[spoiler=Example level up AoB:1br1fszb]So I want something to instantly level up. A quick search all for level_up gives me this.

Action > com > arc > glissaria > _-72 for those without search all. I rely on it far too much nowadays >.> You really can't beat manually looking through each individual actionscript. Much more informative.

Code: [Select]

_-BA.play("level_up");So It's going to play a animation for level up. That means this must be the function to level up. Looking up a little we see the functions name listed as:

Code: [Select]

public function _-E3(param1:int = 1) : BooleanWell I would have never guessed that it codes for level up. But now we know.

So back to that piece of code. Looking a line above it we see:

Code: [Select]

while (this._-D9 >= this._-8l)So when something (_-D9) is greater than or equal to something else (_-8l) it plays the level up animation. Well as you need experience to level then the only logical conclusion is that if current experience (_-D9) is greater than experience needed to level (_-8l) then level up.
So we could change this so that it's always true but then it would get stuck in an infinite loop. That is potentially gamebreaking so avoid it at all costs. Therefore we need to think of something else.
Looking up another line we see:

Code: [Select]

this._-D9 = this._-D9 + param1;Ok then. We just figured out _-D9 is current experience so this section of code is saying that our new value for current experience is equal to our old value + a number (param1). Therefore logic tells us that this must be the bit where it adds whatever experience we just got on to our current value.
Now this we can change.
So two options here we can either change it so that param1 is a reeaaally big number. Slight issue is it will give us a huge number of levels. Not good for the highscores really. The second option is to think back and remember the while command. We could set it so that the current experience (_-D9) is equal to the experience needed to level up (_-8l). That way we would only level up once each time the code is run and there wouldn't be any infinite loops or huge level increases.

So having decided on a method we need to start looking at the byte code. Firstly we need to find out the byte code for _-8l and _-D9 are. So lets find the bytecode for the while command which has both. (2 birds one stone).
PROTIP:While commands are normally run at the end of the function before jumping back to run a loop.

So looking in raw data mode we see this:

Code: [Select]

//d0
_as3_getlocal <0>
//66 b6 01
_as3_getproperty _-D9
//d0
_as3_getlocal <0>
//66 c8 0c
_as3_getproperty _-8l
//18 c1 fe ff
_as3_ifge offset: -319
//d2
_as3_getlocal <2>
//48
_as3_returnvalue

Code: [Select]

d0 66 b6 01 d0 66 c8 0c 18 c1 fe ff d2 48 HOWEVER we have decrypted the swf so the bytecode has changed. Because of this we need to use wildcards to find out the true bytecode.
PROTIP2: The base opcodes at the start of each line will ALWAYS stay the same.

So due to changes in the bytecode we want to search for this in Cheat engine first

Code: [Select]

d0 66 ?? ?? d0 66 ?? ?? 18 ?? ?? ?? d2 48 Which returns this:

Code: [Select]

d0 66 fc 01 d0 66 8c 02 18 c6 fe ff d2 48So referring to Sothink we can deduce the following

66 fc 01 codes for getproperty _-D9
66 8c 02 codes for getproperty _-8l

So now we have the stuff we need lets get to changing stuff. First up find the part we want to change:

Code: [Select]

//d0
_as3_getlocal <0>
//66 b6 01
_as3_getproperty _-D9
//d1
_as3_getlocal <1>
//a0
_as3_add
//68 b6 01
_as3_initproperty _-D9

Code: [Select]

d0 66 b6 01 d1 a0 68 b6 01Again note that due to it being a decrypted swf the bytecode has changed. So lets replace the _-D9's with the true bytecode that we just figured out. (change b6 01 to fc 01)

Therefore this actually gives us:

Code: [Select]

//d0
_as3_getlocal <0>
//66 fc 01
_as3_getproperty _-D9
//d1
_as3_getlocal <1>
//a0
_as3_add
//68 fc 01
_as3_initproperty _-D9

Code: [Select]

d0 66 fc 01 d1 a0 68 fc 01OK then. Lets split this up into parts first so we know what to change. It gets the value of _-D9 (66 fc 01), gets the value of param1 (d1), adds them together (a0) and then sets this as the new value for _-D9 (68 fc 01)
So we don't want it to do the first 3 parts and just want it to get the value of _-8l (66 8c 02) and set this as the value for _-D9 (68 fc 01).
So we would search for and change to the following:

Code: [Select]

d0 66 fc 01 d1 a0 68 fc 01
d0 66 8c 02 68 fc 01ZOMG!!!1!1! IT'S TWO TOO SHORT. NOP to the rescue. The Nop opcode (02) is mainly used to either make two AoB's the same length or remove sections of code. Nop does nothing hence why it is used. So we would add in two nop opcode's somewhere and our AoB would be like this:

Code: [Select]

d0 66 fc 01 d1 a0 68 fc 01
d0 66 8c 02 02 02 68 fc 01I chose to add the nop opcodes in after the getproperty _-8l. Location doesn't really matter as long as it's not placed within one of the bytecode command strings. i.e it couldn't be placed inbetween the 68 & fc or fc & 01 as it would kill the intproperty command.

So there we have our finished AoB. Woo?

Obviously methods will vary but that was just my thought process as I went through making that particular AoB.

I could complicate it even more by saying there's hidden jump commands throughout the bytecode to stop certain bytecode searching but thats why I specifically chose to explain a portion of the code without them

Proofread several times but you can guaratee I've still screwed up somewhere.