Hey ppl,
"for people who don' know what is "game trainer" go here: http://www.megagames.com/trainers.html"
Hey ppl, i tried yesterday to train the game that i've been workin on with irrlicht, and it worked, so i've been thinkin of a tutorial, a special tutorial for Irrlicht guys, and Irrlicht games.
wanna that? poll for it
Game Trainer Tutorial
-
beshrkayali
- Posts: 85
- Joined: Mon Jun 11, 2007 11:22 am
- Location: Damascus - Syria
- Contact:
Either do it, or don't. Polls are annoying.
Here's my old, possibly still relevant, offset finding guide.
It's dumbed down as much as I possibly could make it, to the point where it's innacurate in some spots, but this is how people hack games... yes, online games too, but it's a lot more complicated to create supporting client exploits to manipulate networking flaws. However, the fact that 90% or more of online games model their networking platforms in a manner similar to raknet is helpful. Their forums are invaluable in sussing out new methods of attack, and so on.
http://en.wikipedia.org/wiki/Tsearch
TSearch is used to search memory. In a few years, this will likely be obsolete, with new multi-core systems and OS's rising in popularity. This won't work with interpreted programs (Java, Python) without a whole helluva lot of extra work.
At any rate, this is a forum, not a popularity contest. Either provide something you think is useful and within the context of a particular discussion, or don't... don't ask people if you should. Imagine talking to someone like that in real life... it gets old fast.
Here's my old, possibly still relevant, offset finding guide.
The 10 step anti-DMA program
1.) Find the address of your variable (PtrAdd).
2.)Open the dissasembler tab in T-Search. Input PtrAdd into the dissassemble box.
3.)Click the disassemble button.
4.)Change the value you are searching for, in game. You end up with some ASM code appearing. Search for something that looks like
Code:
eax +[4D]
"+4D" is your Offset, mark it down somewhere.
If eax -[4D] is what you find, change Subtract in step 5.) to Add.
5.) Subtract 4D from PtrAdd. Convert the result to decimal. Search for the decimal number in 4Byte mode.
6.)You'll usually find a boatload of them. This is where things get a tad tedious. Filter the results with a Has/Has Not Changed routine. Once you filter 3 times with no change in the number of results, save all the results to a .cht file.
7.)Quit and reload the game, then repeat steps 1 & 5.
8.) Filter the results with a Has/Has Not Changed routine. Once you filter 3 times with no change in the number of results, load your saved .cht file and compare the results you have to the results you just found. Look for two identical addresses. Sometimes there are several, its ok. Just pick one you like.
9.) Mark down the address you found (PtrOrigin). Now, to find your variable (stored at PtrAdd,) just find the PtrOrigin, convert the value stored there to hex, Add 4D, and you have PtrAdd, where your variable is stored! Subtract 4D if your offset was -4D.
Until patchday, you can use the PtrOrigin and Offsets any way you like!
10.)Every time the .exe gamefile changes, you will need to repeat the above steps to find your offsets, PtrOrigin, & PtrAdd.
Why you just did what you did:
When Dynamic Memory Allocation (DMA) is used, the program generates and assigns a random address for certain variables to be stored at. An offset is a value which the program uses to keep structures consistent. The offset is added to the random address, then the program accesses the variable stored. The PtrOrigin is where the random address is stored. Add (or subtract!) an offset to the random address, and you end up with the PtrAdd to your variable.
Generally, you will find different data structures using the same PtrOrigin. Health, Mana, Fatigue.... Player related variables might very well all have the same PtrOrigin. Sometimes, once you find the PtrOrigin for Health, you can save yourself work by just finding the offsets for Mana, Fatigue, Gold, and XP. They do this to save CPU usage... if each variable had to use DMA individually... ugh, performance hell. Fortunately for us gamehackers, we have...
Structs, or offset footprints.
An offset footprint is oftentimes called a "struct." If you find a series of variables all related to eachother (using the same PtrOrigin), such as player data, mark down the differences (distance in hex) between each offset. If there is a difference of 1C between each variable, you can safely bet that when you have to update the offsets again, the structure will remain the same, with a difference of 1C between each PtrAdd. This allows you to easily find all the variables in the struct without reworking the Offset and PtrAdd again.
Example struct:
This isn't real. Dont use for any real games.
Code:
[Base] (PtrAdd - HP Offset)
[+1A]HP
[+1A]Mana
[+1A]Stamina
[+1A]Gold
[+1A]Exp
[+1A]TargetHP
[+1A]TargetMana
[+1A]TargetStamina
Using that struct, you could simply find the PtrOrigin, go to that address, add 1A, and you have HP. Add 1A again, and you have Mana, again, Stamina, so on and so forth.
Practice finding simple variables, like health and mana. Do it 10-12 times before you move on to anything more complicated... the familiarity with anti-DMA measures will be invaluable. Sometimes there can be a PtrOrigin leading to another PtrOrigin, and dynamic offsets based on those values. If you know the basics, it becomes tedious, rather than impossible, to find the offsets and structs you're looking for.
It's dumbed down as much as I possibly could make it, to the point where it's innacurate in some spots, but this is how people hack games... yes, online games too, but it's a lot more complicated to create supporting client exploits to manipulate networking flaws. However, the fact that 90% or more of online games model their networking platforms in a manner similar to raknet is helpful. Their forums are invaluable in sussing out new methods of attack, and so on.
http://en.wikipedia.org/wiki/Tsearch
TSearch is used to search memory. In a few years, this will likely be obsolete, with new multi-core systems and OS's rising in popularity. This won't work with interpreted programs (Java, Python) without a whole helluva lot of extra work.
At any rate, this is a forum, not a popularity contest. Either provide something you think is useful and within the context of a particular discussion, or don't... don't ask people if you should. Imagine talking to someone like that in real life... it gets old fast.
-
beshrkayali
- Posts: 85
- Joined: Mon Jun 11, 2007 11:22 am
- Location: Damascus - Syria
- Contact:
-
beshrkayali
- Posts: 85
- Joined: Mon Jun 11, 2007 11:22 am
- Location: Damascus - Syria
- Contact:
) like those trainers
trainers aren't usually used for online cheating.
that usually only happens as an example of poor security in programming.
what that above tutorial explains is how to use some sort of disassembler to find the magic number used to basically obfuscate the correct variables for your game.
another trick is to phish the data flow if possible and determine values by the frequency at which they are passed from server to client. ergo when you're attacked your health goes down. but that is the reason for the obfuscation.
this all really boils down to a flaw in either computer design or just windows itself or maybe it's the programming.. the entire thing really.
that usually only happens as an example of poor security in programming.
what that above tutorial explains is how to use some sort of disassembler to find the magic number used to basically obfuscate the correct variables for your game.
another trick is to phish the data flow if possible and determine values by the frequency at which they are passed from server to client. ergo when you're attacked your health goes down. but that is the reason for the obfuscation.
this all really boils down to a flaw in either computer design or just windows itself or maybe it's the programming.. the entire thing really.