
Trainer Tutorials


This section of the site is dedicated to Trainer Tutorials to help everyone get a better understanding of how Game Trainers are made and how they function.

Using Flags Tutorial

Subject: Using Flags
Author: Whitey
--------------------



Tools Needed:
--------------

Memory Searcher (ArtMoney, TSearch, etc.)
Debugger (SoftICE recommended)
A Game 


First off, I'm not going to go into setting up SoftICE or how to search for addresses; if you are reading this
tutorial you should already know all that stuff. You should also be fairly decent at injecting code into the
game, and have a basic knowledge of asm.



Explain:
---------

A lot of times when you find a health address and set a breakpoint on it, you notice in SoftICE that the first
pointer you get, if you set a breakpoint on it, is writing to both your health and the CPU's health. Now of course you
can trace or keep hitting F5 to make SoftICE break over and over and find the pointer that is writing to just your health.
But why would you want that when you could get 2 or 3 options out of that one pointer? That's where flags come in: you can
set multiple conditions to split it up into a few options :-)





Lesson Start:
--------------

Ok, first off I started searching over and over and got my health address, then opened up SoftICE and set an open breakpoint
on the address I got (bpm Address ENTER). Hit F5 to exit SoftICE and it breaks instantly; type bc * to clear my breakpoint.
The pointer I got was "MOV EAX,[ESI+08]". I set an execution breakpoint (bpx) on that pointer, then kept hitting F5 and watched
my registers up top. Each time it broke I dumped esi+08 (d esi+08) to see what's in it and noticed that when esi+08 equaled my
address EDX equals 1, and anytime EDX equaled anything else it was the CPU player's health. So when EDX=1, that's your ID :-).

Now lets get to some code!



Code:
------

First off you need to find a code cave with a lot of space; I'm sure you know how to find that. Then scroll up a couple of addresses
and pick out 2 more offsets for your flags. Here is what I got:


POINTER: 004E571E MOV EAX,[ESI+08]

CODE CAVE: 00A63280

FLAG 1: 00556169
FLAG 2: 00556160



Now I'm going to show you my code, and then I will explain everything.


004E571E: JMP 00A63280


CODE CAVE: 00A63280


MOV EAX,[ESI+08]
CMP BYTE [00556169],1
JNE OPTION 2
CMP EDX,1
JNE OPTION 2
MOV DWORD PTR [ESI+08],42C80000
OPTION 2:
CMP BYTE [00556160],1
JNE BACK TO GAME
CMP EDX,1
JE BACK TO GAME
MOV DWORD PTR [ESI+08],00000000
JMP BACK TO GAME





Code Review:
---------------

MOV EAX,[ESI+08] = Original instruction you took out with your jump

CMP BYTE [00556169],1 = Compare Flag 1 with 1; if equal, option 1 is turned on

JNE OPTION 2 = jump if not equal - jumps to option 2 if Flag 1 doesn't equal 1. If it does, it skips this jump

CMP EDX,1 = Compares EDX with 1; remember, when EDX=1 it's your health

JNE OPTION 2 = jump if not equal - if EDX doesn't equal 1, jump to option 2. If it does, it skips this jump

MOV DWORD PTR [ESI+08],42C80000 = Moves full health value into ESI+08.

OPTION 2:

CMP BYTE [00556160],1 = Compare Flag 2 with 1; if equal, option 2 is turned on

JNE BACK TO GAME = if Flag 2 doesn't equal 1 then jump back to game

CMP EDX,1 = Compares EDX with 1; remember, when EDX=1 it's your health.

JE BACK TO GAME = jump if equal - if EDX equals 1 then jump back to game. We don't want it to skip this jump or it will write zero to our health

MOV DWORD PTR [ESI+08],00000000 = Moves zero into ESI+08

JMP BACK TO GAME = Jump back to game

--------------------------------------------------------------------------------------------------------------------------------------


Explain:
-----------

You see, when you poke 1 into flag 1 infinite health is activated, and when 1 is poked into flag 2 instant kill is activated. So
you get 2 options out of this one pointer. It compares EDX to test if it's you or the PC, and if it's you, then you will have full
health, and when it's the PC they will all die... pretty slick, huh :-). You could also add another flag in there if you wanted and
have your 3rd option move in the value of the PC's health right before they die for a one-hit kill, which would be 3 options with just one pointer.


So in your trainer your infinite health key would poke all that code and poke 1 into 00556169 (flag1), and for your instant
kill key it would poke all that code and poke 1 into 00556160 (flag2). Poking 0 into either of the flags will turn that option off :-)
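
The cave's branch logic, modelled in C as an added example (not Whitey's code) so every flag/EDX combination can be checked without a debugger. The globals and the starting health of 37.5 are constructed stand-ins, and it assumes health is an IEEE-754 single, for which 42C80000 is the bit pattern of 100.0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model: these globals stand in for the two flag bytes
   (00556169 and 00556160 in the tutorial); no real process is touched. */
static uint8_t flag1, flag2;

/* Reinterpret a float as its 32-bit pattern and back (memcpy avoids
   aliasing problems). Assumes health is an IEEE-754 single. */
static uint32_t to_bits(float f)     { uint32_t b; memcpy(&b, &f, sizeof b); return b; }
static float    to_float(uint32_t b) { float f;    memcpy(&f, &b, sizeof f); return f; }

/* One pass through the cave. *health models the dword at [ESI+08],
   edx the owner id (1 = player, per the tutorial). Returns EAX. */
static uint32_t cave(uint32_t *health, uint32_t edx)
{
    uint32_t eax = *health;            /* MOV EAX,[ESI+08]            */
    if (flag1 == 1 && edx == 1)        /* CMP flag1 / CMP EDX,1       */
        *health = 0x42C80000u;         /* MOV [ESI+08],42C80000       */
    /* OPTION 2: option 1 falls through to here */
    if (flag2 == 1 && edx != 1)        /* CMP flag2 / CMP EDX,1 / JE  */
        *health = 0x00000000u;         /* MOV [ESI+08],00000000       */
    return eax;                        /* JMP BACK TO GAME            */
}

int main(void)
{
    puts("flag1 flag2 edx | EAX seen  health after");
    for (int f1 = 0; f1 <= 1; f1++)
        for (int f2 = 0; f2 <= 1; f2++)
            for (uint32_t edx = 1; edx <= 2; edx++) {
                uint32_t h = to_bits(37.5f);   /* constructed start value */
                flag1 = (uint8_t)f1;
                flag2 = (uint8_t)f2;
                uint32_t eax = cave(&h, edx);
                printf("  %d     %d    %u  | %7.1f   %7.1f\n", f1, f2,
                       (unsigned)edx, to_float(eax), to_float(h));
            }
    return 0;
}
```

EAX still carries the value loaded before the overwrite, so the game's own read on that pass sees the old health; the written value is what the next read picks up.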



Part2:
-----------



I.

Basically I'm just going to show you the different ways you can use flags. I will just
be showing examples of things you can do with flags... there's an endless amount :-)




Example 1:
---------------

Say you wanted to make an instant fill for health or ammo, etc., and you wanted the routine to go
through just once, so every time you hit your key it would instantly fill. Here's an example of how you can
use flags to do that...

I'll show my code then explain!


POINTER: MOV EAX,[ESI+08]

FLAG ADDRESS: 00A63280


CODE CAVE:

MOV EAX,[ESI+08]
CMP BYTE [00A63280],1
JNE BACK TO GAME
MOV BYTE [00A63280],0
MOV DWORD PTR [ESI+08],42C80000
JMP BACK TO GAME



Explain:
--------------

MOV EAX,[ESI+08] ---Pointer you destroyed with your jump

CMP BYTE [00A63280],1 ---Compare flag1 with 1

JNE BACK TO GAME ---jump if not equal back to game-if flag is 1 skip this jump

MOV BYTE [00A63280],0 ---move 0 into flag address

MOV DWORD PTR [ESI+08],42C80000 ---move full health value into esi+08

JMP BACK TO GAME ---jump back to game



Ok, I'm sure you see what it's doing: your trainer will poke all that code and poke 1 into your flag address.
It's comparing your flag with 1 (is it activated?); if so, it skips the jump and moves 0 back into the flag address,
so the next time through the routine the flag will be 0, making it jump back to the game... Every time you hit
your hotkey it will instantly fill your health or whatever you're doing it for :-)






Example 2:
-----------

I notice a lot of times when I have released a trainer for a game with money or something I get emails of people
complaining because there is just a standard injection to give them too much damn money, filling it to the max.
So lately I started setting a flag and adding a certain value to the money every time the key is pressed so
they can add a little bit at a time when they need it... In this example I'm going to show you how that's done.



I'll show my code then explain!


POINTER: MOV EAX,[ESI+08]

FLAG1: 00A63280



CODE CAVE:


MOV EAX,[ESI+08]
CMP BYTE [00A63280],1
JNE BACK TO GAME
MOV BYTE [00A63280],0
PUSH EDX
MOV EDX,3E8
ADD [ESI+08],EDX
POP EDX
JMP BACK TO GAME




Explain:
----------------



MOV EAX,[ESI+08] ---Pointer you destroyed with the jump

CMP BYTE [00A63280],1 ---compare flag1 with 1 (is active?)

JNE BACK TO GAME ---jump if not equal-if flag1 is not equal to 1 jump back to game

MOV BYTE [00A63280],0 ---move 0 back into flag1

PUSH EDX ---push edx onto the stack

MOV EDX,3E8 ---move 3E8 into EDX- 3E8=1000 in dec

ADD [ESI+08],EDX ---Add EDX to ESI+08

POP EDX ---Pop EDX off the stack

JMP BACK TO GAME ---Jump back to the game



This should be pretty much self-explanatory. Basically it's comparing your flag; if it equals 1, it skips the jump and
puts 0 back into the flag address so it doesn't repeat. Then you push a register, in this case EDX, move the value
you want into it, and add it to your pointer. So say you're doing money: this code will add $1000 every time you
hit your hotkey...
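
The self-clearing flag from Examples 1 and 2, modelled in C as an added example (not Whitey's code) to show that it fires once per pass of the routine rather than once per key press. The `run` driver, the press schedules and the starting value of 500 are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

static uint8_t flag;   /* constructed stand-in for the flag byte at 00A63280 */

/* Example 2's cave: executes on every pass through the hooked instruction. */
static uint32_t cave_add(uint32_t *value)
{
    uint32_t eax = *value;        /* MOV EAX,[ESI+08]                 */
    if (flag != 1)                /* CMP BYTE [flag],1 / JNE          */
        return eax;               /* not armed: back to game          */
    flag = 0;                     /* MOV BYTE [flag],0 (disarm)       */
    *value += 0x3E8;              /* MOV EDX,3E8 / ADD [ESI+08],EDX   */
    return eax;                   /* JMP BACK TO GAME                 */
}

/* presses[i] = number of hotkey presses (pokes of 1 into the flag)
   that land just before pass i of the routine. Returns final value. */
static uint32_t run(uint32_t start, const int *presses, int passes)
{
    uint32_t money = start;
    flag = 0;
    for (int i = 0; i < passes; i++) {
        for (int p = 0; p < presses[i]; p++)
            flag = 1;             /* the trainer's poke: a set, not a count */
        cave_add(&money);
    }
    return money;
}

int main(void)
{
    int once[]  = {0, 1, 0, 0, 0};   /* one press                      */
    int twice[] = {0, 1, 0, 1, 0};   /* two presses, a pass in between */
    int burst[] = {0, 3, 0, 0, 0};   /* three presses before one pass  */
    printf("once : %u\n", (unsigned)run(500, once, 5));
    printf("twice: %u\n", (unsigned)run(500, twice, 5));
    printf("burst: %u\n", (unsigned)run(500, burst, 5));
    return 0;
}
```

Because the flag is a single byte that is set rather than counted, presses that arrive between two passes collapse into one addition.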

This is the end..Hope you learned something!

Whitey!


Questions:

jsmooth1980@hotmail.com 
