Thief : Dark Project - Pointers and Code Injection
Thief : The Dark Project v1.14 by SunBeam
--------------------------------------------------------------------------------------

» Tools needed
------------------

1. Thief : The Dark Project v1.14
2. TSearch v1.6b - http://fly.to/mtc
3. Cheat Engine v4.4 - http://syndiv.com/ce/

» Introduction
-----------------

First of all, this is and will be one of my favourite games. I love the story-line and the medieval atmosphere, which compensate for the 'not so flashy' graphics :o).

Before we start, I would like to thank Sheep and Tsongkie for their tutorials on Pointers, DMA and Code Injection. These guys are very good at what they do. Also, if I recall, Sheep's alias is Reclaim :o). Nice trainer you did for Thief 2. Sorry I did some sniffing with TrainerSpy, but I needed to learn [how I got past the trainer protection is top secret :o)]. Oh, and one more thing: the 'health hack' you made for Thief 2 works only on maps which have edi = 15 :o). There are other values for the rest of the maps...

Before moving on, you MUST read Tsongkie's tut : "An alternative to staple intersections" - www.tsongkie.com. Pointers and code injection are explained there; I won't cover them in this tutorial, just apply them to Thief : The Dark Project. Let's get to work...

» Thief : The Dark Project v1.14
--------------------------------------

What we'll hack in this game is the amount of items [flash bombs, health potions etc.] and arrows [water, broad, fire etc.], in one sweep. Meaning that we find the pointer for arrows, which is the same one for items. So, what we write for arrows applies to items as well...

Open up the game, skip the training and load the first mission : Lord Bafford's Manor. Switch to the Broadhead Arrows. If you didn't buy anything before starting the mission, you should have 36 of them. Alt-tab to the desktop and open up Cheat Engine [I'll shorten it to CE]. Target thief.exe and search for 36 on 4 bytes.
Go back in-game and shoot 1 arrow. Return to CE and search next for 35. I got D59B10, but yours could be different, since the game uses DMA. Double-click on it to get it in the 'address list', then right-click on it and select 'Find out what writes to this address'. Click Yes to attach the debugger and 2 windows should pop up. The big one is the debugger window; you can close the other one. Return to Thief and shoot another arrow. Get back to CE and look in the debugger window. You should see one address :

    004bc763 - 89 4c f8 04 - mov [eax+edi*8+04],ecx

Click on it and then on the 'More information' button. A window, 'Extra info', should pop up. What you see there is the value of all registers at the moment you shot the arrow. The one holding the amount of arrows is ecx. All values you see there are in hex, so if you have 34 arrows, ecx should be 22. Also, you can see 'The value of the pointer needed to find this address is probably 00D599DC'. Ok. Close the debugger window by pressing the Stop button first.

In CE, click the Hex option near the search field and type in D599DC. Uncheck it, and click on Search. What we are doing here is looking for the POINTER :o). You should get only one address, BA2580. If you read Tsongkie's tut, you should know what you have to do now. You can also read this and his in parallel, so you'd understand better. I basically did what he explained there, applied to this game. Enough blabbering :o)...

We need a code-cave. You can use TSearch or Tsongkie's Code-Cave tool. In TS, target thief.exe and from the Process menu, select Memory. Scroll to the thief.exe section and look down. The best spot for a code-cave is the end of the .data section, right above the .rsrc section. You can pick any of those regions, but make sure they're all filled with 00's. If the address you choose for the code-cave isn't free [meaning filled with 00's], then pick another one. There's plenty of them :o). I chose 745F00, just above the .rsrc entry-point.
For the code-injection we'll use TSearch's AutoHack window and Easy Write. So, you can close CE, you don't need it anymore; also note that closing CE doesn't take the game process down with it, like TS does after you've used its debugger :o). Select thief.exe, enable the debugger and navigate to 4BC763. Since we'll work on 4bc763, we'll need both the 4bc75f and 4bc763 lines in our code-cave. Why ? Because if we spoil a code, we need to back it up in the code-cave. Make a new Easy Write script and type in [or copy-paste] :

    offset 745f00                      // that's the code-cave address; we first write the code-cave, then we make the jump
    mov ecx, [esp+0x10]                // we make a backup of the 4bc75f and 4bc763 instructions, because @ 4bc75f we'll write
                                       // the jump to our code-cave, so these instructions will still be used; otherwise, the game will crash
    mov [eax+edi*8+04], ecx
    mov ecx, [0xBA2580]                // move the pointer to ecx
    cmp eax, ecx                       // compare eax and ecx (eax and the pointer); why eax ? because eax stores the address
                                       // of arrows, items etc; you noticed CE's 'Extra info'; if not, look again :o)
    jne 4bc767                         // jump back to the code if not equal; this is the line below 4bc763
    mov byte ptr [eax+edi*8+04], 0x64  // if equal, then [eax+edi*8+04] is our arrows'/items' address; set the amount to 100
                                       // 64 in hex = 100 in decimal; you can change it to whatever value you want :o)
    jmp 4bc767                         // jmp back to the game's routine

    offset 4bc75f
    jmp 745f00                         // jump to our code cave; why 3 NOP's ? because the instructions @ 4bc75f and 4bc763 take
    nop                                // 8 bytes; count them yourself; any jmp instruction requires 5 bytes of memory; so we NOP
    nop                                // the rest: 3 nop
    nop

This is the Patched code, the one you should write in the top window of Easy Write. For the UnPatched code, to be written in the lower window of Easy Write :

    offset 4bc75f
    mov ecx, [esp+0x10]
    mov [eax+edi*8+04], ecx

That's it. Now you have 100 arrows, of each type.
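To check the byte arithmetic the script above relies on (the 5-byte jmp, the 3 NOPs, and the return to 4bc767), here is a small Python helper added for this write-up; it is not SunBeam's code and not part of TSearch. The addresses come from the tutorial; the x86 encodings of the two relocated instructions are assumed to be the standard ones (CE showed 89 4C F8 04 for the second, and 8B 4C 24 10 is mov ecx,[esp+0x10]).

```python
# Added example: reproduces the byte-level arithmetic behind the Easy Write script
# (not SunBeam's code and not TSearch's). Addresses come from the tutorial; the
# encodings of the two relocated instructions are assumed to be the standard
# x86 ones (CE showed 89 4C F8 04 for the second; 8B 4C 24 10 is mov ecx,[esp+0x10]).
import struct

HOOK_ADDR = 0x4BC75F      # where "jmp 745f00" gets written
CAVE_ADDR = 0x745F00      # code cave at the end of .data, just above .rsrc
RETURN_ADDR = 0x4BC767    # the instruction right after the two we relocate
JMP_LEN = 5               # E9 + rel32

# The instructions the jmp overwrites; the cave repeats them verbatim.
ORIGINAL = [
    ("mov ecx, [esp+0x10]",     bytes.fromhex("8B4C2410")),   # @ 4bc75f, 4 bytes
    ("mov [eax+edi*8+04], ecx", bytes.fromhex("894CF804")),   # @ 4bc763, 4 bytes
]

def encode_jmp(src, dst):
    """E9 rel32: the displacement is measured from the END of the 5-byte jmp."""
    rel = dst - (src + JMP_LEN)
    if not -2**31 <= rel < 2**31:
        raise ValueError("target out of rel32 range")
    return b"\xE9" + struct.pack("<i", rel)

def build_detour(original=ORIGINAL):
    """jmp to the cave plus NOP padding. The patch must end exactly on an
    instruction boundary; a hook that splits an instruction crashes the game
    as soon as the cave jumps back into half of it."""
    covered = sum(len(enc) for _, enc in original)
    if covered < JMP_LEN:
        raise ValueError("hook needs at least 5 bytes of whole instructions")
    patch = encode_jmp(HOOK_ADDR, CAVE_ADDR) + b"\x90" * (covered - JMP_LEN)
    assert HOOK_ADDR + covered == RETURN_ADDR   # the cave returns right after the hook
    return patch

def build_unpatch(original=ORIGINAL):
    """The UnPatched script simply restores the original bytes at 4bc75f."""
    return b"".join(enc for _, enc in original)

def nop_count(original=ORIGINAL):
    return sum(len(enc) for _, enc in original) - JMP_LEN

if __name__ == "__main__":
    print("patch   @ %X: %s" % (HOOK_ADDR, build_detour().hex(" ").upper()))
    print("unpatch @ %X: %s" % (HOOK_ADDR, build_unpatch().hex(" ").upper()))
    print("nops:", nop_count())
```

The same encode_jmp() gives the displacement for the cave's own "jmp 4bc767" once you know the address of that instruction inside the cave.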
And since the items' pointer is the same as the arrows' pointer, you'll also get the same amount of items : 100 health potions, 100 flash bombs etc. :o)

» Final words
----------------

Greetz fly out to :

tsongkie - very nice tutorial you made, dude; thank you very much ! I needed that :o)

sheep - thanx man for the HomeWorld 2 tutorial, it helped a lot; from what I noticed, all the trainers you make are so totally different from the onez out there; what do I mean ? you hack very special options in games, not only the regular ones : health, ammo etc; take for example : Age Of Mythology - speed hack [woa!], Prince Of Persia SoT - continually walking on wallz [woa!], HomeWorld 2 - health and destroy pointers [woa!]; wish I coulda talk to ya; have some questions :P, lotsa :o)...

What can I say ? I wish I were like those guys above :o) Maybe one day, who knows...

SunBeam, out...

www.gamehacking.as.ro - a little outdated, but visit it for the sake of visiting :o); my scene name WAS T-RaiNeR :o)...
www.ghu.as.ro
www.extalia.com