A trainer is a program written to intercept and alter the memory addresses of games that are running in the background. Usually trainers contain such features as GOD MODE, UNLIMITED LIVES and others that sometimes aren't pre-programmed into the game by its designers.

Some people believe that creating a trainer is extremely difficult and requires all kinds of programming knowledge and skills. Not true. Some very friendly tools have been created to allow anyone to make their very own trainers for their favorite games. In these tutorials, we'll teach you the basics of how to get started and give you step by step instructions on creating trainers that you can follow along with on your
Tackling Code-Shifting by HonestGamer
Code-Shifting is yet another form of memory allocation, like Dynamic Memory Allocation, that is present in many games to date. The difference is that instead of the regular (data) addresses, the code areas of the game change dynamically. This is because the code lives in a loaded module (which can be a .dll or .exe) that is mapped at a different location on each run. In other words, when you find an opcode that writes to the values of the game, the address of that opcode is valid for that particular game run only, so the effect will only be seen in that instance. On the next game run the code will have shifted, and you will have to find the opcode again.
There are many popular games that come with Code-Shifting, like the Half-Life series, Doom 3, Counter-Strike, Max Payne 2, etc. I will be taking Half-Life (Original) as an example.
First, we need some tools to train the game:-
- Cheat Engine 5.X (Download from: http://www.cheatengine.org/downloads.php): This is one of the best game hacking tools I have seen to date, and it is extremely easy to tackle this kind of allocation with it.
- Scientific Calculator: The Microsoft Calculator that comes with your Windows OS will do. Just set it to scientific mode, select Hex and QWORD.
First we run Cheat Engine. Then we run the game (here Half-Life). After we reach the main menu, we Alt+Tab back to Cheat Engine and select the game process; for Half-Life it will be hl.exe.
Okay, now let us hack health in the game. The game shows health as a number, so it is easy. In many games the stored values do not match the visual values of the game, and then all you have to do is an Unknown Initial Value scan. But this game stores its health in 4 Bytes, and Exact Value scanning will work.
So you come up with 3 addresses when you search for health in the game. Click on the black one, as the 2 green ones are static and changing them brings no change to the game.
After you include the address in your list, right-click it and select Find out what writes to this address. After you do this, Cheat Engine will attach a debugger to the game and will find out the opcode. For it to find the opcode, return to the game, injure yourself some more and Alt+Tab back to Cheat Engine. At present I am getting this opcode at the corresponding code address:-
03af2347: 89 86 4c 04 00 00 - mov [esi+0000044c],eax
Remember, if you try to make a pointer for health, it will again work in that instance only, as the base will change. Also, the code address 03af2347 is a temporary one and it will change the next time I run the game. Most likely it will shift to an address like 03af2447 which resembles the current one. So there is a method that lets the trainer calculate and trace the shifted code at run time, and this is the one mostly used by trainer makers.
There is a formula for calculation of shifted codes:-
Module Name + (Current Code Area – Base Of The Module)
For finding the module name and its base for this game, I simply right-click the opcode in the code list after adding it and select Open the disassembler at this location.
With the disassembler open, I look at the hexadecimal section of the game memory. Cheat Engine has a fine feature that tells you everything related to that address. So first we search for 03af2347 in it (for that, right-click on the code address column and select Go to address).
As you see on the top line of the image, you get all the details of the code address we searched for (the first one). So the module is hl.dll and the module's base, or the allocation base, is 03ab0000. So now we apply it to the formula I mentioned before:-
hl.dll + (03af2347 – 03ab0000)
(03af2347 – 03ab0000) is a hexadecimal calculation, so we open up our scientific calculator and do it. I am using the Windows Calculator, set to scientific mode with Hex selected and QWORD ticked. I have already done the calculation and this is the image of what it should be:
Just ignore the leading 0 in front of the code addresses when you are doing the calculation. So as you see I got the answer 42347.
So, now we get our ultimate answer to the formula as:-
hl.dll+42347
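The module-relative addressing that formula describes, as an added example (not code from the tutorial or from Cheat Engine): it turns an absolute address into a "module+offset" string against one run's module map, and resolves that string back against another run's map, refusing addresses that lie outside every module. The module sizes and the second run's hl.dll base are assumed sample values.

```python
# Added example: generic module-relative addressing (the tutorial's formula
# "Module Name + (Current Code Area - Base Of The Module)" and its inverse).
# Module sizes and the second-run base below are constructed values.

def find_module(modules, address):
    """Return the (name, base, size) entry whose range contains address, else None."""
    for name, base, size in modules:
        if base <= address < base + size:
            return (name, base, size)
    return None

def to_module_relative(modules, address):
    """Absolute address -> 'module+offset' string such as 'hl.dll+42347'.
    Raises ValueError when the address is in no loaded module (a plain heap
    or stack address, which this technique cannot stabilise)."""
    hit = find_module(modules, address)
    if hit is None:
        raise ValueError(f"{address:08x} is not inside any loaded module")
    name, base, _ = hit
    return f"{name}+{address - base:x}"

def resolve(modules, expr):
    """'module+offset' string -> absolute address against the current module map."""
    name, _, offset = expr.partition("+")
    hit = next((m for m in modules if m[0].lower() == name.lower()), None)
    if hit is None:
        raise ValueError(f"module {name} is not loaded")
    return hit[1] + int(offset, 16)

# Constructed module maps: run 1 uses the hl.dll base the tutorial shows
# (03ab0000); run 2 uses an assumed, shifted base to mimic the next game run.
RUN1 = [("hl.exe", 0x00400000, 0x00100000), ("hl.dll", 0x03ab0000, 0x00200000)]
RUN2 = [("hl.exe", 0x00400000, 0x00100000), ("hl.dll", 0x03bc0000, 0x00200000)]

if __name__ == "__main__":
    expr = to_module_relative(RUN1, 0x03af2347)   # the opcode address found in run 1
    print(expr)                                    # hl.dll+42347
    print(f"{resolve(RUN2, expr):08x}")            # where the same opcode lands in run 2
```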
Now to make an Unlimited Health option, we simply open up the Auto Assembler in Cheat Engine by pressing Ctrl+A while in the Disassembler window, or by going to the Tools tab and selecting Auto Assembler from there.
To save the script you will be making, insert the Cheat Engine framework code from the Templates tab in the Auto Assembler window.
You can code your own script, but I will be using the template Cheat Engine has for Code Injection. For that I go to the Templates tab and then select Code Injection.
When you do, you will get a popup asking you where it should make the jump. Stop here before clicking OK on the automatically entered address; erase it and type in hl.dll+42347 (without spaces), which we derived earlier. The image should make this clear.
So what this does is, whenever you activate the script, it calculates the base of the module (hl.dll) and adds 42347, which gives the shifted code address of our opcode.
So now after we enter this, we go to the memory of the game at that location. We will get the opcode we found for health (look below the originalcode label). Now below the newmem label you can inject your own code, or simply enter a NOP and delete the line of the opcode we found. Remember, you may find several lines below originalcode (this is because a jump is 5 bytes and Cheat Engine automatically takes some bytes from the following instructions if required); do not delete all of them, just the line which is your chosen opcode. If you delete the others, it will corrupt the game code and ultimately the game will crash.
I have chosen to inject my own code. I have made it move the value 100 to [esi+0000044c] so I always have 100 health. This is my final script; look under newmem for my code:
00000064 is the hexadecimal form of 100 in 4 bytes. Now all you do is save it. There we go, we have an Unlimited Health option that will work at any cost! Save it to a CT file or build a trainer and be happy with your achievement!
If you are using any other trainer-building software, just type in what we typed in the On what address do you want to jump popup instead of your regular address.
Hope you understood my tutorial well. The same concept works in other games using Code-Shifting. So best of luck!
- Dark Byte: For his amazing tool, Cheat Engine.
- Zeallsoft: For Super Screen Capture, the tool I used to capture my screen (I have the trial version, so pardon the watermarks).
- Valve: For Half-Life which I used as an example.
- Team ACE members: For their precious support.
- CheatHappens: For hosting this tutorial and for providing incomparable services.