Cheating in games. Lesson #1
by
Indian_Trail
INTRODUCTION
Why learn how to cheat? Well, first of all it is fun, and it leads to a
lot more. If you know how to alter programs you can change them in any way
you like. For example, you just downloaded a demo version of a game and it
contains a nasty nag screen. With a little reverse engineering you can
disable that screen, but that's more in the cracking field.
These days there are banks of cheats available on the Web, but that's
not real cheating. The cheats on those sitez are mostly cheat codes which
were put into the game by the programmers themselves. If you know how to
reverse engineer you can cheat or crack a game in less time than it would
take you to search the Web for it.
What you will need:
- A very good debugger like Softice, both the DOS version and the Win95
version.
- A basic knowledge of assembler language.
Those are the only two things you'll need. I'll give you the basics of
assembler in the next lesson. In this lesson we will cheat without
Softice; the only thing we need here is a hex editor. If you have Norton
Commander installed on your system you can use that editor. If you don't
have a hex editor, find one quickly on the Web. At the end of this file
you'll find some commented URLs which you should examine.
OK, got the hex editor? Ready? Let's go.
THE TRIAL AND ERROR METHOD
This method is called "trial and error" and is based on the idea of
altering values in a game's data files (mostly saved games). This way of
cheating is not very efficient and it's very time-consuming, but it's easy.
You can try this method on games like Warcraft, Command & Conquer, the Doom
games, etc. I have chosen "Warcraft II" as an example, but you can try it
with Doom or whatever you fancy.
OK, here's what we'll do:
- Load the game.
- Choose custom scenario (see note below).
- Choose the first custom scenario, e.g. "gold separates east from
west...".
- Write down the amount of gold and lumber you have.
- Save the game and exit the program.
I had 2000 gold and 1500 lumber. What we'll do now is change the
amount of gold. To do this we must first convert the decimal value to
hexadecimal, because a hex editor displays the bytes of a file in hex
(that's why it's called a hex editor). The hex digits are 0123456789ABCDEF.
The conversion is done by repeated division by 16:
- Divide 2000 by 16 (2000/16): you get 125 with remainder 0.
- Now divide 125 by 16: you get 7.8125, i.e. 7 with remainder 13
(0.8125 * 16), which is D in hex.
- Now divide 7 by 16: you get 0.4375, i.e. 0 with remainder 7 (0.4375 * 16).
- The remainders read backwards are the hex representation of 2000. This
makes 2000 dec = 7D0 hex. Most DOS games store counters like this as 16-bit
values, which means two bytes, i.e. four hex digits, so you pad with a zero
in front: 2000 dec = 07D0 hex.
Intel processors store multi-byte values "backwards" (little-endian: the
least significant byte comes first), therefore we won't find anything by
searching for 07 D0 in the saved game. We have to swap the two bytes and
search for D0 07. You just move the first two hex digits behind the last
two, pretty easy. A faster way is to write a little utility that does the
conversion and the search for us. The different number systems will be
better explained in the assembler lessons.
Anyway, make a backup copy of the saved game first, then search it for
D0 07 and you'll get about 15 hits. Now change the first place where D0 07
was found to FF FF (F is the largest hex digit, so FFFF is the largest
16-bit value). OK, save the file and run the game. Load your saved game and
see whether the amount of gold changed. It should be 65535. The important
thing is that if nothing changed in the game, you'll have to load the saved
game in the hex editor again, restore the bytes you altered and try the
next D0 07. That's why this method is called "trial and error". In this
example we got lucky on the first try, but it could just as well have been
the last hit of D0 07 that was the right one.
Hey, just 65535, is this as good as it gets? When you searched the
saved game for D0 07, did you notice that there were two bytes of 00
immediately after it? The gold is really stored as a 32-bit (four-byte)
value, and those are its upper bytes. Put FF into those two bytes as well
(FF FF FF 00) and you'll end up with 16777215 gold (FFFFFF hex) instead.
Now you could do the same for the lumber, which was 1500 = 05DC hex, so
search for DC 05.
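The "little utility" mentioned above, as an added example (this is not a tool from the original lesson or its author). It does the decimal-to-hex conversion by repeated division exactly as described, encodes the value little-endian, lists every hit in a save file, flags the hits that are followed by two 00 bytes (the sign that the value is the low half of a wider field), and patches one chosen hit while keeping a backup of the untouched save. It assumes the save stores the counter as a plain little-endian integer and that nothing else in the file (such as a checksum) has to be updated; the sample save bytes and the file name on the command line are constructed for the demonstration.

```python
"""Find and patch a resource value in a saved game (trial-and-error method).

Added example for this lesson; not a tool provided by the lesson's author.
Assumes the value is stored as a plain little-endian integer and that the
game does not checksum the save. SAMPLE_SAVE below is constructed data.
"""
import os
import sys

HEX_DIGITS = "0123456789ABCDEF"


def dec_to_hex(value: int) -> str:
    """Repeated division by 16; the remainders read backwards are the hex digits."""
    if value == 0:
        return "0"
    digits = []
    while value:
        value, rem = divmod(value, 16)
        digits.append(HEX_DIGITS[rem])
    return "".join(reversed(digits))


def encode_le(value: int, width: int) -> bytes:
    """Little-endian bytes of `value`: 2000 -> 07D0 -> b'\\xd0\\x07' for width 2."""
    if not 0 <= value < 1 << (8 * width):
        raise ValueError(f"{value} does not fit in {width} byte(s)")
    return value.to_bytes(width, "little")


def decode_le(data: bytes, offset: int, width: int) -> int:
    """Read `width` little-endian bytes at `offset` back into an integer."""
    return int.from_bytes(data[offset:offset + width], "little")


def find_hits(data: bytes, value: int, width: int = 2) -> list:
    """Every offset at which the little-endian encoding of `value` occurs."""
    needle = encode_le(value, width)
    hits, pos = [], data.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1)
    return hits


def likely_wide_hits(data: bytes, value: int) -> list:
    """16-bit hits followed by two 00 bytes: probably the low half of a 32-bit field."""
    return [h for h in find_hits(data, value, 2) if data[h + 2:h + 4] == b"\x00\x00"]


def patch(data: bytes, offset: int, new_value: int, width: int) -> bytes:
    """Copy of `data` with `width` bytes at `offset` overwritten; file length unchanged."""
    if offset + width > len(data):
        raise ValueError("patch runs past end of file")
    return data[:offset] + encode_le(new_value, width) + data[offset + width:]


def patch_nth_hit(data: bytes, value: int, n: int, new_value: int, width: int = 2) -> bytes:
    """One trial-and-error step: overwrite the n-th (0-based) hit, then load the game."""
    hits = find_hits(data, value, width)
    if n >= len(hits):
        raise IndexError(f"only {len(hits)} hit(s) for {value}")
    return patch(data, hits[n], new_value, width)


# Constructed sample save: three D0 07 hits, only one of which is the real
# 32-bit gold field (D0 07 00 00); lumber 1500 = 05DC is stored as DC 05 00 00.
SAMPLE_SAVE = (
    b"WAR2SAVE" + b"\x00" * 4
    + b"\xd0\x07\x11\x22"       # decoy: 2000 followed by non-zero bytes
    + b"\x00" * 6
    + b"\xd0\x07\x00\x00"       # gold = 2000 (32-bit, little-endian)
    + b"\xdc\x05\x00\x00"       # lumber = 1500
    + b"\xd0\x07\xff\xff"       # another decoy
    + b"\x00" * 8
)


def main(argv):
    """Usage: save_patch.py SAVEFILE OLD_VALUE HIT_INDEX NEW_VALUE [WIDTH]"""
    if len(argv) < 5:
        print(main.__doc__)
        return 1
    path, old, n, new = argv[1], int(argv[2]), int(argv[3]), int(argv[4])
    width = int(argv[5]) if len(argv) > 5 else 2
    with open(path, "rb") as f:
        data = f.read()
    if not os.path.exists(path + ".bak"):      # keep the untouched original
        with open(path + ".bak", "wb") as f:
            f.write(data)
    print("searching for", dec_to_hex(old), "stored as", encode_le(old, width).hex(" "))
    print("hits:", [hex(h) for h in find_hits(data, old, width)],
          "followed by 00 00:", [hex(h) for h in likely_wide_hits(data, old)])
    with open(path, "wb") as f:
        f.write(patch_nth_hit(data, old, n, new, width))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Running it as `python save_patch.py save1.sav 2000 0 65535` patches the first hit; if the game shows no change, restore from the `.bak` copy and rerun with hit index 1, 2, and so on. Once the right offset is known, `WIDTH` 4 with `NEW_VALUE` 16777215 writes FF FF FF 00 over the whole field in one go.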
The reason we chose "custom scenario" is that in Warcraft II you are
given a different amount of gold and lumber in each scenario. This means that
if you change the first scenario's gold amount, it will be reset when the
next scenario is loaded. But don't despair: games like Doom, Descent and a
lot more are not scenario based, so if you change them you'll keep the
cheat 'til the end of the game.
As said before, this method is not much fun because it involves hardly
any brain activity. In the next lesson we will learn some basics of
assembler language and some Softice debugging basics.
INTERESTING LINKS
Here are some very interesting links:
Fravia's Page of Reverse Engineering.
Here you'll find a lot of useful information about cracking and some very
useful tools. Check out the +ORC lessons to get a grip on cracking.
FTP search.
Here you can search for files on ftp servers. The best Softice version
for DOS is s-ice262.zip. Find it, install it and learn how to use it.
Assembler tutorial.
OK, that's all for now. The next lesson will deal with Softice and
assembler and a real cheat for a breakout game.
All opinions on my work are welcome. Please feel free to ask questions
at my e-mail
indian_trail@hotmail.com.
(10-Oct-97)