All the info you need to start gamehacking.

These are my guides, im just posting these because i love gamehacking and would love to see some of you guys get in on it aswell

Game Hacking

by Sorin

An Overview
Intro:
In the following, I'll show you what GameHacking is, an how you
can work it out



1. What is GameHacking ?

All of you must played even for one time a game that you couldn't finished,
or couldn't pass X level, or something like that. The solution was :

a) make use of the game's cheat_codes (if any). But with this you are
treated by the game like an ordinary cheater : NO HIGHSCORE !
b) put yourself together, download some useful tools from the web and
try to make yourself the law for the game (i.e. : make your pistol
bullets be unlimited without using any game's cheat_code)

Well, in this tut we'll be discussing the b) part...

NOTE: If you like very much the game, then have the patience to finish it
without any game_hacking. After that, hack it until your eyes will be sticked
on the PC's monitor !!




2. What tools do we need ?

Yeah, that's a real question... Here's the needed :

a) a good Debugger (Soft Ice, of course) - we'll use the debugger in advanced
techniques of game_hacking, when you need to trace the game's code.

b) a Memory_Searcher (TSearch, ArtMoney, GameHack, Game Trainer) - we'll use
the memory_searcher to find the addresses where the game holds our wanted
data (lives, bullets, energy, mana, money etc).

c) a Hex-Editor (HexWorkshop, Hackers View) - we'll use the hex editor when
hacking the saved_game files, or when we modify the game's .exe/.dll ...

d) a Dissasembler (W32Dasm, IDA) - we'll use the dissasembler when we have to
deal with a dead-listing. A dead-listing is the game's code listed in ASM
when the program isn't running in memory.

e) a Trainer-Maker (Trainer Maker Kit) OR some programming knowledge. These are
OPTIONAL, needed only when you want to build up a trainer.

These tools can be found at :

- http://www.protools.cjb.net/
- http://www.gamehacking.com/
- http://www.ghu.as.ro/
- and at many more sites...

Here's some pictures representing the respective tool:

SoftIce ; Game Trainer ; GameHack ; W32Dasm ; HexWorkshop ; Hiew ; TMK ; TSearch



3. Types of Game-Hacking :

Well, we have several ways to do our hack :

I. Memory Hacking

a) Value poking (when changing the amount of grenades, for example)

b) Memory patching (when we overwrite game's instructions in memory)

i.e. ASM instruction HEX value of "dec ecx"
dec ecx 49

Ecx holds our energy. We have found the instruction that decrease it.
To avoid decreasing, we patch like this:

ASM instruction HEX value of "nop"
nop 90

By changing "dec ecx" with "nop" (49 with 90), we prevent our energy for
beeing decreased. Preety kool, huh ? This method is EXTREMELY EFFECTIVE
when we have to deal with DMA.


II. Executable (DLL) Hacking

a) .EXE/.DLL patching (same as I-b point except the changes we make are permanently)


III. Saved_Game Hacking

a) .SAVED pathching

Here's why we need Hex-Editors: If the game you want to hack has a
"save curent game" option, you can hack that .saved file...


With all this clarified, we can go down to business



< WHAT IS DMA >

DMA (Dynamic Memory Allocation) is how the game_you_want_to_hack messes with your
PC memory... Like the name says, the game allocates the memory dynamicaly. That
means every time you restart the game, it holds your data at a different memory
location. Here's an example :

you found your bullets at address 100
you found your grenades at address 120
you found your life at address 150

........ after you restart the game, ..........

you find your bullets at address 510
you find your grenades at address 530
you find your life at address 560

........ after you restart the game second time, ..........

you find your bullets at address 610
you find your grenades at address 630
you find your life at address 660


What did we deduce ? The game changes the locations of your data EVERY TIME !
BUT, let's take a closer look... In all 3 cases, the difference between the addresses
is THE SAME !

1st case: 100+20=120
120+30=150

2nd case: 510+20=530
530+30=560

3rd case: 610+20=630
630+30=660

This means our DMA problem ('till now) reduces to : FIND THE PATERN ADDRESS which is :

in the first case : 100
in the second case : 500
in the third case : 600

By knowing the PATERN ADDRESS, we can easily add the difference to get the other
addresses !

This is an overview of DMA...


< CODE INJECTION >

Well, we clarified what is DMA... But how can we bypass that ? SIMPLE ! Code
Injection ! (or kill the instructions that makes your day miserable)

Code Injection is, like the name says, Injection of Code hehehe...

Here's an example:


mov eax,[ecx] - ecx = pointer to bullets' address
dec byte ptr [eax] - eax = bullets' address
mov eax,[ecx+20] - ecx+20 = pointer to grenades' address
dec word ptr [eax] - eax = grenades' address
mov eax,[ecx+50] - ecx+50 = pointer to mana's address
dec dword ptr [eax] - eax = mana's address

This is DMA... We found that "PARENT ADDRESS(POINTER)" is ecx. But since is DMA,
ecx also changes. So we need to keep this ecx stored in a place from where
we can mess with it all time, knowing it's value...

How to do that ? SIMPLE ! Find somewhere in the game's code a place full of 0's.
There we will inject our code. The injection routine is very simple:

- find some empty space in game's memory a.k.a the 0's (or FFh)
- overwrite an instruction with a "jump" or "call" instruction that jumps to that
place full of 0's
- reconstruct the overwritten instruction
- overwrite some of 0's with our code (to catch the parent address)
- jump back (or "ret" if we used a "call") to the initial place (game's code)

So, for our example, this should look like this :


ORIGINAL MODIFIED
mov eax,[ecx] | jmp 4455 (place full of 0's)
dec byte ptr [eax] | dec byte ptr [eax] <-------<---------<----<-----|
mov eax,[ecx+20] | > mov eax,[ecx+20] ^
dec word ptr [eax] | dec word ptr [eax] |
mov eax,[ecx+50] | mov eax,[ecx+50] |
dec dword ptr [eax] | dec dword ptr [eax] ^
................... |
offset 4455: (where we found the 0's) |
mov eax,[ecx] - we reconstruct overwritten instr. ^
mov dword ptr[5555],ecx - save parent to a STATIC address |
jump back to "dec byte ptr [eax]" ----->--->--->------>---|


With this, we defeated DMA by saving the PARENT pointer to a STATIC memory location.
And in our trainer we just read the PARENT pointer from address 5555 (static),
then add the difference to obtain the pointers for other addresses (for
life, money, etc).

To obtain the amount of bullets with your trainer, u can do this:
_________________________
| read from 5555 in temp
| push temp
| pop ecx -> ecx=POINTER to address of bullets
| mov ecx,[ecx] -> ecx=address of bullets
| mov eax,[ecx] -> eax=the effective number of bullets
--------------------------


Also NOTE : that 5555 address is where there are lots of 0's, too ! If u find 0's at
1234, then don't use 5555, use 1234 !

!! A BIG THANKS GOES TO SHEEP FOR HIS DMA TUTS. THEY WORTH READING !!


Now, that we have finished DMA & CODE INJECTION, let's have a look on the different
hack methods...

< SAVED_GAME PATCHING >

Let's take first the .SAVE file patching... What can we do here ? Well, search the
saved_file and replace the wanted value with the new value...

Let's take for example WarCraft II. Play a single player game. After a while, save your
game under XXX (for example). And remember your gold amount !!! Now, load your
XXX file in HexWorkshop and do some searching... But the search type must be
under "32 Bit Unsigned long". That's because u search for a base 10 number, and
this number can be greater than 65535 (biggest word value). Got the idea ?
Now you type in the "Value" edit_box the amount of money, and click OK...
Simple, heh ?

But there are also A LOT of games that save their data ENCRYPTED (like StarCraft)...

In this case, we try

< VALUE POKING >

Yes, the well known method...

Here we need the memory_searcher ! So, fire it up (TSearch, ArtMoney, etc) select as
process the game you want to cheat in, and search for the wanted value. The
memory_searcher will find many addresses containg your value. To bypass this,
go back in the game and CHANGE that value. Pause the game, go back in mem_searcher
and search for the new value ! Repeat these steps until you will find only a few
addresses. Then all you have to do is to try changing the value in those addresses
and see (in the game) how affects you and what is the one you need...

You can also might want to try

< MEMORY PATCHING >

YES ! This is awesome ! And sticks very_well with DMA & CODE INJECTION !

But to master this technique, you must have (some) asm knowledge...

Here's an example :

You find your bullets at addr. 100. Open SoftIce (^D), and put a bpm on that address
< bpm 500 >. BUT YOU MUST BE IN THE GAME PROCESS !!! (Check SoftIce's lower right
corner. If it says the name of the game, then you're IN !)

Shoot a bullet in the game... SI should pop:

.............
xx: mov eax, [44]
yy: dec eax -> you land here in SoftIce
zz: mov dword ptr [44], eax
............

What do we see ? The game moves in eax your bullets number stored in memory at location
[44]. Then it comes that UGLY instruction "dec eax", then update your decreased
bullets back in [44]. So, to prevent bullets for decreasing, we just "nop" (no
operation) that "dec eax". You can do it in SoftIce by typing:

asm yy [ENTER]
nop [ENTER]
[ENTER]

,where yy is the memory offset of the respective instruction...

Yeah, this is a GOOD method, but we don't want to do this SI thing all the time...
OK ! There are 2 solution :

a) make a trainer
b)

< EXECUTABLE/DLL PATCHING >

This is almost like above, except we change the instructions permanently ...

We'll use Hiew. Fire it up and load in it the game's .exe. Press F4, select "Decode",
then press F5 (goto address) and type that yy number you had from SoftIce. Now
press F3 (edit), then F2 (asm), then write your "nop" instruction. Then press
[ENTER], then [ESC], then F9 (save) and you're done !

REMEMBER : Sometimes, the instructions that dec your life, money etc are not in the
.exe file, but in some game's .DLL. You can easily find this out within
SI by looking at the offset of the respective instruction. If it says
something like 1XXXXXXX or so, then your in some DLL ! You can also look
at the lower right corner of SI.

Example of game that uses a .dll to dec the life : HERCULES


In the following there will be presented some techniques on hacking different things
in a game...


BULLETS, LIFE, MANA, GRENADES etc (when you know their real amount) :

-search with mem_searcher for that value
-change it in the game
-search for new value
-repeat these steps until you find only a few addresses (usualy 2-3)
-change the value at those address to see how affects you

ENERGY BARS, BULLETS, LIFE, MANA, GRENADES etc (when you don't know real amount) :

-dump the memory
-change your energy, bullets etc inside the game
-search the dumped memory for the addresses whose values are changed
-repeat these steps until you find only a few addresses
-change the value at those address to see how affects you
*** The value of a full energy-bar is usualy around 250 !!! ***

INSTANT BUILD HACKING TECHNIQUES :

-dump the memory
-change your energy inside the game
-search the dumped memory for the addresses whose values are decreased (usualy)
-repeat these steps until you find only a few addresses
-change the value at those address to see how affects you

WAYS OF MAP STORING :

< well, this is the most complicated part of all >

In 2D strategy games, map is probably held in matrix
___________________________
| a[1,1] a[1,2] .... a[1,n] |
| a[2,1] a[2,2] .... a[2,n] |
| ...............X......... | -> X are your units, and that purple color means u see
| .....................X... | the map in that place
| a[m,1] a[m,2] .... a[m,n] |
-----------------------------

representing the screen. When your unit is moved on a[5,6] (for example), then the game
puts in that place in matrix the coded_byte for place_without_fog. When you move
your unit from that place, the game puts back at that place in matrix the coded_byte
for place_with_fog.

So, the game have 2 options :

a) refresh the map in a timer
b) refresh the map when a unit is moved

My personal opinion...
PS: Don't bitch me if u find a game that has diff. ways to store the map...


In the ending, I wish all of you a "nice hacking"

< CHEERS & GREETS >


I want to thank some people who helped me directly/indirectly
(you know, order doesn't matter )

- Groza (BEST publisher - I'm still & still waiting that tut on C&C map_hack
when you'll have time, of course... )
- Snaky (toate cele bune ! )
- T-RaiNeR (n-am mai vorbit de mult... nasol e cu bac'u asta (( )
- ParaBytes (my cracking teacher - a BIG THANKS)
- Some in GameHacking's forum ( some of u are great, but some are made of cocoa ) )
- All GHU members (Cei mai buni ! - Biciuila esti si tu inclus, cacaciosule !)
- JUVENTUS (I love JUVE)
- YOU
romanian:
*******************************
* Salutari celor din Romania! *
*******************************

Special Greet Goes To Synbios -> he knows why and I hope he'll forgive me someday...
Advertising:

2003

eof


*********************************************************************************

ÜÜÜÜÛÛÜÜÜÜÜÜ
Û²ÛÛÛÛÛÛÝ
ßÛ Û²ÛÛÛÛÛÛ Ûßß ß
Û Û²ÛÛÛÛÛÛ Û ÜÜÜÜÜÜ nmls^bafh
ÜÜÜÜÜÜ Û²ÛÛÛÛÛÛÞÜÜÛÛÛÛ²ÛÛ ÜÜÜÜÜÜ ÜÜÜÜÜÜ
ÜÜÜÛßßßßÛÜÜÛßß ÜÜ ßß ÛÛ²ÛÛÛÛÛßßßßßßßßß ÜÜÛßß ÜÜ ßßßÛÜÜÜ ÜÜÛßß ÜÜ ßßßÛÜÜÜ
ÜÜÜÛÛÜÜÜÜÜÜÛÛÛÛÛÛÛÜÜÞßßÛÛÛÛ Ûßßßßßßßß ÜÛßß ÜÜÛÛÛÛÛÛÛÜÜÜ ßß ÜÜÜÛÛÛÛÛÛÛÜÜÜ ßßß
° ÝÛÛÛÛÛÛÛÛÝßßÛÛÛÛ²ÛÛÛÛÛÞßÛÛÛ ÜÜÜÛßßßßßÛÜ ÜÜÛÛÛßßßÛÛÛÛÛÛ²ÛÛÛÞßÛÛßÝßÛÛÛÛÛÛ²ÛÛÜ
° Û²ÛÛÛÛÛÛ ° ÝÛÛÛÛÛÛ²ÛÛÛÞÛÛÛÞÛ ÜÜÜÛÛÛÜÜÜÜÞß²ÛÝ° ÝÝÛÛÛÛÛÛÛ²ÛÛÞÛÝ ° ßÛÛÛÛÛÛ²ÛÛ °
±° Û²ÛÛÛÛÛÛ °°ÝÛÛÛÛÛÛÛ²ÛÛÞÛÛÛ ± ÝÛÛÛÛÛÛ²ÛÛÛÞ²ÛÞ±° ÜÛÛÛÛÛÛÛÛÛßÞÛ °°±ÝÛÛÛÛÛÛÛÛÝ °
±± Û²²ÛÛÛÛÛ ±° ÛÛÛÛÛÛÛ²ÛÛÞÛÛÛ ±² ÛÛÛÛÛÛÛ²ÛÛÝßÛÛÜÜÜÜÜÜÜÜÞßÞ ÝÜÛÛ °±² ÜÜÜÜÜÜÜ ±°
²± ÛÛ²ÛÛÛÛÛÞ²± ÛÛÛÛÛÛÛ²ÛÛÞÛÛÛÞ²²ÞÛÛÛÛÛÛÛ²ÛÛÝÞÝßßßßßÛÛÛÛÛÛÛÛÜÞßÛÞ²² ÞÛÛÛÛÛÛÛÛÜ ±
²²ÞÛÛ²ÛÛÛÛÛÞ²²ÞÛÛÛÛÛÛÛ²ÛÛÞÛÛÛÞ²ÞÜÛÛÛÛÛ²ÛÛÛÛÞ²ÜÞ²² ÞÞÛÛÛÛÛÛ²ÛÛÞ²Þ ²ÞÜÛÛÛÛÛÛ²ÛÛ ²
²²ÞÛÛÛÛÛÛÛÛÞ² ÞÛÛÛÛÛ²ÛÛÛÛÞ²ÛÛÜÜÛÛÛÛÛÛÛÛßßßÞÜÛÛÛÜÜÜÛÛÛÛÛÛÛ²ÛÛß ÛÛÜÞÜÛÛÛÛÛÛ²ÛÛß ²
² ßßßßßÛÛßß Ü ßßßßßßßßßß ÜÜÜÜÜÜÜÜ ßßß ÜÜ ßßßßßßßÛÛÛÛÛßßßßßß Ü ßßßÛÛÛÛÛÛÛßßß ÜÜÜ
ßßßßßÛÜÜÜÜÛß ßßßßßßßßßßßßß ßßßßßßß ßßßßßßÛÜÜÜÜÜÜÜÛßßßßßßßßÛÜÜÜÜÜÜÜÜÜÛßßß

Training Games on PC´s (Windows specific)
written by [NtSC] over/2001/2002

*********************************************************************************
Disclaimer:
-----------
If you request Nuke for People,when they release a Trainer with the same Options
you have,just delete this Tutorial,and kill yourself.It was in Case not written
for kiddie Morons wich make 50% of the todays Internet.

About me..
----------
I am doing Trainers / Reverse Engineering of code since 1986...
C-64,Amiga,SuperNES,GameBoy Advanced and Pc now..

Began training Games on PC in January 2001

Tools I use to train:
---------------------
- W32Dasm
- SoftIce
- GameHack v2.0
- MagicTrainerCreator
- BlindFind (my own Tool,for Alt-Tab protected Games..)
- Icedump < for Mem-Dumps + Anti-Debugging Features >

Language I code in:
-------------------
- No Masm,just Tasm.. (Borland Turbo Assembler v5.0)

Lets start our little Tutorial..

---------------------------------------------------------------------------------------

The Search:
-----------

(with SoftIce useable)

- Fastest Way is to use a GameHack-Tool and search for the Option
Adresses.When Adresses are found set an Breakpoint on Region with
Softice. (Adress: 4df000 / bpr 4df000 4df001 w) this means...
SoftIce will break up when a (w)rite Access appears to that
Adress.When SoftIce pops up,you should be at the Decrement for
the Adress.

(SoftIce unuseable,due to GFX-Setup of Game)

- Find Adresses with GameHack-Tool.Start W32Dasm and disassemble
the Game.exe.Go to search Option and search for the Adress your
GameHack-Tool provided.You should find Inits, or Decrements when it uses
static Memory Adresses. DMA Adressing would end in no Results (normally...)..!

W32Dasm Problems:
-----------------

- SomeTimes when you try to disassemble an Program with W32DASM
you will not get any Code Line.This is done via an manipulation
of the PE-Header Section Flags. The fucked up Flags look
like: 400000C0 or 600000C0..you have to patch these Flags,in case
you want to disassemble it correctly.With these Flags set,
the .code Section is declared as an Data Section and W32Dasm
will not disassemble them correctly.Change the Flags to: E0000020
for most of the normal Sections,and just give the code section
20000060 and try then...should work....if the Program is packed,
W32Dasm will give no correct Informations anyway.You´ll have to
depack it first.

* Note: Nowadays,for Shareware mangled Section Flags are 90% of 100 done
through Pe-Crypters or Packers like for example Asprotect..
In that Case you will have to find some Depacker for that
Crypter/Packer used on that Program..
Or just dump and rebuild...Can you?..

Alt-Tab Protections:
--------------------
Some Things i found through the Time are:

a) check the existing Windowname / WindowClasses / .exe Names of running Processes
for known GameHack-Tools.
WindowName or WindowClass = one of known GameHackTool = shutup Game
Name of an running Process = one of known GameHackTool = shutup Game
Solution = change WindowName / WindowClass/ .exe Name of your Tool

b) Key Combination setup.
Variants:
...Alt-Tab disabled
...no switch back to Game,after Alt-Tab
...if Alt-Tab pressed,quit Game

See Examples for more Info on that....

c) poor Game coding...the Game isnt able to restore the Screen after Task-Switching.
At this time,you have only the Chance to use SoftIce-Plugins.

d) Auto-Setback Game Window to Foreground-Window
Check Actual ForeGroundWindow,if it is not the GameWindow,set GameWindow
back to actual ForeGroundWindow.
Done with a nice Timer,itll make the lil Trainerguys dizzy I think...

Alt-Tab-Protection-Examples:
----------------------------

Example from Game: The Smurfs,lets get loose
Dll: wkeykill.dll
--------------------------------------------------------------------------------------

Header from wkeykill.dll / W32Dasm Output

+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 2 (decimal)

Import Module 001: KERNEL32.dll
Import Module 002: USER32.dll

+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++

Import Module 001: KERNEL32.dll

Addr:000020B0 hint(00FE) Name: GetModuleHandleA
Addr:00002094 hint(0051) Name: DisableThreadLibraryCalls

Import Module 002: USER32.dll

Addr:000020D2 hint(00D7) Name: GetAsyncKeyState
Addr:000020E6 hint(0011) Name: CallNextHookEx
Addr:000020F8 hint(0248) Name: UnhookWindowsHookEx
Addr:0000210E hint(0234) Name: SystemParametersInfoA
Addr:00002126 hint(0225) Name: SetWindowsHookExA

+++++++++++++++++++ EXPORTED FUNCTIONS ++++++++++++++++++
Number of Exported Functions = 0001 (decimal)

Addr:10001210 Ord: 1 (0001h) Name: Kill

+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************
Program Entry Point = 10001000 (wkeykill.dll File Offset:00001800)

This Nice dll kills just the Alt-Tab switching..
But no big Deal...

Number of Exports = 1, Function-Name: Kill ...uhhh..ph3aR!!!!

Load the Exe into W32Dasm...
Use StrnRef and look up WkeyKill.dll
You land here...

* Referenced by a CALL at Address:
|:0041509D
|

* Possible StringData Ref from Data Obj ->"WKeyKill.dll"
|
:00431E60 6820EB4C00 push 004CEB20

* Reference To: KERNEL32.LoadLibraryA, Ord:01C2h
|

Obfuscatlly,when training and not using SOftIce-Plugins, we need to remove the Alt-Tab
Protection... Notice that :Referenced by a CALL at Address:|:0041509D
Lets hook that one up.....

:00415094 A1D4CF6300 mov eax, dword ptr [0063CFD4]
:00415099 85C0 test eax, eax
:0041509B 7405 je 004150A2
:0041509D E8BECD0100 call 00431E60

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041509B(C)
|
:004150A2 FF05CCCF6300 inc dword ptr [0063CFCC]

Hmm... Loads an Dword-Adress into Eax,and tests..If Pointer Value = 0 WKeyKill,dll
will not be loaded..Fine..
So,no big Deal,..change the conditional Jump at Adess 41509b to an Jmp,and we are done..

:0041509B EB05 jmp 004150A2 <-- Should look like this..

Fine,ready,go and Train...Alt-Tab switchable now...

--------------------------------------------------------------------------------------

GameHack-Tool-Protections:
--------------------------

- just checking for WindowNames,WindowClasses / active Processes of known GameHack-Tools.
Means...Check...if Window "GameHackTool V1.0" is active,fake Adresses or
Shutup...Solution = change GameHackTool-Title,same for WindowClass,Tool .exe Name...

Option-Hint #1 (with SoftIce):
------------------------------

- lets say you find an Adress at d93200 wich offers the Lifes you have
in an Game.Set a Breakpoint on Region with SoftIce

bpr d80000 db0000 w ; this means, SoftIce pops up when there is an
(w)rite access to an Adress in the Area from
d80000 db0000..In case most Options are stored
in the same Area of Game-Memory, just loose
something (Wepon-Shot,Energy...)..if SoftIce
pops up, you may have found a new Adress.
To search up the Decrement/Increment use the
Technic already descibed above.

Option-Hint #2 (with SoftIce):
------------------------------

- you need at least one Option-Adress..
Set a Breakpoint on your found Adress..and press Escape or whatever to go back to
Game-Menu..Start a new Game..Softice should in 70% of 100 cases popup at a nice
init-Routine where the Games sets up the Values,..Lives,Level,..whatever..
Just write down the ADresses that are initialized,and check em Ingame..
Set them to 0/1 or whatever,and check what the change Affects..

Advanced Training #1(without SofIce/GameHackTools):
---------------------------------------------------
- needed : some knowledge of Assembler Programming (Instructions)

- use W32Dasm to disassemble the Game (if protected read Section above)
lets say you have 300 Minutes of Time in the Game,just look for an
Assembler Instruction that mov´s the Hexadezimal-Value to an Memory
Adress ( 300 dezimal = 012c hexadezimal)...write down MemoryAdress
were Value is stored,or Adress of Instruction that mov´s the Value.
In most cases you should find only some Instructions/Adresses and
you can check them via Patching in the Code.Adresses outside the
Memory can be checked via an Beta-Ingame-Key Tester.

-----------------------------------------------------------------------
Avoiding the Failure to take DMA as an direct Memory Adress:
------------------------------------------------------------
- DMA Memory is alloctacted by the Game..Its mostly used when the Game has an
Save-Option,or either is big in Size..These Adresses change..That means,
every time you start your Game, it normally has changed Adresses....
If you just access the Dma-Adresses as direct ones,your Trainer prolly
would not work..

Getting a useable Pointer to DMA-Adresses:
------------------------------------------
- Find at least one Option Adress..Just say Lives....
Go on,and set a breakpoint on the Adress..
Lose 1 Life,and our Numega Friend (SoftIce) should pop up...
what do we see now??...

Lets say...The Instruction on your actual EIP-3 is..
dec [ecx+14] .. What does this tell us?
It prolly decrements from Memory Adress ecx+14...
On easy Cases ecx just contains your DMA-Baseadress...
fine...how do we find the actual store Adress of it??
ecx = 02213567
s 0 l ffffffff 67 35 21 02 <-- we search for that Adress in Memory
| | (Adress is BACKWARDS,notice that...)
| |___ EndAdress
|___StartAdress (program Base-Adress,normally,400000,not ever..)

If SoftIce says: Pattern found at 0030:004bc4f6

It will mean...the Pointer to your DMA is stored at Adress 4bc4f6 by the
Program..

Example on How to access our found DMA-Adress:
----------------------------------------------
PAdress1 equ 004bc4f6h <-- the SoftIce ´Pattern found´one

call ReadProcessMemory,PHandle,PAdress1,edx,Byte4,0 <-- Read 4 Bytes (DMA-Base)
add dword ptr [edx],014h <-- Add Value to get to Option-Adress
(remember dec [ecx+14])
|__= Value
mov dword ptr ecx,[edx]
mov [AdressStore],ecx
call ReadProcessMemory,PHandle,ecx,edx,Byte4,0 <-- Read our ´Update´ Dma-Adress
(should contain Adress of Lives now)
add dword ptr [edx],001h <-- Add one Life
mov ecx,[AdressStore]
call WriteProcessMemory,PHandle,ecx,edx,Byte4,0 <-- Store Updated Adress

Thats it..
No Mythos...Just a bit Experience..
It was an easy Example..there are also Games wich store an Adress over another Adress,
you would have to read out both Adress,before you can modify your one..

-------------------------------------------
No valueable DMA-Pointer found,what now?
-------------------------------------------
Lets say,you found an Memory Adress,for Example 1ab3d00.
It holds Money you have in the Game...: $1.000.000
You put a Memory-Breakpoint on it,bpm 1ab3d00.
Buy something,so hopefully SoftIce will pop up,since the Adress will get changed.
SoftIce pops up at: 4432a3: mov [ecx+14],edx
[Ecx+14] = Adress 1ab3d00 , and we have not found a valid Pointer to the DMA-
Adress to read it out in our Trainermenu.
Edx holds the new Value to be inserted ($1.000.000 - what we bought...)
So,we do an Maximum Money Option for it...
How?..We just change the code before that mov [ecx+14],edx.
I guess a Subtract will be done,before the mov [ecx+14],edx.
Change the Subtract to: mov edx,$5f5e100 = maximum Money [$5f5e100 = 100.000.000]
Make sure the Instructions have the same Length,otherwise Nop out the obfuscating shit.
That means now...
Everytime the Game would normally Subtract our Money,
We fill up the Money Adress with maximum Value [$100.000.000]

--------------------------------------------------------------------------------------

-------------------------------------------------
Examples of Different-Routines,stolen from Games:
-------------------------------------------------

Example from: Pearl Harbor - Strike at Dawn German [Energy]
------------------------------------------------------------
Mainly, you can handle Energy Adresses like an Normal Value.
That means,..Energy = 05 Hex,wsprintf -> decimal -> Display -> Energy: 05
Most non Shareware-Games use other Display Methods like
for an Example a Bar that fades out, moving Display...
These Routines mostly have an look like the Routine below,
as they are mostly handled through float operations.

:004312FF D9442418 fld dword ptr [esp+18]
:00431303 D8642410 fsub dword ptr [esp+10]
:00431307 DEC9 fmulp st(1), st(0)
:00431309 D8442410 fadd dword ptr [esp+10]
:0043130D D95C2418 fstp dword ptr [esp+18] <-- Store float Adress

Example from: Sega Bass Fishing [Line]
---------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00478414(U), :00478421(C)
|
:0047842B D90560A77501 fld dword ptr [0175A760]
:00478431 D80D00064B00 fmul dword ptr [004B0600]
:00478437 D8C1 fadd st(0), st(1)
:00478439 D80DF0034B00 fmul dword ptr [004B03F0]
:0047843F D91D60A77501 fstp dword ptr [0175A760] <-- Store float Adress
:00478445 A160A77501 mov eax, dword ptr [0175A760]
:0047844A 50 push eax

Example from: Sega Bass Fishing [Time]
---------------------------------------
:0045CA5B A148AD7501 mov eax, dword ptr [0175AD48]
:0045CA60 40 inc eax
:0045CA61 83F83C cmp eax, 0000003C <-- Time/Milliseconds
:0045CA64 A348AD7501 mov dword ptr [0175AD48], eax
:0045CA69 7C77 jl 0045CAE2 <-- if not 60 go away
:0045CA6B A150AD7501 mov eax, dword ptr [0175AD50]
:0045CA70 48 dec eax <-- if 60 = dec Seconds
:0045CA71 A350AD7501 mov dword ptr [0175AD50], eax

Example from: Sega Marine Fishing [Time]
-----------------------------------------
:0044A6C6 F6C308 test bl, 08
:0044A6C9 752F jne 0044A6FA <-- eb and go...
:0044A6CB 8B0D680B6500 mov ecx, dword ptr [00650B68]
:0044A6D1 85C9 test ecx, ecx
:0044A6D3 7408 je 0044A6DD
:0044A6D5 D905E4C24C00 fld dword ptr [004CC2E4]

Example from: Sega Marine Fishing [Line]
-----------------------------------------
The tricky Part was here,the Line itself was splitted into 2 Counters.

:004ABC6C 890D04FE6400 mov dword ptr [0064FE04], ecx
:004ABC72 D91510FE6400 fst dword ptr [0064FE10] <-- needs to be erased
:004ABC78 7C06 jl 004ABC80
:004ABC7A 893D04FE6400 mov dword ptr [0064FE04], edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ABC78(C)
|
:004ABC80 D91D14FE6400 fstp dword ptr [0064FE14] <-- needs to be erased
:004ABC86 E895B4FCFF call 00477120
:004ABC8B D90514FE6400 fld dword ptr [0064FE14]

Example from: Shark Hunting the Great White [Energy / shark_game.dll]
----------------------------------------------------------------------
:100124B4 8B86A0000000 mov eax, dword ptr [esi+000000A0]
:100124BA D986040F0000 fld dword ptr [esi+00000F04]
:100124C0 8B4830 mov ecx, dword ptr [eax+30]
:100124C3 D986800F0000 fld dword ptr [esi+00000F80]
:100124C9 8B5034 mov edx, dword ptr [eax+34]
:100124CC 894C2408 mov dword ptr [esp+08], ecx
:100124D0 8954240C mov dword ptr [esp+0C], edx
:100124D4 DC4C2408 fmul qword ptr [esp+08]
:100124D8 DEE9 fsubp st(1), st(0)
:100124DA D99E040F0000 fstp dword ptr [esi+00000F04] <-- Store float Adress


Example from: Hunting Unlimited [Time / ho_game.dll]
-----------------------------------------------------
:100416A7 D944240C fld dword ptr [esp+0C]
:100416AB D88608010000 fadd dword ptr [esi+00000108]
:100416B1 D99E08010000 fstp dword ptr [esi+00000108]
:100416B7 D98604010000 fld dword ptr [esi+00000104]
:100416BD D864240C fsub dword ptr [esp+0C]
:100416C1 D95C240C fstp dword ptr [esp+0C]
:100416C5 D944240C fld dword ptr [esp+0C]
:100416C9 8B44240C mov eax, dword ptr [esp+0C]
:100416CD D81D54990710 fcomp dword ptr [10079954]
:100416D3 898604010000 mov dword ptr [esi+00000104], eax <-- Store float Adress
:100416D9 DFE0 fstsw ax

Example from: MegaMan Man Legends [MegaMan.exe / Energy]
---------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AD9CE(C)
|
:004AD9D9 668B516E mov dx, word ptr [ecx+6E] <-- Load Energy
:004AD9DD 6685D2 test dx, dx <-- already zero, or - ?
:004AD9E0 7E1A jle 004AD9FC <-- if yes,bye..
:004AD9E2 89D0 mov eax, edx
:004AD9E4 29D8 sub eax, ebx <-- otherwise subtract
:004AD9E6 6689416E mov word ptr [ecx+6E], ax <-- and store new Value
:004AD9EA 6685C0 test ax, ax <-- Zero now?
:004AD9ED 7F15 jg 004ADA04 <-- if not,jump....
:004AD9EF 66C7416E0000 mov [ecx+6E], 0000 <-- otherwise clear up..
:004AD9F5 E88A8FF8FF call 00436984
:004AD9FA EB08 jmp 004ADA04

Example from: Autobahn Total - Die Verfolgungsjagd *German* - [Track Unlocker]
-------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00419058(C)
|
:00419235 85DB test ebx, ebx
:00419237 7513 jne 0041924C
:00419239 F744241000000100 test [esp+10], 00010000 <-- Track unlocked?
:00419241 0F84EC050000 je 00419833 <-- no,go away locked
:00419247 E9C8000000 jmp 00419314 <-- yes,enable to click

On this,we just change:
:00419239 F744241000000100 test [esp+10], 00010000 <-- Track unlocked? ==>
to
:00419239 C744241000000100 mov [esp+10], 00010000 <-- Track always unlocked!

Ok,the Track will prolly not be enabled now...We need to kill the jmp at adress
00419241 too...I did it by writing EB04 to adress 00419241,this will insert a Jump
419247...but,you can also insert 6 Nops (6 x 90) to clear the instruction..
Main Idea is the same,writing my jump is 2 Bytes,noping is 6 Bytes...Choose
yourself...!

Example from: From Dusk till Dawn *GERMAN* - [Energy] / Code Fake
-----------------------------------------------------------------
:005119CB A804 test al, 04
:005119CD 7409 je 005119D8
:005119CF 5F pop edi
:005119D0 B801000000 mov eax, 00000001
:005119D5 5E pop esi
:005119D6 59 pop ecx
:005119D7 C3 ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005119CD(C)
|
:005119D8 8B8FF74D0000 mov ecx, dword ptr [edi+00004DF7]
:005119DE 2BCA sub ecx, edx
:005119E0 898FF74D0000 mov dword ptr [edi+00004DF7], ecx

The Test al, 04 at Adress 5119CB checks for any Sprite Collision.
This can be an Enemy or You. We see the sub ecx,edx at Adress 5119de
but if we erase it, we AND our Enemies will also be invincible.
So,CHECK your Register when you enter the Sub-Routine at Adress
5119d8. If an Collision was detected Register ESI sets the Flag to
compare between us,and Enemy.We land at, an Collision that would
decrease our Energy would be Register ESI = 0.
What to do now?

:005119CB A804 test al, 04
:005119CD 7409 je 005119D8

We simply change that to:

:005119CB 85f6 test esi, esi
:005119CD 7509 jnz 005119D8

And thats it,...If a Collision on our Player is counted,well will simply
not conditional Branch to the Sub-Routine wich subtracts the Energy.
If its an enemy Collision <ESI not 0> it will still branch.

Example from: DownTown [Game Init] / Delphi-Game,High Adresses + Alt-Tab Protected
----------------------------------------------------------------------------------
:0049C262 C705A001EE05C8000000 mov dword ptr [05EE01A0], 000000C8
:0049C26C C705A401EE05C8000000 mov dword ptr [05EE01A4], 000000C8
:0049C276 C705A801EE05C8000000 mov dword ptr [05EE01A8], 000000C8

Ok,quick Step...000000C8 = Decimal 200,a Value I found in the Game.
I used W32Dasm and searched 00c8,initiated by a mov instruction.
[To land in the Game init]...Works..Alt-Tab would close the Game btw!

Example from: Dexters Laboratory: Science Ain´t Fair [Energy]
--------------------------------------------------------------
:00417BFC 754F jne 00417C4D <-- change to EB
:00417BFE D9460C fld dword ptr [esi+0C]
:00417C01 D82584494700 fsub dword ptr [00474984]
:00417C07 D9560C fst dword ptr [esi+0C]
:00417C0A D81D14454700 fcomp dword ptr [00474514]
:00417C10 DFE0 fstsw ax
:00417C12 F6C401 test ah, 01
:00417C15 0F84DB000000 je 00417CF6
:00417C1B 68DC050000 push 000005DC

Example from: Trade Empires *GERMAN* [Money]
---------------------------------------------
Original Code was:

0177:004B11CF 90 NOP
0177:004B11D0 55 PUSH EBP
0177:004B11D1 8BEC MOV EBP,ESP
0177:004B11D3 8B510C MOV EDX,[ECX+0C] <-- Adress Money
0177:004B11D6 8B4508 MOV EAX,[EBP+08] <-- Adress Inc/Decrease
0177:004B11D9 03D0 ADD EDX,EAX

eax can here now be an -,or + Value. That means our add instruction
can add a Value,but if the Value eax is negative it can also sub a Value.

0177:004B11DB 89510C MOV [ECX+0C],EDX <-- Store new Money
0177:004B11DE 5D POP EBP
0177:004B11DF C20400 RET 0004
0177:004B11E2 90 NOP

The Code i came up with for my Trainer:

0177:004B11D0 55 PUSH EBP
0177:004B11D1 8BEC MOV EBP,ESP
0177:004B11D3 8B4508 MOV EAX,[EBP+08] <-- Get Inc/Decrease
0177:004B11D6 85C0 TEST EAX,EAX <-- is it 0?
0177:004B11D8 7E04 JLE 004B11DE <-- or a - Value?
0177:004B11DA 01410C ADD [ECX+0C],EAX <-- if not,let it add
0177:004B11DD 90 NOP
0177:004B11DE 5D POP EBP
0177:004B11DF C20400 RET 0004

--------------------------------------------------------------------------------------

Hints on Values:
----------------

Options search:
---------------

Suche Wert: 5 -------->
5
4/-1
6/+1

Unlock:
-----------
Gamestart: 0 -------->
1
not equal

Cars/Tracks:
-------------
Gamestart: 0 -------->
1
not equal
Datafields /1/ne

Invincible:
-------------
Gamestart: 0 --------> Flicker Timer
greater than
less than
equal

General Unlocking:
--------------------
Manipulate the Game, for example racing Games to always be first.
Play the Game,until a new Car/Track is unlocked and examine the
Changes.

Invincibility:
**************
- first 0
After a Collision some Timer gets initialized,wich is counted down afterwards.

Level-Skip:
***********
- most Games offer an defined Ammount of Items to get/destroy
(Example: 40 Items to destroy/Zero the Byte,and Level is skipped)

Timers:
*******
- can be stored as 2 Bytes (0801)

Lives:
******
- can be stored -1 (Display says 5 / 4 in Memory)
- can be stored as obfuscating Values 3/3 (use MemChange-Trainertool)

Weapons (Selector):
*******************
- there is mostly an Range of compares to the Adress
0001,0002,0003.....use W32Dasm to find multiple Adress compares

Cheat-Mode enable:
******************
- use W32Dasm to check for CheatMode-Text. If found, a CheatMode
is often made through a Password typed in.Patch the Password-Routine
to always enable/disable Cheat.Use a Memory-Compare-Tool to find the Byte wich
is set to enable/disable CheatMode.

Difficult Values:
-----------------
- Hard to find Timers / Level-Skip-Value Adresses can best be found
with an GameHack-Tool that has an ´Memchange´-Option like ´MTC´

***********************************************************************

Error-Fixing on Trainer-Programming:
-------------------------------------
This is an OpenProcess-Routine wich enables you to read and write to the
specified Game.The Flags are w9x/me + w2k tested.

call GetWindowThreadProcessId,eax,offset Pid

call OpenProcess,PROCESS_VM_READ OR PROCESS_VM_WRITE OR PROCESS_VM_OPERATION,0,Pid
mov PHandle,eax
cmp eax,0
jz Error

Avoid to do ReadProcessMemory into Registers!
----------------------------------------------
Under W9x/me it worked well,but w2k messed it up..
So,this is how it should look like < Example => Check that Toggle1 >

call ReadProcessMemory,PHandle,0077e7a0h,offset Toggle1,Byte4,0
add [Toggle1],064h
call WriteProcessMemory,PHandle,0077e7a0h,offset Toggle1,Byte4,0


..Cont...