Code Injection

Advanced Code Injection

What is code injection?

Right now there are some games which can't be trained in the normal way of searching for the static address, e.g. The Sims: when you find the money value and change it, it won't do shit to your money on screen. To get round this we use code injection. There are also a variety of other things we use it for, e.g. when you find a value that the computer uses as well: you find the health address and freeze it and you've got infinite life, but then the computer does as well. These sorts of problems can be solved with code injection, so read on.

Tools:
- Memory searcher. I suggest T-Search, but any will do.
- SoftICE. A definitely needed tool for any true game hacker.
- The Sims v1.1 for the practical.

Now, just to make this a little bit easier before the practical, I'll explain exactly how code injection works. First you must find a code cave: a place in the game where we can write our own code. We then jump from the game code which is affecting, say, health to our code cave where we have written our own code, and from there we jump back to the game code. This is just totally made-up code in the style of a SoftICE listing, but it should give you a slight idea of what we want to do.

-Game Code-
  0010:558975  5F2014  Sub EAX,30         ; We jump out here to our code
  0011:558978  5078    Mov EAX,[ESI+30]   ; We nop this address
  0012:558980  50      Add EBX,EAX        ; We jump back here

-Code Cave-
  0055  Add EAX,30         ; This is just made-up code; this is our code cave
  0056  Mov EAX,[ESI+30]
  0078  Jmp 558980         ; We then jump back to our game code

Also, one thing: you will need to know a little bit about asm to fully understand this tutorial. So don't mail me if you're having problems understanding this tutorial because you don't know shit about asm. Now for this example I will be using The Sims.
We are going to hack the money value, which uses DMA: the address changes every level or any time we restart the game. Changing the static address won't do anything, and nopping the address won't do shit either. So we are going to use code injection to hack this game.

Finding Code Caves

Now there are several ways of doing this, but the easiest which I have found is to use T-Songkie's Code Cave Tool (TCCT) and then use SI commands to locate your code cave from the address it gives you. So first go and get TCCT from gamehacking.com or from the Devious homepage. This is only one of the ways to do this, and because I'm lazy I can't be bothered explaining all the ways of finding code caves.

Now run The Sims, go back to the desktop, open TCCT, put the window name 'The Sims' into the textbox and press search. In the results window you will see hex addresses; pick one, let's say 10ABF. Now run SoftICE and type

  d 10ABF

and you will have a list of addresses, so scroll down; I've picked 10ADF. Then in SI type

  u 10ADF

and this should take you to the location of the address, and bingo, we've found our code cave. Code caves look like this:

  0010:10ADF  ADD [EAX],AL

So write this address down on a piece of paper; we will use it later in the tutorial.

Now we must find our money address. Open your memory searcher and search for the amount of money you have. Go back to the game, decrease your money, go back to your memory searcher and search for the decreased value. After doing this a couple of times you should get it. I got 180BECA. Changing this or nopping it won't do anything to the actual amount of money on your screen, because all this address does is read the amount of money you've got.
Now we must place a breakpoint on this in SI, so go back to the game and press ctrl+d, then in SI type

  BPMD 180BECA W

After doing this go to the game and lose a bit of money, and SI should pop up with something that looks like this:

  0008:00447F80  MOV EAX,[ECX+50]   ; Moves money into EAX
  0008:00447F83  ADD EAX,[ECX+54]   ; SI pops here
  0008:00447F86  PUSH EAX

447F80 is the instruction we want to edit: ECX+50 is our amount of money, which is placed into EAX, and further down in the code EAX is placed into our on-screen display. So this is where we want to make our jump. In SI type

  a 447f80
  jmp 10ADF
  nop

pressing Enter after each line, then Enter again to drop out of assembly mode. Now it should look like this:

  0008:00447F80  JMP 10ADF
  0008:00447F83  NOP
  0008:00447F86  PUSH EAX

I haven't included the opcodes because they're not needed just yet. Editing address 447F80 to jump to our code cave fucks up the game code, but if we write a single nop to the address underneath it will even it out.

Now for our code cave, so type

  a 10ADF

and then type the following, pressing Enter after each line:

  MOV DWORD PTR [ECX+50],98967FH
  MOV DWORD PTR EAX,[ECX+50]
  ADD EAX,[ECX+54]
  JMP 447F86

Then hit Enter twice to drop out of assembly mode. Now to explain a bit more on what we have just done:

  MOV DWORD PTR [ECX+50],98967FH   ; Move 9999999 (98967F in hex) into [ECX+50]
  MOV DWORD PTR EAX,[ECX+50]       ; Then we move [ECX+50] into EAX
  ADD EAX,[ECX+54]                 ; Recreate the code we nopped earlier
  JMP 447F86                       ; Jump back to the game code

Now exit SI and buy or sell something, and bingo!!! We've done it: our money is now 9999999 simoleons.

Now to put this into a trainer you just poke the address where you made your gateway with the opcodes, and then the first address of your code cave with all its opcodes. To display the opcodes type

  code on

After doing this you should have some extra numbers in the code window; these are called opcodes.
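The tutorial leaves reading the real opcode bytes to the `code on` window. As an added example (not part of the original tutorial), the Python helper below computes them for the addresses used in the practical above (gateway 447F80, cave 10ADF, return 447F86): the 5-byte relative JMP, the single padding NOP, and the jump back. It assumes the standard x86 encodings for the three cave instructions and that the game code and the cave live in one flat address space, so a rel32 displacement between them is valid.

```python
import struct

# Addresses from the tutorial's practical.
GATEWAY_ADDR = 0x447F80   # MOV EAX,[ECX+50] / ADD EAX,[ECX+54] live here (6 bytes)
CAVE_ADDR = 0x10ADF       # code cave found with TCCT + SI
RETURN_ADDR = 0x447F86    # PUSH EAX, the first instruction we leave untouched

JMP_REL32 = 0xE9
NOP = 0x90


def encode_jmp(src: int, dst: int) -> bytes:
    """5-byte near JMP placed at `src` that lands on `dst`.

    The displacement is taken from the end of the JMP (src + 5) and stored
    as a signed little-endian 32-bit value, so backward jumps are negative.
    """
    rel = dst - (src + 5)
    if not -0x80000000 <= rel <= 0x7FFFFFFF:
        raise ValueError("target out of rel32 range")
    return bytes([JMP_REL32]) + struct.pack("<i", rel)


def build_gateway(src: int, overwritten_len: int, cave: int) -> bytes:
    """JMP to the cave, then NOPs covering the rest of the instructions we clobbered.

    The patch must replace whole instructions and be at least 5 bytes long,
    otherwise the JMP overlaps the next instruction and the game crashes.
    """
    if overwritten_len < 5:
        raise ValueError("need at least 5 bytes of whole instructions to overwrite")
    return encode_jmp(src, cave) + bytes([NOP]) * (overwritten_len - 5)


def build_cave(cave: int, body: bytes, return_to: int) -> bytes:
    """Cave body followed by the JMP back into the game code."""
    return body + encode_jmp(cave + len(body), return_to)


# Standard x86 encodings of the cave instructions from the tutorial:
#   MOV DWORD PTR [ECX+50],98967F  -> C7 41 50 7F 96 98 00
#   MOV EAX,[ECX+50]               -> 8B 41 50
#   ADD EAX,[ECX+54]               -> 03 41 54
CAVE_BODY = bytes.fromhex("C74150" "7F969800" "8B4150" "034154")


def patches() -> dict:
    """The two pokes a trainer would write, as {address: bytes}."""
    return {
        GATEWAY_ADDR: build_gateway(GATEWAY_ADDR, 6, CAVE_ADDR),
        CAVE_ADDR: build_cave(CAVE_ADDR, CAVE_BODY, RETURN_ADDR),
    }


if __name__ == "__main__":
    for addr, data in patches().items():
        print(f"Poke {addr:X} {data.hex(' ').upper()}")
```

Running it prints the gateway as `E9 5A 8B BC FF 90` (JMP plus the one NOP the tutorial mentions) and the cave ending in `E9 95 74 43 00`, which is what `code on` should show after you assemble the same instructions in SI.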
Example

  Gateway
  448789  1B 5F 8E                 ; Jmp to code cave

  Code cave
  10ABF   1A F1 45 88
  10AC3   58 99 88 77
  10AC7   45 9E 55 88              ; Jump back

So here we would poke:

  Poke 448789 1B 5F 8E
  Poke 10ABF 1A F1 45 88 58 99 88 77 45 9E 55 88

And there you have it. Now this is just one of the things you can do with code injection, but the possibilities are endless. Hopefully after reading this tutorial you should have a better idea of code injection. By reading this alone you won't learn fully, so do this tutorial a couple of times and also read some of the other tutorials floating around on the internet. I have also tried to explain things in this tutorial as simply as I can, but if you have any problems understanding something or feel I have missed something then give us an email on Shinero_uk@yahoo.co.uk

Greetz fly out to Sheep, Tsongkie, Vulmer, Futal, Micral, Raven, Digital Vigilante, CES, Devious and all extalia members.

Well, enjoy.

Tutorial by Shinero