Subject: Using Flags
Author: Whitey
--------------------

Tools Needed:
--------------
Memory Searcher (ArtMoney, TSearch, etc.)
Debugger (I recommend SoftICE)
A Game

First off, I'm not going to go into setting up SoftICE or how to search for addresses. If you are reading this tutorial you should already know all that stuff. You should also be fairly decent at injecting code into the game and have a basic knowledge of asm.

Explain:
---------
A lot of times when you find a health address and set a breakpoint on it, you notice in SoftICE that the first pointer you get is writing to both your health and the CPU's health. Now of course you can trace, or keep hitting F5 to make SoftICE break over and over, and find the pointer that writes to just your health. But why would you want that when you could get 2 or 3 options out of that one pointer? That's where flags come in: you can set multiple conditions to split it up into a few options :-)

Lesson Start:
--------------
Ok, first off I started searching over and over and got my health address, then opened up SoftICE and set a breakpoint on the address I got (bpm Address ENTER). Hit F5 to exit SoftICE and it breaks instantly; type bc * to clear the breakpoint. The pointer I got was "MOV EAX,[ESI+08]". I set an execution breakpoint (bpx) on that pointer, then kept hitting F5 and watched my registers up top. Each time it broke I dumped ESI+08 (d esi+08) to see what's in it, and noticed that when ESI+08 equaled my address EDX equaled 1, and any time EDX equaled anything else it was a CPU player's health. See, when EDX=1 that's your id :-). Now let's get to some code!

Code:
------
First off you need to find a code cave with a lot of space; I'm sure you know how to find that.
Then scroll up a couple addresses and pick out 2 more offsets for your flags. Here is what I got:

POINTER:   004E571E  MOV EAX,[ESI+08]
CODE CAVE: 00A63280
FLAG 1:    00556169
FLAG 2:    00556160

Now I'm going to show you my code and then I will explain everything.

004E571E:  JMP 00A63280

CODE CAVE:
00A63280:
    MOV EAX,[ESI+08]
    CMP BYTE [00556169],1
    JNE OPTION 2
    CMP EDX,1
    JNE OPTION 2
    MOV DWORD PTR [ESI+08],42C80000
OPTION 2:
    CMP BYTE [00556160],1
    JNE BACK TO GAME
    CMP EDX,1
    JE BACK TO GAME
    MOV DWORD PTR [ESI+08],00000000
    JMP BACK TO GAME

Code Review:
---------------
MOV EAX,[ESI+08]                 = Original instruction you took out with your jump
CMP BYTE [00556169],1            = Compare Flag 1 with 1; if equal, option 1 is turned on
JNE OPTION 2                     = Jump if not equal - jumps to option 2 if Flag 1 doesn't equal 1. If it does, it skips this jump
CMP EDX,1                        = Compares EDX with 1; remember when EDX=1 it's your health
JNE OPTION 2                     = Jump if not equal - if EDX doesn't equal 1, jump to option 2. If it does, it skips this jump
MOV DWORD PTR [ESI+08],42C80000  = Moves the full health value into ESI+08
OPTION 2:
CMP BYTE [00556160],1            = Compare Flag 2 with 1; if equal, option 2 is turned on
JNE BACK TO GAME                 = If Flag 2 doesn't equal 1, jump back to the game
CMP EDX,1                        = Compares EDX with 1; remember when EDX=1 it's your health
JE BACK TO GAME                  = Jump if equal - if EDX equals 1, jump back to the game. We don't want it to skip this jump or it will write zero to our health
MOV DWORD PTR [ESI+08],00000000  = Moves zero into ESI+08
JMP BACK TO GAME                 = Jump back to the game

--------------------------------------------------------------------------------------------------------------------------------------

Explain:
-----------
You see, when you poke 1 into Flag 1, infinite health is activated, and when 1 is poked into Flag 2, instant kill is activated. So you got 2 options out of this one pointer. It compares EDX to test if it's you or the PC, and if it's you then you will have full health, and when it's the PC they will all die.. pretty slick huh :-).
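As an added example (not the tutorial's code), here is the same two-flag decision written out as a C model of one pass through the code cave, so you can see exactly which health writes each flag touches. It assumes, as the tutorial states, that EDX carries the owner id and that id 1 is you; the field starts at a constructed value and 42C80000 is simply the bit pattern of the float 100.0.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PLAYER_ID   1u           /* tutorial: EDX == 1 means "your" health */
#define FULL_HEALTH 0x42C80000u  /* IEEE-754 bit pattern of 100.0f */

/* The two flag bytes the trainer pokes (tutorial: 00556169 and 00556160). */
struct flags {
    uint8_t infinite_health;     /* Flag 1 */
    uint8_t instant_kill;        /* Flag 2 */
};

/* Models one pass through the patched routine. esi_08 is the health field
 * being written, edx the owner id the game carries in EDX. Returns what EAX
 * holds when control jumps back to the game. */
static uint32_t code_cave(uint32_t *esi_08, uint32_t edx, const struct flags *f)
{
    uint32_t eax = *esi_08;                          /* MOV EAX,[ESI+08] */
    if (f->infinite_health == 1 && edx == PLAYER_ID) /* option 1: you only */
        *esi_08 = FULL_HEALTH;                       /* MOV DWORD PTR [ESI+08],42C80000 */
    if (f->instant_kill == 1 && edx != PLAYER_ID)    /* option 2: everyone else */
        *esi_08 = 0;                                 /* MOV DWORD PTR [ESI+08],0 */
    return eax;                                      /* JMP BACK TO GAME */
}

/* Run one health write through the cave and return the field afterwards. */
static uint32_t run(uint32_t health, uint32_t owner_id, uint8_t flag1, uint8_t flag2)
{
    struct flags f = { flag1, flag2 };
    uint32_t field = health;
    code_cave(&field, owner_id, &f);
    return field;
}

static float as_float(uint32_t bits) { float v; memcpy(&v, &bits, sizeof v); return v; }

int main(void)
{
    /* Constructed input: every health field starts at 10.0f (0x41200000). */
    printf("you, Flag 1 set: %.1f\n", as_float(run(0x41200000u, 1, 1, 0)));
    printf("cpu, Flag 1 set: %.1f\n", as_float(run(0x41200000u, 7, 1, 0)));
    printf("cpu, Flag 2 set: %.1f\n", as_float(run(0x41200000u, 7, 0, 1)));
    printf("you, Flag 2 set: %.1f\n", as_float(run(0x41200000u, 1, 0, 1)));
    return 0;
}
```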
You could also add another flag in there if you wanted and have your 3rd option move the value of the PC's health right before they die, for a one hit kill, which would be 3 options with just one pointer. So in your trainer your infinite health key would poke all that code and poke 1 into 00556169 (Flag 1), and your instant kill key would poke all that code and poke 1 into 00556160 (Flag 2). Poking 0 into either of the flags will turn that option off :-)

Part 2:
-----------
Basically I'm just going to show you the different ways you can use flags. I will just be showing examples of things you can do with flags... there's an endless amount :-)

Example 1:
---------------
Say you wanted to make an instant fill for health or ammo, etc., and you wanted the routine to go through just once, so every time you hit your key it would instantly fill. Here's an example of how you can use flags to do that... I'll show my code then explain!

POINTER:      MOV EAX,[ESI+08]
FLAG ADDRESS: 00A63280

CODE CAVE:
    MOV EAX,[ESI+08]
    CMP BYTE [00A63280],1
    JNE BACK TO GAME
    MOV BYTE [00A63280],0
    MOV DWORD PTR [ESI+08],42C80000
    JMP BACK TO GAME

Explain:
--------------
MOV EAX,[ESI+08]                 --- Pointer you destroyed with your jump
CMP BYTE [00A63280],1            --- Compare Flag 1 with 1
JNE BACK TO GAME                 --- Jump if not equal back to the game; if the flag is 1, skip this jump
MOV BYTE [00A63280],0            --- Move 0 into the flag address
MOV DWORD PTR [ESI+08],42C80000  --- Move the full health value into ESI+08
JMP BACK TO GAME                 --- Jump back to the game

Ok, I'm sure you see what it's doing. Your trainer will poke all that code and poke 1 into your flag address. It's comparing your flag with 1 (is it activated?); if so it skips the jump and moves 0 back into the flag address, so the next time through the routine the flag will be 0, making it jump back to the game... Every time you hit your hotkey it will instantly fill your health, or whatever you're doing it for :-)

Example 2:
-----------
I notice a lot of times when I have released a trainer for a game with money or something, I get emails from people complaining because there is just a standard injection that gives them too much damn money, filling it to the max. So lately I started setting a flag and adding a certain value to the money every time the key is pressed, so they can add a little bit at a time when they need it..... In this example I'm going to show you how that's done. I'll show my code then explain!

POINTER: MOV EAX,[ESI+08]
FLAG 1:  00A63280

CODE CAVE:
    MOV EAX,[ESI+08]
    CMP BYTE [00A63280],1
    JNE BACK TO GAME
    MOV BYTE [00A63280],0
    PUSH EDX
    MOV EDX,3E8
    ADD [ESI+08],EDX
    POP EDX
    JMP BACK TO GAME

Explain:
----------------
MOV EAX,[ESI+08]       --- Pointer you destroyed with the jump
CMP BYTE [00A63280],1  --- Compare Flag 1 with 1 (is it active?)
JNE BACK TO GAME       --- Jump if not equal; if Flag 1 is not equal to 1, jump back to the game
MOV BYTE [00A63280],0  --- Move 0 back into Flag 1
PUSH EDX               --- Push EDX onto the stack
MOV EDX,3E8            --- Move 3E8 into EDX (3E8 hex = 1000 decimal)
ADD [ESI+08],EDX       --- Add EDX to ESI+08
POP EDX                --- Pop EDX off the stack
JMP BACK TO GAME       --- Jump back to the game

This should be pretty much self-explanatory.. basically it's comparing your flag; if it equals 1 then skip the jump and put 0 back into the flag address so it doesn't repeat. Then you push a register, in this case EDX, move the value you want into it, and add it to your pointer.. So say you're doing money: this code will add $1000 every time you hit your hotkey...

This is the end.. Hope you learned something!

Whitey!
Questions: jsmooth1980@hotmail.com
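As an added example (not the tutorial's code) covering both Example 1 and Example 2, here is a C model of the one-shot flag: the cave clears the flag on its first pass, so the game can call the hooked routine as many times as it likes and the fill or the add still happens exactly once per hotkey press. The pass count and starting values are constructed; FULL_HEALTH and MONEY_STEP are the tutorial's 42C80000 and 3E8.

```c
#include <stdint.h>
#include <stdio.h>

#define FULL_HEALTH 0x42C80000u  /* Example 1: IEEE-754 bit pattern of 100.0f */
#define MONEY_STEP  0x3E8u       /* Example 2: 3E8 hex = 1000 decimal */

/* Example 1 cave: fill once, then clear the flag so the next pass falls through. */
static void fill_once(uint32_t *esi_08, uint8_t *flag)
{
    if (*flag != 1) return;        /* CMP BYTE [flag],1 / JNE BACK TO GAME */
    *flag = 0;                     /* MOV BYTE [flag],0  (consume the flag) */
    *esi_08 = FULL_HEALTH;         /* MOV DWORD PTR [ESI+08],42C80000 */
}

/* Example 2 cave: add a fixed amount once, then clear the flag. The tutorial's
 * PUSH/POP EDX only preserves the game's register; a local plays that role. */
static void add_once(uint32_t *esi_08, uint8_t *flag)
{
    if (*flag != 1) return;
    *flag = 0;
    uint32_t edx = MONEY_STEP;     /* MOV EDX,3E8 */
    *esi_08 += edx;                /* ADD [ESI+08],EDX */
}

/* The game calls the hooked routine over and over. Simulate `passes` calls
 * after the trainer has poked `flag` and return the resulting field. */
static uint32_t simulate_fill(uint32_t health, uint8_t flag, int passes)
{
    for (int i = 0; i < passes; i++) fill_once(&health, &flag);
    return health;
}

static uint32_t simulate_money(uint32_t money, uint8_t flag, int passes)
{
    for (int i = 0; i < passes; i++) add_once(&money, &flag);
    return money;
}

int main(void)
{
    /* Constructed input: $500 in the money field, 60 passes of the routine. */
    printf("money, key pressed: %u\n", simulate_money(500, 1, 60));  /* 1500, not 60500 */
    printf("money, key idle:    %u\n", simulate_money(500, 0, 60));  /* 500 */
    printf("health bits, key pressed: %08X\n", simulate_fill(0x41200000u, 1, 60));
    return 0;
}
```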