Cheat Engine The Official Site of Cheat Engine
Spudwiser (How do I cheat?)
Reputation: 0
Joined: 07 Nov 2006  Posts: 8
Posted: Sun May 06, 2007 11:11 pm    Post subject: Utter confusion

OK, here goes:
I am going to try and make this as quick as possible.
I am trying to hack The First Decade version of Command and Conquer Gold. I have found the address that will freeze building health, for let's say the power plant. This address is DMA. When I see what writes to the address and follow the pointer, it points me to an address that is also DMA. If I check to see what writes to the pointer and follow that, it will point me to a static address. What I would like to know is this: is it possible to go from pointer to pointer? If so, how? Also, it is showing this as an offset [ebx+eax], so what would I fill in for the offset? If you cannot understand I will try to post some screens. I am going to bed now; I will check this in the morning. Thanks in advance.
EDIT:
OK, so no one knows what to do? I have tried to follow the guide on another topic, but when I set a breakpoint the game freezes and I cannot Alt+Tab out of it. This game also cannot be run in a window. The only option is to install it on a virtual PC, but I know it isn't going to be the same, or have the same addresses.
Never mind, I will just use TSearch.
Labyrnth (Moderator)
Reputation: 10
Joined: 28 Nov 2006  Posts: 6301
Posted: Mon May 07, 2007 6:08 pm

This may not be the same game but the tut is still a good reference.
http://www.extalia.com/home/index.php?sel=guides&view=53
Resolving DMA in C&C: Generals (Code Injection)
by Shaikh Adeel

Introduction: Command & Conquer games have employed DMA since their very first games, so that game hackers can be presented with a challenge, one that we have taken up with pleasure. To hack C&C: Generals we will employ code injection again, as in my last tutorial for GTA: Vice City. Anyone can and should read this tutorial, as it is not classified as beginner or advanced.

Things you might need:
- Command & Conquer: Generals v1.0.
- You should know the basics of memory finding.
- Tsongkie's Code Cave Tool.
- A memory scanner. I will be using Cheat Engine v4.3 and T-Search.
- A trainer builder or language.

Let's begin:
Start a new Skirmish game and choose any team. At the start you have $10,000. Alt+Tab out of the game and in Cheat Engine (or whatever you use) choose Game.dat as the process. Now, before we search for cash, let me tell you about the Memory Array function of Cheat Engine 4.3. Using it you can search for your value in a range of addresses that you choose yourself. The default in all memory searchers is usually 00400000 up to 7FFFFFFF. If we search with the default it would take a lot of time as well as RAM, so we choose a range of 03000000 - 04000000. I have found my money addresses in this range. It may differ in different versions; in that case you might have to search with the default at first and then get an idea of where you find your addresses.

OK, now search for 10000 using the following settings:

I only got 3 entries instantly, without waiting for a long search. Go into the game and build a Power Plant. That leaves you with $9,200. Alt+Tab out and you will see that one address has changed to 9200. Add it to the list using the red pointer. Change its value and check in the game whether it changes there too. If it does not, search again; if it does, let's move on.
Open your debugger, whatever you use: OllyDbg, SoftICE, T-Search's Auto Hack. I will use Auto Hack, but the basic principles remain the same for all of them. Copy the address for cash from Cheat Engine. First of all, place a write breakpoint on it in Auto Hack. Go into the game and build another Power Plant. Minimize the game and check the Auto Hack window. There is an offset there:

    54A0F5 mov [edi+0x4],eax

But if we use this address for code injection, it will also give as much cash to your opponent. OK, now copy the same address and place a read/write breakpoint on it. Now go into the game and DON'T DO ANYTHING. The reason for this is that we want to see what instruction reads from that address, because we want to get the address that would only give us cash and not our opponents. After just 3-4 seconds Alt+Tab out again. Check the Auto Hack window and we see that we've got another instruction there:

    4EB5E0 mov ebp,[eax+0x34]   <----- This is the address that we'll use.
OK, good. Let's start some code injection. Open Tsongkie's Code Cave Tool. Go into the game and press F12. Alt+Tab out and you'll see a lot of addresses listed there. These are the code caves; let's pick 00400011. Open the Easy Write and start a new code. First of all we'll try the simplest code:

Easywrite Top:
    offset 0x00400011
    mov dword ptr [eax+0x34],0xF4240
    mov ebp,[eax+0x34]
    jmp 0x4EB5E3
    offset 0x4EB5E0
    jmp 0x00400011
Easywrite Bottom:
    offset 0x4EB5E0
    mov ebp,[eax+0x34]

Let's use a hotkey for it; I used F2. Name it "Cash" and press OK. I won't be using snaps of Easy Write here; if you are new to Easywrite and Autohack then read my GTA: Vice City tutorial so you can get a better idea. OK, now go into the game and press the hotkey... WTF! It crashes. The error says: The game encountered a serious error.
OK, we now need to see what caused it to crash. Open up Easywrite, open the code we made for Cash, and check the TMK pokes. Hmm, interesting: the pokes we made at 4EB5E0 are 5 bytes long while the original instruction is 3 bytes in length. So basically we are writing over the next instruction.

OK, now what we'll do is recreate all the code that is destroyed here, put it in our code cave and jmp to it. So now the code that we'll create is:

Top:
    offset 0x00400011
    mov dword ptr [eax+0x34],0xF4240
    mov ebp,[eax+0x34]
    cmp [0x9190B8],ebp
    jmp 0x4EB5E9
    offset 0x4EB5E0
    jmp 0x00400011
    nop
    nop
    nop
    nop
Bottom:
    offset 0x4EB5E0
    mov ebp,[eax+0x34]
    cmp [0x9190B8],ebp
OK, in case you didn't understand the code above:
- We create the code cave at 00400011.
- mov dword ptr [eax+0x34],0xF4240: this code writes 1,000,000 into [eax+0x34]. It's written in hex: F4240.
- mov ebp,[eax+0x34]
- cmp [0x9190B8],ebp <- We recreate any destroyed instructions.
- jmp 4EB5E9: we jump to the next original game loop, or the normal game routine. This is so that the loop continues. If you look at the snapshot above you will see that this address is after the cmp [0x9190B8],ebp instruction. So basically we run the 2 recreated pieces of code at our code cave and then jump to the original game code so that it runs normally. Simple, huh?
- offset 4EB5E0 / jmp 400011: this part jumps from 4EB5E0 to our code cave; there we run our recreated code and then jump back to the next original game loop.
- The 4 NOPs are to balance out the code, because the code we created at our code cave was 5 bytes long, but the length we want to balance is from 4EB5E0 to 4EB5E9, that's 9 bytes long, so we balance the remaining 4 bytes with NOPs.
- At the Bottom we just recreate the code in its original form.

Now to create a trainer, all you need to do is use the code or the pokes in your trainer.
=================================
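Added worked example, not part of the thread or of Shaikh Adeel's tutorial: the byte-level arithmetic behind the detour described above, done offline in C without touching any process. It takes the addresses from the tutorial (hook at 0x4EB5E0, cave at 0x00400011), hand-encodes the three x86-32 instructions involved, and shows why the first attempt crashed: a 5-byte E9 jmp placed over a 3-byte instruction has to steal whole instructions until at least 5 bytes are covered (3 + 6 = 9 here), the leftover 4 bytes become NOPs, and the cave ends with a jmp back to hook + 9. The instruction encodings, the helper names and the fixed addresses are all assumptions made for the example.

```c
/* Added example (not from the thread): computing the poke bytes for a
 * code-cave detour like the one in the quoted tutorial. Nothing here touches
 * a live process; the addresses and encodings are assumptions taken from the
 * tutorial text and worked out by hand for 32-bit x86. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define JMP_REL32_LEN 5          /* E9 rel32 is always 5 bytes */
#define NOP 0x90

/* Addresses used in the tutorial (assumed). */
#define HOOK_ADDR 0x004EB5E0u    /* mov ebp,[eax+0x34] lives here */
#define CAVE_ADDR 0x00400011u    /* code cave picked in the tutorial */

/* The two original instructions at HOOK_ADDR, hand-encoded. */
static const uint8_t orig_mov[] = { 0x8B, 0x68, 0x34 };                    /* mov ebp,[eax+0x34]  (3 bytes) */
static const uint8_t orig_cmp[] = { 0x39, 0x2D, 0xB8, 0x90, 0x91, 0x00 };  /* cmp [0x9190B8],ebp  (6 bytes) */
/* The payload we want to run before them. */
static const uint8_t payload[]  = { 0xC7, 0x40, 0x34, 0x40, 0x42, 0x0F, 0x00 }; /* mov dword ptr [eax+0x34],0xF4240 (7 bytes) */

/* rel32 for an E9 jmp placed at src that should land on dst. Unsigned
 * subtraction wraps, which is exactly the two's complement a backward jump needs. */
uint32_t jmp_rel32(uint32_t src, uint32_t dst)
{
    return dst - (src + JMP_REL32_LEN);
}

/* Write "jmp dst" into out, assuming the jmp will live at address src. */
size_t emit_jmp(uint8_t *out, uint32_t src, uint32_t dst)
{
    uint32_t rel = jmp_rel32(src, dst);
    out[0] = 0xE9;
    for (int i = 0; i < 4; i++)            /* little-endian immediate, byte by byte */
        out[1 + i] = (uint8_t)(rel >> (8 * i));
    return JMP_REL32_LEN;
}

/* How many bytes at the hook site must be relocated ("stolen") so the 5-byte
 * jmp never cuts an instruction in half: add whole instruction lengths until
 * at least `need` bytes are covered. Returns 0 if the listed instructions are
 * not enough, i.e. the caller must disassemble further before patching. */
size_t stolen_len(const size_t *insn_lens, size_t n, size_t need)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        total += insn_lens[i];
        if (total >= need)
            return total;
    }
    return 0;
}

/* Bytes to poke at HOOK_ADDR: jmp to the cave, then NOPs up to the next
 * instruction boundary (the tutorial's "jmp 400011 / nop nop nop nop"). */
size_t build_hook(uint8_t *out, size_t stolen)
{
    size_t n = emit_jmp(out, HOOK_ADDR, CAVE_ADDR);
    while (n < stolen)
        out[n++] = NOP;
    return n;
}

/* Bytes to poke at CAVE_ADDR: payload, the relocated original instructions,
 * then a jmp back to HOOK_ADDR + stolen (0x4EB5E9 in the tutorial). */
size_t build_cave(uint8_t *out)
{
    size_t n = 0;
    memcpy(out + n, payload,  sizeof payload);  n += sizeof payload;
    memcpy(out + n, orig_mov, sizeof orig_mov); n += sizeof orig_mov;
    memcpy(out + n, orig_cmp, sizeof orig_cmp); n += sizeof orig_cmp;
    n += emit_jmp(out + n, CAVE_ADDR + (uint32_t)n,
                  HOOK_ADDR + (uint32_t)(sizeof orig_mov + sizeof orig_cmp));
    return n;
}

static void dump(const char *what, uint32_t at, const uint8_t *b, size_t n)
{
    printf("%-4s @ %08X:", what, (unsigned)at);
    for (size_t i = 0; i < n; i++) printf(" %02X", b[i]);
    printf("\n");
}

int main(void)
{
    const size_t lens[] = { sizeof orig_mov, sizeof orig_cmp };
    size_t stolen = stolen_len(lens, 2, JMP_REL32_LEN);   /* 3 alone is too short; 3 + 6 = 9 */
    uint8_t hook[16], cave[64];
    size_t hn = build_hook(hook, stolen);
    size_t cn = build_cave(cave);
    dump("hook", HOOK_ADDR, hook, hn);   /* E9 2C 4A F1 FF 90 90 90 90 */
    dump("cave", CAVE_ADDR, cave, cn);   /* payload, mov, cmp, E9 C3 B5 0E 00 */
    return 0;
}
```

Calling stolen_len with only the first instruction's length returns 0, which is the situation that crashed the first Easywrite attempt: 3 bytes are not enough room for a 5-byte jmp, so the patch would overwrite the first two bytes of the following cmp. The same helper generalises to any hook site once you have the instruction lengths from a disassembler.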