DABhand
17-04-2005, 15:15
Again look here for better layout - http://www.vwaskar.pwp.blueyonder.co.uk/asm4FF/tr1d1.txt
Trainer 1 - Obscure v1.1
========================
Tools needed
1. Obscure Patched to 1.1 (English version - no-cd being used)
2. Trainer Maker Kit (TMK can be found anywhere on the net)
3. Cheat Engine 4.4 (Again anywhere on the net)
4. Sheep's Array of Sunshine (try sheeprec.cjb.net)
5. Paper and a Pen/Pencil.
Ok here we go!
First of all, if you're new to the game you will obviously start from the beginning; people who are not new to the game will find this easier since they will have most things at hand to search for.
But the first one to search for is the easiest, and that's ammo; you will find a gun early on in the game.
So what to do now?
Well, as soon as you have the gun ready, aim it and note the amount of bullets in the gun.
Now ALT+TAB out of the game to Cheat Engine (make sure it's running before the game for easier use). On Cheat Engine you will see a little PC icon on the top left; it should be flashing, telling you that you haven't selected a process yet (a process is a program resident in memory).
Select Obscure from the list, now go to new search, enter whatever amount of ammo (left side) you have and hit NEW SCAN. It will probably say 2800+ found, not to worry; go back to the game (ALT+TAB) and fire a shot, go back to Cheat Engine, enter that new value and hit NEXT SCAN. Hopefully you should be down to a few values; one address will stand out as it doesn't belong with the rest. If you want, fire one more shot and scan again to confirm (always the best).
In this instance I had an address of 051B0384; yours will be different, as this game uses DMA (Dynamic Memory Addressing, which means each time you play the game the value will never be at the same address). Ok, now we have our address, let's test it by double clicking the address on the left so it appears in the bottom section of Cheat Engine. From here double click the value option in the bottom and change its value, then check back in the game to see if any changes were made. It did? Nice :)
Here comes the technical part. Get your paper and pen ready, now right click on the address in the bottom part of Cheat Engine, select "Find out what writes to this address", and say yes to attach the debugger. Normally "what reads" would be better, but there is an anti-debugging process running in the game and the game will crash, so stick to "writes" for this game.
Now a new blank window has popped up. Go back to the game and fire another shot, then go back to Cheat Engine; you should see this in the list as a new entry.
004ee369 - 89 85 54 01 00 00 - mov [ebp+00000154],eax
This address SHOULD be the same. What it says is this:
At address 004ee369 the MOV instruction moves the value contained in EAX to the memory location (remember the [] I talked about?) given by EBP plus 154 hex.
In layman's terms, at this address the amount of ammo left (EAX) is stored into the memory location ([EBP+00000154]) where the old value was. Later on the game will use this memory location (this is a DMA address) to show your ammo amount on screen.
Fun part here, let's look at the code: click on the 004ee369 entry in the window, then click "Show Disassembler". Don't be frightened by the code, just maximize it and look above the highlighted line.
Right above, at address 004ee368, you should see
004ee368 - 48 - dec eax
Before it stores the value it decreases the old ammo value by 1, i.e. you fired a shot.
Ok, we have two choices: we can remove the DEC op and replace it with NOP (remember NOP does nothing whatsoever and is used to fill in code).
OR!
We can find a nice bit of free space to write our own code and force a nice value into the ammo memory location.
Either way is fine, but most trainer makers don't like NOP'ing out DECs as they see it as an easy way out.
Ok, let's start on "Code Injection", the fun stuff. We know our address which writes the ammo value: 4ee369. What I want you to do, and this is important, is to write down the
1. Address
2. Hex Numbers (in this case - 89 85 54 01 00 00)
3. The opcode (in this case - mov [ebp+00000154],eax)
Now you may think, why not just take out that opcode? Well, if you do, no amount will be sent to the memory location and it could crash the game.
How about changing the opcode to MOV our own value in? We can't do that either: a MOV with an immediate value would occupy another 4 bytes of space and would overwrite the next instruction, which would again crash the game.
BUT!!!!
We can "inject" a smaller opcode that takes less space, aha! This is what is called CODE INJECTION. But to do this we need to find that lovely free space to write our own code :)
While on the desktop, load up Sheep's Array of Sunshine, now look down the process list and find Obscure (note: if you have a folder called Obscure open, close it or you will see double :P).
Ok, found Obscure in the list? Now press "find code cave", and in this window look at the code cave results; you will see odd things like .sforce (I wonder what that is lol) and .brick.
What we are really looking for is a code cave which allows both Read/Write and has enough space to write our code.
As you can see the .RSRC entry starts at 006ae3c8h and has a size of c38h (3128 bytes) and is both read/write. Excellent, note this address :) We have found our code cave to place our own code in.
Now we can close SAS, and go back to the disassembler window of Cheat Engine.
Now in the top window right click among the code and choose "goto address"; here enter our code cave address, which is 6ae3c8 (don't worry about the 00's or the h; remember h means a hex address).
You should now see a lot of 00's and ADD [eax],al's; this is normal, this is free space :)
One IMPORTANT point to make: when making trainers and doing code injection, ALWAYS!!! write your code before changing game code. If we don't, the game will crash as it will see a lot of 00's and lose its path in the original code. So ALWAYS write your own code in your code cave first, and when that's done change the game code to point at your new code.
Got it? GOOD
Ok, what can we place here to make our ammo 99 all the time? We know this
MOV [ebp+154],eax
Now if you remembered your DAY 1 lesson, you know you can move either registers or IMMEDIATE VALUES, so you can force a value into this address.
Ok, the next step is simple: if we want 99 ammo we just move the value 99 into [ebp+154]. See, not too hard. At this point it's best to use Windows Calculator; I'll show you why.
ASM reads values in hex form, not decimal, so 10 in hex is NOT 10 in decimal. Here is an example, starting from the value 1 and ending with a value of 255:
01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F,10 ... FA,FB,FC,FD,FE,FF
So you can see 10h is not 10 dec.
So use Windows Calculator in scientific mode, type 99 in decimal and then press the hex option; it will show 63. That is the value of 99 in hex: 63h.
Now we know which value to move, we can finish our new line of code. In Cheat Engine, double click on the 6ae3c8 line and manually type (with spaces) this
MOV [ebp+154],63
If it asks to fill up the code with NOPs, just say yes, to get into the habit, as this is NECESSARY. If unused space is not filled with NOPs it may corrupt later code.
Ok, we should see this at 6ae3c8
6AE3C8 - C7 85 54 01 00 00 63 00 00 00 - mov [ebp+00000154],00000063
Now on the next line manually type in the opcode RET, so you have this
6AE3D2 - C3 - ret
6AE3D3 - 90 - nop
Remember the last tutorial on CALLs and Returns? Good, so you know I'm going to call our code from the game! Notice the NOP also, this is important.
Ok, let's go back to where the original code was. Remember I asked you to write it down? YOU DIDN'T!! Shame on you, this IS NOT easy, do follow the steps; to those who did, good job!
Ok, back to address 4ee369, our original MOV code. What we will do here is change that code to a CALL to where our new code is, so the opcode is
CALL 6ae3c8
Place that at address 4ee369 where the game code is, replacing it with our own, and again remember to say yes to NOPs! We now should have this
4EE369 - E8 5A 00 1C 00 - call 006ae3c8
4EE36E - 90 - nop
Ok, let's review our code
6AE3C8 - C7 85 54 01 00 00 63 00 00 00 - mov [ebp+00000154],00000063
6AE3D2 - C3 - ret
6AE3D3 - 90 - nop
4EE369 - E8 5A 00 1C 00 - call 006ae3c8
4EE36E - 90 - nop
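As an added example (not part of DABhand's post or of Cheat Engine), here is a small Python script that reproduces the byte encodings listed above from the addresses and values quoted in the tutorial: the 10-byte MOV-immediate, the 5-byte CALL with its displacement measured from the next instruction, and the NOP padding of the leftover slot. It also generalizes the "would destroy the next code" point by refusing a replacement that is longer than the instruction it overwrites, and covers the plain NOP-out used for the 3-byte DEC further down. All function names are mine.

```python
import struct

# Reference values quoted in this tutorial (Cheat Engine / SAS output), used
# here only to check that the encodings below reproduce what the post shows.
ORIG_WRITE_ADDR = 0x004EE369                      # mov [ebp+00000154],eax
ORIG_WRITE_BYTES = bytes.fromhex("89 85 54 01 00 00")
CAVE_ADDR = 0x006AE3C8                            # start of the .rsrc code cave
AMMO_DISP = 0x154
AMMO_VALUE = 99                                   # 99 decimal == 63h

NOP = b"\x90"
RET = b"\xC3"


def mov_ebp_disp32_imm32(disp: int, imm: int) -> bytes:
    """Encode `mov dword [ebp+disp32], imm32`: opcode C7, ModRM 85
    (mod=10 -> [ebp+disp32], reg=/0), then disp32 and imm32, both
    little-endian. That is 10 bytes, 4 more than the original 6-byte
    `mov [ebp+154],eax`, which is why it cannot be written in place."""
    return b"\xC7\x85" + struct.pack("<i", disp) + struct.pack("<I", imm)


def call_rel32(from_addr: int, to_addr: int) -> bytes:
    """Encode a near `call rel32` (E8 + 4-byte displacement). The displacement
    is measured from the address of the *next* instruction, i.e. from_addr + 5,
    which is also where the RET in the cave brings execution back to."""
    return b"\xE8" + struct.pack("<i", to_addr - (from_addr + 5))


def patch_in_place(original: bytes, replacement: bytes) -> bytes:
    """Overwrite an instruction with `replacement` and NOP-pad the rest of the
    slot (Cheat Engine's 'fill with NOPs' prompt). A replacement longer than
    the slot would overwrite the next instruction, so it is refused."""
    if len(replacement) > len(original):
        raise ValueError(
            f"{len(replacement)}-byte replacement does not fit a "
            f"{len(original)}-byte slot")
    return replacement + NOP * (len(original) - len(replacement))


def nop_out(original: bytes) -> bytes:
    """'Replace with code that does nothing': the whole instruction becomes
    NOPs, as done to the 3-byte `dec [eax+3c]` later in the tutorial."""
    return patch_in_place(original, b"")


def build_ammo_patch() -> dict:
    """Both halves of the ammo hack, keyed by the address each is written to:
    the cave stub (force 99, then RET) and the CALL that replaces the game's
    original write. The lone NOP after RET in Cheat Engine's listing is just
    the padding left from the 2-byte `add [eax],al` (00 00) that RET overwrote."""
    stub = mov_ebp_disp32_imm32(AMMO_DISP, AMMO_VALUE) + RET
    hook = patch_in_place(ORIG_WRITE_BYTES, call_rel32(ORIG_WRITE_ADDR, CAVE_ADDR))
    return {CAVE_ADDR: stub, ORIG_WRITE_ADDR: hook}


if __name__ == "__main__":
    for addr, code in build_ammo_patch().items():
        print(f"{addr:08X} - {code.hex(' ').upper()}")
    print(f"{0x51D490:08X} - {nop_out(bytes.fromhex('FF 48 3C')).hex(' ').upper()}")
```

Running it prints the same address/byte pairs as the review listing above, so you can check a hand-typed patch against the bytes Cheat Engine shows before trusting it in a trainer.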
Remember to keep note of these, ok! Especially the addresses on the left and the hex numbers! IT'S IMPORTANT FOR LATER! And there is also a good reason why you kept note of the old untouched opcode too!!!
Now go back to your game and fire your gun. W00T! 99 ammo all the time :)
Let's recap on what is going on.
The game will reach 004ee369 expecting to move the decreased ammo value into the ammo address (which is DMA, remember), but instead the game calls the opcodes at address 006ae3c8, which move our own value into the same ammo address and return back to the game code as if nothing ever happened ;)
Now let's try finding a new value to play with; how about the CD amounts for saving your game! Yeah, this should be easy :P
Ok, close the debugger window of Cheat Engine and stop the "what writes" window, and you're back to your Cheat Engine main window.
Go back to the game and check out your number of CDs in your inventory.
You know what to do, search that value!! LOL, ok, just do as before: use one, go back, search the new value etc. etc., till you're left with one address :)
"Hey, what's going on, there are like 3 addresses!!!!" I hear you say. Well, look at your ammo address on the bottom; any near it? Try double clicking one near that and changing its value. Did it work? No? What about that one out of the way? Mine was 0194E5CC; yours again will be different.
Try changing the value on that one. Did it work? W00t!
As before, right click and "Find out what writes to this address", then go back to the game and save the game again to use a CD.
TADA! It found an address; yours should be the same as mine.
0051D490 - FF 48 3C - dec [eax+3c]
Same as mine? Excellent. What this does is decrease the amount at the address contained in EAX plus 3c; EAX+3c makes the address you found. Remember to write this down ok!
What to do with it? Well, it's too short to make a JMP or CALL command, so we will do it the easy way: NOP it out so it won't decrease your CD amount. No DEC command, no decrease.
So click on the line and show the disassembler like before. Click on the address 51D490, right click and say "replace with code that does nothing", then just say ok on the little popup.
So now you have
51D490 - 90 - nop
51D491 - 90 - nop
51D492 - 90 - nop
Write this down for your trainer, of course. Go back to the game and save; did your disc count drop? No? Excellent.
Wow, you've done well, you have got 2 options so far for your trainer.
Guess what! I'm going to leave you to it; let's see how many more options you can come up with?
Then tomorrow I'll show you in part 2 how to build your trainer :)
Good Hunting and Happy Coding :)