HACKING FAQ TO THE RESCUE

[spoiler= how to use:vmpbex3p][id=AoB:vmpbex3p]Array of Byte hacking[/id:vmpbex3p]

1) Find the AOB hack.  Chances are, if you're here, you'll find it here.  For an example, we'll use the following AOB hack from "Platform Racing 2" (credits to blahblahman)

Speedburst lasts for a long long time
86 19 25 88 27 10 -> 86 19 2d 04 02 10

2) Load up the game.  DO NOT proceed past the initial screen/loader.  Most games require that the game be freshly loaded into memory to apply the AOB hack - some even require you to apply the hack during the loader itself, which can get tricky as you try to do things quickly enough.  CE's speedhack works well to help with that.

3) Start a search using "Array of Bytes" type of variable in CE.  You want to search for the first value listed (in this case, 86 19 25 88 27 10).  AOBs are usually of sufficient length and complexity that you will only get one result, unless the operation occurs multiple times in the code.  So you should only have to search once.  Select your result (or all of them, if multiples come up) and add them to your CE variable list.

4) Change the value of your result(s) to the indicated value - in this case, 86 19 2d 04 02 10.  You'll note that the arrays are nearly identical, the only difference being that 25 88 27 of the code changed to 2d 04 02.  Be sure that you get all the changes, sometimes more than one value changes.

5) You're done, go ahead and play the game.

One of the disadvantages of AOB hacks is that often, an update to the game will change the code enough that the AOB hack no longer works.  If you're sure you've done everything properly - ESPECIALLY the part about searching for the AOB right after the game loads - then that may be the case.  There is no easy way to make an incorrect AOB work, you'll either have to wait for someone to come out with an updated one, or learn how to do it yourself.  :)

[spoiler=how to find:vmpbex3p]

http://www.youtube.com/watch?v=jrhKRcC1Mb0&fmt=18

You will need:
Flasm: http://flasm.sourceforge.net/
sothink: http://isohunt.com/download/69837813/sothink.torrent
notepad++: http://notepad-plus.sourceforge.net/uk/site.htm

Like I said follow ROUGHLY what I do, there are differences between games.

http://www.youtube.com/watch?v=r9HpcnkqF1E

Wildcards.

No Operation (NOP) = 0x02,
ActionCall = 0x9E,
ActionDefineLocal = 0x3C,
ActionDefineLocal2 = 0x41,
ActionSetMember = 0x4F,
ActionAdd = 0x0A,
ActionAdd2 = 0x47,
ActionAnd = 0x10,
ActionAsciiToChar = 0x33,
ActionBitAnd = 0x60,
ActionBitLShift = 0x63,
ActionBitOR = 0x61,
ActionBitRShift = 0x64,
ActionBitURShift = 0x65,
ActionBitXor = 0x62,
ActionCharToAscii = 0x32,
ActionCloneSprite = 0x24,
ActionConstantPool = 0x88,
ActionDecrement = 0x51,
ActionDelete = 0x3A,
ActionDelete2 = 0x3B,
ActionDivide = 0x0D,
ActionEndDrag = 0x28,
ActionEnumerate = 0x46,
ActionEnumerate2 = 0x55,
ActionEquals = 0x0E,
ActionEquals2 = 0x49,
ActionGetMember = 0x4E,
ActionGetProperty = 0x22,
ActionGetTime = 0x34,
ActionGetVariable = 0x1C,
ActionGotoFrame = 0x81,
ActionGotoFrame2 = 0x9F,
ActionGoToLabel = 0x8C,
ActionGreater = 0x67,
ActionIncrement = 0x50,
ActionInitArray = 0x42,
ActionInitObject = 0x43,
ActionInstanceOf = 0x54,
ActionLess = 0x0F,
ActionLess2 = 0x48,
ActionMBAsciiToChar = 0x37,
ActionMBCharToAscii = 0x36,
ActionMBStringExtract = 0x35,
ActionMBStringLength = 0x31,
ActionModulo = 0x3F,
ActionMultiply = 0x0C,
ActionNextFrame = 0x04,
ActionNone = 0x0,
ActionNot = 0x12,
ActionOr = 0x11,
ActionPlay = 0x06,
ActionPop = 0x17,
ActionPreviousFrame = 0x05,
ActionPush = 0x96,
ActionPushDuplicate = 0x4C,
ActionRandomNumber = 0x30,
ActionRemoveSprite = 0x25,
ActionReturn = 0x3E,
ActionSetProperty = 0x23,
ActionSetTarget = 0x8B,
ActionSetTarget2 = 0x20,
ActionSetVariable = 0x1D,
ActionStackSwap = 0x4D,
ActionStartDrag = 0x27,
ActionStop = 0x07,
ActionStopSounds = 0x09,
ActionStoreRegister = 0x87,
ActionStrictEquals = 0x66,
ActionStringAdd = 0x21,
ActionStringEquals = 0x13,
ActionStringExtract = 0x15,
ActionStringGreater = 0x68,
ActionStringLength = 0x14,
ActionStringLess =  0x29,
ActionSubtract = 0x0B,
ActionTargetPath = 0x45,
ActionToggleQuality = 0x08,
ActionToInteger = 0x18,
ActionToNumber = 0x4A,
ActionToString = 0x4B,
ActionTrace = 0x26,
ActionTypeOf = 0x44,
ActionWaitForFrame = 0x8A,
ActionWaitForFrame2 = x8D,
ActionWith = 0x94,
ActionCallFunction = 0x3D,
ActionCallMethod = 0x52,
ActionNewMethod = 0x53,
ActionNewObject = 0x40,
ActionDefineFunction = 0x9B,
ActionDefineFunction2 = x8E,
ActionIf = 0x9D,
ActionJump = 0x99,

      final int OP_bkpt = 0x01;
      final int OP_nop = 0x02;
      final int OP_throw = 0x03;
      final int OP_getsuper = 0x04;
      final int OP_setsuper = 0x05;
      final int OP_dxns = 0x06;
      final int OP_dxnslate = 0x07;
      final int OP_kill = 0x08;
      final int OP_label = 0x09;
      final int OP_ifnlt = 0x0C;
      final int OP_ifnle = 0x0D;
      final int OP_ifngt = 0x0E;
      final int OP_ifnge = 0x0F;
      final int OP_jump = 0x10;
      final int OP_iftrue = 0x11;
      final int OP_iffalse = 0x12;
      final int OP_ifeq = 0x13;
      final int OP_ifne = 0x14;
      final int OP_iflt = 0x15;
      final int OP_ifle = 0x16;
      final int OP_ifgt = 0x17;
      final int OP_ifge = 0x18;
      final int OP_ifstricteq = 0x19;
      final int OP_ifstrictne = 0x1A;
      final int OP_lookupswitch = 0x1B;
      final int OP_pushwith = 0x1C;
      final int OP_popscope = 0x1D;
      final int OP_nextname = 0x1E;
      final int OP_hasnext = 0x1F;
      final int OP_pushnull = 0x20;
      final int OP_pushundefined = 0x21;
      final int OP_pushintant = 0x22;
      final int OP_nextvalue = 0x23;
      final int OP_pushbyte = 0x24;
      final int OP_pushshort = 0x25;
      final int OP_pushtrue = 0x26;
      final int OP_pushfalse = 0x27;
      final int OP_pushnan = 0x28;
      final int OP_pop = 0x29;
      final int OP_dup = 0x2A;
      final int OP_swap = 0x2B;
      final int OP_pushstring = 0x2C;
      final int OP_pushint = 0x2D;
      final int OP_pushuint = 0x2E;
      final int OP_pushdouble = 0x2F;
      final int OP_pushscope = 0x30;
      final int OP_pushnamespace = 0x31;
      final int OP_hasnext2 = 0x32;
      final int OP_newfunction = 0x40;
      final int OP_call = 0x41;
      final int OP_construct = 0x42;
      final int OP_callmethod = 0x43;
      final int OP_callstatic = 0x44;
      final int OP_callsuper = 0x45;
      final int OP_callproperty = 0x46;
      final int OP_returnvoid = 0x47;
      final int OP_returnvalue = 0x48;
      final int OP_constructsuper = 0x49;
      final int OP_constructprop = 0x4A;
      final int OP_callsuperid = 0x4B;
      final int OP_callproplex = 0x4C;
      final int OP_callinterface = 0x4D;
      final int OP_callsupervoid = 0x4E;
      final int OP_callpropvoid = 0x4F;
      final int OP_newobject = 0x55;
      final int OP_newarray = 0x56;
      final int OP_newactivation = 0x57;
      final int OP_newclass = 0x58;
      final int OP_getdescendants = 0x59;
      final int OP_newcatch = 0x5A;
      final int OP_findpropstrict = 0x5D;
      final int OP_findproperty = 0x5E;
      final int OP_finddef = 0x5F;
      final int OP_getlex = 0x60;
      final int OP_setproperty = 0x61;
      final int OP_getlocal = 0x62;
      final int OP_setlocal = 0x63;
      final int OP_getglobalscope = 0x64;
      final int OP_getscopeobject = 0x65;
      final int OP_getproperty = 0x66;
      final int OP_getpropertylate = 0x67;
      final int OP_initproperty = 0x68;
      final int OP_setpropertylate = 0x69;
      final int OP_deleteproperty = 0x6A;
      final int OP_deletepropertylate = 0x6B;
      final int OP_getslot = 0x6C;
      final int OP_setslot = 0x6D;
      final int OP_getglobalslot = 0x6E;
      final int OP_setglobalslot = 0x6F;
      final int OP_convert_s = 0x70;
      final int OP_esc_xelem = 0x71;
      final int OP_esc_xattr = 0x72;
      final int OP_convert_i = 0x73;
      final int OP_convert_u = 0x74;
      final int OP_convert_d = 0x75;
      final int OP_convert_b = 0x76;
      final int OP_convert_o = 0x77;
      final int OP_coerce = 0x80;
      final int OP_coerce_b = 0x81;
      final int OP_coerce_a = 0x82;
      final int OP_coerce_i = 0x83;
      final int OP_coerce_d = 0x84;
      final int OP_coerce_s = 0x85;
      final int OP_astype = 0x86;
      final int OP_astypelate = 0x87;
      final int OP_coerce_u = 0x88;
      final int OP_coerce_o = 0x89;
      final int OP_negate = 0x90;
      final int OP_increment = 0x91;
      final int OP_inclocal = 0x92;
      final int OP_decrement = 0x93;
      final int OP_declocal = 0x94;
      final int OP_typeof = 0x95;
      final int OP_not = 0x96;
      final int OP_bitnot = 0x97;
      final int OP_concat = 0x9A;
      final int OP_add_d = 0x9B;
      final int OP_add = 0xA0;
      final int OP_subtract = 0xA1;
      final int OP_multiply = 0xA2;
      final int OP_divide = 0xA3;
      final int OP_modulo = 0xA4;
      final int OP_lshift = 0xA5;
      final int OP_rshift = 0xA6;
      final int OP_urshift = 0xA7;
      final int OP_bitand = 0xA8;
      final int OP_bitor = 0xA9;
      final int OP_bitxor = 0xAA;
      final int OP_equals = 0xAB;
      final int OP_strictequals = 0xAC;
      final int OP_lessthan = 0xAD;
      final int OP_lessequals = 0xAE;
      final int OP_greaterthan = 0xAF;
      final int OP_greaterequals = 0xB0;
      final int OP_instanceof = 0xB1;
      final int OP_istype = 0xB2;
      final int OP_istypelate = 0xB3;
      final int OP_in = 0xB4;
      final int OP_increment_i = 0xC0;
      final int OP_decrement_i = 0xC1;
      final int OP_inclocal_i = 0xC2;
      final int OP_declocal_i = 0xC3;
      final int OP_negate_i = 0xC4;
      final int OP_add_i = 0xC5;
      final int OP_subtract_i = 0xC6;
      final int OP_multiply_i = 0xC7;
      final int OP_getlocal0 = 0xD0;
      final int OP_getlocal1 = 0xD1;
      final int OP_getlocal2 = 0xD2;
      final int OP_getlocal3 = 0xD3;
      final int OP_setlocal0 = 0xD4;
      final int OP_setlocal1 = 0xD5;
      final int OP_setlocal2 = 0xD6;
      final int OP_setlocal3 = 0xD7;
      final int OP_debug = 0xEF;
      final int OP_debugline = 0xF0;
      final int OP_debugfile = 0xF1;
      final int OP_bkptline = 0xF2;

I started to bytecode hack with CE myself I picked it pretty quickly it's very fun to create these kind of hacks its like editing assembly in native programs to create hacks like I used to in MMORPGS but one problem with editing bytecode in SWF.. my question is how do I NOP.. data in order to keep the size limit the same.


Okay so here is some original data for a example game I want to hack

//96 10 00 00 73 63 6f 72 65 00 06 00 00 00 00 00 00 00 00
_push "score" 0
//1d
_setVariable
//96 0b 00 00 61 6d 6d 6f 00 07 05 00 00 00
_push "ammo" 5
//1d
_setVariable


which means

score = 0;
ammo = 5;

of course this is the initializer for start of game.. so if I initialize a higher ammo or score.. I'll hack the game

now the values are 4 bytes aka DWORD but it's saved in reverse order small endian or idk..

but i know in C++ programming its easy to replicate using Lo/Hi's


So changing ammo is easy I just modify these
05 00 00 00
now what about score? when I try to edit score.. it changes assembly completely.

//96 0c 00 00 73 63 6f 72 65 00 07 [a3 07 64 00]
_push "score" 6555555
//1d
_setVariable
//96 0b 00 00 61 6d 6d 6f 00 07 05 00 00 00
_push "ammo" 5
//1d
_setVariable

I just changed it to

score = 6555555;
ammo = 5;

of course I still managed to change the score.. but I changed the algorithm that generates the score like changing addition to multiplication making my score increase much more rapidly(easy bytecode hacks).

But I want to modify the score to anything I want but you see the assembly is different.. so what must I do?

so i'm changing
This ->
96 10 00 00 73 63 6f 72 65 00 06 00 00 00 00 00 00 00 00
To This ->
96 0c 00 00 73 63 6f 72 65 00 07 a3 07 64 00 1d

I have to nop 5 bytes in order for flash not to mess up the data by considering the extra 00 00 00 00 as another opcode.. and screwing up the flow.

[spoiler=another guide on how to find aobs:vmpbex3p]The purpose of this guide  is to introduce you to the art of bytecode hacking, also known as looking for array of bytes (AoBs). Now, if you are already a proficient bytecode hacker, these guides will probably do very little to help you, as most of my knowledge comes from this forum.

Step 1: Download the .swf file
In Firefox, the most common way is through AdBlock Plus, in which you simply look for the .swf file that has loaded on the page. More details here.
In Google Chrome, one can use a slightly different method as outlined here.

Kongregate:
This will work for most kongregate games, and it is usually in the form of
http://chat.kongregate.com/gamez/####/####/live/GAME_NAME.swf?kongregate_game_version=###########. For example, for Robot Wants Kitty, the file is http://chat.kongregate.com/gamez/0007/3913/live/robotkitty_kong.swf?kongregate_game_version=1268274573Newgrounds:
This will work for most Newgrounds games, and is usually in the form of http://uploads.ungrounded.net/#####/#####_GAME_NAME.swf For example, the game Hippolyta is at http://uploads.ungrounded.net/530000/530069_Amazon.swf
Note: Sometimes, due to encryption or something, you will not be able to find the correct file, or perhaps the file is unreadable. This can often be circumvented using Mr.White's great tool called swfmdump, which dumps the file from the computer memory.

Step 2: Decompile the .swf file
The tool that is used by the members on this forum (and is highly recommended) is called SoThink. You can easily get a torrent for SoThink and its key (use from 5.5).

Now, open the .swf file with the installed decompiler. With SoThink, you can right-click on the file and click on SoThink, or alternatively, you can open the file through Sothink itself.
Navigating SoThink shouldn't be too difficult. After you open it, hopefully it should look something like this:
(broken image removed)
Expand on the right side (circled in red) and you should see the different components. Usually, all the code is under "Action" so let's see what's there. Let's look with the section that says "Game."

(broken image removed)
If you look on the top (circled in red), there's 3 different types of views for the same piece of code. Source Code is the human-readable code, or what it looks like before decompiling. P-Code is the computer instructions associated with this code.

(broken image removed)
Raw data is all the bytes that are fed to the computer. These bytes are stored in the computer's memory, and it is these bytes that we want to change.

Step 3: Changing the bytecode
This is the most difficult part to become proficient at, and knowing what to change and what to change the bytes to requires a lot of skill; it is what makes the greatest hackers on this forum so great. Any experience in coding really helps, but is not necessary at all.

Now, with AS2 (used in Flash 8 or before), you can use a tool called Flasm. Details are given in this video. However, most games these days are coded with AS3 (Flash 9 or later), so Flasm is useless.

Let's first see the basics of how bytecode works.

Take the game Creeper World Training Sim.
After decompiling and searching through it, I find a function called calculateDamage.
(broken image removed)
You can see at the top it defines several variables (that don't really matter to us), and then it goes right into calculating the damage and executing commands based on the damage.
The bytecode that corresponds to this code is here:
       private function calculateDamage() : Boolean
        {
//d0
_as3_getlocal <0>
//30
_as3_pushscope
//28
_as3_pushnan
//d5
_as3_setlocal <1>
//24 00
_as3_pushbyte 0
//63 04
_as3_setlocal <4>
//27
_as3_pushfalse
//d6
_as3_setlocal <2>
//24 ff
_as3_pushbyte -1
//d7
_as3_setlocal <3>
//10 6c 00 00
_as3_jump offset: 108
//09
_as3_label
//24 ff
_as3_pushbyte -1
//63 04
_as3_setlocal <4>
//10 59 00 00
_as3_jump offset: 89
//09
_as3_label
//60 1b
_as3_getlex com.wbwar.creeper::GameSpace
//66 f9 0d
_as3_getproperty instance
//66 b6 01
_as3_getproperty glop
//66 99 06
_as3_getproperty data
//60 8a 03
_as3_getlex gameSpaceX
//62 04
_as3_getlocal <4>
//a0
_as3_add
//60 8b 03
_as3_getlex gameSpaceY
//d3
_as3_getlocal <3>
//a0
_as3_add
//60 1b
_as3_getlex com.wbwar.creeper::GameSpace
//66 97 09
_as3_getproperty WIDTH
//a2
_as3_multiply
//a0
_as3_add
//66 e5 12
_as3_getproperty {}
//75
_as3_convert_d
//d5
_as3_setlocal <1>
//d1
_as3_getlocal <1>
//60 b7 01
_as3_getlex com.wbwar.creeper::Glop
//66 c4 0f
_as3_getproperty MIN_HEAT
//0f 29 00 00
_as3_ifnge offset: 41
//26
_as3_pushtrue
//d6
_as3_setlocal <2>
//5e f9 02
_as3_findproperty health
//60 f9 02
_as3_getlex health
//60 bf 03
_as3_getlex com.wbwar.creeper:Weapon::damageAmt
//a1
_as3_subtract
//68 f9 02
_as3_initproperty health
//60 f9 02
_as3_getlex health
//24 00
_as3_pushbyte 0
//0c 11 00 00
_as3_ifnlt offset: 17
//5e f9 02
_as3_findproperty health
//24 00
_as3_pushbyte 0
//68 f9 02
_as3_initproperty health
//5d a4 03
_as3_findpropstrict destroy
//4f a4 03 00
_as3_callpropvoid destroy(param count:0)
//26
_as3_pushtrue
//48
_as3_returnvalue
//c2 04
_as3_inclocal_i <4>
//62 04
_as3_getlocal <4>
//24 01
_as3_pushbyte 1
//16 9f ff ff
_as3_ifle offset: -97
//c2 03
_as3_inclocal_i <3>
//d3
_as3_getlocal <3>
//24 01
_as3_pushbyte 1
//16 8d ff ff
_as3_ifle offset: -115
//d2
_as3_getlocal <2>
//96
_as3_not
//2a
_as3_dup
//12 05 00 00
_as3_iffalse offset: 5
//29
_as3_pop
//60 8d 03
_as3_getlex building
//96
_as3_not
//12 1f 00 00
_as3_iffalse offset: 31
//5e f9 02
_as3_findproperty health
//60 f9 02
_as3_getlex health
//2f 15
_as3_pushdouble 0.01
//a0
_as3_add
//68 f9 02
_as3_initproperty health
//60 f9 02
_as3_getlex health
//60 99 03
_as3_getlex maxHealth
//0e 09 00 00
_as3_ifngt offset: 9
//5e f9 02
_as3_findproperty health
//60 99 03
_as3_getlex maxHealth
//68 f9 02
_as3_initproperty health
//d2
_as3_getlocal <2>
//48
_as3_returnvalue
        }// end function
Now we must decide which bytes corresponds to which code.

For now, we'll use key words such as "Destroy" or "health". So,
                           health = 0;
                            destroy();
                            return true;
                        }corresponds to something like this:
//5e f9 02
_as3_findproperty health
//24 00
_as3_pushbyte 0
//68 f9 02
_as3_initproperty health
//5d a4 03
_as3_findpropstrict destroy
//4f a4 03 00
_as3_callpropvoid destroy(param count:0)
//26
_as3_pushtrue
//48
_as3_returnvalue
Note that in structuring bytes, it first lists the variable such as health, and then it pushes the byte 0 to assign 0 to health. In later tutorials, I will go into more detail on pushing numbers and such.
Anyways, this piece of code corresponds to a structure that the player builds. Obviously, we don't want our own structures destroyed, so we'll NOP out the call to the function "destroy."
So, copy+paste the 2 lines of code that correspond to this line:
                           destroy();
which would be
//5d a4 03
_as3_findpropstrict destroy
//4f a4 03 00
_as3_callpropvoid destroy(param count:0)
The AoB we search for would be
5d a4 03 4f a4 03 00
and to NOP it out, we replace it with 02:
02 02 02 02 02 02 02

And there you have it! We have now found an AoB for invincible units!

Step 4: Using the bytecode hack
If you don't know how to use the Aob, look at the Hacking FAQ or the Guide to the Basics

Also, now you can give back to this community and post your newly-found AoB on the forums!

I help all the people I can.