Advanced Game Training by [sheep] a.k.a RECLAIM!
------------------------------------------------
(best viewed in 1024x768)

LESSON : 1.
SUBJECT: DMA - Dynamic Memory Allocation.
TOOLS NEEDED: Softice, memory searcher (ur choice).

U now have in ur possession part 1 of an ever expanding tutorial covering ADVANCED GAME HACKING (A.G.H).. Over the next few months I hope to write a series of tutorials covering all aspects of A.G.H.. The lessons I will be teaching in these tutorials will give u the skills needed to make the transition from NEWBIE GAME HACKER to GAME HACK REVERSER..

Apart from the beginner stuff I'm about to introduce, I've never seen any of the information in my tutorials written anywhere else.. this may be due to people either not wanting to give out advanced information that has taken them a long time to study OR.. they just can't be bothered to write an extensive essay about this subject.. either way it doesn't matter, because u are about to learn ALL!!

LESSON START
------------

WHAT IS DMA?
------------

I'm sure u have all heard about DMA by now.. understanding what this is and how to defeat it are the first steps of a mighty ladder. I'll try and stick to telling u how DMA affects us (THE GAME HACKER) and not stray into too much technical detail..

When a game uses DMA the memory locations it uses are allocated dynamically, whereby the game grabs the next available slot of memory and gives it to whoever asked for it..
Generally there are so many variations going on while ur computer is running that it's very unlikely the memory locations u get on one occasion will be the same the next time u reload the game.. this is why ur trainers only work just after u have collected the addresses and NOT once u have reloaded.. Once the game is reloaded it will grab a whole NEW set of memory locations for itself, thus making ur OLD set of memory locations useless.

To defeat DMA and create a trainer that will work 100% of the time u need to come out of the realms of the NEWBIE and into the NEW LAND :)

NEW TOOL!
---------

This is where we start adding NEW tools to our cheater's arsenal.. the first tool we need to add is called SOFTICE, a software debugger that enables u to manipulate the game code on the fly, which means while the game is still running.. I won't go into installing softice in this tutorial.. there are plenty of other tutorials that do that for u.. so from here on I'll assume u already have it installed.

SOFTICE SETUP
-------------

When u press CTRL-D to pop softice u should see the following windows..

REGISTER WINDOW - this window is always at the very top of the softice window (WR [return]) and displays the contents of all the registers..

DUMP WINDOW - generally situated close to the top of the softice window (WD [return]); contains a split screen display.. one side is ASCII, the other is hex.

CODE WINDOW - this is the main window.. sits just under the DUMP WINDOW (WC [return]); contains the code of whatever process may be running when u pop softice.. the code is represented as ASSEMBLY LANGUAGE instructions..

The commands in the brackets are what u need to type to turn the different windows on.. also u need to type CODE ON.. this will bring up the OPCODES, which are the bytes displayed to the left of each ASM instruction and to the right of every memory location in the CODE WINDOW..
(if u don't understand any ASM then I suggest u go away now and read up on a basic tutorial)

DEFEATING DMA
-------------

THEORY
------

At the end of this section I will show u how DMA is defeated IN PRACTICE.. I'll use a game I've recently trained, showing u code listings so that u can apply the theory to a practical example.. so don't worry if I'm not going into too much detail about setting breakpoints etc.. it will all be covered in the PRACTICAL section....

As we cannot change the memory locations of a DMA game we need to get right to the core, and by that I mean the GAME CODE.. once u have found ur memory locations in a NON-DMA game u generally make ur trainer poke numbers into the locations u have found, and this makes an effective trainer.. we know that this doesn't work for DMA, so what we have to do is STOP the game code from decreasing our locations.. we do this by WATCHING what happens to our memory locations while the game is running.. thankfully we don't need to sit there and do the WATCHING ourselves.. our new friend SOFTICE does it all for us..

example... let's say I have 5 lives and the location of these lives is 490000. We can all think logically, so we know that when we die in the game the GAME CODE will decrease the location 490000 by 1.. We need to stop this from happening..

The way we do this is by setting something called a BREAKPOINT.. there are a few kinds of breakpoint available to us, but the one we need at the moment is a MEMORY BREAKPOINT.. this breakpoint will WATCH a memory location for us.. if anything should affect our memory location then softice will pop at the exact piece of code that affected it.. this means that when we die inside the game and the GAME CODE decreases our lives, softice will pop and we will find ourselves looking at the GAME CODE that decreases our lives.. GOOD STUFF EH? :)

Unfortunately this is where it starts to get tricky.. u NEED to be able to understand what u are looking at..
by this I mean u HAVE to learn at least the basics of ASSEMBLY LANGUAGE.. for some people this is too much and that's why they have given in.. but for many I know u have struggled and stuck to it and have at least got a small understanding of ASM..

GAME CODE
---------

There is something VERY advantageous about GAME CODE.. IT NEVER CHANGES LOCATION.. that's right.. on every single game, EVEN DMA GAMES.. if we find the GAME CODE that decreases our lives at 453000 then u can bet ur life that the next time u load the game the EXACT same code is at 453000, and this is the key to defeating DMA.. instead of poking values into DATA memory locations.. we are going to poke values into CODE memory locations.. actually they are the same thing fundamentally, they just behave in different ways..

CODE KILLING
------------

This is what u will see inside softice..

    ADDRESS...... OPCODES............ ASSEMBLY LANGUAGE.....
    0120:00008096 01585A             ADD [EAX+5A],EBX
    0120:00008099 7404               JZ 0000809F
    0120:0000809B B486               MOV AH,86
    0120:0000809D EB17               JMP 000080B6
    0120:0000809F 55                 PUSH EBP
    0120:000080A0 1E                 PUSH DS
    0120:000080A1 50                 PUSH EAX
    0120:000080A2 E86E078ED8         CALL D88E8815

This is just a random code snippet taken from softice.. it has nothing to do with a GAME of any kind, I just wanted to show u what was what when it came to the CODE WINDOW display, as this is the place u will be spending most of ur time... now I will show u a section of code taken from a message board.. this is from a REAL GAME:

    ADDRESS...... OPCODES........ ASSEMBLY LANGUAGE.......
    016F:xxxxxxxx 0000           MOV EAX,[EDI]
    016F:xxxxxxxx 0000           DEC EAX
    016F:xxxxxxxx 0000           MOV [ESI+0C],ECX
    016F:xxxxxxxx 0000           MOV [EDI],EAX
    016F:xxxxxxxx 0000           MOV EDI,EAX

Ok, the assembly instructions are the only valid thing in the above code; the rest have been filled with 0000 for the opcodes or xxxxxxxx for the addresses.. these are not important at this time anyway....

The above code probably means absolutely nothing to u, and don't worry, because it shouldn't..
NOW!!! let me add a story and some comments to the above code...

We are playing a game... we have got 20 LIVES.. we find the location of these LIVES at 445566.. we place a breakpoint on this location inside softice, so that when something affects our LIVES softice will pop and we can see the code that is affecting them...

WE FALL DOWN A HOLE AND DIE!!!! BANG!!!! SOFTICE POPS!!!!! this is what we see.....

    ADDRESS...... OPCODES........ ASSEMBLY LANGUAGE.......
    016F:xxxxxxxx 0000           MOV EAX,[EDI]      <------ number of LIVES we already had is read from [EDI] and placed into EAX. (EDI=445566) (EAX=20)
    016F:xxxxxxxx 0000           DEC EAX            <------ EAX is decreased by 1 (EAX = 19)
    016F:xxxxxxxx 0000           MOV [ESI+0C],ECX   <------ store ECX.
    016F:xxxxxxxx 0000           MOV [EDI],EAX      <------ place NEW LIVES amount back into location 445566. (EDI=445566) (EAX=19)
                                                     SOFTICE LANDS HERE, UNDER THE INSTRUCTION THAT AFFECTED THE LIVES....
                                                     |
                                                     |
    016F:xxxxxxxx 0000           MOV EDI,EAX

I hope the picture has become clearer to u now.. the lives are read from our location, then decreased by 1, and then placed back into our location.. I'm sure the clever ones reading this will already have figured out what we have to do.. but for the slower chaps I'll continue :)

    016F:xxxxxxxx 48             DEC EAX            <------ EAX is decreased by 1 (EAX = 19)

Ok.. this is the NASTY instruction that is killing our poor little character... as u can see I've put in the REAL OPCODE for this instruction, it's 48.. This instruction decreases our lives by 1 each time.. what we need to do is GET RID OF IT!! if we do then there is nothing to kill our little character and he can live forever.... :)

Thankfully we can do this within softice.. u need to replace the DEC EAX with something else.. the all time fave for replacing stuff that isn't needed is an equally small instruction called NOP, which is NO-OPERATION.. that's correct.. when this instruction is executed absolutely nothing is done.. so KEEP this little NOP by ur side at all times..
so if we replace

    016F:xxxxxxxx 48             DEC EAX            <------ EAX is decreased by 1 (EAX = 19)

with..

    016F:xxxxxxxx 90             NOP                <------ NO OPERATION

then we have infinite lives.. it's as easy as that..

THE THING ABOUT NOP
-------------------

When u are replacing instructions inside a program u have to make sure that if an instruction has 5 opcode bytes then u MUST replace it with 5 opcode bytes.. example...

    0120:00008121 E86C04EB10         CALL 10EB8592

if I wanted to get rid of the above call I couldn't just put 1 NOP.. because NOP is only 90 I need to FILL E8-6C-04-EB-10, so instead of just NOP (90) I would need 5 NOPS, 90-90-90-90-90, otherwise the program will most definitely crash on u... so once u have replaced this call it should look like this...

before...

    0120:00008121 E86C04EB10         CALL 10EB8592

after.... (NOP is a single byte, so the five NOPs occupy five consecutive addresses)

    0120:00008121 90                 NOP
    0120:00008122 90                 NOP
    0120:00008123 90                 NOP
    0120:00008124 90                 NOP
    0120:00008125 90                 NOP

MAKING THE DMA TRAINER
----------------------

A DMA trainer is no different in any way to a NORMAL trainer.. all u are doing is poking values into the CODE section instead of the DATA section.. example... replace..

    016F:00412345 48                 DEC EAX            <------ EAX is decreased by 1 (EAX = 19)

with..

    016F:00412345 90                 NOP                <------ NO OPERATION

Same code, but this time I've added the address and the correct OPCODES.. if I wanted to make a trainer that worked 100% on this DMA game, all I need to do is poke 90 (NOP) into location 412345.. this would turn the DEC EAX into a NOP and the game would have infinite lives.. no need to worry about DMA locations anymore.. 412345 WILL ALWAYS!!! be the place to poke 90 and get infinite lives.. GAME CODE DOES NOT CHANGE LOCATION!!!

As I said at the beginning I haven't gone into much detail about how to set breakpoints etc. This will all be taken care of in the next part of the tutorial..
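The two rules in the sections above (replace an instruction with exactly as many NOP bytes as it has, and poke into the CODE section at a fixed address) are easy to get wrong by hand, so here is an added example, written for this edit and not part of the original tutorial, of a small patcher that applies them. It verifies that the bytes at the target address really are the instruction it is told to remove before writing anything, which is the check u want in a trainer: if the game has been updated or the module is loaded somewhere else, the bytes will not match and the patcher refuses rather than corrupting unrelated code. The byte images, base addresses and the x86 encodings of the lives routine are constructed for this example from the listings above; the function names are my own.

```python
"""
Added example (not part of the original tutorial): a byte-level patcher that applies
the "N opcode bytes out, N NOPs in" rule and refuses to write unless the bytes at the
target address are exactly the instruction it is told to remove.  All images and
addresses below are constructed for illustration from the tutorial's listings.
"""

NOP = 0x90  # one-byte x86 NOP

# Constructed image of the lives routine, encoded as real x86 bytes:
#   MOV EAX,[EDI]     8B 07
#   DEC EAX           48        <- the instruction we want gone (at 00412345)
#   MOV [ESI+0C],ECX  89 4E 0C
#   MOV [EDI],EAX     89 07
#   MOV EDI,EAX       8B F8
LIVES_BASE = 0x00412343
LIVES_CODE = bytes.fromhex("8b07" "48" "894e0c" "8907" "8bf8")

# Constructed image of the 5-byte CALL from "THE THING ABOUT NOP":
#   0120:00008121  E8 6C 04 EB 10  CALL 10EB8592
CALL_BASE = 0x00008121
CALL_CODE = bytes.fromhex("e86c04eb10")


def nop_patch(image: bytes, base: int, target: int, expected: bytes) -> bytes:
    """Return a copy of image with the instruction at target replaced by NOPs.

    image    - bytes of a code section that is loaded at virtual address base
    target   - virtual address of the instruction to remove
    expected - the exact opcode bytes of that instruction (b"\\x48" for DEC EAX)

    The number of NOPs written is len(expected), so a 5-byte CALL gets five 90s
    and the next instruction still starts on its original boundary.  If the bytes
    at target are not the expected ones (different build, rebased module, or
    already patched) nothing is written and ValueError is raised instead.
    """
    offset = target - base
    if offset < 0 or offset + len(expected) > len(image):
        raise ValueError(f"target {target:08X} is outside the image")
    found = image[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(
            f"bytes at {target:08X} are {found.hex().upper()}, "
            f"expected {expected.hex().upper()}"
        )
    patched = bytearray(image)
    patched[offset:offset + len(expected)] = bytes([NOP]) * len(expected)
    return bytes(patched)


def is_patched(image: bytes, base: int, target: int, nbytes: int) -> bool:
    """True if the nbytes at target are already NOPs (check before re-applying)."""
    offset = target - base
    return image[offset:offset + nbytes] == bytes([NOP]) * nbytes


def split_instructions(image: bytes, base: int, lengths: list[int]) -> list[tuple[int, str]]:
    """Cut image into instructions of the given byte lengths; return (address, opcodes).

    This reproduces the ADDRESS / OPCODES columns of the softice code window: each
    address advances by the size of the previous instruction, so five one-byte
    NOPs occupy five consecutive addresses.
    """
    out = []
    addr = base
    offset = 0
    for n in lengths:
        chunk = image[offset:offset + n]
        if len(chunk) != n:
            raise ValueError("instruction lengths run past the end of the image")
        out.append((addr, chunk.hex().upper()))
        addr += n
        offset += n
    return out


if __name__ == "__main__":
    # DEC EAX (1 byte) -> 1 NOP; the rest of the routine is untouched
    lives = nop_patch(LIVES_CODE, LIVES_BASE, 0x00412345, b"\x48")
    for addr, ops in split_instructions(lives, LIVES_BASE, [2, 1, 3, 2, 2]):
        print(f"016F:{addr:08X} {ops}")
    # CALL (5 bytes) -> 5 NOPs at 8121, 8122, 8123, 8124, 8125
    call = nop_patch(CALL_CODE, CALL_BASE, CALL_BASE, CALL_CODE)
    for addr, ops in split_instructions(call, CALL_BASE, [1] * 5):
        print(f"0120:{addr:08X} {ops}")
    # Applying the same patch twice is refused: the bytes are now 90, not 48
    try:
        nop_patch(lives, LIVES_BASE, 0x00412345, b"\x48")
    except ValueError as e:
        print("refused:", e)
```

Run it as a script to print the before/after listings; the expected-bytes check is the part worth keeping in any real trainer, since poking 90 blindly into an address that no longer holds the instruction u think it does is the usual way a "100% working" trainer turns into a crash.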
PRACTICAL EXAMPLE (Serious Sam 2)
---------------------------------

As I don't like to do things by half I will now show u a practical approach to defeating DMA with code listings and softice commands.. this is just a backup of what is written above.. after this u should be able to understand the entire tutorial.. that is if u don't already :)...

These code listings and commands all come from the game SERIOUS SAM 2.. u don't need to go and find this game, but if u have it then it will make it a lot easier for u to have a go with what we have learnt today... On this game I've decided to show u BULLETS instead of lives because the life total in SS2 is worked out slightly differently (something I will be tackling in another tutorial).

ok.. let's begin..

1. I did a normal EXACT VALUE search to find the address for the bullets.. I got the address 6AFEF28.

2. I POPPED softice with CTRL-D so that I could set a breakpoint on the bullets location..

3. Inside softice I typed BPM 6AFEF28 W (the W means WRITE, so whenever something writes to our address softice will pop), then I pressed RETURN to set the breakpoint..

4. Return to the game.. SHOOT! BANG! SOFTICE POPS!

5. I scrolled the code window up a bit and this is the code listing...

    ADDRESSES.... OPCODES............ ASSEMBLY LANGUAGE.........
    017F:60570C50 55                 PUSH EBP
    017F:60570C51 8BEC               MOV EBP,ESP
    017F:60570C53 A1E8625E60         MOV EAX,[605E62E8]
    017F:60570C58 8B08               MOV ECX,[EAX]
    017F:60570C5A FF15E4625E60       CALL [605E62E4]
    017F:60570C60 8B4854             MOV ECX,[EAX+54]
    017F:60570C63 85C9               TEST ECX,ECX
    017F:60570C65 7508               JNZ 60570C6F
    017F:60570C67 8B4508             MOV EAX,[EBP+08]   <--- Address of BULLETS
    017F:60570C6A 8B4D0C             MOV ECX,[EBP+0C]   <--- Amount of BULLETS to decrease by. (ECX=1)
    017F:60570C6D 2908               SUB [EAX],ECX      <--- subtract ECX (1) from BULLETS
    017F:60570C6F 5D                 POP EBP            <--- WE LAND HERE WHEN SI POPS
    017F:60570C70 C3                 RET

As u can see, even though it's not the same code as before, it's VERY similar..
that's the good thing about ASM: there are only a couple of instructions that decrease the value of an address, so they are easy to spot most of the time.. this time they use SUB.. which means SUBTRACT.. ok.. to defeat this we need to get rid of that SUB instruction...

6. I typed A 60570C6D then pressed return.. this lets me manipulate the code at location 60570C6D..

7. I typed NOP [return] NOP [return] (the returns mean I pressed return :) just to clear any confusion).. I used 2 NOPs because, remember, we need to get rid of 2 bytes of OPCODES, 29-08, so we need to replace them with 2 bytes of our own OPCODES, 90-90..

8. I then pressed return a 3rd time without entering anything and softice drops out of assemble mode..

9. Now we are all done and ready to test it.. CTRL-D got me back into the game.. I now have infinite bullets.. and the DMA is defeated.. don't forget.. game code doesn't change location.. to make a 100% working bullet trainer for this game all u need to do is poke 90,90 into location 60570C6D...

WELL!! we have come to the end of this tutorial.. I hope u managed to follow it and obtain all the knowledge u need to defeat DMA.. keep a look out for other tutorials in this series..

If u have any problems or questions then please email me at sheeprec@operamail.com and please be patient for a reply...

PLEASE FEEL FREE TO SPREAD THIS DOCUMENT TO ANY SITES!!!!!