Making a Trainer for PlanetSide
First, do this: T-Search Guide
Part 1: Find the real address we want
Ok, so you found the location in memory where the current instance of Planetside has placed the COF value. But that only helps until you close Planetside, since the value is allocated dynamically and will sit somewhere else next time! So what do you do? Auto-hack, baby!
1. Unfreeze the COF address.
2. Go to the Autohack menu and choose both options, Enable Debugger and Autohack Window.
3. Go ingame, and make the COF change (crouch, uncrouch, jump, and shoot).
4. Go to the Autohack window and you will see new addresses found. What are these? They are locations in the actual game code: the instructions that write to (or read) your COF address.
5. Select each of the newly found addresses, go to the TMK menu, and choose Button Script.
6. Keep T-Search open just like this while we start up Trainer Maker Kit (hereafter known as TMK).
Part 2: Making the trainer
Now comes the fun part: making a trainer that will be reusable and last until Planetside releases a new patch (a patch changes the code, so the addresses below will move).
1. Create a new project. Name it what you want, but I recommend something recognizable.
2. In the bottom-left corner, choose the Build Settings tab.
3. Scroll down the list of Process names, and choose planetside.exe.
4. Type in a name for your trainer in the EXE Name box. Keep in mind this must comply with the normal file name restrictions.
5. Go to the Insert menu, and choose Button.
6. Right-click the button, choose Properties, and type in "freeze COF".
7. Right-click the button again, and choose Write Memory Actions.
8. Here you will paste the line that the Button Script in T-Search gave us for the ON button. It should look something like "Poke 8DF6FF 90 90 90 90 90 90" (without the quotations). You will need to do this once for each address that was found in the Autohack window, so every instruction that writes the value is disabled.
9. Now add a new button, name it "unfreeze COF", and paste in the Button Scripts that T-Search gave us for the OFF button. These should look something like "Poke 8DF6FF 89 86 80 01 00 00", i.e. the original bytes written back.
10. Save your project, then in the Build menu, choose Build Your Project.
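To show what the two buttons actually do once the trainer is built, here is an added example (not code from the guide, nor from T-Search or TMK). A real trainer opens planetside.exe with OpenProcess and writes the bytes with WriteProcessMemory; this example instead parses the Poke lines quoted above and applies them to a small fake memory image, so it runs offline. The image contents, its base address and the helper names are constructed for illustration; the addresses and bytes are the ones the guide quotes.

```c
/* Added example: what a TMK "Poke <addr> <bytes...>" Write Memory Action
 * amounts to, applied to a simulated slice of the game's code section.
 * In a real trainer the memcpy below is a WriteProcessMemory call. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed: a 32-byte window of "memory" starting at IMAGE_BASE. */
#define IMAGE_BASE 0x8DF6F0u
#define IMAGE_SIZE 32u
static uint8_t image[IMAGE_SIZE];

/* The original instruction at 8DF6FF: 89 86 80 01 00 00 = mov [esi+180h], eax */
static const uint8_t original_store[6] = {0x89, 0x86, 0x80, 0x01, 0x00, 0x00};
static const uint8_t six_nops[6]       = {0x90, 0x90, 0x90, 0x90, 0x90, 0x90};

/* Fill the fake image with int3 (CC) and place the original store at 8DF6FF. */
void reset_image(void) {
    memset(image, 0xCC, sizeof image);
    memcpy(image + (0x8DF6FFu - IMAGE_BASE), original_store, sizeof original_store);
}

/* Parse "Poke <hexaddr> <hexbyte> <hexbyte> ...".
 * Returns the number of bytes parsed (0 is an error: nothing to write),
 * or -1 if the line is not a Poke line or a byte is out of range. */
int parse_poke(const char *line, uint32_t *addr, uint8_t *out, int max) {
    char word[16];
    int consumed = 0, n = 0;
    unsigned v;
    if (sscanf(line, "%15s%n", word, &consumed) != 1 || strcmp(word, "Poke") != 0)
        return -1;
    line += consumed;
    if (sscanf(line, "%x%n", &v, &consumed) != 1)
        return -1;
    *addr = (uint32_t)v;
    line += consumed;
    while (n < max && sscanf(line, "%x%n", &v, &consumed) == 1) {
        if (v > 0xFFu) return -1;           /* "1234" is not a byte */
        out[n++] = (uint8_t)v;
        line += consumed;
    }
    return n;
}

/* Apply one Poke line to the fake image. Returns 1 on success, 0 otherwise.
 * The range check is the one thing WriteProcessMemory would do for you. */
int apply_poke(const char *line) {
    uint32_t addr;
    uint8_t bytes[16];
    int n = parse_poke(line, &addr, bytes, (int)sizeof bytes);
    if (n <= 0) return 0;
    if (addr < IMAGE_BASE || addr + (uint32_t)n > IMAGE_BASE + IMAGE_SIZE) return 0;
    memcpy(image + (addr - IMAGE_BASE), bytes, (size_t)n);
    return 1;
}

/* 1 = the store is NOPed (COF frozen), 0 = original code, -1 = something else. */
int cof_frozen(void) {
    const uint8_t *p = image + (0x8DF6FFu - IMAGE_BASE);
    if (memcmp(p, six_nops, 6) == 0) return 1;
    if (memcmp(p, original_store, 6) == 0) return 0;
    return -1;
}

int main(void) {
    reset_image();
    printf("initial frozen=%d\n", cof_frozen());
    apply_poke("Poke 8DF6FF 90 90 90 90 90 90");   /* the "freeze COF" button */
    printf("after ON  frozen=%d\n", cof_frozen());
    apply_poke("Poke 8DF6FF 89 86 80 01 00 00");   /* the "unfreeze COF" button */
    printf("after OFF frozen=%d\n", cof_frozen());
    return 0;
}
```

The point of the OFF button is visible here: it is not "undo", it is the original six bytes written back, which is why T-Search hands you both scripts and why a trainer built against one patch breaks on the next.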
The Auto-Hack function in T-Search does nothing more than put a BP (BreakPoint) on the address you located. In this case that is a dynamic address for CoF: modern games use dynamic addresses for values because they need a lot of memory; we are far away from the "5 MB RAM is enough" times, and to keep the performance of the game up, DMA is used (DMA = Dynamic Memory Allocation, e.g. your CoF address).
So when you use "Auto-Hack" you set a breakpoint on that data address. Strictly speaking this is a memory (hardware) breakpoint rather than a BPX (Breakpoint on Execution): it fires whenever the address is accessed, at which point the debugger (here T-Search) stops the program and records which instruction did the access. This is how the new addresses in your "auto hack window" appear. These are the instructions that access your CoF address.
The address redb00mer mentions writes data from a register into the DMA address. Now what you do is change this instruction into NOPs (ASM, i.e. assembler, instructions for "No Operation": do nothing).
8DF6FF 89 86 80 01 00 00 - this line is a 6-byte-long instruction (6 values there, right? = 6 bytes) that updates your CoF value. If it gets disabled, your CoF value is no longer updated by this code. (Notice: there can be more than one instruction changing your value. For example, there is another one for jumping.)
So changing the code at 8DF6FF into 90 90 90 90 90 90 (No Operation, then No Operation, ...) will disable that one write without changing the rest of the function. This is one of the most basic ways to get things done, since you only disable the things you don't need.
Let's take a closer look at the original code.
8DF6FF is 89 86 80 01 00 00, which means: mov [esi+180h], eax
So the instruction takes the value inside the register "eax" and puts it into the address "value in esi + 180h (hex)". This is how DMA is handled: esi holds the base of a dynamically allocated structure, and CoF lives at offset 180h inside it. The value in esi changes from time to time, for example when you die or change continent and the memory gets reallocated for better performance, which is why the absolute CoF address you found does not survive.
Sometimes you can't just NOP instructions to get things done; in that case you need some ASM coding abilities. Keep in mind that on your client YOU have the power. You can change the code at any time and let your machine do what you want. Let's change the CoF to 5 forever instead, so I can get my point across more easily...
Instead of just NOPing we want CoF to be 5, so we really have some bad aiming (doesn't make sense, but we want to learn here, not cheat).
I wrote before that the instruction moves the value in eax into the address esi+180h. So in order to make CoF always 5 we need to change eax. But how? Quite simple...
We need to place an additional instruction that says "put the value 5 into eax"; that's easily done by saying "mov eax, 5" (the mov syntax is always mov destination, source).
However, when you look at your debugger you will see that there is no room to place that code anywhere: we need to make some room first. So what we do now is build a codecave. Codecave is the common name for a place where you store your own code.
To find room for your own code, simply look for large runs of 00 or 90 inside the module's memory (unused padding between functions); there are special tools out there which help you locate these.
So now that you have found a place, we can finally start coding our function.
We will change the original CoF instruction into a JMP (jump to address). Before we can do that we need to create our code in the codecave; otherwise the process will crash, since it would jump into the cave before our code is there.
So go to the address of your codecave and add this:
mov eax, 5 <- Put the value 5 into the "eax" register
mov [esi+180h], eax <- Put the value in eax into the address (value of esi + 180h) - the original code.
jmp 8DF705 <- You need to jump back to the function, right after the instruction we replaced. So 8DF6FF + 6 bytes = 8DF705
This was our codecave. To make it work, you change mov [esi+180h], eax at 8DF6FF into JMP Address_of_your_codecave (where mov eax, 5 is placed). A JMP is only 5 bytes long but the instruction it replaces is 6, so pad the sixth byte at 8DF704 with a NOP (90) so the old instruction is fully overwritten. Write the cave first and the JMP last, and keep the original 6 bytes so you can restore them.
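As an added example (not code from the guide), here is the byte-level arithmetic behind the codecave and the detour, which is what you would feed into the two Poke buttons of the trainer. It uses the standard x86 encodings B8 imm32 (mov eax, imm32), E9 rel32 (jmp, where rel32 = target - (address of the jmp + 5)) and 90 (nop); the original 89 86 80 01 00 00 is reused as-is. The codecave address 0x8DF900 is an assumption chosen for illustration, as are the function names; the hook address 8DF6FF and return address 8DF705 are the ones from the text.

```c
/* Added example: assemble the CoF codecave and the 6-byte detour described above.
 * Encodings used (standard 32-bit x86):
 *   B8 imm32           mov eax, imm32
 *   89 86 80 01 00 00  mov [esi+180h], eax   (the original instruction)
 *   E9 rel32           jmp rel32, rel32 = target - (jmp address + 5)
 *   90                 nop
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HOOK_ADDR   0x8DF6FFu                 /* mov [esi+180h], eax lives here */
#define HOOK_LEN    6u                        /* length of that instruction */
#define RETURN_ADDR (HOOK_ADDR + HOOK_LEN)    /* 0x8DF705, where the cave jumps back */

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Relative displacement for a 5-byte E9 jmp placed at 'from' that lands on 'to'. */
int32_t jmp_rel32(uint32_t from, uint32_t to) {
    return (int32_t)(to - (from + 5u));
}

/* Decode an E9 jmp found at address 'at' (bytes in p) and return its target.
 * Used as a sanity check before anything is written into the process. */
uint32_t jmp_target(uint32_t at, const uint8_t *p) {
    uint32_t rel = (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
                   ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
    return at + 5u + rel;
}

/* Emit the cave body at address 'cave':  mov eax, value / original store / jmp back.
 * Returns the number of bytes produced (16). */
size_t build_codecave(uint8_t *out, uint32_t cave, uint32_t value) {
    size_t n = 0;
    out[n++] = 0xB8; put_le32(out + n, value); n += 4;        /* mov eax, value        */
    memcpy(out + n, "\x89\x86\x80\x01\x00\x00", 6); n += 6;   /* mov [esi+180h], eax   */
    uint32_t jmp_at = cave + (uint32_t)n;                      /* where the E9 sits     */
    out[n++] = 0xE9;
    put_le32(out + n, (uint32_t)jmp_rel32(jmp_at, RETURN_ADDR)); n += 4; /* jmp 8DF705 */
    return n;
}

/* Emit the 6 bytes written over HOOK_ADDR: E9 rel32 to the cave plus one NOP,
 * because the jmp is 5 bytes but the instruction it replaces is 6. */
size_t build_detour(uint8_t *out, uint32_t cave) {
    out[0] = 0xE9;
    put_le32(out + 1, (uint32_t)jmp_rel32(HOOK_ADDR, cave));
    out[5] = 0x90;
    return 6;
}

static void dump(const char *label, uint32_t at, const uint8_t *p, size_t n) {
    printf("Poke %X", at);
    for (size_t i = 0; i < n; i++) printf(" %02X", p[i]);
    printf("   ; %s\n", label);
}

int main(void) {
    const uint32_t cave = 0x8DF900u;   /* assumed codecave location */
    uint8_t body[32], detour[6];
    size_t n = build_codecave(body, cave, 5);
    dump("codecave body, write this first", cave, body, n);
    dump("detour over the original store, write this last", HOOK_ADDR,
         detour, build_detour(detour, cave));
    return 0;
}
```

Writing order matters, as the text says: the cave body goes in first, the detour last, and the original six bytes are what the "unfreeze" button restores. The jmp_target check is worth keeping in any tool you build from this; a rel32 that is off by one turns a working cave into a crash.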