Save Game Hacking: By Beginners For Beginners (Written By Fable Fox)I just was reading ROMHacking by Ti Dragon, so I decided to write a hacking tutorial of my own, this one that I enjoyed doing a long, long time ago.
Why did I put 'By Beginners For Beginners' in the title? Simple, because this tutorial WILL NOT cover encrypted save games, or disassembling the .exe to know how the game works, what it does when it save the game file (like what people do to write application keygen - they have to do this to know what calculation they must do, or which JMP / JNZ that they must bypass. Oops, how did I know that ;-P). So what technique we will use? Simple, byte compare and a hex editor. One might say that these are useless nowdays, but I'll tell you the reason when we will have arrived at the right point ;-)
Oh, since we didn't do any disassembly, this tutorial will use bruteforce technique. So if you come to a situation where there's too any locations with too little data (like you need 10 flowers and only have 3, and there's 400 locations containing 0x03 in the .sav), don't bother. Play the game until you have a good search data which reveals a few locations.
If you can't do that, this is why people write tools like Game Wizard (DOS) and Game Master (Win). Find 2 and when suddenly you have 3 flowers, find 3 - you will find the location, change it, save the game. But sometimes, you still find 100 locations. This could happen (it did happen on me). Sometimes, the programmer did it for fun. They only need an array, and you use it for a few vars only. Like for example health. It contains 0 to 100. You need a byte. If you create an array, let's say, of 200, it's only 200 bytes of memory, but 200 memory locations for the mem hacker. I don't know if this is actually how it works (using array) - but poking to memory works too (hey, guess what, it's faster too!), I think. All you need is to create a 200-byte memory location. Sometimes you need to freeze everything. As in health, if the programmer compares all health and found the lowest value, they could use that as the current health variable (change array number - easy).
Now I'll tell you why I've written this tutorial. I don't have Win32 games in mind. No, not new games. And no, I don't have an old PC lying around so that I can run old games on their native format and edit the memory using GameWizard. The main reason why I've written this article / tutorial is for old game fans. Some games have no cheats, some games are too old for any site with lists cheats (or editor), since DOSBOX doen't support memory search/edit/freeze just yet - I guess we have to edit the save game for now.
Do this as a last resort, if the game has a cheat - use it. If an ASM coder has written an editor, use it. If everything else fails, then this is what the tutorial is for.
Dune 2: Cash / Spice
The main reason why I've picked Dune 2 is that the game is simple, and the savegame is simple. What we want to do is change the amount of money we have. First start the game, choose House Atredies. Your first mission is to collect 1000. Watch that your starting cash (spice actually) is 999. Save that game. It's going to be 000.sav. Create a slab. It will cost you 5. So you now have 994. Save the game in another slot. It will become 001.sav. Run a byte compare program on both _000.sav and _001.sav with 001 as new and 000 as old.
First, I want to teach you about hex. If 0-1 is binary, 0-9 is decimal, then 0-F is hex. F equals 15. Because of that, 10 hex equals 16 dec. Read a programming book if you want to know more, for this tutorial you need either a scientific calculator, or the Calc program that came with Windows. Just set it to scientific mode. You will see hex and dec radio button. Set it to dec, enter a value. Click hex and you will see in converted into hex value. Try entering 255, in will converted into FF. Do it vice versa. 5A hex will result in 90 decimal.
This is the zoomed. (Unresized, actually)
Now that you have done the byte compare, what is the value we are looking for? 999 dec = 03e7 hex, 995 dec = 03e2 hex. If you use Calc, you will get 3e7 and 3e2. Why did I add 0 in front? It always comes in pairs, in a hex editor, that is. Since this is a value that changes, try using Find from the byte compare program menu. Use E7. There's only one occurence of E7 that it finds, guess what, its new value is E2. Try using find again. There is no other. Wow! We have found the exact location the first time. I want you to note that E7 comes before 03 in the hex editor, and the location (offset) for E7 is 000186.
NOTE: In some games you might not have to do this, but in Dune 2, you can only keep money amount to silo/refinery you have. So go back to the game, build a refinery, and save it. Note the new amount of cash/spice you have now.
Open a hex editor, and load _000.sav.
Go to offset 000186 and you will see a new value. Use calc and you will see that it's your current value. In my screenshot, it's still E7 03 as I'm yet to know about that silo/refinery thing. It's been a long time. 2000 dec is 07 D0 hex. But as you remember that in a hex editor, the order is the other way around, insert DO 07 (it's the endian thing of the computer). The first at offset 000186, the next at offset 000187. Save the file. Close it. Go back to Dune 2 and load your game.
Your spice will dwindle quickly until it's the amount you can store, but don't worry, you will win the game in no time. See, save game hacking isn't that hard. But, what about adventure games? What about inventory items? Would it be harder than cash? Hmmmm.... Oh, by the way, the location for the spice is changed when you get into the third level. But by now you know how to find it. I don't know if the location is going to change for later levels, so always check the value before you change it.
NOTE: You might ask if you can do this for Dune 2000? Yes, you can. I know, I've done it ;-P In Dune 2000, the location for spice/cash is different for each of the Houses, but as far as I can remember, the location didn't change over the levels, unlike Dune 2 - which has three location depending on the level.
NOTE: If you plan to play Dune 2, my advice is don't bother attacking turrets. If you send five tanks against one turret, in the end you are going to lose them all, and the turrets get repaired just fine. In Dune 2, repairing is so fast it can outdo any damage. While a rocket launcher can do great damages, it rarely hits a small turret. So the tip is, for the stages where rocket turret isn't available, use your rocket launcher to destroy buildings behind the turret. Why? The rocket launcher can stay outside turret range but still be able to hit buildings. Since buildings are big, rocket hits them easily, and the damage is great. A group of three or four rocket launchers can destroy buildings in two shots. So if you go for silo and refineries, the enemy is going to lose a lot of money, which means, no more turret repairs. You don't have to destroy turrets to win the level. In later levels, you will find out that computer builds rocket turrets on their front, but not back. So attack from behind. This way, your rocket launchers can hit buildings but their rocket turrets (which are in front of the buildings) can't hit you back. The rule of the game is easy - if you can destroy their construction yard, refinery, and heavy vehicle factory - you're going to win. Even if this team consists of four rocket launchers and some tanks (to draw enemy fire so that rocket launcher have enough time to destroy key buildings) is a suicide attempt, in the end you're going to win.
NOTE: In later levels, combination of mobile cons vec, workshop and rocket turrets can do great wonders. You can create an invincible repair base near enemy base. Yes, turret is that dangerous.
Faery Tale Adventure (Inventory & Characteristic)
Faery Tale Adventure is a truly great game that spans 5 PCs (as in generation). I first played it on a 8 MHz PC with a CGA monitor. Later I played it on my brother's 100 MHz, VGA. Then on my own 166 MHz PC, SVGA. After that 500 MHz, at first runnable but not playable, and DOSBOX didn't support it yet until much later, and now on my 2.66 P4. The tune is great, storyline is great, the graphics - at its time - were great.
NOTE: If for fun you want to try ftc.exe (CGA) instead of fte.exe (EGA), don't just run it under DOSBOX. It will use the wrong palette. Playable, but the graphics are ugly. You must set DOSBox to CGA (either by setting it up yourself or use DFend to run FT) so that FT will run in its CGA glory!
First, you must download the game at www.the-underdogs.org. While you're at it, download the manual and walkthrough too. Especially the manual, if not you won't know how to run / play the game. Then, download DOSBox emulator.
Now play the game. Check your inventory by pressing 'I'. You only have a dirk. Save the game as A. Walk into the house on the north. Press 't' for take. Your character will find a glass vial. Go to inventory, now you will have a dirk and a glass vial. Load game A again. Go into the house. Save as A, take the vial, save as B.
NOTE: Actually, for other games you might want to prefer to look for easier data differences instead of 00/01, but for FT, this is enough. I mean, hacking Dune 2 got your feet wet enough, right ;-)
Since first you don't have a vial, then you have it - it is probably the only difference between save A and B right? Well, run it inside a byte compare program.
See, the first occurence of data changing from 00 to 01 is at offset 28. Usually in hex editor, the line is numbered 00, 10, 20 and it goes from 00 to 0F on each line. So does for 10 - 1F and 20 - 2F.
NOTE: There's an error in the screen shot. I put the old file as new and new file as old. But as long as you know which is which, you'll be fine.
So, let's change the value eh. What about 0A (10 dec).
10 glass vials! Woohoo! We're lucky! We hit the jackpot! So what will we do now? Well, since in the inventory screen it shows that you have space in both your left and right, why don't you try adding a value at an offset before and after, and see what it does. You might want to try one location at a time and write down what the offset represents.
Here's the 75% list. Find the rest yourself (shard, bone, writ). The location is in HEX.
2d to 32 is keys in the order of the inventory, starting with gold, green, blue, red, grey, white.
34 : apple, 35 : rose, 36 : gold statue,
Character statistic : aa : bravery, b0 : kindness, b2 : luck, b4 wealth, 01b4 : vitality.
I used some items and played for some time before taking this screen shot. This is what a healthy inventory looks like, especially the jade skull (all enemies on screen died instantly), keys, and apples too.
NOTE: Did you know that you can change your weapon type in Space Hulk using Game Wizard? First I just freeze a cool type of weapon - Storm something. But there is a stage where most (or a lot) of my Hulks are given hand to hand weapons like the hammer, the claw and the swords. While it is powerful - allowing that character to be used by the PC - or you sometimes - will result in a quick death. So while my character is running around with freezed gun, others will die and fail the mission. I changed all of the character weapons into that Storm thing, and won the level. The intro song is great, gameplay is good, it was fun but too hard. The point is, if you know the right location and the right value - you can do great things.
NOTE: There are rumours about Faery Tale, it's regarding the food and apple. If you buy food at a town - you're eating it there and then. There is no way you can buy a lot of food and keep it in your inventory. If you're travelling to a far location or looking for a hard to find location, this can be a great pain. I remember having an apple in the inventory the first time I played it. I can't remember was it before or after I hacked it. Some say you will find apples in your journey, but you cannot buy any apple, it's a bonus thing. Some say in the Amiga version you can buy apples, but not in the PC version. By doing this, I found out that you can have apples in your inventory. You will eat it if you're hungry. But no, other than in the king's castle area, there is no other way you can get apples in the game (beside hacking).
The famous Faery Tale's apple.
NOTE: If you died, a fairy will revive you, minus 5 luck. You will change to another brother once you run out of luck. In case you talk to a sorceress, your luck is increased. So keep talking until it reaches maximum! I found out this on my own when I played the game for the first time.
NOTE: In the crypt, you need A LOT of white (I can't remember which actually, but it's the Hemsath Tomb puzzle) keys. If you have five white keys. Unlock five doors. Exit without saving. Load back and you will have all five keys, with the door you just unlock staying unlocked. I found about it much later in life (in the 500 MHz era) by reading a walkthrough. By then, I already knew how to hack the save game. If you have 20 keys, and you need 25, you just unlocked 20 doors. If you walk out of the crypt to get more keys, all the doors you unlocked before become locked. This led to a very big problem because you have no idea how much white keys you really need. In the end, you spend a lot of time killing skeletons until you reached the maximum for white keys. Of course, this is provided you didn't know aforementioned cheat. I hacked the save game for a reason. Bad game design is one of them. This is why I rarely hack save games.
UFO Enemy Unknown: Cash & Super Soldier
There's a lot of UFO editors out there, I think. But I'll add it here because hacking it is easy. It's also a good example where game data is kept inside multiple files.
The name is unique, we can use it as a key search. Since the soldier statistics is what we can to edit, we'll look into it and jot down the data.
Now open the UFO\GAME_1\soldier.dat. This file contains your soldier statistics. Early on, you can see your soldier data. Change it to 9f (159). So no need for byte compare this time. The answer is dead on.
You might think hex = 14, dec = 20 will hold the bravery, but your in for a suprise! It is not. It seems like bravery equal (11 - value at offset 34) * 10. So right now 11 - 9 * 10 = 20. So change the value at 34 from 09 to 00 (in my example I change it to 01), so the bravery is 100. I found this by trial and error. This is because, the data has to be around in there, after the soldier name and before the next soldier name.
Save, close the hex editor and open the game and load your hacked save game.
NOTE: Now all of our soldiers are super soldiers. You can push the limit, like 150, 180 or 200. But don't go overboard like 255 because as far as I remember, if your soldier gains in any of the statistic that you have changed to 255 - it will hang. But I cannot remember. Let just say that if the graph bar look screwed, you're walking on a thin line. Don't try pushing the limit.
NOTE: The main reason why I hack UFO:EU is the 'fear factor'. Soldiers go panicky and dropping things, or shoot their own team members. Image what happens if a soldier become paniced after you primed a granade. Things can get ugly. I know the right thing to do is to sack lame soldier (low bravery) right after they're arrived. But 1: You wasted money. 2: You waste time. Time to wait for the next solder, and the training time (should you get the brave soldier in the first case, you already are able to send him/her into battle to gain statistic). If you're chicken, don't be a soldier in the first place. The second reason only happens with XCOM: Terror From The Deep. Early on in the game, ALL aliens are a sharpshooter, and all your soldier are ex Storm Trooper - if you get the joke. That is, they can't shoot the alien even if they're standing near them. The reason for this is linked to % of accuracy for alien tech and human tech, combined with the character base accuracy.
NOTE: XCOM: TFTD The other reason is if you use only one magazine - if you win the level it's considered wasted. This will result in a lot of magazines going 'missing', and magazines are hard to come by. The cheat is to unload it from your gun. This lead to another cheat, don't empty your magazine. If there is one left - unload it and replace with a new one. Again, bad game design.
If you're thinking how this tutorial has become the way it is, it'll tell you the secret. I want to finish Faery Tale for the second time. (Yes, I play it on a certain computer just for fun and to kill time, but after that I will get busy and leave it). So while hacking the game files, I planned to to write this article. I covered Dune 2 because a long, long time ago (just like now) I didn't have an Internet connection to my PC (before it was cash, now it is logistics). I would have to take a walk to the nearest cyber cafe to download an editor. At that time, I found it's easier for me to whip out my calculator and open a hex editor. While for UFO Enemy Unknown, I didn't even know what the Internet was at that time (if I recall correctly). It wasn't for the public just yet (I think) - it's either that or it was not yet widespread like it is today, there wasn't a cyber cafe where I lived. I do have PCTools. Why do I have PCTools? Well, oldskoolers would know why ;-P
BONUS: If you are really into this as a hobby, just for fun thing, you might want to know this. Did you know that if you are stuck at an 'inventory game' (like Legend of Kyrandia), you can add things to your inventory? As in Kyrandia, since the inventory worked like item, item, item, item, item. You can arrange the items as item, empty, item, empty, item, empty. Usually, empty items equaled 0x00. You can find the pattern easily. In Kyrandia, different values represent different items. Sometimes you can find items that were never used in the game (I can't remember what) so it was fun.
Last but not least, use hacking save games only to reduce the non-fun part of the game, not the gameplay all together. Like FT, I hacked it for food and for some white keys - originally. But for this tutorial I added all kinds of items. For UFO, I changed the bravery, something all soldier should have a lot of to begin with. Maybe accuracy too, I mean - they're soldiers. You train to shoot everyday, right? (Or at least a few times a week). As for XCOM:TFTD, soldiers with such accuracy shouldn't be allowed on the battlefield to begin with, so does guns with low accuracy. The reason for this is that if you can bypass everything all together, (like using a level change cheat) what the point of buying the game in the first place? You buy it to play it, not watching "YOU HAVE WON FINAL LEVEL!" without even playing the final level!
This article has quite a few screen shots. But don't worry. It's less than 150kb combined. It's a good thing articles such as this appear in HUGI, I mean, the demo scene has its roots in hacking and cracking, right ;-)
For Fallout 2, the location for a bonus point is D5C9, inside save.dat. I don't know if the location changes. I still remember changing it to F0 and cranked my outdoor to 100. The main reason was that I wanted to bypass unnecessary battles and look for all those special encounters without sacrifing the important aspect of my character. Nothing else.
Does anyone know how to hack The Dark Heart of Uukrul save game? I know DHU creates two identical save games - game.gmi and game.img (cool extension, isn't? People might thought it's an image file. Well, it is -- it's the image file for game.gmi ;-) Get the joke?) Tampering with .gmi only doesn't do anything (obviously it reads the lower value inside game.img). But by changing .img to make the value look just like .gmi, it will say the savegame has been tempered with. Obviously it has afail safe system - which I don't know what or how. (Editor: A CRC check of some kind?) You can use Game Wizard 32 for DOS with DHU. I finished the game a long time ago - without cheating. Just curious, that's all.
NOTE: If you're a game programmer and want a simple fail safe system for a savegame, you could use extra data - the accumulative of statistics. If the stat is 10/10/10, then the amount would be 30. So if someone change the value to 99/99/99 but didn't change the amount, you know it has been tempered with ;-)