Jump to content




Welcome to dEViATED. We provide game trainers, cheats and gamehacking tutorials and a gamehacking forum for discussions and help. We have pc game trainers for various old and new games to download and will expand to other platforms. Go ahead and have a look around, you will love our pc trainers!.

Not interested in trainers ? socialize with us, we talk about girls, booze, movies, music and basically anything and everything.


These are some of the latest trainers released by us and supported fully.
Alien Isolation Trainer
Wolfenstein The New Order Trainer

Photo

DMA/Code Injection tutorials


  • Please log in to reply
14 replies to this topic

#1 STN

STN

    Founder

  • The G-Man
  • 5,715 posts

Posted 13 July 2010 - 11:03 PM


Resolving DMA in GTA: Vice City and Making a
Trainer .:

By shaikh_adeel

:.

Why I wrote this
Tutorial:


Well A friend of mine was having a lot of trouble with DMA in
hacking GTA: Vice City. When he asked me to help him, I thought I
might just write about how to hack its different options. SO here it
is ... the Tutorial on "Resolving DMA in GTA: Vice City and
Making a Trainer". I wont categorize this tutorial as Novice,
Intermediate or Advance coz I dont want to and I dont like to.
Anyone can and should read it. I will be keeping it very basic so
every one can understand it.

What We'll Learn:

1. One Hit Kills

2. Making our Player Invincible (GodMode)

3. Wanted Level Hacks (None and Full)

4. Ammo Hacks

5. Cash

6. Making The Trainer

What We Need:

1. GTA: Vice City ... the game (VC)

2. T-Search

3. An open Notepad window for ease.

4. Tsongkie's Code Cave Tool



Lets Start:

1. One Hit Kills:

First of all open up Note Pad, T-Search and VC. Alt+Tab out of the
game and choose the process in Tseacrh as gta-vc.exe.

Now go back to the game. Start a new
game if u haven't started it yet. When it starts make sure that ur
player has not been hurt yet and his health is 100. Ok ... Alt+Tab
out. Come to T-Search and start a new search. Now the known value of
full health is 200 in 1 Byte and 17096 in 2 bytes. So we'll search
for 200 in 1 byte.

Now, decrease ur health by fight
with a policeman. Now minimize the game and search for has
decreased. Keep doing this 'Has decreased' search until u find the
health address. Usually but not always the health address has the
value double of the value shown in the game. So this could be easier
to find. The Address that I found was 189E7BE. We
will use this address to find the Invincibility of our player and
One hit Kills for other people.

First of all ONE HIT KILLS. Now
click on Enable Debugger and Auto hack window. When the window
appears, right click on the address u found and click Auto Hack. Go
back to the game and get shot so that ur health decreases. Alt+Tab
again. Check the Auto Hack window .... bingo. We have something
here.

5267E8: fstp dword ptr [ebx+0x354]
<------ Write this in the Notepad window.

We will use this address to make
"One hit Kills" cheat. This may look strange but this is
what I found out when I wrote to this instruction.

NOPping it would stop this
instruction. But we will write a value to it. So now lets make a
code cave for it. Open the Code Cave tool. Write the window name and
press search. Now these are the memory addresses we will use to make
our code caves. Pick one of them for our first hack. Now first for
O.H.K hack:

offset
0x400011

mov dword ptr [ebx+0x354],0x7D (7D in
Hex = 125 in Dec)

jmp 5267EE

offset 5267E8

jmp 0x400011

And the normal construction is:

offset 0x5267E8

fstp dword ptr [ebx+0x354]

We write this in the Easy Write
window. Name it "Health" and Press the TMK button and then
Check. It will now display Pokes for this address as shown below. U
can put these in ur trainer ....


Aan Aan .. not so fast ... We havent
yet Checked if this works or not! So press OK. and click in the box
next to the Health:


Now go into the game. Kick or Punch
Someone only once .... Bingo ... The person is lying on the floor in
a pool of blood. We have our Cheat. Write down the Pokes in the
Notepad window. We will use it for making a trainer in the end.



2. Invincibility:

Now we will use the same address 189E7BE to make an Invincibility
hack. Ok ... click on
in the auto hack window. Write the health address that we found ....
in my case 189E7BE in the address tab. Under Type, change it to
Read/Write. Press Ok. Go back to the Game and spend some time. U
dont need to get hit as we have used Read/Write. It will find
anything Reading our memory address. After 10 secs, minimize the
Game.

Whoa! Lots of Addresses. We will now
check if these addresses return a value so we put a BPX on them.
Take the first address and click on it. When it gets highlighted
then go to the bottom of the auto hack window and click the
Disassembler tab. Right click on the address on the Top in the
disassembler portion on the window and click Register. DO this to
all the addresses that u got. Now click in the square next to each
address and choose the register used in each of them. Now go back to
the game and spend sometime. Get back and ur Auto Hack window will
be as below:


Hmm ... the addresses that have
returned a value are the ones we want.

Now for the value of health:

As we see .... EAX = 189E468 and
[eax+0x354] is the address for health. Ok .... Add 189E468+354.
These are not Decimal ... Both values are in Hex. Use the Hex
calculator in T-Search to add them. We get 189E7BC. In T-Search take
any address and put this address in it. The value it returns is ur
Health value. At full health (100) it is 1120403456. At 125 Health
it is 1120403456. We can change the health address we found in the
beginning to any value and this value will change with it. Ok now we
will create a code cave that will give us 125 Health.

Code Cave:

Ok .... in the code Cave tool choose
another memory address ... I choose 0x400079. Savvy ?? :(

Now the code cave will be like :

offset
0x400079 ( Our
address for the code cave)

mov dword ptr [ebx+0x354],0xhhhhhhhh (
Value to be written 'in hex')

fld dword ptr [eax+0x354] (Recreating
any destroyed instructions)

jmp xxxxxx+6h (
Adding 6 Hex will take us to the next original game loop.)

offset xxxxxx (
The address we found in Auto Hack)

jmp 0x400079

But we found alot of addresses didnt
we ?? Well theres only one way to u to see which one works. You have
to check all of them... Or maybe theres another way too .... I can
tell u which one.

Well 558B41 is Our required address.
So we'll make a code cave for it. Now we also need the hex value to
write in the code. Ok ... we want 125 Health right ?? And it was
1123680256 ... in Hex it is 42FA0000. Ok this is wht we'll use.



offset 0x400079

mov dword ptr [eax+0x354],0x42FA0000

fld dword ptr [eax+0x354]

jmp 0x558B47

offset 0x558B41

jmp 0x400079

nop



Write it in the Easy Write Window and Check the Poke Codes :


Copy them on Notepad. Press ok.
Click in the box next to Invincible. Go in the game. Health is 125.
Cool. We have now made the Invincibility hack. Lets Move on.



3. Wanted Level Hacks:

Ok .. While playing the game, those pesky cops just keep on bugging
u ... Now they wont. Lets see how :D. Go in the game. Destroy stuff,
kill ppl until u have 2 stars. Now search for '2' in 1 Byte/BYTE
format. Keep on killing until u have 3 stars. Search for 3. Keep
increasing ur stars and searching for them until u find the address
for the stars. I got 21CCC18. Now go to
the game and write "LEAVEMEALONE". Its the code to remove
all cops. This is coz it will start the Star count from 0. Ok now
there r no stars. Go to the address and right click on it and click
Auto Hack.

Now go in the game punch someone. Do
this Until u get 1 star. Now kill ppl and get stars one by one. By
the time u have 6 Stars the auto hack window will look like :


Now this shows that 1,2,3,4,5 &
6 stars are written by there respective addresses. All we now have
to do is to write 0x0 in place of 0x1, 0x2, 0x3, 0x4, 0x5 and 0x6.
Now how do we do that ? U can do that in the Disassembler tab. Right
click on each address and click Assemble. The window appears asking
u to right the code. Just replace 0x# by 0x0. But that would not be
a permanent solution until u patch the game that way.

So for making the trainer we use the
same technique. Replacing numbers by 0. The code formed will be :

offset 0x4D221B

mov dword ptr [ecx+0x20],0x0

offset 0x4D21F7

mov dword ptr [ecx+0x20],0x0

offset 0x4D21CA

mov dword ptr [ecx+0x20],0x0

offset 0x4D219A

mov dword ptr [ecx+0x20],0x0

offset 0x4D216A

mov dword ptr [ecx+0x20],0x0

offset 0x4D213A

mov dword ptr [ecx+0x20],0x0

Do u understand what this code does
?? Well whenever y kill someone ... The game calls upon these
addresses to write their respective number of stars in the game. But
as we have changed them to 0, they will write 0 star each time u
kill a person ... means : No Stars :lol:

Now if u wanna have some fun with
those Military Guys ...u need full 6 Stars. This can be done by
putting 0x6 into the addresses that operate the first 5 stars :

offset
0x4D221B

mov dword ptr [ecx+0x20],0x6

offset 0x4D21F7

mov dword ptr [ecx+0x20],0x6

offset 0x4D21CA

mov dword ptr [ecx+0x20],0x6

offset 0x4D219A

mov dword ptr [ecx+0x20],0x6

offset 0x4D216A

mov dword ptr [ecx+0x20],0x6



Why dont we use only one of these
addresses to get 6 stars ?? Well this is because these addresses are
operated 1 by 1 and after one another. If we use the 2 star address
to get 6 stars. Then we will get 6 stars when after 1 star. When we
should get 2, we will get 6 instead of 2. But if we keep on killing
it will then move back from 6 to 3 stars. Because this is the time
that the 3 star address should work. So in Easy Write we put 6 in
all of them so they put 6 stars instead of their respective number
of stars. Go back to the game, type LEAVEMEALONE to lose all ur
stars and then kill some one (preferably a policeman) and Bang!! 6
Stars!! Cool ..... With this hack out of the way ... lets move on to
the Ammo Hack.



4. Ammo Hack: In GTA:

Vice City ... The Static Ammo address operates all the guns' ammo.
So If u freeze that address at 100... then all the guns' ammo will
be frozen at 100. Saves u a lot of Time!! But we have to find it
first :P

What gun do u have ?? I have the
Sniper Rifle ... and I will find the address for its ammo. Its ammo
in the game says 47-7. This means there are 7 bullets in it magazine
and 47 are spare. So the total number of bullets is 54. So we wont
look for 47. We wont look for 7. We are looking for 54. Ok in 1 Byte
or 2 Byte format .... search, fire, search, fire, search until
u get the address. mine was 18A7A94.
Auto Hack it. go to the Game. Shoot. Back to T-Search. And this is
what the Auto Hack Window says :

5D4AF5 dec dword ptr
[esi+0xC]

There are two things that u can do
with this instruction. U can modify it to increase ur bullets when u
fire rather than decrease it. Or u can write a value like 100 and
freeze it there.

Ok first lets increase our bullets.
Change the code to :

5D4AF5 inc dword ptr
[esi+0xC].

There u are. Assemble it that way
and u get increasing bullets.

To freeze it at 100, create a code
cave :

offset 0x400954

mov dword ptr [esi+0xC],0x64

jmp 5D4AFB

offset 5D4AF5

jmp 0x400954

Its Pokes Are :

Poke 10ABF C7 46 0C
64 00 00 00 E9 30 40 5C

Poke 10ACA 00

Poke 5D4AF5 E9 C5 BF A3 FF

There u are. This
what u need to do to freeze ur ammo at 100. Hmm .... Check it by
placing this code in Easy Write. Go in the game and fire a shot....
There u are its 100 ammo and frozen. Good .....

Now we have the
Cash/Money Hack Left to learn.



5. Money Hack:

Well
this is the same thing that we have done the previous 4 times ...
and I don't feel like explaining it again, but since I said I will,
here it is. Check how much money u have. I have $ 6,945,906. Lets
search it in 4 Bytes/DWORD. Keep searching until u get the address.
I got 94ADC8.
OK now right click on it and click Auto Hack. Go in the game get
some money by killing someone. Back to auto hack and it has returned
2 addresses.

4BE7CE mov
[ebx+0xA0],eax

441384 add [edx*8+0x94ADC8],eax

To find out what we need, we first
put a BPX on them both :


Once in the Register tab .... choose
the register from the list according to the register the address is
being moved to. Now click in the squares next to them both to get
that red spot in them. Now do in game and get some money. The
Register Tab will look like this :


The first address returns the value
69FD4F in hex = 6946127 in dec. And this is the value of my cash in
the game. Hmm ....and wht is the value returned by the 2nd address
.. its 3B in Hex. It is the amount of money u had picked up and this
instruction adds this value to ur money. We Dont need this one as u
see. We need the first address.

4BE7CE mov
[ebx+0xA0],eax

Now we do the same
old thing again ..... but this I leave to u .... To make the code
cave :P

And another thing to
play with. U see the second address determines what amount is added
to ur money. Its 3B in this case ... if u change it to 10,000 (2710
in Hex) Will u pick up $10,000 each time u kill a person and get his
money ?? Check that out too.



6. Making the
Trainer

We have found all the hacks that we had pointed out in the
beginning. Now all we need to do is make a trainer.

Well it dont need
much explaining really. All u have to do is place the Pokes from the
easywrite window into the Buttons.

This is wht ur
trainer pretty much might look like :


I have tried to keep
this tutorial AS simple as I could. but still If u have any
problems contact me.



#2 STN

STN

    Founder

  • The G-Man
  • 5,715 posts

Posted 13 July 2010 - 11:04 PM

Resolving DMA in C&C:
Generals (Code Injection)


by Shaikh Adeel

Introduction: Command &
Conquer games have employed DMA since their first ever games .... So that Game
Hackers can be presented with a challenge - that we have taken up with pleasure.
To hack C&C: Generals we will employ Code injection again ... as my last
tutorial for GTA: Vice City. Anyone can and should read this tutorial as it is
not classified as beginner or advanced.

Things you might need:

- Command & Conquer: Generals v-1.0.

- You should know the basics of memory finding.

- Tsongkie's Code Cave Tool.

- A memory Scanner ... I will be using Cheat Engine v-4.3 and T-Search.

- A trainer builder or Language ....

Lets Begin:


Start a new Skirmish game .... Choose any team. In the start u have $10,000.
Alt+tab out of the game and in Cheat Engine (or whtever u use) choose Game.dat
as process. Now before we search for cash lemme tell u about the the Memory
Array function of Cheat Engine 4.3. Using it u can search
for ur value in an array of addresses that u urself choose. Default in
all memory searchers is usually 00400000 upto 7FFFFFFF. If we search with
default it would take a lot of time as well as RAM. So we choose an array of
03000000 - 04000000. I have found my money addresses in this range .... It may
differ in different versions. In that case u might have to search with default
at first and then get an idea where u find ur addresses.

Ok
... now search for 10000 using the following settings:





I only got 3 entries instantly .. without waiting for a looong search. Go into
the game. Build a Power Plant. That leaves u with $9,200. Alt+Tab out and u will
see that one address has changed to 9200. Add it to the list using the red
Pointer. Change its value .... and check in the game if it changes there too. If
it does not then search again ... If it does then lets move on.


Open your Debugger ... whatever you use - OllyDebug, SoftIce, T-Search's Auto
Hack. I will use Auto Hack .. But the basic Principles remain the same for all
of them. Copy the address for Cash from Cheat Engine. Now First of All ... place
a Write breakpoint on it in Auto Hack. Go into the game and Build another Power
Plant. Minimize the game and check the auto hack window. There is an offset
there:

54A0F5 mov
[edi+0x4],eax


But if we use this address for code injection ... it will also give as much cash
to ur opponent. OK ... now copy the same address and place a Read/Write
breakpoint on it. Now go into the game ... and DONT DO ANYTHING. The reason for
this is we want to see what instruction reads from that address coz we want to
get the address that would only give us cash and not our opponents. Just after
3-4 seconds alt+tab out again. Check the Auto Hack window and we see that we've
got another instruction there:

4EB5E0 mov ebp,[eax+0x34]
<----- This is the
address tht we'll use.


Ok ... good ... Lets start some Code Injection. Open Tsongkie's Code Cave Tool.
Go into the game and press F12. Alt+Tab out and u'll se alot of addresses listed
there. These are the code caves ... lets pick 00400011. Open the Easy Write and
start a new code. First of all we'll try the simplest code:



Easywrite Top:

offset 0x00400011

mov dword ptr [eax+0x34],0xF4240

mov ebp,[eax+0x34]

jmp 0x4EB5E3



offset 0x4EB5E0

jmp 0x00400011



Easywrite Bottom:

offset 0x4EB5E0

mov ebp,[eax+0x34]

Lets
use a hotkey for it ... I used F2. Name it "Cash" and press Ok. I wont
be using snaps of easy write here ... If u r new to Easywrite and Autohack then
read my GTA: Vice City tutorial so u can get a better idea. Ok ... now go in the
game ... Press the hotkey .... WTF! It crashes .. the error says: The game
encountered a serious error.

Ok
... we now need to see what caused it to crash. Open up Easywrite. Open the code
we made for Cash, Check the TMK pokes. Hmm intersting ... the pokes we made at
4EB5E0 are 5 bytes long while the original instruction is 3 Bytes in length. So
basically we are writing over the next instruction:


Ok
... now what we'll do is recreate all the code that is destroyed here and put it
in our code cave and jmp to it. So now the code that we'll create is:

Top:

offset 400011

mov dword ptr [eax+0x34],0xF4240

mov ebp,[eax+0x34]

cmp [0x9190B8],ebp

jmp 4eb5e9



offset 4eb5e0

jmp 400011

nop

nop

nop

nop

Bottom:

offset 0x4EB5E0

mov ebp,[eax+0x34]

cmp [0x9190B8],ebp

OK ... In case u dint
understand the code above:

- We create the code cave at
00400011.

- mov dword ptr
[eax+0x34],0xF4240 : This code writes
1,000,000 into [eax+0x34]. Its written in Hex - F4240.

- mov ebp,[eax+0x34]

-
cmp [0x9190B8],ebp <-
We recreate any destroyed instructions.

- jmp 4eb5e9
We jump to the next original game loop or
the normal game routine. This is so that the loop continues. If u look at the
snapshot above u will see tht this address is after the cmp
[0x9190B8],ebp instruction. So basically we
run the 2 recreated pieces of code at our code cave and then jump to the
original game code so that it runs normally. Simple huh ??

- offset 4eb5e0

jmp 400011 This part jumps
from 04EB5E0 to our code cave, there we run our recreated code then jump back to
the next original game loop.

- The 4 NOPs are to balance out the code. Becoz the
code we created at our code cave was 5 bytes long. But the length we want to
balance is from 4eb5e0 to
4eb5e9 .. thats 9 Bytes long ... so we
balance the remaining 4 bytes by NOPs.



- At the Bottom we just recreate the code in its original form.



Now
to create a trainer, all u need to do is use the code or the pokes in your
trainer.

=================================



#3 STN

STN

    Founder

  • The G-Man
  • 5,715 posts

Posted 13 July 2010 - 11:06 PM

Hacking Disciples: Sacred Lands - Advanced Game-Hacking

by Sorin

mail-me! ( [email protected] )

Sorin greets you!

TUT no1:
~~~~~~~~


INTRO
~~~~~

OK! In the following, I'll teach you how to find the instruction that decrease
your money in DISCIPLES: SACRED LANDS. I must tell you that it uses DMA and
has an unusual (at least for me) method to dec your money!

Start the game,and choose to PLAY A QUEST(not saga) and take a look at the money.
Write the value down on a piece of paper, then press alt+tab. Now, start
GameTrainer or any other memory finding/editing tool (Gamehack,Tsearch,etc.)
and search for that value [if you don't know how to do that, i'll explain to
you but only for GameTrainer.

GameTrainer: <- JUST for newbies and those who don't know(yet) how
~~~~~~~~~~~~ to use a memory finder

----------------------------------------------------------------------
STEP 1: As "Process", select the game(---in my case disciple.exe);

STEP 2: In the "Value" box, type the amount of money you have;

STEP 3: In the "Type" drop-down menu select dword(means DoubleWord);

STEP 4: Press the "Find" button...

STEP 5: Now, down the "Find" button, it's the address list. Here you'll look
to see the money address. But after the search, this should contain
many addresses. That's because not only one memory address holds the
number you typed, but many more (in most of the cases). But you need
just the money address.To get that, go back in the game and spend some
money (ie: hire a unit, or build something). Now, you have less money ->
remember the value or write it down.

STEP 6: Alt+tab and go back to GameTrainer.
In the "Value" box, type the new amount of money;
Press the "Sieve" button...

STEP 7: Look at the address list. If there are more than 3-4 addresses, you must
lose (or gain) some money in the game and start a new search by typing the
new amount of money in the "Value" box, and always use the "Sieve" button.

STEP 8: Repeat this until you'll have only 3-4 addresses (in our case just one if
you play a quest). Very good...]
-----------------------------------------------------------------------

The Hack: <- FOR EVERYBODY
~~~~~~~~~

Well, we have the money addr. In my case is: 03B00A20. Since this game uses
DMA (dynamic memory allocation) your address WILL BE DIFFERENT. But that's
doesn't matter...

And, as you probably know, the classic method is this:

BPM 03B00A20 W --------------|
or |> in SoftIce
BPR 03B00A20 03B00A30 W------|

but in this case doesn't work.

This is what i got in SoftIce after putting a BPR 03B00A20 03B00A30 W

============================from here==================================
mov dx,[ecx]
mov [eax],dx
mov dx,[ecx+02]
mov [eax+02],dx
mov dx,[ecx+04]
mov [eax+04],dx
mov dx,[ecx+06]
mov [eax+06],dx
mov cx,[ecx+08]
mov [eax+08],cx --->>>here i land in SoftIce
ret 0004
===========================till here===================================

Well, eax+08 holds our money. But eax+08 is 03B00A20 (in my case, in your case
is the address you found with GameTrainer). If you don't believe me, type:

? eax+08

in SoftIce. Got it?

We can't overwrite this instruction, because it's used NOT only by the money_routine,
but by others as well (i.e.: when you hire a unit, this instruction MUST be executed.
Otherwise, the unit can't be hired!). We can't set another breakpoint on eax+08
because we already have one. MMmmmm... What to do???

I'll tell what to do in the following...

IF YOU KNOW A DIFFERENT METHOD, PLEASE LET ME KNOW!!!
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Let's put a breakpoint on 03B00A20 (in my case). But this time the breakpoint
should be rw(READ/WRITE) not only w(WRITE). So, in SoftIce type:

bpm 03B00A20 rw

OK...
Let's test it. Inside the game lose some money. SoftIce will break, and you'll be on

mov [eax+08],cx like in the beginning.

But this time eax+8 will not be 03B00A20(my case). It'll be a different value.

Now the things are like this:

When you lose some money, the game uses different addresses to hold your money
FROM WHERE IT DEC THE AMOUNT. Then it stores the new amount (after you lose some)
in 03B00A20 (in my case). Let's say that you lose some money. The game saves the
money you had (before losing) in a temp. address, it does the operations (dec) on
this temp. address, then stores then new value in 03B00A20 (in my case). That's
how the game works (in my opinion). Now, we only need to trap this tmp. address
BEFORE THE GAME WILL DEC THE AMOUNT. This means we must trap it when the game wants
to put in it the money you have BEFORE the game will dec the amount. That's why we put
a read/write breakpoint. When SoftIce popped the second time, eax+08 stores the temp.
address. So, put a breakpoint on it:

bpm eax+8 w

We'll use a write-only breakpoint because the game will now modify that amount.

Now,F5 to exit SoftIce, and you'll be again in SoftIce. But guess where? Exactly to the
instruction that dec your money!!!:

===============================from here===============================
mov dx,[ecx]
sub [eax],dx
mov dx,[ecx+02]
sub [eax+02],dx
mov dx,[ecx+04]
sub [eax+04],dx
mov dx,[ex+06]
sub [eax+0],dx
mov cx,[ecx+08]
sub [eax+08],cx *** what can this be ?!?!?! hehehe...***
mov cx,[eax] <-- here I land in SoftIce
test cx,cx
=============================till here=================================

So looking at the code, I figure it out that the "sub [eax+08],cx" is the nasty
instruction that dec our money. Now all you have to do is to nop or change or
do whatever you wanna do with that instruction! You can also make a trainer or
modify the .exe ...

Well my job here is done. But there is another question: what are the rest of the
"sub"-instructions do there? I'll let you figure it out what they do! (you must
play the game if you wish to know)...

HUH!
~~~~

This was my first tutorial about gamehacking. I hope you learnt something useful.
I'm glad I can share my knowledge with all of you, and remember : If you know
something useful, don't keep it just for you! Because you are not the only one who
knows it, and sooner or later, it'll be clear like the sunlight for EVERYBODY! Maybe
it took a long time for you to discover that, but the happyness of teaching the
others will be huge !

License, legal stuff, etc etc
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

You are free to do whatever you wanna do with this tutorial. But if you think that it
is good and people will learn something from it, spread it!!!

NOTE : This tutorial is dedicated to the wonderful people in the GameHacking forum.
~~~~~~ ~~~~~~~~~

mail-me! ( [email protected] )

Sorin greets you!

2003

[BEST VIEWED WITH NOTEPAD 800X600]

eof



#4 Bastiaan

Bastiaan

    Experienced Member

  • Donators
  • PipPipPipPipPip
  • 414 posts

Posted 14 July 2010 - 01:17 PM

...

I guess this is good, might read it one time maybe you could put code parts in code tags tho?

#5 STN

STN

    Founder

  • The G-Man
  • 5,715 posts

Posted 14 July 2010 - 01:57 PM

Thats just a quick copy/pasta. Sure will do.

#6 bOrN

bOrN

    Tamed

  • n00b
  • PipPipPip
  • 34 posts

Posted 04 December 2010 - 03:01 PM

Well a nice pack of game hacking tutorials.

#7 STN

STN

    Founder

  • The G-Man
  • 5,715 posts

Posted 12 January 2011 - 06:05 PM

Hacking NOS in NFS Underground [Code Injection]

Author: [Shaikh Adeel]

Note: The NOS hack in NFS Underground is quite easy. But I did see some ppl who wanted to know how to hack it .... so .... here's a li'l tutorial on how to hack NOS in Underground. And yes the game uses DMA ... and we're gonna take care of that too.

Tools used:
- T-Search
- Sheep's Array of Sunshine

Now run the game and Tsearch. I have unlocked the whole game so I have level-3 NOS. If u dont have level-3 NOS the maximum value of NOS will be different but the procedure will be the same.

- Ok, now start a quick race .. I used Drag. Select process in Tsearch = speed.exe.
- Now play game. Dont use any NOS. Go to Tsearch and search "Unknown Initial Value".
- Go in game, use some NOS and search "Has Decreased".
- Repeat this until u get the value for NOS.

Tip: Usually when u have only 15-17 addresses left ... all of them are in thousands .. only 1 will be in tens .. i.e 20 or 34 or 47 ... get the idea?? This will be ure NOS address.

- To check if u have the correct address. Increase its value.
- Dont increase it more than the max value or the game crashes.
- The max value for Level- 1 NOS is 30, for level-2 its 60 and Level-3 its 90.



Bypassing DMA:
Ok now that we've got the address for NOS, we need to get rid of DMA now.
In Tsearch, enable debugger and put a read/write breakpoint on the address we found to be controlling our NOS. In my case it was 12B4771. Now go back into the game ... and then alt+tab out again. DO NOT USE any NOS. We need to find the instruction that only increases our NOS and not the AI player's. So we dont put a Write b/p on the address.

Now that u're out to Auto Hack window .... u will see 3 to 5 instructions there. Mine were:

449FB3 mov eax,[ecx+0x3B8]
449FC4 fild dword ptr [ecx+0x3B8]
4A654C mov eax,[esi+0x3B8]
4A655D fild dword ptr [esi+0x3B8]
4A661F mov eax, [esi+0x3B8]


Go into the disassembler tab and register them one by one by right-clicking on them and then clicking register. Now go to the Register tab and choose the registers for each instruction ... the ones in brackets are wht we need. Ok ... now click in the boxes on the left side of each line. Now the debugger will tell u wht is the value in the registers. Go into the game and then again minimize it without using any NOS. Check out the register value. For me it was 12B43B8 for all of them.

Now as ecx/esi is equal to 1243B8 .... we can do [12B43B8+3B8] to get the value of NOS to be written into the trainer. It gave me 12B4770 .... Hmmm .... the value in this address was 23211 when my NOS meter was full (when the address 12B4771 had the value 90).

Ok ... we need to write the value 23211 into the trainer. In hex 0x5AAB.

Ok we now create the code for unlimited NOS. I used the top most instruction and it worked just fine.
Use sheep's Array of Sunshine or Tsongkie's code cave tool to get an empty slot.
Lets assume we got 40000 .... the code would be:

Patched:
Offset 0x40000
mov word ptr [ecx+0x3B8],0x5AAB
mov eax,[ecx+0x3B8]
Jmp 0x449FB9

Offset 0x449FB3
jmp 0x40000
nop

Un-patched:
Offset 0x449FB3
mov eax,[ecx+0x3B8]



What the Code does:
- Normally, what happens at 449FB3 is, the game writes the value stored in [ecx+0x3B8] into ecx. We found that when the 23211 is written, the NOS is full.
- Now what we did was ... we jumped out from 449FB3 .... to 40000:
Offset 0x449FB3
jmp 0x40000
- Now at 40000 we write the value 5AAB in hex (23211 in dec) into [ecx+0xB38]. So its value remains 23211.
- Now we recreate the original instruction:
mov eax,[ecx+0x3B8]
- See what's happening??? This way the computer still keeps writing the value of [ecx+3B8] into eax ... but its value is now 23211. So our NOS meter remains full.
- Ok now we have to get back to the original game routine so the computer doesn't realize any thing wrong :)
- We see that the original instruction at 449FB3 was 6 bytes long.
- Our recreated code is 5 Bytes long.
- So we need to balance this to make the computer think that everything is normal.
- So we put a NOP after the jmp to 449FB9.

- U see we have jumped to 449FB9 ... coz our next the next original game instruction after our NOS instruction.



Now go into the game and check our NOS. Ok good it doesnt finish.
So dudes we have now made the unlimited NOS hack.

Have fun.

#8 STN

STN

    Founder

  • The G-Man
  • 5,715 posts

Posted 12 January 2011 - 06:11 PM

CodeInjection - DMA to Static

Author: Sheep

SUBJECT: CODE INJECTION - DMA to STATIC Address.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TOOLS NEEDED: Softice, memory searcher (ur choice) gamehack.


Before we do actually start I warn you that if you dont have certain prior knowledge
before attempting this tutorial then you wont get much out of it..

I suggest you most certainly read my previous tutorial which covers DMA in full detail..
You also need to know at least the basics of the ASM language...

With all that out the way lets continue....


SOFTICE SETUP
*************

When you press CTRL-D to pop softice you should see the following windows..

REGISTER WINDOW - this window is always at the very top of the softice window
(WR [return]) and displays the contents of all the registers..

DUMP WINDOW - generally situated close to the top of the softice window
(WD [return]) contains a split screen display.. one side is ascii the
other is hex.
CODE WINDOW - this is the main window.. sits just under the DUMP WINDOW
(WC [return]) contains the code of whatever process maybe running when
u pop softice.. the code is represented in ASSEMBLY LANGUAGE
instrutions..

The comments in the brackets are what you need to type to turn the different windows on..
you also need to type CODE ON.. this will bring up the OPCODES which are a set of numbers
displayed to the left of each ASM instruction and to the right of every memory location
in the CODE WINDOW..


LESSON START
************

ok.. To achieve the final goal of defeating DMA with CODE INJECTION you will need to learn
a few new concepts that you may not have come across before.. ive listed the concepts that
we will be covering below...

i) Code Injection Theory
ii) Offset Theory
iii) DMA to STATIC Outline
iv) DMA to STATIC Practical Code Injection

Once you have learnt the first 3 concepts you will most certainly be ready to tackle the
4th and final one... good luck :))


CODE INJECTION THEORY
*********************

Code injection is a method used by advanced game hackers to achieve certain tasks
that cannot be achieved with NORMAL game training methods.. The main aim of code
injection is to create a pathway FROM the main GAME loop TO your own code.. you then
jmp back to the main game loop after your code has been executed.. what your code does
is only limited by your knowledge of the game and of course your knowledge of asm :()

Code injection is so flexible you can do pretty much anything you like.. breaking free
of the restrictions of the normal NOP hacks....

Example...

This is a code snippet I used in my last tutorial.. its just an example so it doesnt
matter...


0120:00008096 01585A ADD [EAX+5A],EBX
0120:00008099 E9xxxxxxxx .---- JMP 500000 <--- we create our gateway here...
0120:0000809B B486 | MOV AH,86 <----.
0120:0000809F 55 | PUSH EBP |
0120:000080A0 1E | PUSH DS |
0120:000080A1 50 | PUSH EAX |
0120:000080A2 E86E078ED8 | CALL D88E8815 |
| |
| |
0120:00500000 OUR CODE! <---' |
0120:00500002 OUR CODE! |
0120:00500004 OUR CODE! |
0120:00500006 JMP 809B -------------------------------' <--- once our code is done we jmp back..

if u destroy any valuable instructions while making your gateway.. you must make sure you
re-create them inside the OUR CODE section.. or you will most likely crash the game...

Dont forget this is only the theory.. a fully detailed "HOW TO" will follow in the practical
section lower down..


OFFSET THEORY
*************

We all know that DMA causes the variables of a game to change location every time we
either start a new game or reboot completely.. Even though this is true.. DMA variables
actually stay in the same place relevant to each other.. WHAT DO I MEAN?? I hear you ask :P)

ok.. ill give u an example...


00456777 : LIFE TOTAL
00456778 :
.........:
.........:
etc......:
.........:
00456999 : BULLET TOTAL


The above diagram is a hypothetical situation of 2 DMA variables.. we have LIFE TOTAL
at address 456777 and we have BULLET TOTAL at 456999 if you subtrack those 2 addresses
from each other you get what is called an OFFSET.. 456999h-456777h = 222h (h = hex).
you will understand why we need offsets in just a second...

OK!! I RESTART MY GAME!!!

00659123 : LIFE TOTAL
00659124 :
.........:
.........:
etc......:
.........:
00659345 : BULLET TOTAL

Now we have restarted the variables have changed location.. BUT!! notice the actual addresses
659345h-659123h = 222h. Even though the variables are allocated different memory locations
they always stay the same distance apart.. this is the KEY to the whole process..

The reason they stay the same distance apart is because each variable isnt actually allocated
seperate memory locations.. a large chunk of memory containing most if not all game variables
would be allocated the memory at run time...

Using offsets we can make a detailed map of every variable we need.. all we would need
to do is pick 1 variable as the MASTER and find this address every time.. from that 1
address you will instantly know where the other variables are located in memory...

Another example....

Here is a made up offset map...

HEALTH COUNTER location = MASTER VARIABLE <--- find this address.
BULLETS location = MASTER VARIABLE + 3445h
LIVES location = MASTER VARIABLE + 2345h
SKILL POINTS location = MASTER VARIABLE + 334h

now.. we start our game... and find HEALTH COUNTER..

000657444 : HEALTH COUNTER

we can now change that map into REAL addresses.. like this..

HEALTH COUNTER location = 657444h + 0h = 657444h
BULLETS location = 657444h + 3445h = 65A889h
LIVES location = 657444h + 2345h = 659789h
SKILL POINTS location = 657444h + 334h = 657778h

So now you can see by making a Variable map using 1 MASTER variable we can find all the
other variables with offsets :P) its pretty cool stuff eh? :D))


ok.. its pretty vital that you understand offsets BEFORE you go on.. if you dont understand
it then go back and RE-RE-RE READ....



DMA TO STATIC OUTLINE
*********************

Once you understand at least the basics of code injecting such as I explained ealier
you should'nt have too much trouble understanding the DMA to STATIC principles..

The outline goes something like this :-

We find a place in the game code that contains a POINTER to a variable we are using
i.e LIVES, HEALTH, BULLETS etc..

Once we have found this POINTER we need to make sure that it is a SPECIFIC POINTER
which means it ONLY!! points to 1 location.. if the POINTER is GENERAL it will cycle
through many places and manipulate many memory locations this is useless to us...

A pointer will look something like this .. MOV EAX,[EBX+00000208]

EBX will contain a DMA base address.. the 208 is an offset added to EBX to form the
POINTER which points to our variable (LIVES)..

Lets say that we know EBX+208 = LIVES.. we now need to find out if this is a SPECIFIC pointer
(points to only 1 address) and not a GENERAL pointer (points and manipulates many addresses)
we do this by placing a breakpoint on the MOV EAX,[EBX+00000208] instruction then keep pressing
F5 to get out of softice.. every time softice pops up again look at the contents of EBX..
if the number inside EBX doesnt change then we know that we have a SPECIFIC pointer.. if the
number inside EBX changes, even once, then this pointer is no good to us.. to get a good idea
if the address in EBX is SPECIFIC you should check the value in EBX at least 10 or 20 times to
make sure its not changing...

ok, once we have found our SPECIFIC pointer.. we need to store away the DMA base value that
lies inside EBX (NOTE!! EBX doesnt always contain the DMA base value.. it could be any
REGISTER.. u need to look at the pointer and see what REGISTER IS USED.. ie..

MOV EAX,[EBX+00000208] <-- EBX contains the store away value
MOV EAX,[ECX+00004564] <-- ECX contains the store away value
MOV EAX,[EDX+00001122] <-- EDX contains the store away value
MOV EAX,[ESI+00000234] <-- ESI contains the store away value
MOV EAX,[EDI+00004408] <-- EDI contains the store away value

just keep all that in mind.. pointers can take on many forms but I think the above code is more
than likely the type of thing you will encounter in most games...

ok.. so we need to store our DMA base value away into static memory.. we do this by creating a
pathway to our own code (code injection).. our code will then place the DMA base value thats
inside EBX into a static address so that our trainer can read that address every time.. create
its own pointer by adding offsets to it.. and then poking values into that pointer..

Here is a diagram to explain it a little more....


We have found our pointer.. below

Before we make our gateway...
-----------------------------

0041A736 MOV EAX,[EBX+00000208] <----- pointer here...
0041A73C FLD REAL4 PTR [EBX+000000CC]
0041A742 FDIV REAL4 PTR [EBX+000000C8]
0041A748 MOV [00786CA4],EAX

After we make our gateway...
----------------------------

0041A736 JMP 9000000 <----- gateway has been created..
0041A73C FLD REAL4 PTR [EBX+000000CC]
0041A742 FDIV REAL4 PTR [EBX+000000C8]
0041A748 MOV [00786CA4],EAX



Our code section...
-------------------

09000005 MOV EAX,[EBX+00000208] ; re-create instruction we destroyed to make our gateway
09000010 MOV [9000100],EBX ; mov DMA base value in ebx into a static address..
09000015 JMP 41A73C ; Jump back to main game loop..
09000100 0000000000 ; location to store value from EBX

Once the above code has been executed u can now read the value from 9000100 and even
when the game changes its memory locations ur code will put the correct value back
inside 9000100.. so all u need to do is read that value.. add 208 to it and u
have the exact location of LIVES.. remember?? lives = EBX+208...

thats pretty much the whole deal.. apart from the code that reads the value from 9000100 but
ill show u that in the PRACTICAL section below... dont worry if all that was a bit much to
take in.. keep flipping back to this section to re-read.. with the fully explained PRACTICAL
section u should be able to put them both together and understand it all..


DMA TO STATIC PRACTICAL CODE INJECT
***********************************

The game ive chosen for this tutorial is called SPACE TRIPPER..(thanks keyboardjunkie)
you can dload it from here.. http://www.pompom.org.uk/STpage1.htm

lets start...

First thing we need to do is find a MASTER variable.. ive chosen LIVES..
unfortuantly this game is a bit of a bitch for finding the LIVES value.. but with a little
asm knowledge (which you all should have by now :)) you will be fine...

oki.. we do the usual search.. die.. search die..

If you do it correctly you will only find 1 address .. and it will be this.. 786ca4
If you try and change this location you will notice that the screen updates but thats
about it.. you still have the same amount of LIVES as before thats because you havent found the
REAL address for LIVES.. dont worry!! i didnt expect you to.. ill tell you why.. this game doesnt
just allocate memory every time you start a new game.. it allocates memory after every time
you die.. so its impossible for you to find the REAL value with a mem searcher.. thankfully
the ON SCREEN variable is STATIC.. so from this variable we can quickly find the REAL value..

This is how its done...

Using softice place a breakpoint on the ON SCREEN variable like this..

type BPM 786ca4 W (return)

lose a life..

softice POPS!!!!

you should see this...


0041A736 8B8308020000 MOV EAX,[EBX+00000208]; pointer moves REAL LIVES into EAX (EAX = 2)
0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC]
0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]
0041A748 A3A46C7800 MOV [00786CA4],EAX ; Move REAL LIVES value into ON SCREEN variable
; (ON SCREEN variable = 2 )

As you can see [EBX+00000208] is a POINTER to the REAL LIVES address in memory.. EBX will contain
a DMA base address which we need to store away and 208 is added to it so that EBX+208 = REAL LIVES.
The value from the REAL LIVES location is moved into EAX and then EAX is placed into the
ON SCREEN variable memory location... to prove all this you need to do this..

In softice..

type D EBX+208 (return)

Now edit the memory location in the top left hand corner of the DUMP window and your lives will
update properly.. showing you that we have found the REAL LIVES memory location...

Luckily enuff we have found 2 vital things with just 1 breakpoint.. we have found the REAL LIVES
memory address.. we have also found a potential POINTER to use in our CODE INJECTION.. lets see
if this POINTER is SPECIFIC or GENERAL.. once again we take to softice..

First of all we need to clear all other breakpoints so ...

type BC* (return)

then place a breakpoint on the 41a736 address...

type BPX 41A736 (return)

then press F5 to get out of softice..

softice should POP!! straight away..

Look at the content of EBX.. has the value changed??

keep pressing F5..

keep looking at the EBX content :))

is the value inside EBX changing?? if no!! we are IN!!! YAY!!!


So, now we have found a valid place to inject and save our POINTER into a static memory
address.. all we need to do now is find a nice place to put OUR CODE!! u can do this
a few ways..

1. Look up and down the code close to where u are injecting and see if there is a large
cluster of NOPs.. (this is empty code).. also a large cluster of 0's signals a good
OUR CODE location aswell..

2. If nothing turns up close to your injecting address then do a search in softice for
909090909090.. read the manual if you dont know how to search.. you should do by now..

3. This is the method I use.. people tell me that they have encountered problems with
this method but ive created about 20 to 30 trainers using it and its never given
me a NON working trainer.. so until it does ill continue to use it..

i) type TASK (return) inside softice..
ii) find the name of your game window..
iii) type MAP32 <game window name> (return)
iv) this will bring up all the sections of the game.. what we want to do is add code onto
the end of the data section.. here is what i get from Space Tripper...

:map32 spacetripper
Owner Obj Name Obj# Address Size Type
SPACETRIPP.text 0001 017F:00401000 0004BE10 CODE RO
SPACETRIPP.data 0002 0187:0044D000 00006718 IDATA RW
SPACETRIPP.bss 0003 0187:00454000 0035CDB4 UDATA RW
SPACETRIPP.idata 0004 0187:007B1000 000014F0 IDATA RW
SPACETRIPP.rsrc 0005 0187:007B3000 0000095C IDATA RO SHARED

The .data section starts at 44d000 but we need to use the end of the data section ( there is
usually a lot of buffered space on the end of the data section so we can happily use it without
messing with any REAL data used by the game) so what we do is look at the next section down..
which is .bss the start of the .bss section is just after the very end of the .data section..

so, lets hunt for a nice place to put OUR CODE..

inside softice again...

type D 454000 (return)

Just to be on the safe side we need to scroll the dump window up a bit.. so that we are
on the end of the data section.. you will notice that when we scroll upwards the text at the top
of the dump window will change.. from

SPACETRIPPER! .bss
to
SPACETRIPPER! .data+<offset>

to scroll the dump window up u need to do this..

type EB (return)

then use the PAGE UP / PAGE DOWN keys to move the window up and down :))

ive decided that 453f00 is a good place for us to place our code.. so the first thing you need
to do is write that memory address down.. so that you dont forget it...

now we have the address of OUR CODE.. we need to go back to the pointer at (41a736) and make
our gateway.. it should still be inside your code window but if it isnt then do this..

type U 41a736 (return)

that will place 41a736 at the top of your CODE window..

now we create the gateway...

***NOTE!!***
The next steps are all done one after the other .. you cannot break in the middle of them
or attempt to come out of softice or you will crash the game....


type A 41a736 (return)
type jmp 453f00 (return)
type nop (return) ( we need this nop to ballance the opcodes and to avoid a crash)
type (return) ( this return on its own will take us out of (A)ssemble mode)


at this point you should see the code window change from...


ORIGINAL CODE...
0041A736 8B8308020000 MOV EAX,[EBX+00000208]
0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC]
0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]
0041A748 A3A46C7800 MOV [00786CA4],EAX

to

AFTER GATEWAY CREATED...
0041A736 E9C5970300 JMP 00453F00
0041A73B 90 NOP
0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC] <-- we jmp back here after OUR CODE..
0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]
0041A748 A3A46C7800 MOV [00786CA4],EAX

ok.. next steps...

type U 453f00 (return)
type A 453f00 (return)

we are now ready to create the OUR CODE section...

First we must re-create the instruction that we destroyed to make our gateway...

type mov eax,[ebx+208] (return)

Now we need to store the POINTER into a static memory address.. all of the addresses
around you are static.. so you can pick any one you like.. nothing too close to the code
section .. i have chosen 453f30....

type mov dword ptr [453f30],ebx (return)

Now finally we need to jump back to the game code...

type jmp 41a73c (return) <-- 41a73c is just after our NOP instruction in the gateway...

type (return) <-- gets you out of (A)ssemble mode..

ok.. after alllll that... your code locations should look like this....



GATEWAY SECTION...
0041A736 E9C5970300 JMP 00453F00
0041A73B 90 NOP
0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC]
0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]
0041A748 A3A46C7800 MOV [00786CA4],EAX

OUR CODE SECTION...
00453F00 8B8308020000 MOV EAX,[EBX+00000208]
00453F06 891D303F4500 MOV [00453F30],EBX
00453F0C E92B68FCFF JMP 0041A73C
00453F11 0000 ADD [EAX],AL
00453F13 0000 ADD [EAX],AL

if your code does not mirror that of mine then you have done something wrong.. you need to
go back and redo it...

NOW!! if you HAVE the same code as me.. which you should have.. you can now press F5 to
exit softice.. and the game should be running fine...

we can now do something pretty cool to demostrate that this is ACTUALLY working....

go back into softice with CTRL-D..

type D *453f30+280 (return)

(if it says something like INVALID ADDRESS) you need to exit softice and then re-enter
again...)

if all goes to plan in the top left hand corner of the dump window u will see the REAL LIVES..
address.. you can modify this and your lives will change..

NOW FOR THE COOL PART!!!

lose all your lives.. so that it says GAME OVER..

start a new game.. (dont reload the game) just start a new game...

if you look at the dump window.. you will notice that the LIVES location has changed.. OBVIOUSLY!!
ITS DMA !! :)))

but.. our code is still doing its job... its still storing away the dma value at our static
address so all you need to do to find the REAL lives value again.. is type that command...

type D *453f30+280 (return)

and now in the top left hand corner of the dump window you will see the REAL LIVES address again..

pretty damn cool eh?? :))

we have defeated DMA .. the DMA base address will ALWAYS!!! be stored at 453f30 and all you need
to do is add 208 to it.. and you get the REAL LIVES address...

FINAL WORDS
***********

What can we do with this?
-------------------------

im sure the clever ones out there have already worked out how to use this in your trainers.. but
for those who are a little slower on the uptake ill explain...

once your code is injected into the game.. you can then use READPROCESSMEMORY to gather the dma
base address from 453f30.. then you just poke values into DMA_BASE_ADDRESS+208..
its as simple as that...

Injecting Your Code Injection! :)
---------------------------------

Once you have done all that you obviously dont wanna go through all those steps every time you
need to inject your code.. so you must create a trainer to inject the code for you.. its very
simple..infact its the same process as ALL trainers.. except you will be dealing with more
bytes than usual....

Example for this tutorial...
----------------------------

For the code injection to work every time.. this is what you would need to poke in your trainer..

At address 41a736..

you would need to poke E9,C5,97,03,00

At address 5f3f00

you would need to poke 8B,83,08,02,00,00,89,1D,30,3F,45,00,E9,2B,68,FC,FF

and thats it.. you will be able to read the DMA base address from 5f3f30..

basically all you do is poke all the OPCODES of the instructions we just wrote back into the
correct memory locations...

WORD OF WARNING!! always poke OUR CODE section OPCODES first... then the GATEWAY OPCODES..


FEW!!! another tutorial finished.. man!! its a lot of work..



*******************************************************************************************
*******************************************************************************************

If u have any questions or comments then email me at... [email protected]

visit my site for more tutorials.. sheeps trainer site..

I would just like to greet some people that support and inspire me....

Odin, MiraMax, Keyboard Junkie, Calligula, Orr, DarkLighter, Kilby, LordFinal, EverLast.
MiNiSTER, [NTSC], [Drone], Rizzah, Bengi...

No order.. just GREAT people..

If i missed anyone.. grab me and ill add u next time :))


PLEASE FEEL FREE TO SPREAD THIS DOCUMENT TO ANY SITES!!!!!


by [sheep]

#9 STN

STN

    Founder

  • The G-Man
  • 5,715 posts

Posted 12 January 2011 - 06:22 PM

DMA - Dynamic Memory Allocation

Author: [sheep] a.k.a RECLAIM!

Advanced Game Training by [sheep] a.k.a RECLAIM!
------------------------------------------------

(best viewed in 1024x768)

LESSON : 1.

SUBJECT: DMA - Dynamic Memory Allocation.

TOOLS NEEDED: Softice, memory searcher (ur choice).

U now have in ur possetion (part 1) of an ever expanding tutorial covering
ADVANCED GAME HACKING (A.G.H).. Over the next few months i hope to write a series
of tutorials covering all aspects of A.G.H.. The lessons i will be teaching in
these tutorials will give u the needed skills to make the transition between
NEWBIE GAME HACKER to GAME HACK REVERSER..

Apart from the beginner stuff im about to introduce ive never seen any of the
information in my tutorials written anywhere else this may be due to people either
not wanting to give out advanced information that has taken them a long time to study
OR.. they just cant be bothered to write an extensive essay about this subject..
either way it doesnt matter because u are about to learn ALL!!


LESSON START
------------

WHAT IS DMA?
------------

Im sure u have all heard about DMA by now.. understanding what this is and how
to defeat it are the first steps of a mighty ladder. Ill try and stick to telling
u how DMA affects us (THE GAME HACKER) and not stray into too much technical detail..

When a game uses DMA the memory locations it uses are allocated dynamically
whereby the game grabs the next available slot of memory and gives it to
whoever asked for it..

Generally there are so many variations going on while ur computer is running its very
unlikely that the memory locations u get on one occasion will be the same next time u
reload the game.. this is why ur trainers only work just after u have collected the
addresses and NOT once u have reloaded.. Once the game is reloaded it will grab a whole
NEW set of memory locations for itself thus making ur OLD set of memory locations useless.

To defeat DMA and create a trainer that will work 100% of the time u need to come out of
the realms of the NEWBIE and into the NEW LAND :)

NEW TOOL!
---------

This is where we start adding NEW tools to our cheaters arsenal.. the first tool we need
to add is called SOFTICE its a software debugger that enables u to manipulate the game
code (on the fly) which means while the game is still running..

I wont go into installing softice in this tutorial.. there are plenty of other tutorials
that do that for u.. so from here on ill assume u already have it installed.


SOFTICE SETUP
-------------

When u press CTRL-D to pop softice u should see the following windows..

REGISTER WINDOW - this window is always at the very top of the softice window
(WR [return]) and displays the contents of all the registers..

DUMP WINDOW - generally situated close to the top of the softice window
(WD [return]) contains a split screen display.. one side is ascii the
other is hex.
CODE WINDOW - this is the main window.. sits just under the DUMP WINDOW
(WC [return]) contains the code of whatever process maybe running when
u pop softice.. the code is represented in ASSEMBLY LANGUAGE
instrutions..

The comments in the brackets are what u need to type to turn the different windows on..
also u need to type CODE ON.. this will bring up the OPCODES which are a set of numbers
displayed to the left of each ASM instruction and to the right of every memory location
in the CODE WINDOW..

(if u dont understand any ASM then i suggest u go away now and read up on a basic tutorial)

DEFEATING DMA
-------------

THEORY
------

At the end of this section i will show u how DMA is defeated IN PRACTICE.. ill use a
game ive recently trained showing u code listings so that u can apply the theory to a practical
example.. so dont worry if im not going into too much detail about setting breakpoints
etc.. it will all be covered in the PRACTICAL section....

As we cannot change the memory locations of a DMA game we need to get right to the core
and by that i mean the GAME CODE.. once u have found ur memory locations in a NON-DMA
game u generally make ur trainer poke numbers into the locations u have found and this
makes an affective trainer.. we know that this doesnt work for DMA so what we have to do
is STOP the game code from decreasing our locations.. we do this by WATCHING what
happends to our memory locations while the game is running.. thankfully we dont need to
sit there and do the WATCHING ourselves.. our new friend SOFTICE does it all for us..

example...

lets say i have 5 lives and the location of these lives is 490000.

We can all think logically so we know that when we die in the game the GAME CODE will
decrease the location 490000 by 1.. We need to stop this from happening..

The way we do this is by setting something called a BREAKPOINT.. there are a few kinds
of breakpoint available to us but the one we need at the moment is a MEMORY BREAKPOINT..
this breakpoint will WATCH a memory location for us.. if anything should affect our
memory location then softice will then pop at the exact piece of code that affected it..
this means that when we die inside the game and the GAME CODE decreases our lives softice
will pop and we will find ourselves looking at the GAME CODE that decreases our lives..
GOOD STUFF EH? :(

Unfortunately this is where it starts to get tricky.. u NEED to be able to understand what
u are looking at.. by this i mean u HAVE to learn at least the basics of ASSEMBLY LANGUAGE
for some people this is too much and thats why they have given in.. but for many i know u
have struggled and stuck to it and have at least got a small understanding of ASM..

GAME CODE
---------

There is something VERY advantagious about GAME CODE.. IT NEVER CHANGES LOCATION.. thats
right.. on every single game EVEN DMA GAMES.. if we find the GAME CODE that decreases our
lives at 453000 then u can bet ur life that the next time u load the game the EXACT same
code is at 453000 and this is the key to defeating DMA.. instead of poking values into
DATA memory locations.. we are going to poke values into CODE memory locations.. actually
they are the same thing fundamentally they just behave in different ways..

CODE KILLING
------------

This is what u will see inside softice..


ADDRESS...... OPCODES............ ASSEMBLY LANGUAGE.....

0120:00008096 01585A ADD [EAX+5A],EBX
0120:00008099 7404 JZ 0000809F
0120:0000809B B486 MOV AH,86
0120:0000809D EB17 JMP 000080B6
0120:0000809F 55 PUSH EBP
0120:000080A0 1E PUSH DS
0120:000080A1 50 PUSH EAX
0120:000080A2 E86E078ED8 CALL D88E8815

This is just a random code snippet taken from softice.. it has nothing to do with a GAME
of any kind i just wanted to show u what was what when it came to the CODE WINDOW display
as this is the place u will be spending most of ur time...

now i will show u a section of code taken from a message board.. this is from a REAL GAME

ADDRESS...... OPCODES........ ASSEMBLY LANGUAGE.......

016F:xxxxxxxx 0000 MOV EAX,[EDI]
016F:xxxxxxxx 0000 DEC EAX
016F:xxxxxxxx 0000 MOV [ESI+0C],ECX
016F:xxxxxxxx 0000 MOV [EDI],EAX
016F:xxxxxxxx 0000 MOV EDI,EAX

Ok, the assembly instructions are the only valid thing in the above code the rest have
either been filled with 0000 for opcodes or xxxxxxxxx for the addresses.. these are not
important at this time anyway....

The above code probably means absolutly nothing to u and dont worry because it shouldnt..

NOW!!! let me add a story and some comments to the above code...

We are playing a game... we have got 20 LIVES.. we find the location of these LIVES
at 445566 we place a breakpoint on this location inside softice.. so that when something
affects our LIVES softice will pop and we can see the code that is affecting them...

WE FALL DOWN A HOLE AND DIE!!!!

BANG!!!!

SOFTICE POPS!!!!!

this is what we see.....


ADDRESS...... OPCODES........ ASSEMBLY LANGUAGE.......


016F:xxxxxxxx 0000 MOV EAX,[EDI] <------ number of LIVES we already had
is read from [EDI] and placed into
EAX. (EDI=445566) (EAX=20)

016F:xxxxxxxx 0000 DEC EAX <------ EAX is decreased by 1 (EAX = 19)

016F:xxxxxxxx 0000 MOV [ESI+0C],ECX <------ store ECX.

016F:xxxxxxxx 0000 MOV [EDI],EAX <------ place NEW LIVES ammount back into
location 445566. (EDI=445566)
(EAX=19)
SOFTICE LANDS HERE UNDER THE INSTRUCTION THAT
AFFECTED THE LIVES.... |
|
016F:xxxxxxxx 0000 MOV EDI,EAX


I hope the picture has become more clear to u now.. the lives are read from our location
then decreased by 1 and then placed back into our location.. im sure the clever ones
reading this will already have figured out what we have to do.. but for the slower chaps
ill continue :P


016F:xxxxxxxx 48 DEC EAX <------ EAX is decreased by 1 (EAX = 19)


Ok.. this is the NASTY instruction that is killing our poor little character... as
u can see ive put in the REAL OPCODE for this instruction its 48..

This instruction decreases our lives by 1 each time.. what we need to do is GET RID OF IT!!
if we do then there is nothing to kill our little character and he can live forever.... :P

Thankfully we can do this within softice.. u need to replace the DEC EAX with something
else.. the all time fave for replacing stuff that isnt needed is an equally small
instruction called NOP which is NO-OPERATION.. thats correct.. when this instruction is
executed absolutely nothing is done.. so KEEP this little NOP by ur side at all times..

so if we replace

016F:xxxxxxxx 48 DEC EAX <------ EAX is decreased by 1 (EAX = 19)

with..

016F:xxxxxxxx 90 NOP <------ NO OPERATION

then we have infinite lives.. its as easy as that..


THE THING ABOUT NOP
-------------------

When u are replacing instructions inside a program u have to make sure that if an
instruction has 5 opcodes then u MUST replace it with 5 opcodes..

example...

0120:00008121 E86C04EB10 CALL 10EB8592

if i wanted to get rid of the above call.. i couldnt just put 1 NOP.. because NOP is only 90
i need to FILL E8-6C-04-EB-10 so instead of just NOP(90) i would need 5 NOPS 90-90-90-90-90
otherwise the program will most definately crash on u... so once u have replaced this call
it should look like this...

before...

0120:00008121 E86C04EB10 CALL 10EB8592

after....

0120:00008121 90 NOP
0120:00008123 90 NOP
0120:00008125 90 NOP
0120:00008127 90 NOP
0120:00008129 90 NOP



MAKING THE DMA TRAINER
----------------------

A DMA trainer is no differnt in any way to a NORMAL trainer.. all u are doing is poking
values into the CODE section instead of the DATA section..

eaxmple...

replace..

016F:0000412345 48 DEC EAX <------ EAX is decreased by 1 (EAX = 19)

with..

016F:0000412345 90 NOP <------ NO OPERATION


Same Code but this time ive added the addresses and the correct OPCODES.. if i wanted to
make a trainer that worked 100% on this DMA game.. all i need to do is poke 90 (NOP)
into location 412345.. this would turn the DEC EAX to a NOP and the game would have
infinite lives.. no need to worry about DMA locations anymore.. 412345 WILL ALWAYS!!!
be the place to poke 90 and get infinite lives.. GAME CODE DOES NOT CHANGE LOCATION!!!

As i said at the beginning i havent gone into much detail about how to set breakpoints etc.
this will all be taken care of in the next part of the tutorial..


PRACTICAL EXAMPLE (Serious Sam 2)
----------------------------------------------

As i dont like to do things by half i will now show u a practical approach to defeating
DMA with code listings and softice commands.. this is just a backup of what is written
above.. after this u should be able to understand the entire tutorial.. that is if u dont
already :D...

These code listings and commands all come from the game SERIOUS SAM 2.. u dont need to
go and find this game but if u have it then it will make it a lot easier for u to have
a go with what we have learnt today...

On this game ive decided to show u BULLETS instead of lives because the life total in
SS2 is worked out slightly differently (something i will be tackling in another tutorial).

ok.. lets begin..


1. I did a normal EXACT VALUE search to find the address for the bullets ..
i got the address 6AFEF28.

2. I POPPED softice with CTRL-D so that i could set a breakpoint on the bullets location..

3. Inside softice i typed BPM 6AFEF28 W (the W means WRITE so when ever something writes
to our address softice will pop) then i pressed RETURN to set the breakpoint..

4. Return to the game.. SHOOT! BANG! SOFTICE POPS!

5. I scrolled the code window up a bit and this is the code listing...

ADDRESSES.... OPCODES............ ASSEMBLY LANGUAGE.........

017F:60570C50 55 PUSH EBP
017F:60570C51 8BEC MOV EBP,ESP
017F:60570C53 A1E8625E60 MOV EAX,[605E62E8]
017F:60570C58 8B08 MOV ECX,[EAX]
017F:60570C5A FF15E4625E60 CALL [605E62E4]
017F:60570C60 8B4854 MOV ECX,[EAX+54]
017F:60570C63 85C9 TEST ECX,ECX
017F:60570C65 7508 JNZ 60570C6F
017F:60570C67 8B4508 MOV EAX,[EBP+08] <--- Address of BULLETS
017F:60570C6A 8B4D0C MOV ECX,[EBP+0C] <--- Amount of BULLETS to
decrease by.(ECX=1)
017F:60570C6D 2908 SUB [EAX],ECX <--- subtract ECX(1)from BULLETS
017F:60570C6F 5D POP EBP <--- WE LAND HERE WHEN SI POPS
017F:60570C70 C3 RET

As u can see even though its not the same code as before its VERY similar.. thats the good
thing about ASM there are only a couple of instructions that decrease the value of an
address so they are easy to spot most of the time.. this time they use SUB.. which means
SUBTRACT.. ok.. to defeat this we need to get rid of that SUB instruction...

6. I typed A 60570C6D then pressed return.. this lets me manipulate the code at location
60570C6D..

7. I typed NOP [return] NOP [return] the returns mean i pressed return :) just to clear
any confusion.. I used 2 nops as u can see because remember we need to get rid of 2
bytes of OPCODES 29-08 so we need to replace them with 2 bytes of our own OPCODES
90-90..

8. I then pressed return a 3rd time without entering anything and softice drops out of
assemble mode..

9. Now we are all done and ready to test it.. CTRL-D got me back into the game.. i now
have infinite bullets.. and the dma is defeated..

dont forget.. game code doesnt change location.. to make a 100% working bullet trainer
for this game all u need to do is poke 90,90 into location 60570C6D...

WELL!! we have come to the end of this tutorial.. i hope u managed to follow it and
obtain all the knowledge u need to defeat DMA.. keep a look out for other tutorials
in this series..

If u have any problems or questions then please email me at [email protected]
please be patient for a reply...


PLEASE FEEL FREE TO SPREAD THIS DOCUMENT TO ANY SITES!!!!!

#10 STN

STN

    Founder

  • The G-Man
  • 5,715 posts

Posted 12 January 2011 - 06:25 PM

Code Injection - DMA To Static address with Tsearch

Written By: Epic Cataclysm
Based on: [Sheep]'s Tutorials for Softice


Subject: Code Injection - DMA To Static address with Tsearch
Tools Needed: Tsearch 1.6 or higher
Game Needed: Grand Theft Auto: Vice City
User Knowledge Needed: Basic Asm, Tsearch Functions
Tutorial Difficulty Level: Advanced

Time to rewrite one of [Sheep]'s tutorials for those of us who can't seem to fire up the old softice debugger for some reason or another. For those who can, well you are some of the lucky. I however have a radeon 9800, and softice didn't like that. So i have turned to Tsearch which seems to be neck and neck with softice in my opinion. Plus you dont have to worry about games protecting against softice when you are using Tsearch to hack everything that you need. In this tutorial, we are going to hack a vital code for Grand Theft Auto: Vice City. This code is Infinite Health.

------------------------+
Find the Initial Address:
------------------------+
Start a new game and make sure that your health is at 100 %. Next use Tsearch to search for a known value of 17096. Go back into the game and loose a bit of health. Alt+tab the game and do a search for "Value Has Decreased". Repeat this a few times until you come up with an address that works. *Note* Your address will not be the same as mine because of DMA.

----------------------+
Time to get Around DMA:
----------------------+
My address is A02DDE6. This is a DMA address and is not static. We need to set a breakpoint for read/write on this address to see what is reading and writing to this address. In Tsearch go to the menu "AutoHack" and choose "Enable Debugger". Next go to menu "AutoHack" and choose "AutoHack Window" to show the AutoHack window. Next go to menu "Edit" and choose "Set BreakPoint". A new screen will come up asking your for the address to set the breakpoint on, how many bytes, and the type of breakpoint. Enter your address that you found above, leave the byte settings like they are, and then choose "Read/Write" from the breakpoint list. Click "Set" to set the breakpoint for read/write on your address. REturn to the game and run around for a sec or so, then alt+tab and check autohack window. Notice all the offset addresses from your DMA address.

For Vice City the decreaser address affects everyone in the game, and not just you. Meaning that if you lock it then everyone in the game becomes immortal when you do. If you would have just set a write breakpoint you would have gotten just the pointer address that decreases everyones health, which is useless to us.

These are the offsets that you should see in the autohack window:

501973: fld dword ptr [ecx+0x354]
505CEA: fld dword ptr [ebx+0x354]
50A66B: fld dword ptr [ebx+0x354]
509FBB: fld dword ptr [ebx+0x354]
50F3A6: fld dword ptr [eax+0x354]
558A9D: fld dword ptr [eax+0x354]
558B41: fld dword ptr [eax+0x354]
5D30BC: fld dword ptr [ebp+0x354]
5267C0: fld dword ptr [ebx+0x354]
5267DE: fld dword ptr [ebx+0x354]
5267E8: fstp dword ptr [ebx+0x354]
5D3ABF: fld dword ptr [ebp+0x354]

Next we must set a BPX, or break on execution, on each of these addresses so that that we can see if they return a value. To do this, we take each address (example 501973) and go to menu "Edit" in the autohack window and choose "Disassemble", and enter your address. Choose the Disassembler tab from the bottom and you will see your address listed at the top. Right click your address from the list and choose "Register". Go to the register tab and you will see your address has been set for a Break on execute. Next look at the register that goes along with the address ([ecx+0x354] EAX in 501973's case), and choose it from the register list. Next click the box to the left of your address to enable the break and return to the game. Run around for a sec or so and alt+tab the game. If your address returns any value other than 0 and doesn't fluctuate in value then write the address down in notepad. Continue through all the values above until you have a list of working addresses.

My addresses are:

501973 fld dword ptr [ecx+0x354]
505CEA fld dword ptr [ebx+0x354]
50A66B fld dword ptr [ebx+0x354]
509FBB fld dword ptr [ebx+0x354]
558A9D fld dword ptr [eax+0x354]
558B41 fld dword ptr [eax+0x354]

All of the addresses above should have returned the same value. That value that they returned is an address in itself (remember, these are pointers to an address that holds a value of your life).

Ok, now gain some life to get your health % back to 100. Then take the value/address returned by the pointers above

Take the value of one of the pointers listed above and replace the original address you hacked (DMA address) with the value + 354h (example A01F331h + 354h = A01F685h). The reason we added 354h is because the pointer told us to add 354h to the register value. The value of that address that you just inserted will automatically change to a your health value. You address should return 1120403456 which is full health. Notice that in this game is it different from its counterpart value 17096 (DMA Address, Value).

----------------------+
Building Our Code Cave:
----------------------+
First thing we need to do is convert the value returned by the register value + 354h which is 1119754650 and convert it to hex which is 42C80000h. Next we will start building a code cave structure so that we can test our pointers above.

Memory in most games gets allocated from 0x10000, is used till 10950.., and then thereafter is empty space. So I am choosing 0x10bb0 to write my code cave to.

Ok, so we are ready to write some asm code now. Open the easywrite window by clicking the icon. Choose a new project and give that project a name (example "infinite health"). Next, write the following into the upper text area. Then press the "check" button to make sure everything is ok. Finally, press "OK" to save it.

offset 0x10bb0 <--- Address of our code cave
mov dword ptr [eax+0x354],0x42C80000 <--- Write max health into our health pointer
fld dword ptr [eax+0x354] <--- Reconstruct original instruction
jmp 0x501979 <--- Jump Back to original routine
offset 0x501973 <--- Address of our gateway
jmp 0x10bb0 <--- Jumps to our code cave
nop <--- Balance the instruction

To make the asm that we just wrote run, we need to check the little box to the left of "infinite health" (or whatever you've titled it), and return to the game to see if it worked. We are using the first pointer address 501973 in the above code cave. This code will write 42C80000h (1120403456) to each address you set it up with. Go through and test each pointer this way by replacing the pointer address 501973 and next address in line 501979 with a new address from above and the following address in line after it. To get the next address in line after your pointer address just go to the autohack window, choose "Disassemble", type your address in and then choose "Disassembler" tab from the bottom and look to see what address follows.

Through trial and error of 6 pointers you will find that the pointer of choice would be 558B41 fld dword ptr [eax+0x354]. It is the only one of the above codes that makes you invincible and everyone else mortal. So our code cave should look as follows:

offset 0x10bb0
mov dword ptr [eax+0x354],0x42C80000
fld dword ptr [eax+0x354]
jmp 0x558B47
offset 0x558B41
jmp 0x10bb0
nop

To set the instruction of your address back to normal enter the asm below into the bottom text area, press "check" to make sure it is error free, and then "Ok" to accept. This sets the offset back to its normal instruction set (Letting you become mortal again).

offset 0x558B41
fld dword ptr [eax+0x354]

-------------------------------------+
Converting Code Cave to TMK addresses:
-------------------------------------+
To get the addresses to poke in TMK from the asm code we just created, in the easywrite window press the "TMK" button, then the "Check" button to reveal what you should put in TMK to get your code cave to work in a trainer.

Your converted code should look like:

Our Code Cave:

Poke 400E00 C7 80 54 03 00 00 00 00 C8 42 D9
Poke 400E0B 80 54 03 00 00 E9 32 7D 15 00
Poke 558B41 E9 BA 82 EA FF 90

Set Address Back to Original Instruction Set:

Poke 558B41 D9 80 54 03 00 00

---------------------------------+
Special thanks to all that helped:
---------------------------------+
[Sheep], Sain, Fahrenheit and anyone else that I am forgetting to mention.

No order, just great people...

----------+
Conclusion:
----------+

If you have any questions or comments about this tutorial, please feel free to email me at [email protected] Also if you are looking for tutorials like this one, but using softice, please visit [sheep]'s site at http://www.sheeprec.cjb.net.

Feel free to spread this document to sites you think will benefit from it!!!!!

#11 STN

STN

    Founder

  • The G-Man
  • 5,715 posts

Posted 29 December 2011 - 09:17 PM

cmp [0x9190B8],ebp <-
We recreate any destroyed instructions.


Copied from the tut itself.

#12 keng

keng

    Rookie

  • Full Members
  • PipPipPipPip
  • 60 posts

Posted 29 December 2011 - 09:20 PM

№11, by this line we recreate the next instruction after the instruction where we injected our code, see below:

mov ebp,[eax+0x34] ; we need to inject our code here <- three bytes long
cmp [0x9190B8],ebp

So after the injection it will look like:

jmp ourIntAddr <- five bytes long

ourInjAddr:
...
ourInjCore
...
cmp [0x9190B8],ebp ;<- recreate the original instruction

The length or instruction where we injected is 3 bytes long, and the "jmp ourIntAddr" is five bytes long, it's longer by 2 bytes so the next instruction gets rewritten by it. It will cause a crash - we need to recreate it, but we've got an empty space only in our injection location, so:

game's code:
...
...
...
jmp to cave ->
->... ;<- we will land here after the cave's code
...
...


cave ->
...
some cave code
...
the erased by our jmp to cave command game's instruction
...
jmp back


Doing this we just make a spot in the game's code and place some custom code to it, but the jmp command is longer so to get the game code back to normal every line of code should be executed, and we need to rewrite anything we've destroyed. It's simple if you're looking at the code in the debugger - you rewrite the "short" game's instruction by your "long" jmpToCave instruction eating a part (or the whole) of the next game's instruction after which you've rewritten -> you must recreate it somewhere and you've got no other place to do it but in your cave's code. :)

Sorry if it's not clear because of my english, if you don't understand then I can show it with some screenshots.

Too slow, :sigh:. I must improve my typing skills.

Edited by keng, 29 December 2011 - 09:21 PM.


#13 keng

keng

    Rookie

  • Full Members
  • PipPipPipPip
  • 60 posts

Posted 30 December 2011 - 08:26 AM

Thanks Keng!
You mean cmp [0x9190B8],ebp is the next instruction after mov ebp,[eax+0x34] or maybe 3 instructions away?? If so, I understood. Thank you bro, helped a lot.


It's like this:

opcodes: | mnemonics:
------------------------------------------------------
FF FF FF | mov ebp, [eax+0x34]
FF FF FF FF FF | cmp [0x9190b8], ebp


The opcodes are not real in this piece of code, just one important thing - say, we want to make an injection at the first command's location. Like:

opcodes: | mnemonics:
------------------------------------------------------
FF FF FF FF FF | jmp 0x12300000
FF FF FF FF FF | cmp [0x9190b8], ebp


I've highlighted two bytes of the jump-to-cave command to show that if the old command was shorter - the bytes of the new command will be written over the next two bytes - but there is already "cmp [0x9190b8], ebp" and it will become broken. So we must do this thing firstly:

opcodes: | mnemonics:
------------------------------------------------------
FF FF FF FF FF | jmp 0x12300000
90 90 90 | nop's here (a "do nothing command")



Why nop's? Because we need to balance the game's code length byte-by-byte - if it was 10 bytes (whatever were the exact commands, the overall length is too impostant) - then it must be 10 bytes. So it was (for example) 3 bytes for mov and 5 for cmp. Then we placed 5-bytes long jmp-to-cave instead of 3 bytes mov - the next cmp command got broken because 3 bytes of it won't make any sense - so we replace them with nop's to balance the overall length (it was 3 + 5 = 8 bytes (3 for mov, 5 for cmp) -> it stays 5 + 3 = 8 bytes (5 for jmp and 3 nop's).

After some of game's code got destroyed - we need to recreate it and we can do this nowhere but inside our code cave:




-> cavecode ; we jump here from the game's code
...
cmp [0x9190b8], ebp
...
<- ; jmp back to game's code



Fine, we replaced the mov command with some our injected code and recreated the missing (destroyed by our jmp command) next instruction (cmp).

Now, when the code's length is balanced and the cave is created - we can write our custom code there, that's it. :)

#14 keng

keng

    Rookie

  • Full Members
  • PipPipPipPip
  • 60 posts

Posted 30 December 2011 - 09:05 AM

Was glad to help you, Katsuyori. :)

#15 keng

keng

    Rookie

  • Full Members
  • PipPipPipPip
  • 60 posts

Posted 30 December 2011 - 10:05 AM

№18, if you'll stuck somewhere - you could post opcodes of the place where your've tried to inject - I'll try to explain it again using your example. :)



Official Trainer Hosters:  
Affiliates:
 

Like our work ? Why not follow us on deviatedhacking youtube facebook page deviated twitter +deviatedhacking page