Noobs Code Injection When and How Tutorial


10 replies to this topic

#1 demetron

demetron

    Crew

  • Crew
  • 341 posts
  • Location: India

Posted 22 October 2012 - 01:25 PM

Code Injection When And How Tutorial By DEMETRON

http://www.gamehacki...24788-demetron/

Target : Command & Conquer Red Alert 3
Version : 1, 0, 0, 0
Aim : Hacking money via code injection so only your money won’t decrease but your opponent’s will.
Level of Difficulty: Novice (beginner level)
Tools Required:
-The game, of course
-Cheat Engine (I am using version 5.5)
-Notepad++ or any other text editor to note down addresses and other stuff.
Pre-Requisites:
-None, but some knowledge of assembly and experience with Cheat Engine is a plus (if you don't have it, it's ok!).
Note: This tut. assumes that you were born yesterday and had no prior knowledge of game hacking, so you can skip some parts according to your knowledge.

Part 1 : Finding Addresses

Let's start with finding the addresses which store our money value. To do this, start Cheat Engine. Now, if we open our game it will be opened in full screen mode, and that sometimes creates trouble when attaching a debugger to it, so let's open the game in a window. If you go to the game options and search, there is already a check box to run the game in window mode; we can use that. The other way to do this is to go to the shortcut of the game, right click on it, go to Properties and in the Target add -win after a space, so your target will become something like "C:\Program Files\Red Alert 3\RA3.exe" -win. Now open your game and it'll run in a window like the given screenshot.
[screenshot]

Now with your game running, go to Cheat Engine, click on Process (in the menu bar) and you'll see lots of processes in this list (it's basically every process running on the system right now), but we have to find the process of our game, and that's pretty easy actually: on top (not necessarily) you will see two processes having the logo of our game. Yup, those two processes are related to our game, but which one to select now? In general only the processes with *.EXE are shown, but in this case you'll see a *.game extension also, and we are going to select that one for debugging because that's the main module which contains the address, not the other one (you are welcome to gamehacking.com to understand this phenomenon completely). So select the one with the *.game extension in it.

[screenshot]

Ok, our platform is set; now we can do some serious things. Just go to the game's Skirmish option and start a game with no opponents (why? Because we don't want our base to be destroyed while we are in the middle of a search). And just because you are curious :D I chose Allied Nations, blue color, Battlebase Beta map (1st on the list), initial resources 25000 and no random crates. Let's begin to play, and before doing anything go to Cheat Engine again and check the "Pause the game while scanning" option; it will ask you to attach the debugger to the game, click Yes. Now in Cheat Engine's Value box enter 25000 (as mine is 25k at the start; if yours is different, enter whatever amount you have).
[screenshot]

Leave all other settings at default and press First Scan. I got 121 results (addresses); you might get more or less, it doesn't matter at this point. Ok, now we go back to the game again and build a power plant; it'll cost $800 (you can build anything else if you want, we are just spending some money here), and now I have $24200 remaining in my account, so let's put this value in Cheat Engine and press Next Scan, and wow, we just got 3 results now :). Now spend some more money, or earn some money back by selling things, and do the same search again until you get the final results (yup, those 3 addresses are the final results). As it's just 3 results we can check them manually: select all addresses and press the arrow button at the bottom which says "copy all selected items to address list", or you can just double click on each of the 3 addresses to add them to the list below. Now in the table there are fields like Address | Type | Value; click on the value of each of the 3 addresses we just added and try to modify it. Hopefully one address is the address we are looking for, and if we change its value the same change can be seen in the game also. I tried to change the value to $50k and found mine; it's 068D324C, yours may be different. If all this is not making sense, see the snapshot below.
[screenshot]

Just to check that our address is correct and it's actually changing the amount of money we have in the game, let's set it to something very low like $20 and try to build something. Oops, we have insufficient funds, which is exactly what we want to hear :D. Now make it $10000 and try again; yup, it's working, we have our address. Note down this address, quit the current match and start another match using a different army and map (this time I chose Soviet). Now in Cheat Engine you will see the "Add address manually" button; click on it and add your address (mine is 068D324C). Now change the value like before to $50k, but it didn't change in the game. Why? Because this game uses DMA and the address of the money gets changed every time we start a new match. So now we have to find a static reference which doesn't change every time, to calculate our address of the money, and such a reference is called a pointer. Pointers point to some address, or maybe to another pointer which again points to some address, and this address + offset = final address, and that's what we are looking for. How to do that is in the next part.


Part 2 : Finding Base Pointer

To find the base pointer we need the current address of the money, and as we changed the map the address has also changed, so we have to repeat all of part 1 to find the address. So go on and come back with an address (mine is 05DDADD4 now). I hope you already added your address to the address list table; if not, do it please, and right click on it. You will see many options; select "Find out what writes to this address". Make sure your money is not increasing or decreasing while doing this.

[screenshot]

A window will pop up; do not close it. Switch back to the game again, spend some money, and an address will be displayed in that pop-up of yours.

[screenshot]

What we are doing is finding out what instruction is decreasing our money, and if you wanna make sure, just NOP this instruction by clicking on the Replace button; it'll replace this instruction with one that does nothing. Let's do it, and after that try to build something. As you can see no money is decreasing right now... and you might think "I don't need to read further, I got what I want", but hold a sec champ: what we just did was a quick and dirty way, we didn't even know what else this instruction is used for, and NOPing it might crash our game at some point. So let's analyze what else this instruction does. To do so, first we have to restore the original code: by clicking on Advanced Options at the bottom of Cheat Engine you will see the instruction that we just NOPed; now right click on it and select "Restore with original code".
[screenshot]

Ok, our instruction has been restored; now we are going to set a breakpoint on it. To do so, first we need to open it inside a disassembler, and thanks to Dark Byte, Cheat Engine has its own. You will find the "Open the disassembler at this location" option just above "Restore with original code"; click on it. If this is your first time your expression might be "what the hell is this?"; that is a disassembler, every game hacker's and cracker's best buddy :D. Now before moving further let's have an opponent in the game. Basically what I suspect is that the same instruction is also responsible for decreasing our opponent's money, and if we simply NOP it his money won't decrease either... so what's the point then :D. So go on, start a new match with an opponent. But wait a second, what if he crushes us before we gather some data? And another thing is we can't see our opponent until the battlefield is expanded, so what we can do is create an ally force and see if its money is also manipulated by the same instruction, and if so it's not a good idea to NOP it, because if it is handling our ally's address it may be handling our opponent's also. So go on and start a new match with an ally force. After starting the game don't do anything, just sit idle and let your ally start building something; that way we are sure he is the one spending money right now. Now click on Cheat Engine's Memory View, right click and select "Go to address", enter 007F20D0; that's the instruction which decreases our money. Now we are going to set a breakpoint on that instruction: right click and select "Toggle breakpoint".
[screenshot]

Just after you click on Toggle breakpoint your game will hang; don't panic, it's what a breakpoint does. It stops all the data flow at that instruction so we can analyze it step by step. If you look at the image above, on the right side the registers are also shown, and the value of ESI is shown there. The value that the ESI register holds is basically an address, and if I am right it's our ally's money address. Well, let's see. If you read the instruction carefully,
mov [esi+04],eax
means whatever value (an address in our case) the ESI reg. holds gets 4 added to it, and then the value of the EAX reg. will be copied there. So for me ESI currently holds 0649A9C8, +4 = 649A9CC (all calculations here are in hexadecimal; you can use Windows Calculator to do hexadecimal calculations), and the value of EAX is 2670, which is 9840 in decimal, and that makes sense, as the starting amount was 10000, he spent some money and 9840 remains in his account. But how can we be sure that address 649A9CC (yours will be different) is our ally's? Let's add this address to the address list of Cheat Engine by clicking on "Add address manually". Now change its value to 0 and freeze the address by clicking on the Frozen checkbox, then remove the breakpoint from the instruction and run it by pressing F9 or Debug -> Run. Go back to the game and watch your ally's activity, and if you did everything right you will see all his construction has stopped at this moment; that's because we put 0 in his account. Uncheck Frozen, give him some big amount like $50k, and see, he will start building everything again. So this analysis tells us the same instruction is used for the player's, his ally's and the opponent's money. Now we can't just NOP this instruction; we have to find our base pointer and calculate our address every time. To calculate our base pointer we first need the current address that holds the money. You can do all the scanning once again, or set a breakpoint on the instruction at 007F20D0 - 89 46 04 - mov [esi+04],eax, see what address ESI holds for you and add 4 to that address; that will be your current address for the money. In my case it's 067666C4, which is actually 067666C0+4 as it's [ESI+4]. Now we have to find out what pointer points to the address that ESI holds currently. Just check the Hex checkbox, put in the address from your ESI reg. and click on New Scan.
I got only one result (0558DDA8 for me), which is very good actually, because that is our pointer, but it may not be the base pointer, so let's scan for the address of the pointer we just got. Again I got only one address (04A9BF94). Now repeat this process until we find the base pointer. Ok, we got no more addresses that hold 04A9BF94; that means that is our base pointer, note it down. Remember this is a pointer to a pointer, so when coding your hack you have to do
[value of (value of 04A9BF94 ) ]+4 = our address
To check whether it is a base pointer or not, let's EXIT the game and restart it. Add the game's process to Cheat Engine, now go to the "Add address manually" option, click on Pointer and put in the address of the base pointer we just found; see the image below for reference.

[screenshot]

Now we have our base pointer, and using this you can calculate the address for the money every time. You can stop right there if you want; just code a trainer that will write a very big value to this address like $999999. But if you stick with the tutorial, we are going to learn how to use code injection and some assembly code to stop the money decreasing.

Part 3 : Using Code Injection

As someone said, a picture is worth a thousand words; here is a pictorial representation of what code injection is and how it works.
[diagram]


Hope you get some idea of what we are going to do. The first step is to stop and think: what do we actually want to do? And what we want to do here is simply change this instruction to something like:
  • If ESI == our address go to 3
  • Else go to 2
  • Decrease money value.
  • Jump back to original game code.
Now to write our code we need some free space. We can find that using Cheat Engine: go to Memory View and in the menu you will see Tools; at the top you will see two options, the 1st is "Allocate memory" and the 2nd is "Scan for code caves". The first one can be used for testing your code, as it simply adds some free memory, but to write a trainer we have to search for code caves (these are the free spaces inside the game), so let's search for code caves. I changed the size to 40 from the default 12, as I don't know how much memory we need, but more will be handy.

[screenshot]

There is lots of space available in the list and I picked 00D07000 (just because it is easy to remember); note down your address too. Now that we have an address to write our own code at we can start, but before creating the jump instruction on the original game route we must write the modified code first. Why? Because if we create a jump right now at 007F20D0 this will crash our game, as the game is still running and we have nothing at 00D07000 but garbage.
Here are the actual screenshots of the assembly code, and I'll explain each instruction step by step.
[screenshot]

[screenshot]

Code Cave:
00D07000 - push eax "pushing the EAX register onto the stack, so whatever value EAX currently holds will be saved and restored later, when we are done using EAX"
00D07001 - mov eax,[04a9bf94] "we are just copying into the EAX register the address value that is pointed to by our base pointer 04a9bf94"
00D07006 - mov eax,[eax] "again we are copying the value at (the address value in EAX) into EAX, as we have a level 2 pointer, so basically EAX now holds our money address - 4 (offset)"
Note: mov EAX,04a9bf94 - this simply copies the decimal value 78233492 to EAX;
whereas mov EAX,[04a9bf94] - this copies whatever value the address 04a9bf94 holds.
00D07008 - cmp ESI,EAX "we are checking if ESI holds our address; a cmp instruction returns zero if true"
00D0700A - pop eax "now that we have no use for EAX we must restore its previous value."
00D0700B - jne 00d07012 "this instruction means 'jump if not zero'; if ESI does not hold our address then it will jump to 00d07012"
00D0700D - jmp 00d07015 "this is a simple jump instruction that will jump to 00d07015. If ESI holds our address then this will execute"
00D07012 and 00D07015 are the actual game instructions from 007F20D0 and 007F20D3; we have to include these instructions because when we create the jump at 007F20D0 both of those instructions are destroyed.
00D07018 - jmp 007F20D6 "it's not what you see in the pic, but that's the same instruction; we are simply going back to the original game route."
Now pause the game and write all these instructions, then edit the instruction at 007F20D0 to jmp 00D07000. Now go back to the game again and build something: your money won't decrease, but your ally's will. You can check it by setting a breakpoint at 00D07008 and executing the instructions step by step.
Here's the PDF version of the same; feel free to share and re-post as long as the original author's name is mentioned :)
Thank you

Attached File: Code Injection Tutorial by DEMETRON.pdf (1.68MB, 79 downloads)

Being a game hacker doesn't really mean just cheating or winning in games,we explore new ways to play the game,the way it was not really intended,and some how this hacks are the reason games didn't get old faster. -DEMETRON
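As an added example (not from the tutorial, and not Cheat Engine's own code), here are the two mechanics from Parts 2 and 3 in C: walking the pointer chain [value of (value of 04A9BF94)]+4 against a constructed memory image, and the check an integrity routine would run to notice that 007F20D0 no longer begins with 89 46 04 but with a jmp rel32 into a code cave. The memory contents, CLEAN_ADDR and the two trailing bytes of the clean copy are constructed placeholders; the addresses and byte values themselves are the ones the post reports.

```c
#include <stdint.h>
#include <string.h>

/* Constructed 32-bit little-endian address space (a real check reads the live process).
 * It uses the tutorial's own values: 04A9BF94 -> 0558DDA8 -> 067666C0, money at +4
 * (0x2670 = 9840), and at 007F20D0 the Part 3 patch E9 2B 4F 51 00 = jmp 00D07000.
 * CLEAN_ADDR is a made-up address holding an unpatched copy of the same code. */
#define CLEAN_ADDR 0x007F2100u
struct region { uint32_t base; const uint8_t *bytes; uint32_t len; };
static const uint8_t lvl1[4]   = { 0xA8, 0xDD, 0x58, 0x05 };
static const uint8_t lvl2[4]   = { 0xC0, 0x66, 0x76, 0x06 };
static const uint8_t money[8]  = { 0, 0, 0, 0, 0x70, 0x26, 0x00, 0x00 };
static const uint8_t hooked[5] = { 0xE9, 0x2B, 0x4F, 0x51, 0x00 };
static const uint8_t clean[5]  = { 0x89, 0x46, 0x04, 0x90, 0x90 };  /* last two bytes: placeholders */
/* What the game shipped at 007F20D0: 89 46 04 = mov [esi+04],eax (from the page). */
static const uint8_t original_mov[3] = { 0x89, 0x46, 0x04 };
static const struct region mem[] = {
    { 0x04A9BF94, lvl1, 4 }, { 0x0558DDA8, lvl2, 4 }, { 0x067666C0, money, 8 },
    { 0x007F20D0, hooked, 5 }, { CLEAN_ADDR, clean, 5 },
};

/* Copy n bytes at addr out of the fake address space; 0 if the range is unmapped. */
static int read_mem(uint32_t addr, void *out, uint32_t n) {
    for (size_t i = 0; i < sizeof mem / sizeof mem[0]; i++)
        if (addr >= mem[i].base && addr + n <= mem[i].base + mem[i].len) {
            memcpy(out, mem[i].bytes + (addr - mem[i].base), n);
            return 1;
        }
    return 0;
}

/* Part 2: [value of (value of base_ptr)] + 4; 0 if either level is unreadable, which is
 * what a wrong game version or a base pointer that is not static looks like in practice. */
uint32_t resolve_money_addr(uint32_t base_ptr) {
    uint32_t p1, p2;
    if (!read_mem(base_ptr, &p1, 4) || !read_mem(p1, &p2, 4)) return 0;
    return p2 + 4;
}

/* The money value behind the chain, or UINT32_MAX if it cannot be read. */
uint32_t read_money(uint32_t base_ptr) {
    uint32_t addr = resolve_money_addr(base_ptr), v;
    return (addr && read_mem(addr, &v, 4)) ? v : UINT32_MAX;
}

/* Part 3 from the defender's side: does the instruction at addr still begin with the n
 * bytes it shipped with?  0 = intact, 1 = modified, 2 = replaced by a 5-byte jmp rel32
 * (*target, if given, receives its destination, i.e. the code cave), -1 = unreadable. */
int check_hook(uint32_t addr, const uint8_t *expect, uint32_t n, uint32_t *target) {
    uint8_t cur[5];
    if (n > 5 || !read_mem(addr, cur, 5)) return -1;
    if (memcmp(cur, expect, n) == 0) return 0;
    if (cur[0] != 0xE9) return 1;
    uint32_t rel = cur[1] | (uint32_t)cur[2] << 8 | (uint32_t)cur[3] << 16 | (uint32_t)cur[4] << 24;
    if (target) *target = addr + 5 + rel;  /* rel32 is relative to the next instruction */
    return 2;
}

/* Destination of the jmp planted at addr, or 0 if addr is intact, modified or unreadable. */
uint32_t hook_target(uint32_t addr, const uint8_t *expect, uint32_t n) {
    uint32_t t = 0;
    return check_hook(addr, expect, n, &t) == 2 ? t : 0;
}
```

The decoded destination is what you would compare against the module's mapped sections: a jmp that leaves the image, or lands in a region found by "scan for code caves", is the tell-tale of this kind of patch.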


#2 KEMiCZA

KEMiCZA

    Administrator

  • Administrators
  • 400 posts
  • Location: Belgium

Posted 22 October 2012 - 05:39 PM

Took a quick glance at it and it looks good. Plenty of images as well, noob friendly. Good job.

#3 demetron

demetron

    Crew

  • Crew
  • 341 posts
  • Location: India

Posted 23 October 2012 - 02:22 AM

Took a quick glance at it and it looks good. Plenty of images as well, noob friendly. Good job.


Thanks :)



#4 g3nuin3

g3nuin3

    Elite

  • Members
  • 261 posts

Posted 23 October 2012 - 06:27 AM

fantastic job demetron!
-=Intelligence is my Bitch=-
<3 Micral for this one ;)

#5 demetron

demetron

    Crew

  • Crew
  • 341 posts
  • Location: India

Posted 23 October 2012 - 02:10 PM

fantastic job demetron!

thanks mate :D



#6 Shannou06

Shannou06

    Member

  • Members
  • 72 posts

Posted 25 October 2012 - 10:46 PM

Well, extremely well summed up and indeed noob friendly!
Why not add a section about doing a similar code cave effect in C++? It will make the trainers more user friendly! ;)

#7 demetron

demetron

    Crew

  • Crew
  • 341 posts
  • Location: India

Posted 26 October 2012 - 01:57 AM

Well, extremely well summed up and indeed noob friendly!
Why not add a section about doing a similar code cave effect in C++? It will make the trainers more user friendly! ;)


The second part was going to be the complete trainer-making tutorial for the same, but I'm having time issues here, so maybe in the future. Also, you can do that if you want to :)



#8 demetron

demetron

    Crew

  • Crew
  • 341 posts
  • Location: India

Posted 27 October 2012 - 03:47 PM

Our guests can't download the PDF without registration, so I posted the whole thing here finally :)



#9 OneDream

OneDream

    n00bie

  • Members
  • 2 posts

Posted 15 November 2012 - 06:06 PM

Thanks for this great tutorial, demetron. I've read and tried every single step up until part 3. I have a question though. For quite some time I've been trying to find the static (green coloured) pointer to the money address to no avail. The base pointer(s) I've been able to find at the end of part 2 of your tutorial change(s) after a restart of the game itself. Either I'm doing something terribly wrong or the base pointers we have to find aren't supposed to be static addresses. If it's the latter, then I've completely misunderstood the purpose of that part of the tutorial and I apologize.

I could use some help. Anyone willing to lend a hand?

Thanks in advance! :)

#10 demetron

demetron

    Crew

  • Crew
  • 341 posts
  • Location: India

Posted 16 November 2012 - 03:26 AM

Yup, the base pointer is a static address and it must be the same on everyone's computer, otherwise the trainer won't work. If I didn't do something wrong then it's 04A9BF94 and the same address must be your base pointer also. Check your game version: this tutorial is specifically written for version 1, 0, 0, 0 and I don't know if the same works on other versions too.

Just check the game version, then try [value of (value of 04A9BF94 ) ]+4 = our address and see if you get your money address.



#11 OneDream

OneDream

    n00bie

  • Members
  • 2 posts

Posted 16 November 2012 - 01:23 PM

Thank you for trying to help.

The version of Red Alert 3 I'm currently playing is indeed v1.0.0, so I guess that's not the issue. I've tried firing up CE (v5.5 and v6.2) and I've added [value of (value of 04A9BF94 ) ]+4 manually to no avail. The value that's visible in CE doesn't reflect the amount of money that's shown in-game. Any idea why? Could it perhaps be that this isn't actually the base pointer?

Thanks in advance!