[ASCII art banner: RECLAIM!]

Advanced Game Training by [sheep] a.k.a RECLAIM!
************************************************
(best viewed in 1024x768)

LESSON  : 2 (part 1)
SUBJECT : CODE INJECTION - DMA to STATIC Address.
TOOLS NEEDED: Softice, memory searcher (ur choice), gamehack.

U now have in ur possession Part 2 Section 1 of an ever expanding tutorial covering ADVANCED GAME HACKING (A.G.H).. Over the next few months i hope to write a series of tutorials covering all aspects of A.G.H.. The lessons i will be teaching in these tutorials will give u the needed skills to make the transition from NEWBIE GAME HACKER to GAME HACK REVERSER..

Before we actually start i warn u that if u dont have certain prior knowledge before attempting this tutorial then u wont get much out of it.. I suggest u most certainly read my previous tutorial, which covers DMA in full detail.. U also need to know at least the basics of the ASM language... with all that out of the way lets continue....

SOFTICE SETUP
*************

When u press CTRL-D to pop softice u should see the following windows..

REGISTER WINDOW - this window is always at the very top of the softice window (WR [return]) and displays the contents of all the registers..

DUMP WINDOW - generally situated close to the top of the softice window (WD [return]). Contains a split screen display.. one side is ascii, the other is hex.

CODE WINDOW - this is the main window..
sits just under the DUMP WINDOW (WC [return]) and contains the code of whatever process may be running when u pop softice.. the code is represented as ASSEMBLY LANGUAGE instructions..

The commands in the brackets are what u need to type to turn the different windows on.. u also need to type CODE ON.. this will bring up the OPCODES, which are the bytes displayed to the left of each ASM instruction and to the right of every memory location in the CODE WINDOW..

LESSON START
************

ok.. To achieve the final goal of defeating DMA with CODE INJECTION u will need to learn a few new concepts that u may not have come across before.. ive listed the concepts that we will be covering below...

  i)   Code Injection Theory
  ii)  Offset Theory
  iii) DMA to STATIC Outline
  iv)  DMA to STATIC Practical Code Injection

Once u have learnt the first 3 concepts u will most certainly be ready to tackle the 4th and final one... good luck :))

CODE INJECTION THEORY
*********************

Code injection is a method used by advanced game hackers to achieve certain tasks that cannot be achieved with NORMAL game training methods.. The main aim of code injection is to create a pathway FROM the main GAME loop TO ur own code.. u then jmp back to the main game loop after ur code has been executed.. what ur code does is only limited by ur knowledge of the game and of course ur knowledge of asm :)) Code injection is so flexible u can do pretty much anything u like.. breaking free of the restrictions of the normal NOP hacks....

Example...

This is a code snippet i used in my last tutorial.. its just an example so the exact addresses dont matter...

  0120:00008096 01585A       ADD  [EAX+5A],EBX
  0120:00008099 E9xxxxxxxx   JMP  500000          <--- we create our gateway here...
  0120:0000809B B486         MOV  AH,86           <--- ... and this is where we jmp back to
  0120:0000809F 55           PUSH EBP
  0120:000080A0 1E           PUSH DS
  0120:000080A1 50           PUSH EAX
  0120:000080A2 E86E078ED8   CALL D88E8815

  0120:00500000 OUR CODE!                         <--- the JMP at 8099 lands here
  0120:00500002 OUR CODE!
  0120:00500004 OUR CODE!
  0120:00500006 JMP  809B                         <--- once our code is done we jmp back..

if u destroy any valuable instructions while making ur gateway.. u must make sure u re-create them inside the OUR CODE section.. or u will most likely crash the game... Dont forget this is only the theory.. a fully detailed "HOW TO" will follow in the practical section lower down..

OFFSET THEORY
*************

We all know that DMA causes the variables of a game to change location every time we either start a new game or reboot completely.. Even though this is true.. DMA variables actually stay in the same place relative to each other.. WHAT DO I MEAN?? i hear u ask :)) ok.. ill give u an example...

  00456777 : LIFE TOTAL
  00456778 : .........
  ........ : .........
  ........ : etc......
  00456999 : BULLET TOTAL

The above diagram is a hypothetical situation of 2 DMA variables.. we have LIFE TOTAL at address 456777 and we have BULLET TOTAL at 456999. if u subtract those 2 addresses from each other u get what is called an OFFSET.. 456999h - 456777h = 222h (h = hex). u will understand why we need offsets in just a second...

OK!! I RESTART MY GAME!!!

  00659123 : LIFE TOTAL
  00659124 : .........
  ........ : .........
  ........ : etc......
  00659345 : BULLET TOTAL

Now we have restarted, the variables have changed location.. BUT!! notice the actual addresses: 659345h - 659123h = 222h. Even though the variables are allocated different memory locations they always stay the same distance apart.. this is the KEY to the whole process.. The reason they stay the same distance apart is that each variable isnt actually allocated a separate memory location.. a large chunk of memory containing most if not all game variables is allocated at run time, and the variables keep their positions inside that chunk...

Using offsets we can make a detailed map of every variable we need.. all we need to do is pick 1 variable as the MASTER and find that address every time.. from that 1 address u will instantly know where the other variables are located in memory...
Another example.... Here is a made up offset map...

  HEALTH COUNTER location = MASTER VARIABLE           <--- find this address.
  BULLETS        location = MASTER VARIABLE + 3445h
  LIVES          location = MASTER VARIABLE + 2345h
  SKILL POINTS   location = MASTER VARIABLE + 334h

now.. we start our game... and find HEALTH COUNTER..

  00657444 : HEALTH COUNTER

we can now change that map into REAL addresses.. like this..

  HEALTH COUNTER location = 657444h + 0h    = 657444h
  BULLETS        location = 657444h + 3445h = 65A889h
  LIVES          location = 657444h + 2345h = 659789h
  SKILL POINTS   location = 657444h + 334h  = 657778h

So now u can see that by making a variable map using 1 MASTER variable we can find all the other variables with offsets :)) its pretty cool stuff eh? :))) ok.. its pretty vital that u understand offsets BEFORE u go on.. if u dont understand it then go back and RE-RE-RE READ....

DMA TO STATIC OUTLINE
*********************

Once u understand at least the basics of code injecting as i explained earlier u shouldnt have too much trouble understanding the DMA to STATIC principles.. The outline goes something like this :-

We find a place in the game code that contains a POINTER to a variable we are using i.e LIVES, HEALTH, BULLETS etc.. Once we have found this POINTER we need to make sure that it is a SPECIFIC POINTER, which means it ONLY!! points to 1 location.. if the POINTER is GENERAL it will cycle through many places and manipulate many memory locations, which is useless to us...

A pointer will look something like this ..

  MOV EAX,[EBX+00000208]

EBX will contain a DMA base address.. the 208 is an offset added to EBX to form the POINTER which points to our variable (LIVES).. Lets say that we know EBX+208 = LIVES.. we now need to find out if this is a SPECIFIC pointer (points to only 1 address) and not a GENERAL pointer (points to and manipulates many addresses). we do this by placing a breakpoint on the MOV EAX,[EBX+00000208] instruction then keep pressing F5 to get out of softice..
every time softice pops up again look at the contents of EBX.. if the number inside EBX doesnt change then we know that we have a SPECIFIC pointer.. if the number inside EBX changes, even once, then this pointer is no good to us.. to get a good idea whether the address in EBX is SPECIFIC u should check the value in EBX at least 10 or 20 times to make sure its not changing...

ok, once we have found our SPECIFIC pointer.. we need to store away the DMA base value that lies inside EBX.

NOTE!! EBX doesnt always contain the DMA base value.. it could be any REGISTER.. u need to look at the pointer and see what REGISTER IS USED.. ie..

  MOV EAX,[EBX+00000208]   <-- EBX contains the store away value
  MOV EAX,[ECX+00004564]   <-- ECX contains the store away value
  MOV EAX,[EDX+00001122]   <-- EDX contains the store away value
  MOV EAX,[ESI+00000234]   <-- ESI contains the store away value
  MOV EAX,[EDI+00004408]   <-- EDI contains the store away value

just keep all that in mind.. pointers can take on many forms but i think the above code is more than likely the type of thing u will encounter in most games...

ok.. so we need to store our DMA base value away into static memory.. we do this by creating a pathway to our own code (code injection).. our code will then place the DMA base value thats inside EBX into a static address so that our trainer can read that address every time.. create its own pointer by adding offsets to it.. and then poke values into that pointer..

Here is a diagram to explain it a little more.... We have found our pointer.. below

Before we make our gateway...
-----------------------------

  0041A736 MOV EAX,[EBX+00000208]          <----- pointer here...
  0041A73C FLD REAL4 PTR [EBX+000000CC]
  0041A742 FDIV REAL4 PTR [EBX+000000C8]
  0041A748 MOV [00786CA4],EAX

After we make our gateway...
----------------------------

  0041A736 JMP 9000000                     <----- gateway has been created..
  0041A73C FLD REAL4 PTR [EBX+000000CC]
  0041A742 FDIV REAL4 PTR [EBX+000000C8]
  0041A748 MOV [00786CA4],EAX

Our code section...
-------------------

  09000005 MOV EAX,[EBX+00000208]   ; re-create the instruction we destroyed to make our gateway
  09000010 MOV [9000100],EBX        ; mov DMA base value in ebx into a static address..
  09000015 JMP 41A73C               ; Jump back to main game loop..
  09000100 0000000000               ; location to store value from EBX

Once the above code has been executed u can now read the value from 9000100, and even when the game changes its memory locations ur code will put the correct value back inside 9000100.. so all u need to do is read that value.. add 208 to it and u have the exact location of LIVES.. remember?? lives = EBX+208... thats pretty much the whole deal.. apart from the code that reads the value from 9000100, but ill show u that in the PRACTICAL section below... dont worry if all that was a bit much to take in.. keep flipping back to this section to re-read.. with the fully explained PRACTICAL section u should be able to put them both together and understand it all..

DMA TO STATIC PRACTICAL CODE INJECT
***********************************

The game ive chosen for this tutorial is called SPACE TRIPPER.. (thanks keyboardjunkie) u can dload it from here.. http://www.pompom.org.uk/STpage1.htm

lets start...

First thing we need to do is find a MASTER variable.. ive chosen LIVES.. unfortunately this game is a bit of a bitch for finding the LIVES value.. but with a little asm knowledge (which u all should have by now :)) u will be fine...

oki.. we do the usual search.. die.. search.. die.. If u do it correctly u will only find 1 address .. and it will be this..

  786ca4

If u try and change this location u will notice that the screen updates but thats about it.. u still have the same amount of LIVES as before. thats because u havent found the REAL address for LIVES.. dont worry!! i didnt expect u to.. ill tell u why..
this game doesnt just allocate memory every time u start a new game.. it allocates memory every time u die.. so its impossible for u to find the REAL value with a mem searcher.. thankfully the ON SCREEN variable is STATIC.. so from this variable we can quickly find the REAL value.. This is how its done...

Using softice place a breakpoint on the ON SCREEN variable like this..

  type BPM 786ca4 W (return)

lose a life.. softice POPS!!!! u should see this...

  0041A736 8B8308020000 MOV EAX,[EBX+00000208]        ; pointer moves REAL LIVES into EAX (EAX = 2)
  0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC]
  0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]
  0041A748 A3A46C7800   MOV [00786CA4],EAX            ; Move REAL LIVES value into ON SCREEN variable
                                                       ; (ON SCREEN variable = 2)

As u can see [EBX+00000208] is a POINTER to the REAL LIVES address in memory.. EBX will contain a DMA base address which we need to store away and 208 is added to it so that EBX+208 = REAL LIVES. The value from the REAL LIVES location is moved into EAX and then EAX is placed into the ON SCREEN variable memory location...

to prove all this u need to do this.. In softice..

  type D EBX+208 (return)

Now edit the memory location in the top left hand corner of the DUMP window and ur lives will update properly.. showing u that we have found the REAL LIVES memory location...

Luckily enough we have found 2 vital things with just 1 breakpoint.. we have found the REAL LIVES memory address.. and we have also found a potential POINTER to use in our CODE INJECTION.. lets see if this POINTER is SPECIFIC or GENERAL.. once again we take to softice..

First of all we need to clear all other breakpoints so ...

  type BC* (return)

then place a breakpoint on the 41a736 address...

  type BPX 41A736 (return)

then press F5 to get out of softice.. softice should POP!! straight away.. Look at the content of EBX.. has the value changed?? keep pressing F5.. keep looking at the EBX content :)) is the value inside EBX changing?? if no!! we are IN!!!
YAY!!! So, now we have found a valid place to inject and save our POINTER into a static memory address.. all we need to do now is find a nice place to put OUR CODE!! u can do this a few ways..

1. Look up and down the code close to where u are injecting and see if there is a large cluster of NOPs.. (this is empty code).. also a large cluster of 0's signals a good OUR CODE location as well..

2. If nothing turns up close to ur injecting address then do a search in softice for 909090909090.. read the manual if u dont know how to search.. u should do by now..

3. This is the method i use.. people tell me that they have encountered problems with this method but ive created about 20 to 30 trainers using it and its never given me a NON working trainer.. so until it does ill continue to use it..

   i)   type TASK (return) inside softice..
   ii)  find the name of ur game window..
   iii) type MAP32 (return)
   iv)  this will bring up all the sections of the game.. what we want to do is add code onto the end of the data section.. here is what i get from Space Tripper...

  :map32 spacetripper
  Owner       Obj Name  Obj#  Address        Size      Type
  SPACETRIPP  .text     0001  017F:00401000  0004BE10  CODE  RO
  SPACETRIPP  .data     0002  0187:0044D000  00006718  IDATA RW
  SPACETRIPP  .bss      0003  0187:00454000  0035CDB4  UDATA RW
  SPACETRIPP  .idata    0004  0187:007B1000  000014F0  IDATA RW
  SPACETRIPP  .rsrc     0005  0187:007B3000  0000095C  IDATA RO SHARED

The .data section starts at 44d000 but we need to use the end of the data section (there is usually a lot of buffered space on the end of the data section so we can happily use it without messing with any REAL data used by the game). so what we do is look at the next section down.. which is .bss. the start of the .bss section is just after the very end of the .data section.. (44d000 + 6718 = 453718, so the bytes from 453718 up to the .bss start at 454000 are slack on the end of the .data section) so, lets hunt for a nice place to put OUR CODE.. inside softice again...

  type D 454000 (return)

Just to be on the safe side we need to scroll the dump window up a bit.. so that we are on the end of the data section..
u will notice that when we scroll upwards the text at the top of the dump window will change.. from SPACETRIPPER! .bss to SPACETRIPPER! .data+ .. to scroll the dump window up u need to do this..

  type EB (return)

then use the PAGE UP / PAGE DOWN keys to move the window up and down :))

ive decided that 453f00 is a good place for us to place our code.. so the first thing u need to do is write that memory address down.. so that u dont forget it...

now we have the address of OUR CODE.. we need to go back to the pointer at (41a736) and make our gateway.. it should still be inside ur code window but if it isnt then do this..

  type U 41a736 (return)

that will place 41a736 at the top of ur CODE window.. now we create the gateway...

***NOTE!!*** The next steps are all done one after the other .. u cannot break in the middle of them or attempt to come out of softice or u will crash the game....

  type A 41a736 (return)
  type jmp 453f00 (return)
  type nop (return)         ( we need this nop to balance the opcodes and to avoid a crash: the JMP is 5 bytes but the MOV it replaces is 6 )
  type (return)             ( this return on its own will take us out of (A)ssemble mode )

at this point u should see the code window change from...

ORIGINAL CODE...

  0041A736 8B8308020000 MOV EAX,[EBX+00000208]
  0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC]
  0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]
  0041A748 A3A46C7800   MOV [00786CA4],EAX

to AFTER GATEWAY CREATED...

  0041A736 E9C5970300   JMP 00453F00
  0041A73B 90           NOP
  0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC]      <-- we jmp back here after OUR CODE..
  0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]
  0041A748 A3A46C7800   MOV [00786CA4],EAX

ok.. next steps...

  type U 453f00 (return)
  type A 453f00 (return)

we are now ready to create the OUR CODE section... First we must re-create the instruction that we destroyed to make our gateway...

  type mov eax,[ebx+208] (return)

Now we need to store the POINTER into a static memory address.. all of the addresses around u are static.. so u can pick any one u like..
nothing too close to the code section .. i have chosen 453f30....

  type mov dword ptr [453f30],ebx (return)

Now finally we need to jump back to the game code...

  type jmp 41a73c (return)    <-- 41a73c is just after our NOP instruction in the gateway...
  type (return)               <-- gets u out of (A)ssemble mode..

ok.. after alllll that... ur code locations should look like this....

GATEWAY SECTION...

  0041A736 E9C5970300   JMP 00453F00
  0041A73B 90           NOP
  0041A73C D983CC000000 FLD REAL4 PTR [EBX+000000CC]
  0041A742 D8B3C8000000 FDIV REAL4 PTR [EBX+000000C8]
  0041A748 A3A46C7800   MOV [00786CA4],EAX

OUR CODE SECTION...

  00453F00 8B8308020000 MOV EAX,[EBX+00000208]
  00453F06 891D303F4500 MOV [00453F30],EBX
  00453F0C E92B68FCFF   JMP 0041A73C
  00453F11 0000         ADD [EAX],AL
  00453F13 0000         ADD [EAX],AL

if ur code does not mirror mine then u have done something wrong.. u need to go back and redo it...

NOW!! if u HAVE the same code as me.. which u should have.. u can now press F5 to exit softice.. and the game should be running fine... we can now do something pretty cool to demonstrate that this is ACTUALLY working....

go back into softice with CTRL-D..

  type D *453f30+208 (return)

(if it says something like INVALID ADDRESS, u need to exit softice and then re-enter again... the game has to run through the gateway at least once before 453f30 holds a value)

if all goes to plan in the top left hand corner of the dump window u will see the REAL LIVES address.. u can modify this and ur lives will change..

NOW FOR THE COOL PART!!! lose all ur lives.. so that it says GAME OVER.. start a new game.. (dont reload the game) just start a new game... if u look at the dump window.. u will notice that the LIVES location has changed.. OBVIOUSLY!! ITS DMA !! :))) but.. our code is still doing its job... its still storing away the dma value at our static address so all u need to do to find the REAL lives value again.. is type that command...

  type D *453f30+208 (return)

and now in the top left hand corner of the dump window u will see the REAL LIVES address again.. pretty damn cool eh??
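The opcode bytes in the GATEWAY and OUR CODE listings above can be derived rather than copied. As an added example (not code from the tutorial), this C program encodes the gateway JMP and the OUR CODE section from the addresses in the listing, so the bytes a trainer pokes (see the FINAL WORDS section) can be checked before anything is written into a process; it assumes only the addresses and instruction lengths shown above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GATEWAY_ADDR  0x0041A736u /* MOV EAX,[EBX+208] that the gateway overwrites */
#define RETURN_ADDR   0x0041A73Cu /* first intact instruction after it: FLD [EBX+CC] */
#define CAVE_ADDR     0x00453F00u /* OUR CODE section in the slack of .data */
#define STATIC_SLOT   0x00453F30u /* static dword that receives EBX (the DMA base) */
#define DISPLACED_LEN 6u          /* length of the MOV the gateway destroys */

/* E9 rel32: the displacement is relative to the END of the 5-byte JMP.
 * Unsigned wraparound yields the right bytes for backward jumps too. */
static void encode_jmp_rel32(uint32_t from, uint32_t to, uint8_t out[5]) {
    uint32_t rel = to - (from + 5u);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)
        out[1 + i] = (uint8_t)(rel >> (8 * i)); /* little-endian */
}

/* GATEWAY: JMP cave, then NOP-pad to the length of the displaced instruction so
 * the listing stays clean. The pad is never executed, which is why the tutorial's
 * trainer gets away with poking only the first 5 bytes. */
static size_t build_gateway(uint8_t *out, size_t cap) {
    if (cap < DISPLACED_LEN) return 0;
    encode_jmp_rel32(GATEWAY_ADDR, CAVE_ADDR, out);
    memset(out + 5, 0x90, DISPLACED_LEN - 5u);
    return DISPLACED_LEN;
}

/* OUR CODE: re-create MOV EAX,[EBX+208], store EBX, jump back past the NOP.
 * Returns 17, the byte count the tutorial's trainer pokes at 453f00. */
static size_t build_cave(uint8_t *out, size_t cap) {
    static const uint8_t mov_eax_ebx208[6] = {0x8B, 0x83, 0x08, 0x02, 0x00, 0x00};
    uint8_t mov_slot_ebx[6] = {0x89, 0x1D}; /* 89 1D disp32 = MOV [disp32],EBX */
    size_t n = 0;
    if (cap < 17) return 0;
    for (int i = 0; i < 4; i++)
        mov_slot_ebx[2 + i] = (uint8_t)(STATIC_SLOT >> (8 * i));
    memcpy(out + n, mov_eax_ebx208, 6); n += 6;
    memcpy(out + n, mov_slot_ebx, 6);   n += 6;
    encode_jmp_rel32(CAVE_ADDR + (uint32_t)n, RETURN_ADDR, out + n); n += 5;
    return n;
}

static void dump(const char *label, uint32_t addr, const uint8_t *b, size_t n) {
    printf("%s @ %08X:", label, addr);
    for (size_t i = 0; i < n; i++) printf(" %02X", b[i]);
    printf("\n");
}

int main(void) {
    uint8_t gw[8], cave[32];
    /* Write order matters: the cave must exist before the gateway points at it. */
    dump("OUR CODE", CAVE_ADDR, cave, build_cave(cave, sizeof cave));
    dump("GATEWAY ", GATEWAY_ADDR, gw, build_gateway(gw, sizeof gw));
    return 0;
}
```

On a system that enforces DEP, code placed in the RW .data slack would fault instead of running; the tutorial's target predates that protection.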
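The D *453f30+208 step above is exactly what a trainer later repeats with READPROCESSMEMORY. As an added example that is not part of the tutorial, this C program models the game's memory with a small sparse region table (the object addresses 659000 and 712000 are constructed, not from the game) and shows the trainer resolving REAL LIVES through the static slot, including the two failure cases: the slot still being empty, and a stale base right after a new game before the cave has run again.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define STATIC_SLOT 0x00453F30u /* injected MOV [453F30],EBX writes here */
#define LIVES_OFF   0x208u      /* REAL LIVES = DMA base + 208 */
/* Sparse model of the game's address space: a few mapped regions. */
struct region { uint32_t base; uint8_t *bytes; uint32_t len; };
struct sim    { struct region r[2]; int n; };
static uint8_t *locate(struct sim *s, uint32_t addr, uint32_t want) {
    for (int i = 0; i < s->n; i++) {
        struct region *r = &s->r[i];
        if (addr >= r->base && addr - r->base + want <= r->len)
            return r->bytes + (addr - r->base);
    }
    return NULL; /* unmapped: what softice reports as INVALID ADDRESS */
}
static int read32(struct sim *s, uint32_t addr, uint32_t *v) {
    const uint8_t *p = locate(s, addr, 4);
    if (!p) return 0;
    *v = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    return 1;
}
static int write32(struct sim *s, uint32_t addr, uint32_t v) {
    uint8_t *p = locate(s, addr, 4);
    if (!p) return 0;
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
    return 1;
}
/* Constructed process: the .data slack around 453F00 plus one game object
 * allocated at obj_base (the value the game loop carries in EBX). */
static struct sim *demo_sim(uint32_t obj_base) {
    static uint8_t data_slack[0x100], game_obj[0x300];
    static struct sim s;
    memset(data_slack, 0, sizeof data_slack);
    memset(game_obj, 0, sizeof game_obj);
    s.r[0] = (struct region){0x00453F00u, data_slack, (uint32_t)sizeof data_slack};
    s.r[1] = (struct region){obj_base, game_obj, (uint32_t)sizeof game_obj};
    s.n = 2;
    return &s;
}
/* New game: the object moves (DMA) and the old address is no longer mapped. */
static void new_game(struct sim *s, uint32_t new_base) {
    memset(s->r[1].bytes, 0, s->r[1].len);
    s->r[1].base = new_base;
}
/* The injected code's only job, done on every pass through the gateway. */
static int injected_store(struct sim *s, uint32_t ebx) { return write32(s, STATIC_SLOT, ebx); }
/* Trainer side: *453F30 + 208. Fails cleanly until the cave has run. */
static int trainer_lives_addr(struct sim *s, uint32_t *addr) {
    uint32_t base;
    if (!read32(s, STATIC_SLOT, &base) || base == 0) return 0;
    *addr = base + LIVES_OFF;
    return locate(s, *addr, 4) != NULL;
}
static int trainer_poke_lives(struct sim *s, uint32_t lives) {
    uint32_t addr;
    return trainer_lives_addr(s, &addr) && write32(s, addr, lives);
}
int main(void) {
    struct sim *s = demo_sim(0x00659000u);   /* first game: EBX = 659000 */
    uint32_t addr;
    injected_store(s, 0x00659000u);          /* game loop passes the gateway */
    if (trainer_lives_addr(s, &addr)) printf("REAL LIVES @ %08X\n", addr);
    return 0;
}
```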
:)) we have defeated DMA .. the DMA base address will ALWAYS!!! be stored at 453f30 and all u need to do is add 208 to it.. and u get the REAL LIVES address...

FINAL WORDS
***********

What can we do with this?
-------------------------

im sure the clever ones out there have already worked out how to use this in ur trainers.. but for those who are a little slower on the uptake ill explain... once ur code is injected into the game.. u can then use READPROCESSMEMORY to gather the dma base address from 453f30.. then u just poke values into DMA_BASE_ADDRESS+208.. its as simple as that...

Injecting ur Code Injection! :)
-------------------------------

Once u have done all that u obviously dont wanna go through all those steps every time u need to inject ur code.. so u must create a trainer to inject the code for u.. its very simple.. in fact its the same process as ALL trainers.. except u will be dealing with more bytes than usual....

Example for this tutorial...
----------------------------

For the code injection to work every time.. this is what u would need to poke in ur trainer..

  At address 41a736.. u would need to poke E9,C5,97,03,00
  At address 453f00.. u would need to poke 8B,83,08,02,00,00,89,1D,30,3F,45,00,E9,2B,68,FC,FF

and thats it.. u will be able to read the DMA base address from 453f30.. basically all u do is poke all the OPCODES of the instructions we just wrote back into the correct memory locations...

WORD OF WARNING!! always poke the OUR CODE section OPCODES first... then the GATEWAY OPCODES.. (if the gateway goes in first the game can jump into a cave that hasnt been written yet and crash)

PHEW!!! another tutorial finished.. man!! its a lot of work..

*******************************************************************************************

If u have any questions or comments then email me at... RECLAIM22@HOTMAIL.COM

visit my site for more tutorials.. http://WWW.SHEEPREC.CJB.NET

I would just like to greet some people that support and inspire me....
Odin, MiraMax, Keyboard Junkie, Calligula, Orr, DarkLighter, Kilby, LordFinal, EverLast, MiNiSTER, [NTSC], [Drone], Rizzah, Bengi... No order.. just GREAT people.. If i missed anyone.. grab me and ill add u next time :))

PLEASE FEEL FREE TO SPREAD THIS DOCUMENT TO ANY SITES!!!!!