Go Back

Defense Grid Updated (again, by populair demand)

It seems that there was some type of point-gather-thing during my vacation which made you able to earn goodies, or something. But I couldn't update the trained on account of me being on vacation :)

I'm back but I think reason people wanted the trainer might be over. Still it's updated and you can download it here.

Posted by: Da_Teach on Friday, July 15, 2011  •  Comments (12)  •  Full story  •  C# Trainer Defense Grid

Defense Grid Updated

It seems a new DLC made Defense Grid popular again, so here's an updated trainer.

If any other trainer is not working, let me know and I'll update them. If you have any requests for game-trainers, also let me know. I can't promise anything, but sometimes I'm bored and I'll do trainer-requests.

Posted by: Da_Teach on Sunday, May 01, 2011  •  Comments (11)  •  Full story  •  Trainer Defense Grid

Alien Breed: Impact

I recently bought Alien Breed: Impact from Steam, an Arcade Shooter (as they call it themselves) that gave me back 'old' feelings (they don't make that many games like it anymore). Anyways, I played it for a while but the controls of the game are horrid. I ended up getting annoyed by the controls. So the logical next step is to hack it ;)  By the way, if the controls where better, it would be a lot more fun to play.

However, Alien Breed uses the Unreal 3 Engine. Several other games use it too, like Mass Effect 2, which made me 'worry' a bit. The Unreal 3 Engine takes OO-programing to another level. As soon as I found some values (ammo/health) my suspicions where confirmed. Just like Mass Effect 2, Alien Breed uses 1 function to subtract nearly every value in the game.

Initially I wanted to give up, not that hacking it is impossible. It is just a lot of work and is it really worth it? I decided not to give up. And my decision will probably make me look into Mass Effect 2 again.

After putting a (memory-write) break-point on the ammo value, I saw that the instruction at 0x4BE228 is responsible for subtracting health, ammo, enemies health, cash, etc. Replacing the the "sub [ebx], eax" instruction with nothing (nop's) worked.  Ammo was frozen and I couldn't die. But it also made it creatures, windows, etc invincible.

The next step in the chain was to trace (using Syser) the function's return address (which was 0x4C5331), that was a dead-end too. All values used this same function. Instead of digging deeper, I decided to try and find something in the call-arguments of the subtract function (0x4BE180) that allowed me to identify the values it was subtracting from.

To do this I had to figure out a bit on how the subtract function worked. This wasn't easy, mainly because the function accepts a wide array of values it has to subtract from. Through tracing I found out that the first call within the function (call edx at 0x4BE1B5) retrieves the pointer to the value it is going to subtract from.

Looking at the first call that it does, we find out it bases this call on the value that is present at the first argument + 0x18 (it loads the first argument in esi @ 0x4BE183 and then loads a the pointer from [esi+0x18] into eax). It loads a byte from the pointer that it gets, and then uses that to call the function for the address to the value. For ammo, health, cash, that value is 1. The function that it calls when the value is 1 is 0x4BB610.

Inspecting this function gets us to the following conclusion, [[[first argument + 0x18] + 0] + 0x64] contains the offset of value compared to the class that is calling the subtract function. While checking out the memory address that [[first argument + 0x18] + 0] points to, I saw that [[[first argument + 0x18] + 0] + 4] points to a value identifier. For ammo this identifier is 32810 and for health its 5685.

With this info we can determine when to subtract the value, and when to keep the value the same. The problem however was that the function overwrites several things before it finally gets to the actual subtract instruction (at 0x4BE228). So the decision to subtract or not would have to be made at the start of the function. (perhaps its possible to get the  original esi value back, but I gave up looking for it)

This brought me back to the function that calls our subtract function, which was the 0x4C5331 function (or well, thats the return address). In this function we see that it gets the subtract function from a look up array (see 0x4C5322), using Cheat Engine we find that the subtract function-address is stored in 0x11C9438. I decided to make a detour function and write its address into 0x11C9438.

With the detour function in place, my first try was to not-execute the subtract function if it concerned ammo/health/etc. This quickly led to a crash. Apparently the subtract function does more then subtract. My next try was to get the pointer to the value, and increase it with the value being subtracted (as such, subtract would then have no effect). This quickly led to an issue, the value it subtracts from the main value (ok too many value's in one sentence) is also stored in an object.

It was getting late, and I was getting bored real quick with these objects in objects. So I decided to actually change the code depending on the main value. If the value is ammo/etc, I change the subtract instruction at 0x4BE228 to nop, if the value is something else, I change subtract the instruction at 0x4BE228 back to its normal value.

This worked!  So while probably not the most elegant method to success, it definitely works. I had to put in one additional check for Health. Because the Health identifier was the same for everyone (e.g. also enemies), I had to check if the health was player-health or enemy-health, I did this by checking the v-table of the calling-class (for the player its 0xF4FE60).

The end result is this +4 trainer.

Posted by: Da_Teach on Saturday, July 03, 2010  •  Comments (7)  •  Full story  •  C# Code Injection Pointers Syser Codecave Trainer Alien Breed: Impact

Defense Grid - Updated (again :)

It's been a few months since I was able to update the site. I've been so busy with work that I haven't had any free time that I was willing to spend on hacking ;)

However, I noticed Defense Grid got updated. They added a few DLC packs. So here's a new version. I only updated the offsets, and I only tested it after I downloaded one DLC. Perhaps the executable changes every DLC, but I doubt it.

With the steam bargains I have bought a few 'new' games which I will probably hack just because its possible ;)

I will probably also add either an additional blog to the site, or just add it on this blog with other tags, where I will post a bit more on problems that I play with at the work place. I run into "fun" issues every so often, which could be fun to share :)

Posted by: Da_Teach on Friday, June 25, 2010  •  Comments (6)  •  Full story  •  C# Trainer Defense Grid

Torchlight Update

It seems Torchlight got updated on Steam this week, this meant the trainer was no longer working. I have fixed it and the trainer works again.

You can download it here.

Edit: Its really updated now! It seems upload failed and the old version didnt get overwritten.

Posted by: Da_Teach on Thursday, April 01, 2010  •  Comments (7)  •  Full story  •  Torchlight Trainer

Defense Grid: The Awakening - Updated

It seems there has been a patch for Defense Grid. Well let me rephrase, they added Borderlands DLC pack. In the process they changed the executable a bit, so hence my updated trainer.

Since I was a little bored (just a bit ;) I added a couple of options to the trainer, bring it to a whopping +3.

Have fun with it !  You can download it here.

Posted by: Da_Teach on Saturday, March 20, 2010  •  Comments (1)  •  Full story  •  C# Trainer Defense Grid

Mass Effect Part #2

This game is more trouble then its worth, but I promised I'd write a trainer and so I did. This game is pointer upon pointer upon pointer, etc. A lot of times routines do much more then just something simple as experience or health, etc.

However I did finally manage to find a static pointer to money and experience (I think, it works on my pc's). I also added unlimited grenades and a money multiplier (you earn money 8 times as fast) and of course invincibility.

You can download the trainer here.

Posted by: Da_Teach on Friday, February 05, 2010  •  Comments (0)  •  Full story  •  C# Trainer Mass Effect

Trine Part #2

I planned to write this blog a few days ago, but my main PC (the one I hack on) decided to die on me and couldnt get it fixed until late last night. But its up and running and I finally got around to finishing my trainer for Trine.

As mentioned in my previous blog, turning on "Unlimited Health" made enemies invincible too. That ruins the playability of the game a bit. So one of the first things you check is to see if the function that decreases health is used on a different spot for players then for enemies. This wasn't the case, my guess is that the players are part of the same entity-array as the enemies.

Since we couldn't use that as a base-reference, I did a quick search  (using Cheat Engine) for a static address for the player-structure. Perhaps its in there somewhere, but I got bored of looking for it ;)

So whats left? Well figure out how the game "knows" its a player instead of an enemy. I wont post the entire decompiled function (it has 1300 lines!) but you can download it by clicking here.

If you download the function, then you'll see that at line 1254 the new health is calculated. Whats interesting is the part where it would decrease the damage by certain collectible items. It starts at line 1186 and ends at 1249. Now I didnt really care to figure out what it did there, but the if at line 1186 was interesting.

This "if ( (a2->byte212 && a2->dword1D4 || a2->dword1CC) && a2->dword960 != 1 )" basically checks if the current entity is the player or an enemy, as enemies don't have items. Some further analysis (using pointers found with Cheat Engine) reveals that pointer + 960h = 2 for a player while its 1 for enemies.

Now we have a way to check if the type of entity (who's health is being decreased). Now we have to modify the instruction at 691BB2h to only decrease health for enemies. However we can't magically add instructions to an executable, so we have to allocate some memory (or use a codecave, but thats something for another day) in Trine, write the instructions in there that we want to "add" and then redirect the program flow to this newly created piece of code.

First we have to write some assembler which we can write to the allocated piece of memory, I chose for this:
cmp dword ptr [ebx+960], 2  // Check if its a player
je 691BB8 // Yes, jump back
mov [ebx+254], esi // No, decrease health
jmp 691BB8 // Jump back

What we basically do is check if its a player, if it is we jump back to the original function, if its not we decrease health and jump back. We have to decrease the health, because thats the function we are replacing. You could possibly change "mov [ebx+254], esi " into "mov [ebx+254], 0" which would instantly kill everything when you hit it.

After we created this code inside our newly allocated memory, its just a matter of replacing the instruction at 691BB2h with a jump to our piece of code and voilla. Players stay alive and enemies die.

I made a small trainer which you can download here. It includes a modified "Unlimited Energy" as nop'ing that function didn't always have the desired effect. My new modification is to always write the maximum energy into the current-energy field.

Posted by: Da_Teach on Saturday, January 16, 2010  •  Comments (1)  •  Full story  •  Code Injection Trine Decompiler Trainer

Defense Grid: The Awakening Part #3

Now that we have identified the two functions which lookup the pointer to the credits spent value, there are actually two options we could go for to create a trainer. I'm going for the easiest solution which is to copy the two function's into a C# program. The other option would be to inject code into the Defense Grid: The Awakening process and execute the two functions inside the game.

There are reasons why you'd want to inject code into the game to execute the function. For example, if you are trying to write a bot (automated game play) for a game, you might want to execute certain functions within the game. For example "MoveForward" function, or "Pickup Item" function, or "Cast Spell" function, etc.

However since we only want to lookup a pointer and the functions are relatively easy to duplicate, I've chosen to do that instead of inject code. I have also chosen for C# as my programming language mostly because I love writing programs in it :)

I've written a class for C# which uses Win32 functions like ReadProcessMemory and WriteProcessMemory to allow for the trainer to update the game's memory. Its included in the trainer zip file (it includes the source).

The conversion of the functions is rather straight forward, I have created two functions, one called GetBasePointer which is a conversion of sub_47E1B0 and one called GetValuePointer which is a conversion of sub_47E6E0.

Here's the code for GetBasePointer:
private int GetBasePointer()
{
    int type = _memory.ReadInteger(_memory.ReadInteger(0xB458C4) + 212);
    int basePointer = _memory.ReadInteger(_memory.ReadInteger(0xB458E8) + 44 + 4);

    int result = _memory.ReadInteger(basePointer + 4);
    int pointer = _memory.ReadInteger(result + 4);

    while (_memory.ReadByte(pointer + 29) == 0)
    {
        if (_memory.ReadInteger(pointer + 12) >= type)
        {
            result = pointer;
            pointer = _memory.ReadInteger(pointer);
        }
        else
            pointer = _memory.ReadInteger(pointer + 8);
    }

    if (result == _memory.ReadInteger(basePointer + 4) || type < _memory.ReadInteger(result + 12))
        result = _memory.ReadInteger(basePointer + 4);

    return result;
}

And here's GetValuePointer:
private int GetValuePointer(int type)
{
    int basePointer = GetBasePointer() + 16;

    int result = _memory.ReadInteger(basePointer + 4);
    int pointer = _memory.ReadInteger(result + 4);

    while (_memory.ReadByte(pointer + 21) == 0)
    {
        if (_memory.ReadInteger(pointer + 12) >= type)
        {
            result = pointer;
            pointer = _memory.ReadInteger(pointer);
        }
        else
            pointer = _memory.ReadInteger(pointer + 8);
    }

    if (result == _memory.ReadInteger(basePointer + 4) || type < _memory.ReadInteger(result + 12))
        result = _memory.ReadInteger(basePointer + 4);

    return result;
}

Note that I have removed several checks which the game has, so in theory this could return incorrect values.

Once you put everything together, you can get a trainer which will allow you to change the values within the game. I've created a +1 trainer with source included, which you can download here. Please note that .NET 3.5 SP1 is required for this trainer and the game has to be started before running this trainer (it might also need administrator privileges).

Posted by: Da_Teach on Sunday, January 03, 2010  •  Comments (3)  •  Full story  •  C# Trainer Defense Grid