[EXAMPLE - Bloons Tower Defence 3] How to hack AS3 games.
Firstly, please get my AS3 Disassembler from here:
http://forum.arcadetrainer.com/viewt...p?f=19&p=29624
In this example, I will be going through a step by step tutorial on how to hack Bloons Tower Defence 3, an AS3 game to get lots of money.
You can also apply this technique to other games as well.
So, without further ado, let us begin!
Requirements:
AS3 Disassembler
Hex Editor (I use Hex Workshop in this example)
A copy of the SWF specifications.
SWF file of Bloons TD 3 (Please save this file to your computer)
Note: The SWF file of Bloons TD 3 that I have provided in the above link has already been decompressed. Most other games are not decompressed, and you will need a utility to decompress the SWF file.
Let's get started.
Firstly, after saving the SWF of Bloons TD 3 on your hard drive, please fire up RJTDSM.exe and browse to the swf.
Click on Process File and then Save the output to the same directory as dump.txt.
http://www.arcadetrainer.com/rjt/Ima...Tut/rjtdsm.png
Since the starting money for bloonstd3 is 650, let's search for it in dump.txt.
Open dump.txt in notepad or your favorite text editor.
The first line you find should be:
Code:
000041 8a 05 // int[36] = 650
This is an integer constant pool value and has an array index of 36. However what is important about this line is these four letters: 8a 05.
Take note of them, we will be needing these hex values a little later.
Also, you might notice that there is a high integer constant pool value here:
Code:
000055 ff ff ff 07 // int[43] = 16777215
Take note of the constant pool array index, which is 43. We will be needing that later :)
Continue searching for other references of 650 until you find something like this:
Code:
...
491 findproperty SELL_RATE
494 pushdouble 0.8
496 initproperty SELL_RATE
499 findproperty STARTING_MONEY
502 pushshort 650
505 initproperty STARTING_MONEY
508 findproperty MAX_LIVES_EASY
511 pushbyte 100
513 initproperty MAX_LIVES_EASY
516 findproperty MAX_LIVES_MEDIUM
518 pushbyte 75
520 initproperty MAX_LIVES_MEDIUM
522 findproperty MAX_LIVES_HARD
525 pushbyte 50
...
Aha! In that statement the game sets the starting money to a value of 650! We want to change that to a high number, but how?
Notice 'pushshort' in front of 650? This is called an instruction and its corresponding op code is hex 25.
http://www.arcadetrainer.com/rjt/Ima.../pushshort.png
Now, fire up Hex Workshop and open up bloonstowerdefence3.swf.
http://www.arcadetrainer.com/rjt/Ima...exworkshop.png
Press CTRL + F and set the search type to 'Hex Value'. Search for '258a05'. Explanation coming later.
http://www.arcadetrainer.com/rjt/Ima.../hexvalues.png
So why 25 8a 05?
Remember ?
Since the opcode for pushshort is 25, we have hex 25.
Since 650 translates to 8a 05 as a variable length encoded hex value, as you saw earlier in the constant pool:
Code:
000041 8a 05 // int[36] = 650
we have 25 8a 05.
You should end up with one result.
http://www.arcadetrainer.com/rjt/Ima...ut/hexfind.png
Now that you have gotten the location of the instruction, we have to change it to something higher. Remember this constant pool value?
Code:
000055 ff ff ff 07 // int[43] = 16777215
Open up Windows' built-in Calculator. Change the calculation mode to scientific and enter 43 in the calculator, then click on the Hex radio button.
http://www.arcadetrainer.com/rjt/Ima...ckTut/calc.png
The hex representation of 43 is 2B.
Since we want to make the starting value a very large number, let's reference it to the constant pool value we found earlier.
The instruction to do this would be pushint, with a hex opcode of 2D.
http://www.arcadetrainer.com/rjt/Ima...ut/pushint.png
Position your mouse cursor in front of 25 of 25 8a 05 and click.
Enter these values:
2D 2B 02
http://www.arcadetrainer.com/rjt/Ima.../hexchange.png
2D 2B 02 means:
pushint *array index 43* *nop*
pushint allows us to select an index value from the constant pool, and array index 43 refers to 16777215 (large number).
The reason nop is there (opcode 02) is because we have to fill up the empty space.
http://www.arcadetrainer.com/rjt/Ima...ackTut/nop.png
The original value, 25 8a 05, takes up 3 bytes, while our new addition only takes up two bytes (2D 2B), so we fill up the three bytes with a function that does nothing, which is nop.
Save the file and optionally create a backup file to go with it, and open your newly edited bloonstowerdefence3.swf.
This should be the result:
http://www.arcadetrainer.com/rjt/Ima...Tut/result.png
Congratulations! You have hacked an AS3 game!
2 Attachment(s)
Re: [EXAMPLE - Bloons Tower Defence 3] How to hack AS3 games.
I opened the link to btd3 and my McAfee's Site Adviser told me it's bad, so I wouldn't trust it unless it's a hacked game file.
Re: [EXAMPLE - Bloons Tower Defence 3] How to hack AS3 games.
You can use your own version of btd3 you downloaded elsewhere as well, you just have to decompress the file first.
Re: [EXAMPLE - Bloons Tower Defence 3] How to hack AS3 games.
Great guide...
I hope people can follow it. This stuff is pretty advanced for the age we see here.
Re: [EXAMPLE - Bloons Tower Defence 3] How to hack AS3 games.
the sum of it should be somewhat hexeditor?
Re: [EXAMPLE - Bloons Tower Defence 3] How to hack AS3 games.
Quote:
Originally Posted by killer1478
the sum of it should be somewhat hexeditor?
Huh?
2 Attachment(s)
Re: [EXAMPLE - Bloons Tower Defence 3] How to hack AS3 games.
Quote:
Originally Posted by killer1478
the sum of it should be somewhat hexeditor?
If you mean what hex to search, then yes.
Opcode in hex + Code in hex = searchable hex.
Example of Stunt Pilot:
Code:
findproperty lives
pushbyte 5
initproperty lives
pushbyte + 5 lives = 2405
Pushbyte in hex = 24
5 lives = 05
The hack I used was:
2d13
because 2D is hex for the opcode PUSHINT. Pushint signifies an int value (4 bytes) being pushed onto a stack. 13 is hex for decimal 19.
1 array = 4 bytes
so the array I used was:
000029 ff ac e2 04 // int[19] = 9999999
Attached to this post is my hacklog for some AS3 games hacked by hex.
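The variable-length integer encoding and the byte sequences quoted in the first post and in this reply can be decoded as follows. This is an added example, not code from the thread or from the disassembler it mentions; the function names are made up for illustration, and the constant pool contents are constructed from the dump lines shown above.

```python
# Added example: decoder for the ABC variable-length integers and the
# four opcodes named in this thread (values as quoted in the posts).
OPCODES = {0x02: ("nop", None), 0x24: ("pushbyte", "s8"),
           0x25: ("pushshort", "u30"), 0x2D: ("pushint", "index")}

def encode_u30(value):
    """7 data bits per byte, low group first; bit 7 set means 'more follows'."""
    if not 0 <= value < 1 << 30:
        raise ValueError("value does not fit in 30 bits")
    out = bytearray()
    while True:
        group, value = value & 0x7F, value >> 7
        out.append(group | 0x80 if value else group)
        if not value:
            return bytes(out)

def decode_u30(data, pos=0):
    """Return (value, position after the last byte consumed)."""
    value = shift = 0
    while True:
        if pos >= len(data):
            raise ValueError("truncated integer")
        byte = data[pos]
        pos += 1
        value |= (byte & 0x7F) << shift
        if not byte & 0x80:
            return value, pos
        shift += 7
        if shift > 28:
            raise ValueError("more than 5 bytes in one integer")

def disassemble(code, int_pool):
    """Return [(offset, length, text)] for a run of the opcodes above."""
    pos, out = 0, []
    while pos < len(code):
        start = pos
        if code[pos] not in OPCODES:
            raise ValueError(f"opcode {code[pos]:#04x} not handled here")
        name, kind = OPCODES[code[pos]]
        pos += 1
        if kind == "s8":        # one signed byte follows
            if pos >= len(code):
                raise ValueError("truncated pushbyte")
            text = f"{name} {int.from_bytes(code[pos:pos + 1], 'big', signed=True)}"
            pos += 1
        elif kind == "u30":     # the value itself follows, variable length
            value, pos = decode_u30(code, pos)
            text = f"{name} {value}"
        elif kind == "index":   # an index into the integer constant pool follows
            index, pos = decode_u30(code, pos)
            text = f"{name} int[{index}] = {int_pool[index]}"
        else:
            text = name
        out.append((start, pos - start, text))
    return out
```

The length column makes the size constraint visible: `25 8a 05` is one 3-byte instruction, while `2d 2b 02` is a 2-byte instruction followed by a 1-byte nop.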
Re: [EXAMPLE - Bloons Tower Defence 3] How to hack AS3 games.
Your hacklog is very informative, I'm sure it'll help many people. :lol:
Thanks and great job! :lol:
Re: [EXAMPLE - Bloons Tower Defence 3] How to hack AS3 games.
Well, at least he got the gist of what I was saying.
It all comes down to the point of picking it up, knowing what you're doing and getting profit, or failing dramatically and giving up.
Re: [EXAMPLE - Bloons Tower Defence 3] How to hack AS3 games.
Thanks for the Karma RJT :lol:
Killer, if you still need some help you can contact me at AIM, MSN, YAHOO, or ICQ. Just look at my profile for info and add me.