Code
Injection When And How Tutorial By DEMETRON
Target :
Command & Conquer Red Alert 3
Version :
1, 0, 0, 0
Aim :
Hacking money via code injection so only your money won’t decrease but your
opponent’s will.
Level
of Difficulty: Novice(beginners level)
Tools
Required:
-The game off course
-Cheat Engine (I am using
version 5.5)
-Notepad++ or any other text editor to note addresses
and other stuffs.
Pre-Requisites:
-None but some knowledge of assembly and experience of
cheat engine is a plus.(if you don’t it’s ok!)
Note: This tut. assumes that you
were born yesterday and had no prior knowledge of game hacking so you can skip some parts according to your knowledge.
Part
1 : Finding Addresses
Let’s start
with finding addresses which store our money value. to do this start cheat
engine now if we open our game it will be opened in full screen mode and that
sometimes create trouble when attaching debugger to it, so let’s open the game
in a window. If you go to game option and search there is already a check box to run the game in a window mode
we can use that other way to do this is go to the shortcut of the game right
click on it, go to properties and in the target add -win
after a space so your target will become something like "C:\Program
Files\Red Alert 3\RA3.exe" –win now open your game and it’ll run in window like given
screen shot.
Now with
your game running go to cheat engine click on process (in menu bar) and you’ll
see lots of process in this list (it’s basically every process running in the
system right now) but we have to find the process of our game and that’s pretty
easy actually on top (not necessarily ) you will see the two processes having
the logo of our game yup those two processes are related to our game but which
one to select now, In general the process with *.EXE are shown only but in this
case you we’ll see a *.game extension also and we are going to select that one
for debugging because that’s the main module which contains the address not the
other one(you are welcome to gamehacking.com) to understand this phenomena
completely. So select one with the *.game extension in it.
Ok our platform is set now we can do some
serious things just go to game’s skirmish option and start a game with no
opponents(why? Because we don’t want our base is to be destructed when we are
in middle of a search) and just because you are curious :D I choose Allied
Nations, blue color,battlebase beta map(1’st on the list) initial resource
25000 and no random crates. Let’s begin to play and before doing anything go to
cheat engine again and check the pause the game while scanning option it will
ask you to attach debugger to game click yes. Now in the cheat engine’s value
option enter 25000(as mine is 25k at starting and if yours is different enter
whatever amount you have)
Leave all
other settings to default and press First Scan and I got 121 results(addresses)
you might get more or less doesn’t matter at this point.Ok now we go back to
game again build a power plant it’ll
cost $800 (you can build anything else if you want we are just spending some
money here) and now I have $24200 remain on my account so let’s put this value
in cheat engine and press next scan and wow we just got 3 results now J now spend some more money or earn
some money back by selling things and do the same search again until you get
the final results (yup those 3 address are the final results)and as it’s just 3
results we can check them manually now select all address and press the arrow
button in bottom which says copy all selected items to address list or you
can just double click on each 3 addresses to add them to list below. Now at the
table there are fields like address|type|value click on value of each 3 address
we just add and try to modify it, And hopefully one address is the address we
are looking for and if we change its value the same change can be seen in the
game also. I try to change the value to $50k and found mine it’s 068D324C yours
may be different. If all this not making sense see the snapshot below
Just to
check our address is correct and it’s actually changing the amount of money we
have in the game let’s set it to very low like $20 and try to build something
oops we have insufficient funds which is exactly what we want to hear :D now
make it $10000 and try again yup it’s
working we have our address. Note down this address quit the current match and
start another match use different army and map this time I choose soviet. now
in cheat engine you will see add address manually button click on it and
add your address (mine is 068D324C) now change the value like before to $50k
but it didn’t change on the game why? Because
this game uses DMA and the address to money gets changed every time we start
new match. So now we have to find a static reference which doesn’t change every
time to calculate our address to money and such reference is called pointer.
Pointers points to some address or may be another pointer which again points to
some address and this address + offset = final address and that’s what we are looking for, and
how to do that is on next part.
Part
2 : Finding Base Pointer
To
find the base pointer we need the current address of money, and as we changed
the map the address is also changed so we have to repeat all part 1 to find the
address. So go on and back with an address (mine is 05DDADD4 now) I hope you
already add your address to the address list table if not do it plz and right
click on it, you will see many options select Find out
what writes to this address ,make
sure your money is not increasing or decreasing while doing this
a window
will pop-up do not close it and switch back to game again, spend some money and
an address will be displayed to that pop-up of yours.
What we are
doing is to find out what instruction is decreasing our money and if you wanna
make sure just nop this instruction by clicking on the replace button it’ll
change this instruction with one that do nothing. Let’s do it and after that
try to build something as you can see no money is decreasing right now…..and
you might think I don’t need to read further I got what I want but hold a sec champ,
what we just did was a quick and dirty way we didn’t even know for what else
this instruction is used for, and noping it might crash our game at some point.
So let’s analyze what else this instruction do. To do so first we have to
restore the original code by clicking on the advanced options at bottom of
cheat engine you will see the instruction that we just noped now right click on
it and select Restore
with original code .
Ok our
instruction has been restored now we going to set a breakpoint to it to do so
first we need to open it inside a disassembler and thanks to dark byte the cheat engine has its own. You will find open the disassembler
at this location option just above the Restore with original code click
on it .And if this is our first time your expression might be “what the hell is
this?” that is a disassembler every game hackers and crackers best buddy :D now
before moving further let’s have a opponent in the game ,basically what I doubt
is that same instruction is also responsible for decreasing our opponents money
and if we simply nope it his money won’t decrease either ….so what’s the point
then :D so go on start a new match with an opponent but wait a second what if
he will crush us before we gather some data and another thing is we can’t see
our opponent until the battlefield is expanded so what we can do is create a
ally force and see it’s money is also manipulated by the same instruction, and
if so it’s not a good idea to nop that because if it is holding our ally’s
address it may be hold our opponents also. So go on and start a new match with
an ally force. After starting the game don’t do anything just seat idle and let
your ally start building something, in that way we are sure he is the one
spending money right now. Now click on cheat engine’s memory view right click and
select go to
address enter 007F20D0 that’s
the instruction which decrease our money. Now we are going to set a breakpoint
on that instruction.Rightclick and select toggle breakpoint .
just after you click on the toggle breakpoint your game will be
hang don’t panic it’s what a breakpoint do it stop all the dataflow to that
instruction so we can azalyze it step by step. If you can see the image above in the right side
Registers are also shown and value of ESI is also shown there the value that
ESI register holds is basically an address and if I am right it’s our ally’s
money address. Well let’s see, if you read the instruction carefully
mov [esi+04],eax
means
whatever value(address in our case) ESI reg. holds is added by 4 and then value
of EAX reg. will copied to it. So for me ESI currently holds 0649A9C8+4 = 649A9CC
(all calculation here are in hexadecimal you can use windows calculator to do
hexadecimal calculations) and value of EAX is 2670 which is 9840 in decimal and
that make sense as starting amount was 10000 he spent some money and 9840
remains in his account. But how can we sure that address 649A9CC(your will be
different) is our ally’s lets add this address into address list of cheat
engine by clicking on add address manually. Now change its value to 0 and
freeze the address by clicking on the frozen checkbox, now remove the
breakpoint from the instruction and run it by pressing F9 or debug->run
option. Go back to game and analyze your ally’s activity and if you did
everything right you will see all his constructions are stopped this moment
that’s because we put 0 on his account, uncheck frozen and give him some big
amount like $50k and see he will start making everything. So this analysis
tells us the same instruction is used for player, his ally and opponent’s money.
Now we can’t just nope this instruction we have to find out our base pointer
and calculate our address every time. To calculate our base pointer first we
need the current address that holds money you can do all the scanning one again
or set a breakpoint to the instruction at
007F20D0 - 89 46 04 - mov
[esi+04],eax and see what address ESI holds for you and add 4 to that
address that will your current address for money. In my case it’s 067666C4
which is actually 067666C0+4 as its [ESI+4] now we have to find out what
pointer points to the address that ESI holds currently. Just check on HEX
checkbox and put your address of ESI reg. and click on new scan. I got only
result(0558DDA8 for me) which is very good actually because that is our pointer
but it may not the base pointer, so let’s scan for the address of pointer we
just got .Again I got only one address(04A9BF94) not repeat this process until
we found the base pointer.Ok we got no more address that hold 04A9BF94 that
means that is our base pointer note it down. Remember this is a pointer to a
pointer so when coding your hack you have to do
[value
of (value of 04A9BF94 ) ]+4 = our
address
To
check it is a base pointer or not let’s EXIT the game and restart it again. add
process of game to cheat engine now go to add address manually option click on
pointer and put the address of base pointer we just found, see the image below
for reference.
Now
we have our base pointer and using this you can calculate address for money
every time, You can stop right there if
you want, just code a trainer that will write a very big value to this address
like $999999. But if you stick with the tutorial we’ll going to learn how to
use code injection and some assembly code, to stop decreasing the money.
Part
3 : Using Code Injection
As
someone said a picture is worth thousand words here is an pictorial
representation of what code injection is and how it works
Hope
you get some idea of what we are going to do, first step is to wait and think
what we actually want to do? And what we want to do here is simply change this
instruction to something like.
- If ESI == our address go to 3
- Else go to 2
- Decrease money value.
- Jump back to original game code.
Now
to write our code we need some free space. We can find that using cheat engine,
go to memory view and in menu you will
see tools options in the top you will see two options 1’st is allocate memory
and 2nd is scan for code caves. First one can be used for testing
your code as it simply add some free memory but to write a trainer we have to
search for code caves (this are the free spaces inside the game),so let’s
search for code caves, I change the size to 40 from default 12 as I don’t know
how much memory we need, but as more will be handy.
There
are lots of space available in the list and
I pick 00D07000 (just because it is easy to remember) note down your address
too. Now that we have an address to write our own code we can start but before
creating the jump instruction on the original game route we must write the
modified code first why? Because if we create a jump right now at 007F20D0 this will crash our game as the
game is still running and we have nothing at 00D07000 but garbage only.
Here
are the actual screenshot of the assembly code and I’ll explain each code step
by step
Code
Cave:
00D07000 – push eax “pushing the EAX
register on the stack, so whatever value EAX currently holds will be saved and
later restored, when we are done using EAX ”
00D07001-mov
eax,[04a9bf94] “we are just copying the address value into EAX register that is
pointed by our base pointer 04a9bf94”
00D07006 –mov eax,[eax] “again we are copying
the value of (address value of EAX) in to EAX ,as we have a level 2 pointer, so
basically EAX now holds our money address – 4(offset)”
Note: mov EAX,04a9bf94 - this copies simply a decimal value 78233492
to EAX;
Whereas
mov EAX,[ 04a9bf94] – this copies whatever value 04a9bf94 address holds;
00D07008- cmp ESI,EAX “we are checking if the
ESI holds our address, a cmp instruction return zero if true”
00D0700A-pop eax “now that we have no use
of EAX we must restore its previous value.”
00D0700B-jne 00d07012 “this instruction means
‘jump if not zero’ if ESI not holds our address then compiler will jump to
00d07012”
00D0700D-jmp 00d07015 “this is a simple jump
instruction that will jump on 00d07015. If ESI holds our address then this will
execute”
00D07012 and 00D07015 are the actual game instructions at 007F20D0 and 007F20D3 ,
we have to mention this instructions because when we created a jump at 007F20D0
both the instructions were destroyed.
00D07018 – jmp 007F20D6 ‘’it’s not what you see
on the pic but that’s the same instruction we are simply going back to original
game route.”
Now
pause the game and write all this instructions, and edit the instruction at 007F20D0 to jmp 00D07000 now go back to
game again and build something your money won’t decrease but your ally’s will,
you can check it by setting a breakpoint at
00D07008 and step by step
executing the instructions.
