Cheat Engine Forum Index
The Official Site of Cheat Engine
Finding a flash game var's MULTINAME ID?

 
Cheat Engine Forum Index -> General Gamehacking
MixerMax
How do I cheat?
Reputation: 0

Joined: 23 Aug 2009
Posts: 7

Posted: Wed Dec 11, 2013 7:18 pm    Post subject: Finding a flash game var's MULTINAME ID?

I have a cheat for a game, which for some reason keeps changing the MULTINAME ID of the var I'm accessing.

Code:

package somePackage.someOtherPackage
{
    public class someClass
    {
        public function someFunction():void
        {
            var someVar:int;
            var innerFunction:Function = function(params):void
            {
                // cheat modifies this code, uses cheatVar
            };
            var cheatVar:Array;

            // several uses of cheatVar
            // call to innerFunction(params, not cheatVar)
        }
    }
}


Using JPEXS FFDEC.
And I don't know THAT much about AVM2 byte code, only enough to do some small cheating :)

For some reason the code referring to cheatVar refers to it as "slot 2", not as a property with Q/MULTINAME.
And using "getslot 2" in innerFunction() generates code, but with a var called "UnkownSlot", and I don't know if that works.

Using findpropstrict and getproperty with the MULTINAME ID I found in the constants table, I was able to use the var and make my cheat.

But since the ID for cheatVar keeps changing, I have to decompile the new swf and manually find the ID for the var in the constants table over and over.

I know the constants table is there in memory, but I dunno how to read it, or how the Lua script would go for finding the ID,
so I can automatically store it in an allocated symbol to refer to from the auto-assembler cheat.


Any help will greatly be appreciated.
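The constant-pool walk the question above asks for, as an added example that is not part of the thread and not a CE script: it is written in Python so it can be run against a dumped byte buffer, and the logic ports directly to a CE Lua script that feeds it the output of readBytes. The part the poster did not know is the layout: every ABC block (the payload of a DoABC tag) starts with minor_version 16 and major_version 46 (bytes 10 00 2E 00) followed by the constant pool in the fixed order int, uint, double, string, namespace, ns_set, multiname, and every count N means N-1 real entries because entry 0 is implicit. The code scans for that header, parses the pool and returns the multiname indexes whose name matches. The ABC blob at the bottom is constructed here (names and pool indexes are placeholders), not taken from any real game.

```python
"""Find the constant-pool index of an AVM2 multiname by name, in a byte buffer
such as a process-memory dump. Constructed example: the sample ABC below is
hand-built, and 'cheatVar' / 'indexOf' are placeholders for the thread's names."""

ABC_VERSION = b"\x10\x00\x2e\x00"   # minor_version 16, major_version 46: start of every ABC block


def read_u30(buf, pos):
    """Decode an AVM2 varint (7 data bits per byte, LSB first, high bit = more). Returns (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not (b & 0x80) or shift >= 35:          # at most 5 bytes
            return value & 0xFFFFFFFF, pos


def enc_u30(value):
    """Encode an unsigned int as an AVM2 varint (inverse of read_u30)."""
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


def _skip(buf, pos, count, fixed=0):
    """Skip a pool of `count` entries (count-1 real ones; entry 0 is implicit)."""
    for _ in range(max(count - 1, 0)):
        if fixed:
            pos += fixed
        else:
            _, pos = read_u30(buf, pos)
    return pos


def parse_cpool(abc):
    """Parse the constant pool. Returns (strings, multinames); multinames[i] = (kind, ns_or_nsset, name)."""
    pos = len(ABC_VERSION)
    n, pos = read_u30(abc, pos); pos = _skip(abc, pos, n)            # signed ints (not needed here)
    n, pos = read_u30(abc, pos); pos = _skip(abc, pos, n)            # unsigned ints
    n, pos = read_u30(abc, pos); pos = _skip(abc, pos, n, fixed=8)   # doubles are fixed 8 bytes
    n, pos = read_u30(abc, pos)
    strings = [""]                                                   # index 0 is the implicit "any" string
    for _ in range(max(n - 1, 0)):
        size, pos = read_u30(abc, pos)
        strings.append(abc[pos:pos + size].decode("utf-8")); pos += size
    n, pos = read_u30(abc, pos)
    namespaces = [(0, 0)]                                            # (kind, string index)
    for _ in range(max(n - 1, 0)):
        kind = abc[pos]
        name, pos = read_u30(abc, pos + 1)
        namespaces.append((kind, name))
    n, pos = read_u30(abc, pos)
    ns_sets = [[]]
    for _ in range(max(n - 1, 0)):
        cnt, pos = read_u30(abc, pos)
        members = []
        for _ in range(cnt):
            ns, pos = read_u30(abc, pos); members.append(ns)
        ns_sets.append(members)
    n, pos = read_u30(abc, pos)
    multinames = [None]                                              # index 0 is reserved
    for _ in range(max(n - 1, 0)):
        kind = abc[pos]; pos += 1
        if kind in (0x07, 0x0D):                                     # QName / QNameA: ns, name
            ns, pos = read_u30(abc, pos); name, pos = read_u30(abc, pos)
            multinames.append(("QName", strings[namespaces[ns][1]], strings[name]))
        elif kind in (0x0F, 0x10):                                   # RTQName / RTQNameA: name only
            name, pos = read_u30(abc, pos)
            multinames.append(("RTQName", None, strings[name]))
        elif kind in (0x11, 0x12):                                   # RTQNameL / RTQNameLA: no data
            multinames.append(("RTQNameL", None, None))
        elif kind in (0x09, 0x0E):                                   # Multiname / MultinameA: name, ns_set
            name, pos = read_u30(abc, pos); nss, pos = read_u30(abc, pos)
            multinames.append(("Multiname", nss, strings[name]))
        elif kind in (0x1B, 0x1C):                                   # MultinameL / MultinameLA: ns_set only
            nss, pos = read_u30(abc, pos)
            multinames.append(("MultinameL", nss, None))
        elif kind == 0x1D:                                           # TypeName (Vector.<T>): base mn + params
            base, pos = read_u30(abc, pos); cnt, pos = read_u30(abc, pos)
            for _ in range(cnt):
                _, pos = read_u30(abc, pos)
            multinames.append(("TypeName", base, None))
        else:
            raise ValueError("unknown multiname kind 0x%02x at %d" % (kind, pos - 1))
    return strings, multinames


def find_multiname(multinames, name):
    """All pool indexes whose multiname is called `name` (one name can exist under several kinds)."""
    return [i for i, m in enumerate(multinames) if m is not None and m[2] == name]


def multiname_index(mem, name):
    """Scan a buffer for ABC headers, parse each candidate and collect the matching indexes.
    A 4-byte header can match by chance, so candidates that fail to parse are skipped."""
    hits, start = [], mem.find(ABC_VERSION)
    while start != -1:
        try:
            hits.extend(find_multiname(parse_cpool(mem[start:])[1], name))
        except (IndexError, ValueError, UnicodeDecodeError):
            pass
        start = mem.find(ABC_VERSION, start + 1)
    return hits


def build_sample_abc():
    """Constructed ABC blob: empty int/uint/double pools and a small name pool."""
    strings = ["", "Math", "random", "round", "cheatVar", "indexOf"]   # pool indexes 1..6
    out = bytearray(ABC_VERSION)
    out += enc_u30(0) + enc_u30(0) + enc_u30(0)                       # no ints, uints, doubles
    out += enc_u30(len(strings) + 1)
    for s in strings:
        out += enc_u30(len(s)) + s.encode("utf-8")
    out += enc_u30(2) + bytes([0x16]) + enc_u30(1)                    # ns 1: PackageNamespace ""
    out += enc_u30(2) + enc_u30(1) + enc_u30(1)                       # ns_set 1: {ns 1}
    out += enc_u30(6)                                                 # 5 multinames follow
    out += bytes([0x07]) + enc_u30(1) + enc_u30(2)                    # 1: QName(ns1, "Math")
    out += bytes([0x07]) + enc_u30(1) + enc_u30(3)                    # 2: QName(ns1, "random")
    out += bytes([0x09]) + enc_u30(4) + enc_u30(1)                    # 3: Multiname("round", set1)
    out += bytes([0x07]) + enc_u30(1) + enc_u30(5)                    # 4: QName(ns1, "cheatVar")
    out += bytes([0x09]) + enc_u30(6) + enc_u30(1)                    # 5: Multiname("indexOf", set1)
    out += enc_u30(0)                                                 # method_count = 0; rest omitted
    return bytes(out)


if __name__ == "__main__":
    dump = b"\x00" * 37 + build_sample_abc() + b"\xff" * 9           # stand-in for a memory dump
    print("cheatVar ->", multiname_index(dump, "cheatVar"))
```

Two things to keep in mind when running this on a real dump: the index you want is the one of the multiname kind the instruction actually uses (a local accessed through findpropstrict/getproperty is normally a QName, while calls such as indexOf usually go through a Multiname with a namespace set), and the same ABC can appear more than once in memory, so prefer the copy whose surrounding bytes also match your code AoB.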
DaSpamer
Grandmaster Cheater Supreme
Reputation: 52

Joined: 13 Sep 2011
Posts: 1578

Posted: Thu Dec 12, 2013 11:23 am

I faced some issues like you have.
For example, I have a slots game that I wish to hack (non server-based).
They set the rewards locally, so I could force a winning amount (the problem here is that if it's too high, you get banned via the server when sending the packet with the data), which could be risky.
Also, winning the same rewards over and over again is quite hard.

So I've done the following.
nopped all the operations that come before (like combos, or anything special).

To avoid any reward multiplying (beyond the maximum you want).
So I ended up with an AoB of about 400 characters (a long AS3 script).

(Read the following steps that I perform, so you can apply them yourself.)

So to avoid a ban for having a consistent reward, I looked for the Math.random function (you can look for anything that uses the var), read the memory, also looked for Math.round and also multiplied it by the max reward I want (for example 10).

So this is how I ended up.
Code:
Math.round(Math.random() * 10)

By reading the memory and calling the vars.

This is the AoB I looked for
Code:
60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? ?? 24 0A a2 46 ?? ?? ?? ??

Translation of this code (as far as I understand how it works).
Code:
60 ?? ?? ??       prepare Math.round
60 ?? ?? ??       prepare Math.random
46 ?? ?? ?? ??    call Math.random()
24 0A A2          multiply it by 10
46 ?? ?? ?? ??    call Math.round(with the Math.random()*10 output)


So I basically read all of that memory range (all AoB length).
And just used it where I needed.

So now I had the function I wanted to edit, and disabled the stuff I didn't need (since the AoB is quite long, we need to get rid of stuff by placing 02 in the memory locations we don't touch, to avoid errors; 02 is the nop, no operation).

Then inserted the AoB above (by reading it).
Wrote some actions I want to perform before (checking stuff, like whether param1 is something specific...).
And some actions to perform after calling the Math.round(Math.random()*10) thing
(like setting the rewardAmount var with the output of Math.round).


Here's an example of how I can do it with CE (ignore the Function AoB, I made it up).
Pay attention to the part where I use the Math operation, and skip the part where I fix the function and perform more actions if you're NOT rewriting an AS3 script (like using it in assembly).

Code:
aobscan(Math, 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? ?? 24 0A a2 46 ?? ?? ?? ??)
//            01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21   // byte count: 21 bytes to read
aobscan(Function, d0 66 ?? ?? 66 ?? ?? 66 ?? ?? 12 ?? ?? ?? d0 66 ?? ?? d0 66 ?? ?? 66 ?? ?? 66 ?? ?? 4f ?? ?? ?? d0 66 ?? ?? 66 ?? ?? a2 75 61)
//                00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f 10 11 12 13 14 15 16 17 18 19 1a 1b 1c 1d 1e 1f 20 21 22 // offset to write (hex)
Function+e:
readmem(Math, 21)
// The Function AoB looked like this:
// d0 66 ?? ?? 66 ?? ?? 66 ?? ?? 12 ?? ?? ?? d0 66 ?? ?? d0 66 ?? ?? 66 ?? ?? 66 ?? ?? 4f ?? ?? ?? d0 66 ?? ?? 66 ?? ?? a2 75 61
// After the readmem it looks like this:
// d0 66 ?? ?? 66 ?? ?? 66 ?? ?? 12 ?? ?? ?? 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? ?? 24 0A a2 46 ?? ?? ?? ?? + ?? 66 ?? ?? a2 75 61
// Note: the first ?? after the + is corrupt (a leftover operand byte); remember to 02 it out, or it will break the game.
// Since we want to set the value without touching any other vars that could modify it, we disable "?? 66 ?? ?? a2 75" but keep 61
// (unless we want to set the var value from a different position; if so, you'll need to read the var again).
db 02 02 02 02 02 02
// So now Function looks like this:
// d0 66 ?? ?? 66 ?? ?? 66 ?? ?? 12 ?? ?? ?? 60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? ?? 24 0A a2 46 ?? ?? ?? ?? 02 02 02 02 02 02 61 // Now the function code should operate perfectly.
//
// Math.random returns a value between 0 and 1, for example 0.2310694
// Now the function multiplies it by 10 --> 2.310694
// Now we call Math.round(2.310694) --> 2
// So we're done with the math functions
//
// Now the function will set the variable value to 2.



Bottom line:
The examples and information above are methods of how to access 'dynamic' values of vars (each compiled .swf ends up with different bytes for each var).

The example code above can help you achieve the same thing I've achieved, in case you come across it (and others, of course); we're not capable of writing our own functions, and rewriting a function completely is a challenge.



Notes:
I got the Math.round() / Math.random() function FROM inside the .swf; you should look for your variable's AoB as well.
If you're trying to rewrite a function, ALWAYS look for the action you want to perform in the search (I recommend Sothink SWF Decompiler for that), copy the raw data and don't delete it, because you'll forget what you've done, since you must build up a function as an AoB.




Hope this helps you, if you have any other questions, or I didn't explain something exactly clear, let me know.

_________________
HEY Hitler
Do you get lazy when making trainers?
Well no more!
My CETrainer will generate it for you in seconds, so you won't get lazy! :D

http://forum.cheatengine.org/viewtopic.php?t=564919
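The AoB scan, readmem splice and nop fill from the post above, as an added example that is not DaSpamer's script: it runs the same recipe in Python over a constructed buffer instead of live process memory, with concrete operand bytes invented so that both patterns match exactly once (the function body is as made up as the post says its AoB is). It adds the two checks the auto-assembler script does not make: that each pattern matches exactly once before anything is written, and that the patch keeps the length of the function body unchanged, because in AVM2 a shifted byte moves every later instruction and branch target.

```python
"""Wildcard AoB scan plus in-place byte splice, the way the CE script above does it.
Constructed example: MATH_BYTES and FUNC_BYTES are invented instances of the two
patterns, not bytes from any real SWF."""

NOP = 0x02   # AVM2 'nop' opcode: what leftover bytes get overwritten with so they are never executed

MATH_AOB = "60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? ?? 24 0A A2 46 ?? ?? ?? ??"
FUNC_AOB = ("D0 66 ?? ?? 66 ?? ?? 66 ?? ?? 12 ?? ?? ?? D0 66 ?? ?? D0 66 ?? ?? 66 ?? ?? "
            "66 ?? ?? 4F ?? ?? ?? D0 66 ?? ?? 66 ?? ?? A2 75 61")

# Concrete bytes behind the wildcards (constructed). u30 operands are varints, so a 3-byte
# getlex operand means a multiname index >= 0x4000 and a 2-byte getproperty operand one >= 0x80.
MATH_BYTES = bytes.fromhex(
    "60 80 80 01"       # getlex        mn 0x4000  (Math)
    "60 80 80 01"       # getlex        mn 0x4000  (Math)
    "46 81 80 01 00"    # callproperty  mn 0x4001  (random), 0 args
    "24 0A"             # pushbyte 10
    "A2"                # multiply
    "46 82 80 01 01"    # callproperty  mn 0x4002  (round), 1 arg
)
FUNC_BYTES = bytes.fromhex(
    "D0 66 81 01 66 82 01 66 83 01 12 0A 00 00"   # getlocal_0, 3x getproperty, iffalse +10
    "D0 66 84 01 D0 66 85 01 66 86 01 66 87 01"   # getlocal_0, getproperty, getlocal_0, 3x getproperty
    "4F 88 01 02"                                  # callpropvoid mn 0x88, 2 args
    "D0 66 89 01 66 8A 01 A2 75 61"                # getlocal_0, 2x getproperty, multiply, convert_d, setproperty
)


def parse_aob(pattern):
    """'60 ?? 46' -> [0x60, None, 0x46]; None is a wildcard byte."""
    return [None if tok == "??" else int(tok, 16) for tok in pattern.split()]


def aob_scan(mem, pattern):
    """Every offset where `pattern` matches. A pattern you are about to patch must match exactly once."""
    pat = parse_aob(pattern)
    return [i for i in range(len(mem) - len(pat) + 1)
            if all(p is None or mem[i + j] == p for j, p in enumerate(pat))]


def splice(mem, dst, dst_len, dst_off, src, src_len, keep_tail=1):
    """Copy src_len bytes from `src` to `dst + dst_off` (the script's 'Function+e: readmem(Math, 21)'),
    then nop out everything after the copy except the last `keep_tail` bytes of the destination
    (the script's 'db 02 02 02 02 02 02' that keeps the trailing setproperty). Length never changes."""
    if dst_off + src_len > dst_len - keep_tail:
        raise ValueError("source sequence does not fit inside the destination")
    out = bytearray(mem)
    out[dst + dst_off:dst + dst_off + src_len] = mem[src:src + src_len]
    pad_from, pad_to = dst + dst_off + src_len, dst + dst_len - keep_tail
    out[pad_from:pad_to] = bytes([NOP]) * (pad_to - pad_from)
    return bytes(out)


def build_sample_memory():
    """Constructed 'process memory': filler, the Math sequence, filler, the function body, its setproperty operand."""
    return b"\x00" * 16 + MATH_BYTES + b"\x00" * 8 + FUNC_BYTES + bytes.fromhex("8B 01") + b"\x00" * 4


def apply_patch(mem):
    """The recipe from the post: Math sequence (21 bytes) into the 42-byte function at +0x0E,
    6 stale bytes nopped, final 0x61 kept. Returns (patched_memory, function_offset)."""
    (math_at,) = aob_scan(mem, MATH_AOB)    # tuple-unpacking fails loudly unless the match is unique
    (func_at,) = aob_scan(mem, FUNC_AOB)
    return splice(mem, func_at, 42, 0x0E, math_at, 21, keep_tail=1), func_at


if __name__ == "__main__":
    mem = build_sample_memory()
    patched, func_at = apply_patch(mem)
    print(patched[func_at:func_at + 42].hex(" "))
```

Note what the patched buffer now contains: the Math sequence twice, the original and the copy inside the function. Running the same script a second time therefore fails the uniqueness check in `apply_patch`, which is the behaviour you want; a CE aobscan with two hits silently takes the first one.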
MixerMax
How do I cheat?
Reputation: 0

Joined: 23 Aug 2009
Posts: 7

Posted: Fri Dec 13, 2013 7:17 pm

Thanks DaSpamer for the tip; though it doesn't work for this exact scenario I have, I do the same for other variables.

e.g.: the innerFunction() accesses other variables from the main function, which are ints, and I have to rewrite those references.
So, just like you do, I'm saving the IDs for those vars:

Code:

// script 1 - prepare
aobscan(_innerFunction, ........)
registersymbol(_innerFunction)

alloc(_int1, 2)
registersymbol(_int1)
alloc(_int2, 2)
registersymbol(_int2)
alloc(_int3, 2)
registersymbol(_int3)

// copy the 2 ID bytes of each reference from the original code into the allocated symbols
_int1:
readmem(_innerFunction+xx, 2)

_int2:
readmem(_innerFunction+xx, 2)

_int3:
readmem(_innerFunction+xx, 2)

I register the symbols just so I can refer to them in other scripts and the cheat table, to check everything went ok :)


Another ID I get from the code this way is the indexOf() method of the Array class.


My only problem is, the actual cheatVar array variable is always referenced with "getslot 2" (6C 02), so I can't use the same trick for this one.
BTW,
DaSpamer wrote:
This is the AoB I looked for
Code:
60 ?? ?? ?? 60 ?? ?? ?? 46 ?? ?? ?? ?? 24 0A a2 46 ?? ?? ?? ??

Translation of this code (as far as I understand how it works).
Code:
60 ?? ?? ??       prepare Math.round
60 ?? ?? ??       prepare Math.random
46 ?? ?? ?? ??    call Math.random()
24 0A A2          multiply it by 10
46 ?? ?? ?? ??    call Math.round(with the Math.random()*10 output)


getlex() (60) gets the object (the Math class) which holds the property (method); it doesn't prepare the call.
I clarify this because of your comment, and in case you misunderstood what it does.
And I hope this clarification helps you in future code analysis :)

In case you don't have it, I use this, which I stumbled upon after reading one of bmanatee's tutorials, to understand what the disassembly means :)

anotherbigidea.com/javaswf/avm2/AVM2Instructions.html

So, my original question still stands.

I realized I could download JPEXS FFDEC's code to understand how they do it,
including locating the whole SWF in memory, as their "Search SWFs in memory" tool does.

But I really don't have the time to mess with this for so long.
So if anyone already did, or this little realization motivates them to do it ;) I will really appreciate it if they share it.

Thanks!!!
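The operand-reading trick in the post above (readmem of the 2 bytes after a reference) and the "getslot 2" problem, as an added example that is not part of the thread: a small operand-aware walk over AVM2 bytecode in Python. It decodes each instruction's variable-length u30 operands instead of assuming they are 2 bytes, lists the instructions whose operand really is a constant-pool multiname index, and rewrites such an operand in place with nop padding when the new encoding is shorter (refusing when it is longer, because that would shift every later byte). It also shows why the multiname trick cannot apply to getslot: its operand is a slot number on the activation object that holds locals captured by a nested function, not an index into the constant pool, so there is nothing in the pool to look up. The method body and the indexes 130..132 are constructed here and hypothetical.

```python
"""Operand-aware walk over AVM2 bytecode. Constructed example: SAMPLE_CODE is an
invented method body and its multiname indexes are placeholders."""

NOP = 0x02


def read_u30(buf, pos):
    """Decode an AVM2 varint (7 data bits per byte, LSB first, high bit = more). Returns (value, new_pos)."""
    value, shift = 0, 0
    while True:
        b = buf[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not (b & 0x80) or shift >= 35:
            return value & 0xFFFFFFFF, pos


def enc_u30(value):
    """Encode an unsigned int as an AVM2 varint."""
    out = bytearray()
    while True:
        b, value = value & 0x7F, value >> 7
        out.append(b | 0x80 if value else b)
        if not value:
            return bytes(out)


# opcode -> (mnemonic, operand kinds). Only the opcodes this thread touches plus common neighbours;
# 'mn' = multiname index, 'slot' = slot number, 'argc' = argument count, 'str'/'int' = pool indexes.
OPS = {
    0x02: ("nop", []), 0x24: ("pushbyte", ["u8"]), 0x25: ("pushshort", ["u30"]),
    0x2C: ("pushstring", ["str"]), 0x2D: ("pushint", ["int"]), 0x30: ("pushscope", []),
    0x46: ("callproperty", ["mn", "argc"]), 0x4F: ("callpropvoid", ["mn", "argc"]),
    0x47: ("returnvoid", []), 0x48: ("returnvalue", []),
    0x5D: ("findpropstrict", ["mn"]), 0x60: ("getlex", ["mn"]), 0x61: ("setproperty", ["mn"]),
    0x62: ("getlocal", ["u30"]), 0x63: ("setlocal", ["u30"]), 0x66: ("getproperty", ["mn"]),
    0x68: ("initproperty", ["mn"]), 0x6C: ("getslot", ["slot"]), 0x6D: ("setslot", ["slot"]),
    0x73: ("convert_i", []), 0x75: ("convert_d", []), 0x80: ("coerce", ["mn"]),
    0x10: ("jump", ["s24"]), 0x11: ("iftrue", ["s24"]), 0x12: ("iffalse", ["s24"]),
    0xA0: ("add", []), 0xA1: ("subtract", []), 0xA2: ("multiply", []), 0xA3: ("divide", []),
    0xD0: ("getlocal_0", []), 0xD1: ("getlocal_1", []), 0xD2: ("getlocal_2", []), 0xD3: ("getlocal_3", []),
    0xD4: ("setlocal_0", []), 0xD5: ("setlocal_1", []), 0xD6: ("setlocal_2", []), 0xD7: ("setlocal_3", []),
}


def decode(code, pos):
    """Decode one instruction at `pos` -> (mnemonic, [(kind, value), ...], size_in_bytes)."""
    op = code[pos]
    if op not in OPS:
        raise ValueError("opcode 0x%02x at %d not in table; extend OPS" % (op, pos))
    name, kinds = OPS[op]
    cur, operands = pos + 1, []
    for kind in kinds:
        if kind == "u8":
            val, cur = code[cur], cur + 1
        elif kind == "s24":                         # branch offsets are signed 24-bit little-endian
            val, cur = int.from_bytes(code[cur:cur + 3], "little", signed=True), cur + 3
        else:                                       # everything else is a u30 varint
            val, cur = read_u30(code, cur)
        operands.append((kind, val))
    return name, operands, cur - pos


def disassemble(code):
    """[(offset, mnemonic, operands), ...] for a whole method body."""
    out, pos = [], 0
    while pos < len(code):
        name, operands, size = decode(code, pos)
        out.append((pos, name, operands))
        pos += size
    return out


def multiname_refs(code):
    """(offset, mnemonic, index) for every operand that is a constant-pool multiname: what the
    readmem trick copies. getslot/setslot never appear here: their operand is a slot number."""
    return [(off, name, val) for off, name, ops in disassemble(code) for kind, val in ops if kind == "mn"]


def _encode(kind, val):
    if kind == "u8":
        return bytes([val])
    if kind == "s24":
        return val.to_bytes(3, "little", signed=True)
    return enc_u30(val)


def patch_operand(code, insn_off, new_value):
    """Rewrite the first u30-class operand of the instruction at `insn_off` without changing the
    instruction's size: shorter encodings are nop-padded, longer ones are refused."""
    name, operands, size = decode(code, insn_off)
    slots = [i for i, (kind, _) in enumerate(operands) if kind not in ("u8", "s24")]
    if not slots:
        raise ValueError("%s has no u30 operand to rewrite" % name)
    operands[slots[0]] = (operands[slots[0]][0], new_value)
    body = bytes([code[insn_off]]) + b"".join(_encode(k, v) for k, v in operands)
    if len(body) > size:
        raise ValueError("new operand needs %d bytes but the instruction only has %d" % (len(body), size))
    body += bytes([NOP]) * (size - len(body))       # padding keeps later offsets and branch targets intact
    return code[:insn_off] + body + code[insn_off + size:]


SAMPLE_CODE = bytes.fromhex(
    "D0 30"           # getlocal_0, pushscope
    "5D 82 01"        # findpropstrict mn 130   (2-byte u30)
    "66 83 01"        # getproperty    mn 131
    "6C 02"           # getslot 2               <- slot number on the activation object, not a multiname
    "24 05"           # pushbyte 5
    "46 84 01 01"     # callproperty   mn 132, 1 arg   (an indexOf-style call)
    "73 D5 47"        # convert_i, setlocal_1, returnvoid
)

if __name__ == "__main__":
    for off, name, ops in disassemble(SAMPLE_CODE):
        print("%3d  %-15s %s" % (off, name, ops))
    print(multiname_refs(SAMPLE_CODE))
```

The practical consequence for the script above: `readmem(_innerFunction+xx, 2)` is right only while the referenced index still encodes in 2 bytes (0x80..0x3FFF); when a rebuilt SWF pushes an index past 0x3FFF, or below 0x80, the operand grows or shrinks and every hard-coded `+xx` after it is off by the difference.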
DaSpamer
Grandmaster Cheater Supreme
Reputation: 52

Joined: 13 Sep 2011
Posts: 1578

Posted: Sat Dec 14, 2013 2:28 am

I know what getlex() means, I wasn't sure you knew. It goes like:
get Math and get random (from Math), then call it... same for random.
I said prepare Math.random() because basically, before you can call it, you must get it (prepare it), else you'll get an error calling a non-existent function (it'll try to call a random() function that is inside the AS3).


I've been using AS3 for a pretty long time; maybe give me the game name and I'll check it out (message me with the game name, the variable you're trying to get, etc.).

Also, is the ID static?
I mean, if it's like this:
var id = something.somewhere.fb._id

you won't be able to get the id from that.

MixerMax
How do I cheat?
Reputation: 0

Joined: 23 Aug 2009
Posts: 7

Posted: Mon Dec 16, 2013 6:04 pm

DaSpamer wrote:
Also, the ID is static?
I mean, if it has like this:
var id = something.somewhere.fb._id

you won't be able to get the id from that.

Nope, it's a variable's MULTINAME ID I'm trying to get, not a variable's value.


Don't worry; I won't bother with this anymore.
They have stopped changing the swf so rapidly, so I just have to change the ID once every few days. Good enough :P

Thanks