Post by £åߥ®Ñth on Jan 23, 2008 11:07:14 GMT -5
Here is a little tutorial showing code injection to make Prison Tycoon 3 give you cash instead of spending it.
Cash will always go up.
Tools:
Cheat Engine
-----------------
1. Scan and find your cash ("4 byte scan").
2. Once you find the address, find out what writes to it by right clicking it in CE.
3. Now you will get an instruction like this:
004790e8 - 29 41 28 - sub[ecx+28],eax
4. This instruction subtracts the amount you were supposed to spend in game.
--------------------------------------------------------------------------------------
Now there are several ways to do this and I will show a few.
First let's look at altering this instruction.
What happens if we change "sub" to "add"?
add [ecx+28],eax
1. The value that was supposed to be removed from your cash is now added to the cash total. This is a very simple alteration.
And this is what we will be doing.
--------------------------------------------------------------------------------------
Ok, to tackle this we need to do a code injection.
We will be doing this with AA scripts.
You will have to scan for a code cave and write the script like this for it to work in a CE (v5.3) generated trainer.
Code Cave: This is an empty code block.
004002C8: Notice the address of the cave.
So we start with this:
We add the toggle "Enable", a label and the code cave.
[ENABLE]
label(back)
004002C8:
Now we need to know what goes in the cave.
This is the place we write our own code. Remember all we are doing is a simple change of "sub" to "add".
add [ecx+28],eax
Then we have to tell the script how it will get to our code.
This will be our original address, the one we found the game writing to.
004790E8:
So when the script is turned on, this part writes a jump at the original address to make it jump to our code.
jmp 004002C8
nop cleans up any leftover bytes and is required.
And our label. This basically lets the script know where to jump back into the original flow of the game's code.
004790E8:
jmp 004002C8
nop
back:
Now the last part.
Disable toggle
The original address, and we write back the original code of
sub [ecx+28],eax
This returns the game back to normal.
[DISABLE]
004790E8:
sub [ecx+28],eax
Here is what the whole script should now look like.
================================================
[ENABLE]
label(back)
004002C8:
add [ecx+28],eax
004790E8:
jmp 004002C8
nop
back:
[DISABLE]
004790E8:
sub [ecx+28],eax
================================================
Ok, we are not done yet... Here is a faster and simpler way to do this in AA as well.
Notice in this image the bytes:
004790E8 29 41 28 blah blah blah blah
We are only interested in these: 29 41 28. Why? Well, look at this:
004790e8 - 29 41 28 - sub[ecx+28],eax
You see the bytes for our targeted instruction are 29 41 28.
29 = sub (see where we are going?)
Next we want that sub to be add. Well, the byte for add is 01.
004790e8 - 29 41 28 - sub[ecx+28],eax
004790e8 - 01 41 28 - add[ecx+28],eax
Now you're wondering how I know this. These images will explain.
sub = 29
add = 01
Now what can we do with this?
Simplest AA
Enable to toggle it. The address and then the byte you are going to write. "db" is used to make the script write the bytes you want.
[ENABLE]
004790e8:
db 01
Turning it off
Disable to toggle it. The address and then the byte you are going to write so it is back to the original code again.
Again, "db" makes it write the byte.
[DISABLE]
004790e8:
db 29
The whole script should look like this:
----------------------------------------------------------------------
[ENABLE]
004790e8:
db 01
[DISABLE]
004790e8:
db 29
--------------------------------------------------------------------------------------
Also, this can be used for TMK
Poke:
004790e8 01
Poke:
004790e8 29
-------------------------------------------------------------------------------------
Now that you have learned to write a couple of different AA scripts to alter your game, let's take a look at it a little deeper.
What if the game's address changed? The scripts would not work any longer. Just suppose this game has a code shift. This would make your trainer or your script crap, right?
So here is how to defeat a code shift using CE, by writing the same 2 scripts so they will still work.
In the above image you will see the module we are in, with the address we used for the scripts.
prisonTycoon3.exe
The base address of it is 400000.
Now what we want is the address to be calculated so the script will always work.
Here we go:
004790E8 - 400000 = 790E8
So now basically this address would really be:
prisonTycoon3.exe + 790E8
The great thing about CE is that it uses symbols and allows us to do this.
Let's apply this to the second script we did. This script will defeat a code shift. You just alter your addresses so CE calculates them using symbols.
[ENABLE]
prisonTycoon3.exe+790e8:
db 01
[DISABLE]
prisonTycoon3.exe+790e8:
db 29
Now let's do this with our first script.
[ENABLE]
label(back)
prisonTycoon3.exe+2C8:
add [ecx+28],eax
prisonTycoon3.exe+790E8:
jmp prisonTycoon3.exe+2C8
nop
back:
[DISABLE]
prisonTycoon3.exe+790E8:
sub [ecx+28],eax
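As an added example (my own Python, not code from the post or from Cheat Engine), here is a script that ties the three pieces above together: it decodes the 29 41 28 / 01 41 28 bytes into the sub/add instructions, computes the prisonTycoon3.exe+790E8 offset from the base address, encodes the 5-byte jmp the code-cave script writes, and checks a memory image for either modification the way an anti-tamper integrity check would. The memory image is constructed here so it runs offline; every address and byte value comes from the post.

```python
# Added example, not code from the original post: decode the two encodings the
# post compares, derive the module-relative offset, encode the code-cave jmp,
# and check a constructed memory image for either modification.
MODULE_BASE = 0x400000              # image base of prisonTycoon3.exe (from the post)
TARGET_VA = 0x004790E8              # address of "sub [ecx+28],eax" (from the post)
CAVE_VA = 0x004002C8                # code cave address the post's script jumps to
ORIGINAL = bytes.fromhex("294128")  # 29 41 28 = sub [ecx+28],eax
PATCHED = bytes.fromhex("014128")   # 01 41 28 = add [ecx+28],eax

OPCODES = {0x29: "sub", 0x01: "add"}  # "r/m32, r32" forms the post shows
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

def decode(code):
    """Decode opcode + ModRM + disp8, the only instruction shape the post uses."""
    op, modrm, disp8 = code[0], code[1], code[2]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if op not in OPCODES or mod != 1 or rm == 4:  # mod=01 is [reg+disp8]; rm=4 needs a SIB
        raise ValueError("unsupported encoding: " + code.hex())
    disp = disp8 - 256 if disp8 >= 128 else disp8  # disp8 is signed
    return "%s [%s%+x],%s" % (OPCODES[op], REGS[rm], disp, REGS[reg])

def to_module_offset(va, base=MODULE_BASE):
    return va - base  # 004790E8 - 400000 = 790E8, i.e. prisonTycoon3.exe+790E8

def encode_jmp_rel32(src, dst):
    """E9 rel32, relative to the next instruction; 5 bytes cover the 3-byte sub and 2 more."""
    rel = (dst - (src + 5)) & 0xFFFFFFFF
    return b"\xe9" + rel.to_bytes(4, "little")

def check_target(image, base=MODULE_BASE, va=TARGET_VA):
    """Integrity check: compare the live bytes at the target with the known original."""
    off = to_module_offset(va, base)
    chunk = bytes(image[off:off + 5])
    if chunk[:3] == ORIGINAL:
        return "clean"
    if chunk[:3] == PATCHED:
        return "patched: " + decode(chunk[:3])
    if chunk[0] == 0xE9:  # a hook: follow the rel32 to see where it lands
        rel = int.from_bytes(chunk[1:5], "little", signed=True)
        return "hooked: jmp %08X" % (va + 5 + rel)
    return "unknown: " + chunk.hex()

def make_image(patch=b""):
    """Constructed image: zero-filled, with the original sub at its offset."""
    image = bytearray(0x80000)
    off = to_module_offset(TARGET_VA)
    image[off:off + 3] = ORIGINAL
    image[off:off + len(patch)] = patch  # optionally apply a modification
    return image
```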
And there you have it. A complete cash hack for Prison Tycoon 3.
.:Shouts to Team Extalia:.