Code Caves and Code Injection
By Tsongkie / CES 2003
www.gamehacking.com

I. Introduction

Code caves are series of 00 and/or 90 hex bytes (unused padding) located in the process memory of our games. We can use these code caves as a place wherein we can write our own code/routine/function.

II. Needed Tools

1. SoftIce/Tsearch (I prefer SoftIce) - www.gamehacking.com
2. Your favorite memory searcher (I use ArtMoney) - www.gamehacking.com
3. Tsongkie's Code Cave Tool (TCCT) - www.tsongkie.com
4. Game (I used Gangsters 2 v1.0.5)
5. A few brain cells

III. Hacking the Game

I have searched the game as normal and found the money value at 010BAFDC. I also noticed that the money is being updated when the time returns to 00 (e.g. 10:00, 11:00). Also, 010BAFDC is a COUNTER address; changing it won't have any effect on the real value.

For SoftIce users, be sure that you enabled the following in SoftIce:

  Dump Window:     wd [return]
  Register Window: wr [return]
  Hex Codes:       code on [return]

What we need is to put a breakpoint at 010BAFDC... so:

  Press ctrl+d
  Type bpmd 010BAFDC w
  Type X

And wait for SoftIce to pop when the time reaches 00... When SoftIce pops up, I get the following code:

  0177:005650E6 85C0          TEST EAX,EAX
  0177:005650E8 75CA          JNZ 005650F4
  0177:005650EA 8A8658040000  MOV AL,[ESI+00000458]
  0177:005650F0 84C0          TEST AL,AL
  0177:005650F2 7570          JNZ 00565164
  0177:005650F4 57            PUSH EDI
  0177:005650F5 8B7C240C      MOV EDI,[ESP+0C]    <- Notice here
  0177:005650F9 85FF          TEST EDI,EDI        <- SoftIce pops here
  0177:005650FB 7D0B          JGE 00565108

Type d [ESP+0C]. BINGO! [ESP+0C] is equal to 010BAFDC, our money address. If we simply NOP this, the money wouldn't change... it would neither increase nor decrease... The answer to this problem is code injection. What we need is to change MOV EDI,[ESP+0C] to MOV EDI,00FFFFFF, which gives us $99,999,999... The catch is that MOV EDI,00FFFFFF (BF FF FF FF 00) is 5 bytes, one more than the 4-byte MOV EDI,[ESP+0C] it replaces, so it does not fit in place; that is what the code cave is for.

IV. Code Injection

First, get TCCT (Tsongkie's Code Cave Tool... yeah) and search the Gangsters2 window for code caves. Look at the results and select one... I chose 00400319.

In SoftIce type:

  D 400319 [return]

Scroll down some more just to be safe... Look at 00400342... Again type:

  U 00400342 [return]

It is a series of code caves... Write down the address on a piece of paper.

For our own injected function

Now we need to assemble at 00400342, so type:

  A 00400342 [return]
  0028:400342 MOV EDI,00FFFFFF [return]
  0028:400347 TEST EDI,EDI [return]
  0028:400349 RET [return]

Again type U 400342 [return]. It should look like this:

  0028:00400342 BFFFFFFF00    MOV EDI,00FFFFFF
  0028:00400347 85FF          TEST EDI,EDI
  0028:00400349 C3            RET

What we have just written is our own function.

1) The instruction at 0028:00400342 is the code that we need to have $9,999,999.
2) The instruction at 0028:00400347 is the same code as at 0177:005650F9. We rewrote this because we are going to overwrite the instruction at 0177:005650F9 when we call our own function.
3) All functions/procedures end with a RET (instruction at 0028:00400349).

The only thing we need to do is call our function...

Calling Our Function/Procedure

Let's look at the game's code again:

  0177:005650F2 7570          JNZ 00565164
  0177:005650F4 57            PUSH EDI
  0177:005650F5 8B7C240C      MOV EDI,[ESP+0C]    <- Notice here
  0177:005650F9 85FF          TEST EDI,EDI
  0177:005650FB 7D0B          JGE 00565108

What we need is to overwrite the code at 0177:005650F5 and 0177:005650F9 with a CALL instruction. Let's assemble and overwrite the said code. Now type:

  A 005650F5 [return]
  0177:005650F5 CALL 00400342 [return]
  0177:005650FA NOP [return]        <- NOP this because the next instruction starts at 005650FB
  0177:005650FB [return]            <- Next instruction starts here

Type again U 005650F5 [return]. It should look like this:

  0177:005650F2 7570          JNZ 00565164
  0177:005650F4 57            PUSH EDI
  0177:005650F5 E848B2E9FF    CALL 00400342
  0177:005650FA 90            NOP
  0177:005650FB 7D0B          JGE 00565108

There, we are done. Clear all our breakpoints and check if it works. It should.

V. Our Trainer

You just need to write:

  Address    New Bytes
  00400342   BF FF FF FF 00 85 FF C3
  005650F5   E8 48 B2 E9 FF 90

VI. Final Words

For questions/suggestions/comments, e-mail me at root@tsongkie.com. For further help, go to the www.gamehacking.com forums.
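To make the bytes in sections IV and V concrete, here is an added Python example (not from the original tutorial or from TCCT) that scans a buffer for runs of 00/90 padding the way a cave finder does, and derives the CALL rel32 plus NOP padding for the patch at 005650F5 from the addresses alone; the SAMPLE buffer and its base 00400300 are constructed for illustration.

```python
import struct

# Constructed sample memory image: a few fake code bytes, a run of 00/90
# padding (a code cave), a RET, and a short run too small to count.
SAMPLE = b"\x55\x8b\xec" + b"\x00" * 12 + b"\x90" * 8 + b"\xc3" + b"\x00" * 3


def find_code_caves(data, base, min_len=8):
    """Return (address, length) for every run of 0x00/0x90 bytes >= min_len."""
    caves, start = [], None
    for i, b in enumerate(data):
        if b in (0x00, 0x90):
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                caves.append((base + start, i - start))
            start = None
    if start is not None and len(data) - start >= min_len:
        caves.append((base + start, len(data) - start))
    return caves


def encode_call(src, target):
    """E8 rel32: the displacement is relative to the end of the 5-byte CALL."""
    rel = target - (src + 5)
    return b"\xe8" + struct.pack("<i", rel)


def build_patch(src, src_len, cave):
    """CALL cave, then NOP-pad so the patch covers exactly src_len bytes
    (here the 4-byte MOV plus the 2-byte TEST that the CALL overwrites)."""
    call = encode_call(src, cave)
    if src_len < len(call):
        raise ValueError("overwritten instructions too short to hold a CALL")
    return call + b"\x90" * (src_len - len(call))


# Cave body from section IV: MOV EDI,00FFFFFF / TEST EDI,EDI / RET
CAVE_BODY = b"\xbf" + struct.pack("<I", 0x00FFFFFF) + b"\x85\xff\xc3"


def trainer_bytes(src=0x005650F5, src_len=6, cave=0x00400342):
    """Rebuild the section V table: address -> bytes to write."""
    return {cave: CAVE_BODY, src: build_patch(src, src_len, cave)}


if __name__ == "__main__":
    for addr, n in find_code_caves(SAMPLE, 0x00400300):
        print(f"cave at {addr:08X}, {n} bytes")
    for addr, data in trainer_bytes().items():
        print(f"{addr:08X}  {data.hex(' ').upper()}")
```

The computed patch for 005650F5 comes out to E8 48 B2 E9 FF 90, the same bytes the tutorial's U listing shows, so the rel32 really is 00400342 minus 005650FA.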