Subject: Using Flags
Author: Whitey
--------------------
Tools Needed:
--------------
Memory Searcher (artmoney, tsearch, ect)
Debugger (recommend softice)
A Game
First off im not goin to go into setting up softice, and how to search for addresses if you are reading this
tutorial you should already know all that stuff. Also you should be farely decent at injecting code into the
game, and have a basic knowledge of asm.
Explain:
---------
Alot of times when you find a health address and set a breakpoint on it you notice in softice that when you get your
first pointer if you set a breakpoint on it, it is writing to your health and the cpu's health. Now of course you
can trace or keep hitting F5 to make softice break over and over and find the pointer that is writing to just your health.
But why would you want that when you could get 2 or 3 options out of that one pointer. Thats where flags come in, you can
set multiple conditions to split it up into a few options :-)
Lesson Start:
--------------
Ok first off i started searching over and over and got my health address, then opened up softice and set a open breakpoint
on the address i got (bpm Address ENTER). Hit F5 to exit softice and it breaks instantly, type bc * to clear my breakpoint.
My pointer i got was "MOV EAX,[ESI+08]". I set a execution breakpoint
(bpx) on that pointer, then kept hitting F5 and watched
my registers up top. Each time it broke i dumped esi+08 (d esi+08) to see whats in it and noticed that when esi+08 equaled my
address edx equals 1 and anytime edx equaled anything else it was the cpu's player health, see when
edx=1 thats your id :-).
Now lets get to some code!
Code:
------
First off you need to find a code cave with alot of space im sure you know how to find that. Then scroll up a couple addresses
and pick out 2 more offsets for your flags, here is what i got
POINTER: 004E571E MOV EAX,[ESI+08]
CODE CAVE: 00A63280
FLAG 1: 00556169
FLAG 2: 00556160
Now im goin to show you my code and then i will explain everything.
004E571E: JMP 00A63280
CODE CAVE: 00A63280
MOV EAX,[ESI+08]
CMP BYTE [00556169],1
JNE OPTION 2
CMP EDX,1
JNE OPTION 2
MOV [ESI+08],42C80000
OPTION 2:
CMP BYTE [00556160],1
JNE BACK TO GAME
CMP EDX,1
JE BACK TO GAME
MOV [ESI+08],00000000
JMP BACK TO GAME
Code Review:
---------------
MOV EAX,[ESI+08] = Original instruction you took out with your jump
CMP BYTE [00556169],1 = Compare Flag 1 with 1, if = option 1 is turned on
JNE OPTION 2 = jump if not equal - jumps to option 2 if Flag 1 doesnt equal 1. If it does it skips this jump
CMP EDX,1 = Compares EDX with 1, remember when edx=1 its your health
JNE OPTION 2 = jump if not equal - if EDX dont =1 jump to option 2. If it does it skips this jump
MOV [ESI+08],42C80000 = Moves full health value into ESI+08.
OPTION 2:
CMP BYTE [00556160],1 = Compare Flag 2 with 1, if = option 2 is turned on
JNE BACK TO GAME = if Flag 2 dont equal 1 then jump back to game
CMP EDX,1 = Compares EDX with 1, remember when edx=1 its your health.
JE BACK TO GAME = jump if equal - if edx equal 1 then jump back to game..dont want it to skip this jump or will write zero to our health
MOV [ESI+08],00000000 = Moves zero into ESI+08
JMP BACK TO GAME = Jump back to game
--------------------------------------------------------------------------------------------------------------------------------------
Explain:
-----------
You see when you poke 1 into flag 1 infinite health is activated, and when 1 is poked into flag 2 instant kill is activated. So
you got 2 options out of this one pointer. It compares edx to test if its you or the pc and if its you, then you will have full
health and when its the pc they will all die..pretty slick huh :-). You could also add another flag in there if you wanted and
have your 3rd option move value of the pcs health right before they die for a one hit kill, witch would be 3 options with just one pointer.
So in your trainer your infinite health key would poke all that code and poke 1 into 00556169 (flag1), and for your instant
kill key it would poke all that code and poke 1 into 00556160 (flag2). Pokeing 0 into either of the flags will turn that option off :-)
Part2:
-----------
I.
Basically im just goin to show you the different ways you can use flags. I will just
be showing examples of things you can do with flags...theres endless amout :-)
Example 1:
---------------
Say you wanted to make a instant fill for health or ammo..ect. And you wanted the routine just to go
threw once, so everytime you hit your key it would instantly fill.. Heres and example of how to can
use flags to do that...
Ill show my code then explain!
POINTER: MOV EAX,[ESI+08]
FLAG ADDRESS: 00A63280
CODE CAVE:
MOV EAX,[ESI+08]
CMP BYTE [00A63280],1
JNE BACK TO GAME
MOV BYTE [00A63280],0
MOV DWORD PTR [ESI+08],42C80000
JMP BACK TO GAME
Explain:
--------------
MOV EAX,[ESI+08] ---Pointer you destroyed with your jump
CMP BYTE [00A63280],1 ---Compare flag1 with 1
JNE BACK TO GAME ---jump if not equal back to game-if flag is 1 skip this jump
MOV BYTE [00A63280],0 ---move 0 into flag address
MOV DWORD PTR [ESI+08],42C80000 ---move full health value into esi+08
JMP BACK TO GAME ---jump back to game
Ok im sure you see what its doing your trainer will poke all that code and poke 1 into your flag address.
Its compareing your flag with 1 (is activated?) if so it skips the jump and moves 0 back into flag address,
so the next time threw the routine the flag will be 0 makeing it jump back to the
game...Everytime you hit
your hotkey it will instanlly fill your health or whatever your doing it for:-)
Example 2:
-----------
I notice alot of times when i have rlsed a trainer for a game with money or something i get emails of people
complaining because there is just a standard injection to give them to much dam money filling it to the max.
So lately I started setting a flag and adding a certain value to the money everytime the key is pressed so
they can add a little bit at a time when they need it.....in this example im goin to show you how thats done..
Ill show my code then explain!
POINTER: MOV EAX,[ESI+08]
FLAG1: 00A63280
CODE CAVE:
MOV EAX,[ESI+08]
CMP BYTE [00A63280],1
JNE BACK TO GAME
MOV BYTE [00A63280],0
PUSH EDX
MOV EDX,3E8
ADD [ESI+08],EDX
POP EDX
JMP BACK TO GAME
Explain:
----------------
MOV EAX,[ESI+08] ---Pointer you destroyed with the jump
CMP BYTE [00A63280],1 ---compare flag1 with 1 (is active?)
JNE BACK TO GAME ---jump if not equal-if flag1 is not equal to 1 jump back to game
MOV BYTE [00A63280],0 ---move 0 back into flag1
PUSH EDX ---push edx onto the stack
MOV EDX,3E8 ---move 3E8 into EDX- 3E8=1000 in dec
ADD [ESI+08],EDX ---Add EDX to ESI+08
POP EDX ---Pop EDX off the stack
JMP BACK TO GAME ---Jump back to the game
This should be pretty much explanitory.. basically its compareing your flag if = to 1 then skip the jump and
put 0 back into flag address so it dont repeat then you push a register in this case
EDX. and move the value
you want into it then add it to your pointer..So say your doing money this code will add $1000 everytime you
hit your hotkey...
This is the end..Hope you learned something!
Whitey!
Questions:
jsmooth1980@hotmail.com
|
|
