Welcome to dEViATED. We provide PC trainers, cheats, mods and game trainers and a gamehacking forum for discussions and help. We have pc cheats, cheat engine tables and mods for various old and new single player games.

These are some of the latest trainers released by us and supported fully.
Assassin's Creed Rogue Trainer
Grand Theft Auto 5 Trainer

Sign in to follow this  
Followers 0

DMA/Code Injection tutorials

15 posts in this topic


Resolving DMA in GTA: Vice City and Making a

Trainer .:

By shaikh_adeel


Why I wrote this


Well A friend of mine was having a lot of trouble with DMA in

hacking GTA: Vice City. When he asked me to help him, I thought I

might just write about how to hack its different options. SO here it

is ... the Tutorial on "Resolving DMA in GTA: Vice City and

Making a Trainer". I wont categorize this tutorial as Novice,

Intermediate or Advance coz I dont want to and I dont like to.

Anyone can and should read it. I will be keeping it very basic so

every one can understand it.

What We'll Learn:

1. One Hit Kills

2. Making our Player Invincible (GodMode)

3. Wanted Level Hacks (None and Full)

4. Ammo Hacks

5. Cash

6. Making The Trainer

What We Need:

1. GTA: Vice City ... the game (VC)

2. T-Search

3. An open Notepad window for ease.

4. Tsongkie's Code Cave Tool

Lets Start:

1. One Hit Kills:

First of all open up Note Pad, T-Search and VC. Alt+Tab out of the

game and choose the process in Tseacrh as gta-vc.exe.

Now go back to the game. Start a new

game if u haven't started it yet. When it starts make sure that ur

player has not been hurt yet and his health is 100. Ok ... Alt+Tab

out. Come to T-Search and start a new search. Now the known value of

full health is 200 in 1 Byte and 17096 in 2 bytes. So we'll search

for 200 in 1 byte.

Now, decrease ur health by fight

with a policeman. Now minimize the game and search for has

decreased. Keep doing this 'Has decreased' search until u find the

health address. Usually but not always the health address has the

value double of the value shown in the game. So this could be easier

to find. The Address that I found was 189E7BE. We

will use this address to find the Invincibility of our player and

One hit Kills for other people.

First of all ONE HIT KILLS. Now

click on Enable Debugger and Auto hack window. When the window

appears, right click on the address u found and click Auto Hack. Go

back to the game and get shot so that ur health decreases. Alt+Tab

again. Check the Auto Hack window .... bingo. We have something


5267E8: fstp dword ptr [ebx+0x354]

<------ Write this in the Notepad window.

We will use this address to make

"One hit Kills" cheat. This may look strange but this is

what I found out when I wrote to this instruction.

NOPping it would stop this

instruction. But we will write a value to it. So now lets make a

code cave for it. Open the Code Cave tool. Write the window name and

press search. Now these are the memory addresses we will use to make

our code caves. Pick one of them for our first hack. Now first for

O.H.K hack:



mov dword ptr [ebx+0x354],0x7D (7D in

Hex = 125 in Dec)

jmp 5267EE

offset 5267E8

jmp 0x400011

And the normal construction is:

offset 0x5267E8

fstp dword ptr [ebx+0x354]

We write this in the Easy Write

window. Name it "Health" and Press the TMK button and then

Check. It will now display Pokes for this address as shown below. U

can put these in ur trainer ....

Aan Aan .. not so fast ... We havent

yet Checked if this works or not! So press OK. and click in the box

next to the Health:

Now go into the game. Kick or Punch

Someone only once .... Bingo ... The person is lying on the floor in

a pool of blood. We have our Cheat. Write down the Pokes in the

Notepad window. We will use it for making a trainer in the end.

2. Invincibility:

Now we will use the same address 189E7BE to make an Invincibility

hack. Ok ... click on

in the auto hack window. Write the health address that we found ....

in my case 189E7BE in the address tab. Under Type, change it to

Read/Write. Press Ok. Go back to the Game and spend some time. U

dont need to get hit as we have used Read/Write. It will find

anything Reading our memory address. After 10 secs, minimize the


Whoa! Lots of Addresses. We will now

check if these addresses return a value so we put a BPX on them.

Take the first address and click on it. When it gets highlighted

then go to the bottom of the auto hack window and click the

Disassembler tab. Right click on the address on the Top in the

disassembler portion on the window and click Register. DO this to

all the addresses that u got. Now click in the square next to each

address and choose the register used in each of them. Now go back to

the game and spend sometime. Get back and ur Auto Hack window will

be as below:

Hmm ... the addresses that have

returned a value are the ones we want.

Now for the value of health:

As we see .... EAX = 189E468 and

[eax+0x354] is the address for health. Ok .... Add 189E468+354.

These are not Decimal ... Both values are in Hex. Use the Hex

calculator in T-Search to add them. We get 189E7BC. In T-Search take

any address and put this address in it. The value it returns is ur

Health value. At full health (100) it is 1120403456. At 125 Health

it is 1120403456. We can change the health address we found in the

beginning to any value and this value will change with it. Ok now we

will create a code cave that will give us 125 Health.

Code Cave:

Ok .... in the code Cave tool choose

another memory address ... I choose 0x400079. Savvy ?? :(

Now the code cave will be like :


0x400079 ( Our

address for the code cave)

mov dword ptr [ebx+0x354],0xhhhhhhhh (

Value to be written 'in hex')

fld dword ptr [eax+0x354] (Recreating

any destroyed instructions)

jmp xxxxxx+6h (

Adding 6 Hex will take us to the next original game loop.)

offset xxxxxx (

The address we found in Auto Hack)

jmp 0x400079

But we found alot of addresses didnt

we ?? Well theres only one way to u to see which one works. You have

to check all of them... Or maybe theres another way too .... I can

tell u which one.

Well 558B41 is Our required address.

So we'll make a code cave for it. Now we also need the hex value to

write in the code. Ok ... we want 125 Health right ?? And it was

1123680256 ... in Hex it is 42FA0000. Ok this is wht we'll use.

offset 0x400079

mov dword ptr [eax+0x354],0x42FA0000

fld dword ptr [eax+0x354]

jmp 0x558B47

offset 0x558B41

jmp 0x400079


Write it in the Easy Write Window and Check the Poke Codes :

Copy them on Notepad. Press ok.

Click in the box next to Invincible. Go in the game. Health is 125.

Cool. We have now made the Invincibility hack. Lets Move on.

3. Wanted Level Hacks:

Ok .. While playing the game, those pesky cops just keep on bugging

u ... Now they wont. Lets see how :D. Go in the game. Destroy stuff,

kill ppl until u have 2 stars. Now search for '2' in 1 Byte/BYTE

format. Keep on killing until u have 3 stars. Search for 3. Keep

increasing ur stars and searching for them until u find the address

for the stars. I got 21CCC18. Now go to

the game and write "LEAVEMEALONE". Its the code to remove

all cops. This is coz it will start the Star count from 0. Ok now

there r no stars. Go to the address and right click on it and click

Auto Hack.

Now go in the game punch someone. Do

this Until u get 1 star. Now kill ppl and get stars one by one. By

the time u have 6 Stars the auto hack window will look like :

Now this shows that 1,2,3,4,5 &

6 stars are written by there respective addresses. All we now have

to do is to write 0x0 in place of 0x1, 0x2, 0x3, 0x4, 0x5 and 0x6.

Now how do we do that ? U can do that in the Disassembler tab. Right

click on each address and click Assemble. The window appears asking

u to right the code. Just replace 0x# by 0x0. But that would not be

a permanent solution until u patch the game that way.

So for making the trainer we use the

same technique. Replacing numbers by 0. The code formed will be :

offset 0x4D221B

mov dword ptr [ecx+0x20],0x0

offset 0x4D21F7

mov dword ptr [ecx+0x20],0x0

offset 0x4D21CA

mov dword ptr [ecx+0x20],0x0

offset 0x4D219A

mov dword ptr [ecx+0x20],0x0

offset 0x4D216A

mov dword ptr [ecx+0x20],0x0

offset 0x4D213A

mov dword ptr [ecx+0x20],0x0

Do u understand what this code does

?? Well whenever y kill someone ... The game calls upon these

addresses to write their respective number of stars in the game. But

as we have changed them to 0, they will write 0 star each time u

kill a person ... means : No Stars :lol:

Now if u wanna have some fun with

those Military Guys ...u need full 6 Stars. This can be done by

putting 0x6 into the addresses that operate the first 5 stars :



mov dword ptr [ecx+0x20],0x6

offset 0x4D21F7

mov dword ptr [ecx+0x20],0x6

offset 0x4D21CA

mov dword ptr [ecx+0x20],0x6

offset 0x4D219A

mov dword ptr [ecx+0x20],0x6

offset 0x4D216A

mov dword ptr [ecx+0x20],0x6

Why dont we use only one of these

addresses to get 6 stars ?? Well this is because these addresses are

operated 1 by 1 and after one another. If we use the 2 star address

to get 6 stars. Then we will get 6 stars when after 1 star. When we

should get 2, we will get 6 instead of 2. But if we keep on killing

it will then move back from 6 to 3 stars. Because this is the time

that the 3 star address should work. So in Easy Write we put 6 in

all of them so they put 6 stars instead of their respective number

of stars. Go back to the game, type LEAVEMEALONE to lose all ur

stars and then kill some one (preferably a policeman) and Bang!! 6

Stars!! Cool ..... With this hack out of the way ... lets move on to

the Ammo Hack.

4. Ammo Hack: In GTA:

Vice City ... The Static Ammo address operates all the guns' ammo.

So If u freeze that address at 100... then all the guns' ammo will

be frozen at 100. Saves u a lot of Time!! But we have to find it

first :P

What gun do u have ?? I have the

Sniper Rifle ... and I will find the address for its ammo. Its ammo

in the game says 47-7. This means there are 7 bullets in it magazine

and 47 are spare. So the total number of bullets is 54. So we wont

look for 47. We wont look for 7. We are looking for 54. Ok in 1 Byte

or 2 Byte format .... search, fire, search, fire, search until

u get the address. mine was 18A7A94.

Auto Hack it. go to the Game. Shoot. Back to T-Search. And this is

what the Auto Hack Window says :

5D4AF5 dec dword ptr


There are two things that u can do

with this instruction. U can modify it to increase ur bullets when u

fire rather than decrease it. Or u can write a value like 100 and

freeze it there.

Ok first lets increase our bullets.

Change the code to :

5D4AF5 inc dword ptr


There u are. Assemble it that way

and u get increasing bullets.

To freeze it at 100, create a code

cave :

offset 0x400954

mov dword ptr [esi+0xC],0x64

jmp 5D4AFB

offset 5D4AF5

jmp 0x400954

Its Pokes Are :

Poke 10ABF C7 46 0C

64 00 00 00 E9 30 40 5C

Poke 10ACA 00

Poke 5D4AF5 E9 C5 BF A3 FF

There u are. This

what u need to do to freeze ur ammo at 100. Hmm .... Check it by

placing this code in Easy Write. Go in the game and fire a shot....

There u are its 100 ammo and frozen. Good .....

Now we have the

Cash/Money Hack Left to learn.

5. Money Hack:


this is the same thing that we have done the previous 4 times ...

and I don't feel like explaining it again, but since I said I will,

here it is. Check how much money u have. I have $ 6,945,906. Lets

search it in 4 Bytes/DWORD. Keep searching until u get the address.

I got 94ADC8.

OK now right click on it and click Auto Hack. Go in the game get

some money by killing someone. Back to auto hack and it has returned

2 addresses.

4BE7CE mov


441384 add [edx*8+0x94ADC8],eax

To find out what we need, we first

put a BPX on them both :

Once in the Register tab .... choose

the register from the list according to the register the address is

being moved to. Now click in the squares next to them both to get

that red spot in them. Now do in game and get some money. The

Register Tab will look like this :

The first address returns the value

69FD4F in hex = 6946127 in dec. And this is the value of my cash in

the game. Hmm ....and wht is the value returned by the 2nd address

.. its 3B in Hex. It is the amount of money u had picked up and this

instruction adds this value to ur money. We Dont need this one as u

see. We need the first address.

4BE7CE mov


Now we do the same

old thing again ..... but this I leave to u .... To make the code

cave :P

And another thing to

play with. U see the second address determines what amount is added

to ur money. Its 3B in this case ... if u change it to 10,000 (2710

in Hex) Will u pick up $10,000 each time u kill a person and get his

money ?? Check that out too.

6. Making the


We have found all the hacks that we had pointed out in the

beginning. Now all we need to do is make a trainer.

Well it dont need

much explaining really. All u have to do is place the Pokes from the

easywrite window into the Buttons.

This is wht ur

trainer pretty much might look like :

I have tried to keep

this tutorial AS simple as I could. but still If u have any

problems contact me.

Share this post

Link to post
Share on other sites


Resolving DMA in C&C:

Generals (Code Injection)

by Shaikh Adeel

Introduction: Command &

Conquer games have employed DMA since their first ever games .... So that Game

Hackers can be presented with a challenge - that we have taken up with pleasure.

To hack C&C: Generals we will employ Code injection again ... as my last

tutorial for GTA: Vice City. Anyone can and should read this tutorial as it is

not classified as beginner or advanced.

Things you might need:

- Command & Conquer: Generals v-1.0.

- You should know the basics of memory finding.

- Tsongkie's Code Cave Tool.

- A memory Scanner ... I will be using Cheat Engine v-4.3 and T-Search.

- A trainer builder or Language ....

Lets Begin:

Start a new Skirmish game .... Choose any team. In the start u have $10,000.

Alt+tab out of the game and in Cheat Engine (or whtever u use) choose Game.dat

as process. Now before we search for cash lemme tell u about the the Memory

Array function of Cheat Engine 4.3. Using it u can search

for ur value in an array of addresses that u urself choose. Default in

all memory searchers is usually 00400000 upto 7FFFFFFF. If we search with

default it would take a lot of time as well as RAM. So we choose an array of

03000000 - 04000000. I have found my money addresses in this range .... It may

differ in different versions. In that case u might have to search with default

at first and then get an idea where u find ur addresses.


... now search for 10000 using the following settings:

I only got 3 entries instantly .. without waiting for a looong search. Go into

the game. Build a Power Plant. That leaves u with $9,200. Alt+Tab out and u will

see that one address has changed to 9200. Add it to the list using the red

Pointer. Change its value .... and check in the game if it changes there too. If

it does not then search again ... If it does then lets move on.

Open your Debugger ... whatever you use - OllyDebug, SoftIce, T-Search's Auto

Hack. I will use Auto Hack .. But the basic Principles remain the same for all

of them. Copy the address for Cash from Cheat Engine. Now First of All ... place

a Write breakpoint on it in Auto Hack. Go into the game and Build another Power

Plant. Minimize the game and check the auto hack window. There is an offset


54A0F5 mov


But if we use this address for code injection ... it will also give as much cash

to ur opponent. OK ... now copy the same address and place a Read/Write

breakpoint on it. Now go into the game ... and DONT DO ANYTHING. The reason for

this is we want to see what instruction reads from that address coz we want to

get the address that would only give us cash and not our opponents. Just after

3-4 seconds alt+tab out again. Check the Auto Hack window and we see that we've

got another instruction there:

4EB5E0 mov ebp,[eax+0x34]

<----- This is the

address tht we'll use.

Ok ... good ... Lets start some Code Injection. Open Tsongkie's Code Cave Tool.

Go into the game and press F12. Alt+Tab out and u'll se alot of addresses listed

there. These are the code caves ... lets pick 00400011. Open the Easy Write and

start a new code. First of all we'll try the simplest code:

Easywrite Top:

offset 0x00400011

mov dword ptr [eax+0x34],0xF4240

mov ebp,[eax+0x34]

jmp 0x4EB5E3

offset 0x4EB5E0

jmp 0x00400011

Easywrite Bottom:

offset 0x4EB5E0

mov ebp,[eax+0x34]


use a hotkey for it ... I used F2. Name it "Cash" and press Ok. I wont

be using snaps of easy write here ... If u r new to Easywrite and Autohack then

read my GTA: Vice City tutorial so u can get a better idea. Ok ... now go in the

game ... Press the hotkey .... WTF! It crashes .. the error says: The game

encountered a serious error.


... we now need to see what caused it to crash. Open up Easywrite. Open the code

we made for Cash, Check the TMK pokes. Hmm intersting ... the pokes we made at

4EB5E0 are 5 bytes long while the original instruction is 3 Bytes in length. So

basically we are writing over the next instruction:


... now what we'll do is recreate all the code that is destroyed here and put it

in our code cave and jmp to it. So now the code that we'll create is:


offset 400011

mov dword ptr [eax+0x34],0xF4240

mov ebp,[eax+0x34]

cmp [0x9190B8],ebp

jmp 4eb5e9

offset 4eb5e0

jmp 400011






offset 0x4EB5E0

mov ebp,[eax+0x34]

cmp [0x9190B8],ebp

OK ... In case u dint

understand the code above:

- We create the code cave at


- mov dword ptr

[eax+0x34],0xF4240 : This code writes

1,000,000 into [eax+0x34]. Its written in Hex - F4240.

- mov ebp,[eax+0x34]


cmp [0x9190B8],ebp <-

We recreate any destroyed instructions.

- jmp 4eb5e9

We jump to the next original game loop or

the normal game routine. This is so that the loop continues. If u look at the

snapshot above u will see tht this address is after the cmp

[0x9190B8],ebp instruction. So basically we

run the 2 recreated pieces of code at our code cave and then jump to the

original game code so that it runs normally. Simple huh ??

- offset 4eb5e0

jmp 400011 This part jumps

from 04EB5E0 to our code cave, there we run our recreated code then jump back to

the next original game loop.

- The 4 NOPs are to balance out the code. Becoz the

code we created at our code cave was 5 bytes long. But the length we want to

balance is from 4eb5e0 to

4eb5e9 .. thats 9 Bytes long ... so we

balance the remaining 4 bytes by NOPs.

- At the Bottom we just recreate the code in its original form.


to create a trainer, all u need to do is use the code or the pokes in your



Share this post

Link to post
Share on other sites


Hacking Disciples: Sacred Lands - Advanced Game-Hacking

by Sorin

mail-me! ( [email protected] )

Sorin greets you!

TUT no1:




OK! In the following, I'll teach you how to find the instruction that decrease

your money in DISCIPLES: SACRED LANDS. I must tell you that it uses DMA and

has an unusual (at least for me) method to dec your money!

Start the game,and choose to PLAY A QUEST(not saga) and take a look at the money.

Write the value down on a piece of paper, then press alt+tab. Now, start

GameTrainer or any other memory finding/editing tool (Gamehack,Tsearch,etc.)

and search for that value [if you don't know how to do that, i'll explain to

you but only for GameTrainer.

GameTrainer: <- JUST for newbies and those who don't know(yet) how

~~~~~~~~~~~~ to use a memory finder


STEP 1: As "Process", select the game(---in my case disciple.exe);

STEP 2: In the "Value" box, type the amount of money you have;

STEP 3: In the "Type" drop-down menu select dword(means DoubleWord);

STEP 4: Press the "Find" button...

STEP 5: Now, down the "Find" button, it's the address list. Here you'll look

to see the money address. But after the search, this should contain

many addresses. That's because not only one memory address holds the

number you typed, but many more (in most of the cases). But you need

just the money address.To get that, go back in the game and spend some

money (ie: hire a unit, or build something). Now, you have less money ->

remember the value or write it down.

STEP 6: Alt+tab and go back to GameTrainer.

In the "Value" box, type the new amount of money;

Press the "Sieve" button...

STEP 7: Look at the address list. If there are more than 3-4 addresses, you must

lose (or gain) some money in the game and start a new search by typing the

new amount of money in the "Value" box, and always use the "Sieve" button.

STEP 8: Repeat this until you'll have only 3-4 addresses (in our case just one if

you play a quest). Very good...]




Well, we have the money addr. In my case is: 03B00A20. Since this game uses

DMA (dynamic memory allocation) your address WILL BE DIFFERENT. But that's

doesn't matter...

And, as you probably know, the classic method is this:

BPM 03B00A20 W --------------|

or |> in SoftIce

BPR 03B00A20 03B00A30 W------|

but in this case doesn't work.

This is what i got in SoftIce after putting a BPR 03B00A20 03B00A30 W

============================from here==================================

mov dx,[ecx]

mov [eax],dx

mov dx,[ecx+02]

mov [eax+02],dx

mov dx,[ecx+04]

mov [eax+04],dx

mov dx,[ecx+06]

mov [eax+06],dx

mov cx,[ecx+08]

mov [eax+08],cx --->>>here i land in SoftIce

ret 0004

===========================till here===================================

Well, eax+08 holds our money. But eax+08 is 03B00A20 (in my case, in your case

is the address you found with GameTrainer). If you don't believe me, type:

? eax+08

in SoftIce. Got it?

We can't overwrite this instruction, because it's used NOT only by the money_routine,

but by others as well (i.e.: when you hire a unit, this instruction MUST be executed.

Otherwise, the unit can't be hired!). We can't set another breakpoint on eax+08

because we already have one. MMmmmm... What to do???

I'll tell what to do in the following...



Let's put a breakpoint on 03B00A20 (in my case). But this time the breakpoint

should be rw(READ/WRITE) not only w(WRITE). So, in SoftIce type:

bpm 03B00A20 rw


Let's test it. Inside the game lose some money. SoftIce will break, and you'll be on

mov [eax+08],cx like in the beginning.

But this time eax+8 will not be 03B00A20(my case). It'll be a different value.

Now the things are like this:

When you lose some money, the game uses different addresses to hold your money

FROM WHERE IT DEC THE AMOUNT. Then it stores the new amount (after you lose some)

in 03B00A20 (in my case). Let's say that you lose some money. The game saves the

money you had (before losing) in a temp. address, it does the operations (dec) on

this temp. address, then stores then new value in 03B00A20 (in my case). That's

how the game works (in my opinion). Now, we only need to trap this tmp. address

BEFORE THE GAME WILL DEC THE AMOUNT. This means we must trap it when the game wants

to put in it the money you have BEFORE the game will dec the amount. That's why we put

a read/write breakpoint. When SoftIce popped the second time, eax+08 stores the temp.

address. So, put a breakpoint on it:

bpm eax+8 w

We'll use a write-only breakpoint because the game will now modify that amount.

Now,F5 to exit SoftIce, and you'll be again in SoftIce. But guess where? Exactly to the

instruction that dec your money!!!:

===============================from here===============================

mov dx,[ecx]

sub [eax],dx

mov dx,[ecx+02]

sub [eax+02],dx

mov dx,[ecx+04]

sub [eax+04],dx

mov dx,[ex+06]

sub [eax+0],dx

mov cx,[ecx+08]

sub [eax+08],cx *** what can this be ?!?!?! hehehe...***

mov cx,[eax] <-- here I land in SoftIce

test cx,cx

=============================till here=================================

So looking at the code, I figure it out that the "sub [eax+08],cx" is the nasty

instruction that dec our money. Now all you have to do is to nop or change or

do whatever you wanna do with that instruction! You can also make a trainer or

modify the .exe ...

Well my job here is done. But there is another question: what are the rest of the

"sub"-instructions do there? I'll let you figure it out what they do! (you must

play the game if you wish to know)...



This was my first tutorial about gamehacking. I hope you learnt something useful.

I'm glad I can share my knowledge with all of you, and remember : If you know

something useful, don't keep it just for you! Because you are not the only one who

knows it, and sooner or later, it'll be clear like the sunlight for EVERYBODY! Maybe

it took a long time for you to discover that, but the happyness of teaching the

others will be huge !

License, legal stuff, etc etc


You are free to do whatever you wanna do with this tutorial. But if you think that it

is good and people will learn something from it, spread it!!!

NOTE : This tutorial is dedicated to the wonderful people in the GameHacking forum.

~~~~~~ ~~~~~~~~~

mail-me! ( [email protected] )

Sorin greets you!




Share this post

Link to post
Share on other sites



I guess this is good, might read it one time maybe you could put code parts in code tags tho?

Share this post

Link to post
Share on other sites


Thats just a quick copy/pasta. Sure will do.

Share this post

Link to post
Share on other sites


Well a nice pack of game hacking tutorials.

Share this post

Link to post
Share on other sites


Hacking NOS in NFS Underground [Code Injection]

Author: [shaikh Adeel]

Note: The NOS hack in NFS Underground is quite easy. But I did see some ppl who wanted to know how to hack it .... so .... here's a li'l tutorial on how to hack NOS in Underground. And yes the game uses DMA ... and we're gonna take care of that too.

Tools used:

- T-Search

- Sheep's Array of Sunshine

Now run the game and Tsearch. I have unlocked the whole game so I have level-3 NOS. If u dont have level-3 NOS the maximum value of NOS will be different but the procedure will be the same.

- Ok, now start a quick race .. I used Drag. Select process in Tsearch = speed.exe.

- Now play game. Dont use any NOS. Go to Tsearch and search "Unknown Initial Value".

- Go in game, use some NOS and search "Has Decreased".

- Repeat this until u get the value for NOS.

Tip: Usually when u have only 15-17 addresses left ... all of them are in thousands .. only 1 will be in tens .. i.e 20 or 34 or 47 ... get the idea?? This will be ure NOS address.

- To check if u have the correct address. Increase its value.

- Dont increase it more than the max value or the game crashes.

- The max value for Level- 1 NOS is 30, for level-2 its 60 and Level-3 its 90.

Bypassing DMA:

Ok now that we've got the address for NOS, we need to get rid of DMA now.

In Tsearch, enable debugger and put a read/write breakpoint on the address we found to be controlling our NOS. In my case it was 12B4771. Now go back into the game ... and then alt+tab out again. DO NOT USE any NOS. We need to find the instruction that only increases our NOS and not the AI player's. So we dont put a Write b/p on the address.

Now that u're out to Auto Hack window .... u will see 3 to 5 instructions there. Mine were:

449FB3 mov eax,[ecx+0x3B8]

449FC4 fild dword ptr [ecx+0x3B8]

4A654C mov eax,[esi+0x3B8]

4A655D fild dword ptr [esi+0x3B8]

4A661F mov eax, [esi+0x3B8]

Go into the disassembler tab and register them one by one by right-clicking on them and then clicking register. Now go to the Register tab and choose the registers for each instruction ... the ones in brackets are wht we need. Ok ... now click in the boxes on the left side of each line. Now the debugger will tell u wht is the value in the registers. Go into the game and then again minimize it without using any NOS. Check out the register value. For me it was 12B43B8 for all of them.

Now as ecx/esi is equal to 1243B8 .... we can do [12B43B8+3B8] to get the value of NOS to be written into the trainer. It gave me 12B4770 .... Hmmm .... the value in this address was 23211 when my NOS meter was full (when the address 12B4771 had the value 90).

Ok ... we need to write the value 23211 into the trainer. In hex 0x5AAB.

Ok we now create the code for unlimited NOS. I used the top most instruction and it worked just fine.

Use sheep's Array of Sunshine or Tsongkie's code cave tool to get an empty slot.

Lets assume we got 40000 .... the code would be:


Offset 0x40000

mov word ptr [ecx+0x3B8],0x5AAB

mov eax,[ecx+0x3B8]

Jmp 0x449FB9

Offset 0x449FB3

jmp 0x40000



Offset 0x449FB3

mov eax,[ecx+0x3B8]

What the Code does:

- Normally, what happens at 449FB3 is, the game writes the value stored in [ecx+0x3B8] into ecx. We found that when the 23211 is written, the NOS is full.

- Now what we did was ... we jumped out from 449FB3 .... to 40000:

Offset 0x449FB3

jmp 0x40000

- Now at 40000 we write the value 5AAB in hex (23211 in dec) into [ecx+0xB38]. So its value remains 23211.

- Now we recreate the original instruction:

mov eax,[ecx+0x3B8]

- See what's happening??? This way the computer still keeps writing the value of [ecx+3B8] into eax ... but its value is now 23211. So our NOS meter remains full.

- Ok now we have to get back to the original game routine so the computer doesn't realize any thing wrong :)

- We see that the original instruction at 449FB3 was 6 bytes long.

- Our recreated code is 5 Bytes long.

- So we need to balance this to make the computer think that everything is normal.

- So we put a NOP after the jmp to 449FB9.

- U see we have jumped to 449FB9 ... coz our next the next original game instruction after our NOS instruction.

Now go into the game and check our NOS. Ok good it doesnt finish.

So dudes we have now made the unlimited NOS hack.

Have fun.

Share this post

Link to post
Share on other sites


CodeInjection - DMA to Static

Author: Sheep



TOOLS NEEDED: Softice, memory searcher (ur choice) gamehack.

Before we do actually start I warn you that if you dont have certain prior knowledge

before attempting this tutorial then you wont get much out of it..

I suggest you most certainly read my previous tutorial which covers DMA in full detail..

You also need to know at least the basics of the ASM language...

With all that out the way lets continue....



When you press CTRL-D to pop softice you should see the following windows..

REGISTER WINDOW - this window is always at the very top of the softice window

(WR [return]) and displays the contents of all the registers..

DUMP WINDOW - generally situated close to the top of the softice window

(WD [return]) contains a split screen display.. one side is ascii the

other is hex.

CODE WINDOW - this is the main window.. sits just under the DUMP WINDOW

(WC [return]) contains the code of whatever process maybe running when

u pop softice.. the code is represented in ASSEMBLY LANGUAGE


The comments in the brackets are what you need to type to turn the different windows on..

you also need to type CODE ON.. this will bring up the OPCODES which are a set of numbers

displayed to the left of each ASM instruction and to the right of every memory location

in the CODE WINDOW..



ok.. To achieve the final goal of defeating DMA with CODE INJECTION you will need to learn

a few new concepts that you may not have come across before.. ive listed the concepts that

we will be covering below...

i) Code Injection Theory

ii) Offset Theory

iii) DMA to STATIC Outline

iv) DMA to STATIC Practical Code Injection

Once you have learnt the first 3 concepts you will most certainly be ready to tackle the

4th and final one... good luck :))



Code injection is a method used by advanced game hackers to achieve certain tasks

that cannot be achieved with NORMAL game training methods.. The main aim of code

injection is to create a pathway FROM the main GAME loop TO your own code.. you then

jmp back to the main game loop after your code has been executed.. what your code does

is only limited by your knowledge of the game and of course your knowledge of asm :()

Code injection is so flexible you can do pretty much anything you like.. breaking free

of the restrictions of the normal NOP hacks....


This is a code snippet I used in my last tutorial.. its just an example so it doesnt


0120:00008096 01585A ADD [EAX+5A],EBX

0120:00008099 E9xxxxxxxx .---- JMP 500000 <--- we create our gateway here...

0120:0000809B B486 | MOV AH,86 <----.

0120:0000809F 55 | PUSH EBP |

0120:000080A0 1E | PUSH DS |

0120:000080A1 50 | PUSH EAX |

0120:000080A2 E86E078ED8 | CALL D88E8815 |

| |

| |

0120:00500000 OUR CODE! <---' |

0120:00500002 OUR CODE! |

0120:00500004 OUR CODE! |

0120:00500006 JMP 809B -------------------------------' <--- once our code is done we jmp back..

if u destroy any valuable instructions while making your gateway.. you must make sure you

re-create them inside the OUR CODE section.. or you will most likely crash the game...

Dont forget this is only the theory.. a fully detailed "HOW TO" will follow in the practical

section lower down..



We all know that DMA causes the variables of a game to change location every time we

either start a new game or reboot completely.. Even though this is true.. DMA variables

actually stay in the same place relevant to each other.. WHAT DO I MEAN?? I hear you ask :P)

ok.. ill give u an example...

00456777 : LIFE TOTAL

00456778 :





00456999 : BULLET TOTAL

The above diagram is a hypothetical situation of 2 DMA variables.. we have LIFE TOTAL

at address 456777 and we have BULLET TOTAL at 456999 if you subtrack those 2 addresses

from each other you get what is called an OFFSET.. 456999h-456777h = 222h (h = hex).

you will understand why we need offsets in just a second...


00659123 : LIFE TOTAL

00659124 :





00659345 : BULLET TOTAL

Now we have restarted the variables have changed location.. BUT!! notice the actual addresses

659345h-659123h = 222h. Even though the variables are allocated different memory locations

they always stay the same distance apart.. this is the KEY to the whole process..

The reason they stay the same distance apart is because each variable isnt actually allocated

seperate memory locations.. a large chunk of memory containing most if not all game variables

would be allocated the memory at run time...

Using offsets we can make a detailed map of every variable we need.. all we would need

to do is pick 1 variable as the MASTER and find this address every time.. from that 1

address you will instantly know where the other variables are located in memory...

Another example....

Here is a made up offset map...

HEALTH COUNTER location = MASTER VARIABLE <--- find this address.

BULLETS location = MASTER VARIABLE + 3445h

LIVES location = MASTER VARIABLE + 2345h


now.. we start our game... and find HEALTH COUNTER..

000657444 : HEALTH COUNTER

we can now change that map into REAL addresses.. like this..

HEALTH COUNTER location = 657444h + 0h = 657444h

BULLETS location = 657444h + 3445h = 65A889h

LIVES location = 657444h + 2345h = 659789h

SKILL POINTS location = 657444h + 334h = 657778h

So now you can see by making a Variable map using 1 MASTER variable we can find all the

other variables with offsets :P) its pretty cool stuff eh? :D))

ok.. its pretty vital that you understand offsets BEFORE you go on.. if you dont understand

it then go back and RE-RE-RE READ....



Once you understand at least the basics of code injecting such as I explained ealier

you should'nt have too much trouble understanding the DMA to STATIC principles..

The outline goes something like this :-

We find a place in the game code that contains a POINTER to a variable we are using


Once we have found this POINTER we need to make sure that it is a SPECIFIC POINTER

which means it ONLY!! points to 1 location.. if the POINTER is GENERAL it will cycle

through many places and manipulate many memory locations this is useless to us...

A pointer will look something like this .. MOV EAX,[EBX+00000208]

EBX will contain a DMA base address.. the 208 is an offset added to EBX to form the

POINTER which points to our variable (LIVES)..

Lets say that we know EBX+208 = LIVES.. we now need to find out if this is a SPECIFIC pointer

(points to only 1 address) and not a GENERAL pointer (points and manipulates many addresses)

we do this by placing a breakpoint on the MOV EAX,[EBX+00000208] instruction then keep pressing

F5 to get out of softice.. every time softice pops up again look at the contents of EBX..

if the number inside EBX doesnt change then we know that we have a SPECIFIC pointer.. if the

number inside EBX changes, even once, then this pointer is no good to us.. to get a good idea

if the address in EBX is SPECIFIC you should check the value in EBX at least 10 or 20 times to

make sure its not changing...

ok, once we have found our SPECIFIC pointer.. we need to store away the DMA base value that

lies inside EBX (NOTE!! EBX doesnt always contain the DMA base value.. it could be any

REGISTER.. u need to look at the pointer and see what REGISTER IS USED.. ie..

MOV EAX,[EBX+00000208] <-- EBX contains the store away value

MOV EAX,[ECX+00004564] <-- ECX contains the store away value

MOV EAX,[EDX+00001122] <-- EDX contains the store away value

MOV EAX,[ESI+00000234] <-- ESI contains the store away value

MOV EAX,[EDI+00004408] <-- EDI contains the store away value

just keep all that in mind.. pointers can take on many forms but I think the above code is more

than likely the type of thing you will encounter in most games...

ok.. so we need to store our DMA base value away into static memory.. we do this by creating a

pathway to our own code (code injection).. our code will then place the DMA base value thats

inside EBX into a static address so that our trainer can read that address every time.. create

its own pointer by adding offsets to it.. and then poking values into that pointer..

Here is a diagram to explain it a little more....

We have found our pointer.. below

Before we make our gateway...


0041A736 MOV EAX,[EBX+00000208] <----- pointer here...

0041A73C FLD REAL4 PTR [EBX+000000CC]

0041A742 FDIV REAL4 PTR [EBX+000000C8]

0041A748 MOV [00786CA4],EAX

After we make our gateway...


0041A736 JMP 9000000 <----- gateway has been created..

0041A73C FLD REAL4 PTR [EBX+000000CC]

0041A742 FDIV REAL4 PTR [EBX+000000C8]

0041A748 MOV [00786CA4],EAX

Our code section...


09000005 MOV EAX,[EBX+00000208] ; re-create instruction we destroyed to make our gateway

09000010 MOV [9000100],EBX ; mov DMA base value in ebx into a static address..

09000015 JMP 41A73C ; Jump back to main game loop..

09000100 0000000000 ; location to store value from EBX

Once the above code has been executed u can now read the value from 9000100 and even

when the game changes its memory locations ur code will put the correct value back

inside 9000100.. so all u need to do is read that value.. add 208 to it and u

have the exact location of LIVES.. remember?? lives = EBX+208...

thats pretty much the whole deal.. apart from the code that reads the value from 9000100 but

ill show u that in the PRACTICAL section below... dont worry if all that was a bit much to

take in.. keep flipping back to this section to re-read.. with the fully explained PRACTICAL

section u should be able to put them both together and understand it all..



The game ive chosen for this tutorial is called SPACE TRIPPER..(thanks keyboardjunkie)

you can dload it from here.. http://www.pompom.org.uk/STpage1.htm

lets start...

First thing we need to do is find a MASTER variable.. ive chosen LIVES..

unfortuantly this game is a bit of a bitch for finding the LIVES value.. but with a little

asm knowledge (which you all should have by now :)) you will be fine...

oki.. we do the usual search.. die.. search die..

If you do it correctly you will only find 1 address .. and it will be this.. 786ca4

If you try and change this location you will notice that the screen updates but thats

about it.. you still have the same amount of LIVES as before thats because you havent found the

REAL address for LIVES.. dont worry!! i didnt expect you to.. ill tell you why.. this game doesnt

just allocate memory every time you start a new game.. it allocates memory after every time

you die.. so its impossible for you to find the REAL value with a mem searcher.. thankfully

the ON SCREEN variable is STATIC.. so from this variable we can quickly find the REAL value..

This is how its done...

Using softice place a breakpoint on the ON SCREEN variable like this..

type BPM 786ca4 W (return)

lose a life..

softice POPS!!!!

you should see this...

0041A736 8B8308020000 MOV EAX,[EBX+00000208]; pointer moves REAL LIVES into EAX (EAX = 2)

0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC]

0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]

0041A748 A3A46C7800 MOV [00786CA4],EAX ; Move REAL LIVES value into ON SCREEN variable

; (ON SCREEN variable = 2 )

As you can see [EBX+00000208] is a POINTER to the REAL LIVES address in memory.. EBX will contain

a DMA base address which we need to store away and 208 is added to it so that EBX+208 = REAL LIVES.

The value from the REAL LIVES location is moved into EAX and then EAX is placed into the

ON SCREEN variable memory location... to prove all this you need to do this..

In softice..

type D EBX+208 (return)

Now edit the memory location in the top left hand corner of the DUMP window and your lives will

update properly.. showing you that we have found the REAL LIVES memory location...

Luckily enuff we have found 2 vital things with just 1 breakpoint.. we have found the REAL LIVES

memory address.. we have also found a potential POINTER to use in our CODE INJECTION.. lets see

if this POINTER is SPECIFIC or GENERAL.. once again we take to softice..

First of all we need to clear all other breakpoints so ...

type BC* (return)

then place a breakpoint on the 41a736 address...

type BPX 41A736 (return)

then press F5 to get out of softice..

softice should POP!! straight away..

Look at the content of EBX.. has the value changed??

keep pressing F5..

keep looking at the EBX content :))

is the value inside EBX changing?? if no!! we are IN!!! YAY!!!

So, now we have found a valid place to inject and save our POINTER into a static memory

address.. all we need to do now is find a nice place to put OUR CODE!! u can do this

a few ways..

1. Look up and down the code close to where u are injecting and see if there is a large

cluster of NOPs.. (this is empty code).. also a large cluster of 0's signals a good

OUR CODE location aswell..

2. If nothing turns up close to your injecting address then do a search in softice for

909090909090.. read the manual if you dont know how to search.. you should do by now..

3. This is the method I use.. people tell me that they have encountered problems with

this method but ive created about 20 to 30 trainers using it and its never given

me a NON working trainer.. so until it does ill continue to use it..

i) type TASK (return) inside softice..

ii) find the name of your game window..

iii) type MAP32 <game window name> (return)

iv) this will bring up all the sections of the game.. what we want to do is add code onto

the end of the data section.. here is what i get from Space Tripper...

:map32 spacetripper

Owner Obj Name Obj# Address Size Type

SPACETRIPP.text 0001 017F:00401000 0004BE10 CODE RO

SPACETRIPP.data 0002 0187:0044D000 00006718 IDATA RW

SPACETRIPP.bss 0003 0187:00454000 0035CDB4 UDATA RW

SPACETRIPP.idata 0004 0187:007B1000 000014F0 IDATA RW

SPACETRIPP.rsrc 0005 0187:007B3000 0000095C IDATA RO SHARED

The .data section starts at 44d000 but we need to use the end of the data section ( there is

usually a lot of buffered space on the end of the data section so we can happily use it without

messing with any REAL data used by the game) so what we do is look at the next section down..

which is .bss the start of the .bss section is just after the very end of the .data section..

so, lets hunt for a nice place to put OUR CODE..

inside softice again...

type D 454000 (return)

Just to be on the safe side we need to scroll the dump window up a bit.. so that we are

on the end of the data section.. you will notice that when we scroll upwards the text at the top

of the dump window will change.. from



SPACETRIPPER! .data+<offset>

to scroll the dump window up u need to do this..

type EB (return)

then use the PAGE UP / PAGE DOWN keys to move the window up and down :))

ive decided that 453f00 is a good place for us to place our code.. so the first thing you need

to do is write that memory address down.. so that you dont forget it...

now we have the address of OUR CODE.. we need to go back to the pointer at (41a736) and make

our gateway.. it should still be inside your code window but if it isnt then do this..

type U 41a736 (return)

that will place 41a736 at the top of your CODE window..

now we create the gateway...


The next steps are all done one after the other .. you cannot break in the middle of them

or attempt to come out of softice or you will crash the game....

type A 41a736 (return)

type jmp 453f00 (return)

type nop (return) ( we need this nop to ballance the opcodes and to avoid a crash)

type (return) ( this return on its own will take us out of (A)ssemble mode)

at this point you should see the code window change from...


0041A736 8B8308020000 MOV EAX,[EBX+00000208]

0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC]

0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]

0041A748 A3A46C7800 MOV [00786CA4],EAX



0041A736 E9C5970300 JMP 00453F00

0041A73B 90 NOP

0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC] <-- we jmp back here after OUR CODE..

0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]

0041A748 A3A46C7800 MOV [00786CA4],EAX

ok.. next steps...

type U 453f00 (return)

type A 453f00 (return)

we are now ready to create the OUR CODE section...

First we must re-create the instruction that we destroyed to make our gateway...

type mov eax,[ebx+208] (return)

Now we need to store the POINTER into a static memory address.. all of the addresses

around you are static.. so you can pick any one you like.. nothing too close to the code

section .. i have chosen 453f30....

type mov dword ptr [453f30],ebx (return)

Now finally we need to jump back to the game code...

type jmp 41a73c (return) <-- 41a73c is just after our NOP instruction in the gateway...

type (return) <-- gets you out of (A)ssemble mode..

ok.. after alllll that... your code locations should look like this....


0041A736 E9C5970300 JMP 00453F00

0041A73B 90 NOP

0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC]

0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]

0041A748 A3A46C7800 MOV [00786CA4],EAX


00453F00 8B8308020000 MOV EAX,[EBX+00000208]

00453F06 891D303F4500 MOV [00453F30],EBX

00453F0C E92B68FCFF JMP 0041A73C

00453F11 0000 ADD [EAX],AL

00453F13 0000 ADD [EAX],AL

if your code does not mirror that of mine then you have done something wrong.. you need to

go back and redo it...

NOW!! if you HAVE the same code as me.. which you should have.. you can now press F5 to

exit softice.. and the game should be running fine...

we can now do something pretty cool to demostrate that this is ACTUALLY working....

go back into softice with CTRL-D..

type D *453f30+280 (return)

(if it says something like INVALID ADDRESS) you need to exit softice and then re-enter


if all goes to plan in the top left hand corner of the dump window u will see the REAL LIVES..

address.. you can modify this and your lives will change..


lose all your lives.. so that it says GAME OVER..

start a new game.. (dont reload the game) just start a new game...

if you look at the dump window.. you will notice that the LIVES location has changed.. OBVIOUSLY!!

ITS DMA !! :)))

but.. our code is still doing its job... its still storing away the dma value at our static

address so all you need to do to find the REAL lives value again.. is type that command...

type D *453f30+280 (return)

and now in the top left hand corner of the dump window you will see the REAL LIVES address again..

pretty damn cool eh?? :))

we have defeated DMA .. the DMA base address will ALWAYS!!! be stored at 453f30 and all you need

to do is add 208 to it.. and you get the REAL LIVES address...



What can we do with this?


im sure the clever ones out there have already worked out how to use this in your trainers.. but

for those who are a little slower on the uptake ill explain...

once your code is injected into the game.. you can then use READPROCESSMEMORY to gather the dma

base address from 453f30.. then you just poke values into DMA_BASE_ADDRESS+208..

its as simple as that...

Injecting Your Code Injection! :)


Once you have done all that you obviously dont wanna go through all those steps every time you

need to inject your code.. so you must create a trainer to inject the code for you.. its very

simple..infact its the same process as ALL trainers.. except you will be dealing with more

bytes than usual....

Example for this tutorial...


For the code injection to work every time.. this is what you would need to poke in your trainer..

At address 41a736..

you would need to poke E9,C5,97,03,00

At address 5f3f00

you would need to poke 8B,83,08,02,00,00,89,1D,30,3F,45,00,E9,2B,68,FC,FF

and thats it.. you will be able to read the DMA base address from 5f3f30..

basically all you do is poke all the OPCODES of the instructions we just wrote back into the

correct memory locations...

WORD OF WARNING!! always poke OUR CODE section OPCODES first... then the GATEWAY OPCODES..

FEW!!! another tutorial finished.. man!! its a lot of work..



If u have any questions or comments then email me at... [email protected]

visit my site for more tutorials.. sheeps trainer site..

I would just like to greet some people that support and inspire me....

Odin, MiraMax, Keyboard Junkie, Calligula, Orr, DarkLighter, Kilby, LordFinal, EverLast.

MiNiSTER, [NTSC], [Drone], Rizzah, Bengi...

No order.. just GREAT people..

If i missed anyone.. grab me and ill add u next time :))


by [sheep]

Share this post

Link to post
Share on other sites


DMA - Dynamic Memory Allocation

Author: [sheep] a.k.a RECLAIM!

Advanced Game Training by [sheep] a.k.a RECLAIM!


(best viewed in 1024x768)


SUBJECT: DMA - Dynamic Memory Allocation.

TOOLS NEEDED: Softice, memory searcher (ur choice).

U now have in ur possetion (part 1) of an ever expanding tutorial covering

ADVANCED GAME HACKING (A.G.H).. Over the next few months i hope to write a series

of tutorials covering all aspects of A.G.H.. The lessons i will be teaching in

these tutorials will give u the needed skills to make the transition between


Apart from the beginner stuff im about to introduce ive never seen any of the

information in my tutorials written anywhere else this may be due to people either

not wanting to give out advanced information that has taken them a long time to study

OR.. they just cant be bothered to write an extensive essay about this subject..

either way it doesnt matter because u are about to learn ALL!!





Im sure u have all heard about DMA by now.. understanding what this is and how

to defeat it are the first steps of a mighty ladder. Ill try and stick to telling

u how DMA affects us (THE GAME HACKER) and not stray into too much technical detail..

When a game uses DMA the memory locations it uses are allocated dynamically

whereby the game grabs the next available slot of memory and gives it to

whoever asked for it..

Generally there are so many variations going on while ur computer is running its very

unlikely that the memory locations u get on one occasion will be the same next time u

reload the game.. this is why ur trainers only work just after u have collected the

addresses and NOT once u have reloaded.. Once the game is reloaded it will grab a whole

NEW set of memory locations for itself thus making ur OLD set of memory locations useless.

To defeat DMA and create a trainer that will work 100% of the time u need to come out of

the realms of the NEWBIE and into the NEW LAND :)



This is where we start adding NEW tools to our cheaters arsenal.. the first tool we need

to add is called SOFTICE its a software debugger that enables u to manipulate the game

code (on the fly) which means while the game is still running..

I wont go into installing softice in this tutorial.. there are plenty of other tutorials

that do that for u.. so from here on ill assume u already have it installed.



When u press CTRL-D to pop softice u should see the following windows..

REGISTER WINDOW - this window is always at the very top of the softice window

(WR [return]) and displays the contents of all the registers..

DUMP WINDOW - generally situated close to the top of the softice window

(WD [return]) contains a split screen display.. one side is ascii the

other is hex.

CODE WINDOW - this is the main window.. sits just under the DUMP WINDOW

(WC [return]) contains the code of whatever process maybe running when

u pop softice.. the code is represented in ASSEMBLY LANGUAGE


The comments in the brackets are what u need to type to turn the different windows on..

also u need to type CODE ON.. this will bring up the OPCODES which are a set of numbers

displayed to the left of each ASM instruction and to the right of every memory location

in the CODE WINDOW..

(if u dont understand any ASM then i suggest u go away now and read up on a basic tutorial)





At the end of this section i will show u how DMA is defeated IN PRACTICE.. ill use a

game ive recently trained showing u code listings so that u can apply the theory to a practical

example.. so dont worry if im not going into too much detail about setting breakpoints

etc.. it will all be covered in the PRACTICAL section....

As we cannot change the memory locations of a DMA game we need to get right to the core

and by that i mean the GAME CODE.. once u have found ur memory locations in a NON-DMA

game u generally make ur trainer poke numbers into the locations u have found and this

makes an affective trainer.. we know that this doesnt work for DMA so what we have to do

is STOP the game code from decreasing our locations.. we do this by WATCHING what

happends to our memory locations while the game is running.. thankfully we dont need to

sit there and do the WATCHING ourselves.. our new friend SOFTICE does it all for us..


lets say i have 5 lives and the location of these lives is 490000.

We can all think logically so we know that when we die in the game the GAME CODE will

decrease the location 490000 by 1.. We need to stop this from happening..

The way we do this is by setting something called a BREAKPOINT.. there are a few kinds

of breakpoint available to us but the one we need at the moment is a MEMORY BREAKPOINT..

this breakpoint will WATCH a memory location for us.. if anything should affect our

memory location then softice will then pop at the exact piece of code that affected it..

this means that when we die inside the game and the GAME CODE decreases our lives softice

will pop and we will find ourselves looking at the GAME CODE that decreases our lives..


Unfortunately this is where it starts to get tricky.. u NEED to be able to understand what

u are looking at.. by this i mean u HAVE to learn at least the basics of ASSEMBLY LANGUAGE

for some people this is too much and thats why they have given in.. but for many i know u

have struggled and stuck to it and have at least got a small understanding of ASM..



There is something VERY advantagious about GAME CODE.. IT NEVER CHANGES LOCATION.. thats

right.. on every single game EVEN DMA GAMES.. if we find the GAME CODE that decreases our

lives at 453000 then u can bet ur life that the next time u load the game the EXACT same

code is at 453000 and this is the key to defeating DMA.. instead of poking values into

DATA memory locations.. we are going to poke values into CODE memory locations.. actually

they are the same thing fundamentally they just behave in different ways..



This is what u will see inside softice..


0120:00008096 01585A ADD [EAX+5A],EBX

0120:00008099 7404 JZ 0000809F

0120:0000809B B486 MOV AH,86

0120:0000809D EB17 JMP 000080B6

0120:0000809F 55 PUSH EBP

0120:000080A0 1E PUSH DS

0120:000080A1 50 PUSH EAX

0120:000080A2 E86E078ED8 CALL D88E8815

This is just a random code snippet taken from softice.. it has nothing to do with a GAME

of any kind i just wanted to show u what was what when it came to the CODE WINDOW display

as this is the place u will be spending most of ur time...

now i will show u a section of code taken from a message board.. this is from a REAL GAME


016F:xxxxxxxx 0000 MOV EAX,[EDI]

016F:xxxxxxxx 0000 DEC EAX

016F:xxxxxxxx 0000 MOV [ESI+0C],ECX

016F:xxxxxxxx 0000 MOV [EDI],EAX

016F:xxxxxxxx 0000 MOV EDI,EAX

Ok, the assembly instructions are the only valid thing in the above code the rest have

either been filled with 0000 for opcodes or xxxxxxxxx for the addresses.. these are not

important at this time anyway....

The above code probably means absolutly nothing to u and dont worry because it shouldnt..

NOW!!! let me add a story and some comments to the above code...

We are playing a game... we have got 20 LIVES.. we find the location of these LIVES

at 445566 we place a breakpoint on this location inside softice.. so that when something

affects our LIVES softice will pop and we can see the code that is affecting them...




this is what we see.....


016F:xxxxxxxx 0000 MOV EAX,[EDI] <------ number of LIVES we already had

is read from [EDI] and placed into

EAX. (EDI=445566) (EAX=20)

016F:xxxxxxxx 0000 DEC EAX <------ EAX is decreased by 1 (EAX = 19)

016F:xxxxxxxx 0000 MOV [ESI+0C],ECX <------ store ECX.

016F:xxxxxxxx 0000 MOV [EDI],EAX <------ place NEW LIVES ammount back into

location 445566. (EDI=445566)





016F:xxxxxxxx 0000 MOV EDI,EAX

I hope the picture has become more clear to u now.. the lives are read from our location

then decreased by 1 and then placed back into our location.. im sure the clever ones

reading this will already have figured out what we have to do.. but for the slower chaps

ill continue :P

016F:xxxxxxxx 48 DEC EAX <------ EAX is decreased by 1 (EAX = 19)

Ok.. this is the NASTY instruction that is killing our poor little character... as

u can see ive put in the REAL OPCODE for this instruction its 48..

This instruction decreases our lives by 1 each time.. what we need to do is GET RID OF IT!!

if we do then there is nothing to kill our little character and he can live forever.... :P

Thankfully we can do this within softice.. u need to replace the DEC EAX with something

else.. the all time fave for replacing stuff that isnt needed is an equally small

instruction called NOP which is NO-OPERATION.. thats correct.. when this instruction is

executed absolutely nothing is done.. so KEEP this little NOP by ur side at all times..

so if we replace

016F:xxxxxxxx 48 DEC EAX <------ EAX is decreased by 1 (EAX = 19)


016F:xxxxxxxx 90 NOP <------ NO OPERATION

then we have infinite lives.. its as easy as that..



When u are replacing instructions inside a program u have to make sure that if an

instruction has 5 opcodes then u MUST replace it with 5 opcodes..


0120:00008121 E86C04EB10 CALL 10EB8592

if i wanted to get rid of the above call.. i couldnt just put 1 NOP.. because NOP is only 90

i need to FILL E8-6C-04-EB-10 so instead of just NOP(90) i would need 5 NOPS 90-90-90-90-90

otherwise the program will most definately crash on u... so once u have replaced this call

it should look like this...


0120:00008121 E86C04EB10 CALL 10EB8592


0120:00008121 90 NOP

0120:00008123 90 NOP

0120:00008125 90 NOP

0120:00008127 90 NOP

0120:00008129 90 NOP



A DMA trainer is no differnt in any way to a NORMAL trainer.. all u are doing is poking

values into the CODE section instead of the DATA section..



016F:0000412345 48 DEC EAX <------ EAX is decreased by 1 (EAX = 19)


016F:0000412345 90 NOP <------ NO OPERATION

Same Code but this time ive added the addresses and the correct OPCODES.. if i wanted to

make a trainer that worked 100% on this DMA game.. all i need to do is poke 90 (NOP)

into location 412345.. this would turn the DEC EAX to a NOP and the game would have

infinite lives.. no need to worry about DMA locations anymore.. 412345 WILL ALWAYS!!!

be the place to poke 90 and get infinite lives.. GAME CODE DOES NOT CHANGE LOCATION!!!

As i said at the beginning i havent gone into much detail about how to set breakpoints etc.

this will all be taken care of in the next part of the tutorial..



As i dont like to do things by half i will now show u a practical approach to defeating

DMA with code listings and softice commands.. this is just a backup of what is written

above.. after this u should be able to understand the entire tutorial.. that is if u dont

already :D...

These code listings and commands all come from the game SERIOUS SAM 2.. u dont need to

go and find this game but if u have it then it will make it a lot easier for u to have

a go with what we have learnt today...

On this game ive decided to show u BULLETS instead of lives because the life total in

SS2 is worked out slightly differently (something i will be tackling in another tutorial).

ok.. lets begin..

1. I did a normal EXACT VALUE search to find the address for the bullets ..

i got the address 6AFEF28.

2. I POPPED softice with CTRL-D so that i could set a breakpoint on the bullets location..

3. Inside softice i typed BPM 6AFEF28 W (the W means WRITE so when ever something writes

to our address softice will pop) then i pressed RETURN to set the breakpoint..

4. Return to the game.. SHOOT! BANG! SOFTICE POPS!

5. I scrolled the code window up a bit and this is the code listing...


017F:60570C50 55 PUSH EBP

017F:60570C51 8BEC MOV EBP,ESP

017F:60570C53 A1E8625E60 MOV EAX,[605E62E8]

017F:60570C58 8B08 MOV ECX,[EAX]

017F:60570C5A FF15E4625E60 CALL [605E62E4]

017F:60570C60 8B4854 MOV ECX,[EAX+54]

017F:60570C63 85C9 TEST ECX,ECX

017F:60570C65 7508 JNZ 60570C6F

017F:60570C67 8B4508 MOV EAX,[EBP+08] <--- Address of BULLETS

017F:60570C6A 8B4D0C MOV ECX,[EBP+0C] <--- Amount of BULLETS to

decrease by.(ECX=1)

017F:60570C6D 2908 SUB [EAX],ECX <--- subtract ECX(1)from BULLETS


017F:60570C70 C3 RET

As u can see even though its not the same code as before its VERY similar.. thats the good

thing about ASM there are only a couple of instructions that decrease the value of an

address so they are easy to spot most of the time.. this time they use SUB.. which means

SUBTRACT.. ok.. to defeat this we need to get rid of that SUB instruction...

6. I typed A 60570C6D then pressed return.. this lets me manipulate the code at location


7. I typed NOP [return] NOP [return] the returns mean i pressed return :) just to clear

any confusion.. I used 2 nops as u can see because remember we need to get rid of 2

bytes of OPCODES 29-08 so we need to replace them with 2 bytes of our own OPCODES


8. I then pressed return a 3rd time without entering anything and softice drops out of

assemble mode..

9. Now we are all done and ready to test it.. CTRL-D got me back into the game.. i now

have infinite bullets.. and the dma is defeated..

dont forget.. game code doesnt change location.. to make a 100% working bullet trainer

for this game all u need to do is poke 90,90 into location 60570C6D...

WELL!! we have come to the end of this tutorial.. i hope u managed to follow it and

obtain all the knowledge u need to defeat DMA.. keep a look out for other tutorials

in this series..

If u have any problems or questions then please email me at [email protected]

please be patient for a reply...


Share this post

Link to post
Share on other sites


Code Injection - DMA To Static address with Tsearch

Written By: Epic Cataclysm

Based on: [sheep]'s Tutorials for Softice

Subject: Code Injection - DMA To Static address with Tsearch

Tools Needed: Tsearch 1.6 or higher

Game Needed: Grand Theft Auto: Vice City

User Knowledge Needed: Basic Asm, Tsearch Functions

Tutorial Difficulty Level: Advanced

Time to rewrite one of [sheep]'s tutorials for those of us who can't seem to fire up the old softice debugger for some reason or another. For those who can, well you are some of the lucky. I however have a radeon 9800, and softice didn't like that. So i have turned to Tsearch which seems to be neck and neck with softice in my opinion. Plus you dont have to worry about games protecting against softice when you are using Tsearch to hack everything that you need. In this tutorial, we are going to hack a vital code for Grand Theft Auto: Vice City. This code is Infinite Health.


Find the Initial Address:


Start a new game and make sure that your health is at 100 %. Next use Tsearch to search for a known value of 17096. Go back into the game and loose a bit of health. Alt+tab the game and do a search for "Value Has Decreased". Repeat this a few times until you come up with an address that works. *Note* Your address will not be the same as mine because of DMA.


Time to get Around DMA:


My address is A02DDE6. This is a DMA address and is not static. We need to set a breakpoint for read/write on this address to see what is reading and writing to this address. In Tsearch go to the menu "AutoHack" and choose "Enable Debugger". Next go to menu "AutoHack" and choose "AutoHack Window" to show the AutoHack window. Next go to menu "Edit" and choose "Set BreakPoint". A new screen will come up asking your for the address to set the breakpoint on, how many bytes, and the type of breakpoint. Enter your address that you found above, leave the byte settings like they are, and then choose "Read/Write" from the breakpoint list. Click "Set" to set the breakpoint for read/write on your address. REturn to the game and run around for a sec or so, then alt+tab and check autohack window. Notice all the offset addresses from your DMA address.

For Vice City the decreaser address affects everyone in the game, and not just you. Meaning that if you lock it then everyone in the game becomes immortal when you do. If you would have just set a write breakpoint you would have gotten just the pointer address that decreases everyones health, which is useless to us.

These are the offsets that you should see in the autohack window:

501973: fld dword ptr [ecx+0x354]

505CEA: fld dword ptr [ebx+0x354]

50A66B: fld dword ptr [ebx+0x354]

509FBB: fld dword ptr [ebx+0x354]

50F3A6: fld dword ptr [eax+0x354]

558A9D: fld dword ptr [eax+0x354]

558B41: fld dword ptr [eax+0x354]

5D30BC: fld dword ptr [ebp+0x354]

5267C0: fld dword ptr [ebx+0x354]

5267DE: fld dword ptr [ebx+0x354]

5267E8: fstp dword ptr [ebx+0x354]

5D3ABF: fld dword ptr [ebp+0x354]

Next we must set a BPX, or break on execution, on each of these addresses so that that we can see if they return a value. To do this, we take each address (example 501973) and go to menu "Edit" in the autohack window and choose "Disassemble", and enter your address. Choose the Disassembler tab from the bottom and you will see your address listed at the top. Right click your address from the list and choose "Register". Go to the register tab and you will see your address has been set for a Break on execute. Next look at the register that goes along with the address ([ecx+0x354] EAX in 501973's case), and choose it from the register list. Next click the box to the left of your address to enable the break and return to the game. Run around for a sec or so and alt+tab the game. If your address returns any value other than 0 and doesn't fluctuate in value then write the address down in notepad. Continue through all the values above until you have a list of working addresses.

My addresses are:

501973 fld dword ptr [ecx+0x354]

505CEA fld dword ptr [ebx+0x354]

50A66B fld dword ptr [ebx+0x354]

509FBB fld dword ptr [ebx+0x354]

558A9D fld dword ptr [eax+0x354]

558B41 fld dword ptr [eax+0x354]

All of the addresses above should have returned the same value. That value that they returned is an address in itself (remember, these are pointers to an address that holds a value of your life).

Ok, now gain some life to get your health % back to 100. Then take the value/address returned by the pointers above

Take the value of one of the pointers listed above and replace the original address you hacked (DMA address) with the value + 354h (example A01F331h + 354h = A01F685h). The reason we added 354h is because the pointer told us to add 354h to the register value. The value of that address that you just inserted will automatically change to a your health value. You address should return 1120403456 which is full health. Notice that in this game is it different from its counterpart value 17096 (DMA Address, Value).


Building Our Code Cave:


First thing we need to do is convert the value returned by the register value + 354h which is 1119754650 and convert it to hex which is 42C80000h. Next we will start building a code cave structure so that we can test our pointers above.

Memory in most games gets allocated from 0x10000, is used till 10950.., and then thereafter is empty space. So I am choosing 0x10bb0 to write my code cave to.

Ok, so we are ready to write some asm code now. Open the easywrite window by clicking the icon. Choose a new project and give that project a name (example "infinite health"). Next, write the following into the upper text area. Then press the "check" button to make sure everything is ok. Finally, press "OK" to save it.

offset 0x10bb0 <--- Address of our code cave

mov dword ptr [eax+0x354],0x42C80000 <--- Write max health into our health pointer

fld dword ptr [eax+0x354] <--- Reconstruct original instruction

jmp 0x501979 <--- Jump Back to original routine

offset 0x501973 <--- Address of our gateway

jmp 0x10bb0 <--- Jumps to our code cave

nop <--- Balance the instruction

To make the asm that we just wrote run, we need to check the little box to the left of "infinite health" (or whatever you've titled it), and return to the game to see if it worked. We are using the first pointer address 501973 in the above code cave. This code will write 42C80000h (1120403456) to each address you set it up with. Go through and test each pointer this way by replacing the pointer address 501973 and next address in line 501979 with a new address from above and the following address in line after it. To get the next address in line after your pointer address just go to the autohack window, choose "Disassemble", type your address in and then choose "Disassembler" tab from the bottom and look to see what address follows.

Through trial and error of 6 pointers you will find that the pointer of choice would be 558B41 fld dword ptr [eax+0x354]. It is the only one of the above codes that makes you invincible and everyone else mortal. So our code cave should look as follows:

offset 0x10bb0

mov dword ptr [eax+0x354],0x42C80000

fld dword ptr [eax+0x354]

jmp 0x558B47

offset 0x558B41

jmp 0x10bb0


To set the instruction of your address back to normal enter the asm below into the bottom text area, press "check" to make sure it is error free, and then "Ok" to accept. This sets the offset back to its normal instruction set (Letting you become mortal again).

offset 0x558B41

fld dword ptr [eax+0x354]


Converting Code Cave to TMK addresses:


To get the addresses to poke in TMK from the asm code we just created, in the easywrite window press the "TMK" button, then the "Check" button to reveal what you should put in TMK to get your code cave to work in a trainer.

Your converted code should look like:

Our Code Cave:

Poke 400E00 C7 80 54 03 00 00 00 00 C8 42 D9

Poke 400E0B 80 54 03 00 00 E9 32 7D 15 00

Poke 558B41 E9 BA 82 EA FF 90

Set Address Back to Original Instruction Set:

Poke 558B41 D9 80 54 03 00 00


Special thanks to all that helped:


[sheep], Sain, Fahrenheit and anyone else that I am forgetting to mention.

No order, just great people...




If you have any questions or comments about this tutorial, please feel free to email me at [email protected] Also if you are looking for tutorials like this one, but using softice, please visit [sheep]'s site at http://www.sheeprec.cjb.net.

Feel free to spread this document to sites you think will benefit from it!!!!!

Share this post

Link to post
Share on other sites


cmp [0x9190B8],ebp <-

We recreate any destroyed instructions.

Copied from the tut itself.

1 person likes this

Share this post

Link to post
Share on other sites

Posted (edited)

â„–11, by this line we recreate the next instruction after the instruction where we injected our code, see below:

mov ebp,[eax+0x34] ; we need to inject our code here <- three bytes long

cmp [0x9190B8],ebp

So after the injection it will look like:

jmp ourIntAddr <- five bytes long





cmp [0x9190B8],ebp ;<- recreate the original instruction

The length or instruction where we injected is 3 bytes long, and the "jmp ourIntAddr" is five bytes long, it's longer by 2 bytes so the next instruction gets rewritten by it. It will cause a crash - we need to recreate it, but we've got an empty space only in our injection location, so:

game's code:




jmp to cave ->

->... ;<- we will land here after the cave's code



cave ->


some cave code


the erased by our jmp to cave command game's instruction


jmp back

Doing this we just make a spot in the game's code and place some custom code to it, but the jmp command is longer so to get the game code back to normal every line of code should be executed, and we need to rewrite anything we've destroyed. It's simple if you're looking at the code in the debugger - you rewrite the "short" game's instruction by your "long" jmpToCave instruction eating a part (or the whole) of the next game's instruction after which you've rewritten -> you must recreate it somewhere and you've got no other place to do it but in your cave's code. :)

Sorry if it's not clear because of my english, if you don't understand then I can show it with some screenshots.

Too slow, :sigh:. I must improve my typing skills.

Edited by keng
1 person likes this

Share this post

Link to post
Share on other sites


Thanks Keng!

You mean cmp [0x9190B8],ebp is the next instruction after mov ebp,[eax+0x34] or maybe 3 instructions away?? If so, I understood. Thank you bro, helped a lot.

It's like this:

opcodes: | mnemonics:


FF FF FF | mov ebp, [eax+0x34]

FF FF FF FF FF | cmp [0x9190b8], ebp

The opcodes are not real in this piece of code, just one important thing - say, we want to make an injection at the first command's location. Like:

opcodes: | mnemonics:


FF FF FF FF FF | jmp 0x12300000

FF FF FF FF FF | cmp [0x9190b8], ebp

I've highlighted two bytes of the jump-to-cave command to show that if the old command was shorter - the bytes of the new command will be written over the next two bytes - but there is already "cmp [0x9190b8], ebp" and it will become broken. So we must do this thing firstly:

opcodes: | mnemonics:


FF FF FF FF FF | jmp 0x12300000

90 90 90 | nop's here (a "do nothing command")

Why nop's? Because we need to balance the game's code length byte-by-byte - if it was 10 bytes (whatever were the exact commands, the overall length is too impostant) - then it must be 10 bytes. So it was (for example) 3 bytes for mov and 5 for cmp. Then we placed 5-bytes long jmp-to-cave instead of 3 bytes mov - the next cmp command got broken because 3 bytes of it won't make any sense - so we replace them with nop's to balance the overall length (it was 3 + 5 = 8 bytes (3 for mov, 5 for cmp) -> it stays 5 + 3 = 8 bytes (5 for jmp and 3 nop's).

After some of game's code got destroyed - we need to recreate it and we can do this nowhere but inside our code cave:

-> cavecode ; we jump here from the game's code


cmp [0x9190b8], ebp


<- ; jmp back to game's code

Fine, we replaced the mov command with some our injected code and recreated the missing (destroyed by our jmp command) next instruction (cmp).

Now, when the code's length is balanced and the cave is created - we can write our custom code there, that's it. :)

1 person likes this

Share this post

Link to post
Share on other sites


Was glad to help you, Katsuyori. :)

Share this post

Link to post
Share on other sites


â„–18, if you'll stuck somewhere - you could post opcodes of the place where your've tried to inject - I'll try to explain it again using your example. :)

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  
Followers 0