Tutorials for Experienced
INSTANT BUILD FOR PLAYER ONLY (by sheep)
02-07-2010, 06:40 AM
I couldn't find this tutorial anywhere on the forums here, but luckily I found it posted somewhere on the net.
Quote:

TIME/DATE: 11:23pm, 09, October 2003
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SUBJECT: INSTANT BUILD FOR PLAYER ONLY - Advanced Options Gamehacking.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Once again I feel it's time to unleash another tutorial onto the world of gamehacking freaks, this one is a little shorter than most.. Hope you all get something from it though.

RANTS!
------
I notice a lot of fucking idiots around the trainer community that seem to think bashing out the same shit day after day is helping the community in some way, people sitting on forums talking about how to make a trainer engine for the last 2 years need to get a fucking life.. The REAL!! trainer scene which is part of the WAREZ RLS scene with groups such as MYTH, CLASS, DIVINE, DEVIANCE, FAIRLIGHT etc.. seems to have gone to shit these days, it's infested with lame ass groups rlsing substandard trainers to gain rls numbers. Let's hope these lame fucks read my tutorials and educate themselves so that the standard of trainers can at least raise a little. I feel better now :)

ON WITH THE SHOW!
-----------------
With the increase of RTS games on the PC market lots of trainers are being created for them but unfortunately not many are created correctly. The main problem with these BAD trainers is that when the trainer maker manipulates the code in an RTS, 99% of the time the same code is used for the computer player as well, ergo.. we get an invalid option because the computer will use that option to a greater advantage than u ever could, especially if it's instant build.. u can generally tell if u are using a BAD trainer because u will most likely get ur ass kicked when enabling the options.

TOOLS NEEDED: Softice, Search Engine (Tsearch or Artmoney).
WORK SUBJECT: HOMEWORLD 2

locations...
SOFTICE.........................LOOK FOR IT!!! ITS ON THE WEB!!
SEARCH ENGINE...................LOOK FOR IT!!! ITS ON THE WEB!!
HOMEWORLD 2.....................BUY IT! :)

SOFTICE SETUP
*************
When you press CTRL-D to pop softice you should see the following windows..

REGISTER WINDOW - this window is always at the very top of the softice window (WR [return]) and displays the contents of all the registers..
DUMP WINDOW - generally situated close to the top of the softice window (WD [return]) contains a split screen display.. one side is ascii the other is hex.
CODE WINDOW - this is the main window.. sits just under the DUMP WINDOW (WC [return]) contains the code of whatever process may be running when u pop softice.. the code is represented in ASSEMBLY LANGUAGE instructions..

The comments in the brackets are what you need to type to turn the different windows on.. you also need to type CODE ON.. this will bring up the OPCODES which are a set of numbers displayed to the left of each ASM instruction and to the right of every memory location in the CODE WINDOW..

LESSON START
************
Ok, as stated above the game we will be working on is HOMEWORLD 2 without any updates installed. I'm choosing this game because I've just created a HOMEWORLD 2 trainer and the options are fresh in my mind. I suppose even if u don't have the game u can still learn from the actual theory.

THEORY
******
One thing that we all can assume for ourselves is that the computer doesn't need a graphical representation of the game unlike humans who need the graphical stimulus to work and even play the game (moronic humans) anyway all that babble actually means that the computer will never use ANY routines that are associated with the DISPLAY. I can tell the little cogs in ur head are turning now eh? hmm perhaps not :) well, our task is to find somewhere within the game that our 2 pointers collide, this is called a STAPLE INTERSECTION it means 2 beneficial pointers or code sections are in the same area. You will find many of these STAPLE INTERSECTIONS within the game but tracking them down can sometimes be tricky.

I'm now going to give u an example of a STAPLE INTERSECTION just to make sure u understand what I mean.

STAPLE INTERSECTION EXAMPLE
===========================
This is totally made up code but shows u the point I'm trying to make...

    Game Screen
    .===============.
    |               |
    |    (-0-)      | <-- space ships.. hehe
    |    (-0-)      |
    |               |
    |               |
    |   Progress 46%| <-- Players Build Progress, 100% = Unit is built.
    '==============='

(I know that most of the time build progress is shown in a BAR but to make it so people understand more clearly I've used numbers to represent the build progress.)

Ok, so at this present time the screen is being updated with the value 46, this will be somewhere in the data section and very easy to find with a search engine such as tsearch. The progress value in memory is at some stage converted from data into a graphical representation of what we see on the screen. This is where we will find our STAPLE INTERSECTION.

STAPLE INTERSECTION CODE
========================
(this code is not real)

    Graphical Conversion Routine.

    mov edx, [ecx+456*4+456]   <-- Move Build Progress value into edx (46)
    lea eax, [ebp-130h]
    push eax
    push dword ptr [ebp+8]
    lea eax, [ebp-234h]
    push offset bb55
    push edx
    call 456333                <-- Convert 46 (value) into 46% ON SCREEN.
    add esp, 10h

The above routine is a perfect example of a STAPLE INTERSECTION, we have 2 pointers or code sections that are INTERSECTING with each other.. first we have the REAL!! value in memory (46) and then we have the routine that is converting it into a graphical representation.. CALL 456333. The reason we need both crossing at 1 point is because we need something from both elements..

ELEMENT 1 - mov edx, [ecx+456*4+456]  <--- this gives us access to our real value (46)
ELEMENT 2 - call 456333               <--- this gives us a place that the computer never uses because it's a SCREEN ROUTINE!

ELEMENT 1 + ELEMENT 2 = STAPLE INTERSECTION which in turn means we now have a place to inject code, update our value and we are assured that the computer will never get the benefit.

I'm going to go 1 step further just in case u guys still don't get it.. below is what will probably happen when a UNIT is built within an RTS.

COMPUTER PLAYER BUILD ROUTINE
=============================
1 Check Money Amount (make sure the computer has enough to build the unit)
2 Start Building
3 Update Build Progress
4 Check Build Status (is it at 100%?)

Ok, there are more than likely a lot more steps but this shows u the basics.. now we look at the HUMAN PLAYER.

HUMAN PLAYER BUILD ROUTINE
==========================
1 Check Money Amount (same as above)
2 Start Building
3 Update Build Progress
4 Update Screen Progress                <-- STAPLE INTERSECTION!
5 Check Build Status (same as above)
6 Check if Player Quit Unit Production  <-- STAPLE INTERSECTION!

As u can see there are more steps included in the human player's routine because humans need to SEE the game (4) and humans also change their mind (6). Both are valid STAPLE INTERSECTIONS but the screen update is the cleanest and best way of the two.

So now I hope u all at least know the REASONS why we are using STAPLE INTERSECTIONS and how they are very beneficial when it comes to cutting the computer out of any cheat benefits.

PRACTICAL
*********
This is the part of the show where I take HOMEWORLD 2 (our chosen target) and enlighten u all on how to actually obtain the instant build option using a STAPLE INTERSECTION.

1. Finding the build progress data location
-------------------------------------------
(As this is supposed to be an advanced tutorial this will be a brief description.)

i)   START BUILDING A UNIT (space craft etc.)
ii)  SWITCH TO TSEARCH (or whatever search engine u are using) and do an unknown search.
iii) FINAL SEARCH (This game uses a DWORD to store the progress of the build, it also decreases as the bar goes up so make sure u do a DECREASED search rather than INCREASE. If u use the pause build button u can also add a NOT CHANGED search which will shorten ur search a LOT)

oki, this is what I found.

    108E030C: 001046BA   <-- this value is what remained of my build progress.

Once u have ur value (ur value will be different btw..) then u need to freeze all building progress with the PAUSE BUILD button.. it's just on the right of the actual progress bar, this will stop our breakpoint from picking up any of the progression code.

Now we have this done we need to set an OPEN breakpoint on the progress value we just searched for.. so in softice do this.. type..

    BPM <address> (return)

mine looks like this..

    BPM 108e030c (return)

An OPEN BREAKPOINT just means that it will pick up any code that either READS or WRITES to the value we breakpoint. If u have done this correctly softice should constantly break at the code below.. We know that this is indeed the onscreen display routine because if we change the JNZ at location 51cff5 to a JMP then we get no progress bar at all on the screen.

    .text:0051CFF3 cmp edx, [ecx]
    .text:0051CFF5 jnz short loc_51D016
    .text:0051CFF7 mov ecx, [ebp+var_C]
    .text:0051CFFA mov ecx, [ecx+1Ch]
    .text:0051CFFD mov eax, [eax+0Ch]       <-- our build progress value is placed in eax.
    .text:0051D000 mov [ebp+var_1C], ecx    <-- softice breaks here
    .text:0051D003 sar eax, 0Ah             <-- our build progress value is converted.
    .text:0051D006 sub ecx, eax             <-- ecx = build to go, eax = build already done
    .text:0051D008 mov [ebp+var_4], ecx

The code here just determines the percentage of the screen it has to fill with the color yellow, this represents the build progress.. So now we have tracked down our STAPLE INTERSECTION that will NEVER be used by the computer yet it has a direct link to the values we need to change.. oh happy day!! :)

We are ready to inject a little bit of code to make an instant build for PLAYER ONLY.. So.. first thing we do is determine what we need to inject.. well, I suggest the best way to tackle this problem is by moving 0 into the (LEFT TO BUILD) progress value which is situated at offset EAX+0Ch, u need to be very careful though because as u may have noticed the pointer EAX+0Ch is actually being placed into EAX which will destroy our pointer to the value we need.. so this is where we shall jump out..

    .text:0051CFF3 cmp edx, [ecx]
    .text:0051CFF5 jnz short loc_51D016
    .text:0051CFF7 mov ecx, [ebp+var_C]
    .text:0051CFFA mov ecx, [ecx+1Ch]
    .text:0051CFFD mov eax, [eax+0Ch]       <-- jmp out here --.
    .text:0051D000 mov [ebp+var_1C], ecx                       |
    .text:0051D003 sar eax, 0Ah                                |
    .text:0051D006 sub ecx, eax                                |
    .text:0051D008 mov [ebp+var_4], ecx                        |
                                                               |
                   CODE CAVE                                   |
                                                               |
    .data:008b9E00                          <---to here--------'
    .data:........
    .data:........
    .data:........

final code looks something like this..

    .text:0051CFF3 cmp edx, [ecx]
    .text:0051CFF5 jnz short loc_51D016
    .text:0051CFF7 mov ecx, [ebp+var_C]
    .text:0051CFFA mov ecx, [ecx+1Ch]
    .text:0051CFFD jmp 8b9e00               <-- jmp out here(1)--.
    .text:0051D000 nop                      #-- back to here(2)--.  |
    .text:0051D003 sar eax, 0Ah                                  |  |
    .text:0051D006 sub ecx, eax                                  |  |
    .text:0051D008 mov [ebp+var_4], ecx                          |  |
                                                                 |  |
                   CODE CAVE                                     |  |
                                                                 |  |
    .data:008b9E00 mov dword ptr [eax+0Ch], 0   #---to here(1)------'
    .data:........ mov eax, [eax+0Ch]                            |
    .data:........ mov [ebp+var_1C], ecx                         |
    .data:........ jmp 51d000               <---jmp back from here(2) -----'

Most of the time I recreate the destroyed instructions first, but because the instruction destroys the pointer I had to re-create it after we have placed 0 into the build progress value. Once this is all done u can press F5 to let softice run the game and ur instant build will be complete..

IMPORTANT NOTE: it's very important that u always re-create the instructions u destroy when using CODE CAVES, at worst u will crash the game and at best u will kill gfx onscreen which I always think is an ugly option.

ADDITION: I forgot to add this in. The theory used here can be applied to any options really, money etc.. anything that has a screen value.. try it next time u come across a game that uses the SAME routines for health as u and the enemy.. works 100%.. thanks to SKYNET for reminding me to add this.. :)

FINAL WORDS
-----------
Once again we find ourselves at the end of another show.. time just flies when ur reading massive amounts of shite! :) seriously I hope u all get something from this tutorial, I don't spend my time writing them for nothing u know :) until next time dudes..

*******************************************************************************************
*******************************************************************************************

If u have any questions or comments then email me at... sh33pr3c@hotmail.com
visit my site for more tutorials.. sheeps trainer site..

I would just like to greet some people that support and inspire me....
Odin, MiraMax, KeyboardJunky, Calligula, Orr, DarkLighter, Kilby, Tuna, MiNiSTER, [NTSC], [Drone], Rizzah, [Etrigan], tko.. No order.. just GREAT people..

PLEASE FEEL FREE TO SPREAD THIS DOCUMENT TO ANY SITES!!!!!

Last edited by Turtle; 02-07-2010 at 07:16 AM.
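From the game's side, the code-cave patch in the final listing is a 5-byte near jmp written into .text at 0051CFFD that lands in a writable .data page at 008B9E00, which is exactly the condition a code-integrity check can flag. The following is an added example, not code from the tutorial or from Homeworld 2: it scans a constructed byte image of the quoted routine for E9 rel32 jumps whose destination leaves .text (instruction encodings taken from the listing's mnemonics, var_1C and var_C assumed to be ebp-1Ch and ebp-0Ch, and the .text bounds assumed since the page gives only the two addresses).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed section bounds: only 0051CFF3 (.text) and 008B9E00 (.data) come from the listing. */
#define TEXT_LO  0x00401000u
#define TEXT_HI  0x00800000u
#define ROUTINE  0x0051CFF3u   /* first address of the quoted display routine */

/* Constructed image of .text:0051CFF3..0051D00A, encoded from the listing's mnemonics. */
static const uint8_t clean[] = {
    0x3B,0x11,            /* 0051CFF3 cmp edx,[ecx]        */
    0x75,0x1F,            /* 0051CFF5 jnz short 0051D016   */
    0x8B,0x4D,0xF4,       /* 0051CFF7 mov ecx,[ebp-0Ch]    */
    0x8B,0x49,0x1C,       /* 0051CFFA mov ecx,[ecx+1Ch]    */
    0x8B,0x40,0x0C,       /* 0051CFFD mov eax,[eax+0Ch]    */
    0x89,0x4D,0xE4,       /* 0051D000 mov [ebp-1Ch],ecx    */
    0xC1,0xF8,0x0A,       /* 0051D003 sar eax,0Ah          */
    0x2B,0xC8,            /* 0051D006 sub ecx,eax          */
    0x89,0x4D,0xFC,       /* 0051D008 mov [ebp-4],ecx      */
};
/* Same region after the tutorial's patch: "jmp 8b9e00" is E9 + rel32,
 * rel32 = 0x008B9E00 - (0x0051CFFD + 5) = 0x0039CDFE, overwriting both movs. */
static const uint8_t patched[] = {
    0x3B,0x11, 0x75,0x1F, 0x8B,0x4D,0xF4, 0x8B,0x49,0x1C,
    0xE9,0xFE,0xCD,0x39,0x00,   /* 0051CFFD jmp 008B9E00 (target is in .data) */
    0x90,                       /* leftover byte of the destroyed mov, nopped  */
    0xC1,0xF8,0x0A, 0x2B,0xC8, 0x89,0x4D,0xFC,
};

/* Report every E9 rel32 whose destination lies outside .text; returns the hit
 * count and stores the first offending target. A byte-wise scan is a heuristic
 * (E9 can also occur inside an immediate), so production checkers pair it with
 * hashing the .text pages against the on-disk image. */
static int find_jumps_out_of_text(const uint8_t *code, size_t len, uint32_t base, uint32_t *first)
{
    int hits = 0;
    for (size_t i = 0; i + 5 <= len; i++) {
        if (code[i] != 0xE9) continue;
        uint32_t rel = (uint32_t)code[i+1] | (uint32_t)code[i+2] << 8 |
                       (uint32_t)code[i+3] << 16 | (uint32_t)code[i+4] << 24;
        uint32_t target = base + (uint32_t)i + 5 + rel;   /* wraps like the CPU does */
        if (target < TEXT_LO || target >= TEXT_HI) {
            if (hits++ == 0 && first) *first = target;
            printf("jmp at %08X -> %08X leaves .text\n", base + (unsigned)i, target);
        }
    }
    return hits;
}
int hits_clean(void)   { return find_jumps_out_of_text(clean, sizeof clean, ROUTINE, NULL); }
int hits_patched(void) { return find_jumps_out_of_text(patched, sizeof patched, ROUTINE, NULL); }
uint32_t patched_target(void) { uint32_t t = 0; find_jumps_out_of_text(patched, sizeof patched, ROUTINE, &t); return t; }
int main(void) { printf("clean: %d, patched: %d\n", hits_clean(), hits_patched()); return 0; }
```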