Foreword: I am pleased to announce the very first article from long time viewer Omega! I’ve reviewed this article, and this is very good stuff on reverse engineering. For the WordPress audience, this does not violate the Terms of Service. This article is simply for education, and to get your feet wet with reverse engineering. The Underground Staff does not advocate hacking for malicious use. This is simply an exercise to get your mind exploring new possibilities, no more and no less. With that said, have fun! ~ Versatile
If you visit this blog there’s a good chance you once used a no-cd crack or others hacks for a program. You may have visited this blog to find tutorials on how to use and apply them. But today we’re going a step further. We will gradually explain how these hacks are actually made. This post will only be a small introduction that can be followed by anyone. Each of my posts will continue with more advanced techniques.
Reverse Engineering (RE)
The first thing you want to do is analyze your target program. You first need to know what it does and how it works internally. Once you have this knowledge you can find the weak spots and make the program do what you want. A term that’s used a lot to describe this process is Reverse (Code) Engineering. Wikepedia defines it as:
Reverse engineering (RE) is the process of discovering the technological principles of a device, object or system through analysis of its structure, function and operation. It often involves taking something (e.g. a software program) apart and analyzing its workings in detail.
Reverse Engineering is one of the most important steps when creating a hack or no-cd crack. Sometimes it is even used as a synonym for these.
Our first lesson will be simple and doesn’t require any previous RE and/or programming knowledge. We will attempt to freeze the timer of Minesweeper.
Internally a computer works only with numbers, so every single thing on your computer is represented by a number. The smallest type of number we can directly access is called a byte. It can store the numbers between (and including) -128 and 127. We can then group 2 bytes togheter and can represent every number between -32768 and 32767. With 4 bytes we get -2147483648 and 2147483647. We can continue this with 8 bytes and so on.
It is the programmer that gives meaning to these numbers. For example, we can say that numbers 0 to 25 stand for each letter in the alphabet. In a different situation we can say that 0 to 11 stands for each month in the year. We can see that the “meaning” of these numbers indeed depends on where and how they are used.
Every byte has a so called address. This address is again a number, and we use this number to access the byte. For example, we have 2 bytes and want to add them together. Say the first byte is saved at address 2345 and the second one at address 5345. We can then tell the computer to add the bytes at address 2345 and 5345 together (and optionally save this result at another address). Address are mostly written in hexadecimal notation.
For a more detailed explanation on how numbers are stored and represented on computers you can read “The Art of Assembly“.
Freezing the timer
It’s now our job to find where the number that represents the timer is saved. Once we know it’s location we can simply overwrite it with a new value and thus change the timer in Minesweeper. To find the address we will use the tool “Memory Hacking Software” (MHS).
The first thing we need to guess is how the timer is saved. Since the timer already is a number this is trivial (the number of the timer is saved directly without any conversion). We only need to determine the size of the number. Since a byte is not large enough to save the biggest possible value of the timer (999), we will guess the programmer of minesweeper used (at least) 2 bytes to save the timer.
- Start Minesweeper. Now launch MHS.
- Go to File -> Open Process, select Minesweeper and click on Open
- Then do Search -> Data-Type Search. Select Short as Data Type (Short is the same as 2 bytes) and Exact Value as evaluation type.
- Since we haven’t started the game in minesweeper yet, the timer is currently zero. In Value to Find type 0. Now click OK.
- It will say how many addresses (in the minesweeper process) had the value 0. There will probably be a lot of them! I had 1497378 results, and one of these (probably) is the timer.
Filtering the results
We know that one of these address is the timer, however there are too many results and practically this list is still useless. What we need to do is shrink the list. And this will be done by doing a “sub search” on our previous results. In this case we can start playing minesweeper so the timer will start. We now know that the timer has increased, so we will search for an “increased value” in our current result list and thus shrink the list.
- Go to Search -> Sub Search so we can further “filter” our results of the previous search. We know the timer has increased so we select Increased as Search Type.
- I got 46 results. Still too much. I again do a sub search and again search for an increased number. Now I only get 3 results! Continue this until you only have a few results left. Once you have a small list, it should be easy to spot the timer by observing the Current Value field. This will always be equal to the timer in minesweeper. In my case the timer is saved at address 0100579C (this address can be different for you).
- Double click on the address in the “Found Addresses” list. It will be added to the “main address list”. Double click on the address in the main address list. We will now lock the value of the timer to zero. We do this by checking Locked and entering an Exact Value of zero.
And there you go, you froze the timer. Because of the way minesweeper was made it will actually display a time of 1 instead of 0, but nevertheless it’s frozen.
This was small and basic introduction to hacking. You can try this method on other programs (eg. on number of bullets left, current health, high score, etc). However you will notice that it doesn’t always work. You won’t be able to easily find the address or the address could change each time you play the game. We will discuss these problems the next time and actually do some real hacking :).
See you next time,
Share this Post