
Standard Game Training: Learning how to defeat DMA - the easy way

Game Training Tutorial #2 for Beginners by POiZN

Published in Game Training Tutorial · 2 years ago


Tools Needed:

TSearch (free; we only use its built-in AutoHack debugger)
The game Alien Abduction (a Reflexive Arcade title, process name AlienAbduction.RWG)

What we will learn:

In this tutorial we will learn how to search for unknown values and how to defeat Dynamic Memory Allocation (DMA).

Our target is a game called Alien Abduction. It is a very good game to train on, because it uses a fuel bar (an unknown value) and DMA.

WHAT IS DMA?

As you may have noticed, some games change their memory locations: you find the address for lives, restart the game, and the address is different.

Some games (nowadays almost every game) allocate their objects dynamically, so every time you load or restart the game the values land in whatever slot of memory happens to be free at that moment. (Game trainers call this DMA, dynamic memory allocation; it has nothing to do with the hardware feature of the same name, direct memory access.)

After a restart you would have to do the whole search again, because your old address is as useless as a second asshole :P

But don't worry ... there is a way around this problem.

Keep in mind that we cannot control where the game allocates its memory. What we can do is find the game code that writes the value (for example the instruction that decreases our Health/Life) and stop it from executing. That works because the code sits at a fixed address inside the executable, no matter where the data it writes to ends up.

THE DEBUGGER

I know that there are more and better debuggers available, but we will use the one built into TSearch. It's free and easy to use, and not everyone has the money to buy SoftIce (or should I say: not everyone has access to it :P). We could also use OllyDbg, but for easy things like this TSearch is good enough.

UNKNOWN VALUES

An unknown value is a value we cannot read off the screen. Example:
When we run Alien Abduction we see that we have 3 lives. That is a known value, because it is an exact number.

But when we look at the fuel, there is no number at all, only a fuel BAR.

So at 100% fuel the value in memory could be 100 or 17902 or anything else; we cannot know it in advance.

THE SEARCH FOR THE UNKNOWN VALUE

This search method obviously takes a bit longer than the search for an exact value, because the first pass treats EVERY address in the process as a candidate. Start TSearch and run the game. Once you have started a new level, pause the game and go back to TSearch.

Select the process AlienAbduction.RWG (Reflexive Arcade games almost always use this file type). Start a new search for an unknown value, Type: 4 Bytes.

After the search go back into the game, unpause it and watch the fuel bar go down. After it has dropped a few millimetres, pause the game again, go back to TSearch and continue the search with Has decreased, because we have just watched our fuel decrease.

Some games use different routines. On American McGee's Scrapland, for instance, I spent almost 2 hours searching for the Infinite Ship Boost hack until I had the idea of searching the other way round. So when the Ship Boost had decreased I had to search for Has increased, etc. ... and it worked perfectly ;)

Anyway... after the first Has decreased search, go back to the game, let the fuel drop again and search again. You will notice that this method takes a few minutes. To narrow the list faster you can also search for a value which has NOT changed.

Do it like this:
After a Has decreased search, go back to the game but do NOT resume it.
Then (without doing anything) go back to TSearch and search for a value which `Has Not Changed'. Anything that keeps changing while the game is paused is thrown out; the fuel, which cannot have moved, survives.

This search would kill far more addresses if you could resume the game, fly around a bit and shoot a few enemies without the fuel changing, but unfortunately the fuel starts to decrease the instant you resume.

Note that you should always take care that no enemy kills you: after you die the game allocates its memory again and all your candidate addresses point at the wrong place.

OK, I now have 18 addresses left. To kill the others, the only thing I need to do is take a look at them :P

There are addresses which are linked together, for example 496D0B, 496D0C, 496D0D and 496D0E (in this case 496D0E would be the master address).
When I change the value at 496D0E, the linked addresses change their values too. The reason is overlap: when the search is run at every byte offset, a 4-byte read starting at 496D0B, 0C or 0D includes one or more bytes of the real 4-byte value at 496D0E, so those reads move whenever the real value moves, but they are not values the game itself uses.

Here are just three bunches of such addresses (note that it is not the same in every game).

Transfer all the master addresses to the cheat table and freeze them one after another; once you have found the correct one, delete the others.
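The search above, and the linked addresses it produces, as a small C program that is added here and is not part of the tutorial or of TSearch. It keeps a candidate list of byte offsets into a constructed 32-byte "game memory" buffer (the field offsets and the score/frame values are assumptions for the demo; the fuel values are the ones from this tutorial) and filters it between snapshots the same way the Has decreased / Has Not Changed searches do. It scans at every byte offset, so the same overlapping hits appear around the real fuel value:

```c
/*
 * snapshot_scan.c - unknown-value search over memory snapshots.
 * Added example; not the tutorial's or TSearch's code. The "game memory"
 * is a constructed 32-byte buffer, not a real process.
 *
 * Build: cc -std=c99 -Wall -o snapshot_scan snapshot_scan.c
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MEM_SIZE  32
#define MAX_CANDS (MEM_SIZE - 3)   /* every byte offset where a 4-byte read fits */

/* Hypothetical layout of the player object (assumption for the demo). */
#define OFF_LIVES 4
#define OFF_FUEL  12
#define OFF_SCORE 20
#define OFF_FRAME 24

typedef enum { CMP_DECREASED, CMP_INCREASED, CMP_UNCHANGED, CMP_CHANGED } cmp_t;

typedef struct {
    size_t off[MAX_CANDS];   /* surviving candidate offsets */
    size_t n;
} cands_t;

static uint32_t read32(const uint8_t *mem, size_t off)
{
    uint32_t v;
    memcpy(&v, mem + off, sizeof v);   /* unaligned-safe little-endian read */
    return v;
}

static void write32(uint8_t *mem, size_t off, uint32_t v)
{
    memcpy(mem + off, &v, sizeof v);
}

/* First "unknown value" scan: every 4-byte window is a candidate. */
static void scan_unknown(cands_t *c)
{
    c->n = 0;
    for (size_t off = 0; off + 4 <= MEM_SIZE; off++)
        c->off[c->n++] = off;
}

static int relation_holds(uint32_t before, uint32_t after, cmp_t how)
{
    switch (how) {
    case CMP_DECREASED: return after < before;
    case CMP_INCREASED: return after > before;
    case CMP_UNCHANGED: return after == before;
    case CMP_CHANGED:   return after != before;
    }
    return 0;
}

/* Next scan: keep only candidates whose value moved as claimed between two
 * snapshots. Returns the number of survivors. */
static size_t refine(cands_t *c, const uint8_t *before, const uint8_t *after, cmp_t how)
{
    size_t kept = 0;
    for (size_t i = 0; i < c->n; i++) {
        size_t off = c->off[i];
        if (relation_holds(read32(before, off), read32(after, off), how))
            c->off[kept++] = off;
    }
    c->n = kept;
    return kept;
}

/* Write a new value at 'master' and count the other candidates whose 4-byte
 * window changed with it: those are the "linked" addresses. */
static size_t count_linked(uint8_t *mem, const cands_t *c, size_t master, uint32_t newval)
{
    uint32_t saved[MAX_CANDS];
    size_t linked = 0;
    for (size_t i = 0; i < c->n; i++)
        saved[i] = read32(mem, c->off[i]);
    write32(mem, master, newval);
    for (size_t i = 0; i < c->n; i++)
        if (c->off[i] != master && read32(mem, c->off[i]) != saved[i])
            linked++;
    return linked;
}

/* One constructed snapshot; everything outside the four fields is zero. */
static void make_snapshot(uint8_t *mem, uint32_t fuel, uint32_t score, uint32_t frame)
{
    memset(mem, 0, MEM_SIZE);
    write32(mem, OFF_LIVES, 3);
    write32(mem, OFF_FUEL, fuel);
    write32(mem, OFF_SCORE, score);
    write32(mem, OFF_FRAME, frame);
}

/* The tutorial's sequence: unknown -> Has decreased -> Has Not Changed (paused)
 * -> Has decreased. Fills *out with the survivors and returns how many. */
static size_t run_fuel_search(cands_t *out)
{
    uint8_t s0[MEM_SIZE], s1[MEM_SIZE], s2[MEM_SIZE], s3[MEM_SIZE];
    make_snapshot(s0, 214331, 0, 100);    /* full tank: the tutorial's maximum */
    make_snapshot(s1, 214234, 150, 160);  /* fuel burned; score and frame counter rose */
    memcpy(s2, s1, MEM_SIZE);             /* paused: nothing moved */
    make_snapshot(s3, 214000, 300, 220);  /* fuel burned again */

    scan_unknown(out);
    refine(out, s0, s1, CMP_DECREASED);
    refine(out, s1, s2, CMP_UNCHANGED);
    refine(out, s2, s3, CMP_DECREASED);
    return out->n;
}

int main(void)
{
    cands_t c;
    uint8_t mem[MEM_SIZE];
    size_t n = run_fuel_search(&c);

    printf("%zu candidates left:", n);
    for (size_t i = 0; i < c.n; i++)
        printf(" %zu", c.off[i]);
    printf("\n");

    make_snapshot(mem, 214000, 300, 220);
    printf("writing the fuel at offset %d moves %zu linked candidate(s)\n",
           OFF_FUEL, count_linked(mem, &c, OFF_FUEL, 214331));
    return 0;
}
```

Running it leaves offsets 10, 11, 12 and 13. Only 12 is the fuel field (the master address); 10, 11 and 13 are 4-byte windows that overlap it, which is why writing 12 changes all three and why freezing the candidates one at a time finds the right one. Telling a scanner to align candidates to 4 bytes would hide these ghosts, but it would also miss any value the game stores unaligned.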

My fuel address is 93F5536 with value 214234 (your address will be different with 99.9% certainty, but the value will probably be in the same range).

After changing the value a bit I saw that the maximum value of fuel is 214331.

Well, as we know, this address will change as soon as we restart the game.
Now we need our debugger.

USING THE DEBUGGER

At the top of TSearch click AutoHack, then in the drop-down Enable debugger, and after that AutoHack window.

Now go to the TSearch main screen, right-click the fuel address and choose AutoHack (at the bottom). We have now set a breakpoint on our fuel address (a WRITE breakpoint: it fires whenever an instruction stores to that address). When we go back to the game and the fuel value changes, something pops up in TSearch's AutoHack window:

ADDRESS   OPCODES         LANGUAGE
4138CF    D996A4000000    FST DWORD PTR [ESI+0xA4]

Do you see it? You have exactly the same line. That's because this is the GAME CODE: the instruction is part of the executable itself, which is loaded at the same address on every computer.

There are of course exceptions (more about them in another tutorial; an executable that gets loaded at a different base address is one), but as long as you use the same game version, this instruction will be at 4138CF on any computer you use. The data address (our fuel value) moves around; the code address does not.

The question now is: how are we supposed to hack this? There is no number we could write here to get infinite fuel or to set the fuel to max ...

I will tell you what we do: we replace the instruction that changes our fuel (FST DWORD PTR [ESI+0xA4]) with something that doesn't change it.

Fortunately we have a friend called NO OPERATION (a.k.a. NOP), and our friend does exactly what his name says. Once the instruction that writes the fuel is nopped, the game still runs through that spot in the code, but nothing is stored, so the fuel keeps whatever value it had.

NOP HACKS

As you can see from the code above, FST DWORD PTR [ESI+0xA4] is 6 bytes long:

D9-96-A4-00-00-00

(D9 is the x87 opcode, 96 is the ModRM byte that selects [ESI] plus a 32-bit displacement, and A4 00 00 00 is that displacement, 0xA4, stored little-endian. The instruction stores the x87 register ST(0) as a 32-bit float to ESI+0xA4.)

We want to kill the whole instruction, so we have to kill ALL 6 bytes.
The NOP opcode is 90, so we overwrite/poke 90 six times over the instruction. If you replaced only part of it, the leftover bytes would be decoded as the start of some other instruction and the game would most likely crash.

Back in the AutoHack window, right-click the line

4138CF          D996A4000000          FST DWORD PTR [ESI+0xA4]

and choose Nop This Line. You will see 6 NOPs, one beneath the other. Go back to the game and resume it.

Well done, you now have infinite fuel. You can make the same kind of hack for lives, nukes, crystals, etc.

THE REWARD

Now quit the game completely and run it again. Start TSearch, choose the process and click Enable debugger and AutoHack window.

There is a button in the AutoHack window called DIS (or click Edit and then Disassemble).

Enter the address 4138CF and you will see that the instruction is still there ;) The NOPs are gone, because our patch only lived in the memory of the old process, but the FST is at exactly the same address, so you can nop it again without a single search. That is what defeating DMA means here: the fuel address moved, the code that writes it did not.
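The NOP hack and the restart check from the two sections above, as a C program added here (not the tutorial's or TSearch's code). The "image" is a constructed buffer that carries the tutorial's six instruction bytes at 0x4138CF below an assumed image base of 0x400000. The patch is stored as an offset from the image base plus the bytes expected there, and those bytes are compared before anything is overwritten, so a different game version, or a process that is already patched, is refused instead of corrupted:

```c
/*
 * nop_patch.c - apply a NOP patch to a code image, with a pre-check.
 * Added example; not the tutorial's or TSearch's code. The image below is a
 * constructed buffer, not a real dump of Alien Abduction.
 *
 * Build: cc -std=c99 -Wall -o nop_patch nop_patch.c
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_BASE 0x400000u   /* preferred base of a typical 32-bit Windows EXE (assumption) */
#define IMAGE_SIZE 0x14000u    /* just enough of a constructed image to cover 0x4138CF */
#define NOP        0x90

typedef struct {
    uint32_t rva;          /* offset from the image base, so it survives relocation */
    uint8_t  expect[16];   /* bytes that must be present before we touch anything */
    size_t   len;          /* full instruction length: every byte gets replaced */
} nop_patch_t;

/* The tutorial's fuel write: 4138CF  D9 96 A4 00 00 00  FST DWORD PTR [ESI+0xA4] */
static const nop_patch_t fuel_patch = {
    0x4138CFu - IMAGE_BASE,
    { 0xD9, 0x96, 0xA4, 0x00, 0x00, 0x00 },
    6
};

static uint8_t image[IMAGE_SIZE];

/* Simulates (re)starting the game: the code section comes back with its
 * original bytes, so any in-memory patch is gone. */
static void load_fresh_image(void)
{
    memset(image, 0xCC, sizeof image);   /* INT3 filler around the instruction (constructed) */
    memcpy(image + fuel_patch.rva, fuel_patch.expect, fuel_patch.len);
}

/* 0 = patched, -1 = patch does not fit in the image,
 * -2 = bytes differ (wrong game version, or already patched) */
static int apply_nop_patch(uint8_t *img, size_t img_len, const nop_patch_t *p)
{
    if (p->len == 0 || p->len > sizeof p->expect)
        return -1;
    if (p->rva > img_len || img_len - p->rva < p->len)
        return -1;
    if (memcmp(img + p->rva, p->expect, p->len) != 0)
        return -2;
    /* overwrite all p->len bytes, so the next instruction still decodes where it did */
    memset(img + p->rva, NOP, p->len);
    return 0;
}

/* 1 if every byte of the instruction at rva is now a NOP */
static int is_nopped(const uint8_t *img, uint32_t rva, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (img[rva + i] != NOP)
            return 0;
    return 1;
}

int main(void)
{
    load_fresh_image();
    printf("first run: apply -> %d, nopped=%d\n",
           apply_nop_patch(image, IMAGE_SIZE, &fuel_patch),
           is_nopped(image, fuel_patch.rva, fuel_patch.len));
    printf("apply again in the same run -> %d (bytes are already 90 90 90 90 90 90)\n",
           apply_nop_patch(image, IMAGE_SIZE, &fuel_patch));

    load_fresh_image();   /* quit the game and start it again */
    printf("after restart: still at %#x, apply -> %d\n",
           IMAGE_BASE + fuel_patch.rva,
           apply_nop_patch(image, IMAGE_SIZE, &fuel_patch));
    return 0;
}
```

Against a live process on Windows the same two checks sit in front of VirtualProtectEx and WriteProcessMemory (or TSearch's poke); the byte compare is what turns a one-off AutoHack session into a trainer you can hand to someone else. Keeping the patch as an offset from the image base rather than as the raw address 4138CF is what keeps it working if the executable is ever loaded somewhere other than 0x400000: the offset into the image stays the same even when the base does not.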

You have now learned how to make nop-hacks. With this knowledge you can defeat DMA in almost every game.

As I have said earlier, this is only the easy way of how to defeat it. In the next tutorial you will learn how to do it with code injection.

Now I suggest again that you download other games and repeat what we have done.

You should also start learning assembler, because it is essential for the next tutorials (though I will explain a bit too). You should at least know what instructions like MOV, JMP (and all the conditional jumps), LEA, CMP, PUSH, etc. do.

Well then ... another tutorial finished. I hope you managed everything and learned from it.
Even people with loads of experience in game training use this method to freeze values, so don't think this is only stuff for kids :P

If you have questions/comments or suggestions for another tutorial then email me at: poizn1@googlemail.com or contact me on --> iRC: EFNET: #GAMEHACKING

For more tutorials visit: http://www.gamehacking.co.uk

A big THANK YOU goes out to Apache- for being the first to put this tutorial on his site.

Greetz also go out to these people and friends (in alphabetical order): [Death], [sheep], allen, ape, CoaxCable, Drax, HaD-Team, jmp_fce4, m1ndphuck, Mango, maZel, spookie, toker, Trelpie, Tron, Tsongkie and of course VegitoSSJ.

You may spread this tutorial to any site as long as its content stays exactly the same as the one on http://www.gamehacking.co.uk
