Finding offsets and manipulating

huzi89

Hey, what's up.

I've been programming for a fair few years, I mean - about 11 years. I've started working with the X360.dll, provided by DJ SkunkieButt; I followed a tutorial on here (7s), on how to mod a Dead Rising 2 game save to alter your level.

My question is, how do people find out the offsets to use with Package IO? I've looked in the hex editor, and seen the different offsets, but do you use the first X amount of letters/numbers or the last? How do you know what offset does what?

It's all very confusing, but Horizon are out there, demolishing games (congratulations by the way!), knowing every offset, and how to manipulate them to anything and everything.

I am pretty sure this may be a newbie question, but we've all got to start somewhere, right?

Thanks in advance

~huzi
 
GoldBl4d3

GoldBl4d3

VIP
VIP
Retired
Programmer Mythical Veteran Legendary Veteran
Messages
3,789
Reaction score
1,446
First, you start by learning the general header of the file. Find the research on CON files and save files. Then, what I like to do is find a default number in the game, like starting ammo. I find it in the hex values and try to edit it. Typically when dealing with those kinds of numbers, you look for an int32.

But yea, then you just learn better techniques like that.
 
amd42

amd42

Getting There
Messages
826
Reaction score
595
It's hard to explain. Really. The most important thing that I can tell you though is to practice. Try to figure out file formats used by simpler programs and then work your way up from there. Also, make sure you're competent with techniques commonly used by programmers (different data types, structures, arrays of offsets, bitfields, linked lists, binary trees, etc.) so that you can think like them and recognize values more easily.

As far as actually finding values, here are some of my tips:
  1. It's important to have a basic understanding of how the target program's processor works and what its endianness is. The Xenon processor, for example, is 64-bit and stores values in big-endian order. This means that the bytes in multibyte values are stored from left-to-right, so if you see the bytes 12 34 56 78, then the hex number they represent actually is 0x12345678. This isn't the case with processors such as the x86 though, which is little-endian and stores bytes from right-to-left. With a little-endian processor, 12 34 56 78 represents the value 0x78563412.
  2. See if there has already been existing research done behind the format or game you're trying to reverse-engineer. Even if the format itself hasn't been documented (as was the case when I went to go figure out the Reach save format), you can also try looking for information about how the game's engine works so that you can understand why things might be stored a certain way. Google is your friend here.
  3. Hope and pray that the file isn't encrypted or hashed. If it is, try and see if any common algorithms work (MD5, SHA1, adding all of the bytes in the file, etc.), but chances are that you'll need to learn assembly language and disassemble the game. Also learn to recognize where hashes might be: if you see a string of 20 bytes that appear to be random, then you've probably found a SHA1 digest.
  4. Try to find values you can easily recognize - for example, search for your ammo count. If you can find your ammo count, then it means that the start of the weapon data shouldn't be too far from where you found the value. Also, values such as file/section sizes or file offsets are extremely important as well and should not be overlooked, because they tell you information about the file layout.
  5. If ammo isn't enough for you and you want to go find more complicated values (e.g. object positions), it can be extremely helpful to compare saves. Grab a save that has the conditions you want and then grab another save which doesn't (try to keep them as similar as possible though). Load them into your hex editor and compare them. Figure out what bytes changed and then try to speculate why they changed the way they did. It may not always be obvious, so grabbing several more saves can help as well. Once you have some ideas, grab a completely different save and see if you can replicate those conditions with only a hex editor.
  6. Look for strings. For example, if you see the word "objects" somewhere in the file, then the object table should follow it.
  7. Look for repetition. The ASCII view can be helpful for this. If you notice a repeating pattern of bytes, then you've probably found a list of structures. Try to then figure out where each structure starts and ends and how their offsets and lengths can be determined.
  8. Document your work. Open up Notepad and jot down anything you're thinking of as you look through the file. Include any offsets that you've found, what data types you think they are, and describe what you think the values mean. Don't be afraid to be wrong!
Further reading:

http://en.wikibooks....ng/File_Formats
http://upe.acm.jhu.e...se/reverse.html
http://www.iwriteiam...Ha_HTCABFF.html
http://www.linuxjour...om/article/6334
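The techniques amd42 lists (reading values in the right byte order, searching for a known number such as an ammo count, diffing two saves that differ in one condition, and checking whether a random-looking 20-byte run is really a SHA-1 of the surrounding data) are easy to turn into a small script. The block below is an added example written for this thread; it is not code from the original post, from X360.dll or from Horizon. The save layout in `build_save` is constructed and hypothetical (it is not Dead Rising 2's real format) so the whole thing runs offline; the function names `find_u32`, `diff_saves`, `describe_change` and `locate_digest` are likewise assumptions made up for the example.

```python
# Added example (not from the thread, X360.dll or Horizon): the save-diff and
# known-value searches described above, run over a constructed save file.
import hashlib
import struct
from typing import Dict, List, Tuple

# Digest sizes to test for when hunting checksums (tip 3).
DIGEST_LEN = {"sha1": 20, "md5": 16}


def build_save(level: int, ammo: int, pos: Tuple[float, float, float]) -> bytes:
    """Constructed big-endian save (Xenon-style byte order). Hypothetical layout:
       0x00 magic 'SAVE' | 0x04 u32 payload size | 0x08 SHA-1 of payload |
       0x1C payload: u32 level, u32 ammo, 3 x f32 position, 12 bytes padding."""
    payload = struct.pack(">II3f", level, ammo, *pos) + b"\x00" * 12
    header = b"SAVE" + struct.pack(">I", len(payload))
    return header + hashlib.sha1(payload).digest() + payload


def u32_at(data: bytes, off: int, big_endian: bool = True) -> int:
    """Read a 4-byte integer at `off` in the requested byte order (tip 1)."""
    return struct.unpack_from(">I" if big_endian else "<I", data, off)[0]


def find_u32(data: bytes, value: int) -> Dict[str, List[int]]:
    """Tips 1 and 4: every offset where `value` appears as a 4-byte integer, in
    both byte orders. Which list is non-empty hints at the file's endianness."""
    hits: Dict[str, List[int]] = {"big": [], "little": []}
    for order, fmt in (("big", ">I"), ("little", "<I")):
        needle = struct.pack(fmt, value)
        pos = data.find(needle)
        while pos != -1:
            hits[order].append(pos)
            pos = data.find(needle, pos + 1)
    return hits


def diff_saves(a: bytes, b: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Tip 5: compare two saves that differ in one known condition and return
    contiguous runs of changed bytes as (offset, bytes_in_a, bytes_in_b)."""
    if len(a) != len(b):
        raise ValueError("saves differ in length; line them up first")
    runs: List[Tuple[int, bytes, bytes]] = []
    start = None
    for i in range(len(a) + 1):
        changed = i < len(a) and a[i] != b[i]
        if changed and start is None:
            start = i
        elif not changed and start is not None:
            runs.append((start, a[start:i], b[start:i]))
            start = None
    return runs


def describe_change(a: bytes, b: bytes, off: int) -> Tuple[int, Tuple[int, int], Tuple[int, int]]:
    """Widen a changed byte to the 4-byte-aligned field containing it and read
    that field in both byte orders: (field_offset, (big_a, big_b), (little_a, little_b)).
    Whichever pair reads as small, plausible numbers is the likely interpretation."""
    base = off - (off % 4)
    return (
        base,
        (u32_at(a, base), u32_at(b, base)),
        (u32_at(a, base, False), u32_at(b, base, False)),
    )


def locate_digest(data: bytes) -> List[Tuple[int, str, str]]:
    """Tip 3: for every window of digest length, test whether it equals the MD5 or
    SHA-1 of the bytes after it ('after') or of everything except it ('rest').
    Brute force is fine on a small save; on a large one shortlist random-looking
    windows first instead of hashing at every offset."""
    found: List[Tuple[int, str, str]] = []
    for name, n in DIGEST_LEN.items():
        for off in range(len(data) - n + 1):
            window = data[off:off + n]
            regions = {"after": data[off + n:], "rest": data[:off] + data[off + n:]}
            for region_name, region in regions.items():
                if hashlib.new(name, region).digest() == window:
                    found.append((off, name, region_name))
    return found


if __name__ == "__main__":
    # Two constructed saves identical except for one more round of ammo.
    base = build_save(5, 30, (1.0, 2.0, -3.0))
    more_ammo = build_save(5, 31, (1.0, 2.0, -3.0))
    print("u32 value 30 found at:", find_u32(base, 30))
    for off, old, new in diff_saves(base, more_ammo):
        print(f"changed @0x{off:02x}: {old.hex()} -> {new.hex()}")
    print("field holding the ammo change:", describe_change(base, more_ammo, 35))
    print("digest candidates (offset, algorithm, hashed region):", locate_digest(base))
```

Running it shows the two things the tips warn about: the diff reports not only the single ammo byte but also a 20-byte region near the start of the file that changes every time anything in the payload changes, which is exactly the footprint of a digest over the payload, and `locate_digest` confirms it as SHA-1 over the bytes that follow it. Any edit to such a save has to be followed by recomputing that field, or the game will reject it.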