Saturday, October 27, 2012

Code Injection Tutorial

Code Injection: When And How. Tutorial by DEMETRON
Target: Command & Conquer Red Alert 3
Version: 1, 0, 0, 0
Aim: hacking money via code injection, so that only your money won't decrease while your opponent's will.
Level of difficulty: novice (beginner level)
Tools required:
- The game, of course
- Cheat Engine (I am using version 5.5)
- Notepad++ or any other text editor to note down addresses and other things
- Nothing else is required, but some knowledge of assembly and experience with Cheat Engine is a plus (if you don't have it, that's ok!)
Note: this tutorial assumes that you were born yesterday and have no prior knowledge of game hacking, so you can skip some parts according to your knowledge.

Part 1 : Finding Addresses
Let's start by finding the addresses which store our money value. To do this, start Cheat Engine. Now, if we open our game it will open in full screen mode, and that sometimes creates trouble when attaching a debugger to it, so let's open the game in a window. If you go to the game options and search, there is already a check box to run the game in windowed mode. Another way to do this is to go to the shortcut of the game, right click on it, go to Properties and add -win after a space at the end of the Target, so your target becomes something like "C:\Program Files\Red Alert 3\RA3.exe" -win. Now open your game and it will run in a window like in the given screenshot.

Now, with your game running, go to Cheat Engine and click on Process (in the menu bar). You'll see lots of processes in this list (it's basically every process running on the system right now), but we have to find the process of our game, and that's pretty easy actually: near the top (not necessarily) you will see two processes with the logo of our game. Yup, those two processes are related to our game, but which one to select? In general only processes with a *.EXE extension are shown, but in this case you'll also see one with a *.game extension, and we are going to select that one for debugging because that's the main module which contains the address, not the other one (you are welcome to research this phenomenon fully). So select the one with the *.game extension.

Ok, our platform is set, now we can do some serious things. Just go to the game's skirmish option and start a game with no opponents (why? Because we don't want our base to be destroyed while we are in the middle of a search). And just because you are curious :D I chose Allied Nations, blue color, the Battlebase Beta map (1st on the list), initial resources 25000 and no random crates. Let's begin to play, and before doing anything go to Cheat Engine again and check the "pause the game while scanning" option; it will ask you to attach the debugger to the game, click yes. Now in Cheat Engine's value box enter 25000 (as mine is 25k at the start; if yours is different, enter whatever amount you have).

Leave all other settings at default and press First Scan. I got 121 results (addresses); you might get more or less, it doesn't matter at this point. Ok, now we go back to the game again and build a power plant, it'll cost $800 (you can build anything else if you want, we are just spending some money here). Now I have $24200 remaining in my account, so let's put this value in Cheat Engine and press Next Scan, and wow, we just got 3 results now :) Now spend some more money, or earn some money back by selling things, and do the same search again until you get the final results (yup, those 3 addresses are the final results). As it's just 3 results we can check them manually now: select all addresses and press the arrow button at the bottom which says "copy all selected items to address list", or you can just double click on each of the 3 addresses to add them to the list below.

Now in the table there are fields like address | type | value. Click on the value of each of the 3 addresses we just added and try to modify it, and hopefully one of them is the address we are looking for: if we change its value, the same change can be seen in the game also. I tried changing the value to $50k and found mine, it's 068D324C; yours may be different. If all this is not making sense, see the snapshot below.

Just to check that our address is correct and it's actually changing the amount of money we have in the game, let's set it to something very low like $20 and try to build something. Oops, we have insufficient funds, which is exactly what we want to hear :D Now make it $10000 and try again, yup, it's working, we have our address. Note down this address, quit the current match and start another match using a different army and map, this time I chose Soviet. Now in Cheat Engine you will see the "add address manually" button, click on it and add your address (mine is 068D324C), then change the value like before to $50k. But it didn't change in the game. Why? Because this game uses DMA (dynamic memory allocation) and the address of the money gets changed every time we start a new match. So now we have to find a static reference which doesn't change every time, from which we can calculate our address for money, and such a reference is called a pointer. A pointer points to some address, or maybe to another pointer which again points to some address, and this address + offset = final address. That's what we are looking for, and how to do that is in the next part.
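The First Scan / Next Scan narrowing described in Part 1, as an added Python example that is not part of the original tutorial. It works on constructed byte snapshots standing in for the process memory, so the offsets, the decoy values and the "HUD copy" at 0x80 are all assumptions; the logic is the same narrowing Cheat Engine performs when you press First Scan and then Next Scan with the new balance.

```python
import struct

DWORD = struct.Struct("<I")  # 4-byte little-endian unsigned, Cheat Engine's "4 Bytes" type


def make_snapshot(values: dict, size_dwords: int = 64) -> bytearray:
    """Build a constructed memory image: zero-filled, with the given dword
    values placed at the given byte offsets. Offsets stand in for addresses."""
    buf = bytearray(size_dwords * 4)
    for off, value in values.items():
        DWORD.pack_into(buf, off, value)
    return buf


def first_scan(snapshot: bytes, value: int) -> set:
    """Every 4-byte-aligned dword equal to `value` (the initial scan)."""
    return {off for off in range(0, len(snapshot) - 3, 4)
            if DWORD.unpack_from(snapshot, off)[0] == value}


def next_scan(snapshot: bytes, candidates: set, value: int) -> set:
    """Keep only the candidates whose current value now equals `value`."""
    return {off for off in candidates
            if DWORD.unpack_from(snapshot, off)[0] == value}


def narrow(snapshots) -> set:
    """Run a whole scan sequence of (snapshot, value) pairs: first scan, then next scans."""
    it = iter(snapshots)
    snap, value = next(it)
    found = first_scan(snap, value)
    for snap, value in it:
        found = next_scan(snap, found, value)
    return found


# Constructed snapshots (assumed layout). 0x40 is the real money slot; 0x10 holds
# the same number by coincidence and never changes; 0x80 is a copy (think of a
# value the HUD caches) that tracks the first spend but not the later sale.
START       = make_snapshot({0x10: 25000, 0x40: 25000, 0x80: 25000, 0x24: 800})
AFTER_BUILD = make_snapshot({0x10: 25000, 0x40: 24200, 0x80: 24200, 0x24: 800})  # spent $800
AFTER_SELL  = make_snapshot({0x10: 25000, 0x40: 24600, 0x80: 24200, 0x24: 800})  # sold for $400

if __name__ == "__main__":
    print(sorted(hex(o) for o in first_scan(START, 25000)))                       # 3 hits
    print(sorted(hex(o) for o in narrow([(START, 25000), (AFTER_BUILD, 24200)])))  # 2 left
    print(sorted(hex(o) for o in narrow([(START, 25000), (AFTER_BUILD, 24200),
                                         (AFTER_SELL, 24600)])))                  # only 0x40
```

The two survivors after the first Next Scan are why the tutorial checks the remaining addresses by hand: a cached copy can follow the real value for a while, and only a change the copy does not mirror (or editing each candidate and watching the game) separates them.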

Part 2 : Finding Base Pointer
To find the base pointer we need the current address of money, and as we changed the map the address has also changed, so we have to repeat all of Part 1 to find the address. So go on and come back with an address (mine is 05DDADD4 now). I hope you already added your address to the address list table; if not, do it please. Right click on it and you will see many options; select "Find out what writes to this address". Make sure your money is not increasing or decreasing while doing this.

A window will pop up. Do not close it, switch back to the game again, spend some money and an address will be displayed in that pop-up of yours.

What we are doing is finding out which instruction is decreasing our money, and if you want to make sure, just NOP this instruction by clicking on the Replace button; it will replace this instruction with one that does nothing. Let's do it, and after that try to build something. As you can see no money is decreasing right now..... and you might think "I don't need to read further, I got what I want", but hold on a sec champ, what we just did was the quick and dirty way: we don't even know what else this instruction is used for, and NOPing it might crash our game at some point. So let's analyze what else this instruction does. To do so, first we have to restore the original code: click on Advanced Options at the bottom of Cheat Engine, you will see the instruction that we just NOPed, now right click on it and select "Restore with original code".

Ok, our instruction has been restored. Now we are going to set a breakpoint on it, and to do so first we need to open it inside a disassembler; thanks to Dark Byte, Cheat Engine has its own. You will find the "Open the disassembler at this location" option just above "Restore with original code", click on it. If this is your first time your expression might be "what the hell is this?" That is a disassembler, every game hacker's and cracker's best buddy :D

Now before moving further let's have an opponent in the game. Basically what I suspect is that the same instruction is also responsible for decreasing our opponent's money, and if we simply NOP it his money won't decrease either.... so what's the point then :D So go on and start a new match with an opponent. But wait a second, what if he crushes us before we gather some data? And another thing is we can't see our opponent until the battlefield is expanded. So what we can do is create an ally force and see whether its money is also manipulated by the same instruction; if so, it's not a good idea to NOP it, because if it handles our ally's address it may handle our opponent's also. So go on and start a new match with an ally force. After starting the game don't do anything, just sit idle and let your ally start building something; that way we are sure he is the one spending money right now. Now click on Cheat Engine's Memory View, right click and select "go to address", and enter 007F20D0, that's the instruction which decreases our money. Now we are going to set a breakpoint on that instruction: right click and select Toggle Breakpoint.

Just after you click on Toggle Breakpoint your game will hang. Don't panic, that's what a breakpoint does: it stops execution at that instruction so we can analyze it step by step. If you look at the image above, on the right side the registers are also shown, including the value of ESI. The value the ESI register holds is basically an address, and if I am right it's our ally's money address. Well, let's see. If you read the instruction carefully,
mov [esi+04],eax
means: take the value (an address in our case) that the ESI register holds, add 4 to it, and copy the value of the EAX register to that location. So for me ESI currently holds 0649A9C8, and 0649A9C8 + 4 = 0649A9CC (all calculations here are in hexadecimal, you can use the Windows calculator to do hexadecimal calculations), and the value of EAX is 2670, which is 9840 in decimal. That makes sense, as the starting amount was 10000, he spent some money and 9840 remains in his account. But how can we be sure that address 0649A9CC (yours will be different) is our ally's? Let's add this address to Cheat Engine's address list by clicking on "add address manually". Now change its value to 0 and freeze the address by clicking on the Frozen checkbox, then remove the breakpoint from the instruction and run the game by pressing F9 or Debug -> Run. Go back to the game and watch your ally's activity, and if you did everything right you will see all his constructions stop at this moment; that's because we put 0 in his account. Uncheck Frozen and give him some big amount like $50k and you will see he starts building everything again. So this analysis tells us the same instruction is used for the player's, his ally's and the opponent's money. Now we can't just NOP this instruction; we have to find our base pointer and calculate our address every time.

To calculate our base pointer, first we need the current address that holds money. You can do all the scanning once again, or set a breakpoint on the instruction at 007F20D0 - 89 46 04 - mov [esi+04],eax, see what address ESI holds for you and add 4 to it; that will be your current address for money. In my case it's 067666C4, which is actually 067666C0 + 4 as the operand is [ESI+4]. Now we have to find out what pointer points to the address that ESI holds currently: check the Hex checkbox, enter the address from the ESI register (067666C0 for me) and click on New Scan.
I got only one result (0558DDA8 for me), which is very good actually because that is our pointer, but it may not be the base pointer, so let's scan for the address of the pointer we just got. Again I got only one address (04A9BF94). Now repeat this process until we find the base pointer. Ok, we got no more addresses that hold 04A9BF94, which means that is our base pointer, note it down. Remember this is a pointer to a pointer, so when coding your hack you have to do
[value of (value of 04A9BF94)] + 4 = our address
To check whether it is a base pointer or not, let's EXIT the game and restart it. Add the game's process to Cheat Engine, go to the "add address manually" option, click on Pointer and put in the address of the base pointer we just found; see the image below for reference.

Now we have our base pointer, and using this you can calculate the address for money every time. You can stop right there if you want, and just code a trainer that writes a very big value like $999999 to this address. But if you stick with the tutorial we are going to learn how to use code injection and some assembly code to stop the money from decreasing.
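The pointer chain from Part 2, [value of (value of 04A9BF94)] + 4, as an added Python example that is not from the tutorial or from Cheat Engine. The address space is a constructed dict; the addresses are the ones from the text, but the object layout (money field at object + 4, one intermediate pointer) and the relocation between matches are assumptions chosen to reproduce the behaviour described: the hard-coded address from the first match goes stale, the chain from the static base pointer does not.

```python
BASE_POINTER = 0x04A9BF94   # static base pointer found in the tutorial
MID_POINTER  = 0x0558DDA8   # intermediate pointer it points to (tutorial value)
STALE_ADDR   = 0x068D324C   # the first match's money address, hard-coded


def make_match(player_obj: int, money: int) -> dict:
    """Constructed address space for one match: dword values keyed by address.
    The player object moves between matches (assumed layout), but the chain
    [[BASE_POINTER]] + 4 always leads to its money field."""
    return {
        BASE_POINTER: MID_POINTER,   # static: survives a restart
        MID_POINTER: player_obj,     # what ESI holds when 007F20D0 runs
        player_obj + 4: money,       # the money field, [esi+04]
    }


def read_dword(mem: dict, addr: int):
    """Read a dword, or None when the address is not mapped
    (that would be an access violation in the real process)."""
    return mem.get(addr)


def resolve(mem: dict, base: int, offsets) -> int:
    """Cheat Engine style multi-level pointer: for each offset, dereference the
    current address and add the offset. [[base] + 0] + 4 is offsets=[0, 4]."""
    addr = base
    for off in offsets:
        value = read_dword(mem, addr)
        if value is None:
            raise ValueError(f"pointer chain broke at {addr:08X}")
        addr = value + off
    return addr


def read_money(mem: dict) -> int:
    """Follow the base pointer to the money field and read it."""
    return read_dword(mem, resolve(mem, BASE_POINTER, [0, 4]))


if __name__ == "__main__":
    match1 = make_match(0x068D3248, 25000)   # first match: money ends up at 068D324C
    match2 = make_match(0x067666C0, 10000)   # new match: the object has moved
    print(hex(resolve(match1, BASE_POINTER, [0, 4])), read_money(match1))  # 0x68d324c 25000
    print(read_dword(match2, STALE_ADDR))    # None: the old address is stale now
    print(hex(resolve(match2, BASE_POINTER, [0, 4])), read_money(match2))  # 0x67666c4 10000
```

The offsets list is the same shape Cheat Engine's pointer dialog uses (base address, then one offset per level), so the entry you create at the end of Part 2 corresponds to `resolve(mem, 0x04A9BF94, [0, 4])` here.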

Part 3 : Using Code Injection
As someone said, a picture is worth a thousand words, so here is a pictorial representation of what code injection is and how it works.

Hope you got some idea of what we are going to do. The first step is to wait and think about what we actually want to do, and what we want to do here is simply change this instruction to something like:
  1. If ESI == our address, go to 4 (skip the decrease).
  2. Else go to 3.
  3. Decrease the money value (the original game instruction).
  4. Jump back to the original game code.
Now to write our code we need some free space. We can find that using Cheat Engine: go to Memory View and in the menu at the top you will see Tools, with two options, the 1st is "allocate memory" and the 2nd is "scan for code caves". The first one can be used for testing your code, as it simply adds some free memory, but to write a trainer we have to search for code caves (these are the free spaces inside the game itself), so let's search for code caves. I changed the size to 40 from the default 12 as I don't know exactly how much memory we need, and more will be handy.

There is lots of space available in the list and I picked 00D07000 (just because it is easy to remember); note down your address too. Now that we have an address to write our own code we can start, but before creating the jump instruction in the original game route we must write the modified code first. Why? Because if we create the jump right now at 007F20D0 it will crash our game, as the game is still running and we have nothing at 00D07000 but garbage.
Here is the actual screenshot of the assembly code, and I'll explain each instruction step by step.

Code cave:
00D07000 - push eax "pushing the EAX register on the stack, so whatever value EAX currently holds is saved and can be restored later, when we are done using EAX"
00D07001 - mov eax,[04a9bf94] "we are copying into EAX the address value that our base pointer 04a9bf94 points to"
00D07006 - mov eax,[eax] "again we are copying the value at the address in EAX into EAX, as we have a level 2 pointer; so EAX now holds our money address - 4 (the offset)"
Note: mov eax,04a9bf94 simply copies the number 04a9bf94 (78233492 in decimal) into EAX,
whereas mov eax,[04a9bf94] copies whatever value the address 04a9bf94 holds.
00D07008 - cmp esi,eax "we are checking if ESI holds our address; a cmp instruction sets the zero flag if the two values are equal"
00D0700A - pop eax "now that we have no more use for EAX we must restore its previous value"
00D0700B - jne 00d07012 "this instruction means 'jump if not equal' (zero flag not set): if ESI does not hold our address, execution jumps to 00d07012"
00D0700D - jmp 00d07015 "this is a simple jump instruction that jumps to 00d07015; if ESI holds our address this one executes, skipping the store"
00D07012 and 00D07015 hold the actual game instructions from 007F20D0 and 007F20D3. We have to include these instructions because the jmp we create at 007F20D0 needs 5 bytes, and the two original instructions there are 3 bytes each, so both of them get overwritten.
00D07018 - jmp 007F20D6 "it's not what you see in the pic but it's the same instruction; we are simply going back to the original game route"
Now pause the game and write all these instructions, then edit the instruction at 007F20D0 to jmp 00D07000. Now go back to the game again and build something: your money won't decrease but your ally's will. You can check it by setting a breakpoint at 00D07008 and executing the instructions step by step.
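A Python model of the code cave above, added here and not part of the original tutorial. It replays the cave's instruction sequence as plain Python over a constructed memory dict, with a player object and an ally object at addresses taken from the text; the second original instruction at 007F20D3 is not shown on the page, so it is left out of the model (assumption: it does not touch the money field). The point it shows is the one the listing relies on: EAX after the two mov instructions is the object address, not the money address, so the cmp is against what ESI holds, and only the store for that one object is skipped.

```python
BASE_POINTER = 0x04A9BF94   # static base pointer from the tutorial
MID_POINTER  = 0x0558DDA8   # intermediate pointer from the tutorial


def read_dword(mem: dict, addr: int) -> int:
    return mem[addr]          # KeyError stands in for an access violation


def write_dword(mem: dict, addr: int, value: int) -> None:
    mem[addr] = value


def original_store(mem: dict, esi: int, eax: int) -> None:
    """The game's own instruction at 007F20D0: mov [esi+04],eax."""
    write_dword(mem, esi + 4, eax)


def cave_store(mem: dict, esi: int, eax: int) -> bool:
    """The code cave at 00D07000, one line per instruction.
    Returns True when the store went through, False when it was skipped."""
    saved_eax = eax                                               # push eax
    tmp = read_dword(mem, BASE_POINTER)                           # mov eax,[04a9bf94]
    tmp = read_dword(mem, tmp)                                    # mov eax,[eax]  -> our object
    is_ours = (esi == tmp)                                        # cmp esi,eax    -> zero flag
    eax = saved_eax                                               # pop eax
    if not is_ours:                                               # jne 00d07012
        original_store(mem, esi, eax)                             # replayed mov [esi+04],eax
        return True                                               # ... then jmp 007F20D6
    return False                                                  # jmp 00d07015: store skipped


def make_match(player_obj: int, player_money: int,
               ally_obj: int, ally_money: int) -> dict:
    """Constructed address space: two objects whose money field sits at +4
    (assumed layout), and the pointer chain leading to the player's object."""
    return {BASE_POINTER: MID_POINTER, MID_POINTER: player_obj,
            player_obj + 4: player_money, ally_obj + 4: ally_money}


def simulate() -> tuple:
    """Player and ally each 'build' once; return (player_money, ally_money) afterwards."""
    player, ally = 0x067666C0, 0x0649A9C8       # object addresses seen in ESI in the text
    mem = make_match(player, 25000, ally, 10000)
    # The game computes the new balance in EAX and stores it for whichever
    # object ESI currently holds; the cave intercepts that store.
    cave_store(mem, player, 25000 - 800)         # player builds: skipped, stays 25000
    cave_store(mem, ally, 10000 - 160)           # ally builds: goes through, 0x2670 = 9840
    return mem[player + 4], mem[ally + 4]


if __name__ == "__main__":
    print(simulate())   # (25000, 9840)
```

Note that the model compares ESI with the object address (EAX after `mov eax,[eax]`), matching the note in the listing that EAX holds "our money address - 4"; comparing against the money address itself would never match and the cave would filter nothing.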