Hacking ZUMA - AutoHack & Injection Manager (+pics)

Postby WhiteHat » Mon May 19, 2008 7:48 am

I did this on my father's request... Not a direct request, actually. I was visiting him a week ago when I saw him playing Zuma. He said something like "Accuracy mode is my favorite feature in Zuma. It would be much better if accuracy mode were active by default..." and that sounded good enough as a request..

So, I plugged in my FD, which always has the latest MHS in it (never leave your house without the latest MHS =D), installed MHS on his PC (actually, my niece's PC) and started to make the hack he wanted. And I was lucky enough to make it... So I wrote this tutorial, whose later part will focus mainly on utilizing MHS Auto-Hack and MHS Injection Manager...

Game : Zuma Deluxe v1.0
Tools : MHS
Tutorial Level : Beginner


Normal Mode vs Accuracy Mode - Values Differences

The goal of the hack is to activate accuracy mode for the entire game... So, I had to find the differences between normal and accuracy mode (every difference involves values).

In normal mode, there is no visible 'aiming beam', while there is one in accuracy mode. Moreover, the 'shooting speed' in normal mode is much slower... This was the base logic I used as a start (well, basically it was all that I needed)...

After doing some basic Search and Sub-Search (with the Same As Original option ticked) followed by some trial, I found that there are 3 important addresses for the hack: Aiming Beam Switch, Aiming Beam Counter, and Shooting Speed.
- Aiming Beam Switch acts as a.. switch ( XD ) which determines whether the beam is ON or OFF.
- Aiming Beam Counter acts as a countdown counter that, when it reaches zero, TURNS OFF the Aiming Beam Switch.
- Shooting Speed determines how fast the Frog Avatar shoots the Zuma Spheres...

In Normal Mode, those address values are:
- Aiming Beam Switch = 0 (Byte)
- Aiming Beam Counter = 0 (Unsigned Long)
- Shooting Speed = 6.00 (Float)

In Accuracy Mode, those values are:
- Aiming Beam Switch = 1 (Byte)
- Aiming Beam Counter = 1 ~ 2000 (Unsigned Long)
- Shooting Speed = 15.00 (Float)

The address of the Aiming Beam Counter value is just 0x1F after the one of the Aiming Beam Switch value, while the address of the Shooting Speed value is separated from them randomly...

For the Aiming Beam to be visible, the Switch value has to be 1 AND the Counter value has to be bigger than 0.
When the player gets an accuracy bonus, the switch is set to 1 and the counter is set to 2000 and decreased gradually (but fast). I also noted from a further trial that the beam fades to invisible when the counter reaches 300 or less..

Those addresses are, unfortunately, dynamic. So, I had at least two options: to search for their complex address (searching for their static pointers) or to do some code injection which forces the game to always activate accuracy mode.

The first option was a tough one. I have to be honest that I failed to find the static pointers/complex addresses... Then I moved to the second option: Code Injection.


Utilizing MHS Auto-Hack

After putting those value addresses into the MHS table (for temporary use), I applied auto-hack on them to find out which codes access or write them, which in turn would allow me to study the codes.

I set Zuma to window mode, so I could see the hit count of each code, which in turn would give me clues about what they do to my found addresses (ASM still confuses me a lot, so this is the only working way I know for now). However, there should be other, better ways to figure out what specific codes do to our found addresses (the Auto-Hack process), since not every game has an option for running in window mode... Please correct me if I'm wrong...

Following are screenshots of Auto-Hacks on my found addresses, followed by a rough idea of what they do to the corresponding address, which I made after completing Stage One: Level 1-1 to 1-5. (I actually completed stage 1 three times. Each completion was meant for the auto-hack of one address)...

Codes that access Shooting Speed address

By playing the game and watching the Auto-Hack window simultaneously, I figured out what each of the codes did (MHS Speed Hack helped me a lot in this)...

00401FD8 - MOV DWORD PTR [ESI+44], 40C00000
- Executed at the beginning of a new game. Sets the Shooting Speed to 6.00 float (=0x40C00000)

00401A70 - FSTP DWORD PTR [EAX+44]
- Executed at the beginning of a new level. Sets the Shooting Speed to 6.00
- Executed right after all spheres are eliminated, when the n*100 bonus is calculated. Sets the Shooting Speed to 6.00
- Executed when accuracy mode wears out. Sets the Shooting Speed to 6.00

00413B61 - FSTP DWORD PTR [ECX+44]
- Executed right after the Zuma spheres come out, at the beginning of a stage. Sets the Shooting Speed to 6.00

004047F3 - FMUL DWORD PTR [ESI+44]
004047FC - FMUL DWORD PTR [ESI+44]
- Executed every time a player shoots a sphere. Reads the address of the Shooting Speed value.

00401A52 - MOV DWORD PTR [EAX+44], 41700000
- Executed when a player obtains accuracy mode. Sets the Shooting Speed to 15.00 float (=0x41700000)


Codes that access Aiming Beam Switch address

00418A6B - MOV BYTE PTR [ESI+131], BL
- Executed at the beginning of a new game. Sets the Aiming Beam Switch to 0.

00401A42 - MOV BYTE PTR [ECX+131], AL
- Executed at the beginning of a new game. Sets the Aiming Beam Switch to 0.
- Executed at the beginning of each new level. Sets the Aiming Beam Switch to 0.
- Executed right after all spheres are eliminated, when the n*100 bonus is calculated. Sets the Aiming Beam Switch to 0.
- Executed when the player obtains accuracy mode. Sets the Aiming Beam Switch to 1.
- Executed when accuracy mode wears out. Sets the Aiming Beam Switch to 0.

00421E0E - MOV AL, BYTE PTR [ESI+131]
- Executed all the time as long as the game is running, starting right after the very first level begins. Reads the address of the Aiming Beam Switch value.


Codes that access Aiming Beam Counter address

00401A63 - MOV DWORD PTR [ECX+150], 0
- Executed at the beginning of a new game. Sets the Aiming Beam Counter to 0.
- Executed at the beginning of each new level. Sets the Aiming Beam Counter to 0.
- Executed right after all spheres are eliminated, when the n*100 bonus is calculated. Sets the Aiming Beam Counter to 0.
- Executed when accuracy mode wears out. Sets the Aiming Beam Counter to 0.

0041AA1F - MOV DWORD PTR [ESI+150], EBX
- Executed at the beginning of a new game. Sets the Aiming Beam Counter to 0.

00401C5B - MOV EAX, DWORD PTR [ESI+150]
- Executed all the time as long as the game is running, starting right after the very first level begins. Reads the address of the Aiming Beam Counter value.

004093F3 - MOV EAX, DWORD PTR [ESI+150]
- Executed all the time as long as the game is running, starting right after the Zuma spheres come out. Reads the address of the Aiming Beam Counter value.

00417389 - MOV DWORD PTR [ESI+150], 7D0
- Executed when the player obtains the accuracy mode bonus. Sets the Aiming Beam Counter to 2000 (=0x7D0)

00401C68 - MOV DWORD PTR [ESI+150], EAX
- Executed when the player obtains the accuracy mode bonus. Decreases the Aiming Beam Counter gradually... This code will not be executed if the value of the Aiming Beam Counter equals 0.

The above codes were all that popped up. I just ignored the register values info since it was not needed in this case... The next step was to determine which codes to inject and where to place them...


Where to inject my code ?

Based on my 'research' comparison of the auto-hack results for the 3 addresses, I decided to inject my code here:
- Shooting Speed: 0x004047F3
- Aiming Beam Switch: 0x00421E0E
- Aiming Beam Counter: 0x00401C5B

My reason was simple: those addresses are executed more often than the others. This would virtually 'lock' the values of my addresses to any value I wanted them to be...


What Codes to inject ?

In order to ‘mimic’ Accuracy Mode, the value of my addresses had to be:
- Shooting Speed = 15.00 (Float)
- Aiming Beam Switch = 1 (Byte)
- Aiming Beam Counter >= 300 (Unsigned Long)


In later trials, I increased the Shooting Speed value to 25.00 float as it was faster and still safe (too fast wasn't safe since the shot sphere could 'jump' out past the others)... Also, the value for the Aiming Beam Counter had to be greater than 300 because any lower value would fade the beam to invisible. I'd just make its value 2000...

Next, my injection code had to have the same address pointer and offset ([register+offset]) as the target code address:

Shooting Speed
- address target for code-injection: 004047F3 - FMUL DWORD PTR [ESI+44]
- my code injection: MOV DWORD PTR [ESI+44], 41C80000
* this code would write value 25.00 (=0x41C80000, 4 bytes long) into Shooting Speed address.

Aiming Beam Switch
- address target for code-injection: 00421E0E - MOV AL, BYTE PTR [ESI+131]
- my code injection: MOV BYTE PTR [ESI+131], 1
* this code would write value 1 (=0x01, 1 byte long) into Aiming Beam Switch address.

Aiming Beam Counter
- address target for code-injection: 00401C5B - MOV EAX, DWORD PTR [ESI+150]
- my code injection: MOV DWORD PTR [ESI+150], 7D0
* this code would write value 2000 (=0x000007D0, 4 bytes long) into Aiming Beam Counter address.


Next step: Utilizing MHS Injection Manager

MHS Injection Manager offers easy usability for all of your injection codes: it stores all the injection codes you've made in one file (injections.inj), but is capable of recognizing which codes belong to which specific game. Moreover, it gives us the option to apply/un-apply each injection code so that we can activate or deactivate a certain cheat we've made. Later on, my father learned in no time that it's so easy to activate/deactivate the Aiming Beam and/or Fast Shooting Speed...

Here are pictures of my code injection for Zuma Deluxe:
(Use the shortcut [CTRL]+[i] right on the target address to be injected)

[Screenshot: Shooting Speed injection]

[Screenshot: Aiming Beam Switch injection]

[Screenshot: Aiming Beam Counter injection]

I would suggest you read the MHS help file for detailed information about the Code Injection feature... However, I'll try to explain some options briefly:
- Place Overwritten At End: checked -> This ensures that my code is executed before the overwritten code.
- Always Inject: checked -> This was merely for my father. I wanted the injection applied automatically when he attaches the Zuma process to MHS.
- Inject into This Process Only: checked -> This is important to make sure that the code injection is applied only to the Zuma process.

One thing that we should notice: MHS allocates the cave address for us, so we only have to worry about the injection codes... What a kind piece of software MHS is... ^^

And this is the screenshot of the Injection Manager window from the MHS Main Window...
* I edited the screenshot a bit to eliminate the H-ScrollBar...

We can see that it's very easy to Apply/Un-apply each Injection Code. For example:
- If you want to disable the Aiming Beam hack, just un-apply the code at address 0x00421E0E
- If you want to disable the Shooting Speed hack, just un-apply the code at address 0x004047F3

It's so easy that even my father, who is 64 now, understood it in no time...

Last but not least: a screenshot of the working code injection hack for ZUMA...

Notice that the Aiming Beam was activated while the game had just begun (Level 1-1, and no score collected yet)...
And, yes, I cannot prove that the speed has really increased. How would I do that anyway?.. >.<

...

Now my father is a happy man. He even found the Speed Hack by himself and uses it along with the code injection hacks, only he speeds the game up to twice normal speed!
By the time I wrote this tut, I heard that he had managed to get to stage 5 in double-speed Zuma... He must be an alien...


That's all folks!.. Any corrections are welcome...

:)

Edit: Woohoo .. My number 300 post !
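As an added example (not code from the tutorial or from MHS), the following Python hand-assembles the three injected writes and the three hooked instructions listed in the post, and lays a cave out in the 'Place Overwritten At End' order described above. The helper names are mine, and the cave address 0x00500000 is a placeholder because MHS allocates the real one at injection time.

```python
import struct

# Hand-assembled x86 (32-bit) for the Zuma hooks. Cave address is a placeholder.
RM = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esi": 6, "edi": 7}  # ModRM r/m values

def float_imm(value):
    """IEEE-754 single as the 32-bit immediate the game stores: 6.0 -> 0x40C00000."""
    return struct.unpack("<I", struct.pack("<f", value))[0]

def modrm_disp(reg_field, base, disp):
    """ModRM byte plus displacement for [base+disp]: disp8 if it fits, else disp32.
    This is why [ESI+44] takes 3 bytes as FMUL while [ESI+131] takes 6 as MOV."""
    if -128 <= disp <= 127:
        return bytes([0x40 | (reg_field << 3) | RM[base]]) + struct.pack("<b", disp)
    return bytes([0x80 | (reg_field << 3) | RM[base]]) + struct.pack("<i", disp)

def mov_mem32_imm32(base, disp, imm):     # C7 /0   MOV DWORD PTR [base+disp], imm32
    return b"\xC7" + modrm_disp(0, base, disp) + struct.pack("<I", imm)

def mov_mem8_imm8(base, disp, imm):       # C6 /0   MOV BYTE PTR [base+disp], imm8
    return b"\xC6" + modrm_disp(0, base, disp) + bytes([imm])

def fmul_mem32(base, disp):               # D8 /1   FMUL DWORD PTR [base+disp]
    return b"\xD8" + modrm_disp(1, base, disp)

def mov_reg_mem(opcode, reg, base, disp): # 8A /r MOV r8,[mem]; 8B /r MOV r32,[mem]
    return bytes([opcode]) + modrm_disp(RM[reg], base, disp)

def jmp_rel32(src, dst):                  # E9 rel32, counted from the next instruction
    return b"\xE9" + struct.pack("<i", dst - (src + 5))

def injected_instructions():
    """The tutorial's three replacement writes, keyed by the address they hook."""
    return {
        0x004047F3: mov_mem32_imm32("esi", 0x44, float_imm(25.0)),  # speed = 25.0
        0x00421E0E: mov_mem8_imm8("esi", 0x131, 1),                 # beam switch = 1
        0x00401C5B: mov_mem32_imm32("esi", 0x150, 0x7D0),           # beam counter = 2000
    }

def original_instructions():
    """The instructions Auto-Hack listed at those addresses (AL and EAX are reg 0)."""
    return {
        0x004047F3: fmul_mem32("esi", 0x44),
        0x00421E0E: mov_reg_mem(0x8A, "eax", "esi", 0x131),
        0x00401C5B: mov_reg_mem(0x8B, "eax", "esi", 0x150),
    }

def hook_fits(overwritten):
    """A JMP rel32 hook is 5 bytes and may only replace whole instructions, so the
    3-byte FMUL alone is too short: the injector must displace what follows it too
    (the tutorial does not list those bytes, so that case is not built here)."""
    return len(overwritten) >= 5

def build_hook(target, cave, injected, overwritten):
    """Return (bytes for the hook site, bytes for the cave) in the
    'Place Overwritten At End' layout: injected, then overwritten, then JMP back."""
    if not hook_fits(overwritten):
        raise ValueError("need >= 5 bytes of whole instructions at the hook site")
    hook = jmp_rel32(target, cave).ljust(len(overwritten), b"\x90")  # NOP padding
    body = injected + overwritten
    return hook, body + jmp_rel32(cave + len(body), target + len(overwritten))

if __name__ == "__main__":
    CAVE = 0x00500000  # placeholder: MHS allocates the real cave address
    inj, orig = injected_instructions(), original_instructions()
    for target in (0x00421E0E, 0x00401C5B):
        hook, cave = build_hook(target, CAVE, inj[target], orig[target])
        print(f"{target:08X}: site {hook.hex()}  cave {cave.hex()}")
```

The FMUL site deliberately raises, since the 3-byte instruction cannot hold a 5-byte JMP on its own and the page does not show what follows it.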

Postby Lobbie » Wed May 21, 2008 2:38 pm

muhahahaha... great tut mate! My wife's been playing Zuma and keeps whinging to me about how difficult it gets after leveling up. This should shut her mouth for a while muahahahaha..... terima kasih dong (thanks a lot).

Postby WhiteHat » Wed May 21, 2008 2:53 pm

LoL... Terima kasih kembali... You’re welcome...

Postby Zaladine » Thu May 22, 2008 10:49 am

haha my big bro's tut is the best!
thx to him pap can't stop playin' zuma now.
:lol: :twisted: :lol:

Postby WhiteHat » Thu May 22, 2008 12:34 pm

Zaladine wrote: haha my big bro's tut is the best!
thx to him pap can't stop playin' zuma now...

You promised me not to post anything here with that id you stole from me...
Now you've broken it, I'm gonna get you and pinch your sorry nose!

:evil:

Postby L. Spiro » Thu May 22, 2008 12:39 pm

I was very tempted to edit your post to say:

Whitehat wrote:Now you’ve broke it, i’m gonna get you and pinch your sorry ass all night !



L. Spiro

Postby WhiteHat » Thu May 22, 2008 12:49 pm

LoL... he is my bad, bad little brother, Lord Spiro...
If I treat him roughly, my dad's gonna cut off
my finance... or my throat... T_T

He registered on this forum using 3 of my other
nicknames and 1 id with my real name without my
permission... However, I still love him (but not much).

My apologies for what he has done...


:oops:

Postby No1DeSeRvUaE » Fri Jan 16, 2009 3:35 am

Nice tutorial, I didn't understand much but I am gonna read it till I do

btw how did you get the shooting speed?

I understand the tutorial now but I still want to know how you got the shooting speed

Postby WhiteHat » Fri Jan 16, 2009 11:48 am

No1DeSeRvUaE wrote: ... I still want to know how you got the shooting speed


By comparing every possible address whose value differed between accurate mode and non-accurate mode...

The steps were:
- In Non-Accurate mode, I started a search with MHS for BYTE, Unknown, with the "Same as Original" search option enabled.
- Kept playing, and when I got Accurate mode, I sub-searched for "Different from before" addresses.
- Kept playing for a while till accurate mode ran off, then I searched for "Same as Original" addresses.
- Repeated the steps till I got the values: Non-Accurate mode = 6.0 float, Accurate mode = 15.0 float.

I also did spam "same as before" searches when I was sure that the speed had not changed..
I guess that's pretty basic in searching values, so I don't think any further explanation is needed..
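The search sequence from this reply, replayed over constructed memory snapshots as an added example (not code from the tutorial or from MHS). The region layout, the offsets 0x10/0x30/0x40 and the snapshot values are invented for the demo; it goes one step beyond the reply by isolating the beam switch and counter with an exact-value pass as well as the speed.

```python
import struct

# Constructed 80-byte "process memory" snapshots standing in for MHS's view of the
# game's data region. Offsets and the score/frame fields are invented; the values
# follow the tutorial (speed 6.0/15.0, switch 0/1, counter 0/2000).
REGION_SIZE = 0x50

def make_snapshot(speed, switch, counter, score, frame):
    """One constructed dump of the data region at a point in play."""
    buf = bytearray(REGION_SIZE)
    struct.pack_into("<I", buf, 0x08, score)    # score: changes once, stays changed
    struct.pack_into("<f", buf, 0x10, speed)    # shooting speed (float)
    struct.pack_into("<I", buf, 0x20, frame)    # frame counter: changes every snapshot
    buf[0x30] = switch                          # aiming beam switch (byte)
    struct.pack_into("<I", buf, 0x40, counter)  # aiming beam counter (unsigned long)
    return bytes(buf)

def dword(snap, addr):
    return struct.unpack_from("<I", snap, addr)[0]

def flt(snap, addr):
    return struct.unpack_from("<f", snap, addr)[0]

def unknown_search(snap):
    """Initial 'Unknown' search: every offset a 4-byte read fits at is a candidate."""
    return set(range(len(snap) - 3))

def sub_search(cands, current, reference, same):
    """'Same as ...' (same=True) or 'Different from ...' (same=False) against a
    reference snapshot: 'Original' is the first dump, 'before' the previous one."""
    return {a for a in cands if (dword(current, a) == dword(reference, a)) == same}

def exact_search(cands, snap, value, read=dword):
    """Final narrowing by exact value; this also drops unaligned overlapping reads."""
    return {a for a in cands if read(snap, a) == value}

def find_mode_addresses():
    s0 = make_snapshot(6.0, 0, 0, 0, 1000)        # normal mode: the 'Original' dump
    s1 = make_snapshot(6.0, 0, 0, 0, 1500)        # still normal, a little later
    s2 = make_snapshot(15.0, 1, 2000, 100, 2000)  # accuracy bonus just triggered
    s3 = make_snapshot(6.0, 0, 0, 100, 2500)      # accuracy mode worn off

    cands = unknown_search(s0)
    cands = sub_search(cands, s1, s0, same=True)   # Same as Original (drops frame counter)
    cands = sub_search(cands, s2, s1, same=False)  # Different from before (mode flipped)
    cands = sub_search(cands, s3, s0, same=True)   # Same as Original again (drops score)

    # Survivors still include reads that merely overlap the real values; checking
    # the exact 6.0/15.0, 0/1 and 0/2000 pairs isolates each address.
    return {
        "survivors": cands,
        "shooting_speed": exact_search(exact_search(cands, s2, 15.0, flt), s3, 6.0, flt),
        "beam_switch": exact_search(exact_search(cands, s2, 1), s3, 0),
        "beam_counter": exact_search(exact_search(cands, s2, 2000), s3, 0),
    }

if __name__ == "__main__":
    for name, addrs in find_mode_addresses().items():
        print(f"{name:15} {sorted(hex(a) for a in addrs)}")
```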

Postby No1DeSeRvUaE » Sun Jan 18, 2009 5:54 am

ok thanks for the information

Postby minorutono » Tue Mar 31, 2009 1:31 am

Yet another informative tutorial, WhiteHat.

^^ I learn so much from you xD

Question : I need to set myself to full access every time before Injection works. Any way around this?

Question : How does this act as a workaround for pointers? It doesn't work for me after I restart my game.. I gotta do it all over again. I think I'm not putting the right address or something.

Postby WhiteHat » Tue Mar 31, 2009 6:15 pm

minorutono wrote: Question : I need to set myself to full access every time before Injection works. Any way around this?

Though I've never written any script, I believe the best solution is LS.Script. You may want to start from the On_OpenProcess function, which you can always refer to in the MHS help file..

I don't recall that I had to change the access property of the Zuma process to FullAccess before injecting this code. Honestly, I forgot about this matter..
But until now, I've been using MHS Auto-Assembler to overcome similar problems so that I only need to load the ASM script once...

So yea, L. Spiro Script (LSS) is the best solution...


minorutono wrote: Question : How does this act as a workaround for pointers? It doesn't work for me after I restart my game.. I gotta do it all over again. I think I'm not putting the right address or something.

Maybe I've misunderstood your question here, but this kind of hack (code injection) is usually used to 'avoid' pointers (values which are stored in multi-layer pointer trails)...
I'm sorry if this isn't what you've asked... ^^;

Postby minorutono » Wed Apr 01, 2009 12:49 am

Whitehat wrote:
minorutono wrote: Question : I need to set myself to full access every time before Injection works. Any way around this?

Though I've never written any script, I believe the best solution is LS.Script. You may want to start from the On_OpenProcess function, which you can always refer to in the MHS help file..

I don't recall that I had to change the access property of the Zuma process to FullAccess before injecting this code. Honestly, I forgot about this matter..
But until now, I've been using MHS Auto-Assembler to overcome similar problems so that I only need to load the ASM script once...

So yea, L. Spiro Script (LSS) is the best solution...


Alrighty. I'm just asking because although I (somehow) figured out that I needed full access (on 2 of 2 different processes I tried).



Whitehat wrote:
minorutono wrote: Question : How does this act as a workaround for pointers? It doesn't work for me after I restart my game.. I gotta do it all over again. I think I'm not putting the right address or something.

Maybe I've misunderstood your question here, but this kind of hack (code injection) is usually used to 'avoid' pointers (values which are stored in multi-layer pointer trails)...
I'm sorry if this isn't what you've asked... ^^;


xD I think I'm the one misunderstanding something. When you say 'avoid pointers', you mean that you can use the injection like a pointer, and continue reusing it like a pointer? As in.. you just need to get the first addy (not a pointer) and inject there? And if you restart the game, it'll still work?

I'm obviously not getting something :/... ^^

Postby WhiteHat » Fri Apr 03, 2009 11:20 am

minorutono wrote: Alrighty. I'm just asking because although I (somehow) figured out that I needed full access (on 2 of 2 different processes I tried).

Sounds normal to me... I always have to change any code-injected process to FullAccess before it allows me to make some code modification.


Whitehat wrote: When you say 'avoid pointers', you mean that you can use the injection like a pointer, and continue reusing it like a pointer?

I guess this isn't quite right... but...


Whitehat wrote: As in.. you just need to get the first addy (not a pointer) and inject there? And if you restart the game, it'll still work?

True.. This is more like it...

For example, the real Complex Address (pointer trail) for Shooting Speed is:
[module.exe+0x176DC0]+([[module.exe+0x176DC0]+0xE7F3C]&0x1FFFFF)+0x130+(0*0x2C)+0x06

Finding that working complex address is quite troublesome. So, instead, we can just inject (make some code modification) into the code which handles the Shooting Speed value, that is, according to the tutorial, this code: 0x004047F3 - FMUL DWORD PTR [ESI+44], so we don't even need to find the address of the Shooting Speed value once the injection we made has executed..

If we restart the game, we still have to execute the injection once... Or if we don't wanna do this, we can patch the module with our injection code, or create a dll file...

I haven't done these methods though. I still prefer finding complex addresses. Some games, especially on-line ones, don't allow any code modification... If I should make some injection, I will use MHS Auto-Assembler...

Please correct me if I'm wrong. Still learning on this.... ^^

Postby minorutono » Fri Apr 03, 2009 12:39 pm

Whitehat wrote:
minorutono wrote: Alrighty. I'm just asking because although I (somehow) figured out that I needed full access (on 2 of 2 different processes I tried).

Sounds normal to me... I always have to change any code-injected process to FullAccess before it allows me to make some code modification.


Whitehat wrote: When you say 'avoid pointers', you mean that you can use the injection like a pointer, and continue reusing it like a pointer?

I guess this isn't quite right... but...


Whitehat wrote: As in.. you just need to get the first addy (not a pointer) and inject there? And if you restart the game, it'll still work?

True.. This is more like it...

For example, the real Complex Address (pointer trail) for Shooting Speed is:
[module.exe+0x176DC0]+([[module.exe+0x176DC0]+0xE7F3C]&0x1FFFFF)+0x130+(0*0x2C)+0x06

Finding that working complex address is quite troublesome. So, instead, we can just inject (make some code modification) into the code which handles the Shooting Speed value, that is, according to the tutorial, this code: 0x004047F3 - FMUL DWORD PTR [ESI+44], so we don't even need to find the address of the Shooting Speed value once the injection we made has executed..

If we restart the game, we still have to execute the injection once... Or if we don't wanna do this, we can patch the module with our injection code, or create a dll file...

I haven't done these methods though. I still prefer finding complex addresses. Some games, especially on-line ones, don't allow any code modification... If I should make some injection, I will use MHS Auto-Assembler...

Please correct me if I'm wrong. Still learning on this.... ^^


I get it. Ok, thanks for clarifying!

You say you're learning, but I'm learning from you. How confusing xD!