Training games [PC]

This is very intresting, It is one of the best. ENJOY No credit


*********************************************************************************

ÜÜÜÜÛÛÜÜÜÜÜÜ
Û²ÛÛÛÛÛÛÝ
ßÛ Û²ÛÛÛÛÛÛ Ûßß ß
Û Û²ÛÛÛÛÛÛ Û ÜÜÜÜÜÜ nmls^bafh
ÜÜÜÜÜÜ Û²ÛÛÛÛÛÛÞÜÜÛÛÛÛ²ÛÛ ÜÜÜÜÜÜ ÜÜÜÜÜÜ
ÜÜÜÛßßßßÛÜÜÛßß ÜÜ ßß ÛÛ²ÛÛÛÛÛßßßßßßßßß ÜÜÛßß ÜÜ ßßßÛÜÜÜ ÜÜÛßß ÜÜ ßßßÛÜÜÜ
ÜÜÜÛÛÜÜÜÜÜÜÛÛÛÛÛÛÛÜÜÞßßÛÛÛÛ Ûßßßßßßßß ÜÛßß ÜÜÛÛÛÛÛÛÛÜÜÜ ßß ÜÜÜÛÛÛÛÛÛÛÜÜÜ ßßß
° ÝÛÛÛÛÛÛÛÛÝßßÛÛÛÛ²ÛÛÛÛÛÞßÛÛÛ ÜÜÜÛßßßßßÛÜ ÜÜÛÛÛßßßÛÛÛÛÛÛ²ÛÛÛÞßÛÛßÝßÛÛÛÛÛÛ²ÛÛÜ
° Û²ÛÛÛÛÛÛ ° ÝÛÛÛÛÛÛ²ÛÛÛÞÛÛÛÞÛ ÜÜÜÛÛÛÜÜÜÜÞß²ÛÝ° ÝÝÛÛÛÛÛÛÛ²ÛÛÞÛÝ ° ßÛÛÛÛÛÛ²ÛÛ °
±° Û²ÛÛÛÛÛÛ °°ÝÛÛÛÛÛÛÛ²ÛÛÞÛÛÛ ± ÝÛÛÛÛÛÛ²ÛÛÛÞ²ÛÞ±° ÜÛÛÛÛÛÛÛÛÛßÞÛ °°±ÝÛÛÛÛÛÛÛÛÝ °
±± Û²²ÛÛÛÛÛ ±° ÛÛÛÛÛÛÛ²ÛÛÞÛÛÛ ±² ÛÛÛÛÛÛÛ²ÛÛÝßÛÛÜÜÜÜÜÜÜÜÞßÞ ÝÜÛÛ °±² ÜÜÜÜÜÜÜ ±°
²± ÛÛ²ÛÛÛÛÛÞ²± ÛÛÛÛÛÛÛ²ÛÛÞÛÛÛÞ²²ÞÛÛÛÛÛÛÛ²ÛÛÝÞÝßßßßßÛÛÛÛÛÛÛÛÜÞßÛÞ²² ÞÛÛÛÛÛÛÛÛÜ ±
²²ÞÛÛ²ÛÛÛÛÛÞ²²ÞÛÛÛÛÛÛÛ²ÛÛÞÛÛÛÞ²ÞÜÛÛÛÛÛ²ÛÛÛÛÞ²ÜÞ²² ÞÞÛÛÛÛÛÛ²ÛÛÞ²Þ ²ÞÜÛÛÛÛÛÛ²ÛÛ ²
²²ÞÛÛÛÛÛÛÛÛÞ² ÞÛÛÛÛÛ²ÛÛÛÛÞ²ÛÛÜÜÛÛÛÛÛÛÛÛßßßÞÜÛÛÛÜÜÜÛÛÛÛÛÛÛ²ÛÛß ÛÛÜÞÜÛÛÛÛÛÛ²ÛÛß ²
² ßßßßßÛÛßß Ü ßßßßßßßßßß ÜÜÜÜÜÜÜÜ ßßß ÜÜ ßßßßßßßÛÛÛÛÛßßßßßß Ü ßßßÛÛÛÛÛÛÛßßß ÜÜÜ
ßßßßßÛÜÜÜÜÛß ßßßßßßßßßßßßß ßßßßßßß ßßßßßßÛÜÜÜÜÜÜÜÛßßßßßßßßÛÜÜÜÜÜÜÜÜÜÛßßß

Training Games on PC´s (Windows specific)
written by [NtSC] over/2001/2002

*********************************************************************************
Disclaimer:
-----------
If you request Nuke for People,when they release a Trainer with the same Options
you have,just delete this Tutorial,and kill yourself.It was in Case not written
for kiddie Morons wich make 50% of the todays Internet.

About me..
----------
I am doing Trainers / Reverse Engineering of code since 1986...
C-64,Amiga,SuperNES,GameBoy Advanced and Pc now..

Began training Games on PC in January 2001

Tools I use to train:
---------------------
- W32Dasm
- SoftIce
- GameHack v2.0
- MagicTrainerCreator
- BlindFind (my own Tool,for Alt-Tab protected Games..)
- Icedump < for Mem-Dumps + Anti-Debugging Features >

Language I code in:
-------------------
- No Masm,just Tasm.. (Borland Turbo Assembler v5.0)

Lets start our little Tutorial..

---------------------------------------------------------------------------------------

The Search:
-----------

(with SoftIce useable)

- Fastest Way is to use a GameHack-Tool and search for the Option
Adresses.When Adresses are found set an Breakpoint on Region with
Softice. (Adress: 4df000 / bpr 4df000 4df001 w) this means...
SoftIce will break up when a (w)rite Access appears to that
Adress.When SoftIce pops up,you should be at the Decrement for
the Adress.

(SoftIce unuseable,due to GFX-Setup of Game)

- Find Adresses with GameHack-Tool.Start W32Dasm and disassemble
the Game.exe.Go to search Option and search for the Adress your
GameHack-Tool provided.You should find Inits, or Decrements when it uses
static Memory Adresses. DMA Adressing would end in no Results (normally...)..!

W32Dasm Problems:
-----------------

- SomeTimes when you try to disassemble an Program with W32DASM
you will not get any Code Line.This is done via an manipulation
of the PE-Header Section Flags. The fucked up Flags look
like: 400000C0 or 600000C0..you have to patch these Flags,in case
you want to disassemble it correctly.With these Flags set,
the .code Section is declared as an Data Section and W32Dasm
will not disassemble them correctly.Change the Flags to: E0000020
for most of the normal Sections,and just give the code section
20000060 and try then...should work....if the Program is packed,
W32Dasm will give no correct Informations anyway.You´ll have to
depack it first.

* Note: Nowadays,for Shareware mangled Section Flags are 90% of 100 done
through Pe-Crypters or Packers like for example Asprotect..
In that Case you will have to find some Depacker for that
Crypter/Packer used on that Program..
Or just dump and rebuild...Can you?..

Alt-Tab Protections:
--------------------
Some Things i found through the Time are:

a) check the existing Windowname / WindowClasses / .exe Names of running Processes
for known GameHack-Tools.
WindowName or WindowClass = one of known GameHackTool = shutup Game
Name of an running Process = one of known GameHackTool = shutup Game
Solution = change WindowName / WindowClass/ .exe Name of your Tool

b) Key Combination setup.
Variants:
...Alt-Tab disabled
...no switch back to Game,after Alt-Tab
...if Alt-Tab pressed,quit Game

See Examples for more Info on that....

c) poor Game coding...the Game isnt able to restore the Screen after Task-Switching.
At this time,you have only the Chance to use SoftIce-Plugins.

d) Auto-Setback Game Window to Foreground-Window
Check Actual ForeGroundWindow,if it is not the GameWindow,set GameWindow
back to actual ForeGroundWindow.
Done with a nice Timer,itll make the lil Trainerguys dizzy I think...

Alt-Tab-Protection-Examples:
----------------------------

Example from Game: The Smurfs,lets get loose
Dll: wkeykill.dll
--------------------------------------------------------------------------------------

Header from wkeykill.dll / W32Dasm Output

+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 2 (decimal)

Import Module 001: KERNEL32.dll
Import Module 002: USER32.dll

+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++

Import Module 001: KERNEL32.dll

Addr:000020B0 hint(00FE) Name: GetModuleHandleA
Addr:00002094 hint(0051) Name: DisableThreadLibraryCalls

Import Module 002: USER32.dll

Addr:000020D2 hint(00D7) Name: GetAsyncKeyState
Addr:000020E6 hint(0011) Name: CallNextHookEx
Addr:000020F8 hint(0248) Name: UnhookWindowsHookEx
Addr:0000210E hint(0234) Name: SystemParametersInfoA
Addr:00002126 hint(0225) Name: SetWindowsHookExA

+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0001 (decimal)

Addr:10001210 Ord: 1 (0001h) Name: Kill

+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************
Program Entry Point = 10001000 (wkeykill.dll File Offset:00001800)

This Nice dll kills just the Alt-Tab switching..
But no big Deal...

Number of Exports = 1, Function-Name: Kill ...uhhh..ph3aR!!!!

Load the Exe into W32Dasm...
Use StrnRef and look up WkeyKill.dll
You land here...

* Referenced by a CALL at Address:
|:0041509D
|

* Possible StringData Ref from Data Obj ->"WKeyKill.dll"
|
:00431E60 6820EB4C00 push 004CEB20

* Reference To: KERNEL32.LoadLibraryA, Ord:01C2h
|

Obfuscatlly,when training and not using SOftIce-Plugins, we need to remove the Alt-Tab
Protection... Notice that :Referenced by a CALL at Address:|:0041509D
Lets hook that one up.....

:00415094 A1D4CF6300 mov eax, dword ptr [0063CFD4]
:00415099 85C0 test eax, eax
:0041509B 7405 je 004150A2
:0041509D E8BECD0100 call 00431E60

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041509B(C)
|
:004150A2 FF05CCCF6300 inc dword ptr [0063CFCC]

Hmm... Loads an Dword-Adress into Eax,and tests..If Pointer Value = 0 WKeyKill,dll
will not be loaded..Fine..
So,no big Deal,..change the conditional Jump at Adess 41509b to an Jmp,and we are done..

:0041509B EB05 jmp 004150A2 <-- Should look like this..

Fine,ready,go and Train...Alt-Tab switchable now...

--------------------------------------------------------------------------------------

GameHack-Tool-Protections:
--------------------------

- just checking for WindowNames,WindowClasses / active Processes of known GameHack-Tools.
Means...Check...if Window "GameHackTool V1.0" is active,fake Adresses or
Shutup...Solution = change GameHackTool-Title,same for WindowClass,Tool .exe Name...

Option-Hint #1 (with SoftIce):
------------------------------

- lets say you find an Adress at d93200 wich offers the Lifes you have
in an Game.Set a Breakpoint on Region with SoftIce

bpr d80000 db0000 w ; this means, SoftIce pops up when there is an
(w)rite access to an Adress in the Area from
d80000 db0000..In case most Options are stored
in the same Area of Game-Memory, just loose
something (Wepon-Shot,Energy...)..if SoftIce
pops up, you may have found a new Adress.
To search up the Decrement/Increment use the
Technic already descibed above.

Option-Hint #2 (with SoftIce):
------------------------------

- you need at least one Option-Adress..
Set a Breakpoint on your found Adress..and press Escape or whatever to go back to
Game-Menu..Start a new Game..Softice should in 70% of 100 cases popup at a nice
init-Routine where the Games sets up the Values,..Lives,Level,..whatever..
Just write down the ADresses that are initialized,and check em Ingame..
Set them to 0/1 or whatever,and check what the change Affects..

Advanced Training #1(without SofIce/GameHackTools):
---------------------------------------------------
- needed : some knowledge of Assembler Programming (Instructions)

- use W32Dasm to disassemble the Game (if protected read Section above)
lets say you have 300 Minutes of Time in the Game,just look for an
Assembler Instruction that mov´s the Hexadezimal-Value to an Memory
Adress ( 300 dezimal = 012c hexadezimal)...write down MemoryAdress
were Value is stored,or Adress of Instruction that mov´s the Value.
In most cases you should find only some Instructions/Adresses and
you can check them via Patching in the Code.Adresses outside the
Memory can be checked via an Beta-Ingame-Key Tester.

-----------------------------------------------------------------------
Avoiding the Failure to take DMA as an direct Memory Adress:
------------------------------------------------------------
- DMA Memory is alloctacted by the Game..Its mostly used when the Game has an
Save-Option,or either is big in Size..These Adresses change..That means,
every time you start your Game, it normally has changed Adresses....
If you just access the Dma-Adresses as direct ones,your Trainer prolly
would not work..

Getting a useable Pointer to DMA-Adresses:
------------------------------------------
- Find at least one Option Adress..Just say Lives....
Go on,and set a breakpoint on the Adress..
Lose 1 Life,and our Numega Friend (SoftIce) should pop up...
what do we see now??...

Lets say...The Instruction on your actual EIP-3 is..
dec [ecx+14] .. What does this tell us?
It prolly decrements from Memory Adress ecx+14...
On easy Cases ecx just contains your DMA-Baseadress...
fine...how do we find the actual store Adress of it??
ecx = 02213567
s 0 l ffffffff 67 35 21 02 <-- we search for that Adress in Memory
| | (Adress is BACKWARDS,notice that...)
| |___ EndAdress
|___StartAdress (program Base-Adress,normally,400000,not ever..)

If SoftIce says: Pattern found at 0030:004bc4f6

It will mean...the Pointer to your DMA is stored at Adress 4bc4f6 by the
Program..

Example on How to access our found DMA-Adress:
----------------------------------------------
PAdress1 equ 004bc4f6h <-- the SoftIce ´Pattern found´one

call ReadProcessMemory,PHandle,PAdress1,edx,Byte4,0 <-- Read 4 Bytes (DMA-Base)
add dword ptr [edx],014h <-- Add Value to get to Option-Adress
(remember dec [ecx+14])
|__= Value
mov dword ptr ecx,[edx]
mov [AdressStore],ecx
call ReadProcessMemory,PHandle,ecx,edx,Byte4,0 <-- Read our ´Update´ Dma-Adress
(should contain Adress of Lives now)
add dword ptr [edx],001h <-- Add one Life
mov ecx,[AdressStore]
call WriteProcessMemory,PHandle,ecx,edx,Byte4,0 <-- Store Updated Adress

Thats it..
No Mythos...Just a bit Experience..
It was an easy Example..there are also Games wich store an Adress over another Adress,
you would have to read out both Adress,before you can modify your one..

-------------------------------------------
No valueable DMA-Pointer found,what now?
-------------------------------------------
Lets say,you found an Memory Adress,for Example 1ab3d00.
It holds Money you have in the Game...: $1.000.000
You put a Memory-Breakpoint on it,bpm 1ab3d00.
Buy something,so hopefully SoftIce will pop up,since the Adress will get changed.
SoftIce pops up at: 4432a3: mov [ecx+14],edx
[Ecx+14] = Adress 1ab3d00 , and we have not found a valid Pointer to the DMA-
Adress to read it out in our Trainermenu.
Edx holds the new Value to be inserted ($1.000.000 - what we bought...)
So,we do an Maximum Money Option for it...
How?..We just change the code before that mov [ecx+14],edx.
I guess a Subtract will be done,before the mov [ecx+14],edx.
Change the Subtract to: mov edx,$5f5e100 = maximum Money [$5f5e100 = 100.000.000]
Make sure the Instructions have the same Length,otherwise Nop out the obfuscating shit.
That means now...
Everytime the Game would normally Subtract our Money,
We fill up the Money Adress with maximum Value [$100.000.000]

--------------------------------------------------------------------------------------

-------------------------------------------------
Examples of Different-Routines,stolen from Games:
-------------------------------------------------

Example from: Pearl Harbor - Strike at Dawn German [Energy]
------------------------------------------------------------
Mainly, you can handle Energy Adresses like an Normal Value.
That means,..Energy = 05 Hex,wsprintf -> decimal -> Display -> Energy: 05
Most non Shareware-Games use other Display Methods like
for an Example a Bar that fades out, moving Display...
These Routines mostly have an look like the Routine below,
as they are mostly handled through float operations.

:004312FF D9442418 fld dword ptr [esp+18]
:00431303 D8642410 fsub dword ptr [esp+10]
:00431307 DEC9 fmulp st(1), st(0)
:00431309 D8442410 fadd dword ptr [esp+10]
:0043130D D95C2418 fstp dword ptr [esp+18] <-- Store float Adress

Example from: Sega Bass Fishing [Line]
---------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00478414(U), :00478421(C)
|
:0047842B D90560A77501 fld dword ptr [0175A760]
:00478431 D80D00064B00 fmul dword ptr [004B0600]
:00478437 D8C1 fadd st(0), st(1)
:00478439 D80DF0034B00 fmul dword ptr [004B03F0]
:0047843F D91D60A77501 fstp dword ptr [0175A760] <-- Store float Adress
:00478445 A160A77501 mov eax, dword ptr [0175A760]
:0047844A 50 push eax

Example from: Sega Bass Fishing [Time]
---------------------------------------
:0045CA5B A148AD7501 mov eax, dword ptr [0175AD48]
:0045CA60 40 inc eax
:0045CA61 83F83C cmp eax, 0000003C <-- Time/Milliseconds
:0045CA64 A348AD7501 mov dword ptr [0175AD48], eax
:0045CA69 7C77 jl 0045CAE2 <-- if not 60 go away
:0045CA6B A150AD7501 mov eax, dword ptr [0175AD50]
:0045CA70 48 dec eax <-- if 60 = dec Seconds
:0045CA71 A350AD7501 mov dword ptr [0175AD50], eax

Example from: Sega Marine Fishing [Time]
-----------------------------------------
:0044A6C6 F6C308 test bl, 08
:0044A6C9 752F jne 0044A6FA <-- eb and go...
:0044A6CB 8B0D680B6500 mov ecx, dword ptr [00650B68]
:0044A6D1 85C9 test ecx, ecx
:0044A6D3 7408 je 0044A6DD
:0044A6D5 D905E4C24C00 fld dword ptr [004CC2E4]

Example from: Sega Marine Fishing [Line]
-----------------------------------------
The tricky Part was here,the Line itself was splitted into 2 Counters.

:004ABC6C 890D04FE6400 mov dword ptr [0064FE04], ecx
:004ABC72 D91510FE6400 fst dword ptr [0064FE10] <-- needs to be erased
:004ABC78 7C06 jl 004ABC80
:004ABC7A 893D04FE6400 mov dword ptr [0064FE04], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ABC78(C)
|
:004ABC80 D91D14FE6400 fstp dword ptr [0064FE14] <-- needs to be erased
:004ABC86 E895B4FCFF call 00477120
:004ABC8B D90514FE6400 fld dword ptr [0064FE14]

Example from: Shark Hunting the Great White [Energy / shark_game.dll]
----------------------------------------------------------------------
:100124B4 8B86A0000000 mov eax, dword ptr [esi+000000A0]
:100124BA D986040F0000 fld dword ptr [esi+00000F04]
:100124C0 8B4830 mov ecx, dword ptr [eax+30]
:100124C3 D986800F0000 fld dword ptr [esi+00000F80]
:100124C9 8B5034 mov edx, dword ptr [eax+34]
:100124CC 894C2408 mov dword ptr [esp+08], ecx
:100124D0 8954240C mov dword ptr [esp+0C], edx
:100124D4 DC4C2408 fmul qword ptr [esp+08]
:100124D8 DEE9 fsubp st(1), st(0)
:100124DA D99E040F0000 fstp dword ptr [esi+00000F04] <-- Store float Adress


Example from: Hunting Unlimited [Time / ho_game.dll]
-----------------------------------------------------
:100416A7 D944240C fld dword ptr [esp+0C]
:100416AB D88608010000 fadd dword ptr [esi+00000108]
:100416B1 D99E08010000 fstp dword ptr [esi+00000108]
:100416B7 D98604010000 fld dword ptr [esi+00000104]
:100416BD D864240C fsub dword ptr [esp+0C]
:100416C1 D95C240C fstp dword ptr [esp+0C]
:100416C5 D944240C fld dword ptr [esp+0C]
:100416C9 8B44240C mov eax, dword ptr [esp+0C]
:100416CD D81D54990710 fcomp dword ptr [10079954]
:100416D3 898604010000 mov dword ptr [esi+00000104], eax <-- Store float Adress
:100416D9 DFE0 fstsw ax

Example from: MegaMan Man Legends [MegaMan.exe / Energy]
---------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AD9CE(C)
|
:004AD9D9 668B516E mov dx, word ptr [ecx+6E] <-- Load Energy
:004AD9DD 6685D2 test dx, dx <-- already zero, or - ?
:004AD9E0 7E1A jle 004AD9FC <-- if yes,bye..
:004AD9E2 89D0 mov eax, edx
:004AD9E4 29D8 sub eax, ebx <-- otherwise subtract
:004AD9E6 6689416E mov word ptr [ecx+6E], ax <-- and store new Value
:004AD9EA 6685C0 test ax, ax <-- Zero now?
:004AD9ED 7F15 jg 004ADA04 <-- if not,jump....
:004AD9EF 66C7416E0000 mov [ecx+6E], 0000 <-- otherwise clear up..
:004AD9F5 E88A8FF8FF call 00436984
:004AD9FA EB08 jmp 004ADA04

Example from: Autobahn Total - Die Verfolgungsjagd *German* - [Track Unlocker]
-------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419058(C)
|
:00419235 85DB test ebx, ebx
:00419237 7513 jne 0041924C
:00419239 F744241000000100 test [esp+10], 00010000 <-- Track unlocked?
:00419241 0F84EC050000 je 00419833 <-- no,go away locked
:00419247 E9C8000000 jmp 00419314 <-- yes,enable to click

On this,we just change:
:00419239 F744241000000100 test [esp+10], 00010000 <-- Track unlocked? ==>
to
:00419239 C744241000000100 mov [esp+10], 00010000 <-- Track always unlocked!

Ok,the Track will prolly not be enabled now...We need to kill the jmp at adress
00419241 too...I did it by writing EB04 to adress 00419241,this will insert a Jump
419247...but,you can also insert 6 Nops (6 x 90) to clear the instruction..
Main Idea is the same,writing my jump is 2 Bytes,noping is 6 Bytes...Choose
yourself...!

Example from: From Dusk till Dawn *GERMAN* - [Energy] / Code Fake
-----------------------------------------------------------------
:005119CB A804 test al, 04
:005119CD 7409 je 005119D8
:005119CF 5F pop edi
:005119D0 B801000000 mov eax, 00000001
:005119D5 5E pop esi
:005119D6 59 pop ecx
:005119D7 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005119CD(C)
|
:005119D8 8B8FF74D0000 mov ecx, dword ptr [edi+00004DF7]
:005119DE 2BCA sub ecx, edx
:005119E0 898FF74D0000 mov dword ptr [edi+00004DF7], ecx

The Test al, 04 at Adress 5119CB checks for any Sprite Collision.
This can be an Enemy or You. We see the sub ecx,edx at Adress 5119de
but if we erase it, we AND our Enemies will also be invincible.
So,CHECK your Register when you enter the Sub-Routine at Adress
5119d8. If an Collision was detected Register ESI sets the Flag to
compare between us,and Enemy.We land at, an Collision that would
decrease our Energy would be Register ESI = 0.
What to do now?

:005119CB A804 test al, 04
:005119CD 7409 je 005119D8

We simply change that to:

:005119CB 85f6 test esi, esi
:005119CD 7509 jnz 005119D8

And thats it,...If a Collision on our Player is counted,well will simply
not conditional Branch to the Sub-Routine wich subtracts the Energy.
If its an enemy Collision <ESI not 0> it will still branch.

Example from: DownTown [Game Init] / Delphi-Game,High Adresses + Alt-Tab Protected
----------------------------------------------------------------------------------
:0049C262 C705A001EE05C8000000 mov dword ptr [05EE01A0], 000000C8
:0049C26C C705A401EE05C8000000 mov dword ptr [05EE01A4], 000000C8
:0049C276 C705A801EE05C8000000 mov dword ptr [05EE01A8], 000000C8

Ok,quick Step...000000C8 = Decimal 200,a Value I found in the Game.
I used W32Dasm and searched 00c8,initiated by a mov instruction.
[To land in the Game init]...Works..Alt-Tab would close the Game btw!

Example from: Dexters Laboratory: Science Ain´t Fair [Energy]
--------------------------------------------------------------
:00417BFC 754F jne 00417C4D <-- change to EB
:00417BFE D9460C fld dword ptr [esi+0C]
:00417C01 D82584494700 fsub dword ptr [00474984]
:00417C07 D9560C fst dword ptr [esi+0C]
:00417C0A D81D14454700 fcomp dword ptr [00474514]
:00417C10 DFE0 fstsw ax
:00417C12 F6C401 test ah, 01
:00417C15 0F84DB000000 je 00417CF6
:00417C1B 68DC050000 push 000005DC

Example from: Trade Empires *GERMAN* [Money]
---------------------------------------------
Original Code was:

0177:004B11CF 90 NOP
0177:004B11D0 55 PUSH EBP
0177:004B11D1 8BEC MOV EBP,ESP
0177:004B11D3 8B510C MOV EDX,[ECX+0C] <-- Adress Money
0177:004B11D6 8B4508 MOV EAX,[EBP+08] <-- Adress Inc/Decrease
0177:004B11D9 03D0 ADD EDX,EAX

eax can here now be an -,or + Value. That means our add instruction
can add a Value,but if the Value eax is negative it can also sub a Value.

0177:004B11DB 89510C MOV [ECX+0C],EDX <-- Store new Money
0177:004B11DE 5D POP EBP
0177:004B11DF C20400 RET 0004
0177:004B11E2 90 NOP

The Code i came up with for my Trainer:

0177:004B11D0 55 PUSH EBP
0177:004B11D1 8BEC MOV EBP,ESP
0177:004B11D3 8B4508 MOV EAX,[EBP+08] <-- Get Inc/Decrease
0177:004B11D6 85C0 TEST EAX,EAX <-- is it 0?
0177:004B11D8 7E04 JLE 004B11DE <-- or a - Value?
0177:004B11DA 01410C ADD [ECX+0C],EAX <-- if not,let it add
0177:004B11DD 90 NOP
0177:004B11DE 5D POP EBP
0177:004B11DF C20400 RET 0004

--------------------------------------------------------------------------------------

Hints on Values:
----------------

Options search:
---------------

Suche Wert: 5 -------->
5
4/-1
6/+1

Unlock:
-----------
Gamestart: 0 -------->
1
not equal

Cars/Tracks:
-------------
Gamestart: 0 -------->
1
not equal
Datafields /1/ne

Invincible:
-------------
Gamestart: 0 --------> Flicker Timer
greater than
less than
equal

General Unlocking:
--------------------
Manipulate the Game, for example racing Games to always be first.
Play the Game,until a new Car/Track is unlocked and examine the
Changes.

Invincibility:
**************
- first 0
After a Collision some Timer gets initialized,wich is counted down afterwards.

Level-Skip:
***********
- most Games offer an defined Ammount of Items to get/destroy
(Example: 40 Items to destroy/Zero the Byte,and Level is skipped)

Timers:
*******
- can be stored as 2 Bytes (0801)

Lives:
******
- can be stored -1 (Display says 5 / 4 in Memory)
- can be stored as obfuscating Values 3/3 (use MemChange-Trainertool)

Weapons (Selector):
*******************
- there is mostly an Range of compares to the Adress
0001,0002,0003.....use W32Dasm to find multiple Adress compares

Cheat-Mode enable:
******************
- use W32Dasm to check for CheatMode-Text. If found, a CheatMode
is often made through a Password typed in.Patch the Password-Routine
to always enable/disable Cheat.Use a Memory-Compare-Tool to find the Byte wich
is set to enable/disable CheatMode.

Difficult Values:
-----------------
- Hard to find Timers / Level-Skip-Value Adresses can best be found
with an GameHack-Tool that has an ´Memchange´-Option like ´MTC´

***********************************************************************

Error-Fixing on Trainer-Programming:
-------------------------------------
This is an OpenProcess-Routine wich enables you to read and write to the
specified Game.The Flags are w9x/me + w2k tested.

call GetWindowThreadProcessId,eax,offset Pid

call OpenProcess,PROCESS_VM_READ OR PROCESS_VM_WRITE OR PROCESS_VM_OPERATION,0,Pid
mov PHandle,eax
cmp eax,0
jz Error

Avoid to do ReadProcessMemory into Registers!
----------------------------------------------
Under W9x/me it worked well,but w2k messed it up..
So,this is how it should look like < Example => Check that Toggle1 >

call ReadProcessMemory,PHandle,0077e7a0h,offset Toggle1,Byte4,0
add [Toggle1],064h
call WriteProcessMemory,PHandle,0077e7a0h,offset Toggle1,Byte4,0

***********************************************************************