Tutorial How to hack games using ida pro / ida pro tutorial

monkeyhunter · March 5, 2018

Ida Pro 7.0 + All Decompilers Full Leak-Pass

Download link：

Hidden Content

React or reply to this topic to see the hidden content & download link.

How to hack games using ida pro / ida pro tutorial

Here is a good tutorial for anyone who is willing to learn what the arm assembly language is and how do you understand it.
Steps of doing:

1. Check the Game --> What could be hacked? What names the functions could have?

2. Load the Binary(lib file in lib folder) in IDA -->Check if load resources is checked

3. Let the IDA time to load

4. After that open up a Hexeditor and put the Binary in it

______________________________________________

Useful searches:

(the big ones are the key words)

Player's Life: life,health,damage,hp,live,power

e.g: CSoldierHero::takeDamage
e.g: CPlayer::removeHealth

Points: points,score,mp

e.g: Game::UpdatePoints
e.g: Game::AddPoints
e.g: Game::loadScore

Ammo: ammo,shoot,shot,fire,weapon

e.g CPlayer:: ProcessShooting
e.g CPlayer::fire
e.g xxx::subAmmo

If you have other things like 'speed' or 'suns' or something just try different options

Extras:

-level -->level up cheats
-powerups -->megajump,doodlejump
-some keywords depend on the game.. rpg,action,fun,...
-kill -->splinter cell
-Unlock --> Unlock is an important keyword *

______________________________________________

WHAT TO DO...?

ADD(e.g score): set to MOV R0,#480000000*
set the registers or the value after #xx to very high

SUB(e.g ammo): change to ADD,NOP it. Or set the SUB to #0

RSB(reverse subtract --take damage): NOP it or set the registers to low or try to change to an ADD

LDR(e.g score,...): change the Register to Register 7(R7) or to an MOV R0,#480000000*

STR(e.g setLife): Change the register to R7 or MOV R0,#480000000*

SUBS/ADDS (same like SUB and ADD)

______________________________________________

CODES:

ADD R3,R3 #1 -->01 30 83 E2
SUB R3,R3 #1 --> 01 30 43 E2

ADD R1,R3,R3 --> 01 30 83 E0
SUB R1,R3,R3 --> 01 30 43 E0

MOV R0,#48000000 = 12 03 A0 E3 -->very high value (you know the PvZ Hack where the sun turns into 9999? thats a MOV R0, #48000000)

MOV R0,#1 = 01 00 A0 E3 (often used for functions like : isXXX or hasXXX (e.g: player::hasAllWeapons if you use an MOV R0,#1 it always returns the value 1 so you have all Weapons))

MOV R0,#0 = 00 00 A0 E3 (often used for isXXX and hasXXX functions(e.g: player::needFood if you use MOV R0,#0 it always returns 0 , so you do not need food))

2Byte BX LR : 7047 -->deletes a function
2Byte Nop : C046 -->NOP = No operation

4Byte BX LR : 1EFF2FE1 -->deletes a function
4Byte Nop : 0000A0E1 -->NOP = No operation

_____________________________________________________

Branches:

Above mostly all Branch commands there have to be a CMP(compare) and because of this CMP it branches

e.g: BEQ(branch if equal) above: CMP R3,R2

so it doesnt branch because R3 not equal to R2

if CMP R2,R2 and then BEQ then it branches

BEQ = Branch if equal (cmp r2,r2)
BNE = Branch if not equal (cmp r3,r11)
BLT = Branch if lower than(cmp r2,r3)
BGT = Branch if greater than(cmp r3,r1)

_______________________________________________________

ONE SENTENCE IS IMPORTANT: "try it!"

Without trying you can't succeed.

So go ahead and try!

Plist editing - Hex editing - IDA Hacking

Plist: Just download some Games and rehack plists

Hex: Download savefile and Compare and learn with it some hex.

IDA: 1. Use the Offset DB and go with IDA to the Location. Check the function and what was changed. 2. Download some Binarys and Compare them. 3. Read Tutorials

My knowledge:

BX LR - NOP - SUB - ADD - LDR - STR - MOV - RSB

Just one last Thing: GDB isnt the horror. I dont like GDB. I can't work with it.

I just sometimes use it for checking a functions and their registers(e.g when I don't know what registers are low in there and what high).

Unlock:

In Brothers in Arm: Hour of Heroes

CSoldierHero UnlockAllWeapons

Double click on it..

Make an XRef from the Ttle of the function (highlight the function and press X)

Then there should be an BNE(branch not equal) it branches if not equal

If you change it to and B(branch no conditions) it always branches and you have your weapons unlocked..

This means yo can't change the function directly.. you have to check from where it comes

BNE,BLT,BGT,BEQ --> B = Change the last byte to an EA if it is 4 Byte XX XX XX EA
BNE,BLT,BGT,BEQ --> B = Change the last byte to an E0 if it is 2 Byte XX E0

CMP

If you hack ammo and you know there is a SUB Rx, Rx #1 which sumtracts your ammo the look above there should be a CMP.
If there is a CMP which compares thesame register as the SUB subtracts then you are right and it could be the CMP that compares if Rx = 0

IF Rx = 0 it reloads your gun

so if you NOP (0100A0E1) the CMP it doesnt reload as it doesnt compare if Rx is equal 0

You often find CMPs above Branches. This means you have two options: Either you make the BXX to only aB so it branches all the time(look at branches). Or you set the CMP as neede: e.g:

BNE(BranchNotEqual) so it branches when the comparison result isnt equal --> CMP R2,R3 if R2 and R3 have different values it branches as they aren't equal.