Defeating DMA - Pointer Searching using Tsearch
by EEDOK
best read in 800x600 resolution, maximized
Mr_eedok@hotmail.com

-------------------------------------------------

What you'll need to do this tutorial:

Tsearch 1.5 or later
Tsongkie's GHME - available at http://www.devious.tsongkie.com/devious.php?id=trainmes
Hexadecimal Calculator

--------------------------------------------------

Theory:

In many games that use DMA it is common to see commands like this: mov [esi+0x4],eax. What this means is copy eax to an area of memory 4 bytes from a pointer. The pointer it refers to is normally stored somewhere in the memory of the program. So to be able to hack programs that use this, we just read the pointer, add the offset manually, and we then have the address which we want to hack.

This is beneficial over nopping or reversing asm commands because:

1. You don't have to modify any of the asm code.
2. You can make the address any value, at any time.
3. A segment of code does not have to be initialized.
4. It allows for one-sided hacks where certain functions are shared between the CPU and the player.

-----------------------------------------------------

Getting started:

1. Open up Tsearch and the GTM, pause the GTM and find the address for money.
2. In Tsearch hit Autohack>Enable debugger. Go into the GTM and unpause it until the money changes, then go back into Tsearch and hit Autohack>Autohack Window.
3. In the Autohack Window it should have popped at 4011DB: sub [esi+0x4],eax. What this means is subtract the value of eax from the area of memory 4 bytes away from the pointer. All we need to know here is that the current address is +0x4 bytes from the pointer.
4. Open up your hexadecimal calculator and put in your current address (in hex), then subtract 4 from it (also in hex).
5. Convert the result of the previous step to decimal format and search for it in Tsearch. If done correctly you should have the address 403138.
6. Hit the restart button so the location of the address of money changes; you should notice the value at 403138 changes.
7. Read the value at 403138, convert the value to hexadecimal, then add 4 to it. This will give you the new location of money. This will work even if you restart the program.
8. Make a function in your trainer that reads the value at address 403138, adds 4 to it, and then writes to the resulting address.

------------------------------------------------------------

Possible problem and solution:

I noticed this when I was playing GTA3 and wanted to hack my health: when I did a search for pointers I ended up with more than 50 addresses. So here's what I did:

A) Had Artmoney search for the new locations of my health value.
B) Had Tsearch open to find my pointer.

First I did the search for the pointer in Tsearch and immediately got 54 addresses, so I restarted GTA3. After restarting I used Artmoney to re-find my health address, and upon finding it I searched for my pointer value again. This resulted in 14 results for a pointer. So I restarted the program again, and deleted the possible pointers that turned to 0, showing that they're definitely not a pointer to what I wanted. I repeated finding my health and searching for a new pointer, which resulted in 6 addresses being found. At this point I noticed that every time I restarted the game, all 6 addresses were the same as each other, no matter how often or at what time I started the game, so I just used the one closest to the program's entry point.

-----------------------------------------------------------------

Shouts to:

Devious: Stonerifik, Tsongkie, Omega, Synbios, Micral, Mini^Me, brzi, Invader, Sn0w
renzo, bie, ddh, Vortexion, routine_error, [Ginger], Ultimate, Zekk

Web sites:
http://devious.tsongkie.com
http://eedok.simplehost.com

Feel free to tell me about corrections, or additions I should make to this tutorial.
If you find a copy of this tutorial on a site not listed above, feel free to contact me about it, I'll take care of the rest.
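The pointer search from steps 4 to 7 and the restart-and-narrow method from the GTA3 section, as an added Python example that is not part of the original tutorial, run against a constructed memory snapshot instead of a live process. The pointer slot 403138 and the +0x4 offset come from the tutorial; the snapshot base 0x403100, the struct addresses 0x00A00000 and 0x00B40000, the decoy slot 0x403110 and all function names are assumed sample values.

```python
import struct

OFFSET = 0x4      # from "sub [esi+0x4],eax": the value lives 4 bytes past where the pointer points
PTR_SIZE = 4      # 32-bit process: pointers are 4-byte little-endian dwords

def find_pointer_candidates(mem, base, target):
    """Steps 4/5: scan a snapshot for every aligned dword equal to target - OFFSET.
    mem is the snapshot bytes, base the address of mem[0], target the current address of the value."""
    wanted = target - OFFSET
    return [base + off
            for off in range(0, len(mem) - PTR_SIZE + 1, PTR_SIZE)
            if struct.unpack_from("<I", mem, off)[0] == wanted]

def narrow_across_restarts(snapshots):
    """GTA3 section: keep only the candidate pointers that hit in every restart's snapshot."""
    hit_sets = [set(find_pointer_candidates(mem, base, target)) for mem, base, target in snapshots]
    return sorted(set.intersection(*hit_sets))

def resolve(mem, base, pointer_addr):
    """Steps 7/8: read the pointer stored at pointer_addr and add the offset to get the live address."""
    ptr = struct.unpack_from("<I", mem, pointer_addr - base)[0]
    return ptr + OFFSET

def make_snapshot(struct_addr, noise):
    """Constructed 64-byte 'process memory' starting at 0x403100 (sample data, not a real dump):
    the real pointer slot at 0x403138 holds struct_addr; noise maps extra addresses to dword values.
    Returns (mem, base, address_of_money)."""
    base = 0x403100
    mem = bytearray(64)
    struct.pack_into("<I", mem, 0x403138 - base, struct_addr)
    for addr, val in noise.items():
        struct.pack_into("<I", mem, addr - base, val)
    return bytes(mem), base, struct_addr + OFFSET

# Two runs: the game's block moves on restart; a coincidental match at 0x403110 turns to 0 the second time
run1 = make_snapshot(0x00A00000, {0x403110: 0x00A00000})
run2 = make_snapshot(0x00B40000, {0x403110: 0})

if __name__ == "__main__":
    print([hex(a) for a in find_pointer_candidates(*run1)])   # ['0x403110', '0x403138']
    survivors = narrow_across_restarts([run1, run2])
    print([hex(a) for a in survivors])                         # ['0x403138']
    print(hex(resolve(run2[0], run2[1], survivors[0])))        # 0xb40004
```

Tsearch takes the search value in decimal, so `wanted` is what you would type after converting it with the hex calculator.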