****************************************
‡ Tutorial on "Code Injection" by brzi ‡
****************************************
‡ August - 21 - 2003                   ‡
****************************************
‡ E-Mail...¦ brzi@devious.tsongkie.com ‡
‡--------------------------------------‡
‡ Team.....¦ DEViOUS™                  ‡
‡--------------------------------------‡
‡ Web Site.¦ www.deviousonline.tk      ‡
‡--------------------------------------‡
‡ Greets...¦ Tsongkie € Stoner € Omega ‡
‡            Micral € Mini^Me € EEDOK  ‡
‡            InvadeR € snow and        ‡
‡            everyone that I know :)   ‡
****************************************
‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡
‡Dedicated to ..:Omega:.. - MISS YA BRO‡
‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡‡
****************************************
‡ Tools Needed                         ‡
‡--------------------------------------‡
‡ SoftIce                              ‡
‡--------------------------------------‡
‡ Memory Searcher                      ‡
‡--------------------------------------‡
‡ A PIECE OF PAPER                     ‡
****************************************
****************************************
‡ Links To The Tools                   ‡
‡--------------------------------------‡
‡ SoftIce - I am giving you the latest ‡
‡ version of SI - ver. 4.5             ‡
‡ www.newhua.com/down/si405w9x.zip     ‡
‡ Serial #: 4001-2345FB-BF             ‡
‡--------------------------------------‡
‡ Memory searcher - your choice        ‡
‡ www.gamehacking.com                  ‡
‡--------------------------------------‡
****************************************

*** Excuse my English ***
-------------------------

‡ Lesson Start ‡
****************

‡ Why learn Code Injection ‡
****************************

ONE: Well, if you learn Code Injection you can give yourself a bigger rank in the gamehacking community, but the main reason is that if you know how to do Code Injection and you have enough ASM knowledge, then there is nothing that can stop you from doing something BAD!! to the game. Of course this is limited by your knowledge of the game and your knowledge of the ASM language.

TWO: You are playing your game, OK, you have found your ... let's say health address...
You NOP that address and you have infinite health. But you pass the level or go on to the next stage and it doesn't work anymore. You say: WHAT THE HELL!? Well HELLO!!!! This is DMA (dynamic memory allocation)!!! It causes your memory addresses to change every time you run/restart the game or when you change the level/stage/map. Well, this is fucking annoying. You can stop it by finding the instruction that decreases your health and NOP-ing it, but what if you want something more, what if you want something BAD! to the game? Well, that can be accomplished with Code Injection. All you need is included in the Tools, and you have to be willing to learn.

IF KNOWLEDGE IS CRIME, THEN MAY GOD HELP ME. - Remember this sentence.
*NOTE: This is my opinion.

‡ Code Injection Theory ‡
*************************

Code Injection is a method used by gamehackers (advanced gamehackers) to do/achieve something that cannot be done with the normal training methods. The main goal of code injection is to create a path from the game loop to your own code and, after your code has been executed, to jump back to the game loop again. I told ya, you are only limited by your knowledge of the game and your ASM knowledge.

‡ This is how code injection works: ‡
*************************************

1. We find our address.
2. We find a code cave.
3. We modify the instruction at our address to jump to the code cave where we have written our code.
4. We write our code to the code cave.
5. After the code is executed we jump back to the instruction below the NOP (if we had to write a NOP).

- Try to understand ME :)
*************************

In this tutorial I will use the program "Programme test" by Oliviver. We will hack the numbers. Open your favorite memory searcher and search. After a little searching you should end up with only one address. My address was 41D090. Put a breakpoint on that address using SoftIce (bpm 41D090 w). Press the button once. SoftIce should pop up. I have this code:
Address   OPCODES      ASM Instructions
00401384  A390D04100   mov [0x41D090],eax           <- moves the value of eax into the ON SCREEN variable
00401389  C644241100   mov byte ptr [esp+0x11],0x0  <- SI pops up here
0040138E  E86D0D0000   call 0x00402100
........  ..........   ...............

Let's say that we want the number to be 100, so we first search for a code cave where we will put our code. You can use SI commands for this or Tsongkie's Code Cave Tool: www.tsongkie.com

‡ What is a Code Cave? ‡
***********************************************************************
‡ Code Caves are runs of 00's and 90's in the program code where we  ‡
‡ can inject our code without infecting the main code.               ‡
***********************************************************************

‡ How to find a Code Cave using Tsongkie's Code Cave Tool, SoftIce ‡
*******************************************************************

The easy way is Tsongkie's Code Cave Tool:
Start TCCT. Type the window name of the program/game; in our case type "prog test". Press Search. TCCT will find lots of addresses and display them in the Result Box. But we won't select any address from this; we will use the old SI way and then select an address.

---------------------------
The SoftIce way:
In SI type: TASK
You should see this:
--------------------
TaskName  SS:SP      StackTop  StackBot  StackLow  TaskDB  hQueue  Events
Programm* 0000:0000  0065E000  00660000  0B26      0B87    0000
Wordpad   0000:0000  0066D000  00670000  0A9E      0A5F    0000
Explorer  0000:0000  0066C000  00670000  1F9E      1F3F    0000
........  .........  ........  ........  ....      ....    .....
----------------------------------------------------------------------------------------

NOW type: MAP32 Programme test   <- here you type the name of the game, e.g.
GTA2.
You should see this:
--------------------
Owner     Obj Name  Obj#  Address        Size      Type
PROGRAME  .text     0001  0137:00401000  0001697A  CODE   RO
PROGRAME  .rdata    0002  013F:00418000  000042C8  IDATA  RO
PROGRAME  .data     0003  013F:0041D000  00007B68  IDATA  RW
PROGRAME  .idata    0004  013F:00425000  00001BA2  IDATA  RW
PROGRAME  .rsrc     0005  013F:00427000  00004540  IDATA  RW
------------------------------------------------------------------

Now let's check the address that is in the .rsrc line (00427000).
In SI type: U 00427000 - press Enter.
Now you will be at code location 00427000. Scroll the window up by pressing Ctrl+Up and you'll see lots of addresses like this:

Address    OPCODES  ASM Instructions
xxxxxxxxx  0000     ADD [EAX],AL
xxxxxxxxx  0000     ADD [EAX],AL
xxxxxxxxx  0000     ADD [EAX],AL

These addresses are called "Code Caves". Let's pick 00426F80. This is where we are going to inject our code.

First we need to replace the instruction at address 00401384 with a jump to our code. So we do this:
In SI type: a 00401384
Type: jmp 00426f80
Press Esc or Enter.
Now we type: u 00401384
Now the code will change from

Address   OPCODES      ASM Instructions
00401384  A390D04100   mov [0x41D090],eax
00401389  C644241100   mov byte ptr [esp+0x11],0x0
0040138E  E86D0D0000   call 0x00402100
........  ..........   .................

to

Address   OPCODES      ASM Instructions
00401384  E9F75B0200   jmp 00426F80                 <- jump to our code
00401389  C644241100   mov byte ptr [esp+0x11],0x0
0040138E  E86D0D0000   call 0x00402100
........  ..........   ...............

At address 00401384 we jump to our code. Usually we need to write a single NOP as well, but in this case that's not needed, because the jmp (5 bytes) is exactly as long as the mov it replaced (5 bytes). Why should we write a NOP? Well, in this case we don't need to, but in other cases here's why: after we write our jump or call, we write NOPs to even out the code.
Example. We have this code:

MOV [EDI],AX
MOV EAX,[EDI+14]
MOV ECX,[EAX+50]

Now, after we write our jump without the NOP to even out the code, the code will look like this:

JMP 000000000   <- some address here
ADD BX, EC      <- we jump back here
JE 000000       <- some address here

When our code is executed and we jmp back to the game loop, the game/program will crash, because the bytes after the 5-byte JMP no longer start on an instruction boundary and are decoded as garbage. But if we write a NOP to even out the code, it should look like this:

JMP 000000000      <- some address
NOP
MOV EAX,[EDI+14]   <- we jump back here - the instruction that was below the MOV [EDI],AX

You see that after we have written the NOP the code comes back to normal and everything will work fine.

OK, return to the main subject. Next we need to write our code at the address 00426F80.
In SI we type: u 00426f80 - this will bring you to the address
a 00426f80
type MOV EAX,064h
type MOV [0041d090],EAX
type JMP 00401389
Press Esc or Enter.
Now check. In SI we type: u 00426f80 and it should look like this:

Address   Opcodes       ASM
00426F80  B864000000    MOV EAX,00000064   <- now eax has the value 100 decimal (64 hex)
00426F85  66A390D04100  MOV [0041D090],AX  <- store the value into the ON SCREEN variable (SI assembled it as a 16-bit store of AX, hence the 66 prefix; that is enough here because 100 fits in the low word)
00426F8B  E9F9A3FDFF    JMP 00401389       <- jmp back to the game code

Now let's check if our Code Injection works. First clear the breakpoints: in SI type bc * and exit by pressing Ctrl+D. Look at the program. What!? The value is the same, but wait, the program increases the value every time you press the button. So press the button a few times and you will see what happens. The value will be 101, because the program adds one to the value. If the program crashes then you have written something wrong. Check that you have written everything like I told ya. If yes, then congratulations, you have made your first Code Injection. Write the opcodes on a piece of paper. We need the opcodes for later when we poke this address with the trainer.
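As an added check (this is not brzi's code and not part of the tutorial), the following Python encodes the two E9 rel32 jumps from the addresses above, compares them with the opcodes listed, and applies the NOP-padding rule from the MOV [EDI],AX example; the instruction sizes used for that example (3 bytes each for MOV [EDI],AX and MOV EAX,[EDI+14]) are assumptions.

```python
"""Added worked check of the tutorial's detour (not brzi's code)."""
import struct

JMP_LEN = 5  # an E9 rel32 jump is always 5 bytes


def encode_jmp_rel32(src: int, dst: int) -> bytes:
    """Encode 'jmp dst' assembled at address src: the displacement is
    relative to the end of the jump (src + 5), signed little-endian."""
    return b"\xE9" + struct.pack("<i", dst - (src + JMP_LEN))


def decode_jmp_rel32(src: int, code: bytes) -> int:
    """Recover the target of the E9 jump located at address src."""
    if len(code) < JMP_LEN or code[0] != 0xE9:
        raise ValueError("not an E9 rel32 jump")
    (disp,) = struct.unpack("<i", code[1:JMP_LEN])
    return src + JMP_LEN + disp


def nops_needed(instr_lengths: list, patch_len: int = JMP_LEN) -> int:
    """NOPs required after a patch so it ends on an instruction boundary.
    instr_lengths: sizes of the original instructions at the patch site."""
    covered = 0
    for n in instr_lengths:
        if covered >= patch_len:
            break
        covered += n
    if covered < patch_len:
        raise ValueError("patch is longer than the instructions listed")
    return covered - patch_len


# Addresses from the tutorial. The cave's JMP follows a 5-byte MOV EAX,64h
# and a 6-byte 66 A3 store, so it sits at 00426F80 + 0xB = 00426F8B.
HOOK_ADDR, CAVE_ADDR = 0x00401384, 0x00426F80
CAVE_JMP_ADDR, RETURN_ADDR = 0x00426F8B, 0x00401389


def tutorial_patches() -> dict:
    """The two jumps the trainer pokes; compare with the listed opcodes."""
    return {"hook": encode_jmp_rel32(HOOK_ADDR, CAVE_ADDR),       # E9 F7 5B 02 00
            "back": encode_jmp_rel32(CAVE_JMP_ADDR, RETURN_ADDR)}  # E9 F9 A3 FD FF


if __name__ == "__main__":
    for name, code in tutorial_patches().items():
        print(name, code.hex(" ").upper())
    # Assumed sizes: MOV [EDI],AX = 3 bytes, MOV EAX,[EDI+14] = 3 bytes, so a
    # 5-byte JMP leaves one stray byte: the single NOP in the tutorial's example.
    print("NOPs needed:", nops_needed([3, 3]))
```

Running it prints the same byte sequences the trainer section pokes, which is the quickest way to catch a displacement written against the wrong base address before anything is patched.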
You see that code injection is easy; you just need to practice and everything will be just fine. Remember that I told you that you can do some BAD things with Code Injection.

‡ Making the Trainer ‡
**********************

You just need to poke the addresses like this:

Address   Bytes2Write
00401384  E9 F7 5B 02 00

Address   Bytes2Write
00426F80  B8 64 00 00 00 66 A3 90 D0 41 00 E9 F9 A3 FD FF

‡ To Better Understand Code Injection ‡
***************************************

Main Code
00401384  E9F75B0200    JMP 00426F80              ---+     <- jump to our code
00401389  C644241100    MOV BYTE PTR [ESP+11],00  <--|--+
                                                     |  |
Our Code                                             |  |
00426F80  B864000000    MOV EAX,00000064          <--+  |
00426F85  66A390D04100  MOV [0041D090],AX               |
00426F8B  E9F9A3FDFF    JMP 00401389              ------+  <- jump back

‡ Final Words ‡
***************

And finally this tutorial is over. THANK GOD for that. Now I can get back to my normal life again. IF THERE IS ONE :)

‡ Greets: ‡
***********

To Sheep for releasing his wonderful tutorials - check them out: www.sheeprec.cjb.net
To all members of the DEViOUS Team and everybody that I know.