Hacking flash games with CE (Updated on 12th January, 2011)


Post by STN » Wed Apr 19, 2017 12:33 am

Recreating Geri's tutorials and articles before his site got wiped out. Wealth of information in it!
-----
This is a small description on how to find values in flash games generally. It does not cover the tutorial on how to find values, only the part which is unique to flash games.

First of all, flash games are working differently from other games, so the usual pointer, code injection methods etc will not work here (or at least not as You would expect). CE is by far not the best choice to hack a flash game, that is why universal flash trainers were created. I rarely play and hack flash games, so this is not a professional tutorial, just some methods that You may try if You are stuck.

Because most users think that Flash games work like normal games, I will explain the difference in a few words. If You hack a normal game, You just start the exe file, then You do the usual hacks, and when You come back the code will remain the same. The exe file is not changing. However, if You update the game, of course the exe file will change in the new version and You will have to make another trainer based on the new codes (or use AOBscan, but that is a "special" method).

So how do flash games work? Usually You start the browser, the browser loads the flash player plugin, and the flash player plugin runs the swf file. So when You try to hack the game, You are actually hacking the browser or the flash player, which is using the swf file. Now if You try to make a trainer, You will obviously have to think about this question: will other people use exactly the same browser and flash player plugin as me, not to mention browser updates and other kinds of plugins and system components related to the browser? Well, no. Their browser will be different in at least one little thing, the codes and pointers will be different on their computers, so the idea of making a working trainer based on code injection or pointers is generally screwed. It is just as if everyone were using a special version of the game which is different from Yours. All You can do is make some pointers which will work with Your browser on Your computer, at least until You update or install something in it, or You can use AOBscan to write a script which searches for specific codes and changes them with code injection. Using code injection with flash games is much harder, so if You choose that method, You have to be really good. Now let's continue...

Important note from CE's creator (DarkByte):

If you're using firefox and want to use Cheat Engine on a browser game, then open plugin-container.exe instead of the firefox process. (That process will only exist when the game has already been started)

If You want to find a value in a flash game with CE, these are the main methods that are usually working:

1. Search for the value as a "4 byte" value. This is simple enough and it works with most of the new games which have been written in AS3.

2. Search for the value as a "Double" value. Some older flash games use double type values to store the variables.

3. Search for the value as a "4 byte" value, but multiply the value by 8 when You search for it. For example, You have 100 gold in the game, then You need to search for 800. If You have found it and You want 10000 gold, You need to change it to 80000. If You type in a value which cannot be divided by 8, most likely You will crash the game.

4. Remember there is an option in CE to search for ALL value types, so if You don't have a clue, try it out. It may be Double, 4 byte, whatever.

5. Some games are always changing the address of the values; in this case You need to find the value from one search. Most of these games multiply the value by 8, so You need to use the 3rd method, but You have only one shot at finding it before the address is moved. You also need to pause the game with CE to prevent the game from moving the address elsewhere until You find it and change it. To pause the process, click on "Advanced options" at the bottom of CE and click on the pause button. Then search for the value and if You find it, change it. If not, or You have too many results, try it again. Generally, the bigger the number that You search for, the fewer results there will be. For example, if You search for 8, You will have tons of results. If You search for 3635384, You will have far fewer, most likely only a few (or maybe only one result, which is the best).

6. Some games use encryption to protect the game from hackers. In this case, You can still search for unknown values and changed/unchanged values. Maybe You will find what You seek.

That is all I can recommend for now.

Just a small addition for users who have downloaded the new CE 6.0 already.

A custom scan type script made by Dark Byte. It multiplies the values by 8 automatically. Useful for some flash games where the values are multiplied.
You can add this script to CE 6 this way:

1. Right-click on the Value type field.
2. Choose "Define new custom type (Auto assembler)"
3. Delete everything from the window and copy-paste this script.
4. Click on OK.

Now You have a new value type in the list which is good for flash games where the value is multiplied by 8. You just type in the values as You see them in the game and it will be multiplied by CE automatically.

The script:

alloc(TypeName,256)
alloc(ByteSize,4)
alloc(ConvertRoutine,1024)
alloc(ConvertBackRoutine,1024)

TypeName:
db 'Flash *8 type',0

ByteSize:
dd 4

//The convert routine should hold a routine that converts the data to an integer (in eax)
//function declared as: stdcall int ConvertRoutine(unsigned char *input);

//Note: Keep in mind that this routine can be called by multiple threads at the same time.

ConvertRoutine:
[32-bit]
push ebp
mov ebp,esp
push ecx
mov ecx,[ebp+8]
[/32-bit]

//at this point ecx contains the address where the bytes are stored

//put the bytes into the eax register
mov eax,[ecx] //second fun fact, addressing with 32-bit registers doesn't work in 64-bit, it becomes a 64-bit automatically (most of the time)
shr eax,3 //shift right by 3 bits (divide by 8)

//and now exit the routine
[64-bit]
ret
[/64-bit]
[32-bit]
pop ecx
pop ebp
ret 4
[/32-bit]

//The convert back routine should hold a routine that converts the given integer back to a row of bytes (e.g. when the user wants to write a new value)
//function declared as: stdcall void ConvertBackRoutine(int i, unsigned char *output);
ConvertBackRoutine:
[32-bit]
push ebp
mov ebp,esp
push edx //save the registers
push ecx
mov edx,[ebp+0c]
mov ecx,[ebp+08]
[/32-bit]

//at this point edx contains the address to write the value to
//and ecx contains the value

//ok, saving the original bits is currently not in, but when it is uncomment the commented lines
push eax
//push edx


//mov edx,[edx] //edx now contains the original value
//and edx,7 //only save the first 3 bits

mov eax,ecx //eax gets the user input value
shl eax,3 //shift left by 3 bits (multiply by 8)
//or eax,edx //add the bits of the original value

//pop edx
mov [edx],eax //write the new value into the old value
pop eax

[64-bit]
//everything is back to what it was, so exit
ret
[/64-bit]

[32-bit]
//cleanup first
pop ecx
pop edx
pop ebp
ret 8
[/32-bit]
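To show what methods 1 to 3 above and Dark Byte's custom type actually do to memory, here is an added Python example (not part of Geri's post or of Cheat Engine) that scans a constructed 128-byte buffer for the value 100 in the three encodings, then does the shift-by-3 compare of ConvertRoutine and the low-bit-preserving write that ConvertBackRoutine leaves commented out. The tag value 6 in the low three bits of the "*8" word is an assumption made for the sample.

```python
import struct

# Constructed 128-byte "process memory" sample (not a real dump):
# a plain 4-byte 100 at offset 16, a double 100.0 at offset 40 and a
# "*8" word at offset 64 whose low three bits carry a tag (6 assumed here).
MEM = bytearray(128)
MEM[16:20] = struct.pack("<i", 100)
MEM[40:48] = struct.pack("<d", 100.0)
MEM[64:68] = struct.pack("<I", (100 << 3) | 6)

def find_all(memory, pattern):
    """Every byte offset where `pattern` occurs (an exact-value scan)."""
    hits, start = [], 0
    while (i := memory.find(pattern, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits

def scan_plain(memory, value):
    """Methods 1-3: exact search for a 4-byte int, a double, and value*8."""
    return {
        "4byte": find_all(memory, struct.pack("<i", value)),
        "double": find_all(memory, struct.pack("<d", float(value))),
        "4byte*8": find_all(memory, struct.pack("<I", (value << 3) & 0xFFFFFFFF)),
    }

def scan_flash8(memory, value):
    """Custom-type scan: like ConvertRoutine, shift every aligned dword right
    by 3 and compare, so a word whose low bits are not zero still matches."""
    return [off for off in range(0, len(memory) - 3, 4)
            if struct.unpack_from("<I", memory, off)[0] >> 3 == value]

def write_flash8(memory, off, new_value):
    """ConvertBackRoutine with its commented-out part enabled: shift the new
    value left by 3 and keep the original low three bits. Returns the raw word."""
    old = struct.unpack_from("<I", memory, off)[0]
    raw = ((new_value << 3) | (old & 7)) & 0xFFFFFFFF
    memory[off:off + 4] = struct.pack("<I", raw)
    return raw

if __name__ == "__main__":
    print(scan_plain(MEM, 100))    # the *8 word is missed: its low bits are not 0
    print(scan_flash8(MEM, 100))   # [64]
    write_flash8(MEM, 64, 10000)   # "change it to 10000" without touching the tag
    print(scan_flash8(MEM, 10000)) # [64]
```

The plain search for 800 misses the tagged word, which is the case where the custom type (shift, then compare) finds what a raw "4 byte" scan cannot.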
Peace!
Geri
