Tutorial

INTRODUCTION:

A trainer is a program written to intercept and alter the contents of memory addresses used by games that are running in the background. Usually trainers contain such features as GOD MODE, UNLIMITED LIVES and others that sometimes aren't pre-programmed into the game by its designers. Some people believe that creating a trainer is extremely difficult and requires all kinds of programming knowledge and skills. Not true. Some very friendly tools have been created to allow anyone to make their very own trainers for their favorite games. In these tutorials, we'll teach you the basics of how to get started and give you step by step instructions on creating trainers that you can follow along with on your own.

Tools needed

1. Obscure Patched to 1.1 (English version - no-cd being used)

Ok here we go!

First of all, if you're new to the game you will obviously start from the beginning. Obviously people who are not new to the game will find this easier since they

But the first one to search for is the easiest and that's ammo; you will find a gun early on in the game. So what to do now? Well, as soon as you have the gun ready, aim it and note the amount of bullets in the gun.

Now ALT+TAB out of the game to Cheat Engine (make sure it's running before the game for easier use).
On Cheat Engine you will see a little PC icon on the top left it should

Select Obscure from the list, now go to new search and place whatever amount of ammo (left side) you have and hit NEW SCAN. It will probably say 2800+ found; not to worry, go back to the game (ALT+TAB) and then fire a shot, go back to Cheat Engine, place that new value into Cheat Engine and hit NEXT SCAN. Hopefully you should be down to a few values; one address will stand out as it doesn't belong with the rest. If you want, fire one more shot to confirm (always the best).

In this instance I had an address of 051B0384; yours will be different as this game uses DMA (Dynamic Memory Addressing, which means each time you play the game the value will never be in the same address).

Ok now we have our address, let's test by double clicking the address on the left so it appears in the bottom section of Cheat Engine. From here double click the value option in the bottom and change its value, then check back in the game to see if any changes were made. It did? Nice :)

Here comes the technical part, get your paper and pen ready and now right click on the address on the bottom part of Cheat Engine, and select "Find out what writes to this

Now a new blank window popped up. Go back to the game and fire another shot, then go back to Cheat Engine; you should see this in the list as a new entry.

    004ee369 - 89 85 54 01 00 00 - mov [ebp+00000154],eax

This address SHOULD be the same. What it says is this: at address 004ee369 the opcode MOV moves the value contained in EAX to the location (remember the [] I talked about?) given by EBP plus the value of 154 hex.

In layman's terms, at this address, the amount of ammo left (EAX) is moved into the memory location ( [EBP+00000154] ) where the old value was and stored there. Later on the game will use this memory location (this is a DMA address) to show your ammo amount on screen.

Fun part here, let's look at the code: click on the 004ee369 entry in the window then click "Show Disassembler". Don't be frightened at the code, just maximize it and look

Right above, at address 004ee368, you should see

    004ee368 - 48 - dec eax

Before it stores the value it decreases the old ammo value by 1, i.e. you fired a shot.

Ok we have two choices: we can remove the DEC op and replace it with NOP (remember NOP does nothing whatsoever and is used to fill in code). OR! We can find a nice place of free space to make our own code and force a nice value into the ammo memory location. Either way is fine, but most trainer makers don't like NOP'ing out DECs as they see it as an easy way out.

Ok let's start on "Code Injection", the fun stuff. We know our address which writes the ammo value, at 4ee369. What I want you to do, and this is important, is to write down the

1. Address

Now you may think, why not take out that opcode? Well, if you do, no amount will be sent to the memory location and it could crash the game. How about changing the opcode to MOV our own value in? We can't do that either: if we tried, it would occupy another 4 bytes of space and would destroy the next code, which would again crash the game.

BUT!!!! We can "inject" a smaller opcode that takes less space, aha! This is what is called CODE INJECTION. But to do this we need to find that lovely free space to write our

While on the desktop load up Sheep's Array of Sunshine, now look down the process list and find Obscure (one note: if you have a folder called obscure open, close it or you will see double :P)

Ok, found Obscure in the list, now press "find code cave". In this window look at the code cave results; you will see odd things like .sforce (I wonder what that is lol)

What we are really looking for is a Code Cave which allows both Read/Write and has enough space to write our code. As you can see the .RSRC entry starts at 006ae3c8h and has a size of c38h (3128 bytes) and is both read/write. Excellent, note this address :) We have found our Code Cave to place our own code.

Now we can close SAS and go back to the disassembler window of Cheat Engine. In the top window right click among the code and say goto address; here place our code cave address, which is 6ae3c8 (don't worry about the 00's or the h, remember h means hex address).

You should now see a lot of 00's and ADD [eax],al's. This is normal, this is free space :)

One IMPORTANT point to make: when making trainers and doing code injection, ALWAYS!!! start with your code before changing game code. If we don't, the game will crash as it will see a lot of 00's and lose its path in the original code. So ALWAYS do your own code first in your code cave, and when done change the game code to look at your new code. Got it? GOOD

Ok, what can we place here to make our ammo 99 all the time? We know this

    MOV [ebp+154],eax

Now if you remembered your DAY 1 lesson, you know you can move either registers or IMMEDIATE VALUES, so you can force a value into this address.

Ok the next step is simple: if we want 99 ammo we just move the 99 value into [ebp+154]. See, not too hard. At this point it's best to use Windows Calculator ill show

ASM will read values in Hex form, not Decimal, so 10 in hex is NOT 10 in decimal. Here is an example, starting from the value 1 and ending with a value of 255:

    01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F,10....FA,FB,FC,FD,FE,FF

So you can see 10h is not 10 dec. So use Windows Calculator in scientific mode, in decimal type 99 and then press the hex option; it will show 63. That is the value of 99 in hex: 63h

Now we know which value to move, we can finish our new line of code. On Cheat Engine, double click on the 6ae3c8 line and manually type (with spaces) this

    MOV [ebp+154],63

If it asks to fill up code with NOPs just say yes to get into a habit, as this is NECESSARY. Not filling unused space with NOPs may corrupt later code.
    6AE3C8 - C7 85 54 01 00 00 63 00 00 00 - mov [ebp+00000154],00000063

Now on the next line manually type in the opcode RET, so you have this

    6AE3D2 - C3 - ret

Remember last tutorial on Calls and Returns. Good, so you know I'm gonna go call our code from the game! Notice the NOP also, this is important.

Ok let's go back to where the original code was, remember I asked you to write it down? YOU DIDN'T!! Shame on you, this IS NOT easy, do follow the steps. To those who did, good job!

Ok, back to the 4ee369 address, to our original MOV code. What we will do here is change that code to our CALL to where our new code is, so the opcode is

    CALL 6ae3c8

Place that on address 4ee369 where the game code is and change it with our own, and also remember to say yes to NOPs! We now should have this
Ok let's review our code

Remember to keep note of these ok! Especially the addresses on the left and the hex numbers! IT'S IMPORTANT FOR LATER! And also there is a good reason why you kept note of the old untouched opcode too!!!

Now go back to your game and fire your gun. W00T! 99 ammo all the time :)

Let's recap on what is going on. The game will reach 004ee369 expecting to move the decreased ammo value into the ammo address (which is DMA, remember), but instead the game calls the opcodes at address 006ae3c8, which move our own value into the same ammo address and return back to the game code as if nothing ever happened ;)

Now let's try finding a new value to play with. How about the CD amounts for saving your game! Yeah this should be easy :P

Ok, close the debugger window of Cheat Engine and stop the "read from" window, and you're back to your Cheat Engine main window. Go back to the game and check out your number of CDs in your inventory. You know what to do, search that value!! LOL ok, just do as before: use one, go back, search the new value etc etc, till you're left with one address :)

"Hey what be going on, tis like 3 addresses!!!!" I hear you say. Well, look at your ammo address on the bottom, any near it? Try double clicking one near that and change its value, did it work? No? What about that one out of the way? Mine was 0194E5CC, yours again will be different. Try changing the value on that one, did it work? W00t!

As before, right click and "Find out what writes to this address", then go back to the game and save the game again to use a CD. TADA! It found an address; yours should be the same as mine.

    0051D490 - FF 48 3C - dec [eax+3c]

Same as mine? Excellent. What this does is decrease the amount at the address contained in EAX plus 3c; EAX+3c gives the address you found. Remember to write this down ok!

What to do with it? Well, it's too short to make a JMP or CALL command, so we will do it the easy way: NOP it out so it won't decrease your CD amount. No DEC command, no decrease.
So click on the line and show disassembler like before. Click on the address 51D490 and right click and say "replace code that does nothing", then just say ok on the little popup. So now you have

    51D490 - 90 - nop

Write this down for your trainer of course. Go back to the game and save, did your disc count drop? No? Excellent.

Wow, you've done good, you have got 2 options so far for your trainer. Guess what! I'm gonna leave you to it, let's see how many more options you can come up with. Then tomorrow I'll show you in part 2 how to build your trainer :)

Good Hunting and Happy Coding :)

Part 2

Ok so we have our options for our trainer, so how to make a trainer? A good place to start is using Trainer Maker Kit, which can be found on the web freely. Remember I told ya to mark down your changes and addresses etc? Well, I hope you did, because you will need them here. Especially the hex values and the addresses.

Ok this is what has to be done.

1. Make sure the game is running and ALT+TAB out of the game to the desktop

Ok you have TMK running now, now what to do

Ok, give the project a name and click on create.

Ok, first off we have to tell the trainer which game it's going to patch when it's built. You will see a Tab on the left middle window entitled "Build Settings", click here and

Now the field below entitled Exe name is the name of the trainer you're going to make and NOT the game itself. So type here c:\mytrain, this will save your trainer to C:

Ok let's get back to the Objects menu. Click this.

Ok we are back to the Objects menu, and we have a very dull looking trainer so far. Nothing there. First right click on the dialog box shown on the right screen. And

Just change the Trainer title to "Obscure v1.1 +x Trainer". x is the number of options you have; bear in mind that all ammo options you have count as one and should be placed under the same option.

Let's add a Button. You can use the insert menu or the button icon on the top row. A button will be used to either...

1. Be pressed to start an option

Ok we have a button. What you can do is move the button around to be placed where you like; wherever is fine, it's up to yourself.

Now right click the button and go to properties, and here you can change the button name: say if ammo, call it "Ammo" (without the ""), or if health, call it "Health". Other Tabs on

Let's go through them.

1. FCT - This will be where you will tell TMK the function of the button. Since it's for changing game code, we will click on Poke (which it should be by default).
2. Ttip - This is for a mouse over event: when you move the mouse over the button you can display a small information window saying what it does, but it isn't really needed so leave it blank.
3. Color - Obviously to change the colour of the button and the text inside it.
4. BMP - This is for when you have picture buttons, one for normal, one for over the top (maybe a light added) and one for when clicked (for example a pressed in button).
5. Key - An important one, here you can specify the hotkey, so when you press the key in game the trainer will know what to do. Just make sure you don't use a button that is
6. Misc - If you want to add a sound when a button is pressed, so as to let people know they have activated a cheat. Again not necessary and will take up more space.

Ok so the important ones are FCT, Color and Key for now. Set them to what you want then close the window.

Now right click again on the button, and choose Write Memory Actions. This is where we will add our code for the game :)

Ok, I'll use my ammo information as shown in part 1. When I load up the Write Memory Actions I am presented with a white box in which I can type, and some other buttons. Don't use the wizard, it's a pain in the backside for this.

Just to recap, here is my code injection for the ammo from part 1.
In our little window we will do this. Type in this

    POKE Address_used Hex_values

Note that addresses must be 8 hex digits long; the addy in my example above is 6 digits, so add 00 at the start so 6AE3C8 becomes 006AE3C8. Also use CAPS LOCK, it's much easier ;)

In my case it will look like this

    POKE 006AE3C8 C7 85 54 01 00 00 63 00 00 00 C3 90

I just used the first address noted and typed out each individual hex value; they will be placed in the correct place, as long as the address is correct! You will know if you did it right, as Poke will be blue colored, the address black, and each individual hex value light blue. Once done hit apply.

There you go, one option done. It is the same for each other button: just use a unique key for each button, and type in the correct addresses used and hex values.

When you have done all this, remember to SAVE the project. There is nothing worse than quitting TMK only to go back, maybe because of a mistyped value, to find it's not there anymore. So save after each button made to be sure, ok.

Once saved, you can build your trainer: just go to the build menu at the top and select Build Your Project. It will be saved to disc, so you can run it and test it. It is best to test from a clean load of the game, so you can see whether the options are working or not. If the game crashes, you may have made a mistake somewhere; go back to check what's been done.

For further fun, you can add a picture to your trainer, change its icon etc. Once you build your trainer, have a look at the options and have fun.

There ya go, well done, your first trainer, which you can be proud of showing or showing off to your friends.