Cheat Engine The Official Site of Cheat Engine
daspamer (Grandmaster Cheater Supreme)
Reputation: 54
Joined: 13 Sep 2011   Posts: 1588
Posted: Sat Dec 08, 2012 4:18 pm   Post subject: [Suggestion] AA script to extend script size of .swf script

Hey,
I got a suggestion.
Me and my friend mainly hack only flash games.
The thing is that it uses AS3 (ActionScript 3), a very limited language..
Now, we want to write a script for some flash game but the space is not enough
(aob 24 02 a2 61 9d 05, change with 24 02 a3 a3 a3 61 9d 05)
like got to the maximum closest result..
But then the game froze,
(wanted it to jmp into new mem, write these bytes and jump.. yeah, didn't work, so I modified the code to make it work by adding AS3 nops, which are 02..)
Dark Byte, can you make this possible?
The lack of space is ruining everything...
(also, I don't think AS3 reads jmp as jmp, it has its own definitions... more information here https://learn.adobe.com/wiki/display/AVM2/5.+AVM2+instructions , at the left side of the screen look for AVM2 instructions, and each definition has a value in hex... a2=multiply a3=divide a0=add a1=subtract etc.)
Hope this will be possible,
Thanks for reading.
DaSpamer
_________________
I'm rusty and getting older, help me re-learn lua.

Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003   Posts: 25788   Location: The Netherlands
Posted: Sat Dec 08, 2012 4:45 pm

Best post this in the flash section, as I never touch that stuff.
_________________
Do not ask me about online cheats. I don't know any and won't help finding them.
Like my help? Join me on Patreon so I can keep helping

daspamer (Grandmaster Cheater Supreme)
Reputation: 54
Joined: 13 Sep 2011   Posts: 1588
Posted: Sat Dec 08, 2012 5:07 pm

I doubt that they can make this (jump to empty space in memory and jmp back without causing a crash, because Cheat Engine jmp hex values mean something else in AS3).
The solution that I don't like is editing the .swf and adding that line.. (by line I mean the AS3 line that will hack/edit the value)
Or
making some script that will translate a call in AS3 to a jump in CE and jump back, and I really don't know what & how.
(like making a Lua script that defines a jmp to call the address of the edited bytes, continues from there, and adds to the end of the edited bytes a call that should jump back to the original script...
helping define it in AS3:
https://learn.adobe.com/wiki/display/AVM2/call
https://learn.adobe.com/wiki/display/AVM2/callmethod
https://learn.adobe.com/wiki/display/AVM2/callproperty
https://learn.adobe.com/wiki/display/AVM2/callproplex
https://learn.adobe.com/wiki/display/AVM2/callpropvoid
https://learn.adobe.com/wiki/display/AVM2/callstatic
https://learn.adobe.com/wiki/display/AVM2/callsuper
https://learn.adobe.com/wiki/display/AVM2/callsupervoid )
Like I managed to show the value I want in hex exactly as I wanted, but the jmp screwed it over..
Dark Byte, if you could somehow make this, it'll be a HUGE improvement for flash game hacking, since there are lots of games that are easily hackable with .swfs rather than with Cheat Engine, but these .swfs need to be updated every time the game is updated.. while CE edits only 1 part of it, so it doesn't need to be updated.

Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003   Posts: 25788   Location: The Netherlands
Posted: Sat Dec 08, 2012 5:23 pm

It is impossible for CE to add extra space; once the memory has been allocated (based on the swf header), the size of the memory block cannot be modified anymore without extensive pointer updates.
Your best bet is to modify the swf and make it allocate more memory and adjust it in the swf, and I don't think CE will be of much use with that, besides finding the uncompressed swf binary and saving it to disk.
At most you could do a hook at the loadMovie API and adjust the path to the swf to your modified one.

daspamer (Grandmaster Cheater Supreme)
Reputation: 54
Joined: 13 Sep 2011   Posts: 1588
Posted: Sat Dec 08, 2012 5:29 pm

:L
Sucks to hear it.
I don't like .swf editing because it has to be updated a lot; most of my trainers survive a couple of months, while .swfs can barely survive 1 day to 1 week.
And I didn't mean to add extra space,
I meant to make it jump to empty space in memory (like code injection but for flash), and from there return back (using AS3) to the original script and continue.

Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003   Posts: 25788   Location: The Netherlands
Posted: Sat Dec 08, 2012 5:41 pm

I know, but that's not possible without first editing the swf beforehand.
https://learn.adobe.com/wiki/display/AVM2/3.1+Overview
Quote:
    During execution, the bytecodes representing compiled code in the ABC file are run through an interpreter, thus performing computation. Verification at this stage is relative to the stream of instructions and the contents of the execution stack: instructions must not jump outside the bytecode array; instructions that require certain operand types can be applied only to operands whose known type is the correct one; the code must not use more stack and register space than it has reserved; and so on.
Meaning that it can only jump to locations inside the same block. A code injection allocates a new block to jump to, so it isn't possible.
At most a codecave is an option, but then there needs to be some memory reserved for that beforehand.
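The verifier rule Dark Byte quotes is the one that stops a branch into freshly allocated memory. The Python below is an added teaching example, not Cheat Engine code, not Adobe's verifier and not code from anyone in this thread: it decodes a small AVM2 method body and applies that rule, every branch target must fall inside the bytecode array, plus a stricter check of my own that the target lands on an instruction boundary. The opcode values and the s24/u30 operand encodings come from the AVM2 specification the thread links to; the opcode subset, the constructed sample bodies and the names `decode`/`check_branches` are assumptions made for this example. It also decodes the original byte pattern quoted in the first post, which shows that `61 9d 05` is a single `setproperty` instruction with a two-byte u30 operand rather than three separate bytes.

```python
"""Added teaching example: a minimal decoder for AVM2 method-body bytecode
that applies the verifier rule "instructions must not jump outside the
bytecode array". Not Cheat Engine code and not Adobe's verifier; the opcode
table is a small subset chosen for this example."""
from dataclasses import dataclass
from typing import Optional

# opcode -> (mnemonic, operand kind). Values are from the AVM2 instruction list;
# "u8"/"s24"/"u30" name the operand encoding. Anything else is refused, not guessed.
OPCODES = {
    0x02: ("nop", None),
    0x10: ("jump", "s24"),
    0x11: ("iftrue", "s24"),
    0x12: ("iffalse", "s24"),
    0x24: ("pushbyte", "u8"),
    0x26: ("pushtrue", None),
    0x47: ("returnvoid", None),
    0x48: ("returnvalue", None),
    0x61: ("setproperty", "u30"),
    0xA0: ("add", None),
    0xA1: ("subtract", None),
    0xA2: ("multiply", None),
    0xA3: ("divide", None),
}
BRANCH_KIND = "s24"  # in this subset every s24 operand is a branch offset


@dataclass
class Insn:
    offset: int            # position of the opcode byte in the method body
    mnemonic: str
    kind: Optional[str]
    operand: Optional[int]
    size: int              # opcode byte plus operand bytes


def _read_u30(code: bytes, pos: int):
    """Variable-length u30: 7 data bits per byte, high bit means 'more follows'."""
    value, shift = 0, 0
    for i in range(5):
        if pos + i >= len(code):
            raise ValueError(f"truncated u30 operand at offset {pos}")
        b = code[pos + i]
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos + i + 1
    raise ValueError(f"u30 operand at offset {pos} exceeds 5 bytes")


def decode(code: bytes):
    """Linear sweep over the body; refuses unknown or truncated instructions."""
    insns, pos = [], 0
    while pos < len(code):
        op = code[pos]
        if op not in OPCODES:
            raise ValueError(f"opcode 0x{op:02x} at offset {pos} is not in this demo's table")
        name, kind = OPCODES[op]
        if kind is None:
            operand, end = None, pos + 1
        elif kind == "u8":
            end = pos + 2
            operand = code[pos + 1] if end <= len(code) else None
        elif kind == "s24":
            end = pos + 4
            operand = (int.from_bytes(code[pos + 1:end], "little", signed=True)
                       if end <= len(code) else None)
        else:
            operand, end = _read_u30(code, pos + 1)
        if end > len(code):
            raise ValueError(f"{name} at offset {pos} runs past the end of the bytecode array")
        insns.append(Insn(pos, name, kind, operand, end - pos))
        pos = end
    return insns


def check_branches(code: bytes):
    """One message per branch that the array rule (plus the boundary check) rejects."""
    insns = decode(code)
    starts = {i.offset for i in insns}
    problems = []
    for i in insns:
        if i.kind != BRANCH_KIND:
            continue
        # AVM2 branch offsets are relative to the end of the branch instruction.
        target = i.offset + i.size + i.operand
        if not 0 <= target < len(code):
            problems.append(f"{i.mnemonic} at {i.offset} targets {target}, outside [0, {len(code)})")
        elif target not in starts:
            problems.append(f"{i.mnemonic} at {i.offset} targets {target}, mid-instruction")
    return problems


# Constructed sample bodies (not taken from any real SWF), except THREAD_AOB,
# which is the original byte pattern quoted in the first post of this thread.
VALID = bytes.fromhex("26 12 03 00 00 24 02 48 24 00 48")  # iffalse skips forward to offset 8
VALID_LOOP = bytes.fromhex("02 10 fb ff ff")                # jump -5 -> offset 0 (a loop, but legal)
OUT_OF_RANGE = bytes.fromhex("10 20 00 00 47")              # jump +32 -> offset 36 in a 5-byte body
MID_INSN = bytes.fromhex("10 01 00 00 24 02 47")            # jump +1 -> the operand byte of pushbyte
THREAD_AOB = bytes.fromhex("24 02 a2 61 9d 05")             # pushbyte 2; multiply; setproperty 669

if __name__ == "__main__":
    for label, body in [("VALID", VALID), ("VALID_LOOP", VALID_LOOP), ("OUT_OF_RANGE", OUT_OF_RANGE),
                        ("MID_INSN", MID_INSN), ("THREAD_AOB", THREAD_AOB)]:
        print(label, [(i.offset, i.mnemonic, i.operand) for i in decode(body)],
              check_branches(body) or "ok")
```

Running the script lists each body's instructions and the verifier findings: the two `VALID` bodies pass, the 32-byte forward jump is reported as outside the array, and the jump into the middle of `pushbyte` is reported as landing mid-instruction. The same check explains the freeze in the first post: a replacement that changes the body length shifts every later offset, so existing branches no longer point where the verifier expects.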

daspamer (Grandmaster Cheater Supreme)
Reputation: 54
Joined: 13 Sep 2011   Posts: 1588
Posted: Sat Dec 08, 2012 5:50 pm

Dark Byte wrote:
    I know, but that's not possible without first editing the swf beforehand
    https://learn.adobe.com/wiki/display/AVM2/3.1+Overview
    Quote:
        During execution, the bytecodes representing compiled code in the ABC file are run through an interpreter, thus performing computation. Verification at this stage is relative to the stream of instructions and the contents of the execution stack: instructions must not jump outside the bytecode array; instructions that require certain operand types can be applied only to operands whose known type is the correct one; the code must not use more stack and register space than it has reserved; and so on.
    Meaning that it can only jump to locations inside the same block. A code injection allocates a new block to jump to so isn't possible.
    At most a codecave is an option, but then there needs to be some memory reserved for that beforehand
Never read that file, a bit sucks that instructions must not jump outside of the bytecode array..
A codecave is an option, erm, no clue how to make it.
But "memory reserved for that", you mean you need to allocate some memory before the game loads?
(so, like, let's say you crash flash, and then open something that requires a small amount of flash memory, can you allocate with that, just to turn "on" the flash, so after that you can reserve memory for it, and then open the game and do it?)..
Like I can make a small .swf that will load 1 picture (low memory usage), host it on my website, and in the upcoming trainer tell the user to crash flashplayerplugin, then visit that page with the .swf, then press a button, and continue to the game..
Hope I got you right..

Dark Byte (Site Admin)
Reputation: 470
Joined: 09 May 2003   Posts: 25788   Location: The Netherlands
Posted: Sat Dec 08, 2012 6:10 pm

Something like that. More a hook in flash or the socket API, and adjust the size of the swf in the header and add some extra bytes.
Also, another method for code injection is to overwrite a useless function and jump there. For example, if you do godmode you might as well use the code that deals with your death for something else.

daspamer (Grandmaster Cheater Supreme)
Reputation: 54
Joined: 13 Sep 2011   Posts: 1588
Posted: Sat Dec 08, 2012 6:16 pm

I see, I'll check it out with my friend tomorrow (the second part, using death for example..).
Gonna go sleep right now (2 AM).
Thanks for the help, much appreciated!

mgr.inz.Player (I post too much)
Reputation: 222
Joined: 07 Nov 2008   Posts: 4438   Location: In the country on the Vistula. UTC+01:00
Posted: Sat Dec 08, 2012 6:44 pm

(I don't know how ActionScript 3 really works)
To be sure, you want this
Code:
bytecode X X X X X X X X X X X X X X X X
#        0 1 2 3 4 5 6 7 8 9 a b c d e f
to be this
Code:
bytecode X X X X X X Y Y Y Y Y Y Y Y Y Y X X X
#        0 1 2 3 4 5 6 7 8 9 a b c d e f 10 11 12
(X - original bytecodes, Y - altered bytecodes,
but you can alter only from 0x6 up to 0xc)
Just an idea,
Is there an "instruction pointer" or something? Something like the EIP/RIP register?
If so, we can try to freeze the "flash process" (pause/breakpoint) when the instruction pointer hits a certain value,
for example 6 (trap1)
Code:
                     [instruction pointer]
                     |
                     trap1
                     |
bytecode X X X X X X X X X X X X X X X X
#        0 1 2 3 4 5 6 7 8 9 a b c d e f
freeze flash process,
change [instruction pointer], so it points a few bytes before,
overwrite bytecodes
for example we need 3 extra bytes, ( [instruction pointer]:=3 )
So it looks like this:
Code:
               [instruction pointer]
               |
               |                   trap2
               |                   |
bytecode X X X Y Y Y Y Y Y Y Y Y Y X X X
#        0 1 2 3 4 5 6 7 8 9 a b c d e f
(Y - altered bytecodes)
resume flash process,
if it hits 0xd (trap2), freeze the game process again,
restore original bytecodes, resume process.
instead of freeze we can use an infinite loop, something similar to
process.exe+234500 - EB FE - jmp process.exe+234500
EDIT:
just send me the SWF file with AS3. And give me aobs ("target" and "replace with"). I can try something.
(no guarantee)