Search site: 

| Home | PC Cheat Codes | Game Patch Updates | PC Game Trainers | PC Game Tools | Game Patch Fixes | Articles | Discussion Forums | Contact |

Trainer Tutorials

Latest Forum Discussions:

This section of the site is dedicated to Trainer Tutorials to help everyone get a better understanding of how Game Trainers are made and how they function.

Code Injection Part 2 Tutorial

You can view this tutorial in its original format here
       ۲۱    ۲۱   ۲۱   ۱
       ۲۲۱  ۲۲۱ ۲۱  
       ۲۱  ۲۱       ۲۱   
       ۱ ߱      ۲۱    
       ۲۱ ۲۱        ۲۱     ۲۱ 
       ۲۲۱ ۲۲۱      ۲۱      ۲۱
       ۲߲۱ ۲۲۱    ۲۱   ۲۱
       ۲۱ ۲۲۱  ۲۱ ۲۱
       ߱ ߱ ߱ ߱

Tutorial on Code Injection - Part 2 by brzi*

Well after a week or two or maybe more of doing nothing just standing in front of my PC, 
looking at the screen and drinking i have decided to write another tutorial on code injection.
I hope you liked my first one :). But in that i have told you how to do the standard code
injection method which is boring. In this tutorial i'm going to show you how to inject API 
functions. Well as my first tutorial of this kind i'm going to show you how to inject a 
Message Box. In my next tutorials i'll show you some more stuff (if i have time to write more
tutorials because the school year has just began. So lets start our little tutorial. Well use
Tsongkie's Code Cave Tool for searching a code cave and we will inject our Message Box in it, i
mean we will inject the messagebox into Tsongkie's Code Cave Tool. Wait u'll see :)


Windows Disassembler - W32Dsm89 -
Tsongkie's Code Cave Tool -
TSearch v1.6 -
API Reference
Pen and a Piece of Paper


Explanation of the MessageBox API taken from the API reference:

The MessageBox function creates, displays, and operates a message box. The message box contains
an application-defined message and title, plus any combination of predefined icons and push 

int MessageBox(

    HWND  hWnd,	// handle of owner window
    LPCTSTR  lpText,	// address of text in message box
    LPCTSTR  lpCaption,	// address of title of message box  
    UINT  uType 	// style of message box


Identifies the owner window of the message box to be created. If this parameter is NULL, 
the message box has no owner window. 


Points to a null-terminated string containing the message to be displayed. 


Points to a null-terminated string used for the dialog box title. If this parameter is NULL, 
the default title Error is used. 


Specifies the contents and behavior of the dialog box. 

*NOTE: Unlike other programming languages in ASM parameters are pushed into the stack backwards.
In ASM you have to push the caption first, then the main text, followed by the window handle,
and then the call the MessageBoxA.

Ok now open W32Dsm89 and disassemble Tsongkie's Code Cave Tool. After the Disassembly is done
click on the StrnRef button on the toolbar. Now double click on the string in the list that
says "Tsongkie's Code Cave Tool v1.0". I have this code:

* Possible StringData Ref from Data Obj ->"About Tsongkie's Code Cave Tool"
:00401089 6849304000              push 00403049   <- pushes the location of the caption  

* Possible StringData Ref from Data Obj ->"Tsongkie's Code Cave Tool v1.0"
:0040108E 6869604000              push 00403069   <- pushes the location of the main text
:00401093 FF3558324000            push dword ptr [00403258]  <- push the WndHandle (hWnd)

* Reference To: USER32.MessageBoxA, Ord:01BBh
:00401099 E85E010000              Call 004011FC  <- Calls MessageBoxA
:0040109E EB1A                    jmp 004010BA     |
...........                                        |
...........                                        |
* Reference to: USER32.MessageBoxA, Ord:01BBh      |________
                                  |                         |
:004011FC FF2524204000            Jmp dword ptr [00402024] <-
Now we know everything that we need. Lets do some testing :)
Open TSearch and click on EasyWrite.

// Begin TSearch script

offset 00401089
//jmp to our code cave
jmp 0040DC17

offset 0040DC17
//Recreate all the stuff
//push the caption of the msgbox
push 00403049
//push the main text of the msgbox
push 00403069
//push the window handle
push dword ptr [00403258]
//call the MessageBoxA API
call 004011FC
//jmp back after the call or the program will crash
jmp 0040109E

// End TSearch script

Now if you run Tsongkie's Code Cave Tool and enable the script and then press the about button,
it will display you the standard Message "Tsongkie's Code Cave Tool ....". It means that the
injection is succesfull and everything is fine. 
Now the other part - our strings (the caption, main text). I have marked the new parts with 
|NEW| .

// Begin TSearch script

//First we will write our strings

//|NEW| Our caption
offset 0040DCA7
asc "brzi's CI tut2"
hex 00   
//hex 00 is a null terminator needed for all strings

//|NEW| Our Text  //I couldn't think of anything good for the text so let it be "Hello"
offset 0040DCBB
asc "Hello !"
hex 00

offset 00401089
//jmp to our code cave
jmp 0040DC17

offset 0040DC17
//Recreate all the stuff 
//|NEW| Change the original caption "About Tsongkie's Code .." to our "brzi's CI tut2"
push 0040DCA7

//|NEW| Chande the original text "Tsongkie's Code Cave..." to our simple "Hello !"
push 0040DCBB

//push the window handle
push dword ptr [00403258]

//call the MessageBoxA API
call 004011FC

//jmp back after the call or the program will crash.
jmp 0040109E

//End TSearch script

Now if you press the about button a message saying "Hello !" will be displayed. 
Congratulations ! You have injected your first Message Box!

Well that's it for now, i hope you understood how this thing works so you may try to do 
something by your self. Until next time CYA.

Stoner,Tsongkie,Omega,Micral,EEDOK,InvadeR,Bie,VBTrainer and everybody else that i know :)=

Copyright (1998) 2004 - 2016 All Rights Reserved. Privacy Policy Disclaimer