Target
Our target in this lesson will be Flare 1.12.
Identify
Our goal in this lesson is to identify where a game stores its save data using two different approaches. Then, we will modify the game’s save data to add extra levels to our character.
Understand
In the previous lesson, we discussed how games must store save data on the file system so that the save data can persist between computer restarts. To access the file system, games must use OS-level API’s, such as CreateFile. By hooking these API’s, we can determine the save location of a particular game. We can hook these API’s in two ways:
- By using a profiling suite, such as Process Monitor
- By attaching a debugger to the game and setting a breakpoint on the API import
Once we have determine the location of the save file, we can then edit it.
Process Monitor
Process Monitor is a profiling tool owned by Microsoft. It can be used to monitor file system, registry, and network access from all processes on the system. The current version can be downloaded here.
After extracting the file, start Flare and begin a new game. Then, open up ProcMon.exe. You should see hundreds of events start to populate the log view:
By default, Process Monitor monitors all events from all currently running executables. For our purposes, we only want to see the activity from Flare. To do this, we can apply a filter by going to Filter -> Filter:
For this lesson, we want to filter on the Process Name of flare.exe. Add this condition and then click the Add button. This filter should then be applied, like so:
Process Monitor will now only be displaying events tied to Flare. Next, we need to trigger an event that will write to our save file. We can do this by hitting the Escape key and choosing Save & Exit in Flare:
Doing so will cause several CreateFile and WriteFile events to be fired. The items containing the saves directory should immediately catch your attention:
We can see that we are writing to two files (avatar.txt and stash_HC.txt) in the C:\Users\IEUsers\AppData\Roaming\flare\userdata\saves\empyrean\1\ directory. If we navigate to that directory, we can see that those are the only two files:
If we open avatar.txt, we can see there are several character-related pieces of data, including our character’s current XP and current build stats:
If we modify the build entries, save the file, and then load it in Flare, we see that our changes were successful:
Debugger Breakpoint
We can also identify the location of a save file through the use of a debugger. Like we have done in previous lessons, attach x64dbg to Flare.
Looking at the API for WriteFile, we see that it requires a file handle. This file handle is obtained via a call to CreateFile. Therefore, by setting a breakpoint on the CreateFile function inside kernel32.dll, we will be able to observe the path of all files the game wishes to write to.
In x64dbg, navigate to the Symbols tab. While the API documentation states that CreateFile resides in kernel32.dll, most traditional kernel32.dll functions now reside in kernelbase.dll. Select the kernelbase.dll module and search for CreateFile:
Double-click the CreateFileA entry and set a breakpoint on the first instruction (mov edi, edx). Next, go into Flare and save your game. The breakpoint should immediately pop. In the stack view at the bottom right, you can observe the save file path being pushed on the top of the stack:
