- Questions on tutorials -
Gregsy
21st October 2004, 20:08
Post your questions for any of the guides here. Please state them in this order:
1. What tutorial it was
2. The question.
Have fun everyone!
beserk1
23rd October 2004, 20:14
>The theories and methods of memoryhacking | Faldo | 2-6 (depending on step)|
1.) How do you know what value to search for if it is a state of character? (i.e. turbo mode)
2.) How do you know what byte type to search with? (4 byte is 8 bit, which means the max value can be 2^32)
faldo
24th October 2004, 20:30
> The theories and methods of memoryhacking | Faldo | 2-6 (depending on step)|
> 1.) How do you know what value to search for if it is a state of character? (i.e. turbo mode)
> 2.) How do you know what byte type to search with? (4 byte is 8 bit, which means the max value can be 2^32)
1. Since only the creator/code of the game knows the exact values, you need to search. Sometimes, you even need to search for "unknown values" and then use search next to try and narrow the number of addresses down.
2. To know what "byte type" you need to find, you need to understand how your memory handles opcodes... I will not explain that in this thread, but I can tell you that most of the normal values are coded in 2 bytes. It's the most commonly used.
beserk1
24th October 2004, 21:56
> 1. Since only the creator/code of the game knows the exact values, you need to search. Sometimes, you even need to search for "unknown values" and then use search next to try and narrow the number of addresses down.
How do we proceed with the search? Do we just randomly guess a number and change the value when the state is changed?? Can you give an example??
Thanks
faldo
24th October 2004, 22:01
If you look at my tutorial, there are already 2 good examples...
One example explains how to narrow addresses down by changing teams and looking for value 1 or 2 depending on what team you're on.
If you don't know what you're looking for, you have to search for an "unknown value".
beserk1
24th October 2004, 22:05
Heh, I looked at it already, but in both of your cases you know the value, team red and blue.
But what I am trying to do is search for a state that doesn't have a value, like.... god mode, where I want to NOP the part that checks if I am being hit by a monster.
That is what I'm asking: how should I search for that "unknown value"?
Sorry for not being clear =P
Gregsy
24th October 2004, 22:07
You just have to find the HP decrement?
If it is like on Halo, you need to do an unknown value search, then "has increased/decreased" a lot of times.
faldo
24th October 2004, 22:09
> That is what I'm asking: how should I search for that "unknown value"?
> Sorry for not being clear =P
Heh, no problem... what I didn't explain is that you can actually choose "unknown value" in T-Search when searching, check it out =o)
kclemens
27th November 2004, 01:38
Yea, you search for however much HP you have, get hit, and search for the remaining health. Soon you would find the code for your HP.
BlackDove
27th November 2004, 01:42
If you are dealing with a health bar for HP, the health at its maximum level will either be 100 or 255. Search for either of those two.
faldo
27th November 2004, 11:21
> Yea, you search for however much HP you have, get hit, and search for the remaining health. Soon you would find the code for your HP.
Please read about the problem before you answer out of the blue. The problem beserk1 had was that he needed the value for a state of character. And since there is no value displayed in the game for that, you have to start searching for "unknown values", change the state of character in the game and then search for "Value has decreased", "Value has increased" or "Value has changed".
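The narrowing loop faldo describes (unknown-value scan, toggle the state, then "changed"/"decreased" passes), written out as an added example over a constructed 64-byte memory image. This is not code from the tutorial or from T-Search; the layout (flag at 0x10, HP at 0x20, drifting noise at 0x30) is made up for the demonstration.

```python
import struct

FORMATS = {1: "<B", 2: "<H", 4: "<I"}   # "byte type" -> little-endian unpack format


def make_snapshot(state, hp, noise):
    """Constructed 64-byte stand-in for a game's memory (not a real process).
    0x10 = character-state flag (0 normal, 1 turbo), 0x20 = HP,
    0x30 = an unrelated value that also drifts, 0x34 = a constant."""
    mem = bytearray(64)
    struct.pack_into("<I", mem, 0x10, state)
    struct.pack_into("<I", mem, 0x20, hp)
    struct.pack_into("<I", mem, 0x30, noise)
    struct.pack_into("<I", mem, 0x34, 0x12345678)
    return bytes(mem)


def read(mem, addr, width):
    return struct.unpack_from(FORMATS[width], mem, addr)[0]


def search_unknown(mem, width):
    """The first 'unknown value' scan: every aligned address is a candidate."""
    return set(range(0, len(mem) - width + 1, width))


def search_next(candidates, before, after, width, condition):
    """One 'search next' pass: keep only addresses whose value moved as described."""
    tests = {
        "increased": lambda old, new: new > old,
        "decreased": lambda old, new: new < old,
        "changed":   lambda old, new: new != old,
        "unchanged": lambda old, new: new == old,
    }
    test = tests[condition]
    return {a for a in candidates
            if test(read(before, a, width), read(after, a, width))}


def find_state_flag(width=4):
    """Locate the turbo flag, which the game never displays as a number."""
    normal = make_snapshot(0, 100, 7)
    cands = search_unknown(normal, width)                       # everything
    turbo = make_snapshot(1, 100, 9)                            # toggle turbo on
    cands = search_next(cands, normal, turbo, width, "changed")  # {0x10, 0x30}
    normal2 = make_snapshot(0, 100, 9)                          # toggle it off again
    cands = search_next(cands, turbo, normal2, width, "changed") # {0x10}
    return sorted(cands)


def find_hp(width=4):
    """Locate HP by taking a hit: the value that went down is the one we want."""
    full = make_snapshot(0, 100, 7)
    cands = search_unknown(full, width)
    hit = make_snapshot(0, 80, 9)                               # HP drops, noise rises
    return sorted(search_next(cands, full, hit, width, "decreased"))
```

The second "changed" pass is what throws out 0x30: it moved when turbo was switched on but not when it was switched off, so toggling the state twice is usually enough to isolate the flag.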
mAFI2a
28th November 2004, 17:14
I have a question. I understand using T-Search.... the problem is when I try to make my own trainer...... it seems to fail. I tried to make my own trainer using TMK 1.3 and 1.5 and different games too. It seems to fail. I've downloaded the pinball space cadet trainer (the one that said to change the score to 1 or 2 mil.. I think) but nothing happens... if anyone knows what kind of problem I face here, please tell me and please tell me what to do...
faldo
28th November 2004, 17:28
> I have a question. I understand using T-Search.... the problem is when I try to make my own trainer...... it seems to fail. I tried to make my own trainer using TMK 1.3 and 1.5 and different games too. It seems to fail. I've downloaded the pinball space cadet trainer (the one that said to change the score to 1 or 2 mil.. I think) but nothing happens... if anyone knows what kind of problem I face here, please tell me and please tell me what to do...
If you had bothered to read the post under the "pinball release" post: I said that that trainer isn't working, and I also explained why.
As for your problem with TMK, you have to specify where you get stuck, otherwise no one can help you.
kclemens
28th November 2004, 19:19
mmhmmm. lots of stuff with TMK you could be held up on.
bowen
29th November 2004, 11:44
I'm using GTS, so can this make a trainer also?
faldo
30th November 2004, 04:24
Yes, GTS and TMK are very similar.
vietnamezeboi17
2nd December 2004, 01:40
Hey, I don't know how to make the trainer (sorry, I'm a nuub). I use T-Search to find the DMA, and the values I put were 1 and 2, but I don't know what to do with them. Can someone help me? Also, how can I find the god mode? How can I find the regain of the MP and HP?? Can someone help me please!! :)
faldo
2nd December 2004, 10:26
I moved this question to the correct thread if you're wondering why it changed place.
Your question is very confusing... if you were to say what tutorial you are stuck on and at what step it would be easier to help you.
donnos
3rd December 2004, 04:24
Erm.... I need help from faldo or Gregsy on building my trainer.
Virtuosofriend closed my thread and asked me to find it......... bad luck, I still can't find it.
I see most of the tutorials talk about autohack in T-Search..... and finding the addy, then copy-pasting it into TMK.
What if I can't autohack??? (the game detects debugging)
And I've found the pointers and the offset.
What do I type in TMK???
Gregsy
3rd December 2004, 19:17
You could try to hex edit the autohack window's dialogue box and see if the game doesn't notice that.
faldo
4th December 2004, 21:28
> What if I can't autohack??? (the game detects debugging)
I made a little program that changes the windows dialogue, try it:
http://www.mpcforum.com/showthread.php?t=65232
fricck
5th December 2004, 05:22
(let me know if I stuck this in the wrong place)
Hi guys,
I recently began playing FF7 for the third time and wanted to play with a trainer. After days of searching, I could not find one trainer that worked for the Ultima edition (which I DL'd when one of my OG CDs got snapped), so I decided to try and make my own. I have made decent progress in three days and have nearly become obsessed with learning to make trainers. Unfortunately, the tutorials are not doing much for me because they are not specific to my problems, so I am forced to bother other people.
At any rate, here is where I am. Any help would be great. (I followed along on ff7 with this tutorial)
http://www.hexsoft.gifgraphix.com/tutorials/GHA_TUT_Resolving_DMAs_An_Easier_Method.htm
I started off by searching for my health in battle (Cloud). I had 6 options that all mirrored Cloud's health, and I changed the value of all 6 to different numbers and matched it up to 9AB108. I double-checked by freezing this value. Cloud did not take damage. I unfroze it and set a breakpoint and got the following.
41CD10: mov edi,0x9AB0A0
5CF81D: mov [edx+0x2C],ecx
5CF835: mov edx,[ecx+0x2C]
5CFB15: cmp dword ptr [ecx+0x2C],0x0
432BC9: mov eax,[ecx+0x9AB108]
436BA6: cmp dword ptr [ecx+0x9AB108],0x1E61
43540D: mov edx,[ecx+0x9AB108]
43547F: mov [eax+0x9AB108],ecx
5D7EF9: mov edx,[ecx+eax*4]
5DBA54: mov ecx,[edx+0x9AB108]
5DF186: mov eax,[edx+0x2C]
5DF1B3: mov [ecx+0x2C],eax
5DF1B9: cmp dword ptr [edx+0x2C],0x0
5DA5B6: mov ecx,[edx+0x9AB108]
Then I looked for a value that looked like this, "mnemonic [Register+0x##],register", and matched the following from the list.
5CF81D: mov [edx+0x2C],ecx
5DF1B3: mov [ecx+0x2C],eax
So I used 2C as my address value and added it to my original DMA address.
9AB108+2C=9AB134. (10137908 dec.) (I also subtracted because I was not sure which to do)
9AB108-2C=9AB0DC. (10137820 dec.)
According to the tutorial, the next step is to use T-Search to find that decimal value. I searched both values on 1, 2, 3 and 4 byte but found 0 results for each. I do not know what I did wrong. Any help would be great, THANKS!
faldo
5th December 2004, 14:17
If it says +0x2C, you need to reverse that calculation in order to find its pointer, in other words: DMA address - 2C (all in hex) = your pointer.
When you find the pointer, you need to read from it to get the value it "sends to the DMA". To my knowledge, you can only do this with GTS 1.62 or any advanced programming language like C++/VB, if you want to create a trainer that is.
fricck
6th December 2004, 01:45
> If it says +0x2C, you need to reverse that calculation in order to find its pointer, in other words: DMA address - 2C (all in hex) = your pointer.
> When you find the pointer, you need to read from it to get the value it "sends to the DMA". To my knowledge, you can only do this with GTS 1.62 or any advanced programming language like C++/VB, if you want to create a trainer that is.
Ok, so I subtract 2C from the DMA address.
9AB108-2C=9AB0DC. (10137820 dec.)
I still get nothing when I search this value in T-Search at this point in the tutorial. Is the tutorial wrong? You seem more knowledgeable, so I will trust your answer. If this is the case, I may be in trouble. I don't know C++ or VB. How do I "read from the pointer with GTS 1.62"?
Note: and thanks for the fast response last time Faldo.
faldo
7th December 2004, 23:34
Sorry for the delay...
I never tried doing this with GTS, only heard it could be done.
Anyways, you seem to be doing it right... When you search for the decimal number with T-Search, you should find a few addresses having that decimal number as a value. One of these addresses is your base pointer (you need to narrow it down). If you've tried it over and over without result, you might be using the wrong offset.
When you've found the base pointer, its value will always be the address of the DMA, after you've converted the decimal to hex and then added the offset.
Tell me if i have to explain that in english for ya ;)
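The pointer arithmetic from this exchange, carried through as an added example (not code from the tutorial fricck followed or from faldo): take the offset out of the autohack line, compute the value the base pointer must hold, find the addresses holding it, and confirm that pointer + offset lands on the DMA address again. The memory image is a constructed dict; the static pointer at 0x5E0010 and the heap copy at 0x3A4F1000 are hypothetical, only 0x9AB108, 0x2C and 0x1E61 come from the posts above.

```python
import re

# Constructed sparse memory image: address -> 32-bit value. Not a real process;
# it only reproduces the layout described in the thread, plus one hypothetical
# static pointer and one heap copy holding the same value.
DMA_ADDR = 0x9AB108              # Cloud's HP, found by a normal value search
OFFSET = 0x2C                    # displacement in "mov [edx+0x2C],ecx"
STRUCT_BASE = DMA_ADDR - OFFSET  # 0x9AB0DC: what edx held when HP was written

MEMORY = {
    0x5E0010: STRUCT_BASE,       # hypothetical static pointer (0x400000-0x2000000 range)
    0x3A4F1000: STRUCT_BASE,     # same value on the heap: moves between runs, so useless
    DMA_ADDR: 0x1E61,            # the HP value the cmp at 436BA6 tests against
}


def offset_from_instruction(line):
    """Pull the displacement out of an autohack line such as 'mov [edx+0x2C],ecx'."""
    m = re.search(r"\[\w+\+0x([0-9A-Fa-f]+)\]", line)
    if m is None:
        raise ValueError("no [reg+0xNN] operand in: " + line)
    return int(m.group(1), 16)


def pointer_search_value(dma_addr, offset):
    """Reverse the calculation: the base pointer must hold DMA address minus
    offset. Returned as an int and as the decimal string T-Search takes."""
    value = dma_addr - offset
    return value, str(value)


def find_pointer_candidates(mem, value, lo=0x400000, hi=0x2000000):
    """Addresses holding the value, kept only if they sit in the static range
    faldo describes later in the thread; a heap hit would not survive a restart."""
    return sorted(a for a, v in mem.items() if v == value and lo <= a < hi)


def resolve(mem, base_ptr, offset):
    """Read the pointer and add the offset: this must give the DMA address back."""
    return mem[base_ptr] + offset


def demo():
    off = offset_from_instruction("5CF81D: mov [edx+0x2C],ecx")   # 0x2C
    value, decimal = pointer_search_value(DMA_ADDR, off)           # 0x9AB0DC, "10137820"
    cands = find_pointer_candidates(MEMORY, value)                 # [0x5E0010]
    ok = resolve(MEMORY, cands[0], off) == DMA_ADDR                # True
    return cands, ok
```

Searching for 10137820 rather than 0x9AB0DC is the hex-to-decimal step faldo mentions; the result of the scan is the list of base-pointer candidates, and the resolve check is how you tell the real one from a heap copy after a restart.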
Gregsy
3rd January 2005, 17:25
post deleted,
warned for spam.
Leon2
14th January 2005, 13:47
How can I find item values (bow, weapon, medicine.... :rolleyes: )?
Virtuosofriend
14th January 2005, 14:26
Not sure, but I think SoftICE can help you with that :x
Gregsy
14th January 2005, 19:56
> How can I find item values (bow, weapon, medicine.... :rolleyes: )?
You can get the number of an item if the game allows, but other than that, I don't know :/
@VF is your answer to everything SoftICE?
blah1970
20th May 2005, 10:34
Heya all,
Just made the map hack for BFV using the tut faldo posted (great work! ;)). Anyways, it runs fine except for the fact that on PB servers I get kicked by PB for corrupt memory. I think it may be the code cave and PB finds code where there should be none. Am I right, and is there a solution around this?
Cheers
faldo
20th May 2005, 10:40
Since PB knows about this method now, they have a countermeasure for it. Creating simple code caves doesn't work anymore.
I'm working on a new tutorial that will enable you to bypass PB once more. However, since I have very little free time, it could take a while before it's done ;)
blah1970
20th May 2005, 12:00
Thanks for the quick response Faldo. I'll have a fiddle around and see if I can suss something out. I'll have to have another look through the forums; I've read all your tuts and the ASM mini guide, and I've studied basic C, Java and VB, so hopefully I can work around the current PB probs (I only got interested in hacking a couple of days ago lol). I'm assuming PB knows where the code stops and scans the memory after this for code that isn't meant to be there! Anyways, thanks again! :)
P.S. I look forward to your next tut, but hopefully won't need it by then :laugh:
Delphi
4th August 2005, 16:52
I'm new to this whole deal, so what exactly do I need to know, basically? Should I start out with C++ or Visual Basic? And what type of tools would I need to aid me along the way?
faldo
4th August 2005, 17:11
First, tell us what you want to do... sure, if you wanna program, learning C++ is a good idea... but if you wanna make a simple hack, you'll need some of these tools:
http://www.mpcforum.com/showthread.php?t=79969
DooM-198
7th October 2005, 05:36
Hi! First of all, I'm REALLY NOOOOOOOOOOB.
I tried to make my trainer for Sacred 1.8.3 (Italian version, all the other countries can use 1.8.26 T_T) using this guide: Trainer Making Tutorial: Newbies Version (T-Search + TMK).
But I've found some problems... BIG problems...
Every time I make a character, the addresses for HP, EXP and GOLD... CHANGE! So I can't make a trainer, because I need to search for the addresses every time... T_T
I've found my HP, gold and EXP values... to make a god mode I froze the minimum HP with T-Search, so I'll never die... but I tried to unfreeze it in T-Search and make a LOCK with TMK... doesn't work... why?
Adding gold simply doesn't work, and when I try to add EXP points it works, but when I turn back to the game, I kill a monster (so I get EXP) and I die and turn back to 1 EXP point...
Is there a method to force the game to always use the same addresses? So I can easily make a god-mode hack...
BTW, I need an EXP/money trainer too... what did I do wrong?
Sorry for my bad English, but I'm Italian... T_T
FadeToBlack
8th October 2005, 15:37
Yes it's called Dynamic Memory Allocation (DMA) and there is information about it and how to defeat it on these forums.
DooM-198
9th October 2005, 04:33
Ohhhhhhhh DMA, I've seen something about that... but I've never known what it was :P
Sorry, but I'm really noooob :D
Ok, I will try again with this new knowledge :P
(my English sucks... I know :D)
EDIT:
Ok... I'm noob, not stupid :)
I've tried this tutorial: Trainer Making Tutorial: (Intermediate) Defeating DMA (T-Search & TMK)
Now the problem is... I can be a god without searching my values every time and freezing them... BUT... my enemies are immortal too, and sometimes the game closes without any reason... how can I make the enemies vulnerable and make the game stable now???
T_T
ShenHua
9th November 2005, 21:17
Does T-Search work on online games as well, or just those normal single-player games? I've tried to edit my money in-game; the figure is there, but I can't use it at all...
faldo
10th November 2005, 11:10
T-Search edits only your own memory, but since a lot of online games leave a lot of calculations in your memory, it can easily be altered with T-Search.
ualnaibaf
18th November 2005, 08:36
lol, okay, mine is the intermediate tutorial, Defeating DMA using T-Search and TMK.
The tutorial works... but it just freezes and unfreezes the value. Is there any way that I can freeze it at the value I want?
bytenoob
18th December 2005, 09:26
DMAStealing by Kosire (Shadow's Fury)
I stumbled into a roadblock while working on your DMA-Stealing tutorial today. Would you mind helping me understand what I'm doing wrong? I am working with the team address function in BF1942. Here are the steps I've taken so far:
1. Locate code that writes to the DMA value. Using AutoHack gave me the following code:
407619: mov [esi+0xAC],eax
2. Using Olly, I located the address 00407619 (assuming that this is my Base) and changed the code to reflect my jumpgate:
(original code)
00407619 8986 AC000000 MOV DWORD PTR DS:[ESI+AC],EAX
0040761F 8B0D 6CD79700 MOV ECX,DWORD PTR DS:[97D76C]
(jumpgate injection)
00407619 E9 DCB84B00 JMP BF1942.008C2EFA
0040761E 90 NOP
0040761F 8B0D 6CD79700 MOV ECX,DWORD PTR DS:[97D76C]
3. Find a free area of memory space to move ESI to:
Using the memory map feature, scrolling all the way to bottom, and double-clicking on last chunk, I located an address where hex numbers are zeroed out.
Here is the memory address: 7FFE0FF0
I noticed this address has far more characters than the free memory address you use in your tutorial.
4. Build the code cave at the blank address (here's where I ran into problems):
(original code of blank addy)
008C2EFA 0000 ADD BYTE PTR DS:[EAX],AL
The first line sends ESI to the memory address in step 3.
008C2EFA 8935 F00FFE7F MOV DWORD PTR DS:[7FFE0FF0],ESI
The second line calls the original line replaced by jumpgate. When I attempted to assemble the following code, Olly gave me the error message “Unknown Identifier”:
MOV DWORD PTR DS:[ESI+AC],EAX
After researching the forums, I noticed that Spontaneous mentioned to write ESI+AC to EAX. After attempting to assemble the following code, I received the error message “Address expression requires brackets”.
MOV DWORD PTR DS:EAX,[ESI+AC]
And after placing brackets around EAX, I received the message “Unknown Identifier”
MOV DWORD PTR DS:[EAX],[ESI+AC].
This is the point where I am stuck. Any ideas of what I missed out on?
Note: I have Olly in pause mode when I attempt to assemble the lines. Should I even try to use Olly or head straight to EasyWrite to see if my code works?
bytenoob
19th December 2005, 00:56
Kosire answered my question in the BF1942 thread. My problem was that I need to add a 0 to AC so that the computer knows I am adding hex format.
MOV DWORD PTR DS:[EAX],[ESI+AC] becomes
MOV DWORD PTR DS:[EAX],[ESI+0xAC].
esand15
12th March 2006, 08:20
I have a question on "Theories and methods of memory hacking"
I want to make a trainer but be able to pass it out to my friends, but they cannot use the fog since it's semi-DMA and static. Is there a tut or something that I can do to make it work not just for my PC but for my friends too?
I play on non-PB servers, so it doesn't matter if it is detected.
SaTaNa
17th April 2006, 10:33
In the assembly tutorial, how can I understand where my value stands in a register, for example ESI, EAX, etc..?
faldo
17th April 2006, 16:46
If you don't mind rephrasing your question, I might be able to help ya mate...
If you're looking for a program that monitors registers in real time, I'd suggest you use T-Search.
BF2N00B
4th June 2006, 17:52
Faldo, in your tut on debugging an already debugged process, I get the numbers, but when I clear the numbers I either get a blue screen or nothing happens, and I can't later attach OllyDbg or autohack in T-Search. Is there any other way to debug an already debugged process?? Thanks.
xxNoxiouSxx
26th September 2006, 23:24
**this is my first attempt at this**
Great tutorials by the way.
I have managed to make my trainer with basic code caving.
It works great in single player but of course it gets detected by PB
PB kick 0 minutes [81156]
I noticed an earlier post that says a tut will be made for this but might take a while.
Is there an update on this subject?
I am stuck and can't figure out how to make my trainer PB proof.
I have done searches for the PB scan ranges but they all seem to be a little out of date.
And even then I am still a little unclear on how that applies to the trainer that I have made.
This is for BF2 patch 1.4
**EDITED**
Ok, I think I got it figured out. Not sure, but I think I got it.
Sorry to have posted this post, but after all those tutorials it was a lot to take in. So once I got the trainer to work in single player, it got a little frustrating to get a 0 min kick, but I think I got it.
It seems the problem wasn't in the scan range after all, but I am still a noob, so I am going to test a different method before I assume that was the problem.
Thanks again for all the info on here! It is much appreciated!
Ashlak
23rd October 2006, 16:19
I have a question about defeating DMA. In F.E.A.R. I have a problem making a trainer for an all-ammo-in-one-clip hack: the trainer works, but if you reset the game the address has changed. :ninja: So what do you do next when you find the 1st "static" address with autohack and that address changes too? Thanks if you can answer this. :cross-eyed:
bigtimenerd
29th November 2006, 04:12
Maybe someone could make a tutorial on using WPE Pro for games that are encrypted or hard to read?
Mr.MotherFckr
15th January 2007, 13:08
Some trainers don't work because the addys are different on some computers.
xiaocb
24th January 2007, 06:01
Sorry, posted in the wrong place xD
qwqa
28th February 2007, 17:17
I have a problem when trying to create a code cave, which I would appreciate if someone would help me with.
I have the address I want to change, and when I put this in OllyDbg it shows up and is selected. But when I scroll down to see the addresses below it, the one I'm after disappears, and the addresses one above and one below it get selected, and I don't know why it does this.
I tried making a code cave anyway by inputting the address I want to change in between these two, but it didn't seem to work. Any help is much appreciated.
thugsmoke058
11th March 2007, 15:10
Anyone know how to use Fraps? Help me.... because I can't make a video while playing RO.
kensai_nodachi
16th April 2007, 04:29
Hi everyone, um, my English is very bad. I hope everyone can understand what I write.
I made my own trainer for AOE Rise of Rome v1.0 using T-Search and TMK. I found some code, and I can make unlimited food with these codes. I want to add food when clicking the button in the trainer. But I can use "add" in TMK. When I use this option, the game will crash. I think it's because I use "add" on the wrong code. But I can understand the assembly code written in these codes. Can someone teach me how to use "add" in TMK and what the assembly code is???
PỠQ~[Pקמּέŗ]ٷٶۼş
20th July 2007, 21:59
I need help putting a debugger on Halo, with Cheat Engine
or Tsearch (the autohack feature).
When I try "Enable debugger" in T-Search, nothing happens.
When I try attaching with Cheat Engine, it looks like it works, but when I try to find pointers, Halo closes when I go back in game, not with an exception. It's just like closing any other window.
How can I make this work?
aznricemom
11th November 2007, 20:38
Um, anyone know how to make an AC script so I can use it in a game like "maplestory"? =) thanks
argibalt
14th December 2007, 14:08
kk, I've been learning to hack for a week now
(starting to hack some stupid internet games)
but how do you find the value if the value you want isn't exact?
example:
HP=350_Search 350_find 459498576_*get hit*
Search 320(New hp)_ find 0 ????
pinx
10th July 2008, 12:48
How do I find static addresses?
faldo
10th July 2008, 13:33
Static addresses are usually ranged between 400000 and 1000000 in a process depending on how many addresses the game needs. Big games like Age of Conan have static addresses up in the 2000000s.
These addresses never change unless the exe itself changes (patch) and can also be called "global addresses" since any game with the same version of the exe will contain the same information, no matter what computer you have or where in the world you are.
Cheers!
pinx
11th July 2008, 05:09
I'm trying to hack this game Rise of Nations. I found the address and it doesn't change when I re-launch the game. So does this mean other people who have the game have the same address, and can my hack be used by other people (I used VB)?
Thanks faldo (I'm a newb)
faldo
11th July 2008, 13:02
> I'm trying to hack this game Rise of Nations. I found the address and it doesn't change when I re-launch the game. So does this mean other people who have the game have the same address, and can my hack be used by other people (I used VB)?
> Thanks faldo (I'm a newb)
Just because an address doesn't change doesn't mean it's static. There are "semi-static" addresses that don't change on your computer but will change on another's. That's why you need to look at what range the address is in. Like I said, if it's in the 400000 to 2000000 range it is most likely static.
The reason an address is dynamic or semi-dynamic is because the developer can either use VirtualAllocEx() to get a random place in memory at the first available space for the application's variables... or he can specify a "relative range" of addresses that will be the same on your computer every time, but that range will differ on another computer.
aya brea
11th August 2008, 15:27
How can I run the main file for a game (xxx.exe) using C++?
And how can I see all the received packets from the server to the (xxx.exe) process using C++?
And how can I see the sent packets?
ty