Search site: 

| Home | PC Cheat Codes | Game Patch Updates | PC Game Trainers | PC Game Tools | Game Patch Fixes | Articles | Discussion Forums | Contact |

Trainer Tutorials

Latest Forum Discussions:

This section of the site is dedicated to Trainer Tutorials to help everyone get a better understanding of how Game Trainers are made and how they function.

Code Caves & Code Injection Tutorial

You can view this tutorial in its original format here
Code Caves and Code Injection
By Tsongkie / CES 2003 

I. Introduction

Code caves are series of 00 and/or 90 hex bytes located in the process memory of our games. We can use these code caves as a place wherein we can write our own code/routine/function.

II Needed Tools

1. SoftIce/Tsearch (I prefer SoftIce)
2. Your favorite Memory Searcher (I use ArtMoney)
3. Tsongkie’s Code Cave Tool ?
4 Game (I used Gangsters 2 v1.0.5)
5. Few Brain cells ?

III Hacking the Game

I have searched the game as normal and found the value 010BAFDC for money. I also noticed that the money is being updated when the time returns to 00 (e.g. 10:00, 11:00). Also, 010BAFDC is a COUNTER Address, changing it wont have any effect with the real value.

For SoftIce Users be sure that the you enabled the following in SoftIce: 

Dump Window: wd [return]
Register Window: wr [return]
Hex Codes: code on [return]

What we need is to put a breakpoint at 010BAFDC… so…

Press ctrl+d
Type bpmd 010BAFDC w
And wait for SoftIce to Pop when time reaches 00…

When SoftIce pops up, I get the following code:

0177:005650E6 85C0 TEST EAX,EAX
0177:005650E8 75CA JNZ 005650F4
0177:005650EA 8A8658040000 MOV AL,[ESI+00000458]
0177:005650F0 84C0 TEST AL,AL
0177:005650F2 7570 JNZ 00565164
0177:005650F4 57 PUSH EDI
0177:005650F5 8B7C240C MOV EDI,[ESP+0C] ? Notice here
0177:005650F9 85FF TEST EDI,EDI ? SoftIce Pops Here
0177:005650FB 7D0B JGE 00565108

type d [ESP+0C]
BINGO! [ESP+0C] is equal to 010BAFDC, our money address ?. If we simply NOP this, the money wouldn’t change…It wouldn’t either increase nor decrease… the answer to this problem is code injection…

What we need is change MOV EDI,[ESP+0C] to:
MOV EDI,00FFFFFF which gives us $99,999,999…

IV Code injection

First, Get TCCT (Tsongkie’s Code Cave Tool… Yeah ? ) and search Gangsters2 Window for code caves. Look at the results and select one… I chose 00400319. In SoftIce type:

D 400319 [return]

Scroll down some more just to be safe…Look at 00400342…Again type

U 00400342

It is a series of code caves… Write down the address in a piece of paper.

For our own injected function

Now we need to assemble 00400342, so type:

A 00400342 [return]

0028:400342 MOV EDI,00FFFFFF [RETURN]
0028:400347 TEST EDI,EDI
0028:400349 RET

Again type: U 400342 [return]

It should look like this:

0028:00400342 BFFFFFFF00 MOV EDI,00FFFFFF
0028:00400347 85FF TEST EDI,EDI
0028:00400349 C3 RET

What we have just written is our own function ?. 

1) The instruction at 0028:00400342 is the code that we need to have $9,999,999. 

2) The instruction at 0028:00400342 is the same code at 0177:005650F9. We rewrote this because we are going to overwrite the instruction at 0177:005650F9 when we call our own function.

3) All functions/procedures end with a RET (instruction at 0028:00400349)

The only thing we need to do is call our function…

Calling Our Function/Procedure

Lets look at the game’s code again:
0177:005650F2 7570 JNZ 00565164
0177:005650F4 57 PUSH EDI
0177:005650F5 8B7C240C MOV EDI,[ESP+0C] ? Notice here
0177:005650F9 85FF TEST EDI,EDI 
0177:005650FB 7D0B JGE 00565108

What we need is to overwrite the code at 0177:005650F5 and 0177:005650F9 with a CALL Instruction. Lets assemble and overwrite the said codes.

Now type:

A 005650F5 [return]

0177:005650F5 CALL 00400342
0177:005650FA NOP ? NOP this because the next instruction starts at: 005650FB
0177:005650FB [RETURN] ? Next Instruction starts here

Type again:

U 005650F5 [RETURN]

It should look like this:

0177:005650F2 7570 JNZ 00565164
0177:005650F4 57 PUSH EDI
0177:005650F5 E848B2E9FF CALL 00400342
0177:005650FA 90 NOP
0177:005650FB 7D0B JGE 00565108

There, we are done. ? Clear all our breakpoints and check if it works. It should.

V. Our Trainer

You just need to write…

Address New Bytes

00400342 BF FF FF FF 00 85 FF C3
005650F5 E8 48 B2 E9 FF 90


For questions/suggestions/comments, e-mail me at For further help, go to forums.

Copyright © (1998) 2004 - 2016 All Rights Reserved. Privacy Policy Disclaimer