How to make instant build trainer Tutorial -- by Groza / May 2001
Target: Red Alert 2 version 1.004
I wrote this tutorial in order to show you how I made the instant
build
option in my trainer for Red Alert 2. Because of a great demand I will
write how to make reveal map and skip mission options too. All the
tutorials
will be available to download from my page http://grozatt.cjb.net so
check
it out time to time.
WHAT WE NEED ?
--------------
- SoftIce ( the best tool, can't live without it )
- Winhack
To make an instant build trainer we have to find out the code that
cares(calculates) how long something will be building. There are many
possibilities how to find it out. I will explain just one of them,
which
worked fine with me. Now if we think a little, there should be some
parameter
in memory that is increasing or decreasing(depends on the game) during
the
build. We are going to find it out.
So let's start building something. Now during building process we have
to
find all the memory locations which are decreasing or increasing.
First we
will try to find out those which are decreasing. In the game we start
building Barracks and as soon as it starts we pause the game(we press
ESC),
ALT+TAB to WinHack choose the process of RedAlert 2(game.exe) and
start
searching the locations. Then ALT+TAB back to the game, unpause and
wait a
little. Back ALT+TAB to Winhack and use the -has decreased- option to
search
only those memory locations which were decreased since the last
search.
Then back to the game... we need to repeat doing this till we don't
find only
one or few locations.
In Winhack we can also use other options like -has decreased by Less
than %-
which can be very useful but I won't explain them here.
OK, everything should come well and we find the location(by me is
88FCEEC).
Let's check it out.
Back to the game and ALT+D to Softice. Be sure that we are in
RA2(game.exe)
and not in some other process. Let's put a breakpoint on the address
bpmb 88FCEEC w and ALT+D to return to the game. SoftIce should pop up.
We should see something like this:
:004B9529 mov ecx, dword ptr [esi+68]
:004B952C push edi
:004B952D call 004E5470
:004B9532 mov eax, dword ptr [esi+5C]
:004B9535 mov [esi+58], 00
:004B9539 sub eax, edi
<-this decrease our counter
:004B953B mov dword ptr [esi+5C], eax
:004B953E cmp dword ptr [esi+24],
00000036 <---interesting
:004B9542 jne 004B9574
Hm, let's patch it !!! Instead of sub eax, edi let's modify it by
sub eax,eax ! In this way we will decrease the counter so it should
build
the thing instantly. Let's modify it, disable all breakpoints and back
to
the game. What???#%&%#& Nothing happen. :(
But don't give up, let's check that cmp at the 004B953E. Seems it's
comparing
the location pointed to [esi+24] with 36 hex. Let's check it out,
disable
all breakpoints and put a bpmb [esi+24] w.
Back to the game and softice pop up here:
:004B94BF
8B4638
mov eax, dword ptr [esi+38]
:004B94C2
8B5624
mov edx, dword ptr [esi+24]
:004B94C5
03D0
add edx, eax
:004B94C7
895624
mov dword ptr [esi+24], edx
:004B94CA
A15453A300
mov eax, dword ptr [00A35354]
:004B94CF
8B54240C
mov edx, dword ptr [esp+0C]
Hm, we can see that here is some other counter, which increases
something.
And when it reaches 0x36 it is done. OK, let's modify the code in this
way then:
mov edx, 36
nop
//this 3 additional nops are because this instruction is
nop
//shorter than that we've replaced
nop
mov dword ptr [esi+24], edx
OK, disable all breakpoints and let's go back to the game. YES, IT
WORKS !!!!
We have the instant build. Now we only need to make a trainer that
will
modify the code when we press a button.
And that's all that has to be done. Easy isn't it ?
Please check the tutorial section on my page to find out more about
writing a trainer...
Greetz to MICRaL from TekZ 8193 for trying to make my page better !
From the heart of the winter,
Groza
Email: grozatt@email.si
Web: http://grozatt.cjb.net
|
|
