Cheat Engine Forum Index Cheat Engine
The Official Site of Cheat Engine
 
 FAQFAQ   SearchSearch   MemberlistMemberlist   UsergroupsUsergroups   RegisterRegister 
 ProfileProfile   Log in to check your private messagesLog in to check your private messages   Log inLog in 


How do I increase the current value in SWF?

 
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking
View previous topic :: View next topic  
Author Message
AylinCE
Grandmaster Cheater Supreme
Reputation: 37

Joined: 16 Feb 2017
Posts: 1516
PostPosted: Sun Jul 14, 2019 8:33 pm    Post subject: How do I increase the current value in SWF? Reply with quote
hi ..

I am increasing a value in Flash code.
But I can't reach the max value.
Below are running codes:

Code:
24 00 74 d7 24 00 74 63 04
25 90 4e ?? 25 90 4e -- 10.000  ( The code works. )


Code:
24 00 74 d7 24 00 74 63 04
2d e1 01 ?? 2d e1 01 -- 1.000.000   ( The code works. )


Code:
24 00 74 d7 24 00 74 63 04
2d 47 ?? ?? 2d 47 --  100.000.000 ( Code not working. )


Code:
24 00 74 d7 24 00 74 63 04
2d f8 0c ?? 2d f8 0c -- 99.000.000 ( Code not working. )


SWF Code

Code:
private function onRewardEvent(param1:CFEvent) : void
      {
         var _loc6_:AbstractCFB = null;
         var _loc2_:CFReward = new CReward();
         var _loc3_:uint = 0;
         var _loc4_:uint = 0;
         var _loc5_:Vector.<AbstractCFBonus> = this.cloneBonuses();
         for each(_loc6_ in _loc5_)
         {
            _loc6_.init(param1,_loc2_);
            if(_loc6_.doesApply())
            {
               if(_loc6_.appliesToBaseScore)
               {
                  _loc3_ = _loc6_.getBasePoints(_loc3_);
               }
               else
               {
                  _loc4_ = _loc6_.getBonusPoints(_loc4_);
               }
               _loc6_.logStats();
               _loc2_.bonusesApplied.push(_loc6_);
               ServiceLocator.gameEvent.dispatch(new CFBonusEvent(_loc6_));
            }
         }
         _loc2_.rawScore = param1.score;
         _loc2_.prevMaxRawScore = param1.prevMaxScore;
         _loc2_.basePoints = _loc3_;
         _loc2_.bonusPoints = _loc4_;
         _loc2_.triggeringEvent = param1;
         _loc2_.itemStorageKey = param1.itemKey;
         this.m_eventCallback(_loc2_);
      }


0xFF push:

Code:
setlocal_2
; 24 00
pushbyte 0
; 74
convert_u
; d7
setlocal_3
; 24 00
pushbyte 0
; 74
convert_u
; 63 04
setlocal 4


I used "pushint" and pushuint,
but the result made an error in the game.
Is there an exit?
Thanks in advance for the answers.
_________________
Hi Hitler Different Trainer forms for you!
https://forum.cheatengine.org/viewtopic.php?t=619279
Enthusiastic people: Always one step ahead
Do not underestimate me Master: You were a beginner in the past
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4699
PostPosted: Sun Jul 14, 2019 10:26 pm    Post subject: This post has 1 review(s) Reply with quote
pushshort (0x25) takes a u30, a variable-length encoded integer, and pushes it on the stack.
In a u30 operand, if the most significant bit of a byte is set, the next byte is part of the value (little endian order); otherwise, the next byte is not part of the value.
Code:
25 90 4e          - pushshort 10000

90 4e             - operand
10010000 01001110 - hexadecimal -> binary
0010000 1001110   - remove most significant bits
1001110 0010000   - reverse byte order (little endian)
10011100010000    - concatenate bits
10,000            - binary -> decimal
Do this in the opposite order to convert any 30 bit unsigned integer to a u30.

pushint (0x2d) and pushuint (0x2e) also take a u30, but it's interpreted as an index into the respective constant pool.

source:
https://www.adobe.com/content/dam/acom/en/devnet/pdf/avm2overview.pdf
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
Corroder
Grandmaster Cheater Supreme
Reputation: 75

Joined: 10 Apr 2015
Posts: 1668
PostPosted: Mon Jul 15, 2019 6:33 am    Post subject: Reply with quote
Code:

Code:
24 00 74 d7 24 00 74 63 04
2d 47 ?? ?? 2d 47 --  100.000.000 ( Code not working. )   


Code:   
24 00 74 d7 24 00 74 63 04
2d f8 0c ?? 2d f8 0c -- 99.000.000 ( Code not working. )


Code:
Should be:

24 00 74 d7 24 00 74 63 04
2d 04 74 d7 2d 04 74 63 04

and

24 00 74 d7 24 00 74 63 04
2d 05 74 d7 24 05 74 63 04


In actionScript 3, rule #1.
Original code and replacer code must have the same code lenght.
If sometimes got not the same code length, then give NOP instruction = 02
_________________
Stealing Code From Stolen Code...
And Admit It.. Hmmm....Typically LOL
Back to top
View user's profile Send private message
AylinCE
Grandmaster Cheater Supreme
Reputation: 37

Joined: 16 Feb 2017
Posts: 1516
PostPosted: Mon Jul 15, 2019 8:31 am    Post subject: Reply with quote
Corroder wrote:


24 00 74 d7 24 00 74 63 04
2d 05 74 d7 24 05 74 63 04[/code]

In actionScript 3, rule #1.
Original code and replacer code must have the same code lenght.
If sometimes got not the same code length, then give NOP instruction = 02


Code:
var _loc3_:* = -1;
var _loc4_:* = -1;


Code:
setlocal_2
; 2d 05
pushint -1
; 02
nop
; d7
setlocal_3
; 2d 05


I've tried your bid before.
2d = 24 always gives the same result.

------------------------------------------------

@ParkourPenguin we have had such a conversation before.
You always prioritize education, thank you.
But I'm not a programmer, I need an example again.
What you're saying sounds complicated accounts. Sad

Code not working:

Code:
var _loc3_:* = 100000000;
var _loc4_:* = 100000000;


Code:
; 2e 05
pushuint 100000000
; 02
nop
; d7
setlocal_3
; 2e 05
pushuint 100000000
; 02
nop
; 63 04
setlocal 4


--------------------------------------
Note: With "Double" search within the game
we can change the normal value to high value.
I need to move this to a high value in SWF. Sad
_________________
Hi Hitler Different Trainer forms for you!
https://forum.cheatengine.org/viewtopic.php?t=619279
Enthusiastic people: Always one step ahead
Do not underestimate me Master: You were a beginner in the past
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4699
PostPosted: Mon Jul 15, 2019 9:34 am    Post subject: Reply with quote
Code:
; 2e 05
pushuint 100000000
Is this code you wrote? Are you sure index 5 in the uint pool contains 100000000?
What was the original code? What are you trying to change that code to?
Where are you injecting at in the decompiled code? What does the corresponding original bytecode look like around that area?
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
AylinCE
Grandmaster Cheater Supreme
Reputation: 37

Joined: 16 Feb 2017
Posts: 1516
PostPosted: Mon Jul 15, 2019 11:34 am    Post subject: Reply with quote
Code:

Code:
code
; d0
getlocal_0
; 30
pushscope
; 20
pushnull
; 80 cf 04
coerce Qname(PackageNamespace("f.managers.cf.bonuses"),"AbstractCFBonus")
; 63 06
setlocal 6
; 5d 86 04
findpropstrict Qname(PackageNamespace("f.managers.cf"),"CFReward")
; 4a 86 04 00
constructprop Qname(PackageNamespace("f.managers.cf"),"CFReward") 0
; 80 86 04
coerce Qname(PackageNamespace("f.managers.cf"),"CFReward")
; d6
setlocal_2
; 24 00
pushbyte 0
; 74
convert_u
; d7
setlocal_3
; 24 00
pushbyte 0
; 74
convert_u
; 63 04
setlocal 4
; d0
getlocal_0
; 46 c9 cd 01 00
callproperty Qname(PrivateNamespace(null,"688"),"cloneBonuses") 0
; 80 d0 04
coerce TypeName(Qname(PackageNamespace("__AS3__.vec"),"Vector")<Qname(PackageNamespace("f.managers.cf.bonuses"),"AbstractCFBonus")>)
; 63 05
setlocal 5
; 24 00
pushbyte 0
; 63 07
setlocal 7
; 62 05
getlocal 5
; 82
coerce_a
; 63 08
setlocal 8
; 10 6a 00 00
jump ofs009e
; 09
ofs0034:label
; 62 08
getlocal 8
; 62 07
getlocal 7
; 23
nextvalue
; 80 cf 04
coerce Qname(PackageNamespace("f.managers.cf.bonuses"),"AbstractCFBonus")
; 2a
dup
; 63 06
setlocal 6
; d1
getlocal_1
; d2
getlocal_2
; 4f df 10 02
callpropvoid Qname(PackageNamespace(""),"init") 2
; 62 06
getlocal 6
; 46 98 b9 01 00
callproperty Qname(PackageNamespace(""),"doesApply") 0
; 12 4d 00 00
iffalse ofs009e
; 62 06
getlocal 6
; 66 95 b9 01
getproperty Qname(PackageNamespace(""),"appliesToBaseScore")
; 12 0e 00 00
iffalse ofs0069
; 62 06
getlocal 6
; d3
getlocal_3
; 46 9c b9 01 01
callproperty Qname(PackageNamespace(""),"getBasePoints") 1
; 74
convert_u
; d7
setlocal_3
; 10 0c 00 00
jump ofs0075
; 62 06
ofs0069:getlocal 6
; 62 04
getlocal 4
; 46 9d b9 01 01
callproperty Qname(PackageNamespace(""),"getBonusPoints") 1
; 74
convert_u
; 63 04
setlocal 4
; 62 06
ofs0075:getlocal 6
; 4f a0 b9 01 00
callpropvoid Qname(PackageNamespace(""),"logStats") 0
; d2
getlocal_2
; 66 f4 b9 01
getproperty Qname(PackageNamespace(""),"bonusesApplied")
; 62 06
getlocal 6
; 4f d9 c4 02 01
callpropvoid Qname(Namespace("http://adobe.com/AS3/2006/builtin"),"push") 1
; 60 f4 10
getlex Qname(PackageNamespace("f.managers"),"ServiceLocator")
; 66 a6 ac 02
getproperty Qname(PackageNamespace(""),"gameEvent")
; 5d c2 d2 02
findpropstrict Qname(PackageNamespace("farm2.events"),"CFBonusEvent")
; 62 06
getlocal 6
; 4a c2 d2 02 01
constructprop Qname(PackageNamespace("farm2.events"),"CFBonusEvent") 1
; 4f 8d 31 01
callpropvoid Qname(PackageNamespace(""),"dispatch") 1
; 32 08 07
ofs009e:hasnext2 8 7
; 11 8f ff ff
iftrue ofs0034
; 08 08
kill 8
; 08 07
kill 7
; d2
getlocal_2
; d1
getlocal_1
; 66 ad 86 01
getproperty Qname(PackageNamespace(""),"score")
; 61 f0 b9 01
setproperty Qname(PackageNamespace(""),"rawScore")
; d2
getlocal_2
; d1
getlocal_1
; 66 ae 86 01
getproperty Qname(PackageNamespace(""),"prevMaxScore")
; 61 f1 b9 01
setproperty Qname(PackageNamespace(""),"prevMaxRawScore")
; d2
getlocal_2
; d3
getlocal_3
; 61 f2 b9 01
setproperty Qname(PackageNamespace(""),"basePoints")
; d2
getlocal_2
; 62 04
getlocal 4
; 61 f3 b9 01
setproperty Qname(PackageNamespace(""),"bonusPoints")
; d2
getlocal_2
; d1
getlocal_1
; 61 f6 b9 01
setproperty Qname(PackageNamespace(""),"triggeringEvent")
; d2
getlocal_2
; d1
getlocal_1
; 66 ab 86 01
getproperty Qname(PackageNamespace(""),"itemKey")
; 61 f5 b9 01
setproperty Qname(PackageNamespace(""),"itemStorageKey")
; d0
getlocal_0
; d2
getlocal_2
; 4f c7 cd 01 01
callpropvoid Qname(PrivateNamespace(null,"688"),"m_eventCallback") 1
; 47
returnvoid




Code:
setlocal_2
; 24 00
pushbyte 0
; 74
convert_u
; d7
setlocal_3
; 24 00
pushbyte 0
; 74
convert_u
; 63 04
setlocal 4



Original Code: 24 00 74 d7 24 00 74 63 04

Replace:

Code:
24 00 74 d7 24 00 74 63 04
25 90 4e ?? 25 90 4e -- 10.000  ( The code works. )



Code:
24 00 74 d7 24 00 74 63 04
2d e1 01 ?? 2d e1 01 -- 1.000.000   ( The code works. )



Code:
24 00 74 d7 24 00 74 63 04
2d 47 ?? ?? 2d 47 --  100.000.000 ( Code not working. )


Code:
24 00 74 d7 24 00 74 63 04
2e 05 02 ?? 2e 05 02 --  100.000.000 ( Code not working. )


Code:
24 00 74 d7 24 00 74 63 04
2e 05 ?? ?? 2e 05 --  100.000.000 ( Code not working. Game Page Error )


?

Ekran3-1.JPG
 Description:
 Filesize:  15.73 KB
 Viewed:  6453 Time(s)

Ekran3-1.JPG
Ekran3.JPG
 Description:
 Filesize:  31.98 KB
 Viewed:  6454 Time(s)

Ekran3.JPG
Ekran2.JPG
 Description:
 Filesize:  30.19 KB
 Viewed:  6455 Time(s)

Ekran2.JPG
Ekran1.JPG
 Description:
 Filesize:  15.01 KB
 Viewed:  6454 Time(s)

Ekran1.JPG

_________________
Hi Hitler Different Trainer forms for you!
https://forum.cheatengine.org/viewtopic.php?t=619279
Enthusiastic people: Always one step ahead
Do not underestimate me Master: You were a beginner in the past
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4699
PostPosted: Mon Jul 15, 2019 12:49 pm    Post subject: Reply with quote
Code:
24 00 74 d7 24 00 74 63 04
2d 47 ?? ?? 2d 47 --  100.000.000 ( Code not working. )

Are you sure index 0x47 (71) in the int constant pool contains the value 100.000.000? If you're using JPEXS, you should see the pools in the bottom left under the "constants" tab.

This different solution might work:
Code:
24 00 74 d7 24 00 74 63 04
25 80 c2 d7 2f 2a d7 63 04

; 25 80 c2 d7 2f
; pushshort 100.000.000
; 2a
; dup
; d7
; setlocal_3
; 63 04
; setlocal_4

_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
AylinCE
Grandmaster Cheater Supreme
Reputation: 37

Joined: 16 Feb 2017
Posts: 1516
PostPosted: Mon Jul 15, 2019 1:42 pm    Post subject: Reply with quote
Result:

Img: https://i.hizliresim.com/Xb4LO7.jpg




Code:
setlocal_2
; 25 80 c2 ff ff 0f
pushshort -7936
; 2a
dup
; d7
setlocal_3
; 63 04
setlocal 4


Code:
var _loc3_:* = -7936;
var _loc4_:* = _loc3_;


EDIT : Original Script ..

The 10,000 and 1,000,000 codes I mentioned in the first comment,
it works without error.
But I couldn't get it higher.
Within the game: Up to 2 billion changes are successful with "Double".
But with Script it gives error.

Ekran2.JPG
 Description:
Original Script ..
This, I realized that I show.
Sorry. Original code breakdown.
 Filesize:  85.47 KB
 Viewed:  6355 Time(s)

Ekran2.JPG

_________________
Hi Hitler Different Trainer forms for you!
https://forum.cheatengine.org/viewtopic.php?t=619279
Enthusiastic people: Always one step ahead
Do not underestimate me Master: You were a beginner in the past


Last edited by AylinCE on Mon Jul 15, 2019 2:56 pm; edited 1 time in total
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4699
PostPosted: Mon Jul 15, 2019 2:45 pm    Post subject: Reply with quote
Why did you change the operand to pushshort? That's not even a valid u30 (too many significant bits).
I don't know what you're doing, but all you have to do is change the bytecode. Scan the original AoB with cheat engine and change it before it gets compiled.
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
AylinCE
Grandmaster Cheater Supreme
Reputation: 37

Joined: 16 Feb 2017
Posts: 1516
PostPosted: Mon Jul 15, 2019 3:18 pm    Post subject: Reply with quote
ParkourPenguin wrote:
Why did you change the operand to pushshort? That's not even a valid u30 (too many significant bits).
I don't know what you're doing, but all you have to do is change the bytecode. Scan the original AoB with cheat engine and change it before it gets compiled.



After changing the code in CE,
Search: 24 00 74 d7 24 00 74 63 04
Replace: 25 80 c2 d7 2f 2a d7 63 04

I check the result of the game.
There is no error in the game, but it shows the value as negative.
I'm looking SWF to take the game again.
The following picture, you also CE-changing code,
SWF view. I'm not playing in SWF.
I just called with CE and changed the code.

The output SWF results in the code:
Video:
https://youtu.be/w59hXVabNE8

Ekran3.JPG
 Description:
All of your code appears in the Hex code.
but the result is negative.
I still haven't made any changes in SWF.
This is the SWF image of code that changes with CE.
By the way; Thank you for your patience.
 Filesize:  61.16 KB
 Viewed:  6347 Time(s)

Ekran3.JPG
Ekran1.JPG
 Description:
I didn't create this SWF change.
It's just the way your code is reflected in the SWF.
So the code you gave: It looks like this in SWF.
I think your code, "Pushshort" of pushing.
 Filesize:  41.65 KB
 Viewed:  6355 Time(s)

Ekran1.JPG

_________________
Hi Hitler Different Trainer forms for you!
https://forum.cheatengine.org/viewtopic.php?t=619279
Enthusiastic people: Always one step ahead
Do not underestimate me Master: You were a beginner in the past
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
ParkourPenguin
I post too much
Reputation: 152

Joined: 06 Jul 2014
Posts: 4699
PostPosted: Mon Jul 15, 2019 8:14 pm    Post subject: Reply with quote
That behaviour seems to contradict what little I can find in Adobe's documentation, so I don't know what's going on.

Have you looked at the constant pools?
_________________
I don't know where I'm going, but I'll figure it out when I get there.
Back to top
View user's profile Send private message
AylinCE
Grandmaster Cheater Supreme
Reputation: 37

Joined: 16 Feb 2017
Posts: 1516
PostPosted: Tue Jul 16, 2019 2:18 am    Post subject: Reply with quote
ParkourPenguin wrote:
That behaviour seems to contradict what little I can find in Adobe's documentation, so I don't know what's going on.

Have you looked at the constant pools?


I'm glad you understand that. You lifted your suspicion.
I have reached the solution with the information you provide. Thanks.

I couldn't find the net 100 million, but I found a lot of options.
"2d" agreed to push the game a lot of value. Smile

All the codes in the picture are working.

Again Thanks..

Ekran3-3-1.JPG
 Description:
All the codes in the picture are working.
 Filesize:  99.79 KB
 Viewed:  6134 Time(s)

Ekran3-3-1.JPG

_________________
Hi Hitler Different Trainer forms for you!
https://forum.cheatengine.org/viewtopic.php?t=619279
Enthusiastic people: Always one step ahead
Do not underestimate me Master: You were a beginner in the past
Back to top
View user's profile Send private message Visit poster's website MSN Messenger
Display posts from previous:   
Post new topic   Reply to topic    Cheat Engine Forum Index -> General Gamehacking All times are GMT - 6 Hours
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Powered by phpBB © 2001, 2005 phpBB Group

CE Wiki   IRC (#CEF)   Twitter
Third party websites