17th January 2006 02:28
[READ]Art of Hacking, Virus safety, Hacking tools, and more...
:: Hacking Tools for MapleStory
Used to compile the .dll of your UCE
Forces games into windowed mode
If someone has more links to hacking tools (not the hacks themselves), please post the name, use of the tool and a link to it.
If a tool or link stops working, post here or PM me, so I can remove or update it.
Thanks for the help:
Please do NOT post in this thread unless you're doing one of the things stated above.
Last edited by Diddle; 10th July 2006 at 05:05.
Your biological and technological distinctiveness will be added to our own.
Resistance is futile.
[TUTORIAL] The art of hacking
BASIC hacking guide compiled by me. Have fun reading.
@scruie if you might wanna sticky this.
The art of hacking greatly depends on the degree of knowledge you have on the game you are hacking. As Sun Tzu said “Know yourself and know your enemies and thou shalt win every battle”. If you know how the game works, it'll be a lot easier to find those addresses.
For example: unlimited attack.
We all know that after a certain number of attacks on the same spot you can’t attack anymore. So we make use of that knowledge.
• Search 0 (byte since the number of attacks won't exceed 255) when entering a new map/channel (this is to ensure that the counter is reset).
• Then attack a few times, search increased.
• Repeat until you get a single address (you can also attack, search increased, then change channel and search 0 again. Use your creativity).
• Next thing to do is to freeze it at 0 (actually anything under 100 will do; if you have noticed, it'll only freeze your attack at 100).
You may have discovered that the unlimited attack counter only starts to increment after the second consecutive hit on the same spot. This means initially it is 0, after 1 hit it's still 0, then after the second hit it becomes 1, then 2 on the third hit and so on.
Having known this, you can alternatively search for 0 when you first enter the map, attack twice, search 1, then attack again, search 2. This will get you the address very fast.
What are pointers? What do they do? How do I find them?
A pointer is a method of accessing a dynamic address (see dynamic address below). Sometimes the address is created on the fly by the game and thus there is no fixed (static) address to specify. The pointer is used to take a known static address and with the help of an offset, to point to the dynamic address. The pointer is "created" by using the VALUE of the pointer aka the static address (not the address itself) plus the offset. This will give you the ADDRESS of the destination.
One way is to use Cheat Engine's pointer scanner (this might be slow so we go to the optional method). Let’s use the unlimited attack as example. When you have the address of the hack:
• Add it to the list.
• Then right click and select "see what writes\access\reads to this" and you should have a new window. Now go in game and attack a few times; the list in the window should increase. Now see the last (usually the last) address, it's something like: mov ecx, [eax+13] (example). Now what this means is to copy the value pointed to by the ADDRESS eax+13 (in hex) to the ecx register.
• So what does that tell us? The brackets around [eax+13] tell us that it takes the VALUE of the enclosed address, which means the address is actually eax+13. The ADDRESS of the value (the unlimited attack counter) is obtained by adding the value of the address pointed to by the eax register plus 13 (in hex). Thus the “13” is the offset where the “eax” is the base. If you click on that line and click on more information, you can see the "value needed to find" the address. In this case, that’ll be the eax value.
• Go back to Cheat Engine and do a hex search on the value given and you should get the pointer address, and as for the offset we've already found out, so put them to good use.
Dynamic addresses are used by programmers to specify an unknown address value, and also for those as-required addresses. These addresses are usually caused by using a “malloc” (in C programming) or any other memory allocation method other than declaring them outright. They are useful in the sense that they only consume the required memory space (for unknown-length strings), since it can be declared as a varying-length char* array, depending on the string size. It can also be used for various other purposes.
Searching for hacks using the right values:
Now we all know there’s byte, 2 bytes, 4 bytes and so on. So how do we know what type and what value to search for?
In the computer world, 32-bit is an adjective used to describe integers, memory addresses or other data units that are at most 32 bits wide, or to describe CPU architectures based on registers, address buses, or data buses of that size. The range of integer values that can be stored in 32 bits is 0 through 4294967295, or −2147483648 through 2147483647 using two's complement encoding. With this knowledge, all we need to know is the value we are searching for, take unlimited attack again for example, its max value is only 100, which falls within the “0 through 4294967295, or −2147483648 through 2147483647” part, however it’s a waste of memory to use 4 bytes to store an integer that maxes at 100.
So, we would expect the programmer to use a smaller size data structure to store it. (Note that I’m only mentioning the positive range)
• Byte : 2^8 numbers = 256 numbers or 0 – 255
• 2 Bytes: 2^16 numbers = 65536 numbers or 0 – 65535 (older games use the 65535 rule)
• 4 Bytes: 2^32 numbers = 4294967296 numbers or 0 – 4294967295
• 8 Bytes: 2^64 numbers = 18446744073709551616 numbers and so on.
• Float: it’s a decimal capable number, obtained by multiplying a mantissa by a base. It basically handles float-point numbers or what we call decimals.
• Double: A 64 bit decimal capable type, obtained by multiplying a float by an exponent. It’s basically a float as well.
• Text: well its just text, ASCII/Unicode text. It’s also known as a string or char type in programming.
• Array of bytes: This basically allows the search for a portion of the machine language code if you use it carefully; otherwise it’s just a hex search of the value you wanted. An array is a list or, perhaps more accurately, a collection of objects or data types.
So now having knowledge of the data types, the unlimited attack would conveniently fall into the Byte category, since it's dynamic, meaning it's allocated just sufficient memory, so a Byte best fits that.
Finding hacks using the memory view, aka using array of bytes. It's one of the most powerful and dependable ways if you know how to accurately use it.
As I have touched on earlier, when a program is being executed, it gets translated to machine language, some like to call it assembly language. Each of the instructions of the assembly language can be represented by a specific hex value:
Some “common” ones:
• jne = 74
• je = 75
• jz = 74
• add = 80/81
• and = 80/81
• cmp = 80/81
• sub = 80/81
• or = 80/81/83
• xor = 80/81/83
• test = 84/85
• mov = 88/89/8a/8b/8c/8e
• nop = 90
Each of these hex values represents a single instruction and some instructions can be represented by more than one hex value. So how does that help us find addresses?
Simple: take this short piece of code for example (not taken from maple):
00400059 6d - insd
0040005A 20 63 61 - and [ebx+61],ah
0040005D 6e - outsb
0040005E 6e - outsb
0040005F 6f - outsb
00400060 74 20 - je 00400082
Note that the statement je 00400082 is the one we are looking for, but we cannot just do a direct search sometimes since it consists of the address 00400082, and if that address changes, the search would fail.
So the trick here is to search for “static” instructions, those that don't involve hard-coded addresses that might change. So if we look up, we can see that all the instructions above the je 00400082 don't have anything hard coded in them and are good to be used as the search string.
What we do now is to copy down the hex codes of all those instructions, i.e. 6d 20 63 61 6e 6e 6e 6f. Now if we are to go to the memory view of Cheat Engine, we can see 2 sections, there’s the section with the instructions and the section (lower half) that shows the memory dump of the process:
• Right click on the lower half and select “search memory”
• Under type, select “[Array of ] byte”
• The range is to narrow down the search, if you know the approximate range then use it, else leave it alone.
• Under the text box you type in the array you’ve just copied “6d 20 63 61 6e 6e 6e 6f” and click “ok”
• You should see the first address of the lower half point to 00400059, which is the address of the “insd” instruction that you’ve copied. Now scroll down a bit and voila! je 00400082.
This method doesn’t directly search for the address itself; instead it searches for similar instructions around that address. This is useful if you need to find a code for another version of the game, for example, the god mode in oms you know, so you can use that to find the god mode address in jms without really knowing the “value” of the god mode (since it's most likely different, as the address pointed to by the je/jne is different).
Note: you can also use addresses after the “je” instruction, as long as it's non-dynamic. Use your creativity.
Some basic game concepts:
Most games rely on collision detection and vector based positioning to work. This means that all animated items in the game have a vector depicting its respective position on the map or the world. And usually a game event occurs when a “collision” is detected, i.e. when an object touches another. Let’s look at some basic game concepts that had been put to the advantage of hackers.
God mode: When you touch a mob what happens?
1. Calculate hit possibility (decides if the game proceeds with steps 2-5)
2. If hit then, reduce hp
4. Knock back
5. Else Miss
Melee god and full god work on point 1, flash god works on point 3, miss hack works on point 5. There are many ways to achieve invulnerability; what I’ve mentioned is a couple of them. Melee god works only for physical collision detected between the mob sprite and you. Full god mode works on point 1 in the sense that it nullifies all decisions to proceed to steps 2 - 5.
Wall Vac: As we all know, when we walk until the border of a map, we can’t walk anymore or else we’ll “fall” off. Now the graphics itself won’t know when we reach the edge, so there must be something there to tell the game that the character has reached the edge. The answer: a boundary. Yes, most games, 2d or 3d, have map boundaries to prevent the character from going out-of-bounds. Same as in maplestory, there are 4 boundaries to each map (since the map is rectangular) and these boundaries control the rules of the characters and monsters in it.
By changing the boundaries, we have changed the rules of the map itself and newly spawned monsters will adopt the “latest” rules, and thus this results in a vac-like effect when the boundaries of the walls are “compressed” to a point (think Indiana Jones when he gets trapped by compressing walls). The reason why “old” monsters didn’t move is that when they spawned (before the wall vac was used) they had already been bound to the old wall boundaries. And obviously slopes, platforms, steps, etc. have a higher priority over the boundaries, since if not, all mobs would fall right to the bottom, regardless of platforms. This explains why the monsters will get “stuck” on edges and slopes.
Other vacs: Some other vacs, like DupeVac uses another method. Instead of changing the boundaries of the walls, the vac directly changed each monster’s vector location on the map itself. This method allows the monsters to “overwrite” the rules of collision with platforms and slopes since I suppose the vectors (position of characters and monsters) are given the highest priority.
CF = Carry flag (check if there is any carry over for arithmetic operations)
PF = Parity flag (indicates if the bits of an operation are even or odd, 0 for odd, 1 for even)
AF = Adjust flag (Auxiliary Flag - Set on a carry or borrow to the value of the lower order 4 bits)
ZF = Zero flag (basically a boolean flag, determines if a conditional jump is executed)
SF = Sign flag (determines the sign, negative or positive)
TF = Trap flag (single step, for 80886 emulation. When TF is enabled, interrupts are trapped.)
IF = Interrupt enable flag (self explanatory)
DF = Direction flag (determines the direction to move through the code (specific to repeat instructions))
OF = Overflow flag (determines if an operation results in an overflow)
All the registers are actually hardware accumulators to temporarily store instructions or values for the cpu to process.
EAX (At 000) Dedicated accumulator which is used for all major calculations.
ECX (At 001) The universal loop counter which has a special interpretation for loops.
EDX (At 010) The data register, which is an extension to the accumulator, stores data relevant to the operation applied to the accumulator.
EBX (At 011) Currently used for free storage but was originally used as a pointer in 16-bit mode.
ESP (At 100) Stack pointer. Is used to hold the top address of the stack.
EBP (At 101) Base pointer. Is used to hold the address of the current stack frame. It is also sometimes used as free storage.
ESI (At 110) Source index. Commonly used for string operations. It has a one-byte opcode for loading data from memory to the accumulator.
EDI (At 111) Destination index. Commonly used for string operations. Has a one-byte STOS instruction to write data out of the accumulator.
EIP Instruction pointer. Holds the current instruction address.
“Half the fun of hacking is the actual hacking, the other half come from finding and discovering the hacks” –Lalaman2002
--Compiled by Lalaman2002
Last edited by scruie; 4th July 2006 at 20:12.
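The "base plus offset" pointer rule from the tutorial (the mov ecx,[eax+13] case), as an added example that is not part of the original post. It simulates a toy process memory in one array: a static slot holds the address of a block the game allocated dynamically, and the counter lives at that block plus 0x13. The memory base, slot address and block positions are constructed values chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy "process memory": MEM_SIZE bytes pretending to be
 * mapped at MEM_BASE, so static and dynamic addresses live in one array. */
#define MEM_BASE 0x00A00000u
#define MEM_SIZE 0x80u
static uint8_t g_mem[MEM_SIZE];

#define PTR_SLOT   (MEM_BASE + 0x10u)  /* static address whose VALUE is the base (what eax held) */
#define CTR_OFFSET 0x13u               /* the offset from mov ecx,[eax+13] */

/* Read a 32-bit little-endian value at an address inside g_mem; 0 if out of range. */
uint32_t read32(uint32_t addr) {
    if (addr < MEM_BASE || addr + 4 > MEM_BASE + MEM_SIZE) return 0;
    const uint8_t *p = g_mem + (addr - MEM_BASE);
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Write a 32-bit little-endian value; silently ignored when out of range. */
void write32(uint32_t addr, uint32_t v) {
    if (addr < MEM_BASE || addr + 4 > MEM_BASE + MEM_SIZE) return;
    uint8_t *p = g_mem + (addr - MEM_BASE);
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = v >> 24;
}

uint8_t read8(uint32_t addr) {
    if (addr < MEM_BASE || addr >= MEM_BASE + MEM_SIZE) return 0;
    return g_mem[addr - MEM_BASE];
}

/* The tutorial's rule: address of the counter = VALUE stored at the
 * static slot (the base register's content) + offset. */
uint32_t resolve(uint32_t slot, uint32_t offset) {
    return read32(slot) + offset;
}

/* Simulate the game allocating its block at `block`, storing the counter
 * there and recording the block's address in the static slot. */
void place_block(uint32_t block, uint8_t counter) {
    if (block + CTR_OFFSET >= MEM_BASE + MEM_SIZE || block < MEM_BASE) return;
    memset(g_mem, 0, sizeof g_mem);
    write32(PTR_SLOT, block);
    g_mem[(block + CTR_OFFSET) - MEM_BASE] = counter;
}

int main(void) {
    /* Two "runs": the dynamic block lands at different addresses, but the
     * same static slot + offset path reaches the counter both times. */
    place_block(MEM_BASE + 0x40u, 7);
    printf("run 1: counter at %08x = %u\n", resolve(PTR_SLOT, CTR_OFFSET), read8(resolve(PTR_SLOT, CTR_OFFSET)));
    place_block(MEM_BASE + 0x20u, 42);
    printf("run 2: counter at %08x = %u\n", resolve(PTR_SLOT, CTR_OFFSET), read8(resolve(PTR_SLOT, CTR_OFFSET)));
    return 0;
}
```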
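The array-of-bytes search from the tutorial, as an added example that is not part of the original post; it is the same masked-byte signature matching that anti-cheat and antivirus memory scanners use to recognise code regardless of where a build placed it. The sample dump is constructed from the seven bytes in the listing above (6d 20 63 61 6e 6e 6f) plus the je, with filler around them and a made-up base address; the mask/wildcard scheme and the second, "rebuilt" dump with a different jump displacement are assumptions for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample dump: the listing's bytes at 00400059 with filler on
 * both sides. Not a dump of any real program. */
#define DUMP_BASE 0x00400055u              /* constructed address of g_dump[0] */
static const uint8_t g_dump[] = {
    0x90, 0x90, 0xcc, 0xcc,                /* filler */
    0x6d,                                  /* insd (at 00400059) */
    0x20, 0x63, 0x61,                      /* and [ebx+61],ah */
    0x6e, 0x6e, 0x6f,                      /* string-output instructions */
    0x74, 0x20,                            /* je 00400082: opcode 74, rel8 20 */
    0xc3, 0x90, 0x90                       /* filler */
};
/* Same code after a hypothetical rebuild moved the jump target: only the
 * hard-coded rel8 displacement differs (0x1a instead of 0x20). */
static const uint8_t g_dump_rebuilt[] = {
    0x90, 0x90, 0xcc, 0xcc, 0x6d, 0x20, 0x63, 0x61,
    0x6e, 0x6e, 0x6f, 0x74, 0x1a, 0xc3, 0x90, 0x90
};

/* One signature byte: compare `value` where mask is 0xff; mask 0 = wildcard. */
typedef struct { uint8_t value; uint8_t mask; } sigbyte;
#define SIG_LEN 9

/* "6d 20 63 61 6e 6e 6f 74 ??": static instructions + je opcode, displacement wildcarded. */
static const sigbyte g_sig_wild[SIG_LEN] = {
    {0x6d,0xff},{0x20,0xff},{0x63,0xff},{0x61,0xff},
    {0x6e,0xff},{0x6e,0xff},{0x6f,0xff},{0x74,0xff},{0x00,0x00}
};
/* The same signature with the displacement included literally (74 20). */
static const sigbyte g_sig_literal[SIG_LEN] = {
    {0x6d,0xff},{0x20,0xff},{0x63,0xff},{0x61,0xff},
    {0x6e,0xff},{0x6e,0xff},{0x6f,0xff},{0x74,0xff},{0x20,0xff}
};

/* Index of the first match of sig in buf, or -1 if it does not occur. */
long sig_scan(const uint8_t *buf, size_t len, const sigbyte *sig, size_t siglen) {
    if (siglen == 0 || len < siglen) return -1;
    for (size_t i = 0; i + siglen <= len; i++) {
        size_t j = 0;
        while (j < siglen && (buf[i + j] & sig[j].mask) == (sig[j].value & sig[j].mask)) j++;
        if (j == siglen) return (long)i;
    }
    return -1;
}

/* Target of a short conditional jump (opcode 7x, rel8) at buf[idx]: the
 * address of the next instruction plus the sign-extended displacement. */
uint32_t jcc_rel8_target(const uint8_t *buf, size_t idx, uint32_t base) {
    int8_t rel = (int8_t)buf[idx + 1];
    return base + (uint32_t)idx + 2u + (uint32_t)(int32_t)rel;
}

int main(void) {
    long hit = sig_scan(g_dump, sizeof g_dump, g_sig_wild, SIG_LEN);
    if (hit < 0) return 1;
    size_t je = (size_t)hit + 7;           /* the 74 is the 8th signature byte */
    printf("match at %08x, je -> %08x\n", DUMP_BASE + (unsigned)hit, jcc_rel8_target(g_dump, je, DUMP_BASE));
    printf("literal signature on rebuilt code: %ld (wildcard: %ld)\n",
           sig_scan(g_dump_rebuilt, sizeof g_dump_rebuilt, g_sig_literal, SIG_LEN),
           sig_scan(g_dump_rebuilt, sizeof g_dump_rebuilt, g_sig_wild, SIG_LEN));
    return 0;
}
```

The literal signature finds the original dump but misses the rebuilt one, while the wildcarded signature finds both; that is the point of leaving hard-coded addresses out of the pattern.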
Hi, very nice tut first of all.
Now may I ask a question? (assuming the answer is yes)
I didn't understand the section explaining array of byte search.
Why exactly are we looking for this statement? Doesn't je stand for jump equal? How would a jump function help us find an address of a dynamic variable?
Originally Posted by lalaman2002
and how can it be changed? Ain't 00400082 a constant???
Another thing, would you mind explaining about memory dump?
The address 00400082 is hard coded in; that means when the game patches it'll change, and if you're going to find by that you'll not get any correct hits. This is a pattern matching process, where you match similarities in code structures around that code. It uses codes that don't change, e.g. mov eax,ecx etc. Those codes don't change and can be used to accurately locate the segment, kinda like a signature.
The memory dump is the green stuff at the lower half of the memory view window. You can even dump gamemon.des from there ^^ that's what I do.
lol it's actually npscan.des where the strings are stored ^^
Last edited by lalaman2002; 31st May 2006 at 12:03.
thanks for answering me lalaman2002 (and so quickly too).
Now I have another question: why is the last line included in the search?
If it is supposed to be changed, I mean should the array of byte we search include the last line? (je 00400082)?
Can you shed some light on the subject of memory dumping? Like why should a memory be dumped, what it's uses? What's the difference between dumped and not dumped memory?
Thanks lalaman2002 - Thread stickied
Thank the guy, learn something and try to keep spam to a minimum, that's all I ask.
Well done! You are one of those that actually read and tried to understand. Yes, it's a typo by me, sorry my bad. I've edited the post, it should be only “6d 20 63 61 6e 6e 6e 6f”.
Originally Posted by MyName15
As for memory dump, it's kinda like a snapshot of the memory at that point of time. As we have known, the strings that GG detects are loaded into memory when maple runs, so if you have traced gamemon.des, you'll discover that the strings are mostly from npscan.des, and having a dump of that memory (both gamemon.des and npscan.des) you can analyse the machine code that describes the behaviour of the gameguard, and of course get the list of strings.
ok next question, how to dump gamemon.des and npscan.des? are there progs that can show the snapshot of the memory? How and where are the strings appearing?
thanks for the reply again..
this question might be getting off the topic so you can choose whether to answer it or not...
I wrote this in a hurry... I'll check your reply later and I think I'll have more questions.
I'm sorry if these questions annoy you lalaman, if so just say and I'll obviously stop.
Try memory view, file, save memory region. That basically saves the region you specified, and if you specified the entire region it's a full dump I suppose. You can try to locate where the strings were by simply doing a text search on known detected strings (e.g. Cheat) and use the address to see if you hit the list. Analysing the entire dump will yield similar results. I'm no expert on dumping so this is all I can say about that.
lalaman, really appreciate your efforts in coming up with that tutorial. can tell you spent much time preparing that for us.
Next up, I'd like to ask you a few noob questions. When you're searching for bytes (0 bytes, 1 byte, 2 bytes, 4 bytes etc.), what exactly are you doing? And all those addresses, what are they? Thanks in advance for your patience.
I can't be bothered to read every post. So just to mention, if you haven't noted to the newbies: calls, xors, movs (sometimes) are also similar to the jump if equal you mentioned in the guide (I don't know what they are called but I know what they are lol). It would be wise for you to browse through the memory then find a bunch of hex near the end of the function you're looking in to copy down. It isn't as likely for them to change the starting commands of a function.
If you don't mind lalaman:
@alexanderegrt: If you have read the guide it already tells you why you should search those certain byte sizes rather than just some random ones... or maybe I got your question wrong?
Another thing, you could try find text strings that are nearby to the certain JE, call or w/e you are wanting, then each time there is a patch to search for that text string...
Last edited by BanoffeePie; 31st May 2006 at 17:43.
Yes, there's no need to use the addresses directly above or below the line you want. As long as you can find a reference you can use it to search.
Lalaman. I don't know whether I am supposed to ask you here or not. But can I have your msn address?
Anyways here's a comment: This is one of the tutorials that would have taught me a lot when I was back in the starting days of game hacking. (I don't call game hacking, hacking because hacking is hacking... real hacking.)
Last edited by BanoffeePie; 31st May 2006 at 18:01.
I think you are very good at com but I just don't understand the way it works.
I know that this will work but I just don't seem to get it.
When I first started to read your guide I was lost; I think I don't know how the game works.
Anyway thank you for your guide, this info would help my friend.
If you would write it in a simpler way I might get it. You don't have to.
I meant what does searching bytes mean.