Revision as of 12:58, 5 February 2014 edit62.217.45.26 (talk)No edit summary← Previous edit | Revision as of 10:26, 15 February 2014 edit undoHitman731 (talk | contribs)83 edits Removed dead and unnecessary links, added proper references, included information about old scene practices of making trainers, added modern groups naming practice and information about trainer making tools used today. Improved the article overall.Next edit → | ||
Line 1: | Line 1: | ||
{{Unreferenced|date=January 2007}} | {{Unreferenced|date=January 2007}} | ||
'''Game trainers''' are programs made to modify |
'''Game trainers''' are programs made to modify memory of a ] thereby modifying its behavior using addresses and values, in order to allow cheating. It can "freeze" a ] disallowing the game from lowering or changing the information stored at that memory address e.g. health meter, ammo counter or manipulate the data at the memory addresses specified to suit the needs of the person ] at the game. | ||
==History== | ==History== | ||
In the 1980s and 1990s, trainers were generally integrated straight into the actual game by ]s. When the game was first started, the trainer loaded first, asking the player if he/she wished to cheat. Then the code would proceed to the actual game. In the cracker group release lists and intros, trained games were marked with one or more plus signs after them, one for each option in the trainer, for example: ''"the Mega Krew presents: '''Ms. Astro Chicken++'''"''. Modern trainers append their titles with a single + and a number, as many have several functions. The number used represents the number of modifications the trainer has available, e.g. 'infinite |
In the 1980s and 1990s, trainers were generally integrated straight into the actual game by ]s. When the game was first started, the trainer loaded first, asking the player if he/she wished to cheat and which cheats would like to enabled. Then the code would proceed to the actual game. These embedded trainers came with intros about the groups releasing the game and the trainer often used to showcase the skills of the cracking group demo coding skills<ref name="FLT group">{{cite web|url=http://www.defacto2.net/organisation/fairlight|title=Defacto2 Group Information Page for Fairlight|accessdate=14 February 2014|work=Contains information about their old demos and releases and stats}}</ref>, some of these groups focus entirely on their demoscene today<ref name="Razor1911 group">{{cite web|url=http://www.pouet.net/prod.php?which=55991|title=Razor1911 group demos|accessdate=14 February 2014|work=Razor1911 demoscene division which coded impressive demos back in the early days of embedded trainers}}</ref> In the cracker group release lists and intros, trained games were marked with one or more plus signs after them, one for each option or cheat in the trainer, for example: ''"the Mega Krew presents: '''Ms. Astro Chicken++'''"''. Modern trainers append their titles with a single + or writing "plus" and a number, as many have several functions. The number used represents the number of modifications the trainer has available, e.g. 'infinite health' or 'one hit kills'. Another difference is the inclusion of game version or digital download source of game. For example: "Hitman Absolution Steam +11 Trainer"<ref name="deviatedhacking hitman trainer">{{cite web|url=http://deviatedhacking.com/index.php/topic/1737-hitman-absolution-steam-11-trainer/|title=Hitman Trainer|accessdate=14 February 2014|date=21 November 2012|work=Naming of Trainers by Modern trainer groups}}</ref>, "F.E.A.R 3 v 1.3 PLUS 9 Trainer" etc.<ref name="gamecopyworld.com">{{cite web|url=http://m0004.gamecopyworld.com/games/pc_grand_theft_auto_4.shtml|title=GCW list of trainers|accessdate=14 February 2014}}</ref><ref name="deviatedhacking.com">{{cite web|url=http://deviatedhacking.com/index.php/forum/5-game-trainers/|title=Listing by the famous scene trainer making group DVT|accessdate=14 February 2014}}</ref> | ||
Modern trainers also come as separately downloadable programs; instead of modifying the game's programming directly, values stored in memory are changed. | Modern trainers also come as separately downloadable programs; instead of modifying the game's programming directly, values stored in memory are changed. In fact this has become such a norm now that trainers today by definition only modifies memory and any modification to the game exe is frowned upon and not considered a true trainer but a patch instead. | ||
With ] the memory ] are often stored dynamically on the ] but modern ] use ]. Therefore, the only way to modify such memory in a reproducible manner is to get information from inside the game process. This requires ] methods like ] of ] and ], ] or searching for static access pointers. The trainer gets active when the object has been allocated and deactivates itself again when the object is freed. | With ] the memory ] are often stored dynamically on the ] but modern ] use ]. Therefore, the only way to modify such memory in a reproducible manner is to get information from inside the game process. This requires ] methods like ] of ] and ], ] or searching for static access pointers. The trainer gets active when the object has been allocated and deactivates itself again when the object is freed. | ||
Line 15: | Line 15: | ||
API hooking works completely differently: A preloader loads a library into the game process while starting it. The library spys on dynamic memory allocations and discovery starts with recording them all. With static memory search in parallel it is possible to match the found value address to an unique memory allocation. The idea is to close the game process directly after the value is found and the object still exists. Then, the last matching memory allocation is the correct one. So matching it reverse is the method of choice. The object size as well as the value offset inside it are discovered and the jump-back code address in the game binary can be determined by backtracing. Often a constructor is found and with that it is possible keep track of all memory objects it allocates. The library in the game process and the game trainer need to communicate with each other through ]. | API hooking works completely differently: A preloader loads a library into the game process while starting it. The library spys on dynamic memory allocations and discovery starts with recording them all. With static memory search in parallel it is possible to match the found value address to an unique memory allocation. The idea is to close the game process directly after the value is found and the object still exists. Then, the last matching memory allocation is the correct one. So matching it reverse is the method of choice. The object size as well as the value offset inside it are discovered and the jump-back code address in the game binary can be determined by backtracing. Often a constructor is found and with that it is possible keep track of all memory objects it allocates. The library in the game process and the game trainer need to communicate with each other through ]. | ||
The disadvantage is: This can be detected as ]. But it is possible to find more values within objects by dumping and comparing them. Also adaption to other game and compiler versions becomes simple as all it takes is to look for a library function call with known parameter (the object size) in the disassembly. | The disadvantage is: This can be detected as ]. But it is possible to find more values within objects by dumping and comparing them. Also adaption to other game and compiler versions becomes simple as all it takes is to look for a library function call with known parameter (the object size) in the disassembly. | ||
E.g. the ] universal game trainer "ugtrain" shows this method completely legal with ] games as examples. | E.g. the ] universal game trainer "ugtrain" shows this method completely legal with ] games as examples.<ref name="ugtrain">{{cite web|url=https://github.com/sriemer/ugtrain|title=universal game trainer "ugtrain"|accessdate=14 February 2014}}</ref> | ||
==Automated Tools used in trainer making== | |||
In the past, trainers were often coded in assembly language or any of the high level language available at the time. Today, trainers can also be made with automated trainer making tools that just require basic information about cheats such as address and injection code, the program then compiles the trainer using pre-defined values and settings requiring no programming skill from the end-user. The most popular trainer making tool used today is ] which supports wide variety of injection types and pointers, other tools that were used in past but are no longer as applicable are ], ] and ] etc <ref name="GCW">{{cite web|url=http://m0004.gamecopyworld.com/games/gcw_game_tools.shtml#Trainer_Tools|title=Trainer Making Tools|accessdate=14 February 2014}}</ref>. Some of the advanced techniques that Cheat Engine trainers supports include code injection, code shifting and the flexibility and versatility provided by its Lua scripting <ref name="lua">{{cite web|url=http://wiki.cheatengine.org/index.php?title=Lua&oldid=1670|title=Lua|accessdate=2014-02-14|date=2013-06-11|work=Cheat Engine Lua Wiki explaining some of the scripting functions available in CE}}</ref>which has phased out other trainer making tools which lacked the support for some of these features. | |||
==See also== | ==See also== | ||
*] | *] | ||
*] | |||
==References== | ==References== | ||
{{Reflist|2}} | |||
* | |||
* | |||
* | |||
* | |||
] | ] |
Revision as of 10:26, 15 February 2014
This article does not cite any sources. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Trainer" games – news · newspapers · books · scholar · JSTOR (January 2007) (Learn how and when to remove this message) |
Game trainers are programs made to modify memory of a computer game thereby modifying its behavior using addresses and values, in order to allow cheating. It can "freeze" a memory address disallowing the game from lowering or changing the information stored at that memory address e.g. health meter, ammo counter or manipulate the data at the memory addresses specified to suit the needs of the person cheating at the game.
History
In the 1980s and 1990s, trainers were generally integrated straight into the actual game by cracking groups. When the game was first started, the trainer loaded first, asking the player if he/she wished to cheat and which cheats would like to enabled. Then the code would proceed to the actual game. These embedded trainers came with intros about the groups releasing the game and the trainer often used to showcase the skills of the cracking group demo coding skills, some of these groups focus entirely on their demoscene today In the cracker group release lists and intros, trained games were marked with one or more plus signs after them, one for each option or cheat in the trainer, for example: "the Mega Krew presents: Ms. Astro Chicken++". Modern trainers append their titles with a single + or writing "plus" and a number, as many have several functions. The number used represents the number of modifications the trainer has available, e.g. 'infinite health' or 'one hit kills'. Another difference is the inclusion of game version or digital download source of game. For example: "Hitman Absolution Steam +11 Trainer", "F.E.A.R 3 v 1.3 PLUS 9 Trainer" etc.
Modern trainers also come as separately downloadable programs; instead of modifying the game's programming directly, values stored in memory are changed. In fact this has become such a norm now that trainers today by definition only modifies memory and any modification to the game exe is frowned upon and not considered a true trainer but a patch instead.
With object-oriented programming the memory objects are often stored dynamically on the heap but modern operating systems use heap and stack randomization. Therefore, the only way to modify such memory in a reproducible manner is to get information from inside the game process. This requires reverse engineering methods like API hooking of malloc() and free(), code injection or searching for static access pointers. The trainer gets active when the object has been allocated and deactivates itself again when the object is freed.
Static access pointers vs. API hooking
Searching and following access pointers reverse to pointers on static memory can be cumbersome. It doesn't provide the size of the object and if there are multiple objects of the same class, these often can't be handled correctly as there can be e.g. vectors or lists in between on the heap. But the advantage is that this method can be used to attach to an already running process if it works. The DMA (Dynamic Memory Allocation) support in Cheat Engine is an example for that.
API hooking works completely differently: A preloader loads a library into the game process while starting it. The library spys on dynamic memory allocations and discovery starts with recording them all. With static memory search in parallel it is possible to match the found value address to an unique memory allocation. The idea is to close the game process directly after the value is found and the object still exists. Then, the last matching memory allocation is the correct one. So matching it reverse is the method of choice. The object size as well as the value offset inside it are discovered and the jump-back code address in the game binary can be determined by backtracing. Often a constructor is found and with that it is possible keep track of all memory objects it allocates. The library in the game process and the game trainer need to communicate with each other through inter-process communication (IPC). The disadvantage is: This can be detected as malware. But it is possible to find more values within objects by dumping and comparing them. Also adaption to other game and compiler versions becomes simple as all it takes is to look for a library function call with known parameter (the object size) in the disassembly. E.g. the free and open-source (FOSS) universal game trainer "ugtrain" shows this method completely legal with FOSS games as examples.
Automated Tools used in trainer making
In the past, trainers were often coded in assembly language or any of the high level language available at the time. Today, trainers can also be made with automated trainer making tools that just require basic information about cheats such as address and injection code, the program then compiles the trainer using pre-defined values and settings requiring no programming skill from the end-user. The most popular trainer making tool used today is Cheat Engine which supports wide variety of injection types and pointers, other tools that were used in past but are no longer as applicable are Trainer Maker Kit, Game Trainer Studio and Trainer Creation Kit etc . Some of the advanced techniques that Cheat Engine trainers supports include code injection, code shifting and the flexibility and versatility provided by its Lua scripting which has phased out other trainer making tools which lacked the support for some of these features.
See also
References
- "Defacto2 Group Information Page for Fairlight". Contains information about their old demos and releases and stats. Retrieved 14 February 2014.
- "Razor1911 group demos". Razor1911 demoscene division which coded impressive demos back in the early days of embedded trainers. Retrieved 14 February 2014.
- "Hitman Trainer". Naming of Trainers by Modern trainer groups. 21 November 2012. Retrieved 14 February 2014.
- "GCW list of trainers". Retrieved 14 February 2014.
- "Listing by the famous scene trainer making group DVT". Retrieved 14 February 2014.
- "universal game trainer "ugtrain"". Retrieved 14 February 2014.
- "Trainer Making Tools". Retrieved 14 February 2014.
- "Lua". Cheat Engine Lua Wiki explaining some of the scripting functions available in CE. 2013-06-11. Retrieved 2014-02-14.