I found this on http://rpg-exploiters.shoq.net/forum...ight=dma++axis
I was having trouble with understanding DMA so I thought this would be helpful
:wave: ENJOY!
Advanced Game Training by [sheep] a.k.a RECLAIM!
------------------------------------------------
(best viewed in 1024x76
LESSON : 1.
SUBJECT: DMA - Dynamic Memory Allocation.
TOOLS NEEDED: Softice, memory searcher (ur choice).
U now have in ur possession (part 1) of an ever expanding tutorial covering
ADVANCED GAME HACKING (A.G.H).. Over the next few months i hope to write a series
of tutorials covering all aspects of A.G.H.. The lessons i will be teaching in
these tutorials will give u the needed skills to make the transition between
NEWBIE GAME HACKER to GAME HACK REVERSER..
Apart from the beginner stuff im about to introduce ive never seen any of the
information in my tutorials written anywhere else this may be due to people either
not wanting to give out advanced information that has taken them a long time to study
OR.. they just cant be bothered to write an extensive essay about this subject..
either way it doesnt matter because u are about to learn ALL!!
LESSON START
------------
WHAT IS DMA?
------------
Im sure u have all heard about DMA by now.. understanding what this is and how
to defeat it are the first steps of a mighty ladder. Ill try and stick to telling
u how DMA affects us (THE GAME HACKER) and not stray into too much technical detail..
When a game uses DMA the memory locations it uses are allocated dynamically
whereby the game grabs the next available slot of memory and gives it to
whoever asked for it..
Generally there are so many variations going on while ur computer is running its very
unlikely that the memory locations u get on one occasion will be the same next time u
reload the game.. this is why ur trainers only work just after u have collected the
addresses and NOT once u have reloaded.. Once the game is reloaded it will grab a whole
NEW set of memory locations for itself thus making ur OLD set of memory locations useless.
To defeat DMA and create a trainer that will work 100% of the time u need to come out of
the realms of the NEWBIE and into the NEW LAND
NEW TOOL!
---------
This is where we start adding NEW tools to our cheaters arsenal.. the first tool we need
to add is called SOFTICE its a software debugger that enables u to manipulate the game
code (on the fly) which means while the game is still running..
I wont go into installing softice in this tutorial.. there are plenty of other tutorials
that do that for u.. so from here on ill assume u already have it installed.
SOFTICE SETUP
-------------
When u press CTRL-D to pop softice u should see the following windows..
REGISTER WINDOW - this window is always at the very top of the softice window
(WR [return]) and displays the contents of all the registers..
DUMP WINDOW - generally situated close to the top of the softice window
(WD [return]) contains a split screen display.. one side is ascii the
other is hex.
CODE WINDOW - this is the main window.. sits just under the DUMP WINDOW
(WC [return]) contains the code of whatever process maybe running when
u pop softice.. the code is represented in ASSEMBLY LANGUAGE
instructions..
The comments in the brackets are what u need to type to turn the different windows on..
also u need to type CODE ON.. this will bring up the OPCODES which are a set of numbers
displayed to the left of each ASM instruction and to the right of every memory location
in the CODE WINDOW..
(if u dont understand any ASM then i suggest u go away now and read up on a basic tutorial)
DEFEATING DMA
-------------
THEORY
------
At the end of this section i will show u how DMA is defeated IN PRACTICE.. ill use a
game ive recently trained showing u code listings so that u can apply the theory to a practical
example.. so dont worry if im not going into too much detail about setting breakpoints
etc.. it will all be covered in the PRACTICAL section....
As we cannot change the memory locations of a DMA game we need to get right to the core
and by that i mean the GAME CODE.. once u have found ur memory locations in a NON-DMA
game u generally make ur trainer poke numbers into the locations u have found and this
makes an effective trainer.. we know that this doesnt work for DMA so what we have to do
is STOP the game code from decreasing our locations.. we do this by WATCHING what
happens to our memory locations while the game is running.. thankfully we dont need to
sit there and do the WATCHING ourselves.. our new friend SOFTICE does it all for us..
example...
lets say i have 5 lives and the location of these lives is 490000.
We can all think logically so we know that when we die in the game the GAME CODE will
decrease the location 490000 by 1.. We need to stop this from happening..
The way we do this is by setting something called a BREAKPOINT.. there are a few kinds
of breakpoint available to us but the one we need at the moment is a MEMORY BREAKPOINT..
this breakpoint will WATCH a memory location for us.. if anything should affect our
memory location then softice will then pop at the exact piece of code that affected it..
this means that when we die inside the game and the GAME CODE decreases our lives softice
will pop and we will find ourselves looking at the GAME CODE that decreases our lives..
GOOD STUFF EH?
Unfortunately this is where it starts to get tricky.. u NEED to be able to understand what
u are looking at.. by this i mean u HAVE to learn at least the basics of ASSEMBLY LANGUAGE
for some people this is too much and thats why they have given in.. but for many i know u
have struggled and stuck to it and have at least got a small understanding of ASM..
GAME CODE
---------
There is something VERY advantageous about GAME CODE.. IT NEVER CHANGES LOCATION.. thats
right.. on every single game EVEN DMA GAMES.. if we find the GAME CODE that decreases our
lives at 453000 then u can bet ur life that the next time u load the game the EXACT same
code is at 453000 and this is the key to defeating DMA.. instead of poking values into
DATA memory locations.. we are going to poke values into CODE memory locations.. actually
they are the same thing fundamentally they just behave in different ways..
CODE KILLING
------------
This is what u will see inside softice..
ADDRESS...... OPCODES............ ASSEMBLY LANGUAGE.....
0120:00008096 01585A ADD [EAX+5A],EBX
0120:00008099 7404 JZ 0000809F
0120:0000809B B486 MOV AH,86
0120:0000809D EB17 JMP 000080B6
0120:0000809F 55 PUSH EBP
0120:000080A0 1E PUSH DS
0120:000080A1 50 PUSH EAX
0120:000080A2 E86E078ED8 CALL D88E8815
This is just a random code snippet taken from softice.. it has nothing to do with a GAME
of any kind i just wanted to show u what was what when it came to the CODE WINDOW display
as this is the place u will be spending most of ur time...
now i will show u a section of code taken from a message board.. this is from a REAL GAME
ADDRESS...... OPCODES........ ASSEMBLY LANGUAGE.......
016F:xxxxxxxx 0000 MOV EAX,[EDI]
016F:xxxxxxxx 0000 DEC EAX
016F:xxxxxxxx 0000 MOV [ESI+0C],ECX
016F:xxxxxxxx 0000 MOV [EDI],EAX
016F:xxxxxxxx 0000 MOV EDI,EAX
Ok, the assembly instructions are the only valid thing in the above code.. the rest have
either been filled with 0000 for the opcodes or xxxxxxxx for the addresses.. these are not
important at this time anyway....
The above code probably means absolutely nothing to u and dont worry because it shouldnt..
NOW!!! let me add a story and some comments to the above code...
We are playing a game... we have got 20 LIVES.. we find the location of these LIVES
at 445566 we place a breakpoint on this location inside softice.. so that when something
affects our LIVES softice will pop and we can see the code that is affecting them...
WE FALL DOWN A HOLE AND DIE!!!!
BANG!!!!
SOFTICE POPS!!!!!
this is what we see.....
ADDRESS...... OPCODES........ ASSEMBLY LANGUAGE.......
016F:xxxxxxxx 0000 MOV EAX,[EDI]    <------ number of LIVES we already had is read from [EDI] and placed into EAX. (EDI=445566) (EAX=20)
016F:xxxxxxxx 0000 DEC EAX          <------ EAX is decreased by 1 (EAX = 19)
016F:xxxxxxxx 0000 MOV [ESI+0C],ECX <------ store ECX.
016F:xxxxxxxx 0000 MOV [EDI],EAX    <------ place NEW LIVES amount back into location 445566. (EDI=445566) (EAX=19)
016F:xxxxxxxx 0000 MOV EDI,EAX      <------ SOFTICE LANDS HERE, UNDER THE INSTRUCTION THAT AFFECTED THE LIVES....
I hope the picture has become more clear to u now.. the lives are read from our location
then decreased by 1 and then placed back into our location.. im sure the clever ones
reading this will already have figured out what we have to do.. but for the slower chaps
ill continue
016F:xxxxxxxx 48 DEC EAX <------ EAX is decreased by 1 (EAX = 19)
Ok.. this is the NASTY instruction that is killing our poor little character... as
u can see ive put in the REAL OPCODE for this instruction its 48..
This instruction decreases our lives by 1 each time.. what we need to do is GET RID OF IT!!
if we do then there is nothing to kill our little character and he can live forever....
Thankfully we can do this within softice.. u need to replace the DEC EAX with something
else.. the all time fave for replacing stuff that isnt needed is an equally small
instruction called NOP which is NO-OPERATION.. thats correct.. when this instruction is
executed absolutely nothing is done.. so KEEP this little NOP by ur side at all times..
so if we replace
016F:xxxxxxxx 48 DEC EAX <------ EAX is decreased by 1 (EAX = 19)
with..
016F:xxxxxxxx 90 NOP <------ NO OPERATION
then we have infinite lives.. its as easy as that..
THE THING ABOUT NOP
-------------------
When u are replacing instructions inside a program u have to make sure that if an
instruction has 5 opcodes then u MUST replace it with 5 opcodes..
example...
0120:00008121 E86C04EB10 CALL 10EB8592
if i wanted to get rid of the above call.. i couldnt just put 1 NOP.. because NOP is only 90
i need to FILL E8-6C-04-EB-10 so instead of just NOP(90) i would need 5 NOPS 90-90-90-90-90
otherwise the program will most definitely crash on u... so once u have replaced this call
it should look like this...
before...
0120:00008121 E86C04EB10 CALL 10EB8592
after....
0120:00008121 90 NOP
0120:00008122 90 NOP
0120:00008123 90 NOP
0120:00008124 90 NOP
0120:00008125 90 NOP
MAKING THE DMA TRAINER
----------------------
A DMA trainer is no different in any way to a NORMAL trainer.. all u are doing is poking
values into the CODE section instead of the DATA section..
example...
replace..
016F:00412345 48 DEC EAX <------ EAX is decreased by 1 (EAX = 19)
with..
016F:00412345 90 NOP <------ NO OPERATION
Same Code but this time ive added the addresses and the correct OPCODES.. if i wanted to
make a trainer that worked 100% on this DMA game.. all i need to do is poke 90 (NOP)
into location 412345.. this would turn the DEC EAX to a NOP and the game would have
infinite lives.. no need to worry about DMA locations anymore.. 412345 WILL ALWAYS!!!
be the place to poke 90 and get infinite lives.. GAME CODE DOES NOT CHANGE LOCATION!!!
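As an added illustration of the two points above (a replacement must keep the exact byte length of the instruction it overwrites, and because game code sits at a fixed address a checker can compare it against a known-good image), here is a small Python example. It is not part of the original tutorial; the byte buffer is constructed from the tutorial's own listings and does not come from any real game.

```python
import hashlib

NOP = 0x90

# Constructed sample code region (not from any real game): the tutorial's own
# example bytes glued together so that offsets can be checked.
#   +0  55          PUSH EBP
#   +1  8BEC        MOV EBP,ESP
#   +3  E86C04EB10  CALL ...        (5 bytes)
#   +8  48          DEC EAX         (1 byte)
#   +9  5D          POP EBP
#   +A  C3          RET
CODE = bytes.fromhex("558BECE86C04EB10485DC3")


def nop_patch(code: bytes, offset: int, instr_len: int) -> bytes:
    """Copy of `code` with the instruction at `offset` replaced by exactly
    `instr_len` NOPs, so every instruction after it keeps its address."""
    if offset < 0 or offset + instr_len > len(code):
        raise ValueError("patch range outside the code buffer")
    patched = bytearray(code)
    patched[offset:offset + instr_len] = bytes([NOP]) * instr_len
    assert len(patched) == len(code)  # same size: nothing shifted
    return bytes(patched)


def code_digest(code: bytes) -> str:
    """Hash of the code region; an integrity check compares this with a
    known-good value, and any NOP patch changes it."""
    return hashlib.sha256(code).hexdigest()


def patched_ranges(original: bytes, current: bytes) -> list:
    """(offset, length) runs of bytes that differ from the original image:
    what a checker would log when the digest does not match."""
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(original, current)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(original) - start))
    return ranges


if __name__ == "__main__":
    no_call = nop_patch(CODE, 3, 5)    # 5-byte CALL -> 90 90 90 90 90
    no_dec = nop_patch(no_call, 8, 1)  # 1-byte DEC EAX -> 90
    print(no_dec.hex())                              # 558bec9090909090905dc3
    print(code_digest(CODE) != code_digest(no_dec))  # True: check fails
    print(patched_ranges(CODE, no_dec))              # [(3, 6)]
```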
As i said at the beginning i havent gone into much detail about how to set breakpoints etc.
this will all be taken care of in the next part of the tutorial..
PRACTICAL EXAMPLE (Serious Sam 2)
----------------------------------------------
As i dont like to do things by half i will now show u a practical approach to defeating
DMA with code listings and softice commands.. this is just a backup of what is written
above.. after this u should be able to understand the entire tutorial.. that is if u dont
already ...
These code listings and commands all come from the game SERIOUS SAM 2.. u dont need to
go and find this game but if u have it then it will make it a lot easier for u to have
a go with what we have learnt today...
On this game ive decided to show u BULLETS instead of lives because the life total in
SS2 is worked out slightly differently (something i will be tackling in another tutorial).
ok.. lets begin..
1. I did a normal EXACT VALUE search to find the address for the bullets ..
i got the address 6AFEF28.
2. I POPPED softice with CTRL-D so that i could set a breakpoint on the bullets location..
3. Inside softice i typed BPM 6AFEF28 W (the W means WRITE so when ever something writes
to our address softice will pop) then i pressed RETURN to set the breakpoint..
4. Return to the game.. SHOOT! BANG! SOFTICE POPS!
5. I scrolled the code window up a bit and this is the code listing...
ADDRESSES.... OPCODES............ ASSEMBLY LANGUAGE.........
017F:60570C50 55 PUSH EBP
017F:60570C51 8BEC MOV EBP,ESP
017F:60570C53 A1E8625E60 MOV EAX,[605E62E8]
017F:60570C58 8B08 MOV ECX,[EAX]
017F:60570C5A FF15E4625E60 CALL [605E62E4]
017F:60570C60 8B4854 MOV ECX,[EAX+54]
017F:60570C63 85C9 TEST ECX,ECX
017F:60570C65 7508 JNZ 60570C6F
017F:60570C67 8B4508 MOV EAX,[EBP+08] <--- Address of BULLETS
017F:60570C6A 8B4D0C MOV ECX,[EBP+0C] <--- Amount of BULLETS to decrease by. (ECX=1)
017F:60570C6D 2908 SUB [EAX],ECX <--- subtract ECX(1)from BULLETS
017F:60570C6F 5D POP EBP <--- WE LAND HERE WHEN SI POPS
017F:60570C70 C3 RET
As u can see even though its not the same code as before its VERY similar.. thats the good
thing about ASM there are only a couple of instructions that decrease the value of an
address so they are easy to spot most of the time.. this time they use SUB.. which means
SUBTRACT.. ok.. to defeat this we need to get rid of that SUB instruction...
6. I typed A 60570C6D then pressed return.. this lets me manipulate the code at location
60570C6D..
7. I typed NOP [return] NOP [return] the returns mean i pressed return just to clear
any confusion.. I used 2 nops as u can see because remember we need to get rid of 2
bytes of OPCODES 29-08 so we need to replace them with 2 bytes of our own OPCODES
90-90..
8. I then pressed return a 3rd time without entering anything and softice drops out of
assemble mode..
9. Now we are all done and ready to test it.. CTRL-D got me back into the game.. i now
have infinite bullets.. and the dma is defeated..
dont forget.. game code doesnt change location.. to make a 100% working bullet trainer
for this game all u need to do is poke 90,90 into location 60570C6D...
WELL!! we have come to the end of this tutorial.. i hope u managed to follow it and
obtain all the knowledge u need to defeat DMA.. keep a look out for other tutorials
in this series..
If u have any problems or questions then please email me at [email protected]
please be patient for a reply...
http://www.sheeprec.cjb.net
----(please leave the copyright info below intact)----
This post is copyright by the user posting it and MMOwned.com - World of Warcraft Exploits,Hacks, Bots and Guides, where it was posted. You may not copy or reproduce the above on any other site without written permission from both the poster and MMOwned.com