[Science popularization] A little experience in making FLASH game Modifiers

In fact, this thing has been popularized more than once. This article applies to AS3 and applies to AS2 and AS2. However, to modify FLASH games, I am only a beginner method. Now I am still reading the fdb source code in flexsdk4.1. In theory, we should be able to find a better solution-directly modify the code after secondary compilation so that we can do whatever we want ~~ B. I will not talk about it in the idle time, But I will talk about it later in the "advanced" section. I will talk about it in the future. I don't want to eat it, but I am interested in it.

An old man said it well. To do this, you must first sharpen your skills! It is recommended to look down before doing this: http://www.yogda.com/Yogda.1.0.564.zip. Of course, it would be nice to go to the home page. If you have a hacker or ASV, you can do the same. But I still recommend this. You can directly modify the code ...... Cool ~~ B is quite powerful.

I. Necessary tools

1. One of the Yogda, hacker genie, and ASV6

2. WINHEX and other hexadecimal editors

Reprinted please indicate the source: http://www.cnblogs.com/zcsor

Ii. decompilation and Modification

First of all, the most practical thing is that you may not be able to play a game once, but you will be able to do it again next time. But if you have not been able to play a game for ten times, and you have quite thought about it (in your opinion ), it is necessary to modify it, but do not do bad things! Next, let's talk about the actual situation. If you know what tools are used, you will be able to do a lot with a little understanding of the syntax. You may not need to talk about it. But let's talk about it in detail.

1. Who is decompilation?

Write a few simple statements on the timeline:

Var _ w: int = 60;
Var _ h: int = 60;
Var gr: * = graphics;
Gr. clear ();
Gr. lineStyle (1, 0x999999 );
Gr. beginFill (0xFF00FF, 0.4 );
Gr. drawRect (20, 20, this. _ w, this. _ h );
Gr. endFill ();

Then export. Why the edge is not clear? change it to a black one! (Hey, don't go back and change the code. We can't get through with ourselves today !)

2. decompile yourself!

Use the decompilers you selected to open the exported SWF. The Yogda expands the tree on the left and comes here:

Public function _ fla: frame1 ();

Check the right (I just right-click the copy ):

Function 0000 *():
{
 
// Max stack: 5
// Local count: 1
// Scope depth: 10
// Max Scope depth: 11
// Exception Count: 0
// Trait Count: 0
// Code Length: 65 bytes.
 
 
0 getlocal0
1 pushscope
2 getlocal0
4 pushbyte 60
6 initproperty _ w
7 getlocal0
9 pushbyte 60
11 initproperty _ h
12 getlocal0
14 getlex graphics
16 initproperty gr
17 getlocal0
19 getproperty gr
22 callpropvoid clear, 0
23 getlocal0
25 getproperty gr
27 pushbyte 1
29 pushint 1
32 callpropvoid lineStyle, 2
33 getlocal0
35 getproperty gr
37 pushint 2
39 pushdouble 1
42 callpropvoid beginFill, 2
43 getlocal0
45 getproperty gr
47 pushbyte 20
48 dup
49 getlocal0
51 getproperty _ w
52 getlocal0
54 getproperty _ h
57 callpropvoid drawRect, 4
58 getlocal0
60 getproperty gr
63 callpropvoid endFill, 0
64 returnvoid
}

Reprinted please indicate the source: http://www.cnblogs.com/zcsor

See the lines in red. (Of course, you don't have the red lines in the editor. Check the row number. If there is no red lines, see the following.) gr. lineStyle (1, 0x999999); decompilation result, 0x99999999? Except for the byte and bool types, other types are generally replaced by indexes. You can refer to the Integers on the left, which are numbered in sequence, but the numbers do not correspond to the numbers here, and should be + 1. The comparison is as follows:

Gr. lineStyle (1, 0x999999 );

That is:

23 getlocal0
25 getproperty gr
27 pushbyte 1
29 pushint 1
32 callpropvoid lineStyle, 2

Note: The preceding number is a byte number instead of a row number.

Note:

23. Its meaning should be understood as This.

25, Gr.

27. Let's not talk about the stack. Parameter 1

29. Let's not talk about the stack. Parameter 2

32. Call

The preceding two parameters are used for subsequent calls. I understand. Therefore, we want to make it easy:

Double-click the line 29, change it to pushbyte 1, and click OK to save. Then, click "save" on the tool bar and re-run the new.swf!

 

It's easy. No, but we still have to use WINHEX, because I'm used to WINHEX and CTRL + ALT + X to find a string of iconic hexadecimal values, then edit -- change 2D 01 to 24 01 ...... Just kidding.

 

3. What should I do with online FLASH? -- Purely technical discussion

WINHEX is used because we need to find the offset between the modified position and the entire SWF file. Therefore, I personally think that, after getting familiar with it, I should take a look at it with the decompilation tool and then use WINHEX directly. The offset is clearly described above, and the selected content can be copied to the Code in N languages, but there is no VB, haha.

1. Extract SWF for decompilation: Yes, there is another headache. Many times we have used various methods and tried countless tools to find that SWF has not been downloaded to the hard disk ...... In fact, this is really a ghost, so simple things are complicated for everyone. I have done a good job in the previous article-the SWF in the cracked memory, which contains tools, note: The SWF of a Multi-label browser is generally not in the same process as your title, such as the browser name. there are n exe files, but the guy without the startup window title is exactly what we want to search.

2. After that, when we write down the location and change it to something (the good practice should be to record the original one and verify it before modification ), you can modify it. It is only in the memory this time.

Note: We recommend that you use ASV to decompile SWF with mixed effects. It provides the function of "unobfuscation" for names after obfuscation, however, you only need to turn the box into letters and numbers. To understand it, you have to do it yourself! In addition, before the Virtual Machine explains the ABC code, let's leave the reasons and methods for this change. It's very simple. Don't think it's complicated!

Reprinted please indicate the source: http://www.cnblogs.com/zcsor

========================================================== ========================================================== ========
The following tools are required:
Flexsdk4.1 (available in adobe)
Debug Flash Player or ax control (available in adobe)
XJad (search by yourself, or you have a java decompilation tool on hand)
Eclipse (not required, java editor, but can be viewed using notepad, but it still looks easier to display with highlighted syntax)
========================================================== ========================================================== ========

4. Mount the debugger to solve more problems!
Release, which can be used for use. However, you need to make some changes to your flash player or ax control: Download the corresponding debug version to adobe. In this example, run fdb.exe and enter run to wait. When you open a SWF using the Flash Player or web page of the debug version (of course, you must install the ax control of the debug version. If the installation fails, you can go to c: \ windows \ system3 \ micromedia \ Run the uninstall program -- close all pages first and see flash *. if the dll disappears, it indicates that the uninstall is successful. Otherwise, you can close the browser and try again. The corresponding prompt is displayed on the fdb interface. Of course, to use this command line tool, you need to carefully read its help file. Its breakpoint function is what we need -- and is very "considerate" -- it supports the function name as the breakpoint. Of course, if you use a non-debug SWF, you may need to perform minor operations on it! In this way, we break points in some locations, you can get anything you want-but there is still no ASM addiction after the second compilation mentioned above-it will let us enter the familiar WINDOWS runtime environment so that we can do whatever we want-such as send A message. Even further, for console applications, we can reset their input and output streams to get their output information. This content can be referred to the article of the chess Magic School, where the engine communication technology is used, or you can directly look at the source code provided by MSDN-that is very clear.

Reprinted please indicate the source: http://www.cnblogs.com/zcsor

5. Read it carefully ~ Fdb. jar source code, you can get more
It's just a suggestion. It will take a lot of time and effort-if it's just a project for you, not an integral part of your knowledge framework, it will be worth the candle if you study it. But if you want to implement a more "powerful" modifier, you may need to study and study it very often.
Reprinted please indicate the source: http://www.cnblogs.com/zcsor

 

In addition, the main reason why Yogda is used is that it can directly modify and save the file so that it can be modified after the SWF is cracked, replace it when it is not compiled by the virtual machine! You can save some code in the memory and have a relatively high grasp-especially for beginners, it can reduce many problems that cannot be modified due to carelessness.