IDA is an Interactive Disassembler, and in this tutorial I'm going to explain some of the program basics.
Steps:
- Collect some game info --> What could be hacked? What names could the functions have?
- Load the binary into IDA --> Check that "arm7" is checked.
- Give IDA time to load.
- After that, open a hex editor (HxD, ResourceHacker, etc.) and load the binary in it.
Keywords to search for in the function names (the main ones are listed here):
Player's life: life, health, damage, hp, live, power
- e.g. CSoldierHero::takeDamage
- e.g. CPlayer::removeHealth
- e.g. Game::UpdatePoints
- e.g. Game::AddPoints
- e.g. Game::loadScore
- e.g. CPlayer::processShooting
- e.g. CPlayer::fire
- e.g. xxx::subAmmo
If you have other things like 'speed' or 'suns' or something else, just try different options:
- level = level-up cheats
- powerups = megajump, doodlejump
- some keywords depend on the game: rpg, action, fun, ...
- kill = Splinter Cell
- Unlock is an important keyword
WHAT TO DO...?
- ADD (e.g. score): set to MOV R0,#0x48000000
- set the registers or the value after #xx very high
- SUB (e.g. ammo): change it to ADD, NOP it, or set the SUB immediate to #0
- RSB (reverse subtract, e.g. take damage): NOP it, set the registers low, or try changing it to an ADD
- LDR (e.g. score, ...): change the register to R7, or replace with MOV R0,#0x48000000
- STR (e.g. setLife): change the register to R7, or replace with MOV R0,#0x48000000
- SUBS/ADDS (same as SUB and ADD, but they also set the flags)
- ADD R3,R3,#1 --> 01 30 83 E2 (the 01 is the immediate #1, the 3 in 30 is the destination R3)
- SUB R3,R3,#1 --> 01 30 43 E2 (same layout; 43 instead of 83 makes it a SUB)
- ADD R3,R3,R1 --> 01 30 83 E0 (register form: the last byte is E0 instead of E2)
- SUB R3,R3,R1 --> 01 30 43 E0
- MOV R0,#0x48000000 = 12 03 A0 E3 --> very high value (you know the PvZ hack where the sun turns into 9999? That's a MOV R0,#0x48000000)
- MOV R0,#1 = 01 00 A0 E3 (often used for functions like isXXX or hasXXX; e.g. player::hasAllWeapons: if you use MOV R0,#1 it always returns 1, so you have all weapons)
- MOV R0,#0 = 00 00 A0 E3 (often used for isXXX and hasXXX functions; e.g. player::needFood: if you use MOV R0,#0 it always returns 0, so you do not need food)
- 2-byte (Thumb) BX LR: 7047 --> returns immediately, which effectively deletes the function
- 2-byte (Thumb) NOP: C046 --> NOP = no operation for one instruction
- 4-byte (ARM) BX LR: 1EFF2FE1 --> returns immediately, which effectively deletes the function
- 4-byte (ARM) NOP: 0000A0E1 --> NOP = no operation
Above almost all branch commands there is a CMP (compare), and the branch is taken or not depending on the result of that CMP:
- e.g. BEQ (branch if equal) with CMP R3,R2 above it
- it doesn't branch if R3 is not equal to R2
- with CMP R2,R2 followed by BEQ, it always branches
- BEQ = branch if equal (CMP R2,R2)
- BNE = branch if not equal (CMP R3,R11)
- BLT = branch if less than (CMP R2,R3)
- BGT = branch if greater than (CMP R3,R1)
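To make the byte tables and the CMP/branch relationship above concrete, here is an added example (my own code, not from the original post) that encodes the tutorial's ARM instructions into their little-endian bytes and, from the defender's side, scans a function body for the patch patterns listed (BX LR at entry, a MOV R0,#imm / BX LR stub, NOPs). The sample function bodies are constructed, not taken from any real game.

```python
import struct
# ARM data-processing opcodes (instruction bits 24:21) for the mnemonics used above
OPCODES = {"SUB": 0x2, "RSB": 0x3, "ADD": 0x4, "CMP": 0xA, "MOV": 0xD}
COND_AL = 0xE                          # condition "always"; conditional branches use other codes
BX_LR, NOP = 0xE12FFF1E, 0xE1A00000    # 1E FF 2F E1 and 00 00 A0 E1 from the table above

def encode_imm(value):
    """Split value into (rotate, imm8) with imm8 ror 2*rotate == value; None if not encodable."""
    for rot in range(16):
        imm = ((value << 2 * rot) | (value >> (32 - 2 * rot))) & 0xFFFFFFFF
        if imm < 0x100:
            return rot, imm
    return None

def dp_imm(op, rd, rn, value):
    """Little-endian bytes of e.g. ADD R3,R3,#1 (immediate form). CMP needs the S bit set."""
    enc = encode_imm(value)
    if enc is None:
        raise ValueError(f"{value:#x} is not an ARM rotated immediate")
    rot, imm = enc
    word = (COND_AL << 28) | (1 << 25) | (OPCODES[op] << 21) | ((op == "CMP") << 20)
    word |= (rn << 16) | (rd << 12) | (rot << 8) | imm
    return struct.pack("<I", word)

def dp_reg(op, rd, rn, rm):
    """Little-endian bytes of e.g. ADD R3,R3,R1 or CMP R3,R2 (register form, no shift)."""
    word = (COND_AL << 28) | (OPCODES[op] << 21) | ((op == "CMP") << 20)
    word |= (rn << 16) | (rd << 12) | rm
    return struct.pack("<I", word)

def tamper_signatures(func_bytes):
    """Report the patch patterns described above inside one function's ARM code."""
    words = [w for (w,) in struct.iter_unpack("<I", func_bytes)]
    hits = []
    if words and words[0] == BX_LR:
        hits.append((0, "function body replaced by BX LR"))
    if len(words) > 1 and words[0] & 0x0FFFF000 == 0x03A00000 and words[1] == BX_LR:
        rot, imm = (words[0] >> 8) & 0xF, words[0] & 0xFF   # MOV R0,#imm then BX LR
        value = ((imm >> 2 * rot) | (imm << (32 - 2 * rot))) & 0xFFFFFFFF
        hits.append((0, f"stubbed to return constant {value:#x}"))
    for i, w in enumerate(words):
        if w == NOP:
            hits.append((4 * i, "NOP (MOV R0,R0) in function body"))
    return hits

# Constructed samples: a "subtract one ammo" body, the same body with the SUB NOPped, and a stub
ORIGINAL = dp_reg("CMP", 0, 3, 2) + dp_imm("SUB", 3, 3, 1) + struct.pack("<I", BX_LR)
PATCHED = dp_reg("CMP", 0, 3, 2) + struct.pack("<I", NOP) + struct.pack("<I", BX_LR)
STUBBED = dp_imm("MOV", 0, 0, 0x48000000) + struct.pack("<I", BX_LR)
```

Comparing `tamper_signatures()` output between a shipped binary and a modified copy is the same check an anti-tamper routine would do over its own code sections at start-up.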
I think you don't need more, and I don't know more. ONE SENTENCE IS IMPORTANT: "try it!"
Without trying you can't succeed.
So go ahead and try!
- Learning order: plist editing - hex editing - IDA hacking
- Plist: just download some games and re-hack their plists
- Hex: download a save file, compare it and learn some hex with it
- Use the offset DB and go to the location in IDA
- Check the function and what was changed
- Download some binaries and compare them. Read tutorials.
First I learned the code of BX LR and NOP and how to use them. Then I learned SUB and ADD with Fragger and so on. After that I looked into the registers with LDR and STR. Then I learned MOV R0,#0x48000000 for a very high value, also MOV R0,#0/1. On the last day I learned RSB: how to use it and how to change it.
I just sometimes use it for checking functions and their registers (e.g. when I don't know which registers in there are low and which are high).
In Brothers in Arms: Hour of Heroes
- CSoldierHero::UnlockAllWeapons
Double-click on it.
> Make an XRef from the title of the function (highlight the function name and press X)
> Then there should be a BNE (branch if not equal); it branches if the comparison is not equal
> If you change it to a B (branch without condition), it always branches and you have your weapons unlocked.
> This means you can't change the function directly; you have to check where it is called from.
- BNE, BLT, BGT, BEQ --> B: change the last byte to EA if it is a 4-byte instruction: XX XX XX EA
- BNE, BLT, BGT, BEQ --> B: change the last byte to E0 if it is a 2-byte instruction: XX E0
If you hack ammo and you know there is a SUB Rx,Rx,#1 which subtracts your ammo, then look above it: there should be a CMP.
If there is a CMP which compares the same register that the SUB subtracts from, then you are right, and it is probably the CMP that checks whether Rx = 0.
If Rx = 0 it reloads your gun, so if you NOP (0000A0E1) the CMP it doesn't reload, because it no longer checks whether Rx equals 0.
You often find CMPs above branches. This means you have two options:
Either you change the BXX to a plain B so it branches all the time (see the branches above), or you set the CMP as needed, e.g.:
BNE (branch if not equal) branches when the comparison result is not equal
--> CMP R2,R3: if R2 and R3 have different values it branches, as they aren't equal
Credits: Me, Myself and Darkcon