mov x,y -- Equals sign, x = y
cmp x,y -- Compares x and y, useless unless you have one of the following after it.
- je x -- If x and y are equal, jump to x.
- jne x -- If x and y are not equal, jump to x
- jl x -- If x is smaller than y, jump to x
- jle x -- If x is smaller than or equal to y, go to x.
- jr x -- Same as jl, but larger than
- jre x -- same as jle but larger than or equal to.
- disclaimer: if you see one of these with a z in it, the evil warlords are trying to kill you, just pretend it's an e.
Which leads us to:
jmp x -- teleports the script to x.
call x -- calls the function at x
ret -- jumps back to where the function was called.
push x -- pushes x onto the stack (not sure what a stack is? Look here!)
pop x -- pops x from the stack
add x,y -- adds y to x, saves to x
sub x,y -- subtracts y from x, saves to x
shl x,y -- multiples x by 2^y, a lot faster than mul.
shr x,y -- divides x by 2^y, rounding down. similar to shl
... ; -- equivalent of //, ends the line, and anything after it don't count, useful for comments or writing the original code in case you screw stuff up.
places where you can store stuff while you use it. There are nine, but you can only use 3 of them
EAX - you can use this one
EBX - reserved for something or other
ECX - you can use this one
EDX - you can use this one
ESP - reserved, points to the top of the stack
EBP - reserved, points to the base of the stack
ESI - reserved for something or other
EDI - reserved for something or other
EIP - reserved, points to the next instruction to be run
if you ever see AX, BX, CX, etc, that just means its only using half of EAX, EBX, ECX. And AL, BL, CL is only using half of AX, BX, CX
yeh, you can do all kinds of stuff now, but adding one to eax and setting edx equal to it really isn't that exciting. All the jazz is at offsets, some are codes, ie 419CB0 has ML+ at it, but other offsets, like 0049E6CC (current health) are just values which are accessed by the code to do cool things.
so, pretend eax holds 49E6D0.
if you have a bit of code that says:
it will add two to eax (49E6D0), which is kinda useless since eax is now an offset to something random
However, if you have:
with the brackets around eax, it doesn't add two to 49E6D0, but rather whatever is at that offset, the max health.
For absolute beginners, I will suggest you download OllyDbg. (Others may have different preferences, especially if you plan on writing a lot of new code rather than modifications to existing code.)
Basics of how to use OllyDbg:
To disassemble cave story: use file>open just like any other program. If you have a slow computer this could take awhile.
To jump to an address: use Ctrl+G. Before you try finding any addresses on your own, go to a few addresses that are in any of the various hacking guides around the forums. If you do this, it will be much easier to find out what the code is for. Note that addresses in OllyDbg always start with a 4 and are 6 digits long. so if you are given a 4 digit address like 0x1234, you need to change it into 0x401234.
To change a command: double click on it, but be careful: if the command you write takes up more space than the command you are replacing, it will delete the next command. (If it is shorter, it will fill the extra space with NOPs)
To set a breakpoint: double click on the hex representation of the command (to the left of the command itself) then the address should turn red. Then you can press the play button to start the game, but it will halt as soon as it reaches the command you have marked as a breakpoint. This is useful to see if a bit of code gets executed when you expect it to, and you can see what is in the registers and stuff.
To make a comment: double click on the white space to the right of the command you want to comment.
And to save your awesome new hack: right click and choose Copy to Executable, then choose all modifications. A window with 4 options will appear, choose Copy All, and then the main window will minimize and a new window will appear, close the new window and you will be given the option to save.
So you have OllyDbg up and running, you open your executable, and you see thousands of lines of confusing commands. What now? Well, thats what this section is for. Here I will try to step through the hacking process as simply as possible as an example, so that you can see my thought process and do the same thing on your own. Here we will hack the polar star.
Start by going to the weapon hacking thread and looking for the assembly address of the polar star. I recently posted a complete list of the assembly offsets of all the weapons, so it shouldn't be too hard to find. If you spend some time looking through the polar star code, you will see that it is divided into a few sections. First, there is some setup code, which prepares the weapon and increases the weapon timer and plays sounds and stuff like that. We will ignore this section for now. Then you get into a section with the weapon behavior. You can tell when you enter this section because it almost always starts with a command similar to this one:
JMP DWORD PTR DS:[EAX*4+404AFA]
This is called a pointer table and if you look at offset 404AFA you will see 4 different jump instructions. The code above will go to one of those instructions depending on what is in EAX at the time. In this case, the direction you are currently facing will be in EAX.
The weapon behavior code is done when you see a large block of code that looks like this:
MOV DWORD PTR SS:[EBP-20],80 MOV DWORD PTR SS:[EBP-1C],20 MOV DWORD PTR SS:[EBP-18],90etc.
Those are the frame rects, and they determine where the graphic of the bullet is. After the frame rects you will see some more code that does other various things that we will ignore. So the part that we can do stuff with is the weapon behavior. If you look at the last 6 lines before the frame rects start, you will see this. I have commented what each line does so you can see how it works:
MOV EAX,[EBP+8] ; this line is created for a process called pipelining that make the code run faster. Also because of this, [EAX+14], [ECX+14], and [EDX+14] will always be the same thing, as long as [EBP+8] is in EAX, ECX, or EDX. Any line that puts [EBP+8] in a register is doing this, and you can condense these to gain space if you need to (this is more advanced) MOV ECX,[EAX+14] ; this line takes the number that is in [EAX+14] and puts it in ECX so that we can do stuff with it. In a higher level language, [EAX+14] would be called a variable. MOV EDX,[EBP+8] ; pipelining ADD ECX,[EDX+1C] ; this line adds whatever is in [EDX+1C] to ECX (which currently contains [EAX+14] from before) MOV EAX,[EBP+8] ; pipelining MOV [EAX+14],ECX ; this takes whatever is in ECX and moves it back to [EAX+14]
So the overall result of the above code is to add [EDX+1C] to [EAX+14]. Lets try changing that to see exactly what [EDX+1C] and [EAX+14] are. Try changing the line ADD ECX,[EDX+1C] to ADD ECX,200 and play cave story and shoot the polar star to see what happens. You should find that when you shoot it, it will fall (independent of whether or not it is moving horizontally) This tells us that [EAX+14] is the current y-position of the bullet! And since [EAX+1C] is added to it every frame, then it must be the vertical velocity of the bullet! Now you can look through the code to find any instruction that changes the value of [EAX+1C]. You should see two: one saying: MOV DWORD PTR DS:[ECX+1C],1000 and one saying MOV DWORD PTR DS:[EDX+1C],-1000
In other words, it sets the vertical velocity to 1000 or -1000 respectively. Try changing those values, and you will see that it changes the speed of the bullet when you shoot up or down. But how do we change the speed for left and right? If you look in the general vicinity of the code that sets the vertical speed, you will see these lines: MOV DWORD PTR DS:[ECX+18],-1000 and MOV DWORD PTR DS:[EAX+18],1000 could this be setting the horizontal speed? Try changing it, and you will see that it does! That means [E_X+18] is the horizontal speed! Now if you set all 4 of those values to be that same thing, you have changed the speed of the polar star! Hooray!
Now you try: here is a simple bit of code taken from the bubbler LV1, see if you can figure out what it does. (since its a weapon, all the offsets will be the same as the polar star ones, so since [E_X+18] is the horizontal speed in the polar star, it will be in the bubbler LV1, and every weapon in the game) this is at 0x40600B fyi. For your first few times hacking, I recommend commenting every single line in the space you want to know about, but don't worry, it comes quickly and won't be long before you can recognize complex code at a glance.
Edited by dooey100, 20 May 2009 - 01:09 AM.
Added example hack