Old topic!
Guest, the last post in this thread is over 60 days old. Posting in this thread will be considered a bump, so please make an attempt to be courteous if you go ahead with it.

If the last post is over 6 months old, it may instead be a better idea to start a new topic. If you aren't sure about what to do, feel free to ask a staff member for help, or try to locate a 'general questions'-type thread if it exists in this (sub-)forum.

109 replies to this topic

### #1 22 March 2009 - 03:35 AM

Offline
Been here way too long...
 "Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: 22 Jun 2008
Location:
Posts: 254

It seems like we have a lot of threads recently from first-time assemblers, so if you have any basic questions about how to disassemble, what commands do what, etc. you can ask them here (for a basic overview, read the Wikibooks assembly guide, especially the Instruction set. it doesn't go in to too much depth, but 90% of the code is jumps, MOV's, arithmetic, and CMP's anyway). For more depth, read this textbook, hosted by University of Illinois. Lace has also written this guide to all the commands you need to know to begin hacking (with a couple minor edits by me):

COMMANDS:
mov x,y -- Equals sign, x = y

cmp x,y -- Compares x and y, useless unless you have one of the following after it.
- je x -- If x and y are equal, jump to x.
- jne x -- If x and y are not equal, jump to x
- jl x -- If x is smaller than y, jump to x
- jle x -- If x is smaller than or equal to y, go to x.
- jr x -- Same as jl, but larger than
- jre x -- same as jle but larger than or equal to.
- disclaimer: if you see one of these with a z in it, the evil warlords are trying to kill you, just pretend it's an e.

jmp x -- teleports the script to x.
call x -- calls the function at x
ret -- jumps back to where the function was called.

push x -- pushes x onto the stack (not sure what a stack is? Look here!)
pop x -- pops x from the stack

sub x,y -- subtracts y from x, saves to x
shl x,y -- multiples x by 2^y, a lot faster than mul.
shr x,y -- divides x by 2^y, rounding down. similar to shl

... ; -- equivalent of //, ends the line, and anything after it don't count, useful for comments or writing the original code in case you screw stuff up.

REGISTERS:
places where you can store stuff while you use it. There are nine, but you can only use 3 of them
EAX - you can use this one
EBX - reserved for something or other
ECX - you can use this one
EDX - you can use this one
ESP - reserved, points to the top of the stack
EBP - reserved, points to the base of the stack
ESI - reserved for something or other
EDI - reserved for something or other
EIP - reserved, points to the next instruction to be run

if you ever see AX, BX, CX, etc, that just means its only using half of EAX, EBX, ECX. And AL, BL, CL is only using half of AX, BX, CX

OFFSETS:
yeh, you can do all kinds of stuff now, but adding one to eax and setting edx equal to it really isn't that exciting. All the jazz is at offsets, some are codes, ie 419CB0 has ML+ at it, but other offsets, like 0049E6CC (current health) are just values which are accessed by the code to do cool things.

BRACKETS/POINTERS:
so, pretend eax holds 49E6D0.
if you have a bit of code that says:

mov eax,49E6D0

it will add two to eax (49E6D0), which is kinda useless since eax is now an offset to something random
However, if you have:

with the brackets around eax, it doesn't add two to 49E6D0, but rather whatever is at that offset, the max health.

For absolute beginners, I will suggest you download OllyDbg. (Others may have different preferences, especially if you plan on writing a lot of new code rather than modifications to existing code.)

Basics of how to use OllyDbg:
To disassemble cave story: use file>open just like any other program. If you have a slow computer this could take awhile.

To jump to an address: use Ctrl+G. Before you try finding any addresses on your own, go to a few addresses that are in any of the various hacking guides around the forums. If you do this, it will be much easier to find out what the code is for. Note that addresses in OllyDbg always start with a 4 and are 6 digits long. so if you are given a 4 digit address like 0x1234, you need to change it into 0x401234.

To change a command: double click on it, but be careful: if the command you write takes up more space than the command you are replacing, it will delete the next command. (If it is shorter, it will fill the extra space with NOPs)

To set a breakpoint: double click on the hex representation of the command (to the left of the command itself) then the address should turn red. Then you can press the play button to start the game, but it will halt as soon as it reaches the command you have marked as a breakpoint. This is useful to see if a bit of code gets executed when you expect it to, and you can see what is in the registers and stuff.

To make a comment: double click on the white space to the right of the command you want to comment.

And to save your awesome new hack: right click and choose Copy to Executable, then choose all modifications. A window with 4 options will appear, choose Copy All, and then the main window will minimize and a new window will appear, close the new window and you will be given the option to save.

Example hack:
So you have OllyDbg up and running, you open your executable, and you see thousands of lines of confusing commands. What now? Well, thats what this section is for. Here I will try to step through the hacking process as simply as possible as an example, so that you can see my thought process and do the same thing on your own. Here we will hack the polar star.

Start by going to the weapon hacking thread and looking for the assembly address of the polar star. I recently posted a complete list of the assembly offsets of all the weapons, so it shouldn't be too hard to find. If you spend some time looking through the polar star code, you will see that it is divided into a few sections. First, there is some setup code, which prepares the weapon and increases the weapon timer and plays sounds and stuff like that. We will ignore this section for now. Then you get into a section with the weapon behavior. You can tell when you enter this section because it almost always starts with a command similar to this one:

`JMP DWORD PTR DS:[EAX*4+404AFA]`

This is called a pointer table and if you look at offset 404AFA you will see 4 different jump instructions. The code above will go to one of those instructions depending on what is in EAX at the time. In this case, the direction you are currently facing will be in EAX.

The weapon behavior code is done when you see a large block of code that looks like this:

```MOV DWORD PTR SS:[EBP-20],80
MOV DWORD PTR SS:[EBP-1C],20
MOV DWORD PTR SS:[EBP-18],90```
etc.

Those are the frame rects, and they determine where the graphic of the bullet is. After the frame rects you will see some more code that does other various things that we will ignore. So the part that we can do stuff with is the weapon behavior. If you look at the last 6 lines before the frame rects start, you will see this. I have commented what each line does so you can see how it works:

```MOV EAX,[EBP+8]     ; this line is created for a process called pipelining that make the code run faster. Also because of this, [EAX+14], [ECX+14], and [EDX+14] will always be the same thing, as long as [EBP+8] is in EAX, ECX, or EDX. Any line that puts [EBP+8] in a register is doing this, and you can condense these to gain space if you need to (this is more advanced)
MOV ECX,[EAX+14]     ; this line takes the number that is in [EAX+14] and puts it in ECX so that we can do stuff with it. In a higher level language, [EAX+14] would be called a variable.
MOV EDX,[EBP+8]     ; pipelining
ADD ECX,[EDX+1C]     ; this line adds whatever is in [EDX+1C] to ECX (which currently contains [EAX+14] from before)
MOV EAX,[EBP+8]     ; pipelining
MOV [EAX+14],ECX     ; this takes whatever is in ECX and moves it back to [EAX+14]```

So the overall result of the above code is to add [EDX+1C] to [EAX+14]. Lets try changing that to see exactly what [EDX+1C] and [EAX+14] are. Try changing the line ADD ECX,[EDX+1C] to ADD ECX,200 and play cave story and shoot the polar star to see what happens. You should find that when you shoot it, it will fall (independent of whether or not it is moving horizontally) This tells us that [EAX+14] is the current y-position of the bullet! And since [EAX+1C] is added to it every frame, then it must be the vertical velocity of the bullet! Now you can look through the code to find any instruction that changes the value of [EAX+1C]. You should see two: one saying: MOV DWORD PTR DS:[ECX+1C],1000 and one saying MOV DWORD PTR DS:[EDX+1C],-1000

In other words, it sets the vertical velocity to 1000 or -1000 respectively. Try changing those values, and you will see that it changes the speed of the bullet when you shoot up or down. But how do we change the speed for left and right? If you look in the general vicinity of the code that sets the vertical speed, you will see these lines: MOV DWORD PTR DS:[ECX+18],-1000 and MOV DWORD PTR DS:[EAX+18],1000 could this be setting the horizontal speed? Try changing it, and you will see that it does! That means [E_X+18] is the horizontal speed! Now if you set all 4 of those values to be that same thing, you have changed the speed of the polar star! Hooray!

Now you try: here is a simple bit of code taken from the bubbler LV1, see if you can figure out what it does. (since its a weapon, all the offsets will be the same as the polar star ones, so since [E_X+18] is the horizontal speed in the polar star, it will be in the bubbler LV1, and every weapon in the game) this is at 0x40600B fyi. For your first few times hacking, I recommend commenting every single line in the space you want to know about, but don't worry, it comes quickly and won't be long before you can recognize complex code at a glance.

MOV EDX,[EBP+8]
MOV EAX,[EDX+1C]
MOV ECX,[EBP+8]
MOV [ECX+1C],EAX

Edited by dooey100, 20 May 2009 - 01:09 AM.

### #2 28 March 2009 - 09:18 AM

Offline
Hax on....Hax off....
 "Big Joe Tire and Battery Restaurant! Opening Soon! Eat at Big Joes!"
Join Date: 05 Jan 2009
Location: LocationEaster Island
Posts: 481

Okay I'm using that assembler program you put the link for but it's still a little confusing for me. I'm trying to practice by finding adresses or offsets or whatever they're called. So you use Ctrl+G and putting this adress in 0x00004160 but it always says: no memory at the specified adress. I'm not so sure whether i'm using the wrong command or what.
I suck so much at this >.<

### #3 28 March 2009 - 01:19 PM

Offline
Lesbian Seagull
 "Life begins and ends with Nu."
Join Date: 04 Jan 2008
Location: LocationHunky Dory
Posts: 3,062

you need to put:
0x00404160

### #4 28 March 2009 - 10:51 PM

Offline
Hax on....Hax off....
 "Big Joe Tire and Battery Restaurant! Opening Soon! Eat at Big Joes!"
Join Date: 05 Jan 2009
Location: LocationEaster Island
Posts: 481

Ahh thanks, now maybe I can actually get started...I'll try my very best to make sence of all this. I think I once saw a post you once made with some details about all those PUSH and MOV command things so I'll try and find that and work it out.

### #5 29 March 2009 - 02:13 PM

Offline
Lesbian Seagull
 "Life begins and ends with Nu."
Join Date: 04 Jan 2008
Location: LocationHunky Dory
Posts: 3,062

I'm actually pretty clueless about push, never really cared enough to look into it. Mov is just an equal sign though, if you see

mov ebp,55
it means
ebp = 55

hope that helps.

### #6 29 March 2009 - 03:00 PM

Offline
If you snoose, you loose
 "Heavy swords for sale. Suitable for most RPG Protagonists. Apply now!"
Join Date: 02 Jul 2008
Location: Locationtrapped in mspaint
Posts: 1,911
Age: 20

Push pushes a value on to the stack. Pop removes it from the stack. This is useful for entering and exiting procedures because you can back up some data to the stack before calling the procedure, and then pop it back off the stack in reverse order after calling the procedure. That way, whatever data you backed up will be preserved regardless of what the procedure you called did. You have to be careful, though, that you balance the stack, in other words, that you pop the exact same amount of data that you push. Failure to do so will almost inevitably result in either a crash or a bizarre inexplicable bug.

### #7 29 March 2009 - 05:14 PM

Offline
Been here way too long...
 "Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: 22 Jun 2008
Location:
Posts: 254

You have to use PUSH for the built in random number generator, which you could call like this:

PUSH xxxx
PUSH yyyy
CALL 0040F350

where xxxx is the maximum value you want to get, and yyyy is the minimum value.

### #8 29 March 2009 - 07:55 PM

Offline
Lesbian Seagull
 "Life begins and ends with Nu."
Join Date: 04 Jan 2008
Location: LocationHunky Dory
Posts: 3,062

### #9 29 March 2009 - 10:10 PM

Offline
Been here way too long...
 "Ha! Ha! Ha! Mega Man is no match for my Mimiga Man!"
Join Date: 22 Jun 2008
Location:
Posts: 254

oops sorry, its EAX

### #10 30 March 2009 - 12:31 AM

Offline
Lesbian Seagull
 "Life begins and ends with Nu."
Join Date: 04 Jan 2008
Location: LocationHunky Dory
Posts: 3,062

why oops?

Old topic!
Guest, the last post in this thread is over 60 days old. Posting in this thread will be considered a bump, so please make an attempt to be courteous if you go ahead with it.

If the last post is over 6 months old, it may instead be a better idea to start a new topic. If you aren't sure about what to do, feel free to ask a staff member for help, or try to locate a 'general questions'-type thread if it exists in this (sub-)forum.

#### 0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users