
Trainer Tutorials


This section of the site is dedicated to Trainer Tutorials to help everyone get a better understanding of how Game Trainers are made and how they function.

Code Injection Tutorial

‡ Tutorial on "Code Injection" by brzi ‡
‡         August - 21 - 2003           ‡
‡ E-Mail...¦                           ‡
‡ Team.....¦ DEViOUS™                  ‡
‡ Web Site.¦                           ‡
‡ Greets...¦ Tsongkie € Stoner € Omega ‡
‡ Micral € Mini^Me € EEDOK € InvadeR € ‡
‡ snow and everyone that i know :)     ‡

‡Dedicated to ..:Omega:.. - MISS YA BRO‡

‡           Tools Needed               ‡
‡              SoftIce                 ‡
‡          Memory Searcher             ‡
‡     Tsongkie's Code Cave Tool        ‡
‡          A PIECE OF PAPER            ‡

‡ Links To The Tools                   ‡
‡ SoftIce - version 4.5, the latest    ‡
‡ at the time of writing               ‡
‡ Memory searcher - your choice        ‡

*** Excuse my English ***

‡ Lesson Start ‡

‡ Why learn Code Injection ‡

ONE: If you learn Code Injection you gain a higher standing in the
game-hacking community, but the main reason is this: once you know how to
do Code Injection and have enough ASM knowledge, nothing can stop you from
doing something BAD!! to the game. Of course you are limited only by your
knowledge of the game and your knowledge of the ASM language.
TWO: You are playing your game and you have found your, let's say, health
address. You freeze that address and you have infinite health.
Then you pass the level or go on to the next stage and it doesn't work anymore.
You say: WHAT THE HELL!? Well, HELLO!!!! This is DMA (dynamic memory
allocation): the game allocates its variables at run time, so the memory
addresses change every time you run/restart the game or change the
level/stage/map. This is very annoying. You can stop it by finding the
instruction that decreases your health and NOP-ing it, because the code
address stays the same even when the data moves. But what if you want
something more, what if you want to do something BAD! to the game? That can be
accomplished with Code Injection. All you need is included in the Tools, and
you have to be willing to learn.
IF KNOWLEDGE IS CRIME, THEN MAY GOD HELP ME. - Remember this sentence.
*NOTE: This is my opinion.

‡ Code Injection Theory ‡

Code Injection is a method used by (advanced) game hackers to achieve
something that cannot be done with the normal training methods. The main
goal of code injection is to create a path from the game's code to your own
code and, after your code has executed, to jump back into the game's code
again. As I told you, you are only limited by your knowledge of the game
and your ASM knowledge.

‡This is how code injection works:‡
1. We find our address (the variable, and the instruction that writes it).
2. We find a code cave.
3. We write our code to the code cave.
4. We replace the instruction at our address with a jump to the code cave,
padding with NOPs if the jump is shorter than what it replaces.
5. At the end of our code we jump back to the first original instruction
after the jump (after the NOPs, if we had to write any).
- Try to understand ME :)

In this tutorial I will use the program "Programme test" by Oliviver.

We will hack the numbers.
Open your favourite memory searcher and search for the number on screen.
After a few searches you should end up with only one address.
My address was 41D090.
Put a write breakpoint on that address using SoftIce (bpm 41D090 w).
Press the button once. SoftIce should pop up.
I have this code:

Address     Opcodes       ASM Instructions

00401384    A390D04100    mov [0x41D090],eax          <- moves the value of eax into the ON SCREEN variable
00401389    C644241100    mov byte ptr [esp+0x11],0x0 <- SI pops here: a write breakpoint fires after the
                                                         writing instruction, so EIP is already on the next one
0040138E    E86D0D0000    call 0x00402100
........    ..........    ...............

Let's say that we want the number to be 100, so first we search for a
code cave where we will put our code. You can use SI commands for this or
Tsongkie's Code Cave Tool.

‡ What is a Code Cave? ‡
‡Code Caves are runs of 00 or 90 bytes inside the program's image, usually  ‡
‡the padding at the end of a section, where we can inject our own code      ‡
‡without disturbing the main code. The cave must hold your code plus the    ‡
‡5-byte jump back, and it must be memory the game never uses for anything.  ‡

‡How to find a Code Cave using Tsongkie's Code Cave Tool or SoftIce‡
The easy way is Tsongkie's Code Cave Tool:
Start TCCT.
Type the window name of the program/game. In our case type prog test.
Press Search.
TCCT will find lots of addresses and display them in the Result box.
But we won't select any address from this; we will use the old SI way
and then select an address.
The SoftIce way:
In SI type:
TASK
You should see this:

TaskName    SS:SP      StackTop   StackBot   StackLow   TaskDB   hQueue   Events

Programm *  0000:0000  0065E000   00660000              0B26     0B87     0000
Wordpad     0000:0000  0066D000   00670000              0A9E     0A5F     0000
Explorer    0000:0000  0066C000   00670000              1F9E     1F3F     0000
........    .........  ........   ........              ....     ....     ....

NOW type:
MAP32 Programme test    <- here you type the name of the game, e.g. GTA2
You should see this:

Owner      Obj Name    Obj#    Address         Size      Type
PROGRAME   .text       0001    0137:00401000   0001697A  CODE RO
PROGRAME   .rdata      0002    013F:00418000   000042C8  IDATA RO
PROGRAME   .data       0003    013F:0041D000   00007B68  IDATA RW
PROGRAME   .idata      0004    013F:00425000   00001BA2  IDATA RW
PROGRAME   .rsrc       0005    013F:00427000   00004540  IDATA RW

Now look at the address on the .rsrc line (00427000).
In SI type:
U 00427000 - Press Enter
Now the code window is at 00427000.
Scroll the window up with Ctrl+Up and you will see lots of
addresses like this:

Address     OPCODES       ASM Instructions

xxxxxxxx    0000          ADD [EAX],AL
xxxxxxxx    0000          ADD [EAX],AL
xxxxxxxx    0000          ADD [EAX],AL

These addresses are called "Code Caves": this is the padding between the
end of .idata (00425000 + 1BA2 = 00426BA2) and the start of .rsrc at
00427000, which the loader leaves filled with zeros. Pick an address with
enough room before the next section for all of your code; ours will be
16 bytes.
Let's pick 00426F80. That leaves 80 hex bytes up to 00427000.
This is where we are going to inject our code.
One caveat that did not matter on the Windows versions this tutorial was
written for: this padding belongs to a data section (IDATA RW in the MAP32
output), so with DEP/NX enabled the jump into it faults. In that case use
the padding at the end of .text instead (0041797A up to 00418000 here,
which is CODE RO), or give the page execute permission first
(VirtualProtect, or VirtualProtectEx from the trainer).
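An added example, not part of brzi's tutorial, that performs the two checks above in code: it computes each section's padding from the MAP32 table and tests whether a candidate such as 00426F80 fits inside it, and it scans a dumped region for a run of 00/90 bytes the way a cave-finding tool does. The section alignment of 1000 hex is an assumption (it matches the page-aligned section starts in the table), the sample dump bytes are constructed, and the function names are mine.

```c
/* Added example (not from the tutorial): two checks on a code-cave candidate.
 * The section table is the MAP32 output above; the 0x1000 section alignment
 * is assumed, inferred from the xxxx000 section starts. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef struct { const char *name; uint32_t va; uint32_t size; } section_t;

static const section_t sections[] = {
    {".text",  0x00401000u, 0x0001697Au},
    {".rdata", 0x00418000u, 0x000042C8u},
    {".data",  0x0041D000u, 0x00007B68u},
    {".idata", 0x00425000u, 0x00001BA2u},
    {".rsrc",  0x00427000u, 0x00004540u},
};
#define NSEC (sizeof sections / sizeof sections[0])
#define SECTION_ALIGN 0x1000u   /* assumed */

static uint32_t align_up(uint32_t v, uint32_t a) { return (v + a - 1) & ~(a - 1); }

/* Slack of a section: the bytes between the end of its contents and the next
 * section boundary. The loader leaves them zero, which is what makes them caves.
 * Returns the slack length and stores its first address in *start. */
static uint32_t section_slack(const section_t *s, uint32_t *start) {
    uint32_t end = s->va + s->size;
    *start = end;
    return align_up(end, SECTION_ALIGN) - end;
}

/* Check 1: does [addr, addr+need) lie entirely inside some section's slack?
 * Returns that section, or NULL if the candidate overlaps real contents or
 * runs past the section boundary. */
static const section_t *cave_fits(uint32_t addr, uint32_t need) {
    for (size_t i = 0; i < NSEC; i++) {
        uint32_t start, n = section_slack(&sections[i], &start);
        if (addr >= start && addr + need <= start + n) return &sections[i];
    }
    return NULL;
}

/* Check 2: scan a dumped region for a run of `need` bytes that are all 00 or 90
 * (the tutorial's definition of a cave). Returns the run's address, or 0. */
static uint32_t find_cave(const uint8_t *buf, size_t len, uint32_t base, size_t need) {
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == 0x00 || buf[i] == 0x90) ? run + 1 : 0;
        if (run == need) return base + (uint32_t)(i + 1 - need);
    }
    return 0;
}

/* Constructed sample dump (not from the tutorial): 4 code bytes, then padding. */
static const uint8_t sample_image[] = {
    0x55, 0x8B, 0xEC, 0xC3, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x00, 0x00 };
#define SAMPLE_BASE 0x00426B00u

int main(void) {
    const uint32_t cave = 0x00426F80u, need = 16;   /* 16 bytes of injected code */
    const section_t *s = cave_fits(cave, need);
    printf("%08X: %s\n", cave, s ? s->name : "NOT inside any section's padding");
    for (size_t i = 0; i < NSEC; i++) {
        uint32_t start, n = section_slack(&sections[i], &start);
        printf("%-6s slack %08X-%08X (%u bytes)\n",
               sections[i].name, start, start + n, (unsigned)n);
    }
    printf("sample cave at %08X\n",
           find_cave(sample_image, sizeof sample_image, SAMPLE_BASE, 8));
    return 0;
}
```

Running it reports that 00426F80 sits in the .idata slack (00426BA2 to 00427000) and that .text has 686 hex bytes of slack of its own from 0041797A, which is the executable alternative mentioned above.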
First we need to replace the instruction at address 00401384 with a jump
to our code. So we do this:

In SI type:

a 00401384 <enter> 
Type jmp 00426f80
Press Esc or Enter

Now we type:

u 00401384 <enter>

and the code at that address will have changed from

Address     Opcodes       ASM Instructions

00401384    A390D04100    mov [0x41D090],eax
00401389    C644241100    mov byte ptr [esp+0x11],0x0
0040138E    E86D0D0000    call 0x00402100
........    ..........    .................

to

Address     Opcodes       ASM Instructions

00401384    E9F75B0200    jmp 00426F80 <- jump to our code
00401389    C644241100    mov byte ptr [esp+0x11],0x0
0040138E    E86D0D0000    call 0x00402100
........    ..........    ...............

(The displacement F75B0200 is 00426F80 minus 00401389, the address of the
byte right after the 5-byte jump: 00025BF7, stored little-endian.)

At address 00401384 we now jump to our code.
Usually we also have to write one or more NOPs after the jump, but in this
case that is not needed. Here is why:
A JMP to a 32-bit address is always 5 bytes long (E9 plus a 4-byte
displacement). The instruction we overwrite here, MOV [0x41D090],EAX, is
also exactly 5 bytes (A3 90 D0 41 00), so the jump replaces it exactly and
the next instruction at 00401389 is untouched.
If the instruction (or instructions) at the patch site is longer than 5
bytes, the leftover bytes stay behind the jump and the CPU decodes them as
the start of some new, meaningless instruction when we jump back:

JMP 00000000       <- our jump, 5 bytes (some address here)
??                 <- leftover byte(s) of the old instruction: garbage
MOV EAX,[EDI+14]   <- the real next instruction

If we jump back onto the garbage the game/program will crash. So we
overwrite the leftover bytes with NOP (90) to even out the code, and jump
back to the first real instruction after the NOPs:

JMP 00000000       <- our jump (some address here)
NOP                <- pads to the next instruction boundary
MOV EAX,[EDI+14]   <- we jump back here

You see that after we have written the NOP the code is back to normal and
everything works. Two more rules follow from this: the instruction(s) you
overwrite must add up to at least 5 bytes (if a single instruction is
shorter, the jump eats part of the next one, which you must then count as
overwritten too), and whatever the overwritten instruction(s) did must be
done again inside your code cave, because the game no longer executes them.
That is why our cave code stores the value to [0041D090] itself.
OK, back to the main subject.

OK, next we need to write our code at address 00426F80.

In SI we type:
u 00426f80 <enter> - this brings the code window to the address
a 00426f80 <enter>
type MOV  EAX,064h <enter>
type MOV  [0041d090],EAX <enter>
type JMP  00401389 <enter>
Press Esc or Enter

Now check. In SI we type:

u 00426f80

and it should look like this:

Address     Opcodes         ASM

00426F80    B864000000      MOV EAX,00000064    <- now eax holds 100 decimal (64 hex)
00426F85    66A390D04100    MOV [0041D090],AX   <- store it in the ON SCREEN variable
00426F8B    E9F9A3FDFF      JMP 00401389        <- jump back to the game code

Note the 66 prefix on the second line: the store was assembled as a 16-bit
MOV [0041D090],AX, so only the low word of the variable is written even
though we typed EAX. That is harmless here because the number never gets
near 65535, but check the operand size whenever you reassemble a store.
For the same 32-bit store as the original instruction you would use
A3 90 D0 41 00 (5 bytes); the JMP back would then start at 00426F8A and
its displacement would be FA A3 FD FF.

Now let's check if our Code Injection works. First clear the breakpoints:
in SI type bc * <enter> and exit by pressing Ctrl+D. Look at the program.
What!? The value is the same. But wait, the program only writes the value
when you press the button, so press the button a few times and you will
see what happens. The value will be 101, because the program adds one to the value.
If the program crashes then you have written something wrong. Check that you
wrote everything exactly as I told you. If it works, congratulations, you
have made your first Code Injection.

Write the opcodes on a piece of paper. We need them later, when the
trainer pokes these addresses.

You see that code injection is easy; you just need to practise and everything
will be fine. Remember that I told you that you can do some BAD things
with Code Injection.

‡Making the Trainer‡

You just need to poke these bytes at these addresses. Write the code cave
first and the jump second: if the jump is in place before the cave is
filled, the game jumps into empty 00 bytes and crashes.

Address       Bytes2Write
00426F80      B8 64 00 00 00 66 A3 90 D0 41 00 E9 F9 A3 FD FF
00401384      E9 F7 5B 02 00

‡To Better Understand Code Injection‡
Main Code
00401384  E9F75B0200    JMP 00426F80              ---> to our code
00401389  C644241100    MOV BYTE PTR [ESP+11],00  <--- we come back here

Our Code
00426F80  B864000000    MOV EAX,00000064
00426F85  66A390D04100  MOV [0041D090],AX
00426F8B  E9F9A3FDFF    JMP 00401389              ---> jump back

‡Final Words‡

And finally this tutorial is over. THANK GOD for that. Now I can get back to my
normal life again. IF THERE IS ONE :)


To Sheep for releasing his wonderful tutorials - check them out.
To all members of the DEViOUS Team and everybody that I know.

Copyright © (1998) 2004 - 2016 All Rights Reserved.