Standard Game Training: Learning how to defeat DMA ñ with code injection
Game Training Tutorial #3 for Beginner by POiZN
Tutorial Nr. 3: Standard Game Training: Learning how to defeat DMA ñ with code injection
Tools Needed:
- TSearch http://www.gamehacking.co.uk
- Alien Defense v1.0 http://www.reflexive.net
- Sheep's Array of Sunshine v1.3 http://www.gamehacking.co.uk
What we will learn:
In this tutorial we will learn how to defeat DMA with code injection.
Code Injection is used by advanced game hackers. The general idea is, that you jump out of the main game code to your OWN code and jump back, after your code has been executed.
If you have good asm (Assembler) knowledge, you can do almost everything with it.
NEW TOOL
Today we will use Sheep's Array of Sunshine (a.k.a. SAS). With this little program, we can search our game code for unused locations, to inject our code.
It has quite a lot more functions, than you might think. You should read the included readme, to learn how to use this program and how to take advantage of it Ö
I'm using it since 2003 and I still hope that one time (hopefully in this century :P)
sheep will update it.
START
The game we will hack today is called Alien Defense. It's another little shareware game and perfect to learn how to inject code.
Also note that you should have learned the basics of asm by now. (I have warned you in the previous tutorial :P)
First thing we need to do is to find the Health value. We could hack Shield as well, but for this part we will use Health..
I think the search you have to do is completely clear... if not:
Start TSearch, run the game, begin a mission, select the process AD.RWG in TSearch and start the search for an unknown value.
Go back to the game, decrease the Health, search again; decrease the Health, search again; decrease the Health, search again; and search for has not changed, to save a bit time Ö
I have found the address 294C57E (yours will be different to 99,9%).
Now there are two ways how we could do it ... The first would be to set a Memory breakpoint on the address, the second would be to set a open breakpoint on it.
For this tutorial we will use the normal Memory breakpoint ... we will see the advantage of the Open breakpoint in the next tutorial.
Now after you have found the correct address (the value should be in the range of 16384 and 17096 [depends on how much Health you have left]) set a breakpoint on it by enabling the debugger and right-clicking the address and AutoHack it.
I got:
ADDRESS OPCODES LANGUAGE
0040EDB3 D9597C FSTP DWORD PTR [ECX+0x7C]What we will try to do now is this:
ADDRESS OPCODES LANGUAGE
0040EDB3 D9597C FSTP DWORD PTR [ECX+0x7C] --> we jmp to 1
0040EDB6 8BE5 MOV ESP,EBP
0040EDB8 5D POP EBP --> 2
0040EDB9 C20400 RETN 0x4
00xxxxx0 OUR CODE HERE --> 1
00xxxxx4 OUR CODE HERE
00xxxxx8 OUR CODE HERE
00xxxxxC JMP 0040EDB8 --> and after our code has been executed we jmp to 2What we here do is:
We jump from our main game code ñ 0040EDB3 ñ to our code cave ñ 00xxxxx0 (this 00xxxxx0 is only because we haven't grabbed our code cave yet) ñ then we inject our own code and after the code has been executed, we will jump back to the main game code.
Well, we have to find out, which value we have to inject into [ECX+0x7C], right?
Normally it would be 17096, because if you change your Health value to that, you would have full Health ... but not in this game
We have to find out the address of the register (ECX) and then add 7C to it.
To do this right-click on the line
0040EDB3 D9597C FSTP DWORD PTR [ECX+0x7C]in the AutoHack window and then on Register.
Now go to the Register tab (it's to the right of the Thread tab).
Once there, you have to choose the register ECX in the dropdown list. Then click on the square to the left of the window, to activate it (you will see that it is activated by the red head that appears in the square.
Go back to the game and change the value (decrease the Health), pause again and go back to AutoHack.
An address should now have appeared under Original Value. Here it is 294C500 (yours will be different).
Go to TSearch again, then to View and Show Calculator (if you haven't already activated it).
Right to the equality sign there is a button called H ... click on it to change it to ëDí Now we are in the Hex mode, coz everything we need to calculate is hex and not decimal.
Calculate your register address with 7C ... in this case it should be:
294C500 + 7C = 294C57C (you could have done it in your head, but I think you got the point)
Add this address to TSearch, 4Bytes.
Change your Health value (address 294C57E here) to 17096 (thatís the value to get max Health) and you will see that the value in address 294C57C has changed to 1120403456. This is the value we need to inject into [ECX+0x7C] to get 100% health.
Now we will grab our code cave.
Run SAS, select the process (the window name) and then on CODE CAVE FINDER.
Have a look at the CODE CAVE RESULTS ... it should look like this:
SECTION CODE CAVE START CODE CAVE SIZE CHARACTERISTICS
.text 0043ACD2 32E Read/Exec
.rdata 00440680 980 Read Only
.data 00451CAC 354 Read/Write
.rsrc 00459AB0 350 Read OnlyWe will use the cave in the .data section of the game, because not every cave is suitable so I suggest you to always use the .data or another section with Read/Write characteristics.
Before we inject our code, let's make sure that there is really no code flying around.
Go to the AutoHack window and disassemble the address 00451CAC.
Well, here I see now that there is a bit code on address 00451CAB ñ inc dword ptr [eax] ñ gambling around so we should better scroll a few lines down.
I have chosen 00451CC1 ... you can see the opcodes are 00-00 and the asm code for that is ADD [EAX],AL --> this is unused code, so very good for us to inject our code in.
Now let's begin Ö
INJECTING THE CODE
Go back to the TSearch main screen and click on View and then on EasyWrite (if you havenít already activated it).
Click on the white letter thing, to make a new easy write option and write this in the upper section of the EasyWrite window, because this is for the option, when it is activated (ON):
OFFSET 00451CC1
FSTP DWORD PTR [ECX+0x7C]
MOV DWORD PTR [ECX+0x7C],0x42C80000
MOV ESP,EBP
JMP 0040EDB8
OFFSET 0040EDB3
JMP 00451CC1Now I will tell you everything, this code does:
OFFSET 00451CC1 --> this is the address of our code cave
FSTP DWORD PTR [ECX+0x7C] --> we re-create the 1st destroyed instruction
MOV DWORD PTR [ECX+0x7C],0x42C80000 --> we move our health to 100%
42C80000 is 1120403456 in hex (you
can use TSearch's converter)
MOV ESP,EBP --> we re-create the 2nd destroyed instruction
JMP 0040EDB8 --> we jump back to the main game code
OFFSET 0040EDB3 --> this is the address of the main game code
JMP 00451CC1 --> and from the main game code, we jump to our
code caveIt is ALWAYS very important, that you re-create the instructions you've destroyed. If you ask why we have destroyed them; this is because of the jump to our code cave.
With this jump we will destroy 5 OPCODES but the line
0040EDB3 D9597C FSTP DWORD PTR [ECX+0x7C]has only 3 opcodes, so we have automatically destroyed the next instruction too, which is
0040EDB6 8BE5 MOV ESP,EBPAfter you have typed that in EasyWrite, click on OK and activate the option. Go back to the game, and you will see that when an enemy hits you, you will always have 100% health.
To see how this looks in Assembly Language with all the addresses and opcodes, go to AutoHack, click on Disassemble and write down the address 0040EDB3 and you will see:
ADDRESS OPCODES LANGUAGE
0040EDB3 E9092F0400 JMP 0x00451CC1Right-click on this line and then click on Follow and you will see your code:
ADDRESS OPCODES LANGUAGE
00451CC1 D9597C FSTP DWORD PTR [ECX+0x7C]
00451CC4 C7417C0000C842 MOV DWORD PTR [ECX+0x7C],0x42C80000
00451CCB 8BE5 MOV ESP,EBP
00451CCD E9E6D0FBFF JMP 0x0040EDB8Great, eh?
Now we almost finished this tutorial. Go back to the EasyWrite Option, we have just created and you will see that there is also a section in the lower EasyWrite window. This is used to deactivate our option (OFF). Write this:
OFFSET 0040EDB3
FSTP DWORD PTR [ECX+0x7C]
OFFSET 0040EDB6
MOV ESP,EBPThe only thing we do here is changing the game code back to normal. That means that the jump to our code cave will be overwritten by the original code, to disable the Infinite Health hack.
OK then Ö another tutorial finished. I hope you have managed everything and learned from it.
You are now able to defeat the DMA and inject your OWN code into the game code, which is very often used by advanced game hackers to make hacks you cannot do with normal game training.
As always I suggest you to download more shareware games and practise what we have just done.
Since the next tutorial will be a bit more complex you should prepare for it ;)
If you have questions/comments or suggestions for another tutorial then email me at: poizn1@googlemail.com or contact me on --> iRC: EFNET: #GAMEHACKING
For more tutorials visit: http://www.gamehacking.co.uk
A big THANK YOU is flying out to Apache- for being the 1st who is putting this tutorial on his site.
greetz are also flying out to these people and friends (in alphabetical order): [Death], [sheep], allen, ape, CoaxCable, Drax, HaD-Team, jmp_fce4, m1ndphuck, Mango, maZel, spookie, toker, Trelpie, Tron, Tsongkie and of course VegitoSSJ.
You are allowed to spread this tutorial to any sites as long as the content of this tutorial is exactly the same as the one on http://www.gamehacking.co.uk
