Code Injection Advanced
What is code injection?
Some games can't be trained the normal way, by searching for a static address. On The Sims, for example, you can find the money value, but changing it won't do shit to the money shown on screen. To get round this we use code injection. It also solves other problems, such as when the computer uses the same value you do: you find the health address and freeze it, and you've got infinite life, but so does the computer. Problems like these can be solved with code injection, so read on.
Memory Searcher I suggest T-search but any will do.
Softice - A definite must-have tool for any true game hacker.
The Sims v1.1 for the practical
To make the practical a little easier, I'll first explain exactly how code injection works. First you must find a code cave: a place in the game's memory where we can write our own code. We then jump from the game code which is affecting, say, health to our code cave, run the code we have written there, and jump from there back to the game code. The listing below is totally made-up code in Softice style, but it should give you a rough idea of what we want to do.
0010:558975 5F2014 Sub EAX,30 We Jump out here to our code
0011:558978 5078 Mov EAX,[ESI+30] We nop this address
0012:558980 50 Add EBX,EAX We jump back here
0055 Add EAX,30 This is just made up code this is our code cave.
0056 Mov EAX,[ESI+30]
0078 Jmp 558980 We Then jump back to our game code.
One more thing: you will need to know a little bit of asm to fully understand this tutorial. So don't mail me if you're having problems understanding this tutorial if you don't know shit about
For this example I will be using The Sims. We are going to hack the money value, which uses DMA: the address changes every level or any time we restart the game. Changing the static address won't do anything, and nopping the address won't do shit either. So we are going to use code injection to hack this game.
Finding Code Caves
There are several ways of doing this, but the easiest I have found is to use T-Songkie's Code Cave tool (TCCT) and then, with the address it gives you, use SI commands to locate your code cave. So first go and get TCCT from gamehacking.com or from the Devious homepage. This is only one of the ways to do it, and because I'm lazy and can't be bothered explaining all the ways of finding
Now run The Sims, go back to the desktop, open TCCT, put the window name 'The Sims' into the textbox and press search. In the results window you will see hex addresses; pick one, let's say 10ABF. Now run Softice and type d 10ABF and you will get a list of addresses, so scroll down; I've picked 10ADF. Then in SI type u 10ADF and this should take you to the location of the address, and bingo, we've found our code cave. Code caves look like this:-
0010:10ADF ADD [EAX],AL
So write this address down on a piece of paper which we will use later in the tutorial.
Now we must find our money address. Open your memory searcher and search for the amount of money you have. Go back to the game, decrease your money, go back to your memory searcher and search for the decreased value. After doing this a couple of times you should get it. I got 180BECA. Changing this or nopping it won't do anything to the actual amount of money on your screen, because all this address does is hold the amount of money you've got so it can be read.
Now we must place a breakpoint on this in SI, so go back to the game, press ctrl+d, then in SI type
BPMD 180BECA W
After doing this go to the game and lose a bit of money, and SI should pop up with something that looks like this:-
0008:00447F80 MOV EAX,[ECX+50] Moves Money into EAX
0008:00447F83 ADD EAX,[ECX+54] SI Pops Here
0008:00447F86 Push Eax
447F80 is the instruction we want to edit: [ECX+50] is our amount of money, which is placed into EAX, and further down in the code EAX is placed into our on-screen display. So this is where we want to make our jump. In SI type
a 447f80 Enter
jmp 10ADF Enter
and then enter again to drop out of assembly mode. It should now look like this
0008:00447F80 JMP 10ADF
0008:00447F86 Push Eax
I haven't included the op codes because they're not needed just yet. Editing address 447F80 to jump to our code cave fucks up the game code (the 5-byte jump overwrites the MOV and part of the ADD), but if we write a single nop to the byte underneath it, that evens it out.
Now for our code cave, so type a 10ADF
and then type the following, pressing enter after each line (the four instructions are explained just below):
MOV DWORD PTR [ECX+50],98967FH
MOV DWORD PTR EAX,[ECX+50]
ADD EAX,[ECX+54]
JMP 447F86
Then hit enter twice to drop out of assembly mode. Now to explain a bit more on what we have just done.
MOV DWORD PTR [ECX+50],98967FH - Move 9999999 in hex into [ECX+50]
MOV DWORD PTR EAX,[ECX+50] - Then we move ecx+50 into eax
ADD EAX,[ECX+54] - recreate the code we nopped earlier
JMP 447F86 - jumps back to the game code.
Now exit SI and buy or sell something, and bingo!!! We've done it: our money is now 9999999.
Now to put this into a trainer you just poke the address where you made your gateway with the op codes and then the first address of your code cave with all their op codes.
To display the op codes type code on. After doing this you should see some extra numbers in the code window; these are the op codes (the listing below is made up to show the layout).
448789 1B 5F 8E Jmp to code cave
10ABF 1A F1 45 88
10AC3 58 99 88 77
10AC7 45 9E 55 88 JUMP BACK
So here we would poke
Poke 448789 1B 5F 8E
Poke 10ABF 1A F1 45 88 58 99 88 77 45 9E 55 88
And there you have it.
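The gateway jump at 447F80 and the code cave at 10ADF above are built from real x86 encodings; this added script (not part of the original tutorial or any trainer) works out the exact bytes you would poke, using the tutorial's addresses. It assumes a 5-byte JMP rel32 (E9 xx xx xx xx) and the standard encodings of the three MOV/ADD instructions; jmp_target decodes a jump back to its destination so the patch can be checked before it is written.

```python
import struct

JMP_REL32 = 0xE9   # opcode of the 5-byte near jump: E9 <rel32>
NOP = 0x90

def rel32(src, dst):
    # The CPU adds rel32 to the address of the *next* instruction (src + 5),
    # so a backwards jump wraps round to a large unsigned value.
    return (dst - (src + 5)) & 0xFFFFFFFF

def jmp_rel32(src, dst):
    """Encode JMP dst, assembled at address src."""
    return bytes([JMP_REL32]) + struct.pack("<I", rel32(src, dst))

def jmp_target(addr, code):
    """Decode a JMP rel32 found at addr; None if the bytes are not E9 xx xx xx xx."""
    if len(code) < 5 or code[0] != JMP_REL32:
        return None
    disp = struct.unpack_from("<i", code, 1)[0]
    return (addr + 5 + disp) & 0xFFFFFFFF

def build_gateway(site, cave, displaced_len):
    """Bytes written over the original instructions at site: JMP cave, then NOP
    padding so the patch ends on an instruction boundary (the 'single nop')."""
    patch = jmp_rel32(site, cave)
    if displaced_len < len(patch):
        raise ValueError("need at least 5 bytes of whole instructions to overwrite")
    return patch + bytes([NOP]) * (displaced_len - len(patch))

def build_cave(cave, new_code, displaced, return_addr):
    """Cave body: our code, the overwritten instructions re-created, then JMP back."""
    body = new_code + displaced
    return body + jmp_rel32(cave + len(body), return_addr)

def sims_example():
    site, cave = 0x447F80, 0x10ADF   # gateway and code cave from the tutorial
    # Instructions the 5-byte JMP destroys (6 bytes in total, so one NOP is needed):
    displaced = bytes.fromhex("8B4150") + bytes.fromhex("034154")   # MOV EAX,[ECX+50] / ADD EAX,[ECX+54]
    new_code = bytes.fromhex("C74150") + struct.pack("<I", 9999999)  # MOV DWORD PTR [ECX+50],98967Fh
    gateway = build_gateway(site, cave, len(displaced))
    cave_bytes = build_cave(cave, new_code, displaced, site + len(displaced))  # back to 447F86
    return gateway, cave_bytes

if __name__ == "__main__":
    g, c = sims_example()
    print("poke 447F80:", g.hex(" ").upper())
    print("poke 10ADF: ", c.hex(" ").upper())
```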
This is just one of the things you can do with code injection, but the possibilities are endless. Hopefully after reading this tutorial you have a better idea of code injection. Reading alone won't teach you fully, so work through this tutorial a couple of times and read some of the other tutorials floating around on the internet. I have tried to explain things as simply as I can, but if you have any problems understanding something, or feel I have missed something, then give us an email on
Greetz Fly out to Sheep Tsongkie, Vulmer, Futal, Micral, Raven, Digital Vigilante, CES Devious and all extalia members.
Tutorial by Shinero