DMA Explained And Trained
  1. #1 kingviper

    DMA Explained And Trained

    I found this on http://rpg-exploiters.shoq.net/forum...ight=dma++axis
    I was having trouble with understanding DMA so I thought this would be helpful.
    ENJOY!

    Advanced Game Training by [sheep] a.k.a RECLAIM!

    ------------------------------------------------

    (best viewed in 1024x76

    LESSON : 1.

    SUBJECT: DMA - Dynamic Memory Allocation.

    TOOLS NEEDED: Softice, memory searcher (ur choice).



    U now have in ur possession (part 1) of an ever expanding tutorial covering ADVANCED GAME HACKING (A.G.H.). Over the next few months I hope to write a series of tutorials covering all aspects of A.G.H. The lessons I will be teaching in these tutorials will give u the needed skills to make the transition from NEWBIE GAME HACKER to GAME HACK REVERSER.

    Apart from the beginner stuff I'm about to introduce, I've never seen any of the information in my tutorials written anywhere else. This may be due to people either not wanting to give out advanced information that has taken them a long time to study, OR they just can't be bothered to write an extensive essay about this subject. Either way it doesn't matter, because u are about to learn ALL!!





    LESSON START
    ------------

    WHAT IS DMA?
    ------------

    I'm sure u have all heard about DMA by now. Understanding what this is and how to defeat it are the first steps of a mighty ladder. I'll try and stick to telling u how DMA affects us (THE GAME HACKER) and not stray into too much technical detail.

    When a game uses DMA the memory locations it uses are allocated dynamically, whereby the game grabs the next available slot of memory and gives it to whoever asked for it.

    Generally there are so many variations going on while ur computer is running that it's very unlikely the memory locations u get on one occasion will be the same the next time u reload the game. This is why ur trainers only work just after u have collected the addresses and NOT once u have reloaded. Once the game is reloaded it will grab a whole NEW set of memory locations for itself, thus making ur OLD set of memory locations useless.

    To defeat DMA and create a trainer that will work 100% of the time u need to come out of the realms of the NEWBIE and into the NEW LAND.



    NEW TOOL!
    ---------

    This is where we start adding NEW tools to our cheater's arsenal. The first tool we need to add is called SOFTICE. It's a software debugger that enables u to manipulate the game code (on the fly), which means while the game is still running.

    I won't go into installing softice in this tutorial. There are plenty of other tutorials that do that for u, so from here on I'll assume u already have it installed.





    SOFTICE SETUP
    -------------

    When u press CTRL-D to pop softice u should see the following windows:

    REGISTER WINDOW - this window is always at the very top of the softice window (WR [return]) and displays the contents of all the registers.

    DUMP WINDOW - generally situated close to the top of the softice window (WD [return]). Contains a split screen display: one side is ASCII, the other is hex.

    CODE WINDOW - this is the main window. Sits just under the DUMP WINDOW (WC [return]). Contains the code of whatever process may be running when u pop softice. The code is represented in ASSEMBLY LANGUAGE instructions.

    The comments in the brackets are what u need to type to turn the different windows on. Also u need to type CODE ON. This will bring up the OPCODES, which are a set of numbers displayed to the left of each ASM instruction and to the right of every memory location in the CODE WINDOW.

    (If u don't understand any ASM then I suggest u go away now and read up on a basic tutorial.)



    DEFEATING DMA
    -------------

    THEORY
    ------

    At the end of this section I will show u how DMA is defeated IN PRACTICE. I'll use a game I've recently trained, showing u code listings so that u can apply the theory to a practical example. So don't worry if I'm not going into too much detail about setting breakpoints etc. It will all be covered in the PRACTICAL section.

    As we cannot change the memory locations of a DMA game we need to get right to the core, and by that I mean the GAME CODE. Once u have found ur memory locations in a NON-DMA game u generally make ur trainer poke numbers into the locations u have found, and this makes an effective trainer. We know that this doesn't work for DMA, so what we have to do is STOP the game code from decreasing our locations. We do this by WATCHING what happens to our memory locations while the game is running. Thankfully we don't need to sit there and do the WATCHING ourselves; our new friend SOFTICE does it all for us.

    Example:

    Let's say I have 5 lives and the location of these lives is 490000.

    We can all think logically, so we know that when we die in the game the GAME CODE will decrease the location 490000 by 1. We need to stop this from happening.

    The way we do this is by setting something called a BREAKPOINT. There are a few kinds of breakpoint available to us, but the one we need at the moment is a MEMORY BREAKPOINT. This breakpoint will WATCH a memory location for us. If anything should affect our memory location then softice will pop at the exact piece of code that affected it. This means that when we die inside the game and the GAME CODE decreases our lives, softice will pop and we will find ourselves looking at the GAME CODE that decreases our lives. GOOD STUFF EH?

    Unfortunately this is where it starts to get tricky. U NEED to be able to understand what u are looking at. By this I mean u HAVE to learn at least the basics of ASSEMBLY LANGUAGE. For some people this is too much and that's why they have given in, but for many I know u have struggled and stuck to it and have at least got a small understanding of ASM.



    GAME CODE
    ---------

    There is something VERY advantageous about GAME CODE: IT NEVER CHANGES LOCATION. That's right, on every single game, EVEN DMA GAMES. If we find the GAME CODE that decreases our lives at 453000 then u can bet ur life that the next time u load the game the EXACT same code is at 453000, and this is the key to defeating DMA. Instead of poking values into DATA memory locations, we are going to poke values into CODE memory locations. Actually they are the same thing fundamentally; they just behave in different ways.



    CODE KILLING
    ------------

    This is what u will see inside softice:

    ADDRESS...... OPCODES............ ASSEMBLY LANGUAGE.....

    0120:00008096 01585A      ADD [EAX+5A],EBX
    0120:00008099 7404        JZ 0000809F
    0120:0000809B B486        MOV AH,86
    0120:0000809D EB17        JMP 000080B6
    0120:0000809F 55          PUSH EBP
    0120:000080A0 1E          PUSH DS
    0120:000080A1 50          PUSH EAX
    0120:000080A2 E86E078ED8  CALL D88E8815

    This is just a random code snippet taken from softice. It has nothing to do with a GAME of any kind; I just wanted to show u what was what when it came to the CODE WINDOW display, as this is the place u will be spending most of ur time.



    Now I will show u a section of code taken from a message board. This is from a REAL GAME.

    ADDRESS...... OPCODES........ ASSEMBLY LANGUAGE.......

    016F:xxxxxxxx 0000  MOV EAX,[EDI]
    016F:xxxxxxxx 0000  DEC EAX
    016F:xxxxxxxx 0000  MOV [ESI+0C],ECX
    016F:xxxxxxxx 0000  MOV [EDI],EAX
    016F:xxxxxxxx 0000  MOV EDI,EAX

    OK, the assembly instructions are the only valid thing in the above code. The rest have either been filled with 0000 for opcodes or xxxxxxxx for the addresses. These are not important at this time anyway.

    The above code probably means absolutely nothing to u, and don't worry, because it shouldn't.



    NOW!!! Let me add a story and some comments to the above code.

    We are playing a game. We have got 20 LIVES. We find the location of these LIVES at 445566. We place a breakpoint on this location inside softice, so that when something affects our LIVES softice will pop and we can see the code that is affecting them.

    WE FALL DOWN A HOLE AND DIE!!!!

    BANG!!!!

    SOFTICE POPS!!!!!

    This is what we see:

    ADDRESS...... OPCODES........ ASSEMBLY LANGUAGE.......

    016F:xxxxxxxx 0000  MOV EAX,[EDI]     <------ number of LIVES we already had is read from [EDI] and placed into EAX. (EDI=445566) (EAX=20)
    016F:xxxxxxxx 0000  DEC EAX           <------ EAX is decreased by 1 (EAX = 19)
    016F:xxxxxxxx 0000  MOV [ESI+0C],ECX  <------ store ECX.
    016F:xxxxxxxx 0000  MOV [EDI],EAX     <------ place NEW LIVES amount back into location 445566. (EDI=445566) (EAX=19)
    016F:xxxxxxxx 0000  MOV EDI,EAX       <------ SOFTICE LANDS HERE, UNDER THE INSTRUCTION THAT AFFECTED THE LIVES.

    I hope the picture has become more clear to u now. The lives are read from our location, then decreased by 1 and then placed back into our location. I'm sure the clever ones reading this will already have figured out what we have to do, but for the slower chaps I'll continue.





    016F:xxxxxxxx 48  DEC EAX  <------ EAX is decreased by 1 (EAX = 19)

    OK, this is the NASTY instruction that is killing our poor little character. As u can see I've put in the REAL OPCODE for this instruction: it's 48.

    This instruction decreases our lives by 1 each time. What we need to do is GET RID OF IT!! If we do then there is nothing to kill our little character and he can live forever.

    Thankfully we can do this within softice. U need to replace the DEC EAX with something else. The all time fave for replacing stuff that isn't needed is an equally small instruction called NOP, which is NO-OPERATION. That's correct: when this instruction is executed absolutely nothing is done. So KEEP this little NOP by ur side at all times.

    So if we replace

    016F:xxxxxxxx 48  DEC EAX  <------ EAX is decreased by 1 (EAX = 19)

    with

    016F:xxxxxxxx 90  NOP      <------ NO OPERATION

    then we have infinite lives. It's as easy as that.





    THE THING ABOUT NOP
    -------------------

    When u are replacing instructions inside a program u have to make sure that if an instruction has 5 opcodes then u MUST replace it with 5 opcodes.

    Example:

    0120:00008121 E86C04EB10  CALL 10EB8592

    If I wanted to get rid of the above call, I couldn't just put 1 NOP, because NOP is only 90. I need to FILL E8-6C-04-EB-10, so instead of just NOP (90) I would need 5 NOPs: 90-90-90-90-90. Otherwise the program will most definitely crash on u. So once u have replaced this call it should look like this:

    before...

    0120:00008121 E86C04EB10  CALL 10EB8592

    after...

    0120:00008121 90  NOP
    0120:00008123 90  NOP
    0120:00008125 90  NOP
    0120:00008127 90  NOP
    0120:00008129 90  NOP







    MAKING THE DMA TRAINER
    ----------------------

    A DMA trainer is no different in any way to a NORMAL trainer. All u are doing is poking values into the CODE section instead of the DATA section.

    Example:

    replace

    016F:0000412345 48  DEC EAX  <------ EAX is decreased by 1 (EAX = 19)

    with

    016F:0000412345 90  NOP      <------ NO OPERATION

    Same code, but this time I've added the addresses and the correct OPCODES. If I wanted to make a trainer that worked 100% on this DMA game, all I need to do is poke 90 (NOP) into location 412345. This would turn the DEC EAX into a NOP and the game would have infinite lives. No need to worry about DMA locations anymore: 412345 WILL ALWAYS!!! be the place to poke 90 and get infinite lives. GAME CODE DOES NOT CHANGE LOCATION!!!

    As I said at the beginning, I haven't gone into much detail about how to set breakpoints etc. This will all be taken care of in the next part of the tutorial.





    PRACTICAL EXAMPLE (Serious Sam 2)
    ---------------------------------

    As I don't like to do things by half, I will now show u a practical approach to defeating DMA with code listings and softice commands. This is just a backup of what is written above. After this u should be able to understand the entire tutorial, that is if u don't already.

    These code listings and commands all come from the game SERIOUS SAM 2. U don't need to go and find this game, but if u have it then it will make it a lot easier for u to have a go with what we have learnt today.

    On this game I've decided to show u BULLETS instead of lives because the life total in SS2 is worked out slightly differently (something I will be tackling in another tutorial).

    OK, let's begin.





    1. I did a normal EXACT VALUE search to find the address for the bullets. I got the address 6AFEF28.

    2. I POPPED softice with CTRL-D so that I could set a breakpoint on the bullets location.

    3. Inside softice I typed BPM 6AFEF28 W (the W means WRITE, so whenever something writes to our address softice will pop), then I pressed RETURN to set the breakpoint.

    4. Return to the game. SHOOT! BANG! SOFTICE POPS!

    5. I scrolled the code window up a bit and this is the code listing:

    ADDRESSES.... OPCODES............ ASSEMBLY LANGUAGE.........

    017F:60570C50 55            PUSH EBP
    017F:60570C51 8BEC          MOV EBP,ESP
    017F:60570C53 A1E8625E60    MOV EAX,[605E62E8]
    017F:60570C58 8B08          MOV ECX,[EAX]
    017F:60570C5A FF15E4625E60  CALL [605E62E4]
    017F:60570C60 8B4854        MOV ECX,[EAX+54]
    017F:60570C63 85C9          TEST ECX,ECX
    017F:60570C65 7508          JNZ 60570C6F
    017F:60570C67 8B4508        MOV EAX,[EBP+08]  <--- Address of BULLETS
    017F:60570C6A 8B4D0C        MOV ECX,[EBP+0C]  <--- Amount of BULLETS to decrease by. (ECX=1)
    017F:60570C6D 2908          SUB [EAX],ECX     <--- subtract ECX (1) from BULLETS
    017F:60570C6F 5D            POP EBP           <--- WE LAND HERE WHEN SI POPS
    017F:60570C70 C3            RET



    As u can see, even though it's not the same code as before it's VERY similar. That's the good thing about ASM: there are only a couple of instructions that decrease the value of an address, so they are easy to spot most of the time. This time they use SUB, which means SUBTRACT. OK, to defeat this we need to get rid of that SUB instruction.

    6. I typed A 60570C6D then pressed return. This lets me manipulate the code at location 60570C6D.

    7. I typed NOP [return] NOP [return] (the returns mean I pressed return, just to clear any confusion). I used 2 NOPs, as u can see, because remember we need to get rid of 2 bytes of OPCODES, 29-08, so we need to replace them with 2 bytes of our own OPCODES, 90-90.

    8. I then pressed return a 3rd time without entering anything and softice drops out of assemble mode.

    9. Now we are all done and ready to test it. CTRL-D got me back into the game. I now have infinite bullets, and the DMA is defeated.

    Don't forget: game code doesn't change location. To make a 100% working bullet trainer for this game all u need to do is poke 90,90 into location 60570C6D.

    WELL!! We have come to the end of this tutorial. I hope u managed to follow it and obtain all the knowledge u need to defeat DMA. Keep a look out for other tutorials in this series.

    If u have any problems or questions then please email me at [email protected]. Please be patient for a reply.


    http://www.sheeprec.cjb.net

    ----(please leave the copyright info below intact)----
    This post is copyright by the user posting it and MMOwned.com - World of Warcraft Exploits,Hacks, Bots and Guides, where it was posted. You may not copy or reproduce the above on any other site without written permission from both the poster and MMOwned.com


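Two points from the tutorial above are worth checking in code: the THE THING ABOUT NOP rule (a replacement must cover exactly the original instruction's byte count, one 1-byte NOP per original byte at consecutive addresses) and what an in-memory patch of this kind looks like to a code-integrity check of the sort anti-tamper and anti-cheat components run. The Python below is an added example, not code from the post or from any tool it names. It re-encodes the Serious Sam 2 listing from the post into a byte string (a constructed sample; CODE_BASE is the first address in that listing and offsets are computed from the posted opcodes), refuses a patch whose expected bytes are not actually present, and shows the hash comparison plus byte-level diff that flags exactly which bytes were changed. Function names are mine.

```python
import hashlib

NOP = 0x90  # x86 one-byte no-operation, the byte the tutorial pokes in

# Constructed sample: the listing quoted in the post, re-encoded from its
# OPCODES column. CODE_BASE is the address of the first instruction.
CODE_BASE = 0x60570C50
LISTING = bytes.fromhex(
    "55"            # 60570C50  PUSH EBP
    "8BEC"          # 60570C51  MOV EBP,ESP
    "A1E8625E60"    # 60570C53  MOV EAX,[605E62E8]
    "8B08"          # 60570C58  MOV ECX,[EAX]
    "FF15E4625E60"  # 60570C5A  CALL [605E62E4]
    "8B4854"        # 60570C60  MOV ECX,[EAX+54]
    "85C9"          # 60570C63  TEST ECX,ECX
    "7508"          # 60570C65  JNZ 60570C6F
    "8B4508"        # 60570C67  MOV EAX,[EBP+08]
    "8B4D0C"        # 60570C6A  MOV ECX,[EBP+0C]
    "2908"          # 60570C6D  SUB [EAX],ECX
    "5D"            # 60570C6F  POP EBP
    "C3"            # 60570C70  RET
)


def nop_addresses(addr, orig_hex):
    """Addresses the replacement NOPs occupy: one per original byte,
    consecutive, because NOP encodes as a single byte."""
    return [addr + i for i in range(len(bytes.fromhex(orig_hex)))]


def nop_patch(code, base, addr, orig_hex):
    """Return a copy of `code` with the instruction at `addr` replaced by
    the same number of NOP bytes. The expected encoding must be present,
    which catches both a wrong length (the crash case in the post) and an
    address that no longer holds the expected instruction."""
    orig = bytes.fromhex(orig_hex)
    off = addr - base
    if off < 0 or off + len(orig) > len(code):
        raise ValueError("address outside the code buffer")
    if code[off:off + len(orig)] != orig:
        raise ValueError("bytes at %08X do not match %s" % (addr, orig_hex))
    patched = bytearray(code)
    patched[off:off + len(orig)] = bytes([NOP]) * len(orig)  # same length
    return bytes(patched)


def code_digest(code):
    """What an integrity checker stores for a code section: a hash of it."""
    return hashlib.sha256(code).hexdigest()


def diff_bytes(reference, live, base):
    """Byte-level comparison a checker logs on a hash mismatch:
    (address, expected byte, observed byte) for every changed byte."""
    return [(base + i, r, l)
            for i, (r, l) in enumerate(zip(reference, live)) if r != l]


if __name__ == "__main__":
    patched = nop_patch(LISTING, CODE_BASE, 0x60570C6D, "2908")
    print("NOPs at", [hex(a) for a in nop_addresses(0x60570C6D, "2908")])
    print("hash changed:", code_digest(LISTING) != code_digest(patched))
    for addr, was, now in diff_bytes(LISTING, patched, CODE_BASE):
        print("%08X: %02X -> %02X" % (addr, was, now))
```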
  2. #2 issacobra

    Re: DMA Explained And Trained

    BE VERRRRRY careful before installing softice. I crack progs and stuff with it, but a lot of progs will not run if you have ever installed it (Skype). The only way I can run Skype is by cracking that to bypass the check :P Softice is impossible to get off your system...

  3. #3 kingviper

    Re: DMA Explained And Trained

    Originally Posted by issacobra
    BE VERRRRRY careful before installing softice. I crack progs and stuff with it, but a lot of progs will not run if you have ever installed it (Skype). The only way I can run Skype is by cracking that to bypass the check :P Softice is impossible to get off your system...
    Thanks for the warning!



  4. #4 Flying Piggy

    Re: DMA Explained And Trained

    Very clever guide though :)
    Good job.

  5. #5 kingviper

    Re: DMA Explained And Trained

    Originally Posted by Flying Piggy
    Very clever guide though :)
    Good job.
    Ty Piggy



  6. #6 TehAvatar

    Re: DMA Explained And Trained

    The problem we have at the moment with DMA is that we don't really know how to get the opcode to write a certain value to a DMA address.

    Few examples of what I hope to achieve:

    Eg. Change the game Coordinates
    Eg. Change the forward speed

    Thanks for the guide nonetheless.
    -=TehAvatar=-

  7. #7 Zaldion

    Re: DMA Explained And Trained

    Woah, too much text for me to read right now... someone mind simplifying what this does for me? And it seems to me it memory edits? Isn't that very detectable?

  8. #8 dscecs

    Re: DMA Explained And Trained

    Thanks for providing where you got it from as well.

    As per changing the game coordinates, the only good thing that changing the game coordinates is for now is exploration. The moment you interact with the place you are at, you become disconnected. You cannot move when teleported or you will dc. Jumping and then teleporting doesn't work, nor does running and jumping as the old BWH had to have done. After about 15 times on a test account, you will be banned. Oh, and when you get dc'd, you are also rubber banded back. It is believed that the teleport is only a client side hack at this point. We do know that the server (not warden) has a check and that this is what causes the dc and the rb effect.

    You can increase your run speed, but increasing over about 200% will cause a ban. At least that was about the limit prior to the 2.0 changes.

    I don't usually share this information, as I have been waiting for someone to come up with a new teleport hack, and even offered a $10,000 bounty at one time. But alas no teleport hack has been found.

    I do know that in China they are using a BWH like tool, and have even gotten my hands on it, but I cannot backwards engineer to see what it actually does and it seems to need some kind of remote verification (probably a serial number check). I tried to have a friend reverse it, but he didn't have the time to check it.

    I hope the information finds you in good favor and helps you a bit. I am from rpg-exploiters as well

    Oh, some other hacks I haven't seen in a while, which you can search for... superman jump (lessens the amount of gravity on a character - jump over walls). Teleport to corpse (might work again - great for corpse recovery). Run under water (takes away swimming and you can really run on the ocean floor - but you still run out of breath). Tracking (they already have it on InnerSpace - allows you to track as though a hunter, also track PVP).
