Making a trainer for C&C Tiberium Wars

trialusert
In this tutorial I'll try to teach how to make a simple trainer for C&C Tiberium Wars. The methods you'll see here are usable for other game as well, as they're common and easy to understand.

The trainer we're about to make will include 3 typical features: "Money Hack" , "Energy Hack", and a "Map Hack": 


  


Off we go:

The very first step would be to enter the game and open its process (Ctrl+P): 





First Feature - Money Hack:

In order to have unlimited money in game, we should first search for the money value. As you can see, the amount of money (Tiberium) is given to us - 10000 by default. High chances the value wer'e looking for contains the same amount of money, altough it might contain a different value (-just like in most flash games). So, assuming it's 10000, run a Data-Type Search (Ctrl+Shift+S) with the following details:

Data Type: Long
Evaluation Type: Exact Value
Value to Find: 10000 





Next, go back to the game and change your money by increasing/decreasing it. We now have to perform another search, a search that will find the new money value within the previous search results. That kind of search is called a Sub Search. Return to MHS and run a Sub Search (Ctrl+Shift+D) with the following details:

Search Type: Exact Value
Value to Find: [new money value] //Let's take 9700 for example





After a few sub-searches you should stay with 1 address: [0x05CC29AC] (this is the address that I found; You however may find another address, as this is not a static address). Add that address to the list by clicking it and pressing Enter. Double click the new address and you'll see the Modify Address window opens up. This window provides a large variety of features and ways to modify addresses. All we need is to change the value of the address we found, and then check if our money in-game changed as well. Under the Main tab, insert the following:
Cur Value: 800 //Just an example
and press OK.

Now go back to the game and look at your money value. If it shows 800, it means you got the correct address. If you'd like, you can return to the modification settings of that address and add a description to it (i.e : Description: Money). 





This way you can set your money to whatever value you desire, but we're not going to do that. We are going to find and edit the function that's responsible for reducing the money. To do that we need to attach the Debugger (Diassembler). MHS makes it easy for us to find all the functions that write/access our addresses. Let's do it:
Right click the Money address > Find What Writes This Address 





A new window appears, this is the Diassembler/Debugger window. In the right side of it you'll see the game code written in Assembly language. In the left side you'll see the Helper window, which includes helpful debugging features. We're going to use the Auto-Hack feature, so make sure it's selected. 





Look at the upper part of the Auto-Hack window, the address you see there is the Money address (0x05CC29AC). MHS now collects information about what writes that address. Once the game executes the function that does it, MHS will find and add it to the list of functions. All we got to do is to go back to the game and decrease the money somehow; For example let's build a power plant. 








Return to the Auto-Hack window and you should notice a code line added to the list below. Right click it > Go to... > In Current Tab/In New Tab (whichever you prefer). It'll lead you to the following Assembly function (marked in gray): 


SUB     DWORD PTR [ESI], EAX


Right, that's the function we were looking for.








Things you'll need to know before editing the function:

SUB - Subtract operation
DWORD PTR - Refer to 4 bytes (=Long)
[ESI] - Refer to the value held in address ESI (if ESI = 4, it'll refer to the value of address 00000004).
EAX - A register that holds a certain value.

Instuction:


SUB X, Y --> X = X -Y


Now it's easy to understand that the type of the money value is Long (= 4 Bytes = DWORD) and located at address ESI ( [ESI] ). EAX probably holds the reduction value. Thus, the function is decreasing our money according to EAX. We're going to change it.
Right click the function > Assemble. A little window opens.





Change the original code (SUB DWORD PTR [ESI], EAX) to:


ADD     DWORD PTR[ESI], EAX


Press OK.

ADD - Addition operation

Instuction:


ADD X, Y --> X = X + Y





By changing SUB to ADD, we made the function increase the money and not decrease it. Go back to the game and you should notice that your money is always increasing.




Second Feature - Energy Hack:

The obvious way to make our energy unlimited would be to find the energy value and set it high enough so that it never ends. Well we don't want to be obvious, so we'll choose another way to do that.

C&C contains 2 main values that control our energy, and these are the energy production value and the energy consumption value.


 


If we find the functions that write those values, we can edit them as we desire.
We're going to follow the next steps:
________________________________________________

1. Find the address that holds the energy production value.
2. Find the address that holds the energy consumption value.
3. Find what writes that address.
4. Creatively edit the function that writes it.
________________________________________________

1. First step is to find the address that holds the energy-production value. Assuming that we have no idea what that value is, let's search for an Unkown Long value (Data Type: Long, Evaluation Type: Unknown Value. Scroll up if you don't remember how to perform a search).
Just like before, we need to go back to the game and change the value that we searched for. A simple way to do that is to buy power plants (increases the total energy-production).








Return to MHS and run a Sub Search. In case you decreased your energy production, search for Decreased Value. In case you increased it, search for Increased Value.
Repeat these actions until you stay with one address.
Add the address you found to the list; In my case it's: 0x05CC2A04 (again, it's dynamic).








In order to make sure you got the correct address, modify its value and check whether your energy in-game was modified as well.

2. Second step is to find the adderss that holds the energy-consumption value. Again we search for an Unknown Long value. After the search finishes, we need to go back to the game and change the consumption value.

For example:








Return to MHS and run appropriate sub searches. After you find the right address, add it to the list. I found this address: 0x05CC2A08.

Note that both the production and consumption addresses are located next to each other, 4 bytes long -each.

Now there should be three addresses in your list, one that holds the money value, the two others that hold the energy values.





3. Third step is to find what function writes the Energy-Consumption address. We're going to attach the Diassembler again. Right click the Energy-Consumption address > Find What Writes This Address. This time, when the Diassembler window shows up, you'll see 2 addresses in the upper part of the Auto-Hack tab - the Money address from before, and the new address that was just added. We now know that MHS tries to collect information about what writes the Energy-Consumption address. Go back to the game and increase/decrease your total energy consumption.





 


Now return to the Diassembler and look at the new function that appeared in the list below:


ADD     DWORD PTR [EAX+8], ECX


MHS found this function immediately after the game executed the code that was responsible for reducing/raising the consumption energy. Right click it > Go to... > In Current Tab/In New Tab.





We can see that the game adds the value inside ECX to the Long value (reminder: DWORD = 4 Bytes = Long) located at address [EAX+8] (reminder: [x] refers to the value at address x, and not the the value x).
In other words, the energy production value is located at address [EAX+8], and the amount of energy to be added is held in ECX. Note that ECX may contain a negative number.

4. Forth step is to edit the function we just found. Right click the function (marked in gray) > Auto Assemble > Inject Code. The Auto-Assemble window will appear.





This feature gives us the possibility to conveniently write Assembly scripts and inject them to the game. We'll refer to MyCode and OverwrittenCode labels. In case we don't mess with other labels or jumps, the Assembly functions written under MyCode will be the first to inject, then the game will continue to OverwrittenCode and back to original game code.

To make our energy unlimited, we'll inject an Assembly script that changes the consumption value according to the production value. Instead of setting the consumption value to zero, the scipt will set the consumption value to: {production value minus one}. Therfore, it'll result in an unlimited energy.

Under MyCode lable, copy and paste the following:


MOV     ECX, [0x05CC2A04] //Adjust to your Energy-Production address
DEC     ECX


DEC - Decrease By One

Instuction:


DEC AL --> AL = AL - 1


Now, under OverwrittenCode lable, change:


ADD     DWORD PTR [EAX+8], ECX


To: 


MOV     DWORD PTR [EAX+8], ECX





MyCode Explanation:

MOV ECX, [0x05CC2A04] : this code line places the value at address 0x05CC2A04 in ECX. Address 0x05CC2A04 is the address that holds the energy-production value (the address found in step 1). ECX holds the amount of energy that the game needs to increase or decrease from the total energy consumption.

DEC ECX : this code line decreases the value of ECX by 1. Meaning ECX now holds the current energy production value minus one.


OverwrittenCode Explanation:

As we already understood, the game updates the energy-production by adding a certain value to it. That value is held in ECX, and contains a negative or positive number.
But now ECX is holding our energy-production value - 1, so instead of adding it to the total consumption value, we'll want to place it there everytime. In other words, we want a moving operation and not an addition operation. That leads us the the following conclusion:
ADD DWORD PTR [EAX+8], ECX needs to become MOV DWORD PTR [EAX+8], ECX.

Press Next > Inject, to inject the script.





Now go back to the game and you should notice the change: consumption is always production minus 1:







Third Feature - Map Hack:

In order to make this feature, we first need to understand what maps are really made of. Almost every map in real-time strategy games (like C&C 3) is made of thousands of miniature squares. Each square will most likely include a value indicating whether it is revaled or not. "Fog of war" is a nickname for an unknown territory in the map, which include only shrouded "squares". 





Assuming that revealed squares contain a value of 1, we know that modifying the function that gives each square its value correctly, will result in a revealed map.

"Okay, so are we going to find all the addresses of all squares?"
-That won't be necessary. It will suffice if we find an address of one single square, and then look for what accesses it.

"I understand, but I still can't think of a way to find such an address!"
-Luckily, we don't have to work too hard. The GDI army has a radar-scan utility which becomes available once the command post is built.








When the "Radar Scan" option is available, we need to target it to a place we choose. Note that at least one same square has to be scanned on every radar scan we will perform. It'll be better if we target the radar on an unmoving object, like a tree or a house for example.





Now after the chosen place was revealed, we begin searching (I'll save you time by telling you the search details):

Data Type: Byte
Evaluation Type: Exact Value
Value to Find: 1 //Value of revealed squares

Go back to the game and wait until the radar scan is over and the area gets shoruded again. Once finished, perform a sub search:

Search Type: Exact Value
Value to Find: 0 //Value of shrouded squares (fog of war)

Repeat these actions (after a radar scan > search 1, when shrouded > search 0) until you stay with at least one address that changes accordingly. Add it to the list. You already know how things work, so I'll try to make it short:
Right click > Find What Accesses This Address. After the diassembler opens, go back to the game and radar-scan the area you chose if it's shrouded, or wait until it gets shrouded in case it's already revealed. Return to the diassembler and you should notice this function:


MOVZX   EAX, WORD PTR [ECX+EAX*8+4]


MOV - Moving operation

Instruction:


MOV X, Y --> X = Y


MOVZX - Move With Zero-Extend (moves but also zero extends the value to 16 or 32 bits)

The value indicating whether the square is revealed, is moved into EAX.
[ECX+EAX*8+4] is probably the address from which the game retrieves that value.
Let's edit it: Right click the function > Assemble. Change the original function to the following one:


MOV EAX, 1


WORD PTR [ECX+EAX*8+4] changed to 1 - that's because we want all map squares to be revealed (remember? 0 = shrouded, 1 = revealed).

MOVZX changed to MOV - zero extention is unnecessary.

Go back to the game. The map is finally revealed! Good job. 





If there are any questions or requests, please let me know (I may add a part two to this tutorial). Also, If you see any mistakes or if you think that any changes should be made, please notice me.
I will soon make a post explaning how to use MHS Trainer Maker Kit to inject scripts into your own coding projects (i.e: C/C++/C#...), so that you could actually make your standalone trainers. Keep updating! :)