Beginner's Guide to DMA



Fish Beans
08-03-2004, 05:29 PM
This is my second tutorial on the basics of game hacking. It is intended to help new hackers come to grips with DMA, which in the game-hacking sense stands for Dynamic Memory Allocation: the memory that holds the value you care about is allocated at run time, so its address is different every time you load the game. Many games also have addresses that change during gameplay, which makes them that much harder to hack. This tutorial will show you how to stop the problem at the source by patching the game's own code so that it never changes the value, or changes it to suit your desires. Because you patch the instruction rather than the data, it does not matter where the data ends up living. In no way is this tutorial supposed to be a complete guide to DMA; it is a beginner's guide to beating it without resorting to TSearch.


Tools needed:

1. Memory searcher of your choice (ArtMoney is recommended)
2. A debugger; OllyDbg or SoftICE work well. This document will use OllyDbg.
3. A basic understanding of ASM helps, but I'll try to make this understandable by complete newbs.
4. PowerStrip (http://www.download.com/3120-20-0.html?qt=powerstrip&tg=dl-2001&search.x=0&search.y=0&search=+Go%21+) or another program that can restore your resolution, because a full-screen game stays frozen on the breakpoint and you need a way back to the desktop.
5. A brain. In order to actually learn anything from this, you need to be able to figure out why we did what we did.


Plan of Attack: What we are going to do this time through is not change the value itself, but change the instructions that modify that address. This is what our debugger is for. A debugger lets the hacker stop the game and drop into its code whenever a condition you choose is met; that condition is called a "breakpoint". Once our debugger has "popped" on the breakpoint, we can see what is going on and find the address of the instruction we need to modify. That instruction lives in the game's code, which an executable of this era loads at the same address every run, so a patch to it keeps working no matter where the value itself moves.

We'll start this project by obtaining the address of what we want to hack. We'll use minerals in StarCraft because it's simple. StarCraft does not use DMA, but this method still applies to it, because we are patching the code rather than the data. Once you have obtained your address (004FD4B4 in 1.11b), open OllyDbg and attach it to the StarCraft process: if you didn't read the manual for OllyDbg, click File, then Attach, select the StarCraft process from the list presented and click Attach. After a few moments the various windows of OllyDbg will pop up with some ASM code in them.

Now that we have our debugger up and running, we need to set a breakpoint. Right-click in the disassembler (the area with all the ASM code), select Go to, then Expression. Type your address, 004FD4B4, into the box that pops up and click OK. The top line in the disassembler will now be the address you entered. Now we can set a breakpoint on it: right-click the address, select Breakpoint, then "Memory, on write", since we only need to see the code when StarCraft writes to the address. OllyDbg implements this kind of breakpoint by changing the protection of the whole memory page, so the game runs noticeably slower while it is set; remove it as soon as you have what you need. You follow the same procedure to remove it, but select "Remove memory breakpoint" instead of setting one.

Anyhow, now that we have our breakpoint set, we have to make it pop, so head back into StarCraft (be sure to hit the play button first, or SC will still be frozen) and do something that reduces the amount of minerals you have. As soon as you do this, StarCraft will freeze, and you'll be unable to switch to any other program. This is where PowerStrip comes into play: press Ctrl-Alt-S to restore your adapter defaults and return to your desktop. There should be a large black box in the upper-left corner of your screen. If it is difficult to view Olly, press Alt-F5 to set it Always On Top. The disassembler window now shows the code that was running when the breakpoint hit. The top of the window will contain the instruction that caused Olly to pop, which should be MOV DWORD PTR DS:[EAX+4FD4A0],EDX. This translates to "take the value in EDX and write it to the address [EAX+4FD4A0]"; with the value EAX holds at that moment, [EAX+4FD4A0] is our address 004FD4B4, which is why the breakpoint fired. Now, in order to stop your minerals from ever decreasing, all we need to do is destroy that instruction. We do this by "nopping" it: writing 90 (the opcode for NOP, an instruction that does nothing) over each of its bytes, so the store never happens. You can do this quickly by right-clicking the instruction and selecting Binary, then "Fill with NOP's". Now go and remove your breakpoint. To test this out, click the blue play button to resume the StarCraft process, then go back into the game and try building some units. You should find that your minerals no longer decrease. Bear in mind that the NOPs block every store this one instruction makes, so if the same path is also what credits new minerals, your total will stop going up as well; the next step gives a patch that avoids that.

If you scroll up a bit in the disassembler window, you'll see this instruction: SUB EDX,ECX. This translates to "subtract the value in ECX from EDX and store the result in EDX". If you remember, the code we just destroyed used EDX as the register holding the mineral value to be written to memory. This leads me to believe that the instruction SUB EDX,ECX is responsible for subtracting the cost of an action from the mineral total. To test my idea, we can change it to ADD EDX,ECX, which should effectively make you gain minerals when you spend them. Right-click the instruction, select Assemble, and change the SUB to ADD. ADD EDX,ECX assembles to the same length (two bytes) as SUB EDX,ECX, so nothing after it is disturbed. As a general rule, if a replacement is shorter than the original, leave "Fill with NOP's" ticked in the Assemble dialog so the leftover bytes become NOPs rather than garbage, and never pick a replacement that is longer, because it overwrites the start of the instruction after it. Once again, go back into StarCraft to test it. If you restored the instruction we destroyed the first time, whenever you spend any minerals you should gain them instead.

Let's recap what we just did. First we found our address using ArtMoney, then we set a breakpoint on it in OllyDbg. After the breakpoint was set, we jumped into the game code by triggering the breakpoint. We then nopped the instruction that stored the decreased mineral total, and later changed the subtraction to an addition instead. To create your hack, you just write the hex code for the new ASM instructions to the address where you changed them. The instruction we first destroyed was six bytes long and sat at the address 00401F75, and we replaced it with NOPs (90), so you would write 90 90 90 90 90 90 to the address 401F75. That address is only valid for the version you worked on (1.11b here); a trainer should read the six bytes back first and check that they are still the MOV that OllyDbg showed before it overwrites them, otherwise on another version it will corrupt unrelated code.
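As an added example that is not part of the original tutorial: the following C program carries out both patches from the walkthrough against a byte buffer that stands in for the game's code section (a constructed stand-in, since it cannot run against StarCraft on its own). The six-byte encoding of the MOV (89 90 A0 D4 4F 00), the two-byte encoding of SUB EDX,ECX (29 CA), the image base 0x400000 and the placement of the SUB at 0x401F73 are all assumptions derived from the mnemonics OllyDbg shows, and are marked as such in the comments. What it shows is the verify-before-write check: the NOP patch is applied only when the expected original bytes are present, and the SUB-to-ADD patch only when the instruction is in the two-byte register form, where the SUB opcodes 0x29 and 0x2B map to ADD 0x01 and 0x03 with the same ModRM byte (handling both encodings goes beyond the single case in the text).

```c
/* Added example, not from the original tutorial: apply the two code patches
 * from the walkthrough to a buffer standing in for StarCraft's code section.
 * Byte encodings, the image base and the SUB's address are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NOP        0x90
#define IMAGE_BASE 0x00400000u   /* assumed load address of the EXE */
#define MOV_ADDR   0x00401f75u   /* MOV DWORD PTR DS:[EAX+4FD4A0],EDX (address from the text) */
#define SUB_ADDR   0x00401f73u   /* SUB EDX,ECX; address assumed for the demo */
#define MOV_LEN    6

/* Assumed encoding of the MOV: opcode 89 /r, ModRM 10 010 000 = 0x90
 * (mod = 10 with disp32, reg = EDX, rm = EAX), then disp32 004FD4A0. */
static const uint8_t MOV_EXPECTED[MOV_LEN] = {0x89, 0x90, 0xA0, 0xD4, 0x4F, 0x00};

/* Constructed stand-in for the code section: INT3 (0xCC) everywhere except the
 * two instructions the tutorial works on. Returns 0 if the buffer is too small. */
size_t build_fake_text(uint8_t *buf, size_t len)
{
    if (len < MOV_ADDR - IMAGE_BASE + MOV_LEN) return 0;
    memset(buf, 0xCC, len);
    buf[SUB_ADDR - IMAGE_BASE]     = 0x29;   /* SUB r/m32,r32: opcode 29 (assumed form) */
    buf[SUB_ADDR - IMAGE_BASE + 1] = 0xCA;   /* ModRM 11 001 010: src ECX, dst EDX */
    memcpy(buf + (MOV_ADDR - IMAGE_BASE), MOV_EXPECTED, MOV_LEN);
    return len;
}

/* Verify-then-write: only overwrite when the bytes at rva are exactly what we
 * expect, so a different game version (or an already-patched one) is refused. */
static int patch_verified(uint8_t *code, size_t code_len, size_t rva,
                          const uint8_t *expected, const uint8_t *replacement, size_t n)
{
    if (rva > code_len || n > code_len - rva) return 0;
    if (memcmp(code + rva, expected, n) != 0) return 0;
    memcpy(code + rva, replacement, n);
    return 1;
}

/* Step 1: NOP the six-byte MOV so the new mineral total is never stored.
 * Returns 1 if patched, 0 if the original bytes were not found. */
int nop_mineral_write(uint8_t *code, size_t code_len)
{
    uint8_t nops[MOV_LEN];
    memset(nops, NOP, sizeof nops);
    return patch_verified(code, code_len, MOV_ADDR - IMAGE_BASE, MOV_EXPECTED, nops, MOV_LEN);
}

/* Step 2: SUB reg,reg -> ADD reg,reg in place. The two-byte register forms
 * share their ModRM byte; only the opcode differs (29->01, 2B->03), so the
 * instruction keeps its length and nothing after it is disturbed.
 * Returns 1 if patched, 0 if the bytes are not a register-form SUB. */
int sub_to_add(uint8_t *code, size_t code_len, size_t rva)
{
    if (rva > code_len || 2 > code_len - rva) return 0;
    uint8_t op = code[rva], modrm = code[rva + 1];
    if ((modrm & 0xC0) != 0xC0) return 0;        /* mod != 11: memory operand, not our case */
    if (op == 0x29)      code[rva] = 0x01;       /* SUB r/m32,r32 -> ADD r/m32,r32 */
    else if (op == 0x2B) code[rva] = 0x03;       /* SUB r32,r/m32 -> ADD r32,r/m32 */
    else return 0;
    return 1;
}

/* Run the whole walkthrough on a fresh stand-in buffer and report which steps
 * behaved as expected as a bitmask (15 means all four checks passed). */
int run_walkthrough(uint8_t *text, size_t len)
{
    int r = 0;
    if (!build_fake_text(text, len)) return -1;
    if (nop_mineral_write(text, len))                   r |= 1;  /* first NOP applied */
    if (!nop_mineral_write(text, len))                  r |= 2;  /* second refused: bytes changed */
    if (sub_to_add(text, len, SUB_ADDR - IMAGE_BASE))   r |= 4;  /* SUB -> ADD applied */
    if (!sub_to_add(text, len, MOV_ADDR - IMAGE_BASE))  r |= 8;  /* NOPs are not a SUB: refused */
    return r;
}

int main(void)
{
    static uint8_t text[0x2000];
    int r = run_walkthrough(text, sizeof text);
    printf("walkthrough result mask: %d\n", r);
    printf("bytes at %08X: ", SUB_ADDR);
    for (size_t i = SUB_ADDR - IMAGE_BASE; i < MOV_ADDR - IMAGE_BASE + MOV_LEN; i++)
        printf("%02X ", text[i]);              /* 01 CA 90 90 90 90 90 90 once both patches are in */
    putchar('\n');
    return r == 15 ? 0 : 1;
}
```

In a real trainer the buffer is the target process: on Windows you would OpenProcess the game, ReadProcessMemory the six bytes at 401F75 into a local buffer, run the same comparison, and WriteProcessMemory the NOPs back (the page-protection step with VirtualProtectEx is left out here). The refusal path is the part worth keeping: a trainer that blindly writes 90s to a fixed address is one game patch away from crashing the process.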