Note: This page has been moved to the new UESP-Wiki. The same content, just a different presentation.
This page very likely contains outdated information (last updated in 2005).
[the Unofficial Elder Scrolls Pages, 227x71, 4.2kb] UESP Main Page
Arena
Daggerfall
Battlespire
Redguard
Morrowind

General Hacking Guide

15 February 2011

Are you wondering what exactly hacking, or hex-editting, is and how to get started? Or perhaps base-16/hexadecimal numbers have always confused you? If so you're on the right page. I frequently get questions like the previous ones and decided to create a basic page outlining what is involved in hacking a game and steps to get one started. This is lined not only at Elder Scrolls games but at games in general (and other programs). On the negative side, though, hacking can be difficult and you can easily corrupt data or crash the program if you aren't careful (or even if you are).


What is Hex-Editting/Hacking

Although a formal definition is difficult if not impossible, hacking would be defined as changing the programs code or data to make it behave in a way not normally intended. For instance, you might change your save game to give yourself an item you didn't have or change its appearance, or perhaps change the program code to give yourself twice the maximum health limit. Note that hacking can also refer to circumventing security and copy protection features in a program, which is not what this document is for.


Getting Started

You will need a few things before you start your adventure.
  1. A hex file editor.
  2. Lots of time and patience.
  3. Understanding of hexadecimal numbers.
A hex-editor can be picked up at your favorite downloads site (such as www.zdnet.com. There are lots of free and shareware utils out there, some of them good, and a few exceptional. I myself use Hex Workshop which is a great program (but not completely free). A complete tutorial of hexadecimal numbers is included below but you'll have to provide the time and patience yourself. Hacking is a complex task where one is always learning new things.


Hexadecimal Numbers

One of the first stumbling blocks for many is the hexadecimal number. This will be a complete description since I have no idea the mathematical background any of you have (yes, all those math classes were useful...:). First we look at the number system which we use everyday, the decimal, or base-10, system. Its called base-10 because there are 10 digits used: 0-9. Take a look at how a typical number is represented (the ^ represents power of here): 
   Base-10 Examples:
          12345 = 1*10000 + 2*1000 + 3*100 + 4*10 + 5*1
                = 1*10^4 + 2*10^3 + 3*10^2 + 4*10^1 + 5*10^0
(Note: Any number to the power of 0 is defined to be 1, ie: 10^0=1, 16^0=1). You might remember having to manipulate numbers like this in school (I did anyways). To bring in the base-16 system, as you might guess it uses not 10, but 16 digits. It uses the regular digits 0-9 and then includes the letters A-F as well to make 16. Base-16 numbers are usually written as 0x10 or 10H in order to identify them. So, for some examples in base-16 (feel free to whip out your calculator to check things out): 
   Base-16 Examples:
           0x9 = 9*16^0 = 9 in base-10
           0xA = A*16^0 = 10 in base-10
	   0xF = F*16^0 = 15 in base-10
          0x10 = 1*16^1 + 0*16^0 = 16 in base-10
	  0x7F = 7*16^1 + F*16^0 = 127 in base-10
	  0xFF = F*16^1 + F*16^0 = 255 in base-10
If you were counting in base-16 you would go: 1,2,3,4,5,6,7,8,9,A,B,C,D,E,F,10,11,12,13,14,15,16,17,18,19,1A,1B,1C, etc... This may seem very strange and awkward to you if this is your first time working with base-16 but with practice it eventually becomes more natural. As you may realize, just about any number will work in place of the 10 or 16. Common bases include 2 and 8 and occasionally 4, although you don't generally need to be familiar with these. Add/subtracting in hex work just as with regular numbers to some degree, just don't forget the six extra digits. 
    Adding/Subtracting in Base-16:
             0x14 + 0x54 = 0x68
             0x19 + 0x01 = 0x1A    (not 0x20!)
             0x45 - 0x23 = 0x22
             0x10 - 0x01 = 0x0F    (not 0x9!)
In order to hack successfully, you will need to be comfortable working with hex numbers and converting them back and forth to decimal numbers. Fortunately most hex-editors have a built in hex-decimal conversion available (or you can make a simple program for yourself).


Data Types

Another important aspect in hacking is understanding the basic data types and how they can be stored in a file (or memory). The basic data types are: 
	Character ... 1 byte
	Short ....... 2 Bytes (often called an Integer)
	Long ........ 4 Bytes (also called an Integer)
	Float ....... 4 Bytes or more (not usually used in most games)
	String ...... At least 1 Byte or more
In addition, the first three types can have the unsigned or signed modifier (ie: signed long or unsigned long). 
                   Signed                          Unsigned
     Character  -128 to 127                       0 to 255
     Short      -32,768 to 32,767                 0 to 65,536
     Long       -2,147,483,648 to 2,147,483,647   0 to 4,294,967,295
These days, an integer usually refers to the Long version, although in older software the integer is actually a Short (the difference between a 16 bit and 32 bit program). A typical value in game is stored as a signed Long value where possible since it can be quickly manipulated and has a large range of values. A Character value is small but it actually slower to use than an integer due to overhead from conversion instructions. To furthur complicate matters the way data is stored in a file (or memory) is backwards to the way we read a number for example: 
   Intel Byte Order
          Number = 0x1234 (Short)
                 = 34 12 when written to a file
          Number = 0x12345678 (Long)
                 = 78 56 34 12 when written to a file
This method of writing data is know as the Intel Byte Order. The reverse method is occasionally used in PC programs and is know as the Motorola Byte Order. 
   Motorola Byte Order
          Number = 0x1234 (Short)
                 = 12 34 when written to a file
          Number = 0x12345678 (Long)
                 = 12 34 56 78 when written to a file
In order to read or write a number with the Motorola Byte Order you will generally have to create custom routines to do so.


What to Hack, and Where?

Often the initial problem is that you're not sure what or where the information you want to change is. In general the easiest/safest place to work is with data, such as in a save game or game data file. Scout around the games directory structure looking for interesting files names. Fire up your hex-editor and take a look at them. Often a file will have texts in them which help describe their purpose (although its not always this easy). Remember that the program itself (ie: the EXE file) does hold a certain amount of data which is often easily modified. Also keep in mind that data is often stored in multiple locations, either by design or accidently/carelessly. In most cases the actual problem is finding where the data is stored, and not how the manipulate it.


Difference Technique for Finding Data

This technique is used for finding the location of a piece of data in a file, typically a save game. What one does is create multiple copies of the file, each with a different value for the piece of data your looking for. This limits the data to that which you can control such as hit-points, mana, etc... You then search the files for the byte position which exactly matches the data change. To help explain this lets look at an example of trying to find the health parameter in a save game. The user saves three games with different health values: 
          Save 1: Health = 100
          Save 2: Health = 89
          Save 3: Health = 76
In save game #1 he would search for all byte positions with the value of 100. Similarly he would do the same for 89 in #2 and 76 in #3. He would then look for the byte position that is common to all three cases. Those byte positions might contain the value of the players health. The user can then change those one by one to see which one (or ones) change his health in the game. This method is one of the easier methods but has a number of conditions:
  1. Basically limited to data you can control in the game.
  2. You know how the data is stored. In the above example a value of 100 health is stored in the save game exactly as 100. Not all data follows this exact convention. For instance in Daggerfall, a weight of 10 would be stored in the save game as 40.
  3. The data is stored in the same position everytime. For instance in Daggerfall the byte positions of your character often changes between saves, which makes this simple method useless. If you're smart and can determine the important starting offset of data in a file you can use that, but it complicates things.
  4. In a large file it can take a long time to find the common byte positions with a hex-editor. Writing a simple program to do the chore helps a great deal.
So, despire these rather severe conditions, this method is almost always a good place to start looking for things in a file. For instance, if you find the players health, the other attributes are probably close by. If it doesn't work it either eliminates a large part of the file or indicates that you are looking in the wrong spot. Remember that some many data files (and save games) these days are Mega-Bytes in size and generally the thing you're looking for is only a few bytes. If you can eliminate 99% of the stuff in a file you're doing well. As a general rule of thumb a minimum of 5 different file states are needed to adequately narrow down which bytes are important to you.


The Record Type Format

A common type of file type in games is the record type. The overall file is broken into seperate records, each containing. The general format is as follows: 
   Record File Type
          File Header (optional)
          Record 1
          Record 2
          etc...
          File Footer (optional)
The file header, if it exists, might contain the number of records in the file, a file identifier (usually a short string), and sometimes offsets to each of the file records (from the start of the file). Sometimes a file header does not exist and the file starts immediately with the first record. Similarily, a file footer usually isn't present but can contain extra data or padding of some sort.

The format of each record will most likely be different for each one, depending on the data the record contains. A typical format for a record may be as follows: 

   Typical Record Format
          Header
          Record Data
The record header usually contians the length of the record in bytes (sometimes not including the size of the header) and the record type (usually just a number although short strings are sometimes used). The header is typically just a few bytes in size and doesn't always exist. The record data is the important stuff and its format will depend on its type (could be anything).

Identifying that a file is a record type is difficult and takes a lot of practice and time to determine. A good starting point is to try and find some meaningful data in the file (such as monster/item/npc names). Perhaps you notice that most of the monster names lie exactly 102 bytes apart (for example). This is a good indication that the record (or sub-record) size for the monster data is around 102 bytes. Try looking in the data between the names to see if there is any record size data close to the 102 value. Once you get good at it, it is often possible to spend a few minutes hacking the start of a file to determine that it has a record format (on a good day anyways).

As a note to this topic, it is possible to find embedded record formats in a file, i.e. the record data is subdivided into additional subrecords.


Closing Notes

It should be noted that while some files can be completely hacked in a matter of hours, other file formats will remain elusive despite many hours spent by many people. In general, it is almost impossible to completely understand a data file since there will always be a few numbers which don't appear to have any purpose (and perhaps they don't).


[Print] Display this document for printing (some pages may not display properly).

If you have any problems, suggestions or comments on this page or website, please feel free to use the Contact Form to send a message to the WebMaster.
This document was last modified on: Tuesday, 15 February 2011, at 20:29:14 and has been accessed 5869 times ( /general/genhack.shtml ).

Please note that this site is Completely Unofficial and is in no way connected to Bethesda softworks or Zenimax. Bethesda Softworks, Battlespire, XnGine, Morrowind, Redguard, Daggerfall, Arena and The Elder Scrolls are trademarks of Media Technology Limited, Copyright © 1994-2001 Media Technology Limited.