Game Trainer Studio 1.6.4

  1. #1
    xanupox

    Game Trainer Studio 1.6.4

    Anyone use this to compile a quick .exe to poke code with existing offsets?

    I read that s4lly thread by Rockman and saw the offsets posted and tried to load up Game Trainer Studio and create buttons to "poke" the offsets and NOPs.

    Having trouble getting it to work with Warhammer though. I haven't used it in years, is there something just as easy to use that works?

  2. #2
    cap0n3
    What exactly do you want to do and what system are you running?

  3. #3
    xanupox
    Running Vista 64 bit.

    Want to make an executable that has either buttons or uses hotkeys to poke code into the war.exe to enable hacks.

    I was using the offsets that were posted in the other thread for wallhack, no fall dmg, etc.

    I placed buttons on the trainer, clicked "poke" and placed the offsets and the NOPs into the code window, assigned hotkeys as well.

    However it doesn't seem to be able to find the war.exe or something. The trainer does nothing when running the game, when I press the enable/disable hacks nothing seems to happen.

  4. #4
    Timmytimmelson
    CE works pretty well for simplicity's sake, just set hotkeys as you want and save it to a table so u can reuse it every time u load up

  5. #5
    rockman319
    I've tried CE but I can't seem to get the "pointer" correctly.

  6. #6
    PharmerPhale
    Originally Posted by rockman319
    I've tried CE but I can't seem to get the "pointer" correctly.
    I thought we covered that already lol... What part of it are you having trouble with?

  7. #7
    rockman319
    Oh sorry, I uh haven't looked at your guide lol. Too lazy.
    I will! lol when I have uh... you know... time. *cough*

  8. #8
    xanupox
    I got it to work... I had the offsets and the code, just forgot to say "poke" before that lol... I used to use this tool along with Tsearch to create Battlefield Vietnam hacks. I had to use Code Caves and jump out of the main code before the PB scan range, apply my hacks in the code cave, then jump back in after the code area.

    PB never knew anything was happening. I'll share what I know if Mythic ever turns on PB, but I doubt they will because the client already lags people bad.

  9. #9
    rockman319
    Wow you sound very knowledgeable with code caves and stuff.

  10. #10
    PharmerPhale
    Originally Posted by rockman319
    Oh sorry, I uh haven't looked at your guide lol. Too lazy.
    I will! lol when I have uh... you know... time. *cough*
    Roflmao Rockman319

  11. #11
    xanupox
    Well, if PB ever is activated, the way you guys run your hacks will end as you know it. You'll be forced to use alternate methods to get your code into the area it needs to go, but without PunkBuster knowing it's happening.

    Code Caves work because of how PB scans. PunkBuster does NOT scan the whole .exe of the game, it would cripple performance. Instead, the Even Balance team researches all the hacks for a while, learns what areas people are hacking using 909090 (NOPs), and then once they have a few areas of code range, they create their "scan ranges" for that particular game.

    WAR.exe for example is often hacked in the following areas.

    1) No Fall Damage
    2) Speed Increases
    3) Teleport/Movement over great Distances

    Let's break this down as the Alphabet. The entire war.exe would be A thru Z, then go onto AA-ZZ, then AAA-ZZZ.

    Let's say for the No Fall damage, the code for that was the letter F. Us hackers were NOPing out the letter "F", so we avoided No Fall Damage. Well, what PB does is set up a scan range starting at "E", and ending at "G". Obviously "F" is in between there as well.

    PunkBuster has knowledge of what the code is supposed to be inside that scan range. So when anything changes, like "NOP" are there instead of EAS or EAX or whatever, then PB alerts to hacking.

    So, how can you change the letter "F", to be a NOP then, if PB is going to be looking for it every few minutes? Code Caving is how.

    Since we know the PB scan range, it starts at "E", hits "F" and ends at "G". Then what we will do is find a section of the .exe that has blank/empty space in it, that is large enough to work out some hacking code within. This is a cave in the code.

    You can use a few tools to scan the full .exe to find the caves, I'll skip explaining that. Let's assume you know of the address for a code cave already and we'll use that.

    So since the code reads sequentially prior to "F", we'll take a look at it closer.

    We basically copy the entire code starting at "D", right before the PB scan range... and copy "D thru G", all the code exactly.

    Now, we change the code at "D", to say JMP to address of the code cave... let's say the code cave was found at "YYY".

    In the empty space at address YYY, we insert all the original code exactly as it was written at "D thru G". In this section, we apply our hacks, whatever they may be... NOPs or whatever you want to change, do it here in the Code Cave. Now at the end of this Code Cave, you place a return JMP back to the letter "H". This returns the code path right back to the original code sequence. Your hack is applied, but the original code in the war.exe was just bypassed, it is there, unchanged but completely ignored... except by PunkBuster who is scanning that address range and is happily reporting that the code is unchanged and no hacks are occurring.

    So a Code Cave method to avoid PB is basically just finding some empty space in the code that is big enough to put your code into, then redirecting the code path on this detour to your little hidden code area, applying your hacks in that area, then returning back to the main original code area...

    The below is how the game would operate....

    A - B - C - D > JMP to YYY - Recreated E - NOPing "F" - Recreated G > JMP to H - I - J - K, etc...

    However, PB would continue to scan "E - F - G", back in the original location and see nothing was altered and not report you for the hacks. The only way you could get caught is if PB increased the size of its address scan range. However, if you are really good, you can create "Super Caves" and just Jump out, WAY WAY before the needed address and recreate all this code in the cave, apply the hack in the range needed, recreate a lot more code post the hack address range, then jump back further down the line.

    Such as A - B > JMP to "YYY" - Recreate original code of C - D - E - NOP'd F - Recreate original code of G - H - I > JMP back to J.

    The only limitation to jumping out is the code has to be in a read sequence, basically running a linear operation. You cannot jump out and move code that has other code pointing to it, because it cannot find that code 100% of the time when it is in its new location (in the cave)... It is a trial and error method.

    However, none of this is needed until PB gets turned on, but if they turn it on and you get caught to lose your account... that may be too late. So, I may start working on moving you guys' existing hacks into code caves.
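
Seen from the defending side, the gap post #11 describes is that a check limited to known scan ranges cannot see a change placed just outside them. The following is an added example, not code from the thread or from PunkBuster: it compares a whole code section against a trusted baseline and tags each modified span for triage. The byte values, offsets, padding bytes and function names are constructed assumptions.

```python
import hashlib

PAD = (0x00, 0xCC)  # bytes treated as inter-function padding (assumption)

def range_check(baseline, runtime, ranges):
    """Range-limited check as described in the post: only watched ranges are hashed."""
    return all(hashlib.sha256(baseline[s:e]).digest() ==
               hashlib.sha256(runtime[s:e]).digest() for s, e in ranges)

def diff_spans(baseline, runtime, gap=4):
    """Compare the whole section; merge differing offsets closer than `gap`."""
    spans = []
    for i, (b, r) in enumerate(zip(baseline, runtime)):
        if b == r:
            continue
        if spans and i - spans[-1][1] <= gap:
            spans[-1][1] = i + 1
        else:
            spans.append([i, i + 1])
    return [tuple(s) for s in spans]

def classify(baseline, runtime, span):
    """Tag a modified span with what an analyst needs to know first."""
    s, e = span
    tags = []
    if all(b in PAD for b in baseline[s:e]):
        tags.append("padding-now-populated")   # unused space now holds bytes
    if runtime[s] == 0xE9:                      # x86 near JMP rel32 opcode
        tags.append("starts-with-jmp")          # likely control-flow redirect
    return tags or ["code-modified"]

def full_scan(baseline, runtime):
    return [(sp, classify(baseline, runtime, sp)) for sp in diff_spans(baseline, runtime)]

def build_sample():
    """Constructed 256-byte section: 192 bytes of 'code', then 64 bytes of 0xCC padding."""
    baseline = bytes((i % 100) + 0x10 for i in range(192)) + bytes([0xCC]) * 64
    runtime = bytearray(baseline)
    runtime[0x30:0x35] = b"\xE9\xAA\xAA\xAA\xAA"  # constructed change before the watched range
    runtime[0xC0:0xE0] = b"\x55" * 32              # constructed bytes in former padding
    return baseline, bytes(runtime), [(0x40, 0x60)]  # watched range, the post's "E to G"

if __name__ == "__main__":
    base, run, watched = build_sample()
    print("range-limited check clean:", range_check(base, run, watched))
    for span, tags in full_scan(base, run):
        print(f"modified 0x{span[0]:02X}-0x{span[1]:02X}: {', '.join(tags)}")
```

The range-limited check reports the sample as clean, while the full comparison reports both modified spans.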

  12. #12
    rockman319
    Dang, man. +1 rep

  13. #13
    HansW
    good luck with that.
    one question though, why use codecaves when you can allocate memory in the process to hold your code?

  14. #14
    xanupox
    Allocating memory could change the overall size of the executable which would most likely flag as altering the file and a PB kick. I've never messed with that though, the tools to make those kinds of adjustments were not readily available back when I was doing my hacking.

    I had to use a tool called, Tsongkie's Code Cave Tool or something close to that just to locate empty portions of code 'deadspace / caves', that were big enough to support the code move rewrites.
