrong?"
"I dunno"
Re: [Sticky] Intro to Bytecode Hacking Posted on: 05/10/2011 10:24pm
Quote Post
Thanks a lot for this tutorial, I'm thinking about learning how to hack with AoB.
About the link concerning Ignored's tutorial/the FarmVille hack: the link doesn't work for me ("You are not authorised to read this forum." message). Is it because of a wrong URI, or because there are sections I'm not allowed to see? Thx!
Re: [Sticky] Intro to Bytecode Hacking Posted on: 05/11/2011 12:04pm
Quote Post
... i dont know where u guys are taking the exact amounts and changing to 20 a4 s2 :S
it really confuses me.. and the tut. want of any help at all
Re: [Sticky] Intro to Bytecode Hacking Posted on: 05/11/2011 12:47pm
Quote Post
Quote from: "awsomeicy"
... i dont know where u guys are taking the exact amounts and changing to 20 a4 s2 :S
it really confuses me.. and the tut. want of any help at all

I thought the tutorial was fine. I used it to teach myself the basics of bytecode hacking just last week.