Post by Zededarian
    Basic Codecaves with FEAR as an example.

    This is a simple tut meant to demonstrate the use of code caves. The game, in this case, is FEAR's free multiplayer, and the hack I'm going to show is one to make you refill up to 10 health packs every time you pick one up.

    NOTE: Anywhere I say you should get the same value as me, don't worry if you don't; I'm trying to figure out why this is, but I think it has to do with my copy of FEAR being updated for new maps.

    The basic idea behind a code cave is that you take an ASM command from the game's running memory, and replace it with a new one. Since your command is often longer than the one you're replacing, you will usually have to jump to a new area of memory (your code cave), enter your new command, replicate any commands you had to overwrite to make your jump command, then jump back to where you left off in the game's memory.

    Alright, let's get started. I'm going to use Cheat Engine for this rather than TSearch, because it has (in my opinion) much better tools for making code caves. Anyway, host your own private game in FEAR, and go pick up a health pack (you know, the ones where you press a button to use it later). Do a new scan for value 1, value type byte. Go pick up another health pack, search for 2 using next scan, and so on until you're down to 5 or fewer values (usually you want to try and get it down to 3). Usually the value you want is the first one on the list, but test it (i.e. double click to add it, then change the value to 8 and pick up another health pack to see if it worked). If you don't have 9 health packs, try the others till you find a working one.

    Now right click and choose "See what writes to this address." Say yes to anything it asks, then go into the game and pick up a health pack. Now go back to Cheat Engine, and you should see one command in the little window that popped up. Click "Show disassembler" on the right, and a new window named Memory Viewer should pop up. When I did it, I got the address 26ECBB3, and since it's static you should get the same one for the command.

    Now, before we continue, we should find a place to put our code cave. Go to "Extra" at the top of the Memory Viewer window, and choose "Scan for code caves". Uncheck "Also scan non-executable read-only memory" if it's checked, change "Size of Cave" to 40 and press Start. Pick any value you like, although I generally try and find one with a big gap before the next one. Write this one down (mine was 20030970).

    Now, write down the following things:
    The command you found to access your memory address
    The command Immediately below it, and its start address
    The command 2 spaces below it, and its start address
    The start address of the command 3 spaces below it

    Now right click the command you found to be writing to your original address, and choose "Create jump and initialize to code cave". Enter the value of your code cave, or a value a little above it (5-10 at the most) if you want to be extra safe (I chose not to be, filling in 20030970). Now press OK, and enter 40 in the next window that comes up, pressing OK again. Now, you should have created a jmp command and overwritten one or more commands below the one that you initialized the jump on. Take note of the first command intact below the jmp and nops, and circle its start address (remember when I said to write this all down?) (you should get 26ECBBB, although you could just have a different version). Take note of all commands above it that were overwritten (once again, you wrote them down).

    Now right click your jmp command, choose "Go to address", and enter the address of your code cave (20030970 in my case). You should jump there and see the commands you wrote over. Change the first command to whatever you want it to be.

    Alright, now you need to learn a little bit of ASM. 90% of the time, the code writing to your address will be "mov x,y" with x and y being whatever the program needs. This basically moves the value y into spot x. So, with our command (mov [ecx],bl), [ecx] is the location of our number of health packs, and bl is the new number we're storing in there. Since we want to have our number of health packs refill to 10 every time, we need simply change bl to 10.

    Right click the command and choose "Assemble". Now simply replace bl with 10, to make the command "mov [ecx],10".

    It will pop up a warning window saying you're going to overwrite your next command, just press yes. Now assemble the line directly below your new command and write in the command it overwrote (you should have it written down from before).

    Now to return to the normal execution of the game. Remember that address you circled before? Assemble the line below the command you just wrote, and type "jmp <that address>". It should be "jmp 26ECBBB", since the command should be static, but like I said, your version might be different (and this is supposed to be an example in a general purpose tut).

    Go into the game and test it by dying and picking up a health kit. If you did everything so far right, you should suddenly have 10.

    Why would you ever go to this much trouble, given that you started off with a working value that could be used to edit the number of health packs? Well, everything you found in this is static, which means it can be made into a trainer (I'm working on one now with even better stuff, but it's still in the very early stages and extremely broken because I'm lazy/busy, so don't bother asking for a copy (unless you want to help develop it, of course...)).
    ---

    Whew. Sorry if that got confusing at times, I made it as clear as I could. Code caves can be used for almost anything else you want to do, too. If you don't understand the ASM, Google works pretty well. https://burks.brighton.ac.uk/burks/la...smtut/asm5.htm is my favorite site for quick reference.

    Message me with any questions you have, or if you just need some help. If you need more practice, try doing the same thing for nades (using 5 instead of 10, of course). Or, if you're feeling adventurous, I wonder what would happen if you did this with the command to decrease health packs? Well, not really, I have a pretty good idea what will happen, but try it anyway.
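The layout the post walks through (a 5-byte jmp plus NOP padding over the original instruction, a cave holding the new instruction, the displaced instructions and a jmp back) is exactly what an in-process integrity check or anti-cheat scanner looks for. The following is an added example, not code from the post or from Cheat Engine: it diffs a code region against a known-good copy, resolves any jmp found at a modified spot, flags a target outside the module image and follows the cave for its jmp back. The addresses mirror the post (26ECBB3, 20030970, 26ECBBB); the instruction bytes around the `mov [ecx],bl` and the module range are constructed, not real FEAR bytes.

```python
import struct

def encode_jmp(src, dst):
    """5-byte E9 jmp; rel32 is measured from the end of the instruction."""
    return b"\xe9" + struct.pack("<i", dst - (src + 5))

def decode_jmp(buf, off, base):
    """Absolute target of an E9 jmp at buf[off] (base = address of buf[0]), else None."""
    if off + 5 > len(buf) or buf[off] != 0xE9:
        return None
    return base + off + 5 + struct.unpack_from("<i", buf, off + 1)[0]

def find_code_cave_hooks(base, original, current, module, memory):
    """Diff a code region against its known-good copy. Each modified run that
    starts with a jmp is resolved; a target outside the module image whose
    cave jumps back into the region is the code-cave pattern from the post."""
    lo, hi = module
    findings, off = [], 0
    while off < len(current):
        if current[off] == original[off]:
            off += 1
            continue
        start = off
        while off < len(current) and current[off] != original[off]:
            off += 1
        target = decode_jmp(current, start, base)
        if target is None:
            findings.append({"addr": base + start, "kind": "inline patch"})
            continue
        cave, back = memory.get(target, b""), None
        for i in range(len(cave)):                      # look for the jmp back
            t = decode_jmp(cave, i, target)
            if t is not None and base <= t < base + len(current):
                back = t
                break
        findings.append({
            "addr": base + start, "kind": "jmp hook", "target": target,
            "outside_module": not lo <= target < hi,
            "nops": current[start + 5:off].count(0x90),  # Cheat Engine pads with NOPs
            "overwritten": original[start:off].hex(), "returns_to": back,
        })
    return findings

def demo():
    """Constructed sample modelled on the post's addresses (not real FEAR bytes)."""
    base, cave_addr, resume = 0x026ECBB3, 0x20030970, 0x026ECBBB
    # mov [ecx],bl ; mov eax,[ebp+8] ; add esp,4 ; pop ebp ; ret 4   (constructed)
    original = bytes.fromhex("8819 8b4508 83c404 5d c20400")
    # "Create jump": jmp cave + 3 NOPs replace the first 8 bytes of the region
    current = encode_jmp(base, cave_addr) + b"\x90" * 3 + original[8:]
    # The cave: mov byte [ecx],10 ; the two displaced instructions ; jmp back
    cave = bytes.fromhex("c6010a 8b4508 83c404") + encode_jmp(cave_addr + 9, resume)
    return find_code_cave_hooks(base, original, current, (0x00400000, 0x02800000), {cave_addr: cave})
```

Byte-for-byte comparison against the on-disk image is what defeats this class of patch; checking only the value at 26ECBB3 would miss a cave placed anywhere else.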
