Lesson #1 (Trial & Error)

By

Indian_Trail




Why learn how to cheat? First of all it is fun, and it leads to a lot more. If you know how to alter programs you can change them in any way you like. For example, you have just downloaded a demo version of a game and it contains a nasty nag screen. With a little reverse engineering you can disable that screen, but that is more in the cracking field. These days there are banks of cheats available on the web, but that is not real cheating: the cheats on those sites are mostly ones the programmers put in themselves. If you know how to reverse engineer you can cheat or crack a game in less time than it would take you to search the web for it.
What you will need:
  • A very good debugger like SoftICE, both the DOS version and the Win95 version. Make sure you use the 2.62 DOS version of SoftICE.
  • A basic knowledge of assembly language
Those are the only two things you'll need. I'll give you the basic knowledge of assembler in the next lesson. In this lesson we will cheat without SoftICE; the only thing we need here is a hex editor. If you have Norton Commander installed on your system you can use its editor. If you don't have a hex editor, find one quickly on the web. At the end of this file you'll find some commented URLs which you should examine. OK, got the hex editor? Ready? Let's go.

The Trial and Error method:

This method is called "trial and error" and is based on altering values within a game's files (mostly saved games). It is not very efficient and it is very time-consuming, but it is easy. You can try it on games like Warcraft, Command & Conquer, the Doom games, etc. I have chosen "Warcraft II" as the example, but you can try it on Doom or whatever you fancy.
Ok here's what we'll do.
  1. Load the game
  2. Choose Custom scenario (see note below)
  3. Choose the first custom scenario, e.g. "gold separates east from west..."
  4. Write down the amount of gold and lumber you have
  5. Save the game and exit the program
I had 2000 gold and 1500 lumber. What we'll do now is change the amount of gold. To do this we must first convert the decimal value to hexadecimal, because a hex editor displays the bytes in hex (that's why it's called a hex editor).
The hex digits are 0123456789ABCDEF. The conversion is done by repeated division by 16, keeping the remainders:
  • Divide 2000 by 16 (2000/16): you get 125 with remainder 0.
  • Divide 125 by 16: you get 7.8125, i.e. 7 with remainder 13 (0.8125*16), which is D in hex.
  • Divide 7 by 16: you get 0.4375, i.e. 0 with remainder 7 (0.4375*16).
The remainders in reverse order are the hex digits of 2000, so 2000 = 7D0. Most DOS games store such values as 16-bit integers, which are two bytes, i.e. four hex digits, so you pad with a leading zero: 2000 = 07D0.
The Intel processor stores multi-byte values with the lowest byte first (little-endian), so searching the saved game for 07 D0 finds nothing. We have to swap the two bytes to D0 07. Note that you swap whole bytes (pairs of hex digits), not single digits: 07D0 becomes D007, not 0D70. Doing this by hand is easy; a faster way is to write a little utility that does it for us. The different number systems will be explained better in the assembler lessons.

Anyway, search the saved game for D0 07 and you'll get about 15 hits. Now change the first place where D0 07 was found to FF FF (F is the largest hex digit, so FFFF is the largest 16-bit value). Overwrite the bytes in place; never insert, because the file must keep exactly the same size. Save the file, run the game, load your saved game and see if there is any change to the amount of gold. It should be 65535. The important thing is that if there was no change in the game, you have to load the saved game in the hex editor again, change the values you entered back, and try altering the next D0 07. That is why this method is called "trial and error": in this example we got lucky on the first try, but it could have been the last hit of D0 07 that was the right one. If the game refuses to load every single candidate, the save is probably checksummed, and that is a job for the debugger in the next lessons.

HEY, just 65535, is this as good as it gets?
When you searched the saved game for D0 07, did you notice the two 00 bytes immediately after it? That means the game stores gold as a four-byte value, and D0 07 00 00 is just 2000 written in four little-endian bytes. Put FF on the third byte as well (FF FF FF 00) and you'll end up with 16777215 gold, the largest value that fits in three bytes. Leave the fourth byte as 00: FF FF FF FF is 4294967295 unsigned, but a game that treats the value as signed reads it as -1. Now you could search for the lumber, which was 1500, 05DC in hex, so DC 05 in the file.
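The whole procedure above, from decimal value to patched file, as an added example in Python that is not part of the original lesson: the decimal-to-little-endian conversion, the hex editor's "find all", and one patched copy per hit, tried one at a time. The sample save is constructed here and does not follow the real Warcraft II format; the gold_in_game function is a hypothetical stand-in for "load the game and look at the gold counter".

```python
import struct

def to_le_bytes(value, width):
    """Encode an unsigned decimal value as `width` little-endian bytes.
    2000 with width 2 gives the bytes D0 07 that the lesson searches for."""
    if not 0 <= value < (1 << (8 * width)):
        raise ValueError("%d does not fit in %d bytes" % (value, width))
    return value.to_bytes(width, "little")

def find_offsets(data, pattern):
    """Every offset where `pattern` occurs in `data`, like a hex editor's 'find all'."""
    hits = []
    pos = data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits

def patch_at(data, offset, new_bytes):
    """Overwrite bytes in place. The file size must not change, so never insert."""
    if offset + len(new_bytes) > len(data):
        raise ValueError("patch would run past the end of the file")
    return data[:offset] + new_bytes + data[offset + len(new_bytes):]

def candidate_saves(data, old_value, new_value, width):
    """One patched copy per hit, each with only that single hit changed."""
    old = to_le_bytes(old_value, width)
    new = to_le_bytes(new_value, width)
    return [(off, patch_at(data, off, new)) for off in find_offsets(data, old)]

def trial_and_error(data, old_value, new_value, width, observe):
    """Try each candidate in turn. `observe(save)` stands for loading the save
    in the game and reading the resource counter. Returns (offset, patched_save)
    for the first candidate where the observed value is the one we wrote."""
    for off, patched in candidate_saves(data, old_value, new_value, width):
        if observe(patched) == new_value:
            return off, patched
    return None

# Constructed sample save (NOT the real Warcraft II format): a header, a decoy
# 16-bit field that also happens to hold 2000, then gold and lumber as 32-bit
# little-endian integers, then another decoy. D0 07 occurs three times and
# only one of them is the real gold field.
GOLD_OFFSET = 14
SAMPLE_SAVE = (
    b"WAR2SAVE"                  # offsets 0-7, constructed header
    + struct.pack("<H", 2000)    # offsets 8-9, decoy: D0 07
    + b"\x00" * 4                # offsets 10-13
    + struct.pack("<I", 2000)    # offsets 14-17, gold: D0 07 00 00
    + struct.pack("<I", 1500)    # offsets 18-21, lumber: DC 05 00 00
    + struct.pack("<H", 2000)    # offsets 22-23, decoy: D0 07
)

def gold_in_game(save):
    """Hypothetical stand-in for 'load the game and look at the gold counter':
    read the 32-bit unsigned value at the gold field of the constructed save."""
    return struct.unpack_from("<I", save, GOLD_OFFSET)[0]

def gold_if_signed(save):
    """Same field read as a signed 32-bit integer, to show what FF FF FF FF becomes."""
    return struct.unpack_from("<i", save, GOLD_OFFSET)[0]

if __name__ == "__main__":
    print("hits for D0 07 at offsets", find_offsets(SAMPLE_SAVE, to_le_bytes(2000, 2)))
    off, save = trial_and_error(SAMPLE_SAVE, 2000, 0xFFFF, 2, gold_in_game)
    print("gold field found at offset %d, gold now %d" % (off, gold_in_game(save)))
    save3 = patch_at(SAMPLE_SAVE, GOLD_OFFSET, b"\xff\xff\xff")
    print("three FF bytes:", gold_in_game(save3))
    save4 = patch_at(SAMPLE_SAVE, GOLD_OFFSET, b"\xff\xff\xff\xff")
    print("four FF bytes: unsigned", gold_in_game(save4), "signed", gold_if_signed(save4))
```

With a real save you would replace SAMPLE_SAVE by the file's bytes and gold_in_game by actually loading each candidate in the game; the point of candidate_saves is that every candidate differs from the original in exactly one hit, so a candidate that does not change the counter can simply be thrown away instead of being edited back by hand.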

The reason we chose "custom scenario" is that in Warcraft II you are given a different amount of gold and lumber for each scenario. This means that if you change the first scenario's gold amount, it will be reset when the next scenario is loaded. But don't despair: games like Doom, Descent and a lot more are not scenario based, so if you change them you'll have the cheat till the end of the game. As said before, this method is not much fun because it involves no brain activity at all. In the next lesson we will learn some basics of assembly language and some SoftICE debugging basics.


Here are some very interesting links:

Fravia page of reverse engineering
Here you find a lot of useful information about cracking and some very useful tools. Check out the +ORC lessons to get a grip on cracking.

FTP Search
Here you can search for files on FTP servers. The SoftICE for DOS version is s-ice262.zip. Find it, install it and learn how to use it.

An assembler tutorial

OK, that's it for now. The next lesson will deal with SoftICE and assembler, and a real cheat for a breakout game.

Indian_Trail
