Advanced Game Training: Learning how to make hacks for Player Only
Game Training Tutorial #4 for Beginner by POiZN
Tools Needed:
- TSearch http://www.gamehacking.co.uk
- AirStrike 3D Operation W.A.T v1.65 http://www.divogames.com
- Sheep's Array of Sunshine v1.3 http://www.gamehacking.co.uk
What we will learn:
In this tutorial we will learn how to make hacks for Player Only.
A new routine:
As you may have noticed (probably only if you have already trained/hacked an iso game), a few games use the same routine in the game code for the player AND the enemy and/or other things as well.
To explain it a bit more:
Let's say you want to hack the Health in a game. After you have found the address you set a memory breakpoint on it, you change the value (decrease the Health) and AutoHack gives you the address which is decreasing your Health.
Then you nop the instruction, go back to the game and see that you have Infinite Health. But when you play a bit longer you notice that the enemies have Infinite Health as well...
That means that the game is using the same instruction for other things as well as to decrease your Health.
As far as I know, there is only one shareware game, which is using the same routine to decrease the player AND the enemy health.
And this game is called AirStrike 3D. Today this will be our target game.
START
Obviously we have to find the Health address first.
I think the search you have to do is completely clear... if not:
Start TSearch, run the game, begin a mission, select the process AirStrike3D.exe in TSearch and start the search for an unknown value.
Go back to the game, decrease the Health, search again; decrease the Health, search again; decrease the Health, search again; and in between search for "has not changed", to save a bit of time...
I have found the address 466355.
Now we will set a memory Breakpoint on it.
With a Memory Breakpoint, TSearch will show us every code which writes to the address we have set a breakpoint on.
Enable the debugger and AutoHack the address.
Go back to the game and decrease the Health. This line will pop up:
ADDRESS OPCODES LANGUAGE
406197 D99E03010000 FSTP DWORD PTR [ESI+0x103]
This is the instruction which is changing our Health.
Right-click it and then Nop This Line. Go back to the game and check it.
Yes... when an enemy hits you, your Health will not be decreased.
Play a bit around and try to kill some enemies. You will notice that you can't kill them.
That's because you have just nopped an instruction, which is also used to change the enemy Health.
But still... this code is not useless to us... think about it... I will tell you later ;)
Hacking Health for Player Only
As you know, we have just set a Memory Breakpoint on the Health address (remember: with a Memory Breakpoint, TSearch will show us every code which 'writes' to the address we have set a breakpoint on).
We will now set an Open Breakpoint on it.
With an Open Breakpoint, TSearch will show us every code which either 'reads' or 'writes' to the address we have set a breakpoint on.
In the AutoHack window go to Edit and then Set BreakPoint and write down the Health address (466355), Bpm size: 1 and set the Type to: Read/Write. Now click on Set and AutoHack should be constantly returning one address.
Now go back to the game, unpause it but do NOT change the health. Make sure that there are no enemies shooting at you right now.
Fly around for 2-3 seconds (remember: do NOT change the health), pause the game again and go back to AutoHack.
The debugger returned 3 addresses, which are only READING the address.
ADDRESS OPCODES LANGUAGE
4066F2 D98103010000 FLD DWORD PTR [ECX+0x103]
41ACDA D906 FLD DWORD PTR [ESI]
404629 D98203010000 FLD DWORD PTR [EDX+0x103]
Not one of these three addresses is used by the computer (the enemy code).
For our health injection we will use this one:
404629 D98203010000 FLD DWORD PTR [EDX+0x103]
Well... for our Infinite Health hack, we have to know which value we have to inject into [EDX+0x103]. Right-click the address in the disassembler window and click Register. Now go to the Register tab, choose the register EDX and click on the square to the left of the address. Go back to the game, unpause it, pause it, go back to AutoHack and you will see that an address has been returned. Here it is 466250. Add 103 (hex) to this address: 466250 + 103 = 466353. Add this address to TSearch's CheatTable.
When you have 100% Health, the value of address 466353 is 1137180672, and that's the value which we will inject into [EDX+0x103]. (The Health is a 4-byte value stored at 466353..466356, which is why the byte 466355 found by our search lies inside it.)
But this is not the only thing we will do in this tutorial... we will also use this one:
406197 D99E03010000 FSTP DWORD PTR [ESI+0x103]
to make a One Hit Kill hack (this is the instruction which was returned when we set a memory breakpoint on the health address; it changes both the player AND the enemy Health).
That's the advantage when a game uses the same routine for the player and the enemy... we can make two hacks, though we have only searched for one address ;)
OK, now it's time to grab our code cave. Run SAS, select the process (the window name) and then click on CODE CAVE FINDER.
Have a look at the CODE CAVE RESULTS ... it should look like this:
SECTION CODE CAVE START CODE CAVE SIZE CHARACTERISTICS
.text 00430850 000007B0 Read/Exec
.rdata 00437CAE 00000352 Read Only
.data 01FBE364 00000C9C Read/Write
.rsrc 02012398 00000C68 Read Only
The .data section has read/write characteristics, so we will use this one. In AutoHack disassemble the address 01FBE364 and scroll a few lines down, because we will need the first lines for a few other things... in a moment you will see what I mean.
We will use address 01FBE380.
First we will make the One Hit Kill... (big thx to Veggy for the code snippet)... go to TSearch and make a new EasyWrite option. Write this in the upper box (I will explain everything in more detail later):
OFFSET 01FBE3A6
FSTP DWORD PTR [ESI+0x103]
CMP BYTE PTR [1FBE36D],0x0
JE @BackToGame1
CMP DWORD PTR [1FBE370],ESI
JE @BackToGame1
MOV DWORD PTR [ESI+0x103],0x00000000
@BackToGame1:
JMP 0040619D
OFFSET 00406197
JMP 01FBE3A6
HEX 90
That was our One Hit Kill... now we will make the Infinite Health hack for Player Only. Write this in the upper box, but above the One Hit Kill code:
OFFSET 01FBE380
MOV DWORD PTR [1FBE370],EDX
CMP BYTE PTR [1FBE36B],0x0
JE @BackToGame
MOV DWORD PTR [EDX+0x103],0x43C80000
@BackToGame:
FLD DWORD PTR [EDX+0x103]
JMP 0040462F
OFFSET 00404629
JMP 01FBE380
HEX 90
Now it's time to explain everything this code does. We will start with Infinite Health:
OFFSET 01FBE380
I think this is obvious... it's our code cave. From here all our code will be executed.
MOV DWORD PTR [1FBE370],EDX
OK, as I said, we will use the first few lines of the .data section for a few other things. This is one of these other things.
Here we move the player structure base into 1FBE370. We will need this for the One Hit Kill option, because there we will compare whether the player OR the enemy got hit.
As you know the instruction
406197 D99E03010000 FSTP DWORD PTR [ESI+0x103]
decreases the player health as well as the enemy health. So when the player was hit, ESI will hold the player structure base, and when the enemy was hit, it will hold the enemy structure base.
So after we have moved the PLAYER structure base into 1FBE370, we are able to compare it with the enemy structure base in our One Hit Kill option.
CMP BYTE PTR [1FBE36B],0x0
This is another one of these other things. With this compare routine we are able to check whether the option is ON or OFF.
Since 1FBE36B is in our .data code cave, its standard code is 00 (ADD [EAX],AL).
So when it is 00 the option is OFF.
But when we inject 0001 (ADD [ECX],AL) into 1FBE36A, the option is ON.
JE @BackToGame
After the cmp routine has been executed, this instruction jumps back to the game when the option is off.
JE = Jump if Equal. That means if 1FBE36B is 00, Infinite Health is off and we have to jump back to the main game code. If 1FBE36B is 01, continue with the next instruction, which is:
MOV DWORD PTR [EDX+0x103],0x43C80000
Here we move the Health value to 100% (1137180672 = 43C80000 in hex).
@BackToGame:
FLD DWORD PTR [EDX+0x103]
JMP 0040462F
We use the BackToGame routine to re-create the destroyed instruction and jump back to the game after our code has been executed. Remember:
CMP BYTE PTR [1FBE36B],0x0 JE @BackToGame
If 1FBE36B (Infinite Health) = OFF, we have to jump back to the game.
OFFSET 00404629
JMP 01FBE380
HEX 90
From the address 00404629 we jump to our code cave (01FBE380).
We use the HEX 90 instruction (HEX 90 is the same as NOP), because the jump to our code cave is only 5 bytes long, but the original instruction was 6 bytes long. So we overwrite the destroyed 6-byte instruction with 6 bytes again: the 5-byte jump plus one NOP. If we do not replace the original number of bytes, the game would probably crash.
Now for the One Hit Kill hack:
OFFSET 01FBE3A6
Same as above: It's our code cave. From here all our code will be executed.
FSTP DWORD PTR [ESI+0x103]
We re-create the destroyed instruction.
CMP BYTE PTR [1FBE36D],0x0
We compare whether the option was activated or not (on or off = 1 or 0).
JE @BackToGame1
If the option has not been activated, jump back to the main game code.
CMP DWORD PTR [1FBE370],ESI
Do you remember this line in the Infinite Health code: MOV DWORD PTR [1FBE370],EDX? There we move the player structure base into 1FBE370.
Now we COMPARE the structure base of whoever got hit (player or enemy, held in ESI) with the player structure base stored in 1FBE370, because if ESI is the same as 1FBE370, the PLAYER was hit and not the enemy, which means that we can:
JE @BackToGame1
Jump back to the main game code.
MOV DWORD PTR [ESI+0x103],0x00000000
If ESI WAS the enemy structure base, we can move the enemy health value to 0, so that we are able to kill the enemy with One Hit ;)
@BackToGame1:
JMP 0040619D
We use the BackToGame1 routine to jump back to the game. Remember:
CMP BYTE PTR [1FBE36D],0x0 JE @BackToGame1
If 1FBE36D (One Hit Kill) = OFF, we will jump back to the game.
OFFSET 00406197
JMP 01FBE3A6
HEX 90
Same as above: From the address 00406197 we jump to our code cave (01FBE3A6).
We use the HEX 90 instruction (HEX 90 is the same as NOP), because the jump to our code cave is only 5 bytes long, but the original instruction was 6 bytes long. So we overwrite the destroyed 6-byte instruction with 6 bytes again: the 5-byte jump plus one NOP. If we do not replace the original number of bytes, we would probably crash the game.
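Both hooks above (the FLD at 00404629 and the FSTP at 00406197) replace a 6-byte instruction with a 5-byte JMP rel32 plus one NOP. The C snippet below is an added example, not part of the original tutorial or of TSearch: it encodes exactly that patch for both hook sites and reinterprets the 100% Health constant as the float the game's FLD/FSTP instructions see. The function names encode_detour and health_from_bits are chosen for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build the patch the tutorial writes at a hooked instruction: a 5-byte
 * JMP rel32 (E9 xx xx xx xx) to the code cave, then NOP (0x90) padding
 * until the whole length of the original instruction is covered.
 * Returns the number of bytes written, or -1 if the original instruction
 * is shorter than the 5 bytes a JMP rel32 needs. */
int encode_detour(uint32_t hook_addr, uint32_t cave_addr, int orig_len, uint8_t *out)
{
    if (orig_len < 5)
        return -1;
    /* rel32 is measured from the end of the JMP itself (hook_addr + 5) */
    int32_t rel = (int32_t)(cave_addr - (hook_addr + 5));
    out[0] = 0xE9;
    memcpy(out + 1, &rel, 4);          /* x86 stores the displacement little-endian */
    for (int i = 5; i < orig_len; i++)
        out[i] = 0x90;                 /* the tutorial's "HEX 90" padding */
    return orig_len;
}

/* The Health value TSearch shows as an integer is the raw bit pattern of
 * a 32-bit float; reinterpret it the way the game's FLD/FSTP do. */
float health_from_bits(uint32_t bits)
{
    float f;
    memcpy(&f, &bits, sizeof f);
    return f;
}

int main(void)
{
    uint8_t patch[6];
    /* Hook sites and cave addresses from the tutorial; both originals are 6 bytes */
    uint32_t hooks[2][2] = { { 0x00404629u, 0x01FBE380u },   /* FLD  -> Infinite Health */
                             { 0x00406197u, 0x01FBE3A6u } }; /* FSTP -> One Hit Kill    */
    for (int h = 0; h < 2; h++) {
        int n = encode_detour(hooks[h][0], hooks[h][1], 6, patch);
        printf("%08X:", hooks[h][0]);
        for (int i = 0; i < n; i++)
            printf(" %02X", patch[i]);
        printf("\n");
    }
    /* 1137180672 == 0x43C80000, which the game treats as 400.0 (100% Health) */
    printf("0x43C80000 as float = %.1f\n", health_from_bits(1137180672u));
    return 0;
}
```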
Phew... that was the code for the Infinite Health and One Hit Kill hacks... Activate the option and go back into the game to test it!
Well... not working, eh?
Of course it does not work :P
Do you remember this line in the Infinite Health code?:
CMP BYTE PTR [1FBE36B],0x0
And this line in the One Hit Kill code?:
CMP BYTE PTR [1FBE36D],0x0
As I said earlier, here we are checking whether the option is ON or OFF.
At the moment 1FBE36B and 1FBE36D are both 00, which means that both options are off.
To enable them, we have to inject 0001 into 1FBE36A and 1FBE36C.
To do this, make a new EasyWrite option and write this in the upper box, to enable Infinite Health:
OFFSET 1FBE36A
ADD [ECX],AL
And to deactivate the Option write this in the lower box:
OFFSET 1FBE36A
ADD [EAX],AL
Do the same for the One Hit Kill option (make a new EasyWrite option and write the same code in the upper and lower box). You only have to change the offsets to 1FBE36C.
Now activate ALL the EasyWrite options and go back to the game.
You will see that everything is working perfectly. You have Infinite Health and the enemies are dying with One Hit.
You could also disable Infinite Health and you will still kill enemies with One Hit.
Or disable One Hit Kill and you will still have Infinite Health.
Phew... that was a long tutorial, wasn't it?
Still... I hope that I have explained everything well enough so that you understand it.
Now the best thing for you to do would be to hack a few iso games. Install a few of them and try to hack Health, Ammo, make One Hit Kills, etc.
I also advise you to learn asm, because when you know asm, you can do pretty much everything you want, for example hacks like Kill All, Rapid Fire, Super Speed, Super Jump, Invisibility, Get All Weapons/Items, Enemies don't Shoot, etc.
I know most of the hacks are hard to do without SIce, but you should at least try to make a few of them.
It always depends on your coding skills ;)
Still... I hope you managed everything in this tutorial and learned from it, since at the moment this one is the most extensive one.
If you have questions/comments or suggestions for another tutorial then email me at: poizn1@googlemail.com or contact me on --> iRC: EFNET: #GAMEHACKING
For more tutorials visit: http://www.gamehacking.co.uk
A big THANK YOU is flying out to apache- for being the 1st who is putting this tutorial on his site.
greetz are also flying out to these people and friends (in alphabetical order): [Death], [sheep], allen, ape, CoaxCable, Drax, HaD-Team, jmp_fce4, m1indphuck Mango, maZel, spookie, toker, Trelpie, Tron, Tsongkie and of course VegitoSSJ.
You are allowed to spread this tutorial to any sites as long as the content of this tutorial is exactly the same as the one on http://www.gamehacking.co.uk