Guide [IDA Tutorial]How to hack with strings

March 20, 2016

I've really been wanting to make this tutorial for a long time but have never gotten around to it. But it's 11:09 and my parents are in bed so I can make this now

I'm going to be providing the site with more things, like tutorials and templates, but not so much hacks. Hacking has gotten so dull recently it's the same thing over and over and over again and I'm done with the stress.

I will be using Blitz Brigade for this tutorial because it is a great game for beginners to start learning strings. I know this binary is not the current version, but the strings are the same and the functions look more or less the same.

Requirements:

- A good grip on arm assembly. Do NOT go into this knowing nothing and then expect me to help you.

- IDA Pro

- Blitz Brigade

- A freaking brain and an IQ of at least 50

For this tutorial, we will be hacking ammo and invisible actions.

Hidden Content

To hack with strings you have to know how to open the strings subview in IDA. Go to View -> Open Subviews -> Strings.

IDA will take a few seconds to get that loaded up, and after it loads, you'll want to sort them in alphabetical order.

Then create a quick filter so that you can search. To create a quick filter, right click and then click "quick filter". I don't think you guys need a picture for that

Now you'll search for ammo. Type "ammo" (without the quotes, always type everything without the quotes) and you should see a ton of results pop up.

Don't be scared. It's normal for that many to pop up. When you first heard strings, did you think that we actually mod the string itself? No we don't. If it was that easy, everyone would be able to hack like this. Instead, the strings in a game are either useful or useless. Useful strings point to useful functions that actually handle what the string describes. Useless strings don't relate to anything and usually point to functions that I like to call "essential NPC's". Or they will point to completely different functions than what you wanted to hack. Anyway, an NPC is a character in a video game that NEEDS to be there or else the whole game breaks. Can you see where I am going from here? If you get a string that points to an essential NPC, and you mod that NPC, the game will crash.

Let's try some of these results!

In some cases, the most useless-looking strings are the useful ones, always remember that. Try every single string because you never can truly know if it will be useful or not.

To select a string, double click on it. You will then be presented with a window that has a ton of strings listed. Thankfully for us, IDA will highlight the one that you just double clicked. After that, you want to right-click on the highlighted string and then click "jump to xref to operand". When you click that, you'll see a box with however many times the string occurs in the binary. It could be anywere from one to one thousand times the string occurs in the binary.

The first string I tried was POPOUT_AMMO. POPOUT to me could mean the ammo label popping out from the background of the game into the foreground so that you can actually see how much ammo you have once the level loads.

I right clicked and xref'ed to where the string was occuring and wow, this does not look useful at all.

These strings have no useful functions near them, and not only that, they have NO functions near them. Plus, they are all the way out in the 0xAyyyyy (y being a variable) range. If you see any string that goes to a spot in the binary that looks like this, its useless.

Let's try another string. This time we will be doing Ammopack.

Ammopack could refer to an item that you can buy that gives ammo, the amount of an item that you have that gives ammo, or just simply your ammo. Double click on the string and bring up the xref dialouge box.

Huh, looks like there are two occurences! "But wait shmoo, aren't there four? Are you blind?" Yes, you are right, there are four separate spots where it occurs. But in reality, there is only two. Why? Because, if the same string has two places where it shows up that are eight or ten bytes away from each other, you count that as one whole occurence of that particular string. As you can see in the picture above, each occurence of the string has an eight byte differences between the two.

In hex, A=10 and 2=2. What is 10-2? 8.

In the second occurence, what is 8-0? 8.

You see what I am saying.

Let's try the first occurence.

Alright, stuff we can work with! Like I said in the beginning of the tutorial, hacking with strings means that you hack the functions near the string, not the string itself. You should know by now that functions always start with sub_, but they can also rarely start with loc_.

Let's try the two that occur above the string, sub_2AB7B8. Double click on it so that IDA will bring you to it.

Oh no. This doesn't look good. This function is far too small to actually do anything useful and it has 569 xrefs. That means that the game uses sub_2AB7B8 569 times for 569 different things. Looks like an essential NPC to me. To see how many xrefs a function has, you right click the function name (it is highlighted in the picture above) and then you click "jump to xref to operand".

Let's try the function directly below it, sub_2AC254. Double click on it to bring it up. Let's check how many xrefs this function has. It has 127. That's a little high, but let's look at it some more. Oh no. This function calls strcmp two times to do something. Everytime you see a function that calls strcmp, srand, time, rand, etc, will be useless, at least in my experience. rand might be useful, but the only time it was useful for me was when I was hacking Modern Combat 3 and every useful function had it.

So that function is a no.

Go back to where the string was, and little bit below it, there is a function called sub_2ADCD0. Double click it to bring it up. Right off the bat we see that this function calls time. It's a useless function.

Finally, before calling it quits with this string, try the one a little bit below sub_2ADCD0, sub_50070.

Wow, holy crap that is an ugly function. As always, let's check the amount of xrefs before we do anything. There are 1104 xrefs to this function. This games uses this function 1104 times for 1104 different things. No way this is useful to us.

The second occurence to Ammopack has only two functions near it: sub_2BEBA4, which looks exactily like sub_50070, and sub_2C00E8, which calls two of the functions that we previously determined useless.

Ammopack is a useless string.

Go back to the strings window. Let's try ammo_server. Double click the string and xref it.

There is no way this could ever be useful. For starters, this function contains many other strings such as speed, ammo_client, cheat_type, map, etc. Then it calls not only the same function, sub_81788 over and over again, but it also branches to "that very long function in the blue text" over and over again. I call it "the very long function in the blue text" because I don't know what else to call it

ammo_server is a useless string.

Go back to the strings window. Let's try ammo_clipsize. Xref it.

I want to first make something clear before we continue. Any function that starts with sub_7 is useless. Don't even think about modding it, because the game will crash.

But look, in between all of the useless functions, there is a function called sub_3094A4. Huh, why would that be there? Let's check it out.

As always, check how many xrefs there are. Only 27! A good sign. A useful function will generally have about 3-40 xrefs. And this function also looks very distinct from all the others that we have looked at, and the functions around it look similar and they all call the same function. Size looks great too!

Guess what, this function is the ammo function, meaning that the string ammo_clipsize is a useful string! When you BX LR this function, and reload the level, you ammo will become infinite. Also, if you mod the function being called inside of it, you'll get the ultrahack.

Congradulations, you have just modded Blitz Brigade ammo without the need for watchpoints or iGameGuardian!

I'd like to point out that sometimes developers will leave messages in their games that they use to troubleshoot problems with. One example could be "CHelicopterPhysicsComponent::Update - playerId not found!!" or "GameMpManager::GetClassFromPlayerDetails player %d not found". Stuff like that. The functions that contain the strings are the ones you want to mod because that function would be printing that error message if you were a Gameloft employee making and debugging the game.

Gameloft, with the genius that it is, left a string that allows you to be invisible on multiplayer. They left in a string called "MP_ClientSendPositionsMessage: m_playerPositions memory overflow". Why they left that in is beyond me but it allows invisibility.

Xref to that string, and the function you will be in is sub_22C63C. To achieve invisible actions, you have to BX LR that function. Why? Read the string. "SendPositions". When you BX LR that function, your device won't be able to send you position to the multiplayer server that would normally allow other people to see you.

You have just gotten an invisibility hack on Blitz Brigade!

Blitz Brigade is by far the best game to practice with if you want to learn strings. No other Gameloft game is like this. If you've mastered this game, don't think that you can go hack MC5 or DH5 because while those do have strings, it's much more complex than this. This is as basic as it gets.

-----------

Hacking with strings is an incredibly efficient way to hack once you get good at it. Practice some more with Blitz Brigade, and see how many features of the 16 that I got in my hack for 2.1.0 that you can get. I got all those features with strings. Good luck! And I hope you found this helpful. Expect more tutorials.