Resolving Dynamic Memories at Runtime
Revision 1, May 12, 2003
by Tsongkie

I. Introduction

In this guide I will try to explain a certain advanced technique in game training that is lacking in most game trainers. I will not provide source code, since every coder has his own way of developing his trainer, so if that is what you are looking for, don't waste your time reading this tutorial. I will explain in pseudocode and theory how it is done. May I remind you that this is only a way, not THE WAY. There are other useful techniques that use different routines but produce the same result. I would suggest further reading of [sheep]'s tutorial on Advanced Game Training...

II. Let's Get Our Hands Dirty

In a certain game I found the following addies, although the values are dynamically allocated at runtime to different addies:

00465580 --> Gold
00465588 --> Silver
00465590 --> Bronze

Notice that they are separated by 8 bytes. I restarted the game and found 3 different addies, but they were also separated by 8 bytes. Also, when I scrolled up and looked at the bytes before our addies, I found 909090EB08909090 exactly 16 bytes before the first addie (Gold). I then restarted the game and found the same bytes over and over again, exactly 16 bytes before our addies.

It has been brought to my attention that some games do not have these kinds of pointers. In fact they do, you must only look deeper into the code...

III. Our Problem

We want to write a trainer that resolves these addies at runtime. So how do we do that? Let's see what we know...

1. Our addies, wherever they may be located, are always 8 bytes apart.
2. Exactly 16 bytes before our addies we can find the hex bytes 909090EB08909090.

IV. Our Solution

Since we already know these facts, we can use them in our trainer to resolve the game addies at runtime.
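The core of the technique is a signature scan over a copy of the game's memory: locate the 8 signature bytes, then read the three dwords at fixed offsets from them. Here is that scan in C as an added example (not code from this tutorial); it works on a buffer already read out of the process, so the sample "memory image" is constructed in the program and the offsets (16 for gold, 8 between values) are the ones the tutorial observed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* The 8 "signature bytes" observed 16 bytes before the Gold dword. */
static const uint8_t SIGNATURE[8] = {0x90, 0x90, 0x90, 0xEB, 0x08, 0x90, 0x90, 0x90};

#define GOLD_OFFSET   16   /* from the start of the signature */
#define VALUE_STRIDE   8   /* gold, silver, bronze are 8 bytes apart */
#define VALUE_COUNT    3
/* Bytes needed from the signature start to cover the last value's dword. */
#define SPAN_NEEDED   (GOLD_OFFSET + (VALUE_COUNT - 1) * VALUE_STRIDE + 4)

/* Read a little-endian dword without relying on alignment or host byte order. */
static uint32_t read_dword_le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Scan a buffer (e.g. a data section copied out with ReadProcessMemory) for the
   signature. On a hit, fill out[] with gold, silver, bronze and return the
   signature's offset in the buffer; return -1 if no match with all three
   values inside the buffer exists (so the scan never reads out of bounds). */
long resolve_values(const uint8_t *mem, size_t len, uint32_t out[VALUE_COUNT]) {
    if (len < SPAN_NEEDED) return -1;
    for (size_t s = 0; s + SPAN_NEEDED <= len; s++) {
        if (memcmp(mem + s, SIGNATURE, sizeof SIGNATURE) != 0) continue;
        for (int i = 0; i < VALUE_COUNT; i++)
            out[i] = read_dword_le(mem + s + GOLD_OFFSET + i * VALUE_STRIDE);
        return (long)s;
    }
    return -1;
}

/* Constructed sample "memory image" (not a real game): filler bytes, the
   signature at sig_off, and the three values laid out exactly as the tutorial
   describes. Returns 0 if the layout does not fit in the buffer. */
int build_sample_image(uint8_t *buf, size_t len, size_t sig_off,
                       uint32_t gold, uint32_t silver, uint32_t bronze) {
    if (sig_off + SPAN_NEEDED > len) return 0;
    memset(buf, 0xCC, len);
    memcpy(buf + sig_off, SIGNATURE, sizeof SIGNATURE);
    uint32_t vals[VALUE_COUNT] = {gold, silver, bronze};
    for (int i = 0; i < VALUE_COUNT; i++) {
        uint8_t *p = buf + sig_off + GOLD_OFFSET + i * VALUE_STRIDE;
        for (int b = 0; b < 4; b++) p[b] = (uint8_t)(vals[i] >> (8 * b));
    }
    return 1;
}
```

Placing the same layout at a different offset, as a restart of the game would, still resolves, which is the whole point of scanning for the signature instead of hard-coding the addies.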
What we need to do is search for the "signature bytes", and when we find them, add 16 bytes to that address and read a dword (gold), add 8 bytes to that addie and read a dword (silver), then add another 8 bytes to that addie and read the final dword (bronze).

Here's what I have done with my code:

* I filled the IMAGE_DOS_HEADER structure by using ReadProcessMemory at 00400000h.
* I then used ReadProcessMemory on the game process at 00400000h + IMAGE_DOS_HEADER.e_lfanew to fill an IMAGE_NT_HEADERS structure.
* I made a loop that allocates IMAGE_NT_HEADERS.FileHeader.NumberOfSections IMAGE_SECTION_HEADER structures. I then read the section headers that follow IMAGE_NT_HEADERS into my allocated buffer.

Now, if the section is a data section:

* Search the game process, starting at IMAGE_SECTION_HEADER.VirtualAddress and spanning IMAGE_SECTION_HEADER.SizeOfRawData bytes, for our "signature bytes".
* When we find them, add 16 bytes to the pointer and read a dword (gold), add 8 bytes to the pointer and read a dword (silver), then increase the pointer by another 8 bytes and read a dword (bronze).

V. Final Words

Well, I hope you learned something from it. If something in the tutorial is vague, please contact me via e-mail: root@tsongkie.com, or go to the World Of Gamehacking site, www.gamehacking.com

Greetz go to:

* Sheep
* nh2
* Stonerifik
* Ratattack
* ddh
* Micral
* iCarus
* Those in #gamehacking on EFnet
* Team Extalia
* CES
* Evil Eye Software
* SRN Software

Tsongkie, http://www.tsongkie.com
CES