10-27-2010, 10:14
Defeating DMA - Pointer Searching using Tsearch
by EEDOK
best read in 800x600 resolution, maximized
Mr_eedok[at]hotmail.com
-------------------------------------------------
What you'll need to do this tutorial:
Tsearch 1.5 or later
Tsongkie's GHME
Hexadecimal Calculator
--------------------------------------------------
Theory:
In many games that use DMA it is common to see commands like this: mov [esi+0x4],eax. What this
means is: copy eax to an area of memory 4 bytes past a pointer (here, the pointer held in esi). That
pointer is normally stored somewhere in the memory of the program. So to be able to hack programs that
use this, we just read the pointer, add the offset manually, and we then have the address which we
want to hack.
This is beneficial over nopping or reversing asm commands because:
1. You don't have to modify any of the asm code.
2. You can make the address any value, anytime.
3. A segment of code does not have to be initialized.
4. It allows for one-sided hacks where certain functions are shared between the CPU and the player.
-----------------------------------------------------
Getting started:
1. Open up Tsearch and the GTM, pause the GTM and find the address for money.
2. In Tsearch hit Autohack>enable debugger, go into the GTM and unpause it until the money
changes, then go back into Tsearch and hit Autohack>Autohack Window.
3. In the Autohack Window it should have popped at 4011DB: sub [esi+0x4],eax. What this means
is: subtract the value of eax from the area of memory 4 bytes past the pointer. All we need
to know here is that the current address is +0x4 bytes from the pointer.
4. Open up your hexadecimal calculator and put in your current address (in hex), then subtract 4
from it (also in hex).
5. Convert the result of the previous step to decimal format and search for it in Tsearch. If
done correctly you should have the address 403138.
6. Hit the restart button so the address of money changes; you should notice that the
value stored at 403138 changes along with it.
7. Read the value at 403138, convert the value to hexadecimal, then add 4 to it; this will give
you the new location of money. This will work even if you restart the program.
8. Make a function in your trainer to read address 403138 and add 4 to it, then write to the
address that results.
------------------------------------------------------------
Possible problem and solution:
I noticed this when I was playing GTA3 and wanted to hack my health, and the problem was that
when I did a search for pointers I ended up with more than 50 addresses. So here's what I did:
A) Had Artmoney to search for the new locations of my health value.
B) Had Tsearch open to find my pointer.
Well, first I did the search for the pointer in Tsearch and immediately got 54 addresses. So I
restarted GTA3. After restarting I used Artmoney to re-find my health address, and upon finding
it I searched for my pointer value again. This resulted in 14 results for a pointer. So I
restarted the program again, and deleted the possible pointers that turned to 0, showing that
they're definitely not a pointer to what I wanted. I repeated finding my health and searching
for a new pointer, which resulted in 6 addresses being found. At this time I noticed that every
time I restarted the game, all 6 addresses were the same as each other, no matter how often or
at what time I started the game, so I just used the one closest to the program's entry point.
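The pointer arithmetic of steps 4-8 and the restart-and-filter method from the problem section, as an added example (not code from the tutorial or from Tsearch). It runs against a constructed in-memory region standing in for process memory; a real trainer would read and write through ReadProcessMemory/WriteProcessMemory instead. 0x403138 and the +0x4 offset are the tutorial's numbers; every other address and value is made up for the demo.

```python
import struct

class Memory:
    """Stand-in for a process memory region (constructed for this example only)."""
    def __init__(self, base, size):
        self.base, self.buf = base, bytearray(size)

    def read_u32(self, addr):
        # A 4-byte pointer on x86 is stored little-endian; unpack it as such.
        return struct.unpack_from("<I", self.buf, addr - self.base)[0]

    def write_u32(self, addr, value):
        struct.pack_into("<I", self.buf, addr - self.base, value)

    def scan_u32(self, value):
        """Step 5: every address whose 4 bytes equal `value` (what the Tsearch search does)."""
        needle = struct.pack("<I", value)
        return {self.base + i for i in range(len(self.buf) - 3)
                if self.buf[i:i + 4] == needle}

def pointer_to_search(dynamic_addr, offset):
    """Step 4: the register held dynamic_addr - offset, so that is the pointer value to look for."""
    return dynamic_addr - offset

def refine(candidates, mem, new_dynamic_addr, offset):
    """Problem section: after a restart keep only candidates that now hold the new pointer;
    entries that turned to 0 (or anything else) are dropped."""
    want = pointer_to_search(new_dynamic_addr, offset)
    return {a for a in candidates if mem.read_u32(a) == want}

def resolve(mem, static_addr, offset):
    """Steps 7/8: read the pointer at the static address and add the offset to get the live address."""
    return mem.read_u32(static_addr) + offset

def demo():
    mem = Memory(0x403000, 0x400)
    # Run 1 (constructed): money lives at 0x12F3A4, so its pointer is 0x12F3A0. It is stored at
    # 0x403138, and a decoy copy at 0x403200 happens to hold the same value.
    mem.write_u32(0x403138, 0x12F3A0)
    mem.write_u32(0x403200, 0x12F3A0)
    first = mem.scan_u32(pointer_to_search(0x12F3A4, 0x4))   # two candidates
    # Run 2 (constructed): after a restart money moved to 0x12F5C4; the decoy turned to 0.
    mem.write_u32(0x403138, 0x12F5C0)
    mem.write_u32(0x403200, 0)
    final = refine(first, mem, 0x12F5C4, 0x4)                # only 0x403138 survives
    return first, final, resolve(mem, 0x403138, 0x4)
```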
-----------------------------------------------------------------
Shouts to:
Devious: Stonerifik, Tsongkie, Omega, Synbios, Micral, Mini^Me, brzi, Invader, Sn0w
renzo, bie, ddh, Vortexion, routine_error, [Ginger], Ultimate, Zekk
Web sites:
http://devious.tsongkie.com
http://eedok.simplehost.com
Feel free to tell me about corrections, or additions I should make to this tutorial.
If you find a copy of this tutorial on a site not listed above, feel free to contact
me about it, I'll take care of the rest.