Eliminating DMA with Tsearch
Why I wrote this Tutorial:
How the hell do I hack DMA??? How do I use Soft Ice??? Help me with
DMA!!! These were the questions and some others about Dynamic Memory Allocation
(DMA) that I was getting and seeing everyday on many forums and in my email …… When ever I told someone to use Soft Ice … the person would say that either he was unable to use it or Soft Ice fucked up his system. That’s why I decided that ppl should know abt this cool memory hacking tool T-SEARCH that has an inbuilt debugger like Soft Ice, although no way as powerful as Soft Ice. And it doesn’t fuck up ur system J
What U need:
· Beans Trainer Tester
· Some knowledge about memory hacking.
· Background on DMA.
Here We Go:
First of all start Bean’s Trainer Tester. Pause it and set the level to 5. That’s the first Dynamic Memory Level. It will be a lot easy. U only have to freeze the Health and the Timer. Start T-Search. U’ll see a button named Open Process. Press it and it will open a box with all the processes running at that time. Select the process ‘TESTER.EXE’ from them. Just below the Open Memory button is a small button with a magnifying glass. Press it and it will start the initial search. When it stops, press ok. Now go to Tester and press
unpause. The tester will start. The health will start decreasing. Now pause Tester … This is very important so the values do not change while we search. After pausing go to TS (T-Search). Another button next to the magnifying glass button will have appeared with small dots. Press it. It opens a box with a lot of stuff. Now In the “search for ” tab select 2 bytes. Now click “Has Decreased ” button, because we do not know the exact value. Now click OK. T-Search will start searching and come up with about 1031 addresses. Bring up Tester again and let it go so the health decreases some more…. Pause it now. Go to TS and again press the same button with a magnifying glass and dots. The “has decreased” option will already be selected. Press OK. It will search again and come up with about 487 ….. Go to Tester, unpause it and let the health decrease some more. Pause it and go to TS and again press the same button ( search next ) , the “has decreased option will be selected …. Press OK. TS will find about 70 addresses. Again repeat the same process …. Let the health decrease and search for “HAS DECREASED” until u have only about2 or 3 addresses. These r which I got:
52001C and 6643FC
One of these addresses, when frozen, will stop the health from decreasing. It was in my case 6643FC … the other one 52001C is only for screen display and it remains the same every time. The one freezing the health is our real addie but still its not very real J coz it’s the Dynamic Memory Address and it will change when the tester is started. Ok, first REMOVE the freeze from the real
addie. And keep the tester paused.
Now we will look for the real address working behind this address. Go to TS … at the top of TS there will be an option called Auto Hack. Press it … it brings 2 options : 1) Enable Debugger, 2) Auto Hack Window. Press first Auto Hack Window … it will bring up the debugger window. Then press Enable debugger. Now right click on the address 6643FC, a small menu will come up. At the bottom of the menu is option “Auto HACK”. Click it. Now go to Tester and press
Unpause. Look at the auto hack window. There will be a string like :
401E8C: MOV dword ptr[ecx], eax
Showing that the value of address 6643FC has changed due to this address 401E8C. Click in the box next to this address to freeze it. Go to tester and press the TEST button. After the time it will say Timer: Failure, Health : Success~!!!!!!!!!
U can hack the timer in the same way.
Email : firstname.lastname@example.org
Website : www.Extalia.com